chore(release): prepare for 0.1.3

Removes the Docker service definition from the build stage in the 
GitLab CI configuration. This change is made to simplify the build 
process and reduce overhead, as the Docker service is no longer 
required for the current build tasks.

.gitlab-ci.yml

@@ -1,22 +1,15 @@
 include:
 - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
+- project: unboundsoftware/ci-templates
+  file: Release.gitlab-ci.yml
 
 stages:
 - build
 
-variables:
-  DOCKER_HOST: tcp://docker:2376
-  DOCKER_TLS_CERTDIR: "/certs"
-  DOCKER_TLS_VERIFY: 1
-  DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
-  DOCKER_DRIVER: overlay2
-
 image: buildtool/build-tools:${BUILDTOOLS_VERSION}
 
 build:
   stage: build
-  services:
-  - docker:dind
   script:
   - build
   - push

.gitlab/dependabot.yml

@@ -1,17 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-- package-ecosystem: "npm"
-  directory: "/"
-  schedule:
-    interval: "daily"
-  open-pull-requests-limit: 20
-- package-ecosystem: "docker"
-  directory: "/"
-  schedule:
-    interval: "daily"
-  open-pull-requests-limit: 20

.nvmrc

@@ -0,0 +1 @@
+22

.prettierignore

@@ -0,0 +1,2 @@
+*.yaml
+*.yml

.prettierrc

@@ -0,0 +1,9 @@
+{
+  "semi": false,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "arrowParens": "always",
+  "quoteProps": "as-needed",
+  "bracketSpacing": true,
+  "bracketSameLine": false
+}

