idp.global/app
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: idp.global/app:v1.16.0
Branches Tags
idp.global/app:main
idp.global/app:v1.21.1 idp.global/app:v1.21.0 idp.global/app:v1.20.0 idp.global/app:v1.19.1 idp.global/app:v1.19.0 idp.global/app:v1.18.0 idp.global/app:v1.17.1 idp.global/app:v1.17.0 idp.global/app:v1.16.0 idp.global/app:v1.15.0 idp.global/app:v1.14.1 idp.global/app:v1.14.0 idp.global/app:v1.13.0 idp.global/app:v1.12.1 idp.global/app:v1.12.0 idp.global/app:v1.11.0 idp.global/app:v1.10.0 idp.global/app:v1.9.0 idp.global/app:v1.8.0 idp.global/app:v1.7.0 idp.global/app:v1.6.0 idp.global/app:v1.5.0 idp.global/app:v1.4.3 idp.global/app:v1.4.2 idp.global/app:v1.4.1 idp.global/app:v1.4.0 idp.global/app:v1.3.1 idp.global/app:v1.3.0 idp.global/app:v1.2.2 idp.global/app:v1.2.1 idp.global/app:v1.2.0 idp.global/app:v1.1.1 idp.global/app:v1.1.0
..
compare: idp.global/app:v1.21.0
Branches Tags
idp.global/app:main
idp.global/app:v1.21.1 idp.global/app:v1.21.0 idp.global/app:v1.20.0 idp.global/app:v1.19.1 idp.global/app:v1.19.0 idp.global/app:v1.18.0 idp.global/app:v1.17.1 idp.global/app:v1.17.0 idp.global/app:v1.16.0 idp.global/app:v1.15.0 idp.global/app:v1.14.1 idp.global/app:v1.14.0 idp.global/app:v1.13.0 idp.global/app:v1.12.1 idp.global/app:v1.12.0 idp.global/app:v1.11.0 idp.global/app:v1.10.0 idp.global/app:v1.9.0 idp.global/app:v1.8.0 idp.global/app:v1.7.0 idp.global/app:v1.6.0 idp.global/app:v1.5.0 idp.global/app:v1.4.3 idp.global/app:v1.4.2 idp.global/app:v1.4.1 idp.global/app:v1.4.0 idp.global/app:v1.3.1 idp.global/app:v1.3.0 idp.global/app:v1.2.2 idp.global/app:v1.2.1 idp.global/app:v1.2.0 idp.global/app:v1.1.1 idp.global/app:v1.1.0

14 Commits
v1.16.0 .. v1.21.0

Author SHA1 Message Date
jkunz a1a684ee81 v1.21.0
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 10:26:22 +00:00
jkunz 6044928c70 feat(reception): add passport device authentication flows and alert delivery management 2026-04-20 10:26:22 +00:00
jkunz 3cd7499f3f v1.20.0
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 09:46:13 +00:00
jkunz 29a21fd3b3 feat(auth): add abuse protection for login and OIDC flows with consent-based authorization handling 2026-04-20 09:46:13 +00:00
jkunz 21f5abb49b v1.19.1
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 08:44:05 +00:00
jkunz 68469b0740 fix(ts_interfaces): rename generated TypeScript interface files to remove the loint-reception prefix 2026-04-20 08:44:05 +00:00
jkunz 525a72b73b v1.19.0
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 08:40:40 +00:00
jkunz d913dfaeb1 feat(oidc): persist hashed OIDC tokens, authorization codes, and user consent in smartdata storage 2026-04-20 08:40:40 +00:00
jkunz fe9da65437 v1.18.0
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 08:27:35 +00:00
jkunz 28d30fe392 feat(reception): persist email action tokens and registration sessions for authentication and signup flows 2026-04-20 08:27:35 +00:00
jkunz 1532c9704b v1.17.1
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 08:15:42 +00:00
jkunz 76efcb835f fix(docs): refresh module readmes and add repository license file 2026-04-20 08:15:42 +00:00
jkunz 2d1e6ea6e1 v1.17.0
Docker (tags) / security (push) Failing after 1s
Details
Docker (tags) / test (push) Has been skipped
Details
Docker (tags) / release (push) Has been skipped
Details
Docker (tags) / metadata (push) Has been skipped
Details
2026-04-20 08:12:07 +00:00
jkunz 98e614a945 feat(auth): harden authentication with argon2 passwords and rotating hashed refresh tokens 2026-04-20 08:12:07 +00:00
99 changed files with 9758 additions and 3983 deletions
Expand all files Collapse all files
changelog.md
+58
View File
@@ -1,5 +1,63 @@
# Changelog
## 2026-04-20 - 1.21.0 - feat(reception)
add passport device authentication flows and alert delivery management
- introduce passport device, challenge, and nonce models with typed request interfaces for enrollment, challenge approval, push token registration, and signed device requests
- add alert and alert rule models plus alert manager endpoints for listing, resolving by hint, marking seen, and routing notifications to eligible recipients
- send security and admin alerts for global admin dashboard access and global app credential regeneration
- schedule housekeeping tasks to expire passport challenges and retry pending passport challenge and alert push deliveries
- cover passport and alert workflows with new node tests
## 2026-04-20 - 1.20.0 - feat(auth)
add abuse protection for login and OIDC flows with consent-based authorization handling
- introduces AbuseProtectionManager and AbuseWindow storage to rate limit password login, magic link, password reset, and OIDC token exchange attempts
- adds housekeeping cleanup for expired abuse protection windows
- adds typed OIDC prepare/complete authorization requests plus consent evaluation and redirect URL generation
- updates the login prompt to support OIDC authorization continuation after user login or consent
- includes tests for abuse protection behavior and OIDC authorization preparation/completion flows
## 2026-04-20 - 1.19.1 - fix(ts_interfaces)
rename generated TypeScript interface files to remove the loint-reception prefix
- Moves data and request interface files from loint-reception.* names to clean module names under ts_interfaces
- Renames the shared plugins export to ts_interfaces/plugins.ts
- Preserves interface contents while standardizing the generated file naming layout
## 2026-04-20 - 1.19.0 - feat(oidc)
persist hashed OIDC tokens, authorization codes, and user consent in smartdata storage
- replace in-memory OIDC authorization code, access token, refresh token, and consent stores with SmartData document classes
- store authorization codes and tokens as hashes instead of persisting plaintext values, with helpers for matching, expiration, and revocation
- persist and merge user consent scopes when issuing authorization codes
- add cleanup lifecycle management for expired OIDC state and stop the cleanup task when reception shuts down
- add tests covering hashed code/token matching, authorization code usage, refresh token revocation, and consent scope merging
## 2026-04-20 - 1.18.0 - feat(reception)
persist email action tokens and registration sessions for authentication and signup flows
- add persisted email action tokens for email login and password reset with one-time consumption and expiry cleanup
- store registration sessions in the database so signup state, email validation, and SMS verification survive restarts
- enforce password changes through either a valid reset token or the current password
- add housekeeping jobs and tests for token/session expiry and state persistence
## 2026-04-20 - 1.17.1 - fix(docs)
refresh module readmes and add repository license file
- rewrite the root, backend, web, client, CLI, and interfaces README content to focus on current module responsibilities and usage
- standardize README license references to the lowercase license file path
- add the repository MIT license file
## 2026-04-20 - 1.17.0 - feat(auth)
harden authentication with argon2 passwords and rotating hashed refresh tokens
- replace SHA-256 password hashing with argon2 while preserving verification and upgrade support for legacy hashes
- rotate refresh tokens on JWT refresh, detect token reuse, and invalidate compromised sessions
- store refresh and transfer tokens as hashes with one-time transfer token validation and expiry
- persist refresh tokens separately on the client so sessions can recover and refresh without embedding tokens in JWTs
- add authentication tests covering password verification, legacy hash migration, refresh token rotation, reuse detection, and one-time transfer tokens
## 2026-01-29 - 1.16.0 - feat(dev)
add local development docs, update tswatch preset and add Playwright screenshots
license
+21
View File
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2026 Task Venture Capital GmbH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
package.json
+26 -24
View File
@@ -1,12 +1,12 @@
{
"name": "@idp.global/idp.global",
"version": "1.16.0",
"version": "1.21.0",
"description": "An identity provider software managing user authentications, registrations, and sessions.",
"main": "dist_ts/index.js",
"typings": "dist_ts/index.d.ts",
"type": "module",
"scripts": {
"test": "npm run build",
"test": "pnpm run build && tstest test/",
"build": "tsbuild tsfolders --web --allowimplicitany && tsbundle",
"watch": "tswatch",
"start": "(node cli.js)",
@@ -16,49 +16,51 @@
"author": "Task Venture Capital GmbH",
"license": "MIT",
"dependencies": {
"@api.global/typedrequest": "^3.2.5",
"@api.global/typedrequest": "^3.3.0",
"@api.global/typedrequest-interfaces": "^3.0.19",
"@api.global/typedserver": "^8.3.0",
"@api.global/typedsocket": "^4.1.0",
"@api.global/typedserver": "^8.4.6",
"@api.global/typedsocket": "^4.1.2",
"@consent.software/catalog": "^2.0.1",
"@design.estate/dees-catalog": "^3.41.4",
"@design.estate/dees-domtools": "^2.3.8",
"@design.estate/dees-element": "^2.1.6",
"@git.zone/tspublish": "^1.11.0",
"@push.rocks/lik": "^6.2.2",
"@design.estate/dees-catalog": "^3.81.0",
"@design.estate/dees-domtools": "^2.5.4",
"@design.estate/dees-element": "^2.2.4",
"@git.zone/tspublish": "^1.11.5",
"@push.rocks/lik": "^6.4.0",
"@push.rocks/qenv": "^6.1.3",
"@push.rocks/smartcli": "^4.0.20",
"@push.rocks/smartdata": "^7.0.15",
"@push.rocks/smartdata": "^7.1.7",
"@push.rocks/smartdelay": "^3.0.5",
"@push.rocks/smartfile": "^13.1.0",
"@push.rocks/smarthash": "^3.2.6",
"@push.rocks/smartinteract": "^2.0.6",
"@push.rocks/smartjson": "^6.0.0",
"@push.rocks/smartjwt": "^2.2.1",
"@push.rocks/smartlog": "^3.1.10",
"@push.rocks/smartlog": "^3.2.2",
"@push.rocks/smartmail": "^2.2.0",
"@push.rocks/smartpath": "^6.0.0",
"@push.rocks/smartpromise": "^4.2.3",
"@push.rocks/smartrx": "^3.0.10",
"@push.rocks/smartstate": "^2.0.27",
"@push.rocks/smarttime": "^4.1.1",
"@push.rocks/smartstate": "^2.3.0",
"@push.rocks/smarttime": "^4.2.3",
"@push.rocks/smartunique": "^3.0.9",
"@push.rocks/smarturl": "^3.1.0",
"@push.rocks/taskbuffer": "^4.1.1",
"@push.rocks/taskbuffer": "^8.0.2",
"@push.rocks/webjwt": "^1.0.9",
"@push.rocks/websetup": "^3.0.15",
"@push.rocks/webstore": "^2.0.20",
"@push.rocks/webstore": "^2.0.21",
"@serve.zone/platformclient": "^1.1.2",
"@tsclass/tsclass": "^9.3.0",
"@uptime.link/webwidget": "^1.2.6"
"@tsclass/tsclass": "^9.5.0",
"@uptime.link/webwidget": "^1.2.6",
"argon2": "^0.44.0"
},
"devDependencies": {
"@git.zone/tsbuild": "^4.1.2",
"@git.zone/tsbundle": "^2.8.3",
"@git.zone/tsrun": "^2.0.1",
"@git.zone/tswatch": "^3.0.1",
"@push.rocks/projectinfo": "^5.0.1",
"@types/node": "^25.1.0"
"@git.zone/tsbuild": "^4.4.0",
"@git.zone/tsbundle": "^2.10.0",
"@git.zone/tsrun": "^2.0.2",
"@git.zone/tstest": "^3.6.3",
"@git.zone/tswatch": "^3.3.2",
"@push.rocks/projectinfo": "^5.1.0",
"@types/node": "^25.6.0"
},
"private": true,
"repository": {
pnpm-lock.yaml
Generated
+3714 -2091
View File
File diff suppressed because it is too large Load Diff
readme.md
+135 -317
View File
@@ -1,168 +1,63 @@
# @idp.global/idp.global
🔐 **A modern, open-source Identity Provider (IdP) SaaS platform** for managing user authentication, registrations, sessions, and organization-based access control.
Identity infrastructure for apps that need accounts, sessions, organizations, invites, admin tooling, and OpenID Connect in one TypeScript codebase.
Built with TypeScript and designed for modern web applications, idp.global provides a complete identity management solution that you can self-host or use as a service.
This repository ships the `idp.global` server, the browser/client SDK, the CLI, shared request/data interfaces, and the web UI used by the hosted service.
## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## ✨ Features
## What It Does
### 🔑 Authentication & Authorization
- **Multiple Login Methods**: Email/password, email magic links, API tokens
- **JWT-Based Sessions**: Secure token management with automatic refresh
- **Two-Factor Authentication**: Enhanced security with 2FA support
- **Password Reset**: Secure password recovery flow
- **Device Management**: Track and manage authenticated devices
- Runs an identity provider with MongoDB-backed users, sessions, roles, organizations, invitations, API tokens, and billing plans.
- Serves a web app for login, registration, account management, org management, billing flows, and global admin views.
- Exposes typed realtime APIs over `typedrequest` and `typedsocket`.
- Implements OIDC/OAuth endpoints including discovery, JWKS, authorization, token, userinfo, and revoke.
- Includes a reusable browser client and a terminal CLI for common account and org workflows.
### 🏢 Organization Management
- **Multi-Tenant Architecture**: Support multiple organizations per user
- **Role-Based Access Control (RBAC)**: Fine-grained permissions system
- **Organization Roles**: Admin, member, and custom role support
- **Member Invitations**: Bulk invite and manage team members
- **Ownership Transfer**: Seamlessly transfer organization ownership
## Monorepo Modules
### 🔗 Third-Party Integration
- **OpenID Connect (OIDC) Provider**: Full OIDC compliance for third-party apps
- Discovery endpoint (`/.well-known/openid-configuration`)
- JWKS endpoint for token verification
- Authorization code flow with PKCE
- Token refresh and revocation
- **OAuth 2.0**: Standard OAuth flows for app authorization
- **Supported Scopes**: `openid`, `profile`, `email`, `organizations`, `roles`
| Folder | Purpose |
| --- | --- |
| `ts/` | Backend service entrypoint and the core `Reception` managers |
| `ts_interfaces/` | Shared request and data contracts used by server, client, CLI, and UI |
| `ts_idpclient/` | Browser-focused SDK published as `@idp.global/client` |
| `ts_idpcli/` | CLI published as `@idp.global/cli` |
| `ts_web/` | Frontend bundle with login, registration, account, org, billing, and admin views |
### 💳 Billing Integration
- **Paddle Integration**: Built-in payment processing support
- **Billing Plans**: Flexible subscription management
- **Checkout Flows**: Streamlined payment experiences
## Core Backend Pieces
### 🎨 Modern Web UI
- **Responsive Design**: Beautiful UI components built with `@design.estate/dees-catalog`
- **Account Management**: User profile, settings, and preferences
- **Organization Dashboard**: Manage members, roles, and apps
- **Admin Panel**: Global administration interface
`Reception` wires the service together and starts these managers:
### 📡 Real-Time Communication
- **WebSocket Support**: Real-time updates via TypedSocket
- **Typed API Requests**: Type-safe client-server communication
- **Public Key Distribution**: Automatic JWT key rotation notifications
- `JwtManager` for signing, refreshing, and validating JWTs.
- `LoginSessionManager` for login state and session lifecycle.
- `RegistrationSessionManager` for multi-step sign-up flows.
- `UserManager` for user lookups and account data.
- `OrganizationManager` for org creation and membership lookup.
- `RoleManager` for org roles and permissions.
- `UserInvitationManager` for invites, membership updates, and ownership transfer.
- `ApiTokenManager` for long-lived token auth.
- `BillingPlanManager` for Paddle-backed billing data.
- `AppManager` and `AppConnectionManager` for app connections and admin app stats.
- `ActivityLogManager` for audit-style activity entries.
- `OidcManager` for the OIDC/OAuth provider surface.
## 🏗️ Architecture
idp.global is built as a modular TypeScript monorepo:
```
├── ts/ # Server-side code (Node.js)
│ └── reception/ # Core identity management logic
├── ts_interfaces/ # Shared TypeScript interfaces (published as @idp.global/interfaces)
├── ts_idpclient/ # Browser/Node client library (published as @idp.global/idpclient)
├── ts_idpcli/ # Command-line interface tool
└── ts_web/ # Web frontend (published as @idp.global/web)
```
### Core Managers
| Manager | Responsibility |
|---------|----------------|
| `JwtManager` | JWT generation, validation, and key management |
| `LoginSessionManager` | Session creation and authentication |
| `UserManager` | User CRUD and profile management |
| `OrganizationManager` | Organization lifecycle management |
| `RoleManager` | RBAC and permission management |
| `OidcManager` | OpenID Connect provider functionality |
| `AppManager` | OAuth client app registration |
| `BillingPlanManager` | Subscription and payment handling |
## 🚀 Quick Start
### 🐳 Docker Deployment (Recommended)
The easiest way to run idp.global is using Docker:
```bash
# Pull the latest image
docker pull code.foss.global/idp.global/idp.global
# Run with environment variables
docker run -d \
-p 2999:2999 \
-e MONGODB_URL=mongodb://your-mongo:27017/idp \
-e IDP_BASEURL=https://your-domain.com \
-e INSTANCE_NAME=idp.global \
code.foss.global/idp.global/idp.global
```
### Environment Variables
| Variable | Description | Required |
|----------|-------------|----------|
| `MONGODB_URL` | MongoDB connection string | ✅ Yes |
| `IDP_BASEURL` | Public URL of your idp.global instance | ✅ Yes |
| `INSTANCE_NAME` | Name for this IDP instance | No (default: `idp.global`) |
| `SERVEZONE_PLATFROM_AUTHORIZATION` | ServeZone platform auth token | No |
### Docker Compose Example
```yaml
version: '3.8'
services:
idp:
image: code.foss.global/idp.global/idp.global
ports:
- "2999:2999"
environment:
MONGODB_URL: mongodb://mongo:27017/idp
IDP_BASEURL: https://idp.yourdomain.com
INSTANCE_NAME: my-idp
depends_on:
- mongo
mongo:
image: mongo:7
volumes:
- mongo-data:/data/db
volumes:
mongo-data:
```
The server listens on port 2999 by default.
## 🛠️ Local Development
## Quick Start
### Prerequisites
- Node.js 20+
- pnpm
- MongoDB (local or remote)
- SMTP server (for email verification in registration flow)
- `pnpm`
- MongoDB
### Getting Started
### Install
```bash
# Clone the repository
git clone https://code.foss.global/idp.global/idp.global.git
cd idp.global
# Install dependencies
pnpm install
# Build the project
pnpm build
# Start development server with hot reload
pnpm watch
```
The server runs on **http://localhost:2999** with:
- 🔄 Auto-restart backend on changes (`ts/`)
- 📦 Automatic frontend bundle rebuilding (`ts_web/`)
### Environment Setup
Create environment variables for the backend:
### Required Environment
```bash
export MONGODB_URL=mongodb://localhost:27017/idp-dev
@@ -170,207 +65,130 @@ export IDP_BASEURL=http://localhost:2999
export INSTANCE_NAME=idp-dev
```
### Development Routes
Optional:
| Route | Description |
|-------|-------------|
| `/` | Welcome/landing page |
| `/login` | Sign in form |
| `/register` | New user registration |
| `/account` | User dashboard (requires auth) |
- `SERVEZONE_PLATFROM_AUTHORIZATION`
- `PADDLE_TOKEN`
- `PADDLE_PRICE_ID`
### 🔑 Default Development Credentials
For local development with the test database, use:
| Field | Value |
|-------|-------|
| **Email/Username** | `admin@idp.global` or `admin` |
| **Password** | `admin` |
This account has `isGlobalAdmin: true` for full platform access including the admin panel at `/account/admin`.
> ⚠️ **Security Note**: These credentials are for local development only. Never use default credentials in production environments.
## 📦 Published Packages
This monorepo publishes the following npm packages:
| Package | Description |
|---------|-------------|
| `@idp.global/interfaces` | TypeScript interfaces for API contracts |
| `@idp.global/idpclient` | Client library for browser and Node.js |
| `@idp.global/web` | Web UI components |
## 💻 Client Usage
### Browser Client
```typescript
import { IdpClient } from '@idp.global/idpclient';
// Initialize the client
const idpClient = new IdpClient('https://idp.global');
// Enable WebSocket connection
await idpClient.enableTypedSocket();
// Check login status
const isLoggedIn = await idpClient.determineLoginStatus();
// Login with email and password
const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
username: 'user@example.com',
password: 'securepassword'
});
if (response.refreshToken) {
await idpClient.refreshJwt(response.refreshToken);
console.log('✅ Login successful!');
}
// Get current user info
const userInfo = await idpClient.whoIs();
console.log('User:', userInfo.user);
// Get user's organizations
const orgs = await idpClient.getRolesAndOrganizations();
console.log('Organizations:', orgs.organizations);
```
### Organization Management
```typescript
// Create a new organization
const result = await idpClient.createOrganization('My Company', 'my-company', 'manifest');
console.log('Created:', result.resultingOrganization);
// Invite members
await idpClient.requests.createInvitation.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
email: 'newmember@example.com',
roles: ['member']
});
```
### CLI Tool
The `ts_idpcli` module provides a command-line interface:
### Build
```bash
pnpm build
```
### Run Locally
```bash
pnpm watch
```
This starts the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`. The service listens on port `2999`.
## Runtime Surface
### Web Routes
| Route | Purpose |
| --- | --- |
| `/` | Welcome page |
| `/login` | Login flow |
| `/register` | Registration flow |
| `/finishregistration` | Multi-step registration completion |
| `/account` | Signed-in account area |
### OIDC and OAuth Endpoints
| Route | Purpose |
| --- | --- |
| `/.well-known/openid-configuration` | Discovery document |
| `/.well-known/jwks.json` | Public signing keys |
| `/oauth/authorize` | Authorization endpoint |
| `/oauth/token` | Token exchange |
| `/oauth/userinfo` | UserInfo endpoint |
| `/oauth/revoke` | Token revocation |
Supported scopes in the OIDC manager include `openid`, `profile`, `email`, `organizations`, and `roles`.
## SDK Example
The browser SDK lives in `ts_idpclient/` and is published as `@idp.global/client`.
```ts
import { IdpClient } from '@idp.global/client';
const idpClient = new IdpClient('https://idp.global');
await idpClient.enableTypedSocket();
const isLoggedIn = await idpClient.determineLoginStatus();
if (!isLoggedIn) {
const loginResult = await idpClient.requests.loginWithUserNameAndPassword.fire({
username: 'user@example.com',
password: 'secret',
});
if (loginResult.refreshToken) {
await idpClient.refreshJwt(loginResult.refreshToken);
}
}
const whoIs = await idpClient.whoIs();
console.log(whoIs.user.data.email);
```
## CLI Example
The terminal client lives in `ts_idpcli/` and is published as `@idp.global/cli`.
```bash
# Login
idp login
# Show current user
idp whoami
# List organizations
idp orgs
# List organization members
idp members --org <org-id>
# Invite a user
idp invite --org <org-id> --email user@example.com
```
## 🔐 OIDC Integration
The CLI stores credentials in `~/.idp-global/credentials.json` and reads `IDP_URL` to override the target server.
idp.global implements a full OpenID Connect provider. Third-party applications can use it for SSO:
## Shared Interfaces
### Discovery Document
`ts_interfaces/` exports the type contracts shared across the stack:
```
GET /.well-known/openid-configuration
```
- `data/*` for users, orgs, roles, JWTs, sessions, devices, billing plans, apps, and OIDC payloads.
- `request/*` for auth, registration, user, org, invitation, app, admin, billing, and JWT request contracts.
- `tags/*` for shared tag exports.
### Authorization Flow
## Frontend
```
GET /oauth/authorize?
client_id=your-client-id&
redirect_uri=https://yourapp.com/callback&
response_type=code&
scope=openid profile email organizations&
state=random-state&
code_challenge=PKCE_CHALLENGE&
code_challenge_method=S256
```
`ts_web/` is the web application bundle. It contains:
### Token Exchange
- Login and registration prompts.
- A registration stepper.
- Account navigation and account views.
- Organization creation and bulk invite modals.
- Billing and Paddle setup views.
- A global admin view.
