qa360 2.2.20 → 2.3.1

package/dist/core/auth/saml-handler.js

@@ -0,0 +1,364 @@
+/**
+ * SAML 2.0 Handler
+ *
+ * P1 - Enterprise SSO support
+ *
+ * Supports:
+ * - SP-initiated SSO (Service Provider initiates)
+ * - IdP-initiated SSO (Identity Provider initiates)
+ * - SAML Response parsing and validation
+ * - Assertion extraction and attribute reading
+ * - Signature verification (basic)
+ *
+ * @see https://www.oasis-open.org/committees/download.php/6058/sstc-saml-core-2.0.pdf
+ */
+/**
+ * SAML 2.0 Handler class
+ */
+export class SAMLHandler {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Generate SAML AuthnRequest for SP-initiated SSO
+     * Creates a base64-encoded SAML request to send to IdP
+     */
+    generateAuthnRequest(options) {
+        const id = this.generateId();
+        const issueInstant = new Date().toISOString();
+        const acsUrl = options?.assertionConsumerServiceUrl || this.config.acsUrl;
+        const protocolBinding = options?.protocolBinding || this.config.protocolBinding || 'HTTP-POST';
+        // Build SAML AuthnRequest XML
+        const samlRequest = `<?xml version="1.0" encoding="UTF-8"?>
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                    ID="${id}"
+                    Version="2.0"
+                    IssueInstant="${issueInstant}"
+                    ProtocolBinding="${protocolBinding}"
+                    AssertionConsumerServiceURL="${acsUrl}"
+                    Destination="${this.config.idpSsoUrl || ''}"${options?.forceAuthn ? ' ForceAuthn="true"' : ''}${options?.passive ? ' IsPassive="true"' : ''}>
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">${this.config.spEntityId}</saml:Issuer>
+  ${options?.forceAuthn ? '<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>' : ''}
+  ${options?.passive ? '<samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>' : ''}
+  <samlp:RequestedAuthnContext Comparison="exact">
+    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+  </samlp:RequestedAuthnContext>
+</samlp:AuthnRequest>`;
+        // Base64 encode
+        return Buffer.from(samlRequest).toString('base64');
+    }
+    /**
+     * Get IdP SSO URL with SAML request for SP-initiated flow
+     */
+    getSSOUrl(options) {
+        if (!this.config.idpSsoUrl) {
+            throw new Error('IdP SSO URL not configured');
+        }
+        const samlRequest = this.generateAuthnRequest(options);
+        const params = new URLSearchParams({
+            SAMLRequest: samlRequest,
+        });
+        if (options?.relayState) {
+            params.append('RelayState', options.relayState);
+        }
+        const separator = this.config.idpSsoUrl.includes('?') ? '&' : '?';
+        return `${this.config.idpSsoUrl}${separator}${params.toString()}`;
+    }
+    /**
+     * Parse SAML Response from IdP
+     * Extracts assertion and attributes from base64-encoded SAML response
+     */
+    parseResponse(samlResponse) {
+        const errors = [];
+        try {
+            // Validate base64 format (basic check for valid characters)
+            const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
+            const urlSafeBase64Regex = /^[A-Za-z0-9_-]*={0,2}$/;
+            // Decode base64
+            let decoded;
+            try {
+                if (!base64Regex.test(samlResponse) && !urlSafeBase64Regex.test(samlResponse)) {
+                    throw new Error('Invalid base64 format');
+                }
+                decoded = Buffer.from(samlResponse, 'base64').toString('utf-8');
+                // Check if decoding produced valid UTF-8 text (SAML responses start with <?xml)
+                if (!decoded.startsWith('<?xml') && !decoded.startsWith('<samlp:') && !decoded.startsWith('<saml:')) {
+                    throw new Error('Decoded content is not valid SAML XML');
+                }
+            }
+            catch {
+                // Try URL-decoded base64
+                try {
