@toa.io/extensions.exposition 1.0.0-alpha.150 → 1.0.0-alpha.151

package/components/identity.federation/operations/types/context.d.ts

@@ -1,5 +1,5 @@
 import type { JWTPayload } from 'jose';
-import type { Call, Observation, Query, Stash, telemetry } from '@toa.io/types';
+import type { Call, Observation, Query, telemetry } from '@toa.io/types';
 import type { Entity } from './entity';
 import type { Configuration } from './configuration';
 export interface Context {
@@ -17,7 +17,6 @@ export interface Context {
         };
     };
     logs: telemetry.Logs;
-    stash: Stash;
     configuration: Configuration;
 }
 export interface TransitInput {

package/components/identity.federation/source/authenticate.ts

@@ -10,7 +10,6 @@ export async function effect ({ scheme, authority, credentials }: Input, context
 
   const ctx: Ctx = {
     trust: context.configuration.trust,
-    stash: context.stash,
     logs: context.logs
   }
 

package/components/identity.federation/source/decode.ts

@@ -5,7 +5,6 @@ import type { Context } from './types'
 export async function effect (token: string, context: Context): Promise<JWTPayload | Error> {
   return await decode(token, {
     trust: context.configuration.trust,
-    stash: context.stash,
     logs: context.logs
   })
 }

package/components/identity.federation/source/incept.ts

@@ -4,11 +4,10 @@ import type { Request } from '@toa.io/types'
 import type { Context, Entity, TransitInput, Scheme } from './types'
 
 export async function effect (input: Input, context: Context): Promise<Output | Error> {
-  if (input.scheme !== 'bearer') return ERR_SCHEME
+  if (input.scheme === 'code') return ERR_SCHEME
 
   const payload = await decode(input.credentials, {
     trust: context.configuration.trust,
-    stash: context.stash,
     logs: context.logs
   })
 
@@ -27,9 +26,9 @@ export async function effect (input: Input, context: Context): Promise<Output |
 const ERR_SCHEME = new Err('ERR_SCHEME', 'Unsupported scheme')
 
 export interface Input {
-  scheme: Scheme
   authority: string
   credentials: string
+  scheme?: Scheme
   id?: string
 }
 

package/components/identity.federation/source/lib/Ctx.ts

@@ -1,8 +1,7 @@
-import type { Stash, telemetry } from '@toa.io/types'
+import type { telemetry } from '@toa.io/types'
 import type { Trust } from '../types'
 
 export interface Ctx {
   trust: Trust[]
-  stash: Stash
   logs: telemetry.Logs
 }

package/components/identity.federation/source/lib/decode.ts

@@ -1,7 +1,6 @@
 import * as jose from 'jose'
 import { createRemoteJWKSet } from './discovery'
-import { ERR_TRUST, ERR_ISS, ERR_SUB, ERR_REPLAY, ERR_EXP } from './errors'
-import type { Stash } from '@toa.io/types'
+import { ERR_TRUST, ERR_ISS, ERR_SUB } from './errors'
 import type { Ctx } from './Ctx'
 import type { Payload } from './Payload'
 
@@ -25,24 +24,5 @@ export async function decode (token: string, ctx: Ctx): Promise<Payload | Error>
 
   const { payload } = await jose.jwtVerify(token, jwks[iss], { audience: trusted.aud })
 
-  if (payload.jti !== undefined) {
-    const error = await validateJti(payload, ctx.stash)
-
-    if (error instanceof Error)
-      return error
-  }
-
   return payload as Payload
 }
-
-async function validateJti (payload: jose.JWTPayload, stash: Stash): Promise<void | Error> {
-  if (payload.exp === undefined)
-    return ERR_EXP
-
-  const ttl = payload.exp - Math.floor(Date.now() / 1000)
-  const key = `identity:federation:jti:${payload.jti}`
-  const ok = await stash.set(key, 1, 'EX', ttl, 'NX') // set if not exists
-
-  if (ok === null)
-    return ERR_REPLAY
-}

package/components/identity.federation/source/lib/exchange.ts

@@ -95,7 +95,7 @@ async function sign (trust: Trust): Promise<string> {
   const signature = trust.signature!
   const aud = Array.isArray(trust.aud) ? trust.aud[0] : trust.aud!
   const now = Math.floor(Date.now() / 1000)
-  const key = await jose.importPKCS8(signature.key, 'ES256')
+  const key = await jose.importPKCS8(atob(signature.key), 'ES256')
 
   return await new jose.SignJWT({})
     .setProtectedHeader({ alg: 'ES256', kid: signature.kid })

package/components/identity.federation/source/types/context.ts

@@ -1,6 +1,5 @@
 import type { JWTPayload } from 'jose'
-
-import type { Call, Observation, Query, Stash, telemetry } from '@toa.io/types'
+import type { Call, Observation, Query, telemetry } from '@toa.io/types'
 import type { Entity } from './entity'
 import type { Configuration } from './configuration'
 
