@redocly/realm 0.129.0-next.5 → 0.129.0-next.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/dist/constants/common.d.ts +1 -0
  3. package/dist/constants/common.js +1 -1
  4. package/dist/server/plugins/catalog-entities/database/constants/relation-normalization.d.ts +3 -0
  5. package/dist/server/plugins/catalog-entities/database/constants/relation-normalization.js +1 -0
  6. package/dist/server/plugins/catalog-entities/database/mappers/create-entity-relation-db-record-from-dto.js +1 -1
  7. package/dist/server/plugins/catalog-entities/database/mappers/create-entity-relation-db-record-from-file-schema.js +1 -1
  8. package/dist/server/plugins/catalog-entities/database/repositories/local/catalog-entities-bff-repository.d.ts +14 -0
  9. package/dist/server/plugins/catalog-entities/database/repositories/local/catalog-entities-bff-repository.js +112 -0
  10. package/dist/server/plugins/catalog-entities/database/repositories/local/catalog-entities-local-read-repository.js +12 -130
  11. package/dist/server/plugins/catalog-entities/database/repositories/local/catalog-entities-local-write-repository.js +1 -1
  12. package/dist/server/plugins/catalog-entities/utils/normalize-relation.d.ts +77 -0
  13. package/dist/server/plugins/catalog-entities/utils/normalize-relation.js +1 -0
  14. package/dist/server/plugins/config-parser/format-error.js +13 -5
  15. package/dist/server/plugins/config-parser/loaders/utils/read-and-validate-config.js +1 -1
  16. package/dist/server/providers/database/databases/catalog-sqlite/migrations/0003_catalog_versions_and_revisions_relations.sql +12 -6
  17. package/dist/server/providers/database/databases/catalog-sqlite/migrations/0004_normalize_relation_types.sql +147 -0
  18. package/dist/server/providers/database/databases/catalog-sqlite/migrations/meta/0004_snapshot.json +392 -0
  19. package/dist/server/providers/database/databases/catalog-sqlite/migrations/meta/_journal.json +7 -0
  20. package/dist/server/providers/database/databases/sqld-sqlite/migrations/0006_catalog-versions-and-revisions-relations.sql +12 -6
  21. package/dist/server/providers/database/pagination/filter.d.ts +1 -0
  22. package/dist/server/providers/database/pagination/filter.js +1 -1
  23. package/dist/server/web-server/auth.js +2 -2
  24. package/dist/server/web-server/routes/auth.d.ts +1 -0
  25. package/dist/server/web-server/routes/auth.js +1 -1
  26. package/dist/server/web-server/routes/index.js +1 -1
  27. package/dist/server/web-server/routes/mcp-oauth.d.ts +10 -0
  28. package/dist/server/web-server/routes/mcp-oauth.js +1 -1
  29. package/dist/server/web-server/utils/get-request-origin.d.ts +3 -0
  30. package/dist/server/web-server/utils/get-request-origin.js +1 -0
  31. package/package.json +2 -2
package/dist/server/providers/database/pagination/filter.js CHANGED
@@ -1 +1 @@
1
- import{and as O,between as R,eq as T,inArray as C,isNotNull as L,isNull as I,like as v,ne as k,notBetween as y,notInArray as W,notLike as b,or as d,sql as a}from"drizzle-orm";import{isFilterCondition as F}from"./types.js";import{transformToSnakeCase as q}from"./utils/transform-to-snake-case.js";import{isFieldAllowed as D}from"./utils/field-pattern-matcher.js";import{OPERATORS as h}from"./constants.js";const U=["domains","owners"],P=["tags"];function z(t,e){const o=J(e);return o?{sqlBuilder:t,whereCondition:o}:{sqlBuilder:t,whereCondition:null}}function J(t){if(t)return F(t)?j(t):x(t)}const j=t=>{const{op:e,conditions:o}=t,n=[];for(const l of o){if(F(l)){const r=j(l);r&&n.push(r);continue}const i=x(l);i&&n.push(i)}return e===h.AND?O(...n):d(...n)},H=(t,e)=>e.length>1?`$.${e.slice(1).join(".")}.${t}`:`$.${t}`,m=({operator:t,value:e,field:o,parentFields:n,negation:l})=>{const i=a.identifier(n[0]),r=H(o,n);switch(t){case"equal":return l?a`(json_extract(${i}, ${r}) != ${e} OR json_extract(${i}, ${r}) IS NULL)`:a`json_extract(${i}, ${r}) == ${e}`;case"equalNull":return l?a`json_extract(${i}, ${r}) IS NOT NULL`:a`json_extract(${i}, ${r}) IS NULL`;case"contains":return l?a`(json_extract(${i}, ${r}) NOT LIKE ${e} OR json_extract(${i}, ${r}) IS NULL)`:a`json_extract(${i}, ${r}) LIKE ${e}`;case"in":if(Array.isArray(e)){const s=e.map(c=>a`json_extract(${i}, ${r}) == ${c}`);return l?a`(NOT (${d(...s)}) OR json_extract(${i}, ${r}) IS NULL)`:d(...s)}break;case"between":if(Array.isArray(e)&&e.length===2)return l?a`(NOT (json_extract(${i}, ${r}) BETWEEN ${e[0]} AND ${e[1]}) OR json_extract(${i}, ${r}) IS NULL)`:a`json_extract(${i}, ${r}) BETWEEN ${e[0]} AND ${e[1]}`;break;default:throw new Error(`Unsupported operator: ${t} for json path`)}};function G(t,e){if(!t)return;const o=l=>{if(F(l)){for(const i of l.conditions){const r=o(i);if(r!==void 0)return r}return}if(l.field===e)return l.value},n=o(t);return typeof n=="string"?n.trim()===""?null:n.trim():n??null}const M=t=>{const{field:e,operator:o,value:n,modifier:l,parentFields:i}=t,r=l==="not";if(!i||i.length<1)throw new Error("convertNestedFilterClauseToSql called without parentFields");switch(o){case"equal":return m(n===null?{operator:"equalNull",value:n,field:e,parentFields:i,negation:r}:{operator:o,value:n,field:e,parentFields:i,negation:r});case"contains":if(typeof n=="string"){const s=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return m({operator:o,value:s,field:e,parentFields:i,negation:r})}break;case"in":if(Array.isArray(n))return m({operator:o,value:n,field:e,parentFields:i,negation:r});break;case"between":if(Array.isArray(n)&&n.length===2)return m({operator:o,value:n,field:e,parentFields:i,negation:r});break;default:throw new Error(`Unsupported filter operator: ${o}`)}},x=t=>{const{field:e,operator:o,value:n,modifier:l,parentFields:i}=t;if(i&&i.length>=1)return M(t);const r=l==="not",s=a.identifier(e),c=P.includes(e),f=U.includes(e);switch(o){case"equal":return n===null?r?L(s):I(s):f?r?a`NOT EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_extract(json_each.value, '$.key') = ${n})`:a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_extract(json_each.value, '$.key') = ${n})`:c?r?a`NOT EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_each.value = ${n})`:a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_each.value = ${n})`:r?k(s,n):T(s,n);case"contains":if(typeof n=="string"){const u=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return r?b(s,u):v(s,u)}break;case"in":if(Array.isArray(n)){if(f){const u=n.map(p=>a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_extract(json_each.value, '$.key') = ${p})`);return r?a`NOT (${d(...u)})`:d(...u)}else if(c){const u=n.map(p=>a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_each.value = ${p})`);return r?a`NOT (${d(...u)})`:d(...u)}return r?W(s,n):C(s,n)}break;case"between":if(Array.isArray(n)&&n.length===2)return r?y(s,n[0],n[1]):R(s,n[0],n[1]);break;default:throw new Error(`Unsupported filter operator: ${o}`)}},A=["'",'"'];function Z(t="",e=[],o={}){if(!t||!t.trim())return;const n=g(t);return w(n,e,o)}function S(t){const e=X(t);if(e.operator===":"){const o=N(e.value,",");if(o.length>1)return{operator:"in",field:e.field,parentFields:e.parentFields,value:o.map(E),modifier:e.modifier};const n=N(e.value,"..");return n.length===2?{operator:"between",field:e.field,parentFields:e.parentFields,value:[E(n[0]),E(n[1])],modifier:e.modifier}:{operator:"equal",field:e.field,parentFields:e.parentFields,value:e.value==="null"?null:E(e.value),modifier:e.modifier}}else if(e.operator==="~")return{operator:"contains",field:e.field,parentFields:e.parentFields,value:E(e.value),modifier:e.modifier};throw new Error(`Unsupported filter clause: ${t}`)}function X(t){const e="^(?<modifier>^-?)",o="(?<field>[a-z][\\w.]*)",n="(?<operator>:|~)",l="(?<value>.+)",i=new RegExp(`^${e}${o}${n}${l}$`,"i"),r=t.match(i);if(!r||!r.groups)throw new Error(`Invalid filter clause: ${t}`);const{operator:s,value:c,modifier:f}=r.groups,u=r.groups.field.split(".");return{field:u.pop(),parentFields:u,operator:s,value:c,modifier:f==="-"?"not":void 0}}function N(t,e){const o=[];let n="",l=!1,i=0;for(let r=0;r<t.length;r++){const s=t[r-1],c=t[r];if(i>0){i--;continue}s!=="\\"&&A.includes(c)&&(l=!l),!l&&t.slice(r,r+e.length)===e?(o.push(n),n="",i=e.length-1):n+=c}return n&&o.push(n),o}function E(t){for(const e of A)if(t.startsWith(e)&&t.endsWith(e))return t.slice(1,-1);return t}function g(t){let e="",o=0,n=!1,l="";const i=[];for(let s=0;s<t.length;s++){const c=t[s],f=t[s+1];if(['"',"'"].includes(c)&&(s===0||t[s-1]!=="\\")){if(!n){n=!0,l=c,e+=c;continue}if(c===l){n=!1,l="",e+=c;continue}}if(n){e+=c;continue}if(o===0){const u=f==="A"&&t.slice(s+1,s+5)===`${h.AND} `;if(c===" "&&u){const $=e.trim();$&&(i.push(S($)),e="");const _=g(t.slice(s+5));return{op:h.AND,conditions:[...i,_]}}const p=f==="O"&&t.slice(s+1,s+4)===`${h.OR} `;if(c===" "&&p){const $=e.trim();$&&(i.push(S($)),e="");const _=g(t.slice(s+4));return{op:h.OR,conditions:[...i,_]}}}if(c==="("){const u=e.trim();o===0&&u&&(i.push(S(u)),e=""),o++,e+=c;continue}if(c===")"){if(o--,e+=c,o===0){const u=e.slice(1,-1);i.push(g(u)),e=""}continue}e+=c}const r=e.trim();return r&&i.push(S(r)),i.length===1?i[0]:{op:h.AND,conditions:i}}function w(t,e,o){if("field"in t){const n=t.parentFields?.length?`${t.parentFields.join(".")}.${t.field}`:t.field;if(!D(n,e))throw new Error(`Invalid filter field: ${n}`);const l=t.parentFields?.length?t.field:o[t.field]||q(t.field);return{...t,field:l}}else return{...t,conditions:t.conditions.map(n=>w(n,e,o))}}function ee(t,e){if(!t)return;const o=i=>e.includes(i),n=i=>{if(F(i)){const r=i.conditions.map(n).filter(s=>s!==null);return r.length===0?null:r.length===1?r[0]:{...i,conditions:r}}else return o(i.field)?null:i};return n(t)||void 0}export{z as applyFilter,J as convertFilterToWhereCondition,ee as excludeFieldsFromFilter,G as getFirstFilterFieldValue,Z as parseFilterQuery};
1
