@tsed/oidc-provider 8.0.1 → 8.0.3

package/src/services/OidcPolicy.spec.ts

@@ -0,0 +1,156 @@
+import {Env} from "@tsed/core";
+import {PlatformTest} from "@tsed/platform-http/testing";
+
+import {ConsentInteraction} from "../../test/app/interactions/ConsentInteraction.js";
+import {Interaction} from "../decorators/interaction.js";
+import {OidcInteractions} from "./OidcInteractions.js";
+import {OidcPolicy} from "./OidcPolicy.js";
+
+describe("OidcPolicy", () => {
+  beforeEach(() =>
+    PlatformTest.create({
+      env: Env.PROD,
+      oidc: {
+        issuer: "http://localhost:8081",
+        secureKey: ["secureKey"]
+      }
+    })
+  );
+  afterEach(() => PlatformTest.reset());
+  describe("createPrompt()", () => {
+    it("should bind options to prompt instance", async () => {
+      const oidcProvider = PlatformTest.get<OidcPolicy>(OidcPolicy);
+      const instance = {};
+      const options = {
+        name: "name",
+        requestable: true,
+        details: vi.fn(),
+        checks: []
+      };
+
+      const prompt = await oidcProvider.createPrompt(instance, options);
+
+      expect(prompt.details).toEqual(options.details);
+      expect(prompt.name).toEqual(options.name);
+      expect(prompt.requestable).toEqual(options.requestable);
+    });
+
+    it("should bind methods from instance to prompt instance", async () => {
+      const oidcProvider = PlatformTest.get<OidcPolicy>(OidcPolicy);
+      const instance = {
+        details: vi.fn(),
+        checks: vi.fn().mockReturnValue([])
+      };
+      const options = {
+        name: "name",
+        requestable: true
+      };
+
+      const prompt = await oidcProvider.createPrompt(instance, options);
+
+      expect(prompt.details).toBeDefined();
+      expect(prompt.name).toEqual(options.name);
+      expect(prompt.requestable).toEqual(options.requestable);
+    });
+  });
+  describe("getPolicy()", () => {
+    describe('when there is interactions with "priority" property', () => {
+      @Interaction({
+        name: "test"
+      })
+      class TestInteraction {}
+
+      @Interaction({
+        name: "test2"
+      })
+      class Test2Interaction {}
+
+      @Interaction({
+        name: "login"
+      })
+      class LoginInteraction {}
+
+      @Interaction({
+        name: "consent"
+      })
+      class ConsentInteraction {}
+
+      @Interaction({
+        name: "test3",
+        priority: 0
+      })
+      class Test3Interaction {}
+
+      it("should load policy (without priority)", async () => {
+        const oidcInteractions = {
+          getInteractions: vi
+            .fn()
+            .mockReturnValue([
+              PlatformTest.injector.getProvider(Test2Interaction),
+              PlatformTest.injector.getProvider(LoginInteraction),
+              PlatformTest.injector.getProvider(ConsentInteraction),
+              PlatformTest.injector.getProvider(TestInteraction)
+            ])
+        };
+
+        const oidcProvider = await PlatformTest.invoke<OidcPolicy>(OidcPolicy, [
+          {
+            token: OidcInteractions,
+            use: oidcInteractions
+          }
+        ]);
+
+        const policy = oidcProvider.getPolicy();
+
+        expect(policy.map(({name}: {name: string}) => name)).toEqual(["test2", "login", "consent", "test"]);
+      });
+      it("should load policy (with priority)", async () => {
+        const oidcInteractions = {
+          getInteractions: vi
+            .fn()
+            .mockReturnValue([
+              PlatformTest.injector.getProvider(Test2Interaction),
+              PlatformTest.injector.getProvider(LoginInteraction),
+              PlatformTest.injector.getProvider(ConsentInteraction),
+              PlatformTest.injector.getProvider(TestInteraction),
+              PlatformTest.injector.getProvider(Test3Interaction)
+            ])
+        };
+
+        const oidcProvider = await PlatformTest.invoke<OidcPolicy>(OidcPolicy, [
+          {
+            token: OidcInteractions,
+            use: oidcInteractions
+          }
+        ]);
+
+        const policy = oidcProvider.getPolicy();
+
+        expect(policy.map(({name}: {name: string}) => name)).toEqual(["test3", "login", "consent", "test2", "test"]);
+      });
+    });
+    describe("when there is no interactions without usePriority", () => {
+      it("should load policy", async () => {
+        const oidcInteractions = {
+          getInteractions: vi.fn().mockReturnValue([])
+        };
+
+        const oidcPolicy = await PlatformTest.invoke<OidcPolicy>(OidcPolicy, [
+          {
+            token: OidcInteractions,
+            use: oidcInteractions
+          }
+        ]);
+
+        vi.spyOn(oidcPolicy as any, "getInteractions").mockReturnValue({
+          usePriority: false,
+          interactions: new Map([["login", {name: "login", instance: {}} as any]])
+        });
+
+        const policy = oidcPolicy.getPolicy();
+
+        expect(policy.map(({name}: {name: string}) => name)).toEqual(["login", "consent"]);
+      });
+    });
+  });
+});

