Add node modules and compiled JavaScript from main (#54)

Co-authored-by: Oliver King <oking3@uncc.edu>

node_modules/openid-client/lib/device_flow_handle.js

@@ -0,0 +1,123 @@
+/* eslint-disable camelcase */
+const { inspect } = require('util');
+
+const { RPError, OPError } = require('./errors');
+const instance = require('./helpers/weak_cache');
+const now = require('./helpers/unix_timestamp');
+const { authenticatedPost } = require('./helpers/client');
+const processResponse = require('./helpers/process_response');
+const TokenSet = require('./token_set');
+
+class DeviceFlowHandle {
+  constructor({
+    client, exchangeBody, clientAssertionPayload, response, maxAge, DPoP,
+  }) {
+    ['verification_uri', 'user_code', 'device_code'].forEach((prop) => {
+      if (typeof response[prop] !== 'string' || !response[prop]) {
+        throw new RPError(`expected ${prop} string to be returned by Device Authorization Response, got %j`, response[prop]);
+      }
+    });
+
+    if (!Number.isSafeInteger(response.expires_in)) {
+      throw new RPError('expected expires_in number to be returned by Device Authorization Response, got %j', response.expires_in);
+    }
+
+    instance(this).expires_at = now() + response.expires_in;
+    instance(this).client = client;
+    instance(this).DPoP = DPoP;
+    instance(this).maxAge = maxAge;
+    instance(this).exchangeBody = exchangeBody;
+    instance(this).clientAssertionPayload = clientAssertionPayload;
+    instance(this).response = response;
+    instance(this).interval = response.interval * 1000 || 5000;
+  }
+
+  abort() {
+    instance(this).aborted = true;
+  }
+
+  async poll({ signal } = {}) {
+    if ((signal && signal.aborted) || instance(this).aborted) {
+      throw new RPError('polling aborted');
+    }
+
+    if (this.expired()) {
+      throw new RPError('the device code %j has expired and the device authorization session has concluded', this.device_code);
+    }
+
+    await new Promise((resolve) => setTimeout(resolve, instance(this).interval));
+
+    const response = await authenticatedPost.call(
+      instance(this).client,
+      'token',
+      {
+        form: {
+          ...instance(this).exchangeBody,
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+          device_code: this.device_code,
+        },
+        responseType: 'json',
+      },
+      { clientAssertionPayload: instance(this).clientAssertionPayload, DPoP: instance(this).DPoP },
+    );
+
+    let responseBody;
+    try {
+      responseBody = processResponse(response);
+    } catch (err) {
+      switch (err instanceof OPError && err.error) {
+        case 'slow_down':
+          instance(this).interval += 5000;
+        case 'authorization_pending': // eslint-disable-line no-fallthrough
+          return this.poll({ signal });
+        default:
+          throw err;
+      }
+    }
+
+    const tokenset = new TokenSet(responseBody);
+
+    if ('id_token' in tokenset) {
+      await instance(this).client.decryptIdToken(tokenset);
+      await instance(this).client.validateIdToken(tokenset, undefined, 'token', instance(this).maxAge);
+    }
+
+    return tokenset;
+  }
+
+  get device_code() {
+    return instance(this).response.device_code;
+  }
+
+  get user_code() {
+    return instance(this).response.user_code;
+  }
+
+  get verification_uri() {
+    return instance(this).response.verification_uri;
+  }
+
+  get verification_uri_complete() {
+    return instance(this).response.verification_uri_complete;
+  }
+
+  get expires_in() {
+    return Math.max.apply(null, [instance(this).expires_at - now(), 0]);
+  }
+
+  expired() {
+    return this.expires_in === 0;
+  }
+
+  /* istanbul ignore next */
+  [inspect.custom]() {
+    return `${this.constructor.name} ${inspect(instance(this).response, {
+      depth: Infinity,
+      colors: process.stdout.isTTY,
+      compact: false,
+      sorted: true,
+    })}`;
+  }
+}
+
+module.exports = DeviceFlowHandle;

