-
Notifications
You must be signed in to change notification settings - Fork 413
/
Copy pathconfig.ts
401 lines (352 loc) · 12.2 KB
/
config.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
import type {
AuthorizationParameters as OidcAuthorizationParameters,
ClientAuthMethod
} from './client/abstract-client';
import type { Agent } from 'https';
import { SessionStore } from './session/stateful-session';
import { Auth0RequestCookies } from './http';
/**
* Configuration properties.
*/
export interface Config {
/**
* The secret(s) used to derive an encryption key for the user identity in a session cookie and
* to sign the transient cookies used by the login callback.
* Use a single string key or array of keys for an encrypted session cookie.
*/
secret: string | Array<string>;
/**
* Object defining application session cookie attributes.
*/
session: SessionConfig;
/**
* Boolean value to enable Auth0's logout feature.
*/
auth0Logout?: boolean;
/**
* URL parameters used when redirecting users to the authorization server to log in.
*
* If this property is not provided by your application, its default values will be:
*
* ```js
* {
* response_type: 'id_token',
* response_mode: 'form_post',
* scope: 'openid profile email'
* }
* ```
*
* New values can be passed in to change what is returned from the authorization server
* depending on your specific scenario.
*
* For example, to receive an access token for an API, you could initialize like the sample below.
* Note that `response_mode` can be omitted because the OAuth2 default mode of `query` is fine:
*
* ```js
* app.use(auth({
* authorizationParams: {
* response_type: 'code',
* scope: 'openid profile email read:reports',
* audience: 'https://your-auth0-api-identifier'
* }
* }));
* ```
*
* Additional custom parameters can be added as well:
*
* ```js
* app.use(auth({
* authorizationParams: {
* // Note: you need to provide required parameters if this object is set
* response_type: 'id_token',
* response_mode: 'form_post',
* scope: 'openid profile email',
* // Additional parameters
* acr_value: 'tenant:test-tenant',
* custom_param: 'custom-value'
* }
* }));
* ```
*/
authorizationParams: AuthorizationParameters;
/**
* The root URL for the application router, for example `https://localhost`.
*/
baseURL: string;
/**
* The Client ID for your application.
*/
clientID: string;
/**
* The Client Secret for your application.
* Required when requesting access tokens.
*/
clientSecret?: string;
/**
* Integer value for the system clock's tolerance (leeway) in seconds for ID token verification.`
* Defaults to `60` seconds.
*/
clockTolerance: number;
/**
* Integer value for the HTTP timeout in milliseconds for authentication requests.
* Defaults to `5000` ms.
*/
httpTimeout: number;
/**
* Instance of an HTTP agent for authentication requests.
* (This is for the Node.js runtime only)
*/
httpAgent?: Agent;
/**
* Boolean value to opt-out of sending the library and Node.js version to your authorization server
* via the `Auth0-Client` header. Defaults to `true`.
*/
enableTelemetry: boolean;
/**
* Function that returns an object with URL-safe state values for login.
* Used for passing custom state parameters to your authorization server.
*
* ```js
* app.use(auth({
* ...
* getLoginState(options) {
* return {
* returnTo: options.returnTo || req.originalUrl,
* customState: 'foo'
* };
* }
* }));
* ```
*/
getLoginState: (options: LoginOptions) => Record<string, any>;
/**
* Array value of claims to remove from the ID token before storing the cookie session.
* Defaults to `['aud', 'iss', 'iat', 'exp', 'nbf', 'nonce', 'azp', 'auth_time', 's_hash', 'at_hash', 'c_hash']`.
*/
identityClaimFilter: string[];
/**
* Boolean value to log the user out from the identity provider on application logout. Defaults to `true`.
*/
idpLogout: boolean;
/**
* String value for the expected ID token algorithm. Defaults to 'RS256'.
*/
idTokenSigningAlg: string;
/**
* **REQUIRED** The root URL for the token issuer with no trailing slash.
*/
issuerBaseURL: string;
/**
* Set a fallback cookie with no SameSite attribute when `response_mode` is `form_post`.
* Defaults to `true`.
*/
legacySameSiteCookie: boolean;
routes: {
/**
* Either a relative path to the application or a valid URI to an external domain.
* This value must be registered on the authorization server.
* The user will be redirected to this after a logout has been performed.
*/
postLogoutRedirect: string;
/**
* Relative path to the application callback to process the response from the authorization server.
*/
callback: string;
};
/**
* The clients authentication method. Default is `none` when using response_type='id_token`,`private_key_jwt` when
* using a `clientAssertionSigningKey`, otherwise `client_secret_basic`.
*/
clientAuthMethod?: ClientAuthMethod;
/**
* Private key for use with `private_key_jwt` clients.
* This should be a string that is the contents of a PEM file.
* you can also use the `AUTH0_CLIENT_ASSERTION_SIGNING_KEY` environment variable.
*
* For Edge runtime, you can also provide an instance of `CryptoKey`.
*/
clientAssertionSigningKey?: string | CryptoKey;
/**
* The algorithm used to sign the client assertion JWT.
* Uses one of `token_endpoint_auth_signing_alg_values_supported` if not specified.
* If the Authorization Server discovery document does not list `token_endpoint_auth_signing_alg_values_supported`
* this property will be required.
* You can also use the `AUTH0_CLIENT_ASSERTION_SIGNING_ALG` environment variable.
*/
clientAssertionSigningAlg?: string;
/**
* By default, the transaction cookie takes the same settings as the
* session cookie. But you may want to configure the session cookie to be more
* secure in a way that would break the OAuth flow's usage of the transaction
* cookie (Setting SameSite=Strict for example).
*/
transactionCookie: Omit<CookieConfig, 'transient' | 'httpOnly'> & { name: string };
/**
* Set to `true` to enable Back-Channel Logout in your application.