package/src/services/OidcPolicy.ts

@@ -0,0 +1,92 @@
+import {inject, Injectable, injector, Provider} from "@tsed/di";
+import {interactionPolicy} from "oidc-provider";
+
+import {InteractionMethods} from "../domain/InteractionMethods.js";
+import {OidcInteractionOptions} from "../domain/OidcInteractionOptions.js";
+import {OidcInteractions} from "./OidcInteractions.js";
+import Prompt = interactionPolicy.Prompt;
+
+@Injectable()
+export class OidcPolicy {
+  protected injector = injector();
+  protected oidcInteractions = inject(OidcInteractions);
+
+  public getPolicy() {
+    let policy = interactionPolicy.base();
+    const {usePriority, interactions} = this.getInteractions();
+
+    if (interactions.size) {
+      for (const {name, instance, options} of interactions.values()) {
+        if (!policy.get(name)) {
+          const prompt = this.createPrompt(instance, options);
+
+          policy.add(prompt, options.priority);
+        }
+
+        if (instance.$onCreate) {
+          instance.$onCreate(policy.get(name)!);
+        }
+      }
+
+      // reordering interactions by interactions index
+      if (!usePriority) {
+        policy = policy.sort((a, b) => {
+          const o1 = interactions.get(a.name)?.order || 0;
+          const o2 = interactions.get(b.name)?.order || 0;
+
+          return o1 < o2 ? -1 : 1;
+        });
+      }
+    }
+
+    return this.injector.alter("$alterOidcPolicy", policy);
+  }
+
+  public createPrompt(instance: InteractionMethods, options: OidcInteractionOptions): Prompt {
+    const {checks: originalChecks = [], details, ...promptOptions} = options;
+    const checks = [...(instance.checks ? instance.checks() : originalChecks)].filter(Boolean);
+
+    return new interactionPolicy.Prompt(promptOptions, instance.details ? instance.details.bind(instance) : details, ...checks);
+  }
+
+  private getInteractions() {
+    let usePriority = false;
+
+    const interactions = this.oidcInteractions.getInteractions();
+
+    const map = interactions.reduce(
+      (map, provider, index) => {
+        const instance = this.injector.get<InteractionMethods>(provider.token)!;
+
+        const options = provider.store.get("interactionOptions");
+
+        if (options.priority !== undefined) {
+          usePriority = true;
+        }
+
+        return map.set(options.name, {
+          order: index,
+          name: options.name,
+          provider,
+          instance,
+          options
+        });
+      },
+      new Map<
+        string,
+        {
+          order: number;
+          provider: Provider;
+          instance: any;
+          options: OidcInteractionOptions;
+          name: string;
+        }
+      >()
+    );
+
+    return {
+      interactions: map,
+      usePriority
+    };
+  }
+}