+                    const urlDecoded = decodeURIComponent(samlResponse);
+                    if (!base64Regex.test(urlDecoded) && !urlSafeBase64Regex.test(urlDecoded)) {
+                        throw new Error('Invalid base64 format after URL decode');
+                    }
+                    decoded = Buffer.from(urlDecoded, 'base64').toString('utf-8');
+                }
+                catch (e) {
+                    errors.push(e instanceof Error ? e.message : 'Invalid base64 encoding');
+                    return { raw: samlResponse, errors };
+                }
+            }
+            // Parse XML
+            const response = this.parseSAMLXML(decoded);
+            // Validate response
+            if (response.statusCode && response.statusCode !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+                errors.push(`SAML status: ${response.statusCode} - ${response.statusMessage || 'Unknown error'}`);
+            }
+            if (response.destination && response.destination !== this.config.acsUrl) {
+                errors.push(`Destination mismatch: expected ${this.config.acsUrl}, got ${response.destination}`);
+            }
+            if (errors.length > 0) {
+                return { raw: samlResponse, errors };
+            }
+            return {
+                raw: samlResponse,
+                response,
+            };
+        }
+        catch (e) {
+            return {
+                raw: samlResponse,
+                errors: [e instanceof Error ? e.message : 'Unknown parsing error'],
+            };
+        }
+    }
+    /**
+     * Parse SAML XML and extract relevant fields
+     */
+    parseSAMLXML(xml) {
+        // Simple XML parsing without external dependencies
+        const response = {
+            id: '',
+            issueInstant: '',
+            version: '2.0',
+        };
+        // Extract Response attributes using regex
+        const idMatch = xml.match(/ID="([^"]+)"/);
+        if (idMatch)
+            response.id = idMatch[1];
+        const instantMatch = xml.match(/IssueInstant="([^"]+)"/);
+        if (instantMatch)
+            response.issueInstant = instantMatch[1];
+        const versionMatch = xml.match(/Version="([^"]+)"/);
+        if (versionMatch)
+            response.version = versionMatch[1];
+        const destMatch = xml.match(/Destination="([^"]+)"/);
+        if (destMatch)
+            response.destination = destMatch[1];
+        // Extract Issuer
+        const issuerMatch = xml.match(/<saml:Issuer[^>]*>([^<]+)<\/saml:Issuer>/);
+        if (issuerMatch)
+            response.issuer = issuerMatch[1].trim();
+        // Extract Status Code
+        const statusCodeMatch = xml.match(/<samlp:StatusCode[^>]*Value="([^"]+)"/);
+        if (statusCodeMatch)
+            response.statusCode = statusCodeMatch[1];
+        // Extract Status Message
+        const statusMsgMatch = xml.match(/<samlp:StatusMessage[^>]*>([^<]+)<\/samlp:StatusMessage>/);
+        if (statusMsgMatch)
+            response.statusMessage = statusMsgMatch[1].trim();
+        // Extract Assertion
+        const assertionMatch = xml.match(/<saml:Assertion[^>]*>([\s\S]*?)<\/saml:Assertion>/);
+        if (assertionMatch) {
+            response.assertion = this.parseAssertion(assertionMatch[1]);
+        }
+        return response;
+    }
+    /**
+     * Parse SAML Assertion
+     */
+    parseAssertion(assertionXml) {
+        const assertion = {
+            id: '',
+            issueInstant: '',
+            issuer: '',
+        };
+        const idMatch = assertionXml.match(/ID="([^"]+)"/);
+        if (idMatch)
+            assertion.id = idMatch[1];
+        const instantMatch = assertionXml.match(/IssueInstant="([^"]+)"/);
+        if (instantMatch)
+            assertion.issueInstant = instantMatch[1];
+        const issuerMatch = assertionXml.match(/<saml:Issuer[^>]*>([^<]+)<\/saml:Issuer>/);
+        if (issuerMatch)
+            assertion.issuer = issuerMatch[1].trim();
