@semapps/auth 1.1.3 → 1.2.0

package/dist/services/jwt.js

@@ -0,0 +1,111 @@
+import fs from 'fs';
+import path from 'path';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'json... Remove this comment to see the full error message
+import jwt from 'jsonwebtoken';
+import crypto from 'crypto';
+/**
+ * Service that creates and validates JSON web tokens(JWT).
+ * Tokens are signed against this server's keys.
+ * This is useful for generating/validating authentication tokens.
+ *
+ * TODO: Tokens do not expire.
+ */
+const AuthJwtSchema = {
+    name: 'auth.jwt',
+    settings: {
+        jwtPath: null
+    },
+    async created() {
+        const privateKeyPath = path.resolve(this.settings.jwtPath, 'jwtRS256.key');
+        const publicKeyPath = path.resolve(this.settings.jwtPath, 'jwtRS256.key.pub');
+        if (!fs.existsSync(privateKeyPath) && !fs.existsSync(publicKeyPath)) {
+            this.logger.info('JWT keypair not found, generating...');
+            if (!fs.existsSync(this.settings.jwtPath)) {
+                fs.mkdirSync(this.settings.jwtPath);
+            }
+            await this.actions.generateKeyPair({ privateKeyPath, publicKeyPath });
+        }
+        this.privateKey = fs.readFileSync(privateKeyPath);
+        this.publicKey = fs.readFileSync(publicKeyPath);
+    },
+    actions: {
+        generateKeyPair: {
+            handler(ctx) {
+                const { privateKeyPath, publicKeyPath } = ctx.params;
+                return new Promise((resolve, reject) => {
+                    crypto.generateKeyPair('rsa', {
+                        modulusLength: 4096,
+                        publicKeyEncoding: {
+                            type: 'spki',
+                            format: 'pem'
+                        },
+                        privateKeyEncoding: {
+                            type: 'pkcs8',
+                            format: 'pem'
+                        }
+                    }, (err, publicKey, privateKey) => {
+                        if (err) {
+                            reject(err);
+                        }
+                        else {
+                            fs.writeFile(privateKeyPath, privateKey, err => {
+                                if (err) {
+                                    reject(err);
+                                }
+                                else {
+                                    fs.writeFile(publicKeyPath, publicKey, err => {
+                                        if (err) {
+                                            reject(err);
+                                        }
+                                        else {
+                                            resolve({ privateKey, publicKey });
+                                        }
+                                    });
+                                }
+                            });
+                        }
+                    });
+                });
+            }
+        },
+        generateServerSignedToken: {
+            async handler(ctx) {
+                const { payload } = ctx.params;
+                return jwt.sign(payload, this.privateKey, { algorithm: 'RS256' });
+            }
+        },
+        verifyServerSignedToken: {
+            /** Verifies that the token was signed by this server. */
+            async handler(ctx) {
+                const { token } = ctx.params;
+                try {
+                    return jwt.verify(token, this.publicKey, { algorithms: ['RS256'] });
+                }
+                catch (err) {
+                    return false;
+                }
+            }
+        },
+        generateUnsignedToken: {
+            async handler(ctx) {
+                const { payload } = ctx.params;
+                const token = jwt.sign(payload, null, { algorithm: 'none' });
+                return token;
+            }
+        },
+        decodeToken: {
+            // Warning, this does NOT verify if signature is valid
+            async handler(ctx) {
+                const { token } = ctx.params;
+                try {
+                    return jwt.decode(token);
+                }
+                catch (err) {
+                    return false;
+                }
+            }
+        }
+    }
+};
+export default AuthJwtSchema;
+//# sourceMappingURL=jwt.js.map

