refactor: refactor GET /saml-applications/:id/callback API

2024-12-16 20:26:19 -05:00 · 2024-12-09 13:08:02 +08:00 · 2024-12-09 13:08:02 +08:00 · 8420573eec
commit 8420573eec
parent b5481df6f5
5 changed files with 170 additions and 107 deletions
--- a/packages/core/src/saml-applications/routes/anonymous.ts
+++ b/packages/core/src/saml-applications/routes/anonymous.ts
@ -1,17 +1,16 @@
-import { tryThat } from '@silverhand/essentials';
-import saml from 'samlify';
 import { z } from 'zod';

 import RequestError from '#src/errors/RequestError/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
-import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
-import { SsoConnectorError } from '#src/sso/types/error.js';
 import assertThat from '#src/utils/assert-that.js';

-import { samlLogInResponseTemplate, samlAttributeNameFormatBasic,samlValueXmlnsXsi } from '../libraries/consts.js';
-
-import { exchangeAuthorizationCode, generateAutoSubmitForm, createSamlResponse } from './utils.js';
+import {
+  generateAutoSubmitForm,
+  createSamlResponse,
+  handleOidcCallbackAndGetUserInfo,
+  setupSamlProviders,
+} from './utils.js';

 const samlApplicationSignInCallbackQueryParametersGuard = z.union([
  z.object({
@ -29,6 +28,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
  const {
    samlApplications: { getSamlIdPMetadataByApplicationId },
  } = libraries;
+  const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;

  router.get(
    '/saml-applications/:id/metadata',
@ -63,13 +63,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
        query,
      } = ctx.guard;

-      // Find the SAML application secret by application ID
-      const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
-      const {
-        secret,
-        oidcClientMetadata: { redirectUris },
-      } = await applications.findApplicationById(id);
-
+      // Handle error in query parameters
      if ('error' in query) {
        throw new RequestError({
          code: 'oidc.invalid_request',
@ -77,38 +71,27 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
        });
      }

-      // TODO: need to validate state for SP initiated SAML flow
+      // Get application configuration
+      const {
+        secret,
+        oidcClientMetadata: { redirectUris },
+      } = await applications.findApplicationById(id);
+
+      assertThat(redirectUris[0], 'oidc.redirect_uri_not_set');
+
+      // TODO: should be able to handle `state` and code verifier etc.
      const { code } = query;

-      const { tokenEndpoint, userinfoEndpoint } = await tryThat(
-        async () => fetchOidcConfig(envSet.oidc.issuer),
-        (error) => {
-          if (error instanceof SsoConnectorError) {
-            throw new RequestError({
-              code: 'oidc.invalid_request',
-              message: error.message,
-            });
-          }
-
-          // Should rarely happen, fetch OIDC configuration should only throw SSO connector error .
-          throw error;
-        }
+      // Handle OIDC callback and get user info
+      const userInfo = await handleOidcCallbackAndGetUserInfo(
+        code,
+        id,
+        secret,
+        redirectUris[0],
+        envSet.oidc.issuer
      );

-      // Exchange authorization code for tokens
-      const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
-        code,
-        clientId: id,
-        clientSecret: secret,
-        redirectUri: redirectUris[0],
-      });
-
-      assertThat(accessToken, new RequestError('oidc.access_denied'));
-
-      // Get user info using access token
-      const userInfo = await getUserInfo(accessToken, userinfoEndpoint);
-
-      // Get SAML configuration and create SAML response
+      // Get SAML configuration
      const { metadata } = await getSamlIdPMetadataByApplicationId(id);
      const { privateKey } =
        await samlApplicationSecrets.findActiveSamlApplicationSecretByApplicationId(id);
@ -118,41 +101,8 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
      assertThat(entityId, 'application.saml.entity_id_required');
      assertThat(acsUrl, 'application.saml.acs_url_required');

-      // eslint-disable-next-line new-cap
-      const idp = saml.IdentityProvider({
-        metadata,
-        privateKey,
-        isAssertionEncrypted: false,
-        loginResponseTemplate: {
-          context: samlLogInResponseTemplate,
-          attributes: [
-            {
-              name: 'email',
-              valueTag: 'email',
-              nameFormat: samlAttributeNameFormatBasic,
-              valueXsiType: samlValueXmlnsXsi['string'],
-            },
-            {
-              name: 'name',
-              valueTag: 'name',
-              nameFormat: samlAttributeNameFormatBasic,
-              valueXsiType: samlValueXmlnsXsi['string'],
-            },
-          ],
-        },
-      });
-
-      // eslint-disable-next-line new-cap
-      const sp = saml.ServiceProvider({
-        entityID: entityId,
-        assertionConsumerService: [
-          {
-            Binding: acsUrl.binding,
-            Location: acsUrl.url,
-          },
-        ],
-      });
-
+      // Setup SAML providers and create response
+      const { idp, sp } = setupSamlProviders(metadata, privateKey, entityId, acsUrl);
      const { context, entityEndpoint } = await createSamlResponse(idp, sp, userInfo);

