npm - @takaro/auth - Versions diffs - 0.0.1 - Mend

@takaro/auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/README.md +1 -0
package/dist/config.d.ts +67 -0
package/dist/config.js +53 -0
package/dist/config.js.map +1 -0
package/dist/lib/ory.d.ts +43 -0
package/dist/lib/ory.js +240 -0
package/dist/lib/ory.js.map +1 -0
package/dist/lib/oryAxiosClient.d.ts +1 -0
package/dist/lib/oryAxiosClient.js +50 -0
package/dist/lib/oryAxiosClient.js.map +1 -0
package/dist/lib/paginationHelpers.d.ts +2 -0
package/dist/lib/paginationHelpers.js +38 -0
package/dist/lib/paginationHelpers.js.map +1 -0
package/dist/lib/permissions.d.ts +27 -0
package/dist/lib/permissions.js +120 -0
package/dist/lib/permissions.js.map +1 -0
package/dist/main.d.ts +3 -0
package/dist/main.js +4 -0
package/dist/main.js.map +1 -0
package/package.json +25 -0
package/src/config.ts +70 -0
package/src/lib/__tests__/ory.integration.test.ts +26 -0
package/src/lib/ory.ts +277 -0
package/src/lib/oryAxiosClient.ts +68 -0
package/src/lib/paginationHelpers.ts +46 -0
package/src/lib/permissions.ts +125 -0
package/src/main.ts +4 -0
package/tsconfig.build.json +9 -0
package/tsconfig.json +8 -0
package/typedoc.json +3 -0