*
* On receipt of a Logout Token the backchannelLogout webhook will store the token, then on any
* subsequent requests, will check the store for a Logout Token that corresponds to the
* current session. If it finds one, it will log the user out.
*
* In order for this to work you need to specify a {@link BackchannelLogoutOptions.store},
* or you can reuse {@link SessionConfigParams.store} if you are using one already.
*
* See: https://openid.net/specs/openid-connect-backchannel-1_0.html
*/
backchannelLogout: boolean | BackchannelLogoutOptions;
/**
* Set to `true` to perform a Pushed Authorization Request at the issuer's
* `pushed_authorization_request_endpoint` at login.
*
* See: https://www.rfc-editor.org/rfc/rfc9126.html
*/
pushedAuthorizationRequests: boolean;
}
export interface BackchannelLogoutOptions {
/**
* Used to store Back-Channel Logout entries, you can specify a separate store
* for this or just reuse {@link SessionConfig.store} if you are using one already.
*
* The store should have `get`, `set` and `destroy` methods.
*/
store: SessionStore<any>;
}
/**
* Configuration parameters used for the application session.
*/
export interface SessionConfig {
/**
* String value for the cookie name used for the internal session.
* This value must only include letters, numbers, and underscores.
* Defaults to `appSession`.
*/
name: string;
/**
* By default, the session is stateless and stored in an encrypted cookie. But if you want a stateful session
* you can provide a store with `get`, `set` and `destroy` methods to store the session on the server side.
*/
store?: SessionStore<any>;
/**
* A function for generating a session id when using a custom session store.
*
* **IMPORTANT** You must use a suitably unique value to prevent collisions.
*/
genId?: <Req = any, SessionType extends { [key: string]: any } = { [key: string]: any }>(
req: Req,
session: SessionType
) => string | Promise<string>;
/**
* If you want your session duration to be rolling, resetting everytime the
* user is active on your site, set this to `true`. If you want the session
* duration to be absolute, where the user gets logged out a fixed time after login
* regardless of activity, set this to `false`.
* Defaults to `true`.
*/
rolling: boolean;
/**
* Integer value, in seconds, for application session rolling duration.
* The amount of time for which the user must be idle for then to be logged out.
* Should be `false` when rolling is `false`.
* Defaults to `86400` seconds (1 day).
*/
rollingDuration: number | false;
/**
* Integer value, in seconds, for application absolute rolling duration.
* The amount of time after the user has logged in that they will be logged out.
* Set this to `false` if you don't want an absolute duration on your session.
* Defaults to `604800` seconds (7 days).
*/
absoluteDuration: boolean | number;
/**
* Boolean value to enable automatic session saving when using rolling sessions.
* If this is `false`, you must call `touchSession(req, res)` to update the session.
* Defaults to `true`.
*/
autoSave?: boolean;
/**
* Boolean value to store the ID token in the session. Storing it can make the session cookie too
* large.
* Defaults to `true`.
*/
storeIDToken: boolean;
cookie: CookieConfig;
}
export interface CookieConfig {
/**
* Domain name for the cookie.
* Passed to the [response cookie](https://expressjs.com/en/api.html#res.cookie) as `domain`.
*/
domain?: string;
/**
* Path for the cookie.
* Passed to the [response cookie](https://expressjs.com/en/api.html#res.cookie) as `path`.
*/
path?: string;
/**
* Set to `true` to use a transient cookie (cookie without an explicit expiration).
* Defaults to `false`.
*/
transient: boolean;
/**
* Flags the cookie to be accessible only by the web server.
* Passed to the [response cookie](https://expressjs.com/en/api.html#res.cookie) as `httponly`.
* Defaults to `true`.
*/
httpOnly: boolean;
/**
* Marks the cookie to be used over secure channels only.
* Passed to the [response cookie](https://expressjs.com/en/api.html#res.cookie) as `secure`.
* Defaults to the protocol of {@link Config.baseURL}.
*/
secure?: boolean;
/**
* Value of the SameSite `Set-Cookie` attribute.
* Passed to the [response cookie](https://expressjs.com/en/api.html#res.cookie) as `samesite`.
* Defaults to `Lax` but will be adjusted based on {@link AuthorizationParameters.response_type}.
*/
sameSite: 'lax' | 'strict' | 'none';
}
export interface AuthorizationParameters extends OidcAuthorizationParameters {
scope: string;
response_mode: 'query' | 'form_post';
response_type: 'id_token' | 'code id_token' | 'code';
}
export type GetLoginState = (options: LoginOptions) => { [key: string]: any };
/**
* Custom options to pass to the login handler.
*/
export interface LoginOptions {
/**
* Override the default {@link Config.authorizationParams authorizationParams}.
*/
authorizationParams?: Partial<AuthorizationParameters>;
/**
* URL to return to after login. Overrides the default in {@link Config.baseURL}.
*/
returnTo?: string;
/**
* Generate a unique state value for use during login transactions.
*/
getLoginState?: GetLoginState;
}
/**
* Custom options to pass to the logout handler.
*/
export interface LogoutOptions {
/**
* URL to return to after logout. Overrides the
* default in {@link Config.routes.postLogoutRedirect routes.postLogoutRedirect}.
*/
returnTo?: string;
/**
* Additional custom parameters to pass to the logout endpoint.
*
* @example pass the federated logout param per https://auth0.com/docs/authenticate/login/logout/log-users-out-of-idps
*
* ```js
* handleLogout(req, res, { logoutParams: { federated: '' } });
* ```
*/
logoutParams?: { [key: string]: any };
}
export type GetConfig = Config | ((req: Auth0RequestCookies) => Config | Promise<Config>);