@simulacrum/auth0-simulator 0.11.1 → 0.11.3

package/dist/handlers/auth0-handlers.mjs

@@ -0,0 +1,207 @@
+import { createLoginRedirectHandler } from "./login-redirect.mjs";
+import { createWebMessageHandler } from "./web-message.mjs";
+import { createPersonQuery } from "./utils.mjs";
+import { loginView } from "../views/login.mjs";
+import { createTokens } from "./oauth-handlers.mjs";
+import { userNamePasswordForm } from "../views/username-password.mjs";
+import { stringify } from "querystring";
+import { assert } from "assert-ts";
+import { encode } from "base64-url";
+import { decode as decode$1 } from "jsonwebtoken";
+
+//#region src/handlers/auth0-handlers.ts
+const createLogger = (debug) => ({ log: (...args) => {
+	if (!debug) return;
+	console.dir(...args);
+} });
+const createAuth0Handlers = (simulationStore, serviceURL, options, debug) => {
+	let { audience, scope, clientID, rulesDirectory } = options;
+	let personQuery = createPersonQuery(simulationStore);
+	let authorizeHandlers = {
+		query: createLoginRedirectHandler(options),
+		web_message: createWebMessageHandler()
+	};
+	let logger = createLogger(debug);
+	return {
+		["/heartbeat"]: function(_, res) {
+			res.status(200).json({ ok: true });
+		},
+		["/authorize"]: function(req, res, next) {
+			logger.log({ "/authorize": {
+				body: req.body,
+				query: req.query,
+				session: req.session
+			} });
+			let currentUser = req.query.currentUser;
+			assert(!!req.session, "no session");
+			if (currentUser) req.session.username = currentUser;
+			let responseMode = req.query.response_mode ?? "query";
+			assert(["query", "web_message"].includes(responseMode), `unknown response_mode ${responseMode}`);
+			let handler = authorizeHandlers[responseMode];
+			handler(req, res, next);
+		},
+		["/login"]: function(req, res) {
+			logger.log({ "/login": {
+				body: req.body,
+				query: req.query
+			} });
+			let query = req.query;
+			let responseClientId = query.client_id ?? clientID;
+			let responseAudience = query.audience ?? audience;
+			assert(!!responseClientId, `no clientID assigned`);
+			let html = loginView({
+				domain: new URL(serviceURL(req)).host,
+				scope,
+				redirectUri: query.redirect_uri,
+				clientID: responseClientId,
+				audience: responseAudience,
+				loginFailed: false
+			});
+			res.set("Content-Type", "text/html");
+			res.status(200).send(Buffer.from(html));
+		},
+		["/usernamepassword/login"]: function(req, res) {
+			logger.log({ "/usernamepassword/login": {
+				body: req.body,
+				query: req.query
+			} });
+			let { username, nonce, password } = req.body;
+			assert(!!username, "no username in /usernamepassword/login");
+			assert(!!nonce, "no nonce in /usernamepassword/login");
+			assert(!!req.session, "no session");
+			if (!personQuery((person) => person.email?.toLowerCase() === username.toLowerCase() && person.password === password)) {
+				let query = req.query;
+				let responseClientId = query.client_id ?? clientID;
+				let responseAudience = query.audience ?? audience;
+				assert(!!clientID, `no clientID assigned`);
+				let html = loginView({
+					domain: new URL(serviceURL(req)).host,
+					scope,
+					redirectUri: query.redirect_uri,
+					clientID: responseClientId,
+					audience: responseAudience,
+					loginFailed: true
+				});
+				res.set("Content-Type", "text/html");
+				res.status(400).send(html);
+				return;
+			}
+			req.session.username = username;
+			simulationStore.store.dispatch(simulationStore.actions.batchUpdater([simulationStore.schema.sessions.patch({ [nonce]: {
+				username,
+				nonce
+			} })]));
+			res.status(200).send(userNamePasswordForm(req.body));
+		},
+		["/login/callback"]: function(req, res) {
+			let wctx = JSON.parse(req.body.wctx);
+			logger.log({ "/login/callback": {
+				body: req.body,
+				query: req.query,
+				wctx
+			} });
+			let { redirect_uri, nonce } = wctx;
+			const { username } = simulationStore.schema.sessions.selectById(simulationStore.store.getState(), { id: nonce }) ?? {};
+			let routerUrl = `${redirect_uri}?${stringify({
+				code: encode(`${nonce}:${username}`),
+				...wctx
+			})}`;
+			res.redirect(302, routerUrl);
+		},
+		["/oauth/token"]: async function(req, res, next) {
+			logger.log({ "/oauth/token": {
+				body: req.body,
+				query: req.query
+			} });
+			try {
+				let iss = serviceURL(req);
+				let responseClientId = req?.body?.client_id ?? clientID;
+				let responseAudience = req?.body?.audience ?? audience;
+				assert(!!responseClientId, "500::no clientID in options or request body");
+				let tokens = await createTokens({
+					simulationStore,
+					body: req.body,
+					iss,
+					clientID: responseClientId,
+					audience: responseAudience,
+					rulesDirectory,
+					scope
+				});
+				res.status(200).json({
+					...tokens,
+					expires_in: 86400,
+					token_type: "Bearer"
+				});
+			} catch (error) {
+				next(error);
+			}
+		},
+		["/v2/logout"]: function(req, res) {
+			req.session = null;
+			let returnToUrl = req.query.returnTo ?? req.headers.referer;
+			assert(typeof returnToUrl === "string", `no logical returnTo url`);
+			res.redirect(returnToUrl);
+		},
+		["/userinfo"]: function(req, res) {
+			let token = null;
+			if (req.headers.authorization) token = req.headers.authorization?.split(" ")?.[1];
+			else token = req?.query?.access_token;
+			assert(!!token, "no authorization header or access_token");
+			let { sub } = decode$1(token, { json: true });
+			let user = personQuery((person) => {
+				assert(!!person.id, `no email defined on person scenario`);
+				return person.id === sub;
+			});
+			assert(!!user, "no user in /userinfo");
+			let userinfo = {
+				sub,
+				name: user.name,
+				given_name: user.name,
+				family_name: user.name,
+				email: user.email,
+				email_verified: true,
+				locale: "en",
+				hd: "okta.com"
+			};
+			res.status(200).json(userinfo);
+		},
+		["/passwordless/start"]: function(req, res, next) {
+			logger.log({ "/passwordless/start": { body: req.body } });
+			try {
+				const { client_id, connection, email, phone_number } = req.body;
+				if (!client_id) {
+					res.status(400).json({ error: "client_id is required" });
+					return;
+				}
+				if (!connection || connection !== "email" && connection !== "sms") {
+					res.status(400).json({ error: "connection must be 'email' or 'sms'" });
+					return;
+				}
+				if (connection === "email" && !email) {
+					res.status(400).json({ error: "email is required when connection is 'email'" });
+					return;
+				}
+				if (connection === "sms" && !phone_number) {
+					res.status(400).json({ error: "phone_number is required when connection is 'sms'" });
+					return;
+				}
+				if (connection === "email") res.status(200).json({
+					_id: "000000000000000000000000",
+					email,
+					email_verified: false
+				});
+				else res.status(200).json({
+					_id: "000000000000000000000000",
+					phone_number,
+					phone_verified: false
+				});
+			} catch (error) {
+				next(error);
+			}
+		}
+	};
+};
+
+//#endregion
+export { createAuth0Handlers };
+//# sourceMappingURL=auth0-handlers.mjs.map