package/dist/lib/permissions.js ADDED Viewed

@@ -0,0 +1,120 @@
+export var PERMISSIONS;
+(function (PERMISSIONS) {
+    PERMISSIONS["ROOT"] = "ROOT";
+    PERMISSIONS["MANAGE_USERS"] = "MANAGE_USERS";
+    PERMISSIONS["READ_USERS"] = "READ_USERS";
+    PERMISSIONS["MANAGE_ROLES"] = "MANAGE_ROLES";
+    PERMISSIONS["READ_ROLES"] = "READ_ROLES";
+    PERMISSIONS["MANAGE_GAMESERVERS"] = "MANAGE_GAMESERVERS";
+    PERMISSIONS["READ_GAMESERVERS"] = "READ_GAMESERVERS";
+    PERMISSIONS["READ_MODULES"] = "READ_MODULES";
+    PERMISSIONS["MANAGE_MODULES"] = "MANAGE_MODULES";
+    PERMISSIONS["READ_PLAYERS"] = "READ_PLAYERS";
+    PERMISSIONS["MANAGE_PLAYERS"] = "MANAGE_PLAYERS";
+    PERMISSIONS["MANAGE_SETTINGS"] = "MANAGE_SETTINGS";
+    PERMISSIONS["READ_SETTINGS"] = "READ_SETTINGS";
+    PERMISSIONS["READ_VARIABLES"] = "READ_VARIABLES";
+    PERMISSIONS["MANAGE_VARIABLES"] = "MANAGE_VARIABLES";
+    PERMISSIONS["READ_EVENTS"] = "READ_EVENTS";
+    PERMISSIONS["MANAGE_EVENTS"] = "MANAGE_EVENTS";
+    PERMISSIONS["READ_ITEMS"] = "READ_ITEMS";
+    PERMISSIONS["MANAGE_ITEMS"] = "MANAGE_ITEMS";
+})(PERMISSIONS || (PERMISSIONS = {}));
+export const PERMISSION_DETAILS = {
+    [PERMISSIONS.ROOT]: {
+        permission: PERMISSIONS.ROOT,
+        friendlyName: 'Root Access',
+        description: 'Full access to all systems and resources',
+    },
+    [PERMISSIONS.MANAGE_USERS]: {
+        permission: PERMISSIONS.MANAGE_USERS,
+        friendlyName: 'Manage Users',
+        description: 'Can create, update, and delete users',
+    },
+    [PERMISSIONS.READ_USERS]: {
+        permission: PERMISSIONS.READ_USERS,
+        friendlyName: 'Read Users',
+        description: 'Can view user details',
+    },
+    [PERMISSIONS.MANAGE_ROLES]: {
+        permission: PERMISSIONS.MANAGE_ROLES,
+        friendlyName: 'Manage Roles',
+        description: 'Can create, update, and delete roles',
+    },
+    [PERMISSIONS.READ_ROLES]: {
+        permission: PERMISSIONS.READ_ROLES,
+        friendlyName: 'Read Roles',
+        description: 'Can view role details',
+    },
+    [PERMISSIONS.MANAGE_GAMESERVERS]: {
+        permission: PERMISSIONS.MANAGE_GAMESERVERS,
+        friendlyName: 'Manage Game Servers',
+        description: 'Can create, update, and delete game servers',
+    },
+    [PERMISSIONS.READ_GAMESERVERS]: {
+        permission: PERMISSIONS.READ_GAMESERVERS,
+        friendlyName: 'Read Game Servers',
+        description: 'Can view game server details',
+    },
+    [PERMISSIONS.READ_MODULES]: {
+        permission: PERMISSIONS.READ_MODULES,
+        friendlyName: 'Read Modules',
+        description: 'Can view module details',
+    },
+    [PERMISSIONS.MANAGE_MODULES]: {
+        permission: PERMISSIONS.MANAGE_MODULES,
+        friendlyName: 'Manage Modules',
+        description: 'Can create, update, and delete modules',
+    },
+    [PERMISSIONS.READ_PLAYERS]: {
+        permission: PERMISSIONS.READ_PLAYERS,
+        friendlyName: 'Read Players',
+        description: 'Can view player details',
+    },
+    [PERMISSIONS.MANAGE_PLAYERS]: {
+        permission: PERMISSIONS.MANAGE_PLAYERS,
+        friendlyName: 'Manage Players',
+        description: 'Can create, update, and delete players',
+    },
+    [PERMISSIONS.MANAGE_SETTINGS]: {
+        permission: PERMISSIONS.MANAGE_SETTINGS,
+        friendlyName: 'Manage Settings',
+        description: 'Can modify settings',
+    },
+    [PERMISSIONS.READ_SETTINGS]: {
+        permission: PERMISSIONS.READ_SETTINGS,
+        friendlyName: 'Read Settings',
+        description: 'Can view settings',
+    },
+    [PERMISSIONS.READ_VARIABLES]: {
+        permission: PERMISSIONS.READ_VARIABLES,
+        friendlyName: 'Read Variables',
+        description: 'Can view variables',
+    },
+    [PERMISSIONS.MANAGE_VARIABLES]: {
+        permission: PERMISSIONS.MANAGE_VARIABLES,
+        friendlyName: 'Manage Variables',
+        description: 'Can create, update, and delete variables',
+    },
+    [PERMISSIONS.READ_EVENTS]: {
+        permission: PERMISSIONS.READ_EVENTS,
+        friendlyName: 'Read Events',
+        description: 'Can view event details',
+    },
+    [PERMISSIONS.MANAGE_EVENTS]: {
+        permission: PERMISSIONS.MANAGE_EVENTS,
+        friendlyName: 'Manage Events',
+        description: 'Can create, update, and delete events',
+    },
+    [PERMISSIONS.READ_ITEMS]: {
+        permission: PERMISSIONS.READ_ITEMS,
+        friendlyName: 'Read Items',
+        description: 'Can view item details',
+    },
+    [PERMISSIONS.MANAGE_ITEMS]: {
+        permission: PERMISSIONS.MANAGE_ITEMS,
+        friendlyName: 'Manage Items',
+        description: 'Can create, update, and delete items',
+    },
+};
+//# sourceMappingURL=permissions.js.map

