@theshelf/authentication 0.0.4 → 0.2.0

package/README.md

@@ -18,45 +18,57 @@ This package is based on the following authentication flow:
 npm install @theshelf/authentication
 ```
 
-## Implementations
+## Drivers
 
-Currently, there is only one implementation:
+Currently, there are two drivers available:
 
 * **OpenID** - persistent document storage.
+* **Google** - authentication via Google accounts
 
-## Configuration
+## How to use
 
-The used implementation needs to be configured in the `.env` file, together with the client URL.
+The basic set up looks like this.
 
-```env
-AUTHENTICATION_IMPLEMENTATION="openid"
-AUTHENTICATION_CLIENT_URI="https://application.com/authenticate"
-```
+```ts
+import IdentityProvider, { OpenIDDriver | GoogleDriver as SelectedDriver } from '@theshelf/authentication';
 
-In case of OpenID, additional configuration is required.
+const driver = new SelectedDriver(/* configuration */);
+const identityProvider = new IdentityProvider(driver);
 
-```env
-OPENID_ISSUER="https://identityprovider.com"
-OPENID_CLIENT_ID="openid"
-OPENID_CLIENT_SECRET=""
-OPENID_REDIRECT_PATH="https://application.com/login"
-OPENID_ALLOW_INSECURE_REQUESTS=false
+// Perform operations with the identityProvider instance
 ```
 
-## How to use
+### Configuration
 
-An instance of the configured identity provider implementation can be imported for performing authentication operations.
+#### OpenID driver
 
 ```ts
-import identityProvider from '@theshelf/authentication';
+type OpenIDConfiguration = {
+    issuer: string; // URL to the provider
+    clientId: string; // provided by the provider
+    clientSecret: string; // provided by the provider
+    redirectPath: string; // e.g. "https://application.com/login"
+    allowInsecureRequests: boolean; // only set to false in development
+};
+```
 
-// Perform operations with the identityProvider instance
+#### Google driver
+
+```ts
+type GoogleConfiguration = {
+    issuer: string; // "https://accounts.google.com"
+    clientId: string; // provided by Google
+    clientSecret: string; // provided by Google
+    redirectPath: string; // e.g. "https://application.com/login"
+    accessType: string; // "online" | "offline"
+    organizationDomain: string; // "application.com"
+};
 ```
 
 ### Operations
 
 ```ts
-import identityProvider, { Session } from '@theshelf/authentication';
+import { Session } from '@theshelf/authentication';
 
 // Open connection
 await identityProvider.connect();

package/dist/ConnectionManager.d.ts

@@ -0,0 +1,9 @@
+import type { ConnectionState } from './definitions/constants.js';
+import type { Driver } from './definitions/interfaces.js';
+export default class ConnectionManager {
+    #private;
+    constructor(driver: Driver);
+    get state(): ConnectionState;
+    connect(): Promise<void>;
+    disconnect(): Promise<void>;
+}

package/dist/ConnectionManager.js

@@ -0,0 +1,53 @@
+import { ConnectionStates } from './definitions/constants.js';
+export default class ConnectionManager {
+    #driver;
+    #state = ConnectionStates.DISCONNECTED;
+    #connectPromise;
+    #disconnectPromise;
+    constructor(driver) {
+        this.#driver = driver;
+    }
+    get state() { return this.#state; }
+    async connect() {
+        if (this.#connectPromise !== undefined) {
+            return this.#connectPromise;
+        }
+        if (this.#state !== ConnectionStates.DISCONNECTED) {
+            return;
+        }
+        this.#state = ConnectionStates.CONNECTING;
+        try {
+            this.#connectPromise = this.#driver.connect();
+            await this.#connectPromise;
+            this.#state = ConnectionStates.CONNECTED;
+        }
+        catch (error) {
+            this.#state = ConnectionStates.DISCONNECTED;
+            throw error;
+        }
+        finally {
+            this.#connectPromise = undefined;
+        }
+    }
+    async disconnect() {
+        if (this.#disconnectPromise !== undefined) {
+            return this.#disconnectPromise;
+        }
+        if (this.#state !== ConnectionStates.CONNECTED) {
+            return;
+        }
+        this.#state = ConnectionStates.DISCONNECTING;
+        try {
+            this.#disconnectPromise = this.#driver.disconnect();
+            await this.#disconnectPromise;
+            this.#state = ConnectionStates.DISCONNECTED;
