@tachybase/plugin-auth-oidc 0.23.8

package/dist/node_modules/openid-client/lib/device_flow_handle.js

@@ -0,0 +1,125 @@
+const { inspect } = require('util');
+
+const { RPError, OPError } = require('./errors');
+const now = require('./helpers/unix_timestamp');
+
+class DeviceFlowHandle {
+  #aborted;
+  #client;
+  #clientAssertionPayload;
+  #DPoP;
+  #exchangeBody;
+  #expires_at;
+  #interval;
+  #maxAge;
+  #response;
+  constructor({ client, exchangeBody, clientAssertionPayload, response, maxAge, DPoP }) {
+    ['verification_uri', 'user_code', 'device_code'].forEach((prop) => {
+      if (typeof response[prop] !== 'string' || !response[prop]) {
+        throw new RPError(
+          `expected ${prop} string to be returned by Device Authorization Response, got %j`,
+          response[prop],
+        );
+      }
+    });
+
+    if (!Number.isSafeInteger(response.expires_in)) {
+      throw new RPError(
+        'expected expires_in number to be returned by Device Authorization Response, got %j',
+        response.expires_in,
+      );
+    }
+
+    this.#expires_at = now() + response.expires_in;
+    this.#client = client;
+    this.#DPoP = DPoP;
+    this.#maxAge = maxAge;
+    this.#exchangeBody = exchangeBody;
+    this.#clientAssertionPayload = clientAssertionPayload;
+    this.#response = response;
+    this.#interval = response.interval * 1000 || 5000;
+  }
+
+  abort() {
+    this.#aborted = true;
+  }
+
+  async poll({ signal } = {}) {
+    if ((signal && signal.aborted) || this.#aborted) {
+      throw new RPError('polling aborted');
+    }
+
+    if (this.expired()) {
+      throw new RPError(
+        'the device code %j has expired and the device authorization session has concluded',
+        this.device_code,
+      );
+    }
+
+    await new Promise((resolve) => setTimeout(resolve, this.#interval));
+
+    let tokenset;
+    try {
+      tokenset = await this.#client.grant(
+        {
+          ...this.#exchangeBody,
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+          device_code: this.device_code,
+        },
+        { clientAssertionPayload: this.#clientAssertionPayload, DPoP: this.#DPoP },
+      );
+    } catch (err) {
+      switch (err instanceof OPError && err.error) {
+        case 'slow_down':
+          this.#interval += 5000;
+        case 'authorization_pending':
+          return this.poll({ signal });
+        default:
+          throw err;
+      }
+    }
+
+    if ('id_token' in tokenset) {
+      await this.#client.decryptIdToken(tokenset);
+      await this.#client.validateIdToken(tokenset, undefined, 'token', this.#maxAge);
+    }
+
+    return tokenset;
+  }
+
+  get device_code() {
+    return this.#response.device_code;
+  }
+
+  get user_code() {
+    return this.#response.user_code;
+  }
+
+  get verification_uri() {
+    return this.#response.verification_uri;
+  }
+
+  get verification_uri_complete() {
+    return this.#response.verification_uri_complete;
+  }
+
+  get expires_in() {
+    return Math.max.apply(null, [this.#expires_at - now(), 0]);
+  }
+
+  expired() {
+    return this.expires_in === 0;
+  }
+
+  /* istanbul ignore next */
+  [inspect.custom]() {
+    return `${this.constructor.name} ${inspect(this.#response, {
+      depth: Infinity,
+      colors: process.stdout.isTTY,
+      compact: false,
+      sorted: true,
+    })}`;
+  }
+}
+
+module.exports = DeviceFlowHandle;

