const noDotPathRE = /(\/\.\/|\/\.\.\/)/;
const v6HostRE = /\[[0-9a-f:]+\]/;
const loopback4 = new Address4('127.0.0.0/8');
+const scopeSplitRE = / +/;
class Communication {
/**
}
+ /**
+ * Encode hashed verifier data for PKCE.
+ * @param {BinaryLike} verifier
+ * @returns {String}
+ */
static _challengeFromVerifier(verifier) {
const hash = createHash('sha256');
hash.update(verifier);
return base64ToBase64URL(hash.digest('base64'));
}
+
+ /**
+ * @typedef PKCEData
+ * @property {String} codeChallengeMethod
+ * @property {String} codeVerifier
+ * @property {String} codeChallenge
+ */
/**
* Create a code verifier and its challenge.
* @param {Number} length
- * @returns {Object}
+ * @returns {Promise<PKCEData>}
*/
static async generatePKCE(length = 128) {
if (length < 43 || length > 128) {
}
+ /**
+ * Valid response statuses.
+ * Allow 401 as a workaround for one specific client which return such on
+ * its client identifier endpoint when not yet authenticated.
+ * @param {Number} status
+ * @returns {Boolean}
+ */
+ static _validateStatus(status) {
+ return (status >= 200 && status < 300) || status == 401;
+ }
+
+
/**
* A request config skeleton.
* @param {String} method
responseType: 'text',
// So force the matter by eliding all response transformations
transformResponse: [ (res) => res ],
+
+ validateStatus: Communication._validateStatus,
};
Object.entries(params).map(([k, v]) => config.params.set(k, v));
return config;
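Review bot: `_validateStatus` is installed on every config built by `_axiosConfig` (the `validateStatus: Communication._validateStatus,` line), so the 401 workaround described as being for one client's identifier endpoint now applies to every request made through this class, and any caller that does not delete `validateStatus` will see an unauthenticated response resolve as success. Consider leaving axios' default validator in `_axiosConfig` and opting into `_validateStatus` only where the client identifier document is fetched, or at minimum add a comment on that line such as `// NOTE: accepts 401; callers hitting authenticated endpoints must delete validateStatus`. The comparison should also be strict: `return (status >= 200 && status < 300) || status === 401;`. The enclosing `_axiosConfig` function starts and ends outside this hunk.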
* Retrieve and parse microformat data from url.
* N.B. this absorbs any errors!
* @param {URL} urlObj
- * @returns {Object}
+ * @returns {Promise<Object>}
*/
async fetchMicroformat(urlObj) {
const _scope = _fileScope('fetchMicroformat');
* Retrieve and parse JSON.
* N.B. this absorbs any errors!
* @param {URL} urlObj
- * @returns {Object}
+ * @returns {Promise<Object>}
*/
async fetchJSON(urlObj) {
const _scope = _fileScope('fetchJSON');
* N.B. Sets isLoopback on urlObj
* @param {URL} urlObj
* @param {Boolean} allowLoopback
+ * @returns {Promise<void>}
*/
static async _urlNamedHost(urlObj, allowLoopback, resolveHostname) {
let address;
* @param {String} url
* @param {Object} validationOptions
* @param {Boolean} validationOptions.allowLoopback
+ * @param {Boolean} validationOptions.resolveHostname
+ * @returns {Promise<void>}
*/
async validateProfile(url, validationOptions) {
const _scope = _fileScope('validateProfile');
const errorScope = 'invalid profile url';
- const options = Object.assign({}, {
+ const options = Object.assign({
allowLoopback: false,
resolveHostname: false,
}, validationOptions);
* @param {Object} validationOptions
* @param {Boolean} validationOptions.allowLoopback
* @param {Boolean} validationOptions.resolveHostname
- * @returns {URL}
+ * @returns {Promise<URL>}
*/
async validateClientIdentifier(url, validationOptions) {
const _scope = _fileScope('validateClientIdentifier');
const errorScope = 'invalid client identifier url';
- const options = Object.assign({}, {
+ const options = Object.assign({
allowLoopback: true,
resolveHostname: true,
}, validationOptions);
* @property {String} metadata.issuer
* @property {String} metadata.authorizationEndpoint
* @property {String} metadata.tokenEndpoint
+ * @property {String} metadata.ticketEndpoint
* @property {String} metadata.introspectionEndpoint
* @property {String} metadata.introspectionEndpointAuthMethodsSupported
* @property {String} metadata.revocationEndpoint
Object.entries({
authorizationEndpoint: 'authorization_endpoint', // backwards compatibility
tokenEndpoint: 'token_endpoint', // backwards compatibility
+ ticketEndpoint: 'ticket_endpoint', // backwards compatibility
}).forEach(([p, r]) => {
if (mfData && r in mfData.rels) {
profile.metadata[p] = profile[p] = mfData.rels[r][0]; // eslint-disable-line security/detect-object-injection
issuer: 'issuer',
authorizationEndpoint: 'authorization_endpoint',
tokenEndpoint: 'token_endpoint',
+ ticketEndpoint: 'ticket_endpoint',
introspectionEndpoint: 'introspection_endpoint',
introspectionEndpointAuthMethodsSupported: 'introspection_endpoint_auth_methods_supported',
revocationEndpoint: 'revocation_endpoint',
});
// Populate legacy profile fields.
- ['authorizationEndpoint', 'tokenEndpoint'].forEach((f) => {
+ ['authorizationEndpoint', 'tokenEndpoint', 'ticketEndpoint'].forEach((f) => {
if (f in profile.metadata) {
profile[f] = profile.metadata[f]; // eslint-disable-line security/detect-object-injection
}
/**
* POST to the auth endpoint, to redeem a code for a profile object.
+ * FIXME: [name] this isn't specific to profile redemption, it works for tokens too
* @param {URL} urlObj
* @param {String} code
* @param {String} codeVerifier
async redeemProfileCode(urlObj, code, codeVerifier, clientId, redirectURI) {
const _scope = _fileScope('redeemProfileCode');
- const data = new URLSearchParams();
- Object.entries({
+ const formData = common.formData({
'grant_type': 'authorization_code',
code,
'client_id': clientId,
'redirect_uri': redirectURI,
'code_verifier': codeVerifier,
- }).forEach(([name, value]) => data.set(name, value));
+ });
- const postRedeemProfileCodeConfig = Communication._axiosConfig('POST', urlObj, data.toString(), {}, {
+ const postRedeemProfileCodeConfig = Communication._axiosConfig('POST', urlObj, formData, {}, {
[Enum.Header.ContentType]: Enum.ContentType.ApplicationForm,
[Enum.Header.Accept]: `${Enum.ContentType.ApplicationJson}, ${Enum.ContentType.Any};q=0.1`,
});
}
}
+
+ /**
+ * Verify a token with an IdP endpoint, using the Authentication header supplied.
+ * @param {URL} introspectionUrlObj
+ * @param {String} authorizationHeader
+ * @param {String} token
+ */
+ async introspectToken(introspectionUrlObj, authorizationHeader, token) {
+ const _scope = _fileScope('introspectToken');
+
+ const formData = common.formData({ token });
+ const postIntrospectConfig = Communication._axiosConfig('POST', introspectionUrlObj, formData, {}, {
+ [Enum.Header.Authorization]: authorizationHeader,
+ [Enum.Header.ContentType]: Enum.ContentType.ApplicationForm,
+ [Enum.Header.Accept]: `${Enum.ContentType.ApplicationJson}, ${Enum.ContentType.Any};q=0.1`,
+ });
+ delete postIntrospectConfig.validateStatus; // only accept success
+
+ let tokenInfo;
+ try {
+ const response = await this.axios(postIntrospectConfig);
+ this.logger.debug(_scope, 'response', { response });
+ // check status
+ try {
+ tokenInfo = JSON.parse(response.data);
+ const {
+ active,
+ me,
+ client_id: clientId,
+ scope,
+ exp,
+ iat,
+ } = tokenInfo;
+
+ return {
+ active,
+ ...(me && { me }),
+ ...(clientId && { clientId }),
+ ...(scope && { scope: scope.split(scopeSplitRE) }),
+ ...(exp && { exp: Number(exp) }),
+ ...(iat && { iat: Number(iat) }),
+ };
+ } catch (e) {
+ this.logger.error(_scope, 'failed to parse json', { error: e, response });
+ throw e;
+ }
+ } catch (e) {
+ this.logger.error(_scope, 'introspect token request failed', { error: e, url: introspectionUrlObj.href });
+ throw e;
+ }
+ }
+
+
+ /**
+ * Attempt to deliver a ticket to an endpoint.
+ * N.B. does not absorb errors
+ * @param {*} ticketEndpointUrlObj
+ * @param {*} resourceUrlObj
+ * @param {*} subjectUrlObj
+ * @param {*} ticket
+ * @returns {Promise<AxiosResponse>}
+ */
+ async deliverTicket(ticketEndpointUrlObj, resourceUrlObj, subjectUrlObj, ticket) {
+ const _scope = _fileScope('deliverTicket');
+
+ try {
+ const ticketPayload = {
+ ticket,
+ resource: resourceUrlObj.href,
+ subject: subjectUrlObj.href,
+ };
+ const ticketConfig = Communication._axiosConfig('POST', ticketEndpointUrlObj, ticketPayload, {}, {
+ [Enum.Header.ContentType]: Enum.ContentType.ApplicationForm,
+ });
+ return await this.axios(ticketConfig);
+ } catch (e) {
+ this.logger.error(_scope, 'ticket delivery request failed', { error: e, url: ticketEndpointUrlObj.href });
+ throw e;
+ }
+ }
+
}
-module.exports = Communication;
\ No newline at end of file
+module.exports = Communication;
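Review bot: `deliverTicket` passes the plain `ticketPayload` object as the request body while declaring `application/x-www-form-urlencoded`, unlike `redeemProfileCode` and `introspectToken` in this same commit which encode through `common.formData`; depending on the axios version the object may be sent JSON-serialized under a form content type, so this should read `const ticketPayload = common.formData({ ticket, resource: resourceUrlObj.href, subject: subjectUrlObj.href });`. `deliverTicket` also keeps the `_validateStatus` set by `_axiosConfig`, so a 401 from the ticket endpoint resolves as a successful delivery despite the "does not absorb errors" docstring; add `delete ticketConfig.validateStatus;` after the config is built, as `introspectToken` does. In `introspectToken` the `// check status` comment sits above code that performs no check (only the deleted `validateStatus` enforces it), so it should be removed or reworded to `// non-2xx already rejected by axios' default validateStatus`. The `active` flag is returned exactly as the IdP sent it; `active: active === true` would keep a non-boolean value from being treated as an active token downstream. The `{*}` parameter types on `deliverTicket` can be `{URL}` for the three URL objects and `{String}` for `ticket`.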