@theshelf/authentication 0.3.1 → 0.4.0

package/README.md

@@ -1,16 +1,7 @@
 
-# Authentication | The Shelf
+# Authentication core | The Shelf
 
-The authentication package provides a universal interaction layer with an actual identity provider solution.
-
-This package is based on the following authentication flow:
-
-1. Browser redirects to the IDP login page.
-2. User authenticate at the IDP.
-3. IDP provides identity information to this package.
-4. This package starts a session based on the provided identity.
-5. Sessions can be refreshed via this package.
-6. Until the user logs out via this package.
+This package contains the definition of the authentication flow. It uses a interchangeable driver system for performing the actual operations.
 
 ## Installation
 
@@ -18,54 +9,20 @@ This package is based on the following authentication flow:
 npm install @theshelf/authentication
 ```
 
-## Drivers
-
-Currently, there are two drivers available:
-
-* **OpenID** - persistent document storage.
-* **Google** - authentication via Google accounts
-
 ## How to use
 
 The basic set up looks like this.
 
 ```ts
-import IdentityProvider, { OpenIDDriver | GoogleDriver as SelectedDriver } from '@theshelf/authentication';
+import IdentityProvider from '@theshelf/authentication';
+import driver from '/path/to/driver';
 
-const driver = new SelectedDriver(/* configuration */);
 const identityProvider = new IdentityProvider(driver);
 
 // Perform operations with the identityProvider instance
 ```
 
-### Configuration
-
-#### OpenID driver
-
-```ts
-type OpenIDConfiguration = {
-    issuer: string; // URL to the provider
-    clientId: string; // provided by the provider
-    clientSecret: string; // provided by the provider
-    redirectPath: string; // e.g. "https://application.com/login"
-    allowInsecureRequests: boolean; // only set to false in development
-};
-```
-
-#### Google driver
-
-```ts
-type GoogleConfiguration = {
-    issuer: string; // "https://accounts.google.com"
-    clientId: string; // provided by Google
-    clientSecret: string; // provided by Google
-    redirectPath: string; // e.g. "https://application.com/login"
-    accessType: string; // "online" | "offline"
-    organizationDomain: string; // "application.com"
-};
-```
-
-### Operations
+## Operations
 
 ```ts
 import { Session } from '@theshelf/authentication';
@@ -91,12 +48,13 @@ const secondSession: Session = await identityProvider.refresh(firstSession);
 await identityProvider.logout(secondSession);
 ```
 
-### Session structure
+## Types
 
 The session has the following structure.
 
 ```ts
 type Session = {
+    id: string;
     key?: string;
     requester?: unknown;
     identity: Identity;

package/dist/IdentityProvider.d.ts

@@ -1,8 +1,9 @@
+import type Logger from '@theshelf/logging';
 import type { Driver } from './definitions/interfaces.js';
 import type { Session } from './definitions/types.js';
-export default class IdentityProvider implements Driver {
+export default class IdentityProvider {
     #private;
-    constructor(driver: Driver);
+    constructor(driver: Driver, logger?: Logger);
     get connected(): boolean;
     connect(): Promise<void>;
     disconnect(): Promise<void>;

