@unwanted/matrix-sdk-mini 34.13.0 → 36.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/git-revision.txt +1 -1
- package/lib/@types/event.d.ts +25 -0
- package/lib/@types/event.d.ts.map +1 -1
- package/lib/@types/event.js +5 -0
- package/lib/@types/event.js.map +1 -1
- package/lib/client.d.ts +44 -19
- package/lib/client.d.ts.map +1 -1
- package/lib/client.js +148 -90
- package/lib/client.js.map +1 -1
- package/lib/embedded.d.ts +4 -3
- package/lib/embedded.d.ts.map +1 -1
- package/lib/embedded.js +57 -74
- package/lib/embedded.js.map +1 -1
- package/lib/feature.d.ts.map +1 -1
- package/lib/feature.js +2 -1
- package/lib/feature.js.map +1 -1
- package/lib/http-api/errors.d.ts +3 -3
- package/lib/http-api/errors.js +3 -3
- package/lib/http-api/errors.js.map +1 -1
- package/lib/http-api/utils.js +2 -2
- package/lib/http-api/utils.js.map +1 -1
- package/lib/models/event-timeline.d.ts.map +1 -1
- package/lib/models/event-timeline.js +1 -21
- package/lib/models/event-timeline.js.map +1 -1
- package/lib/models/event.d.ts +11 -1
- package/lib/models/event.d.ts.map +1 -1
- package/lib/models/event.js +48 -5
- package/lib/models/event.js.map +1 -1
- package/lib/models/invites-ignorer-types.d.ts +27 -0
- package/lib/models/invites-ignorer-types.d.ts.map +1 -0
- package/lib/models/invites-ignorer-types.js +36 -0
- package/lib/models/invites-ignorer-types.js.map +1 -0
- package/lib/models/invites-ignorer.d.ts +2 -26
- package/lib/models/invites-ignorer.d.ts.map +1 -1
- package/lib/models/invites-ignorer.js +2 -27
- package/lib/models/invites-ignorer.js.map +1 -1
- package/lib/models/room-member.d.ts +6 -1
- package/lib/models/room-member.d.ts.map +1 -1
- package/lib/models/room-member.js +7 -1
- package/lib/models/room-member.js.map +1 -1
- package/lib/models/room.d.ts +6 -1
- package/lib/models/room.d.ts.map +1 -1
- package/lib/models/room.js +7 -1
- package/lib/models/room.js.map +1 -1
- package/lib/oidc/authorize.d.ts +2 -2
- package/lib/oidc/authorize.d.ts.map +1 -1
- package/lib/oidc/authorize.js +5 -5
- package/lib/oidc/authorize.js.map +1 -1
- package/lib/oidc/discovery.d.ts +8 -0
- package/lib/oidc/discovery.d.ts.map +1 -1
- package/lib/oidc/discovery.js +22 -11
- package/lib/oidc/discovery.js.map +1 -1
- package/lib/oidc/index.d.ts +3 -4
- package/lib/oidc/index.d.ts.map +1 -1
- package/lib/oidc/index.js.map +1 -1
- package/lib/oidc/register.js +3 -3
- package/lib/oidc/register.js.map +1 -1
- package/lib/oidc/tokenRefresher.d.ts.map +1 -1
- package/lib/oidc/tokenRefresher.js +6 -5
- package/lib/oidc/tokenRefresher.js.map +1 -1
- package/lib/oidc/validate.d.ts +9 -23
- package/lib/oidc/validate.d.ts.map +1 -1
- package/lib/oidc/validate.js +13 -28
- package/lib/oidc/validate.js.map +1 -1
- package/lib/randomstring.d.ts +30 -3
- package/lib/randomstring.d.ts.map +1 -1
- package/lib/randomstring.js +68 -16
- package/lib/randomstring.js.map +1 -1
- package/lib/store/indexeddb-local-backend.js +4 -2
- package/lib/store/indexeddb-local-backend.js.map +1 -1
- package/lib/testing.d.ts +17 -0
- package/lib/testing.d.ts.map +1 -1
- package/lib/testing.js +42 -0
- package/lib/testing.js.map +1 -1
- package/package.json +5 -5
- package/src/@types/event.ts +17 -0
- package/src/client.ts +87 -41
- package/src/embedded.ts +41 -51
- package/src/feature.ts +1 -0
- package/src/http-api/errors.ts +3 -3
- package/src/http-api/utils.ts +2 -2
- package/src/models/event-timeline.ts +1 -21
- package/src/models/event.ts +46 -0
- package/src/models/invites-ignorer-types.ts +48 -0
- package/src/models/invites-ignorer.ts +7 -42
- package/src/models/room-member.ts +16 -1
- package/src/models/room.ts +16 -1
- package/src/oidc/authorize.ts +7 -7
- package/src/oidc/discovery.ts +16 -10
- package/src/oidc/index.ts +3 -4
- package/src/oidc/register.ts +3 -3
- package/src/oidc/tokenRefresher.ts +3 -2
- package/src/oidc/validate.ts +40 -63
- package/src/randomstring.ts +65 -19
- package/src/store/indexeddb-local-backend.ts +2 -2
- package/src/testing.ts +41 -0
package/lib/oidc/authorize.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { IdTokenClaims } from "oidc-client-ts";
|
|
2
|
-
import { BearerTokenResponse,
|
|
2
|
+
import { BearerTokenResponse, ValidatedAuthMetadata } from "./validate.ts";
|
|
3
3
|
export type { BearerTokenResponse };
|
|
4
4
|
/**
|
|
5
5
|
* Authorization parameters which are used in the authentication request of an OIDC auth code flow.
|
|
@@ -56,7 +56,7 @@ export declare const generateAuthorizationUrl: (authorizationUrl: string, client
|
|
|
56
56
|
*/
|
|
57
57
|
export declare const generateOidcAuthorizationUrl: ({ metadata, redirectUri, clientId, homeserverUrl, identityServerUrl, nonce, prompt, urlState, }: {
|
|
58
58
|
clientId: string;
|
|
59
|
-
metadata:
|
|
59
|
+
metadata: ValidatedAuthMetadata;
|
|
60
60
|
homeserverUrl: string;
|
|
61
61
|
identityServerUrl?: string;
|
|
62
62
|
redirectUri: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/oidc/authorize.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAsE,MAAM,gBAAgB,CAAC;AAKnH,OAAO,EACH,mBAAmB,EAGnB,
|
|
1
|
+
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/oidc/authorize.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAsE,MAAM,gBAAgB,CAAC;AAKnH,OAAO,EACH,mBAAmB,EAGnB,qBAAqB,EAGxB,MAAM,eAAe,CAAC;AAKvB,YAAY,EAAE,mBAAmB,EAAE,CAAC;AAEpC;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,aAAa,cAAe,MAAM,KAAG,MAGjD,CAAC;AAcF;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,oBAAqB;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,KAAG,mBAMrF,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,qBACf,MAAM,YACd,MAAM,sDACoC,mBAAmB,KACxE,OAAO,CAAC,MAAM,CAchB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,4BAA4B,oGAStC;IACC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,qBAAqB,CAAC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,MAAM,CAqBjB,CAAC;AAqBF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,SACjC,MAAM,SACL,MAAM,KACd,OAAO,CAAC;IACP,kBAAkB,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACzD,aAAa,EAAE,mBAAmB,CAAC;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,aAAa,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC9B,CA8DA,CAAC"}
|
package/lib/oidc/authorize.js
CHANGED
|
@@ -20,7 +20,7 @@ limitations under the License.
|
|
|
20
20
|
|
|
21
21
|
import { Log, OidcClient, SigninResponse, SigninState, WebStorageStateStore } from "oidc-client-ts";
|
|
22
22
|
import { logger } from "../logger.js";
|
|
23
|
-
import {
|
|
23
|
+
import { secureRandomString } from "../randomstring.js";
|
|
24
24
|
import { OidcError } from "./error.js";
|
|
25
25
|
import { validateBearerTokenResponse, validateIdToken, validateStoredUserState } from "./validate.js";
|
|
26
26
|
import { sha256 } from "../digest.js";
|
|
@@ -40,7 +40,7 @@ import { encodeUnpaddedBase64Url } from "../base64.js";
|
|
|
40
40
|
* @returns scope
|
|
41
41
|
*/
|
|
42
42
|
export var generateScope = deviceId => {
|
|
43
|
-
var safeDeviceId = deviceId !== null && deviceId !== void 0 ? deviceId :
|
|
43
|
+
var safeDeviceId = deviceId !== null && deviceId !== void 0 ? deviceId : secureRandomString(10);
|
|
44
44
|
return "openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:".concat(safeDeviceId);
|
|
45
45
|
};
|
|
46
46
|
|
|
@@ -75,9 +75,9 @@ export var generateAuthorizationParams = _ref2 => {
|
|
|
75
75
|
return {
|
|
76
76
|
scope: generateScope(),
|
|
77
77
|
redirectUri,
|
|
78
|
-
state:
|
|
79
|
-
nonce:
|
|
80
|
-
codeVerifier:
|
|
78
|
+
state: secureRandomString(8),
|
|
79
|
+
nonce: secureRandomString(8),
|
|
80
|
+
codeVerifier: secureRandomString(64) // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters
|
|
81
81
|
};
|
|
82
82
|
};
|
|
83
83
|
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize.js","names":["Log","OidcClient","SigninResponse","SigninState","WebStorageStateStore","logger","randomString","OidcError","validateBearerTokenResponse","validateIdToken","validateStoredUserState","sha256","encodeUnpaddedBase64Url","generateScope","deviceId","safeDeviceId","concat","generateCodeChallenge","_ref","_asyncToGenerator","codeVerifier","globalThis","crypto","subtle","warn","hashBuffer","_x","apply","arguments","generateAuthorizationParams","_ref2","redirectUri","scope","state","nonce","generateAuthorizationUrl","_ref4","authorizationUrl","clientId","_ref3","url","URL","searchParams","append","toString","_x2","_x3","_x4","generateOidcAuthorizationUrl","_ref6","_ref5","metadata","homeserverUrl","identityServerUrl","prompt","urlState","oidcClient","_objectSpread","client_id","redirect_uri","authority","issuer","response_mode","response_type","stateStore","prefix","store","window","sessionStorage","userState","request","createSigninRequest","url_state","_x5","normalizeBearerTokenResponseTokenType","response","id_token","expires_at","refresh_token","access_token","token_type","completeAuthorizationCodeGrant","_ref7","code","reconstructedUrl","location","origin","setLogger","stateString","get","Error","MissingOrInvalidStoredState","signInState","fromStorageString","client","signinResponse","processSigninResponse","href","settings","normalizedTokenResponse","oidcClientSettings","tokenResponse","idTokenClaims","profile","error","errorType","message","Object","values","includes","CodeExchangeFailed","_x6","_x7"],"sources":["../../src/oidc/authorize.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { IdTokenClaims, Log, OidcClient, SigninResponse, SigninState, WebStorageStateStore } from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { randomString } from \"../randomstring.ts\";\nimport { OidcError } from \"./error.ts\";\nimport {\n BearerTokenResponse,\n UserState,\n validateBearerTokenResponse,\n ValidatedIssuerMetadata,\n validateIdToken,\n validateStoredUserState,\n} from \"./validate.ts\";\nimport { sha256 } from \"../digest.ts\";\nimport { encodeUnpaddedBase64Url } from \"../base64.ts\";\n\n// reexport for backwards compatibility\nexport type { BearerTokenResponse };\n\n/**\n * Authorization parameters which are used in the authentication request of an OIDC auth code flow.\n *\n * See https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters.