269 lines
7.8 KiB
JavaScript
269 lines
7.8 KiB
JavaScript
process.env.DEBUG = 'app*';
|
|
|
|
const express = require('express');
|
|
const cookieParser = require('cookie-parser')
|
|
const app = express();
|
|
const jwt = require('jsonwebtoken');
|
|
const Debug = require('debug');
|
|
const path = require('path');
|
|
const cors = require('cors');
|
|
const bodyParser = require('body-parser');
|
|
const favicon = require('serve-favicon');
|
|
const cert = require('./cert');
|
|
|
|
let issuer = 'localhost:3333';
|
|
let jwksOrigin = `https://${issuer}/`;
|
|
const audience = process.env.AUDIENCE || 'https://generic-audience';
|
|
|
|
const debug = Debug('app');
|
|
|
|
let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin);
|
|
|
|
const sessions = {}
|
|
const challenges = {}
|
|
|
|
const corsOpts = (req, cb) => {
|
|
cb(null, { origin: req.headers.origin })
|
|
}
|
|
|
|
// Configure our small auth0-mock-server
|
|
app.options('*', cors(corsOpts))
|
|
.use(cors())
|
|
.use(bodyParser.json())
|
|
.use(bodyParser.urlencoded({ extended: true }))
|
|
.use(cookieParser())
|
|
.use(express.static(`${__dirname}/public`))
|
|
.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));
|
|
|
|
// This route can be used to generate a valid jwt-token.
|
|
app.post('/oauth/token', (req, res) => {
|
|
const code = req.body.code
|
|
const session = sessions[code]
|
|
|
|
let date = Math.floor(Date.now() / 1000);
|
|
let accessToken = jwt.sign(Buffer.from(JSON.stringify({
|
|
iss: jwksOrigin,
|
|
aud: [audience],
|
|
sub: 'auth0|' + session.email,
|
|
iat: date,
|
|
exp: date + 7200,
|
|
azp: session.clientId,
|
|
})), privateKey, {
|
|
algorithm: 'RS256',
|
|
keyid: thumbprint
|
|
});
|
|
|
|
let idToken = jwt.sign(Buffer.from(JSON.stringify({
|
|
iss: jwksOrigin,
|
|
aud: session.clientId,
|
|
nonce: session.nonce,
|
|
sub: 'auth0|' + session.email,
|
|
iat: date,
|
|
exp: date + 7200,
|
|
azp: session.clientId,
|
|
name: 'Example Person',
|
|
picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg',
|
|
'https://unbound.se/roles': session.roles
|
|
})), privateKey, {
|
|
algorithm: 'RS256',
|
|
keyid: thumbprint
|
|
});
|
|
|
|
debug('Signed token for ' + session.email);
|
|
// res.json({ token });
|
|
|
|
res.json({
|
|
access_token: accessToken,
|
|
id_token: idToken,
|
|
scope: 'openid%20profile%20email',
|
|
expires_in: 7200,
|
|
token_type: 'Bearer'
|
|
})
|
|
});
|
|
|
|
// This route can be used to generate a valid jwt-token.
|
|
app.get('/token/:email', (req, res) => {
|
|
if (!req.params.email) {
|
|
debug('No user was given!');
|
|
return res.status(400).send('user is missing');
|
|
}
|
|
const token = jwt.sign({
|
|
user_id: 'auth0|' + req.params.email,
|
|
}, privateKey);
|
|
debug('Signed token for ' + req.params.email);
|
|
res.json({ token });
|
|
});
|
|
|
|
app.post('/code', (req, res) => {
|
|
if (!req.body.email || !req.body.password || !req.body.codeChallenge) {
|
|
debug('Body is invalid!', req.body);
|
|
return res.status(400).send('Email or password is missing!');
|
|
}
|
|
|
|
const code = req.body.codeChallenge
|
|
challenges[req.body.codeChallenge] = code
|
|
const state = req.body.state
|
|
let roles = []
|
|
if (req.body.admin === 'true') {
|
|
roles = ['admin']
|
|
}
|
|
sessions[code] = {
|
|
email: req.body.email,
|
|
password: req.body.password,
|
|
state: req.body.state,
|
|
nonce: req.body.nonce,
|
|
clientId: req.body.clientId,
|
|
codeChallenge: req.body.codeChallenge,
|
|
roles: roles
|
|
}
|
|
res.redirect(`${req.body.redirect}?domain=${issuer}&code=${code}&state=${encodeURIComponent(state)}`)
|
|
})
|
|
|
|
app.get('/authorize', (req, res) => {
|
|
const redirect = req.query.redirect_uri;
|
|
const state = req.query.state;
|
|
const nonce = req.query.nonce;
|
|
const clientId = req.query.client_id;
|
|
const codeChallenge = req.query.code_challenge;
|
|
const prompt = req.query.prompt;
|
|
