openid-client 4.2.3 → 4.4.2

package/CHANGELOG.md

@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.4.2](https://github.com/panva/node-openid-client/compare/v4.4.1...v4.4.2) (2021-03-07)
+
+
+### Bug Fixes
+
+* resolve discovery URIs one by one to yield consistent results ([6b18218](https://github.com/panva/node-openid-client/commit/6b18218cfa098195ec8442086221a88fa6aef654)), closes [#260](https://github.com/panva/node-openid-client/issues/260) [#267](https://github.com/panva/node-openid-client/issues/267)
+
+## [4.4.1](https://github.com/panva/node-openid-client/compare/v4.4.0...v4.4.1) (2021-02-26)
+
+
+### Bug Fixes
+
+* hide AggregateError message stack ([3011cca](https://github.com/panva/node-openid-client/commit/3011ccabc63e670adcee432b6565d10b55554865)), closes [#336](https://github.com/panva/node-openid-client/issues/336)
+
+## [4.4.0](https://github.com/panva/node-openid-client/compare/v4.3.0...v4.4.0) (2021-01-29)
+
+
+### Features
+
+* allow options.https.pfx for mTSL ([075cad7](https://github.com/panva/node-openid-client/commit/075cad73a28d825128e6c92d44e7dba556b6a6f4)), closes [#326](https://github.com/panva/node-openid-client/issues/326)
+
+## [4.3.0](https://github.com/panva/node-openid-client/compare/v4.2.3...v4.3.0) (2021-01-22)
+
+
+### Features
+
+* **typescript:** add userinfo response generics ([b176b2f](https://github.com/panva/node-openid-client/commit/b176b2f9161be77082c520ab532c237380abda22))
+
 ## [4.2.3](https://github.com/panva/node-openid-client/compare/v4.2.2...v4.2.3) (2021-01-18)
 
 

package/lib/helpers/request.js

@@ -44,7 +44,7 @@ module.exports = async function request(options, { mTLS = false, DPoP } = {}) {
     mTLS
     && (
       (!opts.key || !opts.cert)
-      && (!opts.https || !opts.https.key || !opts.https.certificate)
+      && (!opts.https || !((opts.https.key && opts.https.certificate) || opts.https.pfx))
     )
   ) {
     throw new TypeError('mutual-TLS certificate and key not set');

package/lib/issuer.js

@@ -3,8 +3,8 @@
 const { inspect } = require('util');
 const url = require('url');
 
+const AggregateError = require('aggregate-error');
 const jose = require('jose');
-const pAny = require('p-any');
 const LRU = require('lru-cache');
 const objectHash = require('object-hash');
 
@@ -240,34 +240,46 @@ class Issuer {
       });
     }
 
-    const uris = [];
-    if (parsed.pathname === '/') {
-      uris.push(`${OAUTH2_DISCOVERY}`);
+    const pathnames = [];
+    if (parsed.pathname.endsWith('/')) {
+      pathnames.push(`${parsed.pathname}${OIDC_DISCOVERY.substring(1)}`);
     } else {
-      uris.push(`${OAUTH2_DISCOVERY}${parsed.pathname}`);
+      pathnames.push(`${parsed.pathname}${OIDC_DISCOVERY}`);
     }
-    if (parsed.pathname.endsWith('/')) {
-      uris.push(`${parsed.pathname}${OIDC_DISCOVERY.substring(1)}`);
+    if (parsed.pathname === '/') {
+      pathnames.push(`${OAUTH2_DISCOVERY}`);
     } else {
-      uris.push(`${parsed.pathname}${OIDC_DISCOVERY}`);
+      pathnames.push(`${OAUTH2_DISCOVERY}${parsed.pathname}`);
     }
 