package/dist/services/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../services/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,qIAAqI;AACrI,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAG5B;;;;;;GAMG;AACH,MAAM,aAAa,GAAG;IACpB,IAAI,EAAE,UAAmB;IACzB,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;KACd;IACD,KAAK,CAAC,OAAO;QACX,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAE9E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACzD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACtC,CAAC;YACD,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;QAClD,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,EAAE;QACP,eAAe,EAAE;YACf,OAAO,CAAC,GAAG;gBACT,MAAM,EAAE,cAAc,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAErD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;oBACrC,MAAM,CAAC,eAAe,CACpB,KAAK,EACL;wBACE,aAAa,EAAE,IAAI;wBACnB,iBAAiB,EAAE;4BACjB,IAAI,EAAE,MAAM;4BACZ,MAAM,EAAE,KAAK;yBACd;wBACD,kBAAkB,EAAE;4BAClB,IAAI,EAAE,OAAO;4BACb,MAAM,EAAE,KAAK;yBACd;qBACF,EACD,CAAC,GAAG,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE;wBAC7B,IAAI,GAAG,EAAE,CAAC;4BACR,MAAM,CAAC,GAAG,CAAC,CAAC;wBACd,CAAC;6BAAM,CAAC;4BACN,EAAE,CAAC,SAAS,CAAC,cAAc,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE;gCAC7C,IAAI,GAAG,EAAE,CAAC;oCACR,MAAM,CAAC,GAAG,CAAC,CAAC;gCACd,CAAC;qCAAM,CAAC;oCACN,EAAE,CAAC,SAAS,CAAC,aAAa,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE;wCAC3C,IAAI,GAAG,EAAE,CAAC;4CACR,MAAM,CAAC,GAAG,CAAC,CAAC;wCACd,CAAC;6CAAM,CAAC;4CACN,OAAO,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;wCACrC,CAAC;oCACH,CAAC,CAAC,CAAC;gCACL,CAAC;4BACH,CAAC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC,CACF,CAAC;gBACJ,CAAC,CAAC,CAAC;YACL,CAAC;SACF;QAED,yBAAyB,EAAE;YACzB,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC/B,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YACpE,CAAC;SACF;QAED,uBAAuB,EAAE;YACvB,yDAAyD;YACzD,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC7B,IAAI,CAAC;oBACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,EAAE,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBACtE,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;SACF;QAED,qBAAqB,EAAE;YACrB,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;SACF;QAED,WAAW,EAAE;YACX,sDAAsD;YACtD,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC7B,IAAI,CAAC;oBACH,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC3B,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;SACF;KACF;CACsB,CAAC;AAE1B,eAAe,aAAa,CAAC"}

package/dist/services/mail.d.ts

@@ -0,0 +1,31 @@
+declare const AuthMailSchema: {
+    name: "auth.mail";
+    mixins: any[];
+    settings: {
+        defaults: {
+            locale: string;
+            frontUrl: null;
+        };
+        templateFolder: string;
+        from: null;
+        transport: null;
+    };
+    actions: {
+        sendResetPasswordEmail: {
+            handler(ctx: Moleculer.Context<Optionalize<{
+                [x: string]: any;
+            }>, {}, Moleculer.GenericObject>): Promise<void>;
+        };
+    };
+    methods: {
+        getTemplateLocale(userLocale: any): "fr-FR" | "en-EN";
+    };
+};
+export default AuthMailSchema;
+declare global {
+    export namespace Moleculer {
+        interface AllServices {
+            [AuthMailSchema.name]: typeof AuthMailSchema;
+        }
+    }
+}