      // Return auto-submit form
--- a/packages/core/src/saml-applications/routes/utils.ts
+++ b/packages/core/src/saml-applications/routes/utils.ts
@ -1,17 +1,28 @@
 import { parseJson } from '@logto/connector-kit';
 import { generateStandardId } from '@logto/shared';
+import { tryThat } from '@silverhand/essentials';
 import camelcaseKeys from 'camelcase-keys';
 import { got } from 'got';
 import saml from 'samlify';
+import { ZodError, z } from 'zod';

 import RequestError from '#src/errors/RequestError/index.js';
-import { oidcTokenResponseGuard, type idTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
+import { fetchOidcConfigRaw, getRawUserInfoResponse } from '#src/sso/OidcConnector/utils.js';
+import { idTokenProfileStandardClaimsGuard } from '#src/sso/types/oidc.js';
+import { oidcTokenResponseGuard, type IdTokenProfileStandardClaims } from '#src/sso/types/oidc.js';
+import assertThat from '#src/utils/assert-that.js';
+
+import {
+  samlLogInResponseTemplate,
+  samlAttributeNameFormatBasic,
+  samlValueXmlnsXsi,
+} from '../libraries/consts.js';

 const createSamlTemplateCallback =
  (
    idp: saml.IdentityProviderInstance,
    sp: saml.ServiceProviderInstance,
-    user: idTokenProfileStandardClaims
+    user: IdTokenProfileStandardClaims
  ) =>
  (template: string) => {
    const assertionConsumerServiceUrl = sp.entityMeta.getAssertionConsumerService(
@ -63,7 +74,7 @@ const createSamlTemplateCallback =
    };
  };

-export const exchangeAuthorizationCode = async (
+const exchangeAuthorizationCode = async (
  tokenEndpoint: string,
  {
    code,
@ -109,7 +120,7 @@ export const exchangeAuthorizationCode = async (
 export const createSamlResponse = async (
  idp: saml.IdentityProviderInstance,
  sp: saml.ServiceProviderInstance,
-  userInfo: idTokenProfileStandardClaims
+  userInfo: IdTokenProfileStandardClaims
 ): Promise<{ context: string; entityEndpoint: string }> => {
  // TODO: fix binding method
  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
@ -141,3 +152,103 @@ export const generateAutoSubmitForm = (actionUrl: string, samlResponse: string):
    </html>
  `;
 };
+
+const getUserInfo = async (
+  accessToken: string,
+  userinfoEndpoint: string
+): Promise<IdTokenProfileStandardClaims & Record<string, unknown>> => {
+  const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);
+  const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(body);
+
+  if (!result.success) {
+    throw new RequestError({
+      code: 'oidc.invalid_request',
+      message: 'Invalid user info response',
+      details: result.error.flatten(),
+    });
+  }
+
+  return result.data;
+};
+
+// Helper functions for SAML callback
+export const handleOidcCallbackAndGetUserInfo = async (
+  code: string,
+  applicationId: string,
+  secret: string,
+  redirectUri: string,
+  issuer: string
+) => {
+  // Get OIDC configuration
+  const { tokenEndpoint, userinfoEndpoint } = await tryThat(
+    async () => fetchOidcConfigRaw(issuer),
+    (error) => {
+      if (error instanceof ZodError) {
+        throw new RequestError({
+          code: 'oidc.invalid_request',
+          message: error.message,
+          error: error.flatten(),
+        });
+      }
+
+      throw error;
+    }
+  );
+
+  // Exchange authorization code for tokens
+  const { accessToken } = await exchangeAuthorizationCode(tokenEndpoint, {
+    code,
+    clientId: applicationId,
+    clientSecret: secret,
+    redirectUri,
+  });
+
+  assertThat(accessToken, new RequestError('oidc.access_denied'));
+
+  // Get user info using access token
+  return getUserInfo(accessToken, userinfoEndpoint);
+};
+
+export const setupSamlProviders = (
+  metadata: string,
+  privateKey: string,
+  entityId: string,
+  acsUrl: { binding: string; url: string }
+) => {
+  // eslint-disable-next-line new-cap
+  const idp = saml.IdentityProvider({
+    metadata,
+    privateKey,
+    isAssertionEncrypted: false,
+    loginResponseTemplate: {
+      context: samlLogInResponseTemplate,
+      attributes: [
+        {
+          name: 'email',
+          valueTag: 'email',
+          nameFormat: samlAttributeNameFormatBasic,
+          valueXsiType: samlValueXmlnsXsi.string,
+        },
+        {
+          name: 'name',
+          valueTag: 'name',
+          nameFormat: samlAttributeNameFormatBasic,
+          valueXsiType: samlValueXmlnsXsi.string,
+        },
+      ],
+    },
+  });
+
+  // eslint-disable-next-line new-cap
+  const sp = saml.ServiceProvider({
+    entityID: entityId,
+    assertionConsumerService: [
+      {
+        Binding: acsUrl.binding,
+        Location: acsUrl.url,
+      },
+    ],
+  });
+
+  return { idp, sp };
+};
--- a/packages/core/src/sso/OidcConnector/utils.ts
+++ b/packages/core/src/sso/OidcConnector/utils.ts
@ -3,7 +3,7 @@ import { assert } from '@silverhand/essentials';
 import camelcaseKeys, { type CamelCaseKeys } from 'camelcase-keys';
 import { got, HTTPError } from 'got';
 import { createRemoteJWKSet, jwtVerify, type JWTVerifyOptions } from 'jose';
-import { z } from 'zod';
+import { z, ZodError } from 'zod';