\n */\nexport type AuthorizationParams = {\n state: string;\n scope: string;\n redirectUri: string;\n codeVerifier: string;\n nonce: string;\n};\n\n/**\n * @experimental\n * Generate the scope used in authorization request with OIDC OP\n * @returns scope\n */\nexport const generateScope = (deviceId?: string): string => {\n const safeDeviceId = deviceId ?? randomString(10);\n return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;\n};\n\n// https://www.rfc-editor.org/rfc/rfc7636\nconst generateCodeChallenge = async (codeVerifier: string): Promise<string> => {\n if (!globalThis.crypto.subtle) {\n // @TODO(kerrya) should this be allowed? configurable?\n logger.warn(\"A secure context is required to generate code challenge. Using plain text code challenge\");\n return codeVerifier;\n }\n\n const hashBuffer = await sha256(codeVerifier);\n return encodeUnpaddedBase64Url(hashBuffer);\n};\n\n/**\n * Generate authorization params to pass to {@link generateAuthorizationUrl}.\n *\n * Used as part of an authorization code OIDC flow: see https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow.\n *\n * @param redirectUri - absolute url for OP to redirect to after authorization\n * @returns AuthorizationParams\n */\nexport const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({\n scope: generateScope(),\n redirectUri,\n state: randomString(8),\n nonce: randomString(8),\n codeVerifier: randomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters\n});\n\n/**\n * @deprecated use generateOidcAuthorizationUrl\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param authorizationUrl - endpoint to attempt authorization with the OP\n * @param clientId - id of this client as registered with the OP\n * @param authorizationParams - params to be used in the url\n * @returns a Promise with the url as a string\n */\nexport const generateAuthorizationUrl = async (\n authorizationUrl: string,\n clientId: string,\n { scope, redirectUri, state, nonce, codeVerifier }: AuthorizationParams,\n): Promise<string> => {\n const url = new URL(authorizationUrl);\n url.searchParams.append(\"response_mode\", \"query\");\n url.searchParams.append(\"response_type\", \"code\");\n url.searchParams.append(\"redirect_uri\", redirectUri);\n url.searchParams.append(\"client_id\", clientId);\n url.searchParams.append(\"state\", state);\n url.searchParams.append(\"scope\", scope);\n url.searchParams.append(\"nonce\", nonce);\n\n url.searchParams.append(\"code_challenge_method\", \"S256\");\n url.searchParams.append(\"code_challenge\", await generateCodeChallenge(codeVerifier));\n\n return url.toString();\n};\n\n/**\n * @experimental\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param metadata - validated metadata from OP discovery\n * @param clientId - this client's id as registered with the OP\n * @param homeserverUrl - used to establish the session on return from the OP\n * @param identityServerUrl - used to establish the session on return from the OP\n * @param nonce - state\n * @param prompt - indicates to the OP which flow the user should see - eg login or registration\n * See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter\n * @param urlState - value to append to the opaque state identifier to uniquely identify the callback\n * @returns a Promise with the url as a string\n */\nexport const generateOidcAuthorizationUrl = async ({\n metadata,\n redirectUri,\n clientId,\n homeserverUrl,\n identityServerUrl,\n nonce,\n prompt,\n urlState,\n}: {\n clientId: string;\n metadata: ValidatedIssuerMetadata;\n homeserverUrl: string;\n identityServerUrl?: string;\n redirectUri: string;\n nonce: string;\n prompt?: string;\n urlState?: string;\n}): Promise<string> => {\n const scope = generateScope();\n const oidcClient = new OidcClient({\n ...metadata,\n client_id: clientId,\n redirect_uri: redirectUri,\n authority: metadata.issuer,\n response_mode: \"query\",\n response_type: \"code\",\n scope,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n const userState: UserState = { homeserverUrl, nonce, identityServerUrl };\n const request = await oidcClient.createSigninRequest({\n state: userState,\n nonce,\n prompt,\n url_state: urlState,\n });\n\n return request.url;\n};\n\n/**\n * Normalize token_type to use capital case to make consuming the token response easier\n * token_type is case insensitive, and it is spec-compliant for OPs to return token_type: \"bearer\"\n * Later, when used in auth headers it is case sensitive and must be Bearer\n * See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4\n *\n * @param response - validated token response\n * @returns response with token_type set to 'Bearer'\n */\nconst normalizeBearerTokenResponseTokenType = (response: SigninResponse): BearerTokenResponse =>\n ({\n id_token: response.id_token,\n scope: response.scope,\n expires_at: response.expires_at,\n refresh_token: response.refresh_token,\n access_token: response.access_token,\n token_type: \"Bearer\",\n }) as BearerTokenResponse;\n\n/**\n * @experimental\n * Attempt to exchange authorization code for bearer token.\n *\n * Takes the authorization code returned by the OpenID Provider via the authorization URL, and makes a\n * request to the Token Endpoint, to obtain the access token, refresh token, etc.\n *\n * @param code - authorization code as returned by OP during authorization\n * @param storedAuthorizationParams - stored params from start of oidc login flow\n * @returns valid bearer token response\n * @throws An `Error` with `message` set to an entry in {@link OidcError},\n * when the request fails, or the returned token response is invalid.\n */\nexport const completeAuthorizationCodeGrant = async (\n code: string,\n state: string,\n): Promise<{\n oidcClientSettings: { clientId: string; issuer: string };\n tokenResponse: BearerTokenResponse;\n homeserverUrl: string;\n idTokenClaims: IdTokenClaims;\n identityServerUrl?: string;\n}> => {\n /**\n * Element Web strips and changes the url on starting the app\n * Use the code and state from query params to rebuild a url\n * so that oidc-client can parse it\n */\n const reconstructedUrl = new URL(window.location.origin);\n reconstructedUrl.searchParams.append(\"code\", code);\n reconstructedUrl.searchParams.append(\"state\", state);\n\n // set oidc-client to use our logger\n Log.setLogger(logger);\n try {\n const response = new SigninResponse(reconstructedUrl.searchParams);\n\n const stateStore = new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage });\n\n // retrieve the state we put in storage at the start of oidc auth flow\n const stateString = await stateStore.get(response.state!);\n if (!stateString) {\n throw new Error(OidcError.MissingOrInvalidStoredState);\n }\n\n // hydrate the sign in state and create a client\n // the stored sign in state includes oidc configuration we set at the start of the oidc login flow\n const signInState = await SigninState.fromStorageString(stateString);\n const client = new OidcClient({ ...signInState, stateStore });\n\n // validate the code and state, and attempt to swap the code for tokens\n const signinResponse = await client.processSigninResponse(reconstructedUrl.href);\n\n // extra values we stored at the start of the login flow\n // used to complete login in the client\n const userState = signinResponse.userState;\n validateStoredUserState(userState);\n\n // throws when response is invalid\n validateBearerTokenResponse(signinResponse);\n // throws when token is invalid\n validateIdToken(signinResponse.id_token, client.settings.authority, client.settings.client_id, userState.nonce);\n const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);\n\n return {\n oidcClientSettings: {\n clientId: client.settings.client_id,\n issuer: client.settings.authority,\n },\n tokenResponse: normalizedTokenResponse,\n homeserverUrl: userState.homeserverUrl,\n identityServerUrl: userState.identityServerUrl,\n idTokenClaims: signinResponse.profile,\n };\n } catch (error) {\n logger.error(\"Oidc login failed\", error);\n const errorType = (error as Error).message;\n\n // rethrow errors that we recognise\n if (Object.values(OidcError).includes(errorType as any)) {\n throw error;\n }\n throw new Error(OidcError.CodeExchangeFailed);\n }\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAAwBA,GAAG,EAAEC,UAAU,EAAEC,cAAc,EAAEC,WAAW,EAAEC,oBAAoB,QAAQ,gBAAgB;AAElH,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,YAAY,QAAQ,oBAAoB;AACjD,SAASC,SAAS,QAAQ,YAAY;AACtC,SAGIC,2BAA2B,EAE3BC,eAAe,EACfC,uBAAuB,QACpB,eAAe;AACtB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,uBAAuB,QAAQ,cAAc;;AAEtD;;AAGA;AACA;AACA;AACA;AACA;;AASA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,aAAa,GAAIC,QAAiB,IAAa;EACxD,IAAMC,YAAY,GAAGD,QAAQ,aAARA,QAAQ,cAARA,QAAQ,GAAIR,YAAY,CAAC,EAAE,CAAC;EACjD,wGAAAU,MAAA,CAAwGD,YAAY;AACxH,CAAC;;AAED;AACA,IAAME,qBAAqB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,YAAoB,EAAsB;IAC3E,IAAI,CAACC,UAAU,CAACC,MAAM,CAACC,MAAM,EAAE;MAC3B;MACAlB,MAAM,CAACmB,IAAI,CAAC,0FAA0F,CAAC;MACvG,OAAOJ,YAAY;IACvB;IAEA,IAAMK,UAAU,SAASd,MAAM,CAACS,YAAY,CAAC;IAC7C,OAAOR,uBAAuB,CAACa,UAAU,CAAC;EAC9C,CAAC;EAAA,gBATKR,qBAAqBA,CAAAS,EAAA;IAAA,OAAAR,IAAA,CAAAS,KAAA,OAAAC,SAAA;EAAA;AAAA,GAS1B;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,2BAA2B,GAAGC,KAAA;EAAA,IAAC;IAAEC;EAAqC,CAAC,GAAAD,KAAA;EAAA,OAA2B;IAC3GE,KAAK,EAAEnB,aAAa,CAAC,CAAC;IACtBkB,WAAW;IACXE,KAAK,EAAE3B,YAAY,CAAC,CAAC,CAAC;IACtB4B,KAAK,EAAE5B,YAAY,CAAC,CAAC,CAAC;IACtBc,YAAY,EAAEd,YAAY,CAAC,EAAE,CAAC,CAAE;EACpC,CAAC;AAAA,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM6B,wBAAwB;EAAA,IAAAC,KAAA,GAAAjB,iBAAA,CAAG,WACpCkB,gBAAwB,EACxBC,QAAgB,EAAAC,KAAA,EAEE;IAAA,IADlB;MAAEP,KAAK;MAAED,WAAW;MAAEE,KAAK;MAAEC,KAAK;MAAEd;IAAkC,CAAC,GAAAmB,KAAA;IAEvE,IAAMC,GAAG,GAAG,IAAIC,GAAG,CAACJ,gBAAgB,CAAC;IACrCG,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;IACjDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC;IAChDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,cAAc,EAAEZ,WAAW,CAAC;IACpDS,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,WAAW,EAAEL,QAAQ,CAAC;IAC9CE,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;IACvCO,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEX,KAAK,CAAC;IACvCQ,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAET,KAAK,CAAC;IAEvCM,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC;IACxDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,gBAAgB,QAAQ1B,qBAAqB,CAACG,YAAY,CAAC,CAAC;IAEpF,OAAOoB,GAAG,CAACI,QAAQ,CAAC,CAAC;EACzB,CAAC;EAAA,gBAlBYT,wBAAwBA,CAAAU,GAAA,EAAAC,GAAA,EAAAC,GAAA;IAAA,OAAAX,KAAA,CAAAT,KAAA,OAAAC,SAAA;EAAA;AAAA,GAkBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMoB,4BAA4B;EAAA,IAAAC,KAAA,GAAA9B,iBAAA,CAAG,WAAA+B,KAAA,EAkBrB;IAAA,IAlB4B;MAC/CC,QAAQ;MACRpB,WAAW;MACXO,QAAQ;MACRc,aAAa;MACbC,iBAAiB;MACjBnB,KAAK;MACLoB,MAAM;MACNC;IAUJ,CAAC,GAAAL,KAAA;IACG,IAAMlB,KAAK,GAAGnB,aAAa,CAAC,CAAC;IAC7B,IAAM2C,UAAU,GAAG,IAAIvD,UAAU,CAAAwD,aAAA,CAAAA,aAAA,KAC1BN,QAAQ;MACXO,SAAS,EAAEpB,QAAQ;MACnBqB,YAAY,EAAE5B,WAAW;MACzB6B,SAAS,EAAET,QAAQ,CAACU,MAAM;MAC1BC,aAAa,EAAE,OAAO;MACtBC,aAAa,EAAE,MAAM;MACrB/B,KAAK;MACLgC,UAAU,EAAE,IAAI5D,oBAAoB,CAAC;QAAE6D,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC;IAAC,EAC7F,CAAC;IACF,IAAMC,SAAoB,GAAG;MAAEjB,aAAa;MAAElB,KAAK;MAAEmB;IAAkB,CAAC;IACxE,IAAMiB,OAAO,SAASd,UAAU,CAACe,mBAAmB,CAAC;MACjDtC,KAAK,EAAEoC,SAAS;MAChBnC,KAAK;MACLoB,MAAM;MACNkB,SAAS,EAAEjB;IACf,CAAC,CAAC;IAEF,OAAOe,OAAO,CAAC9B,GAAG;EACtB,CAAC;EAAA,gBAvCYQ,4BAA4BA,CAAAyB,GAAA;IAAA,OAAAxB,KAAA,CAAAtB,KAAA,OAAAC,SAAA;EAAA;AAAA,GAuCxC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAM8C,qCAAqC,GAAIC,QAAwB,KAClE;EACGC,QAAQ,EAAED,QAAQ,CAACC,QAAQ;EAC3B5C,KAAK,EAAE2C,QAAQ,CAAC3C,KAAK;EACrB6C,UAAU,EAAEF,QAAQ,CAACE,UAAU;EAC/BC,aAAa,EAAEH,QAAQ,CAACG,aAAa;EACrCC,YAAY,EAAEJ,QAAQ,CAACI,YAAY;EACnCC,UAAU,EAAE;AAChB,CAAC,CAAwB;;AAE7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,8BAA8B;EAAA,IAAAC,KAAA,GAAA/D,iBAAA,CAAG,WAC1CgE,IAAY,EACZlD,KAAa,EAOX;IACF;AACJ;AACA;AACA;AACA;IACI,IAAMmD,gBAAgB,GAAG,IAAI3C,GAAG,CAAC0B,MAAM,CAACkB,QAAQ,CAACC,MAAM,CAAC;IACxDF,gBAAgB,CAAC1C,YAAY,CAACC,MAAM,CAAC,MAAM,EAAEwC,IAAI,CAAC;IAClDC,gBAAgB,CAAC1C,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;;IAEpD;IACAjC,GAAG,CAACuF,SAAS,CAAClF,MAAM,CAAC;IACrB,IAAI;MACA,IAAMsE,QAAQ,GAAG,IAAIzE,cAAc,CAACkF,gBAAgB,CAAC1C,YAAY,CAAC;MAElE,IAAMsB,UAAU,GAAG,IAAI5D,oBAAoB,CAAC;QAAE6D,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC,CAAC;;MAEjG;MACA,IAAMoB,WAAW,SAASxB,UAAU,CAACyB,GAAG,CAACd,QAAQ,CAAC1C,KAAM,CAAC;MACzD,IAAI,CAACuD,WAAW,EAAE;QACd,MAAM,IAAIE,KAAK,CAACnF,SAAS,CAACoF,2BAA2B,CAAC;MAC1D;;MAEA;MACA;MACA,IAAMC,WAAW,SAASzF,WAAW,CAAC0F,iBAAiB,CAACL,WAAW,CAAC;MACpE,IAAMM,MAAM,GAAG,IAAI7F,UAAU,CAAAwD,aAAA,CAAAA,aAAA,KAAMmC,WAAW;QAAE5B;MAAU,EAAE,CAAC;;MAE7D;MACA,IAAM+B,cAAc,SAASD,MAAM,CAACE,qBAAqB,CAACZ,gBAAgB,CAACa,IAAI,CAAC;;MAEhF;MACA;MACA,IAAM5B,SAAS,GAAG0B,cAAc,CAAC1B,SAAS;MAC1C3D,uBAAuB,CAAC2D,SAAS,CAAC;;MAElC;MACA7D,2BAA2B,CAACuF,cAAc,CAAC;MAC3C;MACAtF,eAAe,CAACsF,cAAc,CAACnB,QAAQ,EAAEkB,MAAM,CAACI,QAAQ,CAACtC,SAAS,EAAEkC,MAAM,CAACI,QAAQ,CAACxC,SAAS,EAAEW,SAAS,CAACnC,KAAK,CAAC;MAC/G,IAAMiE,uBAAuB,GAAGzB,qCAAqC,CAACqB,cAAc,CAAC;MAErF,OAAO;QACHK,kBAAkB,EAAE;UAChB9D,QAAQ,EAAEwD,MAAM,CAACI,QAAQ,CAACxC,SAAS;UACnCG,MAAM,EAAEiC,MAAM,CAACI,QAAQ,CAACtC;QAC5B,CAAC;QACDyC,aAAa,EAAEF,uBAAuB;QACtC/C,aAAa,EAAEiB,SAAS,CAACjB,aAAa;QACtCC,iBAAiB,EAAEgB,SAAS,CAAChB,iBAAiB;QAC9CiD,aAAa,EAAEP,cAAc,CAACQ;MAClC,CAAC;IACL,CAAC,CAAC,OAAOC,KAAK,EAAE;MACZnG,MAAM,CAACmG,KAAK,CAAC,mBAAmB,EAAEA,KAAK,CAAC;MACxC,IAAMC,SAAS,GAAID,KAAK,CAAWE,OAAO;;MAE1C;MACA,IAAIC,MAAM,CAACC,MAAM,CAACrG,SAAS,CAAC,CAACsG,QAAQ,CAACJ,SAAgB,CAAC,EAAE;QACrD,MAAMD,KAAK;MACf;MACA,MAAM,IAAId,KAAK,CAACnF,SAAS,CAACuG,kBAAkB,CAAC;IACjD;EACJ,CAAC;EAAA,gBAvEY7B,8BAA8BA,CAAA8B,GAAA,EAAAC,GAAA;IAAA,OAAA9B,KAAA,CAAAvD,KAAA,OAAAC,SAAA;EAAA;AAAA,GAuE1C","ignoreList":[]}
|
|
1
|
+
{"version":3,"file":"authorize.js","names":["Log","OidcClient","SigninResponse","SigninState","WebStorageStateStore","logger","secureRandomString","OidcError","validateBearerTokenResponse","validateIdToken","validateStoredUserState","sha256","encodeUnpaddedBase64Url","generateScope","deviceId","safeDeviceId","concat","generateCodeChallenge","_ref","_asyncToGenerator","codeVerifier","globalThis","crypto","subtle","warn","hashBuffer","_x","apply","arguments","generateAuthorizationParams","_ref2","redirectUri","scope","state","nonce","generateAuthorizationUrl","_ref4","authorizationUrl","clientId","_ref3","url","URL","searchParams","append","toString","_x2","_x3","_x4","generateOidcAuthorizationUrl","_ref6","_ref5","metadata","homeserverUrl","identityServerUrl","prompt","urlState","oidcClient","_objectSpread","client_id","redirect_uri","authority","issuer","response_mode","response_type","stateStore","prefix","store","window","sessionStorage","userState","request","createSigninRequest","url_state","_x5","normalizeBearerTokenResponseTokenType","response","id_token","expires_at","refresh_token","access_token","token_type","completeAuthorizationCodeGrant","_ref7","code","reconstructedUrl","location","origin","setLogger","stateString","get","Error","MissingOrInvalidStoredState","signInState","fromStorageString","client","signinResponse","processSigninResponse","href","settings","normalizedTokenResponse","oidcClientSettings","tokenResponse","idTokenClaims","profile","error","errorType","message","Object","values","includes","CodeExchangeFailed","_x6","_x7"],"sources":["../../src/oidc/authorize.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { IdTokenClaims, Log, OidcClient, SigninResponse, SigninState, WebStorageStateStore } from \"oidc-client-ts\";\n\nimport { logger } from \"../logger.ts\";\nimport { secureRandomString } from \"../randomstring.ts\";\nimport { OidcError } from \"./error.ts\";\nimport {\n BearerTokenResponse,\n UserState,\n validateBearerTokenResponse,\n ValidatedAuthMetadata,\n validateIdToken,\n validateStoredUserState,\n} from \"./validate.ts\";\nimport { sha256 } from \"../digest.ts\";\nimport { encodeUnpaddedBase64Url } from \"../base64.ts\";\n\n// reexport for backwards compatibility\nexport type { BearerTokenResponse };\n\n/**\n * Authorization parameters which are used in the authentication request of an OIDC auth code flow.\n *\n * See https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters.\n */\nexport type AuthorizationParams = {\n state: string;\n scope: string;\n redirectUri: string;\n codeVerifier: string;\n nonce: string;\n};\n\n/**\n * @experimental\n * Generate the scope used in authorization request with OIDC OP\n * @returns scope\n */\nexport const generateScope = (deviceId?: string): string => {\n const safeDeviceId = deviceId ?? secureRandomString(10);\n return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;\n};\n\n// https://www.rfc-editor.org/rfc/rfc7636\nconst generateCodeChallenge = async (codeVerifier: string): Promise<string> => {\n if (!globalThis.crypto.subtle) {\n // @TODO(kerrya) should this be allowed? configurable?\n logger.warn(\"A secure context is required to generate code challenge. Using plain text code challenge\");\n return codeVerifier;\n }\n\n const hashBuffer = await sha256(codeVerifier);\n return encodeUnpaddedBase64Url(hashBuffer);\n};\n\n/**\n * Generate authorization params to pass to {@link generateAuthorizationUrl}.\n *\n * Used as part of an authorization code OIDC flow: see https://openid.net/specs/openid-connect-basic-1_0.html#CodeFlow.\n *\n * @param redirectUri - absolute url for OP to redirect to after authorization\n * @returns AuthorizationParams\n */\nexport const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({\n scope: generateScope(),\n redirectUri,\n state: secureRandomString(8),\n nonce: secureRandomString(8),\n codeVerifier: secureRandomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters\n});\n\n/**\n * @deprecated use generateOidcAuthorizationUrl\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param authorizationUrl - endpoint to attempt authorization with the OP\n * @param clientId - id of this client as registered with the OP\n * @param authorizationParams - params to be used in the url\n * @returns a Promise with the url as a string\n */\nexport const generateAuthorizationUrl = async (\n authorizationUrl: string,\n clientId: string,\n { scope, redirectUri, state, nonce, codeVerifier }: AuthorizationParams,\n): Promise<string> => {\n const url = new URL(authorizationUrl);\n url.searchParams.append(\"response_mode\", \"query\");\n url.searchParams.append(\"response_type\", \"code\");\n url.searchParams.append(\"redirect_uri\", redirectUri);\n url.searchParams.append(\"client_id\", clientId);\n url.searchParams.append(\"state\", state);\n url.searchParams.append(\"scope\", scope);\n url.searchParams.append(\"nonce\", nonce);\n\n url.searchParams.append(\"code_challenge_method\", \"S256\");\n url.searchParams.append(\"code_challenge\", await generateCodeChallenge(codeVerifier));\n\n return url.toString();\n};\n\n/**\n * @experimental\n * Generate a URL to attempt authorization with the OP\n * See https://openid.net/specs/openid-connect-basic-1_0.html#CodeRequest\n * @param metadata - validated metadata from OP discovery\n * @param clientId - this client's id as registered with the OP\n * @param homeserverUrl - used to establish the session on return from the OP\n * @param identityServerUrl - used to establish the session on return from the OP\n * @param nonce - state\n * @param prompt - indicates to the OP which flow the user should see - eg login or registration\n * See https://openid.net/specs/openid-connect-prompt-create-1_0.html#name-prompt-parameter\n * @param urlState - value to append to the opaque state identifier to uniquely identify the callback\n * @returns a Promise with the url as a string\n */\nexport const generateOidcAuthorizationUrl = async ({\n metadata,\n redirectUri,\n clientId,\n homeserverUrl,\n identityServerUrl,\n nonce,\n prompt,\n urlState,\n}: {\n clientId: string;\n metadata: ValidatedAuthMetadata;\n homeserverUrl: string;\n identityServerUrl?: string;\n redirectUri: string;\n nonce: string;\n prompt?: string;\n urlState?: string;\n}): Promise<string> => {\n const scope = generateScope();\n const oidcClient = new OidcClient({\n ...metadata,\n client_id: clientId,\n redirect_uri: redirectUri,\n authority: metadata.issuer,\n response_mode: \"query\",\n response_type: \"code\",\n scope,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n const userState: UserState = { homeserverUrl, nonce, identityServerUrl };\n const request = await oidcClient.createSigninRequest({\n state: userState,\n nonce,\n prompt,\n url_state: urlState,\n });\n\n return request.url;\n};\n\n/**\n * Normalize token_type to use capital case to make consuming the token response easier\n * token_type is case insensitive, and it is spec-compliant for OPs to return token_type: \"bearer\"\n * Later, when used in auth headers it is case sensitive and must be Bearer\n * See: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4\n *\n * @param response - validated token response\n * @returns response with token_type set to 'Bearer'\n */\nconst normalizeBearerTokenResponseTokenType = (response: SigninResponse): BearerTokenResponse =>\n ({\n id_token: response.id_token,\n scope: response.scope,\n expires_at: response.expires_at,\n refresh_token: response.refresh_token,\n access_token: response.access_token,\n token_type: \"Bearer\",\n }) as BearerTokenResponse;\n\n/**\n * @experimental\n * Attempt to exchange authorization code for bearer token.