package/dist/lib/permissions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/lib/permissions.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,WAoBX;AApBD,WAAY,WAAW;IACrB,4BAAe,CAAA;IACf,4CAA+B,CAAA;IAC/B,wCAA2B,CAAA;IAC3B,4CAA+B,CAAA;IAC/B,wCAA2B,CAAA;IAC3B,wDAA2C,CAAA;IAC3C,oDAAuC,CAAA;IACvC,4CAA+B,CAAA;IAC/B,gDAAmC,CAAA;IACnC,4CAA+B,CAAA;IAC/B,gDAAmC,CAAA;IACnC,kDAAqC,CAAA;IACrC,8CAAiC,CAAA;IACjC,gDAAmC,CAAA;IACnC,oDAAuC,CAAA;IACvC,0CAA6B,CAAA;IAC7B,8CAAiC,CAAA;IACjC,wCAA2B,CAAA;IAC3B,4CAA+B,CAAA;AACjC,CAAC,EApBW,WAAW,KAAX,WAAW,QAoBtB;AAQD,MAAM,CAAC,MAAM,kBAAkB,GAA4C;IACzE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE;QAClB,UAAU,EAAE,WAAW,CAAC,IAAI;QAC5B,YAAY,EAAE,aAAa;QAC3B,WAAW,EAAE,0CAA0C;KACxD;IACD,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE;QAC1B,UAAU,EAAE,WAAW,CAAC,YAAY;QACpC,YAAY,EAAE,cAAc;QAC5B,WAAW,EAAE,sCAAsC;KACpD;IACD,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE;QACxB,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,YAAY,EAAE,YAAY;QAC1B,WAAW,EAAE,uBAAuB;KACrC;IACD,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE;QAC1B,UAAU,EAAE,WAAW,CAAC,YAAY;QACpC,YAAY,EAAE,cAAc;QAC5B,WAAW,EAAE,sCAAsC;KACpD;IACD,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE;QACxB,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,YAAY,EAAE,YAAY;QAC1B,WAAW,EAAE,uBAAuB;KACrC;IACD,CAAC,WAAW,CAAC,kBAAkB,CAAC,EAAE;QAChC,UAAU,EAAE,WAAW,CAAC,kBAAkB;QAC1C,YAAY,EAAE,qBAAqB;QACnC,WAAW,EAAE,6CAA6C;KAC3D;IACD,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE;QAC9B,UAAU,EAAE,WAAW,CAAC,gBAAgB;QACxC,YAAY,EAAE,mBAAmB;QACjC,WAAW,EAAE,8BAA8B;KAC5C;IACD,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE;QAC1B,UAAU,EAAE,WAAW,CAAC,YAAY;QACpC,YAAY,EAAE,cAAc;QAC5B,WAAW,EAAE,yBAAyB;KACvC;IACD,CAAC,WAAW,CAAC,cAAc,CAAC,EAAE;QAC5B,UAAU,EAAE,WAAW,CAAC,cAAc;QACtC,YAAY,EAAE,gBAAgB;QAC9B,WAAW,EAAE,wCAAwC;KACtD;IACD,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE;QAC1B,UAAU,EAAE,WAAW,CAAC,YAAY;QACpC,YAAY,EAAE,cAAc;QAC5B,WAAW,EAAE,yBAAyB;KACvC;IACD,CAAC,WAAW,CAAC,cAAc,CAAC,EAAE;QAC5B,UAAU,EAAE,WAAW,CAAC,cAAc;QACtC,YAAY,EAAE,gBAAgB;QAC9B,WAAW,EAAE,wCAAwC;KACtD;IACD,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE;QAC7B,UAAU,EAAE,WAAW,CAAC,eAAe;QACvC,YAAY,EAAE,iBAAiB;QAC/B,WAAW,EAAE,qBAAqB;KACnC;IACD,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE;QAC3B,UAAU,EAAE,WAAW,CAAC,aAAa;QACrC,YAAY,EAAE,eAAe;QAC7B,WAAW,EAAE,mBAAmB;KACjC;IACD,CAAC,WAAW,CAAC,cAAc,CAAC,EAAE;QAC5B,UAAU,EAAE,WAAW,CAAC,cAAc;QACtC,YAAY,EAAE,gBAAgB;QAC9B,WAAW,EAAE,oBAAoB;KAClC;IACD,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE;QAC9B,UAAU,EAAE,WAAW,CAAC,gBAAgB;QACxC,YAAY,EAAE,kBAAkB;QAChC,WAAW,EAAE,0CAA0C;KACxD;IACD,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE;QACzB,UAAU,EAAE,WAAW,CAAC,WAAW;QACnC,YAAY,EAAE,aAAa;QAC3B,WAAW,EAAE,wBAAwB;KACtC;IACD,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE;QAC3B,UAAU,EAAE,WAAW,CAAC,aAAa;QACrC,YAAY,EAAE,eAAe;QAC7B,WAAW,EAAE,uCAAuC;KACrD;IACD,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE;QACxB,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,YAAY,EAAE,YAAY;QAC1B,WAAW,EAAE,uBAAuB;KACrC;IACD,CAAC,WAAW,CAAC,YAAY,CAAC,EAAE;QAC1B,UAAU,EAAE,WAAW,CAAC,YAAY;QACpC,YAAY,EAAE,cAAc;QAC5B,WAAW,EAAE,sCAAsC;KACpD;CACF,CAAC"}

