grannt 5.4.23

package/lib/config.js

@@ -0,0 +1,220 @@
+
+var crypto = require('crypto')
+
+var oauth = require('../config/oauth.json')
+var reserved = require('../config/reserved.json')
+var profile = require('../config/profile.json')
+
+
+var compose = (...fns) =>
+  fns.reduce((x, y) => (...args) => y(x(...args)))
+
+var dcopy = (obj) =>
+  JSON.parse(JSON.stringify(obj))
+
+var merge = (...args) =>
+  Object.assign(...args.filter(Boolean).map(dcopy))
+
+var filter = (obj) => Object.keys(obj)
+  .filter((key) =>
+    // empty string
+    obj[key] !== '' && (
+    // provider name
+    key === obj.name ||
+    // reserved key
+    reserved.includes(key)
+  ))
+  .reduce((all, key) => (all[key] = obj[key], all), {})
+
+var format = {
+
+  oauth: ({oauth}) =>
+    parseInt(oauth) || undefined
+  ,
+
+  key: ({oauth, key, consumer_key, client_id}) =>
+      oauth === 1
+    ? key || consumer_key
+
+    : oauth === 2
+    ? key || client_id
+
+    : undefined
+  ,
+
+  secret: ({oauth, secret, consumer_secret, client_secret}) =>
+      oauth === 1
+    ? secret || consumer_secret
+
+    : oauth === 2
+    ? secret || client_secret
+
+    : undefined
+  ,
+
+  scope: ({scope, scope_delimiter = ','}) =>
+      scope instanceof Array
+    ? scope.filter(Boolean).join(scope_delimiter) || undefined
+
+    : typeof scope === 'object'
+    ? JSON.stringify(scope)
+
+    : scope || undefined
+  ,
+
+  state: ({state}) =>
+    state || undefined
+  ,
+
+  nonce: ({nonce}) =>
+    nonce || undefined
+  ,
+
+  redirect_uri: ({redirect_uri, origin, prefix, protocol, host, name}) =>
+      redirect_uri
+    ? redirect_uri
+
+    : origin
+    ? `${origin}${prefix}/${name}/callback`
+
+    : protocol && host
+    ? `${protocol}://${host}${prefix}/${name}/callback`
+
+    : undefined
+  ,
+
+  custom_params: (provider) => {
+    var params = provider.custom_params || {}
+
+    // remove falsy
+    params = Object.keys(params)
+      .filter((key) => params[key])
+      .reduce((all, key) => (all[key] = params[key], all), {})
+
+    return Object.keys(params).length ? params : undefined
+  },
+
+  overrides: (provider) => {
+    var overrides = provider.overrides || {}
+    delete provider.overrides
+
+    // remove nested
+    Object.keys(overrides).forEach((name) => {
+      overrides[name] = Object.keys(overrides[name])
+        .filter((key) => key !== 'overrides')
+        .reduce((all, key) => (all[key] = overrides[name][key], all), {})
+    })
+
+    overrides = Object.keys(overrides)
+      .reduce((all, key) => (all[key] = init(provider, overrides[key]), all), {})
+
+    return Object.keys(overrides).length ? overrides : undefined
+  },
+
+}
+
+var state = (provider, key = 'state', value = provider[key]) =>
+    value === true || value === 'true'
+  ? crypto.randomBytes(20).toString('hex')
+
+  : value === 'false'
+  ? undefined
+
+  : /string|number/.test(typeof value)
+  ? value.toString()
+
+  : undefined
+
+var pkce = (code_verifier = crypto.randomBytes(40).toString('hex')) => ({
+  code_verifier,
+  code_challenge: crypto.createHash('sha256')
+    .update(code_verifier).digest().toString('base64')
+    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')
+})
+
+var transform = (provider) => {
+
+  Object.keys(format)
+    .forEach((key) => provider[key] = format[key](provider))
+
+  // filter undefined
+  return dcopy(provider)
+}
+
+var init = compose(merge, filter, transform)
+
+var compat = (config) =>
+  config.fitbit2 ? (Object.assign({}, config, {fitbit2: Object.assign({}, oauth.fitbit, profile.fitbit, config.fitbit2)})) :
+  config.linkedin2 ? (Object.assign({}, config, {linkedin2: Object.assign({}, oauth.linkedin, profile.linkedin, config.linkedin2)})) :
+  config.zeit ? (Object.assign({}, config, {zeit: Object.assign({}, oauth.vercel, profile.vercel, config.zeit)})) :
+  config
+
+var defaults = ({path, prefix = '/connect', ...rest} = {}) => ({
+  ...rest,
+  prefix: path ? `${path}${prefix}` : prefix
+})
+
+// init all configured providers
+var ctor = ((_defaults) => (config = {}, defaults = _defaults(config.defaults)) =>
+  Object.keys(compat(config))
+    .filter((name) => !/defaults/.test(name))
+    .reduce((all, name) => (
+      all[name] = init(oauth[name], profile[name], defaults, config[name], {name, [name]: true}),
+      all
+    ), {defaults})
+)(defaults)
+
+// get provider on connect
+var provider = (config, session, _state = {}) => {
+  var name = session.provider
+  var provider = config[name]
+
+  if (!provider) {
+    if ((config.defaults || {}).dynamic !== true) {
+      return {}
+    }
+    provider = init(oauth[name], profile[name], config.defaults, {name, [name]: true})
+  }
+
+  if (session.override && provider.overrides) {
+    var override = provider.overrides[session.override]
+    if (override) {
+      provider = override
+    }
+  }
+
+  if ((session.dynamic && provider.dynamic) || _state.dynamic) {
+    var dynamic = Object.assign(
+      {},
+      _state.dynamic,
+      provider.dynamic === true
+        ? session.dynamic
+        : Object.keys(session.dynamic || {})
+            .filter((key) => provider.dynamic.includes(key))
+            .reduce((all, key) => (all[key] = session.dynamic[key], all), {})
+    )
+    provider = init(provider, dynamic)
+  }
+
+  if (provider.state) {
+    provider = dcopy(provider)
+    provider.state = state(provider)
+  }
+  if (provider.nonce) {
+    provider = dcopy(provider)
+    provider.nonce = state(provider, 'nonce')
+  }
+  if (provider.pkce) {
+    provider = dcopy(provider)
+    ;({
+      code_verifier: provider.code_verifier,
+      code_challenge: provider.code_challenge
+    } = pkce())
+  }
+
+  return provider
+}
+
+module.exports = Object.assign(ctor, {
+  compose, dcopy, merge, filter, format, state, pkce, transform, init, defaults, compat, provider
+})

