mirror of
https://github.com/logto-io/logto.git
synced 2025-01-06 20:40:08 -05:00
refactor: update code
This commit is contained in:
parent
08928fffa4
commit
a3d5f9feb8
2 changed files with 33 additions and 27 deletions
|
@ -1,5 +1,5 @@
|
||||||
import { parseJson } from '@logto/connector-kit';
|
import { parseJson } from '@logto/connector-kit';
|
||||||
import { BindingType } from '@logto/schemas';
|
import { tryThat } from '@silverhand/essentials';
|
||||||
import camelcaseKeys from 'camelcase-keys';
|
import camelcaseKeys from 'camelcase-keys';
|
||||||
import { got } from 'got';
|
import { got } from 'got';
|
||||||
import saml from 'samlify';
|
import saml from 'samlify';
|
||||||
|
@ -9,16 +9,15 @@ import RequestError from '#src/errors/RequestError/index.js';
|
||||||
import koaGuard from '#src/middleware/koa-guard.js';
|
import koaGuard from '#src/middleware/koa-guard.js';
|
||||||
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
|
||||||
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
|
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
|
||||||
|
import { SsoConnectorError } from '#src/sso/types/error.js';
|
||||||
import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js';
|
import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js';
|
||||||
|
import assertThat from '#src/utils/assert-that.js';
|
||||||
import assertThat from '../../utils/assert-that.js';
|
|
||||||
|
|
||||||
import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js';
|
import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js';
|
||||||
|
|
||||||
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
||||||
z.object({
|
z.object({
|
||||||
code: z.string(),
|
code: z.string(),
|
||||||
iss: z.string(),
|
|
||||||
}),
|
}),
|
||||||
z.object({
|
z.object({
|
||||||
error: z.string(),
|
error: z.string(),
|
||||||
|
@ -27,7 +26,7 @@ const samlApplicationSignInCallbackQueryParametersGuard = z.union([
|
||||||
]);
|
]);
|
||||||
|
|
||||||
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
|
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
|
||||||
...[router, { libraries, queries }]: RouterInitArgs<T>
|
...[router, { libraries, queries, envSet }]: RouterInitArgs<T>
|
||||||
) {
|
) {
|
||||||
const {
|
const {
|
||||||
samlApplications: { getSamlIdPMetadataByApplicationId },
|
samlApplications: { getSamlIdPMetadataByApplicationId },
|
||||||
|
@ -57,11 +56,14 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
'/saml-applications/:id/callback',
|
'/saml-applications/:id/callback',
|
||||||
koaGuard({
|
koaGuard({
|
||||||
params: z.object({ id: z.string() }),
|
params: z.object({ id: z.string() }),
|
||||||
status: [200],
|
query: samlApplicationSignInCallbackQueryParametersGuard,
|
||||||
|
status: [200, 400],
|
||||||
}),
|
}),
|
||||||
async (ctx, next) => {
|
async (ctx, next) => {
|
||||||
const { id } = ctx.guard.params;
|
const {
|
||||||
const queryParameters = ctx.request.query;
|
params: { id },
|
||||||
|
query,
|
||||||
|
} = ctx.guard;
|
||||||
|
|
||||||
// Find the SAML application secret by application ID
|
// Find the SAML application secret by application ID
|
||||||
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
|
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
|
||||||
|
@ -70,27 +72,33 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
oidcClientMetadata: { redirectUris },
|
oidcClientMetadata: { redirectUris },
|
||||||
} = await applications.findApplicationById(id);
|
} = await applications.findApplicationById(id);
|
||||||
|
|
||||||
// Sign-in callback handler
|
if ('error' in query) {
|
||||||
const query = samlApplicationSignInCallbackQueryParametersGuard.safeParse(queryParameters);
|
|
||||||
|
|
||||||
if (!query.success) {
|
|
||||||
throw new RequestError('guard.invalid_input');
|
|
||||||
}
|
|
||||||
|
|
||||||
if ('error' in query.data) {
|
|
||||||
throw new RequestError({
|
throw new RequestError({
|
||||||
code: 'oidc.invalid_request',
|
code: 'oidc.invalid_request',
|
||||||
status: 400,
|
message: query.error_description,
|
||||||
message: query.data.error_description,
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: need to validate state for SP initiated SAML flow
|
// TODO: need to validate state for SP initiated SAML flow
|
||||||
const { code, iss } = query.data;
|
const { code } = query;
|
||||||
|
|
||||||
const { tokenEndpoint, userinfoEndpoint } = await fetchOidcConfig(iss);
|
const { tokenEndpoint, userinfoEndpoint } = await tryThat(
|
||||||
|
async () => fetchOidcConfig(envSet.oidc.issuer),
|
||||||
|
(error) => {
|
||||||
|
if (error instanceof SsoConnectorError) {
|
||||||
|
throw new RequestError({
|
||||||
|
code: 'oidc.invalid_request',
|
||||||
|
message: error.message,
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
// Should rarely happen, fetch OIDC configuration should only throw SSO connector error .
