npm - fastify-txstate - Versions diffs - 3.5.1 → 3.6.1 - Mend

fastify-txstate 3.5.1 → 3.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/lib/index.d.ts CHANGED Viewed

@@ -25,6 +25,13 @@ export interface FastifyTxStateAuthInfo {
      * If all else fails, you can sha256 the session token with a salt.
      */
     sessionId: string;
+    /**
+     * The date that the session was created, if available. This is useful for considering
+     * tokens before a certain date as invalid. For instance, if you want a logout action
+     * to invalidate all tokens created until that point, you can compare this field against
+     * the last time they logged out.
+     */
+    sessionCreatedAt?: Date;
     /**
      * Some authentication systems allow administrators to impersonate regular users, so that
      * they can see what that user sees and troubleshoot issues. We still want to log the administrator
@@ -51,6 +58,24 @@ export interface FastifyTxStateAuthInfo {
      * only a portion of the application's functionality would be available to them.
      */
     scope?: string;
+    /**
+     * The token or key that was used to authenticate the request. This is useful for
+     * making sub-requests to other APIs that can authenticate with the same token.
+     */
+    token: string;
+    /**
+     * The issuer configuration for the token, if applicable. This helps you generate
+     * a proper logout url in multi-issuer environments.
+     */
+    issuerConfig?: IssuerConfig;
+}
+export interface IssuerConfig {
+    iss: string;
+    url?: string;
+    publicKey?: string;
+    secret?: string;
+    validateUrl?: URL;
+    logoutUrl?: URL;
 }
 export interface FastifyTxStateOptions extends Partial<FastifyServerOptions> {
     https?: http2.SecureServerOptions;
@@ -88,6 +113,10 @@ export interface FastifyTxStateOptions extends Partial<FastifyServerOptions> {
 declare module 'fastify' {
     interface FastifyRequest {
         auth?: FastifyTxStateAuthInfo;
+        /**
+         * @deprecated Use `req.auth.token` instead. Just trying to keep everything contained.
+         * This will be removed in the next major version.
+         */
         token?: string;
     }
     interface FastifyReply {

package/lib/index.js CHANGED Viewed

@@ -211,7 +211,7 @@ class Server {
                 DELETE: true
             };
             this.app.addHook('onRequest', async (req, res) => {
-                if (!authenticatedMethods[req.method] || req.routeOptions.url === '/health' || (this.swaggerEndpoint && req.routeOptions.url?.startsWith(this.swaggerEndpoint)))
+                if (!authenticatedMethods[req.method] || (0, txstate_utils_1.isBlank)(req.routeOptions.url) || req.routeOptions.url === '/health' || req.routeOptions.url === '/.uaService' || (this.swaggerEndpoint && req.routeOptions.url?.startsWith(this.swaggerEndpoint)))
                     return;
                 try {
                     req.auth = await config.authenticate(req);

package/lib/unified-auth.d.ts CHANGED Viewed

@@ -1,7 +1,22 @@
 import { type FastifyReply, type FastifyRequest } from 'fastify';
-import { type FastifyInstanceTyped, type FastifyTxStateAuthInfo } from '.';
-export declare const uaCookieName: string;
-export declare function unifiedAuthenticate(req: FastifyRequest): Promise<FastifyTxStateAuthInfo | undefined>;
+import { type IssuerConfig, type FastifyInstanceTyped, type FastifyTxStateAuthInfo } from '.';
+export interface IssuerConfigRaw extends Omit<IssuerConfig, 'validateUrl' | 'logoutUrl'> {
+    validateUrl?: string;
+    logoutUrl?: string;
+}
+export declare function unifiedAuthenticate(req: FastifyRequest, options?: {
+    authenticateAll?: boolean;
+    exceptRoutes?: Set<string>;
+    usingUaCookieRoutes?: boolean;
+}): Promise<FastifyTxStateAuthInfo | undefined>;
+/**
+ * @deprecated Use unifiedAuthenticateWithOptions with { authenticateAll: true } instead.
+ */
 export declare function unifiedAuthenticateAll(req: FastifyRequest): Promise<FastifyTxStateAuthInfo>;
+/**
+ * This function is available for server-side view code instead of a client-side application
+ * using a framework. It will automatically redirect the user to the Unified Auth login page
+ * and return true if they are not authenticated. Otherwise it simply returns false.
+ */
 export declare function requireCookieAuth(req: FastifyRequest, res: FastifyReply): Promise<boolean>;
 export declare function registerUaCookieRoutes(app: FastifyInstanceTyped): void;

