fastify-txstate 3.6.9 → 4.0.0

package/lib/unified-auth.js

@@ -1,21 +1,18 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.unifiedAuthenticate = unifiedAuthenticate;
-exports.unifiedAuthenticateAll = unifiedAuthenticateAll;
-exports.requireCookieAuth = requireCookieAuth;
-exports.registerUaCookieRoutes = registerUaCookieRoutes;
-const crypto_1 = require("crypto");
-const jose_1 = require("jose");
-const txstate_utils_1 = require("txstate-utils");
+import { createPublicKey, createSecretKey, randomBytes } from 'node:crypto';
+import { createRemoteJWKSet, decodeJwt, jwtVerify, importJWK } from 'jose';
+import { Cache, htmlEncode, isBlank, isNotBlank, toArray } from 'txstate-utils';
+import { apiBaseUrl, uiBaseUrl } from "./server.js";
 let hasInit = false;
 const issuerKeys = new Map();
 const issuerConfig = new Map();
 const trustedClients = new Set();
-const uaCookieName = process.env.UA_COOKIE_NAME ?? (0, crypto_1.randomBytes)(16).toString('hex');
-const uaCookieNameRegex = new RegExp(`${uaCookieName}=([^;]+)`);
-const uaServiceUrl = (0, txstate_utils_1.isNotBlank)(process.env.PUBLIC_URL) ? process.env.PUBLIC_URL + (process.env.PUBLIC_URL.endsWith('/') ? '' : '/') + '.uaService' : undefined;
-const tokenCache = new txstate_utils_1.Cache(async (token, req) => {
-    const claims = (0, jose_1.decodeJwt)(token);
+const uaCookieName = process.env.UA_COOKIE_NAME ?? randomBytes(16).toString('hex');
+const uaCookieNameRegex = new RegExp(`${uaCookieName}=([^;]+)`, 'v');
+function uaServiceUrl(req) {
+    return apiBaseUrl(req) + '/.uaService';
+}
+const tokenCache = new Cache(async (token, req) => {
+    const claims = decodeJwt(token);
     let verifyKey;
     if (claims.iss && issuerKeys.has(claims.iss))
         verifyKey = issuerKeys.get(claims.iss);
@@ -24,7 +21,7 @@ const tokenCache = new txstate_utils_1.Cache(async (token, req) => {
         return undefined;
     }
     try {
-        const { payload } = await (0, jose_1.jwtVerify)(token, verifyKey);
+        const { payload } = await jwtVerify(token, verifyKey);
         if (trustedClients.size && !trustedClients.has(payload.client_id)) {
             req.log.warn(`Received token with untrusted client_id: ${payload.client_id}.`);
             return undefined;
@@ -32,13 +29,14 @@ const tokenCache = new txstate_utils_1.Cache(async (token, req) => {
         return payload;
     }
     catch (e) {
-        // squelch errors about bad tokens, we can already see the 401 in the log
-        if (e.code !== 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED')
+        // squelch expected token errors — bad signatures and expirations show as 401 in the access log
+        const code = e.code;
+        if (code !== 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED' && code !== 'ERR_JWT_EXPIRED')
             req.log.error(e);
         return undefined;
     }
 }, { freshseconds: 3600 });
-const validateCache = new txstate_utils_1.Cache(async (token, payload) => {
+const validateCache = new Cache(async (token, payload) => {
     const config = issuerConfig.get(payload.iss);
     if (!config?.validateUrl)
         return;
@@ -52,12 +50,12 @@ const validateCache = new txstate_utils_1.Cache(async (token, payload) => {
     if (!validate.valid)
         throw new Error(validate.reason ?? 'Your session has been ended on another device or in another browser tab/window. It\'s also possible your NetID is no longer active.');
 });
-const jwkCache = new txstate_utils_1.Cache(async (url) => {
+const jwkCache = new Cache(async (url) => {
     const { keys } = await (await fetch(url)).json();
     const publicKeyByKid = {};
     for (const jwk of keys) {
         if (jwk.kid)
-            publicKeyByKid[jwk.kid] = await (0, jose_1.importJWK)(jwk);
+            publicKeyByKid[jwk.kid] = await importJWK(jwk);
     }
     return publicKeyByKid;
 });
@@ -69,12 +67,12 @@ function remoteJWKSet(jwkUrl) {
 }
 function processIssuerConfig(config) {
     if (config.iss === 'unified-auth') {
-        const validateUrl = (0, txstate_utils_1.isNotBlank)(config.validateUrl)
+        const validateUrl = isNotBlank(config.validateUrl)
             ? new URL(config.validateUrl, config.url)
