@tsed/oidc-provider 8.0.1 → 8.0.3

package/src/domain/OidcSettings.ts

@@ -0,0 +1,72 @@
+import type {Adapter} from "@tsed/adapters";
+import type {Type} from "@tsed/core";
+import type {JwksKeyParameters} from "@tsed/jwks";
+import type {Configuration} from "oidc-provider";
+
+import type {OidcAccountsMethods} from "./OidcAccountsMethods.js";
+
+export interface OidcSettings extends Configuration {
+  /**
+   * force the secure cookie. By default, in dev mode it's disabled and in production it's enabled.
+   */
+  secureCookies?: boolean;
+  /**
+   * Path on which the oidc-provider instance is mounted.
+   */
+  path?: string;
+  /**
+   * Issuer URI. By default, Ts.ED create issuer with http://localhost:${httpPort}
+   */
+  issuer?: string;
+  /**
+   * Path to store jwks keys.
+   */
+  jwksPath?: string;
+  /**
+   * Generate jwks from given certificates
+   */
+  certificates?: JwksKeyParameters[];
+  /**
+   * Secure keys.
+   */
+  secureKey?: string[];
+  /**
+   * Enable proxy.
+   */
+  proxy?: boolean;
+  /**
+   * Allow redirect_uri on HTTP protocol and localhost domain.
+   */
+  allowHttpLocalhost?: boolean;
+  /**
+   * Injectable service to manage accounts.
+   */
+  Accounts?: Type<OidcAccountsMethods>;
+  /**
+   * Injectable adapter to manage database connexion.
+   */
+  Adapter?: Type<Adapter>;
+  /**
+   * Use the connection name for the OIDCRedisAdapter.
+   */
+  connectionName?: string;
+
+  plugins?: TsED.OIDCPluginSettings;
+
+  render?: {
+    /**
+     * By default ["clientSecret"] is omitted
+     */
+    omitClientProps?: string[];
+  };
+}
+
+declare global {
+  namespace TsED {
+    interface OIDCPluginSettings {}
+
+    interface Configuration {
+      oidc: OidcSettings;
+    }
+  }
+}

package/src/domain/interfaces.ts

@@ -0,0 +1,13 @@
+import type {default as Provider, interactionPolicy} from "oidc-provider";
+
+export type OIDCContext = InstanceType<Provider["OIDCContext"]>;
+export type OidcClient = InstanceType<Provider["Client"]>;
+export type DefaultPolicy = interactionPolicy.DefaultPolicy;
+export type AuthorizationCode = InstanceType<Provider["AuthorizationCode"]>;
+export type AccessToken = InstanceType<Provider["AccessToken"]>;
+export type ClientCredentials = InstanceType<Provider["ClientCredentials"]>;
+export type DeviceCode = InstanceType<Provider["DeviceCode"]>;
+export type RefreshToken = InstanceType<Provider["RefreshToken"]>;
+export type BackchannelAuthenticationRequest = InstanceType<Provider["BackchannelAuthenticationRequest"]>;
+export type Grant = InstanceType<Provider["Grant"]>;
+export type OidcInteraction = InstanceType<Provider["Interaction"]>;

package/src/index.ts

@@ -0,0 +1,33 @@
+/**
+ * @file Automatically generated by @tsed/barrels.
+ */
+export * from "./constants/constants.js";
+export * from "./decorators/grantId.js";
+export * from "./decorators/interaction.js";
+export * from "./decorators/interactions.js";
+export * from "./decorators/noCache.js";
+export * from "./decorators/oidcCtx.js";
+export * from "./decorators/oidcSession.js";
+export * from "./decorators/params.js";
+export * from "./decorators/prompt.js";
+export * from "./decorators/uid.js";
+export * from "./domain/InteractionMethods.js";
+export * from "./domain/interfaces.js";
+export * from "./domain/OidcAccountsMethods.js";
+export * from "./domain/OidcBadInteractionName.js";
+export * from "./domain/OidcInteractionMethods.js";
+export * from "./domain/OidcInteractionOptions.js";
+export * from "./domain/OidcInteractionPromptProps.js";
+export * from "./domain/OidcSettings.js";
+export * from "./middlewares/OidcInteractionMiddleware.js";
+export * from "./middlewares/OidcNoCacheMiddleware.js";
+export * from "./middlewares/OidcSecureMiddleware.js";
+export * from "./OidcModule.js";
+export * from "./services/OidcAdapters.js";
+export * from "./services/OidcInteractionContext.js";
+export * from "./services/OidcInteractions.js";
+export * from "./services/OidcJwks.js";
+export * from "./services/OidcPolicy.js";
+export * from "./services/OidcProvider.js";
+export * from "./utils/debug.js";
+export * from "./utils/events.js";