-    return pAny(uris.map(async (pathname) => {
-      const wellKnownUri = url.format({ ...parsed, pathname });
-      const response = await request.call(this, {
-        method: 'GET',
-        responseType: 'json',
-        url: wellKnownUri,
-      });
-      const body = processResponse(response);
-      return new Issuer({
-        ...ISSUER_DEFAULTS,
-        ...body,
-        [AAD_MULTITENANT]: !!AAD_MULTITENANT_DISCOVERY.find(
-          (discoveryURL) => wellKnownUri.startsWith(discoveryURL),
-        ),
-      });
-    }));
+    const errors = [];
+    // eslint-disable-next-line no-restricted-syntax
+    for (const pathname of pathnames) {
+      try {
+        const wellKnownUri = url.format({ ...parsed, pathname });
+        // eslint-disable-next-line no-await-in-loop
+        const response = await request.call(this, {
+          method: 'GET',
+          responseType: 'json',
+          url: wellKnownUri,
+        });
+        const body = processResponse(response);
+        return new Issuer({
+          ...ISSUER_DEFAULTS,
+          ...body,
+          [AAD_MULTITENANT]: !!AAD_MULTITENANT_DISCOVERY.find(
+            (discoveryURL) => wellKnownUri.startsWith(discoveryURL),
+          ),
+        });
+      } catch (err) {
+        errors.push(err);
+      }
+    }
+
+    const err = new AggregateError(errors);
+    err.message = `Issuer.discover() failed.${err.message.split('\n')
+      .filter((line) => !line.startsWith('        at')).join('\n')}`;
+    throw err;
   }
 
   /* istanbul ignore next */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openid-client",
-  "version": "4.2.3",
+  "version": "4.4.2",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
   "keywords": [
     "auth",
@@ -63,13 +63,13 @@
     ]
   },
   "dependencies": {
+    "aggregate-error": "^3.1.0",
     "got": "^11.8.0",
     "jose": "^2.0.4",
     "lru-cache": "^6.0.0",
     "make-error": "^1.3.6",
     "object-hash": "^2.0.1",
-    "oidc-token-hash": "^5.0.1",
-    "p-any": "^3.0.0"
+    "oidc-token-hash": "^5.0.1"
   },
   "devDependencies": {
     "@commitlint/cli": "^11.0.0",

package/types/index.d.ts

@@ -4,19 +4,28 @@
 /**
  * @see https://github.com/panva/node-openid-client/blob/master/docs/README.md
  */
-import * as http from 'http';
-import * as http2 from 'http2';
+import * as http from "http";
+import * as http2 from "http2";
 
-import { Options as GotOptions, CancelableRequest, Response } from 'got';
-import { URL } from 'url';
-import * as jose from 'jose';
-import * as crypto from 'crypto';
+import { Options as GotOptions, CancelableRequest, Response } from "got";
+import { URL } from "url";
+import * as jose from "jose";
+import * as crypto from "crypto";
 
 export type HttpOptions = GotOptions;
 export type RetryFunction = (retry: number, error: Error) => number;
 export type CustomHttpOptionsProvider = (options: HttpOptions) => HttpOptions;
-export type TokenTypeHint = 'access_token' | 'refresh_token' | string;
-export type DPoPInput = crypto.KeyObject | crypto.PrivateKeyInput | jose.JWKRSAKey | jose.JWKECKey | jose.JWKOKPKey;
+export type TokenTypeHint = "access_token" | "refresh_token" | string;
+export type DPoPInput =
+  | crypto.KeyObject
+  | crypto.PrivateKeyInput
+  | jose.JWKRSAKey
+  | jose.JWKECKey
+  | jose.JWKOKPKey;
+
+interface UnknownObject {
+  [key: string]: unknown;
+}
 
 /**
  * @see https://github.com/panva/node-openid-client/blob/master/lib/index.js
@@ -30,11 +39,25 @@ export const custom: {
 /**
  * @see https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
  */
-export type ResponseType = 'code' | 'id_token' | 'code id_token' | 'id_token token' | 'code token' | 'code id_token token' | 'none';
+export type ResponseType =
+  | "code"
+  | "id_token"
+  | "code id_token"
+  | "id_token token"
+  | "code token"
+  | "code id_token token"
+  | "none";
 /**
  * @see https://github.com/panva/node-openid-client/blob/master/docs/README.md#client-authentication-methods
  */
-export type ClientAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'client_secret_jwt' | 'private_key_jwt' | 'tls_client_auth' | 'self_signed_tls_client_auth' | 'none';
+export type ClientAuthMethod =
+  | "client_secret_basic"
+  | "client_secret_post"
+  | "client_secret_jwt"
+  | "private_key_jwt"
+  | "tls_client_auth"
+  | "self_signed_tls_client_auth"
+  | "none";
 