package/dist/services/mail.js

@@ -0,0 +1,52 @@
+import path from 'path';
+import urlJoin from 'url-join';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'mole... Remove this comment to see the full error message
+import MailService from 'moleculer-mail';
+import { fileURLToPath } from 'url';
+// @ts-expect-error TS(1470): The 'import.meta' meta-property is not allowed in ... Remove this comment to see the full error message
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const AuthMailSchema = {
+    name: 'auth.mail',
+    mixins: [MailService],
+    settings: {
+        defaults: {
+            locale: 'en',
+            frontUrl: null
+        },
+        templateFolder: path.join(__dirname, '../templates'),
+        from: null,
+        transport: null
+    },
+    actions: {
+        sendResetPasswordEmail: {
+            async handler(ctx) {
+                const { account, token } = ctx.params;
+                await this.actions.send({
+                    to: account.email,
+                    template: 'reset-password',
+                    locale: this.getTemplateLocale(account.preferredLocale || this.settings.defaults.locale),
+                    data: {
+                        account,
+                        resetUrl: `${urlJoin(this.settings.defaults.frontUrl, 'login')}?new_password=true&token=${token}`
+                    }
+                }, {
+                    parentCtx: ctx
+                });
+            }
+        }
+    },
+    methods: {
+        getTemplateLocale(userLocale) {
+            switch (userLocale) {
+                case 'fr':
+                    return 'fr-FR';
+                case 'en':
+                    return 'en-EN';
+                default:
+                    return 'en-EN';
+            }
+        }
+    }
+};
+export default AuthMailSchema;
+//# sourceMappingURL=mail.js.map

package/dist/services/mail.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mail.js","sourceRoot":"","sources":["../../services/mail.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,OAAO,MAAM,UAAU,CAAC;AAC/B,qIAAqI;AACrI,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,qIAAqI;AACrI,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE/D,MAAM,cAAc,GAAG;IACrB,IAAI,EAAE,WAAoB;IAC1B,MAAM,EAAE,CAAC,WAAW,CAAC;IACrB,QAAQ,EAAE;QACR,QAAQ,EAAE;YACR,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,IAAI;SACf;QACD,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC;QACpD,IAAI,EAAE,IAAI;QACV,SAAS,EAAE,IAAI;KAChB;IACD,OAAO,EAAE;QACP,sBAAsB,EAAE;YACtB,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAEtC,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACrB;oBACE,EAAE,EAAE,OAAO,CAAC,KAAK;oBACjB,QAAQ,EAAE,gBAAgB;oBAC1B,MAAM,EAAE,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,eAAe,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxF,IAAI,EAAE;wBACJ,OAAO;wBACP,QAAQ,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,4BAA4B,KAAK,EAAE;qBAClG;iBACF,EACD;oBACE,SAAS,EAAE,GAAG;iBACf,CACF,CAAC;YACJ,CAAC;SACF;KACF;IACD,OAAO,EAAE;QACP,iBAAiB,CAAC,UAAU;YAC1B,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,IAAI;oBACP,OAAO,OAAO,CAAC;gBACjB,KAAK,IAAI;oBACP,OAAO,OAAO,CAAC;gBACjB;oBACE,OAAO,OAAO,CAAC;YACnB,CAAC;QACH,CAAC;KACF;CACsB,CAAC;AAE1B,eAAe,cAAc,CAAC"}

package/dist/services/migration.d.ts

@@ -0,0 +1,18 @@
+declare const AuthMigrationSchema: {
+    name: "auth.migration";
+    actions: {
+        migrateUsersToAccounts: {
+            handler(ctx: Moleculer.Context<Optionalize<{
+                [x: string]: any;
+            }>, {}, Moleculer.GenericObject>): Promise<void>;
+        };
+    };
+};
+export default AuthMigrationSchema;
+declare global {
+    export namespace Moleculer {
+        interface AllServices {
+            [AuthMigrationSchema.name]: typeof AuthMigrationSchema;
+        }
+    }
+}

