openid-client 4.9.0 → 5.0.2

package/lib/helpers/issuer.js

@@ -0,0 +1,110 @@
+const objectHash = require('object-hash');
+const LRU = require('lru-cache');
+
+const { RPError } = require('../errors');
+
+const { assertIssuerConfiguration } = require('./assert');
+const KeyStore = require('./keystore');
+const { keystores } = require('./weak_cache');
+const processResponse = require('./process_response');
+const request = require('./request');
+
+const inFlight = new WeakMap();
+const caches = new WeakMap();
+const lrus = (ctx) => {
+  if (!caches.has(ctx)) {
+    caches.set(ctx, new LRU({ max: 100 }));
+  }
+  return caches.get(ctx);
+};
+
+async function getKeyStore(reload = false) {
+  assertIssuerConfiguration(this, 'jwks_uri');
+
+  const keystore = keystores.get(this);
+  const cache = lrus(this);
+
+  if (reload || !keystore) {
+    if (inFlight.has(this)) {
+      return inFlight.get(this);
+    }
+    cache.reset();
+    inFlight.set(
+      this,
+      (async () => {
+        const response = await request
+          .call(this, {
+            method: 'GET',
+            responseType: 'json',
+            url: this.jwks_uri,
+            headers: {
+              Accept: 'application/json',
+            },
+          })
+          .finally(() => {
+            inFlight.delete(this);
+          });
+        const jwks = processResponse(response);
+
+        const joseKeyStore = KeyStore.fromJWKS(jwks, { onlyPublic: true });
+        cache.set('throttle', true, 60 * 1000);
+        keystores.set(this, joseKeyStore);
+
+        return joseKeyStore;
+      })(),
+    );
+
+    return inFlight.get(this);
+  }
+
+  return keystore;
+}
+
+async function queryKeyStore({ kid, kty, alg, use }, { allowMulti = false } = {}) {
+  const cache = lrus(this);
+
+  const def = {
+    kid,
+    kty,
+    alg,
+    use,
+  };
+
+  const defHash = objectHash(def, {
+    algorithm: 'sha256',
+    ignoreUnknown: true,
+    unorderedArrays: true,
+    unorderedSets: true,
+  });
+
+  // refresh keystore on every unknown key but also only upto once every minute
+  const freshJwksUri = cache.get(defHash) || cache.get('throttle');
+
+  const keystore = await getKeyStore.call(this, !freshJwksUri);
+  const keys = keystore.all(def);
+
+  delete def.use;
+  if (keys.length === 0) {
+    throw new RPError({
+      printf: ["no valid key found in issuer's jwks_uri for key parameters %j", def],
+      jwks: keystore,
+    });
+  }
+
+  if (!allowMulti && keys.length > 1 && !kid) {
+    throw new RPError({
+      printf: [
+        "multiple matching keys found in issuer's jwks_uri for key parameters %j, kid must be provided in this case",
+        def,
+      ],
+      jwks: keystore,
+    });
+  }
+
+  cache.set(defHash, true);
+
+  return keys;
+}
+
+module.exports.queryKeyStore = queryKeyStore;
+module.exports.keystore = getKeyStore;