\n *\n * Takes the authorization code returned by the OpenID Provider via the authorization URL, and makes a\n * request to the Token Endpoint, to obtain the access token, refresh token, etc.\n *\n * @param code - authorization code as returned by OP during authorization\n * @param storedAuthorizationParams - stored params from start of oidc login flow\n * @returns valid bearer token response\n * @throws An `Error` with `message` set to an entry in {@link OidcError},\n * when the request fails, or the returned token response is invalid.\n */\nexport const completeAuthorizationCodeGrant = async (\n code: string,\n state: string,\n): Promise<{\n oidcClientSettings: { clientId: string; issuer: string };\n tokenResponse: BearerTokenResponse;\n homeserverUrl: string;\n idTokenClaims: IdTokenClaims;\n identityServerUrl?: string;\n}> => {\n /**\n * Element Web strips and changes the url on starting the app\n * Use the code and state from query params to rebuild a url\n * so that oidc-client can parse it\n */\n const reconstructedUrl = new URL(window.location.origin);\n reconstructedUrl.searchParams.append(\"code\", code);\n reconstructedUrl.searchParams.append(\"state\", state);\n\n // set oidc-client to use our logger\n Log.setLogger(logger);\n try {\n const response = new SigninResponse(reconstructedUrl.searchParams);\n\n const stateStore = new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage });\n\n // retrieve the state we put in storage at the start of oidc auth flow\n const stateString = await stateStore.get(response.state!);\n if (!stateString) {\n throw new Error(OidcError.MissingOrInvalidStoredState);\n }\n\n // hydrate the sign in state and create a client\n // the stored sign in state includes oidc configuration we set at the start of the oidc login flow\n const signInState = await SigninState.fromStorageString(stateString);\n const client = new OidcClient({ ...signInState, stateStore });\n\n // validate the code and state, and attempt to swap the code for tokens\n const signinResponse = await client.processSigninResponse(reconstructedUrl.href);\n\n // extra values we stored at the start of the login flow\n // used to complete login in the client\n const userState = signinResponse.userState;\n validateStoredUserState(userState);\n\n // throws when response is invalid\n validateBearerTokenResponse(signinResponse);\n // throws when token is invalid\n validateIdToken(signinResponse.id_token, client.settings.authority, client.settings.client_id, userState.nonce);\n const normalizedTokenResponse = normalizeBearerTokenResponseTokenType(signinResponse);\n\n return {\n oidcClientSettings: {\n clientId: client.settings.client_id,\n issuer: client.settings.authority,\n },\n tokenResponse: normalizedTokenResponse,\n homeserverUrl: userState.homeserverUrl,\n identityServerUrl: userState.identityServerUrl,\n idTokenClaims: signinResponse.profile,\n };\n } catch (error) {\n logger.error(\"Oidc login failed\", error);\n const errorType = (error as Error).message;\n\n // rethrow errors that we recognise\n if (Object.values(OidcError).includes(errorType as any)) {\n throw error;\n }\n throw new Error(OidcError.CodeExchangeFailed);\n }\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAAwBA,GAAG,EAAEC,UAAU,EAAEC,cAAc,EAAEC,WAAW,EAAEC,oBAAoB,QAAQ,gBAAgB;AAElH,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,kBAAkB,QAAQ,oBAAoB;AACvD,SAASC,SAAS,QAAQ,YAAY;AACtC,SAGIC,2BAA2B,EAE3BC,eAAe,EACfC,uBAAuB,QACpB,eAAe;AACtB,SAASC,MAAM,QAAQ,cAAc;AACrC,SAASC,uBAAuB,QAAQ,cAAc;;AAEtD;;AAGA;AACA;AACA;AACA;AACA;;AASA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,aAAa,GAAIC,QAAiB,IAAa;EACxD,IAAMC,YAAY,GAAGD,QAAQ,aAARA,QAAQ,cAARA,QAAQ,GAAIR,kBAAkB,CAAC,EAAE,CAAC;EACvD,wGAAAU,MAAA,CAAwGD,YAAY;AACxH,CAAC;;AAED;AACA,IAAME,qBAAqB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,YAAoB,EAAsB;IAC3E,IAAI,CAACC,UAAU,CAACC,MAAM,CAACC,MAAM,EAAE;MAC3B;MACAlB,MAAM,CAACmB,IAAI,CAAC,0FAA0F,CAAC;MACvG,OAAOJ,YAAY;IACvB;IAEA,IAAMK,UAAU,SAASd,MAAM,CAACS,YAAY,CAAC;IAC7C,OAAOR,uBAAuB,CAACa,UAAU,CAAC;EAC9C,CAAC;EAAA,gBATKR,qBAAqBA,CAAAS,EAAA;IAAA,OAAAR,IAAA,CAAAS,KAAA,OAAAC,SAAA;EAAA;AAAA,GAS1B;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,2BAA2B,GAAGC,KAAA;EAAA,IAAC;IAAEC;EAAqC,CAAC,GAAAD,KAAA;EAAA,OAA2B;IAC3GE,KAAK,EAAEnB,aAAa,CAAC,CAAC;IACtBkB,WAAW;IACXE,KAAK,EAAE3B,kBAAkB,CAAC,CAAC,CAAC;IAC5B4B,KAAK,EAAE5B,kBAAkB,CAAC,CAAC,CAAC;IAC5Bc,YAAY,EAAEd,kBAAkB,CAAC,EAAE,CAAC,CAAE;EAC1C,CAAC;AAAA,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAM6B,wBAAwB;EAAA,IAAAC,KAAA,GAAAjB,iBAAA,CAAG,WACpCkB,gBAAwB,EACxBC,QAAgB,EAAAC,KAAA,EAEE;IAAA,IADlB;MAAEP,KAAK;MAAED,WAAW;MAAEE,KAAK;MAAEC,KAAK;MAAEd;IAAkC,CAAC,GAAAmB,KAAA;IAEvE,IAAMC,GAAG,GAAG,IAAIC,GAAG,CAACJ,gBAAgB,CAAC;IACrCG,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC;IACjDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC;IAChDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,cAAc,EAAEZ,WAAW,CAAC;IACpDS,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,WAAW,EAAEL,QAAQ,CAAC;IAC9CE,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;IACvCO,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEX,KAAK,CAAC;IACvCQ,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAET,KAAK,CAAC;IAEvCM,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC;IACxDH,GAAG,CAACE,YAAY,CAACC,MAAM,CAAC,gBAAgB,QAAQ1B,qBAAqB,CAACG,YAAY,CAAC,CAAC;IAEpF,OAAOoB,GAAG,CAACI,QAAQ,CAAC,CAAC;EACzB,CAAC;EAAA,gBAlBYT,wBAAwBA,CAAAU,GAAA,EAAAC,GAAA,EAAAC,GAAA;IAAA,OAAAX,KAAA,CAAAT,KAAA,OAAAC,SAAA;EAAA;AAAA,GAkBpC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMoB,4BAA4B;EAAA,IAAAC,KAAA,GAAA9B,iBAAA,CAAG,WAAA+B,KAAA,EAkBrB;IAAA,IAlB4B;MAC/CC,QAAQ;MACRpB,WAAW;MACXO,QAAQ;MACRc,aAAa;MACbC,iBAAiB;MACjBnB,KAAK;MACLoB,MAAM;MACNC;IAUJ,CAAC,GAAAL,KAAA;IACG,IAAMlB,KAAK,GAAGnB,aAAa,CAAC,CAAC;IAC7B,IAAM2C,UAAU,GAAG,IAAIvD,UAAU,CAAAwD,aAAA,CAAAA,aAAA,KAC1BN,QAAQ;MACXO,SAAS,EAAEpB,QAAQ;MACnBqB,YAAY,EAAE5B,WAAW;MACzB6B,SAAS,EAAET,QAAQ,CAACU,MAAM;MAC1BC,aAAa,EAAE,OAAO;MACtBC,aAAa,EAAE,MAAM;MACrB/B,KAAK;MACLgC,UAAU,EAAE,IAAI5D,oBAAoB,CAAC;QAAE6D,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC;IAAC,EAC7F,CAAC;IACF,IAAMC,SAAoB,GAAG;MAAEjB,aAAa;MAAElB,KAAK;MAAEmB;IAAkB,CAAC;IACxE,IAAMiB,OAAO,SAASd,UAAU,CAACe,mBAAmB,CAAC;MACjDtC,KAAK,EAAEoC,SAAS;MAChBnC,KAAK;MACLoB,MAAM;MACNkB,SAAS,EAAEjB;IACf,CAAC,CAAC;IAEF,OAAOe,OAAO,CAAC9B,GAAG;EACtB,CAAC;EAAA,gBAvCYQ,4BAA4BA,CAAAyB,GAAA;IAAA,OAAAxB,KAAA,CAAAtB,KAAA,OAAAC,SAAA;EAAA;AAAA,GAuCxC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAM8C,qCAAqC,GAAIC,QAAwB,KAClE;EACGC,QAAQ,EAAED,QAAQ,CAACC,QAAQ;EAC3B5C,KAAK,EAAE2C,QAAQ,CAAC3C,KAAK;EACrB6C,UAAU,EAAEF,QAAQ,CAACE,UAAU;EAC/BC,aAAa,EAAEH,QAAQ,CAACG,aAAa;EACrCC,YAAY,EAAEJ,QAAQ,CAACI,YAAY;EACnCC,UAAU,EAAE;AAChB,CAAC,CAAwB;;AAE7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,8BAA8B;EAAA,IAAAC,KAAA,GAAA/D,iBAAA,CAAG,WAC1CgE,IAAY,EACZlD,KAAa,EAOX;IACF;AACJ;AACA;AACA;AACA;IACI,IAAMmD,gBAAgB,GAAG,IAAI3C,GAAG,CAAC0B,MAAM,CAACkB,QAAQ,CAACC,MAAM,CAAC;IACxDF,gBAAgB,CAAC1C,YAAY,CAACC,MAAM,CAAC,MAAM,EAAEwC,IAAI,CAAC;IAClDC,gBAAgB,CAAC1C,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEV,KAAK,CAAC;;IAEpD;IACAjC,GAAG,CAACuF,SAAS,CAAClF,MAAM,CAAC;IACrB,IAAI;MACA,IAAMsE,QAAQ,GAAG,IAAIzE,cAAc,CAACkF,gBAAgB,CAAC1C,YAAY,CAAC;MAElE,IAAMsB,UAAU,GAAG,IAAI5D,oBAAoB,CAAC;QAAE6D,MAAM,EAAE,UAAU;QAAEC,KAAK,EAAEC,MAAM,CAACC;MAAe,CAAC,CAAC;;MAEjG;MACA,IAAMoB,WAAW,SAASxB,UAAU,CAACyB,GAAG,CAACd,QAAQ,CAAC1C,KAAM,CAAC;MACzD,IAAI,CAACuD,WAAW,EAAE;QACd,MAAM,IAAIE,KAAK,CAACnF,SAAS,CAACoF,2BAA2B,CAAC;MAC1D;;MAEA;MACA;MACA,IAAMC,WAAW,SAASzF,WAAW,CAAC0F,iBAAiB,CAACL,WAAW,CAAC;MACpE,IAAMM,MAAM,GAAG,IAAI7F,UAAU,CAAAwD,aAAA,CAAAA,aAAA,KAAMmC,WAAW;QAAE5B;MAAU,EAAE,CAAC;;MAE7D;MACA,IAAM+B,cAAc,SAASD,MAAM,CAACE,qBAAqB,CAACZ,gBAAgB,CAACa,IAAI,CAAC;;MAEhF;MACA;MACA,IAAM5B,SAAS,GAAG0B,cAAc,CAAC1B,SAAS;MAC1C3D,uBAAuB,CAAC2D,SAAS,CAAC;;MAElC;MACA7D,2BAA2B,CAACuF,cAAc,CAAC;MAC3C;MACAtF,eAAe,CAACsF,cAAc,CAACnB,QAAQ,EAAEkB,MAAM,CAACI,QAAQ,CAACtC,SAAS,EAAEkC,MAAM,CAACI,QAAQ,CAACxC,SAAS,EAAEW,SAAS,CAACnC,KAAK,CAAC;MAC/G,IAAMiE,uBAAuB,GAAGzB,qCAAqC,CAACqB,cAAc,CAAC;MAErF,OAAO;QACHK,kBAAkB,EAAE;UAChB9D,QAAQ,EAAEwD,MAAM,CAACI,QAAQ,CAACxC,SAAS;UACnCG,MAAM,EAAEiC,MAAM,CAACI,QAAQ,CAACtC;QAC5B,CAAC;QACDyC,aAAa,EAAEF,uBAAuB;QACtC/C,aAAa,EAAEiB,SAAS,CAACjB,aAAa;QACtCC,iBAAiB,EAAEgB,SAAS,CAAChB,iBAAiB;QAC9CiD,aAAa,EAAEP,cAAc,CAACQ;MAClC,CAAC;IACL,CAAC,CAAC,OAAOC,KAAK,EAAE;MACZnG,MAAM,CAACmG,KAAK,CAAC,mBAAmB,EAAEA,KAAK,CAAC;MACxC,IAAMC,SAAS,GAAID,KAAK,CAAWE,OAAO;;MAE1C;MACA,IAAIC,MAAM,CAACC,MAAM,CAACrG,SAAS,CAAC,CAACsG,QAAQ,CAACJ,SAAgB,CAAC,EAAE;QACrD,MAAMD,KAAK;MACf;MACA,MAAM,IAAId,KAAK,CAACnF,SAAS,CAACuG,kBAAkB,CAAC;IACjD;EACJ,CAAC;EAAA,gBAvEY7B,8BAA8BA,CAAA8B,GAAA,EAAAC,GAAA;IAAA,OAAA9B,KAAA,CAAAvD,KAAA,OAAAC,SAAA;EAAA;AAAA,GAuE1C","ignoreList":[]}
|
package/lib/oidc/discovery.d.ts
CHANGED
|
@@ -9,6 +9,14 @@ import { OidcClientConfig } from "./index.ts";
|
|
|
9
9
|
* @param issuer - the OIDC issuer as returned by the /auth_issuer API
|
|
10
10
|
* @returns validated authentication metadata and optionally signing keys
|
|
11
11
|
* @throws when delegated auth config is invalid or unreachable
|
|
12
|
+
* @deprecated in favour of {@link MatrixClient#getAuthMetadata}
|
|
12
13
|
*/
|
|
13
14
|
export declare const discoverAndValidateOIDCIssuerWellKnown: (issuer: string) => Promise<OidcClientConfig>;
|
|
15
|
+
/**
|
|
16
|
+
* @experimental
|
|
17
|
+
* Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata
|
|
18
|
+
* @param authMetadata - the authentication metadata to validate
|
|
19
|
+
* @returns validated authentication metadata and signing keys
|
|
20
|
+
*/
|
|
21
|
+
export declare const validateAuthMetadataAndKeys: (authMetadata: unknown) => Promise<OidcClientConfig>;
|
|
14
22
|
//# sourceMappingURL=discovery.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/oidc/discovery.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C
|
|
1
|
+
{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/oidc/discovery.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sCAAsC,WAAkB,MAAM,KAAG,OAAO,CAAC,gBAAgB,CAQrG,CAAC;AACF;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,iBAAwB,OAAO,KAAG,OAAO,CAAC,gBAAgB,CAgBjG,CAAC"}
|
package/lib/oidc/discovery.js
CHANGED
|
@@ -19,7 +19,7 @@ limitations under the License.