+ import{and as O,between as R,eq as T,inArray as C,isNotNull as v,isNull as L,like as I,ne as y,notBetween as k,notInArray as W,notLike as b,or as d,sql as u}from"drizzle-orm";import{isFilterCondition as m}from"./types.js";import{transformToSnakeCase as q}from"./utils/transform-to-snake-case.js";import{isFieldAllowed as D}from"./utils/field-pattern-matcher.js";import{OPERATORS as h}from"./constants.js";const U=["domains","owners"],P=["tags"];function z(t,e){const o=J(e);return o?{sqlBuilder:t,whereCondition:o}:{sqlBuilder:t,whereCondition:null}}function J(t){if(t)return m(t)?A(t):j(t)}const A=t=>{const{op:e,conditions:o}=t,n=[];for(const s of o){if(m(s)){const i=A(s);i&&n.push(i);continue}const r=j(s);r&&n.push(r)}return e===h.AND?O(...n):d(...n)},H=(t,e)=>e.length>1?`$.${e.slice(1).join(".")}.${t}`:`$.${t}`,E=({operator:t,value:e,field:o,parentFields:n,negation:s})=>{const r=u.identifier(n[0]),i=H(o,n);switch(t){case"equal":return s?u`(json_extract(${r}, ${i}) != ${e} OR json_extract(${r}, ${i}) IS NULL)`:u`json_extract(${r}, ${i}) == ${e}`;case"equalNull":return s?u`json_extract(${r}, ${i}) IS NOT NULL`:u`json_extract(${r}, ${i}) IS NULL`;case"contains":return s?u`(json_extract(${r}, ${i}) NOT LIKE ${e} OR json_extract(${r}, ${i}) IS NULL)`:u`json_extract(${r}, ${i}) LIKE ${e}`;case"in":if(Array.isArray(e)){const l=e.map(c=>u`json_extract(${r}, ${i}) == ${c}`);return s?u`(NOT (${d(...l)}) OR json_extract(${r}, ${i}) IS NULL)`:d(...l)}break;case"between":if(Array.isArray(e)&&e.length===2)return s?u`(NOT (json_extract(${r}, ${i}) BETWEEN ${e[0]} AND ${e[1]}) OR json_extract(${r}, ${i}) IS NULL)`:u`json_extract(${r}, ${i}) BETWEEN ${e[0]} AND ${e[1]}`;break;default:throw new Error(`Unsupported operator: ${t} for json path`)}};function G(t,e){if(!t)return;const o=s=>{if(m(s)){for(const r of s.conditions){const i=o(r);if(i!==void 0)return i}return}if(s.field===e)return s.value},n=o(t);return typeof n=="string"?n.trim()===""?null:n.trim():n??null}function Z(t,e){if(!t)return[];const o=[],n=s=>{if(m(s)){for(const r of s.conditions)n(r);return}if(s.field===e){if(Array.isArray(s.value))o.push(...s.value.map(r=>String(r).trim()).filter(r=>r!==""));else if(s.value!==null&&s.value!==void 0){const r=String(s.value).trim();r!==""&&o.push(r)}}};return n(t),o}const M=t=>{const{field:e,operator:o,value:n,modifier:s,parentFields:r}=t,i=s==="not";if(!r||r.length<1)throw new Error("convertNestedFilterClauseToSql called without parentFields");switch(o){case"equal":return E(n===null?{operator:"equalNull",value:n,field:e,parentFields:r,negation:i}:{operator:o,value:n,field:e,parentFields:r,negation:i});case"contains":if(typeof n=="string"){const l=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return E({operator:o,value:l,field:e,parentFields:r,negation:i})}break;case"in":if(Array.isArray(n))return E({operator:o,value:n,field:e,parentFields:r,negation:i});break;case"between":if(Array.isArray(n)&&n.length===2)return E({operator:o,value:n,field:e,parentFields:r,negation:i});break;default:throw new Error(`Unsupported filter operator: ${o}`)}},j=t=>{const{field:e,operator:o,value:n,modifier:s,parentFields:r}=t;if(r&&r.length>=1)return M(t);const i=s==="not",l=u.identifier(e),c=P.includes(e),f=U.includes(e);switch(o){case"equal":return n===null?i?v(l):L(l):f?i?u`NOT EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_extract(json_each.value, '$.key') = ${n})`:u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_extract(json_each.value, '$.key') = ${n})`:c?i?u`NOT EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_each.value = ${n})`:u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_each.value = ${n})`:i?y(l,n):T(l,n);case"contains":if(typeof n=="string"){const a=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return i?b(l,a):I(l,a)}break;case"in":if(Array.isArray(n)){if(f){const a=n.map(p=>u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_extract(json_each.value, '$.key') = ${p})`);return i?u`NOT (${d(...a)})`:d(...a)}else if(c){const a=n.map(p=>u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_each.value = ${p})`);return i?u`NOT (${d(...a)})`:d(...a)}return i?W(l,n):C(l,n)}break;case"between":if(Array.isArray(n)&&n.length===2)return i?k(l,n[0],n[1]):R(l,n[0],n[1]);break;default:throw new Error(`Unsupported filter operator: ${o}`)}},x=["'",'"'];function ee(t="",e=[],o={}){if(!t||!t.trim())return;const n=g(t);return w(n,e,o)}function S(t){const e=X(t);if(e.operator===":"){const o=N(e.value,",");if(o.length>1)return{operator:"in",field:e.field,parentFields:e.parentFields,value:o.map(F),modifier:e.modifier};const n=N(e.value,"..");return n.length===2?{operator:"between",field:e.field,parentFields:e.parentFields,value:[F(n[0]),F(n[1])],modifier:e.modifier}:{operator:"equal",field:e.field,parentFields:e.parentFields,value:e.value==="null"?null:F(e.value),modifier:e.modifier}}else if(e.operator==="~")return{operator:"contains",field:e.field,parentFields:e.parentFields,value:F(e.value),modifier:e.modifier};throw new Error(`Unsupported filter clause: ${t}`)}function X(t){const e="^(?<modifier>^-?)",o="(?<field>[a-z][\\w.]*)",n="(?<operator>:|~)",s="(?<value>.+)",r=new RegExp(`^${e}${o}${n}${s}$`,"i"),i=t.match(r);if(!i||!i.groups)throw new Error(`Invalid filter clause: ${t}`);const{operator:l,value:c,modifier:f}=i.groups,a=i.groups.field.split(".");return{field:a.pop(),parentFields:a,operator:l,value:c,modifier:f==="-"?"not":void 0}}function N(t,e){const o=[];let n="",s=!1,r=0;for(let i=0;i<t.length;i++){const l=t[i-1],c=t[i];if(r>0){r--;continue}l!=="\\"&&x.includes(c)&&(s=!s),!s&&t.slice(i,i+e.length)===e?(o.push(n),n="",r=e.length-1):n+=c}return n&&o.push(n),o}function F(t){for(const e of x)if(t.startsWith(e)&&t.endsWith(e))return t.slice(1,-1);return t}function g(t){let e="",o=0,n=!1,s="";const r=[];for(let l=0;l<t.length;l++){const c=t[l],f=t[l+1];if(['"',"'"].includes(c)&&(l===0||t[l-1]!=="\\")){if(!n){n=!0,s=c,e+=c;continue}if(c===s){n=!1,s="",e+=c;continue}}if(n){e+=c;continue}if(o===0){const a=f==="A"&&t.slice(l+1,l+5)===`${h.AND} `;if(c===" "&&a){const $=e.trim();$&&(r.push(S($)),e="");const _=g(t.slice(l+5));return{op:h.AND,conditions:[...r,_]}}const p=f==="O"&&t.slice(l+1,l+4)===`${h.OR} `;if(c===" "&&p){const $=e.trim();$&&(r.push(S($)),e="");const _=g(t.slice(l+4));return{op:h.OR,conditions:[...r,_]}}}if(c==="("){const a=e.trim();o===0&&a&&(r.push(S(a)),e=""),o++,e+=c;continue}if(c===")"){if(o--,e+=c,o===0){const a=e.slice(1,-1);r.push(g(a)),e=""}continue}e+=c}const i=e.trim();return i&&r.push(S(i)),r.length===1?r[0]:{op:h.AND,conditions:r}}function w(t,e,o){if("field"in t){const n=t.parentFields?.length?`${t.parentFields.join(".")}.${t.field}`:t.field;if(!D(n,e))throw new Error(`Invalid filter field: ${n}`);const s=t.parentFields?.length?t.field:o[t.field]||q(t.field);return{...t,field:s}}else return{...t,conditions:t.conditions.map(n=>w(n,e,o))}}function ne(t,e){if(!t)return;const o=r=>e.includes(r),n=r=>{if(m(r)){const i=r.conditions.map(n).filter(l=>l!==null);return i.length===0?null:i.length===1?i[0]:{...r,conditions:i}}else return o(r.field)?null:r};return n(t)||void 0}export{z as applyFilter,J as convertFilterToWhereCondition,ne as excludeFieldsFromFilter,Z as getAllFilterFieldValues,G as getFirstFilterFieldValue,ee as parseFilterQuery};
package/dist/server/web-server/auth.js CHANGED
@@ -1,4 +1,4 @@
1
- import"../node-crypto-polyfill.js";import{DOMParser as U}from"@xmldom/xmldom";import{SignedXml as B}from"xml-crypto";import F from"xpath";import{deflateSync as J,inflateSync as q}from"fflate";import{createHash as H}from"crypto";import{ulid as W}from"ulid";import{AuthProviderType as d,DEFAULT_TEAM_CLAIM_NAME as K}from"@redocly/config";import{AUTH_URL as Q,JWT_SECRET_KEY as _}from"../constants/common.js";import{getPathPrefix as X,withPathPrefix as Y}from"@redocly/theme/core/utils";import{DEFAULT_AUTHENTICATED_TEAM as G,REQUIRED_OIDC_SCOPES as D,ServerRoutes as P}from"../../constants/common.js";import{appendQueryParams as Z}from"../../utils/url/append-query-params.js";import{logger as ee}from"../tools/notifiers/logger.js";import{randomString as te}from"../utils/crypto/random-string.js";import{randomUUID as R}from"../utils/crypto/random-uuid.js";import{AlgorithmTypes as I,JwtTokenExpired as ne}from"./jwt/types.js";import*as p from"./jwt/jwt.js";import{parseTeamClaimToArray as re}from"../utils/index.js";import{arrayBufferToBase64 as oe,decodeBase64 as j,encodeBase64URL as ae,urlSafeBase64 as v}from"./jwt/encode.js";import{formatSamlCertificate as se}from"./utils/format-saml-certificate.js";function E(e){return e?.type===d.OIDC}function ie(e){return e?.type===d.SAML2}async function ze(e,t){if(E(t))return ce(e,t);if(ie(t))return ue(e,t)}async function ce(e,t){const n=await V(e,t),r=new Set((t.scopes||[]).concat(D)),o=t.authorizationRequestCustomParams||{};return{type:d.OIDC,idpId:e,name:"OAuth provider",authorizationEndpoint:n.authorization_endpoint,clientId:t.clientId,responseType:"code",scope:Array.from(r).join(" "),extraParams:o,pkce:t.pkce}}function ue(e,t){return{type:d.SAML2,idpId:e,name:"SAML2 provider",ssoUrl:t.ssoUrl,issuerId:t.issuerId,entityId:t.entityId||t.issuerId}}async function Be(e,t,n,r,o={}){const a=new Set((r.scopes||[]).concat(D));return await fetch(e,{method:"POST",body:new URLSearchParams({client_id:r.clientId,scope:Array.from(a).join(" "),code:t,redirect_uri:N(n),grant_type:"authorization_code",...r.clientSecret?{client_secret:r.clientSecret}:{},...o}).toString(),headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"}}).then(s=>s.json())}function de(e,{authorizationEndpoint:t,clientId:n,responseType:r,scope:o,extraParams:a,idpId:s,pkce:i},l,A,w){if(!t||!n||!r||!o)return{loginUrl:void 0};const u=new URL(t),f=w?.redirectUriOverride??`${e}${Y(P.OIDC_CALLBACK)}`,S={state:R(),idpId:s,redirectUri:f,redirectTo:l,branch:w?.branchOverride??me(e),inviteCode:A,source:w?.sourceOverride??"portal"},h={};if(i){const m=v(te(50)),g=v(H("sha256").update(m).digest("base64")),x="S256";u.searchParams.append("code_challenge",g),u.searchParams.append("code_challenge_method",x),h.code_verifier={value:m,options:{secure:!0,httpOnly:!0,expires:new Date(Date.now()+1e3*60*10),path:X()||"/"}}}u.searchParams.append("client_id",n),u.searchParams.append("scope",o),u.searchParams.append("response_type",r),u.searchParams.append("redirect_uri",N(f)),u.searchParams.append("state",ae(JSON.stringify(S)));for(const m in a)a[m]!==void 0&&u.searchParams.append(m,a[m]);return{loginUrl:u.toString(),cookies:h}}function Fe(e,t,n,r){const o=new URL(e);return o.searchParams.append("post_logout_redirect_uri",t),r&&o.searchParams.append("state",r),o.searchParams.append("id_token_hint",n),o.toString()}async function Je(e){const t=Math.floor(Date.now()/1e3),n=t+(e.ttlSec??600);return p.sign({type:"mcp_auth_code",client_id:e.clientId,redirect_uri:e.redirectUri,id_token:e.idToken,iat:t,exp:n},_)}async function qe(e){const{header:t,payload:n}=p.decode(e),o=Object.values(I).includes(t.alg)?t.alg:I.HS256;if(await p.verify(e,_,o),!n||typeof n!="object")throw new Error("Malformed authorization code");const a=n;if((a.typ??a.type)!=="mcp_auth_code")throw new Error("Invalid authorization code type");const i=n;if(!i.client_id||!i.redirect_uri)throw new Error("Authorization code missing required claims");if(i.exp&&Date.now()>=i.exp*1e3)throw new Error("Authorization code expired");return i}function He(e){const t=e||W(),n=t.startsWith("mcp_")?t:`mcp_${t}`;return{id:n,object:"mcp_session",uri:`urn:redocly:realm:mcp:session:${n}`}}function N(e){return e.match(/^https:\/\/preview-[^\.]+--/)?"https://previewauth--"+e.split("--")[1]:e.match(/^(https:\/\/[^\.]+)--[^\.]+\.preview\./)?e.replace(/^(https:\/\/[^\.]+?)--[^\.]+\.preview\./,"$1.previewauth."):e}function me(e){return e.match(/^(https:\/\/[^\.]+)--([^\.]+)\.preview\./)?.[2]||void 0}function le(e){return e.type===d.OIDC}function pe(e){return e.type===d.SAML2}function We(e,t,n,r){return le(e)?de(t,e,n,r):pe(e)?fe(t,e,n,r):{}}function fe(e,t,n,r){const a=`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