CHANGELOG.md

@@ -0,0 +1,229 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.1.3] - 2024-12-13
+
+### 🐛 Bug Fixes
+
+- *(deps)* Pin dependencies
+- *(deps)* Update dependency express to v4.21.2
+- *(deps)* Update dependency debug to v4.4.0
+- *(deps)* Update dependency nodemon to v3.1.9
+
+### 🚜 Refactor
+
+- *(ci)* Remove unused Docker variables from config
+
+### ⚙️ Miscellaneous Tasks
+
+- Update renovate configuration to disable auth0mock updates
+- Remove Docker service from build stage configuration
+
+## [0.1.2] - 2024-10-19
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency cookie-parser to v1.4.7
+- *(deps)* Update dependency express to v4.21.1
+
+### ⚙️ Miscellaneous Tasks
+
+- Update Dockerfile to remove warnings
+- Support issuer in openid-configuration
+
+## [0.1.1] - 2024-10-05
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency nodemon to v3.1.1
+- *(deps)* Update dependency nodemon to v3.1.2
+- *(deps)* Update dependency debug to v4.3.5
+- *(deps)* Update dependency nodemon to v3.1.3
+- *(deps)* Update dependency nodemon to v3.1.4
+- *(deps)* Update dependency debug to v4.3.6
+- *(deps)* Update dependency debug to v4.3.7
+- *(deps)* Update dependency body-parser to v1.20.3
+- *(deps)* Update dependency express to v4.20.0
+- *(deps)* Update dependency express to v4.21.0
+- *(deps)* Update dependency nodemon to v3.1.5
+- *(deps)* Update dependency nodemon to v3.1.6
+- *(deps)* Update dependency nodemon to v3.1.7
+
+### ⚙️ Miscellaneous Tasks
+
+- Add release flow
+
+## [0.1.0] - 2024-04-08
+
+### 🚀 Features
+
+- Replace keystore handling with node-jose
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency express to v4.19.1
+- *(deps)* Update dependency express to v4.19.2
+
+## [0.0.17] - 2024-03-11
+
+### 🚀 Features
+
+- Support patching of user info
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency express to v4.18.3
+
+## [0.0.16] - 2023-06-01
+
+### 🚀 Features
+
+- Initial users store
+
+## [0.0.15] - 2023-05-31
+
+### 🐛 Bug Fixes
+
+- Return empty array
+
+## [0.0.14] - 2023-05-31
+
+### 🚀 Features
+
+- Remember created users
+
+## [0.0.13] - 2023-05-02
+
+### 🚀 Features
+
+- Add name and email to id token
+
+## [0.0.12] - 2023-03-10
+
+### 🐛 Bug Fixes
+
+- Remove session on logout
+
+## [0.0.11] - 2023-03-10
+
+### 🐛 Bug Fixes
+
+- Update image name to correct location
+- Handle response mode query
+
+### ⚙️ Miscellaneous Tasks
+
+- Use Docker DinD version from variable
+- Change Dependabot rebase strategy
+- Format code and add prettier
+
+## [0.0.9] - 2022-04-28
+
+### 🚀 Features
+
+- Add support for client id and secret tokens
+
+## [0.0.8] - 2022-04-26
+
+### 🚀 Features
+
+- Add dummy-implementation of management API
+
+## [0.0.7] - 2022-04-26
+
+### 🐛 Bug Fixes
+
+- Use correct return-variable
+
+## [0.0.6] - 2022-04-26
+
+### 🐛 Bug Fixes
+
+- Make sure thumbPrint is a string
+
+### 💼 Other
+
+- *(deps)* Bump express from 4.17.3 to 4.18.0
+
+### ⚙️ Miscellaneous Tasks
+
+- Format code
+
+## [0.0.5] - 2022-04-26
+
+### 🐛 Bug Fixes
+
+- Add custom claims to both id and access token
+
+## [0.0.4] - 2022-04-26
+
+### 🚀 Features
+
+- Add email custom claim
+
+## [0.0.3] - 2022-04-26
+
+### 🚀 Features
+
+- Add env-property for default issuer
+
+## [0.0.2] - 2022-04-25
+
+### 💼 Other
+
+- *(deps)* Bump node from 17 to 18
+
+### ⚙️ Miscellaneous Tasks
+
+- Change admin-handling
+
+## [0.0.1] - 2022-04-19
+
+### 🚀 Features
+
+- Initial commit
+- Updated to be compatible with Auth0 SPA which uses the 'Authorization Code Grant using Proof Key for Code Exchange (PKCE)' flow
+- Add ENV-property for setting admin-role
+
+### 🐛 Bug Fixes
+
+- Use correct envs
+- Use commit rather than latest
+- Package.json & yarn.lock to reduce vulnerabilities
+- Package.json & yarn.lock to reduce vulnerabilities
+- Pipeline
+
+### 💼 Other
+
+- *(deps)* Bump nodemon from 2.0.14 to 2.0.15
+- *(deps)* Bump cookie-parser from 1.4.5 to 1.4.6
+- *(deps)* Bump debug from 4.3.2 to 4.3.3
+- *(deps)* Bump body-parser from 1.19.0 to 1.19.1
+- *(deps)* Bump express from 4.17.1 to 4.17.2
+- *(deps)* Bump node-forge from 0.10.0 to 1.0.0
+- *(deps)* Bump node-forge from 1.0.0 to 1.1.0
+- *(deps)* Bump node-forge from 1.1.0 to 1.2.0
+- *(deps)* Bump node-forge from 1.2.0 to 1.2.1
+- *(deps)* Bump body-parser from 1.19.1 to 1.19.2
+- *(deps)* Bump https-localhost from 4.7.0 to 4.7.1
+- *(deps)* Bump express from 4.17.2 to 4.17.3
+- *(deps)* Bump debug from 4.3.3 to 4.3.4
+- *(deps)* Bump node-forge from 1.2.1 to 1.3.0
+- *(deps)* Bump node-forge from 1.3.0 to 1.3.1
+- *(deps)* Bump body-parser from 1.19.2 to 1.20.0
+
+### ⚙️ Miscellaneous Tasks
+
+- Add triggering of acctest
+- Add artifacts
+- Update to latest build-tools
+- Update to latest build-tools
+- Add ingress
+- Add CI workflows
+- Use buildtools version from env
+- Add dependabot config
+- Remove dependabot-standalone
+- Cleanup and remove acctest triggering
+
+<!-- generated by git-cliff -->

Dockerfile

@@ -1,12 +1,12 @@
-FROM node:18
-ENV AUDIENCE "https://shiny.unbound.se"
-ENV ORIGIN_HOST "auth0mock"
-ENV ORIGIN "https://auth0mock:3333"
+FROM node:22@sha256:35a5dd72bcac4bce43266408b58a02be6ff0b6098ffa6f5435aeea980a8951d7
+ENV AUDIENCE="https://shiny.unbound.se"
+ENV ORIGIN_HOST="auth0mock"
+ENV ORIGIN="https://auth0mock:3333"
 EXPOSE 3333
 WORKDIR /app
 ADD package.json yarn.lock /app/
 RUN yarn install --frozen-lockfile
-ADD app.js cert.js /app/
+ADD *.js /app/
 ADD public /app/public
 RUN mkdir -p /root/.config
-ENTRYPOINT yarn start
+ENTRYPOINT ["yarn", "start"]

README.md

@@ -3,47 +3,68 @@
 > This server helps you to simulate auth0 server locally. So, you are able to use the `/tokeninfo` endpoint to verify your token.
 
