@sphereon/ssi-express-support 0.14.2-next.25

package/src/express-builders.ts

@@ -0,0 +1,320 @@
+/**
+ * @public
+ */
+import bodyParser from 'body-parser'
+import { Enforcer } from 'casbin'
+import cors, { CorsOptions } from 'cors'
+import * as dotenv from 'dotenv-flow'
+import express, { Express } from 'express'
+import { Application, ApplicationRequestHandler } from 'express-serve-static-core'
+import session from 'express-session'
+import http from 'http'
+import morgan from 'morgan'
+import passport, { InitializeOptions } from 'passport'
+import { checkUserIsInRole } from './auth-utils'
+import { jsonErrorHandler } from './express-utils'
+import { env } from './functions'
+import { ExpressSupport, IExpressServerOpts } from './types'
+
+type Handler<Request extends http.IncomingMessage, Response extends http.ServerResponse> = (
+  req: Request,
+  res: Response,
+  callback: (err?: Error) => void
+) => void
+dotenv.config()
+
+export class ExpressBuilder {
+  private existingExpress?: Express
+  private hostnameOrIP?: string
+  private port?: number
+  private _handlers?: ApplicationRequestHandler<Application>[] = []
+  private listenCallback?: () => void
+  private _startListen?: boolean | undefined = undefined
+  private readonly envVarPrefix?: string
+  private _corsConfigurer?: ExpressCorsConfigurer
+  private _sessionOpts?: session.SessionOptions
+  private _usePassportAuth?: boolean = false
+  private _passportInitOpts?: InitializeOptions
+  private _userIsInRole?: string | string[]
+  private _enforcer?: Enforcer
+  private _morgan?: Handler<any, any> | undefined
+
+  private constructor(opts?: { existingExpress?: Express; envVarPrefix?: string }) {
+    const { existingExpress, envVarPrefix } = opts ?? {}
+    if (existingExpress) {
+      this.withExpress(existingExpress)
+    }
+    this.envVarPrefix = envVarPrefix ?? ''
+  }
+
+  public static fromExistingExpress(opts?: { existingExpress?: Express; envVarPrefix?: string }) {
+    return new ExpressBuilder(opts ?? {})
+  }
+
+  public static fromServerOpts(opts: IExpressServerOpts & { envVarPrefix?: string }) {
+    const builder = new ExpressBuilder({ existingExpress: opts?.existingExpress, envVarPrefix: opts?.envVarPrefix })
+    return builder.withEnableListenOpts(opts)
+  }
+
+  public enableListen(startOnBuild?: boolean): this {
+    if (startOnBuild !== undefined) {
+      this._startListen = startOnBuild
+    }
+    return this
+  }
+
+  public withMorganLogging(opts?: { existingMorgan?: Handler<any, any>; format?: string; options?: morgan.Options<any, any> }): this {
+    if (opts?.existingMorgan && (opts.format || opts.options)) {
+      throw Error('Cannot using an existing morgan with either a format or options')
+    }
+    this._morgan = opts?.existingMorgan ?? morgan(opts?.format ?? 'dev', opts?.options)
+    return this
+  }
+
+  public withEnableListenOpts({
+    port,
+    hostnameOrIP,
+    callback,
+    startOnBuild,
+  }: {
+    port?: number
+    hostnameOrIP?: string
+    startOnBuild?: boolean
+    callback?: () => void
+  }): this {
+    port && this.withPort(port)
+    hostnameOrIP && this.withHostname(hostnameOrIP)
+    if (typeof callback === 'function') {
+      this.withListenCallback(callback)
+    }
+    this._startListen = startOnBuild !== false
+    return this
+  }
+
+  public withPort(port: number): this {