|
||||||
|
throw error;
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
const headers = {
|
const headers = {
|
||||||
|
// Not sure whether we should use internal secret here instead of getting non-expired secret from table `application_secrets`, but it should be fine since this is an internal use case.
|
||||||
Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`,
|
Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`,
|
||||||
'Content-Type': 'application/x-www-form-urlencoded',
|
'Content-Type': 'application/x-www-form-urlencoded',
|
||||||
};
|
};
|
||||||
|
@ -99,7 +107,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
grant_type: 'authorization_code',
|
grant_type: 'authorization_code',
|
||||||
code,
|
code,
|
||||||
client_id: id,
|
client_id: id,
|
||||||
redirect_uri: redirectUris[0] ?? '',
|
...(redirectUris[0] ? { redirect_uri: redirectUris[0] } : {}),
|
||||||
});
|
});
|
||||||
|
|
||||||
// TODO: error handling
|
// TODO: error handling
|
||||||
|
@ -114,7 +122,6 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
if (!result.success) {
|
if (!result.success) {
|
||||||
throw new RequestError({
|
throw new RequestError({
|
||||||
code: 'oidc.invalid_token',
|
code: 'oidc.invalid_token',
|
||||||
status: 400,
|
|
||||||
message: 'Invalid token response',
|
message: 'Invalid token response',
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
@ -131,7 +138,8 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
const { entityId, acsUrl } =
|
const { entityId, acsUrl } =
|
||||||
await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id);
|
await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id);
|
||||||
|
|
||||||
assertThat(entityId && acsUrl, 'application.saml.entity_id_required');
|
assertThat(entityId, 'application.saml.entity_id_required');
|
||||||
|
assertThat(acsUrl, 'application.saml.acs_url_required');
|
||||||
|
|
||||||
// eslint-disable-next-line new-cap
|
// eslint-disable-next-line new-cap
|
||||||
const idp = saml.IdentityProvider({
|
const idp = saml.IdentityProvider({
|
||||||
|
@ -157,14 +165,12 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
const binding = acsUrl.binding ?? BindingType.Post;
|
|
||||||
|
|
||||||
// eslint-disable-next-line new-cap
|
// eslint-disable-next-line new-cap
|
||||||
const sp = saml.ServiceProvider({
|
const sp = saml.ServiceProvider({
|
||||||
entityID: entityId,
|
entityID: entityId,
|
||||||
assertionConsumerService: [
|
assertionConsumerService: [
|
||||||
{
|
{
|
||||||
Binding: binding,
|
Binding: acsUrl.binding,
|
||||||
Location: acsUrl.url,
|
Location: acsUrl.url,
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
|
@ -194,7 +200,6 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
`;
|
`;
|
||||||
|
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
|
@ -28,6 +28,7 @@ const application = {
|
||||||
can_not_delete_active_secret: 'Can not delete the active secret.',
|
can_not_delete_active_secret: 'Can not delete the active secret.',
|
||||||
no_active_secret: 'No active secret found.',
|
no_active_secret: 'No active secret found.',
|
||||||
entity_id_required: 'Entity ID is required to generate metadata.',
|
entity_id_required: 'Entity ID is required to generate metadata.',
|
||||||
|
acs_url_required: 'Assertion consumer service URL is required to generate metadata.',
|
||||||
invalid_certificate_pem_format: 'Invalid PEM certificate format',
|
invalid_certificate_pem_format: 'Invalid PEM certificate format',
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue