Skip to content

Commit

Permalink
Merge branch 'ts-conversion' into main
Browse files Browse the repository at this point in the history 
# Conflicts:
#	package-lock.json
#	package.json
  • Loading branch information
@deepakprabhakara
deepakprabhakara committed Dec 31, 2021
2 parents 36bfc12 + 9cb7264 commit c1aa424
Show file tree
Hide file tree
Showing 64 changed files with 4,341 additions and 2,322 deletions.
12 changes: 12 additions & 0 deletions nodemon.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{
"restartable": "rs",
"ignore": [".git", "node_modules/", "dist/", "coverage/"],
"watch": ["src/"],
"execMap": {
"ts": "node -r ts-node/register"
},
"env": {
"NODE_ENV": "development"
},
"ext": "js,json,ts"
}
2 changes: 2 additions & 0 deletions .eslintignore
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
node_modules
dist
27 changes: 16 additions & 11 deletions .eslintrc.js
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,18 @@
module.exports = {
"env": {
"es2021": true,
"node": true
},
"extends": "eslint:recommended",
"parserOptions": {
"ecmaVersion": 13,
"sourceType": "module"
},
"rules": {
}
env: {
es2021: true,
node: true,
},
parserOptions: {
ecmaVersion: 13,
sourceType: 'module',
},
root: true,
parser: '@typescript-eslint/parser',
plugins: ['@typescript-eslint'],
extends: [
'eslint:recommended',
'plugin:@typescript-eslint/recommended',
'prettier',
],
};
2 changes: 1 addition & 1 deletion .github/workflows/codesee-arch-diagram.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ jobs:
step: mapUpload
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
github_ref: ${{ github.ref }}

- name: Insights
id: insights
uses: Codesee-io/codesee-map-action@latest
Expand Down
62 changes: 31 additions & 31 deletions .github/workflows/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,8 @@ jobs:
ports:
- 5432:5432
env:
POSTGRES_PASSWORD: ""
POSTGRES_HOST_AUTH_METHOD: "trust"
POSTGRES_PASSWORD: ''
POSTGRES_HOST_AUTH_METHOD: 'trust'
# Set health checks to wait until postgres has started
options: >-
--health-cmd pg_isready
Expand Down Expand Up @@ -59,41 +59,41 @@ jobs:
- 3306:3306
env:
MARIADB_DATABASE: mysql
MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "yes"
MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 'yes'

steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
with:
always-auth: true
node-version: ${{ matrix.node-version }}
registry-url: https://registry.npmjs.org
scope: '@boxyhq'
cache: 'npm'
- run: npm ci
- run: npm run test
- run: |
publishTag="latest"
if [[ "$GITHUB_REF" == *\/release ]]
then
echo "Release branch"
else
echo "Dev branch"
publishTag="beta"
versionSuffixTag="-beta.${GITHUB_RUN_NUMBER}"
sed "s/\(^[ ]*\"version\"\:[ ]*\".*\)\",/\1${versionSuffixTag}\",/" < package.json > package.json.new
mv package.json.new package.json
fi
npm publish --tag $publishTag --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v2
with:
always-auth: true
node-version: ${{ matrix.node-version }}
registry-url: https://registry.npmjs.org
scope: '@boxyhq'
cache: 'npm'
- run: npm install
- run: npm run test
- run: |
publishTag="latest"
if [[ "$GITHUB_REF" == *\/release ]]
then
echo "Release branch"
else
echo "Dev branch"
publishTag="beta"
versionSuffixTag="-beta.${GITHUB_RUN_NUMBER}"
sed "s/\(^[ ]*\"version\"\:[ ]*\".*\)\",/\1${versionSuffixTag}\",/" < package.json > package.json.new
mv package.json.new package.json
fi
npm publish --tag $publishTag --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
build:
needs: publish
runs-on: ubuntu-latest

steps:
- name: Check Out Repo
- name: Check Out Repo
uses: actions/checkout@v2

- name: Get short SHA
Expand Down
2 changes: 2 additions & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,5 @@
node_modules/**
.nyc_output
_config
dist
.DS_Store
16 changes: 9 additions & 7 deletions Dockerfile
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
# Install dependencies only when needed
FROM node:16.13.1-alpine3.14 AS deps
FROM node:16.13.1-alpine3.14 AS build
# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
RUN apk add --no-cache libc6-compat
WORKDIR /app
COPY src/ src/
COPY package.json package-lock.json ./
RUN npm ci --only=production
COPY package.json package-lock.json tsconfig*.json ./
RUN npm install
RUN npm run build

# Production image, copy all the files and run next
FROM node:16.13.1-alpine3.14 AS runner
Expand All @@ -17,13 +18,14 @@ ENV NODE_ENV production
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nodejs -u 1001

COPY --from=deps /app/src ./src
COPY --from=deps /app/node_modules ./node_modules
COPY --from=deps /app/package.json ./package.json
COPY --from=build /app/dist ./dist
COPY --from=build /app/package.json ./package.json
COPY --from=build /app/package-lock.json ./package-lock.json
RUN npm ci --only=production

USER nodejs

EXPOSE 5000
EXPOSE 6000

CMD [ "node", "src/jackson.js" ]
CMD [ "node", "dist/jackson.js" ]
57 changes: 28 additions & 29 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,28 +4,28 @@ SAML service [SAML in a box from BoxyHQ]

You need someone like Jules Winnfield to save you from the vagaries of SAML login.

# Source code visualizer
## Source code visualizer

[CodeSee codebase visualizer](https://app.codesee.io/maps/public/53e91640-23b5-11ec-a724-79d7dd589517)

# Getting Started
## Getting Started

There are two ways to use this repo.

- As an npm library (for Express compatible frameworks)
- As an npm library
- As a separate service

## Install as an npm library

Jackson is available as an [npm package](https://www.npmjs.com/package/@boxyhq/saml-jackson) that can be integrated into any web application framework (like Express.js for example). Please file an issue or submit a PR if you encounter any issues with your choice of framework.

```
```bash
npm i @boxyhq/saml-jackson
```

### Add Express Routes

```
```javascript
// express
const express = require('express');
const router = express.Router();
Expand Down Expand Up @@ -169,11 +169,11 @@ app.use('/sso', router);

The docker container can be found at [boxyhq/jackson](https://hub.docker.com/r/boxyhq/jackson/tags). It is preferable to use a specific version instead of the `latest` tag. Jackson uses two ports (configurable if needed, see below) 5000 and 6000. 6000 is the internal port and ideally should not be exposed to a public network.

```
```bash
docker run -p 5000:5000 -p 6000:6000 boxyhq/jackson:78e9099d
```

Refer to https://github.com/boxyhq/jackson#configuration for the full configuration.
Refer to <https://github.com/boxyhq/jackson#configuration> for the full configuration.

Kubernetes and docker-compose deployment files will be coming soon.

Expand All @@ -187,12 +187,12 @@ Please follow the instructions [here](https://docs.google.com/document/d/1fk---Z

As outlined in the guide above we try and support 4 attributes in the SAML claims - `id`, `email`, `firstName`, `lastName`. This is how the common SAML attributes map over for most providers, but some providers have custom mappings. Please refer to the documentation on Identity Provider to understand the exact mapping.

| SAML Attribute | Jackson mapping |
| -------------------------------------------------------------------- | --------------- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | id |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | email |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | firstName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | lastName |
| SAML Attribute | Jackson mapping |
| ---------------------------------------------------------------------- | --------------- |
| <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier> | id |
| <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress> | email |
| <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname> | firstName |
| <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname> | lastName |

### 2. SAML config API

Expand All @@ -202,7 +202,7 @@ You will need to provide a place in the UI for your customers (The account setti

The following API call sets up the configuration in Jackson:

```
```bash
curl --location --request POST 'http://localhost:6000/api/v1/saml/config' \
--header 'Authorization: Api-Key <Jackson API Key>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
Expand All @@ -225,15 +225,15 @@ The response returns a JSON with `client_id` and `client_secret` that can be sto

This endpoint can be used to return metadata about an existing SAML config. This can be used to check and display the details to your customers. You can use either `clientID` or `tenant` and `product` combination.

```
```bash
curl -G --location 'http://localhost:6000/api/v1/saml/config' \
--header 'Authorization: Api-Key <Jackson API Key>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'tenant=boxyhq.com' \
--data-urlencode 'product=demo'
```

```
```bash
curl -G --location 'http://localhost:6000/api/v1/saml/config' \
--header 'Authorization: Api-Key <Jackson API Key>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
Expand All @@ -246,15 +246,15 @@ The response returns a JSON with `provider` indicating the domain of your Identi

This endpoint can be used to delete an existing IdP metadata.

```
```bash
curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
--header 'Authorization: Api-Key <Jackson API Key>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'tenant=boxyhq.com' \
--data-urlencode 'product=demo'
```

```
```bash
curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
--header 'Authorization: Api-Key <Jackson API Key>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
Expand All @@ -266,15 +266,15 @@ curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \

Jackson has been designed to abstract the SAML login flow as a pure OAuth 2.0 flow. This means it's compatible with any standard OAuth 2.0 library out there, both client-side and server-side. It is important to remember that SAML is configured per customer unlike OAuth 2.0 where you can have a single OAuth app supporting logins for all customers.

