@tachybase/plugin-auth-oidc 0.23.8

package/dist/node_modules/openid-client/lib/issuer.js

@@ -0,0 +1,192 @@
+const { inspect } = require('util');
+const url = require('url');
+
+const { RPError } = require('./errors');
+const getClient = require('./client');
+const registry = require('./issuer_registry');
+const processResponse = require('./helpers/process_response');
+const webfingerNormalize = require('./helpers/webfinger_normalize');
+const request = require('./helpers/request');
+const clone = require('./helpers/deep_clone');
+const { keystore } = require('./helpers/issuer');
+
+const AAD_MULTITENANT_DISCOVERY = [
+  'https://login.microsoftonline.com/common/.well-known/openid-configuration',
+  'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
+  'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration',
+  'https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration',
+];
+const AAD_MULTITENANT = Symbol();
+const ISSUER_DEFAULTS = {
+  claim_types_supported: ['normal'],
+  claims_parameter_supported: false,
+  grant_types_supported: ['authorization_code', 'implicit'],
+  request_parameter_supported: false,
+  request_uri_parameter_supported: true,
+  require_request_uri_registration: false,
+  response_modes_supported: ['query', 'fragment'],
+  token_endpoint_auth_methods_supported: ['client_secret_basic'],
+};
+
+class Issuer {
+  #metadata;
+  constructor(meta = {}) {
+    const aadIssValidation = meta[AAD_MULTITENANT];
+    delete meta[AAD_MULTITENANT];
+    ['introspection', 'revocation'].forEach((endpoint) => {
+      // if intro/revocation endpoint auth specific meta is missing use the token ones if they
+      // are defined
+      if (
+        meta[`${endpoint}_endpoint`] &&
+        meta[`${endpoint}_endpoint_auth_methods_supported`] === undefined &&
+        meta[`${endpoint}_endpoint_auth_signing_alg_values_supported`] === undefined
+      ) {
+        if (meta.token_endpoint_auth_methods_supported) {
+          meta[`${endpoint}_endpoint_auth_methods_supported`] =
+            meta.token_endpoint_auth_methods_supported;
+        }
+        if (meta.token_endpoint_auth_signing_alg_values_supported) {
+          meta[`${endpoint}_endpoint_auth_signing_alg_values_supported`] =
+            meta.token_endpoint_auth_signing_alg_values_supported;
+        }
+      }
+    });
+
+    this.#metadata = new Map();
+
+    Object.entries(meta).forEach(([key, value]) => {
+      this.#metadata.set(key, value);
+      if (!this[key]) {
+        Object.defineProperty(this, key, {
+          get() {
+            return this.#metadata.get(key);
+          },
+          enumerable: true,
+        });
+      }
+    });
+
+    registry.set(this.issuer, this);
+
+    const Client = getClient(this, aadIssValidation);
+
+    Object.defineProperties(this, {
+      Client: { value: Client, enumerable: true },
+      FAPI1Client: { value: class FAPI1Client extends Client {}, enumerable: true },
+      FAPI2Client: { value: class FAPI2Client extends Client {}, enumerable: true },
+    });
+  }
+
+  get metadata() {
+    return clone(Object.fromEntries(this.#metadata.entries()));
+  }
+
+  static async webfinger(input) {
+    const resource = webfingerNormalize(input);
+    const { host } = url.parse(resource);
+    const webfingerUrl = `https://${host}/.well-known/webfinger`;
+
+    const response = await request.call(this, {
+      method: 'GET',
+      url: webfingerUrl,
+      responseType: 'json',
+      searchParams: { resource, rel: 'http://openid.net/specs/connect/1.0/issuer' },
+      headers: {
+        Accept: 'application/json',
+      },
+    });
+    const body = processResponse(response);
+
+    const location =
+      Array.isArray(body.links) &&
+      body.links.find(
+        (link) =>
+          typeof link === 'object' &&
+          link.rel === 'http://openid.net/specs/connect/1.0/issuer' &&
+          link.href,
+      );
+
+    if (!location) {
+      throw new RPError({
+        message: 'no issuer found in webfinger response',
+        body,
+      });
+    }
+
+    if (typeof location.href !== 'string' || !location.href.startsWith('https://')) {
+      throw new RPError({
+        printf: ['invalid issuer location %s', location.href],
+        body,
+      });
+    }
+
+    const expectedIssuer = location.href;
+    if (registry.has(expectedIssuer)) {
+      return registry.get(expectedIssuer);
+    }
+
+    const issuer = await this.discover(expectedIssuer);
+
+    if (issuer.issuer !== expectedIssuer) {
+      registry.del(issuer.issuer);
+      throw new RPError(
+        'discovered issuer mismatch, expected %s, got: %s',
+        expectedIssuer,
+        issuer.issuer,
+      );
+    }
+    return issuer;
+  }
+
+  static async discover(uri) {
+    const wellKnownUri = resolveWellKnownUri(uri);
+
+    const response = await request.call(this, {
+      method: 'GET',
+      responseType: 'json',
+      url: wellKnownUri,
+      headers: {
+        Accept: 'application/json',
+      },
+    });
+    const body = processResponse(response);
+    return new Issuer({
+      ...ISSUER_DEFAULTS,
+      ...body,
+      [AAD_MULTITENANT]: !!AAD_MULTITENANT_DISCOVERY.find((discoveryURL) =>
+        wellKnownUri.startsWith(discoveryURL),
+      ),
+    });
+  }
+
+  async reloadJwksUri() {
+    await keystore.call(this, true);
+  }
+
+  /* istanbul ignore next */
+  [inspect.custom]() {
+    return `${this.constructor.name} ${inspect(this.metadata, {
+      depth: Infinity,
+      colors: process.stdout.isTTY,
+      compact: false,
+      sorted: true,
+    })}`;
+  }
+}
+
+function resolveWellKnownUri(uri) {
+  const parsed = url.parse(uri);
+  if (parsed.pathname.includes('/.well-known/')) {
+    return uri;
+  } else {
+    let pathname;
+    if (parsed.pathname.endsWith('/')) {
+      pathname = `${parsed.pathname}.well-known/openid-configuration`;
+    } else {
+      pathname = `${parsed.pathname}/.well-known/openid-configuration`;
+    }
+    return url.format({ ...parsed, pathname });
+  }
+}
+
+module.exports = Issuer;