             : new URL('validateToken', config.url);
-        const logoutUrl = (0, txstate_utils_1.isNotBlank)(config.logoutUrl)
+        const logoutUrl = isNotBlank(config.logoutUrl)
             ? new URL(config.logoutUrl, config.url)
-            : (0, txstate_utils_1.isNotBlank)(process.env.UA_URL)
+            : isNotBlank(process.env.UA_URL)
                 ? new URL(process.env.UA_URL + '/logout')
                 : new URL('logout', config.url);
         return {
@@ -92,25 +90,25 @@ function processIssuerConfig(config) {
 function init() {
     hasInit = true;
     if (process.env.JWT_TRUSTED_ISSUERS) {
-        const issuers = (0, txstate_utils_1.toArray)(JSON.parse(process.env.JWT_TRUSTED_ISSUERS));
+        const issuers = toArray(JSON.parse(process.env.JWT_TRUSTED_ISSUERS));
         for (const issuer of issuers) {
             issuerConfig.set(issuer.iss, processIssuerConfig(issuer));
             if (issuer.iss === 'unified-auth')
                 issuerKeys.set(issuer.iss, remoteJWKSet(issuer.url));
             else if (issuer.url)
-                issuerKeys.set(issuer.iss, (0, jose_1.createRemoteJWKSet)(new URL(issuer.url)));
+                issuerKeys.set(issuer.iss, createRemoteJWKSet(new URL(issuer.url)));
             else if (issuer.publicKey)
-                issuerKeys.set(issuer.iss, (0, crypto_1.createPublicKey)(issuer.publicKey));
+                issuerKeys.set(issuer.iss, createPublicKey(issuer.publicKey));
             else if (issuer.secret)
-                issuerKeys.set(issuer.iss, (0, crypto_1.createSecretKey)(Buffer.from(issuer.secret, 'ascii')));
+                issuerKeys.set(issuer.iss, createSecretKey(Buffer.from(issuer.secret, 'ascii')));
         }
     }
-    for (const clientId of (process.env.JWT_TRUSTED_CLIENTIDS?.split(',').filter(txstate_utils_1.isNotBlank).map(clientId => clientId.trim()) ?? [])) {
+    for (const clientId of (process.env.JWT_TRUSTED_CLIENTIDS?.split(',').filter(isNotBlank).map(clientId => clientId.trim()) ?? [])) {
         trustedClients.add(clientId);
     }
 }
 function tokenFromReq(req) {
-    const m = req?.headers.authorization?.match(/^bearer (.*)$/i);
+    const m = req?.headers.authorization?.match(/^bearer (.*)$/iv);
     if (m != null)
         return m[1];
     const m2 = req?.headers.cookie?.match(uaCookieNameRegex);
@@ -126,8 +124,9 @@ async function unifiedAuthenticateInternal(req) {
     const payload = await tokenCache.get(token, req);
     if (!payload)
         return undefined;
+    if (payload.exp && payload.exp * 1000 <= Date.now())
+        return undefined;
     await validateCache.get(token, payload);
-    req.token = token;
     return {
         token,
         issuerConfig: payload.iss ? issuerConfig.get(payload.iss) : undefined,
@@ -139,7 +138,7 @@ async function unifiedAuthenticateInternal(req) {
         scope: payload.scope
     };
 }
-async function unifiedAuthenticate(req, options) {
+export async function unifiedAuthenticate(req, options) {
     const auth = await unifiedAuthenticateInternal(req);
     if (options?.usingUaCookieRoutes) {
         options.exceptRoutes ??= new Set();
@@ -149,10 +148,10 @@ async function unifiedAuthenticate(req, options) {
         options.optionalRoutes.add('/.uaLogout');
     }
     const isNoAuthenticationRoute = options?.exceptRoutes?.has(req.routeOptions.url);
-    const requiresAuthenticationRoute = options?.authenticateAll &&
-        !options?.exceptRoutes?.has(req.routeOptions.url) &&
-        !options?.optionalRoutes?.has(req.routeOptions.url);
-    if (requiresAuthenticationRoute && (0, txstate_utils_1.isBlank)(auth?.username)) {
+    const requiresAuthenticationRoute = options?.authenticateAll
+        && !options.exceptRoutes?.has(req.routeOptions.url)
+        && !options.optionalRoutes?.has(req.routeOptions.url);
+    if (requiresAuthenticationRoute && isBlank(auth?.username)) {
         throw new Error('Request requires authentication.');
     }
     return isNoAuthenticationRoute ? undefined : auth;
@@ -160,7 +159,7 @@ async function unifiedAuthenticate(req, options) {
 /**
  * @deprecated Use unifiedAuthenticateWithOptions with { authenticateAll: true } instead.