```
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
## Package Scripts
grant_type=authorization_code&
code=AUTHORIZATION_CODE&
redirect_uri=https://yourapp.com/callback&
client_id=your-client-id&
client_secret=your-client-secret&
code_verifier=PKCE_VERIFIER
```
| Command | Purpose |
| --- | --- |
| `pnpm build` | Build TypeScript output and frontend bundle |
| `pnpm watch` | Run backend watch mode and frontend bundle watch |
| `pnpm test` | Build and run the test suite |
### UserInfo
## Repository Notes
```
GET /oauth/userinfo
Authorization: Bearer ACCESS_TOKEN
```
Response:
```json
{
"sub": "user-id",
"name": "John Doe",
"email": "john@example.com",
"email_verified": true,
"organizations": [
{ "id": "org-1", "name": "Acme Corp", "slug": "acme", "roles": ["admin"] }
],
"roles": ["user"]
}
```
## 🛠️ Tech Stack
- **Runtime**: Node.js with ES Modules
- **Language**: TypeScript (strict mode)
- **Database**: MongoDB via `@push.rocks/smartdata`
- **Web Server**: `@api.global/typedserver`
- **Real-time**: `@api.global/typedsocket` (WebSocket)
- **JWT**: `@push.rocks/smartjwt` (RS256 signing)
- **Frontend**: `@design.estate/dees-element` (Web Components)
- **Build**: `@git.zone/tsbuild` + `@git.zone/tsbundle`
## 📚 API Reference
### Request Interfaces
All API requests are type-safe. See `ts_interfaces/request/` for the complete API:
- **Authentication**: `IReq_LoginWithEmail`, `IReq_LoginWithApiToken`, `IReq_RefreshJwt`
- **Registration**: `IReq_FirstRegistration`, `IReq_FinishRegistration`
- **User Management**: `IReq_GetUserData`, `IReq_SetUserData`, `IReq_GetUserSessions`
- **Organizations**: `IReq_CreateOrganization`, `IReq_GetOrgMembers`, `IReq_CreateInvitation`
- **Apps & OAuth**: `IReq_GetGlobalApps`, `IReq_CreateGlobalApp`
- **Billing**: `IReq_GetBillingPlan`, `IReq_UpdatePaymentMethod`
### Data Models
See `ts_interfaces/data/` for all data structures:
- `IUser` - User profile and credentials
- `IOrganization` - Organization entity
- `IRole` - User roles within organizations
- `IJwt` - JWT token structure
- `IApp` - OAuth application definitions
- `IOidcAccessToken`, `IAuthorizationCode` - OIDC tokens
- Package manager: `pnpm`
- Main backend entrypoint: `ts/index.ts`
- Frontend entrypoint: `ts_web/index.ts`
- Browser SDK entrypoint: `ts_idpclient/index.ts`
- CLI entrypoint: `ts_idpcli/index.ts`
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
test/test.abuse.node.ts
+94
View File
@@ -0,0 +1,94 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
AbuseProtectionManager,
type IAbuseProtectionConfig,
} from '../ts/reception/classes.abuseprotectionmanager.js';
import { AbuseWindow } from '../ts/reception/classes.abusewindow.js';
const createTestAbuseProtectionManager = () => {
const manager = new AbuseProtectionManager({
db: { smartdataDb: {} },
} as any);
const store = new Map<string, AbuseWindow>();
const originalSave = AbuseWindow.prototype.save;
const originalDelete = AbuseWindow.prototype.delete;
(AbuseWindow.prototype as AbuseWindow & { save: () => Promise<void> }).save = async function () {
store.set(this.id, this);
};
(AbuseWindow.prototype as AbuseWindow & { delete: () => Promise<void> }).delete = async function () {
store.delete(this.id);
};
(manager as any).CAbuseWindow = {
getInstance: async (queryArg) => store.get(queryArg.id) ?? null,
};
const restore = () => {
AbuseWindow.prototype.save = originalSave;
AbuseWindow.prototype.delete = originalDelete;
};
return {
manager,
store,
restore,
};
};
const testConfig: IAbuseProtectionConfig = {
maxAttempts: 2,
windowMillis: 1_000,
blockDurationMillis: 2_000,
};
tap.test('blocks after too many attempts within the active window', async () => {
const { manager, restore } = createTestAbuseProtectionManager();
try {
await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
await expect(manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig)).rejects.toThrow();
} finally {
restore();
}
});
tap.test('resets attempts after the block and window have elapsed', async () => {
const { manager, store, restore } = createTestAbuseProtectionManager();
try {
await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
await expect(manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig)).rejects.toThrow();
const abuseWindow = Array.from(store.values())[0];
abuseWindow.data.blockedUntil = Date.now() - 10;
abuseWindow.data.windowStartedAt = Date.now() - testConfig.windowMillis - 10;
abuseWindow.data.validUntil = Date.now() + 1_000;
await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
expect(abuseWindow.data.attemptCount).toEqual(1);
} finally {
restore();
}
});
tap.test('clears stored attempts after a successful action', async () => {
const { manager, store, restore } = createTestAbuseProtectionManager();
try {
await manager.consumeAttempt('passwordLogin', 'phil@example.com', testConfig);
expect(store.size).toEqual(1);
await manager.clearAttempts('passwordLogin', 'phil@example.com');
expect(store.size).toEqual(0);
} finally {
restore();
}
});
export default tap.start();
test/test.alerts.node.ts
+307
View File
@@ -0,0 +1,307 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { Alert } from '../ts/reception/classes.alert.js';
import { AlertManager } from '../ts/reception/classes.alertmanager.js';
import { AlertRule } from '../ts/reception/classes.alertrule.js';
import { PassportDevice } from '../ts/reception/classes.passportdevice.js';
import { Role } from '../ts/reception/classes.role.js';
import { User } from '../ts/reception/classes.user.js';
const getNestedValue = (targetArg: any, pathArg: string) => {
return pathArg.split('.').reduce((currentArg, keyArg) => currentArg?.[keyArg], targetArg);
};
const matchesQuery = (targetArg: any, queryArg: Record<string, any>) => {
return Object.entries(queryArg).every(([keyArg, valueArg]) => getNestedValue(targetArg, keyArg) === valueArg);
};
const createTestAlertManager = () => {
const alerts = new Map<string, Alert>();
const alertRules = new Map<string, AlertRule>();
const users = new Map<string, User>();
const roles = new Map<string, Role>();
const passportDevices = new Map<string, PassportDevice>();
const deliveredHints: string[] = [];
const manager = new AlertManager({
db: { smartdataDb: {} },
typedrouter: { addTypedRouter: () => undefined },
jwtManager: {
verifyJWTAndGetData: async (jwtArg: string) => ({
data: {
userId: jwtArg,
},
}),
},
userManager: {
CUser: {
getInstance: async (queryArg: Record<string, any>) => {
return Array.from(users.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null;
},
getInstances: async () => Array.from(users.values()),
},
},
roleManager: {
CRole: {
getInstance: async (queryArg: Record<string, any>) => {
return Array.from(roles.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null;
},
},
getAllRolesForOrg: async (organizationIdArg: string) =>
Array.from(roles.values()).filter((roleArg) => roleArg.data.organizationId === organizationIdArg),
},
passportManager: {
authenticatePassportDeviceRequest: async (requestArg: { deviceId: string }) => {
return passportDevices.get(requestArg.deviceId)!;
},
getPassportDevicesForUser: async (userIdArg: string) =>
Array.from(passportDevices.values()).filter(
(deviceArg) => deviceArg.data.userId === userIdArg && deviceArg.data.status === 'active'
),
},
passportPushManager: {
deliverAlertHint: async (_passportDeviceArg: PassportDevice, alertArg: Alert) => {
deliveredHints.push(alertArg.data.notification.hintId);
alertArg.data.notification = {
...alertArg.data.notification,
status: 'sent',
attemptCount: alertArg.data.notification.attemptCount + 1,
deliveredAt: Date.now(),
lastError: null,
};
await alertArg.save();
return true;
},
},
} as any);
const originalAlertSave = Alert.prototype.save;
const originalAlertDelete = Alert.prototype.delete;
const originalAlertRuleSave = AlertRule.prototype.save;
const originalAlertRuleDelete = AlertRule.prototype.delete;
(Alert.prototype as Alert & { save: () => Promise<void> }).save = async function () {
alerts.set(this.id, this);
};
(Alert.prototype as Alert & { delete: () => Promise<void> }).delete = async function () {
alerts.delete(this.id);
};
(AlertRule.prototype as AlertRule & { save: () => Promise<void> }).save = async function () {
alertRules.set(this.id, this);
};
(AlertRule.prototype as AlertRule & { delete: () => Promise<void> }).delete = async function () {
alertRules.delete(this.id);
};
(manager as any).CAlert = {
getInstance: async (queryArg: Record<string, any>) => {
return Array.from(alerts.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null;
},
getInstances: async (queryArg: Record<string, any>) => {
return Array.from(alerts.values()).filter((docArg) => matchesQuery(docArg, queryArg));
},
};
(manager as any).CAlertRule = {
getInstance: async (queryArg: Record<string, any>) => {
return Array.from(alertRules.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null;
},
getInstances: async () => Array.from(alertRules.values()),
};
return {
manager,
alerts,
alertRules,
users,
roles,
passportDevices,
deliveredHints,
restore: () => {
Alert.prototype.save = originalAlertSave;
Alert.prototype.delete = originalAlertDelete;
AlertRule.prototype.save = originalAlertRuleSave;
AlertRule.prototype.delete = originalAlertRuleDelete;
},
};
};
const addUser = (
usersArg: Map<string, User>,
optionsArg: { id: string; email: string; isGlobalAdmin?: boolean }
) => {
const user = new User();
user.id = optionsArg.id;
user.data = {
name: optionsArg.email,
username: optionsArg.email,
email: optionsArg.email,
status: 'active',
connectedOrgs: [],
isGlobalAdmin: optionsArg.isGlobalAdmin,
};
usersArg.set(user.id, user);
return user;
};
const addPassportDevice = (
passportDevicesArg: Map<string, PassportDevice>,
optionsArg: { id: string; userId: string; label: string }
) => {
const device = new PassportDevice();
device.id = optionsArg.id;
device.data = {
userId: optionsArg.userId,
label: optionsArg.label,
platform: 'ios',
status: 'active',
publicKeyAlgorithm: 'p256',
publicKeyX963Base64: 'public-key',
capabilities: {
gps: true,
nfc: true,
push: true,
},
pushRegistration: {
provider: 'apns',
token: `${optionsArg.id}-token`,
topic: 'global.idp.swiftapp',
environment: 'development',
registeredAt: Date.now(),
},
createdAt: Date.now(),
lastSeenAt: Date.now(),
};
passportDevicesArg.set(device.id, device);
return device;
};
tap.test('creates global admin access alerts with the built-in fallback rule', async () => {
const { manager, users, passportDevices, alerts, deliveredHints, restore } = createTestAlertManager();
try {
addUser(users, { id: 'admin-1', email: 'admin-1@example.com', isGlobalAdmin: true });
addPassportDevice(passportDevices, { id: 'device-1', userId: 'admin-1', label: 'Admin Phone' });
const createdAlerts = await manager.createAlertsForEvent({
category: 'admin',
eventType: 'global_admin_access',
severity: 'high',
title: 'Global admin console accessed',
body: 'A global admin accessed the console.',
actorUserId: 'admin-1',
relatedEntityType: 'global-admin-console',
});
expect(createdAlerts).toHaveLength(1);
expect(alerts.size).toEqual(1);
expect(createdAlerts[0].data.notification.status).toEqual('sent');
expect(deliveredHints).toHaveLength(1);
} finally {
restore();
}
});
tap.test('routes organization-scoped alerts to org admins by rule', async () => {
const { manager, users, roles, passportDevices, restore } = createTestAlertManager();
try {
addUser(users, { id: 'owner-1', email: 'owner@example.com' });
addUser(users, { id: 'viewer-1', email: 'viewer@example.com' });
addPassportDevice(passportDevices, { id: 'owner-device', userId: 'owner-1', label: 'Owner Phone' });
const ownerRole = new Role();
ownerRole.id = 'role-owner';
ownerRole.data = {
userId: 'owner-1',
organizationId: 'org-1',
roles: ['owner'],
};
roles.set(ownerRole.id, ownerRole);
const viewerRole = new Role();
viewerRole.id = 'role-viewer';
viewerRole.data = {
userId: 'viewer-1',
organizationId: 'org-1',
roles: ['viewer'],
};
roles.set(viewerRole.id, viewerRole);
const rule = new AlertRule();
rule.id = 'org-admin-rule';
rule.data = {
scope: 'organization',
organizationId: 'org-1',
eventType: 'org_security_notice',
minimumSeverity: 'medium',
recipientMode: 'org_admins',
recipientUserIds: [],
push: true,
enabled: true,
createdByUserId: 'owner-1',
createdAt: Date.now(),
updatedAt: Date.now(),
};
await rule.save();
const createdAlerts = await manager.createAlertsForEvent({
category: 'security',
eventType: 'org_security_notice',
severity: 'high',
title: 'Organization security event',
body: 'A sensitive organization event occurred.',
actorUserId: 'viewer-1',
organizationId: 'org-1',
});
expect(createdAlerts).toHaveLength(1);
expect(createdAlerts[0].data.recipientUserId).toEqual('owner-1');
} finally {
restore();
}
});
tap.test('lists alerts, resolves hint lookups, and marks alerts seen', async () => {
const { manager, alerts, restore } = createTestAlertManager();
try {
const alert = new Alert();
alert.id = 'alert-1';
alert.data = {
recipientUserId: 'user-1',
category: 'security',
eventType: 'global_admin_access',
severity: 'high',
title: 'Important alert',
body: 'Please inspect this alert.',
notification: {
hintId: 'hint-1',
status: 'sent',
attemptCount: 1,
createdAt: Date.now(),
deliveredAt: Date.now(),
seenAt: null,
lastError: null,
},
createdAt: Date.now(),
seenAt: null,
dismissedAt: null,
};
await alert.save();
const listedAlerts = await manager.listAlertsForUser('user-1');
expect(listedAlerts).toHaveLength(1);
const hintAlert = await manager.getAlertByHint('user-1', 'hint-1');
expect(hintAlert?.id).toEqual('alert-1');
const seenAlert = await manager.markAlertSeen('user-1', 'hint-1');
expect(seenAlert.data.notification.status).toEqual('seen');
expect(seenAlert.data.seenAt).toBeGreaterThan(0);
expect(alerts.get('alert-1')?.data.notification.status).toEqual('seen');
} finally {
restore();
}
});
export default tap.start();
test/test.auth.node.ts
+140
View File
@@ -0,0 +1,140 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { EmailActionToken } from '../ts/reception/classes.emailactiontoken.js';
import { LoginSession } from '../ts/reception/classes.loginsession.js';
import { RegistrationSession } from '../ts/reception/classes.registrationsession.js';
import { User } from '../ts/reception/classes.user.js';
import * as plugins from '../ts/plugins.js';
const createTestLoginSession = () => {
const loginSession = new LoginSession();
loginSession.id = 'test-session';
loginSession.data.userId = 'test-user';
(loginSession as LoginSession & { save: () => Promise<void> }).save = async () => undefined;
return loginSession;
};
const createTestEmailActionToken = () => {
const emailActionToken = new EmailActionToken();
emailActionToken.id = 'email-action-token';
emailActionToken.data.email = 'user@example.com';
emailActionToken.data.action = 'emailLogin';
emailActionToken.data.validUntil = Date.now() + 60_000;
let deleted = false;
(emailActionToken as EmailActionToken & { delete: () => Promise<void> }).delete = async () => {
deleted = true;
};
return {
emailActionToken,
wasDeleted: () => deleted,
};
};
const createTestRegistrationSession = () => {
const registrationSession = new RegistrationSession();
registrationSession.id = 'registration-session';
registrationSession.data.emailAddress = 'user@example.com';
registrationSession.data.validUntil = Date.now() + 60_000;
let deleted = false;
(registrationSession as RegistrationSession & { save: () => Promise<void> }).save = async () => undefined;
(registrationSession as RegistrationSession & { delete: () => Promise<void> }).delete = async () => {
deleted = true;
};
return {
registrationSession,
wasDeleted: () => deleted,
};
};
tap.test('hashes passwords with argon2 and verifies them', async () => {
const passwordHash = await User.hashPassword('correct horse battery staple');
expect(passwordHash.startsWith('$argon2')).toBeTrue();
expect(await User.verifyPassword('correct horse battery staple', passwordHash)).toBeTrue();
expect(await User.verifyPassword('wrong password', passwordHash)).toBeFalse();
expect(User.shouldUpgradePasswordHash(passwordHash)).toBeFalse();
});
tap.test('accepts legacy sha256 hashes and marks them for upgrade', async () => {
const legacyHash = await plugins.smarthash.sha256FromString('legacy-password');
expect(User.isLegacyPasswordHash(legacyHash)).toBeTrue();
expect(await User.verifyPassword('legacy-password', legacyHash)).toBeTrue();
expect(await User.verifyPassword('different-password', legacyHash)).toBeFalse();
expect(User.shouldUpgradePasswordHash(legacyHash)).toBeTrue();
});
tap.test('rotates refresh tokens and detects reuse', async () => {
const loginSession = createTestLoginSession();
const firstRefreshToken = await loginSession.getRefreshToken();
const secondRefreshToken = await loginSession.getRefreshToken();
expect(firstRefreshToken.startsWith('refresh_')).toBeTrue();
expect(secondRefreshToken.startsWith('refresh_')).toBeTrue();
expect(firstRefreshToken).not.toEqual(secondRefreshToken);
expect(loginSession.data.refreshToken).toBeNullOrUndefined();
expect(loginSession.data.refreshTokenHash).toBeTruthy();
expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('current');
expect(await loginSession.validateRefreshToken(firstRefreshToken)).toEqual('reused');
await loginSession.invalidate();
expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('invalidated');
});
tap.test('persists transfer tokens as one-time hashes', async () => {
const loginSession = createTestLoginSession();
const transferToken = await loginSession.getTransferToken();
expect(transferToken.startsWith('transfer_')).toBeTrue();
expect(loginSession.data.transferTokenHash).toBeTruthy();
expect(await loginSession.validateTransferToken(transferToken)).toBeTrue();
expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();
});
tap.test('consumes email action tokens exactly once', async () => {
const { emailActionToken, wasDeleted } = createTestEmailActionToken();
const plainToken = EmailActionToken.createOpaqueToken('emailLogin');
emailActionToken.data.tokenHash = EmailActionToken.hashToken(plainToken);
expect(await emailActionToken.consume(plainToken)).toBeTrue();
expect(wasDeleted()).toBeTrue();
});
tap.test('invalidates expired email action tokens', async () => {
const { emailActionToken, wasDeleted } = createTestEmailActionToken();
emailActionToken.data.tokenHash = EmailActionToken.hashToken('expired-token');
emailActionToken.data.validUntil = Date.now() - 1;
expect(await emailActionToken.consume('expired-token')).toBeFalse();
expect(wasDeleted()).toBeTrue();
});
tap.test('persists registration token validation and sms verification state', async () => {
const { registrationSession } = createTestRegistrationSession();
const emailToken = 'registration-token';
registrationSession.data.hashedEmailToken = RegistrationSession.hashToken(emailToken);
expect(await registrationSession.validateEmailToken(emailToken)).toBeTrue();
expect(registrationSession.data.status).toEqual('emailValidated');
expect(registrationSession.data.collectedData.userData.email).toEqual('user@example.com');
registrationSession.data.smsCodeHash = RegistrationSession.hashToken('123456');
expect(await registrationSession.validateSmsCode('123456')).toBeTrue();
expect(registrationSession.data.status).toEqual('mobileVerified');
});
tap.test('removes expired registration sessions on token validation', async () => {
const { registrationSession, wasDeleted } = createTestRegistrationSession();
registrationSession.data.hashedEmailToken = RegistrationSession.hashToken('expired-registration');
registrationSession.data.validUntil = Date.now() - 1;
expect(await registrationSession.validateEmailToken('expired-registration')).toBeFalse();
expect(wasDeleted()).toBeTrue();
});
export default tap.start();
test/test.oidc.node.ts
+208
View File
@@ -0,0 +1,208 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { OidcAccessToken } from '../ts/reception/classes.oidcaccesstoken.js';
import { OidcAuthorizationCode } from '../ts/reception/classes.oidcauthorizationcode.js';
import { OidcManager } from '../ts/reception/classes.oidcmanager.js';
import { OidcRefreshToken } from '../ts/reception/classes.oidcrefreshtoken.js';
import { OidcUserConsent } from '../ts/reception/classes.oidcuserconsent.js';
const createTestOidcManager = () => {
const oidcManager = new OidcManager({
db: { smartdataDb: {} },
typedrouter: { addTypedRouter: () => undefined },
options: { baseUrl: 'https://idp.example' },
} as any);
void oidcManager.stop();
return oidcManager;
};
tap.test('stores authorization codes as hashes and marks them used', async () => {
const authCode = new OidcAuthorizationCode();
authCode.id = 'oidc-auth-code';
authCode.data.codeHash = OidcAuthorizationCode.hashCode('plain-auth-code');
let saveCount = 0;
(authCode as OidcAuthorizationCode & { save: () => Promise<void> }).save = async () => {
saveCount++;
};
expect(authCode.matchesCode('plain-auth-code')).toBeTrue();
expect(authCode.matchesCode('wrong-code')).toBeFalse();
await authCode.markUsed();
expect(authCode.data.used).toBeTrue();
expect(saveCount).toEqual(1);
});
tap.test('stores access tokens without plaintext persistence', async () => {
const accessToken = new OidcAccessToken();
accessToken.id = 'oidc-access-token';
accessToken.data.tokenHash = OidcAccessToken.hashToken('plain-access-token');
accessToken.data.expiresAt = Date.now() + 60_000;
expect(accessToken.matchesToken('plain-access-token')).toBeTrue();
expect(accessToken.matchesToken('different-access-token')).toBeFalse();
expect(accessToken.isExpired()).toBeFalse();
});
tap.test('revokes persisted refresh tokens', async () => {
const refreshToken = new OidcRefreshToken();
refreshToken.id = 'oidc-refresh-token';
refreshToken.data.tokenHash = OidcRefreshToken.hashToken('plain-refresh-token');
refreshToken.data.expiresAt = Date.now() + 60_000;
let saveCount = 0;
(refreshToken as OidcRefreshToken & { save: () => Promise<void> }).save = async () => {
saveCount++;
};
expect(refreshToken.matchesToken('plain-refresh-token')).toBeTrue();
expect(refreshToken.data.revoked).toBeFalse();
await refreshToken.revoke();
expect(refreshToken.data.revoked).toBeTrue();
expect(saveCount).toEqual(1);
});
tap.test('merges user consent scopes without duplicates', async () => {
const consent = new OidcUserConsent();
consent.id = 'oidc-consent';
consent.data.userId = 'user-1';
consent.data.clientId = 'client-1';
consent.data.scopes = ['openid'];
let saveCount = 0;
(consent as OidcUserConsent & { save: () => Promise<void> }).save = async () => {
saveCount++;
};
await consent.grantScopes(['openid', 'email', 'profile']);
expect(consent.data.scopes.sort()).toEqual(['email', 'openid', 'profile']);
expect(consent.data.grantedAt).toBeGreaterThan(0);
expect(consent.data.updatedAt).toBeGreaterThan(0);
expect(saveCount).toEqual(1);
});
tap.test('builds an OAuth redirect URL after successful authorization completion', async () => {
const oidcManager = createTestOidcManager();
(oidcManager as any).findAppByClientId = async () => ({
data: {
name: 'Example App',
appUrl: 'https://app.example',
logoUrl: 'https://app.example/logo.png',
oauthCredentials: {
clientId: 'client-1',
redirectUris: ['https://app.example/callback'],
allowedScopes: ['openid', 'profile', 'email'],
},
},
});
(oidcManager as any).generateAuthorizationCode = async () => 'generated-auth-code';
(oidcManager as any).getUserConsent = async () => ({
data: {
scopes: ['openid', 'profile', 'email'],
},
});
(oidcManager as any).upsertUserConsent = async () => undefined;
const result = await oidcManager.completeAuthorizationForUser('user-1', {
clientId: 'client-1',
redirectUri: 'https://app.example/callback',
scope: 'openid profile email',
state: 'xyz-state',
codeChallenge: 'challenge',
codeChallengeMethod: 'S256',
nonce: 'nonce-1',
consentApproved: true,
});
expect(result.code).toEqual('generated-auth-code');
expect(result.redirectUrl).toEqual(
'https://app.example/callback?code=generated-auth-code&state=xyz-state'
);
await oidcManager.stop();
});
tap.test('prepares OAuth consent when scopes are not yet granted', async () => {
const oidcManager = createTestOidcManager();
(oidcManager as any).findAppByClientId = async () => ({
data: {
name: 'Example App',
appUrl: 'https://app.example',
logoUrl: 'https://app.example/logo.png',
oauthCredentials: {
clientId: 'client-1',
redirectUris: ['https://app.example/callback'],
allowedScopes: ['openid', 'profile', 'email'],
},
},
});
(oidcManager as any).getUserConsent = async () => ({
data: {
scopes: ['openid'],
},
});
const result = await oidcManager.prepareAuthorizationForUser('user-1', {
clientId: 'client-1',
redirectUri: 'https://app.example/callback',
scope: 'openid profile email',
state: 'xyz-state',
prompt: undefined,
codeChallenge: undefined,
codeChallengeMethod: undefined,
nonce: undefined,
});
expect(result.status).toEqual('consent_required');
expect(result.requestedScopes.sort()).toEqual(['email', 'openid', 'profile']);
expect(result.grantedScopes).toEqual(['openid']);
await oidcManager.stop();
});
tap.test('prepares OAuth authorization as ready when consent already exists', async () => {
const oidcManager = createTestOidcManager();
(oidcManager as any).findAppByClientId = async () => ({
data: {
name: 'Example App',
appUrl: 'https://app.example',
logoUrl: 'https://app.example/logo.png',
oauthCredentials: {
clientId: 'client-1',
redirectUris: ['https://app.example/callback'],
allowedScopes: ['openid', 'profile', 'email'],
},
},
});
(oidcManager as any).getUserConsent = async () => ({
data: {
scopes: ['openid', 'profile', 'email'],
},
});
const result = await oidcManager.prepareAuthorizationForUser('user-1', {
clientId: 'client-1',
redirectUri: 'https://app.example/callback',
scope: 'openid profile email',
state: 'xyz-state',
prompt: undefined,
codeChallenge: undefined,
codeChallengeMethod: undefined,
nonce: undefined,
});
expect(result.status).toEqual('ready');
await oidcManager.stop();
});
export default tap.start();
test/test.passport.node.ts
+434
View File
@@ -0,0 +1,434 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import * as plugins from '../ts/plugins.js';
import { PassportChallenge } from '../ts/reception/classes.passportchallenge.js';
import { PassportDevice } from '../ts/reception/classes.passportdevice.js';
import { PassportManager } from '../ts/reception/classes.passportmanager.js';
import { PassportNonce } from '../ts/reception/classes.passportnonce.js';
const getNestedValue = (targetArg: any, pathArg: string) => {
return pathArg.split('.').reduce((currentArg, keyArg) => currentArg?.[keyArg], targetArg);
};
const matchesQuery = (targetArg: any, queryArg: Record<string, any>) => {
return Object.entries(queryArg).every(([keyArg, valueArg]) => {
return getNestedValue(targetArg, keyArg) === valueArg;
});
};
const createTestPassportManager = () => {
const passportDevices = new Map<string, PassportDevice>();
const passportChallenges = new Map<string, PassportChallenge>();
const passportNonces = new Map<string, PassportNonce>();
const activityLogCalls: Array<{
userId: string;
action: string;
description: string;
}> = [];
const deliveredHintIds: string[] = [];
const manager = new PassportManager({
db: { smartdataDb: {} },
typedrouter: { addTypedRouter: () => undefined },
options: { baseUrl: 'https://idp.global' },
jwtManager: { verifyJWTAndGetData: async () => null },
activityLogManager: {
logActivity: async (userIdArg: string, actionArg: string, descriptionArg: string) => {
activityLogCalls.push({
userId: userIdArg,
action: actionArg,
description: descriptionArg,
});
},
},
passportPushManager: {
deliverChallengeHint: async (_passportDeviceArg: PassportDevice, passportChallengeArg: PassportChallenge) => {
deliveredHintIds.push(passportChallengeArg.data.notification!.hintId);
passportChallengeArg.data.notification = {
...passportChallengeArg.data.notification!,
status: 'sent',
attemptCount: passportChallengeArg.data.notification!.attemptCount + 1,
deliveredAt: Date.now(),
lastError: null,
};
await passportChallengeArg.save();
return true;
},
},
} as any);
const originalPassportDeviceSave = PassportDevice.prototype.save;
const originalPassportDeviceDelete = PassportDevice.prototype.delete;
const originalPassportChallengeSave = PassportChallenge.prototype.save;
const originalPassportChallengeDelete = PassportChallenge.prototype.delete;
const originalPassportNonceSave = PassportNonce.prototype.save;
const originalPassportNonceDelete = PassportNonce.prototype.delete;
(PassportDevice.prototype as PassportDevice & { save: () => Promise<void> }).save = async function () {
passportDevices.set(this.id, this);
};
(PassportDevice.prototype as PassportDevice & { delete: () => Promise<void> }).delete = async function () {
passportDevices.delete(this.id);
};
(PassportChallenge.prototype as PassportChallenge & { save: () => Promise<void> }).save = async function () {
passportChallenges.set(this.id, this);
};
(PassportChallenge.prototype as PassportChallenge & { delete: () => Promise<void> }).delete = async function () {
passportChallenges.delete(this.id);
};
(PassportNonce.prototype as PassportNonce & { save: () => Promise<void> }).save = async function () {
passportNonces.set(this.id, this);
};
(PassportNonce.prototype as PassportNonce & { delete: () => Promise<void> }).delete = async function () {
passportNonces.delete(this.id);
};
(manager as any).CPassportDevice = {
getInstance: async (queryArg: Record<string, any>) => {
return Array.from(passportDevices.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null;
},
getInstances: async (queryArg: Record<string, any>) => {
return Array.from(passportDevices.values()).filter((docArg) => matchesQuery(docArg, queryArg));
},
};
(manager as any).CPassportChallenge = {
getInstance: async (queryArg: Record<string, any>) => {
return (
Array.from(passportChallenges.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null
);
},
getInstances: async (queryArg: Record<string, any>) => {
return Array.from(passportChallenges.values()).filter((docArg) => matchesQuery(docArg, queryArg));
},
};
(manager as any).CPassportNonce = {
getInstance: async (queryArg: Record<string, any>) => {
return Array.from(passportNonces.values()).find((docArg) => matchesQuery(docArg, queryArg)) || null;
},
getInstances: async (queryArg: Record<string, any>) => {
return Array.from(passportNonces.values()).filter((docArg) => matchesQuery(docArg, queryArg));
},
};
return {
manager,
passportDevices,
passportChallenges,
passportNonces,
activityLogCalls,
deliveredHintIds,
restore: () => {
PassportDevice.prototype.save = originalPassportDeviceSave;
PassportDevice.prototype.delete = originalPassportDeviceDelete;
PassportChallenge.prototype.save = originalPassportChallengeSave;
PassportChallenge.prototype.delete = originalPassportChallengeDelete;
PassportNonce.prototype.save = originalPassportNonceSave;
PassportNonce.prototype.delete = originalPassportNonceDelete;
},
};
};
const createRawPassportSigner = async () => {
const subtle = plugins.crypto.webcrypto.subtle;
const keyPair = await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, [
'sign',
'verify',
]);
const publicKeyRaw = Buffer.from(await subtle.exportKey('raw', keyPair.publicKey)).toString('base64');
return {
publicKeyX963Base64: publicKeyRaw,
sign: async (payloadArg: string) => {
const signature = await subtle.sign(
{ name: 'ECDSA', hash: 'SHA-256' },
keyPair.privateKey,
Buffer.from(payloadArg, 'utf8')
);
return Buffer.from(signature).toString('base64');
},
};
};
const createDerPassportSigner = () => {
const keyPair = plugins.crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const publicJwk = keyPair.publicKey.export({ format: 'jwk' }) as JsonWebKey;
const publicKeyX963Base64 = Buffer.concat([
Buffer.from([4]),
Buffer.from(publicJwk.x!, 'base64url'),
Buffer.from(publicJwk.y!, 'base64url'),
]).toString('base64');
return {
publicKeyX963Base64,
sign: (payloadArg: string) => {
return plugins.crypto.sign('sha256', Buffer.from(payloadArg, 'utf8'), keyPair.privateKey).toString('base64');
},
};
};
const createSignedDeviceRequest = async (
managerArg: PassportManager,
signerArg: { sign: (payloadArg: string) => Promise<string> | string },
requestArg: {
deviceId: string;
action: string;
signedFields?: string[];
}
) => {
const baseRequest = {
deviceId: requestArg.deviceId,
timestamp: Date.now(),
nonce: plugins.crypto.randomUUID(),
};
const payload = (managerArg as any).buildDeviceRequestSigningPayload(
baseRequest,
requestArg.action,
requestArg.signedFields || []
);
return {
...baseRequest,
signatureBase64: await signerArg.sign(payload),
signatureFormat: 'raw' as const,
};
};
tap.test('enrolls a passport device from a pairing challenge', async () => {
const { manager, passportDevices, passportChallenges, activityLogCalls, restore } =
createTestPassportManager();
try {
const enrollment = await manager.createEnrollmentChallengeForUser('user-1', {
deviceLabel: 'Phil iPhone',
platform: 'ios',
capabilities: {
gps: true,
nfc: true,
push: true,
},
});
const signer = await createRawPassportSigner();
const signatureBase64 = await signer.sign(enrollment.signingPayload);
const passportDevice = await manager.completeEnrollment({
pairingToken: enrollment.pairingToken,
deviceLabel: 'Phil iPhone',
platform: 'ios',
publicKeyX963Base64: signer.publicKeyX963Base64,
signatureBase64,
signatureFormat: 'raw',
capabilities: {
gps: true,
nfc: true,
push: true,
},
appVersion: '1.0.0',
});
expect(passportDevice.data.userId).toEqual('user-1');
expect(passportDevice.data.label).toEqual('Phil iPhone');
expect(passportDevices.size).toEqual(1);
expect(passportChallenges.size).toEqual(1);
expect(Array.from(passportChallenges.values())[0].data.status).toEqual('approved');
expect(activityLogCalls[0].action).toEqual('passport_device_enrolled');
} finally {
restore();
}
});
tap.test('creates and approves a passport challenge with DER signatures and evidence', async () => {
const { manager, activityLogCalls, deliveredHintIds, restore } = createTestPassportManager();
try {
const enrollment = await manager.createEnrollmentChallengeForUser('user-2', {
deviceLabel: 'Office iPhone',
platform: 'ios',
capabilities: {
gps: true,
nfc: true,
push: true,
},
});
const signer = createDerPassportSigner();
const passportDevice = await manager.completeEnrollment({
pairingToken: enrollment.pairingToken,
deviceLabel: 'Office iPhone',
platform: 'ios',
publicKeyX963Base64: signer.publicKeyX963Base64,
signatureBase64: signer.sign(enrollment.signingPayload),
signatureFormat: 'der',
capabilities: {
gps: true,
nfc: true,
push: true,
},
});
const challengeResult = await manager.createPassportChallengeForUser('user-2', {
type: 'physical_access',
preferredDeviceId: passportDevice.id,
audience: 'hq-door-a',
notificationTitle: 'Office entry request',
requireLocation: true,
requireNfc: true,
});
expect(deliveredHintIds).toHaveLength(1);
expect(challengeResult.challenge.data.notification?.status).toEqual('sent');
await expect(
manager.approvePassportChallenge({
challengeId: challengeResult.challenge.id,
deviceId: passportDevice.id,
signatureBase64: signer.sign(challengeResult.signingPayload),
signatureFormat: 'der',
})
).rejects.toThrow();
const approvedChallenge = await manager.approvePassportChallenge({
challengeId: challengeResult.challenge.id,
deviceId: passportDevice.id,
signatureBase64: signer.sign(challengeResult.signingPayload),
signatureFormat: 'der',
location: {
latitude: 53.0793,
longitude: 8.8017,
accuracyMeters: 12,
capturedAt: Date.now(),
},
nfc: {
readerId: 'door-reader-a',
},
});
expect(approvedChallenge.data.status).toEqual('approved');
expect(approvedChallenge.data.evidence?.signatureFormat).toEqual('der');
expect(approvedChallenge.data.evidence?.location?.accuracyMeters).toEqual(12);
expect(approvedChallenge.data.evidence?.nfc?.readerId).toEqual('door-reader-a');
expect(activityLogCalls.at(-1)?.action).toEqual('passport_challenge_approved');
} finally {
restore();
}
});
tap.test('registers push tokens and loads pending challenges through signed device requests', async () => {
const { manager, passportNonces, restore } = createTestPassportManager();
try {
const enrollment = await manager.createEnrollmentChallengeForUser('user-3', {
deviceLabel: 'Work iPhone',
platform: 'ios',
capabilities: {
gps: true,
nfc: false,
push: true,
},
});
const signer = await createRawPassportSigner();
const passportDevice = await manager.completeEnrollment({
pairingToken: enrollment.pairingToken,
deviceLabel: 'Work iPhone',
platform: 'ios',
publicKeyX963Base64: signer.publicKeyX963Base64,
signatureBase64: await signer.sign(enrollment.signingPayload),
signatureFormat: 'raw',
capabilities: {
gps: true,
nfc: false,
push: true,
},
});
const pushRequest = await createSignedDeviceRequest(manager, signer, {
deviceId: passportDevice.id,
action: 'registerPassportPushToken',
signedFields: [
'provider=apns',
'token=device-token-1',
'topic=global.idp.swiftapp',
'environment=development',
],
});
const registeredPassportDevice = await (manager as any).authenticatePassportDeviceRequest(
{
...pushRequest,
},
{
action: 'registerPassportPushToken',
signedFields: [
'provider=apns',
'token=device-token-1',
'topic=global.idp.swiftapp',
'environment=development',
],
}
);
registeredPassportDevice.data.pushRegistration = {
provider: 'apns',
token: 'device-token-1',
topic: 'global.idp.swiftapp',
environment: 'development',
registeredAt: Date.now(),
};
await registeredPassportDevice.save();
const challengeResult = await manager.createPassportChallengeForUser('user-3', {
type: 'authentication',
preferredDeviceId: passportDevice.id,
audience: 'office-saas',
notificationTitle: 'Office sign-in verification',
});
const listRequest = await createSignedDeviceRequest(manager, signer, {
deviceId: passportDevice.id,
action: 'listPendingPassportChallenges',
});
const authenticatedDevice = await (manager as any).authenticatePassportDeviceRequest(listRequest, {
action: 'listPendingPassportChallenges',
});
const pendingChallenges = await manager.listPendingChallengesForDevice(authenticatedDevice.id);
expect(pendingChallenges).toHaveLength(1);
expect(pendingChallenges[0].id).toEqual(challengeResult.challenge.id);
const hintId = challengeResult.challenge.data.notification!.hintId;
const getRequest = await createSignedDeviceRequest(manager, signer, {
deviceId: passportDevice.id,
action: 'getPassportChallengeByHint',
signedFields: [`hint_id=${hintId}`],
});
const hintChallenge = await manager.getPassportChallengeByHint(
(
await (manager as any).authenticatePassportDeviceRequest(getRequest, {
action: 'getPassportChallengeByHint',
signedFields: [`hint_id=${hintId}`],
})
).id,
hintId
);
expect(hintChallenge?.id).toEqual(challengeResult.challenge.id);
const seenRequest = await createSignedDeviceRequest(manager, signer, {
deviceId: passportDevice.id,
action: 'markPassportChallengeSeen',
signedFields: [`hint_id=${hintId}`],
});
await (manager as any).authenticatePassportDeviceRequest(seenRequest, {
action: 'markPassportChallengeSeen',
signedFields: [`hint_id=${hintId}`],
});
const seenChallenge = await manager.markPassportChallengeSeen(passportDevice.id, hintId);
expect(seenChallenge.data.notification?.status).toEqual('seen');
expect(passportNonces.size).toEqual(4);
} finally {
restore();
}
});
export default tap.start();
ts/00_commitinfo_data.ts
+1 -1
View File
@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@idp.global/idp.global',
version: '1.16.0',
version: '1.21.0',
description: 'An identity provider software managing user authentications, registrations, and sessions.'
}
ts/plugins.ts
+4 -1
View File
@@ -1,6 +1,7 @@
// Native scope
import * as crypto from 'node:crypto';
import * as path from 'path';
export { path };
export { crypto, path };
// Project scope
import * as idpInterfaces from '../dist_ts_interfaces/index.js';
@@ -32,8 +33,10 @@ import * as smartpromise from '@push.rocks/smartpromise';
import * as smarttime from '@push.rocks/smarttime';
import * as smartunique from '@push.rocks/smartunique';
import * as taskbuffer from '@push.rocks/taskbuffer';
import * as argon2 from 'argon2';
export {
argon2,
lik,
projectinfo,
qenv,
ts/readme.md
+87
View File
@@ -0,0 +1,87 @@
# `ts/` Backend Module
The `ts/` folder contains the server runtime for `idp.global`: startup, website server wiring, typed routes, OIDC endpoints, and the core `Reception` managers.
## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## What Lives Here
- `index.ts` boots the service, loads env vars, starts the website server, and mounts OIDC endpoints.
- `reception/classes.reception.ts` creates the service container and initializes all managers.
- `reception/` contains the domain logic for users, sessions, orgs, roles, invites, apps, billing, and OIDC.
- `plugins.ts` centralizes external imports used by the backend.
## Startup Behavior
The backend startup in `ts/index.ts` does four main things:
1. Loads runtime configuration from `.nogit` and the working directory.
2. Creates a `UtilityWebsiteServer` that serves the built frontend.
3. Registers OIDC endpoints such as discovery, JWKS, authorize, token, userinfo, and revoke.
4. Creates and starts `Reception`, then starts HTTP serving on port `2999`.
## Required Environment
```bash
export MONGODB_URL=mongodb://localhost:27017/idp-dev
export IDP_BASEURL=http://localhost:2999
export INSTANCE_NAME=idp-dev
```
Optional:
- `SERVEZONE_PLATFROM_AUTHORIZATION`
- `PADDLE_TOKEN`
- `PADDLE_PRICE_ID`
## Key Managers
| Class | Responsibility |
| --- | --- |
| `JwtManager` | JWT issuance, validation, and key rotation support |
| `LoginSessionManager` | Session creation, refresh, logout, and session metadata |
| `RegistrationSessionManager` | Registration flow state |
| `UserManager` | User-centric queries and mutations |
| `OrganizationManager` | Organization creation and access checks |
| `RoleManager` | Role and permission management |
| `UserInvitationManager` | Invitations, member updates, and ownership transfer |
| `BillingPlanManager` | Billing plan state and Paddle config endpoint |
| `AppManager` | Global app administration |
| `AppConnectionManager` | App connection tracking |
| `ActivityLogManager` | User activity logging |
| `OidcManager` | OIDC discovery, auth code flow, token exchange, userinfo, revoke |
## Local Development
From the repository root:
```bash
pnpm install
pnpm build
pnpm watch
```
The watch setup runs the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
### Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
### Company Information
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
ts/reception/classes.abuseprotectionmanager.ts
+102
View File
@@ -0,0 +1,102 @@
import * as plugins from '../plugins.js';
import { Reception } from './classes.reception.js';
import { AbuseWindow } from './classes.abusewindow.js';
export interface IAbuseProtectionConfig {
maxAttempts: number;
windowMillis: number;
blockDurationMillis: number;
}
export class AbuseProtectionManager {
public receptionRef: Reception;
public get db() {
return this.receptionRef.db.smartdataDb;
}
public CAbuseWindow = plugins.smartdata.setDefaultManagerForDoc(this, AbuseWindow);
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
}
private normalizeIdentifier(identifierArg: string) {
return identifierArg.trim().toLowerCase();
}
private hashIdentifier(identifierArg: string) {
return plugins.smarthash.sha256FromStringSync(this.normalizeIdentifier(identifierArg));
}
private createWindowId(actionArg: string, identifierArg: string) {
return plugins.smarthash.sha256FromStringSync(
`${actionArg}:${this.hashIdentifier(identifierArg)}`
);
}
private async getWindow(actionArg: string, identifierArg: string) {
return this.CAbuseWindow.getInstance({
id: this.createWindowId(actionArg, identifierArg),
});
}
public async consumeAttempt(
actionArg: string,
identifierArg: string,
configArg: IAbuseProtectionConfig,
errorTextArg = 'Too many attempts. Please wait before trying again.'
