fastify-txstate 3.3.0 → 3.3.1

package/README.md

@@ -28,19 +28,34 @@ server.app.get('/yourpath', async (req, res) => {
 This will result in a 400 error being returned to the client, with a plain text body: `Please provide an id.`
 
 You may skip the message string and a default will be used, e.g. `throw new HttpError(401)` sends a plain text body: `Authentication is required.`
-## FailedValidationError
-This class helps an API communicate with its client about errors that occured during a validation or writing operation. An `errors` object should be passed during construction whose keys correspond to the dot-separated paths of the input object that had problems, and each value is an array of error messages related to that path.
+## ValidationErrors
+This class helps an API communicate with its client about errors that occured during a validation or writing operation. The constructor takes three arguments: a message to be displayed to the user, a dot-separated path to the property of the input object that the message is related to, and a message type, which could be 'error', 'info', 'warning', 'success', or 'system' (system is for errors that the user is not responsible for like a database being offline).
 ```javascript
-const { FailedValidationError } = require('fastify-txstate')
+import { ValidationErrors } from 'fastify-txstate'
+import { hasFatalErrors } from '@txstate-mws/fastify-shared'
 server.app.post('/saveathing', async (req, res) => {
   const thing = req.body
-  const errors = {}
-  if (!thing.title) errors.title = ['Title is required.']
-  if (!thing?.address?.zip) errors['address.zip'] = ['Zip code is required.']
-  if (Object.keys(errors).length) throw new FailedValidationError(errors)
+  const messages = []
+  if (!thing.title) messages.push({ message: 'Title is required.', path: 'title', type: 'error' })
+  if (!thing?.address?.zip) messages.push({ message: 'Zip code is required.', path: 'address.zip', type: 'error' })
+  if (hasFatalErrors(messages)) throw new ValidationErrors(messages)
   /* continue processing request */
 })
 ```
+The client will receive HTTP status 422 and a JSON body that looks like this:
+```json
+{
+  "success": false,
+  "messages": [
+    { "type": "error", "message": "Zip code is required.", "path": "address.zip" }
+  ]
+}
+```
+This format is well supported by our @txstate-mws/svelte-forms library, so it should be easy to pass the errors into your form.
+
+### ValidationError
+`ValidationErrors` is preferred since it will show multiple errors at once, instead of making the user fix errors one at a time and not know how far they are from being done. If you just need to throw a quick single error, `throw new ValidationError('Wrong!', 'answer')` is also available.
+
 ## Custom Error Handling
 If you would like special treatment for certain errors, `addErrorHandler` provides an easy way:
 ```javascript

package/lib/error.d.ts

@@ -4,6 +4,11 @@ export declare class HttpError extends Error {
     statusCode: number;
     constructor(statusCode: number, message?: string);
 }
+/**
+ * @deprecated This response format is less flexible than the one based on the ValidationMessage
+ * interface. Use ValidationError or ValidationErrors instead, and adjust the client to expect
+ * the new format.
+ */
 export declare class FailedValidationError extends HttpError {
     errors: Record<string, string[]>;
     constructor(errors: Record<string, string[]>);

package/lib/error.js

@@ -18,6 +18,11 @@ class HttpError extends Error {
     }
 }
 exports.HttpError = HttpError;
+/**
+ * @deprecated This response format is less flexible than the one based on the ValidationMessage
+ * interface. Use ValidationError or ValidationErrors instead, and adjust the client to expect
+ * the new format.
