@theshelf/authentication 0.0.3 → 0.1.0

package/README.md

@@ -23,6 +23,7 @@ npm install @theshelf/authentication
 Currently, there is only one implementation:
 
 * **OpenID** - persistent document storage.
+* **Google** - authentication via Google accounts
 
 ## Configuration
 
@@ -43,6 +44,19 @@ OPENID_REDIRECT_PATH="https://application.com/login"
 OPENID_ALLOW_INSECURE_REQUESTS=false
 ```
 
+In case of Google, the following configuration is required.
+
+```env
+GOOGLE_ISSUER="https://accounts.google.com"
+GOOGLE_CLIENT_ID="google-client-id.apps.googleusercontent.com"
+GOOGLE_CLIENT_SECRET=""
+GOOGLE_REDIRECT_PATH="https://application.com/login"
+GOOGLE_ACCESS_TYPE="offline"
+GOOGLE_ORGANIZATION_DOMAIN="yourdomain.com"
+```
+
+The ACCESS_TYPE can be either `online` or `offline`. The default is `offline`, which provides refresh tokens. The ORGANIZATION_DOMAIN can be used to restrict login to a specific Google Workspace domain.
+
 ## How to use
 
 An instance of the configured identity provider implementation can be imported for performing authentication operations.

package/dist/implementation.js

@@ -1,7 +1,9 @@
 import UnknownImplementation from './errors/UnknownImplementation.js';
+import createGoogle from './implementations/google/create.js';
 import createOpenID from './implementations/openid/create.js';
 const implementations = new Map([
     ['openid', createOpenID],
+    ['google', createGoogle]
 ]);
 const DEFAULT_AUTHENTICATION_IMPLEMENTATION = 'openid';
 const implementationName = process.env.AUTHENTICATION_IMPLEMENTATION ?? DEFAULT_AUTHENTICATION_IMPLEMENTATION;

package/dist/implementations/google/Google.d.ts

@@ -0,0 +1,22 @@
+import type { IdentityProvider } from '../../definitions/interfaces.js';
+import type { Session } from '../../definitions/types.js';
+type GoogleConfiguration = {
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    redirectPath: string;
+    accessType: string;
+    organizationDomain: string;
+};
+export default class OpenID implements IdentityProvider {
+    #private;
+    constructor(configuration: GoogleConfiguration);
+    get connected(): boolean;
+    connect(): Promise<void>;
+    disconnect(): Promise<void>;
+    getLoginUrl(origin: string): Promise<string>;
+    login(origin: string, data: Record<string, unknown>): Promise<Session>;
+    refresh(session: Session): Promise<Session>;
+    logout(session: Session): Promise<void>;
+}
+export {};

package/dist/implementations/google/Google.js

@@ -0,0 +1,147 @@
+import { authorizationCodeGrant, buildAuthorizationUrl, calculatePKCECodeChallenge, discovery, fetchUserInfo, randomNonce, randomPKCECodeVerifier, refreshTokenGrant, tokenRevocation } from 'openid-client';
+import crypto from 'node:crypto';
+import LoginFailed from '../../errors/LoginFailed.js';
+import NotConnected from '../../errors/NotConnected.js';
+const SECRET = crypto.randomUUID() + crypto.randomUUID();
+const TTL = 30000;
+export default class OpenID {
+    #providerConfiguration;
+    #clientConfiguration;
+    #codeVerifier = randomPKCECodeVerifier();
+    constructor(configuration) {
+        this.#providerConfiguration = configuration;
+    }
+    get connected() {
+        return this.#clientConfiguration !== undefined;
+    }
+    async connect() {
+        const issuer = new URL(this.#providerConfiguration.issuer);
+        const clientId = this.#providerConfiguration.clientId;
+        const clientSecret = this.#providerConfiguration.clientSecret;
+        this.#clientConfiguration = await discovery(issuer, clientId, clientSecret);
+    }
+    async disconnect() {
+        this.#clientConfiguration = undefined;
+    }
+    async getLoginUrl(origin) {
+        const redirect_uri = new URL(this.#providerConfiguration.redirectPath, origin).href;
+        const scope = 'openid profile email';
+        const code_challenge = await calculatePKCECodeChallenge(this.#codeVerifier);
+        const code_challenge_method = 'S256';
+        const access_type = this.#providerConfiguration.accessType;
+        const hd = this.#providerConfiguration.organizationDomain;
+        const payload = this.#createPayload();
+        const state = this.#calculateSignature(payload);
+        const parameters = {
+            redirect_uri,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            access_type,
+            hd,
+            prompt: 'consent',
+            nonce: payload.nonce,
+            state
+        };
+        const clientConfiguration = this.#getClientConfiguration();
+        const redirectTo = buildAuthorizationUrl(clientConfiguration, parameters);
+        return redirectTo.href;
+    }
+    async login(origin, data) {
+        const clientConfiguration = this.#getClientConfiguration();
+        const url = new URL(this.#providerConfiguration.redirectPath, origin);
+        for (const [key, value] of Object.entries(data)) {
+            url.searchParams.set(key, value);
+        }
+        const payload = this.#getPayload(data.state);
+        const tokens = await authorizationCodeGrant(clientConfiguration, url, {
+            pkceCodeVerifier: this.#codeVerifier,