+    this.port = port
+    return this
+  }
+
+  public withHostname(hostnameOrIP: string): this {
+    this.hostnameOrIP = hostnameOrIP
+    return this
+  }
+
+  public withListenCallback(callback: () => void): this {
+    this.listenCallback = callback
+    return this
+  }
+
+  public withExpress(existingExpress: Express): this {
+    this.existingExpress = existingExpress
+    this._startListen = false
+    return this
+  }
+
+  public withCorsConfigurer(configurer: ExpressCorsConfigurer): this {
+    this._corsConfigurer = configurer
+    return this
+  }
+
+  public withPassportAuth(usePassport: boolean, initializeOptions?: InitializeOptions): this {
+    this._usePassportAuth = usePassport
+    this._passportInitOpts = initializeOptions
+    return this
+  }
+
+  public withGlobalUserIsInRole(userIsInRole: string | string[]): this {
+    this._userIsInRole = userIsInRole
+    return this
+  }
+
+  public withEnforcer(enforcer: Enforcer): this {
+    this._enforcer = enforcer
+    return this
+  }
+
+  public startListening(express: Express) {
+    return express.listen(this.getPort(), this.getHostname(), this.listenCallback)
+  }
+
+  public getHostname(): string {
+    return this.hostnameOrIP ?? env('HOSTNAME', this.envVarPrefix) ?? '0.0.0.0'
+  }
+
+  public getPort(): number {
+    return (this.port ?? env('PORT', this.envVarPrefix) ?? 5000) as number
+  }
+
+  public setHandlers(handlers: ApplicationRequestHandler<any> | ApplicationRequestHandler<any>[]): this {
+    if (Array.isArray(handlers)) {
+      this._handlers = handlers
+    } else if (handlers) {
+      if (!this._handlers) {
+        this._handlers = []
+      }
+      this._handlers.push(handlers)
+    } else {
+      this._handlers = []
+    }
+
+    return this
+  }
+
+  public addHandler(handler: ApplicationRequestHandler<any>): this {
+    if (!this._handlers) {
+      this._handlers = []
+    }
+    this._handlers.push(handler)
+    return this
+  }
+
+  public withSessionOptions(sessionOpts: session.SessionOptions): this {
+    this._sessionOpts = sessionOpts
+    return this
+  }
+
+  public build<T extends Application>(opts?: {
+    express?: Express
+    startListening?: boolean
+    handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]
+  }): ExpressSupport {
+    const express = this.buildExpress(opts)
+    return {
+      express,
+      port: this.getPort(),
+      hostname: this.getHostname(),
+      userIsInRole: this._userIsInRole,
+      startListening: this._startListen !== false,
+      enforcer: this._enforcer,
+      start: (opts) => {
+        if (this._startListen !== false) {
+          this.startListening(express)
+        }
+
+        if (opts?.disableErrorHandler !== true) {
+          express.use(jsonErrorHandler)
+        }
+        return express
+      },
+    }
+  }
+
+  protected buildExpress<T extends Application>(opts?: {
+    express?: Express
+    startListening?: boolean
+    handlers?: ApplicationRequestHandler<T> | ApplicationRequestHandler<T>[]
+  }): express.Express {
+    const app: express.Express = opts?.express ?? this.existingExpress ?? express()
+    if (this._morgan) {
+      app.use(this._morgan)
+    }
+    if (this._sessionOpts) {
+      // @ts-ignore
+      app.use(session(this._sessionOpts))
+    }
+    if (this._usePassportAuth) {
+      app.use(passport.initialize(this._passportInitOpts))