package/src/services/OidcProvider.spec.ts

@@ -0,0 +1,116 @@
+import "../../test/app/controllers/oidc/InteractionsCtrl.js";
+
+import {Env} from "@tsed/core";
+import {runInContext} from "@tsed/di";
+import {PlatformTest} from "@tsed/platform-http/testing";
+
+import {OidcProvider} from "./OidcProvider.js";
+
+describe("OidcProvider", () => {
+  describe("Production", () => {
+    beforeEach(() =>
+      PlatformTest.create({
+        env: Env.PROD,
+        oidc: {
+          issuer: "http://localhost:8081",
+          secureKey: ["secureKey"]
+        }
+      })
+    );
+    afterEach(() => PlatformTest.reset());
+
+    it("should create oidc instance", () => {
+      const oidcProvider = PlatformTest.get<OidcProvider>(OidcProvider);
+
+      // @ts-ignore
+      expect(oidcProvider.getInteractionsUrl()({}, {uid: "uid"})).toEqual("/interaction/uid");
+    });
+  });
+  describe("createErrorHandler()", () => {
+    beforeEach(() =>
+      PlatformTest.create({
+        env: Env.PROD,
+        oidc: {
+          issuer: "http://localhost:8081",
+          secureKey: ["secureKey"]
+        }
+      })
+    );
+    afterEach(() => PlatformTest.reset());
+
+    it("should intercept all oidc errors", () => {
+      const oidcProvider = PlatformTest.get<OidcProvider>(OidcProvider);
+      vi.spyOn((oidcProvider as any).injector.logger, "error");
+
+      const fn = (oidcProvider as any).createErrorHandler("event");
+      fn(
+        {
+          headers: {
+            origin: "origin"
+          },
+          oidc: {
+            params: {
+              client_id: "client_id"
+            }
+          }
+        },
+        {error: "error", error_description: "error_description", error_detail: "error_detail"},
+        "account_id",
+        "sid"
+      );
+
+      expect((oidcProvider as any).injector.logger.error).toHaveBeenCalledWith({
+        duration: expect.any(Number),
+        reqId: expect.any(String),
+        account_id: "account_id",
+        error: {error_description: "error_description", error_detail: "error_detail", error: "error"},
+        event: "OIDC_ERROR",
+        headers: {
+          origin: "origin"
+        },
+        params: {client_id: "client_id"},
+        sid: "sid",
+        type: "event",
+        time: expect.any(Date)
+      });
+    });
+    it("should intercept all oidc errors (in request context)", async () => {
+      const oidcProvider = PlatformTest.get<OidcProvider>(OidcProvider);
+      const ctx = PlatformTest.createRequestContext();
+
+      vi.spyOn(ctx.logger, "error");
+
+      const fn = (oidcProvider as any).createErrorHandler("event");
+
+      await runInContext(ctx, () => {
+        fn(
+          {
+            headers: {
+              origin: "origin"
+            },
+            oidc: {
+              params: {
+                client_id: "client_id"
+              }
+            }
+          },
+          {error: "error", error_description: "error_description", error_detail: "error_detail"},
+          "account_id",
+          "sid"
+        );
+      });
+
+      expect(ctx.logger.error).toHaveBeenCalledWith({
+        account_id: "account_id",
+        error: {error_description: "error_description", error_detail: "error_detail", error: "error"},
+        event: "OIDC_ERROR",
+        headers: {
+          origin: "origin"
+        },
+        params: {client_id: "client_id"},
+        sid: "sid",
+        type: "event"
+      });
+    });
+  });
+});