 ## Getting Started
-### Prerequisites
-* Install [Node.js](http://nodejs.org)
-    * on OSX use [homebrew](http://brew.sh) `brew install node`
-    * on Windows use [chocolatey](https://chocolatey.org/) `choco install nodejs`
 
+### Prerequisites
+
+- Install [Node.js](http://nodejs.org)
+  - on OSX use [homebrew](http://brew.sh) `brew install node`
+  - on Windows use [chocolatey](https://chocolatey.org/) `choco install nodejs`
 
 ## Installing
-* `fork` this repo
-* `clone` your fork
-* `npm install` to install all dependencies
+
+- `fork` this repo
+- `clone` your fork
+- `npm install` to install all dependencies
 
 ## Running the app
+
 After you have installed all dependencies you can now run the app.
 Run `npm start` to start a local server.
 The port will be displayed to you as `http://0.0.0.0:3333` (or if you prefer IPv6, if you're using `express` server, then it's `http://[::1]:3333/`).
 
+## Initial users
+
+Adding a JSON file with the following layout will populate the users store when starting:
+
+```json
+{
+  "email@test.com": {
+    "given_name": "name",
+    "family_name": "family",
+    "user_id": "id"
+  }
+}
+```
+
+By default `./users.json` will be read but this can be overridden by setting the environment variable `USERS_FILE`.
 
 ## API Documentation
 
 ### `GET` /token/:username
+
 Returns a token with the given user(username). This token can the be used by your application.
 
 ### `POST` /tokeninfo
+
 Returns the data of the token like the username.
 
 **Body**
+
 ```
 {
     "id_token": "your-token-kjasdf6ashasl..."
 }
 ```
 
-
 ## Related Projects
-* [express-typescript-boilerplate](https://github.com/w3tecch/express-typescript-boilerplate) - Boilerplate for an restful express-apllication written in TypeScript
-* [express-graphql-typescript-boilerplate](https://github.com/w3tecch/express-graphql-typescript-boilerplate) - A starter kit for building amazing GraphQL API's with TypeScript and express by @w3tecch
 
+- [express-typescript-boilerplate](https://github.com/w3tecch/express-typescript-boilerplate) - Boilerplate for an restful express-apllication written in TypeScript
+- [express-graphql-typescript-boilerplate](https://github.com/w3tecch/express-graphql-typescript-boilerplate) - A starter kit for building amazing GraphQL API's with TypeScript and express by @w3tecch
 
 ## License
+
 [MIT](/LICENSE)
 
-
 ---
-Made with ♥ by Gery Hirschfeld ([@GeryHirschfeld1](https://twitter.com/GeryHirschfeld1))
+
+Made with ♥ by Gery Hirschfeld ([@GeryHirschfeld1](https://twitter.com/GeryHirschfeld1))

app.js

@@ -8,19 +8,24 @@ const Debug = require('debug')
 const path = require('path')
 const cors = require('cors')
 const bodyParser = require('body-parser')
+const jose = require('node-jose');
 const favicon = require('serve-favicon')
-const cert = require('./cert')
+const initialUsers = require('./users')
 
-let issuer = process.env.ISSUER || 'localhost:3333'
-let jwksOrigin = `https://${issuer}/`
+const issuer = process.env.ISSUER || 'localhost:3333'
+const jwksOrigin = `https://${issuer}/`
 const audience = process.env.AUDIENCE || 'https://generic-audience'
-const adminCustomClaim = process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
-const emailCustomClaim = process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
+const adminCustomClaim =
+  process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
+const emailCustomClaim =
+  process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
 
 const debug = Debug('app')
 
-let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin)
-
+const keyStore = jose.JWK.createKeyStore()
+keyStore.generate('RSA', 2048, { alg: 'RS256', use: 'sig' })
+// let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin)
+const users = initialUsers(process.env.USERS_FILE || './users.json')
 const sessions = {}
 const challenges = {}
 
@@ -37,61 +42,103 @@ const addCustomClaims = (email, customClaims, token) => {
       ...claim
     }
   }, token)
+}
 
+const signToken = async (token) => {
+  const [key] = keyStore.all({ use: 'sig' })
+  const opt = { compact: true, jwk: key, fields: { typ: 'jwt' } }
+  return await jose.JWS.createSign(opt, key)
+    .update(JSON.stringify(token))
+    .final()
 }
 
 // Configure our small auth0-mock-server
-app.options('*', cors(corsOpts))
+app
+  .options('*', cors(corsOpts))
   .use(cors())
-  .use(bodyParser.json())
+  .use(bodyParser.json({ strict: false }))
   .use(bodyParser.urlencoded({ extended: true }))
   .use(cookieParser())
   .use(express.static(`${__dirname}/public`))
   .use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
 
