0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2024-12-16 20:26:19 -05:00

refactor: update code

This commit is contained in:
Darcy Ye 2024-12-04 11:35:12 +08:00
parent 08928fffa4
commit a3d5f9feb8
No known key found for this signature in database
GPG key ID: B46F4C07EDEFC610
2 changed files with 33 additions and 27 deletions

View file

@ -1,5 +1,5 @@
import { parseJson } from '@logto/connector-kit'; import { parseJson } from '@logto/connector-kit';
import { BindingType } from '@logto/schemas'; import { tryThat } from '@silverhand/essentials';
import camelcaseKeys from 'camelcase-keys'; import camelcaseKeys from 'camelcase-keys';
import { got } from 'got'; import { got } from 'got';
import saml from 'samlify'; import saml from 'samlify';
@ -9,16 +9,15 @@ import RequestError from '#src/errors/RequestError/index.js';
import koaGuard from '#src/middleware/koa-guard.js'; import koaGuard from '#src/middleware/koa-guard.js';
import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js'; import type { AnonymousRouter, RouterInitArgs } from '#src/routes/types.js';
import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js'; import { fetchOidcConfig, getUserInfo } from '#src/sso/OidcConnector/utils.js';
import { SsoConnectorError } from '#src/sso/types/error.js';
import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js'; import { oidcTokenResponseGuard } from '#src/sso/types/oidc.js';
import assertThat from '#src/utils/assert-that.js';
import assertThat from '../../utils/assert-that.js';
import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js'; import { createSamlTemplateCallback, samlLogInResponseTemplate } from './utils.js';
const samlApplicationSignInCallbackQueryParametersGuard = z.union([ const samlApplicationSignInCallbackQueryParametersGuard = z.union([
z.object({ z.object({
code: z.string(), code: z.string(),
iss: z.string(),
}), }),
z.object({ z.object({
error: z.string(), error: z.string(),
@ -27,7 +26,7 @@ const samlApplicationSignInCallbackQueryParametersGuard = z.union([
]); ]);
export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>( export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter>(
...[router, { libraries, queries }]: RouterInitArgs<T> ...[router, { libraries, queries, envSet }]: RouterInitArgs<T>
) { ) {
const { const {
samlApplications: { getSamlIdPMetadataByApplicationId }, samlApplications: { getSamlIdPMetadataByApplicationId },
@ -57,11 +56,14 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
'/saml-applications/:id/callback', '/saml-applications/:id/callback',
koaGuard({ koaGuard({
params: z.object({ id: z.string() }), params: z.object({ id: z.string() }),
status: [200], query: samlApplicationSignInCallbackQueryParametersGuard,
status: [200, 400],
}), }),
async (ctx, next) => { async (ctx, next) => {
const { id } = ctx.guard.params; const {
const queryParameters = ctx.request.query; params: { id },
query,
} = ctx.guard;
// Find the SAML application secret by application ID // Find the SAML application secret by application ID
const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries; const { applications, samlApplicationSecrets, samlApplicationConfigs } = queries;
@ -70,27 +72,33 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
oidcClientMetadata: { redirectUris }, oidcClientMetadata: { redirectUris },
} = await applications.findApplicationById(id); } = await applications.findApplicationById(id);
// Sign-in callback handler if ('error' in query) {
const query = samlApplicationSignInCallbackQueryParametersGuard.safeParse(queryParameters);
if (!query.success) {
throw new RequestError('guard.invalid_input');
}
if ('error' in query.data) {
throw new RequestError({ throw new RequestError({
code: 'oidc.invalid_request', code: 'oidc.invalid_request',
status: 400, message: query.error_description,
message: query.data.error_description,
}); });
} }
// TODO: need to validate state for SP initiated SAML flow // TODO: need to validate state for SP initiated SAML flow
const { code, iss } = query.data; const { code } = query;
const { tokenEndpoint, userinfoEndpoint } = await fetchOidcConfig(iss); const { tokenEndpoint, userinfoEndpoint } = await tryThat(
async () => fetchOidcConfig(envSet.oidc.issuer),
(error) => {
if (error instanceof SsoConnectorError) {
throw new RequestError({
code: 'oidc.invalid_request',
message: error.message,
});
}
// Should rarely happen, fetch OIDC configuration should only throw SSO connector error .
throw error;
}
);
const headers = { const headers = {
// Not sure whether we should use internal secret here instead of getting non-expired secret from table `application_secrets`, but it should be fine since this is an internal use case.
Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`, Authorization: `Basic ${Buffer.from(`${id}:${secret}`, 'utf8').toString('base64')}`,
'Content-Type': 'application/x-www-form-urlencoded', 'Content-Type': 'application/x-www-form-urlencoded',
}; };
@ -99,7 +107,7 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
grant_type: 'authorization_code', grant_type: 'authorization_code',
code, code,
client_id: id, client_id: id,
redirect_uri: redirectUris[0] ?? '', ...(redirectUris[0] ? { redirect_uri: redirectUris[0] } : {}),
}); });
// TODO: error handling // TODO: error handling
@ -114,7 +122,6 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
if (!result.success) { if (!result.success) {
throw new RequestError({ throw new RequestError({
code: 'oidc.invalid_token', code: 'oidc.invalid_token',
status: 400,
message: 'Invalid token response', message: 'Invalid token response',
}); });
} }
@ -131,7 +138,8 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
const { entityId, acsUrl } = const { entityId, acsUrl } =
await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id); await samlApplicationConfigs.findSamlApplicationConfigByApplicationId(id);
assertThat(entityId && acsUrl, 'application.saml.entity_id_required'); assertThat(entityId, 'application.saml.entity_id_required');
assertThat(acsUrl, 'application.saml.acs_url_required');
// eslint-disable-next-line new-cap // eslint-disable-next-line new-cap
const idp = saml.IdentityProvider({ const idp = saml.IdentityProvider({
@ -157,14 +165,12 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
}, },
}); });
const binding = acsUrl.binding ?? BindingType.Post;
// eslint-disable-next-line new-cap // eslint-disable-next-line new-cap
const sp = saml.ServiceProvider({ const sp = saml.ServiceProvider({
entityID: entityId, entityID: entityId,
assertionConsumerService: [ assertionConsumerService: [
{ {
Binding: binding, Binding: acsUrl.binding,
Location: acsUrl.url, Location: acsUrl.url,
}, },
], ],
@ -194,7 +200,6 @@ export default function samlApplicationAnonymousRoutes<T extends AnonymousRouter
</body> </body>
</html> </html>
`; `;
return next(); return next();
} }
); );

View file

@ -28,6 +28,7 @@ const application = {
can_not_delete_active_secret: 'Can not delete the active secret.', can_not_delete_active_secret: 'Can not delete the active secret.',
no_active_secret: 'No active secret found.', no_active_secret: 'No active secret found.',
entity_id_required: 'Entity ID is required to generate metadata.', entity_id_required: 'Entity ID is required to generate metadata.',
acs_url_required: 'Assertion consumer service URL is required to generate metadata.',
invalid_certificate_pem_format: 'Invalid PEM certificate format', invalid_certificate_pem_format: 'Invalid PEM certificate format',
}, },
}; };