Jackson also supports the PKCE authorization flow (https://oauth.net/2/pkce/), so you can protect your SPAs.
Jackson also supports the PKCE authorization flow (<https://oauth.net/2/pkce/>), so you can protect your SPAs.

If for any reason you need to implement the flow on your own, the steps are outlined below:

### 4. Authorize

The OAuth flow begins with redirecting your user to the `authorize` URL:

```
```bash
https://localhost:5000/oauth/authorize
?response_type=code&provider=saml
&client_id=<clientID or tenant and product query params as described in the SAML config API section above>
Expand All @@ -295,7 +295,7 @@ After successful authorization, the user is redirected back to the `redirect_uri

The code can then be exchanged for a token by making the following request:

```
```bash
curl --request POST \
--url 'http://localhost:5000/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
Expand All @@ -313,7 +313,7 @@ curl --request POST \

If everything goes well you should receive a JSON response that includes the access token. This token is needed for the next step where we fetch the user profile.

```
```json
{
"access_token": <access token>,
"token_type": "bearer",
Expand All @@ -325,7 +325,7 @@ If everything goes well you should receive a JSON response that includes the acc

The short-lived access token can now be used to request the user's profile. You'll need to make the following request:

```
```bash
curl --request GET \
--url https://localhost:5000/oauth/userinfo \
--header 'authorization: Bearer <access token>' \
Expand All @@ -334,7 +334,7 @@ curl --request GET \

If everything goes well you should receive a JSON response with the user's profile:

```
```json
{
"id": <id from the Identity Provider>,
"email": "sjackson@coolstartup.com",
Expand All @@ -357,7 +357,6 @@ To Do
Jackson currently supports the following databases.

- Postgres
- CockroachDB
- MySQL
- MariaDB
- MongoDB
Expand All @@ -381,7 +380,7 @@ The following options are supported and will have to be configured during deploy
| IDP_ENABLED (npm: idpEnabled) | Set to `true` to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times. | `false` |
| DB_ENGINE (npm: db.engine) | Supported values are `redis`, `sql`, `mongo`, `mem`. | `sql` |
| DB_URL (npm: db.url) | The database URL to connect to. For example `postgres://postgres:postgres@localhost:5450/jackson` | |
| DB_TYPE (npm: db.type) | Only needed when DB_ENGINE is `sql`. Supported values are `postgres`, `cockroachdb`, `mysql`, `mariadb`. | `postgres` |
| DB_TYPE (npm: db.type) | Only needed when DB_ENGINE is `sql`. Supported values are `postgres`, `mysql`, `mariadb`. | `postgres` |
| DB_TTL (npm: db.ttl) | TTL for the code, session and token stores (in seconds). | 300 |
| DB_CLEANUP_LIMIT (npm: db.cleanupLimit) | Limit cleanup of TTL entries to this number. | 1000 |
| DB_ENCRYPTION_KEY (npm: db.encryptionKey) | To encrypt data at rest specify a 32 character key. | |
Expand All @@ -391,7 +390,7 @@ The following options are supported and will have to be configured during deploy

If PRE_LOADED_CONFIG is set then it should point to a directory with the following structure (example below):-

```
```bash
boxyhq.js
boxyhq.xml
anothertenant.js
Expand All @@ -400,7 +399,7 @@ anothertenant.xml

The JS file has the following structure:-

```
```javascript
module.exports = {
defaultRedirectUrl: 'http://localhost:3000/login/saml',
redirectUrl: '["http://localhost:3000/*", "http://localhost:5000/*"]',
Expand All @@ -415,7 +414,7 @@ The config and XML above correspond to the `SAML API config` (see below).

## SAML Login flows

There are two kinds of SAML login flows - SP-initiated and IdP-initiated. We highly recommend sticking to the SP-initiated flow since it is more secure but Jackson also supports the IdP-initiated flow if you enable it. For an in-depth understanding of SAML and the two flows please refer to Okta's comprehensive guide - https://developer.okta.com/docs/concepts/saml/.
There are two kinds of SAML login flows - SP-initiated and IdP-initiated. We highly recommend sticking to the SP-initiated flow since it is more secure but Jackson also supports the IdP-initiated flow if you enable it. For an in-depth understanding of SAML and the two flows please refer to Okta's comprehensive guide - <https://developer.okta.com/docs/concepts/saml/>.

## Contributing

Expand Down
Loading

0 comments on commit c1aa424

Please sign in to comment.