package/lib/helpers/keystore.js

@@ -0,0 +1,312 @@
+const v8 = require('v8');
+
+const jose = require('jose');
+
+const clone = globalThis.structuredClone || ((value) => v8.deserialize(v8.serialize(value)));
+
+const isPlainObject = require('./is_plain_object');
+const isKeyObject = require('./is_key_object');
+
+const internal = Symbol();
+
+function fauxAlg(kty) {
+  switch (kty) {
+    case 'RSA':
+      return 'RSA-OAEP';
+    case 'EC':
+      return 'ECDH-ES';
+    case 'OKP':
+      return 'ECDH-ES';
+    case 'oct':
+      return 'HS256';
+    default:
+      return undefined;
+  }
+}
+
+const keyscore = (key, { alg, use }) => {
+  let score = 0;
+
+  if (alg && key.alg) {
+    score++;
+  }
+
+  if (use && key.use) {
+    score++;
+  }
+
+  return score;
+};
+
+function getKtyFromAlg(alg) {
+  switch (typeof alg === 'string' && alg.substr(0, 2)) {
+    case 'RS':
+    case 'PS':
+      return 'RSA';
+    case 'ES':
+      return 'EC';
+    case 'Ed':
+      return 'OKP';
+    default:
+      return undefined;
+  }
+}
+
+function getAlgorithms(use, alg, kty, crv) {
+  // Ed25519, Ed448, and secp256k1 always have "alg"
+  // OKP always has use
+  if (alg) {
+    return new Set([alg]);
+  }
+
+  switch (kty) {
+    case 'EC': {
+      let algs = [];
+
+      if (use === 'enc' || use === undefined) {
+        algs = algs.concat(['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']);
+      }
+
+      if (use === 'sig' || use === undefined) {
+        algs = algs.concat([`ES${crv.substr(-3)}`.replace('21', '12')]);
+      }
+
+      return new Set(algs);
+    }
+    case 'OKP': {
+      return new Set(['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']);
+    }
+    case 'RSA': {
+      let algs = [];
+
+      if (use === 'enc' || use === undefined) {
+        algs = algs.concat(['RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512', 'RSA1_5']);
+      }
+
+      if (use === 'sig' || use === undefined) {
+        algs = algs.concat(['PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512']);
+      }
+
+      return new Set(algs);
+    }
+    default:
+      throw new Error('unreachable');
+  }
+}
+
+module.exports = class KeyStore {
+  #keys;
+
+  constructor(i, keys) {
+    if (i !== internal) throw new Error('invalid constructor call');
+    this.#keys = keys;
+  }
+
+  toJWKS() {
+    return {
+      keys: this.map(({ jwk: { d, p, q, dp, dq, qi, ...jwk } }) => jwk),
+    };
+  }
+
+  all({ alg, kid, use } = {}) {
+    if (!use || !alg) {
+      throw new Error();
+    }
+
+    const kty = getKtyFromAlg(alg);
+
+    const search = { alg, use };
+    return this.filter((key) => {
+      let candidate = true;
+
+      if (candidate && kty !== undefined && key.jwk.kty !== kty) {
+        candidate = false;
+      }
+
+      if (candidate && kid !== undefined && key.jwk.kid !== kid) {
+        candidate = false;
+      }
+
+      if (candidate && use !== undefined && key.jwk.use !== undefined && key.jwk.use !== use) {
+        candidate = false;
+      }
+
+      if (candidate && key.jwk.alg && key.jwk.alg !== alg) {
+        candidate = false;
+      } else if (!key.algorithms.has(alg)) {
+        candidate = false;
+      }
+
+      return candidate;
+    }).sort((first, second) => keyscore(second, search) - keyscore(first, search));
+  }
+
+  get(...args) {
+    return this.all(...args)[0];
+  }
+
+  static async fromJWKS(jwks, { onlyPublic = false, onlyPrivate = false } = {}) {
+    if (
+      !isPlainObject(jwks) ||
+      !Array.isArray(jwks.keys) ||
+      jwks.keys.some((k) => !isPlainObject(k) || !('kty' in k))
+    ) {
+      throw new TypeError('jwks must be a JSON Web Key Set formatted object');
+    }
+
+    const keys = [];
+
+    for (let jwk of jwks.keys) {
+      jwk = clone(jwk);
+      const { kty, kid, crv } = jwk;
+
+      let { alg, use } = jwk;
+
+      if (typeof kty !== 'string' || !kty) {
+        continue;
+      }
+
+      if (use !== undefined && use !== 'sig' && use !== 'enc') {
+        continue;
+      }
+
+      if (typeof alg !== 'string' && alg !== undefined) {
+        continue;
+      }
+
+      if (typeof kid !== 'string' && kid !== undefined) {
+        continue;
+      }
+
+      if (kty === 'EC' && use === 'sig') {
+        switch (crv) {
+          case 'P-256':
+            alg = 'ES256';
+            break;
+          case 'P-384':
+            alg = 'ES384';
+            break;
+          case 'P-521':
+            alg = 'ES512';
+            break;
+          default:
+            break;
+        }
+      }
+
+      if (crv === 'secp256k1') {
+        use = 'sig';
+        alg = 'ES256K';
+      }
+
+      if (kty === 'OKP') {
+        switch (crv) {
+          case 'Ed25519':
+          case 'Ed448':
+            use = 'sig';
+            alg = 'EdDSA';
+            break;
+          case 'X25519':
+          case 'X448':
+            use = 'enc';
+            break;
+          default:
+            break;
+        }
+      }
+
+      if (alg && !use) {
+        switch (true) {
+          case alg.startsWith('ECDH'):
+            use = 'enc';
+            break;
+          case alg.startsWith('RSA'):
+            use = 'enc';
+            break;
+          default:
+            break;
+        }
+      }
+
+      const keyObject = await jose.importJWK(jwk, alg || fauxAlg(jwk.kty)).catch(() => {});
+
+      if (!keyObject) continue;
+
+      if (keyObject instanceof Uint8Array || keyObject.type === 'secret') {
+        if (onlyPrivate) {
+          throw new Error('jwks must only contain private keys');
+        }
+        continue;
+      }
+
+      if (!isKeyObject(keyObject)) {
+        throw new Error('what?!');
+      }
+
+      if (onlyPrivate && keyObject.type !== 'private') {
+        throw new Error('jwks must only contain private keys');
+      }
+
+      if (onlyPublic && keyObject.type !== 'public') {
+        continue;
+      }
+
+      if (kty === 'RSA' && keyObject.asymmetricKeySize < 2048) {
+        continue;
+      }
+
+      keys.push({
+        jwk: { ...jwk, alg, use },
+        keyObject,
+        get algorithms() {
+          Object.defineProperty(this, 'algorithms', {
+            value: getAlgorithms(this.jwk.use, this.jwk.alg, this.jwk.kty, this.jwk.crv),
+            enumerable: true,
+            configurable: false,
+          });
+          return this.algorithms;
+        },
+      });
+    }
+
+    return new this(internal, keys);
+  }
+
+  filter(...args) {
+    return this.#keys.filter(...args);
+  }
+
+  find(...args) {
+    return this.#keys.find(...args);
+  }
+
+  every(...args) {
+    return this.#keys.every(...args);
+  }
+
+  some(...args) {
+    return this.#keys.some(...args);
+  }
+
+  map(...args) {
+    return this.#keys.map(...args);
+  }
+
+  forEach(...args) {
+    return this.#keys.forEach(...args);
+  }
+
+  reduce(...args) {
+    return this.#keys.reduce(...args);
+  }
+
+  sort(...args) {
+    return this.#keys.sort(...args);
+  }
+
+  *[Symbol.iterator]() {
+    for (const key of this.#keys) {
+      yield key;
+    }
+  }
+};