@@ -19,7 +18,6 @@ export interface Context {
     }
   }
   logs: telemetry.Logs
-  stash: Stash
   configuration: Configuration
 }
 

package/features/identity.federation.feature

@@ -236,42 +236,6 @@ Feature: Identity Federation
       id: ${{ Bob.id }}
       """
 
-  Scenario: Tokens with `jti` are one-time
-    Given the `identity.federation` configuration:
-      """yaml
-      trust:
-        - iss: http://localhost:44444
-      """
-    And ID token with jti is issued for User
-    When the following request is received:
-      """
-      GET /identity/ HTTP/1.1
-      host: nex.toa.io
-      authorization: Bearer ${{ User.id_token }}
-      accept: application/yaml
-      """
-    Then the following reply is sent:
-      """
-      200 OK
-      authorization: Token ${{ User.token }}
-
-      id: ${{ User.id }}
-      roles: []
-      """
-
-    # second use
-    When the following request is received:
-      """
-      GET /identity/ HTTP/1.1
-      host: nex.toa.io
-      authorization: Bearer ${{ User.id_token }}
-      accept: application/yaml
-      """
-    Then the following reply is sent:
-      """
-      401 Unauthorized
-      """
-
   Scenario: Authorization code flow with secret
     Given the `identity.federation` configuration:
       """yaml
@@ -305,7 +269,7 @@ Feature: Identity Federation
           signature:
             iss: io.toa.nex.id
             kid: key-id
-            key: secret
+            key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZzl4OURhdHdIMEdaSFNDbzkKVE1IVFZYeWVZMFlROHFiNzNqSFYydjRNc3llaFJBTkNBQVF3YVlsbmEyaFNWM0cvUklsTkxWNDFsZzhQbTRLZgpIZkN1S0tpdzNCSUpUblNBckFNSkxTeTF2WXdTSU1IejcyMG1rbVdUcld1UWtranZrRHBaeGZSdgotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0t
       """
     And auth code for Bob is issued for https://web.toa.io/callback/
     When the following request is received:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.exposition",
-  "version": "1.0.0-alpha.150",
+  "version": "1.0.0-alpha.151",
   "description": "Toa Exposition",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -62,5 +62,5 @@
     },
     "testEnvironment": "node"
   },
-  "gitHead": "4f3e9875d99d8db718c8825cea8188147b3d9337"
+  "gitHead": "38345350d7fc75507400826ad41ce29caf3e35c6"
 }

package/source/directives/auth/Incept.ts

@@ -35,6 +35,7 @@ export class Incept implements Directive {
 
     const identity = await Incept.schemes[scheme].invoke<Maybe<Identity>>('incept', {
       input: {
+        scheme,
         authority: context.authority,
         id,
         credentials

package/transpiled/directives/auth/Incept.js

@@ -52,6 +52,7 @@ class Incept {
         Incept.schemes[scheme] ??= await Incept.discovery[provider];
         const identity = await Incept.schemes[scheme].invoke('incept', {
             input: {
+                scheme,
                 authority: context.authority,
                 id,
                 credentials