+            expectedNonce: payload.nonce,
+            expectedState: data.state,
+            idTokenExpected: true
+        });
+        const access_token = tokens.access_token;
+        const claims = this.#getClaims(tokens);
+        const sub = claims.sub;
+        const expires = claims.exp * 1000;
+        const userInfo = await fetchUserInfo(clientConfiguration, access_token, sub);
+        const identity = {
+            name: userInfo.name,
+            nickname: userInfo.nickname,
+            picture: userInfo.picture,
+            email: userInfo.email,
+            email_verified: userInfo.email_verified
+        };
+        return {
+            identity: identity,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token,
+            expires: new Date(expires)
+        };
+    }
+    async refresh(session) {
+        const config = this.#getClientConfiguration();
+        const tokens = await refreshTokenGrant(config, session.refreshToken);
+        const claims = this.#getClaims(tokens);
+        const expires = claims.exp * 1000;
+        return {
+            requester: session.requester,
+            identity: session.identity,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token,
+            expires: new Date(expires)
+        };
+    }
+    logout(session) {
+        const config = this.#getClientConfiguration();
+        return tokenRevocation(config, session.refreshToken);
+    }
+    #getClientConfiguration() {
+        if (this.#clientConfiguration === undefined) {
+            throw new NotConnected('Google client not connected');
+        }
+        return this.#clientConfiguration;
+    }
+    #getClaims(tokens) {
+        const claims = tokens.claims();
+        if (claims === undefined) {
+            throw new LoginFailed('No claims in ID token');
+        }
+        return claims;
+    }
+    #createPayload() {
+        return {
+            jti: crypto.randomUUID(),
+            nonce: randomNonce(),
+            iat: Date.now(),
+            exp: Date.now() + TTL
+        };
+    }
+    #calculateSignature(payload) {
+        const data = JSON.stringify(payload);
+        const value = Buffer.from(data).toString('base64url');
+        const signature = Buffer.from(crypto.createHmac("sha512", SECRET).update(data).digest()).toString('base64url');
+        return `${value}.${signature}`;
+    }
+    #getPayload(state) {
+        if (typeof state !== 'string') {
+            throw new LoginFailed('Invalid state');
+        }
+        if (state.includes('.') === false) {
+            throw new LoginFailed('Invalid state');
+        }
+        const [value, signature] = state.split('.');
+        const decodedValue = Buffer.from(value, 'base64').toString('utf8');
+        const decodedSignature = Buffer.from(signature, 'base64');
+        const check = Buffer.from(crypto.createHmac("sha512", SECRET).update(decodedValue).digest());
+        if (crypto.timingSafeEqual(check, decodedSignature) === false) {
+            throw new LoginFailed('Invalid state');
+        }
+        const payload = JSON.parse(decodedValue);
+        const now = Date.now();
+        if (payload.iat > now || payload.exp < now) {
+            throw new LoginFailed('Invalid state');
+        }
+        return payload;
+    }
+}

package/dist/implementations/google/create.d.ts

@@ -0,0 +1,2 @@
+import Google from './Google.js';
+export default function create(): Google;

package/dist/implementations/google/create.js

@@ -0,0 +1,10 @@
+import Google from './Google.js';
+export default function create() {
+    const issuer = process.env.GOOGLE_ISSUER ?? 'undefined';
+    const clientId = process.env.GOOGLE_CLIENT_ID ?? 'undefined';
+    const clientSecret = process.env.GOOGLE_CLIENT_SECRET ?? 'undefined';
+    const redirectPath = process.env.GOOGLE_REDIRECT_PATH ?? 'undefined';
+    const accessType = process.env.GOOGLE_ACCESS_TYPE ?? 'online';
+    const organizationDomain = process.env.GOOGLE_ORGANIZATION_DOMAIN ?? '';
+    return new Google({ issuer, clientId, clientSecret, redirectPath, accessType, organizationDomain });
+}

package/dist/implementations/openid/OpenID.js

@@ -39,9 +39,9 @@ export default class OpenID {
     async login(origin, data) {
         const clientConfiguration = this.#getClientConfiguration();
         const url = new URL(this.#providerConfiguration.redirectPath, origin);
-        url.searchParams.set('session_state', data.session_state);
-        url.searchParams.set('iss', data.iss);
-        url.searchParams.set('code', data.code);
+        for (const [key, value] of Object.entries(data)) {
+            url.searchParams.set(key, value);
+        }
         const tokens = await authorizationCodeGrant(clientConfiguration, url, {
             pkceCodeVerifier: this.#codeVerifier,
             idTokenExpected: true

package/package.json

@@ -1,8 +1,11 @@
 {
   "name": "@theshelf/authentication",
   "private": false,
-  "version": "0.0.3",
+  "version": "0.1.0",
   "type": "module",
+  "repository": {
+    "url": "https://github.com/MaskingTechnology/theshelf"
+  },
   "scripts": {
     "build": "tsc",
     "clean": "rimraf dist",