 /**
  * @see https://github.com/panva/node-openid-client/blob/master/docs/README.md#new-clientmetadata-jwks
@@ -84,14 +107,16 @@ export interface ClaimsParameterMember {
 export interface AuthorizationParameters {
   acr_values?: string;
   audience?: string;
-  claims?: string | {
-    id_token?: {
-      [key: string]: null | ClaimsParameterMember
-    }
-    userinfo?: {
-      [key: string]: null | ClaimsParameterMember
-    }
-  };
+  claims?:
+    | string
+    | {
+        id_token?: {
+          [key: string]: null | ClaimsParameterMember;
+        };
+        userinfo?: {
+          [key: string]: null | ClaimsParameterMember;
+        };
+      };
   claims_locales?: string;
   client_id?: string;
   code_challenge_method?: string;
@@ -299,38 +324,45 @@ export interface DeviceAuthorizationExtras {
   DPoP?: DPoPInput;
 }
 
-export interface UserinfoResponse {
-  sub: string;
-  name?: string;
-  given_name?: string;
-  family_name?: string;
-  middle_name?: string;
-  nickname?: string;
-  preferred_username?: string;
-  profile?: string;
-  picture?: string;
-  website?: string;
-  email?: string;
-  email_verified?: boolean;
-  gender?: string;
-  birthdate?: string;
-  zoneinfo?: string;
-  locale?: string;
-  phone_number?: string;
-  updated_at?: number;
-  address?: {
+export type Address<ExtendedAddress extends {} = UnknownObject> = Override<
+  {
     formatted?: string;
     street_address?: string;
     locality?: string;
     region?: string;
     postal_code?: string;
     country?: string;
-
-    [key: string]: unknown;
-  };
-
-  [key: string]: unknown;
-}
+  },
+  ExtendedAddress
+>;
+
+export type UserinfoResponse<
+  UserInfo extends {} = UnknownObject,
+  ExtendedAddress extends {} = UnknownObject
+> = Override<
+  {
+    sub: string;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    middle_name?: string;
+    nickname?: string;
+    preferred_username?: string;
+    profile?: string;
+    picture?: string;
+    website?: string;
+    email?: string;
+    email_verified?: boolean;
+    gender?: string;
+    birthdate?: string;
+    zoneinfo?: string;
+    locale?: string;
+    phone_number?: string;
+    updated_at?: number;
+    address?: Address<ExtendedAddress>;
+  },
+  UserInfo
+>;
 
 export interface IntrospectionResponse {
   active: boolean;
@@ -345,7 +377,7 @@ export interface IntrospectionResponse {
   scope: string;
   token_type?: string;
   cnf?: {
-    'x5t#S256'?: string;
+    "x5t#S256"?: string;
 
     [key: string]: unknown;
   };
@@ -363,7 +395,11 @@ export interface ClientOptions {
  * consuming callbacks, triggering token endpoint grants, revoking and introspecting tokens.
  */
 export class Client {
-  constructor(metadata: ClientMetadata, jwks?: jose.JSONWebKeySet, options?: ClientOptions);
+  constructor(
+    metadata: ClientMetadata,
+    jwks?: jose.JSONWebKeySet,
+    options?: ClientOptions
+  );
   [custom.http_options]: CustomHttpOptionsProvider;
   [custom.clock_tolerance]: number;
   metadata: ClientMetadata;
@@ -392,7 +428,9 @@ export class Client {
    * an object. Note: the request read stream will not be parsed, it is expected that you will have a body parser
    * prior to calling this method. This parser would set the req.body property
    */
-  callbackParams(input: string | http.IncomingMessage | http2.Http2ServerRequest): CallbackParamsType;
+  callbackParams(
+    input: string | http.IncomingMessage | http2.Http2ServerRequest
+  ): CallbackParamsType;
 
   /**
    * Performs the callback for Authorization Server's authorization response.
@@ -401,7 +439,12 @@ export class Client {
    * @param checks checks to perform on the Authorization Response
    * @param extras add extra parameters to the Token Endpoint Request and/or Client Authentication JWT Assertion
    */
-  callback(redirectUri: string | undefined, parameters: CallbackParamsType, checks?: OpenIDCallbackChecks, extras?: CallbackExtras): Promise<TokenSet>;
+  callback(
+    redirectUri: string | undefined,
+    parameters: CallbackParamsType,
+    checks?: OpenIDCallbackChecks,
+    extras?: CallbackExtras
+  ): Promise<TokenSet>;
 