package/lib/unified-auth.js CHANGED Viewed

@@ -1,6 +1,5 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.uaCookieName = void 0;
 exports.unifiedAuthenticate = unifiedAuthenticate;
 exports.unifiedAuthenticateAll = unifiedAuthenticateAll;
 exports.requireCookieAuth = requireCookieAuth;
@@ -12,7 +11,7 @@ let hasInit = false;
 const issuerKeys = new Map();
 const issuerConfig = new Map();
 const trustedClients = new Set();
-exports.uaCookieName = process.env.UA_COOKIE_NAME ?? (0, crypto_1.randomBytes)(16).toString('hex');
+const uaCookieName = process.env.UA_COOKIE_NAME ?? (0, crypto_1.randomBytes)(16).toString('hex');
 const tokenCache = new txstate_utils_1.Cache(async (token, req) => {
     const claims = (0, jose_1.decodeJwt)(token);
     let verifyKey;
@@ -68,10 +67,27 @@ function remoteJWKSet(jwkUrl) {
 }
 function processIssuerConfig(config) {
     if (config.iss === 'unified-auth') {
-        config.validateUrl = new URL(config.url ?? '');
-        config.validateUrl.pathname = [...config.validateUrl.pathname.split('/').slice(0, -1), 'validateToken'].join('/');
+        const validateUrl = (0, txstate_utils_1.isNotBlank)(config.validateUrl)
+            ? new URL(config.validateUrl, config.url)
+            : (0, txstate_utils_1.isNotBlank)(process.env.UA_URL)
+                ? new URL(process.env.UA_URL + '/validateToken')
+                : new URL('validateToken', config.url);
+        const logoutUrl = (0, txstate_utils_1.isNotBlank)(config.logoutUrl)
+            ? new URL(config.logoutUrl, config.url)
+            : (0, txstate_utils_1.isNotBlank)(process.env.UA_URL)
+                ? new URL(process.env.UA_URL + '/logout')
+                : new URL('logout', config.url);
+        return {
+            ...config,
+            validateUrl,
+            logoutUrl
+        };
     }
-    return config;
+    return {
+        ...config,
+        validateUrl: undefined,
+        logoutUrl: config.logoutUrl ? new URL(config.logoutUrl, config.url) : undefined
+    };
 }
 function init() {
     hasInit = true;
@@ -97,11 +113,11 @@ function tokenFromReq(req) {
     const m = req?.headers.authorization?.match(/^bearer (.*)$/i);
     if (m != null)
         return m[1];
-    const m2 = req?.headers.cookie?.match(new RegExp(`${exports.uaCookieName}=([^;]+)`));
+    const m2 = req?.headers.cookie?.match(new RegExp(`${uaCookieName}=([^;]+)`));
     if (m2 != null)
         return m2[1];
 }
-async function unifiedAuthenticate(req) {
+async function unifiedAuthenticateInternal(req) {
     if (!hasInit)
         init();
     const token = tokenFromReq(req);
@@ -113,24 +129,48 @@ async function unifiedAuthenticate(req) {
     await validateCache.get(token, payload);
     req.token = token;
     return {
+        token,
+        issuerConfig: payload.iss ? issuerConfig.get(payload.iss) : undefined,
         username: payload.sub,
         sessionId: payload.sub + '-' + payload.iat,
+        sessionCreatedAt: payload.iat ? new Date(payload.iat * 1000) : undefined,
         clientId: payload.client_id,
         impersonatedBy: payload.act?.sub,
         scope: payload.scope
     };
 }
-async function unifiedAuthenticateAll(req) {
-    const auth = await unifiedAuthenticate(req);
-    if (!auth?.username.length)
-        throw new Error('All requests require authentication.');
+async function unifiedAuthenticate(req, options) {
+    const auth = await unifiedAuthenticateInternal(req);
+    if (options?.usingUaCookieRoutes) {
+        options.exceptRoutes ??= new Set();
+        options.exceptRoutes.add('/.uaService');
+        options.exceptRoutes.add('/.uaRedirect');
+    }
+    const isAuthenticatedRoute = options?.authenticateAll && (options.exceptRoutes == null || !options.exceptRoutes.has(req.routeOptions.url));
+    if (isAuthenticatedRoute) {
+        if ((0, txstate_utils_1.isBlank)(auth?.username))
+            throw new Error('Request requires authentication.');
+    }
     return auth;
 }
+/**
+ * @deprecated Use unifiedAuthenticateWithOptions with { authenticateAll: true } instead.
+ */
+async function unifiedAuthenticateAll(req) {
+    return (await unifiedAuthenticate(req, { authenticateAll: true }));
+}
+/**
+ * This function is available for server-side view code instead of a client-side application
+ * using a framework. It will automatically redirect the user to the Unified Auth login page
+ * and return true if they are not authenticated. Otherwise it simply returns false.
+ */
 async function requireCookieAuth(req, res) {
-    if (req.auth === undefined || req.auth.username.length === 0) {
-        await res
-            .header('Set-Cookie', `${exports.uaCookieName}_return=${encodeURIComponent(`${process.env.PUBLIC_URL ?? ''}${req.originalUrl}`)}; Path=/; Secure; HttpOnly; SameSite=Lax`)
-            .redirect(`${process.env.UA_URL ?? ''}/login?clientId=${process.env.UA_CLIENTID ?? ''}&returnUrl=${encodeURIComponent(`${process.env.PUBLIC_URL ?? ''}/.uaService`)}`);