package/dist/handlers/auth0-handlers.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth0-handlers.mjs","names":["authorizeHandlers: Record<ResponseModes, RequestHandler>","responseClientId: string","responseAudience: string","token: string | null","decodeToken"],"sources":["../../src/handlers/auth0-handlers.ts"],"sourcesContent":["import type { ExtendedSimulationStore } from \"../store/index.ts\";\nimport type { Request, RequestHandler } from \"express\";\nimport type {\n  Auth0Configuration,\n  QueryParams,\n  ResponseModes,\n} from \"../types.ts\";\nimport { createLoginRedirectHandler } from \"./login-redirect.ts\";\nimport { createWebMessageHandler } from \"./web-message.ts\";\nimport { loginView } from \"../views/login.ts\";\nimport { createTokens } from \"./oauth-handlers.ts\";\nimport { assert } from \"assert-ts\";\nimport { stringify } from \"querystring\";\nimport { encode } from \"base64-url\";\nimport { userNamePasswordForm } from \"../views/username-password.ts\";\nimport { decode as decodeToken } from \"jsonwebtoken\";\nimport { createPersonQuery } from \"./utils.ts\";\n\nexport type Routes =\n  | \"/heartbeat\"\n  | \"/authorize\"\n  | \"/login\"\n  | \"/usernamepassword/login\"\n  | \"/login/callback\"\n  | \"/oauth/token\"\n  | \"/v2/logout\"\n  | \"/userinfo\"\n  | \"/passwordless/start\";\n\nexport type AuthSession = { username: string; nonce: string };\n\ntype LoggerArgs = Parameters<typeof console.dir>;\n\nconst createLogger = (debug: boolean) => ({\n  log: (...args: LoggerArgs): void => {\n    if (!debug) {\n      return;\n    }\n\n    console.dir(...args);\n  },\n});\n\nexport const createAuth0Handlers = (\n  simulationStore: ExtendedSimulationStore,\n  serviceURL: (request: Request) => string,\n  options: Auth0Configuration,\n  debug: boolean\n): Record<Routes, RequestHandler> => {\n  let { audience, scope, clientID, rulesDirectory } = options;\n  let personQuery = createPersonQuery(simulationStore);\n\n  let authorizeHandlers: Record<ResponseModes, RequestHandler> = {\n    query: createLoginRedirectHandler(options),\n    web_message: createWebMessageHandler(),\n  };\n\n  let logger = createLogger(debug);\n\n  return {\n    [\"/heartbeat\"]: function (_, res) {\n      res.status(200).json({ ok: true });\n    },\n\n    [\"/authorize\"]: function (req, res, next) {\n      logger.log({\n        \"/authorize\": {\n          body: req.body,\n          query: req.query,\n          session: req.session,\n        },\n      });\n      let currentUser = req.query.currentUser as string | undefined;\n\n      assert(!!req.session, \"no session\");\n\n      if (currentUser) {\n        // the request is a silent login.\n        // We fake an existing login by\n        // adding the user to the session\n        req.session.username = currentUser;\n      }\n\n      let responseMode = (req.query.response_mode ?? \"query\") as ResponseModes;\n\n      assert(\n        [\"query\", \"web_message\"].includes(responseMode),\n        `unknown response_mode ${responseMode}`\n      );\n\n      let handler = authorizeHandlers[responseMode];\n\n      handler(req, res, next);\n    },\n\n    [\"/login\"]: function (req, res) {\n      logger.log({ \"/login\": { body: req.body, query: req.query } });\n      let query = req.query as QueryParams;\n      let responseClientId = query.client_id ?? clientID;\n      let responseAudience = query.audience ?? audience;\n      assert(!!responseClientId, `no clientID assigned`);\n\n      let html = loginView({\n        domain: new URL(serviceURL(req)).host,\n        scope,\n        redirectUri: query.redirect_uri,\n        clientID: responseClientId,\n        audience: responseAudience,\n        loginFailed: false,\n      });\n\n      res.set(\"Content-Type\", \"text/html\");\n\n      res.status(200).send(Buffer.from(html));\n    },\n\n    [\"/usernamepassword/login\"]: function (req, res) {\n      logger.log({\n        \"/usernamepassword/login\": { body: req.body, query: req.query },\n      });\n      let { username, nonce, password } = req.body;\n\n      assert(!!username, \"no username in /usernamepassword/login\");\n      assert(!!nonce, \"no nonce in /usernamepassword/login\");\n      assert(!!req.session, \"no session\");\n\n      let user = personQuery(\n        (person) =>\n          person.email?.toLowerCase() === username.toLowerCase() &&\n          person.password === password\n      );\n\n      if (!user) {\n        let query = req.query as QueryParams;\n        let responseClientId = query.client_id ?? clientID;\n        let responseAudience = query.audience ?? audience;\n\n        assert(!!clientID, `no clientID assigned`);\n\n        let