   /**
    * Pure OAuth 2.0 version of callback().
@@ -410,7 +453,12 @@ export class Client {
    * @param checks checks to perform on the Authorization Response
    * @param extras add extra parameters to the Token Endpoint Request and/or Client Authentication JWT Assertion
    */
-  oauthCallback(redirectUri: string | undefined, parameters: CallbackParamsType, checks?: OAuthCallbackChecks, extras?: CallbackExtras): Promise<TokenSet>;
+  oauthCallback(
+    redirectUri: string | undefined,
+    parameters: CallbackParamsType,
+    checks?: OAuthCallbackChecks,
+    extras?: CallbackExtras
+  ): Promise<TokenSet>;
 
   /**
    * Performs refresh_token grant type exchange.
@@ -418,7 +466,10 @@ export class Client {
    * will be used automatically.
    * @param extras Add extra parameters to the Token Endpoint Request and/or Client Authentication JWT Assertion
    */
-  refresh(refreshToken: TokenSet | string, extras?: RefreshExtras): Promise<TokenSet>;
+  refresh(
+    refreshToken: TokenSet | string,
+    extras?: RefreshExtras
+  ): Promise<TokenSet>;
 
   /**
    * Fetches the OIDC userinfo response with the provided Access Token. Also handles signed and/or
@@ -429,7 +480,19 @@ export class Client {
    * will be used automatically.
    * @param options Options for the UserInfo request.
    */
-  userinfo(accessToken: TokenSet | string, options?: { method?: 'GET' | 'POST', via?: 'header' | 'body' | 'query', tokenType?: string, params?: object, DPoP?: DPoPInput }): Promise<UserinfoResponse>;
+  userinfo<
+    TUserInfo extends {} = UnknownObject,
+    TAddress extends {} = UnknownObject
+  >(
+    accessToken: TokenSet | string,
+    options?: {
+      method?: "GET" | "POST";
+      via?: "header" | "body" | "query";
+      tokenType?: string;
+      params?: object;
+      DPoP?: DPoPInput;
+    }
+  ): Promise<UserinfoResponse<TUserInfo, TAddress>>;
 
   /**
    * Fetches an arbitrary resource with the provided Access Token in an Authorization header.
@@ -439,13 +502,17 @@ export class Client {
    * will be used automatically.
    * @param options Options for the request.
    */
-  requestResource(resourceUrl: string | URL, accessToken: TokenSet | string, options?: {
-    headers?: object
-    body?: string | Buffer
-    method?: 'GET' | 'POST' | 'PUT' | 'HEAD' | 'DELETE' | 'OPTIONS' | 'TRACE'
-    tokenType?: string
-    DPoP?: DPoPInput
-  }): CancelableRequest<Response<Buffer>>;
+  requestResource(
+    resourceUrl: string | URL,
+    accessToken: TokenSet | string,
+    options?: {
+      headers?: object;
+      body?: string | Buffer;
+      method?: "GET" | "POST" | "PUT" | "HEAD" | "DELETE" | "OPTIONS" | "TRACE";
+      tokenType?: string;
+      DPoP?: DPoPInput;
+    }
+  ): CancelableRequest<Response<Buffer>>;
 
   /**
    * Performs an arbitrary grant_type exchange at the token_endpoint.
@@ -455,12 +522,20 @@ export class Client {
   /**
    * Introspects a token at the Authorization Server's introspection_endpoint.
    */
-  introspect(token: string, tokenTypeHint?: TokenTypeHint, extras?: IntrospectExtras): Promise<IntrospectionResponse>;
+  introspect(
+    token: string,
+    tokenTypeHint?: TokenTypeHint,
+    extras?: IntrospectExtras
+  ): Promise<IntrospectionResponse>;
 
   /**
    * Revokes a token at the Authorization Server's revocation_endpoint.
    */
-  revoke(token: string, tokenTypeHint?: TokenTypeHint, extras?: RevokeExtras): Promise<undefined>;
+  revoke(
+    token: string,
+    tokenTypeHint?: TokenTypeHint,
+    extras?: RevokeExtras
+  ): Promise<undefined>;
 
