@restorecommerce/facade 1.3.5 → 1.3.7

package/dist/modules/identity/oidc/index.d.ts

@@ -1,18 +0,0 @@
-/// <reference types="koa-router" />
-import Provider from 'oidc-provider';
-import { type Logger } from 'winston';
-import { type IdentityContext } from '../interfaces.js';
-import type { OIDCConfig } from './interfaces.js';
-import { type IdentitySrvGrpcClient } from '../grpc/index.js';
-export type { OIDCConfig };
-export { createOIDCRouter, type CreateOIDCRouterArgs } from './router.js';
-export interface CreateOIDCArgs {
-    logger: Logger;
-    identitySrvClient: IdentitySrvGrpcClient;
-    config: OIDCConfig;
-    env: string;
-}
-export declare function createOIDC({ identitySrvClient, env, logger, config: { loginFn, post_logout_redirect_uris, localTokenServiceFactory, remoteTokenService, cookies, redirect_uris, client_id, client_secret, issuer, jwks, templates } }: CreateOIDCArgs): {
-    provider: Provider;
-    router: import("koa-router")<{}, IdentityContext>;
-};

package/dist/modules/identity/oidc/index.js

@@ -1,147 +0,0 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-import Provider from 'oidc-provider';
-import { createOIDCRouter } from './router.js';
-import { createIdentityServiceAdapterClass } from './adapter.js';
-import { findUserById, loginUserBody, loginUserCredentials } from './user.js';
-import { registerPasswordGrantType } from './password-grant.js';
-export { createOIDCRouter } from './router.js';
-export function createOIDC({ identitySrvClient, env, logger, config: { loginFn, post_logout_redirect_uris, localTokenServiceFactory, remoteTokenService, cookies, redirect_uris, client_id, client_secret, issuer, jwks, templates } }) {
-    var _a, _b;
-    const adapterClass = createIdentityServiceAdapterClass(remoteTokenService !== null && remoteTokenService !== void 0 ? remoteTokenService : identitySrvClient.token, logger, localTokenServiceFactory);
-    const provider = new Provider(issuer, {
-        adapter: adapterClass,
-        clients: [{
-                post_logout_redirect_uris,
-                client_id,
-                client_secret,
-                id_token_signed_response_alg: 'HS256',
-                grant_types: ['refresh_token', 'authorization_code', 'password'],
-                redirect_uris,
-                scopes: ['openid', 'offline_access'],
-                response_types: [
-                    'code'
-                ],
-                token_endpoint_auth_method: 'client_secret_basic',
-            }],
-        // issueRefreshToken:  async (ctx, client, code) => {
-        //   // Always issue refresh token
-        //   return client.grantTypeAllowed('refresh_token');
-        // },
-        jwks,
-        ttl: {
-            Session: (1 * 24 * 60 * 60) * 1000
-        },
-        cookies: {
-            long: { signed: false },
-            short: { signed: false },
-            keys: cookies.keys,
-        },
-        // oidc-provider only looks up the accounts by their ID when it has to read the claims,
-        // passing it our Account model method is sufficient, it should return a Promise that resolves
-        // with an object with accountId property and a claims method.
-        findAccount: (ctx, id) => __awaiter(this, void 0, void 0, function* () {
-            var _c;
-            try {
-                const userService = (_c = ctx === null || ctx === void 0 ? void 0 : ctx.identitySrvClient) === null || _c === void 0 ? void 0 : _c.user;
-                return {
-                    accountId: id,
-                    claims: (use, scope) => __awaiter(this, void 0, void 0, function* () {
-                        try {
-                            const user = yield findUserById(userService, id);
-                            return {
-                                sub: id,
-                                data: user
-                            };
-                        }
-                        catch (error) {
-                            logger.error('OIDC findAccount claims error', error);
-                            return {
-                                sub: id,
-                                data: {
-                                    id,
-                                }
-                            };
-                        }
-                    }),
-                };
-            }
-            catch (error) {
-                logger.error('OIDC findAccount error', error);
-            }
-        }),
-        claims: {
-            acr: null,
-            sid: null,
-            auth_time: null,
-            iss: null,
-            openid: ['sub', 'data'],
-        },
-        responseTypes: [
-            'code',
-            'id_token',
-            'id_token token',
-            'code id_token',
-            'code token',
-            'code id_token token',
-            'none',
-        ],
-        // let's tell oidc-provider where our own interactions will be
-        // setting a nested route is just good practice so that users
-        // don't run into weird issues with multiple interactions open
-        // at a time.
-        interactions: {
-            url: (ctx) => `/interaction/${ctx.oidc.uid}`,
-        },
-        features: {
-            introspection: {
-                enabled: true
-            },
-            revocation: {
-                enabled: true
-            },
-            devInteractions: {
-                // enabled: dev ?? false
-                enabled: false
-            },
-        },
-    });
-    // Disabled due to playground being disabled
-    // provider.use(helmet());
-    const router = createOIDCRouter({
-        loginFn: loginFn !== null && loginFn !== void 0 ? loginFn : loginUserBody,
-        templates,
-        logger,
-        provider,
-        env,
-    });
-    registerPasswordGrantType({
-        authLogService: identitySrvClient.authentication_log,
-        authenticate: loginUserCredentials,
-        provider
-    });
-    // Disable forbidding redirect to http/localhost in dev mode
-    if (env === 'development') {
-        const proto = (_b = (_a = provider.Client) === null || _a === void 0 ? void 0 : _a.Schema) === null || _b === void 0 ? void 0 : _b.prototype;
-        if (proto) {
-            const { invalidate: orig } = proto;
-            proto.invalidate = function invalidate(message, code) {
-                if (code === 'implicit-force-https' || code === 'implicit-forbid-localhost') {
-                    return;
-                }
-                orig.call(this, message);
-            };
-        }
-    }
-    return {
-        provider,
-        router
-    };
-}