html = loginView({\n          domain: new URL(serviceURL(req)).host,\n          scope,\n          redirectUri: query.redirect_uri,\n          clientID: responseClientId,\n          audience: responseAudience,\n          loginFailed: true,\n        });\n\n        res.set(\"Content-Type\", \"text/html\");\n\n        res.status(400).send(html);\n        return;\n      }\n\n      req.session.username = username;\n\n      simulationStore.store.dispatch(\n        simulationStore.actions.batchUpdater([\n          simulationStore.schema.sessions.patch({\n            [nonce]: { username, nonce },\n          }),\n        ])\n      );\n\n      res.status(200).send(userNamePasswordForm(req.body));\n    },\n\n    [\"/login/callback\"]: function (req, res) {\n      let wctx = JSON.parse(req.body.wctx);\n      logger.log({\n        \"/login/callback\": { body: req.body, query: req.query, wctx },\n      });\n\n      let { redirect_uri, nonce } = wctx;\n\n      const session = simulationStore.schema.sessions.selectById(\n        simulationStore.store.getState(),\n        { id: nonce }\n      );\n\n      const { username } = session ?? {};\n\n      let encodedNonce = encode(`${nonce}:${username}`);\n\n      let qs = stringify({ code: encodedNonce, ...wctx });\n\n      let routerUrl = `${redirect_uri}?${qs}`;\n\n      res.redirect(302, routerUrl);\n    },\n\n    [\"/oauth/token\"]: async function (req, res, next) {\n      logger.log({ \"/oauth/token\": { body: req.body, query: req.query } });\n      try {\n        let iss = serviceURL(req);\n\n        let responseClientId: string =\n          (req?.body?.client_id as string) ?? clientID;\n        let responseAudience: string =\n          (req?.body?.audience as string) ?? audience;\n\n        assert(\n          !!responseClientId,\n          \"500::no clientID in options or request body\"\n        );\n\n        let tokens = await createTokens({\n          simulationStore,\n          body: req.body,\n          iss,\n          clientID: responseClientId,\n          audience: responseAudience,\n          rulesDirectory,\n          scope,\n        });\n\n        res.status(200).json({\n          ...tokens,\n          expires_in: 86400,\n          token_type: \"Bearer\",\n        });\n      } catch (error) {\n        next(error);\n      }\n    },\n\n    [\"/v2/logout\"]: function (req, res) {\n      req.session = null;\n\n      let returnToUrl = req.query.returnTo ?? req.headers.referer;\n\n      assert(typeof returnToUrl === \"string\", `no logical returnTo url`);\n\n      res.redirect(returnToUrl);\n    },\n\n    [\"/userinfo\"]: function (req, res) {\n      let token: string | null = null;\n      if (req.headers.authorization) {\n        let authorizationHeader = req.headers.authorization;\n        token = authorizationHeader?.split(\" \")?.[1];\n      } else {\n        token = req?.query?.access_token as string;\n      }\n\n      assert(!!token, \"no authorization header or access_token\");\n      let { sub } = decodeToken(token, { json: true }) as { sub: string };\n\n      let user = personQuery((person) => {\n        assert(!!person.id, `no email defined on person scenario`);\n\n        return person.id === sub;\n      });\n\n      assert(!!user, \"no user in /userinfo\");\n\n      let userinfo = {\n        sub,\n        name: user.name,\n        given_name: user.name,\n        family_name: user.name,\n        email: user.email,\n        email_verified: true,\n        locale: \"en\",\n        hd: \"okta.com\",\n      };\n\n      res.status(200).json(userinfo);\n    },\n\n    [\"/passwordless/start\"]: function (req, res, next) {\n      logger.log({ \"/passwordless/start\": { body: req.body } });\n\n      try {\n        const { client_id, connection, email, phone_number } = req.body;\n\n        // Validate required fields\n        if (!client_id) {\n          res.status(400).json({ error: \"client_id is required\" });\n          return;\n        }\n\n        if (!connection || (connection !== \"email\" && connection !