1
+ import"../node-crypto-polyfill.js";import{DOMParser as U}from"@xmldom/xmldom";import{SignedXml as B}from"xml-crypto";import F from"xpath";import{deflateSync as J,inflateSync as q}from"fflate";import{createHash as H}from"crypto";import{ulid as W}from"ulid";import{AuthProviderType as u,DEFAULT_TEAM_CLAIM_NAME as K}from"@redocly/config";import{AUTH_URL as Q,JWT_SECRET_KEY as _}from"../constants/common.js";import{getPathPrefix as X,withPathPrefix as Y}from"@redocly/theme/core/utils";import{DEFAULT_AUTHENTICATED_TEAM as G,REQUIRED_OIDC_SCOPES as D,ServerRoutes as P}from"../../constants/common.js";import{appendQueryParams as Z}from"../../utils/url/append-query-params.js";import{logger as ee}from"../tools/notifiers/logger.js";import{randomString as te}from"../utils/crypto/random-string.js";import{randomUUID as R}from"../utils/crypto/random-uuid.js";import{AlgorithmTypes as I,JwtTokenExpired as ne}from"./jwt/types.js";import*as p from"./jwt/jwt.js";import{parseTeamClaimToArray as re}from"../utils/index.js";import{arrayBufferToBase64 as ae,decodeBase64 as v,encodeBase64URL as oe,urlSafeBase64 as j}from"./jwt/encode.js";import{formatSamlCertificate as se}from"./utils/format-saml-certificate.js";function N(e){return e?.type===u.OIDC}function ie(e){return e?.type===u.SAML2}async function ze(e,t){if(N(t))return ce(e,t);if(ie(t))return ue(e,t)}async function ce(e,t){const n=await V(e,t),r=new Set((t.scopes||[]).concat(D)),a=t.authorizationRequestCustomParams||{};return{type:u.OIDC,idpId:e,name:"OAuth provider",authorizationEndpoint:n.authorization_endpoint,clientId:t.clientId,responseType:"code",scope:Array.from(r).join(" "),extraParams:a,pkce:t.pkce}}function ue(e,t){return{type:u.SAML2,idpId:e,name:"SAML2 provider",ssoUrl:t.ssoUrl,issuerId:t.issuerId,entityId:t.entityId||t.issuerId}}async function Be(e,t,n,r,a={}){const o=new Set((r.scopes||[]).concat(D));return await fetch(e,{method:"POST",body:new URLSearchParams({client_id:r.clientId,scope:Array.from(o).join(" "),code:t,redirect_uri:E(n),grant_type:"authorization_code",...r.clientSecret?{client_secret:r.clientSecret}:{},...a}).toString(),headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"}}).then(s=>s.json())}function de(e,{authorizationEndpoint:t,clientId:n,responseType:r,scope:a,extraParams:o,idpId:s,pkce:l},m,A,w){if(!t||!n||!r||!a)return{loginUrl:void 0};const c=new URL(t),f=w?.redirectUriOverride??`${e}${Y(P.OIDC_CALLBACK)}`,S={state:R(),idpId:s,redirectUri:f,redirectTo:m,branch:w?.branchOverride??me(e),inviteCode:A,source:w?.sourceOverride??"portal"},h={};if(l){const d=j(te(50)),g=j(H("sha256").update(d).digest("base64")),x="S256";c.searchParams.append("code_challenge",g),c.searchParams.append("code_challenge_method",x),h.code_verifier={value:d,options:{secure:!0,httpOnly:!0,expires:new Date(Date.now()+1e3*60*10),path:X()||"/"}}}c.searchParams.append("client_id",n),c.searchParams.append("scope",a),c.searchParams.append("response_type",r),c.searchParams.append("redirect_uri",E(f)),c.searchParams.append("state",oe(JSON.stringify(S)));for(const d in o)o[d]!==void 0&&c.searchParams.append(d,o[d]);return{loginUrl:c.toString(),cookies:h}}function Fe(e,t,n,r){const a=new URL(e);return a.searchParams.append("post_logout_redirect_uri",t),r&&a.searchParams.append("state",r),a.searchParams.append("id_token_hint",n),a.toString()}async function Je(e){const t=Math.floor(Date.now()/1e3),n=t+(e.ttlSec??600);return p.sign({type:"mcp_auth_code",client_id:e.clientId,redirect_uri:e.redirectUri,id_token:e.idToken,iat:t,exp:n},_)}async function qe(e){const{header:t,payload:n}=p.decode(e),a=Object.values(I).includes(t.alg)?t.alg:I.HS256;if(await p.verify(e,_,a),n.type!=="mcp_auth_code")throw new Error("Invalid authorization code type");if(!n.client_id||!n.redirect_uri)throw new Error("Authorization code missing required claims");if(typeof n.exp=="number"&&Date.now()>=n.exp*1e3)throw new Error("Authorization code expired");return n}function He(e){const t=e||W(),n=t.startsWith("mcp_")?t:`mcp_${t}`;return{id:n,object:"mcp_session",uri:`urn:redocly:realm:mcp:session:${n}`}}function E(e){return e.match(/^https:\/\/preview-[^\.]+--/)?"https://previewauth--"+e.split("--")[1]:e.match(/^(https:\/\/[^\.]+)--[^\.]+\.preview\./)?e.replace(/^(https:\/\/[^\.]+?)--[^\.]+\.preview\./,"$1.previewauth."):e}function me(e){return e.match(/^(https:\/\/[^\.]+)--([^\.]+)\.preview\./)?.[2]||void 0}function le(e){return e.type===u.OIDC}function pe(e){return e.type===u.SAML2}function We(e,t,n,r){return le(e)?de(t,e,n,r):pe(e)?fe(t,e,n,r):{}}function fe(e,t,n,r){const o=`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
2
2
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
3
3
  Version="2.0"
4
4
  ID="_${R()}"
@@ -9,4 +9,4 @@ import"../node-crypto-polyfill.js";import{DOMParser as U}from"@xmldom/xmldom";im
9
9
  <samlp:NameIDPolicy
10
10
  AllowCreate="true"
11
11
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
12
- </samlp:AuthnRequest>`,s=he(a);return{loginUrl:Z(t.ssoUrl,{SAMLRequest:s,RelayState:JSON.stringify({idpId:t.idpId,redirectTo:n,inviteCode:r,source:"portal"})})}}function he(e){return oe(J(new TextEncoder().encode(e)).buffer)}function Ke(e){const t=j(e);if(t.startsWith("<samlp:Response")||t.indexOf("<saml2p:Response")>-1)return t;const n=q(new Uint8Array(atob(e).split("").map(r=>r.charCodeAt(0))));return new TextDecoder().decode(n)}function Qe(e){try{return JSON.parse(j(e||""))}catch{throw new Error("Invalid OAuth2 state")}}function Xe(e){const t=new U().parseFromString(e,"application/xml"),r=c(t,"//*[local-name(.)='StatusCode']/@Value")[0]?.nodeValue?.endsWith("Success")||!1,a=c(t,"//*[local-name(.)='Response']/@Destination")[0]?.nodeValue||"",s=c(t,"//*[local-name(.)='Assertion']//*[local-name(.)='Issuer']/text()")[0],i=s&&s.nodeValue||void 0,l=c(t,"//*[local-name(.)='Audience']/text()")[0],A=l&&l.nodeValue||void 0,u=c(t,"//*[local-name(.)='Assertion']//*[local-name(.)='X509Certificate']/text()")[0]?.nodeValue||"",f=c(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/text()")[0],S=f&&f.nodeValue||"",h=c(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/@Format")[0],m=h&&h.nodeValue||"",g=c(t,"//*[local-name(.)='Conditions']/@NotOnOrAfter")[0],x=ye(g),T={},k=c(t,"//*[local-name(.)='AttributeStatement']//*[local-name(.)='Attribute']");if(k.length)for(const C of k){const O=c(C,"./@Name")[0];if(O.nodeValue){const b=c(C,"./*[local-name(.)='AttributeValue']/text()")[0];b?.nodeValue&&(T[O.nodeValue]=b.nodeValue)}}return{uid:S,success:r,expiresAt:x,issuerId:i,entityId:A,attrs:T,cert:u,nameFormat:m,destination:a}}function ye(e){const t=typeof e?.nodeValue=="string"&&L(Date.parse(e.nodeValue)),n=L(Date.now()),r=L(Date.now()+720*60*1e3);return t?t>n&&t<r?r:t:n}function L(e){return Math.floor(e/1e3)}const M={},y={jwks:{}};async function V(e,t){return M[e]||(M[e]=t.configurationUrl?await $(t.configurationUrl):t.configuration),M[e]}async function we(e){for(const t of Object.keys(e)){const n=e[t];if(!E(n))continue;const r=await V(t,n);if(r.jwks_uri){const o=await $(r.jwks_uri);for(const a of o.keys)y.jwks[a.kid]={...a,idpId:t}}}}async function $(e){return fetch(e,{headers:{Accept:"application/json"}}).then(t=>t.json())}async function Ye(e){return fetch(`${Q}/oidc/userinfo`,{headers:{Accept:"application/json",Authorization:`Bearer ${e}`}}).then(t=>t.status===200?t.json():void 0).catch(()=>{})}function Ge(e){if(!e.configurationUrl)return!1;const t=new URL(e.configurationUrl);return["localhost","127.0.0.1","blueharvest.cloud","bhstage.cloud","cloud.redocly.com","beta.redocly.com","cloud.eu.redocly.com","beta.eu.redocly.com","cba.au.redocly.com"].some(r=>Ae(t.hostname,r))}function Ae(e,t){return e===t||e.endsWith(`.${t}`)}async function Ze(e,t){const n=new U().parseFromString(e),r=c(n,"//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];if(!r)throw new Error("Cannot find Signature in the SAML response");const o=se(t),a=new B({publicCert:o});a.loadSignature(r);try{return a.checkSignature(e)}catch{return!1}}function et(e,t,n,r){t==="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"&&(e=n["http://schemas.microsoft.com/identity/claims/objectidentifier"]);let o;(t==="urn:oasis:names:tc:SAML:2.0:nameid-format:email"||t==="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")&&(o=e),t==="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&&e?.match(/.+@.+/)&&(o=e);const a=n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],s=a?.match(/.+@.+/);return o=o||n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]||(s?a:void 0),o=o?.toLowerCase(),{sub:e,given_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],family_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],name:n["http://schemas.microsoft.com/identity/claims/displayname"]||a,email:o,email_verified:!0,teams:r?re(n[r]):[]}}function z(e,t={}){return e.map(n=>t[n]||n)}async function tt(e,t){if(!t)return{};const n=t.authorization;if(!n)return{};try{const r=p.decode(n);if(r.header.alg===I.RS256){y.jwks[r.header.kid]===void 0&&await we(e);const l=y.jwks[r.header.kid];if(!l)return y.jwks[r.header.kid]=null,{};await p.verify(n,l,r.header.alg)}else await p.verify(n,_,r.header.alg);const o=r.payload.idpId||y.jwks[r.header.kid]?.idpId,a=e[o]||{},s=xe(a),i=ge(a);return{...r.payload,email:r.payload.email?.toLowerCase(),idpId:o,teams:Array.from(new Set([...z(r.payload.teams||[],i),..."defaultTeams"in a&&a.defaultTeams||[],...z("teamsClaimName"in a&&r.payload[s||""]||[],i),G])),name:Se(r.payload),isAuthenticated:!0,idpAccessToken:t.idp_access_token,federatedAccessToken:t.federated_access_token,federatedIdToken:t.federated_id_token,authCookie:n}}catch(r){r instanceof ne||ee.error("Malformed JWT token: %s",r.message)}return{}}function Se(e){return e.name||e.given_name||e.email}function ge(e){switch(e.type){case d.SAML2:return e.teamsAttributeMap;case d.OIDC:return e.teamsClaimMap;default:return}}function xe(e){switch(e.type){case d.SAML2:return e.teamsAttributeName;case d.OIDC:return e.teamsClaimName;default:return K}}function c(e,t){return F.select(t,e)||[]}export{We as buildLoginUrl,de as buildOidcLoginUrl,Fe as buildOidcLogoutUrl,fe as buildSAML2LoginUrl,Je as createMcpAuthorizationCode,He as createMcpSessionResource,Ke as decodeSamlResponse,he as encodeSAML2,et as extractUserClaims,ze as getAuthProviderLoginParams,ce as getOidcLoginParams,V as getOidcMetadata,Ye as getRedoclyTokenPayload,ue as getSaml2LoginParams,tt as getUserParamsFromCookies,Se as getUsernameFromPayload,E as isOidcProviderConfig,Ge as isRedoclySso,ie as isSaml2ProviderConfig,Be as oidcExchangeCodeForToken,Qe as parseOidcState,me as parsePreviewBranch,Xe as parseSamlResponse,N as rewritePreviewAuthRedirectUri,qe as verifyMcpAuthorizationCode,Ze as verifySAMLResponse};