) {
const now = Date.now();
let abuseWindow = await this.getWindow(actionArg, identifierArg);
if (!abuseWindow) {
abuseWindow = new AbuseWindow();
abuseWindow.id = this.createWindowId(actionArg, identifierArg);
abuseWindow.data.action = actionArg;
abuseWindow.data.identifierHash = this.hashIdentifier(identifierArg);
abuseWindow.data.createdAt = now;
}
if (abuseWindow.isBlocked(now)) {
throw new plugins.typedrequest.TypedResponseError(errorTextArg);
}
if (abuseWindow.data.blockedUntil && abuseWindow.data.blockedUntil <= now) {
abuseWindow.data.attemptCount = 0;
abuseWindow.data.windowStartedAt = now;
abuseWindow.data.blockedUntil = 0;
}
if (
!abuseWindow.data.windowStartedAt ||
abuseWindow.data.windowStartedAt + configArg.windowMillis <= now
) {
abuseWindow.data.attemptCount = 0;
abuseWindow.data.windowStartedAt = now;
}
abuseWindow.data.attemptCount += 1;
abuseWindow.data.updatedAt = now;
abuseWindow.data.validUntil = now + configArg.windowMillis;
if (abuseWindow.data.attemptCount > configArg.maxAttempts) {
abuseWindow.data.blockedUntil = now + configArg.blockDurationMillis;
abuseWindow.data.validUntil = abuseWindow.data.blockedUntil;
await abuseWindow.save();
throw new plugins.typedrequest.TypedResponseError(errorTextArg);
}
await abuseWindow.save();
}
public async clearAttempts(actionArg: string, identifierArg: string) {
const abuseWindow = await this.getWindow(actionArg, identifierArg);
if (!abuseWindow) {
return;
}
await abuseWindow.delete();
}
}
ts/reception/classes.abusewindow.ts
+33
View File
@@ -0,0 +1,33 @@
import * as plugins from '../plugins.js';
import type { AbuseProtectionManager } from './classes.abuseprotectionmanager.js';
@plugins.smartdata.Manager()
export class AbuseWindow extends plugins.smartdata.SmartDataDbDoc<
AbuseWindow,
plugins.idpInterfaces.data.IAbuseWindow,
AbuseProtectionManager
> {
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IAbuseWindow['data'] = {
action: '',
identifierHash: '',
attemptCount: 0,
windowStartedAt: 0,
blockedUntil: 0,
validUntil: 0,
createdAt: 0,
updatedAt: 0,
};
public isBlocked(nowArg = Date.now()) {
return this.data.blockedUntil > nowArg;
}
public isExpired(nowArg = Date.now()) {
return this.data.validUntil < nowArg;
}
}
ts/reception/classes.alert.ts
+39
View File
@@ -0,0 +1,39 @@
import * as plugins from '../plugins.js';
import type { AlertManager } from './classes.alertmanager.js';
@plugins.smartdata.Manager()
export class Alert extends plugins.smartdata.SmartDataDbDoc<
Alert,
plugins.idpInterfaces.data.IAlert,
AlertManager
> {
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IAlert['data'] = {
recipientUserId: '',
organizationId: undefined,
category: 'security',
eventType: '',
severity: 'medium',
title: '',
body: '',
actorUserId: undefined,
relatedEntityId: undefined,
relatedEntityType: undefined,
notification: {
hintId: '',
status: 'pending',
attemptCount: 0,
createdAt: 0,
deliveredAt: null,
seenAt: null,
lastError: null,
},
createdAt: 0,
seenAt: null,
dismissedAt: null,
};
}
ts/reception/classes.alertmanager.ts
+425
View File
@@ -0,0 +1,425 @@
import * as plugins from '../plugins.js';
import { Alert } from './classes.alert.js';
import { AlertRule } from './classes.alertrule.js';
import type { Reception } from './classes.reception.js';
const severityOrder: Record<plugins.idpInterfaces.data.TAlertSeverity, number> = {
low: 1,
medium: 2,
high: 3,
critical: 4,
};
export class AlertManager {
public receptionRef: Reception;
public get db() {
return this.receptionRef.db.smartdataDb;
}
public typedRouter = new plugins.typedrequest.TypedRouter();
public CAlert = plugins.smartdata.setDefaultManagerForDoc(this, Alert);
public CAlertRule = plugins.smartdata.setDefaultManagerForDoc(this, AlertRule);
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ListPassportAlerts>(
'listPassportAlerts',
async (requestArg) => {
const passportDevice = await this.receptionRef.passportManager.authenticatePassportDeviceRequest(
requestArg,
{
action: 'listPassportAlerts',
}
);
const alerts = await this.listAlertsForUser(passportDevice.data.userId);
return {
alerts: alerts.map((alertArg) => ({ id: alertArg.id, data: alertArg.data })),
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetPassportAlertByHint>(
'getPassportAlertByHint',
async (requestArg) => {
const passportDevice = await this.receptionRef.passportManager.authenticatePassportDeviceRequest(
requestArg,
{
action: 'getPassportAlertByHint',
signedFields: [`hint_id=${requestArg.hintId}`],
}
);
const alert = await this.getAlertByHint(passportDevice.data.userId, requestArg.hintId);
return {
alert: alert ? { id: alert.id, data: alert.data } : undefined,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_MarkPassportAlertSeen>(
'markPassportAlertSeen',
async (requestArg) => {
const passportDevice = await this.receptionRef.passportManager.authenticatePassportDeviceRequest(
requestArg,
{
action: 'markPassportAlertSeen',
signedFields: [`hint_id=${requestArg.hintId}`],
}
);
await this.markAlertSeen(passportDevice.data.userId, requestArg.hintId);
return {
success: true,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_UpsertAlertRule>(
'upsertAlertRule',
async (requestArg) => {
const actorUserId = await this.verifyAlertRuleAccess(
requestArg.jwt,
requestArg.scope,
requestArg.organizationId
);
const rule = requestArg.ruleId
? await this.CAlertRule.getInstance({ id: requestArg.ruleId })
: new AlertRule();
if (!rule) {
throw new plugins.typedrequest.TypedResponseError('Alert rule not found');
}
rule.id = rule.id || plugins.smartunique.shortId();
rule.data = {
scope: requestArg.scope,
organizationId: requestArg.organizationId,
eventType: requestArg.eventType,
minimumSeverity: requestArg.minimumSeverity,
recipientMode: requestArg.recipientMode,
recipientUserIds: requestArg.recipientUserIds || [],
push: requestArg.push,
enabled: requestArg.enabled,
createdByUserId: rule.data?.createdByUserId || actorUserId,
createdAt: rule.data?.createdAt || Date.now(),
updatedAt: Date.now(),
};
await rule.save();
return {
rule: {
id: rule.id,
data: rule.data,
},
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetAlertRules>(
'getAlertRules',
async (requestArg) => {
await this.verifyAlertRuleAccess(requestArg.jwt, requestArg.scope || 'global', requestArg.organizationId);
const rules = await this.CAlertRule.getInstances({});
return {
rules: rules
.filter((ruleArg) => {
if (requestArg.scope && ruleArg.data.scope !== requestArg.scope) {
return false;
}
if (requestArg.organizationId && ruleArg.data.organizationId !== requestArg.organizationId) {
return false;
}
return true;
})
.map((ruleArg) => ({ id: ruleArg.id, data: ruleArg.data })),
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_DeleteAlertRule>(
'deleteAlertRule',
async (requestArg) => {
const rule = await this.CAlertRule.getInstance({ id: requestArg.ruleId });
if (!rule) {
throw new plugins.typedrequest.TypedResponseError('Alert rule not found');
}
await this.verifyAlertRuleAccess(requestArg.jwt, rule.data.scope, rule.data.organizationId);
await rule.delete();
return {
success: true,
};
}
)
);
}
private async verifyAlertRuleAccess(
jwtArg: string,
scopeArg: plugins.idpInterfaces.data.TAlertRuleScope,
organizationIdArg?: string
) {
const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtArg);
if (!jwt) {
throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
}
if (scopeArg === 'global') {
const user = await this.receptionRef.userManager.CUser.getInstance({ id: jwt.data.userId });
if (!user?.data?.isGlobalAdmin) {
throw new plugins.typedrequest.TypedResponseError('Global admin privileges required');
}
return jwt.data.userId;
}
if (!organizationIdArg) {
throw new plugins.typedrequest.TypedResponseError('organizationId is required');
}
const role = await this.receptionRef.roleManager.CRole.getInstance({
data: {
userId: jwt.data.userId,
organizationId: organizationIdArg,
},
});
if (!role || !role.data.roles.some((roleArg) => ['owner', 'admin'].includes(roleArg))) {
throw new plugins.typedrequest.TypedResponseError('Organization admin privileges required');
}
return jwt.data.userId;
}
private async resolveGlobalAdminRecipients() {
const users = await this.receptionRef.userManager.CUser.getInstances({});
return users.filter((userArg) => !!userArg.data.isGlobalAdmin);
}
private async resolveOrganizationAdminRecipients(organizationIdArg: string) {
const roles = await this.receptionRef.roleManager.getAllRolesForOrg(organizationIdArg);
const adminUserIds = [...new Set(
roles
.filter((roleArg) => roleArg.data.roles.some((roleNameArg) => ['owner', 'admin'].includes(roleNameArg)))
.map((roleArg) => roleArg.data.userId)
)];
const users = await Promise.all(
adminUserIds.map((userIdArg) => this.receptionRef.userManager.CUser.getInstance({ id: userIdArg }))
);
return users.filter(Boolean);
}
private async resolveRuleRecipients(ruleArg: AlertRule) {
switch (ruleArg.data.recipientMode) {
case 'global_admins':
return this.resolveGlobalAdminRecipients();
case 'org_admins':
if (!ruleArg.data.organizationId) {
return [];
}
return this.resolveOrganizationAdminRecipients(ruleArg.data.organizationId);
case 'specific_users':
if (!ruleArg.data.recipientUserIds?.length) {
return [];
}
const users = await Promise.all(
ruleArg.data.recipientUserIds.map((userIdArg) =>
this.receptionRef.userManager.CUser.getInstance({ id: userIdArg })
)
);
return users.filter(Boolean);
}
}
private async getMatchingRules(optionsArg: {
eventType: string;
severity: plugins.idpInterfaces.data.TAlertSeverity;
organizationId?: string;
}) {
const rules = await this.CAlertRule.getInstances({});
const matchingRules = rules.filter((ruleArg) => {
if (!ruleArg.data.enabled) {
return false;
}
if (ruleArg.data.eventType !== optionsArg.eventType) {
return false;
}
if (ruleArg.data.scope === 'organization' && ruleArg.data.organizationId !== optionsArg.organizationId) {
return false;
}
return severityOrder[optionsArg.severity] >= severityOrder[ruleArg.data.minimumSeverity];
});
if (matchingRules.length > 0) {
return matchingRules;
}
if (optionsArg.eventType === 'global_admin_access') {
const fallbackRule = new AlertRule();
fallbackRule.id = 'builtin-global-admin-access';
fallbackRule.data = {
scope: 'global',
organizationId: undefined,
eventType: 'global_admin_access',
minimumSeverity: 'high',
recipientMode: 'global_admins',
recipientUserIds: [],
push: true,
enabled: true,
createdByUserId: 'system',
createdAt: 0,
updatedAt: 0,
};
return [fallbackRule];
}
if (optionsArg.eventType === 'global_app_credentials_regenerated') {
const fallbackRule = new AlertRule();
fallbackRule.id = 'builtin-global-app-credentials-regenerated';
fallbackRule.data = {
scope: 'global',
organizationId: undefined,
eventType: 'global_app_credentials_regenerated',
minimumSeverity: 'critical',
recipientMode: 'global_admins',
recipientUserIds: [],
push: true,
enabled: true,
createdByUserId: 'system',
createdAt: 0,
updatedAt: 0,
};
return [fallbackRule];
}
return [];
}
public async createAlertsForEvent(optionsArg: {
category: plugins.idpInterfaces.data.TAlertCategory;
eventType: string;
severity: plugins.idpInterfaces.data.TAlertSeverity;
title: string;
body: string;
actorUserId?: string;
organizationId?: string;
relatedEntityId?: string;
relatedEntityType?: string;
}) {
const matchingRules = await this.getMatchingRules(optionsArg);
if (matchingRules.length === 0) {
return [];
}
const recipientIds = new Set<string>();
for (const rule of matchingRules) {
const recipients = await this.resolveRuleRecipients(rule);
for (const recipient of recipients) {
recipientIds.add(recipient.id);
}
}
const createdAlerts: Alert[] = [];
for (const recipientUserId of recipientIds) {
const alert = new Alert();
alert.id = plugins.smartunique.shortId();
alert.data = {
recipientUserId,
organizationId: optionsArg.organizationId,
category: optionsArg.category,
eventType: optionsArg.eventType,
severity: optionsArg.severity,
title: optionsArg.title,
body: optionsArg.body,
actorUserId: optionsArg.actorUserId,
relatedEntityId: optionsArg.relatedEntityId,
relatedEntityType: optionsArg.relatedEntityType,
notification: {
hintId: plugins.crypto.randomUUID(),
status: 'pending',
attemptCount: 0,
createdAt: Date.now(),
deliveredAt: null,
seenAt: null,
lastError: null,
},
createdAt: Date.now(),
seenAt: null,
dismissedAt: null,
};
await alert.save();
createdAlerts.push(alert);
const devices = await this.receptionRef.passportManager.getPassportDevicesForUser(recipientUserId);
let delivered = false;
for (const device of devices) {
const result = await this.receptionRef.passportPushManager.deliverAlertHint(device, alert);
delivered = delivered || result;
}
if (!delivered && devices.length === 0) {
alert.data.notification = {
...alert.data.notification,
status: 'failed',
attemptCount: alert.data.notification.attemptCount + 1,
lastError: 'Recipient has no active passport device',
};
await alert.save();
}
}
return createdAlerts;
}
public async listAlertsForUser(userIdArg: string) {
const alerts = await this.CAlert.getInstances({
'data.recipientUserId': userIdArg,
});
return alerts.sort((leftArg, rightArg) => rightArg.data.createdAt - leftArg.data.createdAt);
}
public async getAlertByHint(userIdArg: string, hintIdArg: string) {
return this.CAlert.getInstance({
'data.recipientUserId': userIdArg,
'data.notification.hintId': hintIdArg,
});
}
public async markAlertSeen(userIdArg: string, hintIdArg: string) {
const alert = await this.getAlertByHint(userIdArg, hintIdArg);
if (!alert) {
throw new plugins.typedrequest.TypedResponseError('Alert not found');
}
alert.data.seenAt = Date.now();
alert.data.notification = {
...alert.data.notification,
status: 'seen',
seenAt: Date.now(),
};
await alert.save();
return alert;
}
public async reDeliverPendingAlerts() {
const alerts = await this.CAlert.getInstances({});
for (const alert of alerts) {
if (alert.data.notification.status === 'sent' || alert.data.notification.status === 'seen') {
continue;
}
const devices = await this.receptionRef.passportManager.getPassportDevicesForUser(
alert.data.recipientUserId
);
for (const device of devices) {
await this.receptionRef.passportPushManager.deliverAlertHint(device, alert);
}
}
}
}
ts/reception/classes.alertrule.ts
+28
View File
@@ -0,0 +1,28 @@
import * as plugins from '../plugins.js';
import type { AlertManager } from './classes.alertmanager.js';
@plugins.smartdata.Manager()
export class AlertRule extends plugins.smartdata.SmartDataDbDoc<
AlertRule,
plugins.idpInterfaces.data.IAlertRule,
AlertManager
> {
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IAlertRule['data'] = {
scope: 'global',
organizationId: undefined,
eventType: '',
minimumSeverity: 'medium',
recipientMode: 'global_admins',
recipientUserIds: [],
push: true,
enabled: true,
createdByUserId: '',
createdAt: 0,
updatedAt: 0,
};
}
ts/reception/classes.appmanager.ts
+26 -2
View File
@@ -59,7 +59,20 @@ export class AppManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetGlobalAppStats>(
'getGlobalAppStats',
async (requestArg) => {
await this.verifyGlobalAdmin(requestArg.jwt);
const jwtData = await this.verifyGlobalAdmin(requestArg.jwt);
const user = await this.receptionRef.userManager.CUser.getInstance({
id: jwtData.data.userId,
});
await this.receptionRef.alertManager.createAlertsForEvent({
category: 'admin',
eventType: 'global_admin_access',
severity: 'high',
title: 'Global admin console accessed',
body: `${user?.data?.email || 'A global admin'} accessed the global app administration dashboard.`,
actorUserId: jwtData.data.userId,
relatedEntityType: 'global-admin-console',
});
// Get all global apps (including inactive)
const globalApps = await this.CApp.getInstances({
@@ -198,7 +211,7 @@ export class AppManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RegenerateAppCredentials>(
'regenerateAppCredentials',
async (requestArg) => {
await this.verifyGlobalAdmin(requestArg.jwt);
const jwtData = await this.verifyGlobalAdmin(requestArg.jwt);
const app = await this.CApp.getInstance({ id: requestArg.appId });
if (!app) {
@@ -214,6 +227,17 @@ export class AppManager {
app.data.oauthCredentials.clientSecretHash = clientSecretHash;
await app.save();
await this.receptionRef.alertManager.createAlertsForEvent({
category: 'security',
eventType: 'global_app_credentials_regenerated',
severity: 'critical',
title: 'Global app credentials regenerated',
body: `OAuth credentials for ${app.data.name} were regenerated.`,
actorUserId: jwtData.data.userId,
relatedEntityId: app.id,
relatedEntityType: 'global-app',
});
return {
clientId,
clientSecret, // Only shown once
ts/reception/classes.emailactiontoken.ts
+49
View File
@@ -0,0 +1,49 @@
import * as plugins from '../plugins.js';
import { LoginSessionManager } from './classes.loginsessionmanager.js';
@plugins.smartdata.Manager()
export class EmailActionToken extends plugins.smartdata.SmartDataDbDoc<
EmailActionToken,
plugins.idpInterfaces.data.IEmailActionToken,
LoginSessionManager
> {
public static hashToken(tokenArg: string) {
return plugins.smarthash.sha256FromStringSync(tokenArg);
}
public static createOpaqueToken(actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction) {
return `${actionArg}_${plugins.crypto.randomBytes(32).toString('base64url')}`;
}
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IEmailActionToken['data'] = {
email: '',
action: 'emailLogin',
tokenHash: '',
validUntil: 0,
createdAt: 0,
};
public isExpired() {
return this.data.validUntil < Date.now();
}
public matchesToken(tokenArg: string) {
return this.data.tokenHash === EmailActionToken.hashToken(tokenArg);
}
public async consume(tokenArg: string) {
if (this.isExpired() || !this.matchesToken(tokenArg)) {
if (this.isExpired()) {
await this.delete();
}
return false;
}
await this.delete();
return true;
}
}
ts/reception/classes.housekeeping.ts
+90
View File
@@ -34,6 +34,96 @@ export class ReceptionHousekeeping {
'2 * * * * *'
);
this.taskmanager.addAndScheduleTask(
new plugins.taskbuffer.Task({
name: 'expiredEmailActionTokens',
taskFunction: async () => {
const expiredEmailActionTokens =
await this.receptionRef.loginSessionManager.CEmailActionToken.getInstances({
data: {
validUntil: {
$lt: Date.now(),
} as any,
},
});
for (const emailActionToken of expiredEmailActionTokens) {
await emailActionToken.delete();
}
},
}),
'2 * * * * *'
);
this.taskmanager.addAndScheduleTask(
new plugins.taskbuffer.Task({
name: 'expiredRegistrationSessions',
taskFunction: async () => {
const expiredRegistrationSessions =
await this.receptionRef.registrationSessionManager.CRegistrationSession.getInstances({
data: {
validUntil: {
$lt: Date.now(),
} as any,
},
});
for (const registrationSession of expiredRegistrationSessions) {
await registrationSession.delete();
}
},
}),
'2 * * * * *'
);
this.taskmanager.addAndScheduleTask(
new plugins.taskbuffer.Task({
name: 'expiredAbuseWindows',
taskFunction: async () => {
const expiredAbuseWindows =
await this.receptionRef.abuseProtectionManager.CAbuseWindow.getInstances({
data: {
validUntil: {
$lt: Date.now(),
} as any,
},
});
for (const abuseWindow of expiredAbuseWindows) {
await abuseWindow.delete();
}
},
}),
'2 * * * * *'
);
this.taskmanager.addAndScheduleTask(
new plugins.taskbuffer.Task({
name: 'expiredPassportChallenges',
taskFunction: async () => {
await this.receptionRef.passportManager.cleanupExpiredChallenges();
},
}),
'2 * * * * *'
);
this.taskmanager.addAndScheduleTask(
new plugins.taskbuffer.Task({
name: 'redeliverPassportChallengeHints',
taskFunction: async () => {
await this.receptionRef.passportManager.reDeliverPendingChallengeHints();
},
}),
'7 * * * * *'
);
this.taskmanager.addAndScheduleTask(
new plugins.taskbuffer.Task({
name: 'redeliverAlertHints',
taskFunction: async () => {
await this.receptionRef.alertManager.reDeliverPendingAlerts();
},
}),
'12 * * * * *'
);
this.taskmanager.start();
logger.log('info', 'housekeeping started');
}
ts/reception/classes.jwt.ts
+38 -16
View File
@@ -1,5 +1,6 @@
import * as plugins from '../plugins.js';
import { JwtManager } from './classes.jwtmanager.js';
import type { LoginSession } from './classes.loginsession.js';
/**
* a User is identified by its username or email.
@@ -11,21 +12,27 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
public static async createJwtForRefreshToken(
jwtManagerInstance: JwtManager,
refreshTokenArg: string
) {
const loginSession =
await jwtManagerInstance.receptionRef.loginSessionManager.CLoginSession.getLoginSessionByRefreshToken(
): Promise<string | null> {
const sessionLookup =
await jwtManagerInstance.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
refreshTokenArg
);
if (!loginSession) {
return null;
}
const refreshTokenValid = await loginSession.validateRefreshToken(refreshTokenArg);
if (!refreshTokenValid) {
if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
return null;
}
return this.createJwtForLoginSession(jwtManagerInstance, sessionLookup.loginSession);
}
public static async createJwtForLoginSession(
jwtManagerInstance: JwtManager,
loginSession: LoginSession
): Promise<string | null> {
const user = await jwtManagerInstance.receptionRef.userManager.CUser.getInstance({
id: loginSession.data.userId,
});
if (!user) {
return null;
}
const validUntil = plugins.smarttime.ExtendedDate.fromMillis(
Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 1 })
);
@@ -33,10 +40,10 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
jwt.id = plugins.smartunique.shortId();
jwt.data = {
userId: user.id,
sessionId: loginSession.id,
validUntil: validUntil.getTime(),
refreshEvery: 1000000,
refreshFrom: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 0.5 }),
refreshToken: await loginSession.getRefreshToken(), // TODO: handle multiple refresh tokens
justForLooks: {
validUntilIsoString: validUntil.toISOString(),
}
@@ -46,7 +53,7 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
const jwtString = await jwtManagerInstance.smartjwtInstance.createJWT({
id: jwt.id,
blocked: null,
blocked: false,
data: jwt.data,
} as plugins.idpInterfaces.data.IJwt);
return jwtString;
@@ -68,11 +75,26 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
}
public async getLoginSession() {
const loginSession = await this.manager.receptionRef.loginSessionManager.CLoginSession.getInstance({
data: {
refreshToken: this.data.refreshToken,
}
});
return loginSession;
if (this.data.sessionId) {
return this.manager.receptionRef.loginSessionManager.CLoginSession.getInstance({
id: this.data.sessionId,
});
}
if (!this.data.refreshToken) {
return null;
}
const sessionLookup =
await this.manager.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
this.data.refreshToken
);
if (!sessionLookup) {
return null;
}
return sessionLookup.loginSession;
}
}
ts/reception/classes.jwtmanager.ts
+40 -4
View File
@@ -25,10 +25,41 @@ export class JwtManager {
new plugins.typedrequest.TypedHandler(
'refreshJwt',
async (requestArg) => {
const resultJwt = await Jwt.createJwtForRefreshToken(this, requestArg.refreshToken);
const sessionLookup =
await this.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
requestArg.refreshToken
);
if (!sessionLookup || sessionLookup.validationStatus === 'invalid') {
return {
status: 'not found',
};
}
if (sessionLookup.validationStatus === 'invalidated') {
return {
status: 'invalidated',
};
}
if (sessionLookup.validationStatus === 'reused') {
await sessionLookup.loginSession.invalidate();
return {
status: 'invalidated',
};
}
const rotatedRefreshToken = await sessionLookup.loginSession.getRefreshToken();
const resultJwt = await Jwt.createJwtForLoginSession(this, sessionLookup.loginSession);
if (!rotatedRefreshToken || !resultJwt) {
return {
status: 'invalidated',
};
}
return {
status: 'loggedIn',
jwt: resultJwt,
refreshToken: rotatedRefreshToken,
};
}
)
@@ -120,19 +151,24 @@ export class JwtManager {
await this.pushPublicKeyToClients();
}
public async verifyJWTAndGetData(jwtArg: string): Promise<Jwt> {
public async verifyJWTAndGetData(jwtArg: string): Promise<Jwt | null> {
const jwtData: plugins.idpInterfaces.data.IJwt = await this.smartjwtInstance.verifyJWTAndGetData(jwtArg);
const jwt = await this.CJwt.getInstance({
id: jwtData.id,
});
if (!jwt) {
return null;
}
if (jwt.blocked) {
return null;
}
if (jwt) {
const loginSession = await jwt.getLoginSession();
if (!loginSession) {
if (!loginSession || loginSession.data.invalidated) {
await jwt.block();
this.blockedJwtIdList.push(jwt.id);
if (!this.blockedJwtIdList.includes(jwt.id)) {
this.blockedJwtIdList.push(jwt.id);
}
return null;
}
}
ts/reception/classes.loginsession.ts
+91 -11
View File
@@ -2,6 +2,8 @@ import * as plugins from '../plugins.js';
import { LoginSessionManager } from './classes.loginsessionmanager.js';
import { User } from './classes.user.js';
export type TRefreshTokenValidationResult = 'current' | 'invalid' | 'invalidated' | 'reused';
/**
* a LoginSession keeps track of a login over the whole time of the user being loggedin
*/
@@ -40,7 +42,14 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
}
public static async getLoginSessionByRefreshToken(refreshTokenArg: string) {
const loginSession = await LoginSession.getInstance({
const refreshTokenHash = await LoginSession.hashSessionToken(refreshTokenArg);
let loginSession = await LoginSession.getInstance({
'data.refreshTokenHash': refreshTokenHash,
});
if (loginSession) {
return loginSession;
}
loginSession = await LoginSession.getInstance({
data: {
refreshToken: refreshTokenArg,
},
@@ -48,6 +57,14 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
return loginSession;
}
public static async hashSessionToken(tokenArg: string) {
return plugins.smarthash.sha256FromString(tokenArg);
}
public static createOpaqueToken(prefixArg: string) {
return `${prefixArg}${plugins.crypto.randomBytes(32).toString('base64url')}`;
}
// ========
// INSTANCE
// ========
@@ -60,13 +77,17 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ weeks: 1 }),
invalidated: false,
refreshToken: null,
refreshTokenHash: null,
rotatedRefreshTokenHashes: [],
transferTokenHash: null,
transferTokenExpiresAt: null,
deviceId: null,
deviceInfo: null,
createdAt: Date.now(),
lastActive: Date.now(),
};
public transferToken: string;
public transferToken: string | null = null;
constructor() {
super();
@@ -77,40 +98,99 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
*/
public async invalidate() {
this.data.invalidated = true;
this.data.refreshToken = null;
this.data.refreshTokenHash = null;
this.data.transferTokenHash = null;
this.data.transferTokenExpiresAt = null;
await this.save();
}
/**
* a refresh token is unique to a login session and ONLY created once per login session
* a refresh token is unique to a login session and rotated whenever it is issued
* @returns
*/
public async getRefreshToken() {
if (this.data.invalidated) {
console.log('login session is invalidated. no refresh token can be generated.');
return null;
}
if (!this.data.refreshToken) {
this.data.refreshToken = plugins.smartunique.uni('refresh_');
const previousRefreshTokenHash =
this.data.refreshTokenHash ||
(this.data.refreshToken
? await LoginSession.hashSessionToken(this.data.refreshToken)
: null);
if (previousRefreshTokenHash) {
this.data.rotatedRefreshTokenHashes = [
...(this.data.rotatedRefreshTokenHashes || []),
previousRefreshTokenHash,
].slice(-5);
}
const refreshToken = LoginSession.createOpaqueToken('refresh_');
this.data.refreshTokenHash = await LoginSession.hashSessionToken(refreshToken);
this.data.refreshToken = null;
this.data.lastActive = Date.now();
await this.save();
return this.data.refreshToken;
return refreshToken;
}
public async getTransferToken() {
this.transferToken = plugins.smartunique.uni('transfer_');
this.transferToken = LoginSession.createOpaqueToken('transfer_');
this.data.transferTokenHash = await LoginSession.hashSessionToken(this.transferToken);
this.data.transferTokenExpiresAt =
Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 5 });
await this.save();
return this.transferToken;
}
public async validateRefreshToken(refreshTokenArg: string) {
return this.data.refreshToken === refreshTokenArg;
public async validateRefreshToken(
refreshTokenArg: string
): Promise<TRefreshTokenValidationResult> {
if (this.data.invalidated) {
return 'invalidated';
}
const refreshTokenHash = await LoginSession.hashSessionToken(refreshTokenArg);
if (
this.data.refreshTokenHash === refreshTokenHash ||
(!!this.data.refreshToken && this.data.refreshToken === refreshTokenArg)
) {
return 'current';
}
if ((this.data.rotatedRefreshTokenHashes || []).includes(refreshTokenHash)) {
return 'reused';
}
return 'invalid';
}
public async validateTransferToken(transferTokenArg: string) {
const result = this.transferToken === transferTokenArg;
if (this.data.invalidated || !this.data.transferTokenHash) {
return false;
}
if (
this.data.transferTokenExpiresAt &&
this.data.transferTokenExpiresAt < Date.now()
) {
this.data.transferTokenHash = null;
this.data.transferTokenExpiresAt = null;
await this.save();
return false;
}
const result =
this.data.transferTokenHash ===
(await LoginSession.hashSessionToken(transferTokenArg));
// a transfer token can only be used once, so we invalidate it here
if (result) {
this.transferToken = null;
this.data.transferTokenHash = null;
this.data.transferTokenExpiresAt = null;
await this.save();
}
return result;
}
ts/reception/classes.loginsessionmanager.ts
+268 -85
View File
@@ -1,27 +1,49 @@
import * as plugins from '../plugins.js';
import { LoginSession } from './classes.loginsession.js';
import { EmailActionToken } from './classes.emailactiontoken.js';
import { LoginSession, type TRefreshTokenValidationResult } from './classes.loginsession.js';
import { Reception } from './classes.reception.js';
import { logger } from './logging.js';
export class LoginSessionManager {
private readonly abuseProtectionConfigs = {
passwordLogin: {
maxAttempts: 5,
windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 30 }),
},
emailLoginRequest: {
maxAttempts: 5,
windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
},
emailLoginToken: {
maxAttempts: 5,
windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 30 }),
},
passwordResetRequest: {
maxAttempts: 5,
windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
},
passwordResetCompletion: {
maxAttempts: 5,
windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 30 }),
},
};
// refs
public receptionRef: Reception;
public get db() {
return this.receptionRef.db.smartdataDb;
}
public CEmailActionToken = plugins.smartdata.setDefaultManagerForDoc(this, EmailActionToken);
public CLoginSession = plugins.smartdata.setDefaultManagerForDoc(this, LoginSession);
public loginSessions = new plugins.lik.ObjectMap<LoginSession>();
public typedRouter = new plugins.typedrequest.TypedRouter();
public emailTokenMap = new plugins.lik.ObjectMap<{
email: string;
token: string;
action: 'emailLogin' | 'passwordReset';
}>();
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
@@ -29,12 +51,17 @@ export class LoginSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
'loginWithEmailOrUsernameAndPassword',
async (requestData) => {
const loginIdentifier = requestData.username;
await this.receptionRef.abuseProtectionManager.consumeAttempt(
'passwordLogin',
loginIdentifier,
this.abuseProtectionConfigs.passwordLogin,
'Too many login attempts. Please wait before trying again.'
);
let user = await this.receptionRef.userManager.CUser.getInstance({
data: {
username: requestData.username,
passwordHash: await this.receptionRef.userManager.CUser.hashPassword(
requestData.password
),
},
});
@@ -42,33 +69,34 @@ export class LoginSessionManager {
user = await this.receptionRef.userManager.CUser.getInstance({
data: {
email: requestData.username,
passwordHash: await this.receptionRef.userManager.CUser.hashPassword(
requestData.password
),
},
});
}
if (user) {
// lets recheck
if (
(user.data.username !== requestData.username &&
user.data.email !== requestData.username) ||
user.data.passwordHash !==
(await this.receptionRef.userManager.CUser.hashPassword(requestData.password))
) {
throw new Error(
'database returned a user that does not match wanted criterea. CRITICAL!'
if (user && (await this.receptionRef.userManager.CUser.verifyPassword(
requestData.password,
user.data.passwordHash
))) {
if (this.receptionRef.userManager.CUser.shouldUpgradePasswordHash(user.data.passwordHash)) {
user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
requestData.password
);
await user.save();
}
const loginSession = await LoginSession.createLoginSessionForUser(user);
this.loginSessions.add(loginSession);
const refreshToken = await loginSession.getRefreshToken();
if (!refreshToken) {
throw new plugins.typedrequest.TypedResponseError('Could not create login session');
}
await this.receptionRef.abuseProtectionManager.clearAttempts(
'passwordLogin',
loginIdentifier
);
return {
status: 'ok',
refreshToken: refreshToken,
refreshToken,
twoFaNeeded: false,
};
} else {
@@ -82,6 +110,12 @@ export class LoginSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmail>(
'loginWithEmail',
async (requestDataArg) => {
await this.receptionRef.abuseProtectionManager.consumeAttempt(
'emailLoginRequest',
requestDataArg.email,
this.abuseProtectionConfigs.emailLoginRequest,
'Too many magic link requests. Please wait before trying again.'