package/dist/IdentityProvider.js

@@ -1,27 +1,90 @@
+import NotConnected from './errors/NotConnected.js';
 export default class IdentityProvider {
     #driver;
-    constructor(driver) {
+    #logger;
+    #logPrefix;
+    constructor(driver, logger) {
         this.#driver = driver;
+        this.#logger = logger?.for(IdentityProvider.name);
+        this.#logPrefix = `${this.#driver.name} ->`;
     }
     get connected() {
         return this.#driver.connected;
     }
-    connect() {
-        return this.#driver.connect();
+    async connect() {
+        if (this.connected === true) {
+            return;
+        }
+        this.#logger?.debug(this.#logPrefix, 'Connecting');
+        try {
+            await this.#driver.connect();
+        }
+        catch (error) {
+            this.#logger?.error(this.#logPrefix, 'Connect failed with error', error);
+            throw error;
+        }
     }
-    disconnect() {
-        return this.#driver.disconnect();
+    async disconnect() {
+        if (this.connected === false) {
+            return;
+        }
+        this.#logger?.debug(this.#logPrefix, 'Disconnecting');
+        try {
+            return await this.#driver.disconnect();
+        }
+        catch (error) {
+            this.#logger?.error(this.#logPrefix, 'Disconnect failed with error', error);
+            throw error;
+        }
     }
-    getLoginUrl(origin) {
-        return this.#driver.getLoginUrl(origin);
+    async getLoginUrl(origin) {
+        this.#logger?.debug(this.#logPrefix, 'Getting login URL for origin', origin);
+        try {
+            this.#validateConnection();
+            return await this.#driver.getLoginUrl(origin);
+        }
+        catch (error) {
+            this.#logger?.error(this.#logPrefix, 'Get login URL for origin', origin, 'failed with error', error);
+            throw error;
+        }
     }
-    login(origin, data) {
-        return this.#driver.login(origin, data);
+    async login(origin, data) {
+        this.#logger?.debug(this.#logPrefix, 'Logging in');
+        try {
+            this.#validateConnection();
+            return await this.#driver.login(origin, data);
+        }
+        catch (error) {
+            // Do NOT log data, as it might contain sensitive information
+            this.#logger?.error(this.#logPrefix, 'Login for origin', origin, 'failed with error', error);
+            throw error;
+        }
     }
-    refresh(session) {
-        return this.#driver.refresh(session);
+    async refresh(session) {
+        this.#logger?.debug(this.#logPrefix, 'Refreshing session');
+        try {
+            this.#validateConnection();
+            return await this.#driver.refresh(session);
+        }
+        catch (error) {
+            this.#logger?.error(this.#logPrefix, 'Refresh session for', session.id, 'failed with error', error);
+            throw error;
+        }
     }
-    logout(session) {
-        return this.#driver.logout(session);
+    async logout(session) {
+        this.#logger?.debug(this.#logPrefix, 'Logging out');
+        try {
+            this.#validateConnection();
+            return await this.#driver.logout(session);
+        }
+        catch (error) {
+            this.#logger?.error(this.#logPrefix, 'Logout session for', session.id, 'failed with error', error);
+            throw error;
+        }
+    }
+    #validateConnection() {
+        if (this.connected === false) {
+            throw new NotConnected();
+        }
     }
 }

package/dist/definitions/interfaces.d.ts

@@ -1,5 +1,6 @@
 import type { Session } from './types.js';
 export interface Driver {
+    get name(): string;
     get connected(): boolean;
     connect(): Promise<void>;
     disconnect(): Promise<void>;

package/dist/definitions/types.d.ts

@@ -7,6 +7,7 @@ type Identity = {
 };
 type Token = string;
 type Session = {
+    id: string;
     key?: string;
     requester?: unknown;
     identity: Identity;

package/dist/index.d.ts

@@ -1,7 +1,8 @@
-export type * from './definitions/interfaces.js';
-export type * from './definitions/types.js';
+export type { Driver } from './definitions/interfaces.js';
+export type { Identity, Session } from './definitions/types.js';
 export { default as AuthenticationError } from './errors/AuthenticationError.js';
 export { default as NotConnected } from './errors/NotConnected.js';
-export { default as GoogleDriver } from './drivers/Google.js';
-export { default as OpenIDDriver } from './drivers/OpenID.js';
+export { default as LoginFailed } from './errors/LoginFailed.js';
+export { default as RefreshFailed } from './errors/RefreshFailed.js';
+export { default as generateId } from './utils/generateId.js';
 export { default } from './IdentityProvider.js';

package/dist/index.js

@@ -1,5 +1,6 @@
 export { default as AuthenticationError } from './errors/AuthenticationError.js';
 export { default as NotConnected } from './errors/NotConnected.js';
-export { default as GoogleDriver } from './drivers/Google.js';
-export { default as OpenIDDriver } from './drivers/OpenID.js';
+export { default as LoginFailed } from './errors/LoginFailed.js';
+export { default as RefreshFailed } from './errors/RefreshFailed.js';
+export { default as generateId } from './utils/generateId.js';
 export { default } from './IdentityProvider.js';

package/dist/utils/generateId.d.ts

@@ -0,0 +1 @@
+export default function generateId(): string;

package/dist/utils/generateId.js

@@ -0,0 +1,4 @@
+import crypto from 'node:crypto';
+export default function generateId() {
+    return crypto.randomUUID();
+}

