fastify-txstate 3.6.9 → 4.0.1

package/lib/unified-auth.js

@@ -1,178 +1,34 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.unifiedAuthenticate = unifiedAuthenticate;
-exports.unifiedAuthenticateAll = unifiedAuthenticateAll;
-exports.requireCookieAuth = requireCookieAuth;
-exports.registerUaCookieRoutes = registerUaCookieRoutes;
-const crypto_1 = require("crypto");
-const jose_1 = require("jose");
-const txstate_utils_1 = require("txstate-utils");
-let hasInit = false;
-const issuerKeys = new Map();
-const issuerConfig = new Map();
-const trustedClients = new Set();
-const uaCookieName = process.env.UA_COOKIE_NAME ?? (0, crypto_1.randomBytes)(16).toString('hex');
-const uaCookieNameRegex = new RegExp(`${uaCookieName}=([^;]+)`);
-const uaServiceUrl = (0, txstate_utils_1.isNotBlank)(process.env.PUBLIC_URL) ? process.env.PUBLIC_URL + (process.env.PUBLIC_URL.endsWith('/') ? '' : '/') + '.uaService' : undefined;
-const tokenCache = new txstate_utils_1.Cache(async (token, req) => {
-    const claims = (0, jose_1.decodeJwt)(token);
-    let verifyKey;
-    if (claims.iss && issuerKeys.has(claims.iss))
-        verifyKey = issuerKeys.get(claims.iss);
-    if (!verifyKey) {
-        req.log.warn(`Received token with issuer: ${claims.iss} but JWT secret could not be found. The server may be misconfigured or the user may have presented a JWT from an untrusted issuer.`);
-        return undefined;
-    }
-    try {
-        const { payload } = await (0, jose_1.jwtVerify)(token, verifyKey);
-        if (trustedClients.size && !trustedClients.has(payload.client_id)) {
-            req.log.warn(`Received token with untrusted client_id: ${payload.client_id}.`);
-            return undefined;
-        }
-        return payload;
-    }
-    catch (e) {
-        // squelch errors about bad tokens, we can already see the 401 in the log
-        if (e.code !== 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED')
-            req.log.error(e);
-        return undefined;
-    }
-}, { freshseconds: 3600 });
-const validateCache = new txstate_utils_1.Cache(async (token, payload) => {
-    const config = issuerConfig.get(payload.iss);
-    if (!config?.validateUrl)
-        return;
-    // avoid checking for deauth until the token is more than 5 minutes old
-    if (new Date(payload.iat * 1000) > new Date(new Date().getTime() - 1000 * 60 * 5))
-        return;
-    const validateUrl = new URL(config.validateUrl);
-    validateUrl.searchParams.set('unifiedJwt', token);
-    const resp = await fetch(validateUrl);
-    const validate = await resp.json();
-    if (!validate.valid)
-        throw new Error(validate.reason ?? 'Your session has been ended on another device or in another browser tab/window. It\'s also possible your NetID is no longer active.');
-});
-const jwkCache = new txstate_utils_1.Cache(async (url) => {
-    const { keys } = await (await fetch(url)).json();
-    const publicKeyByKid = {};
-    for (const jwk of keys) {
-        if (jwk.kid)
-            publicKeyByKid[jwk.kid] = await (0, jose_1.importJWK)(jwk);
-    }
-    return publicKeyByKid;
-});
-function remoteJWKSet(jwkUrl) {
-    return async (protectedHeader) => {
-        const publicKeyByKid = await jwkCache.get(jwkUrl);
-        return publicKeyByKid[protectedHeader.kid];
-    };
-}
-function processIssuerConfig(config) {
-    if (config.iss === 'unified-auth') {
-        const validateUrl = (0, txstate_utils_1.isNotBlank)(config.validateUrl)
-            ? new URL(config.validateUrl, config.url)
-            : new URL('validateToken', config.url);
-        const logoutUrl = (0, txstate_utils_1.isNotBlank)(config.logoutUrl)
-            ? new URL(config.logoutUrl, config.url)
-            : (0, txstate_utils_1.isNotBlank)(process.env.UA_URL)
-                ? new URL(process.env.UA_URL + '/logout')
-                : new URL('logout', config.url);