== \"sms\")) {\n          res.status(400).json({\n            error: \"connection must be 'email' or 'sms'\",\n          });\n          return;\n        }\n\n        if (connection === \"email\" && !email) {\n          res.status(400).json({\n            error: \"email is required when connection is 'email'\",\n          });\n          return;\n        }\n\n        if (connection === \"sms\" && !phone_number) {\n          res.status(400).json({\n            error: \"phone_number is required when connection is 'sms'\",\n          });\n          return;\n        }\n\n        // Return appropriate response based on connection type\n        if (connection === \"email\") {\n          res.status(200).json({\n            _id: \"000000000000000000000000\",\n            email: email,\n            email_verified: false,\n          });\n        } else {\n          res.status(200).json({\n            _id: \"000000000000000000000000\",\n            phone_number: phone_number,\n            phone_verified: false,\n          });\n        }\n      } catch (error) {\n        next(error);\n      }\n    },\n  };\n};\n"],"mappings":";;;;;;;;;;;;AAiCA,MAAM,gBAAgB,WAAoB,EACxC,MAAM,GAAG,SAA2B;AAClC,KAAI,CAAC,MACH;AAGF,SAAQ,IAAI,GAAG,KAAK;GAEvB;AAED,MAAa,uBACX,iBACA,YACA,SACA,UACmC;CACnC,IAAI,EAAE,UAAU,OAAO,UAAU,mBAAmB;CACpD,IAAI,cAAc,kBAAkB,gBAAgB;CAEpD,IAAIA,oBAA2D;EAC7D,OAAO,2BAA2B,QAAQ;EAC1C,aAAa,yBAAyB;EACvC;CAED,IAAI,SAAS,aAAa,MAAM;AAEhC,QAAO;EACL,CAAC,eAAe,SAAU,GAAG,KAAK;AAChC,OAAI,OAAO,IAAI,CAAC,KAAK,EAAE,IAAI,MAAM,CAAC;;EAGpC,CAAC,eAAe,SAAU,KAAK,KAAK,MAAM;AACxC,UAAO,IAAI,EACT,cAAc;IACZ,MAAM,IAAI;IACV,OAAO,IAAI;IACX,SAAS,IAAI;IACd,EACF,CAAC;GACF,IAAI,cAAc,IAAI,MAAM;AAE5B,UAAO,CAAC,CAAC,IAAI,SAAS,aAAa;AAEnC,OAAI,YAIF,KAAI,QAAQ,WAAW;GAGzB,IAAI,eAAgB,IAAI,MAAM,iBAAiB;AAE/C,UACE,CAAC,SAAS,cAAc,CAAC,SAAS,aAAa,EAC/C,yBAAyB,eAC1B;GAED,IAAI,UAAU,kBAAkB;AAEhC,WAAQ,KAAK,KAAK,KAAK;;EAGzB,CAAC,WAAW,SAAU,KAAK,KAAK;AAC9B,UAAO,IAAI,EAAE,UAAU;IAAE,MAAM,IAAI;IAAM,OAAO,IAAI;IAAO,EAAE,CAAC;GAC9D,IAAI,QAAQ,IAAI;GAChB,IAAI,mBAAmB,MAAM,aAAa;GAC1C,IAAI,mBAAmB,MAAM,YAAY;AACzC,UAAO,CAAC,CAAC,kBAAkB,uBAAuB;GAElD,IAAI,OAAO,UAAU;IACnB,QAAQ,IAAI,IAAI,WAAW,IAAI,CAAC,CAAC;IACjC;IACA,aAAa,MAAM;IACnB,UAAU;IACV,UAAU;IACV,aAAa;IACd,CAAC;AAEF,OAAI,IAAI,gBAAgB,YAAY;AAEpC,OAAI,OAAO,IAAI,CAAC,KAAK,OAAO,KAAK,KAAK,CAAC;;EAGzC,CAAC,4BAA4B,SAAU,KAAK,KAAK;AAC/C,UAAO,IAAI,EACT,2BAA2B;IAAE,MAAM,IAAI;IAAM,OAAO,IAAI;IAAO,EAChE,CAAC;GACF,IAAI,EAAE,UAAU,OAAO,aAAa,IAAI;AAExC,UAAO,CAAC,CAAC,UAAU,yCAAyC;AAC5D,UAAO,CAAC,CAAC,OAAO,sCAAsC;AACtD,UAAO,CAAC,CAAC,IAAI,SAAS,aAAa;AAQnC,OAAI,CANO,aACR,WACC,OAAO,OAAO,aAAa,KAAK,SAAS,aAAa,IACtD,OAAO,aAAa,SACvB,EAEU;IACT,IAAI,QAAQ,IAAI;IAChB,IAAI,mBAAmB,MAAM,aAAa;IAC1C,IAAI,mBAAmB,MAAM,YAAY;AAEzC,WAAO,CAAC,CAAC,UAAU,uBAAuB;IAE1C,IAAI,OAAO,UAAU;KACnB,QAAQ,IAAI,IAAI,WAAW,IAAI,CAAC,CAAC;KACjC;KACA,aAAa,MAAM;KACnB,UAAU;KACV,UAAU;KACV,aAAa;KACd,CAAC;AAEF,QAAI,IAAI,gBAAgB,YAAY;AAEpC,QAAI,OAAO,IAAI,CAAC,KAAK,KAAK;AAC1B;;AAGF,OAAI,QAAQ,WAAW;AAEvB,mBAAgB,MAAM,SACpB,gBAAgB,QAAQ,aAAa,CACnC,gBAAgB,OAAO,SAAS,MAAM,GACnC,QAAQ;IAAE;IAAU;IAAO,EAC7B,CAAC,CACH,CAAC,CACH;AAED,OAAI,OAAO,IAAI,CAAC,KAAK,qBAAqB,IAAI,KAAK,CAAC;;EAGtD,CAAC,oBAAoB,SAAU,KAAK,KAAK;GACvC,IAAI,OAAO,KAAK,MAAM,IAAI,KAAK,KAAK;AACpC,UAAO,IAAI,EACT,mBAAmB;IAAE,MAAM,IAAI;IAAM,OAAO,IAAI;IAAO;IAAM,EAC9D,CAAC;GAEF,IAAI,EAAE,cAAc,UAAU;GAO9B,MAAM,EAAE,aALQ,gBAAgB,OAAO,SAAS,WAC9C,gBAAgB,MAAM,UAAU,EAChC,EAAE,IAAI,OAAO,CACd,IAE+B,EAAE;GAMlC,IAAI,YAAY,GAAG,aAAa,GAFvB,UAAU;IAAE,MAFF,OAAO,GAAG,MAAM,GAAG,WAAW;IAER,GAAG;IAAM,CAAC;AAInD,OAAI,SAAS,KAAK,UAAU;;EAG9B,CAAC,iBAAiB,eAAgB,KAAK,KAAK,MAAM;AAChD,UAAO,IAAI,EAAE,gBAAgB;IAAE,MAAM,IAAI;IAAM,OAAO,IAAI;IAAO,EAAE,CAAC;AACpE,OAAI;IACF,IAAI,MAAM,WAAW,IAAI;IAEzB,IAAIC,mBACD,KAAK,MAAM,aAAwB;IACtC,IAAIC,mBACD,KAAK,MAAM,YAAuB;AAErC,WACE,CAAC,CAAC,kBACF,8CACD;IAED,IAAI,SAAS,MAAM,aAAa;KAC9B;KACA,MAAM,IAAI;KACV;KACA,UAAU;KACV,UAAU;KACV;KACA;KACD,CAAC;AAEF,QAAI,OAAO,IAAI,CAAC,KAAK;KACnB,GAAG;KACH,YAAY;KACZ,YAAY;KACb,CAAC;YACK,OAAO;AACd,SAAK,MAAM;;;EAIf,CAAC,eAAe,SAAU,KAAK,KAAK;AAClC,OAAI,UAAU;GAEd,IAAI,cAAc,IAAI,MAAM,YAAY,IAAI,QAAQ;AAEpD,UAAO,OAAO,gBAAgB,UAAU,0BAA0B;AAElE,OAAI,SAAS,YAAY;;EAG3B,CAAC,cAAc,SAAU,KAAK,KAAK;GACjC,IAAIC,QAAuB;AAC3B,OAAI,IAAI,QAAQ,cAEd,SAD0B,IAAI,QAAQ,eACT,MAAM,IAAI,GAAG;OAE1C,SAAQ,KAAK,OAAO;AAGtB,UAAO,CAAC,CAAC,OAAO,0CAA0C;GAC1D,IAAI,EAAE,QAAQC,SAAY,OAAO,EAAE,MAAM,MAAM,CAAC;GAEhD,IAAI,OAAO,aAAa,WAAW;AACjC,WAAO,CAAC,CAAC,OAAO,IAAI,sCAAsC;AAE1D,WAAO,OAAO,OAAO;KACrB;AAEF,UAAO,CAAC,CAAC,MAAM,uBAAuB;GAEtC,IAAI,WAAW;IACb;IACA,MAAM,KAAK;IACX,YAAY,KAAK;IACjB,aAAa,KAAK;IAClB,OAAO,KAAK;IACZ,gBAAgB;IAChB,QAAQ;IACR,IAAI;IACL;AAED,OAAI,OAAO,IAAI,CAAC,KAAK,SAAS;;EAGhC,CAAC,wBAAwB,SAAU,KAAK,KAAK,MAAM;AACjD,UAAO,IAAI,EAAE,uBAAuB,EAAE,MAAM,IAAI,MAAM,EAAE,CAAC;AAEzD,OAAI;IACF,MAAM,EAAE,WAAW,YAAY,OAAO,iBAAiB,IAAI;AAG3D,QAAI,CAAC,WAAW;AACd,SAAI,OAAO,IAAI,CAAC,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACxD;;AAGF,QAAI,CAAC,cAAe,eAAe,WAAW,eAAe,OAAQ;AACnE,SAAI,OAAO,IAAI,CAAC,KAAK,EACnB,OAAO,uCACR,CAAC;AACF;;AAGF,QAAI,eAAe,WAAW,CAAC,OAAO;AACpC,SAAI,OAAO,IAAI,CAAC,KAAK,EACnB,OAAO,gDACR,CAAC;AACF;;AAGF,QAAI,eAAe,SAAS,CAAC,cAAc;AACzC,SAAI,OAAO,IAAI,CAAC,KAAK,EACnB,OAAO,qDACR,CAAC;AACF;;AAIF,QAAI,eAAe,QACjB,KAAI,OAAO,IAAI,CAAC,KAAK;KACnB,KAAK;KACE;KACP,gBAAgB;KACjB,CAAC;QAEF,KAAI,OAAO,IAAI,CAAC,KAAK;KACnB,KAAK;KACS;KACd,gBAAgB;KACjB,CAAC;YAEG,OAAO;AACd,SAAK,MAAM;;;EAGhB"}

