@tachybase/plugin-auth-oidc 0.23.8

package/dist/server/actions/redirect.js

@@ -0,0 +1,55 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var redirect_exports = {};
+__export(redirect_exports, {
+  redirect: () => redirect
+});
+module.exports = __toCommonJS(redirect_exports);
+var import_server = require("@tachybase/server");
+const redirect = async (ctx, next) => {
+  const {
+    params: { state }
+  } = ctx.action;
+  const search = new URLSearchParams(decodeURIComponent(state));
+  const authenticator = search.get("name");
+  const appName = search.get("app");
+  const redirect2 = search.get("redirect") || "/admin";
+  let prefix = process.env.APP_PUBLIC_PATH || "";
+  if (appName && appName !== "main") {
+    const appSupervisor = import_server.AppSupervisor.getInstance();
+    if ((appSupervisor == null ? void 0 : appSupervisor.runningMode) !== "single") {
+      prefix += `apps/${appName}`;
+    }
+  }
+  const auth = await ctx.app.authManager.get(authenticator, ctx);
+  if (prefix.endsWith("/")) {
+    prefix = prefix.slice(0, -1);
+  }
+  try {
+    const { token } = await auth.signIn();
+    ctx.redirect(`${prefix}${redirect2}?authenticator=${authenticator}&token=${token}`);
+  } catch (error) {
+    ctx.logger.error("OIDC auth error", { error });
+    ctx.redirect(`${prefix}/signin?redirect=${redirect2}&authenticator=${authenticator}&error=${error.message}`);
+  }
+  await next();
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  redirect
+});

package/dist/server/index.d.ts

@@ -0,0 +1 @@
+export { default } from './plugin';

package/dist/server/index.js

@@ -0,0 +1,33 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var server_exports = {};
+__export(server_exports, {
+  default: () => import_plugin.default
+});
+module.exports = __toCommonJS(server_exports);
+var import_plugin = __toESM(require("./plugin"));

package/dist/server/migrations/20231007124508-update-autosignup.d.ts

@@ -0,0 +1,6 @@
+import { Migration } from '@tachybase/server';
+export default class UpdateAutoSignupMigration extends Migration {
+    appVersion: string;
+    up(): Promise<void>;
+    down(): Promise<void>;
+}

package/dist/server/migrations/20231007124508-update-autosignup.js

@@ -0,0 +1,52 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var update_autosignup_exports = {};
+__export(update_autosignup_exports, {
+  default: () => UpdateAutoSignupMigration
+});
+module.exports = __toCommonJS(update_autosignup_exports);
+var import_server = require("@tachybase/server");
+var import_constants = require("../../constants");
+class UpdateAutoSignupMigration extends import_server.Migration {
+  appVersion = "<0.14.0-alpha.8";
+  async up() {
+    const result = await this.app.version.satisfies("<=0.14.0-alpha.8");
+    if (!result) {
+      return;
+    }
+    const r = this.db.getRepository("authenticators");
+    const items = await r.find({
+      filter: {
+        authType: import_constants.authType
+      }
+    });
+    await this.db.sequelize.transaction(async (transaction) => {
+      for (const item of items) {
+        let options = item.options;
+        options = {
+          public: { autoSignup: true, ...options.public },
+          oidc: { userBindField: "email", ...options.oidc }
+        };
+        item.set("options", options);
+        await item.save({ transaction });
+      }
+    });
+  }
+  async down() {
+  }
+}

package/dist/server/oidc-auth.d.ts

@@ -0,0 +1,15 @@
+import { AuthConfig, BaseAuth } from '@tachybase/auth';
+export { Model } from '@tachybase/database';
+export declare class OIDCAuth extends BaseAuth {
+    constructor(config: AuthConfig);
+    getRedirectUri(): string;
+    getOptions(): any;
+    getExchangeBody(): {};
+    mapField(userInfo: {
+        [source: string]: any;
+    }): {
+        [source: string]: any;
+    };
+    createOIDCClient(): Promise<import("openid-client").BaseClient>;
+    validate(): Promise<import("@tachybase/database").Model<any, any>>;
+}