 // This route can be used to generate a valid jwt-token.
-app.post('/oauth/token', (req, res) => {
-  const code = req.body.code
-  const session = sessions[code]
+app.post('/oauth/token', async (req, res) => {
+  const date = Math.floor(Date.now() / 1000)
+  if (req.body.grant_type === 'client_credentials' && req.body.client_id) {
+    const accessToken = await signToken({
+      iss: jwksOrigin,
+      aud: [audience],
+      sub: 'auth0|management',
+      iat: date,
+      exp: date + 7200,
+      azp: req.body.client_id
+    })
 
-  let date = Math.floor(Date.now() / 1000)
-  let accessToken = jwt.sign(Buffer.from(JSON.stringify(addCustomClaims(session.email, session.customClaims, {
-    iss: jwksOrigin,
-    aud: [audience],
-    sub: 'auth0|' + session.email,
-    iat: date,
-    exp: date + 7200,
-    azp: session.clientId
-  }))), privateKey, {
-    algorithm: 'RS256',
-    keyid: thumbprint
-  })
+    const idToken = await signToken({
+      iss: jwksOrigin,
+      aud: req.body.client_id,
+      sub: 'auth0|management',
+      iat: date,
+      exp: date + 7200,
+      azp: req.body.client_id,
+      name: 'Management API'
+    })
 
-  let idToken = jwt.sign(Buffer.from(JSON.stringify(addCustomClaims(session.email, session.customClaims, {
-    iss: jwksOrigin,
-    aud: session.clientId,
-    nonce: session.nonce,
-    sub: 'auth0|' + session.email,
-    iat: date,
-    exp: date + 7200,
-    azp: session.clientId,
-    name: 'Example Person',
-    picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
-  }))), privateKey, {
-    algorithm: 'RS256',
-    keyid: thumbprint
-  })
+    debug('Signed token for management API')
 
-  debug('Signed token for ' + session.email)
-  // res.json({ token });
+    res.json({
+      access_token: accessToken,
+      id_token: idToken,
+      scope: 'openid%20profile%20email',
+      expires_in: 7200,
+      token_type: 'Bearer'
+    })
+  } else if (req.body.code) {
+    const code = req.body.code
+    const session = sessions[code]
+    const accessToken = await signToken(
+      addCustomClaims(session.email, session.customClaims, {
+        iss: jwksOrigin,
+        aud: [audience],
+        sub: 'auth0|' + session.email,
+        iat: date,
+        exp: date + 7200,
+        azp: session.clientId
+      })
+    )
 
-  res.json({
-    access_token: accessToken,
-    id_token: idToken,
-    scope: 'openid%20profile%20email',
-    expires_in: 7200,
-    token_type: 'Bearer'
-  })
+    const idToken = await signToken(
+      addCustomClaims(session.email, session.customClaims, {
+        iss: jwksOrigin,
+        aud: session.clientId,
+        nonce: session.nonce,
+        sub: 'auth0|' + session.email,
+        iat: date,
+        exp: date + 7200,
+        azp: session.clientId,
+        name: 'Example Person',
+        given_name: 'Example',
+        family_name: 'Person',
+        email: session.email,
+        picture:
+          'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
+      })
+    )
+
+    debug('Signed token for ' + session.email)
+
+    res.json({
+      access_token: accessToken,
+      id_token: idToken,
+      scope: 'openid%20profile%20email',
+      expires_in: 7200,
+      token_type: 'Bearer'
+    })
+  } else {
+    res.status(401)
+    res.send('Missing client_id or client_secret')
+  }
 })
 
 // This route can be used to generate a valid jwt-token.
@@ -100,9 +147,12 @@ app.get('/token/:email', (req, res) => {
     debug('No user was given!')
     return res.status(400).send('user is missing')
   }
-  const token = jwt.sign({
-    user_id: 'auth0|' + req.params.email
-  }, privateKey)
+  const token = jwt.sign(
+    {
+      user_id: 'auth0|' + req.params.email
+    },
+    privateKey
+  )
   debug('Signed token for ' + req.params.email)
   res.json({ token })
 })
@@ -127,7 +177,9 @@ app.post('/code', (req, res) => {
     codeChallenge: req.body.codeChallenge,
     customClaims: [claim]
   }
-  res.redirect(`${req.body.redirect}?domain=${issuer}&code=${code}&state=${encodeURIComponent(state)}`)
+  res.redirect(
+    `${req.body.redirect}?code=${code}&state=${encodeURIComponent(state)}`
+  )
 })
 
