chore(release): prepare for 0.1.2

Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.3...v3.1.0)

.gitlab-ci.yml

@@ -1,5 +1,7 @@
 include:
 - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
+- project: unboundsoftware/ci-templates
+  file: Release.gitlab-ci.yml
 
 stages:
 - build
@@ -16,7 +18,7 @@ image: buildtool/build-tools:${BUILDTOOLS_VERSION}
 build:
   stage: build
   services:
-  - docker:dind
+  - docker:${DOCKER_DIND_VERSION}
   script:
   - build
   - push

.gitlab/dependabot.yml

@@ -1,17 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-- package-ecosystem: "npm"
-  directory: "/"
-  schedule:
-    interval: "daily"
-  open-pull-requests-limit: 20
-- package-ecosystem: "docker"
-  directory: "/"
-  schedule:
-    interval: "daily"
-  open-pull-requests-limit: 20

.nvmrc

@@ -0,0 +1 @@
+20

.prettierignore

@@ -0,0 +1,2 @@
+*.yaml
+*.yml

.prettierrc

@@ -0,0 +1,9 @@
+{
+  "semi": false,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "arrowParens": "always",
+  "quoteProps": "as-needed",
+  "bracketSpacing": true,
+  "bracketSameLine": false
+}

CHANGELOG.md

@@ -0,0 +1,211 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.1.2] - 2024-10-19
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency cookie-parser to v1.4.7
+- *(deps)* Update dependency express to v4.21.1
+
+### ⚙️ Miscellaneous Tasks
+
+- Update Dockerfile to remove warnings
+- Support issuer in openid-configuration
+
+## [0.1.1] - 2024-10-05
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency nodemon to v3.1.1
+- *(deps)* Update dependency nodemon to v3.1.2
+- *(deps)* Update dependency debug to v4.3.5
+- *(deps)* Update dependency nodemon to v3.1.3
+- *(deps)* Update dependency nodemon to v3.1.4
+- *(deps)* Update dependency debug to v4.3.6
+- *(deps)* Update dependency debug to v4.3.7
+- *(deps)* Update dependency body-parser to v1.20.3
+- *(deps)* Update dependency express to v4.20.0
+- *(deps)* Update dependency express to v4.21.0
+- *(deps)* Update dependency nodemon to v3.1.5
+- *(deps)* Update dependency nodemon to v3.1.6
+- *(deps)* Update dependency nodemon to v3.1.7
+
+### ⚙️ Miscellaneous Tasks
+
+- Add release flow
+
+## [0.1.0] - 2024-04-08
+
+### 🚀 Features
+
+- Replace keystore handling with node-jose
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency express to v4.19.1
+- *(deps)* Update dependency express to v4.19.2
+
+## [0.0.17] - 2024-03-11
+
+### 🚀 Features
+
+- Support patching of user info
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update dependency express to v4.18.3
+
+## [0.0.16] - 2023-06-01
+
+### 🚀 Features
+
+- Initial users store
+
+## [0.0.15] - 2023-05-31
+
+### 🐛 Bug Fixes
+
+- Return empty array
+
+## [0.0.14] - 2023-05-31
+
+### 🚀 Features
+
+- Remember created users
+
+## [0.0.13] - 2023-05-02
+
+### 🚀 Features
+
+- Add name and email to id token
+
+## [0.0.12] - 2023-03-10
+
+### 🐛 Bug Fixes
+
+- Remove session on logout
+
+## [0.0.11] - 2023-03-10
+
+### 🐛 Bug Fixes
+
+- Update image name to correct location
+- Handle response mode query
+
+### ⚙️ Miscellaneous Tasks
+
+- Use Docker DinD version from variable
+- Change Dependabot rebase strategy
+- Format code and add prettier
+
+## [0.0.9] - 2022-04-28
+
+### 🚀 Features
+
+- Add support for client id and secret tokens
+
+## [0.0.8] - 2022-04-26
+
+### 🚀 Features
+
+- Add dummy-implementation of management API
+
+## [0.0.7] - 2022-04-26
+
+### 🐛 Bug Fixes
+
+- Use correct return-variable
+
+## [0.0.6] - 2022-04-26
+
+### 🐛 Bug Fixes
+
+- Make sure thumbPrint is a string
+
+### 💼 Other
+
+- *(deps)* Bump express from 4.17.3 to 4.18.0
+
+### ⚙️ Miscellaneous Tasks
+
+- Format code
+
+## [0.0.5] - 2022-04-26
+
+### 🐛 Bug Fixes
+
+- Add custom claims to both id and access token
+
+## [0.0.4] - 2022-04-26
+
+### 🚀 Features
+
+- Add email custom claim
+
+## [0.0.3] - 2022-04-26
+
+### 🚀 Features
+
+- Add env-property for default issuer
+
+## [0.0.2] - 2022-04-25
+
+### 💼 Other
+
+- *(deps)* Bump node from 17 to 18
+
+### ⚙️ Miscellaneous Tasks
+
+- Change admin-handling
+
+## [0.0.1] - 2022-04-19
+
+### 🚀 Features
+
+- Initial commit
+- Updated to be compatible with Auth0 SPA which uses the 'Authorization Code Grant using Proof Key for Code Exchange (PKCE)' flow
+- Add ENV-property for setting admin-role
+
+### 🐛 Bug Fixes
+
+- Use correct envs
+- Use commit rather than latest
+- Package.json & yarn.lock to reduce vulnerabilities
+- Package.json & yarn.lock to reduce vulnerabilities
+- Pipeline
+
+### 💼 Other
+
+- *(deps)* Bump nodemon from 2.0.14 to 2.0.15
+- *(deps)* Bump cookie-parser from 1.4.5 to 1.4.6
+- *(deps)* Bump debug from 4.3.2 to 4.3.3
+- *(deps)* Bump body-parser from 1.19.0 to 1.19.1
+- *(deps)* Bump express from 4.17.1 to 4.17.2
+- *(deps)* Bump node-forge from 0.10.0 to 1.0.0
+- *(deps)* Bump node-forge from 1.0.0 to 1.1.0
+- *(deps)* Bump node-forge from 1.1.0 to 1.2.0
+- *(deps)* Bump node-forge from 1.2.0 to 1.2.1
+- *(deps)* Bump body-parser from 1.19.1 to 1.19.2
+- *(deps)* Bump https-localhost from 4.7.0 to 4.7.1
+- *(deps)* Bump express from 4.17.2 to 4.17.3
+- *(deps)* Bump debug from 4.3.3 to 4.3.4
+- *(deps)* Bump node-forge from 1.2.1 to 1.3.0
+- *(deps)* Bump node-forge from 1.3.0 to 1.3.1
+- *(deps)* Bump body-parser from 1.19.2 to 1.20.0
+
+### ⚙️ Miscellaneous Tasks
+
+- Add triggering of acctest
+- Add artifacts
+- Update to latest build-tools
+- Update to latest build-tools
+- Add ingress
+- Add CI workflows
+- Use buildtools version from env
+- Add dependabot config
+- Remove dependabot-standalone
+- Cleanup and remove acctest triggering
+
+<!-- generated by git-cliff -->

