logto/packages/core/src/oidc/utils.ts

import type { CustomClientMetadata, OidcClientMetadata } from '@logto/schemas';
import { ApplicationType, customClientMetadataGuard, GrantType } from '@logto/schemas';
import { conditional } from '@silverhand/essentials';
import type { AllClientMetadata, ClientAuthMethod } from 'oidc-provider';
import { errors } from 'oidc-provider';

import type { EnvSet } from '#src/env-set/index.js';

export const getConstantClientMetadata = (
  envSet: EnvSet,
  type: ApplicationType
): AllClientMetadata => {
  const { jwkSigningAlg } = envSet.oidc;

  const getTokenEndpointAuthMethod = (): ClientAuthMethod => {
    switch (type) {
      case ApplicationType.Native:
      case ApplicationType.SPA: {
        return 'none';
      }

      default: {
        return 'client_secret_basic';
      }
    }
  };

  return {
    application_type: type === ApplicationType.Native ? 'native' : 'web',
    grant_types:
      type === ApplicationType.MachineToMachine
        ? [GrantType.ClientCredentials]
        : [GrantType.AuthorizationCode, GrantType.RefreshToken],
    token_endpoint_auth_method: getTokenEndpointAuthMethod(),
    response_types: conditional(type === ApplicationType.MachineToMachine && []),
    // https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use
    authorization_signed_response_alg: jwkSigningAlg,
    userinfo_signed_response_alg: jwkSigningAlg,
    id_token_signed_response_alg: jwkSigningAlg,
    introspection_signed_response_alg: jwkSigningAlg,
  };
};

export const buildOidcClientMetadata = (metadata?: OidcClientMetadata): OidcClientMetadata => ({
  redirectUris: [],
  postLogoutRedirectUris: [],
  ...metadata,
});

export const validateCustomClientMetadata = (key: string, value: unknown) => {
  const result = customClientMetadataGuard.pick({ [key]: true }).safeParse({ [key]: value });

  if (!result.success) {
    throw new errors.InvalidClientMetadata(key);
  }
};

export const isOriginAllowed = (
  origin: string,
  { corsAllowedOrigins = [] }: CustomClientMetadata,
  redirectUris: string[] = []
) => {
  const redirectUriOrigins = redirectUris.map((uri) => new URL(uri).origin);

  return [...corsAllowedOrigins, ...redirectUriOrigins].includes(origin);
};

export const getUtcStartOfToday = () => {
  const now = new Date();

  return new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate(), 0, 0, 0, 0));
};
refactor: fix lint errors 2022-10-21 13:14:17 +08:00			`import type { CustomClientMetadata, OidcClientMetadata } from '@logto/schemas';`
			`import { ApplicationType, customClientMetadataGuard, GrantType } from '@logto/schemas';`
feat(core): machine to machine apps 2022-09-21 13:06:56 +08:00			`import { conditional } from '@silverhand/essentials';`
refactor: fix lint errors 2022-10-21 13:14:17 +08:00			`import type { AllClientMetadata, ClientAuthMethod } from 'oidc-provider';`
			`import { errors } from 'oidc-provider';`
feat: `POST /applicaiton` 2021-08-18 00:24:00 +08:00
refactor: remove deprecated singleton instances 2023-01-11 16:41:53 +08:00			`import type { EnvSet } from '#src/env-set/index.js';`
refactor: support EC key and ES signing algorithms (#2847) 2023-01-09 17:34:13 +08:00
refactor: remove deprecated singleton instances 2023-01-11 16:41:53 +08:00			`export const getConstantClientMetadata = (`
			`envSet: EnvSet,`
			`type: ApplicationType`
			`): AllClientMetadata => {`
refactor: support EC key and ES signing algorithms (#2847) 2023-01-09 17:34:13 +08:00			`const { jwkSigningAlg } = envSet.oidc;`

feat(core): machine to machine apps 2022-09-21 13:06:56 +08:00			`const getTokenEndpointAuthMethod = (): ClientAuthMethod => {`
			`switch (type) {`
			`case ApplicationType.Native:`
chore: upgrade configs 2023-02-16 23:49:03 +08:00			`case ApplicationType.SPA: {`
feat(core): machine to machine apps 2022-09-21 13:06:56 +08:00			`return 'none';`
chore: upgrade configs 2023-02-16 23:49:03 +08:00			`}`