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "@theshelf/authentication",
   "private": false,
-  "version": "0.3.1",
+  "version": "0.4.0",
   "type": "module",
   "repository": {
     "url": "git+https://github.com/MaskingTechnology/theshelf.git"
   },
+  "license": "MIT",
   "scripts": {
     "build": "tsc",
     "clean": "rimraf dist",
@@ -17,9 +18,9 @@
     "README.md",
     "dist"
   ],
-  "types": "dist/index.d.ts",
+  "types": "./dist/index.d.ts",
   "exports": "./dist/index.js",
-  "dependencies": {
-    "openid-client": "6.8.1"
+  "peerDependencies": {
+    "@theshelf/logging": "^0.4.0"
   }
 }

package/dist/drivers/Google.d.ts

@@ -1,22 +0,0 @@
-import type { Driver } from '../definitions/interfaces.js';
-import type { Session } from '../definitions/types.js';
-type GoogleConfiguration = {
-    issuer: string;
-    clientId: string;
-    clientSecret: string;
-    redirectPath: string;
-    accessType: string;
-    organizationDomain: string;
-};
-export default class OpenID implements Driver {
-    #private;
-    constructor(configuration: GoogleConfiguration);
-    get connected(): boolean;
-    connect(): Promise<void>;
-    disconnect(): Promise<void>;
-    getLoginUrl(origin: string): Promise<string>;
-    login(origin: string, data: Record<string, unknown>): Promise<Session>;
-    refresh(session: Session): Promise<Session>;
-    logout(session: Session): Promise<void>;
-}
-export {};