package/dist/server/oidc-auth.js

@@ -0,0 +1,154 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var oidc_auth_exports = {};
+__export(oidc_auth_exports, {
+  Model: () => import_database.Model,
+  OIDCAuth: () => OIDCAuth
+});
+module.exports = __toCommonJS(oidc_auth_exports);
+var import_auth = require("@tachybase/auth");
+var import_openid_client = require("openid-client");
+var import_constants = require("../constants");
+var import_database = require("@tachybase/database");
+class OIDCAuth extends import_auth.BaseAuth {
+  constructor(config) {
+    const { ctx } = config;
+    super({
+      ...config,
+      userCollection: ctx.db.getCollection("users")
+    });
+  }
+  getRedirectUri() {
+    const ctx = this.ctx;
+    const { http, port } = this.getOptions();
+    const protocol = http ? "http" : "https";
+    const host = port ? `${ctx.hostname}${port ? `:${port}` : ""}` : ctx.host;
+    return `${protocol}://${host}${process.env.API_BASE_PATH}oidc:redirect`;
+  }
+  getOptions() {
+    var _a;
+    return ((_a = this.options) == null ? void 0 : _a.oidc) || {};
+  }
+  getExchangeBody() {
+    const options = this.getOptions();
+    const { exchangeBodyKeys } = options;
+    if (!exchangeBodyKeys) {
+      return {};
+    }
+    const body = {};
+    exchangeBodyKeys.filter((item) => item.enabled).forEach((item) => {
+      const name = item.paramName || item.optionsKey;
+      body[name] = options[item.optionsKey];
+    });
+    return body;
+  }
+  mapField(userInfo) {
+    const { fieldMap } = this.getOptions();
+    if (!fieldMap) {
+      return userInfo;
+    }
+    fieldMap.forEach((item) => {
+      const { source, target } = item;
+      if (userInfo[source]) {
+        userInfo[target] = userInfo[source];
+      }
+    });
+    return userInfo;
+  }
+  async createOIDCClient() {
+    const { issuer, clientId, clientSecret, idTokenSignedResponseAlg } = this.getOptions();
+    const oidc = await import_openid_client.Issuer.discover(issuer);
+    return new oidc.Client({
+      client_id: clientId,
+      client_secret: clientSecret,
+      id_token_signed_response_alg: idTokenSignedResponseAlg || "RS256"
+    });
+  }
+  async validate() {
+    var _a;
+    const ctx = this.ctx;
+    const { params: values } = ctx.action;
+    const { userInfoMethod = "GET", accessTokenVia = "header", stateToken } = this.getOptions();
+    const token = stateToken || ctx.cookies.get(import_constants.cookieName);
+    const search = new URLSearchParams(decodeURIComponent(values.state));
+    if (search.get("token") !== token) {
+      ctx.logger.error("tachybase_oidc state mismatch", { method: "validate" });
+      return null;
+    }
+    const client = await this.createOIDCClient();
+    const tokens = await client.callback(
+      this.getRedirectUri(),
+      {
+        code: values.code,
+        iss: values.iss
+      },
+      {},
+      { exchangeBody: this.getExchangeBody() }
+    );
+    const userInfo = await client.userinfo(tokens, {
+      method: userInfoMethod,
+      via: accessTokenVia !== "query" ? accessTokenVia : "header",
+      params: accessTokenVia === "query" ? {
+        access_token: tokens.access_token
+      } : {}
+    });
+    const mappedUserInfo = this.mapField(userInfo);
+    const { nickname, username, name, sub, email, phone } = mappedUserInfo;
+    const authenticator = this.authenticator;
+    let user = await authenticator.findUser(sub);
+    if (user) {
+      return user;
+    }
+    const { userBindField = "email" } = this.getOptions();
+    if (userBindField === "email" && email) {
+      user = await this.userRepository.findOne({
+        filter: { email }
+      });
+    } else if (userBindField === "username" && username) {
+      user = await this.userRepository.findOne({
+        filter: { username }
+      });
+    }
+    if (user) {
+      await authenticator.addUser(user.id, {
+        through: {
+          uuid: sub
+        }
+      });
+      return user;
+    }
+    const { autoSignup } = ((_a = this.options) == null ? void 0 : _a.public) || {};
+    if (!autoSignup) {
+      throw new Error("User not found");
+    }
+    if (username && !this.validateUsername(username)) {
+      throw new Error(`Username must be 2-16 characters in length (excluding @.<>"'/)`);
+    }
+    return await authenticator.newUser(sub, {
+      username: username ?? null,
+      nickname: nickname || name || username || sub,
+      email: email ?? null,
+      phone: phone ?? null
+    });
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  Model,
+  OIDCAuth
+});

package/dist/server/plugin.d.ts

@@ -0,0 +1,11 @@
+import { InstallOptions, Plugin } from '@tachybase/server';
+export declare class OidcPlugin extends Plugin {
+    afterAdd(): void;
+    beforeLoad(): void;
+    load(): Promise<void>;
+    install(options?: InstallOptions): Promise<void>;
+    afterEnable(): Promise<void>;
+    afterDisable(): Promise<void>;
+    remove(): Promise<void>;
+}
+export default OidcPlugin;