+ */
 class FailedValidationError extends HttpError {
     errors;
     constructor(errors) {

package/lib/index.js

@@ -153,12 +153,15 @@ class Server {
                 return JSON.stringify(data);
             };
         });
+        this.app.addHook('onRequest', (req, res, done) => {
+            res.extraLogInfo = {};
+            done();
+        });
         if (!config.skipOriginCheck && !process.env.SKIP_ORIGIN_CHECK) {
             this.setValidOrigins([...(config.validOrigins ?? []), ...(process.env.VALID_ORIGINS?.split(',') ?? [])]);
             this.setValidOriginHosts([...(config.validOriginHosts ?? []), ...(process.env.VALID_ORIGIN_HOSTS?.split(',') ?? [])]);
             this.setValidOriginSuffixes([...(config.validOriginSuffixes ?? []), ...(process.env.VALID_ORIGIN_SUFFIXES?.split(',') ?? [])]);
             this.app.addHook('onRequest', async (req, res) => {
-                res.extraLogInfo = {};
                 if (!req.headers.origin)
                     return;
                 let passed = this.validOrigins[req.headers.origin];
@@ -207,7 +210,7 @@ class Server {
                 DELETE: true
             };
             this.app.addHook('onRequest', async (req, res) => {
-                if (!authenticatedMethods[req.method])
+                if (!authenticatedMethods[req.method] || req.routeOptions.url === '/health')
                     return;
                 try {
                     req.auth = await config.authenticate(req);
@@ -349,7 +352,7 @@ class Server {
     setValidOriginSuffixes(suffixes) {
         this.validOriginSuffixes.clear();
         for (const s of suffixes)
-            this.validOriginSuffixes.add(s);
+            this.validOriginSuffixes.add(s.replace(/^\./, ''));
     }
     async swagger(opts) {
         let openapi = opts?.openapi ?? {};

package/lib/unified-auth.d.ts

@@ -1,63 +1,4 @@
-/// <reference types="node" />
-/// <reference types="node" />
-import { type KeyObject } from 'crypto';
 import { type FastifyRequest } from 'fastify';
-import { type JWTPayload, type JWTVerifyGetKey, type KeyLike } from 'jose';
-import { Cache } from 'txstate-utils';
 import { type FastifyTxStateAuthInfo } from '.';
-declare class MockContext<AuthType = any> {
-    auth?: AuthType;
-    constructor(auth: any);
-    waitForAuth(): Promise<AuthType | undefined>;
-    static init(): void;
-}
-interface IssuerConfig {
-    iss: string;
-    url?: string;
-    publicKey?: string;
-    secret?: string;
-    validateUrl: URL;
-}
-declare class Context<AuthType extends FastifyTxStateAuthInfo = FastifyTxStateAuthInfo> extends MockContext<AuthType> {
-    private readonly authPromise;
-    protected static jwtVerifyKey: KeyObject | undefined;
-    protected static issuerKeys: Map<string, KeyLike | JWTVerifyGetKey>;
-    protected static issuerConfig: Map<string, any>;
-    protected static tokenCache: Cache<string, any, {
-        req?: FastifyRequest<import("fastify").RouteGenericInterface, import("fastify").RawServerDefault, import("http").IncomingMessage, import("fastify").FastifySchema, import("fastify").FastifyTypeProviderDefault, unknown, import("fastify").FastifyBaseLogger, import("fastify/types/type-provider").ResolveFastifyRequestType<import("fastify").FastifyTypeProviderDefault, import("fastify").FastifySchema, import("fastify").RouteGenericInterface>> | undefined;
-        ctx: Context;
-    }>;
-    constructor(req?: FastifyRequest);
-    waitForAuth(): Promise<AuthType | undefined>;
-    protected static hasInitialized: boolean;
-    static init(): void;
-    /**
-     * If implemented, this method will be called on startup, once per configured issuer. It receives
-     * the issuer configuration from the JWT_TRUSTED_ISSUERS environment variable and allows you to manipulate
-     * the configuration before storing it.
-     *
-     * Once stored, whatever you create may be used in your custom validateToken method. For example,
-     * you might want to create an in-memory URL object with an issuer's URL so that it can be manipulated
-     * easily to send validation checks to the issuer.
-     */
-    static processIssuerConfig: undefined | ((config: any) => any);
-    /**
-     * If implemented, this method is called after a token's signature is checked and passes. You would
-     * typically implement this method to check whether the user has manually signed out, or the token has
-     * been otherwise deauthorized before its expiration date.
-     *
-     * If the token is not valid, this method should throw an error with an appropriate message.