+    if ((0, txstate_utils_1.isBlank)(req.auth?.username)) {
+        const loginUrl = new URL(process.env.UA_URL + '/login');
+        loginUrl.searchParams.set('clientId', process.env.UA_CLIENTID);
+        loginUrl.searchParams.set('returnUrl', (0, txstate_utils_1.isNotBlank)(process.env.PUBLIC_URL) ? new URL(process.env.PUBLIC_URL + '/.uaService').toString() : new URL('/.uaService', req.url).toString());
+        loginUrl.searchParams.set('requestedUrl', req.originalUrl);
+        void res.redirect(loginUrl.toString());
         return true;
     }
     else {
@@ -143,44 +183,59 @@ function registerUaCookieRoutes(app) {
             headers: {
                 type: 'object',
                 properties: {
-                    cookie: { type: 'string', pattern: `${exports.uaCookieName}=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+` }
+                    cookie: { type: 'string', pattern: `${uaCookieName}=[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+` }
                 },
                 required: ['cookie']
             }
         }
     }, async (req, res) => {
-        const m = req.headers.cookie.match(new RegExp(`${exports.uaCookieName}=([^;]+)`));
-        if (m == null)
-            return res.code(400).send('Missing UA JWT');
+        const redirectUrl = req.auth?.issuerConfig?.logoutUrl
+            ? `${req.auth.issuerConfig.logoutUrl.toString()}?unifiedJwt=${encodeURIComponent(req.auth.token)}`
+            : (process.env.PUBLIC_URL || new URL('..', req.url).toString());
         return res
-            .header('Set-Cookie', `${exports.uaCookieName}=; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Thu, 01 Jan 1970 00:00:00 GMT`)
-            .redirect(`${process.env.UA_URL ?? ''}/logout?unifiedJwt=${encodeURIComponent(m[1])}`);
+            .header('Set-Cookie', `${uaCookieName}=; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Thu, 01 Jan 1970 00:00:00 GMT`)
+            .redirect(redirectUrl);
     });
     app.get('/.uaService', {
         schema: {
             querystring: {
                 type: 'object',
                 properties: {
-                    unifiedJwt: { type: 'string', pattern: '^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$' }
+                    unifiedJwt: { type: 'string', pattern: '^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$' },
+                    requestedUrl: { type: 'string', format: 'uri' }
                 },
                 required: ['unifiedJwt'],
                 additionalProperties: false
-            },
-            headers: {
+            }
+        }
+    }, async (req, res) => {
+        return res
+            .header('Set-Cookie', `${uaCookieName}=${req.query.unifiedJwt}; Path=/; Secure; HttpOnly; SameSite=Lax`)
+            .redirect(req.query.requestedUrl ?? (process.env.PUBLIC_URL || new URL('..', req.url).toString()));
+    });
+    /**
+     * In the case of a client-side application that uses the UA cookie to authenticate,
+     * the client code can detect a 401 from the API and redirect the user to this endpoint.
+     *
+     * This endpoint will redirect the browser to Unified Auth so that the client code does
+     * not need to have any configuration for Unified Auth.
+     */
+    app.get('/.uaRedirect', {
+        schema: {
+            querystring: {
                 type: 'object',
                 properties: {
-                    cookie: { type: 'string', pattern: `${exports.uaCookieName}_return=${encodeURIComponent(`${process.env.PUBLIC_URL ?? ''}`)}` }
+                    requestedUrl: { type: 'string', format: 'uri' }
                 },
-                required: ['cookie']
+                additionalProperties: false
             }
         }
     }, async (req, res) => {
-        const m = req.headers.cookie.match(new RegExp(`${exports.uaCookieName}_return=([^;]+)`));
-        if (m == null)
-            return res.code(400).send('Return URL cookie not found');
-        return res
-            .header('Set-Cookie', `${exports.uaCookieName}=${req.query.unifiedJwt}; Path=/; Secure; HttpOnly; SameSite=Lax`)
-            .header('Set-Cookie', `${exports.uaCookieName}_return=; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Thu, 01 Jan 1970 00:00:00 GMT`)
-            .redirect(decodeURIComponent(m[1]));
+        const loginUrl = new URL(process.env.UA_URL + '/login');
+        loginUrl.searchParams.set('clientId', process.env.UA_CLIENTID);
+        loginUrl.searchParams.set('returnUrl', new URL('.uaService', process.env.PUBLIC_URL || new URL(req.url, req.protocol + '://' + req.hostname)).toString());
+        if (req.query.requestedUrl)
+            loginUrl.searchParams.set('requestedUrl', req.query.requestedUrl);
+        return res.redirect(loginUrl.toString());
     });
 }