+        }
+        catch (error) {
+            this.#state = ConnectionStates.CONNECTED;
+            throw error;
+        }
+        finally {
+            this.#disconnectPromise = undefined;
+        }
+    }
+}

package/dist/IdentityProvider.d.ts

@@ -0,0 +1,15 @@
+import type { ConnectionState } from './definitions/constants.js';
+import type { Driver } from './definitions/interfaces.js';
+import type { Session } from './definitions/types.js';
+export default class IdentityProvider implements Driver {
+    #private;
+    constructor(driver: Driver);
+    get connectionState(): ConnectionState;
+    get connected(): boolean;
+    connect(): Promise<void>;
+    disconnect(): Promise<void>;
+    getLoginUrl(origin: string): Promise<string>;
+    login(origin: string, data: Record<string, unknown>): Promise<Session>;
+    refresh(session: Session): Promise<Session>;
+    logout(session: Session): Promise<void>;
+}

package/dist/IdentityProvider.js

@@ -0,0 +1,34 @@
+import { ConnectionStates } from './definitions/constants.js';
+import ConnectionManager from './ConnectionManager.js';
+export default class IdentityProvider {
+    #driver;
+    #connectionManager;
+    constructor(driver) {
+        this.#driver = driver;
+        this.#connectionManager = new ConnectionManager(driver);
+    }
+    get connectionState() {
+        return this.#connectionManager.state;
+    }
+    get connected() {
+        return this.connectionState === ConnectionStates.CONNECTED;
+    }
+    connect() {
+        return this.#connectionManager.connect();
+    }
+    disconnect() {
+        return this.#connectionManager.disconnect();
+    }
+    getLoginUrl(origin) {
+        return this.#driver.getLoginUrl(origin);
+    }
+    login(origin, data) {
+        return this.#driver.login(origin, data);
+    }
+    refresh(session) {
+        return this.#driver.refresh(session);
+    }
+    logout(session) {
+        return this.#driver.logout(session);
+    }
+}

package/dist/definitions/constants.d.ts

@@ -0,0 +1,7 @@
+export declare const ConnectionStates: {
+    readonly DISCONNECTED: "DISCONNECTED";
+    readonly DISCONNECTING: "DISCONNECTING";
+    readonly CONNECTING: "CONNECTING";
+    readonly CONNECTED: "CONNECTED";
+};
+export type ConnectionState = typeof ConnectionStates[keyof typeof ConnectionStates];

package/dist/definitions/constants.js

@@ -0,0 +1,6 @@
+export const ConnectionStates = {
+    DISCONNECTED: 'DISCONNECTED',
+    DISCONNECTING: 'DISCONNECTING',
+    CONNECTING: 'CONNECTING',
+    CONNECTED: 'CONNECTED'
+};

package/dist/definitions/interfaces.d.ts

@@ -1,5 +1,5 @@
 import type { Session } from './types.js';
-export interface IdentityProvider {
+export interface Driver {
     get connected(): boolean;
     connect(): Promise<void>;
     disconnect(): Promise<void>;

package/dist/definitions/types.d.ts

@@ -11,7 +11,7 @@ type Session = {
     requester?: unknown;
     identity: Identity;
     accessToken: Token;
-    refreshToken: Token;
+    refreshToken?: Token;
     expires: Date;
 };
 export type { Identity, Session };

package/dist/drivers/Google.d.ts

@@ -0,0 +1,22 @@
+import type { Driver } from '../definitions/interfaces.js';
+import type { Session } from '../definitions/types.js';
+type GoogleConfiguration = {
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    redirectPath: string;
+    accessType: string;
+    organizationDomain: string;
+};
+export default class OpenID implements Driver {
+    #private;
+    constructor(configuration: GoogleConfiguration);
+    get connected(): boolean;
+    connect(): Promise<void>;
+    disconnect(): Promise<void>;
+    getLoginUrl(origin: string): Promise<string>;
+    login(origin: string, data: Record<string, unknown>): Promise<Session>;
+    refresh(session: Session): Promise<Session>;
+    logout(session: Session): Promise<void>;
+}
+export {};

package/dist/drivers/Google.js

@@ -0,0 +1,151 @@
+import { authorizationCodeGrant, buildAuthorizationUrl, calculatePKCECodeChallenge, discovery, fetchUserInfo, randomNonce, randomPKCECodeVerifier, refreshTokenGrant, tokenRevocation } from 'openid-client';
+import crypto from 'node:crypto';
+import LoginFailed from '../errors/LoginFailed.js';
+import RefreshFailed from '../errors/RefreshFailed.js';
+import NotConnected from '../errors/NotConnected.js';
