remove keycloak libary

Author: felixheck

package-lock.json

@@ -41,13 +41,15 @@
     "ava": "^0.20.0",
     "coveralls": "^2.13.1",
     "hapi": "^16.4.3",
+    "nock": "^9.0.14",
     "nyc": "^11.0.3",
     "standard": "^10.0.2"
   },
   "dependencies": {
+    "axios": "^0.16.2",
     "boom": "^5.2.0",
     "joi": "^10.6.0",
-    "keycloak-auth-utils": "^3.2.1",
+    "jsonwebtoken": "^7.4.1",
     "lodash": "^4.17.4"
   },
   "peerDependencies": {

package.json

@@ -1,4 +1,4 @@
-const { GrantManager } = require('keycloak-auth-utils')
+const axios = require('axios')
 const cache = require('./cache')
 const token = require('./token')
 const { error, fakeReply, verify } = require('./utils')
@@ -11,10 +11,26 @@ const pkg = require('../package.json')
  * Internally used properties
  */
 const internals = {
-  manager: undefined,
+  clientOptions: undefined,
   userInfoFields: undefined
 }
 
+function validateOnline (token) {
+  const opts = internals.clientOptions
+
+  return axios.post(`${opts.realmUrl}/protocol/openid-connect/token/introspect`, {
+    token,
+    client_secret: opts.secret,
+    client_id: opts.clientId
+  }).then(({ data }) => {
+    if (!data.active) {
+      throw Error(error.msg.invalid)
+    }
+
+    return token
+  })
+}
+
 /**
  * @function
  * @public
@@ -25,19 +41,15 @@ const internals = {
  * @param {Function} reply The callback handler
  */
 function handleKeycloakValidation (tkn, reply) {
-  const invalidate = (err) => reply(error('unauthorized', err, error.msg.invalid))
-
-  internals.manager.validateAccessToken(tkn.get()).then((res) => {
-    if (!res) {
-      return invalidate()
-    }
-
+  validateOnline(tkn.get()).then((res) => {
     const { expiresIn, credentials } = tkn.getData(internals.userInfoFields)
     const userData = { credentials }
 
     cache.set(tkn.get(), userData, expiresIn)
     return reply.continue(userData)
-  }).catch(invalidate)
+  }).catch((err) => {
+    reply(error('unauthorized', err, error.msg.invalid))
+  })
 }
 
 /**
@@ -104,7 +116,7 @@ function plugin (server, opts, next) {
   opts = verify(opts)
   cache.init(server, opts.cache)
 
-  internals.manager = new GrantManager(opts.client)
+  internals.clientOptions = opts.client
   internals.userInfoFields = opts.userInfo
 
   server.auth.scheme('keycloak-jwt', strategy)

src/index.js

@@ -48,7 +48,7 @@ function verify (opts) {
  * @returns {Boom} The created `Boom` error
  */
 function error (type, err, msg) {
-  return boom[type](err ? err.toString() : msg, 'Bearer')
+  return boom[type](err ? err.message || err.toString() : msg, 'Bearer')
 }
 
 /**

src/utils.js

@@ -1,5 +1,8 @@
 const token = 'abc.def.ghi'
-const realmUrl = 'https://localhost:8080/auth/realms/testme'
+const baseUrl = 'http://localhost:8080'
+const realmPath = '/auth/realms/testme'
+const introspectPath = '/protocol/openid-connect/token/introspect'
+const realmUrl = `${baseUrl}${realmPath}`
 const clientId = 'foobar'
 const secret = '1234-bar-4321-foo'
 
@@ -21,7 +24,12 @@ const clientConfig = {
  *
  * Common attributes
  */
-const common = Object.assign({}, clientConfig, { token })
+const common = Object.assign({}, clientConfig, {
+  baseUrl,
+  token,
+  realmPath,
+  introspectPath
+})
 