package/dist/services/migration.js

@@ -0,0 +1,33 @@
+import { MIME_TYPES } from '@semapps/mime-types';
+import { getSlugFromUri } from '@semapps/ldp';
+const AuthMigrationSchema = {
+    name: 'auth.migration',
+    actions: {
+        migrateUsersToAccounts: {
+            async handler(ctx) {
+                const { usersContainer, emailPredicate, usernamePredicate } = ctx.params;
+                const results = await ctx.call('ldp.container.get', { containerUri: usersContainer, accept: MIME_TYPES.JSON });
+                for (const user of results['ldp:contains']) {
+                    if (user[emailPredicate]) {
+                        try {
+                            await ctx.call('auth.account.create', {
+                                email: user[emailPredicate],
+                                username: usernamePredicate ? user[usernamePredicate] : getSlugFromUri(user.id),
+                                webId: user.id
+                            });
+                        }
+                        catch (e) {
+                            // @ts-expect-error TS(18046): 'e' is of type 'unknown'.
+                            console.log(`Unable to create account for user ${user.id}. Error message: ${e.message}`);
+                        }
+                    }
+                    else {
+                        console.log(`No email found for user ${user.id}`);
+                    }
+                }
+            }
+        }
+    }
+};
+export default AuthMigrationSchema;
+//# sourceMappingURL=migration.js.map

package/dist/services/migration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../services/migration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAG9C,MAAM,mBAAmB,GAAG;IAC1B,IAAI,EAAE,gBAAyB;IAC/B,OAAO,EAAE;QACP,sBAAsB,EAAE;YACtB,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAEzE,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;gBAE/G,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;oBAC3C,IAAI,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;wBACzB,IAAI,CAAC;4BACH,MAAM,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE;gCACpC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC;gCAC3B,QAAQ,EAAE,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;gCAC/E,KAAK,EAAE,IAAI,CAAC,EAAE;6BACf,CAAC,CAAC;wBACL,CAAC;wBAAC,OAAO,CAAC,EAAE,CAAC;4BACX,wDAAwD;4BACxD,OAAO,CAAC,GAAG,CAAC,qCAAqC,IAAI,CAAC,EAAE,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;wBAC3F,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;oBACpD,CAAC;gBACH,CAAC;YACH,CAAC;SACF;KACF;CACsB,CAAC;AAE1B,eAAe,mBAAmB,CAAC"}

package/dist/tsconfig.tsbuildinfo

@@ -0,0 +1 @@
+{"root":["../index.ts"],"errors":true,"version":"5.9.2"}

package/index.ts

@@ -0,0 +1,17 @@
+import AuthCASService from './services/auth.cas.ts';
+import AuthLocalService from './services/auth.local.ts';
+import AuthOIDCService from './services/auth.oidc.ts';
+import AuthAccountService from './services/account.ts';
+import AuthJWTService from './services/jwt.ts';
+import AuthMigrationService from './services/migration.ts';
+import AuthMailService from './services/mail.ts';
+
+export {
+  AuthCASService,
+  AuthLocalService,
+  AuthOIDCService,
+  AuthAccountService,
+  AuthJWTService,
+  AuthMigrationService,
+  AuthMailService
+};

package/middlewares/localLogout.ts

@@ -0,0 +1,6 @@
+const localLogout = (req: any, res: any, next: any) => {
+  req.logout(); // Passport logout
+  next();
+};
+
+export default localLogout;

package/middlewares/{redirectToFront.js → redirectToFront.ts}

@@ -1,4 +1,4 @@
-const redirectToFront = (req, res) => {
+const redirectToFront = (req: any, res: any) => {
   // Redirect browser to the redirect URL pushed in session
   const redirectUrl = new URL(req.session.redirectUrl);
   if (req.user) {
@@ -11,4 +11,4 @@ const redirectToFront = (req, res) => {
   res.end();
 };
 
-module.exports = redirectToFront;
+export default redirectToFront;

package/middlewares/{saveRedirectUrl.js → saveRedirectUrl.ts}

@@ -1,4 +1,4 @@
-const saveRedirectUrl = (req, res, next) => {
+const saveRedirectUrl = (req: any, res: any, next: any) => {
   // Persist referer on the session to get it back after redirection
   // If the redirectUrl is already in the session, use it as default value
   req.session.redirectUrl =
@@ -6,4 +6,4 @@ const saveRedirectUrl = (req, res, next) => {
   next();
 };
 