package/lib/flow/oauth1.js

@@ -0,0 +1,145 @@
+
+var qs = require('qs')
+var request = require('../client')
+
+
+exports.request = ({request:client}) => async ({provider, input}) => {
+  var options = {
+    method: 'POST',
+    url: provider.request_url,
+    oauth: {
+      callback: provider.redirect_uri,
+      consumer_key: provider.key,
+      consumer_secret: provider.secret
+    }
+  }
+  if (provider.private_key) {
+    options.oauth.signature_method = 'RSA-SHA1'
+    options.oauth.private_key = provider.private_key
+    delete options.oauth.consumer_secret
+  }
+  if (provider.etsy || provider.linkedin) {
+    options.qs = {scope: provider.scope}
+  }
+  if (provider.getpocket) {
+    delete options.oauth
+    options.headers = {
+      'x-accept': 'application/x-www-form-urlencoded'
+    }
+    options.form = {
+      consumer_key: provider.key,
+      redirect_uri: provider.redirect_uri,
+      state: provider.state
+    }
+  }
+  if (provider.freshbooks) {
+    options.oauth.signature_method = 'PLAINTEXT'
+  }
+  if (provider.twitter) {
+    if (provider.scope) {
+      options.qs = {x_auth_access_type: [].concat(provider.scope).join()}
+    }
+    if (provider.custom_params) {
+      options.qs = {x_auth_access_type: provider.custom_params.x_auth_access_type}
+    }
+  }
+  if (provider.subdomain) {
+    options.url = options.url.replace('[subdomain]', provider.subdomain)
+  }
+  try {
+    var {body:output} = await request({...client, ...options})
+    if (provider.sellsy) {
+      output = qs.parse(output)
+    }
+  }
+  catch (err) {
+    var output = {error: err.body || err.message}
+  }
+  return {provider, input, output}
+}
+
+exports.authorize = async ({provider, input, output}) => {
+  if (!output.oauth_token && !output.code) {
+    output = Object.keys(output).length
+      ? output : {error: 'Grant: OAuth1 missing oauth_token parameter'}
+    return {provider, input, output}
+  }
+  var url = provider.authorize_url
+  var params = {
+    oauth_token: output.oauth_token
+  }
+  if (provider.custom_params) {
+    for (var key in provider.custom_params) {
+      params[key] = provider.custom_params[key]
+    }
+  }
+  if (provider.flickr && provider.scope) {
+    params.perms = provider.scope
+  }
+  if (provider.getpocket) {
+    params = {
+      request_token: output.code,
+      redirect_uri: provider.redirect_uri
+    }
+  }
+  if (provider.ravelry || provider.trello) {
+    params.scope = provider.scope
+  }
+  if (provider.tripit) {
+    params.oauth_callback = provider.redirect_uri
+  }
+  if (provider.subdomain) {
+    url = url.replace('[subdomain]', provider.subdomain)
+  }
+  return {provider, input, output: `${url}?${qs.stringify(params)}`}
+}
+
+exports.access = ({request:client}) => async ({provider, input, input:{session, query}}) => {
+  if (!query.oauth_token && !session.request.code) {
+    var output = Object.keys(query).length
+      ? query : {error: 'Grant: OAuth1 missing oauth_token parameter'}
+    return {provider, input, output}
+  }
+  var options = {
+    method: 'POST',
+    url: provider.access_url,
+    oauth: {
+      consumer_key: provider.key,
+      consumer_secret: provider.secret,
+      token: query.oauth_token,
+      token_secret: session.request.oauth_token_secret,
+      verifier: query.oauth_verifier
+    }
+  }
+  if (provider.private_key) {
+    options.oauth.signature_method = 'RSA-SHA1'
+    options.oauth.private_key = provider.private_key
+    delete options.oauth.consumer_secret
+  }
+  if (provider.freshbooks) {
+    options.oauth.signature_method = 'PLAINTEXT'
+  }
+  if (provider.getpocket) {
+    delete options.oauth
+    options.headers = {
+      'x-accept': 'application/x-www-form-urlencoded'
+    }
+    options.form = {
+      consumer_key: provider.key,
+      code: session.request.code
+    }
+  }
+  if (provider.goodreads || provider.tripit) {
+    delete options.oauth.verifier
+  }
+  if (provider.subdomain) {
+    options.url = options.url.replace('[subdomain]', provider.subdomain)
+  }
+  try {
+    var {body:output} = await request({...client, ...options})
+  }
+  catch (err) {
+    var output = {error: err.body || err.message}
+  }
+  return {provider, input, output}
+}