  */
-async function unifiedAuthenticateAll(req) {
+export async function unifiedAuthenticateAll(req) {
     return (await unifiedAuthenticate(req, { authenticateAll: true }));
 }
 /**
@@ -168,11 +167,11 @@ async function unifiedAuthenticateAll(req) {
  * using a framework. It will automatically redirect the user to the Unified Auth login page
  * and return true if they are not authenticated. Otherwise it simply returns false.
  */
-async function requireCookieAuth(req, res) {
-    if ((0, txstate_utils_1.isBlank)(req.auth?.username)) {
+export async function requireCookieAuth(req, res) {
+    if (isBlank(req.auth?.username)) {
         const loginUrl = new URL(process.env.UA_URL + '/login');
         loginUrl.searchParams.set('clientId', process.env.UA_CLIENTID);
-        loginUrl.searchParams.set('returnUrl', uaServiceUrl ?? new URL('/.uaService', req.url).toString());
+        loginUrl.searchParams.set('returnUrl', uaServiceUrl(req));
         loginUrl.searchParams.set('requestedUrl', req.originalUrl);
         void res.redirect(loginUrl.toString());
         return true;
@@ -181,7 +180,7 @@ async function requireCookieAuth(req, res) {
         return false;
     }
 }
-function registerUaCookieRoutes(app) {
+export function registerUaCookieRoutes(app) {
     app.get('/.uaLogout', {
         schema: {
             headers: {
@@ -193,15 +192,15 @@ function registerUaCookieRoutes(app) {
             }
         }
     }, async (req, res) => {
-        const redirectUrl = req.auth?.issuerConfig?.logoutUrl && (0, txstate_utils_1.isNotBlank)(req.auth.token)
+        const redirectUrl = req.auth?.issuerConfig?.logoutUrl && isNotBlank(req.auth.token)
             ? `${req.auth.issuerConfig.logoutUrl.toString()}?unifiedJwt=${encodeURIComponent(req.auth.token)}`
-            : (process.env.PUBLIC_URL || new URL('..', req.url).toString());
+            : uiBaseUrl(req);
         void res.header('Set-Cookie', `${uaCookieName}=; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
         return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
-  <meta http-equiv="refresh" content="0; url=${(0, txstate_utils_1.htmlEncode)(redirectUrl)}">
+  <meta http-equiv="refresh" content="0; url=${htmlEncode(redirectUrl)}">
   <title>Logging out...</title>
 </head>
 <body>
@@ -221,13 +220,18 @@ function registerUaCookieRoutes(app) {
             }
         }
     }, async (req, res) => {
+        const destination = req.query.requestedUrl ?? uiBaseUrl(req);
+        if (req.query.requestedUrl && req.originChecker && !req.originChecker.check(req.query.requestedUrl, req.hostname)) {
+            void res.status(403);
+            return 'Requested URL failed origin check.';
+        }
         void res.header('Set-Cookie', `${uaCookieName}=${req.query.unifiedJwt}; Path=/; Secure; HttpOnly; SameSite=Lax`);
         void res.type('text/html');
         return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
-  <meta http-equiv="refresh" content="0; url=${(0, txstate_utils_1.htmlEncode)(req.query.requestedUrl ?? (process.env.PUBLIC_URL || new URL('..', req.url).toString()))}">
+  <meta http-equiv="refresh" content="0; url=${htmlEncode(destination)}">
   <title>Logging in...</title>
 </head>
 <body>
@@ -252,14 +256,18 @@ function registerUaCookieRoutes(app) {
             }
         }
     }, async (req, res) => {
-        const loginUrl = (0, txstate_utils_1.isNotBlank)(process.env.UA_URL)
+        if (req.query.requestedUrl && req.originChecker && !req.originChecker.check(req.query.requestedUrl, req.hostname)) {
+            void res.status(403);
+            return 'Requested URL failed origin check.';
+        }
+        const loginUrl = isNotBlank(process.env.UA_URL)
             ? new URL(process.env.UA_URL + '/login')
             : new URL('login', issuerConfig.get('unified-auth')?.url);
         loginUrl.searchParams.set('clientId', process.env.UA_CLIENTID ?? process.env.JWT_TRUSTED_CLIENTIDS.split(',')[0]);
-        const returnUrl = uaServiceUrl ?? new URL('.uaService', req.protocol + '://' + req.hostname).toString();
+        const returnUrl = uaServiceUrl(req);
         loginUrl.searchParams.set('returnUrl', returnUrl);