|
|
|
19
19
|
*/
|
|
20
20
|
|
|
21
21
|
import { MetadataService, OidcClientSettingsStore } from "oidc-client-ts";
|
|
22
|
-
import {
|
|
22
|
+
import { validateAuthMetadata } from "./validate.js";
|
|
23
23
|
import { Method, timeoutSignal } from "../http-api/index.js";
|
|
24
24
|
/**
|
|
25
25
|
* @experimental
|
|
@@ -31,36 +31,47 @@ import { Method, timeoutSignal } from "../http-api/index.js";
|
|
|
31
31
|
* @param issuer - the OIDC issuer as returned by the /auth_issuer API
|
|
32
32
|
* @returns validated authentication metadata and optionally signing keys
|
|
33
33
|
* @throws when delegated auth config is invalid or unreachable
|
|
34
|
+
* @deprecated in favour of {@link MatrixClient#getAuthMetadata}
|
|
34
35
|
*/
|
|
35
36
|
export var discoverAndValidateOIDCIssuerWellKnown = /*#__PURE__*/function () {
|
|
36
37
|
var _ref = _asyncToGenerator(function* (issuer) {
|
|
37
|
-
var _yield$metadataServic;
|
|
38
38
|
var issuerOpenIdConfigUrl = new URL(".well-known/openid-configuration", issuer);
|
|
39
39
|
var issuerWellKnownResponse = yield fetch(issuerOpenIdConfigUrl, {
|
|
40
40
|
method: Method.Get,
|
|
41
41
|
signal: timeoutSignal(5000)
|
|
42
42
|
});
|
|
43
43
|
var issuerWellKnown = yield issuerWellKnownResponse.json();
|
|
44
|
-
|
|
44
|
+
return validateAuthMetadataAndKeys(issuerWellKnown);
|
|
45
|
+
});
|
|
46
|
+
return function discoverAndValidateOIDCIssuerWellKnown(_x) {
|
|
47
|
+
return _ref.apply(this, arguments);
|
|
48
|
+
};
|
|
49
|
+
}();
|
|
50
|
+
/**
|
|
51
|
+
* @experimental
|
|
52
|
+
* Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata
|
|
53
|
+
* @param authMetadata - the authentication metadata to validate
|
|
54
|
+
* @returns validated authentication metadata and signing keys
|
|
55
|
+
*/
|
|
56
|
+
export var validateAuthMetadataAndKeys = /*#__PURE__*/function () {
|
|
57
|
+
var _ref2 = _asyncToGenerator(function* (authMetadata) {
|
|
58
|
+
var validatedIssuerConfig = validateAuthMetadata(authMetadata);
|
|
45
59
|
|
|
46
60
|
// create a temporary settings store, so we can use metadata service for discovery
|
|
47
61
|
var settings = new OidcClientSettingsStore({
|
|
48
|
-
authority: issuer,
|
|
62
|
+
authority: validatedIssuerConfig.issuer,
|
|
63
|
+
metadata: validatedIssuerConfig,
|
|
49
64
|
redirect_uri: "",
|
|
50
65
|
// Not known yet, this is here to make the type checker happy
|
|
51
66
|
client_id: "" // Not known yet, this is here to make the type checker happy
|
|
52
67
|
});
|
|
53
68
|
var metadataService = new MetadataService(settings);
|
|
54
|
-
var metadata = yield metadataService.getMetadata();
|
|
55
|
-
var signingKeys = (_yield$metadataServic = yield metadataService.getSigningKeys()) !== null && _yield$metadataServic !== void 0 ? _yield$metadataServic : undefined;
|
|
56
|
-
isValidatedIssuerMetadata(metadata);
|
|
57
69
|
return _objectSpread(_objectSpread({}, validatedIssuerConfig), {}, {
|
|
58
|
-
|
|
59
|
-
signingKeys
|
|
70
|
+
signingKeys: yield metadataService.getSigningKeys()
|
|
60
71
|
});
|
|
61
72
|
});
|
|
62
|
-
return function
|
|
63
|
-
return
|
|
73
|
+
return function validateAuthMetadataAndKeys(_x2) {
|
|
74
|
+
return _ref2.apply(this, arguments);
|
|
64
75
|
};
|
|
65
76
|
}();
|
|
66
77
|
//# sourceMappingURL=discovery.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discovery.js","names":["MetadataService","OidcClientSettingsStore","
|
|
1
|
+
{"version":3,"file":"discovery.js","names":["MetadataService","OidcClientSettingsStore","validateAuthMetadata","Method","timeoutSignal","discoverAndValidateOIDCIssuerWellKnown","_ref","_asyncToGenerator","issuer","issuerOpenIdConfigUrl","URL","issuerWellKnownResponse","fetch","method","Get","signal","issuerWellKnown","json","validateAuthMetadataAndKeys","_x","apply","arguments","_ref2","authMetadata","validatedIssuerConfig","settings","authority","metadata","redirect_uri","client_id","metadataService","_objectSpread","signingKeys","getSigningKeys","_x2"],"sources":["../../src/oidc/discovery.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { MetadataService, OidcClientSettingsStore } from \"oidc-client-ts\";\n\nimport { validateAuthMetadata } from \"./validate.ts\";\nimport { Method, timeoutSignal } from \"../http-api/index.ts\";\nimport { OidcClientConfig } from \"./index.ts\";\n\n/**\n * @experimental\n * Discover and validate delegated auth configuration\n * - delegated auth issuer openid-configuration is reachable\n * - delegated auth issuer openid-configuration is configured correctly for us\n * Fetches https://oidc-issuer.example.com/.well-known/openid-configuration and other files linked therein.\n * When successful, validated metadata is returned\n * @param issuer - the OIDC issuer as returned by the /auth_issuer API\n * @returns validated authentication metadata and optionally signing keys\n * @throws when delegated auth config is invalid or unreachable\n * @deprecated in favour of {@link MatrixClient#getAuthMetadata}\n */\nexport const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Promise<OidcClientConfig> => {\n const issuerOpenIdConfigUrl = new URL(\".well-known/openid-configuration\", issuer);\n const issuerWellKnownResponse = await fetch(issuerOpenIdConfigUrl, {\n method: Method.Get,\n signal: timeoutSignal(5000),\n });\n const issuerWellKnown = await issuerWellKnownResponse.json();\n return validateAuthMetadataAndKeys(issuerWellKnown);\n};\n/**\n * @experimental\n * Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata\n * @param authMetadata - the authentication metadata to validate\n * @returns validated authentication metadata and signing keys\n */\nexport const validateAuthMetadataAndKeys = async (authMetadata: unknown): Promise<OidcClientConfig> => {\n const validatedIssuerConfig = validateAuthMetadata(authMetadata);\n\n // create a temporary settings store, so we can use metadata service for discovery\n const settings = new OidcClientSettingsStore({\n authority: validatedIssuerConfig.issuer,\n metadata: validatedIssuerConfig,\n redirect_uri: \"\", // Not known yet, this is here to make the type checker happy\n client_id: \"\", // Not known yet, this is here to make the type checker happy\n });\n const metadataService = new MetadataService(settings);\n \n return {\n ...validatedIssuerConfig,\n signingKeys: await metadataService.getSigningKeys(),\n };\n};\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,eAAe,EAAEC,uBAAuB,QAAQ,gBAAgB;AAEzE,SAASC,oBAAoB,QAAQ,eAAe;AACpD,SAASC,MAAM,EAAEC,aAAa,QAAQ,sBAAsB;AAG5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,sCAAsC;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAAOC,MAAc,EAAgC;IACvG,IAAMC,qBAAqB,GAAG,IAAIC,GAAG,CAAC,kCAAkC,EAAEF,MAAM,CAAC;IACjF,IAAMG,uBAAuB,SAASC,KAAK,CAACH,qBAAqB,EAAE;MAC/DI,MAAM,EAAEV,MAAM,CAACW,GAAG;MAClBC,MAAM,EAAEX,aAAa,CAAC,IAAI;IAC9B,CAAC,CAAC;IACF,IAAMY,eAAe,SAASL,uBAAuB,CAACM,IAAI,CAAC,CAAC;IAC5D,OAAOC,2BAA2B,CAACF,eAAe,CAAC;EACvD,CAAC;EAAA,gBARYX,sCAAsCA,CAAAc,EAAA;IAAA,OAAAb,IAAA,CAAAc,KAAA,OAAAC,SAAA;EAAA;AAAA,GAQlD;AACD;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMH,2BAA2B;EAAA,IAAAI,KAAA,GAAAf,iBAAA,CAAG,WAAOgB,YAAqB,EAAgC;IACnG,IAAMC,qBAAqB,GAAGtB,oBAAoB,CAACqB,YAAY,CAAC;;IAEhE;IACA,IAAME,QAAQ,GAAG,IAAIxB,uBAAuB,CAAC;MACzCyB,SAAS,EAAEF,qBAAqB,CAAChB,MAAM;MACvCmB,QAAQ,EAAEH,qBAAqB;MAC/BI,YAAY,EAAE,EAAE;MAAE;MAClBC,SAAS,EAAE,EAAE,CAAE;IACnB,CAAC,CAAC;IACF,IAAMC,eAAe,GAAG,IAAI9B,eAAe,CAACyB,QAAQ,CAAC;IAErD,OAAAM,aAAA,CAAAA,aAAA,KACOP,qBAAqB;MACxBQ,WAAW,QAAQF,eAAe,CAACG,cAAc,CAAC;IAAC;EAE3D,CAAC;EAAA,gBAhBYf,2BAA2BA,CAAAgB,GAAA;IAAA,OAAAZ,KAAA,CAAAF,KAAA,OAAAC,SAAA;EAAA;AAAA,GAgBvC","ignoreList":[]}
|
package/lib/oidc/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import type { SigningKey } from "oidc-client-ts";
|
|
2
|
-
import {
|
|
2
|
+
import { ValidatedAuthMetadata } from "./validate.ts";
|
|
3
3
|
export * from "./authorize.ts";
|
|
4
4
|
export * from "./discovery.ts";
|
|
5
5
|
export * from "./error.ts";
|
|
@@ -10,8 +10,7 @@ export * from "./validate.ts";
|
|
|
10
10
|
* Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.
