@tachybase/plugin-auth-oidc 0.23.8

package/dist/node_modules/openid-client/lib/helpers/keystore.js

@@ -0,0 +1,298 @@
+const jose = require('jose');
+
+const clone = require('./deep_clone');
+const isPlainObject = require('./is_plain_object');
+
+const internal = Symbol();
+
+const keyscore = (key, { alg, use }) => {
+  let score = 0;
+
+  if (alg && key.alg) {
+    score++;
+  }
+
+  if (use && key.use) {
+    score++;
+  }
+
+  return score;
+};
+
+function getKtyFromAlg(alg) {
+  switch (typeof alg === 'string' && alg.slice(0, 2)) {
+    case 'RS':
+    case 'PS':
+      return 'RSA';
+    case 'ES':
+      return 'EC';
+    case 'Ed':
+      return 'OKP';
+    default:
+      return undefined;
+  }
+}
+
+function getAlgorithms(use, alg, kty, crv) {
+  // Ed25519, Ed448, and secp256k1 always have "alg"
+  // OKP always has "use"
+  if (alg) {
+    return new Set([alg]);
+  }
+
+  switch (kty) {
+    case 'EC': {
+      let algs = [];
+
+      if (use === 'enc' || use === undefined) {
+        algs = algs.concat(['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']);
+      }
+
+      if (use === 'sig' || use === undefined) {
+        switch (crv) {
+          case 'P-256':
+          case 'P-384':
+            algs = algs.concat([`ES${crv.slice(-3)}`]);
+            break;
+          case 'P-521':
+            algs = algs.concat(['ES512']);
+            break;
+          case 'secp256k1':
+            if (jose.cryptoRuntime === 'node:crypto') {
+              algs = algs.concat(['ES256K']);
+            }
+            break;
+        }
+      }
+
+      return new Set(algs);
+    }
+    case 'OKP': {
+      return new Set(['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']);
+    }
+    case 'RSA': {
+      let algs = [];
+
+      if (use === 'enc' || use === undefined) {
+        algs = algs.concat(['RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512']);
+        if (jose.cryptoRuntime === 'node:crypto') {
+          algs = algs.concat(['RSA1_5']);
+        }
+      }
+
+      if (use === 'sig' || use === undefined) {
+        algs = algs.concat(['PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512']);
+      }
+
+      return new Set(algs);
+    }
+    default:
+      throw new Error('unreachable');
+  }
+}
+
+module.exports = class KeyStore {
+  #keys;
+
+  constructor(i, keys) {
+    if (i !== internal) throw new Error('invalid constructor call');
+    this.#keys = keys;
+  }
+
+  toJWKS() {
+    return {
+      keys: this.map(({ jwk: { d, p, q, dp, dq, qi, ...jwk } }) => jwk),
+    };
+  }
+
+  all({ alg, kid, use } = {}) {
+    if (!use || !alg) {
+      throw new Error();
+    }
+
+    const kty = getKtyFromAlg(alg);
+
+    const search = { alg, use };
+    return this.filter((key) => {
+      let candidate = true;
+
+      if (candidate && kty !== undefined && key.jwk.kty !== kty) {
+        candidate = false;
+      }
+
+      if (candidate && kid !== undefined && key.jwk.kid !== kid) {
+        candidate = false;
+      }
+
+      if (candidate && use !== undefined && key.jwk.use !== undefined && key.jwk.use !== use) {
+        candidate = false;
+      }
+
+      if (candidate && key.jwk.alg && key.jwk.alg !== alg) {
+        candidate = false;
+      } else if (!key.algorithms.has(alg)) {
+        candidate = false;
+      }
+
+      return candidate;
+    }).sort((first, second) => keyscore(second, search) - keyscore(first, search));
+  }
+