package/dist/handlers/index.cjs

@@ -0,0 +1,29 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+const require_create_cors = require('../middleware/create-cors.cjs');
+const require_no_cache = require('../middleware/no-cache.cjs');
+const require_session = require('../middleware/session.cjs');
+const require_error_handling = require('../middleware/error-handling.cjs');
+const require_auth0_handlers = require('./auth0-handlers.cjs');
+const require_openid_handlers = require('./openid-handlers.cjs');
+require('../types.cjs');
+let express = require("express");
+express = require_rolldown_runtime.__toESM(express);
+let path = require("path");
+path = require_rolldown_runtime.__toESM(path);
+
+//#region src/handlers/index.ts
+const publicDir = path.default.join(__dirname, "..", "views", "public");
+const extendRouter = (config, extend, debug = false) => (router, simulationStore) => {
+	const serviceURL = (request) => `${request.protocol}://${request.get("Host")}/`;
+	const auth0 = require_auth0_handlers.createAuth0Handlers(simulationStore, serviceURL, config, debug);
+	const openid = require_openid_handlers.createOpenIdHandlers(serviceURL);
+	router.use(express.default.static(publicDir)).use(require_session.createSession()).use(require_create_cors.createCors()).use(require_no_cache.noCache());
+	if (extend) extend(router, simulationStore);
+	router.get("/health", (_, response) => {
+		response.send({ status: "ok" });
+	}).get("/heartbeat", auth0["/heartbeat"]).get("/authorize", auth0["/authorize"]).get("/login", auth0["/login"]).get("/u/login", auth0["/usernamepassword/login"]).post("/usernamepassword/login", auth0["/usernamepassword/login"]).post("/login/callback", auth0["/login/callback"]).post("/oauth/token", auth0["/oauth/token"]).post("/passwordless/start", auth0["/passwordless/start"]).get("/userinfo", auth0["/userinfo"]).get("/v2/logout", auth0["/v2/logout"]).get("/.well-known/jwks.json", openid["/.well-known/jwks.json"]).get("/.well-known/openid-configuration", openid["/.well-known/openid-configuration"]);
+	router.use(require_error_handling.defaultErrorHandler);
+};
+
+//#endregion
+exports.extendRouter = extendRouter;

package/dist/handlers/index.mjs

@@ -0,0 +1,27 @@
+import { createCors } from "../middleware/create-cors.mjs";
+import { noCache } from "../middleware/no-cache.mjs";
+import { createSession } from "../middleware/session.mjs";
+import { defaultErrorHandler } from "../middleware/error-handling.mjs";
+import { createAuth0Handlers } from "./auth0-handlers.mjs";
+import { createOpenIdHandlers } from "./openid-handlers.mjs";
+import "../types.mjs";
+import express, { Router } from "express";
+import path from "path";
+
+//#region src/handlers/index.ts
+const publicDir = path.join(import.meta.dirname, "..", "views", "public");
+const extendRouter = (config, extend, debug = false) => (router, simulationStore) => {
+	const serviceURL = (request) => `${request.protocol}://${request.get("Host")}/`;
+	const auth0 = createAuth0Handlers(simulationStore, serviceURL, config, debug);
+	const openid = createOpenIdHandlers(serviceURL);
+	router.use(express.static(publicDir)).use(createSession()).use(createCors()).use(noCache());
+	if (extend) extend(router, simulationStore);
+	router.get("/health", (_, response) => {
+		response.send({ status: "ok" });
+	}).get("/heartbeat", auth0["/heartbeat"]).get("/authorize", auth0["/authorize"]).get("/login", auth0["/login"]).get("/u/login", auth0["/usernamepassword/login"]).post("/usernamepassword/login", auth0["/usernamepassword/login"]).post("/login/callback", auth0["/login/callback"]).post("/oauth/token", auth0["/oauth/token"]).post("/passwordless/start", auth0["/passwordless/start"]).get("/userinfo", auth0["/userinfo"]).get("/v2/logout", auth0["/v2/logout"]).get("/.well-known/jwks.json", openid["/.well-known/jwks.json"]).get("/.well-known/openid-configuration", openid["/.well-known/openid-configuration"]);
+	router.use(defaultErrorHandler);
+};
+
+//#endregion
+export { extendRouter };
+//# sourceMappingURL=index.mjs.map