package/lib/flow/oauth2.js

@@ -0,0 +1,220 @@
+
+var crypto = require('crypto')
+var qs = require('qs')
+var request = require('../client')
+
+
+exports.authorize = async ({provider, input}) => {
+  var url = provider.authorize_url
+  var params = {
+    client_id: provider.key,
+    response_type: 'code',
+    redirect_uri: provider.redirect_uri,
+    scope: provider.scope,
+    state: provider.state,
+    nonce: provider.nonce
+  }
+  if (provider.pkce) {
+    params.code_challenge_method = 'S256'
+    params.code_challenge = provider.code_challenge
+  }
+  if (provider.custom_params) {
+    for (var key in provider.custom_params) {
+      params[key] = provider.custom_params[key]
+    }
+  }
+  if (provider.basecamp) {
+    params.type = 'web_server'
+  }
+  if (provider.freelancer && params.scope) {
+    params.advanced_scopes = params.scope
+    delete params.scope
+  }
+  if (provider.instagram && /^\d+$/.test(provider.key)) {
+    params.app_id = params.client_id
+    delete params.client_id
+    params.scope = (params.scope || '').replace(/ /g, ',') || undefined
+  }
+  if (provider.optimizely && params.scope) {
+    params.scopes = params.scope
+    delete params.scope
+  }
+  if (provider.tiktok) {
+    params.client_key = params.client_id
+    delete params.client_id
+  }
+  if (provider.visualstudio) {
+    params.response_type = 'Assertion'
+  }
+  if (provider.wechat) {
+    params.appid = params.client_id
+    delete params.client_id
+  }
+  if (provider.subdomain) {
+    url = url.replace('[subdomain]', provider.subdomain)
+  }
+  var querystring = qs.stringify(params)
+  if (provider.unsplash && params.scope) {
+    var scope = params.scope
+    delete params.scope
+    querystring = qs.stringify(params) + '&scope=' + scope
+  }
+  return {provider, input, output: `${url}?${querystring}`}
+}
+
+exports.access = ({request:client}) => async ({provider, input, input:{query, body, session}}) => {
+  query = Object.keys(query).length ? query : body
+  if (!query.code) {
+    var output = Object.keys(query).length
+      ? query : {error: 'Grant: OAuth2 missing code parameter'}
+    return {provider, input, output}
+  }
+  else if (session.state && (query.state !== session.state)) {
+    var output = {error: 'Grant: OAuth2 state mismatch'}
+    return {provider, input, output}
+  }
+  var options = {
+    method: 'POST',
+    url: provider.access_url,
+    form: {
+      grant_type: 'authorization_code',
+      code: query.code,
+      client_id: provider.key,
+      client_secret: provider.secret,
+      redirect_uri: provider.redirect_uri
+    }
+  }
+  if (provider.pkce) {
+    options.form.code_verifier = session.code_verifier
+  }
+  if (provider.basecamp) {
+    options.form.type = 'web_server'
+  }
+  if (provider.concur) {
+    delete options.form
+    options.qs = {
+      code: query.code,
+      client_id: provider.key,
+      client_secret: provider.secret
+    }
+  }
+  if (/autodesk|ebay|fitbit|homeaway|hootsuite|notion|reddit|trustpilot/.test(provider.name)
+    || provider.token_endpoint_auth_method === 'client_secret_basic'
+  ) {
+    delete options.form.client_id
+    delete options.form.client_secret
+    options.auth = {user: provider.key, pass: provider.secret}
+  }
+  if (/twitter/.test(provider.name)) {
+    options.form.client_id = provider.key
+    delete options.form.client_secret