);
logger.log('info', `loginWithEmail requested for: ${requestDataArg.email}`);
const existingUser = await this.receptionRef.userManager.CUser.getInstance({
data: {
@@ -90,31 +124,21 @@ export class LoginSessionManager {
});
if (existingUser) {
logger.log('info', `loginWithEmail found user: ${existingUser.data.email}`);
this.emailTokenMap.findOneAndRemoveSync(
(itemArg) => itemArg.email === existingUser.data.email
const loginEmailToken = await this.createEmailActionToken(
existingUser.data.email,
'emailLogin'
);
const loginEmailToken = plugins.smartunique.uuid4();
this.emailTokenMap.add({
email: existingUser.data.email,
token: loginEmailToken,
action: 'emailLogin',
});
// lets make sure its only valid for 10 minutes
plugins.smartdelay.delayFor(600000, null, true).then(() => {
this.emailTokenMap.findOneAndRemoveSync(
(itemArg) => itemArg.token === loginEmailToken
);
});
this.receptionRef.receptionMailer.sendLoginWithEMailMail(existingUser, loginEmailToken);
return {
status: 'ok',
testOnlyToken: process.env.TEST_MODE ? loginEmailToken : undefined,
};
} else {
logger.log('info', `loginWithEmail did not find user: ${requestDataArg.email}`);
}
return {
status: 'ok',
testOnlyToken: process.env.TEST_MODE
? this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
.token
: null,
testOnlyToken: undefined,
};
}
)
@@ -124,19 +148,37 @@ export class LoginSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailAfterEmailTokenAquired>(
'loginWithEmailAfterEmailTokenAquired',
async (requestArg) => {
const tokenObject = this.emailTokenMap.findSync((itemArg) => {
return itemArg.email === requestArg.email && itemArg.token === requestArg.token;
});
await this.receptionRef.abuseProtectionManager.consumeAttempt(
'emailLoginToken',
requestArg.email,
this.abuseProtectionConfigs.emailLoginToken,
'Too many magic link attempts. Please wait before trying again.'
);
const tokenObject = await this.consumeEmailActionToken(
requestArg.email,
requestArg.token,
'emailLogin'
);
if (tokenObject) {
const user = await this.receptionRef.userManager.CUser.getInstance({
data: {
email: requestArg.email,
},
});
if (!user) {
throw new plugins.typedrequest.TypedResponseError('User not found');
}
const loginSession = await LoginSession.createLoginSessionForUser(user);
this.loginSessions.add(loginSession);
const refreshToken = await loginSession.getRefreshToken();
if (!refreshToken) {
throw new plugins.typedrequest.TypedResponseError('Could not create login session');
}
await this.receptionRef.abuseProtectionManager.clearAttempts(
'emailLoginToken',
requestArg.email
);
return {
refreshToken: await loginSession.getRefreshToken(),
refreshToken,
};
} else {
throw new plugins.typedrequest.TypedResponseError('Validation Token not found');
@@ -147,8 +189,11 @@ export class LoginSessionManager {
this.typedRouter.addTypedHandler<plugins.idpInterfaces.request.ILogoutRequest>(
new plugins.typedrequest.TypedHandler('logout', async (requestDataArg) => {
const loginSession = await this.CLoginSession.getLoginSessionByRefreshToken(requestDataArg.refreshToken);
await loginSession.invalidate();
const sessionLookup = await this.findLoginSessionByRefreshToken(requestDataArg.refreshToken);
if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
throw new plugins.typedrequest.TypedResponseError('Invalid refresh token');
}
await sessionLookup.loginSession.invalidate();
return {}
})
);
@@ -158,31 +203,39 @@ export class LoginSessionManager {
'exchangeRefreshTokenAndTransferToken',
async (requestDataArg) => {
switch (true) {
case !!requestDataArg.refreshToken:
const loginSession = await this.loginSessions.find(async (loginSessionArg) => {
return loginSessionArg.validateRefreshToken(requestDataArg.refreshToken);
});
if (!loginSession) {
case !!requestDataArg.refreshToken: {
const sessionLookup = await this.findLoginSessionByRefreshToken(
requestDataArg.refreshToken
);
if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
if (sessionLookup?.validationStatus === 'reused') {
await sessionLookup.loginSession.invalidate();
}
throw new plugins.typedrequest.TypedResponseError('your refresh token is invalid');
}
return {
transferToken: await loginSession.getTransferToken(),
transferToken: await sessionLookup.loginSession.getTransferToken(),
};
break;
case !!requestDataArg.transferToken:
let transferToken: string;
const loginSession2 = await this.loginSessions.find(async (loginSessionArg) => {
return loginSessionArg.validateTransferToken(requestDataArg.transferToken);
});
}
case !!requestDataArg.transferToken: {
const loginSession2 = await this.findLoginSessionByTransferToken(
requestDataArg.transferToken
);
if (!loginSession2) {
throw new plugins.typedrequest.TypedResponseError(
'Your transfer token is not valid.'
);
}
const refreshToken = await loginSession2.getRefreshToken();
if (!refreshToken) {
throw new plugins.typedrequest.TypedResponseError('Could not create login session');
}
return {
refreshToken: await loginSession2.getRefreshToken(),
refreshToken,
};
break;
}
default:
throw new plugins.typedrequest.TypedResponseError('Invalid token exchange request');
}
}
)
@@ -192,6 +245,12 @@ export class LoginSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ResetPassword>(
'resetPassword',
async (requestDataArg) => {
await this.receptionRef.abuseProtectionManager.consumeAttempt(
'passwordResetRequest',
requestDataArg.email,
this.abuseProtectionConfigs.passwordResetRequest,
'Too many password reset requests. Please wait before trying again.'
);
const emailOfPasswordToReset = requestDataArg.email;
const existingUser = await this.receptionRef.userManager.CUser.getInstance({
data: {
@@ -199,23 +258,13 @@ export class LoginSessionManager {
},
});
if (existingUser) {
this.emailTokenMap.findOneAndRemoveSync(
(itemArg) => itemArg.email === existingUser.data.email
const resetToken = await this.createEmailActionToken(
existingUser.data.email,
'passwordReset'
);
this.emailTokenMap.add({
email: existingUser.data.email,
token: plugins.smartunique.shortId(),
action: 'passwordReset',
});
plugins.smartdelay.delayFor(600000, null, true).then(() => {
this.emailTokenMap.findOneAndRemoveSync(
(itemArg) => itemArg.email === existingUser.data.email
);
});
this.receptionRef.receptionMailer.sendPasswordResetMail(
existingUser,
this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
.token
resetToken
);
}
// note: we always return ok here, since we don't want to give any indication as to wether a user is already registered with us.
@@ -230,6 +279,53 @@ export class LoginSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetNewPassword>(
'setNewPassword',
async (requestData) => {
await this.receptionRef.abuseProtectionManager.consumeAttempt(
'passwordResetCompletion',
requestData.email,
this.abuseProtectionConfigs.passwordResetCompletion,
'Too many password change attempts. Please wait before trying again.'
);
const user = await this.receptionRef.userManager.CUser.getInstance({
data: {
email: requestData.email,
},
});
if (!user) {
throw new plugins.typedrequest.TypedResponseError('User not found');
}
if (requestData.tokenArg) {
const tokenObject = await this.consumeEmailActionToken(
requestData.email,
requestData.tokenArg,
'passwordReset'
);
if (!tokenObject) {
throw new plugins.typedrequest.TypedResponseError('Password reset token invalid');
}
} else if (requestData.oldPassword) {
const passwordOk = await this.receptionRef.userManager.CUser.verifyPassword(
requestData.oldPassword,
user.data.passwordHash
);
if (!passwordOk) {
throw new plugins.typedrequest.TypedResponseError('Old password invalid');
}
} else {
throw new plugins.typedrequest.TypedResponseError(
'Either a reset token or the old password is required'
);
}
user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
requestData.newPassword
);
await user.save();
await this.receptionRef.abuseProtectionManager.clearAttempts(
'passwordResetCompletion',
requestData.email
);
return {
status: 'ok',
};
@@ -271,8 +367,7 @@ export class LoginSessionManager {
throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
}
// Get the current session's refresh token to identify the current session
const currentRefreshToken = jwt.data.refreshToken;
const currentLoginSession = await jwt.getLoginSession();
// Get all sessions for this user
const sessions = await this.CLoginSession.getInstances({
@@ -290,7 +385,7 @@ export class LoginSessionManager {
ip: session.data.deviceInfo?.ip || 'Unknown',
lastActive: session.data.lastActive || session.data.createdAt || Date.now(),
createdAt: session.data.createdAt || Date.now(),
isCurrent: session.data.refreshToken === currentRefreshToken,
isCurrent: session.id === currentLoginSession?.id,
})),
};
}
@@ -317,8 +412,10 @@ export class LoginSessionManager {
throw new plugins.typedrequest.TypedResponseError('Session not found');
}
const currentLoginSession = await jwt.getLoginSession();
// Don't allow revoking the current session via this method
if (sessionToRevoke.data.refreshToken === jwt.data.refreshToken) {
if (sessionToRevoke.id === currentLoginSession?.id) {
throw new plugins.typedrequest.TypedResponseError(
'Cannot revoke current session. Use logout instead.'
);
@@ -338,4 +435,90 @@ export class LoginSessionManager {
)
);
}
public async findLoginSessionByRefreshToken(refreshTokenArg: string): Promise<{
loginSession: LoginSession;
validationStatus: TRefreshTokenValidationResult;
} | null> {
const directMatch = await this.CLoginSession.getLoginSessionByRefreshToken(refreshTokenArg);
if (directMatch) {
return {
loginSession: directMatch,
validationStatus: await directMatch.validateRefreshToken(refreshTokenArg),
};
}
const loginSessions = await this.CLoginSession.getInstances({});
for (const loginSession of loginSessions) {
const validationStatus = await loginSession.validateRefreshToken(refreshTokenArg);
if (validationStatus !== 'invalid') {
return {
loginSession,
validationStatus,
};
}
}
return null;
}
public async findLoginSessionByTransferToken(transferTokenArg: string) {
const transferTokenHash = await LoginSession.hashSessionToken(transferTokenArg);
const loginSession = await this.CLoginSession.getInstance({
'data.transferTokenHash': transferTokenHash,
});
if (!loginSession) {
return null;
}
const isValid = await loginSession.validateTransferToken(transferTokenArg);
return isValid ? loginSession : null;
}
public async createEmailActionToken(
emailArg: string,
actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
) {
const existingTokens = await this.CEmailActionToken.getInstances({
'data.email': emailArg,
'data.action': actionArg,
});
for (const existingToken of existingTokens) {
await existingToken.delete();
}
const plainToken = EmailActionToken.createOpaqueToken(actionArg);
const emailActionToken = new EmailActionToken();
emailActionToken.id = plugins.smartunique.shortId();
emailActionToken.data = {
email: emailArg,
action: actionArg,
tokenHash: EmailActionToken.hashToken(plainToken),
validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
createdAt: Date.now(),
};
await emailActionToken.save();
return plainToken;
}
public async consumeEmailActionToken(
emailArg: string,
tokenArg: string,
actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
) {
const emailActionToken = await this.CEmailActionToken.getInstance({
'data.email': emailArg,
'data.action': actionArg,
'data.tokenHash': EmailActionToken.hashToken(tokenArg),
});
if (!emailActionToken) {
return null;
}
const consumed = await emailActionToken.consume(tokenArg);
return consumed ? emailActionToken : null;
}
}
ts/reception/classes.oidcaccesstoken.ts
+34
View File
@@ -0,0 +1,34 @@
import * as plugins from '../plugins.js';
import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
export class OidcAccessToken extends plugins.smartdata.SmartDataDbDoc<
OidcAccessToken,
plugins.idpInterfaces.data.IOidcAccessToken,
OidcManager
> {
public static hashToken(tokenArg: string) {
return plugins.smarthash.sha256FromStringSync(tokenArg);
}
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IOidcAccessToken['data'] = {
tokenHash: '',
clientId: '',
userId: '',
scopes: [],
expiresAt: 0,
issuedAt: 0,
};
public isExpired() {
return this.data.expiresAt < Date.now();
}
public matchesToken(tokenArg: string) {
return this.data.tokenHash === OidcAccessToken.hashToken(tokenArg);
}
}
ts/reception/classes.oidcauthorizationcode.ts
+44
View File
@@ -0,0 +1,44 @@
import * as plugins from '../plugins.js';
import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
export class OidcAuthorizationCode extends plugins.smartdata.SmartDataDbDoc<
OidcAuthorizationCode,
plugins.idpInterfaces.data.IAuthorizationCode,
OidcManager
> {
public static hashCode(codeArg: string) {
return plugins.smarthash.sha256FromStringSync(codeArg);
}
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IAuthorizationCode['data'] = {
codeHash: '',
clientId: '',
userId: '',
scopes: [],
redirectUri: '',
codeChallenge: undefined,
codeChallengeMethod: undefined,
nonce: undefined,
expiresAt: 0,
issuedAt: 0,
used: false,
};
public isExpired() {
return this.data.expiresAt < Date.now();
}
public matchesCode(codeArg: string) {
return this.data.codeHash === OidcAuthorizationCode.hashCode(codeArg);
}
public async markUsed() {
this.data.used = true;
await this.save();
}
}
ts/reception/classes.oidcmanager.ts
+349 -84
View File
@@ -1,36 +1,85 @@
import * as plugins from '../plugins.js';
import type { Reception } from './classes.reception.js';
import type { App } from './classes.app.js';
import { OidcAccessToken } from './classes.oidcaccesstoken.js';
import { OidcAuthorizationCode } from './classes.oidcauthorizationcode.js';
import { OidcRefreshToken } from './classes.oidcrefreshtoken.js';
import { OidcUserConsent } from './classes.oidcuserconsent.js';
/**
* OidcManager handles OpenID Connect (OIDC) server functionality
* for third-party client authentication.
*/
export class OidcManager {
private readonly abuseProtectionConfig = {
oidcTokenExchange: {
maxAttempts: 10,
windowMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
blockDurationMillis: plugins.smarttime.getMilliSecondsFromUnits({ minutes: 15 }),
},
};
public receptionRef: Reception;
public get db() {
return this.receptionRef.db.smartdataDb;
}
// In-memory store for authorization codes (short-lived, 10 min TTL)
private authorizationCodes = new Map<string, plugins.idpInterfaces.data.IAuthorizationCode>();
public typedRouter = new plugins.typedrequest.TypedRouter();
// In-memory store for access tokens (for validation)
private accessTokens = new Map<string, plugins.idpInterfaces.data.IOidcAccessToken>();
public COidcAuthorizationCode = plugins.smartdata.setDefaultManagerForDoc(
this,
OidcAuthorizationCode
);
// In-memory store for refresh tokens
private refreshTokens = new Map<string, plugins.idpInterfaces.data.IOidcRefreshToken>();
public COidcAccessToken = plugins.smartdata.setDefaultManagerForDoc(this, OidcAccessToken);
// In-memory store for user consents (should be persisted later)
private userConsents = new Map<string, plugins.idpInterfaces.data.IUserConsent>();
public COidcRefreshToken = plugins.smartdata.setDefaultManagerForDoc(this, OidcRefreshToken);
public COidcUserConsent = plugins.smartdata.setDefaultManagerForDoc(this, OidcUserConsent);
private cleanupInterval: ReturnType<typeof setInterval> | null = null;
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
// Start cleanup task for expired codes/tokens
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization>(
'prepareOidcAuthorization',
async (requestArg) => {
const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
if (!jwt) {
throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
}
return this.prepareAuthorizationForUser(jwt.data.userId, requestArg);
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization>(
'completeOidcAuthorization',
async (requestArg) => {
const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
if (!jwt) {
throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
}
return this.completeAuthorizationForUser(jwt.data.userId, requestArg);
}
)
);
this.startCleanupTask();
}
public async stop() {
if (this.cleanupInterval) {
clearInterval(this.cleanupInterval);
this.cleanupInterval = null;
}
}
/**
* Get the OIDC Discovery Document
*/
@@ -118,6 +167,10 @@ export class OidcManager {
return this.errorResponse('unsupported_response_type', 'Only code response type is supported');
}
if (prompt && !this.isSupportedPrompt(prompt)) {
return this.errorResponse('invalid_request', 'Unsupported prompt value');
}
// Validate code challenge method if present
if (codeChallenge && codeChallengeMethod !== 'S256') {
return this.errorResponse('invalid_request', 'Only S256 code challenge method is supported');
@@ -159,6 +212,9 @@ export class OidcManager {
if (nonce) {
loginUrl.searchParams.set('nonce', nonce);
}
if (prompt) {
loginUrl.searchParams.set('prompt', prompt);
}
return Response.redirect(loginUrl.toString(), 302);
}
@@ -174,9 +230,11 @@ export class OidcManager {
codeChallenge?: string,
nonce?: string
): Promise<string> {
const code = plugins.smartunique.shortId(32);
const authCode: plugins.idpInterfaces.data.IAuthorizationCode = {
code,
const code = this.createOpaqueToken();
const authCode = new OidcAuthorizationCode();
authCode.id = plugins.smartunique.shortId(12);
authCode.data = {
codeHash: OidcAuthorizationCode.hashCode(code),
clientId,
userId,
scopes,
@@ -184,14 +242,77 @@ export class OidcManager {
codeChallenge,
codeChallengeMethod: codeChallenge ? 'S256' : undefined,
nonce,
expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
expiresAt: Date.now() + 10 * 60 * 1000,
issuedAt: Date.now(),
used: false,
};
this.authorizationCodes.set(code, authCode);
await authCode.save();
return code;
}
public async prepareAuthorizationForUser(
userIdArg: string,
requestArg: Omit<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['request'], 'jwt'>
): Promise<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['response']> {
const resolvedRequest = await this.resolveAuthorizationRequest(requestArg);
const consentState = await this.evaluateConsentRequirement(
userIdArg,
resolvedRequest.clientId,
resolvedRequest.validScopes,
resolvedRequest.prompt
);
return {
status: consentState.consentRequired ? ('consent_required' as const) : ('ready' as const),
clientId: resolvedRequest.clientId,
appName: resolvedRequest.app.data.name,
appUrl: resolvedRequest.app.data.appUrl,
logoUrl: resolvedRequest.app.data.logoUrl,
requestedScopes: resolvedRequest.validScopes,
grantedScopes: consentState.grantedScopes,
};
}
public async completeAuthorizationForUser(
userIdArg: string,
requestArg: Omit<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'], 'jwt'>
) {
const resolvedRequest = await this.resolveAuthorizationRequest(requestArg);
const consentState = await this.evaluateConsentRequirement(
userIdArg,
resolvedRequest.clientId,
resolvedRequest.validScopes,
resolvedRequest.prompt
);
if (consentState.consentRequired && !requestArg.consentApproved) {
throw new Error('Consent required');
}
if (requestArg.consentApproved) {
await this.upsertUserConsent(userIdArg, resolvedRequest.clientId, resolvedRequest.validScopes);
}
const code = await this.generateAuthorizationCode(
resolvedRequest.clientId,
userIdArg,
resolvedRequest.validScopes,
resolvedRequest.redirectUri,
resolvedRequest.codeChallenge,
resolvedRequest.nonce
);
const redirectUrl = new URL(resolvedRequest.redirectUri);
redirectUrl.searchParams.set('code', code);
redirectUrl.searchParams.set('state', resolvedRequest.state);
return {
code,
redirectUrl: redirectUrl.toString(),
};
}
/**
* Handle the token endpoint request
*/
@@ -222,6 +343,13 @@ export class OidcManager {
return this.tokenErrorResponse('invalid_client', 'Missing client_id');
}
await this.receptionRef.abuseProtectionManager.consumeAttempt(
'oidcTokenExchange',
clientId,
this.abuseProtectionConfig.oidcTokenExchange,
'Too many token endpoint attempts. Please wait before retrying.'
);
// Find and validate app
const app = await this.findAppByClientId(clientId);
if (!app) {
@@ -236,13 +364,20 @@ export class OidcManager {
}
}
let response: Response;
if (grantType === 'authorization_code') {
return this.handleAuthorizationCodeGrant(formData, app);
response = await this.handleAuthorizationCodeGrant(formData, app);
} else if (grantType === 'refresh_token') {
return this.handleRefreshTokenGrant(formData, app);
response = await this.handleRefreshTokenGrant(formData, app);
} else {
return this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
response = this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
}
if (response.status === 200) {
await this.receptionRef.abuseProtectionManager.clearAttempts('oidcTokenExchange', clientId);
}
return response;
}
/**
@@ -261,50 +396,48 @@ export class OidcManager {
}
// Find and validate authorization code
const authCode = this.authorizationCodes.get(code);
const authCode = await this.getAuthorizationCodeByCode(code);
if (!authCode) {
return this.tokenErrorResponse('invalid_grant', 'Invalid authorization code');
}
if (authCode.used) {
// Code reuse attack - revoke all tokens for this code
this.authorizationCodes.delete(code);
if (authCode.data.used) {
return this.tokenErrorResponse('invalid_grant', 'Authorization code already used');
}
if (authCode.expiresAt < Date.now()) {
this.authorizationCodes.delete(code);
if (authCode.isExpired()) {
await authCode.delete();
return this.tokenErrorResponse('invalid_grant', 'Authorization code expired');
}
if (authCode.clientId !== app.data.oauthCredentials.clientId) {
if (authCode.data.clientId !== app.data.oauthCredentials.clientId) {
return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
}
if (authCode.redirectUri !== redirectUri) {
if (authCode.data.redirectUri !== redirectUri) {
return this.tokenErrorResponse('invalid_grant', 'Redirect URI mismatch');
}
// Verify PKCE if code challenge was used
if (authCode.codeChallenge) {
if (authCode.data.codeChallenge) {
if (!codeVerifier) {
return this.tokenErrorResponse('invalid_grant', 'Code verifier required');
}
const expectedChallenge = this.generateS256Challenge(codeVerifier);
if (expectedChallenge !== authCode.codeChallenge) {
if (expectedChallenge !== authCode.data.codeChallenge) {
return this.tokenErrorResponse('invalid_grant', 'Invalid code verifier');
}
}
// Mark code as used
authCode.used = true;
await authCode.markUsed();
// Generate tokens
const tokens = await this.generateTokens(
authCode.userId,
authCode.data.userId,
app.data.oauthCredentials.clientId,
authCode.scopes,
authCode.nonce
authCode.data.scopes,
authCode.data.nonce
);
return new Response(JSON.stringify(tokens), {
@@ -330,31 +463,30 @@ export class OidcManager {
return this.tokenErrorResponse('invalid_request', 'Missing refresh_token');
}
const tokenHash = await plugins.smarthash.sha256FromString(refreshToken);
const storedToken = this.refreshTokens.get(tokenHash);
const storedToken = await this.getRefreshTokenByToken(refreshToken);
if (!storedToken) {
return this.tokenErrorResponse('invalid_grant', 'Invalid refresh token');
}
if (storedToken.revoked) {
if (storedToken.data.revoked) {
return this.tokenErrorResponse('invalid_grant', 'Refresh token has been revoked');
}
if (storedToken.expiresAt < Date.now()) {
this.refreshTokens.delete(tokenHash);
if (storedToken.isExpired()) {
await storedToken.delete();
return this.tokenErrorResponse('invalid_grant', 'Refresh token expired');
}
if (storedToken.clientId !== app.data.oauthCredentials.clientId) {
if (storedToken.data.clientId !== app.data.oauthCredentials.clientId) {
return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
}
// Generate new tokens (without new refresh token by default)
const tokens = await this.generateTokens(
storedToken.userId,
storedToken.clientId,
storedToken.scopes,
storedToken.data.userId,
storedToken.data.clientId,
storedToken.data.scopes,
undefined,
false // Don't generate new refresh token
);
@@ -384,18 +516,18 @@ export class OidcManager {
const refreshTokenLifetime = 30 * 24 * 3600; // 30 days
// Generate access token
const accessToken = plugins.smartunique.shortId(32);
const accessTokenHash = await plugins.smarthash.sha256FromString(accessToken);
const accessTokenData: plugins.idpInterfaces.data.IOidcAccessToken = {
id: plugins.smartunique.shortId(8),
tokenHash: accessTokenHash,
const accessToken = this.createOpaqueToken();
const accessTokenData = new OidcAccessToken();
accessTokenData.id = plugins.smartunique.shortId(12);
accessTokenData.data = {
tokenHash: OidcAccessToken.hashToken(accessToken),
clientId,
userId,
scopes,
expiresAt: now + accessTokenLifetime * 1000,
issuedAt: now,
};
this.accessTokens.set(accessTokenHash, accessTokenData);
await accessTokenData.save();
// Generate ID token (JWT)
const idToken = await this.generateIdToken(userId, clientId, scopes, nonce);
@@ -410,11 +542,11 @@ export class OidcManager {
// Generate refresh token if requested
if (includeRefreshToken) {
const refreshToken = plugins.smartunique.shortId(48);
const refreshTokenHash = await plugins.smarthash.sha256FromString(refreshToken);
const refreshTokenData: plugins.idpInterfaces.data.IOidcRefreshToken = {
id: plugins.smartunique.shortId(8),
tokenHash: refreshTokenHash,
const refreshToken = this.createOpaqueToken(48);
const refreshTokenData = new OidcRefreshToken();
refreshTokenData.id = plugins.smartunique.shortId(12);
refreshTokenData.data = {
tokenHash: OidcRefreshToken.hashToken(refreshToken),
clientId,
userId,
scopes,
@@ -422,7 +554,7 @@ export class OidcManager {
issuedAt: now,
revoked: false,
};
this.refreshTokens.set(refreshTokenHash, refreshTokenData);
await refreshTokenData.save();
response.refresh_token = refreshToken;
}
@@ -482,8 +614,7 @@ export class OidcManager {
}
const accessToken = authHeader.substring(7);
const tokenHash = await plugins.smarthash.sha256FromString(accessToken);
const tokenData = this.accessTokens.get(tokenHash);
const tokenData = await this.getAccessTokenByToken(accessToken);
if (!tokenData) {
return new Response(JSON.stringify({ error: 'invalid_token' }), {
@@ -495,8 +626,8 @@ export class OidcManager {
});
}
if (tokenData.expiresAt < Date.now()) {
this.accessTokens.delete(tokenHash);
if (tokenData.isExpired()) {
await tokenData.delete();
return new Response(JSON.stringify({ error: 'invalid_token', error_description: 'Token expired' }), {
status: 401,
headers: {
@@ -507,7 +638,7 @@ export class OidcManager {
}
// Get user claims based on token scopes
const userInfo = await this.getUserClaims(tokenData.userId, tokenData.scopes);
const userInfo = await this.getUserClaims(tokenData.data.userId, tokenData.data.scopes);
return new Response(JSON.stringify(userInfo), {
status: 200,
@@ -583,21 +714,20 @@ export class OidcManager {
return new Response(null, { status: 200 }); // Spec says always return 200
}
const tokenHash = await plugins.smarthash.sha256FromString(token);
// Try to revoke as refresh token
if (!tokenTypeHint || tokenTypeHint === 'refresh_token') {
const refreshToken = this.refreshTokens.get(tokenHash);
const refreshToken = await this.getRefreshTokenByToken(token);
if (refreshToken) {
refreshToken.revoked = true;
await refreshToken.revoke();
return new Response(null, { status: 200 });
}
}
// Try to revoke as access token
if (!tokenTypeHint || tokenTypeHint === 'access_token') {
if (this.accessTokens.has(tokenHash)) {
this.accessTokens.delete(tokenHash);
const accessToken = await this.getAccessTokenByToken(token);
if (accessToken) {
await accessToken.delete();
return new Response(null, { status: 200 });
}
}
@@ -616,6 +746,125 @@ export class OidcManager {
return apps[0] || null;
}
private isSupportedPrompt(promptArg: string): promptArg is 'none' | 'login' | 'consent' {
return ['none', 'login', 'consent'].includes(promptArg);
}
private async resolveAuthorizationRequest(
requestArg: Pick<
plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'],
'clientId' | 'redirectUri' | 'scope' | 'state' | 'prompt' | 'codeChallenge' | 'codeChallengeMethod' | 'nonce'
>
) {
if (!requestArg.clientId || !requestArg.redirectUri || !requestArg.scope || !requestArg.state) {
throw new Error('Missing required OAuth authorization parameters');
}
if (requestArg.prompt && !this.isSupportedPrompt(requestArg.prompt)) {
throw new Error('Unsupported prompt value');
}
if (requestArg.codeChallenge && requestArg.codeChallengeMethod !== 'S256') {
throw new Error('Only S256 code challenge method is supported');
}
const app = await this.findAppByClientId(requestArg.clientId);
if (!app) {
throw new Error('Unknown client_id');
}
if (!app.data.oauthCredentials.redirectUris.includes(requestArg.redirectUri)) {
throw new Error('Invalid redirect_uri');
}
const requestedScopes = requestArg.scope
.split(' ')
.filter(Boolean) as plugins.idpInterfaces.data.TOidcScope[];
const allowedScopes =
app.data.oauthCredentials.allowedScopes as plugins.idpInterfaces.data.TOidcScope[];
const validScopes = requestedScopes.filter((scopeArg) => allowedScopes.includes(scopeArg));
if (!validScopes.includes('openid')) {
throw new Error('openid scope is required');
}
return {
app,
clientId: requestArg.clientId,
redirectUri: requestArg.redirectUri,
state: requestArg.state,
prompt: requestArg.prompt,
codeChallenge: requestArg.codeChallenge,
codeChallengeMethod: requestArg.codeChallengeMethod,
nonce: requestArg.nonce,
validScopes,
};
}
private async evaluateConsentRequirement(
userIdArg: string,
clientIdArg: string,
scopesArg: plugins.idpInterfaces.data.TOidcScope[],
promptArg?: 'none' | 'login' | 'consent'
) {
const existingConsent = await this.getUserConsent(userIdArg, clientIdArg);
const grantedScopes = existingConsent?.data.scopes || [];
const missingScopes = scopesArg.filter((scopeArg) => !grantedScopes.includes(scopeArg));
return {
grantedScopes,
missingScopes,
consentRequired: promptArg === 'consent' || missingScopes.length > 0,
};
}
private createOpaqueToken(byteLength = 32): string {
return plugins.crypto.randomBytes(byteLength).toString('base64url');
}
private async getAuthorizationCodeByCode(codeArg: string) {
return this.COidcAuthorizationCode.getInstance({
'data.codeHash': OidcAuthorizationCode.hashCode(codeArg),
});
}
private async getAccessTokenByToken(tokenArg: string) {
return this.COidcAccessToken.getInstance({
'data.tokenHash': OidcAccessToken.hashToken(tokenArg),
});
}
private async getRefreshTokenByToken(tokenArg: string) {
return this.COidcRefreshToken.getInstance({
'data.tokenHash': OidcRefreshToken.hashToken(tokenArg),
});
}
public async getUserConsent(userIdArg: string, clientIdArg: string) {
return this.COidcUserConsent.getInstance({
'data.userId': userIdArg,
'data.clientId': clientIdArg,
});
}
public async upsertUserConsent(
userIdArg: string,
clientIdArg: string,
scopesArg: plugins.idpInterfaces.data.TOidcScope[]
) {
let userConsent = await this.getUserConsent(userIdArg, clientIdArg);
if (!userConsent) {
userConsent = new OidcUserConsent();
userConsent.id = plugins.smartunique.shortId(12);
userConsent.data.userId = userIdArg;
userConsent.data.clientId = clientIdArg;
}
await userConsent.grantScopes(scopesArg);
return userConsent;
}
/**
* Generate S256 PKCE challenge from verifier
*/
@@ -655,29 +904,45 @@ export class OidcManager {
* Start cleanup task for expired tokens/codes
*/
private startCleanupTask(): void {
setInterval(() => {
const now = Date.now();
this.cleanupInterval = setInterval(() => {
void this.cleanupExpiredOidcState();
}, 60 * 1000);
}
// Clean up expired authorization codes
for (const [code, data] of this.authorizationCodes) {
if (data.expiresAt < now) {
this.authorizationCodes.delete(code);
}
}
private async cleanupExpiredOidcState() {
const now = Date.now();
// Clean up expired access tokens
for (const [hash, data] of this.accessTokens) {
if (data.expiresAt < now) {
this.accessTokens.delete(hash);
}
}
const expiredAuthorizationCodes = await this.COidcAuthorizationCode.getInstances({
data: {
expiresAt: {
$lt: now,
} as any,
},
});
for (const authCode of expiredAuthorizationCodes) {
await authCode.delete();
}
// Clean up expired refresh tokens
for (const [hash, data] of this.refreshTokens) {
if (data.expiresAt < now) {
this.refreshTokens.delete(hash);
}
}
}, 60 * 1000); // Run every minute
const expiredAccessTokens = await this.COidcAccessToken.getInstances({
data: {
expiresAt: {
$lt: now,
} as any,
},
});
for (const accessToken of expiredAccessTokens) {
await accessToken.delete();
}
const expiredRefreshTokens = await this.COidcRefreshToken.getInstances({
data: {
expiresAt: {
$lt: now,
} as any,
},
});
for (const refreshToken of expiredRefreshTokens) {
await refreshToken.delete();
}
}
}
ts/reception/classes.oidcrefreshtoken.ts
+40
View File
@@ -0,0 +1,40 @@
import * as plugins from '../plugins.js';
import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
export class OidcRefreshToken extends plugins.smartdata.SmartDataDbDoc<
OidcRefreshToken,
plugins.idpInterfaces.data.IOidcRefreshToken,
OidcManager
> {
public static hashToken(tokenArg: string) {
return plugins.smarthash.sha256FromStringSync(tokenArg);
}
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IOidcRefreshToken['data'] = {
tokenHash: '',
clientId: '',
userId: '',
scopes: [],
expiresAt: 0,
issuedAt: 0,
revoked: false,
};
public isExpired() {
return this.data.expiresAt < Date.now();
}
public matchesToken(tokenArg: string) {
return this.data.tokenHash === OidcRefreshToken.hashToken(tokenArg);
}
public async revoke() {
this.data.revoked = true;
await this.save();
}
}
ts/reception/classes.oidcuserconsent.ts
+30
View File
@@ -0,0 +1,30 @@
import * as plugins from '../plugins.js';
import type { OidcManager } from './classes.oidcmanager.js';
@plugins.smartdata.Manager()
export class OidcUserConsent extends plugins.smartdata.SmartDataDbDoc<
OidcUserConsent,
plugins.idpInterfaces.data.IUserConsent,
OidcManager
> {
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IUserConsent['data'] = {
userId: '',
clientId: '',
scopes: [],
grantedAt: 0,
updatedAt: 0,
};
public async grantScopes(scopesArg: plugins.idpInterfaces.data.TOidcScope[]) {
this.data.scopes = [...new Set([...this.data.scopes, ...scopesArg])];
if (!this.data.grantedAt) {
this.data.grantedAt = Date.now();
}
this.data.updatedAt = Date.now();
await this.save();
}
}
ts/reception/classes.passportchallenge.ts
+59
View File
@@ -0,0 +1,59 @@
import * as plugins from '../plugins.js';
import type { PassportManager } from './classes.passportmanager.js';
@plugins.smartdata.Manager()
export class PassportChallenge extends plugins.smartdata.SmartDataDbDoc<
PassportChallenge,
plugins.idpInterfaces.data.IPassportChallenge,
PassportManager
> {
public static hashToken(tokenArg: string) {
return plugins.smarthash.sha256FromStringSync(tokenArg);
}
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IPassportChallenge['data'] = {
userId: '',
deviceId: null,
type: 'device_enrollment',
status: 'pending',
tokenHash: null,
challenge: '',
metadata: {
originHost: undefined,
audience: undefined,
notificationTitle: undefined,
deviceLabel: undefined,
requireLocation: false,
requireNfc: false,
requestedCapabilities: undefined,
},
evidence: undefined,
notification: undefined,
createdAt: 0,
expiresAt: 0,
completedAt: null,
};
public isExpired(nowArg = Date.now()) {
return this.data.expiresAt < nowArg;
}
public async markApproved(
evidenceArg?: plugins.idpInterfaces.data.IPassportChallenge['data']['evidence']
) {
this.data.status = 'approved';
this.data.completedAt = Date.now();
this.data.evidence = evidenceArg;
await this.save();
}
public async markExpired() {
this.data.status = 'expired';
await this.save();
}
}
ts/reception/classes.passportdevice.ts
+37
View File
@@ -0,0 +1,37 @@
import * as plugins from '../plugins.js';
import type { PassportManager } from './classes.passportmanager.js';
@plugins.smartdata.Manager()
