UNPKG

@wristband/express-auth

Version:

SDK for integrating your ExpressJS application with Wristband. Handles user authentication and token management.

wristband-dev/express-auth

181 lines (180 loc) • 9.47 kB

JavaScript

"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.isExpired = exports.getOAuthAuthorizeUrl = exports.createLoginStateCookie = exports.clearOldestLoginStateCookie = exports.createLoginState = exports.resolveTenantCustomDomainParam = exports.resolveTenantDomainName = exports.getAndClearLoginStateCookie = exports.decryptLoginState = exports.encryptLoginState = exports.base64URLEncode = exports.generateRandomString = exports.parseTenantSubdomain = void 0; const crypto_1 = require("crypto"); const iron_webcrypto_1 = require("iron-webcrypto"); const crypto = __importStar(require("uncrypto")); const constants_1 = require("./constants"); const cookies_1 = require("./cookies"); function parseTenantSubdomain(req, rootDomain) { const { host } = req.headers; return host.substring(host.indexOf('.') + 1) === rootDomain ? host.substring(0, host.indexOf('.')) : ''; } exports.parseTenantSubdomain = parseTenantSubdomain; function generateRandomString(length) { return (0, crypto_1.randomBytes)(length).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); } exports.generateRandomString = generateRandomString; function base64URLEncode(str) { return str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); } exports.base64URLEncode = base64URLEncode; async function encryptLoginState(loginState, loginStateSecret) { const encryptedLoginState = await (0, iron_webcrypto_1.seal)(crypto, loginState, loginStateSecret, iron_webcrypto_1.defaults); if (encryptedLoginState.length > 4096) { throw new TypeError('Login state cookie exceeds 4kB in size. Ensure your [customState] and [returnUrl] values are a reasonable size.'); } return encryptedLoginState; } exports.encryptLoginState = encryptLoginState; async function decryptLoginState(loginStateCookie, loginStateSecret) { const loginState = await (0, iron_webcrypto_1.unseal)(crypto, loginStateCookie, loginStateSecret, iron_webcrypto_1.defaults); return loginState; } exports.decryptLoginState = decryptLoginState; function getAndClearLoginStateCookie(req, res, dangerouslyDisableSecureCookies) { const { state } = req.query; const paramState = state ? state.toString() : ''; const cookies = (0, cookies_1.parseCookies)(req); // This should always resolve to a single cookie with this prefix, or possibly no cookie at all // if it got cleared or expired before the callback was triggered. const matchingLoginCookieNames = Object.keys(cookies).filter((cookieName) => { return cookieName.startsWith(`${constants_1.LOGIN_STATE_COOKIE_PREFIX}${paramState}${constants_1.LOGIN_STATE_COOKIE_SEPARATOR}`); }); let loginStateCookie = ''; if (matchingLoginCookieNames.length > 0) { const cookieName = matchingLoginCookieNames[0]; loginStateCookie = cookies[cookieName]; (0, cookies_1.clearCookie)(res, cookieName, dangerouslyDisableSecureCookies); } return loginStateCookie; } exports.getAndClearLoginStateCookie = getAndClearLoginStateCookie; function resolveTenantDomainName(req, useTenantSubdomains, rootDomain) { if (useTenantSubdomains) { return parseTenantSubdomain(req, rootDomain) || ''; } const { tenant_domain: tenantDomainParam } = req.query; if (!!tenantDomainParam && typeof tenantDomainParam !== 'string') { throw new TypeError('More than one [tenant_domain] query parameter was encountered'); } return tenantDomainParam || ''; } exports.resolveTenantDomainName = resolveTenantDomainName; function resolveTenantCustomDomainParam(req) { const { tenant_custom_domain: tenantCustomDomainParam } = req.query; if (!!tenantCustomDomainParam && typeof tenantCustomDomainParam !== 'string') { throw new TypeError('More than one [tenant_custom_domain] query parameter was encountered'); } return tenantCustomDomainParam || ''; } exports.resolveTenantCustomDomainParam = resolveTenantCustomDomainParam; function createLoginState(req, redirectUri, config = {}) { const { return_url: returnUrl } = req.query; if (!!returnUrl && typeof returnUrl !