+const SECRET = crypto.randomUUID() + crypto.randomUUID();
+const TTL = 30000;
+export default class OpenID {
+    #providerConfiguration;
+    #clientConfiguration;
+    #codeVerifier = randomPKCECodeVerifier();
+    constructor(configuration) {
+        this.#providerConfiguration = configuration;
+    }
+    get connected() {
+        return this.#clientConfiguration !== undefined;
+    }
+    async connect() {
+        const issuer = new URL(this.#providerConfiguration.issuer);
+        const clientId = this.#providerConfiguration.clientId;
+        const clientSecret = this.#providerConfiguration.clientSecret;
+        this.#clientConfiguration = await discovery(issuer, clientId, clientSecret);
+    }
+    async disconnect() {
+        this.#clientConfiguration = undefined;
+    }
+    async getLoginUrl(origin) {
+        const redirect_uri = new URL(this.#providerConfiguration.redirectPath, origin).href;
+        const scope = 'openid profile email';
+        const code_challenge = await calculatePKCECodeChallenge(this.#codeVerifier);
+        const code_challenge_method = 'S256';
+        const access_type = this.#providerConfiguration.accessType;
+        const hd = this.#providerConfiguration.organizationDomain;
+        const payload = this.#createPayload();
+        const state = this.#calculateSignature(payload);
+        const parameters = {
+            redirect_uri,
+            scope,
+            code_challenge,
+            code_challenge_method,
+            access_type,
+            hd,
+            prompt: 'consent',
+            nonce: payload.nonce,
+            state
+        };
+        const clientConfiguration = this.#getClientConfiguration();
+        const redirectTo = buildAuthorizationUrl(clientConfiguration, parameters);
+        return redirectTo.href;
+    }
+    async login(origin, data) {
+        const clientConfiguration = this.#getClientConfiguration();
+        const url = new URL(this.#providerConfiguration.redirectPath, origin);
+        for (const [key, value] of Object.entries(data)) {
+            url.searchParams.set(key, String(value));
+        }
+        const payload = this.#getPayload(data.state);
+        const tokens = await authorizationCodeGrant(clientConfiguration, url, {
+            pkceCodeVerifier: this.#codeVerifier,
+            expectedNonce: payload.nonce,
+            expectedState: data.state,
+            idTokenExpected: true
+        });
+        const access_token = tokens.access_token;
+        const claims = this.#getClaims(tokens);
+        const sub = claims.sub;
+        const expires = claims.exp * 1000;
+        const userInfo = await fetchUserInfo(clientConfiguration, access_token, sub);
+        const identity = {
+            name: userInfo.name,
+            nickname: userInfo.nickname,
+            picture: userInfo.picture,
+            email: userInfo.email,
+            email_verified: userInfo.email_verified
+        };
+        return {
+            identity: identity,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token,
+            expires: new Date(expires)
+        };
+    }
+    async refresh(session) {
+        if (session.refreshToken === undefined) {
+            throw new RefreshFailed('Missing refresh token');
+        }
+        const config = this.#getClientConfiguration();
+        const tokens = await refreshTokenGrant(config, session.refreshToken);
+        const claims = this.#getClaims(tokens);
+        const expires = claims.exp * 1000;
+        return {
+            requester: session.requester,
+            identity: session.identity,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token,
+            expires: new Date(expires)
+        };
+    }
+    logout(session) {
+        const config = this.#getClientConfiguration();
+        return tokenRevocation(config, session.refreshToken ?? session.accessToken);
+    }
+    #getClientConfiguration() {
+        if (this.#clientConfiguration === undefined) {
+            throw new NotConnected('Google client not connected');
+        }
+        return this.#clientConfiguration;
+    }
+    #getClaims(tokens) {
+        const claims = tokens.claims();
+        if (claims === undefined) {
+            throw new LoginFailed('No claims in ID token');
+        }
+        return claims;
+    }
+    #createPayload() {