package/dist/handlers/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/handlers/index.ts"],"sourcesContent":["import express, { type Request, type Express, Router } from \"express\";\nimport type { ExtendedSimulationStore } from \"../store/index.ts\";\nimport { createCors } from \"../middleware/create-cors.ts\";\nimport { noCache } from \"../middleware/no-cache.ts\";\nimport { createSession } from \"../middleware/session.ts\";\nimport { defaultErrorHandler } from \"../middleware/error-handling.ts\";\nimport { createAuth0Handlers } from \"./auth0-handlers.ts\";\nimport { createOpenIdHandlers } from \"./openid-handlers.ts\";\nimport path from \"path\";\nimport { type Auth0Configuration } from \"../types.ts\";\n\nconst publicDir = path.join(import.meta.dirname, \"..\", \"views\", \"public\");\nexport const extendRouter =\n  (\n    config: Auth0Configuration,\n    extend:\n      | ((router: Router, simulationStore: ExtendedSimulationStore) => void)\n      | undefined,\n    debug = false\n  ) =>\n  (router: Express, simulationStore: ExtendedSimulationStore) => {\n    const serviceURL = (request: Request) =>\n      `${request.protocol}://${request.get(\"Host\")}/`;\n    const auth0 = createAuth0Handlers(\n      simulationStore,\n      serviceURL,\n      config,\n      debug\n    );\n    const openid = createOpenIdHandlers(serviceURL);\n\n    router\n      .use(express.static(publicDir))\n      .use(createSession())\n      .use(createCors())\n      .use(noCache());\n\n    if (extend) {\n      extend(router, simulationStore);\n    }\n\n    router\n      .get(\"/health\", (_, response) => {\n        response.send({ status: \"ok\" });\n      })\n      .get(\"/heartbeat\", auth0[\"/heartbeat\"])\n      .get(\"/authorize\", auth0[\"/authorize\"])\n      .get(\"/login\", auth0[\"/login\"])\n      .get(\"/u/login\", auth0[\"/usernamepassword/login\"])\n      .post(\"/usernamepassword/login\", auth0[\"/usernamepassword/login\"])\n      .post(\"/login/callback\", auth0[\"/login/callback\"])\n      .post(\"/oauth/token\", auth0[\"/oauth/token\"])\n      .post(\"/passwordless/start\", auth0[\"/passwordless/start\"])\n      .get(\"/userinfo\", auth0[\"/userinfo\"])\n      .get(\"/v2/logout\", auth0[\"/v2/logout\"])\n      .get(\"/.well-known/jwks.json\", openid[\"/.well-known/jwks.json\"])\n      .get(\n        \"/.well-known/openid-configuration\",\n        openid[\"/.well-known/openid-configuration\"]\n      );\n\n    // needs to be the last middleware added\n    router.use(defaultErrorHandler);\n  };\n"],"mappings":";;;;;;;;;;;AAWA,MAAM,YAAY,KAAK,KAAK,OAAO,KAAK,SAAS,MAAM,SAAS,SAAS;AACzE,MAAa,gBAET,QACA,QAGA,QAAQ,WAET,QAAiB,oBAA6C;CAC7D,MAAM,cAAc,YAClB,GAAG,QAAQ,SAAS,KAAK,QAAQ,IAAI,OAAO,CAAC;CAC/C,MAAM,QAAQ,oBACZ,iBACA,YACA,QACA,MACD;CACD,MAAM,SAAS,qBAAqB,WAAW;AAE/C,QACG,IAAI,QAAQ,OAAO,UAAU,CAAC,CAC9B,IAAI,eAAe,CAAC,CACpB,IAAI,YAAY,CAAC,CACjB,IAAI,SAAS,CAAC;AAEjB,KAAI,OACF,QAAO,QAAQ,gBAAgB;AAGjC,QACG,IAAI,YAAY,GAAG,aAAa;AAC/B,WAAS,KAAK,EAAE,QAAQ,MAAM,CAAC;GAC/B,CACD,IAAI,cAAc,MAAM,cAAc,CACtC,IAAI,cAAc,MAAM,cAAc,CACtC,IAAI,UAAU,MAAM,UAAU,CAC9B,IAAI,YAAY,MAAM,2BAA2B,CACjD,KAAK,2BAA2B,MAAM,2BAA2B,CACjE,KAAK,mBAAmB,MAAM,mBAAmB,CACjD,KAAK,gBAAgB,MAAM,gBAAgB,CAC3C,KAAK,uBAAuB,MAAM,uBAAuB,CACzD,IAAI,aAAa,MAAM,aAAa,CACpC,IAAI,cAAc,MAAM,cAAc,CACtC,IAAI,0BAA0B,OAAO,0BAA0B,CAC/D,IACC,qCACA,OAAO,qCACR;AAGH,QAAO,IAAI,oBAAoB"}

package/dist/handlers/login-redirect.cjs

@@ -0,0 +1,24 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+let querystring = require("querystring");
+
+//#region src/handlers/login-redirect.ts
+const createLoginRedirectHandler = (options) => function loginRedirect(req, res) {
+	let { client_id, audience, redirect_uri, scope, state, nonce, response_mode, code_challenge, code_challenge_method, auth0Client, response_type } = req.query;
+	res.status(302).redirect(`/login?${(0, querystring.stringify)({
+		state,
+		redirect_uri,
+		client: client_id || options.clientID,
+		protocol: "oauth2",
+		scope,
+		response_type,
+		response_mode,
+		nonce,
+		code_challenge,
+		code_challenge_method,
+		auth0Client,
+		audience: audience || options.audience
+	})}`);
+};
+
+//#endregion
+exports.createLoginRedirectHandler = createLoginRedirectHandler;