|
|
11
11
|
* Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).
|
|
12
12
|
*/
|
|
13
|
-
export interface OidcClientConfig extends
|
|
14
|
-
|
|
15
|
-
signingKeys?: SigningKey[];
|
|
13
|
+
export interface OidcClientConfig extends ValidatedAuthMetadata {
|
|
14
|
+
signingKeys: SigningKey[] | null;
|
|
16
15
|
}
|
|
17
16
|
//# sourceMappingURL=index.d.ts.map
|
package/lib/oidc/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oidc/index.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oidc/index.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,eAAe,CAAC;AAE9B;;;GAGG;AACH,MAAM,WAAW,gBAAiB,SAAQ,qBAAqB;IAC3D,WAAW,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC;CACpC"}
|
package/lib/oidc/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","names":[],"sources":["../../src/oidc/index.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport type { SigningKey } from \"oidc-client-ts\";\nimport {
|
|
1
|
+
{"version":3,"file":"index.js","names":[],"sources":["../../src/oidc/index.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport type { SigningKey } from \"oidc-client-ts\";\nimport { ValidatedAuthMetadata } from \"./validate.ts\";\n\nexport * from \"./authorize.ts\";\nexport * from \"./discovery.ts\";\nexport * from \"./error.ts\";\nexport * from \"./register.ts\";\nexport * from \"./tokenRefresher.ts\";\nexport * from \"./validate.ts\";\n\n/**\n * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.\n * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).\n */\nexport interface OidcClientConfig extends ValidatedAuthMetadata {\n signingKeys: SigningKey[] | null;\n}\n"],"mappings":"AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA,cAAc,gBAAgB;AAC9B,cAAc,gBAAgB;AAC9B,cAAc,YAAY;AAC1B,cAAc,eAAe;AAC7B,cAAc,qBAAqB;AACnC,cAAc,eAAe;;AAE7B;AACA;AACA;AACA;AAHA","ignoreList":[]}
|
package/lib/oidc/register.js
CHANGED
|
@@ -38,11 +38,11 @@ export var DEVICE_CODE_SCOPE = "urn:ietf:params:oauth:grant-type:device_code";
|
|
|
38
38
|
*/
|
|
39
39
|
export var registerOidcClient = /*#__PURE__*/function () {
|
|
40
40
|
var _ref = _asyncToGenerator(function* (delegatedAuthConfig, clientMetadata) {
|
|
41
|
-
if (!delegatedAuthConfig.
|
|
41
|
+
if (!delegatedAuthConfig.registration_endpoint) {
|
|
42
42
|
throw new Error(OidcError.DynamicRegistrationNotSupported);
|
|
43
43
|
}
|
|
44
44
|
var grantTypes = ["authorization_code", "refresh_token"];
|
|
45
|
-
if (grantTypes.some(scope => !delegatedAuthConfig.
|
|
45
|
+
if (grantTypes.some(scope => !delegatedAuthConfig.grant_types_supported.includes(scope))) {
|
|
46
46
|
throw new Error(OidcError.DynamicRegistrationNotSupported);
|
|
47
47
|
}
|
|
48
48
|
|
|
@@ -66,7 +66,7 @@ export var registerOidcClient = /*#__PURE__*/function () {
|
|
|
66
66
|
"Content-Type": "application/json"
|
|
67
67
|
};
|
|
68
68
|
try {
|
|
69
|
-
var response = yield fetch(delegatedAuthConfig.
|
|
69
|
+
var response = yield fetch(delegatedAuthConfig.registration_endpoint, {
|
|
70
70
|
method: Method.Post,
|
|
71
71
|
headers,
|
|
72
72
|
body: JSON.stringify(metadata)
|
package/lib/oidc/register.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"register.js","names":["OidcError","Method","logger","DEVICE_CODE_SCOPE","registerOidcClient","_ref","_asyncToGenerator","delegatedAuthConfig","clientMetadata","
|
|
1
|
+
{"version":3,"file":"register.js","names":["OidcError","Method","logger","DEVICE_CODE_SCOPE","registerOidcClient","_ref","_asyncToGenerator","delegatedAuthConfig","clientMetadata","registration_endpoint","Error","DynamicRegistrationNotSupported","grantTypes","some","scope","grant_types_supported","includes","metadata","client_name","clientName","client_uri","clientUri","response_types","grant_types","redirect_uris","redirectUris","id_token_signed_response_alg","token_endpoint_auth_method","application_type","applicationType","logo_uri","logoUri","contacts","policy_uri","policyUri","tos_uri","tosUri","headers","response","fetch","method","Post","body","JSON","stringify","status","DynamicRegistrationFailed","json","clientId","DynamicRegistrationInvalid","error","Object","values","message","_x","_x2","apply","arguments"],"sources":["../../src/oidc/register.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { OidcClientConfig } from \"./index.ts\";\nimport { OidcError } from \"./error.ts\";\nimport { Method } from \"../http-api/index.ts\";\nimport { logger } from \"../logger.ts\";\nimport { NonEmptyArray } from \"../@types/common.ts\";\n\n/**\n * Client metadata passed to registration endpoint\n */\nexport type OidcRegistrationClientMetadata = {\n clientName: OidcRegistrationRequestBody[\"client_name\"];\n clientUri: OidcRegistrationRequestBody[\"client_uri\"];\n logoUri?: OidcRegistrationRequestBody[\"logo_uri\"];\n applicationType: OidcRegistrationRequestBody[\"application_type\"];\n redirectUris: OidcRegistrationRequestBody[\"redirect_uris\"];\n contacts: OidcRegistrationRequestBody[\"contacts\"];\n tosUri: OidcRegistrationRequestBody[\"tos_uri\"];\n policyUri: OidcRegistrationRequestBody[\"policy_uri\"];\n};\n\n/**\n * Request body for dynamic registration as defined by https://github.com/matrix-org/matrix-spec-proposals/pull/2966\n */\ninterface OidcRegistrationRequestBody {\n client_name?: string;\n client_uri: string;\n logo_uri?: string;\n contacts?: string[];\n tos_uri?: string;\n policy_uri?: string;\n redirect_uris?: NonEmptyArray<string>;\n response_types?: NonEmptyArray<string>;\n grant_types?: NonEmptyArray<string>;\n id_token_signed_response_alg?: string;\n token_endpoint_auth_method: string;\n application_type: \"web\" | \"native\";\n}\n\nexport const DEVICE_CODE_SCOPE = \"urn:ietf:params:oauth:grant-type:device_code\";\n\n/**\n * Attempts dynamic registration against the configured registration endpoint\n * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}\n * @param clientMetadata - The metadata for the client which to register\n * @returns Promise<string> resolved with registered clientId\n * @throws when registration is not supported, on failed request or invalid response\n */\nexport const registerOidcClient = async (\n delegatedAuthConfig: OidcClientConfig,\n clientMetadata: OidcRegistrationClientMetadata,\n): Promise<string> => {\n if (!delegatedAuthConfig.registration_endpoint) {\n throw new Error(OidcError.DynamicRegistrationNotSupported);\n }\n\n const grantTypes: NonEmptyArray<string> = [\"authorization_code\", \"refresh_token\"];\n if (grantTypes.some((scope) => !delegatedAuthConfig.grant_types_supported.includes(scope))) {\n throw new Error(OidcError.DynamicRegistrationNotSupported);\n }\n\n // https://openid.net/specs/openid-connect-registration-1_0.html\n const metadata: OidcRegistrationRequestBody = {\n client_name: clientMetadata.clientName,\n client_uri: clientMetadata.clientUri,\n response_types: [\"code\"],\n grant_types: grantTypes,\n redirect_uris: clientMetadata.redirectUris,\n id_token_signed_response_alg: \"RS256\",\n token_endpoint_auth_method: \"none\",\n application_type: clientMetadata.applicationType,\n logo_uri: clientMetadata.logoUri,\n contacts: clientMetadata.contacts,\n policy_uri: clientMetadata.policyUri,\n tos_uri: clientMetadata.tosUri,\n };\n const headers = {\n \"Accept\": \"application/json\",\n \"Content-Type\": \"application/json\",\n };\n\n try {\n const response = await fetch(delegatedAuthConfig.registration_endpoint, {\n method: Method.Post,\n headers,\n body: JSON.stringify(metadata),\n });\n\n if (response.status >= 400) {\n throw new Error(OidcError.DynamicRegistrationFailed);\n }\n\n const body = await response.json();\n const clientId = body[\"client_id\"];\n if (!clientId || typeof clientId !== \"string\") {\n throw new Error(OidcError.DynamicRegistrationInvalid);\n }\n\n return clientId;\n } catch (error) {\n if (Object.values(OidcError).includes((error as Error).message as OidcError)) {\n throw error;\n } else {\n logger.error(\"Dynamic registration request failed\", error);\n throw new Error(OidcError.DynamicRegistrationFailed);\n }\n }\n};\n"],"mappings":";AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAGA,SAASA,SAAS,QAAQ,YAAY;AACtC,SAASC,MAAM,QAAQ,sBAAsB;AAC7C,SAASC,MAAM,QAAQ,cAAc;;AAGrC;AACA;AACA;;AAYA;AACA;AACA;;AAgBA,OAAO,IAAMC,iBAAiB,GAAG,8CAA8C;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,IAAMC,kBAAkB;EAAA,IAAAC,IAAA,GAAAC,iBAAA,CAAG,WAC9BC,mBAAqC,EACrCC,cAA8C,EAC5B;IAClB,IAAI,CAACD,mBAAmB,CAACE,qBAAqB,EAAE;MAC5C,MAAM,IAAIC,KAAK,CAACV,SAAS,CAACW,+BAA+B,CAAC;IAC9D;IAEA,IAAMC,UAAiC,GAAG,CAAC,oBAAoB,EAAE,eAAe,CAAC;IACjF,IAAIA,UAAU,CAACC,IAAI,CAAEC,KAAK,IAAK,CAACP,mBAAmB,CAACQ,qBAAqB,CAACC,QAAQ,CAACF,KAAK,CAAC,CAAC,EAAE;MACxF,MAAM,IAAIJ,KAAK,CAACV,SAAS,CAACW,+BAA+B,CAAC;IAC9D;;IAEA;IACA,IAAMM,QAAqC,GAAG;MAC1CC,WAAW,EAAEV,cAAc,CAACW,UAAU;MACtCC,UAAU,EAAEZ,cAAc,CAACa,SAAS;MACpCC,cAAc,EAAE,CAAC,MAAM,CAAC;MACxBC,WAAW,EAAEX,UAAU;MACvBY,aAAa,EAAEhB,cAAc,CAACiB,YAAY;MAC1CC,4BAA4B,EAAE,OAAO;MACrCC,0BAA0B,EAAE,MAAM;MAClCC,gBAAgB,EAAEpB,cAAc,CAACqB,eAAe;MAChDC,QAAQ,EAAEtB,cAAc,CAACuB,OAAO;MAChCC,QAAQ,EAAExB,cAAc,CAACwB,QAAQ;MACjCC,UAAU,EAAEzB,cAAc,CAAC0B,SAAS;MACpCC,OAAO,EAAE3B,cAAc,CAAC4B;IAC5B,CAAC;IACD,IAAMC,OAAO,GAAG;MACZ,QAAQ,EAAE,kBAAkB;MAC5B,cAAc,EAAE;IACpB,CAAC;IAED,IAAI;MACA,IAAMC,QAAQ,SAASC,KAAK,CAAChC,mBAAmB,CAACE,qBAAqB,EAAE;QACpE+B,MAAM,EAAEvC,MAAM,CAACwC,IAAI;QACnBJ,OAAO;QACPK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC3B,QAAQ;MACjC,CAAC,CAAC;MAEF,IAAIqB,QAAQ,CAACO,MAAM,IAAI,GAAG,EAAE;QACxB,MAAM,IAAInC,KAAK,CAACV,SAAS,CAAC8C,yBAAyB,CAAC;MACxD;MAEA,IAAMJ,IAAI,SAASJ,QAAQ,CAACS,IAAI,CAAC,CAAC;MAClC,IAAMC,QAAQ,GAAGN,IAAI,CAAC,WAAW,CAAC;MAClC,IAAI,CAACM,QAAQ,IAAI,OAAOA,QAAQ,KAAK,QAAQ,EAAE;QAC3C,MAAM,IAAItC,KAAK,CAACV,SAAS,CAACiD,0BAA0B,CAAC;MACzD;MAEA,OAAOD,QAAQ;IACnB,CAAC,CAAC,OAAOE,KAAK,EAAE;MACZ,IAAIC,MAAM,CAACC,MAAM,CAACpD,SAAS,CAAC,CAACgB,QAAQ,CAAEkC,KAAK,CAAWG,OAAoB,CAAC,EAAE;QAC1E,MAAMH,KAAK;MACf,CAAC,MAAM;QACHhD,MAAM,CAACgD,KAAK,CAAC,qCAAqC,EAAEA,KAAK,CAAC;QAC1D,MAAM,IAAIxC,KAAK,CAACV,SAAS,CAAC8C,yBAAyB,CAAC;MACxD;IACJ;EACJ,CAAC;EAAA,gBA3DY1C,kBAAkBA,CAAAkD,EAAA,EAAAC,GAAA;IAAA,OAAAlD,IAAA,CAAAmD,KAAA,OAAAC,SAAA;EAAA;AAAA,GA2D9B","ignoreList":[]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenRefresher.d.ts","sourceRoot":"","sources":["../../src/oidc/tokenRefresher.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAoC,MAAM,gBAAgB,CAAC;AAEjF,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAKpD;;;;;;GAMG;AACH,qBAAa,kBAAkB;IA4BvB;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,aAAa;IA/BlC;;;;;OAKG;IACH,SAAgB,eAAe,EAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,OAAO,CAAC,UAAU,CAAc;IAChC,OAAO,CAAC,sBAAsB,CAAC,CAAwB;;IAGnD;;OAEG;IACH,MAAM,EAAE,MAAM;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;OAEG;IACH,WAAW,EAAE,MAAM;IACnB;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;;OAGG;IACc,aAAa,EAAE,aAAa;YAKnC,oBAAoB;
|
|
1
|
+
{"version":3,"file":"tokenRefresher.d.ts","sourceRoot":"","sources":["../../src/oidc/tokenRefresher.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAoC,MAAM,gBAAgB,CAAC;AAEjF,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAKpD;;;;;;GAMG;AACH,qBAAa,kBAAkB;IA4BvB;;;OAGG;IACH,OAAO,CAAC,QAAQ,CAAC,aAAa;IA/BlC;;;;;OAKG;IACH,SAAgB,eAAe,EAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,OAAO,CAAC,UAAU,CAAc;IAChC,OAAO,CAAC,sBAAsB,CAAC,CAAwB;;IAGnD;;OAEG;IACH,MAAM,EAAE,MAAM;IACd;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;OAEG;IACH,WAAW,EAAE,MAAM;IACnB;;OAEG;IACH,QAAQ,EAAE,MAAM;IAChB;;;OAGG;IACc,aAAa,EAAE,aAAa;YAKnC,oBAAoB;IA0BlC;;;;;OAKG;IACU,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAY9E;;;;;;;OAOG;IACU,aAAa,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;YAInF,YAAY;CA0B7B"}
|
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
|
|
2
2
|
import _defineProperty from "@babel/runtime/helpers/defineProperty";
|
|
3
|
-
function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
4
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
|
|
5
3
|
/*
|
|
6
4
|
Copyright 2023 The Matrix.org Foundation C.I.C.