+        return {
+            jti: crypto.randomUUID(),
+            nonce: randomNonce(),
+            iat: Date.now(),
+            exp: Date.now() + TTL
+        };
+    }
+    #calculateSignature(payload) {
+        const data = JSON.stringify(payload);
+        const value = Buffer.from(data).toString('base64url');
+        const signature = Buffer.from(crypto.createHmac("sha512", SECRET).update(data).digest()).toString('base64url');
+        return `${value}.${signature}`;
+    }
+    #getPayload(state) {
+        if (typeof state !== 'string') {
+            throw new LoginFailed('Invalid state');
+        }
+        if (state.includes('.') === false) {
+            throw new LoginFailed('Invalid state');
+        }
+        const [value, signature] = state.split('.');
+        const decodedValue = Buffer.from(value, 'base64').toString('utf8');
+        const decodedSignature = Buffer.from(signature, 'base64');
+        const check = Buffer.from(crypto.createHmac("sha512", SECRET).update(decodedValue).digest());
+        if (crypto.timingSafeEqual(check, decodedSignature) === false) {
+            throw new LoginFailed('Invalid state');
+        }
+        const payload = JSON.parse(decodedValue);
+        const now = Date.now();
+        if (payload.iat > now || payload.exp < now) {
+            throw new LoginFailed('Invalid state');
+        }
+        return payload;
+    }
+}

package/dist/{implementations/openid → drivers}/OpenID.d.ts

@@ -1,5 +1,5 @@
-import type { IdentityProvider } from '../../definitions/interfaces.js';
-import type { Session } from '../../definitions/types.js';
+import type { Driver } from '../definitions/interfaces.js';
+import type { Session } from '../definitions/types.js';
 type OpenIDConfiguration = {
     issuer: string;
     clientId: string;
@@ -7,7 +7,7 @@ type OpenIDConfiguration = {
     redirectPath: string;
     allowInsecureRequests: boolean;
 };
-export default class OpenID implements IdentityProvider {
+export default class OpenID implements Driver {
     #private;
     constructor(configuration: OpenIDConfiguration);
     get connected(): boolean;

package/dist/{implementations/openid → drivers}/OpenID.js

@@ -1,6 +1,7 @@
 import { allowInsecureRequests, authorizationCodeGrant, buildAuthorizationUrlWithPAR, calculatePKCECodeChallenge, discovery, fetchUserInfo, randomPKCECodeVerifier, refreshTokenGrant, tokenRevocation } from 'openid-client';
-import LoginFailed from '../../errors/LoginFailed.js';
-import NotConnected from '../../errors/NotConnected.js';
+import LoginFailed from '../errors/LoginFailed.js';
+import RefreshFailed from '../errors/RefreshFailed.js';
+import NotConnected from '../errors/NotConnected.js';
 export default class OpenID {
     #providerConfiguration;
     #clientConfiguration;
@@ -39,9 +40,9 @@ export default class OpenID {
     async login(origin, data) {
         const clientConfiguration = this.#getClientConfiguration();
         const url = new URL(this.#providerConfiguration.redirectPath, origin);
-        url.searchParams.set('session_state', data.session_state);
-        url.searchParams.set('iss', data.iss);
-        url.searchParams.set('code', data.code);
+        for (const [key, value] of Object.entries(data)) {
+            url.searchParams.set(key, String(value));
+        }
         const tokens = await authorizationCodeGrant(clientConfiguration, url, {
             pkceCodeVerifier: this.#codeVerifier,
             idTokenExpected: true
@@ -66,6 +67,9 @@ export default class OpenID {
         };
     }
     async refresh(session) {
+        if (session.refreshToken === undefined) {
+            throw new RefreshFailed('Missing refresh token');
+        }
         const config = this.#getClientConfiguration();
         const tokens = await refreshTokenGrant(config, session.refreshToken);
         const claims = this.#getClaims(tokens);
@@ -80,7 +84,7 @@ export default class OpenID {
     }
     logout(session) {
         const config = this.#getClientConfiguration();
-        return tokenRevocation(config, session.refreshToken);
+        return tokenRevocation(config, session.refreshToken ?? session.accessToken);
     }
     #getClientConfiguration() {
         if (this.#clientConfiguration === undefined) {

package/dist/errors/AuthenticationError.d.ts

@@ -1,2 +1,3 @@