package/dist/handlers/login-redirect.mjs

@@ -0,0 +1,24 @@
+import { stringify } from "querystring";
+
+//#region src/handlers/login-redirect.ts
+const createLoginRedirectHandler = (options) => function loginRedirect(req, res) {
+	let { client_id, audience, redirect_uri, scope, state, nonce, response_mode, code_challenge, code_challenge_method, auth0Client, response_type } = req.query;
+	res.status(302).redirect(`/login?${stringify({
+		state,
+		redirect_uri,
+		client: client_id || options.clientID,
+		protocol: "oauth2",
+		scope,
+		response_type,
+		response_mode,
+		nonce,
+		code_challenge,
+		code_challenge_method,
+		auth0Client,
+		audience: audience || options.audience
+	})}`);
+};
+
+//#endregion
+export { createLoginRedirectHandler };
+//# sourceMappingURL=login-redirect.mjs.map

package/dist/handlers/login-redirect.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-redirect.mjs","names":[],"sources":["../../src/handlers/login-redirect.ts"],"sourcesContent":["import type { Request, Response, RequestHandler } from \"express\";\nimport type { Auth0Configuration, QueryParams } from \"../types.ts\";\nimport { stringify } from \"querystring\";\n\nexport const createLoginRedirectHandler = (\n  options: Auth0Configuration\n): RequestHandler =>\n  function loginRedirect(req: Request, res: Response) {\n    let {\n      client_id,\n      audience,\n      redirect_uri,\n      scope,\n      state,\n      nonce,\n      response_mode,\n      code_challenge,\n      code_challenge_method,\n      auth0Client,\n      response_type,\n    } = req.query as QueryParams;\n\n    res.status(302).redirect(\n      `/login?${stringify({\n        state,\n        redirect_uri,\n        client: client_id || options.clientID,\n        protocol: \"oauth2\",\n        scope,\n        response_type,\n        response_mode,\n        nonce,\n        code_challenge,\n        code_challenge_method,\n        auth0Client,\n        audience: audience || options.audience,\n      })}`\n    );\n  };\n"],"mappings":";;;AAIA,MAAa,8BACX,YAEA,SAAS,cAAc,KAAc,KAAe;CAClD,IAAI,EACF,WACA,UACA,cACA,OACA,OACA,OACA,eACA,gBACA,uBACA,aACA,kBACE,IAAI;AAER,KAAI,OAAO,IAAI,CAAC,SACd,UAAU,UAAU;EAClB;EACA;EACA,QAAQ,aAAa,QAAQ;EAC7B,UAAU;EACV;EACA;EACA;EACA;EACA;EACA;EACA;EACA,UAAU,YAAY,QAAQ;EAC/B,CAAC,GACH"}

package/dist/handlers/oauth-handlers.cjs

@@ -0,0 +1,144 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+require('../store/entities.cjs');
+require('../store/index.cjs');
+const require_utils = require('./utils.cjs');
+const require_date = require('../auth/date.cjs');
+const require_jwt = require('../auth/jwt.cjs');
+const require_rules_runner = require('../rules/rules-runner.cjs');
+const require_refresh_token = require('../auth/refresh-token.cjs');
+let assert_ts = require("assert-ts");
+let base64_url = require("base64-url");
+
+//#region src/handlers/oauth-handlers.ts
+const createTokens = async ({ body, iss, clientID, audience, rulesDirectory, scope: scopeConfig, simulationStore }) => {
+	let { grant_type } = body;
+	let scope = require_utils.deriveScope({
+		scopeConfig,
+		clientID,
+		audience
+	});
+	let accessToken = getBaseAccessToken({
+		iss,
+		grant_type,
+		scope,
+		audience
+	});
+	let user;
+	let nonce;
+	if (grant_type === "client_credentials") return { access_token: require_jwt.createJsonWebToken(accessToken) };
+	else if (grant_type === "refresh_token") {
+		let { refresh_token: refreshTokenValue } = body;
+		let refreshToken = JSON.parse((0, base64_url.decode)(refreshTokenValue));
+		user = require_utils.createPersonQuery(simulationStore)((person) => person.id === refreshToken.user.id);
+		nonce = refreshToken.nonce;
+		(0, assert_ts.assert)(!!nonce, `400::No nonce in request`);
+	} else {
+		let result = verifyUserExistsInStore({
+			simulationStore,
+			body,
+			grant_type
+		});
+		user = result.user;
+		nonce = result.nonce;
+	}
+	(0, assert_ts.assert)(!!user, "500::No user found");
+	let { idTokenData, userData } = getIdToken({
+		body,
+		iss,
+		user,
+		clientID,
+		nonce
+	});
+	let context = {
+		clientID,
+		accessToken: {
+			scope,
+			sub: idTokenData.sub
+		},
+		idToken: idTokenData
+	};
+	await require_rules_runner.createRulesRunner(rulesDirectory)(userData, context);
+	return {
+		access_token: require_jwt.createJsonWebToken({
+			...accessToken,
+			...context.accessToken,
+			...scope.split(" ").includes("email") ? { email: user.email } : {}
+		}),
+		id_token: require_jwt.createJsonWebToken({
+			...userData,
+			...context.idToken
+		}),
+		refresh_token: require_refresh_token.issueRefreshToken(scope, grant_type) ? require_refresh_token.createRefreshToken({
+			exp: idTokenData.exp,
+			rotations: 0,
+			scope,
+			user,
+			nonce
+		}) : void 0
+	};
+};
+const getIdToken = ({ body, iss, user, clientID, nonce }) => {
+	let userData = {
+		name: body?.name ?? user.name,
+		email: body?.email ?? user.email,
+		email_verified: true,
+		user_id: body?.id ?? user.id,
+		nickname: body?.nickname,
+		picture: body?.picture ?? user.picture,
+		identities: body?.identities
+	};
+	(0, assert_ts.assert)(!!user.email, "500::User in store requires an email");
+	let idTokenData = {
+		alg: "RS256",
+		typ: "JWT",
+		iss,
+		exp: require_date.expiresAt(),
+		iat: require_date.epochTime(),
+		email: user.email,
+		aud: clientID,
+		sub: user.id
+	};
+	if (typeof nonce !== "undefined") idTokenData.nonce = nonce;
+	return {
+		userData,
+		idTokenData
+	};
+};
+const getBaseAccessToken = ({ iss, grant_type, scope, audience }) => ({
+	iss,
+	exp: require_date.expiresAt(),
+	iat: require_date.epochTime(),
+	aud: audience,
+	gty: grant_type,
+	scope
+});
+const verifyUserExistsInStore = ({ simulationStore, body, grant_type }) => {
+	let { code } = body;
+	let personQuery = require_utils.createPersonQuery(simulationStore);
+	let nonce;
+	let username;
+	let password;
+	if (grant_type === "http://auth0.com/oauth/grant-type/passwordless/otp") username = body.username;
+	else if (grant_type === "password") {
+		username = body.username;
+		password = body.password;
+	} else {
+		(0, assert_ts.assert)(typeof code !== "undefined", "400::no code in /oauth/token");
+		[nonce, username] = (0, base64_url.decode)(code).split(":");
+		(0, assert_ts.assert)(!!username, `400::no nonce in store for ${code}`);
+	}
+	let user = personQuery((person) => {
+		(0, assert_ts.assert)(!!person.email, `500::no email defined on person scenario`);
+		let valid = person.email.toLowerCase() === username.toLowerCase();
+		if (typeof password === "undefined") return valid;
+		else return valid && password === person.password;
+	});
+	(0, assert_ts.assert)(!!user, "401::Unauthorized");
+	return {
+		user,
+		nonce
+	};
+};
+
+//#endregion
+exports.createTokens = createTokens;