Dockerfile

@@ -1,12 +1,12 @@
-FROM node:18
-ENV AUDIENCE "https://shiny.unbound.se"
-ENV ORIGIN_HOST "auth0mock"
-ENV ORIGIN "https://auth0mock:3333"
+FROM node:20
+ENV AUDIENCE="https://shiny.unbound.se"
+ENV ORIGIN_HOST="auth0mock"
+ENV ORIGIN="https://auth0mock:3333"
 EXPOSE 3333
 WORKDIR /app
 ADD package.json yarn.lock /app/
 RUN yarn install --frozen-lockfile
-ADD app.js cert.js /app/
+ADD *.js /app/
 ADD public /app/public
 RUN mkdir -p /root/.config
-ENTRYPOINT yarn start
+ENTRYPOINT ["yarn", "start"]

README.md

@@ -3,47 +3,68 @@
 > This server helps you to simulate auth0 server locally. So, you are able to use the `/tokeninfo` endpoint to verify your token.
 
 ## Getting Started
-### Prerequisites
-* Install [Node.js](http://nodejs.org)
-    * on OSX use [homebrew](http://brew.sh) `brew install node`
-    * on Windows use [chocolatey](https://chocolatey.org/) `choco install nodejs`
 
+### Prerequisites
+
+- Install [Node.js](http://nodejs.org)
+  - on OSX use [homebrew](http://brew.sh) `brew install node`
+  - on Windows use [chocolatey](https://chocolatey.org/) `choco install nodejs`
 
 ## Installing
-* `fork` this repo
-* `clone` your fork
-* `npm install` to install all dependencies
+
+- `fork` this repo
+- `clone` your fork
+- `npm install` to install all dependencies
 
 ## Running the app
+
 After you have installed all dependencies you can now run the app.
 Run `npm start` to start a local server.
 The port will be displayed to you as `http://0.0.0.0:3333` (or if you prefer IPv6, if you're using `express` server, then it's `http://[::1]:3333/`).
 