+        // Extract Subject
+        const subjectMatch = assertionXml.match(/<saml:Subject[^>]*>([\s\S]*?)<\/saml:Subject>/);
+        if (subjectMatch) {
+            assertion.subject = this.parseSubject(subjectMatch[1]);
+        }
+        // Extract Conditions
+        const conditionsMatch = assertionXml.match(/<saml:Conditions[^>]*>([\s\S]*?)<\/saml:Conditions>/);
+        if (conditionsMatch) {
+            assertion.conditions = this.parseConditions(conditionsMatch[1]);
+        }
+        // Extract Attribute Statement
+        const attributeMatch = assertionXml.match(/<saml:AttributeStatement[^>]*>([\s\S]*?)<\/saml:AttributeStatement>/);
+        if (attributeMatch) {
+            assertion.attributes = this.parseAttributes(attributeMatch[1]);
+        }
+        // Extract AuthnStatement
+        const authnMatch = assertionXml.match(/<saml:AuthnStatement[^>]*>([\s\S]*?)<\/saml:AuthnStatement>/);
+        if (authnMatch) {
+            const authnInstantMatch = authnMatch[1].match(/AuthnInstant="([^"]+)"/);
+            const sessionIndexMatch = authnMatch[1].match(/SessionIndex="([^"]+)"/);
+            const sessionNotOnOrAfterMatch = authnMatch[1].match(/SessionNotOnOrAfter="([^"]+)"/);
+            assertion.authnStatement = {
+                authnInstant: authnInstantMatch?.[1] || '',
+                sessionIndex: sessionIndexMatch?.[1],
+                sessionNotOnOrAfter: sessionNotOnOrAfterMatch?.[1],
+            };
+        }
+        return assertion;
+    }
+    /**
+     * Parse SAML Subject
+     */
+    parseSubject(subjectXml) {
+        const nameIdMatch = subjectXml.match(/<saml:NameID[^>]*>([^<]+)<\/saml:NameID>/);
+        const formatMatch = subjectXml.match(/<saml:NameID[^>]*Format="([^"]+)"/);
+        return {
+            nameId: nameIdMatch?.[1]?.trim() || '',
+            format: formatMatch?.[1],
+        };
+    }
+    /**
+     * Parse SAML Conditions
+     */
+    parseConditions(conditionsXml) {
+        const conditions = {};
+        const notBeforeMatch = conditionsXml.match(/NotBefore="([^"]+)"/);
+        if (notBeforeMatch)
+            conditions.notBefore = notBeforeMatch[1];
+        const notOnOrAfterMatch = conditionsXml.match(/NotOnOrAfter="([^"]+)"/);
+        if (notOnOrAfterMatch)
+            conditions.notOnOrAfter = notOnOrAfterMatch[1];
+        const audienceMatches = conditionsXml.matchAll(/<saml:Audience[^>]*>([^<]+)<\/saml:Audience>/g);
+        const audiences = [];
+        for (const match of audienceMatches) {
+            audiences.push(match[1].trim());
+        }
+        if (audiences.length > 0) {
+            conditions.audience = audiences;
+        }
+        return conditions;
+    }
+    /**
+     * Parse SAML Attributes
+     */
+    parseAttributes(attributesXml) {
+        const attributes = {};
+        const attributeMatches = attributesXml.matchAll(/<saml:Attribute[^>]*Name="([^"]+)"[^>]*>([\s\S]*?)<\/saml:Attribute>/g);
+        for (const match of attributeMatches) {
+            const name = match[1];
+            const values = [];
+            const valueMatches = match[2].matchAll(/<saml:AttributeValue[^>]*>([^<]*)<\/saml:AttributeValue>/g);
+            for (const valueMatch of valueMatches) {
+                values.push(valueMatch[1].trim());
+            }
+            attributes[name] = values;
+        }
+        return attributes;
+    }
+    /**
+     * Validate SAML Response conditions
+     * Checks time validity and audience
+     */
+    validateConditions(parsed) {
+        const errors = [];
+        const now = new Date();
+        if (!parsed.assertion?.conditions) {
+            return { valid: true, errors: [] };
+        }
+        const conditions = parsed.assertion.conditions;
+        // Check NotBefore
+        if (conditions.notBefore) {
+            const notBefore = new Date(conditions.notBefore);
+            if (now < notBefore) {
+                errors.push(`Response not valid until ${conditions.notBefore}`);