package/dist/handlers/oauth-handlers.mjs

@@ -0,0 +1,144 @@
+import "../store/entities.mjs";
+import "../store/index.mjs";
+import { createPersonQuery, deriveScope } from "./utils.mjs";
+import { epochTime, expiresAt } from "../auth/date.mjs";
+import { createJsonWebToken } from "../auth/jwt.mjs";
+import { createRulesRunner } from "../rules/rules-runner.mjs";
+import { createRefreshToken, issueRefreshToken } from "../auth/refresh-token.mjs";
+import { assert } from "assert-ts";
+import { decode } from "base64-url";
+
+//#region src/handlers/oauth-handlers.ts
+const createTokens = async ({ body, iss, clientID, audience, rulesDirectory, scope: scopeConfig, simulationStore }) => {
+	let { grant_type } = body;
+	let scope = deriveScope({
+		scopeConfig,
+		clientID,
+		audience
+	});
+	let accessToken = getBaseAccessToken({
+		iss,
+		grant_type,
+		scope,
+		audience
+	});
+	let user;
+	let nonce;
+	if (grant_type === "client_credentials") return { access_token: createJsonWebToken(accessToken) };
+	else if (grant_type === "refresh_token") {
+		let { refresh_token: refreshTokenValue } = body;
+		let refreshToken = JSON.parse(decode(refreshTokenValue));
+		user = createPersonQuery(simulationStore)((person) => person.id === refreshToken.user.id);
+		nonce = refreshToken.nonce;
+		assert(!!nonce, `400::No nonce in request`);
+	} else {
+		let result = verifyUserExistsInStore({
+			simulationStore,
+			body,
+			grant_type
+		});
+		user = result.user;
+		nonce = result.nonce;
+	}
+	assert(!!user, "500::No user found");
+	let { idTokenData, userData } = getIdToken({
+		body,
+		iss,
+		user,
+		clientID,
+		nonce
+	});
+	let context = {
+		clientID,
+		accessToken: {
+			scope,
+			sub: idTokenData.sub
+		},
+		idToken: idTokenData
+	};
+	await createRulesRunner(rulesDirectory)(userData, context);
+	return {
+		access_token: createJsonWebToken({
+			...accessToken,
+			...context.accessToken,
+			...scope.split(" ").includes("email") ? { email: user.email } : {}
+		}),
+		id_token: createJsonWebToken({
+			...userData,
+			...context.idToken
+		}),
+		refresh_token: issueRefreshToken(scope, grant_type) ? createRefreshToken({
+			exp: idTokenData.exp,
+			rotations: 0,
+			scope,
+			user,
+			nonce
+		}) : void 0
+	};
+};
+const getIdToken = ({ body, iss, user, clientID, nonce }) => {
+	let userData = {
+		name: body?.name ?? user.name,
+		email: body?.email ?? user.email,
+		email_verified: true,
+		user_id: body?.id ?? user.id,
+		nickname: body?.nickname,
+		picture: body?.picture ?? user.picture,
+		identities: body?.identities
+	};
+	assert(!!user.email, "500::User in store requires an email");
+	let idTokenData = {
+		alg: "RS256",
+		typ: "JWT",
+		iss,
+		exp: expiresAt(),
+		iat: epochTime(),
+		email: user.email,
+		aud: clientID,
+		sub: user.id
+	};
+	if (typeof nonce !== "undefined") idTokenData.nonce = nonce;
+	return {
+		userData,
+		idTokenData
+	};
+};
+const getBaseAccessToken = ({ iss, grant_type, scope, audience }) => ({
+	iss,
+	exp: expiresAt(),
+	iat: epochTime(),
+	aud: audience,
+	gty: grant_type,
+	scope
+});
+const verifyUserExistsInStore = ({ simulationStore, body, grant_type }) => {
+	let { code } = body;
+	let personQuery = createPersonQuery(simulationStore);
+	let nonce;
+	let username;
+	let password;
+	if (grant_type === "http://auth0.com/oauth/grant-type/passwordless/otp") username = body.username;
+	else if (grant_type === "password") {
+		username = body.username;
+		password = body.password;
+	} else {
+		assert(typeof code !== "undefined", "400::no code in /oauth/token");
+		[nonce, username] = decode(code).split(":");
+		assert(!!username, `400::no nonce in store for ${code}`);
+	}
+	let user = personQuery((person) => {
+		assert(!!person.email, `500::no email defined on person scenario`);
+		let valid = person.email.toLowerCase() === username.toLowerCase();
+		if (typeof password === "undefined") return valid;
+		else return valid && password === person.password;
+	});
+	assert(!!user, "401::Unauthorized");
+	return {
+		user,
+		nonce
+	};
+};
+
+//#endregion
+export { createTokens };
+//# sourceMappingURL=oauth-handlers.mjs.map