			`default: {`
feat(core): machine to machine apps 2022-09-21 13:06:56 +08:00			`return 'client_secret_basic';`
chore: upgrade configs 2023-02-16 23:49:03 +08:00			`}`
feat(core): machine to machine apps 2022-09-21 13:06:56 +08:00			`}`
			`};`

			`return {`
			`application_type: type === ApplicationType.Native ? 'native' : 'web',`
			`grant_types:`
			`type === ApplicationType.MachineToMachine`
			`? [GrantType.ClientCredentials]`
			`: [GrantType.AuthorizationCode, GrantType.RefreshToken],`
			`token_endpoint_auth_method: getTokenEndpointAuthMethod(),`
			`response_types: conditional(type === ApplicationType.MachineToMachine && []),`
refactor: support EC key and ES signing algorithms (#2847) 2023-01-09 17:34:13 +08:00			`// https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use`
			`authorization_signed_response_alg: jwkSigningAlg,`
			`userinfo_signed_response_alg: jwkSigningAlg,`
			`id_token_signed_response_alg: jwkSigningAlg,`
			`introspection_signed_response_alg: jwkSigningAlg,`
feat(core): machine to machine apps 2022-09-21 13:06:56 +08:00			`};`
			`};`
refactor(core): fulfill correct `applicationType` when needed (#126) * refactor(core): fulfill correct `applicationType` when needed * refactor(core): use enum for application type * refactor(core): do not filter undefined automatically 2021-10-11 17:55:17 +08:00
feat(schema): update application db (#169) * feat(schema): update appliaction db update application db * ci(schema): cr fix application table schema typo fix application table schema typo 2022-01-11 11:58:58 +08:00			`export const buildOidcClientMetadata = (metadata?: OidcClientMetadata): OidcClientMetadata => ({`
refactor: integrate zod in schemas (#90) 2021-08-26 13:05:23 +08:00			`redirectUris: [],`
			`postLogoutRedirectUris: [],`
refactor(core): fulfill correct `applicationType` when needed (#126) * refactor(core): fulfill correct `applicationType` when needed * refactor(core): use enum for application type * refactor(core): do not filter undefined automatically 2021-10-11 17:55:17 +08:00			`...metadata,`
feat: `POST /applicaiton` 2021-08-18 00:24:00 +08:00			`});`
feat(core,schemas): cors allowed origins (#507) * feat(schemas): cors allowed origins of application in custom OIDC client metadata * refactor(schemas): rename CustomClientMetadataType to CustomClientMetadataKey * feat(core): cors allowed origins 2022-04-08 18:16:20 +08:00
			`export const validateCustomClientMetadata = (key: string, value: unknown) => {`
			`const result = customClientMetadataGuard.pick({ [key]: true }).safeParse({ [key]: value });`

			`if (!result.success) {`
			`throw new errors.InvalidClientMetadata(key);`
			`}`
			`};`

refactor: by default allow redirect URIs for CORS access (#1420) * refactor: by default allow redirect URIs for CORS access * refactor: improve wording Co-authored-by: IceHe.xyz <icehe@silverhand.io> Co-authored-by: IceHe.xyz <icehe@silverhand.io> 2022-07-05 17:36:43 +08:00			`export const isOriginAllowed = (`
			`origin: string,`
refactor: improve allow CORS tooltip wording (#1427) 2022-07-05 21:09:57 +08:00			`{ corsAllowedOrigins = [] }: CustomClientMetadata,`
refactor: by default allow redirect URIs for CORS access (#1420) * refactor: by default allow redirect URIs for CORS access * refactor: improve wording Co-authored-by: IceHe.xyz <icehe@silverhand.io> Co-authored-by: IceHe.xyz <icehe@silverhand.io> 2022-07-05 17:36:43 +08:00			`redirectUris: string[] = []`
			`) => {`
			`const redirectUriOrigins = redirectUris.map((uri) => new URL(uri).origin);`

			`return [...corsAllowedOrigins, ...redirectUriOrigins].includes(origin);`
			`};`
feat(core,schemas): record daily active users (#4113) 2023-07-07 15:14:29 +08:00
			`export const getUtcStartOfToday = () => {`
			`const now = new Date();`

			`return new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate(), 0, 0, 0, 0));`
			`};`