package/dist/main.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export { IAuthConfig, configSchema as authConfigSchema } from './config.js';
+export { ory, AUDIENCES } from './lib/ory.js';
+export * from './lib/permissions.js';

package/dist/main.js ADDED Viewed

@@ -0,0 +1,4 @@
+export { configSchema as authConfigSchema } from './config.js';
+export { ory, AUDIENCES } from './lib/ory.js';
+export * from './lib/permissions.js';
+//# sourceMappingURL=main.js.map

package/dist/main.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"main.js","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,YAAY,IAAI,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE5E,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,cAAc,sBAAsB,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,25 @@
+{
+  "name": "@takaro/auth",
+  "version": "0.0.1",
+  "description": "An opinionated auth handler",
+  "main": "dist/main.js",
+  "types": "dist/main.d.ts",
+  "type": "module",
+  "scripts": {
+    "start:dev": "tsc --watch --preserveWatchOutput -p ./tsconfig.build.json",
+    "build": "tsc -p ./tsconfig.build.json",
+    "test": "npm run test:unit --if-present && npm run test:integration --if-present",
+    "test:unit": "echo 'No tests (yet :))'",
+    "test:integration": "mocha --config ../../.mocharc.js src/**/*.integration.test.ts"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "convict": "^6.2.3"
+  },
+  "devDependencies": {
+    "@takaro/test": "0.0.1",
+    "@types/convict": "^6.1.1"
+  }
+}

package/src/config.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import { Config, IBaseConfig } from '@takaro/config';
+export interface IAuthConfig extends IBaseConfig {
+  kratos: {
+    publicUrl: string;
+    adminUrl: string;
+  };
+  hydra: {
+    publicUrl: string;
+    adminUrl: string;
+    adminClientId: string;
+    adminClientSecret: string;
+  };
+  takaro: {
+    url: string;
+  };
+}
+export const configSchema = {
+  kratos: {
+    publicUrl: {
+      doc: 'The URL of the Kratos public API',
+      format: String,
+      default: 'http://kratos:4433',
+      env: 'KRATOS_URL',
+    },
+    adminUrl: {
+      doc: 'The URL of the Kratos admin API',
+      format: String,
+      default: 'http://kratos:4434',
+      env: 'KRATOS_ADMIN_URL',
+    },
+  },
+  hydra: {
+    publicUrl: {
+      doc: 'The URL of the Takaro OAuth server',
+      format: String,
+      default: 'http://hydra:4444',
+      env: 'TAKARO_OAUTH_HOST',
+    },
+    adminUrl: {
+      doc: 'The URL of the Takaro OAuth admin server',
+      format: String,
+      default: 'http://hydra:4445',
+      env: 'TAKARO_OAUTH_ADMIN_HOST',
+    },
+    adminClientId: {
+      doc: 'The client ID to use when authenticating with the Takaro server',
+      format: String,
+      default: null,
+      env: 'ADMIN_CLIENT_ID',
+    },
+    adminClientSecret: {
+      doc: 'The client secret to use when authenticating with the Takaro server',
+      format: String,
+      default: null,
+      env: 'ADMIN_CLIENT_SECRET',
+    },
+  },
+  takaro: {
+    url: {
+      doc: 'The URL of the Takaro server',
+      format: String,
+      default: 'http://localhost:3000',
+      env: 'TAKARO_HOST',
+    },
+  },
+};
+export const config = new Config<IAuthConfig>([configSchema]);