package/dist/drivers/Google.js

@@ -1,151 +0,0 @@
-import { authorizationCodeGrant, buildAuthorizationUrl, calculatePKCECodeChallenge, discovery, fetchUserInfo, randomNonce, randomPKCECodeVerifier, refreshTokenGrant, tokenRevocation } from 'openid-client';
-import crypto from 'node:crypto';
-import LoginFailed from '../errors/LoginFailed.js';
-import RefreshFailed from '../errors/RefreshFailed.js';
-import NotConnected from '../errors/NotConnected.js';
-const SECRET = crypto.randomUUID() + crypto.randomUUID();
-const TTL = 30000;
-export default class OpenID {
-    #providerConfiguration;
-    #clientConfiguration;
-    #codeVerifier = randomPKCECodeVerifier();
-    constructor(configuration) {
-        this.#providerConfiguration = configuration;
-    }
-    get connected() {
-        return this.#clientConfiguration !== undefined;
-    }
-    async connect() {
-        const issuer = new URL(this.#providerConfiguration.issuer);
-        const clientId = this.#providerConfiguration.clientId;
-        const clientSecret = this.#providerConfiguration.clientSecret;
-        this.#clientConfiguration = await discovery(issuer, clientId, clientSecret);
-    }
-    async disconnect() {
-        this.#clientConfiguration = undefined;
-    }
-    async getLoginUrl(origin) {
-        const redirect_uri = new URL(this.#providerConfiguration.redirectPath, origin).href;
-        const scope = 'openid profile email';
-        const code_challenge = await calculatePKCECodeChallenge(this.#codeVerifier);
-        const code_challenge_method = 'S256';
-        const access_type = this.#providerConfiguration.accessType;
-        const hd = this.#providerConfiguration.organizationDomain;
-        const payload = this.#createPayload();
-        const state = this.#calculateSignature(payload);
-        const parameters = {
-            redirect_uri,
-            scope,
-            code_challenge,
-            code_challenge_method,
-            access_type,
-            hd,
-            prompt: 'consent',
-            nonce: payload.nonce,
-            state
-        };
-        const clientConfiguration = this.#getClientConfiguration();
-        const redirectTo = buildAuthorizationUrl(clientConfiguration, parameters);
-        return redirectTo.href;
-    }
-    async login(origin, data) {
-        const clientConfiguration = this.#getClientConfiguration();
-        const url = new URL(this.#providerConfiguration.redirectPath, origin);
-        for (const [key, value] of Object.entries(data)) {
-            url.searchParams.set(key, String(value));
-        }
-        const payload = this.#getPayload(data.state);
-        const tokens = await authorizationCodeGrant(clientConfiguration, url, {
-            pkceCodeVerifier: this.#codeVerifier,
-            expectedNonce: payload.nonce,
-            expectedState: data.state,
-            idTokenExpected: true
-        });
-        const access_token = tokens.access_token;
-        const claims = this.#getClaims(tokens);
-        const sub = claims.sub;
-        const expires = claims.exp * 1000;
-        const userInfo = await fetchUserInfo(clientConfiguration, access_token, sub);
-        const identity = {
-            name: userInfo.name,
-            nickname: userInfo.nickname,
-            picture: userInfo.picture,
-            email: userInfo.email,
-            email_verified: userInfo.email_verified
-        };
-        return {
-            identity: identity,
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expires: new Date(expires)
-        };
-    }
-    async refresh(session) {
-        if (session.refreshToken === undefined) {
-            throw new RefreshFailed('Missing refresh token');
-        }
-        const config = this.#getClientConfiguration();
-        const tokens = await refreshTokenGrant(config, session.refreshToken);
-        const claims = this.#getClaims(tokens);
-        const expires = claims.exp * 1000;
-        return {
-            requester: session.requester,
-            identity: session.identity,
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expires: new Date(expires)
-        };
-    }
-    logout(session) {
-        const config = this.#getClientConfiguration();
-        return tokenRevocation(config, session.refreshToken ?? session.accessToken);
-    }
-    #getClientConfiguration() {
-        if (this.#clientConfiguration === undefined) {
-            throw new NotConnected('Google client not connected');
-        }
-        return this.#clientConfiguration;
-    }
-    #getClaims(tokens) {
-        const claims = tokens.claims();
-        if (claims === undefined) {
-            throw new LoginFailed('No claims in ID token');
-        }
-        return claims;
-    }
-    #createPayload() {
-        return {
-            jti: crypto.randomUUID(),
-            nonce: randomNonce(),
-            iat: Date.now(),
-            exp: Date.now() + TTL
-        };
-    }
-    #calculateSignature(payload) {
-        const data = JSON.stringify(payload);
-        const value = Buffer.from(data).toString('base64url');
-        const signature = Buffer.from(crypto.createHmac("sha512", SECRET).update(data).digest()).toString('base64url');
-        return `${value}.${signature}`;
-    }
-    #getPayload(state) {
-        if (typeof state !== 'string') {
-            throw new LoginFailed('Invalid state');
-        }
-        if (state.includes('.') === false) {
-            throw new LoginFailed('Invalid state');
-        }
-        const [value, signature] = state.split('.');
-        const decodedValue = Buffer.from(value, 'base64').toString('utf8');
-        const decodedSignature = Buffer.from(signature, 'base64');
-        const check = Buffer.from(crypto.createHmac("sha512", SECRET).update(decodedValue).digest());
-        if (crypto.timingSafeEqual(check, decodedSignature) === false) {
-            throw new LoginFailed('Invalid state');
-        }
-        const payload = JSON.parse(decodedValue);
-        const now = Date.now();
-        if (payload.iat > now || payload.exp < now) {
-            throw new LoginFailed('Invalid state');
-        }
-        return payload;
-    }
-}

package/dist/drivers/OpenID.d.ts

@@ -1,21 +0,0 @@
-import type { Driver } from '../definitions/interfaces.js';
-import type { Session } from '../definitions/types.js';
-type OpenIDConfiguration = {
-    issuer: string;
-    clientId: string;
-    clientSecret: string;
-    redirectPath: string;
-    allowInsecureRequests: boolean;
-};
-export default class OpenID implements Driver {
-    #private;
-    constructor(configuration: OpenIDConfiguration);
-    get connected(): boolean;
-    connect(): Promise<void>;
-    disconnect(): Promise<void>;
-    getLoginUrl(origin: string): Promise<string>;
-    login(origin: string, data: Record<string, unknown>): Promise<Session>;
-    refresh(session: Session): Promise<Session>;
-    logout(session: Session): Promise<void>;
-}
-export {};