-     */
-    static validateToken: undefined | ((token: string, issuerConfig: any, claims: JWTPayload) => void | Promise<void>);
-    tokenFromReq(req?: FastifyRequest): string | undefined;
-    authFromReq(req?: FastifyRequest): Promise<AuthType | undefined>;
-    authFromPayload(payload: JWTPayload): Promise<AuthType>;
-}
-declare class TxStateUAuthContext extends Context {
-    static processIssuerConfig(config: IssuerConfig): IssuerConfig;
-    static validateToken(token: string, issuerConfig: IssuerConfig, claims: any): Promise<void>;
-    authFromPayload(payload: JWTPayload): Promise<FastifyTxStateAuthInfo>;
-}
-export declare function unifiedAuthenticate(req: FastifyRequest, ContextClass?: typeof TxStateUAuthContext): Promise<FastifyTxStateAuthInfo | undefined>;
-export declare function unifiedAuthenticateAll(req: FastifyRequest, ContextClass?: typeof TxStateUAuthContext): Promise<FastifyTxStateAuthInfo | undefined>;
-export {};
+export declare function unifiedAuthenticate(req: FastifyRequest): Promise<FastifyTxStateAuthInfo | undefined>;
+export declare function unifiedAuthenticateAll(req: FastifyRequest): Promise<FastifyTxStateAuthInfo>;

package/lib/unified-auth.js

@@ -4,161 +4,114 @@ exports.unifiedAuthenticateAll = exports.unifiedAuthenticate = void 0;
 const crypto_1 = require("crypto");
 const jose_1 = require("jose");
 const txstate_utils_1 = require("txstate-utils");
-function cleanPem(secretOrPem) {
-    return secretOrPem?.replace(/(-+BEGIN [\w\s]+ KEY-+)\s*(.*?)\s*(-+END [\w\s]+ KEY-+)/, '$1\n$2\n$3');
-}
-class MockContext {
-    auth;
-    constructor(auth) {
-        this.auth = auth;
-    }
-    async waitForAuth() {
-        return this.auth;
+let hasInit = false;
+const issuerKeys = new Map();
+const issuerConfig = new Map();
+const trustedClients = new Set();
+const tokenCache = new txstate_utils_1.Cache(async (token, req) => {
+    const claims = (0, jose_1.decodeJwt)(token);
+    let verifyKey;
+    if (claims.iss && issuerKeys.has(claims.iss))
+        verifyKey = issuerKeys.get(claims.iss);
+    if (!verifyKey) {
+        req.log.warn(`Received token with issuer: ${claims.iss} but JWT secret could not be found. The server may be misconfigured or the user may have presented a JWT from an untrusted issuer.`);
+        return undefined;
     }
-    static init() { }
-}
-class Context extends MockContext {
-    authPromise;
-    static jwtVerifyKey;
-    static issuerKeys = new Map();
-    static issuerConfig = new Map();
-    static tokenCache = new txstate_utils_1.Cache(async (token, { req, ctx }) => {
-        // `this` is always the Context class, even if we are making instances of a subclass of Context
-        // we need to get the instance's constructor instead in case it has overridden one of our
-        // static methods/variables
-        const ctxStatic = ctx.constructor;
-        const logger = req?.log ?? console;
-        let verifyKey = Context.jwtVerifyKey;
-        try {
-            const claims = (0, jose_1.decodeJwt)(token);
-            if (claims.iss && ctxStatic.issuerKeys.has(claims.iss))
-                verifyKey = ctxStatic.issuerKeys.get(claims.iss);
-            if (!verifyKey) {
-                logger.info(`Received token with issuer: ${claims.iss} but JWT secret could not be found. The server may be misconfigured or the user may have presented a JWT from an untrusted issuer.`);
-                return undefined;
-            }
-            await ctxStatic.validateToken?.(token, ctxStatic.issuerConfig.get(claims.iss), claims);
-            const { payload } = await (0, jose_1.jwtVerify)(token, verifyKey);
-            return await ctx.authFromPayload(payload);
-        }
-        catch (e) {
-            // squelch errors about bad tokens, we can already see the 401 in the log
-            if (e.code !== 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED')
-                logger.error(e);
+    try {
+        const { payload } = await (0, jose_1.jwtVerify)(token, verifyKey);
+        if (trustedClients.size && !trustedClients.has(payload.client_id)) {
+            req.log.warn(`Received token with untrusted client_id: ${payload.client_id}.`);
             return undefined;
         }
-    }, { freshseconds: 10 });
-    constructor(req) {
-        super(undefined);
-        this.authPromise = this.authFromReq(req);