-        return {
-            ...config,
-            validateUrl,
-            logoutUrl
-        };
-    }
-    return {
-        ...config,
-        validateUrl: undefined,
-        logoutUrl: config.logoutUrl ? new URL(config.logoutUrl, config.url) : undefined
-    };
-}
-function init() {
-    hasInit = true;
-    if (process.env.JWT_TRUSTED_ISSUERS) {
-        const issuers = (0, txstate_utils_1.toArray)(JSON.parse(process.env.JWT_TRUSTED_ISSUERS));
-        for (const issuer of issuers) {
-            issuerConfig.set(issuer.iss, processIssuerConfig(issuer));
-            if (issuer.iss === 'unified-auth')
-                issuerKeys.set(issuer.iss, remoteJWKSet(issuer.url));
-            else if (issuer.url)
-                issuerKeys.set(issuer.iss, (0, jose_1.createRemoteJWKSet)(new URL(issuer.url)));
-            else if (issuer.publicKey)
-                issuerKeys.set(issuer.iss, (0, crypto_1.createPublicKey)(issuer.publicKey));
-            else if (issuer.secret)
-                issuerKeys.set(issuer.iss, (0, crypto_1.createSecretKey)(Buffer.from(issuer.secret, 'ascii')));
-        }
-    }
-    for (const clientId of (process.env.JWT_TRUSTED_CLIENTIDS?.split(',').filter(txstate_utils_1.isNotBlank).map(clientId => clientId.trim()) ?? [])) {
-        trustedClients.add(clientId);
-    }
+import { htmlEncode, isBlank, isNotBlank } from 'txstate-utils';
+import { getIssuerConfig, jwtAuthenticate, registeredExceptRoutes, registeredOptionalRoutes, uaCookieName } from "./jwt-auth.js";
+import { apiBaseUrl, uiBaseUrl } from "./server.js";
+function uaServiceUrl(req) {
+    return apiBaseUrl(req) + '/.uaService';
 }
-function tokenFromReq(req) {
-    const m = req?.headers.authorization?.match(/^bearer (.*)$/i);
-    if (m != null)
-        return m[1];
-    const m2 = req?.headers.cookie?.match(uaCookieNameRegex);
-    if (m2 != null)
-        return m2[1];
-}
-async function unifiedAuthenticateInternal(req) {
-    if (!hasInit)
-        init();
-    const token = tokenFromReq(req);
-    if (!token)
-        return undefined;
-    const payload = await tokenCache.get(token, req);
-    if (!payload)
-        return undefined;
-    await validateCache.get(token, payload);
-    req.token = token;
-    return {
-        token,
-        issuerConfig: payload.iss ? issuerConfig.get(payload.iss) : undefined,
-        username: payload.sub,
-        sessionId: payload.sub + '-' + payload.iat,
-        sessionCreatedAt: payload.iat ? new Date(payload.iat * 1000) : undefined,
-        clientId: payload.client_id,
-        impersonatedBy: payload.act?.sub,
-        scope: payload.scope
-    };
-}
-async function unifiedAuthenticate(req, options) {
-    const auth = await unifiedAuthenticateInternal(req);
-    if (options?.usingUaCookieRoutes) {
-        options.exceptRoutes ??= new Set();
-        options.exceptRoutes.add('/.uaService');
-        options.exceptRoutes.add('/.uaRedirect');
-        options.optionalRoutes ??= new Set();
-        options.optionalRoutes.add('/.uaLogout');
-    }
-    const isNoAuthenticationRoute = options?.exceptRoutes?.has(req.routeOptions.url);
-    const requiresAuthenticationRoute = options?.authenticateAll &&
-        !options?.exceptRoutes?.has(req.routeOptions.url) &&
-        !options?.optionalRoutes?.has(req.routeOptions.url);
-    if (requiresAuthenticationRoute && (0, txstate_utils_1.isBlank)(auth?.username)) {
-        throw new Error('Request requires authentication.');
-    }
-    return isNoAuthenticationRoute ? undefined : auth;
+/**
+ * @deprecated Use `jwtAuthenticate(options)` instead. Note the new shape: `jwtAuthenticate`
+ * is now a factory that takes options up front and returns the authenticator function
+ * (`authenticate: jwtAuthenticate({ authenticateAll: true })`), so the options actually
+ * take effect when wired into `new Server({ authenticate })`.