export class PassportDevice extends plugins.smartdata.SmartDataDbDoc<
PassportDevice,
plugins.idpInterfaces.data.IPassportDevice,
PassportManager
> {
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IPassportDevice['data'] = {
userId: '',
label: '',
platform: 'unknown',
status: 'active',
publicKeyAlgorithm: 'p256',
publicKeyX963Base64: '',
capabilities: {
gps: false,
nfc: false,
push: false,
},
pushRegistration: undefined,
appVersion: undefined,
createdAt: 0,
lastSeenAt: undefined,
lastChallengeAt: undefined,
};
public isActive() {
return this.data.status === 'active';
}
}
ts/reception/classes.passportmanager.ts
+816
View File
@@ -0,0 +1,816 @@
import * as plugins from '../plugins.js';
import { PassportChallenge } from './classes.passportchallenge.js';
import { PassportDevice } from './classes.passportdevice.js';
import { PassportNonce } from './classes.passportnonce.js';
import { logger } from './logging.js';
import { Reception } from './classes.reception.js';
export class PassportManager {
private readonly enrollmentChallengeMillis = plugins.smarttime.getMilliSecondsFromUnits({
minutes: 10,
});
private readonly assertionChallengeMillis = plugins.smarttime.getMilliSecondsFromUnits({
minutes: 5,
});
private readonly deviceRequestWindowMillis = plugins.smarttime.getMilliSecondsFromUnits({
minutes: 5,
});
public receptionRef: Reception;
public get db() {
return this.receptionRef.db.smartdataDb;
}
public typedRouter = new plugins.typedrequest.TypedRouter();
public CPassportDevice = plugins.smartdata.setDefaultManagerForDoc(this, PassportDevice);
public CPassportChallenge = plugins.smartdata.setDefaultManagerForDoc(this, PassportChallenge);
public CPassportNonce = plugins.smartdata.setDefaultManagerForDoc(this, PassportNonce);
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CreatePassportEnrollmentChallenge>(
'createPassportEnrollmentChallenge',
async (requestArg) => {
const userId = await this.getAuthenticatedUserId(requestArg.jwt);
const enrollmentChallenge = await this.createEnrollmentChallengeForUser(userId, {
deviceLabel: requestArg.deviceLabel,
platform: requestArg.platform,
appVersion: requestArg.appVersion,
capabilities: requestArg.capabilities,
});
return {
challengeId: enrollmentChallenge.challenge.id,
pairingToken: enrollmentChallenge.pairingToken,
pairingPayload: enrollmentChallenge.pairingPayload,
signingPayload: enrollmentChallenge.signingPayload,
expiresAt: enrollmentChallenge.challenge.data.expiresAt,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CompletePassportEnrollment>(
'completePassportEnrollment',
async (requestArg) => {
const passportDevice = await this.completeEnrollment({
pairingToken: requestArg.pairingToken,
deviceLabel: requestArg.deviceLabel,
platform: requestArg.platform,
publicKeyX963Base64: requestArg.publicKeyX963Base64,
signatureBase64: requestArg.signatureBase64,
signatureFormat: requestArg.signatureFormat,
appVersion: requestArg.appVersion,
capabilities: requestArg.capabilities,
});
return {
device: {
id: passportDevice.id,
data: passportDevice.data,
},
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetPassportDevices>(
'getPassportDevices',
async (requestArg) => {
const userId = await this.getAuthenticatedUserId(requestArg.jwt);
const devices = await this.getPassportDevicesForUser(userId);
return {
devices: devices.map((deviceArg) => ({
id: deviceArg.id,
data: deviceArg.data,
})),
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RevokePassportDevice>(
'revokePassportDevice',
async (requestArg) => {
const userId = await this.getAuthenticatedUserId(requestArg.jwt);
await this.revokePassportDeviceForUser(userId, requestArg.deviceId);
return {
success: true,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CreatePassportChallenge>(
'createPassportChallenge',
async (requestArg) => {
const userId = await this.getAuthenticatedUserId(requestArg.jwt);
const challengeResult = await this.createPassportChallengeForUser(userId, {
type: requestArg.type,
preferredDeviceId: requestArg.preferredDeviceId,
audience: requestArg.audience,
notificationTitle: requestArg.notificationTitle,
requireLocation: requestArg.requireLocation,
requireNfc: requestArg.requireNfc,
});
return {
challengeId: challengeResult.challenge.id,
challenge: challengeResult.challenge.data.challenge,
signingPayload: challengeResult.signingPayload,
deviceId: challengeResult.challenge.data.deviceId!,
expiresAt: challengeResult.challenge.data.expiresAt,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ApprovePassportChallenge>(
'approvePassportChallenge',
async (requestArg) => {
const passportChallenge = await this.approvePassportChallenge({
challengeId: requestArg.challengeId,
deviceId: requestArg.deviceId,
signatureBase64: requestArg.signatureBase64,
signatureFormat: requestArg.signatureFormat,
location: requestArg.location,
nfc: requestArg.nfc,
});
return {
success: true,
challenge: {
id: passportChallenge.id,
data: passportChallenge.data,
},
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RegisterPassportPushToken>(
'registerPassportPushToken',
async (requestArg) => {
const passportDevice = await this.authenticatePassportDeviceRequest(requestArg, {
action: 'registerPassportPushToken',
signedFields: [
`provider=${requestArg.provider}`,
`token=${requestArg.token}`,
`topic=${requestArg.topic}`,
`environment=${requestArg.environment}`,
],
});
passportDevice.data.pushRegistration = {
provider: requestArg.provider,
token: requestArg.token,
topic: requestArg.topic,
environment: requestArg.environment,
registeredAt: Date.now(),
lastDeliveredAt: passportDevice.data.pushRegistration?.lastDeliveredAt,
lastError: undefined,
};
passportDevice.data.lastSeenAt = Date.now();
await passportDevice.save();
return {
success: true,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ListPendingPassportChallenges>(
'listPendingPassportChallenges',
async (requestArg) => {
const passportDevice = await this.authenticatePassportDeviceRequest(requestArg, {
action: 'listPendingPassportChallenges',
});
const challenges = await this.listPendingChallengesForDevice(passportDevice.id);
return {
challenges: challenges.map((challengeArg) => ({
id: challengeArg.id,
data: challengeArg.data,
})),
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetPassportChallengeByHint>(
'getPassportChallengeByHint',
async (requestArg) => {
const passportDevice = await this.authenticatePassportDeviceRequest(requestArg, {
action: 'getPassportChallengeByHint',
signedFields: [`hint_id=${requestArg.hintId}`],
});
const passportChallenge = await this.getPassportChallengeByHint(passportDevice.id, requestArg.hintId);
return {
challenge: passportChallenge
? {
id: passportChallenge.id,
data: passportChallenge.data,
}
: undefined,
};
}
)
);
this.typedRouter.addTypedHandler(
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_MarkPassportChallengeSeen>(
'markPassportChallengeSeen',
async (requestArg) => {
const passportDevice = await this.authenticatePassportDeviceRequest(requestArg, {
action: 'markPassportChallengeSeen',
signedFields: [`hint_id=${requestArg.hintId}`],
});
await this.markPassportChallengeSeen(passportDevice.id, requestArg.hintId);
return {
success: true,
};
}
)
);
}
private async getAuthenticatedUserId(jwtArg: string) {
const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtArg);
if (!jwt) {
throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
}
return jwt.data.userId;
}
private getOriginHost() {
return new URL(this.receptionRef.options.baseUrl).host;
}
private createOpaqueToken(prefixArg: string) {
return `${prefixArg}${plugins.crypto.randomBytes(32).toString('base64url')}`;
}
private buildDeviceRequestSigningPayload(
requestArg: plugins.idpInterfaces.request.IPassportDeviceSignedRequest,
actionArg: string,
signedFieldsArg: string[] = []
) {
return [
'purpose=passport-device-request',
`origin=${this.getOriginHost()}`,
`action=${actionArg}`,
`device_id=${requestArg.deviceId}`,
`timestamp=${requestArg.timestamp}`,
`nonce=${requestArg.nonce}`,
...signedFieldsArg,
].join('\n');
}
private async consumePassportNonce(deviceIdArg: string, nonceArg: string, timestampArg: number) {
const now = Date.now();
if (Math.abs(now - timestampArg) > this.deviceRequestWindowMillis) {
throw new plugins.typedrequest.TypedResponseError('Passport device request timestamp expired');
}
const existingNonce = await this.CPassportNonce.getInstance({
id: PassportNonce.hashNonce(`${deviceIdArg}:${nonceArg}`),
});
if (existingNonce && !existingNonce.isExpired(now)) {
throw new plugins.typedrequest.TypedResponseError('Passport device request replay detected');
}
const passportNonce = existingNonce || new PassportNonce();
passportNonce.id = PassportNonce.hashNonce(`${deviceIdArg}:${nonceArg}`);
passportNonce.data = {
deviceId: deviceIdArg,
nonceHash: PassportNonce.hashNonce(nonceArg),
createdAt: now,
expiresAt: now + this.deviceRequestWindowMillis,
};
await passportNonce.save();
}
public async authenticatePassportDeviceRequest(
requestArg: plugins.idpInterfaces.request.IPassportDeviceSignedRequest,
optionsArg: {
action: string;
signedFields?: string[];
}
) {
const passportDevice = await this.CPassportDevice.getInstance({
id: requestArg.deviceId,
'data.status': 'active',
});
if (!passportDevice) {
throw new plugins.typedrequest.TypedResponseError('Passport device not found');
}
const verified = this.verifyPassportSignature(
passportDevice.data.publicKeyX963Base64,
requestArg.signatureBase64,
requestArg.signatureFormat || 'raw',
this.buildDeviceRequestSigningPayload(
requestArg,
optionsArg.action,
optionsArg.signedFields || []
)
);
if (!verified) {
throw new plugins.typedrequest.TypedResponseError('Passport device signature invalid');
}
await this.consumePassportNonce(requestArg.deviceId, requestArg.nonce, requestArg.timestamp);
passportDevice.data.lastSeenAt = Date.now();
await passportDevice.save();
return passportDevice;
}
private normalizeCapabilities(
capabilitiesArg?: Partial<plugins.idpInterfaces.data.IPassportCapabilities>
): plugins.idpInterfaces.data.IPassportCapabilities {
return {
gps: !!capabilitiesArg?.gps,
nfc: !!capabilitiesArg?.nfc,
push: !!capabilitiesArg?.push,
};
}
private buildEnrollmentSigningPayload(pairingTokenArg: string, challengeArg: PassportChallenge) {
return [
'purpose=passport-enrollment',
`origin=${this.getOriginHost()}`,
`token=${pairingTokenArg}`,
`challenge=${challengeArg.data.challenge}`,
`challenge_id=${challengeArg.id}`,
].join('\n');
}
private buildChallengeSigningPayload(challengeArg: PassportChallenge) {
return [
'purpose=passport-challenge',
`origin=${this.getOriginHost()}`,
`challenge=${challengeArg.data.challenge}`,
`challenge_id=${challengeArg.id}`,
`type=${challengeArg.data.type}`,
`device_id=${challengeArg.data.deviceId || ''}`,
`audience=${challengeArg.data.metadata.audience || ''}`,
`require_location=${challengeArg.data.metadata.requireLocation}`,
`require_nfc=${challengeArg.data.metadata.requireNfc}`,
].join('\n');
}
private createPairingPayload(
pairingTokenArg: string,
challengeArg: PassportChallenge,
deviceLabelArg: string
) {
const searchParams = new URLSearchParams({
token: pairingTokenArg,
challenge: challengeArg.data.challenge,
challenge_id: challengeArg.id,
origin: this.getOriginHost(),
device: deviceLabelArg,
});
return `idp.global://pair?${searchParams.toString()}`;
}
private createP256JwkFromX963(publicKeyX963Base64Arg: string) {
const rawPublicKey = Buffer.from(publicKeyX963Base64Arg, 'base64');
if (rawPublicKey.length !== 65 || rawPublicKey[0] !== 4) {
throw new plugins.typedrequest.TypedResponseError('Invalid passport public key');
}
return {
kty: 'EC',
crv: 'P-256',
x: rawPublicKey.subarray(1, 33).toString('base64url'),
y: rawPublicKey.subarray(33, 65).toString('base64url'),
ext: true,
} as JsonWebKey;
}
private verifyPassportSignature(
publicKeyX963Base64Arg: string,
signatureBase64Arg: string,
signatureFormatArg: plugins.idpInterfaces.data.TPassportSignatureFormat,
payloadArg: string
) {
const publicKey = plugins.crypto.createPublicKey({
key: this.createP256JwkFromX963(publicKeyX963Base64Arg),
format: 'jwk',
});
const signature = Buffer.from(signatureBase64Arg, 'base64');
const payload = Buffer.from(payloadArg, 'utf8');
return signatureFormatArg === 'raw'
? plugins.crypto.verify('sha256', payload, { key: publicKey, dsaEncoding: 'ieee-p1363' }, signature)
: plugins.crypto.verify('sha256', payload, publicKey, signature);
}
public async createEnrollmentChallengeForUser(
userIdArg: string,
optionsArg: {
deviceLabel: string;
platform: plugins.idpInterfaces.data.TPassportDevicePlatform;
appVersion?: string;
capabilities?: Partial<plugins.idpInterfaces.data.IPassportCapabilities>;
}
) {
const pairingToken = this.createOpaqueToken('passport_pair_');
const passportChallenge = new PassportChallenge();
passportChallenge.id = plugins.smartunique.shortId();
passportChallenge.data = {
userId: userIdArg,
deviceId: null,
type: 'device_enrollment',
status: 'pending',
tokenHash: PassportChallenge.hashToken(pairingToken),
challenge: this.createOpaqueToken('challenge_'),
metadata: {
originHost: this.getOriginHost(),
deviceLabel: optionsArg.deviceLabel,
requireLocation: false,
requireNfc: false,
requestedCapabilities: this.normalizeCapabilities(optionsArg.capabilities),
},
evidence: undefined,
notification: undefined,
createdAt: Date.now(),
expiresAt: Date.now() + this.enrollmentChallengeMillis,
completedAt: null,
};
await passportChallenge.save();
return {
challenge: passportChallenge,
pairingToken,
pairingPayload: this.createPairingPayload(
pairingToken,
passportChallenge,
optionsArg.deviceLabel
),
signingPayload: this.buildEnrollmentSigningPayload(pairingToken, passportChallenge),
};
}
public async completeEnrollment(optionsArg: {
pairingToken: string;
deviceLabel: string;
platform: plugins.idpInterfaces.data.TPassportDevicePlatform;
publicKeyX963Base64: string;
signatureBase64: string;
signatureFormat?: plugins.idpInterfaces.data.TPassportSignatureFormat;
appVersion?: string;
capabilities?: Partial<plugins.idpInterfaces.data.IPassportCapabilities>;
}) {
const passportChallenge = await this.CPassportChallenge.getInstance({
'data.tokenHash': PassportChallenge.hashToken(optionsArg.pairingToken),
'data.type': 'device_enrollment',
'data.status': 'pending',
});
if (!passportChallenge) {
throw new plugins.typedrequest.TypedResponseError('Pairing token not found');
}
if (passportChallenge.isExpired()) {
await passportChallenge.markExpired();
throw new plugins.typedrequest.TypedResponseError('Pairing token expired');
}
const existingPassportDevice = await this.CPassportDevice.getInstance({
'data.publicKeyX963Base64': optionsArg.publicKeyX963Base64,
'data.status': 'active',
});
if (existingPassportDevice) {
throw new plugins.typedrequest.TypedResponseError('Passport device already enrolled');
}
const verified = this.verifyPassportSignature(
optionsArg.publicKeyX963Base64,
optionsArg.signatureBase64,
optionsArg.signatureFormat || 'raw',
this.buildEnrollmentSigningPayload(optionsArg.pairingToken, passportChallenge)
);
if (!verified) {
throw new plugins.typedrequest.TypedResponseError('Passport signature invalid');
}
const passportDevice = new PassportDevice();
passportDevice.id = plugins.smartunique.shortId();
passportDevice.data = {
userId: passportChallenge.data.userId,
label: optionsArg.deviceLabel,
platform: optionsArg.platform,
status: 'active',
publicKeyAlgorithm: 'p256',
publicKeyX963Base64: optionsArg.publicKeyX963Base64,
capabilities: this.normalizeCapabilities(
optionsArg.capabilities || passportChallenge.data.metadata.requestedCapabilities
),
pushRegistration: undefined,
appVersion: optionsArg.appVersion,
createdAt: Date.now(),
lastSeenAt: Date.now(),
lastChallengeAt: undefined,
};
await passportDevice.save();
passportChallenge.data.deviceId = passportDevice.id;
passportChallenge.data.tokenHash = null;
await passportChallenge.markApproved({
signatureFormat: optionsArg.signatureFormat || 'raw',
});
await this.receptionRef.activityLogManager.logActivity(
passportChallenge.data.userId,
'passport_device_enrolled',
`Enrolled passport device ${passportDevice.data.label}`,
{
targetId: passportDevice.id,
targetType: 'passport-device',
}
);
return passportDevice;
}
public async getPassportDevicesForUser(userIdArg: string) {
const devices = await this.CPassportDevice.getInstances({
'data.userId': userIdArg,
'data.status': 'active',
});
return devices.sort(
(leftArg, rightArg) =>
(rightArg.data.lastSeenAt || rightArg.data.createdAt) -
(leftArg.data.lastSeenAt || leftArg.data.createdAt)
);
}
public async revokePassportDeviceForUser(userIdArg: string, deviceIdArg: string) {
const passportDevice = await this.CPassportDevice.getInstance({
id: deviceIdArg,
'data.userId': userIdArg,
'data.status': 'active',
});
if (!passportDevice) {
throw new plugins.typedrequest.TypedResponseError('Passport device not found');
}
passportDevice.data.status = 'revoked';
await passportDevice.save();
await this.receptionRef.activityLogManager.logActivity(
userIdArg,
'passport_device_revoked',
`Revoked passport device ${passportDevice.data.label}`,
{
targetId: passportDevice.id,
targetType: 'passport-device',
}
);
}
public async createPassportChallengeForUser(
userIdArg: string,
optionsArg: {
type?: Exclude<plugins.idpInterfaces.data.TPassportChallengeType, 'device_enrollment'>;
preferredDeviceId?: string;
audience?: string;
notificationTitle?: string;
requireLocation?: boolean;
requireNfc?: boolean;
}
) {
const passportDevices = await this.getPassportDevicesForUser(userIdArg);
if (passportDevices.length === 0) {
throw new plugins.typedrequest.TypedResponseError('No passport device enrolled');
}
const targetDevice = optionsArg.preferredDeviceId
? passportDevices.find((deviceArg) => deviceArg.id === optionsArg.preferredDeviceId)
: passportDevices[0];
if (!targetDevice) {
throw new plugins.typedrequest.TypedResponseError('Target passport device not found');
}
const passportChallenge = new PassportChallenge();
passportChallenge.id = plugins.smartunique.shortId();
passportChallenge.data = {
userId: userIdArg,
deviceId: targetDevice.id,
type: optionsArg.type || 'step_up',
status: 'pending',
tokenHash: null,
challenge: this.createOpaqueToken('passport_challenge_'),
metadata: {
originHost: this.getOriginHost(),
audience: optionsArg.audience,
notificationTitle: optionsArg.notificationTitle,
deviceLabel: targetDevice.data.label,
requireLocation: !!optionsArg.requireLocation,
requireNfc: !!optionsArg.requireNfc,
},
evidence: undefined,
notification: {
hintId: plugins.crypto.randomUUID(),
status: 'pending',
attemptCount: 0,
createdAt: Date.now(),
deliveredAt: null,
seenAt: null,
lastError: null,
},
createdAt: Date.now(),
expiresAt: Date.now() + this.assertionChallengeMillis,
completedAt: null,
};
await passportChallenge.save();
targetDevice.data.lastChallengeAt = Date.now();
await targetDevice.save();
await this.receptionRef.passportPushManager.deliverChallengeHint(targetDevice, passportChallenge);
return {
challenge: passportChallenge,
signingPayload: this.buildChallengeSigningPayload(passportChallenge),
};
}
public async approvePassportChallenge(optionsArg: {
challengeId: string;
deviceId: string;
signatureBase64: string;
signatureFormat?: plugins.idpInterfaces.data.TPassportSignatureFormat;
location?: plugins.idpInterfaces.data.IPassportLocationEvidence;
nfc?: plugins.idpInterfaces.data.IPassportNfcEvidence;
}) {
const passportChallenge = await this.CPassportChallenge.getInstance({
id: optionsArg.challengeId,
'data.status': 'pending',
});
if (!passportChallenge) {
throw new plugins.typedrequest.TypedResponseError('Passport challenge not found');
}
if (passportChallenge.isExpired()) {
await passportChallenge.markExpired();
throw new plugins.typedrequest.TypedResponseError('Passport challenge expired');
}
if (passportChallenge.data.deviceId && passportChallenge.data.deviceId !== optionsArg.deviceId) {
throw new plugins.typedrequest.TypedResponseError('Passport challenge not assigned to this device');
}
const passportDevice = await this.CPassportDevice.getInstance({
id: optionsArg.deviceId,
'data.status': 'active',
});
if (!passportDevice) {
throw new plugins.typedrequest.TypedResponseError('Passport device not found');
}
if (passportDevice.data.userId !== passportChallenge.data.userId) {
throw new plugins.typedrequest.TypedResponseError('Passport device user mismatch');
}
if (passportChallenge.data.metadata.requireLocation && !optionsArg.location) {
throw new plugins.typedrequest.TypedResponseError('Location evidence required');
}
if (passportChallenge.data.metadata.requireNfc && !optionsArg.nfc) {
throw new plugins.typedrequest.TypedResponseError('NFC evidence required');
}
const verified = this.verifyPassportSignature(
passportDevice.data.publicKeyX963Base64,
optionsArg.signatureBase64,
optionsArg.signatureFormat || 'raw',
this.buildChallengeSigningPayload(passportChallenge)
);
if (!verified) {
throw new plugins.typedrequest.TypedResponseError('Passport signature invalid');
}
await passportChallenge.markApproved({
signatureFormat: optionsArg.signatureFormat || 'raw',
location: optionsArg.location,
nfc: optionsArg.nfc,
});
passportDevice.data.lastSeenAt = Date.now();
await passportDevice.save();
await this.receptionRef.activityLogManager.logActivity(
passportChallenge.data.userId,
'passport_challenge_approved',
`Approved passport challenge ${passportChallenge.data.type}`,
{
targetId: passportChallenge.id,
targetType: 'passport-challenge',
}
);
return passportChallenge;
}
public async listPendingChallengesForDevice(deviceIdArg: string) {
const passportChallenges = await this.CPassportChallenge.getInstances({
'data.deviceId': deviceIdArg,
'data.status': 'pending',
});
return passportChallenges.sort((leftArg, rightArg) => rightArg.data.createdAt - leftArg.data.createdAt);
}
public async getPassportChallengeByHint(deviceIdArg: string, hintIdArg: string) {
return this.CPassportChallenge.getInstance({
'data.deviceId': deviceIdArg,
'data.status': 'pending',
'data.notification.hintId': hintIdArg,
});
}
public async markPassportChallengeSeen(deviceIdArg: string, hintIdArg: string) {
const passportChallenge = await this.getPassportChallengeByHint(deviceIdArg, hintIdArg);
if (!passportChallenge) {
throw new plugins.typedrequest.TypedResponseError('Passport challenge not found');
}
passportChallenge.data.notification = {
...passportChallenge.data.notification!,
status: 'seen',
seenAt: Date.now(),
};
await passportChallenge.save();
return passportChallenge;
}
public async cleanupExpiredChallenges() {
const passportChallenges = await this.CPassportChallenge.getInstances({});
for (const passportChallenge of passportChallenges) {
if (passportChallenge.data.status === 'pending' && passportChallenge.isExpired()) {
await passportChallenge.markExpired();
}
}
const passportNonces = await this.CPassportNonce.getInstances({});
for (const passportNonce of passportNonces) {
if (passportNonce.isExpired()) {
await passportNonce.delete();
}
}
}
public async reDeliverPendingChallengeHints() {
const passportChallenges = await this.CPassportChallenge.getInstances({
'data.status': 'pending',
});
for (const passportChallenge of passportChallenges) {
if (!passportChallenge.data.notification || passportChallenge.data.notification.status === 'sent') {
continue;
}
if (!passportChallenge.data.deviceId) {
continue;
}
const passportDevice = await this.CPassportDevice.getInstance({
id: passportChallenge.data.deviceId,
'data.status': 'active',
});
if (!passportDevice) {
continue;
}
try {
await this.receptionRef.passportPushManager.deliverChallengeHint(passportDevice, passportChallenge);
} catch (errorArg) {
logger.log('warn', `passport hint redelivery failed: ${(errorArg as Error).message}`);
}
}
}
}
ts/reception/classes.passportnonce.ts
+29
View File
@@ -0,0 +1,29 @@
import * as plugins from '../plugins.js';
import type { PassportManager } from './classes.passportmanager.js';
@plugins.smartdata.Manager()
export class PassportNonce extends plugins.smartdata.SmartDataDbDoc<
PassportNonce,
plugins.idpInterfaces.data.IPassportNonce,
PassportManager
> {
public static hashNonce(nonceArg: string) {
return plugins.smarthash.sha256FromStringSync(nonceArg);
}
@plugins.smartdata.unI()
public id: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IPassportNonce['data'] = {
deviceId: '',
nonceHash: '',
createdAt: 0,
expiresAt: 0,
};
public isExpired(nowArg = Date.now()) {
return this.data.expiresAt < nowArg;
}
}
ts/reception/classes.passportpushmanager.ts
+231
View File
@@ -0,0 +1,231 @@
import * as plugins from '../plugins.js';
import { Alert } from './classes.alert.js';
import { logger } from './logging.js';
import { PassportChallenge } from './classes.passportchallenge.js';
import { PassportDevice } from './classes.passportdevice.js';
import type { Reception } from './classes.reception.js';
interface IApnsConfig {
keyId: string;
teamId: string;
privateKey: string;
}
export class PassportPushManager {
public receptionRef: Reception;
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
}
private async getApnsConfig(): Promise<IApnsConfig | null> {
try {
return {
keyId: await this.receptionRef.serviceQenv.getEnvVarOnDemand('PASSPORT_APNS_KEY_ID'),
teamId: await this.receptionRef.serviceQenv.getEnvVarOnDemand('PASSPORT_APNS_TEAM_ID'),
privateKey: await this.receptionRef.serviceQenv.getEnvVarOnDemand('PASSPORT_APNS_PRIVATE_KEY'),
};
} catch {
return null;
}
}
private base64UrlEncode(valueArg: string | Buffer) {
return Buffer.from(valueArg).toString('base64url');
}
private createApnsJwt(configArg: IApnsConfig) {
const nowSeconds = Math.floor(Date.now() / 1000);
const header = this.base64UrlEncode(
JSON.stringify({ alg: 'ES256', kid: configArg.keyId, typ: 'JWT' })
);
const payload = this.base64UrlEncode(JSON.stringify({ iss: configArg.teamId, iat: nowSeconds }));
const unsignedToken = `${header}.${payload}`;
const signature = plugins.crypto.sign('sha256', Buffer.from(unsignedToken, 'utf8'), {
key: configArg.privateKey.replace(/\\n/g, '\n'),
dsaEncoding: 'ieee-p1363',
});
return `${unsignedToken}.${this.base64UrlEncode(signature)}`;
}
private async deliverApnsPayload(
passportDeviceArg: PassportDevice,
payloadArg: Record<string, any>
) {
if (!passportDeviceArg.data.pushRegistration) {
return {
ok: false,
status: 0,
text: async () => 'Passport device has no push registration',
};
}
const apnsConfig = await this.getApnsConfig();
if (!apnsConfig) {
return {
ok: false,
status: 0,
text: async () => 'APNs push transport is not configured',
};
}
const pushRegistration = passportDeviceArg.data.pushRegistration;
const apnsHost =
pushRegistration.environment === 'production'
? 'https://api.push.apple.com'
: 'https://api.sandbox.push.apple.com';
const authorizationToken = this.createApnsJwt(apnsConfig);
return fetch(`${apnsHost}/3/device/${pushRegistration.token}`, {
method: 'POST',
headers: {
authorization: `bearer ${authorizationToken}`,
'apns-topic': pushRegistration.topic,
'apns-push-type': 'alert',
'content-type': 'application/json',
},
body: JSON.stringify(payloadArg),
}).catch((errorArg: Error) => {
return {
ok: false,
status: 0,
text: async () => errorArg.message,
};
});
}
public async deliverChallengeHint(passportDeviceArg: PassportDevice, passportChallengeArg: PassportChallenge) {
if (!passportDeviceArg.data.pushRegistration) {
passportChallengeArg.data.notification = {
...passportChallengeArg.data.notification,
status: 'failed',
attemptCount: (passportChallengeArg.data.notification?.attemptCount || 0) + 1,
lastError: 'Passport device has no push registration',
};
await passportChallengeArg.save();
return false;
}
if (!(await this.getApnsConfig())) {
passportChallengeArg.data.notification = {
...passportChallengeArg.data.notification,
status: 'failed',
attemptCount: (passportChallengeArg.data.notification?.attemptCount || 0) + 1,
lastError: 'APNs push transport is not configured',
};
await passportChallengeArg.save();
logger.log('warn', 'passport push delivery skipped because APNs is not configured');
return false;
}
const response = await this.deliverApnsPayload(passportDeviceArg, {
aps: {
alert: {
title: passportChallengeArg.data.metadata.notificationTitle || 'idp.global challenge',
body: `Open idp.global to review your ${passportChallengeArg.data.type} request.`,
},
sound: 'default',
},
kind: 'passport_challenge',
hintId: passportChallengeArg.data.notification?.hintId,
challengeId: passportChallengeArg.id,
severity:
passportChallengeArg.data.type === 'physical_access' ? 'high' : passportChallengeArg.data.type,
});
const responseText = await response.text();
if (response.ok) {
passportDeviceArg.data.pushRegistration.lastDeliveredAt = Date.now();
passportDeviceArg.data.pushRegistration.lastError = undefined;
passportChallengeArg.data.notification = {
...passportChallengeArg.data.notification,
status: 'sent',
attemptCount: (passportChallengeArg.data.notification?.attemptCount || 0) + 1,
deliveredAt: Date.now(),
lastError: null,
};
await passportDeviceArg.save();
await passportChallengeArg.save();
return true;
}
passportDeviceArg.data.pushRegistration.lastError = responseText || `APNs error ${response.status}`;
passportChallengeArg.data.notification = {
...passportChallengeArg.data.notification,
status: 'failed',
attemptCount: (passportChallengeArg.data.notification?.attemptCount || 0) + 1,
lastError: responseText || `APNs error ${response.status}`,
};
await passportDeviceArg.save();
await passportChallengeArg.save();
logger.log('warn', `passport push delivery failed: ${responseText || response.status}`);
return false;
}
public async deliverAlertHint(passportDeviceArg: PassportDevice, alertArg: Alert) {
if (!passportDeviceArg.data.pushRegistration) {
alertArg.data.notification = {
...alertArg.data.notification,
status: 'failed',
attemptCount: alertArg.data.notification.attemptCount + 1,
lastError: 'Passport device has no push registration',
};
await alertArg.save();
return false;
}
if (!(await this.getApnsConfig())) {
alertArg.data.notification = {
...alertArg.data.notification,
status: 'failed',
attemptCount: alertArg.data.notification.attemptCount + 1,
lastError: 'APNs push transport is not configured',
};
await alertArg.save();
return false;
}
const response = await this.deliverApnsPayload(passportDeviceArg, {
aps: {
alert: {
title: alertArg.data.title,
body: alertArg.data.body,
},
sound: 'default',
},
kind: 'passport_alert',
hintId: alertArg.data.notification.hintId,
alertId: alertArg.id,
severity: alertArg.data.severity,
eventType: alertArg.data.eventType,
});
const responseText = await response.text();
if (response.ok) {
passportDeviceArg.data.pushRegistration.lastDeliveredAt = Date.now();
passportDeviceArg.data.pushRegistration.lastError = undefined;
alertArg.data.notification = {
...alertArg.data.notification,
status: 'sent',
attemptCount: alertArg.data.notification.attemptCount + 1,
deliveredAt: Date.now(),
lastError: null,
};
await passportDeviceArg.save();
await alertArg.save();
return true;
}
passportDeviceArg.data.pushRegistration.lastError = responseText || `APNs error ${response.status}`;
alertArg.data.notification = {
...alertArg.data.notification,
status: 'failed',
attemptCount: alertArg.data.notification.attemptCount + 1,
lastError: responseText || `APNs error ${response.status}`,
};
await passportDeviceArg.save();
await alertArg.save();
logger.log('warn', `passport alert push delivery failed: ${responseText || response.status}`);
return false;
}
}
ts/reception/classes.reception.ts
+9 -2
View File
@@ -1,5 +1,4 @@
import * as plugins from '../plugins.js';
import * as paths from '../paths.js';
import { logger } from './logging.js';
import { JwtManager } from './classes.jwtmanager.js';
@@ -18,6 +17,10 @@ import { AppConnectionManager } from './classes.appconnectionmanager.js';
import { ActivityLogManager } from './classes.activitylogmanager.js';
import { UserInvitationManager } from './classes.userinvitationmanager.js';
import { OidcManager } from './classes.oidcmanager.js';
import { AbuseProtectionManager } from './classes.abuseprotectionmanager.js';
import { AlertManager } from './classes.alertmanager.js';
import { PassportManager } from './classes.passportmanager.js';
import { PassportPushManager } from './classes.passportpushmanager.js';
export interface IReceptionOptions {
/**
@@ -30,7 +33,6 @@ export interface IReceptionOptions {
}
export class Reception {
public projectinfoNpm = new plugins.projectinfo.ProjectinfoNpm(paths.packageDir);
public typedrouter = new plugins.typedrequest.TypedRouter();
public serviceQenv = new plugins.qenv.Qenv('./', './.nogit');
public szPlatformClient = new plugins.szPlatformClient.SzPlatformClient();
@@ -49,7 +51,11 @@ export class Reception {
public appManager = new AppManager(this);
public appConnectionManager = new AppConnectionManager(this);
public activityLogManager = new ActivityLogManager(this);
public alertManager = new AlertManager(this);
public userInvitationManager = new UserInvitationManager(this);
public abuseProtectionManager = new AbuseProtectionManager(this);
public passportPushManager = new PassportPushManager(this);
public passportManager = new PassportManager(this);
public oidcManager = new OidcManager(this);
housekeeping = new ReceptionHousekeeping(this);
@@ -80,6 +86,7 @@ export class Reception {
*/
public async stop() {
await this.housekeeping.stop();
await this.oidcManager.stop();
console.log('stopped serviceserver!');
await this.db.stop();
}
ts/reception/classes.receptiondb.ts
-1
View File
@@ -10,7 +10,6 @@ export class ReceptionDb {
}
public async start() {
console.log(this.receptionRef.options.mongoDescriptor);
this.smartdataDb = new plugins.smartdata.SmartdataDb(this.receptionRef.options.mongoDescriptor);
await this.smartdataDb.init();
}
ts/reception/classes.registrationsession.ts
+119 -123
View File
@@ -5,191 +5,187 @@ import { logger } from './logging.js';
import { User } from './classes.user.js';
/**
* a RegistrationSession is a in memory session for signing up
* a RegistrationSession persists a sign up flow across restarts
*/
export class RegistrationSession {
// ======
// STATIC
// ======
@plugins.smartdata.Manager()
export class RegistrationSession extends plugins.smartdata.SmartDataDbDoc<
RegistrationSession,
plugins.idpInterfaces.data.IRegistrationSession,
RegistrationSessionManager
> {
public static hashToken(tokenArg: string) {
return plugins.smarthash.sha256FromStringSync(tokenArg);
}
public static async createRegistrationSessionForEmail(
registrationSessionManageremailArg: RegistrationSessionManager,
emailArg: string
) {
const newRegistrationSession = new RegistrationSession(
registrationSessionManageremailArg,
emailArg
);
const emailValidationResult = await newRegistrationSession
.validateEMailAddress()
.catch((error) => {
throw new plugins.typedrequest.TypedResponseError(
'Error occured during email provider & dns validation'
);
});
const newRegistrationSession = new RegistrationSession();
newRegistrationSession.id = plugins.smartunique.shortId();
newRegistrationSession.data.emailAddress = emailArg;
newRegistrationSession.data.validUntil =
Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 });
newRegistrationSession.data.createdAt = Date.now();
const emailValidationResult = await newRegistrationSession.validateEMailAddress().catch(() => {
throw new plugins.typedrequest.TypedResponseError(
'Error occured during email provider & dns validation'
);
});
if (!emailValidationResult?.valid) {
newRegistrationSession.destroy();
throw new plugins.typedrequest.TypedResponseError(
'Email Address is not valid. Please use a correctly formated email address'
);
}
if (emailValidationResult.disposable) {
newRegistrationSession.destroy();
throw new plugins.typedrequest.TypedResponseError(
'Email is disposable. Please use a non disposable email address.'