package/src/middlewares/OidcInteractionMiddleware.spec.ts

@@ -0,0 +1,40 @@
+import {faker} from "@faker-js/faker";
+import {PlatformTest} from "@tsed/platform-http/testing";
+
+import {
+  INTERACTION_CONTEXT,
+  INTERACTION_DETAILS,
+  INTERACTION_PARAMS,
+  INTERACTION_PROMPT,
+  INTERACTION_SESSION,
+  INTERACTION_UID
+} from "../constants/constants.js";
+import {OidcInteractionContext} from "../services/OidcInteractionContext.js";
+import {OidcInteractionMiddleware} from "./OidcInteractionMiddleware.js";
+
+describe("OidcInteractionMiddleware", () => {
+  beforeEach(() => PlatformTest.create());
+  afterEach(() => PlatformTest.reset());
+  it("should create interaction details and store it to the context", async () => {
+    const interactionDetails = {
+      uid: faker.string.uuid(),
+      prompt: {},
+      params: {},
+      session: {}
+    };
+    const oidcInteractionContext = {
+      interactionDetails: vi.fn().mockReturnValue(interactionDetails)
+    };
+
+    const middleware = await PlatformTest.invoke<OidcInteractionMiddleware>(OidcInteractionMiddleware, [
+      {
+        token: OidcInteractionContext,
+        use: oidcInteractionContext
+      }
+    ]);
+
+    await middleware.use();
+
+    expect(oidcInteractionContext.interactionDetails).toHaveBeenCalledWith();
+  });
+});

package/src/middlewares/OidcInteractionMiddleware.ts

@@ -0,0 +1,14 @@
+import {Inject} from "@tsed/di";
+import {Middleware} from "@tsed/platform-middlewares";
+
+import {OidcInteractionContext} from "../services/OidcInteractionContext.js";
+
+@Middleware()
+export class OidcInteractionMiddleware {
+  @Inject()
+  protected oidcInteractionContext: OidcInteractionContext;
+
+  async use() {
+    await this.oidcInteractionContext.interactionDetails();
+  }
+}

package/src/middlewares/OidcNoCacheMiddleware.spec.ts

@@ -0,0 +1,18 @@
+import {PlatformTest} from "@tsed/platform-http/testing";
+
+import {OidcNoCacheMiddleware} from "./OidcNoCacheMiddleware.js";
+
+describe("OidcNoCacheMiddleware", () => {
+  beforeEach(() => PlatformTest.create());
+  afterEach(() => PlatformTest.reset());
+  it("should add headers", () => {
+    const middleware = PlatformTest.get<OidcNoCacheMiddleware>(OidcNoCacheMiddleware);
+    const ctx = PlatformTest.createRequestContext();
+    vi.spyOn(ctx.response, "setHeader").mockReturnThis();
+
+    middleware.use(ctx);
+
+    expect(ctx.response.setHeader).toHaveBeenCalledWith("Pragma", "no-cache");
+    expect(ctx.response.setHeader).toHaveBeenCalledWith("Cache-Control", "no-cache, no-store");
+  });
+});

package/src/middlewares/OidcNoCacheMiddleware.ts

@@ -0,0 +1,10 @@
+import {Middleware, MiddlewareMethods} from "@tsed/platform-middlewares";
+import {Context} from "@tsed/platform-params";
+
+@Middleware()
+export class OidcNoCacheMiddleware implements MiddlewareMethods {
+  use(@Context() ctx: Context) {
+    ctx.response.setHeader("Pragma", "no-cache");
+    ctx.response.setHeader("Cache-Control", "no-cache, no-store");
+  }
+}