package/src/services/OidcProvider.ts

@@ -0,0 +1,198 @@
+import {Env, setValue} from "@tsed/core";
+import {constant, context, inject, Injectable, InjectorService} from "@tsed/di";
+import {PlatformApplication, PlatformContext} from "@tsed/platform-http";
+import Provider, {type Configuration, type KoaContextWithOIDC} from "oidc-provider";
+
+import {INTERACTIONS} from "../constants/constants.js";
+import {OidcAccountsMethods} from "../domain/OidcAccountsMethods.js";
+import {OidcSettings} from "../domain/OidcSettings.js";
+import {OIDC_ERROR_EVENTS} from "../utils/events.js";
+import {OidcAdapters} from "./OidcAdapters.js";
+import {OidcJwks} from "./OidcJwks.js";
+import {OidcPolicy} from "./OidcPolicy.js";
+
+function mapError(error: any) {
+  return Object.getOwnPropertyNames(error).reduce((obj: any, key) => {
+    return {
+      ...obj,
+      [key]: error[key]
+    };
+  }, {});
+}
+
+@Injectable()
+export class OidcProvider {
+  raw: Provider;
+
+  protected env = constant<Env>("env");
+  protected httpPort = constant<number | string>("httpPort");
+  protected httpsPort = constant<number | string>("httpsPort");
+  protected issuer = constant<string>("oidc.issuer", "");
+  protected oidc = constant<OidcSettings>("oidc")!;
+  protected platformName = constant<string>("PLATFORM_NAME");
+  protected oidcJwks = inject(OidcJwks);
+  protected oidcPolicy = inject(OidcPolicy);
+  protected adapters = inject(OidcAdapters);
+  protected injector = inject(InjectorService);
+  protected app = inject(PlatformApplication);
+
+  get logger() {
+    return this.$ctx.logger;
+  }
+
+  protected get $ctx() {
+    return context<PlatformContext>();
+  }
+
+  hasConfiguration() {
+    return !!this.oidc;
+  }
+
+  async getConfiguration(): Promise<Configuration> {
+    const [jwks, adapter] = await Promise.all([this.oidcJwks.getJwks(), this.adapters.createAdapterClass()]);
+    const {
+      issuer,
+      jwksPath,
+      secureKey,
+      proxy,
+      Accounts,
+      secureCookies = this.env == Env.PROD,
+      Adapter,
+      connectionName,
+      render,
+      ...options
+    } = this.oidc;
+
+    const configuration: Configuration = {
+      interactions: {
+        /* istanbul ignore next */
+        url: (ctx, interaction) => `interaction/${interaction.uid}`
+      },
+      ...options,
+      adapter,
+      jwks
+    };
+
+    if (Accounts) {
+      configuration.findAccount = (ctx, id, token) => this.injector.get<OidcAccountsMethods>(Accounts)!.findAccount(id, token);
+    }
+
+    if (secureCookies) {
+      setValue(configuration, "cookies.short.secure", true);
+      setValue(configuration, "cookies.long.secure", true);
+    }
+
+    const policy = this.oidcPolicy.getPolicy();
+
+    if (policy) {
+      setValue(configuration, "interactions.policy", policy);
+    }
+
+    const url = this.getInteractionsUrl();
+    if (url) {
+      setValue(configuration, "interactions.url", url);
+    }
+
+    return configuration;
+  }
+
+  getIssuer() {
+    if (this.issuer) {
+      return this.issuer;
+    }
+
+    // istanbul ignore next
+    if (this.httpsPort) {
+      return `https://localhost:${this.httpsPort}`;
+    }
+
+    return `http://localhost:${this.httpPort}`;
+  }
+
+  get(): Provider {
+    return this.raw;
+  }
+
+  /**
+   * Create a new instance of OidcProvider
+   */
+  async create(): Promise<void | Provider> {
+    const {proxy = this.env === Env.PROD, secureKey, allowHttpLocalhost = this.env !== Env.PROD} = this.oidc;
+    const configuration = await this.getConfiguration();
+
+    await this.injector.alterAsync("$alterOidcConfiguration", configuration);
+
+    const oidcProvider = new Provider(this.getIssuer(), configuration);
+
+    if (proxy) {
+      // istanbul ignore next
+      switch (this.platformName) {
+        default:
+        case "express":
+          oidcProvider.proxy = true;
+          break;
+        case "koa":
+          (this.app.rawApp as any).proxy = true;
+          break;
+      }
+    }
+
+    if (secureKey) {
+      oidcProvider.app.keys = secureKey;
+    }
+
+    this.raw = oidcProvider;
+
+    if (allowHttpLocalhost) {
+      this.allowHttpLocalhost();
+    }
+
+    OIDC_ERROR_EVENTS.map((event) => {
+      this.raw.on(event, this.createErrorHandler(event));
+    });
+
+    await this.injector.emit("$onCreateOIDC", this.raw);
+
+    return this.raw;
+  }
+
+  private createErrorHandler(event: string) {
+    return (ctx: KoaContextWithOIDC, error: any, accountId?: string, sid?: string) => {
+      this.logger.error({
+        event: "OIDC_ERROR",
+        type: event,
+        error: mapError(error),
+        account_id: accountId,
+        params: ctx.oidc.params,
+        headers: ctx.headers,
+        sid
+      });
+
+      // TODO see if we need to call platformExceptions
+      // this.platformExceptions.catch(error, ctx.request.$ctx);
+    };
+  }
+
+  private getInteractionsUrl() {
+    const provider = this.injector.getProviders().find((provider) => provider.subType === INTERACTIONS);
+
+    if (provider) {
+      return (ctx: any, interaction: any) => {
+        return provider.path.replace(/:uid/, interaction.uid);
+      };
+    }
+  }
+
+  private allowHttpLocalhost() {
+    const {invalidate: orig} = (this.raw.Client as any).Schema.prototype;
+
+    (this.raw.Client as any).Schema.prototype.invalidate = function invalidate(message: string, code: string) {
+      if (code === "implicit-force-https" || code === "implicit-forbid-localhost") {
+        return;
+      }
+
+      /* istanbul ignore next */
+      return orig.call(this, message);
+    };
+  }
+}