);
}
console.log(
`${newRegistrationSession.emailAddress} is valid. Continuing registration process!`
);
await newRegistrationSession.sendTokenValidationEmail();
console.log(`Successfully sent email validation email`);
const validationToken = await newRegistrationSession.sendTokenValidationEmail();
newRegistrationSession.unhashedEmailToken = validationToken;
return newRegistrationSession;
}
// ========
// INSTANCE
// ========
public registrationSessionManagerRef: RegistrationSessionManager;
@plugins.smartdata.unI()
public id: string;
public emailAddress: string;
@plugins.smartdata.svDb()
public data: plugins.idpInterfaces.data.IRegistrationSession['data'] = {
emailAddress: '',
hashedEmailToken: '',
smsCodeHash: null,
smsvalidationCounter: 0,
status: 'announced',
validUntil: 0,
createdAt: 0,
collectedData: {
userData: {
username: null,
connectedOrgs: [],
email: null,
name: null,
status: null,
mobileNumber: null,
password: null,
passwordHash: null,
},
},
};
/**
* only used during testing
*/
public unhashedEmailToken?: string;
public hashedEmailToken: string;
private smsvalidationCounter = 0;
public smsCode: string;
/**
* the status of the registration. should progress in a linear fashion.
*/
public status: 'announced' | 'emailValidated' | 'mobileVerified' | 'registered' | 'failed' =
'announced';
public get emailAddress() {
return this.data.emailAddress;
}
public collectedData: {
userData: plugins.idpInterfaces.data.IUser['data'];
} = {
userData: {
username: null,
connectedOrgs: [],
email: null,
name: null,
status: null,
mobileNumber: null,
password: null,
passwordHash: null,
},
};
public get status() {
return this.data.status;
}
constructor(
registrationSessionManagerRefArg: RegistrationSessionManager,
emailAddressArg: string
) {
this.registrationSessionManagerRef = registrationSessionManagerRefArg;
this.emailAddress = emailAddressArg;
this.registrationSessionManagerRef.registrationSessions.addToMap(this.emailAddress, this);
public set status(statusArg: plugins.idpInterfaces.data.TRegistrationSessionStatus) {
this.data.status = statusArg;
}
// lets destroy this after 10 minutes,
// works in unrefed mode so not blocking node exiting.
plugins.smartdelay.delayFor(600000, null, true).then(() => this.destroy());
public get collectedData() {
return this.data.collectedData;
}
public isExpired() {
return this.data.validUntil < Date.now();
}
/**
* validates a token by comparing its hash against the stored hashed token
* @param tokenArg
*/
public validateEmailToken(tokenArg: string): boolean {
const result = this.hashedEmailToken === plugins.smarthash.sha256FromStringSync(tokenArg);
if (result && this.status === 'announced') {
this.status = 'emailValidated';
this.collectedData.userData.email = this.emailAddress;
public async validateEmailToken(tokenArg: string): Promise<boolean> {
if (this.isExpired()) {
await this.destroy();
return false;
}
if (!result && this.status === 'announced') {
this.status = 'failed';
const result = this.data.hashedEmailToken === RegistrationSession.hashToken(tokenArg);
if (result && this.data.status === 'announced') {
this.data.status = 'emailValidated';
this.data.collectedData.userData.email = this.data.emailAddress;
await this.save();
}
if (!result && this.data.status === 'announced') {
this.data.status = 'failed';
await this.save();
}
return result;
}
/** validates the sms code */
public validateSmsCode(smsCodeArg: string) {
this.smsvalidationCounter++;
const result = this.smsCode === smsCodeArg;
if (this.status === 'emailValidated' && result) {
this.status = 'mobileVerified';
public async validateSmsCode(smsCodeArg: string) {
this.data.smsvalidationCounter++;
const result = this.data.smsCodeHash === RegistrationSession.hashToken(smsCodeArg);
if (this.data.status === 'emailValidated' && result) {
this.data.status = 'mobileVerified';
await this.save();
return result;
} else {
if (this.smsvalidationCounter === 5) {
this.destroy();
throw new plugins.typedrequest.TypedResponseError(
'Registration cancelled due to repeated wrong verification code submission'
);
}
return false;
}
if (this.data.smsvalidationCounter >= 5) {
await this.destroy();
throw new plugins.typedrequest.TypedResponseError(
'Registration cancelled due to repeated wrong verification code submission'
);
}
await this.save();
return false;
}
/**
* validate the email address with provider and dns sanity checks
* @returns
*/
public async validateEMailAddress(): Promise<plugins.smartmail.IEmailValidationResult> {
console.log(`validating email ${this.emailAddress}`);
const result = await new plugins.smartmail.EmailAddressValidator().validate(this.emailAddress);
const result = await new plugins.smartmail.EmailAddressValidator().validate(this.data.emailAddress);
return result;
}
/**
* send the validation email
*/
public async sendTokenValidationEmail() {
const uuidToSend = plugins.smartunique.uuid4();
this.unhashedEmailToken = uuidToSend;
this.hashedEmailToken = plugins.smarthash.sha256FromStringSync(uuidToSend);
this.registrationSessionManagerRef.receptionRef.receptionMailer.sendRegistrationEmail(
this,
uuidToSend
);
logger.log('info', `sent a validation email with a verification code to ${this.emailAddress}`);
this.data.hashedEmailToken = RegistrationSession.hashToken(uuidToSend);
await this.save();
this.manager.receptionRef.receptionMailer.sendRegistrationEmail(this, uuidToSend);
logger.log('info', `sent a validation email with a verification code to ${this.data.emailAddress}`);
return uuidToSend;
}
/**
* validate the mobile number of someone
*/
public async sendValidationSms() {
this.smsCode =
await this.registrationSessionManagerRef.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation(
{
fromName: this.registrationSessionManagerRef.receptionRef.options.name,
toNumber: parseInt(this.collectedData.userData.mobileNumber),
}
);
const smsCode =
await this.manager.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation({
fromName: this.manager.receptionRef.options.name,
toNumber: parseInt(this.data.collectedData.userData.mobileNumber),
});
this.data.smsCodeHash = RegistrationSession.hashToken(smsCode);
await this.save();
return smsCode;
}
/**
* this method can be called when this registrationsession is validated
* and all data has been set
*/
public async manifestUserWithAccountData(): Promise<User> {
if (this.status !== 'mobileVerified') {
if (this.data.status !== 'mobileVerified') {
throw new plugins.typedrequest.TypedResponseError(
'You can only manifest user that have a validated email Address and Mobile Number'
);
}
if (!this.collectedData) {
if (!this.data.collectedData) {
throw new Error('You have to set the accountdata first');
}
const manifestedUser =
await this.registrationSessionManagerRef.receptionRef.userManager.CUser.createNewUserForUserData(
this.collectedData.userData
);
const manifestedUser = await this.manager.receptionRef.userManager.CUser.createNewUserForUserData(
this.data.collectedData.userData as plugins.idpInterfaces.data.IUser['data']
);
this.data.status = 'registered';
await this.save();
return manifestedUser;
}
/**
* destroys the registrationsession
*/
public destroy() {
this.registrationSessionManagerRef.registrationSessions.removeFromMap(this.emailAddress);
public async destroy() {
await this.delete();
}
}
ts/reception/classes.registrationsessionmanager.ts
+33 -27
View File
@@ -5,10 +5,14 @@ import { logger } from './logging.js';
export class RegistrationSessionManager {
public receptionRef: Reception;
public registrationSessions = new plugins.lik.FastMap<RegistrationSession>();
public typedRouter = new plugins.typedrequest.TypedRouter();
public get db() {
return this.receptionRef.db.smartdataDb;
}
public CRegistrationSession = plugins.smartdata.setDefaultManagerForDoc(this, RegistrationSession);
constructor(receptionRefArg: Reception) {
this.receptionRef = receptionRefArg;
this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
@@ -29,17 +33,16 @@ export class RegistrationSessionManager {
`We sent you an Email with more information.`
);
}
// check for exiting SignupSession
const existingSession = this.registrationSessions.getByKey(requestData.email);
if (existingSession) {
const existingSessions = await this.CRegistrationSession.getInstances({
'data.emailAddress': requestData.email,
});
for (const existingSession of existingSessions) {
logger.log('warn', `destroyed old signupSession for ${requestData.email}`);
existingSession.destroy();
await existingSession.destroy();
}
// lets check the email before we create a signup session
const newSignupSession = await RegistrationSession.createRegistrationSessionForEmail(
this,
requestData.email
).catch((e: plugins.typedrequest.TypedResponseError) => {
console.log(e.errorText);
@@ -63,10 +66,7 @@ export class RegistrationSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_AfterRegistrationEmailClicked>(
'afterRegistrationEmailClicked',
async (requestData) => {
console.log(requestData);
const signupSession = await this.registrationSessions.find(async (itemArg) =>
itemArg.validateEmailToken(requestData.token)
);
const signupSession = await this.findRegistrationSessionByToken(requestData.token);
if (signupSession) {
return {
email: signupSession.emailAddress,
@@ -86,9 +86,7 @@ export class RegistrationSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetDataForRegistration>(
'setDataForRegistration',
async (requestData) => {
const registrationSession = await this.registrationSessions.find(async (itemArg) =>
itemArg.validateEmailToken(requestData.token)
);
const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
if (!registrationSession) {
throw new plugins.typedrequest.TypedResponseError(
'could not find a matching signupsession'
@@ -114,9 +112,7 @@ export class RegistrationSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_MobileVerificationForRegistration>(
'mobileVerificationForRegistration',
async (requestData) => {
const registrationSession = await this.registrationSessions.find(async (itemArg) =>
itemArg.validateEmailToken(requestData.token)
);
const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
if (!registrationSession) {
throw new plugins.typedrequest.TypedResponseError(
'could not find a matching signupsession'
@@ -131,17 +127,16 @@ export class RegistrationSessionManager {
}
if (requestData.mobileNumber) {
registrationSession.status = 'emailValidated';
registrationSession.collectedData.userData.mobileNumber = requestData.mobileNumber;
await registrationSession.sendValidationSms();
const smsCode = await registrationSession.sendValidationSms();
return {
messageSent: true,
testOnlySmsCode: process.env.TEST_MODE ? registrationSession.smsCode : null,
testOnlySmsCode: process.env.TEST_MODE ? smsCode : null,
};
}
if (requestData.verificationCode) {
const validationResult = registrationSession.validateSmsCode(
const validationResult = await registrationSession.validateSmsCode(
requestData.verificationCode
);
return {
@@ -160,9 +155,7 @@ export class RegistrationSessionManager {
new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_FinishRegistration>(
'finishRegistration',
async (requestData) => {
const registrationSession = await this.registrationSessions.find(async (itemArg) =>
itemArg.validateEmailToken(requestData.token)
);
const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
if (!registrationSession) {
throw new plugins.typedrequest.TypedResponseError(
'could not find a matching signupsession'
@@ -170,7 +163,7 @@ export class RegistrationSessionManager {
}
const resultingUser = await registrationSession.manifestUserWithAccountData();
registrationSession.destroy();
await registrationSession.destroy();
this.receptionRef.receptionMailer.sendWelcomeEMail(resultingUser);
return {
accountData: {
@@ -187,4 +180,17 @@ export class RegistrationSessionManager {
)
);
}
public async findRegistrationSessionByToken(tokenArg: string) {
const registrationSession = await this.CRegistrationSession.getInstance({
'data.hashedEmailToken': RegistrationSession.hashToken(tokenArg),
});
if (!registrationSession) {
return null;
}
const isValid = await registrationSession.validateEmailToken(tokenArg);
return isValid ? registrationSession : null;
}
}
ts/reception/classes.user.ts
+21 -3
View File
@@ -17,7 +17,7 @@ export class User extends plugins.smartdata.SmartDataDbDoc<
const newUser = new User();
newUser.id = plugins.smartunique.shortId();
newUser.data = {
connectedOrgs: null,
connectedOrgs: [],
status: 'new',
name: userDataArg.name,
username: userDataArg.username,
@@ -31,8 +31,26 @@ export class User extends plugins.smartdata.SmartDataDbDoc<
return newUser;
}
public static hashPassword(passwordArg: string) {
return plugins.smarthash.sha256FromString(passwordArg);
public static async hashPassword(passwordArg: string) {
return plugins.argon2.hash(passwordArg);
}
public static isLegacyPasswordHash(passwordHashArg?: string) {
return !!passwordHashArg && !passwordHashArg.startsWith('$argon2');
}
public static shouldUpgradePasswordHash(passwordHashArg?: string) {
return this.isLegacyPasswordHash(passwordHashArg);
}
public static async verifyPassword(passwordArg: string, passwordHashArg?: string) {
if (!passwordHashArg) {
return false;
}
if (this.isLegacyPasswordHash(passwordHashArg)) {
return passwordHashArg === (await plugins.smarthash.sha256FromString(passwordArg));
}
return plugins.argon2.verify(passwordHashArg, passwordArg);
}
// INSTANCE
ts/reception/classes.usermanager.ts
+11 -3
View File
@@ -23,6 +23,9 @@ export class UserManager {
new plugins.typedrequest.TypedHandler('getRolesAndOrganizationsForUserId', async reqArg => {
console.log('user manager: getting roles and orgs');
const user = await this.getUserByJwtValidation(reqArg.jwt);
if (!user) {
throw new plugins.typedrequest.TypedResponseError('User not found');
}
const organizations = await this.receptionRef.organizationmanager.getAllOrganizationsForUser(
user
);
@@ -49,8 +52,7 @@ export class UserManager {
email: user.data.email,
mobileNumber: user.data.mobileNumber,
connectedOrgs: user.data.connectedOrgs,
status: null,
password: null,
status: user.data.status,
isGlobalAdmin: user.data.isGlobalAdmin,
} as plugins.idpInterfaces.data.IUser['data']
}
@@ -64,6 +66,9 @@ export class UserManager {
*/
public async getUserByJwt(jwtString: string) {
const jwtInstance = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtString);
if (!jwtInstance) {
return null;
}
const user = await this.CUser.getInstance({
id: jwtInstance.data.userId
});
@@ -75,7 +80,10 @@ export class UserManager {
* faster than the "getUserByJwt"
*/
public async getUserByJwtValidation(jwtStringArg: string) {
const jwtDataArg: plugins.idpInterfaces.data.IJwt = await this.receptionRef.jwtManager.smartjwtInstance.verifyJWTAndGetData(jwtStringArg);
const jwtDataArg = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtStringArg);
if (!jwtDataArg) {
return null;
}
const resultingUser = await this.CUser.getInstance({
id: jwtDataArg.data.userId
});
ts/reception/logging.ts
-3
View File
@@ -1,6 +1,3 @@
import * as plugins from '../plugins.js';
import * as paths from '../paths.js';
const projectinfoNpm = new plugins.projectinfo.ProjectinfoNpm(paths.packageDir);
export const logger = new plugins.smartlog.ConsoleLog();
ts_idpcli/classes.idpcli.ts
+1
View File
@@ -193,6 +193,7 @@ export class IdpCli {
this.storeCredentials({
...credentials,
jwt: response.jwt,
refreshToken: response.refreshToken || credentials.refreshToken,
});
return response.jwt;
}
ts_idpcli/readme.md
+48 -132
View File
@@ -1,181 +1,97 @@
# @idp.global/cli
Command-line interface for interacting with the idp.global Identity Provider. A Node.js CLI tool that provides authentication, user management, and organization administration from the terminal.
Terminal client for `idp.global`.
## Overview
It wraps the same typed backend used by the web app and SDK, but stores credentials on disk so you can inspect accounts, sessions, orgs, and admin state from the shell.
The IdpCli module provides a complete command-line interface for managing your idp.global account and organizations. It uses file-based credential storage and WebSocket connections for real-time communication with the IdP server.
## Issue Reporting and Security
## Installation
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash
npm install -g @idp.global/cli
# or
pnpm add -g @idp.global/cli
```
## Quick Start
```bash
# Login with email and password
idp login
# Check current user
idp whoami
# List your organizations
idp orgs
# Logout
idp logout
idp sessions
```
## Commands
### Authentication
| Command | Description |
|---------|-------------|
| `idp login` | Interactive login with email and password |
| `idp login-token` | Login with an API token |
| `idp logout` | Clear stored credentials and end session |
### User Information
| Command | Description |
|---------|-------------|
| `idp whoami` | Display current user information |
| `idp sessions` | List all active sessions |
| `idp revoke --session <id>` | Revoke a specific session |
### Organization Management
| Command | Description |
|---------|-------------|
| `idp orgs` | List all organizations you belong to |
| `idp orgs-create` | Create a new organization (interactive) |
| `idp members --org <id>` | List members of an organization |
| `idp invite --org <id> --email <email>` | Invite a user to an organization |
### Admin Commands (Global Admins Only)
| Command | Description |
|---------|-------------|
| `idp admin-check` | Check if you are a global admin |
| `idp admin-apps` | List all global apps with connection stats |
| `idp admin-suspend --user <id>` | Suspend a user account |
| Command | Purpose |
| --- | --- |
| `idp login` | Prompt for email and password |
| `idp login-token` | Prompt for an API token |
| `idp logout` | Remove local credentials and try server-side logout |
| `idp whoami` | Print the current user |
| `idp sessions` | List active sessions |
| `idp revoke --session <session-id>` | Revoke a session |
| `idp orgs` | List organizations for the current user |
| `idp orgs-create` | Interactively create an organization |
| `idp members --org <org-id>` | List members for an organization |
| `idp invite --org <org-id> --email user@example.com` | Invite a member |
| `idp admin-check` | Check global admin status |
| `idp admin-apps` | List global app stats |
| `idp admin-suspend --user <user-id>` | Suspend a user |
## Configuration
### Environment Variables
The CLI reads `IDP_URL` and defaults to `https://idp.global`.
| Variable | Description | Default |
|----------|-------------|---------|
| `IDP_URL` | Override the IdP server URL | `https://idp.global` |
```bash
IDP_URL=http://localhost:2999 idp whoami
```
### Credential Storage
Credentials are stored in:
Credentials are stored in `~/.idp-global/credentials.json`. This file contains your refresh token and JWT for persistent authentication across CLI sessions.
```text
~/.idp-global/credentials.json
```
## Programmatic Usage
You can also use the IdpCli class programmatically:
```typescript
```ts
import { IdpCli } from '@idp.global/cli';
const cli = new IdpCli({
idpBaseUrl: 'https://idp.global',
configDir: '/custom/config/path', // optional
idpBaseUrl: 'http://localhost:2999',
});
// Login
await cli.loginWithPassword('user@example.com', 'password');
await cli.loginWithPassword('user@example.com', 'secret');
// Get current user
const user = await cli.whoami();
console.log('Logged in as:', user.data.name);
const me = await cli.whoami();
const orgs = await cli.getOrganizations();
// Get organizations
const { organizations, roles } = await cli.getOrganizations();
for (const org of organizations) {
console.log(`- ${org.data.name} (${org.id})`);
}
console.log(me?.data?.email);
console.log(orgs?.organizations.length);
// Disconnect when done
await cli.disconnect();
```
### IdpCli Class Methods
## What The Class Exposes
**Authentication:**
- `loginWithPassword(email, password)` - Login with credentials
- `loginWithApiToken(token)` - Login with API token
- `refreshJwt()` - Refresh the current JWT
- `logout()` - Clear credentials and end session
- `loginWithPassword()` and `loginWithApiToken()`
- `refreshJwt()` and `logout()`
- `whoami()`, `getSessions()`, and `revokeSession()`
- `getOrganizations()`, `createOrganization()`, `getOrgMembers()`, and `inviteMember()`
- `checkGlobalAdmin()`, `getGlobalAppStats()`, and `suspendUser()`
**User:**
- `whoami()` - Get current user info
- `getSessions()` - Get active sessions
- `revokeSession(sessionId)` - Revoke a session
## Implementation Notes
**Organizations:**
- `getOrganizations()` - List user's organizations
- `createOrganization(name, slug, mode)` - Create new organization
- `getOrgMembers(orgId)` - Get organization members
- `inviteMember(orgId, email, roles)` - Invite a user
**Admin:**
- `checkGlobalAdmin()` - Check admin status
- `getGlobalAppStats()` - Get app statistics
- `suspendUser(userId)` - Suspend a user
## Examples
### Create an Organization
```bash
$ idp orgs-create
Organization Name: My Company
Organization Slug: my-company
Organization created successfully!
ID: org_abc123
Name: My Company
```
### Invite Team Members
```bash
$ idp invite --org org_abc123 --email colleague@example.com
Invitation sent to colleague@example.com
```
### View Active Sessions
```bash
$ idp sessions
Active Sessions:
- sess_xyz789
Device: MacBook Pro
Browser: Chrome
OS: macOS
Last Active: 1/29/2025, 2:30:00 PM
Current: Yes
```
## Dependencies
- `@api.global/typedrequest` - Type-safe API requests
- `@api.global/typedsocket` - WebSocket communication
- `@push.rocks/smartcli` - CLI framework
- `@push.rocks/smartinteract` - Interactive prompts
- `@idp.global/interfaces` - TypeScript interfaces
- The CLI connects to the backend websocket surface at `/typedrequest`.
- It uses file-based credentials instead of browser storage.
- `orgs-create` first checks availability, then creates the organization.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
ts_idpclient/classes.idpclient.ts
+72 -25
View File
@@ -29,9 +29,9 @@ export class IdpClient {
appDataArg = {
id: '', // TODO
appUrl: `https://${window.location.host}/`,
description: null,
logoUrl: null,
name: null,
description: '',
logoUrl: '',
name: '',
};
}
this.appData = appDataArg;
@@ -67,10 +67,14 @@ export class IdpClient {
await this.storeJwt(jwtStringArg);
}
public async setRefreshToken(refreshTokenArg: string) {
await this.storeRefreshToken(refreshTokenArg);
}
/**
* a typedsocket for going reactive
*/
public typedsocket: plugins.typedsocket.TypedSocket;
public typedsocket!: plugins.typedsocket.TypedSocket;
/**
* a typed router to go reactive
@@ -89,16 +93,30 @@ export class IdpClient {
await this.ssoStore.set('idpJwt', jwtString);
}
public async storeRefreshToken(refreshToken: string) {
await this.ssoStore.set('idpRefreshToken', refreshToken);
}
public async getJwt(): Promise<string> {
return await this.ssoStore.get('idpJwt');
}
public async getRefreshToken(): Promise<string> {
return await this.ssoStore.get('idpRefreshToken');
}
public async getJwtData(): Promise<plugins.idpInterfaces.data.IJwt> {
return this.helpers.extractDataFromJwtString(await this.getJwt());
}
public async deleteJwt() {
await this.ssoStore.delete('idpJwt');
console.log('removed jwt');
}
public async deleteRefreshToken() {
await this.ssoStore.delete('idpRefreshToken');
}
public async clearAuthState() {
await Promise.all([this.deleteJwt(), this.deleteRefreshToken()]);
}
/**
@@ -115,47 +133,63 @@ export class IdpClient {
if (extractedJwt.data.refreshFrom < Date.now() && Date.now() < extractedJwt.data.validUntil) {
jwt = await this.refreshJwt();
} else if (Date.now() > extractedJwt.data.validUntil) {
this.deleteJwt();
await this.deleteJwt();
jwt = await this.refreshJwt();
}
return jwt;
}
public async refreshJwt(refreshTokenArg?: string): Promise<string> {
let extractedJwt: plugins.idpInterfaces.data.IJwt;
public async refreshJwt(refreshTokenArg?: string): Promise<string | null> {
const refreshToken = refreshTokenArg || (await this.getRefreshToken());
if (!refreshTokenArg) {
extractedJwt = await this.helpers.extractDataFromJwtString(await this.getJwt());
if (!refreshToken) {
return null;
}
await this.typedsocketDeferred.promise;
const refreshJwtReq =
this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>(
'refreshJwt'
);
const response = await refreshJwtReq.fire({
refreshToken: refreshTokenArg || extractedJwt.data.refreshToken,
});
if (response.jwt) {
await this.storeJwt(response.jwt);
} else {
await this.deleteJwt();
const response = await refreshJwtReq
.fire({
refreshToken,
})
.catch(async () => {
await this.clearAuthState();
return null;
});
if (!response?.jwt) {
await this.clearAuthState();
this.statusObservable.next(response?.status || 'loggedOut');
return null;
}
if (response.refreshToken) {
await this.storeRefreshToken(response.refreshToken);
}
await this.storeJwt(response.jwt);
this.statusObservable.next(response.status);
return await this.getJwt();
return response.jwt;
}
/**
* can be used to switch between pages
*/
public async getTransferToken(appDataArg?: plugins.idpInterfaces.data.IAppLegacy): Promise<string> {
const jwt = await this.performJwtHousekeeping();
const extractedJwt = await this.helpers.extractDataFromJwtString(jwt);
public async getTransferToken(appDataArg?: plugins.idpInterfaces.data.IAppLegacy): Promise<string | null> {
await this.performJwtHousekeeping();
const refreshToken = await this.getRefreshToken();
if (!refreshToken) {
return null;
}
await this.typedsocketDeferred.promise;
const getTransferToken =
this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>(
'exchangeRefreshTokenAndTransferToken'
);
const response = await getTransferToken.fire({
refreshToken: extractedJwt.data.refreshToken,
refreshToken,
appData: appDataArg || this.appData,
});
return response.transferToken;
@@ -230,6 +264,13 @@ export class IdpClient {
const jwt = await this.performJwtHousekeeping();
return !!jwt;
} else {
const refreshToken = await this.getRefreshToken();
if (refreshToken) {
const jwt = await this.refreshJwt(refreshToken);
if (jwt) {
return true;
}
}
const transferTokenResult = await this.processTransferToken();
if (transferTokenResult) {
// we are in the clear
@@ -258,12 +299,18 @@ export class IdpClient {
*/
public async logout() {
const idpLogoutUrl = this.parsedReceptionUrl.clone().set('path', '/logout');
const refreshToken = await this.getRefreshToken();
if (!globalThis.location.href.startsWith(idpLogoutUrl.origin)) {
// we are somewhere in an app
await this.deleteJwt();
await this.clearAuthState();
globalThis.location.href = idpLogoutUrl.toString();
} else {
// we are in the sso page
if (!refreshToken) {
await this.clearAuthState();
window.location.href = this.parsedReceptionUrl.origin;
return;
}
await this.enableTypedSocket();
console.log(`logging out against ${this.parsedReceptionUrl.toString()}`);
const logoutTr =
@@ -271,9 +318,9 @@ export class IdpClient {
'logout'
);
await logoutTr.fire({
refreshToken: (await this.getJwtData()).data.refreshToken,
refreshToken,
});
await this.deleteJwt();
await this.clearAuthState();
const appData = await this.getAppDataOnSsoDomain();
if (appData) {
console.log(`redirecting to app after logout: ${appData.appUrl}`);
ts_idpclient/classes.idprequests.ts
+12
View File
@@ -76,6 +76,18 @@ export class IdpRequests {
);
}
public get completeOidcAuthorization() {
return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization>(
'completeOidcAuthorization'
);
}
public get prepareOidcAuthorization() {
return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization>(
'prepareOidcAuthorization'
);
}
public get resetPassword() {
return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ResetPassword>(
'resetPassword'
ts_idpclient/readme.md
+77 -310
View File
@@ -1,71 +1,61 @@
# @idp.global/idpclient
# @idp.global/client
A TypeScript client library for integrating with the idp.global Identity Provider. Works in both browser and Node.js environments.
Browser-facing TypeScript client for talking to an `idp.global` server over `typedrequest` and `typedsocket`.
## Overview
It handles login state, refresh tokens, JWT housekeeping, cross-app transfer tokens, and direct access to the typed request surface.
The IdpClient provides a complete API for authentication, session management, and organization operations. It uses WebSocket connections via TypedSocket for real-time, type-safe communication with the IdP server.
## Issue Reporting and Security
## Installation
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash
npm install @idp.global/idpclient
# or
pnpm add @idp.global/idpclient
pnpm add @idp.global/client
```
## Quick Start
```typescript
import { IdpClient } from '@idp.global/idpclient';
```ts
import { IdpClient } from '@idp.global/client';
// Initialize the client
const idpClient = new IdpClient('https://idp.global');
// Enable WebSocket connection
await idpClient.enableTypedSocket();
// Check login status
const isLoggedIn = await idpClient.determineLoginStatus();
const loggedIn = await idpClient.determineLoginStatus();
if (isLoggedIn) {
const userInfo = await idpClient.whoIs();
console.log('Logged in as:', userInfo.user.data.name);
if (!loggedIn) {
const loginResult = await idpClient.requests.loginWithUserNameAndPassword.fire({
username: 'user@example.com',
password: 'secret',
});
if (loginResult.refreshToken) {
await idpClient.refreshJwt(loginResult.refreshToken);
}
}
const whoIs = await idpClient.whoIs();
console.log(whoIs.user.data.email);
```
## Core Features
## What The Client Handles
### Authentication
- Normalizes the base URL to the server's `/typedrequest` endpoint.
- Stores JWT and refresh token state in a browser `WebStore`.
- Refreshes expiring JWTs via `performJwtHousekeeping()`.
- Redirects to `/login` when `determineLoginStatus(true)` is used.
- Exchanges refresh tokens for cross-app transfer tokens.
- Exposes the low-level typed requests through `idpClient.requests`.