+  get(...args) {
+    return this.all(...args)[0];
+  }
+
+  static async fromJWKS(jwks, { onlyPublic = false, onlyPrivate = false } = {}) {
+    if (
+      !isPlainObject(jwks) ||
+      !Array.isArray(jwks.keys) ||
+      jwks.keys.some((k) => !isPlainObject(k) || !('kty' in k))
+    ) {
+      throw new TypeError('jwks must be a JSON Web Key Set formatted object');
+    }
+
+    const keys = [];
+
+    for (let jwk of jwks.keys) {
+      jwk = clone(jwk);
+      const { kty, kid, crv } = jwk;
+
+      let { alg, use } = jwk;
+
+      if (typeof kty !== 'string' || !kty) {
+        continue;
+      }
+
+      if (use !== undefined && use !== 'sig' && use !== 'enc') {
+        continue;
+      }
+
+      if (typeof alg !== 'string' && alg !== undefined) {
+        continue;
+      }
+
+      if (typeof kid !== 'string' && kid !== undefined) {
+        continue;
+      }
+
+      if (kty === 'EC' && use === 'sig') {
+        switch (crv) {
+          case 'P-256':
+            alg = 'ES256';
+            break;
+          case 'P-384':
+            alg = 'ES384';
+            break;
+          case 'P-521':
+            alg = 'ES512';
+            break;
+          default:
+            break;
+        }
+      }
+
+      if (crv === 'secp256k1') {
+        use = 'sig';
+        alg = 'ES256K';
+      }
+
+      if (kty === 'OKP') {
+        switch (crv) {
+          case 'Ed25519':
+          case 'Ed448':
+            use = 'sig';
+            alg = 'EdDSA';
+            break;
+          case 'X25519':
+          case 'X448':
+            use = 'enc';
+            break;
+          default:
+            break;
+        }
+      }
+
+      if (alg && !use) {
+        switch (true) {
+          case alg.startsWith('ECDH'):
+            use = 'enc';
+            break;
+          case alg.startsWith('RSA'):
+            use = 'enc';
+            break;
+          default:
+            break;
+        }
+      }
+
+      if (onlyPrivate && (jwk.kty === 'oct' || !jwk.d)) {
+        throw new Error('jwks must only contain private keys');
+      }
+
+      if (onlyPublic && (jwk.d || jwk.k)) {
+        continue;
+      }
+
+      keys.push({
+        jwk: { ...jwk, alg, use },
+        async keyObject(alg) {
+          if (this[alg]) {
+            return this[alg];
+          }
+
+          const keyObject = await jose.importJWK(this.jwk, alg);
+          this[alg] = keyObject;
+          return keyObject;
+        },
+        get algorithms() {
+          Object.defineProperty(this, 'algorithms', {
+            value: getAlgorithms(this.jwk.use, this.jwk.alg, this.jwk.kty, this.jwk.crv),
+            enumerable: true,
+            configurable: false,
+          });
+          return this.algorithms;
+        },
+      });
+    }
+
+    return new this(internal, keys);
+  }
+
+  filter(...args) {
+    return this.#keys.filter(...args);
+  }
+
+  find(...args) {
+    return this.#keys.find(...args);
+  }
+
+  every(...args) {
+    return this.#keys.every(...args);
+  }
+
+  some(...args) {
+    return this.#keys.some(...args);
+  }
+
+  map(...args) {
+    return this.#keys.map(...args);
+  }
+
+  forEach(...args) {
+    return this.#keys.forEach(...args);
+  }
+
+  reduce(...args) {
+    return this.#keys.reduce(...args);
+  }
+
+  sort(...args) {
+    return this.#keys.sort(...args);
+  }
+
+  *[Symbol.iterator]() {
+    for (const key of this.#keys) {
+      yield key;
+    }
+  }
+};