package/dist/drivers/OpenID.js

@@ -1,109 +0,0 @@
-import { allowInsecureRequests, authorizationCodeGrant, buildAuthorizationUrlWithPAR, calculatePKCECodeChallenge, discovery, fetchUserInfo, randomPKCECodeVerifier, refreshTokenGrant, tokenRevocation } from 'openid-client';
-import LoginFailed from '../errors/LoginFailed.js';
-import RefreshFailed from '../errors/RefreshFailed.js';
-import NotConnected from '../errors/NotConnected.js';
-export default class OpenID {
-    #providerConfiguration;
-    #clientConfiguration;
-    #codeVerifier = randomPKCECodeVerifier();
-    constructor(configuration) {
-        this.#providerConfiguration = configuration;
-    }
-    get connected() {
-        return this.#clientConfiguration !== undefined;
-    }
-    async connect() {
-        const issuer = new URL(this.#providerConfiguration.issuer);
-        const clientId = this.#providerConfiguration.clientId;
-        const clientSecret = this.#providerConfiguration.clientSecret;
-        const requestOptions = this.#getRequestOptions();
-        this.#clientConfiguration = await discovery(issuer, clientId, clientSecret, undefined, requestOptions);
-    }
-    async disconnect() {
-        this.#clientConfiguration = undefined;
-    }
-    async getLoginUrl(origin) {
-        const redirect_uri = new URL(this.#providerConfiguration.redirectPath, origin).href;
-        const scope = 'openid profile email';
-        const code_challenge = await calculatePKCECodeChallenge(this.#codeVerifier);
-        const code_challenge_method = 'S256';
-        const parameters = {
-            redirect_uri,
-            scope,
-            code_challenge,
-            code_challenge_method
-        };
-        const clientConfiguration = this.#getClientConfiguration();
-        const redirectTo = await buildAuthorizationUrlWithPAR(clientConfiguration, parameters);
-        return redirectTo.href;
-    }
-    async login(origin, data) {
-        const clientConfiguration = this.#getClientConfiguration();
-        const url = new URL(this.#providerConfiguration.redirectPath, origin);
-        for (const [key, value] of Object.entries(data)) {
-            url.searchParams.set(key, String(value));
-        }
-        const tokens = await authorizationCodeGrant(clientConfiguration, url, {
-            pkceCodeVerifier: this.#codeVerifier,
-            idTokenExpected: true
-        });
-        const access_token = tokens.access_token;
-        const claims = this.#getClaims(tokens);
-        const sub = claims.sub;
-        const expires = claims.exp * 1000;
-        const userInfo = await fetchUserInfo(clientConfiguration, access_token, sub);
-        const identity = {
-            name: userInfo.name,
-            nickname: userInfo.nickname,
-            picture: userInfo.picture,
-            email: userInfo.email,
-            email_verified: userInfo.email_verified
-        };
-        return {
-            identity: identity,
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expires: new Date(expires)
-        };
-    }
-    async refresh(session) {
-        if (session.refreshToken === undefined) {
-            throw new RefreshFailed('Missing refresh token');
-        }
-        const config = this.#getClientConfiguration();
-        const tokens = await refreshTokenGrant(config, session.refreshToken);
-        const claims = this.#getClaims(tokens);
-        const expires = claims.exp * 1000;
-        return {
-            requester: session.requester,
-            identity: session.identity,
-            accessToken: tokens.access_token,
-            refreshToken: tokens.refresh_token,
-            expires: new Date(expires)
-        };
-    }
-    logout(session) {
-        const config = this.#getClientConfiguration();
-        return tokenRevocation(config, session.refreshToken ?? session.accessToken);
-    }
-    #getClientConfiguration() {
-        if (this.#clientConfiguration === undefined) {
-            throw new NotConnected('OpenID client not connected');
-        }
-        return this.#clientConfiguration;
-    }
-    #getRequestOptions() {
-        const options = {};
-        if (this.#providerConfiguration.allowInsecureRequests) {
-            options.execute = [allowInsecureRequests];
-        }
-        return options;
-    }
-    #getClaims(tokens) {
-        const claims = tokens.claims();
-        if (claims === undefined) {
-            throw new LoginFailed('No claims in ID token');
-        }
-        return claims;
-    }
-}