package/dist/server/plugin.js

@@ -0,0 +1,83 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var plugin_exports = {};
+__export(plugin_exports, {
+  OidcPlugin: () => OidcPlugin,
+  default: () => plugin_default
+});
+module.exports = __toCommonJS(plugin_exports);
+var import_path = require("path");
+var import_server = require("@tachybase/server");
+var import_constants = require("../constants");
+var import_getAuthUrl = require("./actions/getAuthUrl");
+var import_redirect = require("./actions/redirect");
+var import_oidc_auth = require("./oidc-auth");
+class OidcPlugin extends import_server.Plugin {
+  afterAdd() {
+  }
+  beforeLoad() {
+  }
+  async load() {
+    this.db.addMigrations({
+      namespace: "auth",
+      directory: (0, import_path.resolve)(__dirname, "migrations"),
+      context: {
+        plugin: this
+      }
+    });
+    this.app.authManager.registerTypes(import_constants.authType, {
+      auth: import_oidc_auth.OIDCAuth
+    });
+    this.app.resourcer.define({
+      name: "oidc",
+      actions: {
+        getAuthUrl: import_getAuthUrl.getAuthUrl,
+        redirect: import_redirect.redirect
+      }
+    });
+    this.app.acl.allow("oidc", "*", "public");
+    import_server.Gateway.getInstance().addAppSelectorMiddleware(async (ctx, next) => {
+      const { req } = ctx;
+      const url = new URL(req.url, `http://${req.headers.host}`);
+      const params = url.searchParams;
+      const state = params.get("state");
+      if (!state) {
+        return next();
+      }
+      const search = new URLSearchParams(state);
+      const appName = search.get("app");
+      if (appName) {
+        ctx.resolvedAppName = appName;
+      }
+      await next();
+    });
+  }
+  async install(options) {
+  }
+  async afterEnable() {
+  }
+  async afterDisable() {
+  }
+  async remove() {
+  }
+}
+var plugin_default = OidcPlugin;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  OidcPlugin
+});

package/dist/swagger/index.d.ts

@@ -0,0 +1,143 @@
+declare const _default: {
+    info: {
+        title: string;
+    };
+    paths: {
+        '/oidc:getAuthUrl': {
+            security: any[];
+            get: {
+                description: string;
+                tags: string[];
+                parameters: {
+                    name: string;
+                    description: string;
+                    in: string;
+                    schema: {
+                        type: string;
+                    };
+                    required: boolean;
+                }[];
+                responses: {
+                    200: {
+                        description: string;
+                        content: {
+                            'application/json': {
+                                schema: {
+                                    type: string;
+                                };
+                            };
+                        };
+                    };
+                };
+            };
+        };
+        '/auth:signIn': {
+            security: any[];
+            post: {
+                description: string;
+                tags: string[];
+                parameters: {
+                    name: string;
+                    description: string;
+                    in: string;
+                    schema: {
+                        type: string;
+                    };
+                    required: boolean;
+                }[];
+                requestBody: {
+                    content: {
+                        'application/json': {
+                            schema: {
+                                type: string;
+                                properties: {
+                                    code: {
+                                        type: string;
+                                    };
+                                    state: {
+                                        type: string;
+                                    };
+                                    iss: {
+                                        type: string;
+                                    };
+                                };
+                            };
+                        };
+                    };
+                };
+                responses: {
+                    200: {
+                        description: string;
+                        content: {
+                            'application/json': {
+                                schema: {
+                                    type: string;
+                                    properties: {
+                                        token: {
+                                            type: string;
+                                        };
+                                        user: {
+                                            type: string;
+                                            description: string;
+                                            properties: {
+                                                id: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                                nickname: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                                email: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                                phone: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                                appLang: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                                systemSettings: {
+                                                    type: string;
+                                                    description: string;
+                                                    properties: {
+                                                        theme: {
+                                                            type: string;
+                                                            description: string;
+                                                        };
+                                                    };
+                                                };
+                                                createdAt: {
+                                                    type: string;
+                                                    format: string;
+                                                    description: string;
+                                                };
+                                                updatedAt: {
+                                                    type: string;
+                                                    format: string;
+                                                    description: string;
+                                                };
+                                                createdById: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                                updatedById: {
+                                                    type: string;
+                                                    description: string;
+                                                };
+                                            };
+                                        };
+                                    };
+                                };
+                            };
+                        };
+                    };
+                };
+            };
+        };
+    };
+};
+export default _default;