package/dist/modules/identity/oidc/interfaces.d.ts

@@ -1,73 +0,0 @@
-import { type Adapter, errors } from 'oidc-provider';
-import type Provider from 'oidc-provider';
-import { type IdentityContext } from '../interfaces.js';
-import { type AuthenticationLogServiceClient as authLogService } from '@restorecommerce/rc-grpc-clients/dist/generated/io/restorecommerce/authentication_log.js';
-import { type TokenServiceClient as tokenService } from '@restorecommerce/rc-grpc-clients/dist/generated/io/restorecommerce/token.js';
-import { type User } from '@restorecommerce/rc-grpc-clients/dist/generated/io/restorecommerce/user.js';
-export interface OIDCHbsTemplates {
-    login?: string;
-    layout?: string;
-    consent?: string;
-}
-export interface OIDCConfig {
-    remoteTokenService?: tokenService;
-    localTokenServiceFactory?: (type: string) => Adapter;
-    loginFn?: OIDCBodyLoginFn;
-    issuer: string;
-    jwks: any;
-    client_id: string;
-    client_secret: string;
-    cookies: {
-        keys: string[];
-    };
-    templates?: OIDCHbsTemplates;
-    redirect_uris: string[];
-    post_logout_redirect_uris: string[];
-}
-export interface OIDCError {
-    key: string;
-    message?: string;
-}
-export type UserKey = keyof User;
-export type AuthUserKeyWhitelist = 'id' | 'name' | 'email' | 'localeId' | 'timezoneId' | 'roleAssociations' | 'firstName' | 'lastName' | 'defaultScope' | 'tokens' | 'lastAccess';
-export type AuthUser = Pick<User, AuthUserKeyWhitelist>;
-export interface LoginFnResponse {
-    user?: AuthUser;
-    error?: OIDCError;
-    identifier?: string;
-    remember?: boolean;
-}
-export type OIDCBodyLoginFn = (ctx: IdentityContext, body: any) => Promise<LoginFnResponse>;
-export type OIDCBodyLoginCredentials = (ctx: IdentityContext, credentials: UserCredentials) => Promise<LoginFnResponse>;
-export type OIDCLoginFn = (ctx: IdentityContext, identifier?: string, password?: string, remember?: boolean) => Promise<LoginFnResponse>;
-export interface UserCredentials {
-    identifier: string;
-    password?: string;
-    token?: string;
-}
-export interface OIDCPasswordGrantTypeConfig {
-    provider: Provider;
-    authenticate: OIDCBodyLoginCredentials;
-    tokenExpiration?: number;
-    authLogService: authLogService;
-}
-export interface TokenResponseBody {
-    access_token?: string;
-    id_token?: string;
-    expires_in?: number;
-    last_login?: number;
-    token_type?: string;
-    scope?: string;
-    subject_id?: string;
-    token_name?: string;
-    default_scope?: string;
-    last_access?: number;
-}
-export declare class InvalidPasswordGrant extends errors.InvalidGrant {
-    constructor(detail: string);
-}
-export interface Claims {
-    sub: string | undefined;
-    data: AuthUser;
-    [key: string]: any;
-}

package/dist/modules/identity/oidc/interfaces.js

@@ -1,7 +0,0 @@
-import { errors } from 'oidc-provider';
-export class InvalidPasswordGrant extends errors.InvalidGrant {
-    constructor(detail) {
-        super('invalid_password_grant');
-        Object.assign(this, { error_description: detail, error_detail: detail });
-    }
-}

