@toa.io/extensions.exposition 1.0.0-alpha.149 → 1.0.0-alpha.150

package/components/identity.federation/operations/lib/get.js

@@ -1,64 +0,0 @@
-"use strict";
-/* eslint-disable max-depth */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.get = void 0;
-const node_stream_1 = require("node:stream");
-const consumers_1 = require("node:stream/consumers");
-const ttlcache_1 = __importDefault(require("@isaacs/ttlcache"));
-const http_cache_semantics_1 = __importDefault(require("http-cache-semantics"));
-const cache = new ttlcache_1.default();
-async function get(url, init) {
-    const headers = toRecord(init?.headers);
-    const request = { url, method: 'GET', headers };
-    const cached = cache.get(url);
-    if (cached?.policy.satisfiesWithoutRevalidation(request) === true) {
-        const headers = toHeaders(cached.policy.responseHeaders());
-        return new Response(cached.body, { headers });
-    }
-    const response = await fetch(url, init);
-    const policy = new http_cache_semantics_1.default(request, { status: response.status, headers: toRecord(response.headers) });
-    const ttl = policy.timeToLive();
-    if (policy.storable() && ttl > 0) {
-        const body = await toBuffer(response.body);
-        cache.set(url, { policy, body }, { ttl });
-        return new Response(body, { headers: response.headers });
-    }
-    else
-        return response;
-}
-exports.get = get;
-function toRecord(headers) {
-    if (!(headers instanceof Headers))
-        headers = toHeaders(headers);
-    return Object.fromEntries(headers.entries());
-}
-function toHeaders(values) {
-    const headers = new Headers();
-    if (values === undefined)
-        return headers;
-    if (Array.isArray(values))
-        for (const [name, value] of values)
-            headers.append(name, value);
-    else
-        for (const name in values) {
-            const value = values[name];
-            if (value === undefined)
-                continue;
-            if (Array.isArray(value))
-                for (const v of value)
-                    headers.append(name, v);
-            else
-                headers.append(name, value);
-        }
-    return headers;
-}
-async function toBuffer(body) {
-    if (body === null)
-        return null;
-    const buf = await (0, consumers_1.buffer)(node_stream_1.Readable.fromWeb(body));
-    return Buffer.from(buf);
-}
-//# sourceMappingURL=get.js.map

package/components/identity.federation/operations/lib/get.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"get.js","sourceRoot":"","sources":["../../source/lib/get.ts"],"names":[],"mappings":";AAAA,8BAA8B;;;;;;AAE9B,6CAAsC;AACtC,qDAA8C;AAE9C,gEAAoC;AACpC,gFAAyC;AAGzC,MAAM,KAAK,GAAG,IAAI,kBAAK,EAAiB,CAAA;AAEjC,KAAK,UAAU,GAAG,CAAE,GAAW,EAAE,IAAkB;IACxD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IACvC,MAAM,OAAO,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAA;IAC/C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAE7B,IAAI,MAAM,EAAE,MAAM,CAAC,4BAA4B,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;QAClE,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC,CAAA;QAE1D,OAAO,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IACvC,MAAM,MAAM,GAAG,IAAI,8BAAM,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACpG,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;IAE/B,IAAI,MAAM,CAAC,QAAQ,EAAE,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,IAAsB,CAAC,CAAA;QAE5D,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAA;QAEzC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAA;IAC1D,CAAC;;QACC,OAAO,QAAQ,CAAA;AACnB,CAAC;AAvBD,kBAuBC;AAED,SAAS,QAAQ,CAAE,OAA+B;IAChD,IAAI,CAAC,CAAC,OAAO,YAAY,OAAO,CAAC;QAC/B,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;IAE9B,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,SAAS,CAAE,MAAgF;IAClG,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,IAAI,MAAM,KAAK,SAAS;QACtB,OAAO,OAAO,CAAA;IAEhB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM;YAChC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;;QAE7B,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAA;YAE1B,IAAI,KAAK,KAAK,SAAS;gBACrB,SAAQ;YAEV,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;gBACtB,KAAK,MAAM,CAAC,IAAI,KAAK;oBACnB,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;;gBAEzB,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;QAC/B,CAAC;IAEH,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,KAAK,UAAU,QAAQ,CAAE,IAAuC;IAC9D,IAAI,IAAI,KAAK,IAAI;QACf,OAAO,IAAI,CAAA;IAEb,MAAM,GAAG,GAAG,MAAM,IAAA,kBAAM,EAAC,sBAAQ,CAAC,OAAO,CAAC,IAAsB,CAAC,CAAC,CAAA;IAElE,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AACzB,CAAC"}

