UNPKG

@poppinss/oauth-client

Version:

A framework agnostic package to implement "Login with" flow using OAuth compliant authorization servers.

github.com/poppinss/oauth-client

poppinss/oauth-client

208 lines (207 loc) 6.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
import { a as E_OAUTH_STATE_MISMATCH, i as E_OAUTH_MISSING_TOKEN, n as HttpClient, r as debug_default, t as UrlBuilder } from "../../../url_builder-DGjb8L12.js"; import { t as random } from "../../../helpers-mzKBsjzS.js"; import { RuntimeException } from "@poppinss/exception"; import { parse } from "node:querystring"; import { createHash } from "node:crypto"; //#region src/clients/oauth2/main.ts /** * Generic implementation of OAuth2. */ var Oauth2Client = class { constructor(options) { this.options = options; } /** * Define the authorize url. Can be overridden by config */ authorizeUrl = ""; /** * Define the access token url. Can be overridden by config */ accessTokenUrl = ""; /** * Returns the PKCE code verifier for building the authorization redirect. * Child classes can override this method to generate and persist a verifier. */ getPkceCodeVerifierForRedirect() { return null; } /** * Returns the PKCE code verifier for the access token exchange. * Child classes can override this method to load a previously persisted verifier. */ getPkceCodeVerifierForAccessToken() { return null; } /** * Returns the PKCE code challenge. Child classes can override this method * to customize the challenge derivation or persistence strategy. */ getPkceCodeChallenge(codeVerifier) { return this.makeCodeChallenge(codeVerifier, this.getPkceCodeChallengeMethod()); } /** * Returns the PKCE code challenge method. */ getPkceCodeChallengeMethod() { return "S256"; } /** * Processing the API client response. The child class can overwrite it * for more control */ processClientResponse(client, response) { /** * Return json as it is when parsed response as json */ if (client.getResponseType() === "json") return response; return parse(response); } /** * Configure the redirect request. Invoked before * the user callback. * * The client defaults can be removed using the `clearParam` method */ configureRedirectRequest(_) {} /** * Configure the access token request. Invoked before * the user callback. * * The client defaults can be removed using the `clearParam` or * `clearOauth1Param` methods */ configureAccessTokenRequest(_) {} /** * Returns the instance of the HTTP client for internal use */ httpClient(url) { return new HttpClient(url); } /** * Returns the instance of the URL builder */ urlBuilder(url) { return new UrlBuilder(url); } /** * Generates a random PKCE code verifier. */ makeCodeVerifier() { return random(64); } /** * Generates a PKCE code challenge from the given verifier. */ makeCodeChallenge(codeVerifier, method = "S256") { if (method === "plain") return codeVerifier; return createHash("sha256").update(codeVerifier).digest("base64url"); } /** * Returns the redirect url for redirecting the user. Pre-defines * the following params * * - redirect_uri * - client_id */ getRedirectUrl(callback) { const authorizeUrl = this.options.authorizeUrl || this.authorizeUrl; if (!authorizeUrl) throw new RuntimeException("Missing \"config.authorizeUrl\". The property is required to make redirect url"); const urlBuilder = this.urlBuilder(authorizeUrl); /** * Default params. One can call `clearParam` to remove them */ urlBuilder.param("redirect_uri", this.options.callbackUrl); urlBuilder.param("client_id", this.options.clientId); const codeVerifier = this.getPkceCodeVerifierForRedirect(); if (codeVerifier) { urlBuilder.param("code_challenge", this.getPkceCodeChallenge(codeVerifier)); urlBuilder.param("code_challenge_method", this.getPkceCodeChallengeMethod()); } this.configureRedirectRequest(urlBuilder); /** * Invoke callback when defined. This is the place where one can configure * the request query params */ if (typeof callback === "function") callback(urlBuilder); const url = urlBuilder.makeUrl(); debug_default("oauth2 redirect url: \"%s\"", url); return url; } /** * Generates a random token to be stored as a state and to be sent along * for later verification */ getState() { return random(32); } /** * Verifies the redirect input with the state input */ verifyState(state, inputValue) { if (!state || state !== inputValue) throw new E_OAUTH_STATE_MISMATCH(); } /** * Get the access token from the authorization code. One must define * the authorization code using the callback input. * * ```ts * client.getAccessToken((request) => { * request.field('code', authorizationCode) * }) * ``` * * Pre-defines the following form fields * * - grant_type = 'authorization_code' * - redirect_uri * - client_id * - client_secret */ async getAccessToken(callback) { const accessTokenUrl = this.options.accessTokenUrl || this.accessTokenUrl; if (!accessTokenUrl) throw new RuntimeException("Missing \"config.accessTokenUrl\". The property is required to get access token"); const httpClient = this.httpClient(accessTokenUrl); /** * Default field. One can call `clearField` to remove them */ httpClient.field("grant_type", "authorization_code"); httpClient.field("redirect_uri", this.options.callbackUrl); httpClient.field("client_id", this.options.clientId); httpClient.field("client_secret", this.options.clientSecret); const codeVerifier = this.getPkceCodeVerifierForAccessToken(); if (codeVerifier) httpClient.field("code_verifier", codeVerifier); /** * Expecting JSON response. One can call `parseAs('text')` for urlencoded * response */ httpClient.parseAs("json"); this.configureAccessTokenRequest(httpClient); /** * Invoke the user callback after setting defaults. This allows the callback * to clear/overwrite them */ if (typeof callback === "function") callback(httpClient); /** * Make request and parse response */ const response = await httpClient.post(); const accessTokenResponse = this.processClientResponse(httpClient, response); debug_default("oauth2 access token response %O", accessTokenResponse); const { access_token: accessToken, token_type: tokenType, expires_in: expiresIn, refresh_token: refreshToken, ...parsed } = accessTokenResponse; /** * We expect the response to have "access_token" */ if (!accessToken) throw new E_OAUTH_MISSING_TOKEN(E_OAUTH_MISSING_TOKEN.oauth2Message, { cause: parsed }); return { token: accessToken, type: tokenType, expiresIn, ...expiresIn ? { expiresAt: new Date((/* @__PURE__ */ new Date()).getTime() + 1e3 * expiresIn) } : {}, refreshToken, ...parsed }; } }; //#endregion export { Oauth2Client };