+ */
+export async function unifiedAuthenticate(req, options) {
+    return await jwtAuthenticate(options)(req);
 }
 /**
- * @deprecated Use unifiedAuthenticateWithOptions with { authenticateAll: true } instead.
+ * @deprecated Use `jwtAuthenticate({ authenticateAll: true })` instead.
  */
-async function unifiedAuthenticateAll(req) {
-    return (await unifiedAuthenticate(req, { authenticateAll: true }));
+export async function unifiedAuthenticateAll(req) {
+    return (await jwtAuthenticate({ authenticateAll: true })(req));
 }
 /**
  * This function is available for server-side view code instead of a client-side application
  * using a framework. It will automatically redirect the user to the Unified Auth login page
  * and return true if they are not authenticated. Otherwise it simply returns false.
  */
-async function requireCookieAuth(req, res) {
-    if ((0, txstate_utils_1.isBlank)(req.auth?.username)) {
+export async function requireCookieAuthUa(req, res) {
+    if (isBlank(req.auth?.username)) {
         const loginUrl = new URL(process.env.UA_URL + '/login');
-        loginUrl.searchParams.set('clientId', process.env.UA_CLIENTID);
-        loginUrl.searchParams.set('returnUrl', uaServiceUrl ?? new URL('/.uaService', req.url).toString());
+        loginUrl.searchParams.set('clientId', (process.env.UA_COOKIE_CLIENTID ?? process.env.UA_CLIENTID));
+        loginUrl.searchParams.set('returnUrl', uaServiceUrl(req));
         loginUrl.searchParams.set('requestedUrl', req.originalUrl);
         void res.redirect(loginUrl.toString());
         return true;
@@ -181,7 +37,16 @@ async function requireCookieAuth(req, res) {
         return false;
     }
 }
-function registerUaCookieRoutes(app) {
+/**
+ * @deprecated Use requireCookieAuthUa instead.
+ */
+export async function requireCookieAuth(req, res) {
+    return await requireCookieAuthUa(req, res);
+}
+export function registerUaCookieRoutes(app) {
+    registeredExceptRoutes.add('/.uaService');
+    registeredExceptRoutes.add('/.uaRedirect');
+    registeredOptionalRoutes.add('/.uaLogout');
     app.get('/.uaLogout', {
         schema: {
             headers: {
@@ -193,15 +58,15 @@ function registerUaCookieRoutes(app) {
             }
         }
     }, async (req, res) => {
-        const redirectUrl = req.auth?.issuerConfig?.logoutUrl && (0, txstate_utils_1.isNotBlank)(req.auth.token)
+        const redirectUrl = req.auth?.issuerConfig?.logoutUrl && isNotBlank(req.auth.token)
             ? `${req.auth.issuerConfig.logoutUrl.toString()}?unifiedJwt=${encodeURIComponent(req.auth.token)}`
-            : (process.env.PUBLIC_URL || new URL('..', req.url).toString());
+            : uiBaseUrl(req);
         void res.header('Set-Cookie', `${uaCookieName}=; Path=/; Secure; HttpOnly; SameSite=Lax; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
         return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
-  <meta http-equiv="refresh" content="0; url=${(0, txstate_utils_1.htmlEncode)(redirectUrl)}">
+  <meta http-equiv="refresh" content="0; url=${htmlEncode(redirectUrl)}">
   <title>Logging out...</title>
 </head>
 <body>
