Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync with latest #3

Merged
merged 3 commits into from
Apr 17, 2024
Merged

Sync with latest #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
48e3a93
trim whitespace
dickhardt Apr 16, 2024
d49f04f
secure cookie if SAME_SITE none
dickhardt Apr 16, 2024
db7d81f
1.0.13
dickhardt Apr 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "client-as",
"version": "1.0.12",
"version": "1.0.13",
"description": "Hellō Client and Authorization Server",
"main": "server.js",
"directories": {
Expand Down
47 changes: 24 additions & 23 deletions src/api.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ const PRODUCTION = (process.env.NODE_ENV === 'production')
const DEVELOPMENT = (process.env.NODE_ENV === 'development')

const SAME_SITE = (DEVELOPMENT) ? 'none' : 'strict'
const SECURE = PRODUCTION || (SAME_SITE === 'none')

const { version } = require('../package.json')

Expand Down Expand Up @@ -92,12 +93,12 @@ const META_DATA: MetaData = {
token_endpoint: TOKEN_ENDPOINT,
jwks_uri: JWKS_ENDPOINT,
grant_types_supported: [
'authorization_code',
'client_credentials',
'authorization_code',
'client_credentials',
'refresh_token',
'cookie_token', // non-standard
],
revocation_endpoint: REVOCATION_ENDPOINT,
revocation_endpoint: REVOCATION_ENDPOINT,
}
if (USE_DPOP) {
META_DATA.dpop_signing_alg_values_supported = ['RS256']
Expand All @@ -107,8 +108,8 @@ if (USE_DPOP) {
console.log('/.well-known/oauth-authorization-server', JSON.stringify(META_DATA, null, 2))

class TokenError extends Error {
statusCode: number;
statusCode: number;

constructor(statusCode: number, message: string) {
super(message);
this.statusCode = statusCode || 500
Expand All @@ -129,15 +130,15 @@ const setTokenCookies = (reply: FastifyReply, access_token: string, refresh_toke
maxAge: access_token ? ACCESS_LIFETIME : 0,
httpOnly: true,
path: API_ROOT,
secure: PRODUCTION,
secure: SECURE,
sameSite: SAME_SITE,
})

const refreshTokenCookie = serializeCookie('refresh_token', refresh_token || '', {
maxAge: refresh_token ? REFRESH_LIFETIME : 0,
httpOnly: true,
path: TOKEN_ENDPOINT,
secure: PRODUCTION,
secure: SECURE,
sameSite: SAME_SITE,
})

Expand All @@ -146,9 +147,9 @@ const setTokenCookies = (reply: FastifyReply, access_token: string, refresh_toke
maxAge: 0,
httpOnly: true,
path: TOKEN_ENDPOINT,
secure: PRODUCTION,
secure: SECURE,
sameSite: SAME_SITE,
})
})

reply.header('Set-Cookie', [accessTokenCookie, refreshTokenCookie, sessionTokenCookie]);
}
Expand All @@ -159,7 +160,7 @@ const setSessionCookie = (reply: FastifyReply, session_token: string) => {
maxAge: session_token ? STATE_LIFETIME : 0,
httpOnly: true,
path: TOKEN_ENDPOINT,
secure: PRODUCTION,
secure: SECURE,
sameSite: SAME_SITE,
})
reply.header('Set-Cookie', sessionTokenCookie);
Expand Down Expand Up @@ -217,7 +218,7 @@ const validateDPoP = (req: FastifyRequest): string => {
throw new TokenError(400, 'DPoP signature is invalid')
const jkt = generateThumbprint(jwk)
return jkt
}
}

const refreshFromCode = async (code: string, client_id: string, jkt: string): Promise<string> => {
const currentState = await state.read(code)
Expand All @@ -239,7 +240,7 @@ const refreshFromCode = async (code: string, client_id: string, jkt: string): Pr
// future - logout user to revoke issued refresh_token
throw new TokenError(400, 'code has already been used')
}
currentState.code_used = now
currentState.code_used = now
await state.update(code, currentState)

const payload: Payload = {
Expand Down Expand Up @@ -295,7 +296,7 @@ const refreshFromRefresh = (refresh_token: string): string => {
}

const refreshFromSession = async (session_token: string) => {
// lookup session_token and get payload
// lookup session_token and get payload
const { header, payload } = jws.decode(session_token, { json: true })
// TODO -- verify session_token
if (!header || !payload) {
Expand Down Expand Up @@ -346,7 +347,7 @@ const accessFromRefresh = (refresh_token: string): string => {
throw new TokenError(400, 'refresh_token is invalid')
}
const now = Math.floor(Date.now() / 1000)
// check if expired
// check if expired
if (payload.exp < now) {
throw new TokenError(400, 'refresh_token is expired')
}
Expand Down Expand Up @@ -418,7 +419,7 @@ const tokenEndpoint = async (req: FastifyRequest, reply: FastifyReply) => {
}

if (grant_type === 'refresh_token') {
if (!refresh_token){
if (!refresh_token){
return reply.code(400).send({error:'invalid_request', error_description:'refresh_token is required'})
}
const jwt = validateDPoP(req)
Expand Down Expand Up @@ -488,7 +489,7 @@ const tokenEndpoint = async (req: FastifyRequest, reply: FastifyReply) => {

const introspectEndpoint = async (req: FastifyRequest, reply: FastifyReply) => {
let token: string = ''

if (req.method === 'POST') {
({ token } = req?.body as { token: string })
} else if (req.method === 'GET') {
Expand Down Expand Up @@ -566,7 +567,7 @@ const loginSync = async ( params: LoginSyncParams ): Promise<LoginSyncResponse>
}

const now = Math.floor(Date.now() / 1000)
const currentState = await state.read(nonce)
const currentState = await state.read(nonce)
if (!currentState) {
console.error({error:'invalid_request', error_description:'nonce is invalid'})
return {}
Expand All @@ -575,7 +576,7 @@ const loginSync = async ( params: LoginSyncParams ): Promise<LoginSyncResponse>
if (!PRODUCTION) {
console.log('loginSync', {currentState})
}


if (currentState.loggedIn) {
console.error({error:'invalid_request', error_description:'nonce is already logged in'})
Expand All @@ -587,14 +588,14 @@ const loginSync = async ( params: LoginSyncParams ): Promise<LoginSyncResponse>
}

// we have a valid state to change to sync login across channels
await state.update(nonce, {
await state.update(nonce, {
iss: ISSUER,
exp: now + STATE_LIFETIME,
nonce,
loggedIn: true,
sub
loggedIn: true,
sub
})


return {}
}
Expand Down Expand Up @@ -628,7 +629,7 @@ const api = (app: FastifyInstance) => {
})
app.get(JWKS_ENDPOINT, (req, reply) => {
return reply.send(PUBLIC_JWKS)
})
})
app.get(AUTH_ROUTE+"/version", (request, reply) => {
return reply.send({version});
});
Expand Down
1 change: 0 additions & 1 deletion src/jwks.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,4 +76,3 @@ try {
}

export { PRIVATE_KEY, PUBLIC_KEY, PUBLIC_JWKS };

2 changes: 1 addition & 1 deletion src/state.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// store state of auth
// store state of auth

import Redis from 'ioredis';
import { STATE_LIFETIME } from './constants';
Expand Down