#### Password Login
## Common Flows
```typescript
const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
### Password Login
```ts
const result = await idpClient.requests.loginWithUserNameAndPassword.fire({
username: 'user@example.com',
password: 'securepassword',
});
if (response.refreshToken) {
await idpClient.refreshJwt(response.refreshToken);
console.log('Login successful!');
} else if (response.twoFaNeeded) {
console.log('2FA verification required');
}
```
#### Magic Link Login
```typescript
// Request magic link
await idpClient.requests.loginWithEmail.fire({
email: 'user@example.com',
});
// After clicking the email link
const result = await idpClient.requests.loginWithEmailAfterToken.fire({
email: 'user@example.com',
token: 'token-from-email-link',
password: 'secret',
});
if (result.refreshToken) {
@@ -73,303 +63,80 @@ if (result.refreshToken) {
}
```
#### API Token Login
### Magic Link Login
```typescript
const result = await idpClient.requests.loginWithApiToken.fire({
apiToken: 'your-api-token',
```ts
await idpClient.requests.loginWithEmail.fire({
email: 'user@example.com',
});
if (result.jwt) {
await idpClient.setJwt(result.jwt);
}
const result = await idpClient.requests.loginWithEmailAfterToken.fire({
email: 'user@example.com',
token: 'token-from-email',
});
await idpClient.refreshJwt(result.refreshToken);
```
### Session Management
### Session and Identity
```typescript
// Get current JWT
const jwt = await idpClient.getJwt();
// Get parsed JWT data
const jwtData = await idpClient.getJwtData();
console.log('User ID:', jwtData.id);
// Refresh JWT (automatic housekeeping)
```ts
await idpClient.performJwtHousekeeping();
// Manual refresh
await idpClient.refreshJwt();
const jwt = await idpClient.getJwt();
const jwtData = await idpClient.getJwtData();
const whoIs = await idpClient.whoIs();
// Logout
await idpClient.logout();
console.log(jwtData.id, whoIs.user.data.username);
```
### User Information
### Organizations
```typescript
// Get current user details
const whoIsResponse = await idpClient.whoIs();
console.log('Name:', whoIsResponse.user.data.name);
console.log('Email:', whoIsResponse.user.data.email);
```ts
const rolesAndOrganizations = await idpClient.getRolesAndOrganizations();
// Get user data
const userData = await idpClient.requests.getUserData.fire({
jwt: await idpClient.getJwt(),
userId: jwtData.id,
});
// Update user data
await idpClient.requests.setUserData.fire({
jwt: await idpClient.getJwt(),
userId: jwtData.id,
name: 'New Name',
});
```
### Organization Management
```typescript
// Get user's organizations and roles
const orgsAndRoles = await idpClient.getRolesAndOrganizations();
console.log('Organizations:', orgsAndRoles.organizations);
console.log('Roles:', orgsAndRoles.roles);
// Create a new organization
const result = await idpClient.createOrganization(
'My Company', // name
'my-company', // slug
'manifest' // mode: 'checkAvailability' or 'manifest'
const created = await idpClient.createOrganization(
'Acme',
'acme',
'manifest'
);
if (result.resultingOrganization) {
console.log('Created:', result.resultingOrganization.id);
}
// Get organization details
const orgDetails = await idpClient.requests.getOrganizationById.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
});
```
### Member & Invitation Management
```typescript
// Get organization members
const members = await idpClient.requests.getOrgMembers.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
});
// Invite a new member
await idpClient.requests.createInvitation.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
email: 'newmember@example.com',
roles: ['member'],
});
// Bulk invite members
await idpClient.requests.bulkCreateInvitations.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
invitations: [
{ email: 'user1@example.com', roles: ['member'] },
{ email: 'user2@example.com', roles: ['admin'] },
],
});
// Accept an invitation
await idpClient.requests.acceptInvitation.fire({
jwt: await idpClient.getJwt(),
invitationToken: 'token-from-invite-email',
});
// Remove a member
await idpClient.requests.removeMember.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
userId: 'user-id',
});
// Transfer ownership
await idpClient.requests.transferOwnership.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
newOwnerId: 'new-owner-user-id',
organizationId: created.resultingOrganization.id,
});
```
### Password Management
### Cross-App Transfer
```typescript
// Request password reset
await idpClient.requests.resetPassword.fire({
email: 'user@example.com',
});
// Set new password (with token from email)
await idpClient.requests.setNewPassword.fire({
email: 'user@example.com',
tokenArg: 'reset-token',
newPassword: 'newsecurepassword',
});
// Change password (when logged in)
await idpClient.requests.setNewPassword.fire({
email: 'user@example.com',
oldPassword: 'currentpassword',
newPassword: 'newsecurepassword',
});
```
### Session & Device Management
```typescript
// Get active sessions
const sessions = await idpClient.requests.getUserSessions.fire({
jwt: await idpClient.getJwt(),
userId: jwtData.id,
});
// Revoke a session
await idpClient.requests.revokeSession.fire({
jwt: await idpClient.getJwt(),
sessionId: 'session-id',
});
// Get device ID
const deviceInfo = await idpClient.requests.obtainDeviceId.fire({});
// Attach device to session
await idpClient.requests.attachDeviceId.fire({
jwt: await idpClient.getJwt(),
deviceId: deviceInfo.deviceId.id,
});
```
### Cross-Domain Authentication
```typescript
// Get transfer token for SSO between apps
```ts
const transferToken = await idpClient.getTransferToken();
// Switch to another app with authentication
await idpClient.getTransferTokenAndSwitchToLocation('https://app.example.com/');
// Process incoming transfer token (in target app)
const success = await idpClient.processTransferToken();
if (success) {
console.log('Cross-domain login successful');
}
```
### Billing Integration
## Typed Request Surface
```typescript
// Get billing plan for an organization
const billingPlan = await idpClient.requests.getBillingPlan.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
});
`IdpRequests` exposes typed request getters for:
// Get Paddle configuration
const paddleConfig = await idpClient.requests.getPaddleConfig.fire({
jwt: await idpClient.getJwt(),
});
- authentication
- registration
- user/session queries
- org and invitation management
- billing requests
- JWT validation key requests
- admin requests
// Update payment method
await idpClient.updatePaddleCheckoutId('org-id', 'checkout-id');
```
Use these when you want full control instead of the higher-level helper methods on `IdpClient`.
### Admin Operations (Global Admins Only)
## Important Runtime Notes
```typescript
// Check if user is global admin
const isAdmin = await idpClient.requests.checkGlobalAdmin.fire({
jwt: await idpClient.getJwt(),
});
// Get platform statistics
const stats = await idpClient.requests.getGlobalAppStats.fire({
jwt: await idpClient.getJwt(),
});
// Create a global app
await idpClient.requests.createGlobalApp.fire({
jwt: await idpClient.getJwt(),
name: 'My App',
description: 'App description',
});
// Suspend a user
await idpClient.requests.suspendUser.fire({
jwt: await idpClient.getJwt(),
userId: 'user-id',
});
```
## Reactive Subscriptions
The client provides RxJS subjects for reactive updates:
```typescript
// Subscribe to login status changes
idpClient.statusObservable.subscribe((status) => {
console.log('Login status changed:', status);
});
// Subscribe to roles updates
idpClient.rolesReplaySubject.subscribe((roles) => {
console.log('Roles updated:', roles);
});
// Subscribe to organizations updates
idpClient.organizationsReplaySubject.subscribe((orgs) => {
console.log('Organizations updated:', orgs);
});
```
## API Reference
### IdpClient Class
| Method | Description |
|--------|-------------|
| `enableTypedSocket()` | Initialize WebSocket connection |
| `determineLoginStatus(requireLogin?)` | Check if user is logged in |
| `getJwt()` | Get stored JWT string |
| `getJwtData()` | Get parsed JWT data |
| `setJwt(jwt)` | Store JWT |
| `deleteJwt()` | Remove stored JWT |
| `refreshJwt(refreshToken?)` | Refresh the JWT |
| `performJwtHousekeeping()` | Auto-refresh JWT if needed |
| `logout()` | End session and redirect |
| `whoIs()` | Get current user info |
| `getRolesAndOrganizations()` | Get user's orgs and roles |
| `createOrganization(name, slug, mode)` | Create new organization |
| `getTransferToken(appData?)` | Get SSO transfer token |
| `processTransferToken()` | Process incoming transfer token |
| `stop()` | Close WebSocket connection |
### IdpRequests Class
Access via `idpClient.requests.*`:
**Authentication**: `loginWithUserNameAndPassword`, `loginWithEmail`, `loginWithEmailAfterToken`, `loginWithApiToken`, `resetPassword`, `setNewPassword`
**User**: `getUserData`, `setUserData`, `getUserSessions`, `revokeSession`, `getUserActivity`
**Organization**: `getOrganizationById`, `updateOrganization`, `createInvitation`, `bulkCreateInvitations`, `getOrgMembers`, `getOrgInvitations`, `acceptInvitation`, `cancelInvitation`, `resendInvitation`, `removeMember`, `updateMemberRoles`, `transferOwnership`
**Billing**: `getBillingPlan`, `getPaddleConfig`
**Admin**: `checkGlobalAdmin`, `getGlobalAppStats`, `createGlobalApp`, `updateGlobalApp`, `deleteGlobalApp`, `suspendUser`, `deleteSuspendedUser`
- The default fallback `appData` uses `window.location`, so this package is primarily browser-oriented.
- The client expects the backend `typedrequest` websocket surface to be reachable.
- Auth state is persisted in browser storage under the `idpglobalStore` store name.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
ts_interfaces/data/abusewindow.ts
+13
View File
@@ -0,0 +1,13 @@
export interface IAbuseWindow {
id: string;
data: {
action: string;
identifierHash: string;
attemptCount: number;
windowStartedAt: number;
blockedUntil: number;
validUntil: number;
createdAt: number;
updatedAt: number;
};
}
ts_interfaces/data/loint-reception.activity.ts → ts_interfaces/data/activity.ts
+3
View File
@@ -3,6 +3,9 @@ export type TActivityAction =
| 'logout'
| 'session_created'
| 'session_revoked'
| 'passport_device_enrolled'
| 'passport_device_revoked'
| 'passport_challenge_approved'
| 'org_created'
| 'org_joined'
| 'org_left'
ts_interfaces/data/alert.ts
+35
View File
@@ -0,0 +1,35 @@
export type TAlertSeverity = 'low' | 'medium' | 'high' | 'critical';
export type TAlertStatus = 'pending' | 'seen' | 'dismissed';
export type TAlertCategory = 'security' | 'admin' | 'system';
export type TAlertNotificationStatus = 'pending' | 'sent' | 'failed' | 'seen';
export interface IAlert {
id: string;
data: {
recipientUserId: string;
organizationId?: string;
category: TAlertCategory;
eventType: string;
severity: TAlertSeverity;
title: string;
body: string;
actorUserId?: string;
relatedEntityId?: string;
relatedEntityType?: string;
notification: {
hintId: string;
status: TAlertNotificationStatus;
attemptCount: number;
createdAt: number;
deliveredAt?: number | null;
seenAt?: number | null;
lastError?: string | null;
};
createdAt: number;
seenAt?: number | null;
dismissedAt?: number | null;
};
}
ts_interfaces/data/alertrule.ts
+22
View File
@@ -0,0 +1,22 @@
import type { TAlertSeverity } from './alert.js';
export type TAlertRuleScope = 'global' | 'organization';
export type TAlertRuleRecipientMode = 'global_admins' | 'org_admins' | 'specific_users';
export interface IAlertRule {
id: string;
data: {
scope: TAlertRuleScope;
organizationId?: string;
eventType: string;
minimumSeverity: TAlertSeverity;
recipientMode: TAlertRuleRecipientMode;
recipientUserIds?: string[];
push: boolean;
enabled: boolean;
createdByUserId: string;
createdAt: number;
updatedAt: number;
};
}
ts_interfaces/data/loint-reception.app.ts → ts_interfaces/data/app.ts
View File
ts_interfaces/data/loint-reception.appconnection.ts → ts_interfaces/data/appconnection.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import type { TAppType } from './loint-reception.app.js';
import type { TAppType } from './app.js';
export type TAppConnectionStatus = 'active' | 'disconnected';
ts_interfaces/data/loint-reception.billingplan.ts → ts_interfaces/data/billingplan.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
export type TSupportedCurrency = 'EUR';
ts_interfaces/data/loint-reception.device.ts → ts_interfaces/data/device.ts
+1 -1
View File
@@ -1,3 +1,3 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
export interface IDevice extends plugins.tsclass.network.IDevice {}
ts_interfaces/data/emailactiontoken.ts
+12
View File
@@ -0,0 +1,12 @@
export type TEmailActionTokenAction = 'emailLogin' | 'passwordReset';
export interface IEmailActionToken {
id: string;
data: {
email: string;
action: TEmailActionTokenAction;
tokenHash: string;
validUntil: number;
createdAt: number;
};
}
ts_interfaces/data/index.ts
+21 -13
View File
@@ -1,13 +1,21 @@
export * from './loint-reception.activity.js';
export * from './loint-reception.app.js';
export * from './loint-reception.oidc.js';
export * from './loint-reception.appconnection.js';
export * from './loint-reception.billingplan.js';
export * from './loint-reception.device.js';
export * from './loint-reception.jwt.js';
export * from './loint-reception.loginsession.js';
export * from './loint-reception.organization.js';
export * from './loint-reception.paddlecheckoutdata.js';
export * from './loint-reception.role.js';
export * from './loint-reception.user.js';
export * from './loint-reception.userinvitation.js';
export * from './abusewindow.js';
export * from './activity.js';
export * from './alert.js';
export * from './alertrule.js';
export * from './app.js';
export * from './emailactiontoken.js';
export * from './oidc.js';
export * from './appconnection.js';
export * from './billingplan.js';
export * from './device.js';
export * from './jwt.js';
export * from './loginsession.js';
export * from './organization.js';
export * from './paddlecheckoutdata.js';
export * from './passportchallenge.js';
export * from './passportdevice.js';
export * from './passportnonce.js';
export * from './registrationsession.js';
export * from './role.js';
export * from './user.js';
export * from './userinvitation.js';
ts_interfaces/data/loint-reception.jwt.ts → ts_interfaces/data/jwt.ts
+7 -2
View File
@@ -10,6 +10,11 @@ export interface IJwt {
*/
userId: string;
/**
* the login session backing this jwt
*/
sessionId?: string;
/**
* the latest point of
*/
@@ -24,9 +29,9 @@ export interface IJwt {
refreshEvery: number;
/**
* the refresh token to obtain a new jwt for a session
* legacy field kept for compatibility with already-issued jwt documents
*/
refreshToken: string;
refreshToken?: string;
/**
* just for looks/debugging
ts_interfaces/data/loint-reception.loginsession.ts → ts_interfaces/data/loginsession.ts
+11 -4
View File
@@ -1,15 +1,22 @@
export interface ILoginSession {
id: string;
data: {
userId: string;
userId: string | null;
validUntil: number;
invalidated: boolean;
refreshToken: string;
/**
* legacy plaintext refresh token field kept so existing sessions can migrate on first use
*/
refreshToken?: string | null;
refreshTokenHash?: string | null;
rotatedRefreshTokenHashes?: string[];
transferTokenHash?: string | null;
transferTokenExpiresAt?: number | null;
/**
* a device id that can be used to share the login session
* in different contexts on the same device
*/
deviceId: string;
deviceId?: string | null;
/**
* Device metadata for session display
*/
@@ -18,7 +25,7 @@ export interface ILoginSession {
browser: string;
os: string;
ip: string;
};
} | null;
/**
* When this session was created
*/
ts_interfaces/data/loint-reception.organization.ts
-13
View File
@@ -1,13 +0,0 @@
import * as plugins from '../loint-reception.plugins.js';
import { type IBillingPlan } from './loint-reception.billingplan.js';
import { type IRole } from './loint-reception.role.js';
export interface IOrganization {
id: string;
data: {
name: string;
slug: string;
billingPlanId: string;
roleIds: string[];
};
}
ts_interfaces/data/loint-reception.oidc.ts → ts_interfaces/data/oidc.ts
+67 -59
View File
@@ -11,86 +11,94 @@ export type TOidcScope = 'openid' | 'profile' | 'email' | 'organizations' | 'rol
* Authorization code for OAuth 2.0 authorization code flow
*/
export interface IAuthorizationCode {
/** The authorization code string */
code: string;
/** OAuth client ID */
clientId: string;
/** User ID who authorized */
userId: string;
/** Scopes granted */
scopes: TOidcScope[];
/** Redirect URI used in authorization request */
redirectUri: string;
/** PKCE code challenge (S256 hashed) */
codeChallenge?: string;
/** PKCE code challenge method */
codeChallengeMethod?: 'S256';
/** Nonce from authorization request (for ID token) */
nonce?: string;
/** Expiration timestamp (10 minutes from creation) */
expiresAt: number;
/** Whether the code has been used (single-use) */
used: boolean;
id: string;
data: {
/** Hashed authorization code string */
codeHash: string;
/** OAuth client ID */
clientId: string;
/** User ID who authorized */
userId: string;
/** Scopes granted */
scopes: TOidcScope[];
/** Redirect URI used in authorization request */
redirectUri: string;
/** PKCE code challenge (S256 hashed) */
codeChallenge?: string;
/** PKCE code challenge method */
codeChallengeMethod?: 'S256';
/** Nonce from authorization request (for ID token) */
nonce?: string;
/** Expiration timestamp (10 minutes from creation) */
expiresAt: number;
/** Creation timestamp */
issuedAt: number;
/** Whether the code has been used (single-use) */
used: boolean;
};
}
/**
* OIDC Access Token (opaque or JWT)
*/
export interface IOidcAccessToken {
/** Token identifier */
id: string;
/** The access token string (or hash for storage) */
tokenHash: string;
/** OAuth client ID */
clientId: string;
/** User ID */
userId: string;
/** Granted scopes */
scopes: TOidcScope[];
/** Expiration timestamp */
expiresAt: number;
/** Creation timestamp */
issuedAt: number;
data: {
/** The access token string hash for storage */
tokenHash: string;
/** OAuth client ID */
clientId: string;
/** User ID */
userId: string;
/** Granted scopes */
scopes: TOidcScope[];
/** Expiration timestamp */
expiresAt: number;
/** Creation timestamp */
issuedAt: number;
};
}
/**
* OIDC Refresh Token
*/
export interface IOidcRefreshToken {
/** Token identifier */
id: string;
/** The refresh token string (or hash for storage) */
tokenHash: string;
/** OAuth client ID */
clientId: string;
/** User ID */
userId: string;
/** Granted scopes */
scopes: TOidcScope[];
/** Expiration timestamp */
expiresAt: number;
/** Creation timestamp */
issuedAt: number;
/** Whether the token has been revoked */
revoked: boolean;
data: {
/** The refresh token string hash for storage */
tokenHash: string;
/** OAuth client ID */
clientId: string;
/** User ID */
userId: string;
/** Granted scopes */
scopes: TOidcScope[];
/** Expiration timestamp */
expiresAt: number;
/** Creation timestamp */
issuedAt: number;
/** Whether the token has been revoked */
revoked: boolean;
};
}
/**
* User consent record for an OAuth client
*/
export interface IUserConsent {
/** Unique identifier */
id: string;
/** User who gave consent */
userId: string;
/** OAuth client ID */
clientId: string;
/** Scopes the user consented to */
scopes: TOidcScope[];
/** When consent was granted */
grantedAt: number;
/** When consent was last updated */
updatedAt: number;
data: {
/** User who gave consent */
userId: string;
/** OAuth client ID */
clientId: string;
/** Scopes the user consented to */
scopes: TOidcScope[];
/** When consent was granted */
grantedAt: number;
/** When consent was last updated */
updatedAt: number;
};
}
/**
ts_interfaces/data/organization.ts
+13
View File
@@ -0,0 +1,13 @@
import * as plugins from '../plugins.js';
import { type IBillingPlan } from './billingplan.js';
import { type IRole } from './role.js';
export interface IOrganization {
id: string;
data: {
name: string;
slug: string;
billingPlanId: string;
roleIds: string[];
};
}
ts_interfaces/data/loint-reception.paddlecheckoutdata.ts → ts_interfaces/data/paddlecheckoutdata.ts
View File
ts_interfaces/data/passportchallenge.ts
+63
View File
@@ -0,0 +1,63 @@
import type { IPassportCapabilities } from './passportdevice.js';
export type TPassportChallengeType =
| 'device_enrollment'
| 'authentication'
| 'step_up'
| 'physical_access';
export type TPassportChallengeStatus = 'pending' | 'approved' | 'expired' | 'rejected';
export type TPassportChallengeDeliveryStatus = 'pending' | 'sent' | 'failed' | 'seen';
export type TPassportSignatureFormat = 'raw' | 'der';
export interface IPassportLocationEvidence {
latitude: number;
longitude: number;
accuracyMeters: number;
capturedAt: number;
}
export interface IPassportNfcEvidence {
tagId?: string;
readerId?: string;
}
export interface IPassportChallenge {
id: string;
data: {
userId: string;
deviceId?: string | null;
type: TPassportChallengeType;
status: TPassportChallengeStatus;
tokenHash?: string | null;
challenge: string;
metadata: {
originHost?: string;
audience?: string;
notificationTitle?: string;
deviceLabel?: string;
requireLocation: boolean;
requireNfc: boolean;
requestedCapabilities?: Partial<IPassportCapabilities>;
};
evidence?: {
signatureFormat?: TPassportSignatureFormat;
location?: IPassportLocationEvidence;
nfc?: IPassportNfcEvidence;
};
notification?: {
hintId: string;
status: TPassportChallengeDeliveryStatus;
attemptCount: number;
createdAt: number;
deliveredAt?: number | null;
seenAt?: number | null;
lastError?: string | null;
};
createdAt: number;
expiresAt: number;
completedAt?: number | null;
};
}
ts_interfaces/data/passportdevice.ts
+46
View File
@@ -0,0 +1,46 @@
export type TPassportDevicePlatform =
| 'ios'
| 'ipados'
| 'macos'
| 'watchos'
| 'android'
| 'web'
| 'unknown';
export type TPassportDeviceStatus = 'active' | 'revoked';
export type TPassportPushProvider = 'apns';
export type TPassportPushEnvironment = 'development' | 'production';
export interface IPassportCapabilities {
gps: boolean;
nfc: boolean;
push: boolean;
}
export interface IPassportDevice {
id: string;
data: {
userId: string;
label: string;
platform: TPassportDevicePlatform;
status: TPassportDeviceStatus;
publicKeyAlgorithm: 'p256';
publicKeyX963Base64: string;
capabilities: IPassportCapabilities;
pushRegistration?: {
provider: TPassportPushProvider;
token: string;
topic: string;
environment: TPassportPushEnvironment;
registeredAt: number;
lastDeliveredAt?: number;
lastError?: string;
};
appVersion?: string;
createdAt: number;
lastSeenAt?: number;
lastChallengeAt?: number;
};
}
ts_interfaces/data/passportnonce.ts
+9
View File
@@ -0,0 +1,9 @@
export interface IPassportNonce {
id: string;
data: {
deviceId: string;
nonceHash: string;
createdAt: number;
expiresAt: number;
};
}
ts_interfaces/data/loint-reception.property.ts → ts_interfaces/data/property.ts
+2 -2
View File
@@ -1,5 +1,5 @@
import * as plugins from '../loint-reception.plugins.js';
import { type IRole } from './loint-reception.role.js';
import * as plugins from '../plugins.js';
import { type IRole } from './role.js';
export interface ISubOrgProperty {
name: string;
ts_interfaces/data/registrationsession.ts
+31
View File
@@ -0,0 +1,31 @@
export type TRegistrationSessionStatus =
| 'announced'
| 'emailValidated'
| 'mobileVerified'
| 'registered'
| 'failed';
export interface IRegistrationSession {
id: string;
data: {
emailAddress: string;
hashedEmailToken: string;
smsCodeHash?: string | null;
smsvalidationCounter: number;
status: TRegistrationSessionStatus;
validUntil: number;
createdAt: number;
collectedData: {
userData: {
username?: string | null;
connectedOrgs: string[];
email?: string | null;
name?: string | null;
status?: 'new' | 'active' | 'deleted' | 'suspended' | null;
mobileNumber?: string | null;
password?: string | null;
passwordHash?: string | null;
};
};
};
}
ts_interfaces/data/loint-reception.role.ts → ts_interfaces/data/role.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
/** Standard role types available in all organizations */
export type TStandardRole = 'owner' | 'admin' | 'editor' | 'guest' | 'viewer' | 'outlaw';
ts_interfaces/data/loint-reception.user.ts → ts_interfaces/data/user.ts
+2 -2
View File
@@ -1,5 +1,5 @@
import * as plugins from '../loint-reception.plugins.js';
import { type IRole } from './loint-reception.role.js';
import * as plugins from '../plugins.js';
import { type IRole } from './role.js';
export interface IUser {
id: string;
ts_interfaces/data/loint-reception.userinvitation.ts → ts_interfaces/data/userinvitation.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
/**
* A UserInvitation represents an invitation to join an organization.
ts_interfaces/loint-reception.plugins.ts → ts_interfaces/plugins.ts
View File
ts_interfaces/readme.md
+75 -276
View File
@@ -1,315 +1,114 @@
# @idp.global/interfaces
TypeScript interfaces and type definitions for the idp.global Identity Provider platform.
Shared TypeScript contracts for the `idp.global` backend, browser client, CLI, and frontend.
## Overview
Use this package when you want typed request/response payloads and shared data models for users, sessions, organizations, apps, billing, and OIDC.
This package provides the complete type system for idp.global, including data models, API request/response interfaces, and OIDC definitions. Use this package when building applications that integrate with idp.global or when you need type-safe interactions with the IdP API.
## Issue Reporting and Security
## Installation
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash
npm install @idp.global/interfaces
# or
pnpm add @idp.global/interfaces
```
## Usage
## Quick Start
```typescript
```ts
import { data, request, tags } from '@idp.global/interfaces';
// Data interfaces
const user: data.IUser = {
id: 'user_123',
data: {
name: 'John Doe',
username: 'johndoe',
email: 'john@example.com',
status: 'active',
connectedOrgs: ['org_1', 'org_2'],
},
const loginRequest: request.IReq_LoginWithEmailOrUsernameAndPassword['request'] = {
username: 'user@example.com',
password: 'secret',
};
// Organization interface
const org: data.IOrganization = {
const organization: data.IOrganization = {
id: 'org_1',
data: {
name: 'Acme Corp',
name: 'Acme',
slug: 'acme',
billingPlanId: 'plan_free',
roleIds: ['role_admin', 'role_member'],
roleIds: [],
},
};
```
## Package Structure
## Exports
```
ts_interfaces/
├── data/ # Data model interfaces
│ ├── loint-reception.user.ts # User profiles
│ ├── loint-reception.organization.ts # Organizations
│ ├── loint-reception.role.ts # RBAC roles
│ ├── loint-reception.app.ts # OAuth applications
│ ├── loint-reception.oidc.ts # OIDC tokens & flows
│ ├── loint-reception.jwt.ts # JWT structures
│ ├── loint-reception.loginsession.ts # Login sessions
│ ├── loint-reception.billingplan.ts # Billing plans
│ ├── loint-reception.device.ts # Device management
│ ├── loint-reception.activity.ts # Activity logs
│ ├── loint-reception.userinvitation.ts # Invitations
│ └── loint-reception.appconnection.ts # App connections
├── request/ # API request/response interfaces
│ ├── loint-reception.login.ts # Authentication
│ ├── loint-reception.registration.ts # User registration
│ ├── loint-reception.user.ts # User management
│ ├── loint-reception.organization.ts # Org management
│ ├── loint-reception.jwt.ts # JWT operations
│ ├── loint-reception.apitoken.ts # API tokens
│ ├── loint-reception.app.ts # App management
│ ├── loint-reception.billingplan.ts # Billing
│ └── loint-reception.admin.ts # Admin operations
└── tags/ # Tag definitions
### `data`
The `data` export includes types for:
- users
- organizations
- roles
- JWT payloads
- login sessions
- devices
- activity logs
- apps and app connections
- billing plans and Paddle checkout data
- OIDC data structures
- invitations
### `request`
The `request` export includes typed request contracts for:
- login, logout, refresh, password reset, and device attachment
- registration flow requests
- user and session queries
- organization CRUD-style requests
- invitations and membership changes
- app and admin actions
- billing and JWT validation support
### `tags`
Shared tag exports live under `tags/`.
## Layout
| Path | Purpose |
| --- | --- |
| `data/index.ts` | Re-exports all shared data interfaces |
| `request/index.ts` | Re-exports all typed request contracts |
| `tags/index.ts` | Re-exports shared tags |
## Examples
### Login Contract
```ts
type TLogin = request.IReq_LoginWithEmailOrUsernameAndPassword;
const payload: TLogin['request'] = {
username: 'user@example.com',
password: 'secret',
};
```
## Data Interfaces
### Session Contract
### User (`IUser`)
```typescript
interface IUser {
id: string;
data: {
name: string;
username: string;
email: string;
mobileNumber?: string;
password?: string; // Only during initial setting
passwordHash?: string; // For validation
status: 'new' | 'active' | 'deleted' | 'suspended';
connectedOrgs: string[]; // Organization IDs
isGlobalAdmin?: boolean; // Platform admin flag
};
}
```ts
type TSessions = request.IReq_GetUserSessions['response']['sessions'];
```
### Organization (`IOrganization`)
### OIDC Contract
```typescript
interface IOrganization {
id: string;
data: {
name: string;
slug: string;
billingPlanId: string;
roleIds: string[];
};
}
```ts
type TUserInfo = data.IUserInfoResponse;
```
### Role (`IRole`)
## Scope
```typescript
interface IRole {
id: string;
data: {
name: string;
organizationId: string;
userId: string;
permissions: string[];
};
}
```
### OAuth Application Types
```typescript
// Global platform apps (maintained by platform admins)
interface IGlobalApp {
id: string;
type: 'globalApp';
data: {
name: string;
description: string;
iconBase64?: string;
oauthCredentials?: IOAuthCredentials;
};
}
// Partner apps (third-party integrations)
interface IPartnerApp {
id: string;
type: 'partnerApp';
data: {
name: string;
description: string;
ownerOrganizationId: string;
oauthCredentials?: IOAuthCredentials;
};
}
// Custom OIDC clients
interface ICustomOidcApp {
id: string;
type: 'customOidcApp';
data: {
name: string;
description: string;
ownerOrganizationId: string;
oauthCredentials: IOAuthCredentials;
};
}
```
### OAuth Credentials
```typescript
interface IOAuthCredentials {
clientId: string;
clientSecretHash: string;
redirectUris: string[];
scopes: string[];
grantTypes: ('authorization_code' | 'refresh_token' | 'client_credentials')[];
}
```
## OIDC Interfaces
### Authorization Code
```typescript
interface IAuthorizationCode {
code: string;
clientId: string;
userId: string;
scopes: string[];
redirectUri: string;
codeChallenge?: string;
codeChallengeMethod?: 'S256';
expiresAt: number;
used: boolean;
}
```
### Token Response
```typescript
interface ITokenResponse {
access_token: string;
token_type: 'Bearer';
expires_in: number;
refresh_token?: string;
id_token?: string;
scope: string;
}
```
### UserInfo Response
```typescript
interface IUserInfoResponse {
sub: string;
name?: string;
preferred_username?: string;
email?: string;
email_verified?: boolean;
organizations?: Array<{
id: string;
name: string;
slug: string;
roles: string[];
}>;
roles?: string[];
}
```
### ID Token Claims
```typescript
interface IIdTokenClaims {
iss: string; // Issuer
sub: string; // Subject (user ID)
aud: string; // Audience (client ID)
exp: number; // Expiration time
iat: number; // Issued at
nonce?: string; // Replay protection
name?: string;
email?: string;
email_verified?: boolean;
organizations?: Array<{...}>;
roles?: string[];
}
```
## Request Interfaces
All API requests follow the TypedRequest pattern:
```typescript
interface IReq_LoginWithEmailOrUsernameAndPassword {
method: 'loginWithEmailOrUsernameAndPassword';
request: {
username: string;
password: string;
};
response: {
refreshToken?: string;
twoFaNeeded: boolean;
};
}
```
### Authentication Requests
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_LoginWithEmailOrUsernameAndPassword` | `loginWithEmailOrUsernameAndPassword` | Password login |
| `IReq_LoginWithEmail` | `loginWithEmail` | Magic link request |
| `IReq_LoginWithEmailAfterEmailTokenAquired` | `loginWithEmailAfterEmailTokenAquired` | Magic link verification |
| `IReq_LoginWithApiToken` | `loginWithApiToken` | API token login |
| `IReq_RefreshJwt` | `refreshJwt` | Refresh access token |
| `ILogoutRequest` | `logout` | End session |
### User Management Requests
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_GetUserData` | `getUserData` | Get current user |
| `IReq_SetUserData` | `setUserData` | Update user profile |
| `IReq_GetUserSessions` | `getUserSessions` | List active sessions |
| `IReq_ResetPassword` | `resetPassword` | Request password reset |
| `IReq_SetNewPassword` | `setNewPassword` | Set new password |
### Organization Requests
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_CreateOrganization` | `createOrganization` | Create new org |
| `IReq_GetOrgMembers` | `getOrgMembers` | List org members |
| `IReq_CreateInvitation` | `createInvitation` | Invite user |
| `IReq_AcceptInvitation` | `acceptInvitation` | Accept invite |
### JWT Operations
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_GetPublicKeyForValidation` | `getPublicKeyForValidation` | Get JWT public key |
| `IReq_GetJwtIdBlocklist` | `getJwtIdBlocklist` | Get revoked token IDs |
## Supported OIDC Scopes
| Scope | Description |
|-------|-------------|
| `openid` | Required for OIDC flows |
| `profile` | User's name and username |
| `email` | User's email address |
| `organizations` | User's organization memberships |
| `roles` | User's roles within organizations |
This package is intentionally contract-only. It does not open sockets, store auth state, or perform HTTP/websocket communication by itself.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
ts_interfaces/request/loint-reception.admin.ts → ts_interfaces/request/admin.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
import * as data from '../data/index.js';
/**
ts_interfaces/request/alert.ts
+97
View File
@@ -0,0 +1,97 @@
import * as plugins from '../plugins.js';
import * as data from '../data/index.js';
import type { IPassportDeviceSignedRequest } from './passport.js';
export interface IReq_ListPassportAlerts
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_ListPassportAlerts
> {
method: 'listPassportAlerts';
request: IPassportDeviceSignedRequest;
response: {
alerts: data.IAlert[];
};
}
export interface IReq_GetPassportAlertByHint
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_GetPassportAlertByHint
> {
method: 'getPassportAlertByHint';
request: IPassportDeviceSignedRequest & {
hintId: string;
};
response: {
alert?: data.IAlert;
};
}
export interface IReq_MarkPassportAlertSeen
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_MarkPassportAlertSeen
> {
method: 'markPassportAlertSeen';
request: IPassportDeviceSignedRequest & {
hintId: string;
};
response: {
success: boolean;
};
}
export interface IReq_UpsertAlertRule
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_UpsertAlertRule
> {
method: 'upsertAlertRule';
request: {
jwt: string;
ruleId?: string;
scope: data.TAlertRuleScope;
organizationId?: string;
eventType: string;
minimumSeverity: data.TAlertSeverity;
recipientMode: data.TAlertRuleRecipientMode;
recipientUserIds?: string[];
push: boolean;
enabled: boolean;
};
response: {
rule: data.IAlertRule;
};
}
export interface IReq_GetAlertRules
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_GetAlertRules
> {
method: 'getAlertRules';
request: {
jwt: string;
scope?: data.TAlertRuleScope;
organizationId?: string;
};
response: {
rules: data.IAlertRule[];
};
}
export interface IReq_DeleteAlertRule
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_DeleteAlertRule
> {
method: 'deleteAlertRule';
request: {
jwt: string;
ruleId: string;
};
response: {
success: boolean;
};
}
ts_interfaces/request/loint-reception.apitoken.ts → ts_interfaces/request/apitoken.ts
View File
ts_interfaces/request/loint-reception.app.ts → ts_interfaces/request/app.ts
+1 -1
View File
@@ -1,5 +1,5 @@
import * as data from '../data/index.js';
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
// Get all global apps
export interface IReq_GetGlobalApps
ts_interfaces/request/authorization.ts
+72
View File
@@ -0,0 +1,72 @@
import * as plugins from '../plugins.js';
import { type IUser, type IRole } from '../data/index.js';
import { type TOidcScope } from '../data/index.js';
export interface IReq_InternalAuthorization
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_InternalAuthorization
> {
method: '';
request: {
accountData: IUser;
jwt: string;
};
response: {
accountData: IUser;
jwt: string;
relevantRoles: IRole[];
};
}
export interface IReq_CompleteOidcAuthorization
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_CompleteOidcAuthorization
> {
method: 'completeOidcAuthorization';
request: {
jwt: string;
clientId: string;
redirectUri: string;
scope: string;
state: string;
prompt?: 'none' | 'login' | 'consent';
codeChallenge?: string;
codeChallengeMethod?: 'S256';
nonce?: string;
consentApproved?: boolean;
};
response: {
code: string;
redirectUrl: string;
};
}
export interface IReq_PrepareOidcAuthorization
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_PrepareOidcAuthorization
> {
method: 'prepareOidcAuthorization';
request: {
jwt: string;
clientId: string;
redirectUri: string;
scope: string;
state: string;
prompt?: 'none' | 'login' | 'consent';
codeChallenge?: string;
codeChallengeMethod?: 'S256';
nonce?: string;
};
response: {
status: 'ready' | 'consent_required';
clientId: string;
appName: string;
appUrl: string;
logoUrl?: string;
requestedScopes: TOidcScope[];
grantedScopes: TOidcScope[];
};
}
ts_interfaces/request/loint-reception.billingplan.ts → ts_interfaces/request/billingplan.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
import * as data from '../data/index.js';
export interface IReq_UpdatePaymentMethod
ts_interfaces/request/index.ts
+14 -12
View File
@@ -1,12 +1,14 @@
export * from './loint-reception.admin.js';
export * from './loint-reception.apitoken.js';
export * from './loint-reception.app.js';
export * from './loint-reception.authorization.js';
export * from './loint-reception.billingplan.js';
export * from './loint-reception.jwt.js';
export * from './loint-reception.login.js';
export * from './loint-reception.organization.js';
export * from './loint-reception.plan.js';
export * from './loint-reception.registration.js';
export * from './loint-reception.user.js';
export * from './loint-reception.userinvitation.js';
export * from './admin.js';
export * from './apitoken.js';
export * from './alert.js';
export * from './app.js';
export * from './authorization.js';
export * from './billingplan.js';
export * from './jwt.js';
export * from './login.js';
export * from './organization.js';
export * from './passport.js';
export * from './plan.js';
export * from './registration.js';
export * from './user.js';
export * from './userinvitation.js';
ts_interfaces/request/loint-reception.jwt.ts → ts_interfaces/request/jwt.ts
+1 -1
View File
@@ -1,5 +1,5 @@
import * as data from '../data/index.js';
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
/**
* Request to get the public key for JWT validation.
