
@simulacrum/auth0-simulator


Run local instance of Auth0 API for local development and integration testing

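const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
require('../store/entities.cjs');
require('../store/index.cjs');
const require_utils = require('./utils.cjs');
const require_date = require('../auth/date.cjs');
const require_jwt = require('../auth/jwt.cjs');
const require_rules_runner = require('../rules/rules-runner.cjs');
const require_refresh_token = require('../auth/refresh-token.cjs');
const assert_ts = require("assert-ts");
const base64_url = require("base64-url");
const node_crypto = require("node:crypto");

//#region src/handlers/oauth-handlers.ts

/**
 * Constant-time comparison for the password grant.
 *
 * Returns false instead of throwing when either side is not a string, so a
 * person in the scenario with no `password` never matches, and so the length
 * check below never reaches timingSafeEqual with mismatched buffers.
 *
 * @param {unknown} supplied - password from the token request body
 * @param {unknown} expected - password stored on the person in the simulation store
 * @returns {boolean} true only when both are strings with identical bytes
 */
const secretsMatch = (supplied, expected) => {
  if (typeof supplied !== "string" || typeof expected !== "string") return false;
  const a = Buffer.from(supplied);
  const b = Buffer.from(expected);
  return a.length === b.length && node_crypto.timingSafeEqual(a, b);
};

/**
 * Decode a refresh token produced by createRefreshToken: base64url-encoded JSON.
 *
 * The token is neither signed nor encrypted, so anything that decodes to JSON
 * carrying `user.id` is accepted. That is acceptable for a local simulator but
 * means these refresh tokens are never proof of identity outside tests.
 * Malformed input is reported as a 400 assert rather than leaking a raw
 * TypeError / SyntaxError (which the caller would surface as a 500).
 *
 * @param {unknown} refreshTokenValue - the `refresh_token` form field
 * @returns {{ user: { id: unknown }, nonce?: unknown, exp?: unknown, rotations?: unknown, scope?: unknown }}
 * @throws assert "400::..." when the value is missing, undecodable, or has no user id
 */
const parseRefreshToken = (refreshTokenValue) => {
  (0, assert_ts.assert)(
    typeof refreshTokenValue === "string" && refreshTokenValue.length > 0,
    "400::No refresh_token in request",
  );
  let decoded;
  try {
    decoded = JSON.parse((0, base64_url.decode)(refreshTokenValue));
  } catch {
    (0, assert_ts.assert)(false, "400::Malformed refresh_token");
  }
  (0, assert_ts.assert)(typeof decoded?.user?.id !== "undefined", "400::refresh_token has no user");
  return decoded;
};

/**
 * Handle the token exchange (POST /oauth/token) for the simulator.
 *
 * Grant handling:
 *  - `client_credentials`: returns only an access_token, no user involved.
 *  - `refresh_token`: the user is looked up by the id carried inside the
 *    (unsigned) refresh token; the token's nonce is required.
 *  - anything else (`password`, passwordless OTP, authorization code):
 *    the user is resolved by verifyUserExistsInStore.
 * After the user is found, rules from `rulesDirectory` run and may mutate the
 * access/id token claims before they are signed.
 *
 * @param {object} args
 * @param {object} args.body - parsed token request body (grant_type, refresh_token, code, username, password, ...)
 * @param {string} args.iss - issuer claim
 * @param {string} args.clientID - used as the id_token `aud`
 * @param {string} args.audience - used as the access_token `aud`
 * @param {string} args.rulesDirectory - where createRulesRunner loads rules from
 * @param {unknown} args.scope - scope configuration handed to deriveScope
 * @param {object} args.simulationStore - store queried for people
 * @returns {Promise<{ access_token: string, id_token?: string, refresh_token?: string }>}
 * @throws assert "400::..." on bad input, "401::Unauthorized" on bad credentials,
 *   "500::No user found" when a refresh token points at a person not in the store
 */
const createTokens = async ({ body, iss, clientID, audience, rulesDirectory, scope: scopeConfig, simulationStore }) => {
  const { grant_type } = body;
  const scope = require_utils.deriveScope({ scopeConfig, clientID, audience });
  const accessToken = getBaseAccessToken({ iss, grant_type, scope, audience });

  // Machine-to-machine flow: no user, so no id_token and no refresh_token.
  if (grant_type === "client_credentials") {
    return { access_token: require_jwt.createJsonWebToken(accessToken) };
  }

  let user;
  let nonce;
  if (grant_type === "refresh_token") {
    const refreshToken = parseRefreshToken(body.refresh_token);
    // NOTE(review): `exp`, `rotations` and `scope` stored in the refresh token are
    // carried from issuance but never checked here; the new tokens get the
    // configured scope and a fresh expiry, and `rotations` restarts at 0 below.
    // Confirm that this is intended for the simulator.
    user = require_utils.createPersonQuery(simulationStore)((person) => person.id === refreshToken.user.id);
    nonce = refreshToken.nonce;
    (0, assert_ts.assert)(!!nonce, `400::No nonce in request`);
  } else {
    const result = verifyUserExistsInStore({ simulationStore, body, grant_type });
    user = result.user;
    nonce = result.nonce;
  }
  (0, assert_ts.assert)(!!user, "500::No user found");

  const { idTokenData, userData } = getIdToken({ body, iss, user, clientID, nonce });
  // Rules receive the mutable profile and context; whatever they leave in
  // context.accessToken / context.idToken is merged into the signed tokens.
  const context = { clientID, accessToken: { scope, sub: idTokenData.sub }, idToken: idTokenData };
  await require_rules_runner.createRulesRunner(rulesDirectory)(userData, context);

  // The `email` claim is only added to the access token when the scope grants it.
  const grantedScopes = scope.split(" ");
  const accessTokenClaims = {
    ...accessToken,
    ...context.accessToken,
    ...(grantedScopes.includes("email") ? { email: user.email } : {}),
  };

  return {
    access_token: require_jwt.createJsonWebToken(accessTokenClaims),
    id_token: require_jwt.createJsonWebToken({ ...userData, ...context.idToken }),
    refresh_token: require_refresh_token.issueRefreshToken(scope, grant_type)
      ? require_refresh_token.createRefreshToken({ exp: idTokenData.exp, rotations: 0, scope, user, nonce })
      : void 0,
  };
};

/**
 * Build the id_token claims plus the profile object handed to rules.
 *
 * NOTE(review): the profile fields in `userData` (name, email, user_id, nickname,
 * picture, identities) prefer values from the token request body when present,
 * so a client can put arbitrary values for those claims into the id_token.
 * `email` and `sub` in `idTokenData` always come from the stored person and win
 * when the caller merges the two, but `user_id` may still differ from `sub`.
 * Presumably intentional so scenarios can shape the token — confirm with callers.
 *
 * @param {object} args
 * @param {object|undefined} args.body - token request body; optional profile overrides
 * @param {string} args.iss - issuer claim
 * @param {object} args.user - person from the store; must have an email
 * @param {string} args.clientID - audience of the id_token
 * @param {unknown} [args.nonce] - echoed into the id_token only when defined
 * @returns {{ idTokenData: object, userData: object }}
 * @throws assert "500::User in store requires an email"
 */
const getIdToken = ({ body, iss, user, clientID, nonce }) => {
  (0, assert_ts.assert)(!!user.email, "500::User in store requires an email");

  const userData = {
    name: body?.name ?? user.name,
    email: body?.email ?? user.email,
    email_verified: true,
    user_id: body?.id ?? user.id,
    nickname: body?.nickname,
    picture: body?.picture ?? user.picture,
    identities: body?.identities,
  };

  const idTokenData = {
    alg: "RS256",
    typ: "JWT",
    iss,
    exp: require_date.expiresAt(),
    iat: require_date.epochTime(),
    email: user.email,
    aud: clientID,
    sub: user.id,
  };
  if (typeof nonce !== "undefined") idTokenData.nonce = nonce;

  return { userData, idTokenData };
};

/**
 * Claims shared by every access token regardless of grant.
 *
 * @param {object} args
 * @param {string} args.iss - issuer
 * @param {string} args.grant_type - recorded as the non-standard `gty` claim
 * @param {string} args.scope - space-separated scope string
 * @param {string} args.audience - `aud` claim
 * @returns {object} unsigned access-token claims
 */
const getBaseAccessToken = ({ iss, grant_type, scope, audience }) => ({
  iss,
  exp: require_date.expiresAt(),
  iat: require_date.epochTime(),
  aud: audience,
  gty: grant_type,
  scope,
});

/**
 * Resolve the person a non-client-credentials, non-refresh grant refers to.
 *
 *  - passwordless OTP grant: match by `body.username` (email) only; the OTP
 *    itself is not checked here.
 *  - `password` grant: match by email AND a constant-time password comparison.
 *    Both fields must be present — previously a request without `password`
 *    fell through to the email-only match and was accepted.
 *  - otherwise (authorization code): `body.code` is base64url("<nonce>:<username>")
 *    as minted by the simulator. It is unsigned, not single-use and never expires,
 *    which is fine for a local simulator and nothing else.
 *
 * @param {object} args
 * @param {object} args.simulationStore - store queried for people
 * @param {object} args.body - token request body
 * @param {string} args.grant_type - the grant being exchanged
 * @returns {{ user: object, nonce: string|undefined }} nonce only set for the code path
 * @throws assert "400::..." on missing fields, "401::Unauthorized" when no person matches,
 *   "500::no email defined on person scenario" for a person without an email
 */
const verifyUserExistsInStore = ({ simulationStore, body, grant_type }) => {
  const { code } = body;
  const personQuery = require_utils.createPersonQuery(simulationStore);
  let nonce;
  let username;
  let password;

  if (grant_type === "http://auth0.com/oauth/grant-type/passwordless/otp") {
    username = body.username;
  } else if (grant_type === "password") {
    username = body.username;
    password = body.password;
    // Without this, `password === undefined` skipped the password check entirely.
    (0, assert_ts.assert)(typeof password === "string", "400::no password in /oauth/token");
  } else {
    (0, assert_ts.assert)(typeof code === "string", "400::no code in /oauth/token");
    [nonce, username] = (0, base64_url.decode)(code).split(":");
    (0, assert_ts.assert)(!!username, `400::no nonce in store for ${code}`);
  }
  // A missing username used to surface as a TypeError (500) from toLowerCase().
  (0, assert_ts.assert)(typeof username === "string" && username.length > 0, "400::no username in /oauth/token");
  const wanted = username.toLowerCase();

  const user = personQuery((person) => {
    (0, assert_ts.assert)(!!person.email, `500::no email defined on person scenario`);
    if (person.email.toLowerCase() !== wanted) return false;
    // OTP and code grants authenticate by email alone; only the password grant
    // sets `password`.
    if (typeof password === "undefined") return true;
    return secretsMatch(password, person.password);
  });
  (0, assert_ts.assert)(!!user, "401::Unauthorized");

  return { user, nonce };
};

//#endregion

exports.createTokens = createTokens;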