node_modules/openid-client/lib/errors.js

@@ -0,0 +1,61 @@
+/* eslint-disable camelcase */
+const { format } = require('util');
+
+const makeError = require('make-error');
+
+function OPError({
+  error_description,
+  error,
+  error_uri,
+  session_state,
+  state,
+  scope,
+}, response) {
+  OPError.super.call(this, !error_description ? error : `${error} (${error_description})`);
+
+  Object.assign(
+    this,
+    { error },
+    (error_description && { error_description }),
+    (error_uri && { error_uri }),
+    (state && { state }),
+    (scope && { scope }),
+    (session_state && { session_state }),
+  );
+
+  if (response) {
+    Object.defineProperty(this, 'response', {
+      value: response,
+    });
+  }
+}
+
+makeError(OPError);
+
+function RPError(...args) {
+  if (typeof args[0] === 'string') {
+    RPError.super.call(this, format(...args));
+  } else {
+    const {
+      message, printf, response, ...rest
+    } = args[0];
+    if (printf) {
+      RPError.super.call(this, format(...printf));
+    } else {
+      RPError.super.call(this, message);
+    }
+    Object.assign(this, rest);
+    if (response) {
+      Object.defineProperty(this, 'response', {
+        value: response,
+      });
+    }
+  }
+}
+
+makeError(RPError);
+
+module.exports = {
+  OPError,
+  RPError,
+};

node_modules/openid-client/lib/helpers/assert.js

@@ -0,0 +1,22 @@
+function assertSigningAlgValuesSupport(endpoint, issuer, properties) {
+  if (!issuer[`${endpoint}_endpoint`]) return;
+
+  const eam = `${endpoint}_endpoint_auth_method`;
+  const easa = `${endpoint}_endpoint_auth_signing_alg`;
+  const easavs = `${endpoint}_endpoint_auth_signing_alg_values_supported`;
+
+  if (properties[eam] && properties[eam].endsWith('_jwt') && !properties[easa] && !issuer[easavs]) {
+    throw new TypeError(`${easavs} must be configured on the issuer if ${easa} is not defined on a client`);
+  }
+}
+
+function assertIssuerConfiguration(issuer, endpoint) {
+  if (!issuer[endpoint]) {
+    throw new TypeError(`${endpoint} must be configured on the issuer`);
+  }
+}
+
+module.exports = {
+  assertSigningAlgValuesSupport,
+  assertIssuerConfiguration,
+};

node_modules/openid-client/lib/helpers/base64url.js

@@ -0,0 +1,12 @@
+let encode;
+if (Buffer.isEncoding('base64url')) {
+  encode = (input, encoding = 'utf8') => Buffer.from(input, encoding).toString('base64url');
+} else {
+  const fromBase64 = (base64) => base64.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+  encode = (input, encoding = 'utf8') => fromBase64(Buffer.from(input, encoding).toString('base64'));
+}
+
+const decode = (input) => Buffer.from(input, 'base64');
+
+module.exports.decode = decode;
+module.exports.encode = encode;