12
+ </samlp:AuthnRequest>`,s=he(o);return{loginUrl:Z(t.ssoUrl,{SAMLRequest:s,RelayState:JSON.stringify({idpId:t.idpId,redirectTo:n,inviteCode:r,source:"portal"})})}}function he(e){return ae(J(new TextEncoder().encode(e)).buffer)}function Ke(e){const t=v(e);if(t.startsWith("<samlp:Response")||t.indexOf("<saml2p:Response")>-1)return t;const n=q(new Uint8Array(atob(e).split("").map(r=>r.charCodeAt(0))));return new TextDecoder().decode(n)}function Qe(e){try{return JSON.parse(v(e||""))}catch{throw new Error("Invalid OAuth2 state")}}function Xe(e){const t=new U().parseFromString(e,"application/xml"),r=i(t,"//*[local-name(.)='StatusCode']/@Value")[0]?.nodeValue?.endsWith("Success")||!1,o=i(t,"//*[local-name(.)='Response']/@Destination")[0]?.nodeValue||"",s=i(t,"//*[local-name(.)='Assertion']//*[local-name(.)='Issuer']/text()")[0],l=s&&s.nodeValue||void 0,m=i(t,"//*[local-name(.)='Audience']/text()")[0],A=m&&m.nodeValue||void 0,c=i(t,"//*[local-name(.)='Assertion']//*[local-name(.)='X509Certificate']/text()")[0]?.nodeValue||"",f=i(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/text()")[0],S=f&&f.nodeValue||"",h=i(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/@Format")[0],d=h&&h.nodeValue||"",g=i(t,"//*[local-name(.)='Conditions']/@NotOnOrAfter")[0],x=ye(g),k={},T=i(t,"//*[local-name(.)='AttributeStatement']//*[local-name(.)='Attribute']");if(T.length)for(const C of T){const O=i(C,"./@Name")[0];if(O.nodeValue){const b=i(C,"./*[local-name(.)='AttributeValue']/text()")[0];b?.nodeValue&&(k[O.nodeValue]=b.nodeValue)}}return{uid:S,success:r,expiresAt:x,issuerId:l,entityId:A,attrs:k,cert:c,nameFormat:d,destination:o}}function ye(e){const t=typeof e?.nodeValue=="string"&&L(Date.parse(e.nodeValue)),n=L(Date.now()),r=L(Date.now()+720*60*1e3);return t?t>n&&t<r?r:t:n}function L(e){return Math.floor(e/1e3)}const M={},y={jwks:{}};async function V(e,t){return M[e]||(M[e]=t.configurationUrl?await $(t.configurationUrl):t.configuration),M[e]}async function we(e){for(const t of Object.keys(e)){const n=e[t];if(!N(n))continue;const r=await V(t,n);if(r.jwks_uri){const a=await $(r.jwks_uri);for(const o of a.keys)y.jwks[o.kid]={...o,idpId:t}}}}async function $(e){return fetch(e,{headers:{Accept:"application/json"}}).then(t=>t.json())}async function Ye(e){return fetch(`${Q}/oidc/userinfo`,{headers:{Accept:"application/json",Authorization:`Bearer ${e}`}}).then(t=>t.status===200?t.json():void 0).catch(()=>{})}function Ge(e){if(!e.configurationUrl)return!1;const t=new URL(e.configurationUrl);return["localhost","127.0.0.1","blueharvest.cloud","bhstage.cloud","cloud.redocly.com","beta.redocly.com","cloud.eu.redocly.com","beta.eu.redocly.com","cba.au.redocly.com"].some(r=>Ae(t.hostname,r))}function Ae(e,t){return e===t||e.endsWith(`.${t}`)}async function Ze(e,t){const n=new U().parseFromString(e),r=i(n,"//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];if(!r)throw new Error("Cannot find Signature in the SAML response");const a=se(t),o=new B({publicCert:a});o.loadSignature(r);try{return o.checkSignature(e)}catch{return!1}}function et(e,t,n,r){t==="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"&&(e=n["http://schemas.microsoft.com/identity/claims/objectidentifier"]);let a;(t==="urn:oasis:names:tc:SAML:2.0:nameid-format:email"||t==="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")&&(a=e),t==="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&&e?.match(/.+@.+/)&&(a=e);const o=n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],s=o?.match(/.+@.+/);return a=a||n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]||(s?o:void 0),a=a?.toLowerCase(),{sub:e,given_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],family_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],name:n["http://schemas.microsoft.com/identity/claims/displayname"]||o,email:a,email_verified:!0,teams:r?re(n[r]):[]}}function z(e,t={}){return e.map(n=>t[n]||n)}async function tt(e,t){if(!t)return{};const n=t.authorization;if(!n)return{};try{const r=p.decode(n);if(r.header.alg===I.RS256){y.jwks[r.header.kid]===void 0&&await we(e);const m=y.jwks[r.header.kid];if(!m)return y.jwks[r.header.kid]=null,{};await p.verify(n,m,r.header.alg)}else await p.verify(n,_,r.header.alg);const a=r.payload.idpId||y.jwks[r.header.kid]?.idpId,o=e[a]||{},s=xe(o),l=ge(o);return{...r.payload,email:r.payload.email?.toLowerCase(),idpId:a,teams:Array.from(new Set([...z(r.payload.teams||[],l),..."defaultTeams"in o&&o.defaultTeams||[],...z("teamsClaimName"in o&&r.payload[s||""]||[],l),G])),name:Se(r.payload),isAuthenticated:!0,idpAccessToken:t.idp_access_token,federatedAccessToken:t.federated_access_token,federatedIdToken:t.federated_id_token,authCookie:n}}catch(r){r instanceof ne||ee.error("Malformed JWT token: %s",r.message)}return{}}function Se(e){return e.name||e.given_name||e.email}function ge(e){switch(e.type){case u.SAML2:return e.teamsAttributeMap;case u.OIDC:return e.teamsClaimMap;default:return}}function xe(e){switch(e.type){case u.SAML2:return e.teamsAttributeName;case u.OIDC:return e.teamsClaimName;default:return K}}function i(e,t){return F.select(t,e)||[]}export{We as buildLoginUrl,de as buildOidcLoginUrl,Fe as buildOidcLogoutUrl,fe as buildSAML2LoginUrl,Je as createMcpAuthorizationCode,He as createMcpSessionResource,Ke as decodeSamlResponse,he as encodeSAML2,et as extractUserClaims,ze as getAuthProviderLoginParams,ce as getOidcLoginParams,V as getOidcMetadata,Ye as getRedoclyTokenPayload,ue as getSaml2LoginParams,tt as getUserParamsFromCookies,Se as getUsernameFromPayload,N as isOidcProviderConfig,Ge as isRedoclySso,ie as isSaml2ProviderConfig,Be as oidcExchangeCodeForToken,Qe as parseOidcState,me as parsePreviewBranch,Xe as parseSamlResponse,E as rewritePreviewAuthRedirectUri,qe as verifyMcpAuthorizationCode,Ze as verifySAMLResponse};
package/dist/server/web-server/routes/auth.d.ts CHANGED
@@ -4,6 +4,7 @@ export declare function authorizeHandler(ctx: Context): Promise<Response>;
4
4
  export declare function redoclyLoginCallbackHandler(): Handler;
5
5
  export declare function oidcCallbackHandler(store: Store): Handler;
6
6
  export declare function logoutHandler(store: Store): (ctx: Context) => Promise<Response>;
7
+ export declare function postLogoutHandler(store: Store): (ctx: Context) => Promise<Response>;
7
8
  export declare function inviteHandler(store: Store): (ctx: Context) => Promise<Response>;
8
9
  export declare function idpLoginHandler(store: Store): (ctx: Context) => Promise<Response>;
9
10
  export declare function samlCallbackHandler(store: Store): Handler;
package/dist/server/web-server/routes/auth.js CHANGED
@@ -1 +1 @@
1
- import{setCookie as L,deleteCookie as q}from"hono/cookie";import{AuthProviderType as G}from"@redocly/config";import{withPathPrefix as M,getPathPrefix as C}from"@redocly/theme/core/utils";import{compareURIs as X}from"../../../utils/url/compare-uris.js";import{ensureArray as U}from"../../../utils/array/ensure-array.js";import{ALTERNATIVE_AUD_CLAIM_NAME as E,JWT_SECRET_KEY as v,ORG_SLUG as W}from"../../constants/common.js";import{DEFAULT_COOKIE_EXPIRATION as F,ServerRoutes as D}from"../../../constants/common.js";import{sanitizeRedirectPathname as B}from"../../../utils/url/sanitize-redirect-pathname.js";import{telemetry as k}from"../../telemetry/index.js";import{getAuthProviderLoginParams as Y,isOidcProviderConfig as $,isSaml2ProviderConfig as Q,oidcExchangeCodeForToken as Z,buildLoginUrl as x,decodeSamlResponse as ee,extractUserClaims as re,parseSamlResponse as oe,parseOidcState as ne,verifySAMLResponse as te,getUsernameFromPayload as ie,buildOidcLogoutUrl as se,getOidcMetadata as z,getRedoclyTokenPayload as ae,isRedoclySso as de,rewritePreviewAuthRedirectUri as ce,parsePreviewBranch as N,buildOidcLoginUrl as le,createMcpSessionResource as I}from"../auth.js";import*as S from"../jwt/jwt.js";import{AlgorithmTypes as ue}from"../jwt/types.js";import{handleErrorPageRender as pe}from"../utils.js";import{encodeBase64URL as ge}from"../jwt/encode.js";async function Oe(s){if(process.env.NODE_ENV==="production")return s.newResponse(null,404,{});const{password:e,...o}=await s.req.json(),a=await S.sign({...o,name:o.username||o.email||"Unknown"},v);return L(s,"authorization",a,{path:C()||"/",httpOnly:!0,secure:!0,sameSite:"none"}),s.newResponse(null,200,{})}function Pe(){return async s=>{const e=s.get("logger"),o=encodeURIComponent(s.req.query("message")||"");e.error(`Login error: ${o}`);const a=`${D.LOGIN}/?error=${encodeURIComponent(o)}`;return s.newResponse(null,301,{Location:a})}}function j(s){if(!s||!s.includes(D.MCP_CALLBACK))return null;try{const e=s.split("/"),o=e[e.length-1];if(o){const a=Buffer.from(o,"base64url").toString("utf-8");return JSON.parse(a).mcpSessionId||null}}catch{}return null}function Se(s){return async e=>{const o=e.get("logger"),a=s.getConfig().ssoDirect,n=ne(e.req.query("state")),f=n.idpId,t=n.source==="mcp"||n.redirectTo&&typeof n.redirectTo=="string"&&n.redirectTo.includes(D.MCP_CALLBACK),c=t?j(typeof n.redirectTo=="string"?n.redirectTo:void 0):null,i=a?.[f];if(!$(i))return o.error("OIDC login error: missing OIDC provider config"),e.text("Forbidden",403);const d=await z(f,i);if(a&&!d.token_endpoint){const p="Invalid OIDC configuration: token_endpoint is required";return o.error(`OIDC login error: ${p}`),e.text(p,500)}try{const p=d.token_endpoint,l=e.req.query("code"),m=e.req.query("error");if(m)return t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:`OIDC error: ${m}`,error_details:e.req.query("error_description")||null}),pe(e,s,{slug:"/"},403,"403OIDC");if(!l){const h="Code is expected but not present";return o.error(`OIDC login error: ${h}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:h,error_details:null}),new Response(`Forbidden: ${h}`,{status:403})}const y=e.req.header("x-forwarded-host"),g=e.req.header("x-forwarded-proto")||"https",A=t&&typeof n.redirectUri=="string"?n.redirectUri:new URL(M(D.OIDC_CALLBACK),y?`${g}://${y}`:e.req.url).toString(),_=e.get("cookies")?.code_verifier,u=await Z(p,l,A,i,{...i.tokenRequestCustomParams,..._?