package/dist/modules/identity/oidc/password-grant.d.ts

@@ -1,2 +0,0 @@
-import { type OIDCPasswordGrantTypeConfig } from './interfaces.js';
-export declare const registerPasswordGrantType: (config: OIDCPasswordGrantTypeConfig) => void;

package/dist/modules/identity/oidc/password-grant.js

@@ -1,163 +0,0 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-import { InvalidPasswordGrant } from './interfaces.js';
-import { nanoid, epochTime } from './utils.js';
-import * as useragent from 'useragent';
-import * as uuid from 'uuid';
-import * as requestIp from 'request-ip';
-import { AuthenticationLog, AuthenticationLogList } from '@restorecommerce/rc-grpc-clients/dist/generated/io/restorecommerce/authentication_log.js';
-import { Subject } from '@restorecommerce/rc-grpc-clients/dist/generated/io/restorecommerce/auth.js';
-export const registerPasswordGrantType = (config) => {
-    const performPasswordGrant = (ctx, clientId, identifier, password, key) => __awaiter(void 0, void 0, void 0, function* () {
-        var _a, _b;
-        const client = yield ctx.oidc.provider.Client.find(clientId);
-        let account;
-        try {
-            let user = {
-                identifier,
-                [key]: password
-            };
-            account = yield config.authenticate(ctx, user);
-        }
-        catch (err) {
-            if (err.details && err.details.includes(':')) {
-                err.details = err.details.split(':')[1].trim();
-            }
-            throw new InvalidPasswordGrant(err.details);
-        }
-        if (!account || !account.user) {
-            if (account.error && account.error.message) {
-                throw new InvalidPasswordGrant('invalid credentials provided: ' + account.error.message);
-            }
-            throw new InvalidPasswordGrant('invalid credentials provided');
-        }
-        let expiresIn = config.tokenExpiration;
-        if (!expiresIn) {
-            // default value of 1 day expiration when not set in config
-            expiresIn = 86400;
-        }
-        const claims = {
-            sub: account.user.id,
-            data: account.user
-        };
-        const { AccessToken } = ctx.oidc.provider;
-        // for interactive login (to update user data in arangodb with token name)
-        let tokenName = uuid.v4().replace(/-/g, '');
-        claims.token_name = tokenName;
-        let defaultScope = claims.data.defaultScope;
-        const at = new AccessToken({
-            gty: 'password',
-            scope: 'openid',
-            accountId: account.user.id,
-            claims,
-            client,
-            grantId: ctx.oidc.uid,
-            expiresWithSession: false,
-            expiresIn
-        });
-        ctx.oidc.entity('AccessToken', at);
-        const accessToken = yield at.save();
-        let last_access;
-        if ((_a = claims === null || claims === void 0 ? void 0 : claims.data) === null || _a === void 0 ? void 0 : _a.lastAccess) {
-            last_access = claims.data.lastAccess;
-        }
-        if ((_b = claims === null || claims === void 0 ? void 0 : claims.data) === null || _b === void 0 ? void 0 : _b.tokens) {
-            claims.data = Object.assign(Object.assign({}, claims.data), { tokens: [] });
-        }
-        const generateIdToken = (ctx, clientId, expiresIn, claims) => __awaiter(void 0, void 0, void 0, function* () {
-            const client = yield ctx.oidc.provider.Client.find(clientId);
-            ctx.oidc.entity('Client', client);
-            const { IdToken } = ctx.oidc.provider;
-            const jti = nanoid();
-            const exp = epochTime() + expiresIn;
-            const token = new IdToken(Object.assign({}, claims), { ctx });
-            token.set('jti', jti);
-            token.scope = 'openid profile';
-            return yield token.issue({ expiresAt: exp });
-        });
-        const idToken = yield generateIdToken(ctx, clientId, expiresIn, claims);
-        return {
-            access_token: accessToken,
-            id_token: idToken,
-            expires_in: epochTime() + at.expiration,
-            last_login: epochTime(),
-            token_type: at.tokenType,
-            scope: 'openid',
-            token_name: tokenName,
-            default_scope: defaultScope,
-            last_access
-        };
-    });
-    config.provider.registerGrantType('password', (ctx, next) => __awaiter(void 0, void 0, void 0, function* () {
-        try {
-            const { body, client } = ctx.oidc;
-            ctx.type = 'json';
-            let passwordValue;
-            let key = 'password';
-            if (body.password) {
-                passwordValue = body.password;
-            }
-            else if (body.token) {
-                passwordValue = body.token;
-                key = 'token';
-            }
-            const req = ctx.request;
-            let os, agentName;
-            const agent = useragent.parse(req.headers['user-agent']);
-            if (agent) {
-                os = agent.os.toString();
-                agentName = agent.toAgent();
-            }
-            ctx.body = yield performPasswordGrant(ctx, client.clientId, body.identifier, passwordValue, key);
-            const token_name = ctx.body.token_name;
-            const token = ctx.body.access_token;
-            const scope = ctx.body.default_scope;
-            let ipv4_address, ipv6_address;
-            const clientIP = requestIp.getClientIp(req.req);
-            if (clientIP && clientIP.includes('.')) {
-                ipv4_address = clientIP;
-            }
-            else if (clientIP && clientIP.includes(':')) {
-                ipv6_address = clientIP;
-            }
-            const authLogItem = AuthenticationLog.fromPartial({
-                ipv4Address: ipv4_address,
-                ipv6Address: ipv6_address,
-                operatingSystem: os,
-                userAgent: agentName,
-                date: new Date().getTime(),
-                activity: 'login',
-                tokenName: token_name
-            });
-            yield config.authLogService.create(AuthenticationLogList.fromPartial({
-                items: [authLogItem],
-                subject: Subject.fromPartial({ token, scope })
-            }));
-        }
-        catch (ex) {
-            if (ex instanceof InvalidPasswordGrant) {
-                ctx.status = 401;
-                ctx.type = 'json';
-                ctx.body = {
-                    error: ex['error'],
-                    error_description: ex['error_description']
-                };
-            }
-            else {
-                ctx.status = 400;
-                ctx.body = {
-                    error: 'bad_request',
-                    error_description: 'Bad request'
-                };
-            }
-        }
-        yield next();
-    }), ['identifier', 'password'], []);
-};

