UNPKG

oidc-provider

Version:

OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect

github.com/panva/node-oidc-provider

panva/node-oidc-provider

199 lines (159 loc) 5.69 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
import { WEB_URI } from '../consts/client_attributes.js'; import instance from './weak_cache.js'; import addClient from './add_client.js'; import als from './als.js'; import { InvalidClient, InvalidClientMetadata } from './errors.js'; import fetchBodyCheck from './fetch_body_check.js'; import fetchRequest from './fetch_request.js'; const FORBIDDEN_AUTH_METHODS = new Set([ 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', ]); const cache = new WeakMap(); function getCache(provider) { let entries = cache.get(provider); if (!entries) { entries = new Map(); cache.set(provider, entries); } return entries; } export function isValidClientIdUrl(id) { const url = URL.parse(id); if (!url) { return false; } // MUST have an "https" scheme if (url.protocol !== 'https:') { return false; } // MUST contain a path component (not just "/") if (!url.pathname || url.pathname === '/') { return false; } // MUST NOT contain single-dot or double-dot path segments // URL.parse normalizes dot segments, so check the raw input const rawPath = id.replace(/^https:\/\/[^/]*/i, '').split('?')[0].split('#')[0]; const rawSegments = rawPath.split('/'); if (rawSegments.some((seg) => seg === '.' || seg === '..')) { return false; } // MUST NOT contain a fragment component if (url.hash) { return false; } // MUST NOT contain a username or password if (url.username || url.password) { return false; } return true; } function parseCacheDuration(response, { min, max }) { let duration; const cacheControl = response.headers.get('cache-control'); if (cacheControl) { const maxAgeMatch = cacheControl.match(/(?:^|,)\s*max-age\s*=\s*(\d+)/i); if (maxAgeMatch) { duration = parseInt(maxAgeMatch[1], 10); } } if (duration === undefined) { const expires = response.headers.get('expires'); if (expires) { const expiresDate = Date.parse(expires); if (!Number.isNaN(expiresDate)) { duration = Math.floor((expiresDate - Date.now()) / 1000); } } } if (duration === undefined) { duration = min; } return Math.max(min, Math.min(max, duration)); } export async function resolveClientByMetadataDocument(provider, id) { const { features: { clientIdMetadataDocument: feature }, } = instance(provider).configuration; const ctx = als.getStore(); const entries = getCache(provider); // Check cache const cached = entries.get(id); if (cached && cached.freshUntil > Date.now()) { const client = await addClient(provider, cached.properties, { store: false }); Object.defineProperty(client, 'clientIdMetadataDocument', { value: true }); if (!(await feature.allowClient(ctx, client))) { throw new InvalidClient('client is not allowed'); } return client; } // Gate the fetch if (!(await feature.allowFetch(ctx, id))) { throw new InvalidClient('client_id metadata document fetch not allowed'); } let response; try { response = await fetchRequest(provider, id, { method: 'GET', headers: { accept: 'application/json', }, redirect: 'manual', }); } catch (err) { throw new InvalidClient('client_id metadata document fetch failed', err.message); } if (response.status !== 200) { throw new InvalidClient('client_id metadata document fetch failed', `unexpected response status ${response.status}`); } let bodyText; try { bodyText = (await fetchBodyCheck(provider, 'client_id metadata document', response)).toString(); } catch (err) { throw new InvalidClient('client_id metadata document fetch failed', err.message); } let properties; try { properties = JSON.parse(bodyText); } catch { throw new InvalidClient('client_id metadata document fetch failed', 'invalid JSON'); } if (typeof properties !== 'object' || properties === null || Array.isArray(properties)) { throw new InvalidClientMetadata('client_id metadata document is not a JSON object'); } // client_id property MUST match the URL via simple string comparison if (properties.client_id !== id) { throw new InvalidClientMetadata('client_id metadata document client_id does not match the expected value'); } // token_endpoint_auth_method MUST NOT be a shared-secret method if (FORBIDDEN_AUTH_METHODS.has(properties.token_endpoint_auth_method)) { throw new InvalidClientMetadata('client_id metadata document must not use shared-secret token endpoint authentication methods'); } // client_secret and client_secret_expires_at MUST NOT be present if ('client_secret' in properties || 'client_secret_expires_at' in properties) { throw new InvalidClientMetadata('client_id metadata document must not contain client_secret or client_secret_expires_at'); } // URI properties MUST be absolute URIs using the https: scheme for (const prop of WEB_URI) { if (prop in properties) { const uri = URL.parse(properties[prop]); if (!uri || uri.protocol !== 'https:') { throw new InvalidClientMetadata(`client_id metadata document ${prop} must be an https: URL`); } } } // Compute cache TTL const ttl = parseCacheDuration(response, feature.cacheDuration); const client = await addClient(provider, properties, { store: false }); Object.defineProperty(client, 'clientIdMetadataDocument', { value: true }); // Cache the valid properties entries.set(id, { properties, freshUntil: Date.now() + (ttl * 1000), }); if (!(await feature.allowClient(ctx, client))) { throw new InvalidClient('client is not allowed'); } return client; }