package/dist/node_modules/openid-client/lib/issuer_registry.js

@@ -0,0 +1,3 @@
+const LRU = require('lru-cache');
+
+module.exports = new LRU({ max: 100 });

package/dist/node_modules/openid-client/lib/passport_strategy.js

@@ -0,0 +1,205 @@
+const url = require('url');
+const { format } = require('util');
+
+const cloneDeep = require('./helpers/deep_clone');
+const { RPError, OPError } = require('./errors');
+const { BaseClient } = require('./client');
+const { random, codeChallenge } = require('./helpers/generators');
+const pick = require('./helpers/pick');
+const { resolveResponseType, resolveRedirectUri } = require('./helpers/client');
+
+function verified(err, user, info = {}) {
+  if (err) {
+    this.error(err);
+  } else if (!user) {
+    this.fail(info);
+  } else {
+    this.success(user, info);
+  }
+}
+
+function OpenIDConnectStrategy(
+  { client, params = {}, passReqToCallback = false, sessionKey, usePKCE = true, extras = {} } = {},
+  verify,
+) {
+  if (!(client instanceof BaseClient)) {
+    throw new TypeError('client must be an instance of openid-client Client');
+  }
+
+  if (typeof verify !== 'function') {
+    throw new TypeError('verify callback must be a function');
+  }
+
+  if (!client.issuer || !client.issuer.issuer) {
+    throw new TypeError('client must have an issuer with an identifier');
+  }
+
+  this._client = client;
+  this._issuer = client.issuer;
+  this._verify = verify;
+  this._passReqToCallback = passReqToCallback;
+  this._usePKCE = usePKCE;
+  this._key = sessionKey || `oidc:${url.parse(this._issuer.issuer).hostname}`;
+  this._params = cloneDeep(params);
+
+  // state and nonce are handled in authenticate()
+  delete this._params.state;
+  delete this._params.nonce;
+
+  this._extras = cloneDeep(extras);
+
+  if (!this._params.response_type) this._params.response_type = resolveResponseType.call(client);
+  if (!this._params.redirect_uri) this._params.redirect_uri = resolveRedirectUri.call(client);
+  if (!this._params.scope) this._params.scope = 'openid';
+
+  if (this._usePKCE === true) {
+    const supportedMethods = Array.isArray(this._issuer.code_challenge_methods_supported)
+      ? this._issuer.code_challenge_methods_supported
+      : false;
+
+    if (supportedMethods && supportedMethods.includes('S256')) {
+      this._usePKCE = 'S256';
+    } else if (supportedMethods && supportedMethods.includes('plain')) {
+      this._usePKCE = 'plain';
+    } else if (supportedMethods) {
+      throw new TypeError(
+        'neither code_challenge_method supported by the client is supported by the issuer',
+      );
+    } else {
+      this._usePKCE = 'S256';
+    }
+  } else if (typeof this._usePKCE === 'string' && !['plain', 'S256'].includes(this._usePKCE)) {
+    throw new TypeError(`${this._usePKCE} is not valid/implemented PKCE code_challenge_method`);
+  }
+
+  this.name = url.parse(client.issuer.issuer).hostname;
+}
+
+OpenIDConnectStrategy.prototype.authenticate = function authenticate(req, options) {
+  (async () => {
+    const client = this._client;
+    if (!req.session) {
+      throw new TypeError('authentication requires session support');
+    }
+    const reqParams = client.callbackParams(req);
+    const sessionKey = this._key;
+