+## Initial users
+
+Adding a JSON file with the following layout will populate the users store when starting:
+
+```json
+{
+  "email@test.com": {
+    "given_name": "name",
+    "family_name": "family",
+    "user_id": "id"
+  }
+}
+```
+
+By default `./users.json` will be read but this can be overridden by setting the environment variable `USERS_FILE`.
 
 ## API Documentation
 
 ### `GET` /token/:username
+
 Returns a token with the given user(username). This token can the be used by your application.
 
 ### `POST` /tokeninfo
+
 Returns the data of the token like the username.
 
 **Body**
+
 ```
 {
     "id_token": "your-token-kjasdf6ashasl..."
 }
 ```
 
-
 ## Related Projects
-* [express-typescript-boilerplate](https://github.com/w3tecch/express-typescript-boilerplate) - Boilerplate for an restful express-apllication written in TypeScript
-* [express-graphql-typescript-boilerplate](https://github.com/w3tecch/express-graphql-typescript-boilerplate) - A starter kit for building amazing GraphQL API's with TypeScript and express by @w3tecch
 
+- [express-typescript-boilerplate](https://github.com/w3tecch/express-typescript-boilerplate) - Boilerplate for an restful express-apllication written in TypeScript
+- [express-graphql-typescript-boilerplate](https://github.com/w3tecch/express-graphql-typescript-boilerplate) - A starter kit for building amazing GraphQL API's with TypeScript and express by @w3tecch
 
 ## License
+
 [MIT](/LICENSE)
 
-
 ---
-Made with ♥ by Gery Hirschfeld ([@GeryHirschfeld1](https://twitter.com/GeryHirschfeld1))
+
+Made with ♥ by Gery Hirschfeld ([@GeryHirschfeld1](https://twitter.com/GeryHirschfeld1))

app.js

@@ -8,19 +8,24 @@ const Debug = require('debug')
 const path = require('path')
 const cors = require('cors')
 const bodyParser = require('body-parser')
+const jose = require('node-jose');
 const favicon = require('serve-favicon')
-const cert = require('./cert')
+const initialUsers = require('./users')
 
-let issuer = process.env.ISSUER || 'localhost:3333'
-let jwksOrigin = `https://${issuer}/`
+const issuer = process.env.ISSUER || 'localhost:3333'
+const jwksOrigin = `https://${issuer}/`
 const audience = process.env.AUDIENCE || 'https://generic-audience'
-const adminCustomClaim = process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
-const emailCustomClaim = process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
+const adminCustomClaim =
+  process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
+const emailCustomClaim =
+  process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
 
 const debug = Debug('app')
 
-let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin)
-
+const keyStore = jose.JWK.createKeyStore()
+keyStore.generate('RSA', 2048, { alg: 'RS256', use: 'sig' })
+// let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin)
+const users = initialUsers(process.env.USERS_FILE || './users.json')
 const sessions = {}
 const challenges = {}
 
@@ -37,61 +42,103 @@ const addCustomClaims = (email, customClaims, token) => {
       ...claim
     }
   }, token)
+}
 
+const signToken = async (token) => {
+  const [key] = keyStore.all({ use: 'sig' })
+  const opt = { compact: true, jwk: key, fields: { typ: 'jwt' } }
+  return await jose.JWS.createSign(opt, key)
+    .update(JSON.stringify(token))
+    .final()
 }
 
 // Configure our small auth0-mock-server
-app.options('*', cors(corsOpts))
+app
+  .options('*', cors(corsOpts))
   .use(cors())
-  .use(bodyParser.json())
+  .use(bodyParser.json({ strict: false }))
   .use(bodyParser.urlencoded({ extended: true }))
   .use(cookieParser())
   .use(express.static(`${__dirname}/public`))
   .use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
 