package/dist/node_modules/openid-client/lib/errors.js

@@ -0,0 +1,55 @@
+const { format } = require('util');
+
+class OPError extends Error {
+  constructor({ error_description, error, error_uri, session_state, state, scope }, response) {
+    super(!error_description ? error : `${error} (${error_description})`);
+
+    Object.assign(
+      this,
+      { error },
+      error_description && { error_description },
+      error_uri && { error_uri },
+      state && { state },
+      scope && { scope },
+      session_state && { session_state },
+    );
+
+    if (response) {
+      Object.defineProperty(this, 'response', {
+        value: response,
+      });
+    }
+
+    this.name = this.constructor.name;
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+class RPError extends Error {
+  constructor(...args) {
+    if (typeof args[0] === 'string') {
+      super(format(...args));
+    } else {
+      const { message, printf, response, ...rest } = args[0];
+      if (printf) {
+        super(format(...printf));
+      } else {
+        super(message);
+      }
+      Object.assign(this, rest);
+      if (response) {
+        Object.defineProperty(this, 'response', {
+          value: response,
+        });
+      }
+    }
+
+    this.name = this.constructor.name;
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+module.exports = {
+  OPError,
+  RPError,
+};

package/dist/node_modules/openid-client/lib/helpers/assert.js

@@ -0,0 +1,24 @@
+function assertSigningAlgValuesSupport(endpoint, issuer, properties) {
+  if (!issuer[`${endpoint}_endpoint`]) return;
+
+  const eam = `${endpoint}_endpoint_auth_method`;
+  const easa = `${endpoint}_endpoint_auth_signing_alg`;
+  const easavs = `${endpoint}_endpoint_auth_signing_alg_values_supported`;
+
+  if (properties[eam] && properties[eam].endsWith('_jwt') && !properties[easa] && !issuer[easavs]) {
+    throw new TypeError(
+      `${easavs} must be configured on the issuer if ${easa} is not defined on a client`,
+    );
+  }
+}
+
+function assertIssuerConfiguration(issuer, endpoint) {
+  if (!issuer[endpoint]) {
+    throw new TypeError(`${endpoint} must be configured on the issuer`);
+  }
+}
+
+module.exports = {
+  assertSigningAlgValuesSupport,
+  assertIssuerConfiguration,
+};

package/dist/node_modules/openid-client/lib/helpers/base64url.js

@@ -0,0 +1,13 @@
+let encode;
+if (Buffer.isEncoding('base64url')) {
+  encode = (input, encoding = 'utf8') => Buffer.from(input, encoding).toString('base64url');
+} else {
+  const fromBase64 = (base64) => base64.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+  encode = (input, encoding = 'utf8') =>
+    fromBase64(Buffer.from(input, encoding).toString('base64'));
+}
+
+const decode = (input) => Buffer.from(input, 'base64');
+
+module.exports.decode = decode;
+module.exports.encode = encode;

