UNPKG

signalk-server

Version:

An implementation of a [Signal K](http://signalk.org) server for boats.

194 lines 5.89 kB
/** * Signal K permission type */ export type SignalKPermission = 'readonly' | 'readwrite' | 'admin'; /** * OIDC Configuration - merged from environment variables and security.json */ export interface OIDCConfig { enabled: boolean; issuer: string; clientId: string; clientSecret: string; redirectUri: string; scope: string; defaultPermission: SignalKPermission; autoCreateUsers: boolean; /** Groups that grant admin permission */ adminGroups?: string[]; /** Groups that grant readwrite permission */ readwriteGroups?: string[]; /** * ID token claim key for groups (default: 'groups'). * Common alternatives: 'roles', 'memberOf', 'cognito:groups' * Note: Groups must be present in the ID token, not the userinfo endpoint. * Both array and single string values are supported. */ groupsAttribute?: string; /** * Display name for the OIDC provider shown on the login button. * Default: 'SSO Login' */ providerName: string; /** * If true, automatically redirect to OIDC login when not authenticated. * Default: false */ autoLogin: boolean; } /** * Partial OIDC config for merging from different sources */ export interface PartialOIDCConfig { enabled?: boolean; issuer?: string; clientId?: string; clientSecret?: string; redirectUri?: string; scope?: string; defaultPermission?: SignalKPermission; autoCreateUsers?: boolean; adminGroups?: string[]; readwriteGroups?: string[]; groupsAttribute?: string; providerName?: string; autoLogin?: boolean; } /** * OIDC Authorization State - stored in cookie during auth flow */ export interface OIDCAuthState { state: string; codeVerifier: string; nonce: string; redirectUri: string; originalUrl: string; createdAt: number; } /** * OIDC Token Response */ export interface OIDCTokens { accessToken: string; idToken: string; refreshToken?: string; expiresIn?: number; tokenType: string; } /** * OIDC User Info - extracted from ID token or userinfo endpoint */ export interface OIDCUserInfo { sub: string; email?: string; name?: string; preferredUsername?: string; groups?: string[]; } /** * OIDC user identifier stored in security.json */ export interface OIDCUserIdentifier { sub: string; issuer: string; } /** * Discovery document cache entry */ export interface DiscoveryCache { metadata: OIDCProviderMetadata; fetchedAt: number; expiresAt: number; } /** * OIDC Provider Metadata (subset of OpenID Discovery) */ export interface OIDCProviderMetadata { issuer: string; authorization_endpoint: string; token_endpoint: string; userinfo_endpoint?: string; jwks_uri: string; response_types_supported: string[]; code_challenge_methods_supported?: string[]; /** Endpoint for RP-initiated logout (optional, not all providers support) */ end_session_endpoint?: string; } /** * OIDC Error codes */ export type OIDCErrorCode = 'DISCOVERY_FAILED' | 'INVALID_STATE' | 'STATE_EXPIRED' | 'INVALID_TOKEN' | 'TOKEN_EXCHANGE_FAILED' | 'USER_INFO_FAILED' | 'CONFIG_INVALID' | 'PKCE_FAILED' | 'NOT_CONFIGURED' | 'USER_CREATION_DENIED'; /** * OIDC Error class */ export declare class OIDCError extends Error { code: OIDCErrorCode; cause?: Error | undefined; constructor(message: string, code: OIDCErrorCode, cause?: Error | undefined); } /** * Default OIDC configuration values */ export declare const OIDC_DEFAULTS: Omit<OIDCConfig, 'issuer' | 'clientId' | 'clientSecret' | 'redirectUri'>; /** * State cookie configuration */ export declare const STATE_COOKIE_NAME = "OIDC_STATE"; export declare const STATE_MAX_AGE_MS: number; /** * Crypto service interface for OIDC state encryption. * * tokensecurity implements this by providing a derived secret. * OIDC handles its own encryption - tokensecurity knows nothing * about OIDC state structure (separation of concerns). */ export interface OIDCCryptoService { /** * Get the secret for OIDC state encryption. * This is derived from the master secret, ensuring OIDC * never has access to the JWT signing key. */ getStateEncryptionSecret(): string; } /** * Criteria for looking up users by external provider metadata. * Designed to support multiple auth providers, not just OIDC. */ export interface ProviderUserLookup { /** Provider identifier (e.g., 'oidc', 'ldap', 'saml') */ provider: string; /** Provider-specific lookup criteria */ criteria: Record<string, string>; } /** * Generic user service interface for external authentication providers. * Named generically to support future auth providers beyond OIDC. * * This interface abstracts user storage so authentication providers * don't need to know about the underlying storage mechanism * (array, SQLite, PostgreSQL, etc.). */ export interface ExternalUserService { /** Find a user by external provider metadata */ findUserByProvider(lookup: ProviderUserLookup): Promise<ExternalUser | null>; /** Find a user by username (for collision detection) */ findUserByUsername(username: string): Promise<ExternalUser | null>; /** Create a new user */ createUser(user: ExternalUser): Promise<void>; /** Update an existing user's type and/or provider data */ updateUser(username: string, updates: { type?: string; providerData?: Record<string, unknown>; }): Promise<void>; } /** * User representation for external auth providers. * This is a subset of the full User type that external providers need. */ export interface ExternalUser { username: string; type: string; /** Provider-specific identifier (e.g., OIDC sub+issuer) */ providerData?: Record<string, unknown>; } //# sourceMappingURL=types.d.ts.map