{code_verifier:_}:{}});if(u.error)return o.error(`Error from OIDC provider: "${u.error}"`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:`Token exchange error: ${u.error}`,error_details:u.error_description||null}),e.text(`Forbidden: ${u.error_description||u.error}`,403);if(!u?.id_token){const h="No id_token, please, add openid to scopes";return o.error(`OIDC login error: ${h}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:h,error_details:null}),new Response(`Forbidden: ${h}`,{status:403})}const{payload:r,header:T}=S.decode(u.id_token),H=T.alg===ue.RS256;if(i.audience?.length&&![...U(r.aud||[]),...U(r[E]||[])].some(R=>i.audience?.includes(R))){const R="No valid audience found in id_token";return o.error(`OIDC login error: ${R}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:R,error_details:null}),new Response(`Forbidden: ${R}`)}const b=H?u.id_token:await S.sign({...r,idpId:f},v);ie(r)||o.warn("To display your username, the required 'email' or 'full_profile' scope must be added to the identity provider configuration");const O=i?.tokenExpirationTime?Date.now()+i.tokenExpirationTime*1e3:r.exp*1e3||Date.now()+F*1e3;if(i.introspectEndpoint){const h=await fetch(i.introspectEndpoint,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({access_token:u.access_token})});if(h.ok){const P=(await h.json()).ext?.federatedIdentity;P&&(L(e,"federated_access_token",P.access_token||"",{path:C()||"/",httpOnly:!1,expires:new Date(O)}),L(e,"federated_id_token",P.id_token||"",{path:C()||"/",httpOnly:!1,expires:new Date(O)}))}else o.warn(`OIDC introspect error: ${h.statusText}`)}if(L(e,"authorization",b,{path:C()||"/",httpOnly:!0,expires:new Date(O)}),b!==u.id_token&&L(e,"idp_id_token",u.id_token||"",{path:C()||"/",httpOnly:!0,expires:new Date(O)}),L(e,"idp_access_token",u.access_token||"",{path:C()||"/",httpOnly:!0,expires:new Date(O)}),q(e,"code_verifier",{path:C()||"/"}),t&&n.redirectTo&&typeof n.redirectTo=="string"&&n.redirectTo.includes(D.MCP_CALLBACK)){const h=e.req.url.split("?")[0].replace(D.OIDC_CALLBACK,""),R=M(n.redirectTo),P=`${h}${R}`;return e.newResponse(null,302,{Location:P})}const K=typeof n.redirectTo=="string"?n.redirectTo:void 0;let J=B(new URL(K||"/",e.req.url).pathname);const V=e.newResponse(null,302,{Location:J});return o.updateContext({email:r.email,subject:r.sub}),o.info("OIDC login successful"),V}catch(p){const l=p instanceof Error?p.message:String(p),m=p instanceof Error?p.stack:String(p);if(o.error(`OIDC login error: ${l}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:l,error_details:m}),p.error==="access_denied")return o.info("Access denied"),e.text("Forbidden",403)}const w="Something went wrong";return o.error(`OIDC login error: ${w}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:w,error_details:null}),e.text(w,500)}}function ve(s){return async e=>{const o=e.get("logger"),n=e.get("auth").claims?.idpId,t=s.getConfig().ssoDirect?.[n];if(e.req.method==="POST")return $(t)||q(e,"authorization",{path:C()||"/"}),o.info("Logout successful"),e.newResponse(null,200,{});let c;if($(t)){const i=(await z(n,t)).end_session_endpoint;if(i){const d=new URL(e.req.url),w=e.req.header("x-forwarded-proto")||d.protocol.slice(0,-1)||"https",p=e.req.header("x-forwarded-host")||d.host,l=`${w}://${p}`,m=N(l),y=m?ge(JSON.stringify({branch:N(l)})):void 0,g=m?`${ce(l)}/_auth/logout`:l;c=se(i,g,e.get("cookies")?.idp_id_token||e.get("cookies")?.authorization||"",y)}}return o.info("Logout successful"),q(e,"authorization",{path:C()||"/"}),e.newResponse(null,302,{Location:c||M("/")})}}function $e(s){return async e=>{const o=e.get("logger"),a=e.req.param("code"),n=process.env.BH_API_URL,f=(t,c,i)=>t&&c?`${t} ${c.charAt(0)}`:i;try{if(!n)throw new Error("BH_API_URL is not set");const t=s.getConfig().ssoDirect;if(!t||!Object.keys(t).length)return o.warn("Invite no sso configured to handle"),e.redirect(M("/"));const c=await fetch(`${n}/user-invites/public/${a}`);if(!c.ok)return c.status===404?(o.warn(`Invite ${a} not found redirect to homepage`),e.redirect(M("/"))):(o.error("Invite error",await c.text()),e.redirect(M("/")));const i=await c.json(),d=new URL(M("/invite"),e.req.url);return d.searchParams.set("code",a),d.searchParams.set("org",i.organization.name),d.searchParams.set("invitedBy",f(i.invitedBy.firstName,i.invitedBy.lastName,i.invitedBy.name)),e.newResponse(null,302,{Location:d.toString()})}catch(t){return o.error("Error processing invite",{error:t,inviteCode:a}),e.text(t.message||"Failed to process invite",400)}}}function Te(s){return async e=>{const o=e.get("logger"),a=s.getConfig().ssoDirect,n=new URL(e.req.url),f=e.req.query("inviteCode"),t=e.req.header("x-forwarded-proto")||n.protocol.slice(0,-1)||"https",c=e.req.header("x-forwarded-host")||n.host,i=`${t}://${c}`;let d=n.searchParams.get("idpId");const w=n.searchParams.get("redirectTo"),p=Object.keys(a||{})[0];d=d||p;const l=n.searchParams.get("mcp_redirect_uri"),m=!!l;if(!a?.[d]){const r="Invalid idpId";if(o.error(`IdP login error: ${r}`),m){const T=j(w||void 0);k.sendMcpAuthorizationFailedMessage({...I(T),error:r,error_details:null})}return e.text(`Forbidden: ${r}`,403)}const g=d&&a?await Y(d,a[d]):void 0,A={};for(const r of Object.keys(g?.extraParams||{}))A[r]=n.searchParams.get(r)||g?.extraParams?.[r]||void 0;let _,u={};if(m&&l&&g&&g.type===G.OIDC){o.info(`Building MCP OAuth login URL with redirect_uri: ${l}`);const r=le("",{...g,extraParams:A},w,f,{redirectUriOverride:l,sourceOverride:"mcp",branchOverride:void 0});_=r.loginUrl,u=r.cookies||{}}else if(g){const r=x({...g,extraParams:A},i,w,f);_=r.loginUrl,u=r.cookies||{}}return Object.keys(u).forEach(r=>{L(e,r,u[r].value,u[r].options)}),o.info(`IdP login initiated for ID '${d}'`),e.newResponse(null,302,{Location:_||new URL(e.req.url).pathname})}}function qe(s){return async e=>{const o=e.get("logger"),a=await e.req.formData(),n=a.get("SAMLResponse"),f=a.get("RelayState");if(typeof n!="string"||typeof f!="string"){const r="SAMLResponse is required";return o.error(`SAML2 login error: ${r}`),e.text(`Bad request: ${r}`,400)}const t=ee(n),{success:c,uid:i,nameFormat:d,attrs:w,issuerId:p,expiresAt:l}=oe(t),{idpId:m,redirectTo:y}=JSON.parse(f);if(!c){const r="SAML2 assertion is not successful";return o.error(`SAML2 login error: ${r}`),e.text(`Permission denied: ${r}`,401)}if(!l||Math.ceil(Date.now()/1e3)>=l){const r="SAML2 Token Expired";return o.error(`SAML2 login error: ${r}`),e.text(r,401)}const g=s.getConfig().ssoDirect?.[m];if(!g||!Q(g)){const r="Cannot find valid IdP";return o.error(`SAML2 login error: ${r}`),e.text(`Permission denied: ${r}`,401)}if(!(g.issuerId&&p&&X(g.issuerId,p))){const r="IssuerID is misconfigured or untrusted assertions issuer received";return o.error(`SAML2 login error: ${r}`),e.text(`Permission denied: ${r}`,401)}if(!await te(t,g.x509PublicCert)){const r="SAMLResponse signature invalid";return o.error(`SAML2 login error: ${r}`),e.text(r,401)}const _=re(i,d,w,g.teamsAttributeName);if(!_.sub){const r="The provider did not return a valid user identity.";return o.error(`SAML2 login error: ${r}`),e.text(r,400)}if(!_.email){const r="The provider did not return a valid user email.";return o.error(`SAML2 login error: ${r}`),e.text(r,400)}const u=await S.sign({..._,idpId:m},v);return L(e,"authorization",u,{path:C()||"/",httpOnly:!0,expires:new Date(l*1e3)}),o.updateContext({email:_.email,subject:_.sub}),o.info("SAML2 login successful"),e.newResponse(null,302,{Location:y||"/"})}}function Ue(s){return async e=>{const o=e.get("logger"),a=new URL(e.req.query("redirectTo")||"/",e.req.url),n=M(B(a.pathname)),f=s.getConfig().ssoDirect,t=Object.entries(f||{}).find(([,y])=>$(y)&&de(y));if(!(f&&t))return e.newResponse(null,302,{Location:n});const i=e.req.query("token"),d=i&&await ae(i);if(!d)return e.newResponse(null,302,{Location:n});if(!U(d[E]||[]).some(y=>y===W))return e.newResponse(null,302,{Location:n});const l=await S.sign({...d,idpId:t?.at(0)},v),m=Date.now()+F*1e3;return L(e,"authorization",l,{path:C()||"/",httpOnly:!0,expires:new Date(m),sameSite:"None",secure:!0}),o.info("Token login successful"),e.newResponse(null,302,{Location:n})}}export{Oe as authorizeHandler,Te as idpLoginHandler,$e as inviteHandler,ve as logoutHandler,Se as oidcCallbackHandler,Pe as redoclyLoginCallbackHandler,Ue as redoclyTokenLoginHandler,qe as samlCallbackHandler};
1
+ import{setCookie as L,deleteCookie as T}from"hono/cookie";import{AuthProviderType as G}from"@redocly/config";import{withPathPrefix as R,getPathPrefix as _}from"@redocly/theme/core/utils";import{compareURIs as X}from"../../../utils/url/compare-uris.js";import{ensureArray as q}from"../../../utils/array/ensure-array.js";import{ALTERNATIVE_AUD_CLAIM_NAME as E,JWT_SECRET_KEY as v,ORG_SLUG as W}from"../../constants/common.js";import{DEFAULT_COOKIE_EXPIRATION as F,ServerRoutes as D}from"../../../constants/common.js";import{sanitizeRedirectPathname as B}from"../../../utils/url/sanitize-redirect-pathname.js";import{telemetry as k}from"../../telemetry/index.js";import{getAuthProviderLoginParams as Y,isOidcProviderConfig as $,isSaml2ProviderConfig as Q,oidcExchangeCodeForToken as Z,buildLoginUrl as x,decodeSamlResponse as ee,extractUserClaims as re,parseSamlResponse as oe,parseOidcState as ne,verifySAMLResponse as te,getUsernameFromPayload as ie,buildOidcLogoutUrl as se,getOidcMetadata as z,getRedoclyTokenPayload as ae,isRedoclySso as de,rewritePreviewAuthRedirectUri as ce,parsePreviewBranch as N,buildOidcLoginUrl as le,createMcpSessionResource as I}from"../auth.js";import*as S from"../jwt/jwt.js";import{AlgorithmTypes as ue}from"../jwt/types.js";import{handleErrorPageRender as pe}from"../utils.js";import{encodeBase64URL as ge}from"../jwt/encode.js";async function Oe(i){if(process.env.NODE_ENV==="production")return i.newResponse(null,404,{});const{password:e,...r}=await i.req.json(),a=await S.sign({...r,name:r.username||r.email||"Unknown"},v);return L(i,"authorization",a,{path:_()||"/",httpOnly:!0,secure:!0,sameSite:"none"}),i.newResponse(null,200,{})}function Pe(){return async i=>{const e=i.get("logger"),r=encodeURIComponent(i.req.query("message")||"");e.error(`Login error: ${r}`);const a=`${D.LOGIN}/?error=${encodeURIComponent(r)}`;return i.newResponse(null,301,{Location:a})}}function H(i){if(!i||!i.includes(D.MCP_CALLBACK))return null;try{const e=i.split("/"),r=e[e.length-1];if(r){const a=Buffer.from(r,"base64url").toString("utf-8");return JSON.parse(a).mcpSessionId||null}}catch{}return null}function Se(i){return async e=>{const r=e.get("logger"),a=i.getConfig().ssoDirect,n=ne(e.req.query("state")),f=n.idpId,t=n.source==="mcp"||n.redirectTo&&typeof n.redirectTo=="string"&&n.redirectTo.includes(D.MCP_CALLBACK),c=t?H(typeof n.redirectTo=="string"?n.redirectTo:void 0):null,s=a?.[f];if(!$(s))return r.error("OIDC login error: missing OIDC provider config"),e.text("Forbidden",403);const d=await z(f,s);if(a&&!d.token_endpoint){const p="Invalid OIDC configuration: token_endpoint is required";return r.error(`OIDC login error: ${p}`),e.text(p,500)}try{const p=d.token_endpoint,l=e.req.query("code"),m=e.req.query("error");if(m)return t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:`OIDC error: ${m}`,error_details:e.req.query("error_description")||null}),pe(e,i,{slug:"/"},403,"403OIDC");if(!l){const h="Code is expected but not present";return r.error(`OIDC login error: ${h}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:h,error_details:null}),new Response(`Forbidden: ${h}`,{status:403})}const y=e.req.header("x-forwarded-host"),g=e.req.header("x-forwarded-proto")||"https",A=t&&typeof n.redirectUri=="string"?n.redirectUri:new URL(R(D.OIDC_CALLBACK),y?