package/src/lib/__tests__/ory.integration.test.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { ory } from '../ory.js';
+import { faker } from '@faker-js/faker';
+import { expect } from '@takaro/test';
+describe('Ory', () => {
+  it('Create and delete identities', async () => {
+    // First, create a bunch of identities
+    const totalIdentities = 150;
+    const identities = await Promise.all(
+      Array.from({ length: totalIdentities }).map(() =>
+        ory.createIdentity(faker.internet.email(), 'password', 'domainId')
+      )
+    );
+    // Fetch the first one by ID
+    const firstIdentity = await ory.getIdentity(identities[0].id);
+    expect(firstIdentity.email).to.be.eq(identities[0].email);
+    // Delete them all
+    await ory.deleteIdentitiesForDomain('domainId');
+    // Make sure they're gone
+    expect(ory.getIdentity(identities[0].id)).to.eventually.be.rejectedWith('Not Found');
+  });
+});

package/src/lib/ory.ts ADDED Viewed

@@ -0,0 +1,277 @@
+import { Configuration, CreateIdentityBody, FrontendApi, IdentityApi, OAuth2Api } from '@ory/client';
+import { config } from '../config.js';
+import { errors, logger, TakaroDTO } from '@takaro/util';
+import { createAxiosClient } from './oryAxiosClient.js';
+import { paginateIdentities } from './paginationHelpers.js';
+import { Request } from 'express';
+import { IsBoolean, IsNumber, IsString } from 'class-validator';
+enum IDENTITY_SCHEMA {
+  USER = 'user_v0',
+}
+export enum AUDIENCES {
+  // Used for various sysadmin tasks in the Takaro API
+  TAKARO_API_ADMIN = 't:api:admin',
+}
+export interface ITakaroIdentity {
+  id: string;
+  email: string;
+  domainId: string;
+}
+export class TakaroTokenDTO extends TakaroDTO<TakaroTokenDTO> {
+  @IsBoolean()
+  active: boolean;
+  @IsString()
+  clientId: string;
+  @IsNumber()
+  exp: number;
+  @IsNumber()
+  iat: number;
+  @IsString()
+  iss: string;
+  @IsString()
+  sub: string;
+  @IsString({ each: true })
+  aud: string[];
+}
+function metadataTypeguard(metadata: unknown): metadata is { domainId: string } {
+  return typeof metadata === 'object' && metadata !== null && 'domainId' in metadata;
+}
+class Ory {
+  private authToken: string | null = null;
+  private log = logger('ory');
+  private adminClient: OAuth2Api;
+  private identityClient: IdentityApi;
+  private frontendClient: FrontendApi;
+  constructor() {
+    this.identityClient = new IdentityApi(
+      new Configuration({
+        basePath: config.get('kratos.adminUrl'),
+      }),
+      undefined,
+      createAxiosClient(config.get('kratos.adminUrl'))
+    );
+    this.frontendClient = new FrontendApi(
+      new Configuration({
+        basePath: config.get('kratos.publicUrl'),
+      }),
+      undefined,
+      createAxiosClient(config.get('kratos.publicUrl'))
+    );
+    this.adminClient = new OAuth2Api(
+      new Configuration({
+        basePath: config.get('hydra.adminUrl'),
+      }),
+      undefined,
+      createAxiosClient(config.get('hydra.adminUrl'))
+    );
+  }
+  get OAuth2URL() {
+    return config.get('hydra.publicUrl');
+  }
+  async deleteIdentitiesForDomain(domainId: string) {
+    for await (const identities of paginateIdentities(this.identityClient)) {
+      for (const identity of identities) {
+        if (
+          identity.metadata_public &&
+          metadataTypeguard(identity.metadata_public) &&
+          identity.metadata_public.domainId === domainId
+        ) {
+          await this.deleteIdentity(identity.id);
+        }
+      }
+    }
+  }
+  async getIdentity(id: string): Promise<ITakaroIdentity> {
+    const res = await this.identityClient.getIdentity({
+      id,
+    });
+    if (!res.data.metadata_public) {
+      this.log.warn('Identity has no metadata_public', {
+        identity: res.data.id,
+      });
+      throw new errors.ForbiddenError();
+    }
+    if (!metadataTypeguard(res.data.metadata_public)) {
+      this.log.warn('Identity metadata_public is not of type {domainId: string}', { identity: res.data.id });
+      throw new errors.ForbiddenError();
+    }
+    return {
+      id: res.data.id,
+      email: res.data.traits.email,
+      domainId: res.data.metadata_public.domainId,
+    };
+  }