 /**
  * @type Object
@@ -37,6 +45,7 @@ const content = {
     'name': 'John Doe',
     'email': '[email protected]',
     'admin': true,
+    'active': true,
     'realm_access': {
       'roles': [
         'admin'
@@ -71,9 +80,9 @@ const content = {
  * Various JSON Web Tokens
  */
 const jwt = {
-  userData: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjUsImlhdCI6MSwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImVtYWlsIjoiam9obi5kb2VAbWFpbC5jb20iLCJhZG1pbiI6dHJ1ZSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImFkbWluIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19LCJzYW1lIjp7InJvbGVzIjpbImVkaXRvciJdfSwib3RoZXItYXBwIjp7InJvbGVzIjpbIm90aGVyLWFwcDpjcmVhdG9yIl19fX0.uuhtpYNVtFZvPuRAEktWEDn_2u-dvimWnspXVt-gObU',
-  userDataExp: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBtYWlsLmNvbSIsImFkbWluIjp0cnVlLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX0sInNhbWUiOnsicm9sZXMiOlsiZWRpdG9yIl19LCJvdGhlci1hcHAiOnsicm9sZXMiOlsib3RoZXItYXBwOmNyZWF0b3IiXX19fQ.BcTtSEpyiUVBVkUOwVDM0_T9UIy-vk2aaUAR8XM6Hd0',
-  userDataScope: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjUsImlhdCI6MSwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImVtYWlsIjoiam9obi5kb2VAbWFpbC5jb20iLCJhZG1pbiI6dHJ1ZX0.2tfThhgwSbIEq2cZcoHSRwL2-UCanF23BXlyphm5ehs'
+  userData: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjUsImFjdGl2ZSI6dHJ1ZSwiaWF0IjoxLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBtYWlsLmNvbSIsImFkbWluIjp0cnVlLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX0sInNhbWUiOnsicm9sZXMiOlsiZWRpdG9yIl19LCJvdGhlci1hcHAiOnsicm9sZXMiOlsib3RoZXItYXBwOmNyZWF0b3IiXX19fQ.rjQkSo132lPSVUEsuz42oB5u_lW9zCBpvnOyngDYa_0',
+  userDataExp: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3RpdmUiOnRydWUsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJlbWFpbCI6ImpvaG4uZG9lQG1haWwuY29tIiwiYWRtaW4iOnRydWUsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJhZG1pbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfSwic2FtZSI6eyJyb2xlcyI6WyJlZGl0b3IiXX0sIm90aGVyLWFwcCI6eyJyb2xlcyI6WyJvdGhlci1hcHA6Y3JlYXRvciJdfX19.0_g0X4cOpOEJ37qwRQzBpouQDn2aEyg0-0jnnWECCsk',
+  userDataScope: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3RpdmUiOnRydWUsImV4cCI6NSwiaWF0IjoxLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBtYWlsLmNvbSIsImFkbWluIjp0cnVlfQ.V7lYgZKjnDJcPtUnIBHA9f-8bn8XXB6uH8bXElH-aOU'
 }
 
 module.exports = {

test/_fixtures.js

@@ -1,11 +1,8 @@
 const hapi = require('hapi')
-const _ = require('lodash')
-const { GrantManager } = require('keycloak-auth-utils')
+const nock = require('nock')
 const authKeycloak = require('../src')
 const fixtures = require('./_fixtures')
 
-const GrantManagerClone = {}
-
 /**
  * @type Object
  * @private
@@ -19,24 +16,20 @@ const defaults = {
 }
 
 /**
- * @type Object.<Function>
+ * @function
  * @public
  *
- * Provide several functions to clone, reset and
- * stub methods of `GrantManager`.
+ * Mock introspect request to the Keycloak server.
+ *
+ * @param {number} code The status code to be returned
+ * @param {Object} data The response object to be returned
+ * @param {boolean} isError Whether to reply with an error
  */
-const prototypes = {
-  clone () {
-    GrantManagerClone.prototype = _.cloneDeep(GrantManager.prototype)
-  },
-  reset () {
-    GrantManager.prototype = GrantManagerClone.prototype
-  },
-  stub (name, value, type = 'resolve') {
-    GrantManager.prototype[name] = function () {
-      return Promise[type](value)
-    }
-  }
+function mock (code, data, isError) {
+  const base = nock(fixtures.common.baseUrl)
+    .post(`${fixtures.common.realmPath}${fixtures.common.introspectPath}`)
+
+  isError ? base.replyWithError(data) : base.reply(code, data)
 }
 