@@ -221,13 +86,18 @@ function registerUaCookieRoutes(app) {
             }
         }
     }, async (req, res) => {
+        const destination = req.query.requestedUrl ?? uiBaseUrl(req);
+        if (req.query.requestedUrl && req.originChecker && !req.originChecker.check(req.query.requestedUrl, req.hostname)) {
+            void res.status(403);
+            return 'Requested URL failed origin check.';
+        }
         void res.header('Set-Cookie', `${uaCookieName}=${req.query.unifiedJwt}; Path=/; Secure; HttpOnly; SameSite=Lax`);
         void res.type('text/html');
         return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
-  <meta http-equiv="refresh" content="0; url=${(0, txstate_utils_1.htmlEncode)(req.query.requestedUrl ?? (process.env.PUBLIC_URL || new URL('..', req.url).toString()))}">
+  <meta http-equiv="refresh" content="0; url=${htmlEncode(destination)}">
   <title>Logging in...</title>
 </head>
 <body>
@@ -252,14 +122,18 @@ function registerUaCookieRoutes(app) {
             }
         }
     }, async (req, res) => {
-        const loginUrl = (0, txstate_utils_1.isNotBlank)(process.env.UA_URL)
+        if (req.query.requestedUrl && req.originChecker && !req.originChecker.check(req.query.requestedUrl, req.hostname)) {
+            void res.status(403);
+            return 'Requested URL failed origin check.';
+        }
+        const loginUrl = isNotBlank(process.env.UA_URL)
             ? new URL(process.env.UA_URL + '/login')
-            : new URL('login', issuerConfig.get('unified-auth')?.url);
-        loginUrl.searchParams.set('clientId', process.env.UA_CLIENTID ?? process.env.JWT_TRUSTED_CLIENTIDS.split(',')[0]);
-        const returnUrl = uaServiceUrl ?? new URL('.uaService', req.protocol + '://' + req.hostname).toString();
+            : new URL('login', getIssuerConfig('unified-auth')?.url);
+        loginUrl.searchParams.set('clientId', process.env.UA_COOKIE_CLIENTID ?? process.env.UA_CLIENTID ?? process.env.JWT_TRUSTED_CLIENTIDS.split(',')[0]);
+        const returnUrl = uaServiceUrl(req);
         loginUrl.searchParams.set('returnUrl', returnUrl);
         if (req.query.requestedUrl)
             loginUrl.searchParams.set('requestedUrl', req.query.requestedUrl);
-        return res.redirect(loginUrl.toString());
+        return await res.redirect(loginUrl.toString());
     });
 }

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "fastify-txstate",
-  "version": "3.6.9",
+  "version": "4.0.1",
   "description": "A small wrapper for fastify providing a set of common conventions & utility functions we use.",
+  "type": "module",
   "exports": {
     ".": {
       "types": "./lib/index.d.ts",
-      "require": "./lib/index.js",
-      "import": "./lib-esm/index.js"
+      "import": "./lib/index.js"
     }
   },
   "types": "./lib/index.d.ts",
@@ -14,37 +14,37 @@
     "prepublishOnly": "npm run build",
     "build": "rm -rf lib && tsc",
     "test": "./test.sh",
-    "mocha": "TS_NODE_PROJECT=test/tsconfig.json mocha -r ts-node/register test/**/*.ts",
-    "testserver": "node -r ts-node/register --no-warnings testserver/index.ts"