package/components/identity.federation/operations/lib/jwt.d.ts

@@ -1,20 +0,0 @@
-import type { JwtHeader, IdToken, Trust } from '../types';
-import type { Stash } from '@toa.io/types';
-export declare function decodeJwt(token: string): {
-    header: unknown;
-    payload: unknown;
-    rawHeader: string;
-    rawPayload: string;
-    signature: string;
-};
-export declare function validateJwtHeader(header: unknown): asserts header is JwtHeader;
-export declare function validateJwtPayload(payload: unknown, trusted: Trust[], header: JwtHeader): asserts payload is IdToken;
-export declare function validateSignature({ header: { kid, alg }, payload: { iss }, rawHeader, rawPayload, signature, trusted }: {
-    readonly header: JwtHeader;
-    rawHeader: string;
-    readonly payload: IdToken;
-    rawPayload: string;
-    signature: string;
-    trusted?: Trust[];
-}): Promise<void>;
-export declare function decode(token: string, trusted: Trust[] | undefined, stash: Stash): Promise<IdToken>;

package/components/identity.federation/operations/lib/jwt.js

@@ -1,152 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.decode = exports.validateSignature = exports.validateJwtPayload = exports.validateJwtHeader = exports.decodeJwt = void 0;
-const node_crypto_1 = __importDefault(require("node:crypto"));
-const assert = __importStar(require("node:assert"));
-const get_1 = require("./get");
-function decodeJwt(token) {
-    const [rawHeader, rawPayload, signature] = token.split('.', 3);
-    const header = JSON.parse(Buffer.from(rawHeader, 'base64url').toString());
-    const payload = JSON.parse(Buffer.from(rawPayload, 'base64url').toString());
-    return { header, payload, rawHeader, rawPayload, signature };
-}
-exports.decodeJwt = decodeJwt;
-function validateJwtHeader(header) {
-    assert.ok(header !== null && typeof header === 'object', 'Header is not an object');
-    assert.ok('alg' in header, 'Header is missing alg');
-    assert.ok(typeof header.alg === 'string', 'Header alg is not a string');
-    assert.match(header.alg, /^RS256|HS\d{3}$/, `Unknown algorithm ${header.alg}`);
-    assert.ok(!('kid' in header) || typeof header.kid === 'string', 'kid must be a string if present');
-}
-exports.validateJwtHeader = validateJwtHeader;
-function validateJwtPayload(payload, trusted, header) {
-    assert.ok(trusted.length > 0, 'No trusted issuers provided');
-    // the full list of validations is
-    // at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
-    assert.ok(payload !== null && typeof payload === 'object', 'Payload is not an object');
-    assert.ok('iss' in payload, 'Payload is missing iss');
-    assert.ok(typeof payload.iss === 'string', 'Payload iss is not a string');
-    assert.ok('aud' in payload, 'Payload is missing aud');
-    assert.ok(typeof payload.aud === 'string' ||
-        (Array.isArray(payload.aud) && payload.aud.every((e) => typeof e === 'string')), 'Payload aud is not a string nor an array of strings');
-    const issuer = trusted.find((config) => config.iss === payload.iss);
-    assert.ok(issuer, `Unknown issuer: ${payload.iss}`);
-    if (Array.isArray(issuer.aud)) {
-        const tokenAud = payload.aud;
-        if (typeof tokenAud === 'string')
-            assert.ok(issuer.aud.some((a) => a === tokenAud), `Unknown audience: ${tokenAud}`);
-        else
-            assert.ok(issuer.aud.some((a) => tokenAud.includes(a)), `Unknown audiences: ${tokenAud.join(', ')}`);
-    }
-    if (header.alg.startsWith('HS')) {
-        const secrets = issuer.secrets;
-        assert.ok(secrets, `We don't have known secrets for ${payload.iss}`);
-        const keys = secrets[header.alg];
-        assert.ok(keys, `No known secrets for ${header.alg}`);
-        if (typeof header.kid === 'string')
-            assert.ok(header.kid in keys, `No secret ${header.kid} provided for ${header.alg}`);
-    }
-    assert.ok('sub' in payload, 'Payload is missing sub');
