0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-30 20:33:54 -05:00

refactor: refactor code

This commit is contained in:
Darcy Ye 2024-12-05 16:06:53 +08:00
parent a3d5f9feb8
commit 755c138f12
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
3 changed files with 122 additions and 83 deletions

View file

@ -0,0 +1,22 @@
export const samlLogInResponseTemplate = `
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
<saml:Issuer>{Issuer}</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="{StatusCode}"/>
</samlp:Status>
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>{Issuer}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
<saml:AudienceRestriction>
<saml:Audience>{Audience}</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
{AttributeStatement}
</saml:Assertion>
</samlp:Response>`;

View file

@ -1,8 +1,5 @@
import { parseJson } from '@logto/connector-kit';
import { tryThat } from '@silverhand/essentials'; import { tryThat } from '@silverhand/essentials';
import camelcaseKeys from 'camelcase-keys'; import * as saml from 'samlify';
import { got } from 'got';
import saml from 'samlify';
import { z } from 'zod'; import { z } from 'zod';
import RequestError from '#src/errors/RequestError/index.js'; import RequestError from '#src/errors/RequestError/index.js';
@ -10,10 +7,11 @@ import koaGuard from '#src/middleware/koa-guard.js';
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js'; import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js'; import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
import { SsoConnectorError } from '#src/sso/types/error.js'; import { SsoConnectorError } from '#src/sso/types/error.js';
import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js';
import assertThat from '#src/utils/assert-that.js'; import assertThat from '#src/utils/assert-that.js';
import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js'; import { samlLogInResponseTemplate } from '../libraries/consts.js';
import { exchangeAuthorizationCode, generateAutoSubmitForm, createSamlResponse } from './utils.js';
const samlApplicationSignInCallbackQueryParametersGuard = z.union([ const samlApplicationSignInCallbackQueryParametersGuard = z.union([
z.object({ z.object({
@ -97,41 +95,20 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
} }
); );
const headers = { // Exchange authorization code for tokens
// Not sure whether we should use internal secret here instead of getting non-expired secret from table `application_secrets`, but it should be fine since this is an internal use case. const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`,
'Content-Type': 'application/x-www-form-urlencoded',
};
const tokenRequestParameters = new URLSearchParams({
grant_type: 'authorization_code',
code, code,
client_id: id, clientId: id,
...(redirectUris[0] ? { redirect_uri: redirectUris[0] } : {}), clientSecret: secret,
redirectUri: redirectUris[0],
}); });
// TODO: error handling
// Exchange the authorization code for an access token
const httpResponse = await got.post(tokenEndpoint, {
body: tokenRequestParameters.toString(),
headers,
});
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
if (!result.success) {
throw new RequestError({
code: 'oidc.invalid_token',
message: 'Invalid token response',
});
}
const { accessToken } = camelcaseKeys(result.data);
assertThat(accessToken, new RequestError('oidc.access_denied')); assertThat(accessToken, new RequestError('oidc.access_denied'));
// Get user info using access token
const userInfo = await getUserInfo(accessToken, userinfoEndpoint); const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
// Get SAML configuration and create SAML response
const { metadata } = await getSamlIdPMetadataByApplicationId(id); const { metadata } = await getSamlIdPMetadataByApplicationId(id);
const { privateKey } = const { privateKey } =
await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id); await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
@ -176,30 +153,10 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
], ],
}); });
// TODO: fix binding method const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const { context, entityEndpoint } = await idp.createLoginResponse(
sp,
// @ts-expect-error --fix request object later
null,
'post',
userInfo,
createSamlTemplateCallback(idp, sp, userInfo)
);
ctx.body = ` // Return auto-submit form
<html> ctx.body = generateAutoSubmitForm(entityEndpoint, context);
<body>
<form id="redirectForm" action="${entityEndpoint}" method="POST">
<input type="hidden" name="SAMLResponse" value="${context}" />
<input type="submit" value="Submit" />
</form>
<script>
document.getElementById('redirectForm').submit();
</script>
</body>
</html>
`;
return next(); return next();
} }
); );

View file

@ -1,32 +1,13 @@
import { parseJson } from '@logto/connector-kit';
import { generateStandardId } from '@logto/shared'; import { generateStandardId } from '@logto/shared';
import saml from 'samlify'; import camelcaseKeys from 'camelcase-keys';
import { got } from 'got';
import * as saml from 'samlify';
import { type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js'; import RequestError from '#src/errors/RequestError/index.js';
import { oidcTokenResponseGuard, type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
export const samlLogInResponseTemplate = ` const createSamlTemplateCallback =
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" InResponseTo="{InResponseTo}">
<saml:Issuer>{Issuer}</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="{StatusCode}"/>
</samlp:Status>
<saml:Assertion ID="{AssertionID}" Version="2.0" IssueInstant="{IssueInstant}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>{Issuer}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="{SubjectConfirmationDataNotOnOrAfter}" Recipient="{SubjectRecipient}" InResponseTo="{InResponseTo}"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="{ConditionsNotBefore}" NotOnOrAfter="{ConditionsNotOnOrAfter}">
<saml:AudienceRestriction>
<saml:Audience>{Audience}</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
{AttributeStatement}
</saml:Assertion>
</samlp:Response>`;
export const createSamlTemplateCallback =
( (
idp: saml.IdentityProviderInstance, idp: saml.IdentityProviderInstance,
sp: saml.ServiceProviderInstance, sp: saml.ServiceProviderInstance,
@ -72,3 +53,82 @@ export const createSamlTemplateCallback =
context, context,
}; };
}; };
export const exchangeAuthorizationCode = async (
tokenEndpoint: string,
{
code,
clientId,
clientSecret,
redirectUri,
}: {
code: string;
clientId: string;
clientSecret: string;
redirectUri?: string;
}
) => {
const headers = {
Authorization: `Basic ${Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64')}`,
'Content-Type': 'application/x-www-form-urlencoded',
};
const tokenRequestParameters = new URLSearchParams({
grant_type: 'authorization_code',
code,
client_id: clientId,
...(redirectUri ? { redirect_uri: redirectUri } : {}),
});
const httpResponse = await got.post(tokenEndpoint, {
body: tokenRequestParameters.toString(),
headers,
});
const result = oidcTokenResponseGuard.safeParse(parseJson(httpResponse.body));
if (!result.success) {
throw new RequestError({
code: 'oidc.invalid_token',
message: 'Invalid token response',
});
}
return camelcaseKeys(result.data);
};
export const createSamlResponse = async (
idp: saml.IdentityProviderInstance,
sp: saml.ServiceProviderInstance,
userInfo: idTokenProfileStandardClaims
): Promise<{ context: string; entityEndpoint: string }> => {
// TODO: fix binding method
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const { context, entityEndpoint } = await idp.createLoginResponse(
sp,
// @ts-expect-error --fix request object later
null,
'post',
userInfo,
createSamlTemplateCallback(idp, sp, userInfo)
);
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
return { context, entityEndpoint };
};
export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string) => {
return `
<html>
<body>
<form id="redirectForm" action="${actionUrl}" method="POST">
<input type="hidden" name="SAMLResponse" value="${samlResponse}" />
<input type="submit" value="Submit" />
</form>
<script>
document.getElementById('redirectForm').submit();
</script>
</body>
</html>
`;
};