ts_interfaces/request/loint-reception.login.ts → ts_interfaces/request/login.ts
+3 -2
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
import * as data from '../data/index.js';
export interface IReq_LoginWithEmailOrUsernameAndPassword
@@ -87,7 +87,8 @@ export interface IReq_RefreshJwt
};
response: {
status: data.TLoginStatus;
jwt: string;
jwt?: string;
refreshToken?: string;
};
}
ts_interfaces/request/loint-reception.authorization.ts
-19
View File
@@ -1,19 +0,0 @@
import * as plugins from '../loint-reception.plugins.js';
import { type IUser, type IRole } from '../data/index.js';
export interface IReq_InternalAuthorization
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_InternalAuthorization
> {
method: '';
request: {
accountData: IUser;
jwt: string;
};
response: {
accountData: IUser;
jwt: string;
relevantRoles: IRole[];
};
}
ts_interfaces/request/loint-reception.organization.ts → ts_interfaces/request/organization.ts
+1 -1
View File
@@ -1,5 +1,5 @@
import * as data from '../data/index.js';
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
export interface IReq_GetOrganizationById
extends plugins.typedRequestInterfaces.implementsTR<
ts_interfaces/request/passport.ts
+183
View File
@@ -0,0 +1,183 @@
import * as plugins from '../plugins.js';
import * as data from '../data/index.js';
export interface IPassportDeviceSignedRequest {
deviceId: string;
timestamp: number;
nonce: string;
signatureBase64: string;
signatureFormat?: data.TPassportSignatureFormat;
}
export interface IReq_CreatePassportEnrollmentChallenge
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_CreatePassportEnrollmentChallenge
> {
method: 'createPassportEnrollmentChallenge';
request: {
jwt: string;
deviceLabel: string;
platform: data.TPassportDevicePlatform;
appVersion?: string;
capabilities?: Partial<data.IPassportCapabilities>;
};
response: {
challengeId: string;
pairingToken: string;
pairingPayload: string;
signingPayload: string;
expiresAt: number;
};
}
export interface IReq_CompletePassportEnrollment
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_CompletePassportEnrollment
> {
method: 'completePassportEnrollment';
request: {
pairingToken: string;
deviceLabel: string;
platform: data.TPassportDevicePlatform;
publicKeyX963Base64: string;
signatureBase64: string;
signatureFormat?: data.TPassportSignatureFormat;
appVersion?: string;
capabilities?: Partial<data.IPassportCapabilities>;
};
response: {
device: data.IPassportDevice;
};
}
export interface IReq_GetPassportDevices
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_GetPassportDevices
> {
method: 'getPassportDevices';
request: {
jwt: string;
};
response: {
devices: data.IPassportDevice[];
};
}
export interface IReq_RevokePassportDevice
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_RevokePassportDevice
> {
method: 'revokePassportDevice';
request: {
jwt: string;
deviceId: string;
};
response: {
success: boolean;
};
}
export interface IReq_CreatePassportChallenge
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_CreatePassportChallenge
> {
method: 'createPassportChallenge';
request: {
jwt: string;
type?: Exclude<data.TPassportChallengeType, 'device_enrollment'>;
preferredDeviceId?: string;
audience?: string;
notificationTitle?: string;
requireLocation?: boolean;
requireNfc?: boolean;
};
response: {
challengeId: string;
challenge: string;
signingPayload: string;
deviceId: string;
expiresAt: number;
};
}
export interface IReq_ApprovePassportChallenge
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_ApprovePassportChallenge
> {
method: 'approvePassportChallenge';
request: {
challengeId: string;
deviceId: string;
signatureBase64: string;
signatureFormat?: data.TPassportSignatureFormat;
location?: data.IPassportLocationEvidence;
nfc?: data.IPassportNfcEvidence;
};
response: {
success: boolean;
challenge: data.IPassportChallenge;
};
}
export interface IReq_RegisterPassportPushToken
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_RegisterPassportPushToken
> {
method: 'registerPassportPushToken';
request: IPassportDeviceSignedRequest & {
provider: data.TPassportPushProvider;
token: string;
topic: string;
environment: data.TPassportPushEnvironment;
};
response: {
success: boolean;
};
}
export interface IReq_ListPendingPassportChallenges
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_ListPendingPassportChallenges
> {
method: 'listPendingPassportChallenges';
request: IPassportDeviceSignedRequest;
response: {
challenges: data.IPassportChallenge[];
};
}
export interface IReq_GetPassportChallengeByHint
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_GetPassportChallengeByHint
> {
method: 'getPassportChallengeByHint';
request: IPassportDeviceSignedRequest & {
hintId: string;
};
response: {
challenge?: data.IPassportChallenge;
};
}
export interface IReq_MarkPassportChallengeSeen
extends plugins.typedRequestInterfaces.implementsTR<
plugins.typedRequestInterfaces.ITypedRequest,
IReq_MarkPassportChallengeSeen
> {
method: 'markPassportChallengeSeen';
request: IPassportDeviceSignedRequest & {
hintId: string;
};
response: {
success: boolean;
};
}
ts_interfaces/request/loint-reception.plan.ts → ts_interfaces/request/plan.ts
+1 -1
View File
@@ -1,5 +1,5 @@
import * as data from '../data/index.js';
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
export interface IReq_GetPlansForOrganizationId
extends plugins.typedRequestInterfaces.implementsTR<
ts_interfaces/request/loint-reception.registration.ts → ts_interfaces/request/registration.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
import { type IUser } from '../data/index.js';
export interface IReq_FirstRegistration
ts_interfaces/request/loint-reception.user.ts → ts_interfaces/request/user.ts
+1 -1
View File
@@ -1,5 +1,5 @@
import * as data from '../data/index.js';
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
export interface IReq_GetUserData
extends plugins.typedRequestInterfaces.implementsTR<
ts_interfaces/request/loint-reception.userinvitation.ts → ts_interfaces/request/userinvitation.ts
+1 -1
View File
@@ -1,5 +1,5 @@
import * as data from '../data/index.js';
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
/**
* Create an invitation to join an organization
ts_interfaces/tags/index.ts
+1 -1
View File
@@ -1,4 +1,4 @@
import * as plugins from '../loint-reception.plugins.js';
import * as plugins from '../plugins.js';
export interface ITag_LolePubapi
extends plugins.typedRequestInterfaces.implementsTag<
ts_web/00_commitinfo_data.ts
+1 -1
View File
@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@idp.global/idp.global',
version: '1.16.0',
version: '1.21.0',
description: 'An identity provider software managing user authentications, registrations, and sessions.'
}
ts_web/elements/account/content.ts
+1 -1
View File
@@ -19,7 +19,7 @@ import { accountDesignTokens } from './sharedstyles.js';
import * as views from './views/index.js';
import * as accountstate from '../../states/accountstate.js';
import { commitinfo } from '../../../dist_ts/00_commitinfo_data.js';
import { commitinfo } from '../../../ts/00_commitinfo_data.js';
declare global {
ts_web/elements/account/navigation.ts
+1 -1
View File
@@ -17,7 +17,7 @@ import { accountDesignTokens } from './sharedstyles.js';
import { CreateOrgModal } from './create-org-modal.js';
import { OrgSelectModal } from './org-select-modal.js';
import { commitinfo } from '../../../dist_ts/00_commitinfo_data.js';
import { commitinfo } from '../../../ts/00_commitinfo_data.js';
declare global {
interface HTMLElementTagNameMap {
ts_web/elements/idp-centercontainer.ts
+1 -1
View File
@@ -11,7 +11,7 @@ import {
query,
} from '@design.estate/dees-element';
import { commitinfo } from '../../dist_ts/00_commitinfo_data.js';
import { commitinfo } from '../../ts/00_commitinfo_data.js';
import { IdpState } from '../states/idp.state.js';
declare global {
ts_web/elements/idp-loginprompt.ts
+335 -27
View File
@@ -12,7 +12,6 @@ import {
domtools,
} from '@design.estate/dees-element';
// third party catalogs
import '@uptime.link/webwidget';
import '@design.estate/dees-catalog';
@@ -29,6 +28,12 @@ declare global {
export class IdpLoginPrompt extends DeesElement {
public static demo = () => html`<idp-loginprompt></idp-loginprompt>`;
@state()
accessor oidcConsentState: plugins.idpInterfaces.request.IReq_PrepareOidcAuthorization['response'] | null = null;
@state()
accessor oidcConsentError = '';
@property()
accessor productOfInterest: string;
@@ -48,6 +53,155 @@ export class IdpLoginPrompt extends DeesElement {
domtools.elementBasic.setup();
}
private getOidcAuthorizationContext(): Omit<
plugins.idpInterfaces.request.IReq_CompleteOidcAuthorization['request'],
'jwt'
> | null {
const currentUrl = plugins.smarturl.Smarturl.createFromUrl(window.location.href);
if (currentUrl.searchParams.oauth !== 'true') {
return null;
}
const clientId = currentUrl.searchParams.client_id;
const redirectUri = currentUrl.searchParams.redirect_uri;
const scope = currentUrl.searchParams.scope;
const state = currentUrl.searchParams.state;
if (!clientId || !redirectUri || !scope || !state) {
return null;
}
const prompt = ['none', 'login', 'consent'].includes(currentUrl.searchParams.prompt)
? (currentUrl.searchParams.prompt as 'none' | 'login' | 'consent')
: undefined;
return {
clientId,
redirectUri,
scope,
state,
prompt,
codeChallenge: currentUrl.searchParams.code_challenge || undefined,
codeChallengeMethod:
currentUrl.searchParams.code_challenge_method === 'S256' ? 'S256' : undefined,
nonce: currentUrl.searchParams.nonce || undefined,
};
}
private redirectOidcError(errorArg: string, descriptionArg?: string) {
const oidcContext = this.getOidcAuthorizationContext();
if (!oidcContext) {
return false;
}
const redirectUrl = new URL(oidcContext.redirectUri);
redirectUrl.searchParams.set('error', errorArg);
redirectUrl.searchParams.set('state', oidcContext.state);
if (descriptionArg) {
redirectUrl.searchParams.set('error_description', descriptionArg);
}
window.location.href = redirectUrl.toString();
return true;
}
private getOidcScopeDescription(scopeArg: plugins.idpInterfaces.data.TOidcScope) {
const scopeMap: Record<plugins.idpInterfaces.data.TOidcScope, string> = {
openid: 'Confirm your identity with this app.',
profile: 'Share your display name and username.',
email: 'Share your email address.',
organizations: 'Share your organizations and their roles.',
roles: 'Share your platform roles.',
};
return scopeMap[scopeArg];
}
private getOidcAppHost(appUrlArg: string) {
try {
return new URL(appUrlArg).hostname;
} catch {
return appUrlArg;
}
}
private async prepareOidcAuthorization(jwtArg: string) {
const oidcContext = this.getOidcAuthorizationContext();
if (!oidcContext) {
return null;
}
const idpState = await IdpState.getSingletonInstance();
return idpState.idpClient.requests.prepareOidcAuthorization
.fire({
jwt: jwtArg,
...oidcContext,
})
.catch(() => null);
}
private async handleOidcAfterLogin(jwtArg: string) {
const oidcContext = this.getOidcAuthorizationContext();
if (!oidcContext) {
return false;
}
const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm | null;
loginForm?.setStatus('pending', 'preparing application authorization...');
this.oidcConsentError = '';
const preparation = await this.prepareOidcAuthorization(jwtArg);
if (!preparation) {
loginForm?.setStatus('error', 'could not prepare the application authorization');
return true;
}
if (preparation.status === 'consent_required') {
if (oidcContext.prompt === 'none') {
this.redirectOidcError('consent_required');
return true;
}
this.oidcConsentState = preparation;
return true;
}
await this.completeOidcAuthorization(jwtArg);
return true;
}
private async completeOidcAuthorization(jwtArg: string, consentApproved = false) {
const oidcContext = this.getOidcAuthorizationContext();
if (!oidcContext) {
return false;
}
const idpState = await IdpState.getSingletonInstance();
const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm | null;
loginForm?.setStatus('pending', 'authorizing application...');
this.oidcConsentError = '';
const response = await idpState.idpClient.requests.completeOidcAuthorization
.fire({
jwt: jwtArg,
...oidcContext,
consentApproved,
})
.catch(() => null);
if (!response?.redirectUrl) {
if (this.oidcConsentState) {
this.oidcConsentError = 'Could not authorize the application.';
} else {
loginForm?.setStatus('error', 'could not authorize the application');
}
return false;
}
window.location.href = response.redirectUrl;
return true;
}
public static styles = [
cssManager.defaultStyles,
css`
@@ -103,10 +257,147 @@ export class IdpLoginPrompt extends DeesElement {
.form-footer a:hover {
opacity: 0.8;
}
.consent-card {
display: flex;
flex-direction: column;
gap: 16px;
padding: 24px;
border: 1px solid rgba(255, 255, 255, 0.08);
border-radius: 18px;
background: rgba(255, 255, 255, 0.04);
}
.consent-appname {
font-size: 20px;
font-weight: 600;
}
.consent-appurl {
color: var(--muted-foreground);
font-size: 14px;
word-break: break-word;
}
.consent-scopes {
display: flex;
flex-direction: column;
gap: 12px;
}
.consent-scope {
padding: 14px 16px;
border-radius: 14px;
background: rgba(255, 255, 255, 0.03);
}
.consent-scope-header {
display: flex;
justify-content: space-between;
gap: 12px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 0.04em;
font-size: 12px;
}
.consent-scope-tag {
color: #9cd67c;
}
.consent-scope-description {
margin-top: 6px;
color: var(--muted-foreground);
font-size: 14px;
line-height: 1.5;
}
.consent-actions {
display: flex;
justify-content: flex-end;
gap: 12px;
}
.consent-button {
border: none;
border-radius: 999px;
padding: 12px 18px;
font: inherit;
cursor: pointer;
}
.consent-button-secondary {
background: rgba(255, 255, 255, 0.08);
color: var(--foreground);
}
.consent-button-primary {
background: linear-gradient(135deg, #9b7bff, #5fd1ff);
color: #0a0a0a;
font-weight: 600;
}
.consent-error {
color: #ff9a9a;
font-size: 14px;
}
`,
];
public render(): TemplateResult {
if (this.oidcConsentState) {
return html`
<idp-centercontainer>
<div class="form-header">
<h2>Continue to ${this.oidcConsentState.appName}</h2>
<p>Review and approve the access this app is requesting.</p>
</div>
<div class="consent-card">
<div class="consent-appname">${this.oidcConsentState.appName}</div>
<div class="consent-appurl">${this.getOidcAppHost(this.oidcConsentState.appUrl)}</div>
<div class="consent-scopes">
${this.oidcConsentState.requestedScopes.map((scopeArg) => html`
<div class="consent-scope">
<div class="consent-scope-header">
<span>${scopeArg}</span>
${this.oidcConsentState.grantedScopes.includes(scopeArg)
? html`<span class="consent-scope-tag">Previously allowed</span>`
: null}
</div>
<div class="consent-scope-description">${this.getOidcScopeDescription(scopeArg)}</div>
</div>
`)}
</div>
${this.oidcConsentError ? html`<div class="consent-error">${this.oidcConsentError}</div>` : null}
<div class="consent-actions">
<button
class="consent-button consent-button-secondary"
@click=${() => {
this.redirectOidcError('access_denied');
}}
>
Cancel
</button>
<button
class="consent-button consent-button-primary"
@click=${async () => {
const idpState = await IdpState.getSingletonInstance();
const jwt = await idpState.idpClient.getJwt();
if (!jwt) {
this.redirectOidcError('login_required');
return;
}
await this.completeOidcAuthorization(jwt, true);
}}
>
Allow and continue
</button>
</div>
</div>
</idp-centercontainer>
`;
}
return html`
<idp-centercontainer>
<div class="form-header">
@@ -115,12 +406,12 @@ export class IdpLoginPrompt extends DeesElement {
</div>
<dees-form
id="loginForm"
@formData="${(eventArg) => {
@formData=${(eventArg) => {
this.login({
emailAddress: eventArg.detail.data.emailAddress,
passwordArg: eventArg.detail.data.password,
});
}}"
}}
>
<dees-input-text
id="loginEmailInput"
@@ -137,7 +428,8 @@ export class IdpLoginPrompt extends DeesElement {
<dees-form-submit id="loginSubmitButton"></dees-form-submit>
</dees-form>
<div class="form-footer">
Don't have an account? <a @click=${async () => {
Don't have an account?
<a @click=${async () => {
const idpState = await IdpState.getSingletonInstance();
idpState.domtools.router.pushUrl('/register');
}}>Create one</a>
@@ -147,32 +439,48 @@ export class IdpLoginPrompt extends DeesElement {
}
public async firstUpdated() {
const domtoolsInstance = await this.domtoolsPromise;
const loginForm: DeesForm = this.shadowRoot.querySelector('#loginForm');
const loginPasswordInput: DeesInputText = loginForm.querySelector('#loginPasswordInput');
const loginSubmitButton: DeesFormSubmit = loginForm.querySelector('#loginSubmitButton');
await this.domtoolsPromise;
const idpState = await IdpState.getSingletonInstance();
const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm;
const loginPasswordInput = loginForm.querySelector('#loginPasswordInput') as DeesInputText;
const loginSubmitButton = loginForm.querySelector('#loginSubmitButton') as DeesFormSubmit;
const oidcContext = this.getOidcAuthorizationContext();
const setButtonText = async () => {
if (loginPasswordInput.value) {
console.log('updating text of loginprompt.');
loginSubmitButton.text = 'Login';
loginSubmitButton.text = oidcContext ? 'Sign in and continue' : 'Login';
} else {
loginSubmitButton.text = 'Send magic link (or enter password)';
}
};
loginForm.changeSubject.subscribe(() => {
console.log(`checking button text ${loginPasswordInput.value}`);
setButtonText();
void setButtonText();
});
setButtonText();
await setButtonText();
if (oidcContext) {
const loggedIn = await idpState.idpClient.determineLoginStatus(false);
if (!loggedIn && oidcContext.prompt === 'none') {
this.redirectOidcError('login_required');
return;
}
if (loggedIn && oidcContext.prompt !== 'login') {
const jwt = await idpState.idpClient.getJwt();
if (jwt) {
await this.handleOidcAfterLogin(jwt);
}
}
}
}
private login = async (valueArg: { emailAddress: string; passwordArg: string }) => {
// lets disable the submit button
const loginSubmitButton: plugins.deesCatalog.DeesFormSubmit = this.shadowRoot.querySelector('#loginSubmitButton');
const loginSubmitButton = this.shadowRoot.querySelector(
'#loginSubmitButton'
) as plugins.deesCatalog.DeesFormSubmit;
loginSubmitButton.disabled = true;
// lets define the needed requests
const idpState = await IdpState.getSingletonInstance();
const loginForm: DeesForm = this.shadowRoot.querySelector('#loginForm');
const loginForm = this.shadowRoot.querySelector('#loginForm') as DeesForm;
const loginRequestWithUsernameAndPassword =
idpState.idpClient.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
'loginWithEmailOrUsernameAndPassword'
@@ -182,19 +490,19 @@ export class IdpLoginPrompt extends DeesElement {
'loginWithEmail'
);
// lets do the actual logging in
if (valueArg.emailAddress && valueArg.passwordArg) {
loginForm.setStatus('pending', 'logging in...');
const response = await loginRequestWithUsernameAndPassword
.fire({
username: valueArg.emailAddress, // TODO: rename to emailAddress
username: valueArg.emailAddress,
password: valueArg.passwordArg,
})
.catch(() => {
loginForm.setStatus('error', 'could not log you in. Try Again!');
return;
return null;
});
if (!response) {
loginSubmitButton.disabled = false;
return;
}
if (response.refreshToken) {
@@ -202,11 +510,13 @@ export class IdpLoginPrompt extends DeesElement {
const jwt = await idpState.idpClient.refreshJwt(response.refreshToken);
if (jwt) {
loginForm.setStatus('success', 'obtained jwt.');
idpState.domtools.router.pushUrl('/account');
const oidcHandled = await this.handleOidcAfterLogin(jwt);
if (!oidcHandled) {
idpState.domtools.router.pushUrl('/account');
}
} else {
loginForm.setStatus('error', 'something went wrong');
}
} else {
}
} else if (valueArg.emailAddress && !valueArg.passwordArg) {
loginForm.setStatus('pending', 'sending magic link...');
@@ -216,13 +526,13 @@ export class IdpLoginPrompt extends DeesElement {
if (response.status === 'ok') {
loginForm.setStatus('success', 'Please check your email!');
}
console.log(response);
}
loginSubmitButton.disabled = false;
};
public async dispatchJwt(jwtArg?: string) {
if (jwtArg !== undefined) {
console.log(`dispatching jwt from loginprompt.`);
this.jwt = jwtArg;
await domtools.plugins.smartdelay.delayFor(200);
this.dispatchEvent(
@@ -237,9 +547,7 @@ export class IdpLoginPrompt extends DeesElement {
}
public async focus() {
(
this.shadowRoot.querySelector('#loginEmailInput') as plugins.deesCatalog.DeesInputText
).focus();
(this.shadowRoot.querySelector('#loginEmailInput') as plugins.deesCatalog.DeesInputText).focus();
}
public async show() {
ts_web/elements/idp-registerprompt.ts
+4 -11
View File
@@ -207,21 +207,14 @@ export class IdpRegistrationPrompt extends DeesElement {
}
public async handleRefreshToken(refreshTokenArg: string, delayDispatchMillisArg = 0) {
// a refreshToken binds directly to a session.
// the refresh token is used on a continuous basis to get fresh and short-lived jwts
const idpState = await IdpState.getSingletonInstance();
const refreshJwt = idpState.idpClient.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>(
'refreshJwt'
);
const responseJwt = await refreshJwt.fire({
refreshToken: refreshTokenArg,
});
const jwt = await idpState.idpClient.refreshJwt(refreshTokenArg);
if (responseJwt.jwt) {
if (jwt) {
this.domtools.convenience.smartdelay.delayFor(delayDispatchMillisArg).then(() => {
this.dispatchJwt(responseJwt.jwt);
this.dispatchJwt(jwt);
});
return responseJwt.jwt;
return jwt;
} else {
return null;
}
ts_web/elements/idp-registration-stepper.ts
+6 -6
View File
@@ -488,15 +488,15 @@ export class IdpRegistrationStepper extends DeesElement {
username: this.storedData.email,
password: eventArg.detail.data.password,
});
this.storedData.refreshToken = loginResponse.refreshToken;
deesForm.setStatus('pending', 'Obtaining JWT...');
const jwtResponse = await idpState.idpClient.requests.obtainJwt.fire({
refreshToken: this.storedData.refreshToken,
});
const jwt = await idpState.idpClient.refreshJwt(loginResponse.refreshToken);
if (!jwt) {
deesForm.setStatus('error', 'Failed to establish a login session.');
return;
}
deesForm.setStatus('success', 'Ok! Lets Go!');
await idpState.idpClient.setJwt(jwtResponse.jwt);
idpState.domtools.router.pushUrl('/account');
}, { signal });
},
ts_web/readme.md
+54 -244
View File
@@ -1,259 +1,69 @@
# @idp.global/web
# `ts_web/` Web App Module
Web Components and UI elements for the idp.global Identity Provider platform. Built with `@design.estate/dees-element` and the dees-catalog component library.
The `ts_web/` folder contains the frontend for `idp.global`: login, registration, account management, org management, billing, and admin UI.
## Overview
It is built with `@design.estate/dees-element`, `@design.estate/dees-domtools`, and the shared `idp.global` client and interface packages.
This package provides the complete web interface for idp.global, including authentication flows, account management, and organization administration. All components are built as Web Components using the Lit-based `dees-element` framework.
## Issue Reporting and Security
## Installation
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## What Lives Here
| Path | Purpose |
| --- | --- |
| `index.ts` | Frontend entrypoint and initial render |
| `views/viewcontainer.ts` | View switching for welcome, login, register, finishregistration, and account |
| `elements/` | Web components for prompts, layout, and account UI |
| `elements/account/views/` | Account subviews including org, apps, subscriptions, paddle setup, and admin |
| `states/` | App-level and account-level state containers |
## UI Surface
The module currently includes:
- a welcome page
- login and registration prompts
- a multi-step registration flow
- an account area with navigation
- organization selection and creation flows
- bulk member invitation UI
- app and subscription views
- a global admin view
## Routing
`IdpViewcontainer` switches between these frontend states:
| View | Route |
| --- | --- |
| `welcome` | `/` |
| `login` | `/login` |
| `register` | `/register` |
| `finishregistration` | `/finishregistration` |
| `account` | `/account` |
## Build And Run
From the repository root:
```bash
npm install @idp.global/web
# or
pnpm add @idp.global/web
```
## Architecture
```
ts_web/
├── index.ts # Application entry point
├── plugins.ts # Plugin imports
├── views/
│ ├── viewcontainer.ts # Main view router
│ └── index.ts
├── elements/ # Web Components
│ ├── idp-loginprompt.ts # Login form
│ ├── idp-registerprompt.ts # Registration form
│ ├── idp-registration-stepper.ts # Multi-step registration
│ ├── idp-centercontainer.ts # Centered layout container
│ ├── idp-transfermanager.ts # SSO transfer handling
│ ├── idp-welcome.ts # Welcome/landing page
│ └── account/ # Account dashboard components
│ ├── content.ts # Main account layout
│ ├── navigation.ts # Sidebar navigation
│ ├── org-select-modal.ts # Organization switcher
│ ├── create-org-modal.ts # Create organization dialog
│ ├── bulk-invite-modal.ts # Bulk member invite dialog
│ └── views/ # Account sub-views
│ ├── baseview.ts # Base view class
│ ├── usersview.ts # User profile view
│ ├── orgview.ts # Organization details
│ ├── orgsetup.ts # Organization setup
│ ├── appsview.ts # Connected apps
│ ├── adminview.ts # Global admin panel
│ ├── subscriptions.ts # Billing subscriptions
│ └── paddlesetup.ts # Payment setup
└── states/
├── idp.state.ts # Main application state
└── accountstate.ts # Account dashboard state
```
## Components
### Authentication Components
#### `<idp-loginprompt>`
Login form supporting password and magic link authentication.
```html
<idp-loginprompt></idp-loginprompt>
```
Features:
- Email/username + password login
- Magic link (passwordless) authentication
- Automatic button text based on password presence
- Form validation and error handling
- Redirect to registration
#### `<idp-registerprompt>`
Initial registration form for new users.
```html
<idp-registerprompt></idp-registerprompt>
```
#### `<idp-registration-stepper>`
Multi-step registration wizard for completing user profile.
```html
<idp-registration-stepper></idp-registration-stepper>
```
Steps include:
- Profile information
- Email verification
- Mobile verification (optional)
- Password setup
### Layout Components
#### `<idp-viewcontainer>`
Main view container that handles routing between views.
```html
<idp-viewcontainer></idp-viewcontainer>
```
Supported views:
- `welcome` - Landing page
- `login` - Login form
- `register` - Registration form
- `finishregistration` - Registration stepper
- `account` - Account dashboard
#### `<idp-centercontainer>`
Centered container with animation support for forms.
```html
<idp-centercontainer>
<h2>Your Content</h2>
<form>...</form>
</idp-centercontainer>
```
Methods:
- `show()` - Animate container into view
- `hide()` - Animate container out of view
### Account Dashboard Components
#### `<idp-account-content>`
Main account dashboard layout with navigation.
```html
<idp-account-content></idp-account-content>
```
#### Navigation Views
| Component | Route | Description |
|-----------|-------|-------------|
| `<idp-usersview>` | `/account/users` | User profile management |
| `<idp-orgview>` | `/account/org` | Organization details |
| `<idp-orgsetup>` | `/account/orgsetup` | Organization configuration |
| `<idp-appsview>` | `/account/apps` | Connected applications |
| `<idp-adminview>` | `/account/admin` | Global admin panel |
| `<idp-subscriptions>` | `/account/subscriptions` | Billing management |
| `<idp-paddlesetup>` | `/account/paddle` | Payment method setup |
### Modal Components
#### `<idp-org-select-modal>`
Organization switcher modal for users with multiple organizations.
#### `<idp-create-org-modal>`
Dialog for creating new organizations with slug validation.
#### `<idp-bulk-invite-modal>`
Bulk invitation dialog for inviting multiple members at once.
## State Management
### IdpState
Central application state using `@push.rocks/smartstate`.
```typescript
import { IdpState } from '@idp.global/web';
const idpState = await IdpState.getSingletonInstance();
// Access IdP client
const isLoggedIn = await idpState.idpClient.determineLoginStatus();
// Access router
idpState.domtools.router.pushUrl('/login');
// Subscribe to view changes
idpState.mainStatePart.select(s => s.view).subscribe(view => {
console.log('Current view:', view);
});
```
### AccountState
State for the account dashboard section.
```typescript
import { AccountState } from '@idp.global/web';
const accountState = await AccountState.getSingletonInstance();
// Access current organization
const currentOrg = accountState.currentOrganization;
// Access user roles
const roles = accountState.userRoles;
```
## Styling
Components use CSS custom properties for theming:
```css
:host {
--foreground: hsl(0 0% 98%);
--muted-foreground: hsl(240 5% 64.9%);
--background-accent: #303f9f;
}
```
All components include:
- Dark mode by default
- Geist Sans font family
- Smooth animations
- Responsive layouts
## Dependencies
- `@design.estate/dees-element` - Web Component base class
- `@design.estate/dees-catalog` - UI component library
- `@design.estate/dees-domtools` - DOM utilities and routing
- `@idp.global/idpclient` - IdP client library
- `@idp.global/interfaces` - TypeScript interfaces
- `@push.rocks/smartstate` - State management
- `@uptime.link/webwidget` - Status widget
## Views and Routes
| Route | View | Component |
|-------|------|-----------|
| `/` | `welcome` | `IdpWelcome` |
| `/login` | `login` | `IdpLoginPrompt` |
| `/register` | `register` | `IdpRegistrationPrompt` |
| `/finishregistration` | `finishregistration` | `IdpRegistrationStepper` |
| `/account` | `account` | `IdpAccountContent` |
| `/logout` | - | Logout handler |
## Building
The web module is bundled using `@git.zone/tsbundle`:
```bash
# Development with hot reload
pnpm watch
# Production build
pnpm install
pnpm build
pnpm watch
```
The bundled output is served from `dist_ts_web/` by the TypedServer.
`pnpm watch` rebuilds the frontend bundle from `ts_web/index.ts` into `dist_serve/bundle.js` while the backend serves the app.
## Notes
- The app metadata in `ts_web/index.ts` identifies the site as `idp.global`.
- The frontend uses the shared client package for auth state and backend communication.
- Account-related UI is split into reusable elements plus state containers in `states/`.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
tsconfig.json
+3 -1
View File
@@ -4,7 +4,9 @@
"module": "NodeNext",
"moduleResolution": "NodeNext",
"esModuleInterop": true,
"verbatimModuleSyntax": true
"verbatimModuleSyntax": true,
"types": ["node"],
"strict": false
},
"exclude": [
"dist_*/**/*.d.ts"