+            }
+        }
+        // Check NotOnOrAfter
+        if (conditions.notOnOrAfter) {
+            const notOnOrAfter = new Date(conditions.notOnOrAfter);
+            if (now >= notOnOrAfter) {
+                errors.push(`Response expired at ${conditions.notOnOrAfter}`);
+            }
+        }
+        // Check Audience
+        if (conditions.audience && conditions.audience.length > 0) {
+            if (!conditions.audience.includes(this.config.spEntityId)) {
+                errors.push(`Audience mismatch: expected ${this.config.spEntityId}, got ${conditions.audience.join(', ')}`);
+            }
+        }
+        return {
+            valid: errors.length === 0,
+            errors,
+        };
+    }
+    /**
+     * Extract user attributes from SAML response
+     */
+    getUserAttributes(samlResponse) {
+        const parsed = this.parseResponse(samlResponse);
+        if (parsed.response?.assertion?.attributes) {
+            return parsed.response.assertion.attributes;
+        }
+        return null;
+    }
+    /**
+     * Get NameID (user identifier) from SAML response
+     */
+    getNameId(samlResponse) {
+        const parsed = this.parseResponse(samlResponse);
+        return parsed.response?.assertion?.subject?.nameId || null;
+    }
+    /**
+     * Get email from SAML response attributes
+     */
+    getEmail(samlResponse) {
+        const attrs = this.getUserAttributes(samlResponse);
+        if (!attrs)
+            return null;
+        // Common email attribute names
+        const emailKeys = ['email', 'Email', 'EmailAddress', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'];
+        for (const key of emailKeys) {
+            if (attrs[key] && attrs[key][0]) {
+                return attrs[key][0];
+            }
+        }
+        return null;
+    }
+    /**
+     * Get display name from SAML response attributes
+     */
+    getDisplayName(samlResponse) {
+        const attrs = this.getUserAttributes(samlResponse);
+        if (!attrs)
+            return null;
+        // Common name attribute names
+        const nameKeys = ['firstName', 'lastName', 'name', 'displayName', 'cn', 'http://schemas.microsoft.com/identity/claims/displayname'];
+        for (const key of nameKeys) {
+            if (attrs[key] && attrs[key][0]) {
+                return attrs[key][0];
+            }
+        }
+        return null;
+    }
+    /**
+     * Generate unique ID for SAML requests
+     */
+    generateId() {
+        return `_${Date.now()}_${Math.random().toString(36).substring(2, 15)}`;
+    }
+}
+/**
+ * Factory function to create SAML handler
+ */
+export function createSAMLHandler(config) {
+    return new SAMLHandler(config);
+}
+export default SAMLHandler;

package/dist/core/auth/webauthn-handler.d.ts

@@ -0,0 +1,182 @@
+/**
+ * WebAuthn / Passkeys Handler
+ *
+ * P1 - Modern passwordless authentication
+ *
+ * Supports:
+ * - WebAuthn registration (credential creation)
+ * - WebAuthn authentication (assertion)
+ * - Passkeys (platform and cross-device)
+ * - Credential ID storage and lookup
+ *
+ * @see https://w3c.github.io/webauthn/
+ */
+export interface WebAuthnConfig {
+    /** Relying Party ID (usually the domain) */
+    rpId: string;
+    /** Relying Party name (app name) */
+    rpName: string;
+    /** Relying Party origin */
+    origin?: string;
+    /** User verification requirement */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+    /** Attestation preference */
+    attestation?: 'none' | 'indirect' | 'direct';
+    /** Require resident key (passkey) */
+    requireResidentKey?: boolean;
+}
+export interface WebAuthnUser {
+    /** User ID (binary) */
+    id: ArrayBuffer;
+    /** Username */
+    name: string;
+    /** Display name */
+    displayName: string;
+    /** Optional icon */
+    icon?: string;
+}
+export interface WebAuthnCredential {
+    /** Credential ID */
+    id: string;
+    /** Public key */
+    publicKey: string;