+  async createIdentity(email: string, domainId: string, password?: string): Promise<ITakaroIdentity> {
+    const body: CreateIdentityBody = {
+      schema_id: IDENTITY_SCHEMA.USER,
+      traits: {
+        email,
+      },
+      metadata_public: {
+        domainId,
+      },
+    };
+    if (password) {
+      body.credentials = {
+        password: {
+          config: {
+            password,
+          },
+        },
+      };
+    }
+    const res = await this.identityClient.createIdentity({
+      createIdentityBody: body,
+    });
+    return {
+      id: res.data.id,
+      email: res.data.traits.email,
+      domainId,
+    };
+  }
+  async deleteIdentity(id: string): Promise<void> {
+    await this.identityClient.deleteIdentity({
+      id,
+    });
+  }
+  async getIdentityFromReq(req: Request): Promise<ITakaroIdentity> {
+    const tokenFromAuthHeader = req.headers['authorization']?.replace('Bearer ', '');
+    const sessionRes = await this.frontendClient.toSession({
+      cookie: req.headers.cookie,
+      xSessionToken: tokenFromAuthHeader,
+    });
+    if (!sessionRes.data.identity!.metadata_public) {
+      this.log.warn('Identity has no metadata_public', {
+        identity: sessionRes.data.identity!.id,
+      });
+      throw new errors.ForbiddenError();
+    }
+    if (!metadataTypeguard(sessionRes.data.identity!.metadata_public)) {
+      this.log.warn('Identity metadata_public is not of type {domainId: string}', {
+        identity: sessionRes.data.identity!.id,
+      });
+      throw new errors.ForbiddenError();
+    }
+    return {
+      id: sessionRes.data.identity!.id,
+      email: sessionRes.data.identity!.traits.email,
+      domainId: sessionRes.data.identity!.metadata_public.domainId,
+    };
+  }
+  async submitApiLogin(username: string, password: string) {
+    const flow = await this.frontendClient.createNativeLoginFlow({
+      refresh: true,
+    });
+    return this.frontendClient.updateLoginFlow({
+      flow: flow.data.id,
+      updateLoginFlowBody: {
+        password,
+        identifier: username,
+        method: 'password',
+      },
+    });
+  }
+  async apiLogout(req: Request) {
+    const tokenFromAuthHeader = req.headers['authorization']?.replace('Bearer ', '');
+    if (!tokenFromAuthHeader) return true;
+    return this.frontendClient.performNativeLogout({
+      performNativeLogoutBody: {
+        session_token: tokenFromAuthHeader,
+      },
+    });
+  }
+  async introspectToken(token: string): Promise<TakaroTokenDTO> {
+    const introspectRes = await this.adminClient.introspectOAuth2Token({
+      token,
+    });
+    const data = new TakaroTokenDTO({
+      active: introspectRes.data.active,
+      clientId: introspectRes.data.client_id,
+      aud: introspectRes.data.aud,
+      exp: introspectRes.data.exp,
+      iat: introspectRes.data.iat,
+      iss: introspectRes.data.iss,
+      sub: introspectRes.data.sub,
+    });
+    try {
+      // Check for correctness of the data
+      // DOES NOT CHECK FOR EXPIRATION
+      await data.validate();
+    } catch (error) {
+      this.log.warn('Introspected token has invalid shape', { error });
+      throw new errors.ForbiddenError();
+    }
+    return data;
+  }
+  // Currently, this is only used for creating the admin-auth client.
+  // ...In the future we should make this more generic and allow for
+  // creating any API client perhaps?
+  async createOIDCClient(): Promise<{
+    clientId: string;
+    clientSecret: string;
+  }> {
+    const client = await this.adminClient.createOAuth2Client({
+      oAuth2Client: {
+        grant_types: ['client_credentials'],
+        audience: [AUDIENCES.TAKARO_API_ADMIN],
+      },
+    });
+    if (!client.data.client_id || !client.data.client_secret) {
+      this.log.error('Could not create OIDC client', { client });
+      throw new errors.InternalServerError();
+    }
+    return {
+      clientId: client.data.client_id,
+      clientSecret: client.data.client_secret,
+    };
+  }
+  async getRecoveryFlow(id: string) {
+    const recoveryRes = await this.identityClient.createRecoveryLinkForIdentity({
+      createRecoveryLinkForIdentityBody: {
+        identity_id: id,
+        expires_in: '24h',
+      },
+    });
+    return recoveryRes.data;
+  }
+}
+export const ory = new Ory();