package/transpiled/directives/auth/Incept.js.map

@@ -1 +1 @@
-{"version":3,"file":"Incept.js","sourceRoot":"","sources":["../../../source/directives/auth/Incept.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,uCAAkC;AAClC,iDAAkC;AAClC,mCAA+B;AAC/B,qCAAiC;AACjC,uCAAgD;AAIhD,MAAa,MAAM;IACT,MAAM,CAAU,OAAO,GAAY,EAAwB,CAAA;IAC3D,MAAM,CAAC,SAAS,CAAW;IAElB,QAAQ,CAAe;IAExC,YAAoB,QAAgB,EAAE,SAAoB;QACxD,qBAAM,CAAC,EAAE,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,QAAQ,KAAK,QAAQ,EACzD,8CAA8C,CAAC,CAAA;QAEjD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,MAAM,CAAC,SAAS,KAAK,SAAS,CAAA;IAChC,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,EAAU;QACtD,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAA,aAAK,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAc,CAAC,CAAA;QAC3E,MAAM,QAAQ,GAAG,mBAAS,CAAC,MAAM,CAAC,CAAA;QAElC,IAAI,QAAQ,KAAK,SAAS;YACxB,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,wCAAwC,CAAC,CAAA;QAErE,IAAI,CAAC,mBAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/B,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,2DAA2D,CAAC,CAAA;QAExF,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,MAAM,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QAE3D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAkB,QAAQ,EAAE;YAC9E,KAAK,EAAE;gBACL,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,EAAE;gBACF,WAAW;aACZ;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,YAAY,KAAK;YAC3B,MAAM,IAAI,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAA;QAE9C,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAA;QACxB,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAA;QAEnB,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEM,SAAS,CAAE,QAAyB;QACzC,OAAO,QAAQ,KAAK,IAAI,CAAA;IAC1B,CAAC;IAEM,KAAK,CAAE,OAAgB;QAC5B,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;YACxB,OAAO,IAAI,CAAA;QAEb,MAAM,IAAI,GAAG,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAE1D,OAAO,EAAE,IAAI,EAAE,CAAA;IACjB,CAAC;IAEM,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,QAA8B;QACnE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAA;QAEjD,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;YACrB,kBAAO,CAAC,KAAK,CAAC,gEAAgE,EAAE;gBAC9E,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ;aACT,CAAC,CAAA;YAEF,OAAM;QACR,CAAC;QAED,IAAA,qBAAM,EAAC,OAAO,EAAE,KAAK,QAAQ,EAAE,2BAA2B,IAAI,CAAC,QAAQ,2BAA2B,CAAC,CAAA;QAEnG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS;YACrD,OAAO,CAAC,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;;YAEnD,OAAO,CAAC,QAAQ,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IACrE,CAAC;;AA1EH,wBA2EC"}
+{"version":3,"file":"Incept.js","sourceRoot":"","sources":["../../../source/directives/auth/Incept.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8DAAgC;AAChC,uCAAkC;AAClC,iDAAkC;AAClC,mCAA+B;AAC/B,qCAAiC;AACjC,uCAAgD;AAIhD,MAAa,MAAM;IACT,MAAM,CAAU,OAAO,GAAY,EAAwB,CAAA;IAC3D,MAAM,CAAC,SAAS,CAAW;IAElB,QAAQ,CAAe;IAExC,YAAoB,QAAgB,EAAE,SAAoB;QACxD,qBAAM,CAAC,EAAE,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,QAAQ,KAAK,QAAQ,EACzD,8CAA8C,CAAC,CAAA;QAEjD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;QACxB,MAAM,CAAC,SAAS,KAAK,SAAS,CAAA;IAChC,CAAC;IAEM,MAAM,CAAC,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,EAAU;QACtD,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,IAAA,aAAK,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAc,CAAC,CAAA;QAC3E,MAAM,QAAQ,GAAG,mBAAS,CAAC,MAAM,CAAC,CAAA;QAElC,IAAI,QAAQ,KAAK,SAAS;YACxB,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,wCAAwC,CAAC,CAAA;QAErE,IAAI,CAAC,mBAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/B,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,2DAA2D,CAAC,CAAA;QAExF,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,MAAM,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;QAE3D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAAkB,QAAQ,EAAE;YAC9E,KAAK,EAAE;gBACL,MAAM;gBACN,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,EAAE;gBACF,WAAW;aACZ;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,YAAY,KAAK;YAC3B,MAAM,IAAI,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAA;QAE9C,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAA;QACxB,QAAQ,CAAC,KAAK,GAAG,EAAE,CAAA;QAEnB,OAAO,QAAQ,CAAA;IACjB,CAAC;IAEM,SAAS,CAAE,QAAyB;QACzC,OAAO,QAAQ,KAAK,IAAI,CAAA;IAC1B,CAAC;IAEM,KAAK,CAAE,OAAgB;QAC5B,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;YACxB,OAAO,IAAI,CAAA;QAEb,MAAM,IAAI,GAAG,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAA;QAE1D,OAAO,EAAE,IAAI,EAAE,CAAA;IACjB,CAAC;IAEM,KAAK,CAAC,MAAM,CAAE,OAAgB,EAAE,QAA8B;QACnE,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAA;QAEjD,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;YACrB,kBAAO,CAAC,KAAK,CAAC,gEAAgE,EAAE;gBAC9E,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ;aACT,CAAC,CAAA;YAEF,OAAM;QACR,CAAC;QAED,IAAA,qBAAM,EAAC,OAAO,EAAE,KAAK,QAAQ,EAAE,2BAA2B,IAAI,CAAC,QAAQ,2BAA2B,CAAC,CAAA;QAEnG,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS;YACrD,OAAO,CAAC,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;;YAEnD,OAAO,CAAC,QAAQ,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IACrE,CAAC;;AA3EH,wBA4EC"}