package/dist/node_modules/openid-client/lib/helpers/merge.js

@@ -0,0 +1,24 @@
+const isPlainObject = require('./is_plain_object');
+
+function merge(target, ...sources) {
+  for (const source of sources) {
+    if (!isPlainObject(source)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(source)) {
+      /* istanbul ignore if */
+      if (key === '__proto__' || key === 'constructor') {
+        continue;
+      }
+      if (isPlainObject(target[key]) && isPlainObject(value)) {
+        target[key] = merge(target[key], value);
+      } else if (typeof value !== 'undefined') {
+        target[key] = value;
+      }
+    }
+  }
+
+  return target;
+}
+
+module.exports = merge;

package/dist/node_modules/openid-client/lib/helpers/pick.js

@@ -0,0 +1,9 @@
+module.exports = function pick(object, ...paths) {
+  const obj = {};
+  for (const path of paths) {
+    if (object[path] !== undefined) {
+      obj[path] = object[path];
+    }
+  }
+  return obj;
+};

package/dist/node_modules/openid-client/lib/helpers/process_response.js

@@ -0,0 +1,71 @@
+const { STATUS_CODES } = require('http');
+const { format } = require('util');
+
+const { OPError } = require('../errors');
+const parseWwwAuthenticate = require('./www_authenticate_parser');
+
+const throwAuthenticateErrors = (response) => {
+  const params = parseWwwAuthenticate(response.headers['www-authenticate']);
+
+  if (params.error) {
+    throw new OPError(params, response);
+  }
+};
+
+const isStandardBodyError = (response) => {
+  let result = false;
+  try {
+    let jsonbody;
+    if (typeof response.body !== 'object' || Buffer.isBuffer(response.body)) {
+      jsonbody = JSON.parse(response.body);
+    } else {
+      jsonbody = response.body;
+    }
+    result = typeof jsonbody.error === 'string' && jsonbody.error.length;
+    if (result) Object.defineProperty(response, 'body', { value: jsonbody, configurable: true });
+  } catch (err) {}
+
+  return result;
+};
+
+function processResponse(response, { statusCode = 200, body = true, bearer = false } = {}) {
+  if (response.statusCode !== statusCode) {
+    if (bearer) {
+      throwAuthenticateErrors(response);
+    }
+
+    if (isStandardBodyError(response)) {
+      throw new OPError(response.body, response);
+    }
+
+    throw new OPError(
+      {
+        error: format(
+          'expected %i %s, got: %i %s',
+          statusCode,
+          STATUS_CODES[statusCode],
+          response.statusCode,
+          STATUS_CODES[response.statusCode],
+        ),
+      },
+      response,
+    );
+  }
+
+  if (body && !response.body) {
+    throw new OPError(
+      {
+        error: format(
+          'expected %i %s with body but no body was returned',
+          statusCode,
+          STATUS_CODES[statusCode],
+        ),
+      },
+      response,
+    );
+  }
+
+  return response.body;
+}
+
+module.exports = processResponse;