package/src/lib/oryAxiosClient.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import axios, { AxiosError } from 'axios';
+import { addCounterToAxios, errors, logger } from '@takaro/util';
+const log = logger('ory:http');
+export function createAxiosClient(baseURL: string) {
+  const client = axios.create({
+    baseURL,
+    headers: {
+      'Content-Type': 'application/json',
+      'User-Agent': 'Takaro-Agent',
+    },
+  });
+  addCounterToAxios(client, {
+    name: 'ory_api_requests_total',
+    help: 'Total number of requests to the Ory API',
+  });
+  client.interceptors.request.use((request) => {
+    log.silly(`➡️ ${request.method?.toUpperCase()} ${request.url}`, {
+      method: request.method,
+      url: request.url,
+    });
+    return request;
+  });
+  client.interceptors.response.use(
+    (response) => {
+      log.silly(
+        `⬅️ ${response.request.method?.toUpperCase()} ${response.request.path} ${response.status} ${
+          response.statusText
+        }`,
+        {
+          status: response.status,
+          method: response.request.method,
+          url: response.request.url,
+        }
+      );
+      return response;
+    },
+    (error: AxiosError) => {
+      let details = {};
+      if (error.response?.data) {
+        const data = error.response.data as Record<string, unknown>;
+        details = JSON.stringify(data.error_description);
+      }
+      log.error(`☠️ Request errored: [${error.response?.status}] ${details}`, {
+        status: error.response?.status,
+        statusText: error.response?.statusText,
+        method: error.config?.method,
+        url: error.config?.url,
+        response: error.response?.data,
+      });
+      if (error.response?.status === 409) {
+        return Promise.reject(new errors.ConflictError('User with this identifier already exists'));
+      }
+      return Promise.reject(error);
+    }
+  );
+  return client;
+}

package/src/lib/paginationHelpers.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { IdentityApi } from '@ory/client';
+import { parse, URLSearchParams } from 'url';
+export async function* paginateIdentities(adminClient: IdentityApi, page = undefined, perPage = 100) {
+  let nextPage: number | undefined = page;
+  while (true) {
+    const response = await adminClient.listIdentities({
+      page: nextPage,
+      perPage,
+    });
+    if (response.data.length === 0) {
+      // Stop the iteration if there are no more items
+      break;
+    }
+    yield response.data;
+    // Parse Link header
+    const linkHeader = response.headers.link;
+    const links = linkHeader.split(',');
+    const nextLink = links.find((link: string) => link.includes('rel="next"'));
+    if (!nextLink) {
+      break;
+    }
+    // Extract the 'next' page URL
+    const match = nextLink.match(/<(.*)>/);
+    const url = match ? match[1] : undefined;
+    if (!url) {
+      break;
+    }
+    const parsedUrl = parse(url);
+    const params = new URLSearchParams(parsedUrl.query || '');
+    const nextPageToken = params.get('page');
+    if (nextPageToken) {
+      nextPage = parseInt(nextPageToken, 10);
+    } else {
+      break; // stop if there is no next page
+    }
+  }
+}