 // This route can be used to generate a valid jwt-token.
-app.post('/oauth/token', (req, res) => {
-  const code = req.body.code
-  const session = sessions[code]
+app.post('/oauth/token', async (req, res) => {
+  const date = Math.floor(Date.now() / 1000)
+  if (req.body.grant_type === 'client_credentials' && req.body.client_id) {
+    const accessToken = await signToken({
+      iss: jwksOrigin,
+      aud: [audience],
+      sub: 'auth0|management',
+      iat: date,
+      exp: date + 7200,
+      azp: req.body.client_id
+    })
 
-  let date = Math.floor(Date.now() / 1000)
-  let accessToken = jwt.sign(Buffer.from(JSON.stringify(addCustomClaims(session.email, session.customClaims, {
-    iss: jwksOrigin,
-    aud: [audience],
-    sub: 'auth0|' + session.email,
-    iat: date,
-    exp: date + 7200,
-    azp: session.clientId
-  }))), privateKey, {
-    algorithm: 'RS256',
-    keyid: thumbprint
-  })
+    const idToken = await signToken({
+      iss: jwksOrigin,
+      aud: req.body.client_id,
+      sub: 'auth0|management',
+      iat: date,
+      exp: date + 7200,
+      azp: req.body.client_id,
+      name: 'Management API'
+    })
 
-  let idToken = jwt.sign(Buffer.from(JSON.stringify(addCustomClaims(session.email, session.customClaims, {
-    iss: jwksOrigin,
-    aud: session.clientId,
-    nonce: session.nonce,
-    sub: 'auth0|' + session.email,
-    iat: date,
-    exp: date + 7200,
-    azp: session.clientId,
-    name: 'Example Person',
-    picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
-  }))), privateKey, {
-    algorithm: 'RS256',
-    keyid: thumbprint
-  })
+    debug('Signed token for management API')
 
-  debug('Signed token for ' + session.email)
-  // res.json({ token });
+    res.json({
+      access_token: accessToken,
+      id_token: idToken,
+      scope: 'openid%20profile%20email',
+      expires_in: 7200,
+      token_type: 'Bearer'
+    })
+  } else if (req.body.code) {
+    const code = req.body.code
+    const session = sessions[code]
+    const accessToken = await signToken(
+      addCustomClaims(session.email, session.customClaims, {
+        iss: jwksOrigin,
+        aud: [audience],
+        sub: 'auth0|' + session.email,
+        iat: date,
+        exp: date + 7200,
+        azp: session.clientId
+      })
+    )
 
-  res.json({
-    access_token: accessToken,
-    id_token: idToken,
-    scope: 'openid%20profile%20email',
-    expires_in: 7200,
-    token_type: 'Bearer'
-  })
+    const idToken = await signToken(
+      addCustomClaims(session.email, session.customClaims, {
+        iss: jwksOrigin,
+        aud: session.clientId,
+        nonce: session.nonce,
+        sub: 'auth0|' + session.email,
+        iat: date,
+        exp: date + 7200,
+        azp: session.clientId,
+        name: 'Example Person',
+        given_name: 'Example',
+        family_name: 'Person',
+        email: session.email,
+        picture:
+          'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
+      })
+    )
+
+    debug('Signed token for ' + session.email)
+
+    res.json({
+      access_token: accessToken,
+      id_token: idToken,
+      scope: 'openid%20profile%20email',
+      expires_in: 7200,
+      token_type: 'Bearer'
+    })
+  } else {
+    res.status(401)
+    res.send('Missing client_id or client_secret')
+  }
 })
 
 // This route can be used to generate a valid jwt-token.
@@ -100,9 +147,12 @@ app.get('/token/:email', (req, res) => {
     debug('No user was given!')
     return res.status(400).send('user is missing')
   }
-  const token = jwt.sign({
-    user_id: 'auth0|' + req.params.email
-  }, privateKey)
+  const token = jwt.sign(
+    {
+      user_id: 'auth0|' + req.params.email
+    },
+    privateKey
+  )
   debug('Signed token for ' + req.params.email)
   res.json({ token })
 })
@@ -127,7 +177,9 @@ app.post('/code', (req, res) => {
     codeChallenge: req.body.codeChallenge,
     customClaims: [claim]
   }
-  res.redirect(`${req.body.redirect}?domain=${issuer}&code=${code}&state=${encodeURIComponent(state)}`)
+  res.redirect(
+    `${req.body.redirect}?code=${code}&state=${encodeURIComponent(state)}`
+  )
 })
 