package/dist/node_modules/openid-client/lib/helpers/client.js

@@ -0,0 +1,208 @@
+const jose = require('jose');
+
+const { RPError } = require('../errors');
+
+const { assertIssuerConfiguration } = require('./assert');
+const { random } = require('./generators');
+const now = require('./unix_timestamp');
+const request = require('./request');
+const { keystores } = require('./weak_cache');
+const merge = require('./merge');
+
+// TODO: in v6.x additionally encode the `- _ . ! ~ * ' ( )` characters
+// https://github.com/panva/node-openid-client/commit/5a2ea80ef5e59ec0c03dbd97d82f551e24a9d348
+const formUrlEncode = (value) => encodeURIComponent(value).replace(/%20/g, '+');
+
+async function clientAssertion(endpoint, payload) {
+  let alg = this[`${endpoint}_endpoint_auth_signing_alg`];
+  if (!alg) {
+    assertIssuerConfiguration(
+      this.issuer,
+      `${endpoint}_endpoint_auth_signing_alg_values_supported`,
+    );
+  }
+
+  if (this[`${endpoint}_endpoint_auth_method`] === 'client_secret_jwt') {
+    if (!alg) {
+      const supported = this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`];
+      alg =
+        Array.isArray(supported) && supported.find((signAlg) => /^HS(?:256|384|512)/.test(signAlg));
+    }
+
+    if (!alg) {
+      throw new RPError(
+        `failed to determine a JWS Algorithm to use for ${
+          this[`${endpoint}_endpoint_auth_method`]
+        } Client Assertion`,
+      );
+    }
+
+    return new jose.CompactSign(Buffer.from(JSON.stringify(payload)))
+      .setProtectedHeader({ alg })
+      .sign(this.secretForAlg(alg));
+  }
+
+  const keystore = await keystores.get(this);
+
+  if (!keystore) {
+    throw new TypeError('no client jwks provided for signing a client assertion with');
+  }
+
+  if (!alg) {
+    const supported = this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`];
+    alg =
+      Array.isArray(supported) &&
+      supported.find((signAlg) => keystore.get({ alg: signAlg, use: 'sig' }));
+  }
+
+  if (!alg) {
+    throw new RPError(
+      `failed to determine a JWS Algorithm to use for ${
+        this[`${endpoint}_endpoint_auth_method`]
+      } Client Assertion`,
+    );
+  }
+
+  const key = keystore.get({ alg, use: 'sig' });
+  if (!key) {
+    throw new RPError(
+      `no key found in client jwks to sign a client assertion with using alg ${alg}`,
+    );
+  }
+
+  return new jose.CompactSign(Buffer.from(JSON.stringify(payload)))
+    .setProtectedHeader({ alg, kid: key.jwk && key.jwk.kid })
+    .sign(await key.keyObject(alg));
+}
+
+async function authFor(endpoint, { clientAssertionPayload } = {}) {
+  const authMethod = this[`${endpoint}_endpoint_auth_method`];
+  switch (authMethod) {
+    case 'self_signed_tls_client_auth':
+    case 'tls_client_auth':
+    case 'none':
+      return { form: { client_id: this.client_id } };
+    case 'client_secret_post':
+      if (typeof this.client_secret !== 'string') {
+        throw new TypeError(
+          'client_secret_post client authentication method requires a client_secret',
+        );
+      }
+      return { form: { client_id: this.client_id, client_secret: this.client_secret } };
+    case 'private_key_jwt':
+    case 'client_secret_jwt': {
+      const timestamp = now();
+
+      const assertion = await clientAssertion.call(this, endpoint, {
+        iat: timestamp,
+        exp: timestamp + 60,
+        jti: random(),
+        iss: this.client_id,
+        sub: this.client_id,
+        aud: this.issuer.issuer,
+        ...clientAssertionPayload,
+      });
+
+      return {
+        form: {
+          client_id: this.client_id,
+          client_assertion: assertion,
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        },
+      };
+    }
+    case 'client_secret_basic': {
+      // This is correct behaviour, see https://tools.ietf.org/html/rfc6749#section-2.3.1 and the
+      // related appendix. (also https://github.com/panva/node-openid-client/pull/91)
+      // > The client identifier is encoded using the
+      // > "application/x-www-form-urlencoded" encoding algorithm per
+      // > Appendix B, and the encoded value is used as the username; the client
+      // > password is encoded using the same algorithm and used as the
+      // > password.
+      if (typeof this.client_secret !== 'string') {
+        throw new TypeError(
+          'client_secret_basic client authentication method requires a client_secret',
+        );
+      }
+      const encoded = `${formUrlEncode(this.client_id)}:${formUrlEncode(this.client_secret)}`;
+      const value = Buffer.from(encoded).toString('base64');
+      return { headers: { Authorization: `Basic ${value}` } };
+    }
+    default: {
+      throw new TypeError(`missing, or unsupported, ${endpoint}_endpoint_auth_method`);
+    }
+  }
+}
+
+function resolveResponseType() {
+  const { length, 0: value } = this.response_types;
+
+  if (length === 1) {
+    return value;
+  }
+
+  return undefined;
+}
+
+function resolveRedirectUri() {
+  const { length, 0: value } = this.redirect_uris || [];
+
+  if (length === 1) {
+    return value;
+  }
+
+  return undefined;
+}
+
+async function authenticatedPost(
+  endpoint,
+  opts,
+  { clientAssertionPayload, endpointAuthMethod = endpoint, DPoP } = {},
+) {
+  const auth = await authFor.call(this, endpointAuthMethod, { clientAssertionPayload });
+  const requestOpts = merge(opts, auth);
+
+  const mTLS =
+    this[`${endpointAuthMethod}_endpoint_auth_method`].includes('tls_client_auth') ||
+    (endpoint === 'token' && this.tls_client_certificate_bound_access_tokens);
+
+  let targetUrl;
+  if (mTLS && this.issuer.mtls_endpoint_aliases) {
+    targetUrl = this.issuer.mtls_endpoint_aliases[`${endpoint}_endpoint`];
+  }
+
+  targetUrl = targetUrl || this.issuer[`${endpoint}_endpoint`];
+
+  if ('form' in requestOpts) {
+    for (const [key, value] of Object.entries(requestOpts.form)) {
+      if (typeof value === 'undefined') {
+        delete requestOpts.form[key];
+      }
+    }
+  }
+
+  return request.call(
+    this,
+    {
+      ...requestOpts,
+      method: 'POST',
+      url: targetUrl,
+      headers: {
+        ...(endpoint !== 'revocation'
+          ? {
+              Accept: 'application/json',
+            }
+          : undefined),
+        ...requestOpts.headers,
+      },
+    },
+    { mTLS, DPoP },
+  );
+}
+
+module.exports = {
+  resolveResponseType,
+  resolveRedirectUri,
+  authFor,
+  authenticatedPost,
+};