-    assert.ok(typeof payload.sub === 'string', 'Payload sub is not a string');
-    assert.ok('exp' in payload, 'Payload is missing exp');
-    assert.ok(typeof payload.exp === 'number', 'Payload exp is not a number');
-    assert.ok(Date.now() < payload.exp * 1000, 'Token is expired');
-    assert.ok('iat' in payload, 'Payload is missing iat');
-    assert.ok(typeof payload.iat === 'number', 'Payload iat is not a number');
-    assert.ok(Date.now() >= payload.iat * 1000, 'Token was issued in the future');
-    assert.ok(payload.exp >= payload.iat, 'Payload exp is before iat');
-    if ('nbf' in payload) {
-        assert.ok(typeof payload.nbf === 'number', 'Payload nbf is not a number');
-        assert.ok(Date.now() >= payload.nbf * 1000, 'Token is not valid yet');
-    }
-    if ('jti' in payload)
-        assert.ok(typeof payload.jti === 'string', 'Payload jti is not a string');
-}
-exports.validateJwtPayload = validateJwtPayload;
-async function validateSignature({ header: { kid, alg }, payload: { iss }, rawHeader, rawPayload, signature, trusted = [] }) {
-    if (alg.startsWith('HS')) {
-        // symmetric algorithm, issuer is validated at this point
-        const secrets = trusted.find((c) => c.iss === iss).secrets[alg];
-        const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0];
-        const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1'); // HS256 -> sha256
-        const hmac = node_crypto_1.default.createHmac(algorithm, secret);
-        hmac.update(rawHeader);
-        hmac.update('.');
-        hmac.update(rawPayload);
-        assert.strictEqual(signature, hmac.digest('base64url'), 'Signature does not match');
-        return;
-    }
-    // Getting issuer public keys
-    const oidcRequest = await (0, get_1.get)(new URL('/.well-known/openid-configuration', iss).href);
-    assert.ok(oidcRequest.ok, `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`);
-    const { jwks_uri: jwksUri } = (await oidcRequest.json());
-    const jwkRequest = await (0, get_1.get)(jwksUri);
-    assert.ok(jwkRequest.ok, `Failed to fetch issuer keys: ${jwkRequest.statusText}`);
-    const { keys } = (await jwkRequest.json());
-    // getting the corresponding signing key
-    const signingKeys = keys.filter((k) => k.use === 'sig' && k.alg === alg);
-    assert.ok(signingKeys.length > 0, 'No acceptable signing keys found');
-    assert.ok(kid !== undefined || signingKeys.length === 1, 'Signing key selection is not deterministic');
-    const signingKey = kid === undefined ? keys[0] : signingKeys.find((k) => k.kid === kid);
-    assert.ok(signingKey, 'Signing key was not found in issuer keys');
-    const verifyFunction = node_crypto_1.default.createVerify('RSA-SHA256');
-    verifyFunction.write(rawHeader);
-    verifyFunction.write('.');
-    verifyFunction.write(rawPayload);
-    verifyFunction.end();
-    const signatureValid = verifyFunction.verify({ format: 'jwk', key: signingKey }, signature, 'base64url');
-    assert.ok(signatureValid, 'Failed to validate signature');
-}
-exports.validateSignature = validateSignature;
-async function validateJti(token, stash) {
-    const key = `identity:federation:jti:${token.jti}`;
-    const used = await stash.exists(key);
-    assert.ok(used === 0, 'Token has already been used');
-    const ttl = token.exp - Math.floor(Date.now() / 1000);
-    await stash.set(key, '1', 'EX', ttl);
-}
-async function decode(token, trusted, stash) {
-    assert.ok(trusted !== undefined, 'No trusted issuers provided');
-    const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token);
-    validateJwtHeader(header);
-    validateJwtPayload(payload, trusted, header);
-    if (payload.jti !== undefined)
-        await validateJti(payload, stash);
-    await validateSignature({
-        header,
-        rawHeader,
-        payload,
-        rawPayload,
-        signature,
-        trusted
-    });
-    return payload;
-}
-exports.decode = decode;
-//# sourceMappingURL=jwt.js.map