 /**
@@ -140,5 +133,5 @@ function getServer (options, done) {
 module.exports = {
   getServer,
   registerPlugin,
-  prototypes
+  mock
 }

test/_helpers.js

@@ -1,15 +1,10 @@
 const test = require('ava')
 const cache = require('../src/cache')
-const { prototypes, getServer, registerPlugin } = require('./_helpers')
+const { mock, getServer, registerPlugin } = require('./_helpers')
 const fixtures = require('./_fixtures')
 
-test.beforeEach(() => {
-  prototypes.clone()
-})
-
 test.afterEach('reset instances and prototypes', () => {
   cache.reset()
-  prototypes.reset()
 })
 
 test.cb.serial('throw error if plugin gets registered twice', (t) => {
@@ -20,7 +15,7 @@ test.cb.serial('throw error if plugin gets registered twice', (t) => {
 })
 
 test.cb.serial('authentication does succeed', (t) => {
-  prototypes.stub('validateAccessToken', fixtures.content.userData)
+  mock(200, fixtures.content.userData)
 
   getServer(undefined, (server) => {
     server.inject({
@@ -38,7 +33,7 @@ test.cb.serial('authentication does succeed', (t) => {
 })
 
 test.cb.serial('authentication does succeed – cached', (t) => {
-  prototypes.stub('validateAccessToken', fixtures.content.userData)
+  mock(200, fixtures.content.userData)
 
   const mockReq = {
     method: 'GET',
@@ -63,7 +58,7 @@ test.cb.serial('authentication does succeed – cached', (t) => {
 })
 
 test.cb.serial('authentication does success – valid roles', (t) => {
-  prototypes.stub('validateAccessToken', fixtures.content.userData)
+  mock(200, fixtures.content.userData)
 
   getServer(undefined, (server) => {
     server.inject({
@@ -81,7 +76,7 @@ test.cb.serial('authentication does success – valid roles', (t) => {
 })
 
 test.cb.serial('authentication does fail – invalid roles', (t) => {
-  prototypes.stub('validateAccessToken', fixtures.content.userData)
+  mock(200, fixtures.content.userData)
 
   getServer(undefined, (server) => {
     server.inject({
@@ -99,7 +94,7 @@ test.cb.serial('authentication does fail – invalid roles', (t) => {
 })
 
 test.cb.serial('authentication does fail – invalid token', (t) => {
-  prototypes.stub('validateAccessToken', false)
+  mock(200, { active: false })
 
   getServer(undefined, (server) => {
     server.inject({
@@ -135,7 +130,7 @@ test.cb.serial('authentication does fail – invalid header', (t) => {
 })
 
 test.cb.serial('server method validates token', (t) => {
-  prototypes.stub('validateAccessToken', fixtures.content.userData)
+  mock(200, fixtures.content.userData)
 
   getServer(undefined, (server) => {
     server.kjwt.validate(`bearer ${fixtures.jwt.userData}`, (err, res) => {
@@ -148,22 +143,22 @@ test.cb.serial('server method validates token', (t) => {
 })
 
 test.cb.serial('server method invalidates token – validation error', (t) => {
-  prototypes.stub('validateAccessToken', new Error('an error'), 'reject')
+  mock(400, 'an error', true)
 
   getServer(undefined, (server) => {
     server.kjwt.validate(`bearer ${fixtures.jwt.userData}`, (err, res) => {
       t.falsy(res)
       t.truthy(err)
       t.truthy(err.isBoom)
       t.is(err.output.statusCode, 401)
-      t.is(err.output.headers['WWW-Authenticate'], 'Bearer error="Error: an error"')
+      t.is(err.output.headers['WWW-Authenticate'], 'Bearer error="an error"')
       t.end()
     })
   })
 })
 
 test.cb.serial('server method invalidates token – invalid', (t) => {
-  prototypes.stub('validateAccessToken', false)
+  mock(200, { active: false })
 
   getServer(undefined, (server) => {
     server.kjwt.validate(`bearer ${fixtures.jwt.userData}`, (err, res) => {

test/index.spec.js

@@ -19,7 +19,7 @@ test('get boom error with error message', (t) => {
   const mockErr = new Error('barfoo')
   const result = utils.error('badRequest', mockErr, 'foobar')
   t.truthy(result)
-  t.deepEqual(result, boom.badRequest(mockErr.toString(), 'Bearer'))
+  t.deepEqual(result, boom.badRequest(mockErr.message, 'Bearer'))
 })
 
 test('decorate callback function with `continue`', (t) => {