package/dist/node_modules/openid-client/lib/helpers/request.js

@@ -0,0 +1,200 @@
+const assert = require('assert');
+const querystring = require('querystring');
+const http = require('http');
+const https = require('https');
+const { once } = require('events');
+const { URL } = require('url');
+
+const LRU = require('lru-cache');
+
+const pkg = require('../../package.json');
+const { RPError } = require('../errors');
+
+const pick = require('./pick');
+const { deep: defaultsDeep } = require('./defaults');
+const { HTTP_OPTIONS } = require('./consts');
+
+let DEFAULT_HTTP_OPTIONS;
+const NQCHAR = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
+
+const allowed = [
+  'agent',
+  'ca',
+  'cert',
+  'crl',
+  'headers',
+  'key',
+  'lookup',
+  'passphrase',
+  'pfx',
+  'timeout',
+];
+
+const setDefaults = (props, options) => {
+  DEFAULT_HTTP_OPTIONS = defaultsDeep(
+    {},
+    props.length ? pick(options, ...props) : options,
+    DEFAULT_HTTP_OPTIONS,
+  );
+};
+
+setDefaults([], {
+  headers: {
+    'User-Agent': `${pkg.name}/${pkg.version} (${pkg.homepage})`,
+    'Accept-Encoding': 'identity',
+  },
+  timeout: 3500,
+});
+
+function send(req, body, contentType) {
+  if (contentType) {
+    req.removeHeader('content-type');
+    req.setHeader('content-type', contentType);
+  }
+  if (body) {
+    req.removeHeader('content-length');
+    req.setHeader('content-length', Buffer.byteLength(body));
+    req.write(body);
+  }
+  req.end();
+}
+
+const nonces = new LRU({ max: 100 });
+
+module.exports = async function request(options, { accessToken, mTLS = false, DPoP } = {}) {
+  let url;
+  try {
+    url = new URL(options.url);
+    delete options.url;
+    assert(/^(https?:)$/.test(url.protocol));
+  } catch (err) {
+    throw new TypeError('only valid absolute URLs can be requested');
+  }
+  const optsFn = this[HTTP_OPTIONS];
+  let opts = options;
+
+  const nonceKey = `${url.origin}${url.pathname}`;
+  if (DPoP && 'dpopProof' in this) {
+    opts.headers = opts.headers || {};
+    opts.headers.DPoP = await this.dpopProof(
+      {
+        htu: `${url.origin}${url.pathname}`,
+        htm: options.method || 'GET',
+        nonce: nonces.get(nonceKey),
+      },
+      DPoP,
+      accessToken,
+    );
+  }
+
+  let userOptions;
+  if (optsFn) {
+    userOptions = pick(
+      optsFn.call(this, url, defaultsDeep({}, opts, DEFAULT_HTTP_OPTIONS)),
+      ...allowed,
+    );
+  }
+  opts = defaultsDeep({}, userOptions, opts, DEFAULT_HTTP_OPTIONS);
+
+  if (mTLS && !opts.pfx && !(opts.key && opts.cert)) {
+    throw new TypeError('mutual-TLS certificate and key not set');
+  }
+
+  if (opts.searchParams) {
+    for (const [key, value] of Object.entries(opts.searchParams)) {
+      url.searchParams.delete(key);
+      url.searchParams.set(key, value);
+    }
+  }
+
+  let responseType;
+  let form;
+  let json;
+  let body;
+  ({ form, responseType, json, body, ...opts } = opts);
+
+  for (const [key, value] of Object.entries(opts.headers || {})) {
+    if (value === undefined) {
+      delete opts.headers[key];
+    }
+  }
+
+  let response;
+  const req = (url.protocol === 'https:' ? https.request : http.request)(url.href, opts);
+  return (async () => {
+    if (json) {
+      send(req, JSON.stringify(json), 'application/json');
+    } else if (form) {
+      send(req, querystring.stringify(form), 'application/x-www-form-urlencoded');
+    } else if (body) {
+      send(req, body);
+    } else {
+      send(req);
+    }
+
+    [response] = await Promise.race([once(req, 'response'), once(req, 'timeout')]);
+
+    // timeout reached
+    if (!response) {
+      req.destroy();
+      throw new RPError(`outgoing request timed out after ${opts.timeout}ms`);
+    }
+
+    const parts = [];
+
+    for await (const part of response) {
+      parts.push(part);
+    }
+
+    if (parts.length) {
+      switch (responseType) {
+        case 'json': {
+          Object.defineProperty(response, 'body', {
+            get() {
+              let value = Buffer.concat(parts);
+              try {
+                value = JSON.parse(value);
+              } catch (err) {
+                Object.defineProperty(err, 'response', { value: response });
+                throw err;
+              } finally {
+                Object.defineProperty(response, 'body', { value, configurable: true });
+              }
+              return value;
+            },
+            configurable: true,
+          });
+          break;
+        }
+        case undefined:
+        case 'buffer': {
+          Object.defineProperty(response, 'body', {
+            get() {
+              const value = Buffer.concat(parts);
+              Object.defineProperty(response, 'body', { value, configurable: true });
+              return value;
+            },
+            configurable: true,
+          });
+          break;
+        }
+        default:
+          throw new TypeError('unsupported responseType request option');
+      }
+    }
+
+    return response;
+  })()
+    .catch((err) => {
+      if (response) Object.defineProperty(err, 'response', { value: response });
+      throw err;
+    })
+    .finally(() => {
+      const dpopNonce = response && response.headers['dpop-nonce'];
+      if (dpopNonce && NQCHAR.test(dpopNonce)) {
+        nonces.set(nonceKey, dpopNonce);
+      }
+    });
+};
+
+module.exports.setDefaults = setDefaults.bind(undefined, allowed);

