berget 2.2.7 → 2.2.9

package/src/services/browser-auth.ts

@@ -1,56 +1,56 @@
-import * as http from "http";
-import * as net from "net";
-import * as crypto from "crypto";
-
-export interface BrowserAuthResult {
-  success: boolean;
-  accessToken?: string;
-  refreshToken?: string;
-  expiresIn?: number;
-  error?: string;
-}
+import * as crypto from 'node:crypto';
+import * as http from 'node:http';
+import * as net from 'node:net';
 
 export interface BrowserAuthOptions {
-  keycloakUrl: string;
-  realm: string;
-  clientId: string;
   callbackPort: number;
+  clientId: string;
   debug?: boolean;
+  keycloakUrl: string;
+  realm: string;
+}
+
+export interface BrowserAuthResult {
+  accessToken?: string;
+  error?: string;
+  expiresIn?: number;
+  refreshToken?: string;
+  success: boolean;
 }
 
 export class BrowserAuth {
   constructor(private readonly options: BrowserAuthOptions) {}
 
   async start(): Promise<BrowserAuthResult> {
-    const { keycloakUrl, realm, clientId, callbackPort, debug } = this.options;
+    const { callbackPort, clientId, debug, keycloakUrl, realm } = this.options;
 
     // Generate PKCE code verifier and challenge
     const codeVerifier = this.generateCodeVerifier();
     const codeChallenge = this.generateCodeChallenge(codeVerifier);
-    const state = crypto.randomBytes(16).toString("hex");
+    const state = crypto.randomBytes(16).toString('hex');
 
     const redirectUri = `http://localhost:${callbackPort}/callback`;
 
     // Build authorization URL
     const authUrl = new URL(`${keycloakUrl}/realms/${realm}/protocol/openid-connect/auth`);
-    authUrl.searchParams.set("client_id", clientId);
-    authUrl.searchParams.set("response_type", "code");
-    authUrl.searchParams.set("redirect_uri", redirectUri);
-    authUrl.searchParams.set("scope", "openid email profile");
-    authUrl.searchParams.set("state", state);
-    authUrl.searchParams.set("code_challenge", codeChallenge);
-    authUrl.searchParams.set("code_challenge_method", "S256");
+    authUrl.searchParams.set('client_id', clientId);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('redirect_uri', redirectUri);
+    authUrl.searchParams.set('scope', 'openid email profile');
+    authUrl.searchParams.set('state', state);
+    authUrl.searchParams.set('code_challenge', codeChallenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
 
     // Create a promise that resolves when we receive the callback
     const authResult = await new Promise<{
-      success: boolean;
       code?: string;
       error?: string;
-    }>(resolve => {
+      success: boolean;
+    }>((resolve) => {
       let resolved = false;
       const sockets = new Set<net.Socket>();
 
-      const safeResolve = (result: { success: boolean; code?: string; error?: string }) => {
+      const safeResolve = (result: { code?: string; error?: string; success: boolean }) => {
         if (resolved) return;
         resolved = true;
         clearTimeout(timeoutHandle);
@@ -63,13 +63,13 @@ export class BrowserAuth {
         resolve(result);
       };
 
-      const server = http.createServer((req, res) => {
-        const requestUrl = new URL(req.url || "", `http://localhost:${callbackPort}`);
+      const server = http.createServer((request, res) => {
+        const requestUrl = new URL(request.url || '', `http://localhost:${callbackPort}`);
 
-        if (requestUrl.pathname === "/callback") {
-          const receivedState = requestUrl.searchParams.get("state") || "";
-          const code = requestUrl.searchParams.get("code") || "";
-          const error = requestUrl.searchParams.get("error") || "";
+        if (requestUrl.pathname === '/callback') {
+          const receivedState = requestUrl.searchParams.get('state') || '';
+          const code = requestUrl.searchParams.get('code') || '';
+          const error = requestUrl.searchParams.get('error') || '';
 
           const errorPage = (title: string, message: string) => `
             <!DOCTYPE html>
@@ -130,27 +130,27 @@ export class BrowserAuth {
           // Set Connection: close so the browser doesn't keep the socket alive
           // after we respond, and force-end the connection
           if (error) {
-            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8", Connection: "close" });
+            res.writeHead(200, { Connection: 'close', 'Content-Type': 'text/html; charset=utf-8' });
             res.end(
               errorPage(
-                "Authentication Failed",
-                requestUrl.searchParams.get("error_description") || error
-              )
+                'Authentication Failed',
+                requestUrl.searchParams.get('error_description') || error,
+              ),
             );
-            safeResolve({ success: false, error });
+            safeResolve({ error, success: false });
             return;
           }
 