         if (req.query.requestedUrl)
             loginUrl.searchParams.set('requestedUrl', req.query.requestedUrl);
-        return res.redirect(loginUrl.toString());
+        return await res.redirect(loginUrl.toString());
     });
 }

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "fastify-txstate",
-  "version": "3.6.9",
+  "version": "4.0.0",
   "description": "A small wrapper for fastify providing a set of common conventions & utility functions we use.",
+  "type": "module",
   "exports": {
     ".": {
       "types": "./lib/index.d.ts",
-      "require": "./lib/index.js",
-      "import": "./lib-esm/index.js"
+      "import": "./lib/index.js"
     }
   },
   "types": "./lib/index.d.ts",
@@ -14,37 +14,37 @@
     "prepublishOnly": "npm run build",
     "build": "rm -rf lib && tsc",
     "test": "./test.sh",
-    "mocha": "TS_NODE_PROJECT=test/tsconfig.json mocha -r ts-node/register test/**/*.ts",
-    "testserver": "node -r ts-node/register --no-warnings testserver/index.ts"
+    "nodetest": "node --experimental-transform-types --no-warnings --test test/**/*.ts",
+    "testserver": "node --experimental-transform-types --no-warnings testserver/index.ts",
+    "lint": "eslint src test testserver"
   },
   "dependencies": {
-    "@elastic/elasticsearch": "^8.13.0",
-    "@fastify/swagger": "^8.14.0",
-    "@fastify/swagger-ui": "^3.0.0",
-    "@fastify/type-provider-json-schema-to-ts": "^3.0.0",
+    "@elastic/elasticsearch": "^9.0.0",
+    "@fastify/swagger": "^9.0.0",
+    "@fastify/swagger-ui": "^5.0.0",
+    "@fastify/type-provider-json-schema-to-ts": "^5.0.0",
     "@txstate-mws/fastify-shared": "^1.0.9",
-    "@types/ua-parser-js": ">=0.7.39",
+    "ajv": "^8.20.0",
     "ajv-errors": "^3.0.0",
     "ajv-formats": "^3.0.0",
-    "fastify": "^4.9.2",
-    "fastify-plugin": "^4.5.1",
+    "fastify": "^5.0.0",
     "http-status-codes": "^2.1.4",
-    "jose": "^5.0.0 || ^6.0.0",
+    "jose": "^6.0.0",
+    "openapi-types": "^12.1.3",
+    "pino": "^10.3.1",
     "txstate-utils": "^1.9.5",
-    "ua-parser-js": "^1.0.37"
+    "ua-parser-js": "^2.0.0"
   },
   "devDependencies": {
-    "@fastify/multipart": "^8.0.0",
-    "@types/chai": "^4.2.14",
-    "@types/mocha": "^10.0.0",
+    "@fastify/multipart": "^10.0.0",
+    "@stylistic/eslint-plugin": "^5.0.0",
+    "@types/chai": "^5.2.3",
     "@types/node": "^24.0.0",
-    "axios": "^1.6.8",
-    "chai": "^4.2.0",
-    "eslint-config-standard-with-typescript": "^43.0.0",
+    "axios": "^1.15.0",
+    "chai": "^6.0.0",
+    "eslint-config-love": "^153.0.0",
     "json-schema-to-ts": "^3.0.1",
-    "mocha": "^10.0.0",
-    "ts-node": "^10.2.1",
-    "typescript": "^5.0.4"
+    "typescript": "^6.0.0"
   },
   "repository": {
     "type": "git",
@@ -56,8 +56,10 @@
     "url": "https://github.com/txstate-etc/fastify-txstate/issues"
   },
   "homepage": "https://github.com/txstate-etc/fastify-txstate#readme",
+  "engines": {
+    "node": ">=20"
+  },
   "files": [
-    "lib/**/*",
-    "lib-esm/**/*"
+    "lib/**/*"
   ]
 }

package/lib-esm/index.js

@@ -1,20 +0,0 @@
-import ftxst from '../lib/index.js'
-
-export const devLogger = ftxst.devLogger
-export const prodLogger = ftxst.prodLogger
-export const HttpError = ftxst.HttpError
-export const FailedValidationError = ftxst.FailedValidationError
-export const ValidationError = ftxst.ValidationError
-export const ValidationErrors = ftxst.ValidationErrors
-export const unifiedAuthenticate = ftxst.unifiedAuthenticate
-export const unifiedAuthenticateAll = ftxst.unifiedAuthenticateAll
-export const registerUaCookieRoutes = ftxst.registerUaCookieRoutes
-export const analyticsPlugin = ftxst.analyticsPlugin
-export const AnalyticsClient = ftxst.AnalyticsClient
-export const LoggingAnalyticsClient = ftxst.LoggingAnalyticsClient
-export const ElasticAnalyticsClient = ftxst.ElasticAnalyticsClient
-export const postFormData = ftxst.postFormData
-export const readableToWebReadable = ftxst.readableToWebReadable
-export const FileSystemHandler = ftxst.FileSystemHandler
-export const fileHandler = ftxst.fileHandler
-export default ftxst.default

package/lib-esm/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}