UNPKG

signalk-server

Version:

An implementation of a [Signal K](http://signalk.org) server for boats.

59 lines 2.82 kB
import { Request, Response, IRouter } from 'express'; import { OIDCConfig, OIDCUserInfo, OIDCCryptoService, ExternalUserService, ExternalUser } from './types'; /** * Validate and merge userinfo claims into ID token claims. * * Security considerations: * - Validates that userinfo sub matches ID token sub (OIDC Core spec requirement) * - Only merges safe claims (email, name, preferred_username, groups) * - Does NOT allow userinfo to overwrite security-critical claims (sub, iss, aud, nonce) * * @param idTokenClaims The validated claims from the ID token * @param userinfoClaims The claims from the userinfo endpoint * @param groupsAttribute The attribute name for groups (default: 'groups') * @throws OIDCError if userinfo sub doesn't match ID token sub */ export declare function validateAndMergeUserinfoClaims(idTokenClaims: Record<string, unknown>, userinfoClaims: Record<string, unknown>, groupsAttribute?: string): void; /** * Dependencies injected by tokensecurity. * This interface defines the contract between tokensecurity and OIDC authentication. */ export interface OIDCAuthDependencies { /** Get parsed OIDC configuration */ getOIDCConfig: () => OIDCConfig; /** Set session cookies after successful authentication */ setSessionCookie: (res: Response, req: Request, token: string, username: string, options?: { rememberMe?: boolean; }) => void; /** Clear session cookies on logout */ clearSessionCookie: (res: Response) => void; /** Generate a JWT for a user */ generateJWT: (userId: string, expiration?: string) => string; /** * Crypto service for OIDC state encryption. * Provides a derived secret - OIDC handles its own encryption. */ cryptoService: OIDCCryptoService; /** * User service for external authentication providers. * Abstracts user storage so OIDC doesn't need to know about * the underlying storage mechanism. */ userService: ExternalUserService; } /** * Find or create a user from OIDC authentication. * This function looks up existing users by OIDC subject+issuer, or creates * a new user if auto-creation is enabled. * * For existing users, permissions are recalculated on each login based on * current group memberships. This allows permission changes to take effect * when group assignments change in the identity provider. */ export declare function findOrCreateOIDCUser(userInfo: OIDCUserInfo, oidcConfig: OIDCConfig, deps: Pick<OIDCAuthDependencies, 'userService'>): Promise<ExternalUser | null>; /** * Register OIDC authentication routes. * This function adds the OIDC login, callback, and status endpoints to the Express app. */ export declare function registerOIDCRoutes(app: IRouter, deps: OIDCAuthDependencies): void; //# sourceMappingURL=oidc-auth.d.ts.map