           if (receivedState !== state) {
-            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8", Connection: "close" });
+            res.writeHead(200, { Connection: 'close', 'Content-Type': 'text/html; charset=utf-8' });
             res.end(
-              errorPage("Authentication Failed", "Invalid state parameter. Please try again.")
+              errorPage('Authentication Failed', 'Invalid state parameter. Please try again.'),
             );
-            safeResolve({ success: false, error: "Invalid state parameter" });
+            safeResolve({ error: 'Invalid state parameter', success: false });
             return;
           }
 
-          res.writeHead(200, { "Content-Type": "text/html; charset=utf-8", Connection: "close" });
+          res.writeHead(200, { Connection: 'close', 'Content-Type': 'text/html; charset=utf-8' });
           res.end(`
             <!DOCTYPE html>
             <html lang="en">
@@ -205,14 +205,14 @@ export class BrowserAuth {
               </body>
             </html>
           `);
-          safeResolve({ success: true, code });
+          safeResolve({ code, success: true });
         }
       });
 
       // Track sockets so we can destroy them on shutdown
-      server.on("connection", (socket: net.Socket) => {
+      server.on('connection', (socket: net.Socket) => {
         sockets.add(socket);
-        socket.on("close", () => sockets.delete(socket));
+        socket.on('close', () => sockets.delete(socket));
       });
 
       server.listen(callbackPort, () => {
@@ -224,15 +224,15 @@ export class BrowserAuth {
       // Set timeout for the server
       const timeoutHandle = setTimeout(
         () => {
-          safeResolve({ success: false, error: "Authentication timed out" });
+          safeResolve({ error: 'Authentication timed out', success: false });
         },
-        5 * 60 * 1000
+        5 * 60 * 1000,
       ); // 5 minute timeout
 
       // Open browser
       (async () => {
         try {
-          const open = await import("open").then(m => m.default);
+          const open = await import('open').then((m) => m.default);
           await open(authUrl.toString());
         } catch {
           // Browser failed to open - user must open URL manually
@@ -242,55 +242,55 @@ export class BrowserAuth {
 
     if (!authResult.success || !authResult.code) {
       return {
+        error: authResult.error || 'Unknown error',
         success: false,
-        error: authResult.error || "Unknown error",
       };
     }
 
     // Exchange authorization code for tokens
     const tokenUrl = `${keycloakUrl}/realms/${realm}/protocol/openid-connect/token`;
     const tokenResponse = await fetch(tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
       body: new URLSearchParams({
-        grant_type: "authorization_code",
         client_id: clientId,
         code: authResult.code,
-        redirect_uri: redirectUri,
         code_verifier: codeVerifier,
+        grant_type: 'authorization_code',
+        redirect_uri: redirectUri,
       }).toString(),
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      method: 'POST',
     });
 
     if (!tokenResponse.ok) {
       const errorText = await tokenResponse.text();
       return {
-        success: false,
         error: `Failed to exchange code for tokens: ${errorText}`,
+        success: false,
       };
     }
 
     const tokenData = (await tokenResponse.json()) as {
       access_token: string;
-      refresh_token: string;
       expires_in: number;
       refresh_expires_in?: number;
+      refresh_token: string;
     };
 
     return {
-      success: true,
       accessToken: tokenData.access_token,
-      refreshToken: tokenData.refresh_token,
       expiresIn: tokenData.expires_in,
+      refreshToken: tokenData.refresh_token,
+      success: true,
     };
   }
 
-  private generateCodeVerifier(): string {
-    return crypto.randomBytes(32).toString("base64url");
+  private generateCodeChallenge(verifier: string): string {
+    return crypto.createHash('sha256').update(verifier).digest('base64url');
   }
 
-  private generateCodeChallenge(verifier: string): string {
-    return crypto.createHash("sha256").update(verifier).digest("base64url");
+  private generateCodeVerifier(): string {
+    return crypto.randomBytes(32).toString('base64url');
   }
 }