`${g}://${y}`:e.req.url).toString(),C=e.get("cookies")?.code_verifier,u=await Z(p,l,A,s,{...s.tokenRequestCustomParams,...C?{code_verifier:C}:{}});if(u.error)return r.error(`Error from OIDC provider: "${u.error}"`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:`Token exchange error: ${u.error}`,error_details:u.error_description||null}),e.text(`Forbidden: ${u.error_description||u.error}`,403);if(!u?.id_token){const h="No id_token, please, add openid to scopes";return r.error(`OIDC login error: ${h}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:h,error_details:null}),new Response(`Forbidden: ${h}`,{status:403})}const{payload:o,header:U}=S.decode(u.id_token),j=U.alg===ue.RS256;if(s.audience?.length&&![...q(o.aud||[]),...q(o[E]||[])].some(M=>s.audience?.includes(M))){const M="No valid audience found in id_token";return r.error(`OIDC login error: ${M}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:M,error_details:null}),new Response(`Forbidden: ${M}`)}const b=j?u.id_token:await S.sign({...o,idpId:f},v);ie(o)||r.warn("To display your username, the required 'email' or 'full_profile' scope must be added to the identity provider configuration");const O=s?.tokenExpirationTime?Date.now()+s.tokenExpirationTime*1e3:o.exp*1e3||Date.now()+F*1e3;if(s.introspectEndpoint){const h=await fetch(s.introspectEndpoint,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({access_token:u.access_token})});if(h.ok){const P=(await h.json()).ext?.federatedIdentity;P&&(L(e,"federated_access_token",P.access_token||"",{path:_()||"/",httpOnly:!1,expires:new Date(O)}),L(e,"federated_id_token",P.id_token||"",{path:_()||"/",httpOnly:!1,expires:new Date(O)}))}else r.warn(`OIDC introspect error: ${h.statusText}`)}if(L(e,"authorization",b,{path:_()||"/",httpOnly:!0,expires:new Date(O)}),b!==u.id_token&&L(e,"idp_id_token",u.id_token||"",{path:_()||"/",httpOnly:!0,expires:new Date(O)}),L(e,"idp_access_token",u.access_token||"",{path:_()||"/",httpOnly:!0,expires:new Date(O)}),T(e,"code_verifier",{path:_()||"/"}),t&&n.redirectTo&&typeof n.redirectTo=="string"&&n.redirectTo.includes(D.MCP_CALLBACK)){const h=e.req.url.split("?")[0].replace(D.OIDC_CALLBACK,""),M=R(n.redirectTo),P=`${h}${M}`;return e.newResponse(null,302,{Location:P})}const K=typeof n.redirectTo=="string"?n.redirectTo:void 0;let J=B(new URL(K||"/",e.req.url).pathname);const V=e.newResponse(null,302,{Location:J});return r.updateContext({email:o.email,subject:o.sub}),r.info("OIDC login successful"),V}catch(p){const l=p instanceof Error?p.message:String(p),m=p instanceof Error?p.stack:String(p);if(r.error(`OIDC login error: ${l}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:l,error_details:m}),p.error==="access_denied")return r.info("Access denied"),e.text("Forbidden",403)}const w="Something went wrong";return r.error(`OIDC login error: ${w}`),t&&k.sendMcpAuthorizationFailedMessage({...I(c),error:w,error_details:null}),e.text(w,500)}}function ve(i){return async e=>{const r=e.get("logger"),n=e.get("auth").claims?.idpId,t=i.getConfig().ssoDirect?.[n];if(e.req.method==="POST")return $(t)||T(e,"authorization",{path:_()||"/"}),r.info("Logout successful"),e.newResponse(null,200,{});let c;if($(t)){const s=(await z(n,t)).end_session_endpoint;if(s){const d=new URL(e.req.url),w=e.req.header("x-forwarded-proto")||d.protocol.slice(0,-1)||"https",p=e.req.header("x-forwarded-host")||d.host,l=`${w}://${p}`,m=N(l),y=m?ge(JSON.stringify({branch:N(l)})):void 0,g=m?`${ce(l)}/_auth/logout`:`${l}/post-logout`;c=se(s,g,e.get("cookies")?.idp_id_token||e.get("cookies")?.authorization||"",y)}}return r.info("Logout successful"),T(e,"authorization",{path:_()||"/"}),e.newResponse(null,302,{Location:c||R("/")})}}function $e(i){return async e=>{const r=i.getConfig().logoutReturnUrl,a=r||R("/");return e.newResponse(null,302,{Location:a})}}function Ue(i){return async e=>{const r=e.get("logger"),a=e.req.param("code"),n=process.env.BH_API_URL,f=(t,c,s)=>t&&c?`${t} ${c.charAt(0)}`:s;try{if(!n)throw new Error("BH_API_URL is not set");const t=i.getConfig().ssoDirect;if(!t||!Object.keys(t).length)return r.warn("Invite no sso configured to handle"),e.redirect(R("/"));const c=await fetch(`${n}/user-invites/public/${a}`);if(!c.ok)return c.status===404?(r.warn(`Invite ${a} not found redirect to homepage`),e.redirect(R("/"))):(r.error("Invite error",await c.text()),e.redirect(R("/")));const s=await c.json(),d=new URL(R("/invite"),e.req.url);return d.searchParams.set("code",a),d.searchParams.set("org",s.organization.name),d.searchParams.set("invitedBy",f(s.invitedBy.firstName,s.invitedBy.lastName,s.invitedBy.name)),e.newResponse(null,302,{Location:d.toString()})}catch(t){return r.error("Error processing invite",{error:t,inviteCode:a}),e.text(t.message||"Failed to process invite",400)}}}function Te(i){return async e=>{const r=e.get("logger"),a=i.getConfig().ssoDirect,n=new URL(e.req.url),f=e.req.query("inviteCode"),t=e.req.header("x-forwarded-proto")||n.protocol.slice(0,-1)||"https",c=e.req.header("x-forwarded-host")||n.host,s=`${t}://${c}`;let d=n.searchParams.get("idpId");const w=n.searchParams.get("redirectTo"),p=Object.keys(a||{})[0];d=d||p;const l=n.searchParams.get("mcp_redirect_uri"),m=!!l;if(!a?.[d]){const o="Invalid idpId";if(r.error(`IdP login error: ${o}`),m){const U=H(w||void 0);k.sendMcpAuthorizationFailedMessage({...I(U),error:o,error_details:null})}return e.text(`Forbidden: ${o}`,403)}const g=d&&a?await Y(d,a[d]):void 0,A={};for(const o of Object.keys(g?.extraParams||{}))A[o]=n.searchParams.get(o)||g?.extraParams?.[o]||void 0;let C,u={};if(m&&l&&g&&g.type===G.OIDC){r.info(`Building MCP OAuth login URL with redirect_uri: ${l}`);const o=le("",{...g,extraParams:A},w,f,{redirectUriOverride:l,sourceOverride:"mcp",branchOverride:void 0});C=o.loginUrl,u=o.cookies||{}}else if(g){const o=x({...g,extraParams:A},s,w,f);C=o.loginUrl,u=o.cookies||{}}return Object.keys(u).forEach(o=>{L(e,o,u[o].value,u[o].options)}),r.info(`IdP login initiated for ID '${d}'`),e.newResponse(null,302,{Location:C||new URL(e.req.url).pathname})}}function qe(i){return async e=>{const r=e.get("logger"),a=await e.req.formData(),n=a.get("SAMLResponse"),f=a.get("RelayState");if(typeof n!="string"||typeof f!="string"){const o="SAMLResponse is required";return r.error(`SAML2 login error: ${o}`),e.text(`Bad request: ${o}`,400)}const t=ee(n),{success:c,uid:s,nameFormat:d,attrs:w,issuerId:p,expiresAt:l}=oe(t),{idpId:m,redirectTo:y}=JSON.parse(f);if(!c){const o="SAML2 assertion is not successful";return r.error(`SAML2 login error: ${o}`),e.text(`Permission denied: ${o}`,401)}if(!l||Math.ceil(Date.now()/1e3)>=l){const o="SAML2 Token Expired";return r.error(`SAML2 login error: ${o}`),e.text(o,401)}const g=i.getConfig().ssoDirect?.[m];if(!g||!Q(g)){const o="Cannot find valid IdP";return r.error(`SAML2 login error: ${o}`),e.text(`Permission denied: ${o}`,401)}if(!(g.issuerId&&p&&X(g.issuerId,p))){const o="IssuerID is misconfigured or untrusted assertions issuer received";return r.error(`SAML2 login error: ${o}`),e.text(`Permission denied: ${o}`,401)}if(!await te(t,g.x509PublicCert)){const o="SAMLResponse signature invalid";return r.error(`SAML2 login error: ${o}`),e.text(o,401)}const C=re(s,d,w,g.teamsAttributeName);if(!C.sub){const o="The provider did not return a valid user identity.";return r.error(`SAML2 login error: ${o}`),e.text(o,400)}if(!C.email){const o="The provider did not return a valid user email.";return r.error(`SAML2 login error: ${o}`),e.text(o,400)}const u=await S.sign({...C,idpId:m},v);return L(e,"authorization",u,{path:_()||"/",httpOnly:!0,expires:new Date(l*1e3)}),r.updateContext({email:C.email,subject:C.sub}),r.info("SAML2 login successful"),e.newResponse(null,302,{Location:y||"/"})}}function be(i){return async e=>{const r=e.get("logger"),a=new URL(e.req.query("redirectTo")||"/",e.req.url),n=R(B(a.pathname)),f=i.getConfig().ssoDirect,t=Object.entries(f||{}).find(([,y])=>$(y)&&de(y));if(!(f&&t))return e.newResponse(null,302,{Location:n});const s=e.req.query("token"),d=s&&await ae(s);if(!d)return e.newResponse(null,302,{Location:n});if(!q(d[E]||[]).some(y=>y===W))return e.newResponse(null,302,{Location:n});const l=await S.sign({...d,idpId:t?.at(0)},v),m=Date.now()+F*1e3;return L(e,"authorization",l,{path:_()||"/",httpOnly:!0,expires:new Date(m),sameSite:"None",secure:!0}),r.info("Token login successful"),e.newResponse(null,302,{Location:n})}}export{Oe as authorizeHandler,Te as idpLoginHandler,Ue as inviteHandler,ve as logoutHandler,Se as oidcCallbackHandler,$e as postLogoutHandler,Pe as redoclyLoginCallbackHandler,be as redoclyTokenLoginHandler,qe as samlCallbackHandler};
package/dist/server/web-server/routes/index.js CHANGED
@@ -1 +1 @@
1
- import{serveStatic as f}from"hono/serve-static";import{withPathPrefix as e,withoutPathPrefix as s}from"@redocly/theme/core/utils";import{ServerRoutes as i}from"../../../constants/common.js";import{PUBLIC_STATIC_FOLDER as R}from"../../constants/common.js";import{authMiddleware as c}from"../middleware/authMiddleware.js";import{ensureSearchData as g}from"../middleware/ensureSearchData.js";import{dynamicMiddleware as S}from"../middleware/dynamic-middleware/dynamic-middleware.js";import{installRoutes as r}from"../../plugins/dev-onboarding/api/routes/index.js";import{authorizeHandler as I,oidcCallbackHandler as P,logoutHandler as T,idpLoginHandler as h,redoclyLoginCallbackHandler as D,samlCallbackHandler as N,redoclyTokenLoginHandler as M,inviteHandler as B}from"./auth.js";import{appDataHandler as U}from"./app-data.js";import{searchFacetsHandler as G,searchHandler as w}from"./search.js";import{dynamicRouteHandler as F}from"./dynamic-route.js";import{pageDataHandler as v,sharedPageDataHandler as K}from"./page-data.js";import{pathPrefixRedirectHandler as y}from"./path-prefix-redirect.js";import{getRoutesByLineHandler as E,resolvePathHandler as o,resolvePathsHandler as k,resolveSlugHandler as p}from"./resolve-route.js";import{feedbackHandler as Y}from"./feedback.js";import{loggerMiddleware as b}from"../middleware/loggerMiddleware.js";import{responseHeadersMiddleware as V}from"../middleware/responseHeadersMiddleware.js";import{idleTimeoutMiddleware as x}from"../middleware/idleTimeoutMiddleware.js";import{otelTracesHandler as z}from"./otel/otel.js";import{healthCheckHandler as Z}from"./health.js";import{askAiHandler as $}from"./ask-ai.js";import{replayOauth2RedirectCallbackHandler as q}from"./replay-oauth2-redirect.js";import{mcpOAuthProtectedResourceHandler as W,mcpOAuthAuthorizationServerHandler as j,mcpDynamicClientRegistrationHandler as J,mcpAuthorizationHandler as Q,mcpTokenPortalHandler as X,mcpCallbackHandler as _}from"./mcp-oauth.js";import{corsMiddleware as