package/components/identity.federation/operations/lib/jwt.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../source/lib/jwt.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,oDAAqC;AACrC,+BAA2B;AAI3B,SAAgB,SAAS,CAAE,KAAa;IAOtC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;IAE9D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;IACzE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;IAE3E,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,CAAA;AAC9D,CAAC;AAbD,8BAaC;AAED,SAAgB,iBAAiB,CAAE,MAAe;IAChD,MAAM,CAAC,EAAE,CAAC,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,yBAAyB,CAAC,CAAA;IACnF,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,MAAM,EAAE,uBAAuB,CAAC,CAAA;IACnD,MAAM,CAAC,EAAE,CAAC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,4BAA4B,CAAC,CAAA;IACvE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,iBAAiB,EAAE,qBAAqB,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;IAC9E,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,iCAAiC,CAAC,CAAA;AACpG,CAAC;AAND,8CAMC;AAED,SAAgB,kBAAkB,CAAE,OAAgB,EAClD,OAAgB,EAChB,MAAiB;IACjB,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,6BAA6B,CAAC,CAAA;IAE5D,kCAAkC;IAClC,6EAA6E;IAC7E,MAAM,CAAC,EAAE,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,0BAA0B,CAAC,CAAA;IAEtF,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,OAAO,EAAE,wBAAwB,CAAC,CAAA;IACrD,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,6BAA6B,CAAC,CAAA;IACzE,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,OAAO,EAAE,wBAAwB,CAAC,CAAA;IACrD,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QACvC,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,EAC9F,qDAAqD,CAAC,CAAA;IAEtD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAA;IAEnE,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,mBAAmB,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAEnD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAA;QAE5B,IAAI,OAAO,QAAQ,KAAK,QAAQ;YAC9B,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,QAAQ,CAAC,EAAE,qBAAqB,QAAQ,EAAE,CAAC,CAAA;;YAElF,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,sBAAsB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACxG,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAE9B,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,mCAAmC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;QAEpE,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAEhC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,wBAAwB,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;QAErD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAChC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,GAAG,IAAI,IAAI,EAAE,aAAa,MAAM,CAAC,GAAG,iBAAiB,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;IACvF,CAAC;IAED,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,OAAO,EAAE,wBAAwB,CAAC,CAAA;IACrD,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,6BAA6B,CAAC,CAAA;IAEzE,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,OAAO,EAAE,wBAAwB,CAAC,CAAA;IACrD,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,6BAA6B,CAAC,CAAA;IACzE,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,EAAE,kBAAkB,CAAC,CAAA;IAE9D,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,OAAO,EAAE,wBAAwB,CAAC,CAAA;IACrD,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,6BAA6B,CAAC,CAAA;IACzE,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,EAAE,gCAAgC,CAAC,CAAA;IAC7E,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAA;IAElE,IAAI,KAAK,IAAI,OAAO,EAAE,CAAC;QACrB,