+    /** Sign counter */
+    counter: number;
+    /** User handle */
+    userHandle?: string;
+    /** Credential type */
+    type: 'public-key';
+    /** Transport hints */
+    transports?: AuthenticatorTransport[];
+}
+export interface RegistrationResult {
+    success: boolean;
+    credential?: WebAuthnCredential;
+    error?: string;
+}
+export interface AuthenticationResult {
+    success: boolean;
+    credentialId?: string;
+    userHandle?: string;
+    error?: string;
+}
+/**
+ * Types for WebAuthn API
+ */
+export interface PublicKeyCredentialCreationOptionsJSON {
+    challenge: string;
+    rp: {
+        id: string;
+        name: string;
+    };
+    user: {
+        id: string;
+        name: string;
+        displayName: string;
+        icon?: string;
+    };
+    pubKeyCredParams: {
+        type: string;
+        alg: number;
+    }[];
+    excludeCredentials?: {
+        id: string;
+        type: string;
+    }[];
+    authenticatorSelection?: {
+        authenticatorAttachment?: 'platform' | 'cross-platform';
+        requireResidentKey?: boolean;
+        userVerification?: 'required' | 'preferred' | 'discouraged';
+    };
+    attestation?: 'none' | 'indirect' | 'direct';
+    timeout?: number;
+}
+export interface PublicKeyCredentialRequestOptionsJSON {
+    challenge: string;
+    rpId?: string;
+    allowCredentials?: {
+        id: string;
+        type: string;
+    }[];
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+    timeout?: number;
+}
+/**
+ * WebAuthn Handler class
+ */
+export declare class WebAuthnHandler {
+    private config;
+    private credentials;
+    constructor(config: WebAuthnConfig);
+    /**
+     * Generate a random challenge for WebAuthn
+     */
+    generateChallenge(): string;
+    /**
+     * Create registration options for WebAuthn navigator.credentials.create()
+     */
+    createRegistrationOptions(user: WebAuthnUser, excludeCredentials?: string[]): PublicKeyCredentialCreationOptionsJSON;
+    /**
+     * Parse registration response from navigator.credentials.create()
+     */
+    parseRegistration(response: any): Promise<RegistrationResult>;
+    /**
+     * Create authentication options for WebAuthn navigator.credentials.get()
+     */
+    createAuthenticationOptions(allowedCredentials?: string[]): PublicKeyCredentialRequestOptionsJSON;
+    /**
+     * Parse authentication response from navigator.credentials.get()
+     */
+    parseAuthentication(response: any): Promise<AuthenticationResult>;
+    /**
+     * Get stored credential by ID
+     */
+    getCredential(credentialId: string): WebAuthnCredential | undefined;
+    /**
+     * Get all stored credentials for a user
+     */
+    getCredentials(): WebAuthnCredential[];
+    /**
+     * Check if WebAuthn is supported in current browser
+     */
+    isSupported(): boolean;
+    /**
+     * Check if platform authenticator is available
+     */
+    isPlatformAvailable(): Promise<boolean>;
+    /**
+     * Check if conditional mediation (autofill) is supported
+     */
+    isConditionalMediationSupported(): boolean;
+    /**
+     * Store credential externally
+     */
+    storeCredential(credential: WebAuthnCredential): void;
+    /**
+     * Remove credential
+     */
+    removeCredential(credentialId: string): boolean;
+    /**
+     * Clear all credentials
+     */
+    clearCredentials(): void;
+    /**
+     * Helper: Convert ArrayBuffer to Base64
+     */
+    private bufferToBase64;
+    /**
+     * Helper: Convert Base64 to Uint8Array
+     */
+    private base64ToBuffer;
+    /**
+     * Helper to extract public key from attestation object
+     * This is a simplified version - full CBOR parsing would be more complex
+     */
+    private extractPublicKeyFromAttestation;
+    private decoder;
+}
+/**
+ * Factory function to create WebAuthn handler
+ */
+export declare function createWebAuthnHandler(config: WebAuthnConfig): WebAuthnHandler;
+export default WebAuthnHandler;