+    const { 0: parameter, length } = Object.keys(reqParams);
+
+    /**
+     * Start authentication request if this has no authorization response parameters or
+     * this might a login initiated from a third party as per
+     * https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin.
+     */
+    if (length === 0 || (length === 1 && parameter === 'iss')) {
+      // provide options object with extra authentication parameters
+      const params = {
+        state: random(),
+        ...this._params,
+        ...options,
+      };
+
+      if (!params.nonce && params.response_type.includes('id_token')) {
+        params.nonce = random();
+      }
+
+      req.session[sessionKey] = pick(params, 'nonce', 'state', 'max_age', 'response_type');
+
+      if (this._usePKCE && params.response_type.includes('code')) {
+        const verifier = random();
+        req.session[sessionKey].code_verifier = verifier;
+
+        switch (this._usePKCE) {
+          case 'S256':
+            params.code_challenge = codeChallenge(verifier);
+            params.code_challenge_method = 'S256';
+            break;
+          case 'plain':
+            params.code_challenge = verifier;
+            break;
+        }
+      }
+
+      this.redirect(client.authorizationUrl(params));
+      return;
+    }
+    /* end authentication request */
+
+    /* start authentication response */
+
+    const session = req.session[sessionKey];
+    if (Object.keys(session || {}).length === 0) {
+      throw new Error(
+        format(
+          'did not find expected authorization request details in session, req.session["%s"] is %j',
+          sessionKey,
+          session,
+        ),
+      );
+    }
+
+    const {
+      state,
+      nonce,
+      max_age: maxAge,
+      code_verifier: codeVerifier,
+      response_type: responseType,
+    } = session;
+
+    try {
+      delete req.session[sessionKey];
+    } catch (err) {}
+
+    const opts = {
+      redirect_uri: this._params.redirect_uri,
+      ...options,
+    };
+
+    const checks = {
+      state,
+      nonce,
+      max_age: maxAge,
+      code_verifier: codeVerifier,
+      response_type: responseType,
+    };
+
+    const tokenset = await client.callback(opts.redirect_uri, reqParams, checks, this._extras);
+
+    const passReq = this._passReqToCallback;
+    const loadUserinfo = this._verify.length > (passReq ? 3 : 2) && client.issuer.userinfo_endpoint;
+
+    const args = [tokenset, verified.bind(this)];
+
+    if (loadUserinfo) {
+      if (!tokenset.access_token) {
+        throw new RPError({
+          message:
+            'expected access_token to be returned when asking for userinfo in verify callback',
+          tokenset,
+        });
+      }
+      const userinfo = await client.userinfo(tokenset);
+      args.splice(1, 0, userinfo);
+    }
+
+    if (passReq) {
+      args.unshift(req);
+    }
+
+    this._verify(...args);
+    /* end authentication response */
+  })().catch((error) => {
+    if (
+      (error instanceof OPError &&
+        error.error !== 'server_error' &&
+        !error.error.startsWith('invalid')) ||
+      error instanceof RPError
+    ) {
+      this.fail(error);
+    } else {
+      this.error(error);
+    }
+  });
+};
+
+module.exports = OpenIDConnectStrategy;