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,6BAA6B,CAAC,CAAA;QACzE,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,EAAE,wBAAwB,CAAC,CAAA;IACvE,CAAC;IAED,IAAI,KAAK,IAAI,OAAO;QAClB,MAAM,CAAC,EAAE,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,6BAA6B,CAAC,CAAA;AAC7E,CAAC;AA7DD,gDA6DC;AAEM,KAAK,UAAU,iBAAiB,CAAE,EACvC,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EACpB,OAAO,EAAE,EAAE,GAAG,EAAE,EAChB,SAAS,EACT,UAAU,EACV,SAAS,EACT,OAAO,GAAG,EAAE,EAQb;IACC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,yDAAyD;QAEzD,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAE,CAAC,OAAQ,CAAC,GAAG,CAAC,CAAA;QACjE,MAAM,MAAM,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAA;QAC3E,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA,CAAC,kBAAkB;QACxE,MAAM,IAAI,GAAG,qBAAM,CAAC,UAAU,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;QAEjD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QACtB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAChB,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;QACvB,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,0BAA0B,CAAC,CAAA;QAEnF,OAAM;IACR,CAAC;IAED,6BAA6B;IAC7B,MAAM,WAAW,GAAG,MAAM,IAAA,SAAG,EAAC,IAAI,GAAG,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,CAAA;IAErF,MAAM,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,EACtB,yCAAyC,WAAW,CAAC,UAAU,EAAE,CAAC,CAAA;IAEpE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC,MAAM,WAAW,CAAC,IAAI,EAAE,CAAyB,CAAA;IAEhF,MAAM,UAAU,GAAG,MAAM,IAAA,SAAG,EAAC,OAAO,CAAC,CAAA;IAErC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,gCAAgC,UAAU,CAAC,UAAU,EAAE,CAAC,CAAA;IAEjF,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,MAAM,UAAU,CAAC,IAAI,EAAE,CAExC,CAAA;IAED,wCAAwC;IACxC,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IAExE,MAAM,CAAC,EAAE,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,kCAAkC,CAAC,CAAA;IAErE,MAAM,CAAC,EAAE,CAAC,GAAG,KAAK,SAAS,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EACrD,4CAA4C,CAAC,CAAA;IAE/C,MAAM,UAAU,GAAG,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IAEvF,MAAM,CAAC,EAAE,CAAC,UAAU,EAAE,0CAA0C,CAAC,CAAA;IAEjE,MAAM,cAAc,GAAG,qBAAM,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;IAExD,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAC/B,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACzB,cAAc,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAChC,cAAc,CAAC,GAAG,EAAE,CAAA;IAEpB,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,EAC7E,SAAS,EACT,WAAW,CAAC,CAAA;IAEd,MAAM,CAAC,EAAE,CAAC,cAAc,EAAE,8BAA8B,CAAC,CAAA;AAC3D,CAAC;AAvED,8CAuEC;AAED,KAAK,UAAU,WAAW,CAAE,KAAc,EAAE,KAAY;IACtD,MAAM,GAAG,GAAG,2BAA2B,KAAK,CAAC,GAAG,EAAE,CAAA;IAClD,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;IAEpC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,EAAE,6BAA6B,CAAC,CAAA;IAEpD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IAErD,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,CAAA;AACtC,CAAC;AAEM,KAAK,UAAU,MAAM,CAAE,KAAa,EAAE,OAA4B,EAAE,KAAY;IACrF,MAAM,CAAC,EAAE,CAAC,OAAO,KAAK,SAAS,EAAE,6BAA6B,CAAC,CAAA;IAE/D,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAA;IAE9E,iBAAiB,CAAC,MAAM,CAAC,CAAA;IACzB,kBAAkB,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;IAE5C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS;QAC3B,MAAM,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAEnC,MAAM,iBAAiB,CAAC;QACtB,MAAM;QACN,SAAS;QACT,OAAO;QACP,UAAU;QACV,SAAS;QACT,OAAO;KACR,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC;AArBD,wBAqBC"}