-    }
-    async waitForAuth() {
-        this.auth = await this.authPromise;
-        return this.auth;
-    }
-    static hasInitialized = false;
-    static init() {
-        if (this.hasInitialized)
-            return;
-        this.hasInitialized = true;
-        let secret = cleanPem(process.env.JWT_SECRET_VERIFY);
-        if (secret != null) {
-            Context.jwtVerifyKey = (0, crypto_1.createPublicKey)(secret);
-        }
-        else {
-            secret = cleanPem(process.env.JWT_SECRET);
-            if (secret != null) {
-                try {
-                    Context.jwtVerifyKey = (0, crypto_1.createPublicKey)(secret);
-                }
-                catch (e) {
-                    console.info('JWT_SECRET was not a private key, treating it as symmetric.');
-                    Context.jwtVerifyKey = (0, crypto_1.createSecretKey)(Buffer.from(secret, 'ascii'));
-                }
-            }
-        }
-        if (process.env.JWT_TRUSTED_ISSUERS) {
-            const issuers = (0, txstate_utils_1.toArray)(JSON.parse(process.env.JWT_TRUSTED_ISSUERS));
-            for (const issuer of issuers) {
-                this.issuerConfig.set(issuer.iss, this.processIssuerConfig?.((0, txstate_utils_1.omit)(issuer, 'publicKey', 'secret')));
-                if (issuer.url)
-                    this.issuerKeys.set(issuer.iss, (0, jose_1.createRemoteJWKSet)(new URL(issuer.url)));
-                else if (issuer.publicKey)
-                    this.issuerKeys.set(issuer.iss, (0, crypto_1.createPublicKey)(issuer.publicKey));
-                else if (issuer.secret)
-                    this.issuerKeys.set(issuer.iss, (0, crypto_1.createSecretKey)(Buffer.from(issuer.secret, 'ascii')));
-            }
-        }
-    }
-    /**
-     * If implemented, this method will be called on startup, once per configured issuer. It receives
-     * the issuer configuration from the JWT_TRUSTED_ISSUERS environment variable and allows you to manipulate
-     * the configuration before storing it.
-     *
-     * Once stored, whatever you create may be used in your custom validateToken method. For example,
-     * you might want to create an in-memory URL object with an issuer's URL so that it can be manipulated
-     * easily to send validation checks to the issuer.
-     */
-    static processIssuerConfig;
-    /**
-     * If implemented, this method is called after a token's signature is checked and passes. You would
-     * typically implement this method to check whether the user has manually signed out, or the token has
-     * been otherwise deauthorized before its expiration date.
-     *
-     * If the token is not valid, this method should throw an error with an appropriate message.
-     */
-    static validateToken;
-    tokenFromReq(req) {
-        const m = req?.headers.authorization?.match(/^bearer (.*)$/i);
-        return m?.[1];
+        return payload;
     }
-    async authFromReq(req) {
-        const token = this.tokenFromReq(req);
-        if (!token)
-            return undefined;
-        return this.constructor.tokenCache.get(token, { req, ctx: this });
+    catch (e) {
+        // squelch errors about bad tokens, we can already see the 401 in the log
+        if (e.code !== 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED')
+            req.log.error(e);
+        return undefined;
     }
-    async authFromPayload(payload) {
-        return payload;
+}, { freshseconds: 3600 });
+const validateCache = new txstate_utils_1.Cache(async (token, payload) => {
+    const config = issuerConfig.get(payload.iss);
+    if (!config?.validateUrl)
+        return;
+    // avoid checking for deauth until the token is more than 5 minutes old
+    if (new Date(payload.iat * 1000) > new Date(new Date().getTime() - 1000 * 60 * 5))
+        return;
+    const validateUrl = new URL(config.validateUrl);
+    validateUrl.searchParams.set('unifiedJwt', token);
+    const resp = await fetch(validateUrl);
+    const validate = await resp.json();
+    if (!validate.valid)
+        throw new Error(validate.reason ?? 'Your session has been ended on another device or in another browser tab/window. It\'s also possible your NetID is no longer active.');
+});
+const jwkCache = new txstate_utils_1.Cache(async (url) => {
+    const { keys } = await (await fetch(url)).json();