 app.get('/authorize', (req, res) => {
@@ -138,13 +190,26 @@ app.get('/authorize', (req, res) => {
   const codeChallenge = req.query.code_challenge
   const prompt = req.query.prompt
   const responseMode = req.query.response_mode
+  if (responseMode === 'query') {
+    const code = req.cookies['auth0']
+    const session = sessions[code]
+    if (session) {
+      session.nonce = nonce
+      session.state = state
+      session.codeChallenge = codeChallenge
+      sessions[codeChallenge] = session
+      res.redirect(`${redirect}?code=${codeChallenge}&state=${state}`)
+      return
+    }
+  }
   if (prompt === 'none' && responseMode === 'web_message') {
     const code = req.cookies['auth0']
     const session = sessions[code]
-    session.nonce = nonce
-    session.state = state
-    session.codeChallenge = codeChallenge
-    res.send(`
+    if (session) {
+      session.nonce = nonce
+      session.state = state
+      session.codeChallenge = codeChallenge
+      res.send(`
 <!DOCTYPE html>
 <html>
   <body>
@@ -162,13 +227,16 @@ app.get('/authorize', (req, res) => {
   </script>
   </body>
 </html>`)
-  } else {
-    res.cookie('auth0', codeChallenge, {
-      sameSite: 'None',
-      secure: true,
-      httpOnly: true
-    })
-    res.send(`
+      return
+    }
+  }
+
+  res.cookie('auth0', codeChallenge, {
+    sameSite: 'None',
+    secure: true,
+    httpOnly: true
+  })
+  res.send(`
 <html lang='en'>
   <head>
     <meta charset='utf-8'>
@@ -209,35 +277,96 @@ app.get('/authorize', (req, res) => {
   </body>
 </html>
 `)
-  }
 })
 
 app.get('/userinfo', (req, res) => {
-  res.contentType('application/json').send(JSON.stringify({ picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg' }))
+  res.contentType('application/json').send(
+    JSON.stringify({
+      picture:
+        'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
+    })
+  )
 })
 
 app.get('/v2/logout', (req, res) => {
-  res.redirect(`${req.query.returnTo}?domain=${issuer}`)
+  const code = req.cookies['auth0']
+  const session = sessions[code]
+  if (session) {
+    delete sessions[code]
+  }
+  res.redirect(req.query.returnTo)
+})
+
+app.get('/.well-known/openid-configuration', (req, res) => {
+  debug('Fetching OpenID configuration')
+  res.contentType('application/json').send(
+    JSON.stringify({
+      "issuer":
+        `${jwksOrigin}`,
+      "authorization_endpoint":
+        `${jwksOrigin}authorize`,
+      "token_endpoint":
+        `${jwksOrigin}oauth/token`,
+      "token_endpoint_auth_methods_supported":
+        ["client_secret_basic", "private_key_jwt"],
+      "token_endpoint_auth_signing_alg_values_supported":
+        ["RS256"],
+      "userinfo_endpoint":
+        `${jwksOrigin}userinfo`,
+      "check_session_iframe":
+        `${jwksOrigin}check_session`,
+      "end_session_endpoint":
+        `${jwksOrigin}end_session`,
+      "jwks_uri":
+        `${jwksOrigin}.well-known/jwks.json`,
+      "registration_endpoint":
+        `${jwksOrigin}register`,
+      "scopes_supported":
+        ["openid", "profile", "email", "address",
+          "phone", "offline_access"],
+      "response_types_supported":
+        ["code", "code id_token", "id_token", "id_token token"],
+      "acr_values_supported":
+        [],
+      "subject_types_supported":
+        ["public", "pairwise"],
+      "userinfo_signing_alg_values_supported":
+        ["RS256", "ES256", "HS256"],
+      "userinfo_encryption_alg_values_supported":
+        ["RSA-OAEP-256", "A128KW"],
+      "userinfo_encryption_enc_values_supported":
+        ["A128CBC-HS256", "A128GCM"],
+      "id_token_signing_alg_values_supported":
+        ["RS256", "ES256", "HS256"],
+      "id_token_encryption_alg_values_supported":
+        ["RSA-OAEP-256", "A128KW"],
+      "id_token_encryption_enc_values_supported":
+        ["A128CBC-HS256", "A128GCM"],
+      "request_object_signing_alg_values_supported":
+        ["none", "RS256", "ES256"],
+      "display_values_supported":
+        ["page", "popup"],
+      "claim_types_supported":
+        ["normal", "distributed"],
+      "claims_supported":
+        ["sub", "iss", "auth_time", "acr",
+          "name", "given_name", "family_name", "nickname",
+          "profile", "picture", "website",
+          "email", "email_verified", "locale", "zoneinfo",
+          "https://unbound.se/email", "https://unbound.se/admin"],
+      "claims_parameter_supported":
+        true,
+      "service_documentation":
+        "http://auth0/",
+      "ui_locales_supported":
+        ["en-US"]
+    })
+  )
 })
 