package/lib/helpers/merge.js

@@ -1,5 +1,3 @@
-/* eslint-disable no-restricted-syntax, no-param-reassign, no-continue */
-
 const isPlainObject = require('./is_plain_object');
 
 function merge(target, ...sources) {

package/lib/helpers/pick.js

@@ -1,6 +1,6 @@
 module.exports = function pick(object, ...paths) {
   const obj = {};
-  for (const path of paths) { // eslint-disable-line no-restricted-syntax
+  for (const path of paths) {
     if (object[path]) {
       obj[path] = object[path];
     }

package/lib/helpers/process_response.js

@@ -7,7 +7,7 @@ const REGEXP = /(\w+)=("[^"]*")/g;
 const throwAuthenticateErrors = (response) => {
   const params = {};
   try {
-    while ((REGEXP.exec(response.headers['www-authenticate'])) !== null) {
+    while (REGEXP.exec(response.headers['www-authenticate']) !== null) {
       if (RegExp.$1 && RegExp.$2) {
         params[RegExp.$1] = RegExp.$2.slice(1, -1);
       }
@@ -29,7 +29,7 @@ const isStandardBodyError = (response) => {
       jsonbody = response.body;
     }
     result = typeof jsonbody.error === 'string' && jsonbody.error.length;
-    if (result) response.body = jsonbody;
+    if (result) Object.defineProperty(response, 'body', { value: jsonbody, configurable: true });
   } catch (err) {}
 
   return result;
@@ -45,15 +45,31 @@ function processResponse(response, { statusCode = 200, body = true, bearer = fal
       throw new OPError(response.body, response);
     }
 