package/components/identity.federation/source/lib/assertions-as-values.ts

@@ -1,22 +0,0 @@
-import * as assert from 'node:assert'
-import { console } from 'openspan'
-
-/**
- * Wrapping function that returns assertion errors as function return value
- */
-export function assertionsAsValues<T extends (...args: any[]) => Promise<any>> (
-  fn: T) {
-  return async (...args: Parameters<T>): Promise<ReturnType<T> | Error> => {
-    try {
-      return await fn(...args)
-    } catch (err) {
-      if (err instanceof assert.AssertionError) {
-        console.error('OIDC Authentication exception', { message: err.message })
-
-        return err
-      }
-
-      throw err
-    }
-  }
-}

package/components/identity.federation/source/lib/get.ts

@@ -1,82 +0,0 @@
-/* eslint-disable max-depth */
-
-import { Readable } from 'node:stream'
-import { buffer } from 'node:stream/consumers'
-
-import Cache from '@isaacs/ttlcache'
-import Policy from 'http-cache-semantics'
-import type { ReadableStream } from 'node:stream/web'
-
-const cache = new Cache<string, Entry>()
-
-export async function get (url: string, init?: RequestInit): Promise<Response> {
-  const headers = toRecord(init?.headers)
-  const request = { url, method: 'GET', headers }
-  const cached = cache.get(url)
-
-  if (cached?.policy.satisfiesWithoutRevalidation(request) === true) {
-    const headers = toHeaders(cached.policy.responseHeaders())
-
-    return new Response(cached.body, { headers })
-  }
-
-  const response = await fetch(url, init)
-  const policy = new Policy(request, { status: response.status, headers: toRecord(response.headers) })
-  const ttl = policy.timeToLive()
-
-  if (policy.storable() && ttl > 0) {
-    const body = await toBuffer(response.body as ReadableStream)
-
-    cache.set(url, { policy, body }, { ttl })
-
-    return new Response(body, { headers: response.headers })
-  } else
-    return response
-}
-
-function toRecord (headers: RequestInit['headers']): Record<string, string> {
-  if (!(headers instanceof Headers))
-    headers = toHeaders(headers)
-
-  return Object.fromEntries(headers.entries())
-}
-
-function toHeaders (values?: Array<[string, string]> | Record<string, string | string[] | undefined>): Headers {
-  const headers = new Headers()
-
-  if (values === undefined)
-    return headers
-
-  if (Array.isArray(values))
-    for (const [name, value] of values)
-      headers.append(name, value)
-  else
-    for (const name in values) {
-      const value = values[name]
-
-      if (value === undefined)
-        continue
-
-      if (Array.isArray(value))
-        for (const v of value)
-          headers.append(name, v)
-      else
-        headers.append(name, value)
-    }
-
-  return headers
-}
-
-async function toBuffer (body: ReadableStream<Uint8Array> | null): Promise<Buffer | null> {
-  if (body === null)
-    return null
-
-  const buf = await buffer(Readable.fromWeb(body as ReadableStream))
-
-  return Buffer.from(buf)
-}
-
-interface Entry {
-  policy: Policy
-  body: Buffer | null
-}

