feat: add my-account and my-org proxy

Author: frederikprijck

src/server/auth-client.test.ts

@@ -20,6 +20,7 @@ import {
   SUBJECT_TOKEN_TYPES
 } from "../types/index.js";
 import { DEFAULT_SCOPES } from "../utils/constants.js";
+import { generateDpopKeyPair } from "../utils/dpopUtils.js";
 import { AuthClient } from "./auth-client.js";
 import { decrypt, encrypt } from "./cookies.js";
 import { StatefulSessionStore } from "./session/stateful-session-store.js";
@@ -6423,6 +6424,77 @@ ca/T0LLtgmbMmxSv/MmzIg==
     });
   });
 
+  describe("handleMyAccount", async () => {
+    it("should rewrite to my account", async () => {
+      const currentAccessToken = DEFAULT.accessToken;
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+
+      const dpopKeyPair = await generateDpopKeyPair();
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        routes: getDefaultRoutes(),
+
+        fetch: getMockAuthorizationServer(),
+        useDPoP: true,
+        dpopKeyPair: dpopKeyPair
+      });
+      const expiresAt = Math.floor(Date.now() / 1000) - 10 * 24 * 60 * 60; // expired 10 days ago
+      const session: SessionData = {
+        user: {
+          sub: DEFAULT.sub,
+          name: "John Doe",
+          email: "[email protected]",
+          picture: "https://example.com/john.jpg"
+        },
+        tokenSet: {
+          accessToken: currentAccessToken,
+          scope: "openid profile email",
+          refreshToken: DEFAULT.refreshToken,
+          expiresAt
+        },
+        internal: {
+          sid: DEFAULT.sid,
+          createdAt: Math.floor(Date.now() / 1000)
+        }
+      };
+      const maxAge = 60 * 60; // 1 hour
+      const expiration = Math.floor(Date.now() / 1000 + maxAge);
+      const sessionCookie = await encrypt(session, secret, expiration);
+      const headers = new Headers();
+      headers.append("cookie", `__session=${sessionCookie}`);
+      headers.append("auth0-scope", "foo:bar");
+      const request = new NextRequest(
+        new URL("/me/foo-bar/12", DEFAULT.appBaseUrl),
+        {
+          method: "GET",
+          headers
+        }
+      );
+
+      const response = await authClient.handleMyAccount(request);
+      expect(response.status).toEqual(200);
+      expect(response.headers.get("authorization")).toEqual("DPoP at_123");
+      expect(response.headers.get("auth0-scope")).toEqual("foo:bar");
+      expect(response.headers.get("x-middleware-rewrite")).toEqual("https://guabu.us.auth0.com/me/v1/foo-bar/12");
+
+    });
+  });
+
   describe("getTokenSet", async () => {
     it("should return the access token if it has not expired", async () => {
       const secret = await generateSecret(32);

src/server/auth-client.ts

@@ -157,6 +157,17 @@ export type RoutesOptions = Partial<
   >
 >;
 
+// We are using an internal method of DPoPHandle.
+// We should look for a way to achieve this without relying on internal methods.
+type DPoPHandle = oauth.DPoPHandle & {
+  addProof: (
+    url: URL,
+    headers: Headers,
+    htm: string,
+    accessToken?: string
+  ) => Promise<void>;
+};
+
 export interface AuthClientOptions {
   transactionStore: TransactionStore;
   sessionStore: AbstractSessionStore;
@@ -399,6 +410,10 @@ export class AuthClient {
       this.enableConnectAccountEndpoint
     ) {
       return this.handleConnectAccount(req);
+    } else if (sanitizedPathname.startsWith("/me")) {
+      return this.handleMyAccount(req);
+    } else if (sanitizedPathname.startsWith("/my-org")) {
+      return this.handleMyOrg(req);
     } else {
       // no auth handler found, simply touch the sessions
       // TODO: this should only happen if rolling sessions are enabled. Also, we should
@@ -1073,6 +1088,73 @@ export class AuthClient {
     return connectAccountResponse;
   }
 
+  async handleMyAccount(req: NextRequest): Promise<NextResponse> {
+    return this.handleProxy(req, {
+      proxyPath: "/me",
+      targetBaseUrl: `${this.issuer}/me/v1`,
+      audience: `${this.issuer}/me/v1/`
+    });
+  }
+
+  async handleMyOrg(req: NextRequest): Promise<NextResponse> {
+    return this.handleProxy(req, {
+      proxyPath: "/my-org",
+      targetBaseUrl: `${this.issuer}/my-org`,
+      audience: `${this.issuer}/my-org/`
+    });
+  }
+
+  async handleProxy(
+    req: NextRequest,
+    options: {
+      proxyPath: string;
+      targetBaseUrl: string;
+      audience: string;
+    }
+  ): Promise<NextResponse> {
+    const session = await this.sessionStore.get(req.cookies);
+    if (!session) {
+      return new NextResponse("The user does not have an active session.", {
+        status: 401
+      });
+    }
+
+    const targetBaseUrl = options.targetBaseUrl;
+    const targetUrl = new URL(
+      req.nextUrl.pathname.replace(options.proxyPath, targetBaseUrl.toString())
+    );
+
+    const [error, token] = await this.getTokenSet(session, {
+      audience: targetBaseUrl.toString(),
+      scope: req.headers.get("auth0-scope")
+    });
+
+    if (error) {
+      throw new Error(
+        `Failed to retrieve access token for My Account: ${error.message}`
+      );
+    }
+
+    const headers = new Headers(req.headers);
+
+    if (token.tokenSet.token_type?.toLowerCase() === "bearer") {
+      headers.set("Authorization", `Bearer ${token.tokenSet.accessToken}`);
+    } else {
+      const dpopHandle = oauth.DPoP(
+        this.clientMetadata,
+        this.dpopKeyPair!
+      ) as DPoPHandle;
+
+      dpopHandle.addProof(targetUrl, headers, req.method);
+
+      headers.set("Authorization", `DPoP ${token?.tokenSet.accessToken}`);
+    }
+
+    return NextResponse.rewrite(targetUrl, {
+      request: { headers }
+    });
+  }
+
   /**
    * Retrieves the token set from the session data, considering optional audience and scope parameters.
    * When audience and scope are provided, it checks if they match the global ones defined in the authorization parameters.