package/src/middlewares/OidcSecureMiddleware.spec.ts

@@ -0,0 +1,106 @@
+import {PlatformTest} from "@tsed/platform-http/testing";
+
+import {OidcSecureMiddleware} from "./OidcSecureMiddleware.js";
+
+describe("OidcSecureMiddleware", () => {
+  beforeEach(() => PlatformTest.create());
+  afterEach(() => PlatformTest.reset());
+
+  it("should check if the request is not secure on GET verb", async () => {
+    const middleware = await PlatformTest.invoke<OidcSecureMiddleware>(OidcSecureMiddleware);
+    const request = PlatformTest.createRequest({
+      secure: false,
+      method: "GET",
+      url: "/path",
+      headers: {
+        host: "host"
+      }
+    });
+
+    const ctx = PlatformTest.createRequestContext({
+      event: {
+        request
+      }
+    });
+    vi.spyOn(ctx.response, "redirect").mockReturnValue(undefined as any);
+
+    middleware.use(ctx);
+
+    expect(ctx.response.redirect).toHaveBeenCalledWith(302, "https://host/path");
+  });
+
+  it("should check if the request is not secure on HEAD verb", async () => {
+    const middleware = await PlatformTest.invoke<OidcSecureMiddleware>(OidcSecureMiddleware);
+    const ctx = PlatformTest.createRequestContext({
+      event: {
+        request: PlatformTest.createRequest({
+          secure: false,
+          method: "GET",
+          url: "/path",
+          headers: {
+            host: "host"
+          }
+        })
+      }
+    });
+
+    vi.spyOn(ctx.response, "redirect").mockReturnValue(undefined as any);
+
+    middleware.use(ctx);
+
+    expect(ctx.response.redirect).toHaveBeenCalledWith(302, "https://host/path");
+  });
+
+  it("should check if the request is not secure on POST verb", async () => {
+    const middleware = await PlatformTest.invoke<OidcSecureMiddleware>(OidcSecureMiddleware);
+    const ctx = PlatformTest.createRequestContext({
+      event: {
+        request: PlatformTest.createRequest({
+          secure: false,
+          method: "POST",
+          url: "/path",
+          headers: {
+            host: "host"
+          }
+        })
+      }
+    });
+
+    let actualError: any;
+    try {
+      middleware.use(ctx);
+    } catch (er) {
+      actualError = er;
+    }
+
+    expect(actualError.status).toEqual(400);
+    expect(actualError.message).toEqual("InvalidRequest");
+    expect(actualError.body).toEqual({
+      error: "invalid_request",
+      error_description: "Do yourself a favor and only use https"
+    });
+  });
+
+  it("should check if the request is secure on GET verb", async () => {
+    const middleware = await PlatformTest.invoke<OidcSecureMiddleware>(OidcSecureMiddleware);
+
+    const ctx = PlatformTest.createRequestContext({
+      event: {
+        request: PlatformTest.createRequest({
+          secure: true,
+          method: "GET",
+          url: "/path",
+          headers: {
+            host: "host"
+          }
+        })
+      }
+    });
+
+    vi.spyOn(ctx.response, "redirect").mockReturnValue(undefined as any);
+
+    middleware.use(ctx);
+
+    expect(ctx.response.redirect).not.toHaveBeenCalled();
+  });
+});

package/src/middlewares/OidcSecureMiddleware.ts

@@ -0,0 +1,29 @@
+import {BadRequest} from "@tsed/exceptions";
+import {Middleware, MiddlewareMethods} from "@tsed/platform-middlewares";
+import {Context} from "@tsed/platform-params";
+import url from "url";
+
+@Middleware()
+export class OidcSecureMiddleware implements MiddlewareMethods {
+  use(@Context() ctx: Context) {
+    const req = ctx.request;
+
+    if (!req.secure) {
+      if (req.method === "GET" || req.method === "HEAD") {
+        ctx.response.redirect(
+          302,
+          url.format({
+            protocol: "https",
+            host: req.get("host"),
+            pathname: req.url
+          })
+        );
+      } else {
+        throw new BadRequest("InvalidRequest", {
+          error: "invalid_request",
+          error_description: "Do yourself a favor and only use https"
+        });
+      }
+    }
+  }
+}