+    options.auth = {user: provider.key, pass: provider.secret}
+  }
+  if (provider.token_endpoint_auth_method === 'private_key_jwt') {
+    var jwt = ({kid, x5t, secret}) => ({
+      header: {
+        typ: 'JWT',
+        alg: provider.token_endpoint_auth_signing_alg || 'RS256',
+        kid,
+        x5t
+      },
+      payload: {
+        iss: provider.key,
+        sub: provider.key,
+        aud: provider.access_url,
+        jti: crypto.randomBytes(20).toString('hex'),
+        exp: Math.round(Date.now() / 1000) + 300,
+        iat: Math.round(Date.now() / 1000) - 120,
+        nbf: Math.round(Date.now() / 1000) - 120
+      },
+      secret
+    })
+
+    var assertion = (() => {
+      var oidc = require('../oidc')
+      var {public_key, private_key} = provider
+      return oidc.sign(jwt({
+        kid: private_key.kty ? oidc.kid(private_key) : undefined,
+        x5t: public_key ? public_key.kty ? public_key.x5t : oidc.x5t(public_key) : undefined,
+        secret: private_key.kty ? oidc.pem(private_key) : private_key,
+      }))
+    })()
+
+    options.form.client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+    options.form.client_assertion = assertion
+    delete options.form.client_id
+    delete options.form.client_secret
+  }
+  if (provider.instagram && /^\d+$/.test(provider.key)) {
+    options.form.app_id = options.form.client_id
+    delete options.form.client_id
+    options.form.app_secret = options.form.client_secret
+    delete options.form.client_secret
+  }
+  if (provider.notion) {
+    options.json = options.form
+    delete options.form
+  }
+  if (provider.tiktok) {
+    options.form.client_key = options.form.client_id
+    delete options.form.client_id
+  }
+  if (provider.qq) {
+    options.method = 'GET'
+    options.qs = options.form
+    delete options.form
+  }
+  if (provider.untappd) {
+    options.method = 'GET'
+    options.qs = options.form
+    delete options.qs.grant_type
+    options.qs.response_type = 'code'
+    delete options.form
+  }
+  if (provider.wechat) {
+    options.method = 'GET'
+    options.qs = options.form
+    delete options.form
+    options.qs.appid = options.qs.client_id
+    options.qs.secret = options.qs.client_secret
+    delete options.qs.client_id
+    delete options.qs.client_secret
+  }
+  if (provider.smartsheet) {
+    delete options.form.client_secret
+    var hash = crypto.createHash('sha256')
+    hash.update(provider.secret + '|' + query.code)
+    options.form.hash = hash.digest('hex')
+  }
+  if (provider.surveymonkey) {
+    options.qs = {api_key: provider.custom_params.api_key}
+  }
+  if (provider.visualstudio) {
+    options.form = {
+      client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+      client_assertion: provider.secret,
+      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+      assertion: query.code,
+      redirect_uri: provider.redirect_uri
+    }
+  }
+  if (provider.withings) {
+    options.form.action = 'requesttoken'
+  }
+  if (provider.subdomain) {
+    options.url = options.url.replace('[subdomain]', provider.subdomain)
+  }
+  try {
+    var {body:output} = await request({...client, ...options})
+    if (provider.intuit) {
+      output.realmId = query.realmId
+    }
+    if (provider.withings) {
+      output = output.body
+    }
+  }
+  catch (err) {
+    var output = {error: err.body || err.message}
+  }
+  return {provider, input, output}
+}