+    "nodetest": "node --experimental-transform-types --no-warnings --test test/**/*.ts",
+    "testserver": "node --experimental-transform-types --no-warnings testserver/index.ts",
+    "lint": "eslint src test testserver"
   },
   "dependencies": {
-    "@elastic/elasticsearch": "^8.13.0",
-    "@fastify/swagger": "^8.14.0",
-    "@fastify/swagger-ui": "^3.0.0",
-    "@fastify/type-provider-json-schema-to-ts": "^3.0.0",
+    "@elastic/elasticsearch": "^9.0.0",
+    "@fastify/swagger": "^9.0.0",
+    "@fastify/swagger-ui": "^5.0.0",
+    "@fastify/type-provider-json-schema-to-ts": "^5.0.0",
     "@txstate-mws/fastify-shared": "^1.0.9",
-    "@types/ua-parser-js": ">=0.7.39",
+    "ajv": "^8.20.0",
     "ajv-errors": "^3.0.0",
     "ajv-formats": "^3.0.0",
-    "fastify": "^4.9.2",
-    "fastify-plugin": "^4.5.1",
+    "fastify": "^5.0.0",
     "http-status-codes": "^2.1.4",
-    "jose": "^5.0.0 || ^6.0.0",
+    "jose": "^6.0.0",
+    "openapi-types": "^12.1.3",
+    "pino": "^10.3.1",
     "txstate-utils": "^1.9.5",
-    "ua-parser-js": "^1.0.37"
+    "ua-parser-js": "^2.0.0"
   },
   "devDependencies": {
-    "@fastify/multipart": "^8.0.0",
-    "@types/chai": "^4.2.14",
-    "@types/mocha": "^10.0.0",
+    "@fastify/multipart": "^10.0.0",
+    "@stylistic/eslint-plugin": "^5.0.0",
+    "@types/chai": "^5.2.3",
     "@types/node": "^24.0.0",
-    "axios": "^1.6.8",
-    "chai": "^4.2.0",
-    "eslint-config-standard-with-typescript": "^43.0.0",
+    "axios": "^1.15.0",
+    "chai": "^6.0.0",
+    "eslint-config-love": "^154.0.0",
     "json-schema-to-ts": "^3.0.1",
-    "mocha": "^10.0.0",
-    "ts-node": "^10.2.1",
-    "typescript": "^5.0.4"
+    "typescript": "^6.0.0"
   },
   "repository": {
     "type": "git",
@@ -56,8 +56,10 @@
     "url": "https://github.com/txstate-etc/fastify-txstate/issues"
   },
   "homepage": "https://github.com/txstate-etc/fastify-txstate#readme",
+  "engines": {
+    "node": ">=20"
+  },
   "files": [
-    "lib/**/*",
-    "lib-esm/**/*"
+    "lib/**/*"
   ]
 }

package/lib-esm/index.js

@@ -1,20 +0,0 @@
-import ftxst from '../lib/index.js'
-
-export const devLogger = ftxst.devLogger
-export const prodLogger = ftxst.prodLogger
-export const HttpError = ftxst.HttpError
-export const FailedValidationError = ftxst.FailedValidationError
-export const ValidationError = ftxst.ValidationError
-export const ValidationErrors = ftxst.ValidationErrors
-export const unifiedAuthenticate = ftxst.unifiedAuthenticate
-export const unifiedAuthenticateAll = ftxst.unifiedAuthenticateAll
-export const registerUaCookieRoutes = ftxst.registerUaCookieRoutes
-export const analyticsPlugin = ftxst.analyticsPlugin
-export const AnalyticsClient = ftxst.AnalyticsClient
-export const LoggingAnalyticsClient = ftxst.LoggingAnalyticsClient
-export const ElasticAnalyticsClient = ftxst.ElasticAnalyticsClient
-export const postFormData = ftxst.postFormData
-export const readableToWebReadable = ftxst.readableToWebReadable
-export const FileSystemHandler = ftxst.FileSystemHandler
-export const fileHandler = ftxst.fileHandler
-export default ftxst.default

package/lib-esm/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "module"
-}