 app.get('/.well-known/jwks.json', (req, res) => {
-  res
-    .contentType('application/json')
-    .send(JSON.stringify({
-      keys: [
-        {
-          alg: 'RS256',
-          // e: 'AQAB',
-          e: exponent,
-          kid: thumbprint,
-          kty: 'RSA',
-          n: modulus,
-          use: 'sig',
-          x5c: [certDer],
-          x5t: thumbprint
-        }
-      ]
-    }))
+  debug('Fetching JWKS')
+  res.contentType('application/json').send(keyStore.toJSON())
 })
 
 // This route returns the inside of a jwt-token. Your main application
@@ -257,21 +386,59 @@ app.post('/tokeninfo', (req, res) => {
   }
 })
 
-app.post('/issuer', (req, res) => {
-  if (!req.body.issuer) {
-    debug('No issuer given in the body!')
-    return res.status(401).send('missing issuer')
+app.get('/api/v2/users-by-email', (req, res) => {
+  const email = req.query.email
+  console.log('users', users)
+  const user = users[email]
+  if (user === undefined) {
+    res.json([])
+  } else {
+    res.json([user])
   }
-  issuer = req.body.issuer
-  jwksOrigin = `https://${issuer}/`
-  const { privateKey: key, certDer: der, thumbPrint: thumb, exponent: exp, modulus: mod } = cert(jwksOrigin)
-  privateKey = key
-  certDer = der
-  thumbprint = thumb
-  exponent = exp
-  modulus = mod
-  debug('Issuer set to ' + req.body.issuer)
-  res.send('ok')
+})
+
+app.patch('/api/v2/users/:userid', (req, res) => {
+  const email = req.params.userid.slice(6)
+  console.log('patching user with id', email)
+  const user = users[email]
+  if (!user) {
+    res.sendStatus(404)
+    return
+  }
+  users[email] = {
+    email: email,
+    given_name: req.body.given_name || user.given_name,
+    family_name: req.body.family_name || user.family_name,
+    user_id: email,
+    picture: req.body.picture || user.picture
+  }
+  res.json({
+    user_id: `auth0|${email}`
+  })
+})
+
+app.post('/api/v2/users', (req, res) => {
+  const email = req.body.email
+  users[email] = {
+    email: email,
+    given_name: 'Given',
+    family_name: 'Last',
+    user_id: email
+  }
+  res.json({
+    user_id: `auth0|${email}`
+  })
+})
+
+app.post('/api/v2/tickets/password-change', (req, res) => {
+  res.json({
+    ticket: `https://some-url`
+  })
+})
+
+app.use(function (req, res, next) {
+  console.log('404', req.path)
+  res.status(404).send('error: 404 Not Found ' + req.path)
 })
 