package/dist/modules/identity/oidc/router.d.ts

@@ -1,13 +0,0 @@
-import type KoaRouter from 'koa-router';
-import type Provider from 'oidc-provider';
-import { type Logger } from 'winston';
-import { type IdentityContext } from '../interfaces.js';
-import { type OIDCHbsTemplates, type OIDCBodyLoginFn } from './interfaces.js';
-export interface CreateOIDCRouterArgs {
-    logger: Logger;
-    provider: Provider;
-    env?: string;
-    templates?: OIDCHbsTemplates;
-    loginFn: OIDCBodyLoginFn;
-}
-export declare const createOIDCRouter: ({ logger, loginFn, provider, env, templates }: CreateOIDCRouterArgs) => KoaRouter<{}, IdentityContext>;

package/dist/modules/identity/oidc/router.js

@@ -1,164 +0,0 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-import { OIDCTemplateEngine } from './templates.js';
-import { koaBody } from 'koa-body';
-import Router from 'koa-router';
-export const createOIDCRouter = ({ logger, loginFn, provider, env, templates }) => {
-    const dev = env === 'development';
-    const tplEngine = new OIDCTemplateEngine(templates);
-    const router = new Router();
-    router.get('/interaction/:uid', (ctx, next) => __awaiter(void 0, void 0, void 0, function* () {
-        const { uid, prompt, params, session, } = yield provider.interactionDetails(ctx.req, ctx.res);
-        const client = yield provider.Client.find(params.client_id);
-        switch (prompt.name) {
-            case 'login': {
-                ctx.type = 'html';
-                ctx.body = yield tplEngine.login({
-                    title: 'Login',
-                    dev,
-                    uid,
-                    dbg: {
-                        params,
-                        prompt,
-                        session
-                    }
-                });
-                return;
-            }
-            case 'consent': {
-                console.log('consent', prompt.details);
-                const { prompt: { name, details } } = yield provider.interactionDetails(ctx.req, ctx.res);
-                const consent = {};
-                consent.rejectedScopes = [];
-                // replace = false means previously rejected scopes and claims remain rejected
-                // changing this to true will remove those rejections in favour of just what you rejected above
-                consent.replace = false;
-                const result = { consent };
-                return provider.interactionFinished(ctx.req, ctx.res, result, {
-                    mergeWithLastSubmission: true,
-                });
-                // ctx.type = 'html';
-                // ctx.body = await tplEngine.consent({
-                //   title: 'Authorize',
-                //   dev,
-                //   uid,
-                //   details: prompt.details,
-                //   dbg: {
-                //     params,
-                //     prompt,
-                //     session
-                //   }
-                // });
-                // return;
-            }
-            default:
-                return next();
-        }
-    }));
-    // router.post('/interaction/:uid/confirm', bodyParser({
-    //   text: false, json: false
-    // }), async (ctx) => {
-    //   const { prompt: { name, details } } = await provider.interactionDetails(ctx.req, ctx.res);
-    //   const consent: any = {};
-    //   consent.rejectedScopes = [];
-    //   // replace = false means previously rejected scopes and claims remain rejected
-    //   // changing this to true will remove those rejections in favour of just what you rejected above
-    //   consent.replace = false;
-    //   const result = { consent };
-    //   return provider.interactionFinished(ctx.req, ctx.res, result, {
-    //     mergeWithLastSubmission: true,
-    //   });
-    // });
-    router.post('/interaction/:uid/login', koaBody({
-        text: false, json: false
-    }), (ctx) => __awaiter(void 0, void 0, void 0, function* () {