 app.get('/authorize', (req, res) => {
@@ -138,13 +190,26 @@ app.get('/authorize', (req, res) => {
   const codeChallenge = req.query.code_challenge
   const prompt = req.query.prompt
   const responseMode = req.query.response_mode
+  if (responseMode === 'query') {
+    const code = req.cookies['auth0']
+    const session = sessions[code]
+    if (session) {
+      session.nonce = nonce
+      session.state = state
+      session.codeChallenge = codeChallenge
+      sessions[codeChallenge] = session
+      res.redirect(`${redirect}?code=${codeChallenge}&state=${state}`)
+      return
+    }
+  }
   if (prompt === 'none' && responseMode === 'web_message') {
     const code = req.cookies['auth0']
     const session = sessions[code]
-    session.nonce = nonce
-    session.state = state
-    session.codeChallenge = codeChallenge
-    res.send(`
+    if (session) {
+      session.nonce = nonce
+      session.state = state
+      session.codeChallenge = codeChallenge
+      res.send(`
 <!DOCTYPE html>
 <html>
   <body>
@@ -162,13 +227,16 @@ app.get('/authorize', (req, res) => {
   </script>
   </body>
 </html>`)
-  } else {
-    res.cookie('auth0', codeChallenge, {
-      sameSite: 'None',
-      secure: true,
-      httpOnly: true
-    })
-    res.send(`
+      return
+    }
+  }
+
+  res.cookie('auth0', codeChallenge, {
+    sameSite: 'None',
+    secure: true,
+    httpOnly: true
+  })
+  res.send(`
 <html lang='en'>
   <head>
     <meta charset='utf-8'>
@@ -209,35 +277,96 @@ app.get('/authorize', (req, res) => {
   </body>
 </html>
 `)
-  }
 })
 
 app.get('/userinfo', (req, res) => {
-  res.contentType('application/json').send(JSON.stringify({ picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg' }))
+  res.contentType('application/json').send(
+    JSON.stringify({
+      picture:
+        'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
+    })
+  )
 })
 
 app.get('/v2/logout', (req, res) => {
-  res.redirect(`${req.query.returnTo}?domain=${issuer}`)
+  const code = req.cookies['auth0']
+  const session = sessions[code]
+  if (session) {
+    delete sessions[code]
+  }
+  res.redirect(req.query.returnTo)
+})
+
+app.get('/.well-known/openid-configuration', (req, res) => {
+  debug('Fetching OpenID configuration')
+  res.contentType('application/json').send(
+    JSON.stringify({
+      "issuer":
+        `${jwksOrigin}`,
+      "authorization_endpoint":
+        `${jwksOrigin}authorize`,
+      "token_endpoint":
+        `${jwksOrigin}oauth/token`,
+      "token_endpoint_auth_methods_supported":
+        ["client_secret_basic", "private_key_jwt"],
+      "token_endpoint_auth_signing_alg_values_supported":
+        ["RS256"],
+      "userinfo_endpoint":
+        `${jwksOrigin}userinfo`,
+      "check_session_iframe":
+        `${jwksOrigin}check_session`,
+      "end_session_endpoint":
+        `${jwksOrigin}end_session`,
+      "jwks_uri":
+        `${jwksOrigin}.well-known/jwks.json`,
+      "registration_endpoint":
+        `${jwksOrigin}register`,
+      "scopes_supported":
+        ["openid", "profile", "email", "address",
+          "phone", "offline_access"],
+      "response_types_supported":
+        ["code", "code id_token", "id_token", "id_token token"],
+      "acr_values_supported":
+        [],
+      "subject_types_supported":
+        ["public", "pairwise"],
+      "userinfo_signing_alg_values_supported":
+        ["RS256", "ES256", "HS256"],
+      "userinfo_encryption_alg_values_supported":
+        ["RSA-OAEP-256", "A128KW"],
+      "userinfo_encryption_enc_values_supported":
+        ["A128CBC-HS256", "A128GCM"],
+      "id_token_signing_alg_values_supported":
+        ["RS256", "ES256", "HS256"],
+      "id_token_encryption_alg_values_supported":
+        ["RSA-OAEP-256", "A128KW"],
+      "id_token_encryption_enc_values_supported":
+        ["A128CBC-HS256", "A128GCM"],
+      "request_object_signing_alg_values_supported":
+        ["none", "RS256", "ES256"],
+      "display_values_supported":
+        ["page", "popup"],
+      "claim_types_supported":
+        ["normal", "distributed"],
+      "claims_supported":
+        ["sub", "iss", "auth_time", "acr",
+          "name", "given_name", "family_name", "nickname",
+          "profile", "picture", "website",
+          "email", "email_verified", "locale", "zoneinfo",
+          "https://unbound.se/email", "https://unbound.se/admin"],
+      "claims_parameter_supported":
+        true,
+      "service_documentation":
+        "http://auth0/",
+      "ui_locales_supported":
+        ["en-US"]
+    })
+  )
 })
 
