
@sap/xssec


XS Advanced Container Security API for node.js

const ConfigurationError = require("../error/configuration/ConfigurationError");
const SecurityContext = require("./SecurityContext");

/**
 * @typedef {import('../service/IdentityService')} IdentityService
 * @typedef {import('../token/IdentityServiceToken')} IdentityServiceToken
 * @typedef {import('../util/Types').SecurityContextConfig} SecurityContextConfig
 */

/**
 * Security context built from a validated Identity Service token.
 * @extends {SecurityContext<IdentityService, IdentityServiceToken>}
 */
class IdentityServiceSecurityContext extends SecurityContext {
    /**
     * XsuaaSecurityContext that is present when an XsuaaLegacyExtension instance has been configured.
     * @type {import("./XsuaaSecurityContext")}
     */
    xsuaaContext;

    /**
     * @param {IdentityService|null} service - the IdentityService the token was validated against
     * @param {IdentityServiceToken} token - the validated token this context wraps
     * @param {SecurityContextConfig} [contextConfig] - optional per-context configuration
     */
    constructor(service, token, contextConfig) {
        super(service, token, contextConfig);
    }

    /**
     * Service plans of the consumer application.
     * Only available when the context was created from an app2service token on an IdentityService
     * with proof token validation enabled; otherwise a ConfigurationError is thrown.
     * @returns {string[]}
     * @throws {ConfigurationError} if the IdentityService does not have proof token validation enabled
     */
    get servicePlans() {
        const proofTokenEnabled = this.service.hasProofTokenEnabled();
        if (proofTokenEnabled) {
            return this.config.servicePlans;
        }
        throw new ConfigurationError("This property is only available on IdentityServiceSecurityContexts created on an IdentityService with proofToken validation enabled.");
    }

    /**
     * Fetches an OAuth id token for the user of this context's validated token.
     * An id token is returned as is; an access token is exchanged for an id token;
     * a token of a technical user results in an error.
     *
     * Repeated calls with access tokens are served from a cache while the cached id token is valid for at least 5min.
     * The cache size (default: 100) is configured via the `idTokenCache` service configuration property.
     *
     * @param {import("../util/Types").TokenFetchOptions & import("../util/Types").IdentityServiceTokenFetchOptions} [options] - custom token fetch options
     * @returns {Promise<string>} the id token as raw jwt string
     * @throws {Error} if the token is from a technical user
     */
    getIdToken(options = {}) {
        // Caller-supplied options are spread last, so they take precedence over the
        // correlationId / app_tid defaults derived from this context.
        const fetchOptions = {
            correlationId: this.config.correlationId,
            app_tid: this.token.appTid,
            ...options,
        };
        return this.service._getIdToken(this.token, fetchOptions);
    }

    /**
     * Tells whether the token behind this context was fetched by the OAuth 2.0 client itself for internal use,
     * i.e. azp, subject and appTid all match the credentials of this context's IdentityService instance.
     * Requires the IdentityService to have x5t validation enabled.
     * @returns {boolean} true if the token was fetched via client credentials flow with the credentials of this context's IdentityService instance, false otherwise.
     * @throws {ConfigurationError} if the IdentityService does not have x5t validation enabled
     */
    isInternal() {
        if (!this.service.hasX5tEnabled()) {
            throw new ConfigurationError("This method is only available on IdentityServiceSecurityContexts created on an IdentityService instance with x5t validation enabled.");
        }
        const credentials = this.service.credentials;
        // Short-circuit in the same order: authorized party, then subject, then tenant.
        const isOwnClient = this.token.azp === credentials.clientid
            && this.token.subject === credentials.clientid;
        return isOwnClient && this.token.appTid === credentials.app_tid;
    }

    // Methods for backward-compatibility

    /**
     * Base user info extended with a `logonName`: the first non-empty value of
     * the token's user_name claim, email or user_uuid claim, else "".
     * @returns {object}
     */
    getUserInfo() {
        const baseInfo = super.getUserInfo();
        const { payload } = this.token;
        const logonName = payload.user_name || this.token.email || payload.user_uuid || "";
        return {
            ...baseInfo,
            logonName,
        };
    }
}

module.exports = IdentityServiceSecurityContext;