Update oidc-spa

garronej · garronej · commit 8923c9e9d5b5 · 2025-12-27T19:36:04.000+01:00
diff --git a/package.json b/package.json
@@ -24,7 +24,7 @@
         "@hono/node-server": "^1.11.1",
         "@hono/zod-openapi": "^0.13.0",
         "hono": "^4.11.1",
-        "oidc-spa": "^8.7.7",
+        "oidc-spa": "^8.7.10",
         "tsafe": "^1.8.12",
         "url-join": "^5.0.0",
         "zod": "^3.23.8"
diff --git a/src/auth.ts b/src/auth.ts
@@ -1,4 +1,4 @@
-import { oidcSpa } from "oidc-spa/server";
+import { oidcSpa, extractRequestAuthContext } from "oidc-spa/server";
 import { z } from "zod";
 import { HTTPException } from "hono/http-exception";
 import type { HonoRequest } from "hono";
@@ -9,7 +9,7 @@ const { bootstrapAuth, validateAndDecodeAccessToken } = oidcSpa
             sub: z.string(),
             realm_access: z.object({
                 roles: z.array(z.string())
-            })
+            }).optional()
         })
     })
     .createUtils();
@@ -24,39 +24,46 @@ export async function getUser(
     req: HonoRequest,
     requiredRole?: "realm-admin" | "support-staff"
 ): Promise<User> {
+    const requestAuthContext = extractRequestAuthContext({
+        request: req,
+        trustProxy: true
+    });
 
-    const { isSuccess, errorCause, debugErrorMessage, decodedAccessToken } =
-        await validateAndDecodeAccessToken({
-            request: {
-                url: req.url,
-                method: req.method,
-                getHeaderValue: headerName => req.header(headerName)
-            }
-        });
+    if( !requestAuthContext ){
+        // Demo shortcut: we return 401 on missing Authorization, but a mixed
+        // public/private endpoint could instead return undefined here and let
+        // the caller decide whether to process an anonymous request.
+        console.warn("Anonymous request");
+        throw new HTTPException(401); // Unauthorized
+    }
 
-    if (!isSuccess) {
+    if (!requestAuthContext.isWellFormed) {
+        console.warn(requestAuthContext.debugErrorMessage);
+        throw new HTTPException(400); // Bad Request
+    }
 
-        if( errorCause === "missing Authorization header" ){
-            // Demo shortcut: we return 401 on missing Authorization, but a mixed
-            // public/private endpoint could instead return undefined here and let
-            // the caller decide whether to process an anonymous request.
-            console.warn("Anonymous request");
-        }else{
-            console.warn(debugErrorMessage);
-        }
+    const { isSuccess, debugErrorMessage, decodedAccessToken } =
+        await validateAndDecodeAccessToken(
+            requestAuthContext.accessTokenAndMetadata
+        );
 
-        throw new HTTPException(401);
+    if (!isSuccess) {
+        console.warn(debugErrorMessage);
+        throw new HTTPException(401); // Unauthorized
     }
 
-    if (
-        requiredRole !== undefined &&
-        !decodedAccessToken.realm_access.roles.includes(requiredRole)
-    ) {
-        console.warn(`User missing role: ${requiredRole}`);
-        throw new HTTPException(403);
+    // Your custom Authorization logic: Grant per request access depending
+    // on the access token claim.
+    if (requiredRole) {
+        if (!decodedAccessToken.realm_access?.roles.includes(requiredRole)) {
+            console.warn(`User missing role: ${requiredRole}`);
+            throw new HTTPException(403); // Forbidden
+        }
     }
 
-    return {
+    const user: User = {
         id: decodedAccessToken.sub
     };
+
+    return user;
 }
diff --git a/src/main.ts b/src/main.ts
@@ -242,7 +242,7 @@ import { getUser, bootstrapAuth } from "./auth";
 
         app.openapi(route, async c => {
             const user = await getUser(c.req);
-
+            
             const { id } = c.req.valid("param");
 
             getUserTodoStore(user.id).remove(id);
diff --git a/yarn.lock b/yarn.lock
@@ -245,10 +245,10 @@ minimist@^1.2.6:
   resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
   integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
 
-oidc-spa@^8.7.7:
-  version "8.7.7"
-  resolved "https://registry.yarnpkg.com/oidc-spa/-/oidc-spa-8.7.7.tgz#90438888772c2e1607391af378d8a597aeac3898"
-  integrity sha512-iz+P2Lv9Xqx3oLKGSKToal5j0+nV/CQju8ZN9ZOJaNnwzFzvMJoj3u1AHt/tBWnfGAa3XvkFenmYsAspaVNqJw==
+oidc-spa@^8.7.10:
+  version "8.7.10"
+  resolved "https://registry.yarnpkg.com/oidc-spa/-/oidc-spa-8.7.10.tgz#ff2ca92f13526bddbe681d4ed68f28e0b2fbddcd"
+  integrity sha512-OyR9vuQ8MXOX6qFRmcXrO9cc9oLkQBFfNhQYj6+XcjjG/2i0cjWdi9CSKFxFHFEPhbyDXbVT5Nc9+gsialUgTg==
 
 openapi3-ts@^4.1.2:
   version "4.3.1"