 app.get('/.well-known/jwks.json', (req, res) => {
-  res
-    .contentType('application/json')
-    .send(JSON.stringify({
-      keys: [
-        {
-          alg: 'RS256',
-          // e: 'AQAB',
-          e: exponent,
-          kid: thumbprint,
-          kty: 'RSA',
-          n: modulus,
-          use: 'sig',
-          x5c: [certDer],
-          x5t: thumbprint
-        }
-      ]
-    }))
+  debug('Fetching JWKS')
+  res.contentType('application/json').send(keyStore.toJSON())
 })
 
 // This route returns the inside of a jwt-token. Your main application
@@ -257,21 +386,59 @@ app.post('/tokeninfo', (req, res) => {
   }
 })
 
-app.post('/issuer', (req, res) => {
-  if (!req.body.issuer) {
-    debug('No issuer given in the body!')
-    return res.status(401).send('missing issuer')
+app.get('/api/v2/users-by-email', (req, res) => {
+  const email = req.query.email
+  console.log('users', users)
+  const user = users[email]
+  if (user === undefined) {
+    res.json([])
+  } else {
+    res.json([user])
   }
-  issuer = req.body.issuer
-  jwksOrigin = `https://${issuer}/`
-  const { privateKey: key, certDer: der, thumbprint: thumb, exponent: exp, modulus: mod } = cert(jwksOrigin)
-  privateKey = key
-  certDer = der
-  thumbprint = thumb
-  exponent = exp
-  modulus = mod
-  debug('Issuer set to ' + req.body.issuer)
-  res.send('ok')
+})
+
+app.patch('/api/v2/users/:userid', (req, res) => {
+  const email = req.params.userid.slice(6)
+  console.log('patching user with id', email)
+  const user = users[email]
+  if (!user) {
+    res.sendStatus(404)
+    return
+  }
+  users[email] = {
+    email: email,
+    given_name: req.body.given_name || user.given_name,
+    family_name: req.body.family_name || user.family_name,
+    user_id: email,
+    picture: req.body.picture || user.picture
+  }
+  res.json({
+    user_id: `auth0|${email}`
+  })
+})
+
+app.post('/api/v2/users', (req, res) => {
+  const email = req.body.email
+  users[email] = {
+    email: email,
+    given_name: 'Given',
+    family_name: 'Last',
+    user_id: email
+  }
+  res.json({
+    user_id: `auth0|${email}`
+  })
+})
+
+app.post('/api/v2/tickets/password-change', (req, res) => {
+  res.json({
+    ticket: `https://some-url`
+  })
+})
+
+app.use(function (req, res, next) {
+  console.log('404', req.path)
+  res.status(404).send('error: 404 Not Found ' + req.path)
 })
 