-        const { prompt, uid, params, session } = yield provider.interactionDetails(ctx.req, ctx.res);
-        if (prompt.name !== 'login') {
-            throw new Error('INVALID_PROMPT');
-        }
-        const render = ({ error, identifier, remember } = {}) => __awaiter(void 0, void 0, void 0, function* () {
-            ctx.response.type = 'html';
-            ctx.response.body = yield tplEngine.login({
-                title: 'Login',
-                uid,
-                identifier,
-                remember,
-                error: error !== null && error !== void 0 ? error : {
-                    key: 'ERROR',
-                    message: 'Error'
-                },
-                dev,
-                dbg: {
-                    params,
-                    prompt,
-                    session
-                }
-            });
-            return;
-        });
-        const body = typeof ctx.request.body === 'object' && ctx.request.body ? ctx.request.body : undefined;
-        if (!body) {
-            logger.error('OIDC login invalid body', body);
-            return render();
-        }
-        const { error, user, identifier, remember } = yield loginFn(ctx, body);
-        if (error || !user) {
-            logger.error('OIDC login callback error', error);
-            return render({
-                error,
-                identifier,
-                remember
-            });
-        }
-        if (!user) {
-            return render({
-                error: {
-                    key: 'INVALID_IDENTIFIER_OR_PASSWORD',
-                    message: 'Invalid identifier or password'
-                },
-                identifier,
-                remember
-            });
-        }
-        const result = {
-            select_account: {},
-            login: {
-                remember,
-                accountId: user.id,
-            },
-            meta: {}
-        };
-        return provider.interactionFinished(ctx.req, ctx.res, result, {
-            mergeWithLastSubmission: false,
-        });
-    }));
-    router.get('/interaction/:uid/abort', (ctx) => __awaiter(void 0, void 0, void 0, function* () {
-        const result = {
-            error: 'access_denied',
-            error_description: 'End-User aborted interaction',
-        };
-        return provider.interactionFinished(ctx.req, ctx.res, result, {
-            mergeWithLastSubmission: false,
-        });
-    }));
-    // router.get('/session', async (ctx) => {
-    //   const _ctx = provider.app.createContext(ctx.req, ctx.res);
-    //   // const session = await provider.Session.get(_ctx)
-    //   const x = new provider.OIDCContext(ctx)
-    //   // new provider.OIDCContext(ctx)
-    //   ctx.response.body = {
-    //     ats: x.getAccessToken(),
-    //     at: provider.AccessToken.find(x.getAccessToken()),
-    //     // session
-    //   };
-    // });
-    return router;
-};
-;

package/dist/modules/identity/oidc/templates.d.ts

@@ -1,36 +0,0 @@
-import { type OIDCHbsTemplates } from './interfaces.js';
-export interface OIDCTemplateError {
-    key: string;
-    message?: string;
-}
-export interface OIDCTemplateContext {
-    title: string;
-    error?: OIDCTemplateError;
-    dev: boolean;
-    dbg: {
-        session?: any;
-        params?: any;
-        prompt?: any;
-    };
-}
-export interface OIDCTemplateConsentContext extends OIDCTemplateContext {
-    uid: string;
-    details?: any;
-}
-export interface OIDCTemplateLoginContext extends OIDCTemplateContext {
-    uid: string;
-    identifier?: string;
-    remember?: boolean;
-}
-export declare class OIDCTemplateEngine {
-    private templates;
-    private layoutHbs?;
-    private loginHbs?;
-    private consentHbs?;
-    constructor(templates: OIDCHbsTemplates | undefined);
-    layout(context: OIDCTemplateContext & {
-        body: string;
-    }): Promise<string>;
-    login(context: OIDCTemplateLoginContext): Promise<string>;
-    consent(context: OIDCTemplateConsentContext): Promise<string>;
-}