-    throw new OPError({
-      error: format('expected %i %s, got: %i %s', statusCode, STATUS_CODES[statusCode], response.statusCode, STATUS_CODES[response.statusCode]),
-    }, response);
+    throw new OPError(
+      {
+        error: format(
+          'expected %i %s, got: %i %s',
+          statusCode,
+          STATUS_CODES[statusCode],
+          response.statusCode,
+          STATUS_CODES[response.statusCode],
+        ),
+      },
+      response,
+    );
   }
 
   if (body && !response.body) {
-    throw new OPError({
-      error: format('expected %i %s with body but no body was returned', statusCode, STATUS_CODES[statusCode]),
-    }, response);
+    throw new OPError(
+      {
+        error: format(
+          'expected %i %s with body but no body was returned',
+          statusCode,
+          STATUS_CODES[statusCode],
+        ),
+      },
+      response,
+    );
   }
 
   return response.body;

package/lib/helpers/request.js

@@ -1,56 +1,182 @@
-const Got = require('got');
+const assert = require('assert');
+const querystring = require('querystring');
+const http = require('http');
+const https = require('https');
+const { once } = require('events');
 
 const pkg = require('../../package.json');
+const { RPError } = require('../errors');
 
+const pick = require('./pick');
 const { deep: defaultsDeep } = require('./defaults');
-const isAbsoluteUrl = require('./is_absolute_url');
 const { HTTP_OPTIONS } = require('./consts');
 
 let DEFAULT_HTTP_OPTIONS;
-let got;
 
-const setDefaults = (options) => {
-  DEFAULT_HTTP_OPTIONS = defaultsDeep({}, options, DEFAULT_HTTP_OPTIONS);
-  got = Got.extend(DEFAULT_HTTP_OPTIONS);
+const allowed = [
+  'agent',
+  'ca',
+  'cert',
+  'crl',
+  'headers',
+  'key',
+  'lookup',
+  'passphrase',
+  'pfx',
+  'timeout',
+];
+
+const setDefaults = (props, options) => {
+  DEFAULT_HTTP_OPTIONS = defaultsDeep(
+    {},
+    props.length ? pick(options, ...props) : options,
+    DEFAULT_HTTP_OPTIONS,
+  );
 };
 
-setDefaults({
-  followRedirect: false,
+setDefaults([], {
   headers: { 'User-Agent': `${pkg.name}/${pkg.version} (${pkg.homepage})` },
-  retry: 0,
   timeout: 3500,
-  throwHttpErrors: false,
 });
 
+function send(req, body, contentType) {
+  if (contentType) {
+    req.removeHeader('content-type');
+    req.setHeader('content-type', contentType);
+  }
+  if (body) {
+    req.removeHeader('content-length');
+    req.setHeader('content-length', Buffer.byteLength(body));
+    req.write(body);
+  }
+  req.end();
+}
+
 module.exports = async function request(options, { accessToken, mTLS = false, DPoP } = {}) {
-  const { url } = options;
-  isAbsoluteUrl(url);
+  let url;
+  try {
+    url = new URL(options.url);
+    delete options.url;
+    assert(/^(https?:)$/.test(url.protocol));
+  } catch (err) {
+    throw new TypeError('only valid absolute URLs can be requested');
+  }
   const optsFn = this[HTTP_OPTIONS];
   let opts = options;
 
   if (DPoP && 'dpopProof' in this) {
     opts.headers = opts.headers || {};
-    opts.headers.DPoP = this.dpopProof({
-      htu: url,
-      htm: options.method,
-    }, DPoP, accessToken);
+    opts.headers.DPoP = await this.dpopProof(
+      {
+        htu: url,
+        htm: options.method,
+      },
+      DPoP,
+      accessToken,
+    );
   }
 
+  let userOptions;
   if (optsFn) {
-    opts = optsFn.call(this, defaultsDeep({}, opts, DEFAULT_HTTP_OPTIONS));
+    userOptions = pick(
+      optsFn.call(this, url, defaultsDeep({}, opts, DEFAULT_HTTP_OPTIONS)),
+      ...allowed,
+    );
   }
+  opts = defaultsDeep({}, userOptions, opts, DEFAULT_HTTP_OPTIONS);
 
-  if (
-    mTLS
-    && (
-      (!opts.key || !opts.cert)
-      && (!opts.https || !((opts.https.key && opts.https.certificate) || opts.https.pfx))
-    )
-  ) {
+  if (mTLS && !opts.pfx && !(opts.key && opts.cert)) {
     throw new TypeError('mutual-TLS certificate and key not set');
   }
 
-  return got(opts);
+  if (opts.searchParams) {
+    for (const [key, value] of Object.entries(opts.searchParams)) {
+      url.searchParams.delete(key);
+      url.searchParams.set(key, value);
+    }
+  }
+
+  let responseType;
+  let form;
+  let json;
+  let body;
+  ({ form, responseType, json, body, ...opts } = opts);
+
+  for (const [key, value] of Object.entries(opts.headers || {})) {
+    if (value === undefined) {
+      delete opts.headers[key];
+    }
+  }
+
+  let response;
+  const req = (url.protocol === 'https:' ? https.request : http.request)(url, opts);
+  return (async () => {
+    if (json) {
+      send(req, JSON.stringify(json), 'application/json');
+    } else if (form) {
+      send(req, querystring.stringify(form), 'application/x-www-form-urlencoded');
+    } else if (body) {
+      send(req, body);
+    } else {
+      send(req);
+    }
+
+    [response] = await Promise.race([once(req, 'response'), once(req, 'timeout')]);
+
+    // timeout reached
+    if (!response) {
+      req.destroy();
+      throw new RPError(`outgoing request timed out after ${opts.timeout}ms`);
+    }
+
+    const parts = [];
+
+    for await (const part of response) {
+      parts.push(part);
+    }
+
+    if (parts.length) {
+      switch (responseType) {
+        case 'json': {
+          Object.defineProperty(response, 'body', {
+            get() {
+              let value = Buffer.concat(parts);
+              try {
+                value = JSON.parse(value);
+              } catch (err) {
+                Object.defineProperty(err, 'response', { value: response });
+                throw err;
+              } finally {
+                Object.defineProperty(response, 'body', { value, configurable: true });
+              }
+              return value;
+            },
+            configurable: true,
+          });
+          break;
+        }
+        case undefined:
+        case 'buffer': {
+          Object.defineProperty(response, 'body', {
+            get() {
+              const value = Buffer.concat(parts);
+              Object.defineProperty(response, 'body', { value, configurable: true });
+              return value;
+            },
+            configurable: true,
+          });
+          break;
+        }
+        default:
+          throw new TypeError('unsupported responseType request option');
+      }
+    }
+
+    return response;
+  })().catch((err) => {
+    Object.defineProperty(err, 'response', { value: response });
+    throw err;
+  });
 };
 
-module.exports.setDefaults = setDefaults;
+module.exports.setDefaults = setDefaults.bind(undefined, allowed);

package/lib/helpers/weak_cache.js

@@ -1,8 +1 @@
-const privateProps = new WeakMap();
-
-module.exports = (ctx) => {
-  if (!privateProps.has(ctx)) {
-    privateProps.set(ctx, new Map([['metadata', new Map()]]));
-  }
-  return privateProps.get(ctx);
-};
+module.exports.keystores = new WeakMap();