package/components/identity.federation/source/lib/jwt.test.ts

@@ -1,179 +0,0 @@
-import * as http from 'node:http'
-
-/* eslint-disable @typescript-eslint/consistent-type-assertions */
-import { once } from 'node:events'
-import { validateSignature, decodeJwt, validateJwtPayload } from './jwt'
-import { get } from './get'
-import type { AddressInfo } from 'node:net'
-import type { IdToken, JwtHeader, Trust } from '../types'
-
-describe('jwt', () => {
-  describe('validateJwtPayload', () => {
-    const jwtHeader: JwtHeader = { alg: 'HS256', kid: 'k1' }
-
-    const trusted: Trust[] = [{
-      iss: 'test-iss',
-      aud: ['test-aud1', 'test-aud2'],
-      secrets: { [jwtHeader.alg]: { [jwtHeader.kid!]: 'test-secrete' } }
-    }]
-
-    const validJwtPayload: IdToken = {
-      iss: trusted[0].iss,
-      sub: 'test-sub',
-      iat: Date.now() / 1000,
-      exp: Date.now() / 1000 + 2000,
-      aud: trusted[0].aud![1]
-    }
-
-    describe('aud', () => {
-      test('throws without it', () => {
-        const { aud, ...noAudPayload } = validJwtPayload
-
-        expect(() => validateJwtPayload(noAudPayload, trusted, jwtHeader)).toThrow('Payload is missing aud')
-      })
-
-      test('passes with a single string', () => {
-        expect(validJwtPayload.aud).toEqual(expect.any(String))
-        expect(() => validateJwtPayload(validJwtPayload, trusted, jwtHeader)).not.toThrow()
-      })
-
-      test('passes with an array', () => {
-        const arrayAudPayload = { ...validJwtPayload, aud: trusted[0].aud }
-
-        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
-        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader)).not.toThrow()
-      })
-
-      test('throws with an array that does not intersects', () => {
-        const arrayAudPayload = { ...validJwtPayload, aud: ['boo', 'foo'] }
-
-        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
-        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader))
-          .toThrow('Unknown audiences: boo, foo')
-      })
-    })
-  })
-
-  test('decode', () => {
-    const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
-
-    expect(header).toMatchObject({ alg: 'HS256' })
-    expect(payload).toEqual({ some: 'payload' })
-  })
-
-  test('symmetric pass', async () => {
-    // example from
-    // https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-hs256
-
-    await expect(validateSignature({
-      header: { alg: 'HS256', kid: 'k2' },
-      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
-      rawHeader: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9',
-      rawPayload: 'eyJzb21lIjoicGF5bG9hZCJ9',
-      signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
-      trusted: [
-        {
-          iss: 'test-issuer',
-          secrets: {
-            HS256: {
-              k1: 'old-secret',
-              k2: 'secret'
-            }
-          }
-        }
-      ]
-    } as Parameters<typeof validateSignature>[0])).resolves.toBeUndefined()
-  })
-
-  test('symmetric fail', async () => {
-    await expect(validateSignature({
-      header: { alg: 'HS256' },
-      payload: { iss: 'test-issuer', aud: 'test', sub: '0', exp: 0, iat: 0 },
-      rawHeader: 'header',
-      rawPayload: 'payload',
-      signature: 'signature',
-      trusted: [
-        {
-          iss: 'test-issuer',
-          secrets: {
-            HS256: {
-              theKey: 'secret'
-            }
-          }
-        }
-      ]
-    } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
-  })
-
-  describe('cache', () => {
-    let server: http.Server
-    // eslint-disable-next-line @typescript-eslint/no-invalid-void-type
-    const handler = jest.fn<void, [http.IncomingMessage, http.ServerResponse]>()
-    let endpoint: string
-
-    beforeAll(async () => {
-      server = http.createServer(handler)
-
-      server.listen(0, 'localhost')
-      await once(server, 'listening')
-
-      const { port } = server.address() as AddressInfo
-
-      endpoint = `http://localhost:${port}`
-    })
-
-    afterEach(() => {
-      handler.mockReset()
-    })
-
-    afterAll(async () => {
-      server.close()
-      await once(server, 'close')
-    })
-
-    test('fetches only once', async () => {
-      handler.mockImplementationOnce((req, res) => {
-        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'public, max-age=3600' })
-        res.end(JSON.stringify({ foo: 'bar' }))
-      }).mockImplementationOnce((req, res) => {
-        res.writeHead(500)
-        res.end()
-      })
-
-      const firstRequest = await get(endpoint)
-
-      expect(firstRequest.ok).toBe(true)
-
-      const json = await firstRequest.json()
-
-      expect(json).toEqual({ foo: 'bar' })
-
-      const secondRequest = await get(endpoint)
-
-      expect(secondRequest.ok).toBe(true)
-      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
-
-      expect(handler).toHaveBeenCalledTimes(1)
-    })
-
-    test('respects caching headers', async () => {
-      handler.mockImplementation((req, res) => {
-        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'no-cache' })
-        res.end(JSON.stringify({ foo: 'bar' }))
-      })
-
-      const firstRequest = await get(endpoint + '/no-cache')
-
-      expect(firstRequest.headers.get('cache-control')).toBe('no-cache')
-      expect(firstRequest.ok).toBe(true)
-      await expect(firstRequest.json()).resolves.toEqual({ foo: 'bar' })
-
-      const secondRequest = await get(endpoint + '/no-cache')
-
-      expect(secondRequest.ok).toBe(true)
-      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
-
-      expect(handler).toHaveBeenCalledTimes(2)
-    })
-  })
-})