 app.listen(3333, () => {

cert.js

@@ -1,132 +0,0 @@
-const base64url = require('base64-url')
-const createHash = require('crypto').createHash
-const forge = require('node-forge')
-const NodeRSA = require('node-rsa')
-
-const PRIVATE_KEY_PEM =
-  '-----BEGIN RSA PRIVATE KEY-----\n' +
-  'MIIEpAIBAAKCAQEApoocpO3bbUF6o8eyJlQCfwLahEsunWdVF++yOEyKu4Lp1j0m\n' +
-  '2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm93g0q2nRuYEoS+W3o6X50wjOVm8f\n' +
-  'r/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIBt+xVY4I+k6uXJJJMzbgvahAgSLZ9\n' +
-  'RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6IognqXHP6AwKZXpT6jCzjzq9uyHxVcud\n' +
-  'qw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1NUqVoiOrO4jaDB1IdLD+YmRE/JjOH\n' +
-  'sWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBrHwIDAQABAoIBAHAdmpsN5iLvafjI\n' +
-  'f45+EBAhg6p8Uq102zx6CakNHniN8Y5hLL7RJtJRwDBNqKrGv93LUoQDRhXfGw+Y\n' +
-  'iF0NVIhVTF/5pU8VPGOcCr0JB96ilwZpWRPIQW7NZAMu/GBeiMYls/IB/TXrSnv9\n' +
-  'h6/nBfEkEXgkPqx7YA0m0L3NuV3U1lCY/LhBJY4Xvi0uRdqu3tTHXftehuPwC4UB\n' +
-  '42eJTWv/qLeOlkCdUUV4f7+dNaES88Vdhj6lu/BusnNhvnwHQik4dNwzPCGeP8NV\n' +
-  '5gaesWiNWFZuTURGKk1B65p5LzNPjsVT50RDuW8FnSZwIvNcohrX9ILPsmg/t0Kr\n' +
-  'ozcOksECgYEA4XWOK4twx5RG162zveRHqU7H9RBWSz7/PzM9Eob9vx/tC/b1YqBR\n' +
-  'VShk23vje19eNiYWAkxcpobIP4ek/0ZT8nHkJg8wl+J/hnXADcvwv2dKnoFnm5pn\n' +
-  'rTBUKc8R3wrSlAV8XQAtdnxsfFa5AOQJ6WFVI9AdfH3Iw8XZk4gIIPMCgYEAvRlY\n' +
-  'y80HnR3kwMOqY488V1qk41dmfNqa+YDL+zkPF1HhHI9VnK5BQuI7lyKJl984KwHu\n' +
-  '0gbwx3Wp4XkD5JUboEpl5LnaLsjEWemjTaQWdvJHPd5wkJ0m/jRQ2YeT4g2gFu4y\n' +
-  'Pi/pWkrzhnzQQVAmOdAm5Kj27LtDzp0lspw3uCUCgYEAw2YdvFGSgfZZW4147QeO\n' +
-  'sAbON+9bysUjdMPUl10VR/LEgA0d6MdnFfX3S13Y7tDdlvJ1OrKxzcWcgaru7ism\n' +
-  'kEXy5KVfiRNNUNx2gb6RvWEpA6zFfc9ZMXlkSAPlyjfX/1+tw/Bmdn0pjK2gk0wP\n' +
-  '5wtrPameFInzWPD9O+a2nM8CgYBZ6UhgNs+M9B7FTQOiLQPa4R2PfwobCXIwef4D\n' +
-  'KIE1bFgl1T02r2AWZi1BUkmr7ZXuVQ/xyx0HKbopm/mu4PruvxEtrPTB0/IQcleU\n' +
-  'XhXUXqRjFXXePOrCaaubkqxNCn95B67aBLvmk8awxn3a4DocuQ0VIgWuT+gQwIWh\n' +
-  'JEgWBQKBgQDKD+2Yh1/rUzu15lbPH0JSpozUinuFjePieR/4n+5CtEUxWJ2f0WeK\n' +
-  's4XWWf2qgUccjpiGju2UR840mgWROoZ8BfSTd5tg1F7bo0HMgu2hu0RIRpZcRhsA\n' +
-  'Cd0GrJvf1t0QIdDCXAy+RpgU1SLSq4Q6Lomc0WA5C5nBw9RKEUOV9A==\n' +
-  '-----END RSA PRIVATE KEY-----\n'
-
-const PUBLIC_KEY_PEM =
-  '-----BEGIN PUBLIC KEY-----\n' +
-  'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoocpO3bbUF6o8eyJlQC\n' +
-  'fwLahEsunWdVF++yOEyKu4Lp1j0m2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm\n' +
-  '93g0q2nRuYEoS+W3o6X50wjOVm8fr/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIB\n' +
-  't+xVY4I+k6uXJJJMzbgvahAgSLZ9RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6Iogn\n' +
-  'qXHP6AwKZXpT6jCzjzq9uyHxVcudqw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1N\n' +
-  'UqVoiOrO4jaDB1IdLD+YmRE/JjOHsWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBr\n' +
-  'HwIDAQAB\n' +
-  '-----END PUBLIC KEY-----\n'
-
-const createCertificate = ({
-                             publicKey,
-                             privateKey,
-                             jwksOrigin
-                           }) => {
-  const cert = forge.pki.createCertificate()
-  cert.publicKey = publicKey
-  cert.serialNumber = '123'
-  const attrs = [
-    {
-      name: 'commonName',
-      value: `${jwksOrigin}`
-    }
-  ]
-  cert.validity.notBefore = new Date()
-  cert.validity.notAfter = new Date()
-  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1)
-  cert.setSubject(attrs)
-  cert.setIssuer(attrs)
-  cert.sign(privateKey)
-  return forge.pki.certificateToPem(cert)
-}
-
-const getCertThumbprint = (certificate) => {
-  const shasum = createHash('sha1')
-  const der = Buffer.from(certificate).toString('binary')
-  shasum.update(der)
-  return shasum.digest('base64')
-}
-
-const createKeyPair = () => {
-  const privateKey = forge.pki.privateKeyFromPem(PRIVATE_KEY_PEM)
-  const publicKey = forge.pki.publicKeyFromPem(PUBLIC_KEY_PEM)
-  return {
-    privateKey,
-    publicKey
-  }
-}
-
-const bnToB64 = (bn) => {
-  let hex = BigInt(bn).toString(16)
-  if (hex.length % 2) {
-    hex = '0' + hex
-  }
-
-  const bin = []
-  let i = 0
-  let d
-  let b
-  while (i < hex.length) {
-    d = parseInt(hex.slice(i, i + 2), 16)
-    b = String.fromCharCode(d)
-    bin.push(b)
-    i += 2
-  }
-
-  return Buffer.from(bin.join(''), 'binary').toString('base64')
-}
-
-const setup = (jwksOrigin) => {
-  const { privateKey, publicKey } = createKeyPair()
-  const certPem = createCertificate({
-    jwksOrigin,
-    privateKey,
-    publicKey
-  })
-  const certDer = forge.util.encode64(
-    forge.asn1
-      .toDer(forge.pki.certificateToAsn1(forge.pki.certificateFromPem(certPem)))
-      .getBytes()
-  )
-  const thumbprint = base64url.encode(getCertThumbprint(certDer))
-
-  const helperKey = new NodeRSA()
-  helperKey.importKey(forge.pki.privateKeyToPem(privateKey))
-  const { n: modulus, e: exponent } = helperKey.exportKey('components')
-
-  return {
-    privateKey: forge.pki.privateKeyToPem(privateKey),
-    certDer,
-    thumbprint: thumbprint.toString(),
-    exponent: bnToB64(exponent),
-    modulus: modulus.toString('base64')
-  }
-}
-
-module.exports = setup