O}from"../middleware/corsMiddleware.js";import{installApiRoutes as u}from"./api-routes/api-routes.js";import{cookieMiddleware as aa}from"../middleware/cookieMiddleware.js";import{staticContentHandler as ea}from"../routes/static-content.js";import{infoHandler as C}from"./info.js";import{catalogHandler as ia}from"./catalog/catalog.js";import{catalogRelationsHandler as la}from"./catalog/catalog-relations.js";import{bffCatalogHandler as ma}from"./catalog/bff-catalog.js";import{bffCatalogRevisionsHandler as ta}from"./catalog/bff-catalog-revisions.js";import{bffCatalogRelatedEntitiesHandler as na}from"./catalog/bff-catalog-related-entities.js";import{catalogAuthMiddleware as L}from"../middleware/catalogAuthMiddleware.js";import{telemetryMiddleware as Aa}from"../middleware/telemetry-middleware.js";import{errorHandler as da}from"./error.js";function qa(a,l,m){const{resolveRouteData:n,readStaticAsset:A}=m;a.use("*",x()),a.use("*",aa()),a.use("*",S(l)),a.use("*",c(l)),a.use("*",b()),a.use("*",V(l)),a.use("*",Aa()),a.use(e("*"),f({root:`./${R}`,getContent:(t,H)=>ea(t,H,l,A),rewriteRequestPath:t=>s(t)})),a.use(e(i.FEEDBACK),O({allowMethods:["POST"]})),a.use(e(i.ASK_AI),O({allowMethods:["POST"]})),a.use("*",Ta(l));const d=g(l);a.use(e(i.INFO),C()),process.env.NEW_CATALOG_ENABLED==="true"&&(a.use(e(i.CATALOG_ENTITIES),L(l.serverOutDir,{secureMethods:["POST","PUT","DELETE","PATCH"]})),a.use(e(i.CATALOG_ENTITIES_RELATIONS),L(l.serverOutDir,{secureMethods:["POST","PUT","DELETE","PATCH"]})),a.use(e(i.CATALOG_ENTITIES),ia(l)),a.use(e(i.CATALOG_ENTITIES_RELATIONS),la(l)),a.get(e(i.BFF_CATALOG_ENTITIES),ma(l)),a.get(e(i.BFF_CATALOG_RELATED_ENTITIES),na(l)),a.get(e(i.BFF_CATALOG_REVISIONS),ta(l))),a.get(e(i.SHARED_PAGE_DATA),K(l)),a.get(e(i.PAGE_DATA),v(l,n)),a.get(e(i.APP_DATA),U(l)),a.post(e(i.SEARCH),d,w(l)),a.post(e(i.SEARCH_FACETS),d,G(l)),a.post(e(i.AUTHORIZATION),I),a.post(e(i.LOGOUT),T(l)),a.get(e(i.LOGOUT),T(l)),a.get(e(i.OIDC_CALLBACK),P(l)),a.get(e(i.REDOCLY_TOKEN_LOGIN),M(l)),a.get(e(i.REDOCLY_LOGIN_CALLBACK),D()),a.get(e(i.IDP_LOGIN),h(l)),a.post(e(i.SAML_CALLBACK),N(l)),a.get(e(i.INVITE),B(l)),a.get(e(i.HEALTH),Z),a.get(e(i.MCP_OAUTH_PROTECTED_RESOURCE),W()),a.get(e(i.MCP_OAUTH_AUTHORIZATION_SERVER),j()),a.post(e(i.MCP_DYNAMIC_CLIENT_REGISTRATION),J()),a.get(e(i.MCP_AUTHORIZATION),Q()),a.post(e(i.MCP_TOKEN_PORTAL),X()),a.get(e(i.MCP_CALLBACK),_()),a.get(e(`${i.MCP_CALLBACK}/*`),_()),r(a,l),u(a,l),a.post(e(i.FEEDBACK),Y(l)),a.post(e(i.RESOLVE_ROUTE_BY_PATH),o(l)),a.post(e(i.RESOLVE_ROUTES_BY_PATHS),k(l)),a.post(e(i.RESOLVE_ROUTE_BY_SLUG),p(l)),a.post(e(i.ASK_AI),$(l)),a.get(e(i.GET_ROUTES_BY_LINE),E(l)),a.post(e(i.OTEL_TRACES),z),a.get(e(i.REPLAY_OAUTH2_CALLBACK),q),a.all(e("/*"),F(l,n,A)),a.get("*",y),a.onError(da)}function Ta(a){return async(l,m)=>{await a.waitForPluginsLifecycle(),await m()}}function Wa(a,l){a.get(e(i.INFO),C()),a.post(e(i.RESOLVE_ROUTE_BY_PATH),o(l)),a.post(e(i.RESOLVE_ROUTE_BY_SLUG),p(l)),a.get(e(i.GET_ROUTES_BY_LINE),E(l))}export{Wa as installDevRoutes,qa as installProdRoutes,Ta as waitForPluginsLifecycle};
1
+ import{serveStatic as f}from"hono/serve-static";import{withPathPrefix as e,withoutPathPrefix as s}from"@redocly/theme/core/utils";import{ServerRoutes as i}from"../../../constants/common.js";import{PUBLIC_STATIC_FOLDER as R}from"../../constants/common.js";import{authMiddleware as c}from"../middleware/authMiddleware.js";import{ensureSearchData as g}from"../middleware/ensureSearchData.js";import{dynamicMiddleware as S}from"../middleware/dynamic-middleware/dynamic-middleware.js";import{installRoutes as P}from"../../plugins/dev-onboarding/api/routes/index.js";import{authorizeHandler as I,oidcCallbackHandler as r,logoutHandler as d,postLogoutHandler as h,idpLoginHandler as D,redoclyLoginCallbackHandler as N,samlCallbackHandler as M,redoclyTokenLoginHandler as U,inviteHandler as B}from"./auth.js";import{appDataHandler as G}from"./app-data.js";import{searchFacetsHandler as w,searchHandler as F}from"./search.js";import{dynamicRouteHandler as v}from"./dynamic-route.js";import{pageDataHandler as K,sharedPageDataHandler as y}from"./page-data.js";import{pathPrefixRedirectHandler as k}from"./path-prefix-redirect.js";import{getRoutesByLineHandler as E,resolvePathHandler as o,resolvePathsHandler as Y,resolveSlugHandler as p}from"./resolve-route.js";import{feedbackHandler as b}from"./feedback.js";import{loggerMiddleware as V}from"../middleware/loggerMiddleware.js";import{responseHeadersMiddleware as x}from"../middleware/responseHeadersMiddleware.js";import{idleTimeoutMiddleware as z}from"../middleware/idleTimeoutMiddleware.js";import{otelTracesHandler as Z}from"./otel/otel.js";import{healthCheckHandler as $}from"./health.js";import{askAiHandler as q}from"./ask-ai.js";import{replayOauth2RedirectCallbackHandler as W}from"./replay-oauth2-redirect.js";import{mcpOAuthProtectedResourceHandler as j,mcpOAuthAuthorizationServerHandler as J,mcpDynamicClientRegistrationHandler as Q,mcpAuthorizationHandler as X,mcpTokenPortalHandler as u,mcpCallbackHandler as _}from"./mcp-oauth.js";import{corsMiddleware as O}from"../middleware/corsMiddleware.js";import{installApiRoutes as aa}from"./api-routes/api-routes.js";import{cookieMiddleware as ea}from"../middleware/cookieMiddleware.js";import{staticContentHandler as ia}from"../routes/static-content.js";import{infoHandler as L}from"./info.js";import{catalogHandler as la}from"./catalog/catalog.js";import{catalogRelationsHandler as ta}from"./catalog/catalog-relations.js";import{bffCatalogHandler as ma}from"./catalog/bff-catalog.js";import{bffCatalogRevisionsHandler as na}from"./catalog/bff-catalog-revisions.js";import{bffCatalogRelatedEntitiesHandler as Aa}from"./catalog/bff-catalog-related-entities.js";import{catalogAuthMiddleware as C}from"../middleware/catalogAuthMiddleware.js";import{telemetryMiddleware as Ta}from"../middleware/telemetry-middleware.js";import{errorHandler as da}from"./error.js";function Wa(a,l,t){const{resolveRouteData:n,readStaticAsset:A}=t;a.use("*",z()),a.use("*",ea()),a.use("*",S(l)),a.use("*",c(l)),a.use("*",V()),a.use("*",x(l)),a.use("*",Ta()),a.use(e("*"),f({root:`./${R}`,getContent:(m,H)=>ia(m,H,l,A),rewriteRequestPath:m=>s(m)})),a.use(e(i.FEEDBACK),O({allowMethods:["POST"]})),a.use(e(i.ASK_AI),O({allowMethods:["POST"]})),a.use("*",Ea(l));const T=g(l);a.use(e(i.INFO),L()),process.env.NEW_CATALOG_ENABLED==="true"&&(a.use(e(i.CATALOG_ENTITIES),C(l.serverOutDir,{secureMethods:["POST","PUT","DELETE","PATCH"]})),a.use(e(i.CATALOG_ENTITIES_RELATIONS),C(l.serverOutDir,{secureMethods:["POST","PUT","DELETE","PATCH"]})),a.use(e(i.CATALOG_ENTITIES),la(l)),a.use(e(i.CATALOG_ENTITIES_RELATIONS),ta(l)),a.get(e(i.BFF_CATALOG_ENTITIES),ma(l)),a.get(e(i.BFF_CATALOG_RELATED_ENTITIES),Aa(l)),a.get(e(i.BFF_CATALOG_REVISIONS),na(l))),a.get(e(i.SHARED_PAGE_DATA),y(l)),a.get(e(i.PAGE_DATA),K(l,n)),a.get(e(i.APP_DATA),G(l)),a.post(e(i.SEARCH),T,F(l)),a.post(e(i.SEARCH_FACETS),T,w(l)),a.post(e(i.AUTHORIZATION),I),a.post(e(i.LOGOUT),d(l)),a.get(e(i.LOGOUT),d(l)),a.get(e(i.POST_LOGOUT),h(l)),a.get(e(i.OIDC_CALLBACK),r(l)),a.get(e(i.REDOCLY_TOKEN_LOGIN),U(l)),a.get(e(i.REDOCLY_LOGIN_CALLBACK),N()),a.get(e(i.IDP_LOGIN),D(l)),a.post(e(i.SAML_CALLBACK),M(l)),a.get(e(i.INVITE),B(l)),a.get(e(i.HEALTH),$),a.get(e(i.MCP_OAUTH_PROTECTED_RESOURCE),j()),a.get(e(i.MCP_OAUTH_AUTHORIZATION_SERVER),J()),a.post(e(i.MCP_DYNAMIC_CLIENT_REGISTRATION),Q()),a.get(e(i.MCP_AUTHORIZATION),X()),a.post(e(i.MCP_TOKEN_PORTAL),u()),a.get(e(i.MCP_CALLBACK),_()),a.get(e(`${i.MCP_CALLBACK}/*`),_()),P(a,l),aa(a,l),a.post(e(i.FEEDBACK),b(l)),a.post(e(i.RESOLVE_ROUTE_BY_PATH),o(l)),a.post(e(i.RESOLVE_ROUTES_BY_PATHS),Y(l)),a.post(e(i.RESOLVE_ROUTE_BY_SLUG),p(l)),a.post(e(i.ASK_AI),q(l)),a.get(e(i.GET_ROUTES_BY_LINE),E(l)),a.post(e(i.OTEL_TRACES),Z),a.get(e(i.REPLAY_OAUTH2_CALLBACK),W),a.all(e("/*"),v(l,n,A)),a.get("*",k),a.onError(da)}function Ea(a){return async(l,t)=>{await a.waitForPluginsLifecycle(),await t()}}function ja(a,l){a.get(e(i.INFO),L()),a.post(e(i.RESOLVE_ROUTE_BY_PATH),o(l)),a.post(e(i.RESOLVE_ROUTE_BY_SLUG),p(l)),a.get(e(i.GET_ROUTES_BY_LINE),E(l))}export{ja as installDevRoutes,Wa as installProdRoutes,Ea as waitForPluginsLifecycle};
package/dist/server/web-server/routes/mcp-oauth.d.ts CHANGED
@@ -1,4 +1,14 @@
1
1
  import type { Handler } from 'hono';
2
+ export type McpContextPayload = {
3
+ isMcpFlow: boolean;
4
+ originalRedirectUri: string | null;
5
+ mcpClientId: string | null;
6
+ mcpState: string | null;
7
+ mcpSessionId: string;
8
+ timestamp: number;
9
+ };
10
+ export declare function createMcpContextToken(context: McpContextPayload): Promise<string>;
11
+ export declare function verifyAndParseMcpContextToken(token: string): Promise<McpContextPayload>;
2
12
  export declare function mcpOAuthProtectedResourceHandler(): Handler;
3
13
  export declare function mcpOAuthAuthorizationServerHandler(): Handler;
4
14
  /**
package/dist/server/web-server/routes/mcp-oauth.js CHANGED
@@ -1 +1 @@
1
- import{getCookie as f}from"hono/cookie";import{ulid as C}from"ulid";import{AUTH_URL as m}from"../../constants/common.js";import{ServerRoutes as d}from"../../../constants/common.js";import{withPathPrefix as g}from"@redocly/theme/core/utils";import{logger as S}from"../../tools/notifiers/logger.js";import{telemetry as p}from"../../telemetry/index.js";import{createMcpAuthorizationCode as M,verifyMcpAuthorizationCode as y,createMcpSessionResource as l}from"../auth.js";const a=(e,t,n=200,i)=>e.json(t,n,{"Content-Type":"application/json",...i??{}});function $(){return async e=>{if(e.req.method!=="GET")return a(e,{error:"Method not allowed"},405,{Allow:"GET"});const t=new URL(e.req.url),n=e.req.header("x-forwarded-proto")||t.protocol.slice(0,-1)||"https",i=e.req.header("x-forwarded-host")||t.host,r=`${n}://${i}`;return a(e,{resource:`${r}/mcp`,authorization_servers:[r],bearer_methods_supported:["header"],resource_documentation:`${r}/.well-known/oauth-authorization-server`,scopes_supported:["openid","profile","email","offline_access"],bearer_token_types_supported:["Bearer"]})}}function q(){return async e=>{const t=new URL(e.req.url),n=e.req.header("x-forwarded-proto")||t.protocol.slice(0,-1)||"https",i=e.req.header("x-forwarded-host")||t.host,r=`${n}://${i}`;return a(e,{issuer:m||"",authorization_endpoint:`${r}${d.MCP_AUTHORIZATION}`,token_endpoint:`${r}${d.MCP_TOKEN_PORTAL}`,jwks_uri:`${m||""}/.well-known/jwks.json`,registration_endpoint:`${r}${d.MCP_DYNAMIC_CLIENT_REGISTRATION}`,scopes_supported:["openid","profile","email","offline_access"],response_types_supported:["code"],grant_types_supported:["authorization_code","refresh_token","client_credentials"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],code_challenge_methods_supported:["S256"]})}}function z(){return async e=>{if(e.req.method!