package/dist/node_modules/openid-client/lib/helpers/consts.js

@@ -0,0 +1,7 @@
+const HTTP_OPTIONS = Symbol();
+const CLOCK_TOLERANCE = Symbol();
+
+module.exports = {
+  CLOCK_TOLERANCE,
+  HTTP_OPTIONS,
+};

package/dist/node_modules/openid-client/lib/helpers/decode_jwt.js

@@ -0,0 +1,27 @@
+const base64url = require('./base64url');
+
+module.exports = (token) => {
+  if (typeof token !== 'string' || !token) {
+    throw new TypeError('JWT must be a string');
+  }
+
+  const { 0: header, 1: payload, 2: signature, length } = token.split('.');
+
+  if (length === 5) {
+    throw new TypeError('encrypted JWTs cannot be decoded');
+  }
+
+  if (length !== 3) {
+    throw new Error('JWTs must have three components');
+  }
+
+  try {
+    return {
+      header: JSON.parse(base64url.decode(header)),
+      payload: JSON.parse(base64url.decode(payload)),
+      signature,
+    };
+  } catch (err) {
+    throw new Error('JWT is malformed');
+  }
+};

package/dist/node_modules/openid-client/lib/helpers/deep_clone.js

@@ -0,0 +1 @@
+module.exports = globalThis.structuredClone || ((obj) => JSON.parse(JSON.stringify(obj)));

package/dist/node_modules/openid-client/lib/helpers/defaults.js

@@ -0,0 +1,27 @@
+const isPlainObject = require('./is_plain_object');
+
+function defaults(deep, target, ...sources) {
+  for (const source of sources) {
+    if (!isPlainObject(source)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(source)) {
+      /* istanbul ignore if */
+      if (key === '__proto__' || key === 'constructor') {
+        continue;
+      }
+      if (typeof target[key] === 'undefined' && typeof value !== 'undefined') {
+        target[key] = value;
+      }
+
+      if (deep && isPlainObject(target[key]) && isPlainObject(value)) {
+        defaults(true, target[key], value);
+      }
+    }
+  }
+
+  return target;
+}
+
+module.exports = defaults.bind(undefined, false);
+module.exports.deep = defaults.bind(undefined, true);