package/lib/grant.js

@@ -0,0 +1,31 @@
+
+var {compose} = require('./util')
+var {defaults, connect, callback} = require('./request')
+var {data, transport} = require('./response')
+var _config = require('./config')
+
+
+module.exports = ({config, request, state, extend}) => {
+  config = _config(config)
+
+  if (!extend) {
+    extend = [require('./profile')]
+  }
+
+  var pipe = compose(
+    defaults(config),
+
+    ({provider, input, input:{params}}) => params.override !== 'callback'
+      ? connect({request})({provider, input})
+      : compose(
+          callback({request})({provider, input}),
+          data,
+          extend ? compose(...extend.map((fn) => fn({request, state}))) : (args) => ({...args})
+        )({provider, input}),
+
+    transport,
+  )
+
+  pipe.config = config
+  return pipe
+}

package/lib/handler/aws.js

@@ -0,0 +1,89 @@
+
+var qs = require('qs')
+var Grant = require('../grant')
+var Session = require('../session')
+
+
+module.exports = function (args = {}) {
+  var grant = Grant(args.config ? args : {config: args})
+  app.config = grant.config
+
+  var regex = new RegExp([
+    '^',
+    app.config.defaults.prefix,
+    /(?:\/([^\/\?]+?))/.source, // /:provider
+    /(?:\/([^\/\?]+?))?/.source, // /:override?
+    /(?:\/$|\/?\?+.*)?$/.source, // querystring
+  ].join(''), 'i')
+
+  var store = Session(args.session)
+
+  async function app (event, state) {
+    var req = params(event)
+    var session = store(req)
+    var match = regex.exec(req.path)
+    if (!match) {
+      return {session}
+    }
+
+    var {location, session:sess, state} = await grant({
+      method: req.method,
+      params: {provider: match[1], override: match[2]},
+      query: req.query,
+      body: req.body,
+      state,
+      session: (await session.get()).grant
+    })
+
+    await session.set({grant: sess})
+
+    return location
+      ? {session, redirect: redirect(event, location, session)}
+      : {session, response: state.response || sess.response}
+  }
+
+  return app
+}
+
+var path = ({version, path, rawPath, requestContext:ctx} = event) =>
+  version === '2.0' ? rawPath :
+  version === '1.0' ? path : ctx.path
+
+var body = ({body, isBase64Encoded} = event) =>
+  body
+    ? isBase64Encoded ? Buffer.from(body, 'base64').toString()
+    : body : {}
+
+var params = (event) =>
+  !event.version || event.version === '1.0' ?
+    {
+      method: event.httpMethod,
+      path: path(event),
+      query: qs.parse(event.queryStringParameters),
+      headers: event.headers,
+      body: qs.parse(body(event)),
+    }
+  : event.version === '2.0' ?
+    {
+      method: event.requestContext.http.method,
+      path: path(event),
+      query: qs.parse(event.rawQueryString),
+      headers: {...event.headers, Cookie: (event.cookies || []).join('; ')},
+      body: qs.parse(body(event)),
+    }
+  : {}
+
+var redirect = (event, location, session) =>
+  !event.version || event.version === '1.0' ?
+  {
+    statusCode: 302,
+    headers: {location},
+    multiValueHeaders: {'set-cookie': session.headers['set-cookie']}
+  }
+  : event.version === '2.0' ?
+  {
+    statusCode: 302,
+    headers: {location},
+    cookies: session.headers['set-cookie']
+  }
+  : {}