|
|
7
5
|
|
|
@@ -69,18 +67,21 @@ export class OidcTokenRefresher {
|
|
|
69
67
|
var _this = this;
|
|
70
68
|
return _asyncToGenerator(function* () {
|
|
71
69
|
try {
|
|
70
|
+
var _config$signingKeys;
|
|
72
71
|
var config = yield discoverAndValidateOIDCIssuerWellKnown(issuer);
|
|
73
72
|
var scope = generateScope(deviceId);
|
|
74
|
-
_this.oidcClient = new OidcClient(
|
|
73
|
+
_this.oidcClient = new OidcClient({
|
|
74
|
+
metadata: config,
|
|
75
|
+
signingKeys: (_config$signingKeys = config.signingKeys) !== null && _config$signingKeys !== void 0 ? _config$signingKeys : undefined,
|
|
75
76
|
client_id: clientId,
|
|
76
77
|
scope,
|
|
77
78
|
redirect_uri: redirectUri,
|
|
78
|
-
authority: config.
|
|
79
|
+
authority: config.issuer,
|
|
79
80
|
stateStore: new WebStorageStateStore({
|
|
80
81
|
prefix: "mx_oidc_",
|
|
81
82
|
store: window.sessionStorage
|
|
82
83
|
})
|
|
83
|
-
})
|
|
84
|
+
});
|
|
84
85
|
} catch (error) {
|
|
85
86
|
logger.error("Failed to initialise OIDC client.", error);
|
|
86
87
|
throw new Error("Failed to initialise OIDC client.");
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenRefresher.js","names":["OidcClient","WebStorageStateStore","generateScope","discoverAndValidateOIDCIssuerWellKnown","logger","OidcTokenRefresher","constructor","issuer","clientId","redirectUri","deviceId","idTokenClaims","_defineProperty","oidcClientReady","initialiseOidcClient","_this","_asyncToGenerator","config","scope","oidcClient","
|
|
1
|
+
{"version":3,"file":"tokenRefresher.js","names":["OidcClient","WebStorageStateStore","generateScope","discoverAndValidateOIDCIssuerWellKnown","logger","OidcTokenRefresher","constructor","issuer","clientId","redirectUri","deviceId","idTokenClaims","_defineProperty","oidcClientReady","initialiseOidcClient","_this","_asyncToGenerator","_config$signingKeys","config","scope","oidcClient","metadata","signingKeys","undefined","client_id","redirect_uri","authority","stateStore","prefix","store","window","sessionStorage","error","Error","doRefreshAccessToken","refreshToken","_this2","inflightRefreshRequest","getNewTokens","tokens","persistTokens","_this3","refreshTokenState","refresh_token","session_state","data","profile","response","useRefreshToken","state","timeoutInSeconds","accessToken","access_token"],"sources":["../../src/oidc/tokenRefresher.ts"],"sourcesContent":["/*\nCopyright 2023 The Matrix.org Foundation C.I.C.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { IdTokenClaims, OidcClient, WebStorageStateStore } from \"oidc-client-ts\";\n\nimport { AccessTokens } from \"../http-api/index.ts\";\nimport { generateScope } from \"./authorize.ts\";\nimport { discoverAndValidateOIDCIssuerWellKnown } from \"./discovery.ts\";\nimport { logger } from \"../logger.ts\";\n\n/**\n * @experimental\n * Class responsible for refreshing OIDC access tokens\n *\n * Client implementations will likely want to override {@link persistTokens} to persist tokens after successful refresh\n *\n */\nexport class OidcTokenRefresher {\n /**\n * Promise which will complete once the OidcClient has been initialised\n * and is ready to start refreshing tokens.\n *\n * Will reject if the client initialisation fails.\n */\n public readonly oidcClientReady!: Promise<void>;\n private oidcClient!: OidcClient;\n private inflightRefreshRequest?: Promise<AccessTokens>;\n\n public constructor(\n /**\n * The OIDC issuer as returned by the /auth_issuer API\n */\n issuer: string,\n /**\n * id of this client as registered with the OP\n */\n clientId: string,\n /**\n * redirectUri as registered with OP\n */\n redirectUri: string,\n /**\n * Device ID of current session\n */\n deviceId: string,\n /**\n * idTokenClaims as returned from authorization grant\n * used to validate tokens\n */\n private readonly idTokenClaims: IdTokenClaims,\n ) {\n this.oidcClientReady = this.initialiseOidcClient(issuer, clientId, deviceId, redirectUri);\n }\n\n private async initialiseOidcClient(\n issuer: string,\n clientId: string,\n deviceId: string,\n redirectUri: string,\n ): Promise<void> {\n try {\n const config = await discoverAndValidateOIDCIssuerWellKnown(issuer);\n\n const scope = generateScope(deviceId);\n\n this.oidcClient = new OidcClient({\n metadata: config,\n signingKeys: config.signingKeys ?? undefined,\n client_id: clientId,\n scope,\n redirect_uri: redirectUri,\n authority: config.issuer,\n stateStore: new WebStorageStateStore({ prefix: \"mx_oidc_\", store: window.sessionStorage }),\n });\n } catch (error) {\n logger.error(\"Failed to initialise OIDC client.\", error);\n throw new Error(\"Failed to initialise OIDC client.\");\n }\n }\n\n /**\n * Attempt token refresh using given refresh token\n * @param refreshToken - refresh token to use in request with token issuer\n * @returns tokens - Promise that resolves with new access and refresh tokens\n * @throws when token refresh fails\n */\n public async doRefreshAccessToken(refreshToken: string): Promise<AccessTokens> {\n if (!this.inflightRefreshRequest) {\n this.inflightRefreshRequest = this.getNewTokens(refreshToken);\n }\n try {\n const tokens = await this.inflightRefreshRequest;\n return tokens;\n } finally {\n this.inflightRefreshRequest = undefined;\n }\n }\n\n /**\n * Persist the new tokens, called after tokens are successfully refreshed.\n *\n * This function is intended to be overriden by the consumer when persistence is necessary.\n *\n * @param tokens.accessToken - new access token\n * @param tokens.refreshToken - OPTIONAL new refresh token\n */\n public async persistTokens(tokens: { accessToken: string; refreshToken?: string }): Promise<void> {\n // NOOP\n }\n\n private async getNewTokens(refreshToken: string): Promise<AccessTokens> {\n if (!this.oidcClient) {\n throw new Error(\"Cannot get new token before OIDC client is initialised.\");\n }\n\n const refreshTokenState = {\n refresh_token: refreshToken,\n session_state: \"test\",\n data: undefined,\n profile: this.idTokenClaims,\n };\n\n const response = await this.oidcClient.useRefreshToken({\n state: refreshTokenState,\n timeoutInSeconds: 300,\n });\n\n const tokens = {\n accessToken: response.access_token,\n refreshToken: response.refresh_token,\n };\n\n await this.persistTokens(tokens);\n\n return tokens;\n }\n}\n"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAAwBA,UAAU,EAAEC,oBAAoB,QAAQ,gBAAgB;AAGhF,SAASC,aAAa,QAAQ,gBAAgB;AAC9C,SAASC,sCAAsC,QAAQ,gBAAgB;AACvE,SAASC,MAAM,QAAQ,cAAc;;AAErC;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,kBAAkB,CAAC;EAWrBC,WAAWA;EACd;AACR;AACA;EACQC,MAAc;EACd;AACR;AACA;EACQC,QAAgB;EAChB;AACR;AACA;EACQC,WAAmB;EACnB;AACR;AACA;EACQC,QAAgB;EAChB;AACR;AACA;AACA;EACyBC,aAA4B,EAC/C;IAAA,KADmBA,aAA4B,GAA5BA,aAA4B;IA/BjD;AACJ;AACA;AACA;AACA;AACA;IALIC,eAAA;IAAAA,eAAA;IAAAA,eAAA;IAiCI,IAAI,CAACC,eAAe,GAAG,IAAI,CAACC,oBAAoB,CAACP,MAAM,EAAEC,QAAQ,EAAEE,QAAQ,EAAED,WAAW,CAAC;EAC7F;EAEcK,oBAAoBA,CAC9BP,MAAc,EACdC,QAAgB,EAChBE,QAAgB,EAChBD,WAAmB,EACN;IAAA,IAAAM,KAAA;IAAA,OAAAC,iBAAA;MACb,IAAI;QAAA,IAAAC,mBAAA;QACA,IAAMC,MAAM,SAASf,sCAAsC,CAACI,MAAM,CAAC;QAEnE,IAAMY,KAAK,GAAGjB,aAAa,CAACQ,QAAQ,CAAC;QAErCK,KAAI,CAACK,UAAU,GAAG,IAAIpB,UAAU,CAAC;UAC7BqB,QAAQ,EAAEH,MAAM;UAChBI,WAAW,GAAAL,mBAAA,GAAEC,MAAM,CAACI,WAAW,cAAAL,mBAAA,cAAAA,mBAAA,GAAIM,SAAS;UAC5CC,SAAS,EAAEhB,QAAQ;UACnBW,KAAK;UACLM,YAAY,EAAEhB,WAAW;UACzBiB,SAAS,EAAER,MAAM,CAACX,MAAM;UACxBoB,UAAU,EAAE,IAAI1B,oBAAoB,CAAC;YAAE2B,MAAM,EAAE,UAAU;YAAEC,KAAK,EAAEC,MAAM,CAACC;UAAe,CAAC;QAC7F,CAAC,CAAC;MACN,CAAC,CAAC,OAAOC,KAAK,EAAE;QACZ5B,MAAM,CAAC4B,KAAK,CAAC,mCAAmC,EAAEA,KAAK,CAAC;QACxD,MAAM,IAAIC,KAAK,CAAC,mCAAmC,CAAC;MACxD;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;EACiBC,oBAAoBA,CAACC,YAAoB,EAAyB;IAAA,IAAAC,MAAA;IAAA,OAAApB,iBAAA;MAC3E,IAAI,CAACoB,MAAI,CAACC,sBAAsB,EAAE;QAC9BD,MAAI,CAACC,sBAAsB,GAAGD,MAAI,CAACE,YAAY,CAACH,YAAY,CAAC;MACjE;MACA,IAAI;QACA,IAAMI,MAAM,SAASH,MAAI,CAACC,sBAAsB;QAChD,OAAOE,MAAM;MACjB,CAAC,SAAS;QACNH,MAAI,CAACC,sBAAsB,GAAGd,SAAS;MAC3C;IAAC;EACL;;EAEA;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;EACiBiB,aAAaA,CAACD,MAAsD,EAAiB;IAAA,OAAAvB,iBAAA;EAElG,CAAC,CADG;EAGUsB,YAAYA,CAACH,YAAoB,EAAyB;IAAA,IAAAM,MAAA;IAAA,OAAAzB,iBAAA;MACpE,IAAI,CAACyB,MAAI,CAACrB,UAAU,EAAE;QAClB,MAAM,IAAIa,KAAK,CAAC,yDAAyD,CAAC;MAC9E;MAEA,IAAMS,iBAAiB,GAAG;QACtBC,aAAa,EAAER,YAAY;QAC3BS,aAAa,EAAE,MAAM;QACrBC,IAAI,EAAEtB,SAAS;QACfuB,OAAO,EAAEL,MAAI,CAAC9B;MAClB,CAAC;MAED,IAAMoC,QAAQ,SAASN,MAAI,CAACrB,UAAU,CAAC4B,eAAe,CAAC;QACnDC,KAAK,EAAEP,iBAAiB;QACxBQ,gBAAgB,EAAE;MACtB,CAAC,CAAC;MAEF,IAAMX,MAAM,GAAG;QACXY,WAAW,EAAEJ,QAAQ,CAACK,YAAY;QAClCjB,YAAY,EAAEY,QAAQ,CAACJ;MAC3B,CAAC;MAED,MAAMF,MAAI,CAACD,aAAa,CAACD,MAAM,CAAC;MAEhC,OAAOA,MAAM;IAAC;EAClB;AACJ","ignoreList":[]}