k8s/deploy.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: auth0mock
-          image: registry.gitlab.com/unboundsoftware/shiny/auth0mock:${COMMIT}
+          image: registry.gitlab.com/unboundsoftware/auth0mock:${COMMIT}
           imagePullPolicy: "IfNotPresent"
           resources:
             requests:

k8s/ingress-test.yaml

@@ -1,4 +1,4 @@
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: auth0-ingress

package.json

@@ -6,23 +6,26 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "dev": "nodemon ./app.js",
-    "start": "node ./app.js"
+    "start": "node ./app.js",
+    "lint:prettier": "prettier --check .",
+    "lint": "yarn lint:prettier",
+    "lintfix": "prettier --write --list-different ."
   },
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "base64-url": "^2.3.3",
-    "body-parser": "^1.20.0",
-    "buffer": "^6.0.3",
+    "body-parser": "^1.20.2",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.3",
     "debug": "^4.3.4",
-    "express": "^4.18.0",
+    "express": "^4.18.2",
     "https-localhost": "^4.7.1",
-    "jsonwebtoken": "^8.5.1",
-    "node-forge": "^1.3.1",
-    "node-rsa": "^1.1.1",
-    "nodemon": "^2.0.15",
+    "jsonwebtoken": "^9.0.2",
+    "node-jose": "^2.2.0",
+    "nodemon": "^3.1.0",
     "serve-favicon": "^2.4.2"
+  },
+  "devDependencies": {
+    "prettier": "^3.2.5"
   }
 }

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

users.js

@@ -0,0 +1,18 @@
+const fs = require('fs')
+
+const setup = (usersFile) => {
+  let users = {}
+  if (fs.existsSync(usersFile)) {
+    console.log(`initial users file "${usersFile}" exists, reading`)
+    const read = fs.readFileSync(usersFile, { encoding: 'utf8', flag: 'r' })
+    users = JSON.parse(read)
+    for (let key of Object.keys(users)) {
+      users[key] = { ...users[key], email: key }
+    }
+    console.log('users:', users)
+  } else {
+    console.log(`initial users file "${usersFile}" missing`)
+  }
+  return users
+}
+module.exports = setup