+    const publicKeyByKid = {};
+    for (const jwk of keys) {
+        if (jwk.kid)
+            publicKeyByKid[jwk.kid] = await (0, jose_1.importJWK)(jwk);
     }
+    return publicKeyByKid;
+});
+function remoteJWKSet(jwkUrl) {
+    return async (protectedHeader) => {
+        const publicKeyByKid = await jwkCache.get(jwkUrl);
+        return publicKeyByKid[protectedHeader.kid];
+    };
 }
-class TxStateUAuthContext extends Context {
-    static processIssuerConfig(config) {
-        if (config.iss === 'unified-auth') {
-            config.validateUrl = new URL(config.url ?? '');
-            config.validateUrl.pathname = '/validateToken';
-        }
-        return config;
+function processIssuerConfig(config) {
+    if (config.iss === 'unified-auth') {
+        config.validateUrl = new URL(config.url ?? '');
+        config.validateUrl.pathname = '/validateToken';
     }
-    static async validateToken(token, issuerConfig, claims) {
-        if (claims.iss === 'unified-auth') {
-            const validateUrl = new URL(issuerConfig.validateUrl);
-            validateUrl.searchParams.set('unifiedJwt', token);
-            const resp = await fetch(validateUrl);
-            const validate = await resp.json();
-            if (!validate.valid)
-                throw new Error(validate.reason ?? 'Your session has been ended on another device or in another browser tab/window. It\'s also possible your NetID is no longer active.');
+    return config;
+}
+function init() {
+    hasInit = true;
+    if (process.env.JWT_TRUSTED_ISSUERS) {
+        const issuers = (0, txstate_utils_1.toArray)(JSON.parse(process.env.JWT_TRUSTED_ISSUERS));
+        for (const issuer of issuers) {
+            issuerConfig.set(issuer.iss, processIssuerConfig(issuer));
+            if (issuer.iss === 'unified-auth')
+                issuerKeys.set(issuer.iss, remoteJWKSet(issuer.url));
+            else if (issuer.url)
+                issuerKeys.set(issuer.iss, (0, jose_1.createRemoteJWKSet)(new URL(issuer.url)));
+            else if (issuer.publicKey)
+                issuerKeys.set(issuer.iss, (0, crypto_1.createPublicKey)(issuer.publicKey));
+            else if (issuer.secret)
+                issuerKeys.set(issuer.iss, (0, crypto_1.createSecretKey)(Buffer.from(issuer.secret, 'ascii')));
         }
     }
-    async authFromPayload(payload) {
-        return {
-            username: payload.sub,
-            sessionId: payload.sub + '-' + payload.iat,
-            clientId: payload.client_id,
-            impersonatedBy: payload.impersonatedBy
-        };
+    for (const clientId of (process.env.JWT_TRUSTED_CLIENTIDS?.split(',').filter(txstate_utils_1.isNotBlank).map(clientId => clientId.trim()) ?? [])) {
+        trustedClients.add(clientId);
     }
 }
-async function unifiedAuthenticate(req, ContextClass = TxStateUAuthContext) {
-    ContextClass.init();
-    const ctx = new ContextClass(req);
-    return ctx.waitForAuth();
+function tokenFromReq(req) {
+    const m = req?.headers.authorization?.match(/^bearer (.*)$/i);
+    return m?.[1];
+}
+async function unifiedAuthenticate(req) {
+    if (!hasInit)
+        init();
+    const token = tokenFromReq(req);
+    if (!token)
+        return undefined;
+    const payload = await tokenCache.get(token, req);
+    if (!payload)
+        return undefined;
+    await validateCache.get(token, payload);
+    return {
+        username: payload.sub,
+        sessionId: payload.sub + '-' + payload.iat,
+        clientId: payload.client_id,
+        impersonatedBy: payload.act?.sub
+    };
 }
 exports.unifiedAuthenticate = unifiedAuthenticate;
-async function unifiedAuthenticateAll(req, ContextClass = TxStateUAuthContext) {
-    ContextClass.init();
-    const ctx = new ContextClass(req);
-    const auth = await ctx.waitForAuth();
+async function unifiedAuthenticateAll(req) {
+    const auth = await unifiedAuthenticate(req);
     if (!auth?.username.length && !req.routeOptions.url?.startsWith('/docs'))
         throw new Error('All requests require authentication.');
     return auth;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastify-txstate",
-  "version": "3.3.0",
+  "version": "3.3.1",
   "description": "A small wrapper for fastify providing a set of common conventions & utility functions we use.",
   "exports": {
     ".": {