package/dist/node_modules/openid-client/lib/token_set.js

@@ -0,0 +1,35 @@
+const base64url = require('./helpers/base64url');
+const now = require('./helpers/unix_timestamp');
+
+class TokenSet {
+  constructor(values) {
+    Object.assign(this, values);
+    const { constructor, ...properties } = Object.getOwnPropertyDescriptors(
+      this.constructor.prototype,
+    );
+
+    Object.defineProperties(this, properties);
+  }
+
+  set expires_in(value) {
+    this.expires_at = now() + Number(value);
+  }
+
+  get expires_in() {
+    return Math.max.apply(null, [this.expires_at - now(), 0]);
+  }
+
+  expired() {
+    return this.expires_in === 0;
+  }
+
+  claims() {
+    if (!this.id_token) {
+      throw new TypeError('id_token not present in TokenSet');
+    }
+
+    return JSON.parse(base64url.decode(this.id_token.split('.')[1]));
+  }
+}
+
+module.exports = TokenSet;

package/dist/node_modules/openid-client/package.json

@@ -0,0 +1 @@
+{"name":"openid-client","version":"5.7.1","description":"OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs","keywords":["auth","authentication","basic","certified","client","connect","dynamic","electron","hybrid","identity","implicit","oauth","oauth2","oidc","openid","passport","relying party","strategy"],"homepage":"https://github.com/panva/openid-client","repository":"panva/openid-client","funding":{"url":"https://github.com/sponsors/panva"},"license":"MIT","author":"Filip Skokan <panva.ip@gmail.com>","exports":{"types":"./types/index.d.ts","import":"./lib/index.mjs","require":"./lib/index.js"},"main":"./lib/index.js","types":"./types/index.d.ts","files":["lib","types/index.d.ts"],"scripts":{"format":"npx prettier --loglevel silent --write ./lib ./test ./certification ./types","test":"mocha test/**/*.test.js"},"dependencies":{"jose":"^4.15.9","lru-cache":"^6.0.0","object-hash":"^2.2.0","oidc-token-hash":"^5.0.3"},"devDependencies":{"@types/node":"^16.18.106","@types/passport":"^1.0.16","base64url":"^3.0.1","chai":"^4.5.0","mocha":"^10.7.3","nock":"^13.5.5","prettier":"^2.8.8","readable-mock-req":"^0.2.2","sinon":"^9.2.4","timekeeper":"^2.3.1"},"standard-version":{"scripts":{"postchangelog":"sed -i '' -e 's/### \\[/## [/g' CHANGELOG.md"},"types":[{"type":"feat","section":"Features"},{"type":"fix","section":"Fixes"},{"type":"chore","hidden":true},{"type":"docs","hidden":true},{"type":"style","hidden":true},{"type":"refactor","section":"Refactor","hidden":false},{"type":"perf","section":"Performance","hidden":false},{"type":"test","hidden":true}]},"_lastModified":"2024-12-22T16:05:42.361Z"}