package/dist/node_modules/openid-client/lib/helpers/generators.js

@@ -0,0 +1,14 @@
+const { createHash, randomBytes } = require('crypto');
+
+const base64url = require('./base64url');
+
+const random = (bytes = 32) => base64url.encode(randomBytes(bytes));
+
+module.exports = {
+  random,
+  state: random,
+  nonce: random,
+  codeVerifier: random,
+  codeChallenge: (codeVerifier) =>
+    base64url.encode(createHash('sha256').update(codeVerifier).digest()),
+};

package/dist/node_modules/openid-client/lib/helpers/is_key_object.js

@@ -0,0 +1,4 @@
+const util = require('util');
+const crypto = require('crypto');
+
+module.exports = util.types.isKeyObject || ((obj) => obj && obj instanceof crypto.KeyObject);

package/dist/node_modules/openid-client/lib/helpers/is_plain_object.js

@@ -0,0 +1 @@
+module.exports = (a) => !!a && a.constructor === Object;

package/dist/node_modules/openid-client/lib/helpers/issuer.js

@@ -0,0 +1,111 @@
+const objectHash = require('object-hash');
+const LRU = require('lru-cache');
+
+const { RPError } = require('../errors');
+
+const { assertIssuerConfiguration } = require('./assert');
+const KeyStore = require('./keystore');
+const { keystores } = require('./weak_cache');
+const processResponse = require('./process_response');
+const request = require('./request');
+
+const inFlight = new WeakMap();
+const caches = new WeakMap();
+const lrus = (ctx) => {
+  if (!caches.has(ctx)) {
+    caches.set(ctx, new LRU({ max: 100 }));
+  }
+  return caches.get(ctx);
+};
+
+async function getKeyStore(reload = false) {
+  assertIssuerConfiguration(this, 'jwks_uri');
+
+  const keystore = keystores.get(this);
+  const cache = lrus(this);
+
+  if (reload || !keystore) {
+    if (inFlight.has(this)) {
+      return inFlight.get(this);
+    }
+    cache.reset();
+    inFlight.set(
+      this,
+      (async () => {
+        const response = await request
+          .call(this, {
+            method: 'GET',
+            responseType: 'json',
+            url: this.jwks_uri,
+            headers: {
+              Accept: 'application/json, application/jwk-set+json',
+            },
+          })
+          .finally(() => {
+            inFlight.delete(this);
+          });
+        const jwks = processResponse(response);
+
+        const joseKeyStore = KeyStore.fromJWKS(jwks, { onlyPublic: true });
+        cache.set('throttle', true, 60 * 1000);
+        keystores.set(this, joseKeyStore);
+
+        return joseKeyStore;
+      })(),
+    );
+
+    return inFlight.get(this);
+  }
+
+  return keystore;
+}
+
+async function queryKeyStore({ kid, kty, alg, use }, { allowMulti = false } = {}) {
+  const cache = lrus(this);
+
+  const def = {
+    kid,
+    kty,
+    alg,
+    use,
+  };
+
+  const defHash = objectHash(def, {
+    algorithm: 'sha256',
+    ignoreUnknown: true,
+    unorderedArrays: true,
+    unorderedSets: true,
+    respectType: false,
+  });
+
+  // refresh keystore on every unknown key but also only upto once every minute
+  const freshJwksUri = cache.get(defHash) || cache.get('throttle');
+
+  const keystore = await getKeyStore.call(this, !freshJwksUri);
+  const keys = keystore.all(def);
+
+  delete def.use;
+  if (keys.length === 0) {
+    throw new RPError({
+      printf: ["no valid key found in issuer's jwks_uri for key parameters %j", def],
+      jwks: keystore,
+    });
+  }
+
+  if (!allowMulti && keys.length > 1 && !kid) {
+    throw new RPError({
+      printf: [
+        "multiple matching keys found in issuer's jwks_uri for key parameters %j, kid must be provided in this case",
+        def,
+      ],
+      jwks: keystore,
+    });
+  }
+
+  cache.set(defHash, true);
+
+  return keys;
+}
+
+module.exports.queryKeyStore = queryKeyStore;
+module.exports.keystore = getKeyStore;