-module.exports = saveRedirectUrl;
+export default saveRedirectUrl;

package/middlewares/{sendToken.js → sendToken.ts}

@@ -1,6 +1,6 @@
-const sendToken = (req, res) => {
+const sendToken = (req: any, res: any) => {
   res.setHeader('Content-Type', 'application/json');
   res.end(JSON.stringify({ token: req.user.token, webId: req.user.webId, newUser: req.user.newUser }));
 };
 
-module.exports = sendToken;
+export default sendToken;

package/mixins/auth.sso.ts

@@ -0,0 +1,100 @@
+import path from 'path';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'expr... Remove this comment to see the full error message
+import session from 'express-session';
+import { ServiceSchema } from 'moleculer';
+import AuthMixin from './auth.ts';
+import saveRedirectUrl from '../middlewares/saveRedirectUrl.ts';
+import redirectToFront from '../middlewares/redirectToFront.ts';
+import localLogout from '../middlewares/localLogout.ts';
+
+const AuthSSOMixin = {
+  mixins: [AuthMixin],
+  settings: {
+    baseUrl: null,
+    jwtPath: null,
+    registrationAllowed: true,
+    reservedUsernames: [],
+    webIdSelection: [],
+    // SSO-specific settings
+    sessionSecret: 's€m@pps',
+    selectSsoData: null
+  },
+  actions: {
+    loginOrSignup: {
+      async handler(ctx) {
+        const { ssoData } = ctx.params;
+
+        const profileData = this.settings.selectSsoData ? await this.settings.selectSsoData(ssoData) : ssoData;
+
+        // TODO use UUID to identify unique accounts with SSO
+        const existingAccounts = await ctx.call('auth.account.find', { query: { email: profileData.email } });
+
+        let accountData;
+        let webId;
+        let newUser;
+        if (existingAccounts.length > 0) {
+          accountData = existingAccounts[0];
+          webId = accountData.webId;
+          newUser = false;
+
+          // TODO update account with recent profileData information
+
+          ctx.emit('auth.connected', { webId, accountData, ssoData }, { meta: { webId: null, dataset: null } });
+        } else {
+          if (!this.settings.registrationAllowed) {
+            throw new Error('registration.not-allowed');
+          }
+
+          accountData = await ctx.call('auth.account.create', {
+            uuid: profileData.uuid,
+            email: profileData.email,
+            username: profileData.username
+          });
+          webId = await ctx.call(
+            'webid.createWebId',
+            this.pickWebIdData({ nick: accountData.username, ...profileData })
+          );
+          newUser = true;
+
+          // Link the webId with the account
+          await ctx.call('auth.account.attachWebId', { accountUri: accountData['@id'], webId });
+
+          ctx.emit(
+            'auth.registered',
+            { webId, profileData, accountData, ssoData },
+            { meta: { webId: null, dataset: null } }
+          );
+        }
+
+        const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
+
+        return { token, newUser };
+      }
+    }
+  },
+  methods: {
+    getApiRoutes(basePath) {
+      const sessionMiddleware = session({ secret: this.settings.sessionSecret, maxAge: null });
+      return [
+        {
+          path: path.join(basePath, '/auth'),
+          name: 'auth',
+          use: [sessionMiddleware, this.passport.initialize(), this.passport.session()],
+          aliases: {
+            'GET /': [saveRedirectUrl, this.passport.authenticate(this.passportId, { session: false }), redirectToFront]
+          }
+        },
+        {
+          path: path.join(basePath, '/auth/logout'),
+          name: 'auth-logout',
+          use: [sessionMiddleware, this.passport.initialize(), this.passport.session()],
+          aliases: {
+            'GET /': [saveRedirectUrl, localLogout, redirectToFront]
+          }
+        }
+      ];
+    }
+  }
+} satisfies Partial<ServiceSchema>;
+
+export default AuthSSOMixin;

package/mixins/{auth.js → auth.ts}

@@ -1,8 +1,11 @@
-const passport = require('passport');
-const { Errors: E } = require('moleculer-web');
-const { TripleStoreAdapter } = require('@semapps/triplestore');
-const AuthAccountService = require('../services/account');
-const AuthJWTService = require('../services/jwt');
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'pass... Remove this comment to see the full error message
+import passport from 'passport';
+// @ts-expect-error TS(2614): Module '"moleculer-web"' has no exported member 'E... Remove this comment to see the full error message
+import { Errors as E } from 'moleculer-web';
+import { TripleStoreAdapter } from '@semapps/triplestore';
+import { ServiceSchema } from 'moleculer';
+import AuthAccountService from '../services/account.ts';
+import AuthJWTService from '../services/jwt.ts';
 