package/src/utils/debug.spec.ts

@@ -0,0 +1,12 @@
+import {debug} from "./debug.js";
+
+describe("debug", () => {
+  it("should debug", () => {
+    expect(
+      debug({
+        value: undefined,
+        test: "1"
+      })
+    ).toEqual("<strong>test</strong>: '1'");
+  });
+});

package/src/utils/debug.ts

@@ -0,0 +1,25 @@
+import {isEmpty} from "@tsed/core";
+import qs from "querystring";
+import {inspect} from "util";
+
+const keys = new Set();
+
+function serialize(obj: any) {
+  return Object.entries(obj).reduce((acc: any, [key, value]) => {
+    keys.add(key);
+
+    if (isEmpty(value)) {
+      return acc;
+    }
+
+    acc[key] = inspect(value, {depth: null});
+    return acc;
+  }, {});
+}
+
+export const debug = (obj: any) =>
+  qs.stringify(serialize(obj), "<br/>", ": ", {
+    encodeURIComponent(value) {
+      return keys.has(value) ? `<strong>${value}</strong>` : value;
+    }
+  });

package/src/utils/events.ts

@@ -0,0 +1,61 @@
+/**
+ * Exports all OIDC providers events
+ */
+export const OIDC_EVENTS = [
+  "access_token.destroyed",
+  "access_token.saved",
+  "access_token.issued",
+  "authorization_code.consumed",
+  "authorization_code.destroyed",
+  "authorization_code.saved",
+  "authorization.accepted",
+  "authorization.error",
+  "authorization.success",
+  "backchannel.error",
+  "backchannel.success",
+  "jwks.error",
+  "client_credentials.destroyed",
+  "client_credentials.saved",
+  "client_credentials.issued",
+  "device_code.consumed",
+  "device_code.destroyed",
+  "device_code.saved",
+  "discovery.error",
+  "end_session.error",
+  "end_session.success",
+  "grant.error",
+  "grant.revoked",
+  "grant.success",
+  "initial_access_token.destroyed",
+  "initial_access_token.saved",
+  "interaction.destroyed",
+  "interaction.ended",
+  "interaction.saved",
+  "interaction.started",
+  "introspection.error",
+  "replay_detection.destroyed",
+  "replay_detection.saved",
+  "pushed_authorization_request.error",
+  "pushed_authorization_request.success",
+  "pushed_authorization_request.destroyed",
+  "pushed_authorization_request.saved",
+  "refresh_token.consumed",
+  "refresh_token.destroyed",
+  "refresh_token.saved",
+  "registration_access_token.destroyed",
+  "registration_access_token.saved",
+  "registration_create.error",
+  "registration_create.success",
+  "registration_delete.error",
+  "registration_delete.success",
+  "registration_read.error",
+  "registration_update.error",
+  "registration_update.success",
+  "revocation.error",
+  "server_error",
+  "session.destroyed",
+  "session.saved",
+  "userinfo.error"
+];
+
+export const OIDC_ERROR_EVENTS = OIDC_EVENTS.filter((e) => e.includes("error"));