== 'string') { throw new TypeError('More than one [return_url] query parameter was encountered'); } const loginStateData = { state: generateRandomString(32), codeVerifier: generateRandomString(32), redirectUri, ...(!!returnUrl && typeof returnUrl === 'string' ? { returnUrl } : {}), ...(!!config.customState && !!Object.keys(config.customState).length ? { customState: config.customState } : {}), }; return config.customState ? { ...loginStateData, customState: config.customState } : loginStateData; } exports.createLoginState = createLoginState; function clearOldestLoginStateCookie(req, res, dangerouslyDisableSecureCookies) { const cookies = (0, cookies_1.parseCookies)(req); // The max amount of concurrent login state cookies we allow is 3. If there are already 3 cookies, // then we clear the one with the oldest creation timestamp to make room for the new one. const allLoginCookieNames = Object.keys(cookies).filter((cookieName) => { return cookieName.startsWith(`${constants_1.LOGIN_STATE_COOKIE_PREFIX}`); }); // Retain only the 2 cookies with the most recent timestamps. if (allLoginCookieNames.length >= 3) { const mostRecentTimestamps = allLoginCookieNames .map((cookieName) => { return cookieName.split(constants_1.LOGIN_STATE_COOKIE_SEPARATOR)[2]; }) .sort() .reverse() .slice(0, 2); allLoginCookieNames.forEach((cookieName) => { const timestamp = cookieName.split(constants_1.LOGIN_STATE_COOKIE_SEPARATOR)[2]; if (!mostRecentTimestamps.includes(timestamp)) { (0, cookies_1.clearCookie)(res, cookieName, dangerouslyDisableSecureCookies); } }); } } exports.clearOldestLoginStateCookie = clearOldestLoginStateCookie; function createLoginStateCookie(res, state, encryptedLoginState, dangerouslyDisableSecureCookies) { // Add the new login state cookie (1 hour max age). const cookieName = `${constants_1.LOGIN_STATE_COOKIE_PREFIX}${state}${constants_1.LOGIN_STATE_COOKIE_SEPARATOR}${Date.now().valueOf()}`; (0, cookies_1.setCookie)(res, cookieName, encryptedLoginState, { maxAge: 3600000, dangerouslyDisableSecureCookies }); } exports.createLoginStateCookie = createLoginStateCookie; function getOAuthAuthorizeUrl(req, config) { const { login_hint: loginHint } = req.query; if (!!loginHint && typeof loginHint !== 'string') { throw new TypeError('More than one [login_hint] query parameter was encountered'); } const queryParams = new URLSearchParams({ client_id: config.clientId, redirect_uri: config.redirectUri, response_type: 'code', state: config.state, scope: config.scopes.join(' '), code_challenge: base64URLEncode((0, crypto_1.createHash)('sha256').update(config.codeVerifier).digest('base64')), code_challenge_method: 'S256', nonce: generateRandomString(32), ...(!!loginHint && typeof loginHint === 'string' ? { login_hint: loginHint } : {}), }); const separator = config.useCustomDomains ? '.' : '-'; // Domain priority order resolution: // 1) tenant_custom_domain query param // 2a) tenant subdomain // 2b) tenant_domain query param // 3) defaultTenantCustomDomain login config // 4) defaultTenantDomainName login config if (config.tenantCustomDomain) { return `https://${config.tenantCustomDomain}/api/v1/oauth2/authorize?${queryParams.toString()}`; } if (config.tenantDomainName) { return `https://${config.tenantDomainName}${separator}${config.wristbandApplicationDomain}/api/v1/oauth2/authorize?${queryParams.toString()}`; } if (config.defaultTenantCustomDomain) { return `https://${config.defaultTenantCustomDomain}/api/v1/oauth2/authorize?${queryParams.toString()}`; } return `https://${config.defaultTenantDomainName}${separator}${config.wristbandApplicationDomain}/api/v1/oauth2/authorize?${queryParams.toString()}`; } exports.getOAuthAuthorizeUrl = getOAuthAuthorizeUrl; function isExpired(expiresAt) { const currentTime = Date.now().valueOf(); return currentTime >= expiresAt; } exports.isExpired = isExpired;