const responseMode = req.query.response_mode;
|
|
if (prompt === 'none' && responseMode === 'web_message') {
|
|
const code = req.cookies['auth0']
|
|
const session = sessions[code]
|
|
session.nonce = nonce
|
|
session.state = state
|
|
session.codeChallenge = codeChallenge
|
|
res.send(`
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<body>
|
|
<script type="text/javascript">
|
|
(() => {
|
|
const msg = {
|
|
type: 'authorization_response',
|
|
response: {
|
|
code: '${code}',
|
|
state: '${state}'
|
|
}
|
|
}
|
|
parent.postMessage(msg, "*")
|
|
})()
|
|
</script>
|
|
</body>
|
|
</html>`)
|
|
} else {
|
|
res.cookie('auth0', codeChallenge, {
|
|
sameSite: 'None',
|
|
secure: true,
|
|
httpOnly: true
|
|
})
|
|
res.send(`
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|
|
<title>Auth</title>
|
|
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
|
|
</head>
|
|
<body>
|
|
<div class="container">
|
|
<form method="post" action="/code">
|
|
<div class="card" style="width: 18rem;">
|
|
<div class="card-body">
|
|
<h5 class="card-title">Login</h5>
|
|
<div class="form-group">
|
|
<label for="email">Email</label>
|
|
<input type="text" name="email" id="email" class="form-control">
|
|
</div>
|
|
<div class="form-group">
|
|
<label for="password">Password</label>
|
|
<input type="password" name="password" id="password" class="form-control">
|
|
</div>
|
|
<div class="form-check">
|
|
<input class="form-check-input" type="checkbox" name="admin" value="true" id="admin">
|
|
<label class="form-check-label" for="admin">
|
|
Admin
|
|
</label>
|
|
</div>
|
|
<button type="submit" class="btn btn-primary">Login</button>
|
|
<input type="hidden" value="${redirect}" name="redirect">
|
|
<input type="hidden" value="${state}" name="state">
|
|
<input type="hidden" value="${nonce}" name="nonce">
|
|
<input type="hidden" value="${clientId}" name="clientId">
|
|
<input type="hidden" value="${codeChallenge}" name="codeChallenge">
|
|
</div>
|
|
</div>
|
|
</form>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
`)
|
|
}
|
|
});
|
|
|
|
app.get('/userinfo', (req, res) => {
|
|
res.contentType('application/json').send(JSON.stringify({ picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg' }))
|
|
});
|
|
|
|
app.get('/v2/logout', (req, res) => {
|
|
res.redirect(`${req.query.returnTo}?domain=${issuer}`)
|
|
})
|
|
|
|
app.get('/.well-known/jwks.json', (req, res) => {
|
|
res
|
|
.contentType('application/json')
|
|
.send(JSON.stringify({
|
|
keys: [
|
|
{
|
|
alg: 'RS256',
|
|
// e: 'AQAB',
|
|
e: exponent,
|
|
kid: thumbprint,
|
|
kty: 'RSA',
|
|
n: modulus,
|
|
use: 'sig',
|
|
x5c: [certDer],
|
|
x5t: thumbprint,
|
|
},
|
|
],
|
|
}));
|
|
});
|
|
|
|
// This route returns the inside of a jwt-token. Your main application
|
|
// should use this route to keep the auth0-flow
|
|
app.post('/tokeninfo', (req, res) => {
|
|
if (!req.body.id_token) {
|
|
debug('No token given in the body!');
|
|
return res.status(401).send('missing id_token');
|
|
}
|
|
const data = jwt.decode(req.body.id_token);
|
|
if (data) {
|
|
debug('Return token data from ' + data.user_id);
|
|
res.json(data);
|
|
} else {
|
|
debug('The token was invalid and could not be decoded!');
|
|
res.status(401).send('invalid id_token');
|
|
}
|
|
});
|
|
|
|
app.post('/issuer', (req, res) => {
|
|
if (!req.body.issuer) {
|
|
debug('No issuer given in the body!');
|
|
return res.status(401).send('missing issuer');
|
|
}
|
|
issuer = req.body.issuer;
|
|
jwksOrigin = `https://${issuer}/`;
|
|
const { privateKey: key, certDer: der, thumbPrint: thumb, exponent: exp, modulus: mod } = cert(jwksOrigin);
|
|
privateKey = key;
|
|
certDer = der;
|
|
thumbprint = thumb;
|
|
exponent = exp;
|
|
modulus = mod;
|
|
debug('Issuer set to ' + req.body.issuer);
|
|
res.send('ok')
|
|
});
|
|
|
|
app.listen(3333, () => {
|
|
debug('Auth0-Mock-Server listening on port 3333!');
|
|
});
|