 app.listen(3333, () => {

cert.js

@@ -1,132 +0,0 @@
-const base64url = require('base64-url')
-const createHash = require('crypto').createHash
-const forge = require('node-forge')
-const NodeRSA = require('node-rsa')
-
-const PRIVATE_KEY_PEM =
-  '-----BEGIN RSA PRIVATE KEY-----\n' +
-  'MIIEpAIBAAKCAQEApoocpO3bbUF6o8eyJlQCfwLahEsunWdVF++yOEyKu4Lp1j0m\n' +
-  '2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm93g0q2nRuYEoS+W3o6X50wjOVm8f\n' +
-  'r/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIBt+xVY4I+k6uXJJJMzbgvahAgSLZ9\n' +
-  'RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6IognqXHP6AwKZXpT6jCzjzq9uyHxVcud\n' +
-  'qw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1NUqVoiOrO4jaDB1IdLD+YmRE/JjOH\n' +
-  'sWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBrHwIDAQABAoIBAHAdmpsN5iLvafjI\n' +
-  'f45+EBAhg6p8Uq102zx6CakNHniN8Y5hLL7RJtJRwDBNqKrGv93LUoQDRhXfGw+Y\n' +
-  'iF0NVIhVTF/5pU8VPGOcCr0JB96ilwZpWRPIQW7NZAMu/GBeiMYls/IB/TXrSnv9\n' +
-  'h6/nBfEkEXgkPqx7YA0m0L3NuV3U1lCY/LhBJY4Xvi0uRdqu3tTHXftehuPwC4UB\n' +
-  '42eJTWv/qLeOlkCdUUV4f7+dNaES88Vdhj6lu/BusnNhvnwHQik4dNwzPCGeP8NV\n' +
-  '5gaesWiNWFZuTURGKk1B65p5LzNPjsVT50RDuW8FnSZwIvNcohrX9ILPsmg/t0Kr\n' +
-  'ozcOksECgYEA4XWOK4twx5RG162zveRHqU7H9RBWSz7/PzM9Eob9vx/tC/b1YqBR\n' +
-  'VShk23vje19eNiYWAkxcpobIP4ek/0ZT8nHkJg8wl+J/hnXADcvwv2dKnoFnm5pn\n' +
-  'rTBUKc8R3wrSlAV8XQAtdnxsfFa5AOQJ6WFVI9AdfH3Iw8XZk4gIIPMCgYEAvRlY\n' +
-  'y80HnR3kwMOqY488V1qk41dmfNqa+YDL+zkPF1HhHI9VnK5BQuI7lyKJl984KwHu\n' +
-  '0gbwx3Wp4XkD5JUboEpl5LnaLsjEWemjTaQWdvJHPd5wkJ0m/jRQ2YeT4g2gFu4y\n' +
-  'Pi/pWkrzhnzQQVAmOdAm5Kj27LtDzp0lspw3uCUCgYEAw2YdvFGSgfZZW4147QeO\n' +
-  'sAbON+9bysUjdMPUl10VR/LEgA0d6MdnFfX3S13Y7tDdlvJ1OrKxzcWcgaru7ism\n' +
-  'kEXy5KVfiRNNUNx2gb6RvWEpA6zFfc9ZMXlkSAPlyjfX/1+tw/Bmdn0pjK2gk0wP\n' +
-  '5wtrPameFInzWPD9O+a2nM8CgYBZ6UhgNs+M9B7FTQOiLQPa4R2PfwobCXIwef4D\n' +
-  'KIE1bFgl1T02r2AWZi1BUkmr7ZXuVQ/xyx0HKbopm/mu4PruvxEtrPTB0/IQcleU\n' +
-  'XhXUXqRjFXXePOrCaaubkqxNCn95B67aBLvmk8awxn3a4DocuQ0VIgWuT+gQwIWh\n' +
-  'JEgWBQKBgQDKD+2Yh1/rUzu15lbPH0JSpozUinuFjePieR/4n+5CtEUxWJ2f0WeK\n' +
-  's4XWWf2qgUccjpiGju2UR840mgWROoZ8BfSTd5tg1F7bo0HMgu2hu0RIRpZcRhsA\n' +
-  'Cd0GrJvf1t0QIdDCXAy+RpgU1SLSq4Q6Lomc0WA5C5nBw9RKEUOV9A==\n' +
-  '-----END RSA PRIVATE KEY-----\n'
-
-const PUBLIC_KEY_PEM =
-  '-----BEGIN PUBLIC KEY-----\n' +
-  'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoocpO3bbUF6o8eyJlQC\n' +
-  'fwLahEsunWdVF++yOEyKu4Lp1j0m2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm\n' +
-  '93g0q2nRuYEoS+W3o6X50wjOVm8fr/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIB\n' +
-  't+xVY4I+k6uXJJJMzbgvahAgSLZ9RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6Iogn\n' +
-  'qXHP6AwKZXpT6jCzjzq9uyHxVcudqw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1N\n' +
-  'UqVoiOrO4jaDB1IdLD+YmRE/JjOHsWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBr\n' +
-  'HwIDAQAB\n' +
-  '-----END PUBLIC KEY-----\n'
-
-const createCertificate = ({
-                             publicKey,
-                             privateKey,
-                             jwksOrigin
-                           }) => {
-  const cert = forge.pki.createCertificate()
-  cert.publicKey = publicKey
-  cert.serialNumber = '123'
-  const attrs = [
-    {
-      name: 'commonName',
-      value: `${jwksOrigin}`
-    }
-  ]
-  cert.validity.notBefore = new Date()
-  cert.validity.notAfter = new Date()
-  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1)
-  cert.setSubject(attrs)
-  cert.setIssuer(attrs)
-  cert.sign(privateKey)
-  return forge.pki.certificateToPem(cert)
-}
-
-const getCertThumbprint = (certificate) => {
-  const shasum = createHash('sha1')
-  const der = Buffer.from(certificate).toString('binary')
-  shasum.update(der)
-  return shasum.digest('base64')
-}
-
-const createKeyPair = () => {
-  const privateKey = forge.pki.privateKeyFromPem(PRIVATE_KEY_PEM)
-  const publicKey = forge.pki.publicKeyFromPem(PUBLIC_KEY_PEM)
-  return {
-    privateKey,
-    publicKey
-  }
-}
-
-const bnToB64 = (bn) => {
-  let hex = BigInt(bn).toString(16)
-  if (hex.length % 2) {
-    hex = '0' + hex
-  }
-
-  const bin = []
-  let i = 0
-  let d
-  let b
-  while (i < hex.length) {
-    d = parseInt(hex.slice(i, i + 2), 16)
-    b = String.fromCharCode(d)
-    bin.push(b)
-    i += 2
-  }
-
-  return Buffer.from(bin.join(''), 'binary').toString('base64')
-}
-
-const setup = (jwksOrigin) => {
-  const { privateKey, publicKey } = createKeyPair()
-  const certPem = createCertificate({
-    jwksOrigin,
-    privateKey,
-    publicKey
-  })
-  const certDer = forge.util.encode64(
-    forge.asn1
-      .toDer(forge.pki.certificateToAsn1(forge.pki.certificateFromPem(certPem)))
-      .getBytes()
-  )
-  const thumbprint = base64url.encode(getCertThumbprint(certDer))
-
-  const helperKey = new NodeRSA()
-  helperKey.importKey(forge.pki.privateKeyToPem(privateKey))
-  const { n: modulus, e: exponent } = helperKey.exportKey('components')
-
-  return {
-    privateKey: forge.pki.privateKeyToPem(privateKey),
-    certDer: certDer,
-    thumbPrint: thumbprint.toString(),
-    exponent: bnToB64(exponent),
-    modulus: modulus.toString('base64')
-  }
-}
-
-module.exports = setup