|
package/lib/oidc/validate.d.ts
CHANGED
|
@@ -1,36 +1,22 @@
|
|
|
1
1
|
import { IdTokenClaims, OidcMetadata, SigninResponse } from "oidc-client-ts";
|
|
2
|
-
export type ValidatedIssuerConfig = {
|
|
3
|
-
authorizationEndpoint: string;
|
|
4
|
-
tokenEndpoint: string;
|
|
5
|
-
registrationEndpoint?: string;
|
|
6
|
-
accountManagementEndpoint?: string;
|
|
7
|
-
accountManagementActionsSupported?: string[];
|
|
8
|
-
};
|
|
9
|
-
/**
|
|
10
|
-
* Validates issuer `.well-known/openid-configuration`
|
|
11
|
-
* As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
|
|
12
|
-
* validates that OP is compatible with Element's OIDC flow
|
|
13
|
-
* @param wellKnown - json object
|
|
14
|
-
* @returns valid issuer config
|
|
15
|
-
* @throws Error - when issuer config is not found or is invalid
|
|
16
|
-
*/
|
|
17
|
-
export declare const validateOIDCIssuerWellKnown: (wellKnown: unknown) => ValidatedIssuerConfig;
|
|
18
2
|
/**
|
|
19
3
|
* Metadata from OIDC authority discovery
|
|
20
4
|
* With validated properties required in type
|
|
21
5
|
*/
|
|
22
|
-
export type
|
|
6
|
+
export type ValidatedAuthMetadata = Partial<OidcMetadata> & Pick<OidcMetadata, "issuer" | "authorization_endpoint" | "token_endpoint" | "revocation_endpoint" | "response_types_supported" | "grant_types_supported" | "code_challenge_methods_supported"> & {
|
|
23
7
|
account_management_uri?: string;
|
|
24
8
|
account_management_actions_supported?: string[];
|
|
9
|
+
prompt_values_supported?: string[];
|
|
25
10
|
};
|
|
26
11
|
/**
|
|
27
|
-
*
|
|
28
|
-
*
|
|
29
|
-
*
|
|
30
|
-
* @param
|
|
31
|
-
* @
|
|
12
|
+
* Validates issuer `.well-known/openid-configuration`
|
|
13
|
+
* As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
|
|
14
|
+
* validates that OP is compatible with Element's OIDC flow
|
|
15
|
+
* @param authMetadata - json object
|
|
16
|
+
* @returns valid issuer config
|
|
17
|
+
* @throws Error - when issuer config is not found or is invalid
|
|
32
18
|
*/
|
|
33
|
-
export declare
|
|
19
|
+
export declare const validateAuthMetadata: (authMetadata: unknown) => ValidatedAuthMetadata;
|
|
34
20
|
export declare const decodeIdToken: (token: string) => IdTokenClaims;
|
|
35
21
|
/**
|
|
36
22
|
* Validate idToken
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/oidc/validate.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAK7E
|
|
1
|
+
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/oidc/validate.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAK7E;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,OAAO,CAAC,YAAY,CAAC,GACrD,IAAI,CACA,YAAY,EACV,QAAQ,GACR,wBAAwB,GACxB,gBAAgB,GAChB,qBAAqB,GACrB,0BAA0B,GAC1B,uBAAuB,GACvB,kCAAkC,CACvC,GAAG;IAEA,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,oCAAoC,CAAC,EAAE,MAAM,EAAE,CAAC;IAGhD,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACtC,CAAC;AAqCN;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,iBAAkB,OAAO,KAAG,qBA2B5D,CAAC;AAEF,eAAO,MAAM,aAAa,UAAW,MAAM,KAAG,aAO7C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,YACf,MAAM,GAAG,SAAS,UACnB,MAAM,YACJ,MAAM,SACT,MAAM,GAAG,SAAS,KAC1B,IAyCF,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,SAAS,GAAG;IACpB;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;CACjB,CAAC;AACF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,SAAS,CAc1F;AAED;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAC9B,UAAU,EAAE,QAAQ,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,KAAK,mBAAmB,GAAG,cAAc,GACrC,mBAAmB,GAAG;IAClB,UAAU,EAAE,QAAQ,GAAG,QAAQ,CAAC;CACnC,CAAC;AAWN,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,IAAI,mBAAmB,CAItG"}
|
package/lib/oidc/validate.js
CHANGED
|
@@ -17,6 +17,12 @@ limitations under the License.
|
|
|
17
17
|
import { jwtDecode } from "jwt-decode";
|
|
18
18
|
import { logger } from "../logger.js";
|
|
19
19
|
import { OidcError } from "./error.js";
|
|
20
|
+
|
|
21
|
+
/**
|
|
22
|
+
* Metadata from OIDC authority discovery
|
|
23
|
+
* With validated properties required in type
|
|
24
|
+
*/
|
|
25
|
+
|
|
20
26
|
var isRecord = value => !!value && typeof value === "object" && !Array.isArray(value);
|
|
21
27
|
var requiredStringProperty = (wellKnown, key) => {
|
|
22
28
|
if (!wellKnown[key] || !optionalStringProperty(wellKnown, key)) {
|
|
@@ -52,44 +58,22 @@ var requiredArrayValue = (wellKnown, key, value) => {
|
|
|
52
58
|
* Validates issuer `.well-known/openid-configuration`
|
|
53
59
|
* As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
|
|
54
60
|
* validates that OP is compatible with Element's OIDC flow
|
|
55
|
-
* @param
|
|
61
|
+
* @param authMetadata - json object
|
|
56
62
|
* @returns valid issuer config
|
|
57
63
|
* @throws Error - when issuer config is not found or is invalid
|
|
58
64
|
*/
|
|
59
|
-
export var
|
|
60
|
-
if (!isRecord(
|
|
65
|
+
export var validateAuthMetadata = authMetadata => {
|
|
66
|
+
if (!isRecord(authMetadata)) {
|
|
61
67
|
logger.error("Issuer configuration not found or malformed");
|
|
62
68
|
throw new Error(OidcError.OpSupport);
|
|
63
69
|
}
|
|
64
|
-
var isInvalid = [requiredStringProperty(
|
|
70
|
+
var isInvalid = [requiredStringProperty(authMetadata, "issuer"), requiredStringProperty(authMetadata, "authorization_endpoint"), requiredStringProperty(authMetadata, "token_endpoint"), requiredStringProperty(authMetadata, "revocation_endpoint"), optionalStringProperty(authMetadata, "registration_endpoint"), optionalStringProperty(authMetadata, "account_management_uri"), optionalStringProperty(authMetadata, "device_authorization_endpoint"), optionalStringArrayProperty(authMetadata, "account_management_actions_supported"), requiredArrayValue(authMetadata, "response_types_supported", "code"), requiredArrayValue(authMetadata, "grant_types_supported", "authorization_code"), requiredArrayValue(authMetadata, "code_challenge_methods_supported", "S256"), optionalStringArrayProperty(authMetadata, "prompt_values_supported")].some(isValid => !isValid);
|
|
65
71
|
if (!isInvalid) {
|
|
66
|
-
return
|
|
67
|
-
authorizationEndpoint: wellKnown["authorization_endpoint"],
|
|
68
|
-
tokenEndpoint: wellKnown["token_endpoint"],
|
|
69
|
-
registrationEndpoint: wellKnown["registration_endpoint"],
|
|
70
|
-
accountManagementEndpoint: wellKnown["account_management_uri"],
|
|
71
|
-
accountManagementActionsSupported: wellKnown["account_management_actions_supported"]
|
|
72
|
-
};
|
|
72
|
+
return authMetadata;
|
|
73
73
|
}
|
|
74
74
|
logger.error("Issuer configuration not valid");
|
|
75
75
|
throw new Error(OidcError.OpSupport);
|
|
76
76
|
};
|
|
77
|
-
|
|
78
|
-
/**
|
|
79
|
-
* Metadata from OIDC authority discovery
|
|
80
|
-
* With validated properties required in type
|
|
81
|
-
*/
|
|
82
|
-
|
|
83
|
-
/**
|
|
84
|
-
* Wraps validateOIDCIssuerWellKnown in a type assertion
|
|
85
|
-
* that asserts expected properties are present
|
|
86
|
-
* (Typescript assertions cannot be arrow functions)
|
|
87
|
-
* @param metadata - issuer openid-configuration response
|
|
88
|
-
* @throws when metadata validation fails
|
|
89
|
-
*/
|
|
90
|
-
export function isValidatedIssuerMetadata(metadata) {
|
|
91
|
-
validateOIDCIssuerWellKnown(metadata);
|
|
92
|
-
}
|
|
93
77
|
export var decodeIdToken = token => {
|
|
94
78
|
try {
|
|
95
79
|
return jwtDecode(token);
|
|
@@ -125,7 +109,8 @@ export var validateIdToken = (idToken, issuer, clientId, nonce) => {
|
|
|
125
109
|
* The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
|
|
126
110
|
* EW: Don't accept tokens with other untrusted audiences
|
|
127
111
|
* */
|
|
128
|
-
|
|
112
|
+
var sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
|
|
113
|
+
if (!sanitisedAuds.includes(clientId)) {
|
|
129
114
|
throw new Error("Invalid audience");
|
|
130
115
|
}
|
|
131
116
|
|