package/dist/node_modules/openid-client/lib/helpers/unix_timestamp.js

@@ -0,0 +1 @@
+module.exports = () => Math.floor(Date.now() / 1000);

package/dist/node_modules/openid-client/lib/helpers/weak_cache.js

@@ -0,0 +1 @@
+module.exports.keystores = new WeakMap();

package/dist/node_modules/openid-client/lib/helpers/webfinger_normalize.js

@@ -0,0 +1,71 @@
+// Credit: https://github.com/rohe/pyoidc/blob/master/src/oic/utils/webfinger.py
+
+// -- Normalization --
+// A string of any other type is interpreted as a URI either the form of scheme
+// "://" authority path-abempty [ "?" query ] [ "#" fragment ] or authority
+// path-abempty [ "?" query ] [ "#" fragment ] per RFC 3986 [RFC3986] and is
+// normalized according to the following rules:
+//
+// If the user input Identifier does not have an RFC 3986 [RFC3986] scheme
+// portion, the string is interpreted as [userinfo "@"] host [":" port]
+// path-abempty [ "?" query ] [ "#" fragment ] per RFC 3986 [RFC3986].
+// If the userinfo component is present and all of the path component, query
+// component, and port component are empty, the acct scheme is assumed. In this
+// case, the normalized URI is formed by prefixing acct: to the string as the
+// scheme. Per the 'acct' URI Scheme [I‑D.ietf‑appsawg‑acct‑uri], if there is an
+// at-sign character ('@') in the userinfo component, it needs to be
+// percent-encoded as described in RFC 3986 [RFC3986].
+// For all other inputs without a scheme portion, the https scheme is assumed,
+// and the normalized URI is formed by prefixing https:// to the string as the
+// scheme.
+// If the resulting URI contains a fragment portion, it MUST be stripped off
+// together with the fragment delimiter character "#".
+// The WebFinger [I‑D.ietf‑appsawg‑webfinger] Resource in this case is the
+// resulting URI, and the WebFinger Host is the authority component.
+//
+// Note: Since the definition of authority in RFC 3986 [RFC3986] is
+// [ userinfo "@" ] host [ ":" port ], it is legal to have a user input
+// identifier like userinfo@host:port, e.g., alice@example.com:8080.
+
+const PORT = /^\d+$/;
+
+function hasScheme(input) {
+  if (input.includes('://')) return true;
+
+  const authority = input.replace(/(\/|\?)/g, '#').split('#')[0];
+  if (authority.includes(':')) {
+    const index = authority.indexOf(':');
+    const hostOrPort = authority.slice(index + 1);
+    if (!PORT.test(hostOrPort)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+function acctSchemeAssumed(input) {
+  if (!input.includes('@')) return false;
+  const parts = input.split('@');
+  const host = parts[parts.length - 1];
+  return !(host.includes(':') || host.includes('/') || host.includes('?'));
+}
+
+function normalize(input) {
+  if (typeof input !== 'string') {
+    throw new TypeError('input must be a string');
+  }
+
+  let output;
+  if (hasScheme(input)) {
+    output = input;
+  } else if (acctSchemeAssumed(input)) {
+    output = `acct:${input}`;
+  } else {
+    output = `https://${input}`;
+  }
+
+  return output.split('#')[0];
+}
+
+module.exports = normalize;

package/dist/node_modules/openid-client/lib/helpers/www_authenticate_parser.js

@@ -0,0 +1,14 @@
+const REGEXP = /(\w+)=("[^"]*")/g;
+
+module.exports = (wwwAuthenticate) => {
+  const params = {};
+  try {
+    while (REGEXP.exec(wwwAuthenticate) !== null) {
+      if (RegExp.$1 && RegExp.$2) {
+        params[RegExp.$1] = RegExp.$2.slice(1, -1);
+      }
+    }
+  } catch (err) {}
+
+  return params;
+};