 /**
  * Auth Mixin that handles authentication and authorization for routes
@@ -76,11 +79,13 @@ const AuthMixin = {
     const { jwtPath, reservedUsernames, minPasswordLength, minUsernameLength, accountsDataset, podProvider } =
       this.settings;
 
+    // @ts-expect-error TS(2345): Argument of type '{ mixins: { name: "auth.jwt"; se... Remove this comment to see the full error message
     this.broker.createService({
       mixins: [AuthJWTService],
       settings: { jwtPath }
     });
 
+    // @ts-expect-error TS(2345): Argument of type '{ mixins: { name: "auth.account"... Remove this comment to see the full error message
     this.broker.createService({
       mixins: [AuthAccountService],
       settings: { reservedUsernames, minPasswordLength, minUsernameLength },
@@ -91,10 +96,10 @@ const AuthMixin = {
     if (!this.passportId) throw new Error('this.passportId must be set in the service creation.');
 
     this.passport = passport;
-    this.passport.serializeUser((user, done) => {
+    this.passport.serializeUser((user: any, done: any) => {
       done(null, user);
     });
-    this.passport.deserializeUser((user, done) => {
+    this.passport.deserializeUser((user: any, done: any) => {
       done(null, user);
     });
 
@@ -109,24 +114,70 @@ const AuthMixin = {
     }
   },
   actions: {
-    // See https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
-    async authenticate(ctx) {
-      const { route, req, res } = ctx.params;
-      // Extract method and token from authorization header.
-      const [method, token] = req.headers.authorization?.split(' ') || [];
-
-      if (!token) {
-        // No token
+    authenticate: {
+      // See https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
+      async handler(ctx) {
+        const { route, req, res } = ctx.params;
+        // Extract method and token from authorization header.
+        const [method, token] = req.headers.authorization?.split(' ') || [];
+
+        if (!token) {
+          // No token
+          // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+          ctx.meta.webId = 'anon';
+          return Promise.resolve(null);
+        }
+
+        if (method === 'Bearer') {
+          const payload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
+          if (payload) {
+            // @ts-expect-error TS(2339): Property 'tokenPayload' does not exist on type '{}... Remove this comment to see the full error message
+            ctx.meta.tokenPayload = payload;
+            // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+            ctx.meta.webId = payload.webId;
+            return Promise.resolve(payload);
+          }
+
+          // Check if token is a capability.
+          if (route.opts.authorizeWithCapability) {
+            return this.validateCapability(ctx, token);
+          }
+
+          // Invalid token
+          // TODO make sure token is deleted client-side
+          return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+        }
+
+        // No valid auth method given.
+        // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
         ctx.meta.webId = 'anon';
         return Promise.resolve(null);
       }
+    },
+
+    authorize: {
+      // See https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
+      async handler(ctx) {
+        const { route, req, res } = ctx.params;
+        // Extract token from authorization header (do not take the Bearer part)
+        /** @type {[string, string]} */
+        const [method, token] = req.headers.authorization && req.headers.authorization.split(' ');
 