   /**
    * Creates a signed and optionally encrypted Request Object to send to the AS. Uses the client's
@@ -473,15 +548,27 @@ export class Client {
    * Starts a Device Authorization Request at the issuer's device_authorization_endpoint and returns a handle
    * for subsequent Device Access Token Request polling.
    */
-  deviceAuthorization(parameters?: DeviceAuthorizationParameters, extras?: DeviceAuthorizationExtras): Promise<DeviceFlowHandle<Client>>;
-  static register(metadata: object, other?: RegisterOther & ClientOptions): Promise<Client>;
-  static fromUri(registrationClientUri: string, registrationAccessToken: string, jwks?: jose.JSONWebKeySet, clientOptions?: ClientOptions): Promise<Client>;
+  deviceAuthorization(
+    parameters?: DeviceAuthorizationParameters,
+    extras?: DeviceAuthorizationExtras
+  ): Promise<DeviceFlowHandle<Client>>;
+  static register(
+    metadata: object,
+    other?: RegisterOther & ClientOptions
+  ): Promise<Client>;
+  static fromUri(
+    registrationClientUri: string,
+    registrationAccessToken: string,
+    jwks?: jose.JSONWebKeySet,
+    clientOptions?: ClientOptions
+  ): Promise<Client>;
   static [custom.http_options]: CustomHttpOptionsProvider;
 
   [key: string]: unknown;
 }
 
-export class DeviceFlowHandle<TClient extends Client> { // tslint:disable-line:no-unnecessary-generics
+export class DeviceFlowHandle<TClient extends Client> {
+  // tslint:disable-line:no-unnecessary-generics
   poll(): Promise<TokenSet>;
   expired(): boolean;
   expires_at: number;
@@ -526,7 +613,11 @@ export interface MtlsEndpointAliases {
 // https://stackoverflow.com/questions/39622778/what-is-new-in-typescript
 // https://github.com/Microsoft/TypeScript/issues/204
 export interface TypeOfGenericClient<TClient extends Client> {
-  new (metadata: ClientMetadata, jwks?: jose.JSONWebKeySet, options?: ClientOptions): TClient;
+  new (
+    metadata: ClientMetadata,
+    jwks?: jose.JSONWebKeySet,
+    options?: ClientOptions
+  ): TClient;
   [custom.http_options]: CustomHttpOptionsProvider;
   [custom.clock_tolerance]: number;
 }
@@ -535,7 +626,8 @@ export interface TypeOfGenericClient<TClient extends Client> {
  * Encapsulates a discovered or instantiated OpenID Connect Issuer (Issuer), Identity Provider (IdP),
  * Authorization Server (AS) and its metadata.
  */
-export class Issuer<TClient extends Client> { // tslint:disable-line:no-unnecessary-generics
+export class Issuer<TClient extends Client> {
+  // tslint:disable-line:no-unnecessary-generics
   constructor(metadata: IssuerMetadata);
 
   /**
@@ -665,10 +757,34 @@ export class TokenSet implements TokenSetParameters {
   [key: string]: unknown;
 }
 
-export type StrategyVerifyCallbackUserInfo<TUser> = (tokenset: TokenSet, userinfo: UserinfoResponse, done: (err: any, user?: TUser) => void) => void;
-export type StrategyVerifyCallback<TUser> = (tokenset: TokenSet, done: (err: any, user?: TUser) => void) => void;
-export type StrategyVerifyCallbackReqUserInfo<TUser> = (req: http.IncomingMessage, tokenset: TokenSet, userinfo: UserinfoResponse, done: (err: any, user?: TUser) => void) => void;
-export type StrategyVerifyCallbackReq<TUser> = (req: http.IncomingMessage, tokenset: TokenSet, done: (err: any, user?: TUser) => void) => void;
+export type StrategyVerifyCallbackUserInfo<
+  TUser,
+  TUserInfo extends {} = UnknownObject,
+  TAddress extends {} = UnknownObject
+> = (
+  tokenset: TokenSet,
+  userinfo: UserinfoResponse<TUserInfo, TAddress>,
+  done: (err: any, user?: TUser) => void
+) => void;
+export type StrategyVerifyCallback<TUser> = (
+  tokenset: TokenSet,
+  done: (err: any, user?: TUser) => void
+) => void;
+export type StrategyVerifyCallbackReqUserInfo<
+  TUser,
+  TUserInfo extends {} = UnknownObject,
+  TAddress extends {} = UnknownObject
+> = (
+  req: http.IncomingMessage,
+  tokenset: TokenSet,
+  userinfo: UserinfoResponse<TUserInfo, TAddress>,
+  done: (err: any, user?: TUser) => void
+) => void;
+export type StrategyVerifyCallbackReq<TUser> = (
+  req: http.IncomingMessage,
+  tokenset: TokenSet,
+  done: (err: any, user?: TUser) => void
+) => void;
 