 import {
  SsoConnectorConfigErrorCodes,
@ -20,30 +20,28 @@ import {
  type OidcTokenResponse,
 } from '../types/oidc.js';

+export const fetchOidcConfigRaw = async (issuer: string) => {
+  const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
+    responseType: 'json',
+  });
+
+  return camelcaseKeys(oidcConfigResponseGuard.parse(body));
+};
+
 export const fetchOidcConfig = async (
  issuer: string
 ): Promise<CamelCaseKeys<OidcConfigResponse>> => {
  try {
-    const { body } = await got.get(`${issuer}/.well-known/openid-configuration`, {
-      responseType: 'json',
-    });
-
-    const result = oidcConfigResponseGuard.safeParse(body);
-
-    if (!result.success) {
+    return await fetchOidcConfigRaw(issuer);
+  } catch (error: unknown) {
+    if (error instanceof ZodError) {
      throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
        config: { issuer },
        message: SsoConnectorConfigErrorCodes.InvalidConfigResponse,
-        error: result.error.flatten(),
+        error: error.flatten(),
      });
    }

-    return camelcaseKeys(result.data);
-  } catch (error: unknown) {
-    if (error instanceof SsoConnectorError) {
-      throw error;
-    }
-
    throw new SsoConnectorError(SsoConnectorErrorCodes.InvalidConfig, {
      config: { issuer },
      message: SsoConnectorConfigErrorCodes.FailToFetchConfig,
@ -159,26 +157,29 @@ export const getIdTokenClaims = async (
  }
 };

+export const getRawUserInfoResponse = async (accessToken: string, userinfoEndpoint: string) => {
+  const httpResponse = await got.get(userinfoEndpoint, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+
+  return httpResponse.body;
+};
+
 /**
 * Get the user info from the userinfo endpoint incase id token does not contain sufficient user claims.
 */
 export const getUserInfo = async (accessToken: string, userinfoEndpoint: string) => {
  try {
-    const httpResponse = await got.get(userinfoEndpoint, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-      },
-      responseType: 'json',
-    });
+    const body = await getRawUserInfoResponse(accessToken, userinfoEndpoint);

-    const result = idTokenProfileStandardClaimsGuard
-      .catchall(z.unknown())
-      .safeParse(httpResponse.body);
+    const result = idTokenProfileStandardClaimsGuard.catchall(z.unknown()).safeParse(body);

    if (!result.success) {
      throw new SsoConnectorError(SsoConnectorErrorCodes.AuthorizationFailed, {
        message: 'Invalid user info response',
-        response: httpResponse.body,
+        response: body,
        error: result.error.flatten(),
      });
    }
--- a/packages/core/src/sso/types/oidc.ts
+++ b/packages/core/src/sso/types/oidc.ts
@ -78,4 +78,4 @@ export const idTokenProfileStandardClaimsGuard = z.object({
  nonce: z.string().nullish(),
 });

-export type idTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
+export type IdTokenProfileStandardClaims = z.infer<typeof idTokenProfileStandardClaimsGuard>;
--- a/packages/phrases/src/locales/en/errors/oidc.ts
+++ b/packages/phrases/src/locales/en/errors/oidc.ts
@ -8,6 +8,7 @@ const oidc = {
  invalid_grant: 'Grant request is invalid.',
  invalid_redirect_uri:
    "`redirect_uri` did not match any of the client's registered `redirect_uris`.",
+  redirect_uri_not_set: '`redirect_uri` is not set.',
  access_denied: 'Access denied.',
  invalid_target: 'Invalid resource indicator.',
  unsupported_grant_type: 'Unsupported `grant_type` requested.',