=="POST")return a(e,{error:"Method not allowed"},405);try{return a(e,{client_id:process.env.OAUTH_CLIENT_ID||"",client_name:"MCP Client",redirect_uris:[],grant_types:["authorization_code","refresh_token"],response_types:["code"],scope:"openid offline email",subject_type:"public",token_endpoint_auth_method:"none",created_at:new Date().toISOString(),updated_at:new Date().toISOString()},201)}catch(t){return a(e,{error:"invalid_request",error_description:t?.message||"Unable to register client"},500)}}}function L(){return async e=>{const t=new URL(e.req.url),{searchParams:n}=t,i=n.get("redirect_uri"),r=C();p.sendMcpAuthorizationStartedMessage({...l(r),redirect_uri:i||null});const s={isMcpFlow:!0,originalRedirectUri:i,mcpClientId:n.get("client_id"),mcpState:n.get("state"),mcpSessionId:r,timestamp:Date.now()};try{const o=new URL(e.req.url),c=e.req.header("x-forwarded-proto")||o.protocol.slice(0,-1)||"https",_=e.req.header("x-forwarded-host")||o.host,u=`${c}://${_}`,w=Buffer.from(JSON.stringify(s)).toString("base64url"),h=new URL(d.IDP_LOGIN,u);return h.searchParams.set("redirectTo",`${g(d.MCP_CALLBACK)}/${w}`),h.searchParams.set("idpId","oidc"),e.redirect(h.toString())}catch(o){const c=o instanceof Error?o.message:String(o),_=o instanceof Error?o.stack:String(o);p.sendMcpAuthorizationFailedMessage({...l(r),error:c,error_details:_});const u=new URL(g(`${m}/oauth2/auth`));return u.search=n.toString(),e.redirect(u.toString())}}}function O(){return async e=>{if(e.req.method!=="POST")return a(e,{error:"Method not allowed"},405);try{const t=await e.req.formData(),n=t.get("grant_type"),i=t.get("code"),r=t.get("redirect_uri")||void 0;if(n!=="authorization_code"||!i)return a(e,{error:"invalid_request",error_description:"Invalid grant type or missing authorization code"},400);try{const s=await y(i);if(r&&r!==s.redirect_uri)return a(e,{error:"invalid_grant",error_description:"redirect_uri mismatch"},400);if(process.env.OAUTH_CLIENT_ID&&s.client_id&&s.client_id!==process.env.OAUTH_CLIENT_ID)return a(e,{error:"invalid_client",error_description:"Client mismatch"},400);const o=s.id_token;return typeof o!="string"||o.length===0?a(e,{error:"invalid_grant",error_description:"Missing id_token in authorization code"},400):a(e,{access_token:o,token_type:"Bearer",expires_in:3600,scope:"openid profile email",id_token:o},200,{"Cache-Control":"no-store",Pragma:"no-cache"})}catch{return a(e,{error:"invalid_grant",error_description:"Invalid authorization code"},400)}}catch(t){return a(e,{error:"server_error",error_description:"Failed to process token request",error_details:t.message},500)}}}function D(){return async e=>{const t=new URL(e.req.url);let n=t.searchParams.get("context");if(!n&&t.pathname.startsWith(g(`${d.MCP_CALLBACK}/`))){const r=t.pathname.split("/"),s=r[r.length-1];if(s)try{n=Buffer.from(s,"base64url").toString("utf-8")}catch(o){S.error("[OAuth Debug] Error decoding context:",o)}}if(!n)return p.sendMcpAuthorizationFailedMessage({...l(null),error:"Missing context parameter",error_details:null}),e.text("Missing context parameter",400);let i=null;try{const r=typeof n=="string"&&n.startsWith("{")?JSON.parse(n):JSON.parse(decodeURIComponent(n));if(i=r.mcpSessionId||null,!r.isMcpFlow||!r.originalRedirectUri)throw new Error("Invalid MCP context");const s=f(e,"idp_id_token")||f(e,"authorization"),o=await M({idToken:s||"",clientId:r.mcpClientId||"",redirectUri:r.originalRedirectUri,ttlSec:600}),c=new URL(r.originalRedirectUri);return c.searchParams.set("code",o),r.mcpState&&c.searchParams.set("state",r.mcpState),p.sendMcpAuthorizationCompletedMessage({...l(i),redirect_uri:r.originalRedirectUri||null}),e.redirect(c.toString())}catch(r){const s=r instanceof Error?r.message:String(r),o=r instanceof Error?r.stack:String(r);return p.sendMcpAuthorizationFailedMessage({...l(i),error:s,error_details:o}),e.text(`Invalid MCP callback: ${s}`,400)}}}export{L as mcpAuthorizationHandler,D as mcpCallbackHandler,z as mcpDynamicClientRegistrationHandler,q as mcpOAuthAuthorizationServerHandler,$ as mcpOAuthProtectedResourceHandler,O as mcpTokenPortalHandler};
1
+ import{getCookie as C}from"hono/cookie";import{ulid as w}from"ulid";import{AUTH_URL as _,JWT_SECRET_KEY as y}from"../../constants/common.js";import{ServerRoutes as d}from"../../../constants/common.js";import{withPathPrefix as m}from"@redocly/theme/core/utils";import{telemetry as l}from"../../telemetry/index.js";import{createMcpAuthorizationCode as k,verifyMcpAuthorizationCode as S,createMcpSessionResource as u}from"../auth.js";import*as h from"../jwt/jwt.js";import{getRequestOrigin as g}from"../utils/get-request-origin.js";const n=(e,r,o=200,a)=>e.json(r,o,{"Content-Type":"application/json",...a??{}});async function T(e){const r=Math.floor(Date.now()/1e3);return h.sign({type:"mcp_context",...e,iat:r,exp:r+600},y)}async function I(e){await h.verify(e,y);const{payload:r}=h.decode(e);if(r.type!=="mcp_context")throw new Error("Invalid context token type");return r}function O(){return async e=>{if(e.req.method!=="GET")return n(e,{error:"Method not allowed"},405,{Allow:"GET"});const r=g(e);return n(e,{resource:`${r}/mcp`,authorization_servers:[r],bearer_methods_supported:["header"],resource_documentation:`${r}/.well-known/oauth-authorization-server`,scopes_supported:["openid","profile","email","offline_access"],bearer_token_types_supported:["Bearer"]})}}function D(){return async e=>{const r=g(e);return n(e,{issuer:_||"",authorization_endpoint:`${r}${d.MCP_AUTHORIZATION}`,token_endpoint:`${r}${d.MCP_TOKEN_PORTAL}`,jwks_uri:`${_||""}/.well-known/jwks.json`,registration_endpoint:`${r}${d.MCP_DYNAMIC_CLIENT_REGISTRATION}`,scopes_supported:["openid","profile","email","offline_access"],response_types_supported:["code"],grant_types_supported:["authorization_code","refresh_token","client_credentials"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],code_challenge_methods_supported:["S256"]})}}function $(){return async e=>{if(e.req.method!=="POST")return n(e,{error:"Method not allowed"},405);try{return n(e,{client_id:process.env.OAUTH_CLIENT_ID||"",client_name:"MCP Client",redirect_uris:[],grant_types:["authorization_code","refresh_token"],response_types:["code"],scope:"openid offline email",subject_type:"public",token_endpoint_auth_method:"none",created_at:new Date().toISOString(),updated_at:new Date().toISOString()},201)}catch(r){return n(e,{error:"invalid_request",error_description:r?.message||"Unable to register client"},500)}}}function q(){return async e=>{const r=new URL(e.req.url),{searchParams:o}=r,a=o.get("redirect_uri"),t=w();l.sendMcpAuthorizationStartedMessage({...u(t),redirect_uri:a||null});const s=g(e),c={isMcpFlow:!0,originalRedirectUri:a,mcpClientId:o.get("client_id"),mcpState:o.get("state"),mcpSessionId:t,timestamp:Date.now()};try{const i=await T(c),p=new URL(d.IDP_LOGIN,s);return p.searchParams.set("redirectTo",`${m(d.MCP_CALLBACK)}/${i}`),p.searchParams.set("idpId","oidc"),e.redirect(p.toString())}catch(i){const p=i instanceof Error?i.message:String(i),M=i instanceof Error?i.stack:String(i);l.sendMcpAuthorizationFailedMessage({...u(t),error:p,error_details:M});const f=new URL(m(`${_}/oauth2/auth`));return f.search=o.toString(),e.redirect(f.toString())}}}function H(){return async e=>{if(e.req.method!=="POST")return n(e,{error:"Method not allowed"},405);try{const r=await e.req.formData(),o=r.get("grant_type"),a=r.get("code"),t=r.get("redirect_uri")||void 0;if(o!=="authorization_code"||!a)return n(e,{error:"invalid_request",error_description:"Invalid grant type or missing authorization code"},400);try{const s=await S(a);if(t&&t!==s.redirect_uri)return n(e,{error:"invalid_grant",error_description:"redirect_uri mismatch"},400);if(process.env.OAUTH_CLIENT_ID&&s.client_id&&s.client_id!==process.env.OAUTH_CLIENT_ID)return n(e,{error:"invalid_client",error_description:"Client mismatch"},400);const c=s.id_token;return typeof c!="string"||c.length===0?n(e,{error:"invalid_grant",error_description:"Missing id_token in authorization code"},400):n(e,{access_token:c,token_type:"Bearer",expires_in:3600,scope:"openid profile email",id_token:c},200,{"Cache-Control":"no-store",Pragma:"no-cache"})}catch{return n(e,{error:"invalid_grant",error_description:"Invalid authorization code"},400)}}catch(r){const o=r instanceof Error?r.message:String(r);return n(e,{error:"server_error",error_description:"Failed to process token request",error_details:o},500)}}}function b(){return async e=>{const r=new URL(e.req.url);let o=r.searchParams.get("context");if(!o&&r.pathname.startsWith(m(`${d.MCP_CALLBACK}/`))){const t=r.pathname.split("/");o=t[t.length-1]}if(!o)return l.sendMcpAuthorizationFailedMessage({...u(null),error:"Missing context parameter",error_details:null}),e.text("Missing context parameter",400);let a=null;try{const t=await I(o);if(a=t.mcpSessionId||null,!t.isMcpFlow||!t.originalRedirectUri)throw new Error("Invalid MCP context");const s=C(e,"idp_id_token")||C(e,"authorization"),c=await k({idToken:s||"",clientId:t.mcpClientId||"",redirectUri:t.originalRedirectUri,ttlSec:600}),i=new URL(t.originalRedirectUri);return i.searchParams.set("code",c),t.mcpState&&i.searchParams.set("state",t.mcpState),l.sendMcpAuthorizationCompletedMessage({...u(a),redirect_uri:t.originalRedirectUri||null}),e.redirect(i.toString())}catch(t){const s=t instanceof Error?t.message:String(t),c=t instanceof Error?t.stack:String(t);return l.sendMcpAuthorizationFailedMessage({...u(a),error:s,error_details:c}),e.text(`Invalid MCP callback: ${s}`,400)}}}export{T as createMcpContextToken,q as mcpAuthorizationHandler,b as mcpCallbackHandler,$ as mcpDynamicClientRegistrationHandler,D as mcpOAuthAuthorizationServerHandler,O as mcpOAuthProtectedResourceHandler,H as mcpTokenPortalHandler,I as verifyAndParseMcpContextToken};
package/dist/server/web-server/utils/get-request-origin.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ import type { Context } from 'hono';
2
+ export declare function getRequestOrigin(ctx: Context): string;
3
+ //# sourceMappingURL=get-request-origin.d.ts.map
package/dist/server/web-server/utils/get-request-origin.js ADDED
@@ -0,0 +1 @@
1
+ function s(r){const e=new URL(r.req.url),o=r.req.header("x-forwarded-proto")||e.protocol.slice(0,-1)||"https",t=r.req.header("x-forwarded-host")||e.host;return`${o}://${t}`}export{s as getRequestOrigin};
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@redocly/realm",
3
- "version": "0.129.0-next.5",
3
+ "version": "0.129.0-next.6",
4
4
  "description": "",
5
5
  "type": "module",
6
6
  "bin": {
@@ -94,7 +94,7 @@
94
94
  "xpath": "0.0.34",
95
95
  "yaml-ast-parser": "0.0.43",
96
96
  "@redocly/asyncapi-docs": "1.6.0-next.5",
97
- "@redocly/config": "0.41.1",
97
+ "@redocly/config": "0.41.2",
98
98
  "@redocly/graphql-docs": "1.6.0-next.0",
99
99
  "@redocly/openapi-docs": "3.17.0-next.5",
100
100
  "@redocly/portal-legacy-ui": "0.12.0-next.0",