 export interface StrategyOptions<TClient extends Client> {
   client: TClient;
@@ -683,25 +799,30 @@ export interface StrategyOptions<TClient extends Client> {
   extras?: CallbackExtras;
   /**
    * Boolean specifying whether the verify function should get the request object as first argument instead.
-   * Default: 'false'
    */
   passReqToCallback?: boolean;
   /**
    * The PKCE method to use. When 'true' it will resolve based on the issuer metadata, when 'false' no PKCE will be
-   * used. Default: 'false'
+   * used.
    */
   usePKCE?: boolean | string;
   /**
-   * The PKCE method to use. When 'true' it will resolve based on the issuer metadata, when 'false' no PKCE will be
-   * used. Default: 'false'
+   * The property name to store transaction information such as nonce, state, max_age, code_verifier, and response_type.
    */
   sessionKey?: string;
 }
 
 // tslint:disable-next-line:no-unnecessary-class
-export class Strategy<TUser, TClient extends Client> { // tslint:disable-line:no-unnecessary-generics
-  constructor(options: StrategyOptions<TClient>, verify: StrategyVerifyCallback<TUser> | StrategyVerifyCallbackUserInfo<TUser> |
-    StrategyVerifyCallbackReq<TUser> | StrategyVerifyCallbackReqUserInfo<TUser>)
+export class Strategy<TUser, TClient extends Client> {
+  // tslint:disable-line:no-unnecessary-generics
+  constructor(
+    options: StrategyOptions<TClient>,
+    verify:
+      | StrategyVerifyCallback<TUser>
+      | StrategyVerifyCallbackUserInfo<TUser>
+      | StrategyVerifyCallbackReq<TUser>
+      | StrategyVerifyCallbackReqUserInfo<TUser>
+  );
 
   authenticate(req: any, options?: any): void;
   success(user: any, info?: any): void;
@@ -718,25 +839,25 @@ export class Strategy<TUser, TClient extends Client> { // tslint:disable-line:no
 export namespace generators {
   /**
    * Generates random bytes and encodes them in url safe base64.
-   * @param bytes Number indicating the number of bytes to generate. Default: 32
+   * @param bytes Number indicating the number of bytes to generate.
    */
   function random(bytes?: number): string;
 
   /**
    * Generates random bytes and encodes them in url safe base64.
-   * @param bytes Number indicating the number of bytes to generate. Default: 32
+   * @param bytes Number indicating the number of bytes to generate.
    */
   function state(bytes?: number): string;
 
   /**
    * Generates random bytes and encodes them in url safe base64.
-   * @param bytes Number indicating the number of bytes to generate. Default: 32
+   * @param bytes Number indicating the number of bytes to generate.
    */
   function nonce(bytes?: number): string;
 
   /**
    * Generates random bytes and encodes them in url safe base64.
-   * @param bytes Number indicating the number of bytes to generate. Default: 32
+   * @param bytes Number indicating the number of bytes to generate.
    */
   function codeVerifier(bytes?: number): string;
   /**
@@ -811,3 +932,17 @@ export namespace errors {
     auth_time?: number;
   }
 }
+
+/**
+ * This is very useful to allow applications to override property types
+ * without making types in this package too weird
+ */
+// https://github.com/Microsoft/TypeScript/issues/25987#issuecomment-441224690
+type KnownKeys<T> = {
+  [K in keyof T]: string extends K ? never : number extends K ? never : K;
+} extends { [_ in keyof T]: infer U }
+  ? {} extends U
+    ? never
+    : U
+  : never;
+type Override<T1, T2> = Omit<T1, keyof Omit<T2, keyof KnownKeys<T2>>> & T2;