-      if (method === 'Bearer') {
-        const payload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
-        if (payload) {
-          ctx.meta.tokenPayload = payload;
-          ctx.meta.webId = payload.webId;
-          return Promise.resolve(payload);
+        if (!token) {
+          return Promise.reject(new E.UnAuthorizedError(E.ERR_NO_TOKEN));
+        }
+        if (method !== 'Bearer') {
+          return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+        }
+
+        // Validate if the token was signed by server (registered user).
+        const serverSignedPayload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
+        if (serverSignedPayload) {
+          // @ts-expect-error TS(2339): Property 'tokenPayload' does not exist on type '{}... Remove this comment to see the full error message
+          ctx.meta.tokenPayload = serverSignedPayload;
+          // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+          ctx.meta.webId = serverSignedPayload.webId;
+          return Promise.resolve(serverSignedPayload);
         }
 
         // Check if token is a capability.
@@ -134,53 +185,19 @@ const AuthMixin = {
           return this.validateCapability(ctx, token);
         }
 
-        // Invalid token
-        // TODO make sure token is deleted client-side
         return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
       }
-
-      // No valid auth method given.
-      ctx.meta.webId = 'anon';
-      return Promise.resolve(null);
     },
 
-    // See https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
-    async authorize(ctx) {
-      const { route, req, res } = ctx.params;
-      // Extract token from authorization header (do not take the Bearer part)
-      /** @type {[string, string]} */
-      const [method, token] = req.headers.authorization && req.headers.authorization.split(' ');
-
-      if (!token) {
-        return Promise.reject(new E.UnAuthorizedError(E.ERR_NO_TOKEN));
+    impersonate: {
+      async handler(ctx) {
+        const { webId } = ctx.params;
+        return await ctx.call('auth.jwt.generateServerSignedToken', {
+          payload: {
+            webId
+          }
+        });
       }
-      if (method !== 'Bearer') {
-        return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
-      }
-
-      // Validate if the token was signed by server (registered user).
-      const serverSignedPayload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
-      if (serverSignedPayload) {
-        ctx.meta.tokenPayload = serverSignedPayload;
-        ctx.meta.webId = serverSignedPayload.webId;
-        return Promise.resolve(serverSignedPayload);
-      }
-
-      // Check if token is a capability.
-      if (route.opts.authorizeWithCapability) {
-        return this.validateCapability(ctx, token);
-      }
-
-      return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
-    },
-
-    async impersonate(ctx) {
-      const { webId } = ctx.params;
-      return await ctx.call('auth.jwt.generateServerSignedToken', {
-        payload: {
-          webId
-        }
-      });
     }
   },
   methods: {
@@ -189,6 +206,11 @@ const AuthMixin = {
       // We do not use the VC-JOSE spec to sign and envelop presentations. Instead we go
       // with embedded signatures. This way, the signature persists within the resource.
 
+      const hasCapabilityService = ctx.broker.registry.actions.isAvailable(
+        'crypto.vc.verifier.verifyCapabilityPresentation'
+      );
+      if (!hasCapabilityService) return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+
       // Decode JTW to JSON.
       const decodedToken = await ctx.call('auth.jwt.decodeToken', { token });
       if (!decodedToken) return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
@@ -220,7 +242,9 @@ const AuthMixin = {
     },
     pickWebIdData(data) {
       if (this.settings.webIdSelection.length > 0) {
-        return Object.fromEntries(this.settings.webIdSelection.filter(key => key in data).map(key => [key, data[key]]));
+        return Object.fromEntries(
+          this.settings.webIdSelection.filter((key: any) => key in data).map((key: any) => [key, data[key]])
+        );
       } else {
         // TODO do not return anything if webIdSelection is empty, to conform with pickAccountData
         return data || {};
@@ -229,13 +253,13 @@ const AuthMixin = {
     pickAccountData(data) {
       if (this.settings.accountSelection.length > 0) {
         return Object.fromEntries(
-          this.settings.accountSelection.filter(key => key in data).map(key => [key, data[key]])
+          this.settings.accountSelection.filter((key: any) => key in data).map((key: any) => [key, data[key]])
         );
       } else {
         return {};
       }
     }
   }
-};
+} satisfies Partial<ServiceSchema>;
 
-module.exports = AuthMixin;
+export default AuthMixin;