k8s/deploy.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: auth0mock
-          image: registry.gitlab.com/unboundsoftware/shiny/auth0mock:${COMMIT}
+          image: registry.gitlab.com/unboundsoftware/auth0mock:${COMMIT}
           imagePullPolicy: "IfNotPresent"
           resources:
             requests:

k8s/ingress-test.yaml

@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: auth0-ingress

package.json

@@ -6,23 +6,26 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "dev": "nodemon ./app.js",
-    "start": "node ./app.js"
+    "start": "node ./app.js",
+    "lint:prettier": "prettier --check .",
+    "lint": "yarn lint:prettier",
+    "lintfix": "prettier --write --list-different ."
   },
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "base64-url": "^2.3.3",
-    "body-parser": "^1.20.0",
-    "buffer": "^6.0.3",
-    "cookie-parser": "^1.4.6",
-    "cors": "^2.8.3",
-    "debug": "^4.3.4",
-    "express": "^4.18.0",
-    "https-localhost": "^4.7.1",
-    "jsonwebtoken": "^8.5.1",
-    "node-forge": "^1.3.1",
-    "node-rsa": "^1.1.1",
-    "nodemon": "^2.0.15",
-    "serve-favicon": "^2.4.2"
+    "body-parser": "1.20.3",
+    "cookie-parser": "1.4.7",
+    "cors": "2.8.5",
+    "debug": "4.4.0",
+    "express": "4.21.2",
+    "https-localhost": "4.7.1",
+    "jsonwebtoken": "9.0.2",
+    "node-jose": "2.2.0",
+    "nodemon": "3.1.9",
+    "serve-favicon": "2.5.0"
+  },
+  "devDependencies": {
+    "prettier": "3.4.2"
   }
 }

renovate.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "packageRules": [
+    {
+      "matchManagers": [
+        "kubernetes"
+      ],
+      "matchPackageNames": [
+        "registry.gitlab.com/unboundsoftware/auth0mock"
+      ],
+      "enabled": false
+    }
+  ]
+}

users.js

@@ -0,0 +1,18 @@
+const fs = require('fs')
+
+const setup = (usersFile) => {
+  let users = {}
+  if (fs.existsSync(usersFile)) {
+    console.log(`initial users file "${usersFile}" exists, reading`)
+    const read = fs.readFileSync(usersFile, { encoding: 'utf8', flag: 'r' })
+    users = JSON.parse(read)
+    for (let key of Object.keys(users)) {
+      users[key] = { ...users[key], email: key }
+    }
+    console.log('users:', users)
+  } else {
+    console.log(`initial users file "${usersFile}" missing`)
+  }
+  return users
+}
+module.exports = setup