+      if (this._sessionOpts) {
+        app.use(passport.session())
+      }
+    }
+    if (this._userIsInRole) {
+      app.use(checkUserIsInRole({ roles: this._userIsInRole }))
+    }
+    if (this._corsConfigurer) {
+      this._corsConfigurer.configure({ existingExpress: app })
+    }
+
+    // @ts-ignore
+    this._handlers && this._handlers.length > 0 && app.use(this._handlers)
+    // @ts-ignore
+    opts?.handlers && app.use(opts.handlers)
+
+    app.use(bodyParser.urlencoded({ extended: true }))
+    app.use(bodyParser.json())
+
+    /*if (this._startListen !== false) {
+          this.startListening(app)
+        }*/
+    return app
+  }
+}
+
+export class ExpressCorsConfigurer {
+  private _disableCors?: boolean
+  private _enablePreflightOptions?: boolean
+  private _allowOrigin?: boolean | string | RegExp | Array<boolean | string | RegExp>
+  private _allowMethods?: string | string[]
+  private _allowedHeaders?: string | string[]
+  private _allowCredentials?: boolean
+  private readonly _express?: Express
+  private readonly _envVarPrefix?: string
+
+  constructor({ existingExpress, envVarPrefix }: { existingExpress?: Express; envVarPrefix?: string }) {
+    this._express = existingExpress
+    this._envVarPrefix = envVarPrefix
+  }
+
+  public allowOrigin(value: string | boolean | RegExp | Array<string | boolean | RegExp>): this {
+    this._allowOrigin = value
+    return this
+  }
+
+  public disableCors(value: boolean): this {
+    this._disableCors = value
+    return this
+  }
+
+  public allowMethods(value: string | string[]): this {
+    this._allowMethods = value
+    return this
+  }
+
+  public allowedHeaders(value: string | string[]): this {
+    this._allowedHeaders = value
+    return this
+  }
+
+  public allowCredentials(value: boolean): this {
+    this._allowCredentials = value
+    return this
+  }
+
+  public configure({ existingExpress }: { existingExpress?: Express }) {
+    const express = existingExpress ?? this._express
+    if (!express) {
+      throw Error('No express passed in during construction or configure')
+    }
+
+    const disableCorsEnv = env('CORS_DISABLE', this._envVarPrefix)
+    const corsDisabled = this._disableCors ?? (disableCorsEnv ? /true/.test(disableCorsEnv) : false)
+    if (corsDisabled) {
+      return
+    }
+    const envAllowOriginStr = env('CORS_ALLOW_ORIGIN', this._envVarPrefix) ?? '*'
+    let envAllowOrigin: string[] | string
+    if (envAllowOriginStr.includes(',')) {
+      envAllowOrigin = envAllowOriginStr.split(',')
+    } else if (envAllowOriginStr.includes(' ')) {
+      envAllowOrigin = envAllowOriginStr.split(' ')
+    } else {
+      envAllowOrigin = envAllowOriginStr
+    }
+    if (Array.isArray(envAllowOrigin) && envAllowOrigin.length === 1) {
+      envAllowOrigin = envAllowOrigin[0]
+    }
+    const corsOptions: CorsOptions = {
+      origin: this._allowOrigin ?? envAllowOrigin,
+      // todo: env vars
+      ...(this._allowMethods && { methods: this._allowMethods }),
+      ...(this._allowedHeaders && { allowedHeaders: this._allowedHeaders }),
+      ...(this._allowCredentials !== undefined && { credentials: this._allowCredentials }),
+      optionsSuccessStatus: 204,
+    }
+
+    if (this._enablePreflightOptions) {
+      express.options('*', cors(corsOptions))
+    }
+    express.use(cors(corsOptions))
+  }
+}