 export default class AuthenticationError extends Error {
+    constructor(message?: string);
 }

package/dist/errors/AuthenticationError.js

@@ -1,2 +1,9 @@
 export default class AuthenticationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = this.constructor.name;
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, this.constructor);
+        }
+    }
 }

package/dist/errors/RefreshFailed.d.ts

@@ -0,0 +1,3 @@
+import AuthenticationError from './AuthenticationError.js';
+export default class RefreshFailed extends AuthenticationError {
+}

package/dist/errors/RefreshFailed.js

@@ -0,0 +1,3 @@
+import AuthenticationError from './AuthenticationError.js';
+export default class RefreshFailed extends AuthenticationError {
+}

package/dist/index.d.ts

@@ -1,6 +1,7 @@
-export * from './definitions/interfaces.js';
-export * from './definitions/types.js';
+export type * from './definitions/interfaces.js';
+export type * from './definitions/types.js';
 export { default as AuthenticationError } from './errors/AuthenticationError.js';
 export { default as NotConnected } from './errors/NotConnected.js';
-export { default as UnknownImplementation } from './errors/UnknownImplementation.js';
-export { default } from './implementation.js';
+export { default as GoogleDriver } from './drivers/Google.js';
+export { default as OpenIDDriver } from './drivers/OpenID.js';
+export { default } from './IdentityProvider.js';

package/dist/index.js

@@ -1,6 +1,5 @@
-export * from './definitions/interfaces.js';
-export * from './definitions/types.js';
 export { default as AuthenticationError } from './errors/AuthenticationError.js';
 export { default as NotConnected } from './errors/NotConnected.js';
-export { default as UnknownImplementation } from './errors/UnknownImplementation.js';
-export { default } from './implementation.js';
+export { default as GoogleDriver } from './drivers/Google.js';
+export { default as OpenIDDriver } from './drivers/OpenID.js';
+export { default } from './IdentityProvider.js';

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@theshelf/authentication",
   "private": false,
-  "version": "0.0.4",
+  "version": "0.2.0",
   "type": "module",
   "repository": {
     "url": "https://github.com/MaskingTechnology/theshelf"

package/dist/errors/UnknownImplementation.d.ts

@@ -1,4 +0,0 @@
-import AuthenticationError from './AuthenticationError.js';
-export default class UnknownImplementation extends AuthenticationError {
-    constructor(name: string);
-}

package/dist/errors/UnknownImplementation.js

@@ -1,6 +0,0 @@
-import AuthenticationError from './AuthenticationError.js';
-export default class UnknownImplementation extends AuthenticationError {
-    constructor(name) {
-        super(`Unknown authentication implementation: ${name}`);
-    }
-}

package/dist/implementation.d.ts

@@ -1,3 +0,0 @@
-import type { IdentityProvider } from './definitions/interfaces.js';
-declare const _default: IdentityProvider;
-export default _default;

package/dist/implementation.js

@@ -1,12 +0,0 @@
-import UnknownImplementation from './errors/UnknownImplementation.js';
-import createOpenID from './implementations/openid/create.js';
-const implementations = new Map([
-    ['openid', createOpenID],
-]);
-const DEFAULT_AUTHENTICATION_IMPLEMENTATION = 'openid';
-const implementationName = process.env.AUTHENTICATION_IMPLEMENTATION ?? DEFAULT_AUTHENTICATION_IMPLEMENTATION;
-const creator = implementations.get(implementationName.toLowerCase());
-if (creator === undefined) {
-    throw new UnknownImplementation(implementationName);
-}
-export default creator();

package/dist/implementations/openid/create.d.ts

@@ -1,2 +0,0 @@
-import OpenID from './OpenID.js';
-export default function create(): OpenID;

package/dist/implementations/openid/create.js

@@ -1,9 +0,0 @@
-import OpenID from './OpenID.js';
-export default function create() {
-    const issuer = process.env.OPENID_ISSUER ?? 'undefined';
-    const clientId = process.env.OPENID_CLIENT_ID ?? 'undefined';
-    const clientSecret = process.env.OPENID_CLIENT_SECRET ?? 'undefined';
-    const redirectPath = process.env.OPENID_REDIRECT_PATH ?? 'undefined';
-    const allowInsecureRequests = process.env.OPENID_ALLOW_INSECURE_REQUESTS === 'true';
-    return new OpenID({ issuer, clientId, clientSecret, redirectPath, allowInsecureRequests });
-}