package/lib-esm/index.js CHANGED Viewed

@@ -8,6 +8,7 @@ export const ValidationError = ftxst.ValidationError
 export const ValidationErrors = ftxst.ValidationErrors
 export const unifiedAuthenticate = ftxst.unifiedAuthenticate
 export const unifiedAuthenticateAll = ftxst.unifiedAuthenticateAll
+export const registerUaCookieRoutes = ftxst.registerUaCookieRoutes
 export const analyticsPlugin = ftxst.analyticsPlugin
 export const AnalyticsClient = ftxst.AnalyticsClient
 export const LoggingAnalyticsClient = ftxst.LoggingAnalyticsClient

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "fastify-txstate",
-  "version": "3.5.1",
+  "version": "3.6.1",
   "description": "A small wrapper for fastify providing a set of common conventions & utility functions we use.",
   "exports": {
     ".": {
@@ -25,11 +25,11 @@
     "@txstate-mws/fastify-shared": "^1.0.9",
     "@types/ua-parser-js": ">=0.7.39",
     "ajv-errors": "^3.0.0",
-    "ajv-formats": "^2.1.1",
+    "ajv-formats": "^3.0.0",
     "fastify": "^4.9.2",
     "fastify-plugin": "^4.5.1",
     "http-status-codes": "^2.1.4",
-    "jose": "^5.2.3",
+    "jose": "^6.0.0",
     "txstate-utils": "^1.9.5",
     "ua-parser-js": "^1.0.37"
   },