package/src/services/OidcAdapters.spec.ts

@@ -0,0 +1,100 @@
+import {faker} from "@faker-js/faker";
+import {PlatformTest} from "@tsed/platform-http/testing";
+import type {Adapter} from "oidc-provider";
+
+import {OidcAdapters} from "./OidcAdapters.js";
+
+describe("OidcAdapters", () => {
+  beforeEach(() => PlatformTest.create());
+  afterEach(() => PlatformTest.reset());
+
+  describe("createAdapterClass()", () => {
+    let adapter: Adapter;
+
+    beforeEach(async () => {
+      const oidcAdapters = await PlatformTest.invoke<OidcAdapters>(OidcAdapters);
+      adapter = new (oidcAdapters.createAdapterClass())("clients");
+    });
+
+    describe("adapter.upsert()", () => {
+      it("should call upsert", async () => {
+        const id = faker.string.uuid();
+
+        await adapter.upsert(
+          id,
+          {
+            client_id: id
+          },
+          20000
+        );
+
+        const obj: any = await adapter.find(id);
+
+        expect(obj._id).toEqual(id);
+        expect(obj.client_id).toEqual(id);
+        expect(obj.expires_at).toBeInstanceOf(Date);
+
+        await adapter.destroy(id);
+      });
+    });
+
+    describe("adapter.findByUserCode()", () => {
+      it("should find data by userCode", async () => {
+        const id = faker.string.uuid();
+
+        await adapter.upsert(
+          id,
+          {
+            userCode: id
+          },
+          20000
+        );
+
+        const obj: any = await adapter.findByUserCode(id);
+
+        expect(obj._id).toEqual(id);
+        expect(obj.userCode).toEqual(id);
+        expect(obj.expires_at).toBeInstanceOf(Date);
+      });
+    });
+    describe("adapter.findByUid()", () => {
+      it("should find data by uid", async () => {
+        const id = faker.string.uuid();
+
+        await adapter.upsert(
+          id,
+          {
+            uid: id
+          },
+          20000
+        );
+
+        const obj: any = await adapter.findByUid(id);
+
+        expect(obj._id).toEqual(id);
+        expect(obj.uid).toEqual(id);
+        expect(obj.expires_at).toBeInstanceOf(Date);
+      });
+    });
+    describe("adapter.deleteMany()", () => {
+      it("should delete items", async () => {
+        const id = faker.string.uuid();
+
+        await adapter.upsert(
+          id,
+          {
+            grantId: id
+          },
+          20000
+        );
+
+        await adapter.consume(id);
+        const obj: any = await adapter.find(id);
+        await adapter.revokeByGrantId(id);
+
+        expect(obj._id).toEqual(id);
+        expect(obj.grantId).toEqual(id);
+      });
+    });
+  });
+});

package/src/services/OidcAdapters.ts

@@ -0,0 +1,92 @@
+import {Adapter, Adapters} from "@tsed/adapters";
+import {constant, inject, Injectable} from "@tsed/di";
+import type {Adapter as OidcAdapter, AdapterConstructor} from "oidc-provider";
+
+export type OidcAdapterMethods<Model = any> = Adapter<Model> & Partial<Omit<OidcAdapter, "upsert">>;
+
+@Injectable()
+export class OidcAdapters {
+  protected adapters = inject(Adapters);
+
+  createAdapterClass(): AdapterConstructor {
+    const self = this;
+    const adapterBase = constant("oidc.Adapter", constant("adapters.Adapter"));
+    const connectionName = constant("oidc.connectionName", "default");
+
+    return class CustomAdapter implements OidcAdapter {
+      adapter: OidcAdapterMethods;
+
+      constructor(name: string) {
+        this.adapter = self.adapters.invokeAdapter<any>({
+          adapter: adapterBase,
+          collectionName: name,
+          connectionName,
+          model: Object
+        }) as OidcAdapterMethods;
+      }
+
+      async upsert(id: string, payload: any, expiresIn: number): Promise<void> {
+        let expiresAt;
+
+        if (expiresIn) {
+          expiresAt = new Date(Date.now() + expiresIn * 1000);
+        }
+
+        await this.adapter.upsert(id, payload, expiresAt);
+      }
+
+      find(id: string) {
+        return this.adapter.findById(id);
+      }
+
+      findByUserCode(userCode: string) {
+        // istanbul ignore next
+        if (this.adapter.findByUserCode) {
+          return this.adapter.findByUserCode(userCode);
+        }
+
+        return this.adapter.findOne({
+          userCode
+        });
+      }
+
+      findByUid(uid: string) {
+        // istanbul ignore next
+        if (this.adapter.findByUid) {
+          return this.adapter.findByUid(uid);
+        }
+
+        return this.adapter.findOne({
+          uid
+        });
+      }
+
+      async destroy(id: string) {
+        // istanbul ignore next
+        if (this.adapter.destroy) {
+          return this.adapter.destroy(id);
+        }
+
+        await this.adapter.deleteById(id);
+      }
+
+      async revokeByGrantId(grantId: string) {
+        // istanbul ignore next
+        if (this.adapter.revokeByGrantId) {
+          return this.adapter.revokeByGrantId(grantId);
+        }
+
+        await this.adapter.deleteMany({grantId});
+      }
+
+      async consume(grantId: string) {
+        // istanbul ignore next
+        if (this.adapter.consume) {
+          return this.adapter.consume(grantId);
+        }
+
+        await this.adapter.update(grantId, {consumed: Math.floor(Date.now() / 1000)});
+      }
+    };
+  }
+}