-
-
Notifications
You must be signed in to change notification settings - Fork 447
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
343 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
66 changes: 66 additions & 0 deletions
66
packages/core/src/oidc/grants/token-exchange/actor-token.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
import { errors, type KoaContextWithOIDC } from 'oidc-provider'; | ||
import Sinon from 'sinon'; | ||
|
||
import { createOidcContext } from '#src/test-utils/oidc-provider.js'; | ||
|
||
import { handleActorToken } from './actor-token.js'; | ||
import { TokenExchangeTokenType } from './types.js'; | ||
|
||
const { InvalidGrant } = errors; | ||
|
||
const actorId = 'some_account_id'; | ||
|
||
const validOidcContext: Partial<KoaContextWithOIDC['oidc']> = { | ||
params: { | ||
actor_token: 'some_actor_token', | ||
actor_token_type: TokenExchangeTokenType.AccessToken, | ||
}, | ||
}; | ||
|
||
beforeAll(() => { | ||
// `oidc-provider` will warn for dev interactions | ||
Sinon.stub(console, 'warn'); | ||
}); | ||
|
||
afterAll(() => { | ||
Sinon.restore(); | ||
}); | ||
|
||
describe('handleActorToken', () => { | ||
it('should return actorId', async () => { | ||
const ctx = createOidcContext(validOidcContext); | ||
Sinon.stub(ctx.oidc.provider.AccessToken, 'find').resolves({ actorId, scope: 'openid' }); | ||
|
||
await expect(handleActorToken(ctx)).resolves.toStrictEqual({ | ||
actorId, | ||
}); | ||
}); | ||
|
||
it('should return empty actorId when params are not present', async () => { | ||
const ctx = createOidcContext({ params: {} }); | ||
|
||
await expect(handleActorToken(ctx)).resolves.toStrictEqual({ | ||
actorId: undefined, | ||
}); | ||
}); | ||
|
||
it('should throw if actor_token_type is invalid', async () => { | ||
const ctx = createOidcContext({ | ||
params: { | ||
actor_token: 'some_actor_token', | ||
actor_token_type: 'invalid', | ||
}, | ||
}); | ||
|
||
await expect(handleActorToken(ctx)).rejects.toThrow( | ||
new InvalidGrant('unsupported actor token type') | ||
); | ||
}); | ||
|
||
it('should throw if actor_token is invalid', async () => { | ||
const ctx = createOidcContext(validOidcContext); | ||
Sinon.stub(ctx.oidc.provider.AccessToken, 'find').rejects(); | ||
|
||
await expect(handleActorToken(ctx)).rejects.toThrow(new InvalidGrant('invalid actor token')); | ||
}); | ||
}); |
38 changes: 38 additions & 0 deletions
38
packages/core/src/oidc/grants/token-exchange/actor-token.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
import { trySafe } from '@silverhand/essentials'; | ||
import { type KoaContextWithOIDC, errors } from 'oidc-provider'; | ||
|
||
import assertThat from '#src/utils/assert-that.js'; | ||
|
||
import { TokenExchangeTokenType } from './types.js'; | ||
|
||
const { InvalidGrant } = errors; | ||
|
||
/** | ||
* Handles the `actor_token` and `actor_token_type` parameters, | ||
* if both are present and valid, the `accountId` of the actor token is returned. | ||
*/ | ||
export const handleActorToken = async (ctx: KoaContextWithOIDC): Promise<{ actorId?: string }> => { | ||
const { params, provider } = ctx.oidc; | ||
const { AccessToken } = provider; | ||
|
||
assertThat(params, new InvalidGrant('parameters must be available')); | ||
assertThat( | ||
!params.actor_token || params.actor_token_type === TokenExchangeTokenType.AccessToken, | ||
new InvalidGrant('unsupported actor token type') | ||
); | ||
|
||
if (!params.actor_token) { | ||
return { actorId: undefined }; | ||
} | ||
|
||
// The actor token should have `openid` scope (RFC 0005), and a token with this scope is an opaque token. | ||
// We can use `AccessToken.find` to handle the token, no need to handle JWT tokens. | ||
const actorToken = await trySafe(async () => AccessToken.find(String(params.actor_token))); | ||
assertThat(actorToken?.accountId, new InvalidGrant('invalid actor token')); | ||
assertThat( | ||
actorToken.scope?.includes('openid'), | ||
new InvalidGrant('actor token must have openid scope') | ||
); | ||
|
||
return { actorId: actorToken.accountId }; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
import { z } from 'zod'; | ||
|
||
export const tokenExchangeActGuard = z.object({ | ||
act: z.object({ | ||
sub: z.string(), | ||
}), | ||
}); | ||
|
||
export type TokenExchangeAct = z.infer<typeof tokenExchangeActGuard>; | ||
|
||
export enum TokenExchangeTokenType { | ||
AccessToken = 'urn:ietf:params:oauth:token-type:access_token', | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.