package/src/express-utils.ts

@@ -0,0 +1,30 @@
+import express, { NextFunction } from 'express'
+export function sendErrorResponse(response: express.Response, statusCode: number, message: string | object, error?: Error) {
+  console.log(`sendErrorResponse: ${message}`)
+  if (error) {
+    console.log(JSON.stringify(error))
+  }
+  if (response.headersSent) {
+    console.log(`sendErrorResponse headers already sent`)
+    return
+  }
+  response.statusCode = statusCode
+  if (typeof message === 'string' && !message.startsWith('{')) {
+    message = { error: message }
+  }
+  if (typeof message === 'string' && message.startsWith('{')) {
+    return response.status(statusCode).end(message)
+  }
+  return response.status(statusCode).json(message)
+}
+
+export const jsonErrorHandler = (err: any, req: express.Request, res: express.Response, next: NextFunction) => {
+  const statusCode: number = 'statusCode' in err ? err.statusCode : 500
+  const errorMsg = typeof err === 'string' ? err : err.message
+  if (res.headersSent) {
+    console.log('Headers already sent, when calling error handler. Will defer to next error handler')
+    console.log(`Error was: ${JSON.stringify(err)}`)
+    return next(err)
+  }
+  return sendErrorResponse(res, statusCode, errorMsg, typeof err !== 'string' ? err : undefined)
+}

package/src/functions.ts

@@ -0,0 +1,6 @@
+export function env(key?: string, prefix?: string): string | undefined {
+  if (!key) {
+    return
+  }
+  return process.env[`${prefix ? prefix.trim() : ''}${key}`]
+}

package/src/index.ts

@@ -0,0 +1,7 @@
+export * from './entra-id-auth'
+export * from './static-bearer-auth'
+export * from './auth-utils'
+export * from './express-builders'
+export * from './types'
+export { sendErrorResponse, jsonErrorHandler } from './express-utils'
+export * from './functions'

package/src/openid-connect-auth.ts

@@ -0,0 +1,47 @@
+import passport from 'passport'
+import { IBearerStrategyOption, IBearerStrategyOptionWithRequest, ITokenPayload, VerifyCallback } from './types'
+
+export class OpenIDConnectAuth {
+  private readonly strategy: string
+  private options?: IBearerStrategyOptionWithRequest
+
+  public static init(strategy: string) {
+    return new OpenIDConnectAuth(strategy)
+  }
+
+  private constructor(strategy: string) {
+    this.strategy = strategy
+  }
+
+  public withOptions(options: IBearerStrategyOption | IBearerStrategyOptionWithRequest): this {
+    this.options = {
+      ...options,
+      passReqToCallback: 'passReqToCallback' in options ? options.passReqToCallback : false,
+    }
+    return this
+  }
+
+  connectPassport() {
+    const _options = this.options
+    if (!_options) {
+      throw Error('No options supplied for EntraID')
+    }
+    import('passport-azure-ad')
+      .then((entraID) =>
+        passport.use(
+          this.strategy,
+          new entraID.BearerStrategy(_options, function (token: ITokenPayload, cb: VerifyCallback): void {
+            if (token) {
+              // console.log(`token: ${JSON.stringify(token, null, 2)}`)
+              return cb(null, token)
+            }
+            return cb('bearer token not found or incorrect', null)
+          })
+        )
+      )
+      .catch((reason) => {
+        console.log(reason)
+        throw Error('Could not create bearer strategy. Did you include the "passport-azure-ad/bearer-strategy" dependency in package.json?')
+      })
+  }
+}

package/src/static-bearer-auth.ts

@@ -0,0 +1,151 @@
+import passport from 'passport'
+import * as u8a from 'uint8arrays'
+import { BearerUser, IStaticBearerVerifyOptions } from './types'
+export class StaticBearerAuth {
+  private readonly strategy: string
+  private static providers: Map<string, StaticBearerUserProvider> = new Map()
+  private static verifyOptions: Map<string, IStaticBearerVerifyOptions | string> = new Map()
+  private hashTokens?: boolean = false
+
+  public static init(strategy: string, provider?: StaticBearerUserProvider) {
+    return new StaticBearerAuth(strategy ?? 'bearer', provider ?? new MapBasedStaticBearerUserProvider(strategy))
+  }
+
+  private constructor(strategy: string, provider: StaticBearerUserProvider) {
+    this.strategy = strategy
+    if (StaticBearerAuth.providers.has(strategy)) {
+      if (StaticBearerAuth.providers.get(strategy) !== provider) {
+        throw Error('Cannot register another user provider for strategy: ' + strategy)
+      }
+    } else {
+      StaticBearerAuth.providers.set(strategy, provider)
+    }
+  }
+
+  get provider() {
+    const provider = StaticBearerAuth.providers.get(this.strategy)
+    if (!provider) {
+      throw Error('Could not get user provider for ' + this.strategy)
+    }
+    return provider
+  }
+
+  withHashTokens(hashTokens: boolean): this {
+    this.hashTokens = hashTokens
+    return this
+  }
+
+  withUsers(users: BearerUser[] | BearerUser): this {
+    this.addUser(users)
+    return this
+  }
+
+  addUser(user: BearerUser[] | BearerUser): this {
+    this.provider.addUser(user)
+    return this
+  }
+
+  withVerifyOptions(options: IStaticBearerVerifyOptions | string): this {
+    StaticBearerAuth.verifyOptions.set(this.strategy, options)
+    return this
+  }
+
+  connectPassport() {
+    const _provider = this.provider
+    function findUser(token: string, cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void) {
+      const user = _provider.getUser(token)
+      if (user) {
+        return cb(null, user)
+      }
+      return cb('bearer token not found or incorrect', false)
+    }
+
+    import('passport-http-bearer')
+      .then((httpBearer) => {
+        const hashTokens = this.hashTokens ?? false
+        passport.use(
+          this.strategy,
+          new httpBearer.Strategy({ passReqToCallback: false }, function (
+            token: string,
+            cb: (error: any, user: any, options?: IStaticBearerVerifyOptions | string) => void
+          ): void {
+            if (hashTokens) {
+              import('@noble/hashes/sha256')
+                .then((hash) => {
+                  findUser(u8a.toString(hash.sha256(token)), cb)
+                })
+                .catch((error) => {
+                  console.log(`hash problem: ${error}`)
+                  throw Error('Did you include @noble/hashes in package.json?')
+                })
+            } else {
+              findUser(token, cb)
+            }
+          })
+        )
+      })
+      .catch((error) => {
+        console.log(`passport-http-bearer package problem: ${error}`)
+        throw Error('Did you include passport-http-bearer in package.json?')
+      })
+  }
+}
+
+export interface StaticBearerUserProvider {
+  strategy: string
+
+  addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void
+
+  getUser(token: string): BearerUser | undefined
+
+  hashedTokens?: boolean
+}
+
+export class MapBasedStaticBearerUserProvider implements StaticBearerUserProvider {
+  private readonly _strategy: string
+  private readonly _users: BearerUser[] = []
+  private readonly _hashedTokens: boolean
+
+  constructor(strategy: string, hashedTokens?: boolean) {
+    this._strategy = strategy
+    this._hashedTokens = hashedTokens ?? false
+  }
+
+  get users(): BearerUser[] {
+    return this._users
+  }
+
+  get hashedTokens(): boolean {
+    return this._hashedTokens
+  }
+
+  get strategy(): string {
+    return this._strategy
+  }
+
+  getUser(token: string): BearerUser | undefined {
+    return this.users.find((user) => user.token === token)
+  }
+
+  addUser(user: BearerUser | BearerUser[], hashToken?: boolean): void {
+    const users = Array.isArray(user) ? user : [user]
+    if (hashToken) {
+      if (!this.hashedTokens) {
+        throw Error('Cannot hash token, when hashed tokens is not enabled on the user provider for strategy ' + this.strategy)
+      }
+      import('@noble/hashes/sha256')
+        .then((hash) => {
+          users.forEach((user) => (user.token = u8a.toString(hash.sha256(user.token))))
+        })
+        .catch((error) => {
+          console.log(`hash problem: ${error}`)
+          throw Error('Did you include @noble/hashes in package.json?')
+        })
+    }
+    this._users.push(...users)
+  }
+
+  getUsers(): BearerUser[] {
+    return this._users
+  }
+}