node_modules/openid-client/lib/helpers/client.js

@@ -0,0 +1,170 @@
+const jose = require('jose');
+
+const { assertIssuerConfiguration } = require('./assert');
+const { random } = require('./generators');
+const now = require('./unix_timestamp');
+const request = require('./request');
+const instance = require('./weak_cache');
+const merge = require('./merge');
+
+const formUrlEncode = (value) => encodeURIComponent(value).replace(/%20/g, '+');
+
+async function clientAssertion(endpoint, payload) {
+  let alg = this[`${endpoint}_endpoint_auth_signing_alg`];
+  if (!alg) {
+    assertIssuerConfiguration(this.issuer, `${endpoint}_endpoint_auth_signing_alg_values_supported`);
+  }
+
+  if (this[`${endpoint}_endpoint_auth_method`] === 'client_secret_jwt') {
+    const key = await this.joseSecret();
+
+    if (!alg) {
+      const supported = this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`];
+      alg = Array.isArray(supported) && supported.find((signAlg) => key.algorithms('sign').has(signAlg));
+    }
+
+    return jose.JWS.sign(payload, key, { alg, typ: 'JWT' });
+  }
+
+  const keystore = instance(this).get('keystore');
+
+  if (!keystore) {
+    throw new TypeError('no client jwks provided for signing a client assertion with');
+  }
+
+  if (!alg) {
+    const algs = new Set();
+
+    keystore.all().forEach((key) => {
+      key.algorithms('sign').forEach(Set.prototype.add.bind(algs));
+    });
+
+    const supported = this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`];
+    alg = Array.isArray(supported) && supported.find((signAlg) => algs.has(signAlg));
+  }
+
+  const key = keystore.get({ alg, use: 'sig' });
+  if (!key) {
+    throw new TypeError(`no key found in client jwks to sign a client assertion with using alg ${alg}`);
+  }
+  return jose.JWS.sign(payload, key, { alg, typ: 'JWT', kid: key.kid.startsWith('DONOTUSE.') ? undefined : key.kid });
+}
+
+async function authFor(endpoint, { clientAssertionPayload } = {}) {
+  const authMethod = this[`${endpoint}_endpoint_auth_method`];
+  switch (authMethod) {
+    case 'self_signed_tls_client_auth':
+    case 'tls_client_auth':
+    case 'none':
+      return { form: { client_id: this.client_id } };
+    case 'client_secret_post':
+      if (!this.client_secret) {
+        throw new TypeError('client_secret_post client authentication method requires a client_secret');
+      }
+      return { form: { client_id: this.client_id, client_secret: this.client_secret } };
+    case 'private_key_jwt':
+    case 'client_secret_jwt': {
+      const timestamp = now();
+
+      const mTLS = endpoint === 'token' && this.tls_client_certificate_bound_access_tokens;
+      const audience = [...new Set([
+        this.issuer.issuer,
+        this.issuer.token_endpoint,
+        this.issuer[`${endpoint}_endpoint`],
+        mTLS && this.issuer.mtls_endpoint_aliases
+          ? this.issuer.mtls_endpoint_aliases.token_endpoint : undefined,
+      ].filter(Boolean))];
+
+      const assertion = await clientAssertion.call(this, endpoint, {
+        iat: timestamp,
+        exp: timestamp + 60,
+        jti: random(),
+        iss: this.client_id,
+        sub: this.client_id,
+        aud: audience,
+        ...clientAssertionPayload,
+      });
+
+      return {
+        form: {
+          client_id: this.client_id,
+          client_assertion: assertion,
+          client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        },
+      };
+    }
+    default: { // client_secret_basic
+      // This is correct behaviour, see https://tools.ietf.org/html/rfc6749#section-2.3.1 and the
+      // related appendix. (also https://github.com/panva/node-openid-client/pull/91)
+      // > The client identifier is encoded using the
+      // > "application/x-www-form-urlencoded" encoding algorithm per
+      // > Appendix B, and the encoded value is used as the username; the client
+      // > password is encoded using the same algorithm and used as the
+      // > password.
+      if (!this.client_secret) {
+        throw new TypeError('client_secret_basic client authentication method requires a client_secret');
+      }
+      const encoded = `${formUrlEncode(this.client_id)}:${formUrlEncode(this.client_secret)}`;
+      const value = Buffer.from(encoded).toString('base64');
+      return { headers: { Authorization: `Basic ${value}` } };
+    }
+  }
+}
+
+function resolveResponseType() {
+  const { length, 0: value } = this.response_types;
+
+  if (length === 1) {
+    return value;
+  }
+
+  return undefined;
+}
+
+function resolveRedirectUri() {
+  const { length, 0: value } = this.redirect_uris || [];
+
+  if (length === 1) {
+    return value;
+  }
+
+  return undefined;
+}
+
+async function authenticatedPost(endpoint, opts, {
+  clientAssertionPayload, endpointAuthMethod = endpoint, DPoP,
+} = {}) {
+  const auth = await authFor.call(this, endpointAuthMethod, { clientAssertionPayload });
+  const requestOpts = merge(opts, auth);
+
+  const mTLS = this[`${endpointAuthMethod}_endpoint_auth_method`].includes('tls_client_auth')
+    || (endpoint === 'token' && this.tls_client_certificate_bound_access_tokens);
+
+  let targetUrl;
+  if (mTLS && this.issuer.mtls_endpoint_aliases) {
+    targetUrl = this.issuer.mtls_endpoint_aliases[`${endpoint}_endpoint`];
+  }
+
+  targetUrl = targetUrl || this.issuer[`${endpoint}_endpoint`];
+
+  if ('form' in requestOpts) {
+    for (const [key, value] of Object.entries(requestOpts.form)) { // eslint-disable-line no-restricted-syntax, max-len
+      if (typeof value === 'undefined') {
+        delete requestOpts.form[key];
+      }
+    }
+  }
+
+  return request.call(this, {
+    ...requestOpts,
+    method: 'POST',
+    url: targetUrl,
+  }, { mTLS, DPoP });
+}
+
+module.exports = {
+  resolveResponseType,
+  resolveRedirectUri,
+  authFor,
+  authenticatedPost,
+};

node_modules/openid-client/lib/helpers/consts.js

@@ -0,0 +1,62 @@
+const OIDC_DISCOVERY = '/.well-known/openid-configuration';
+const OAUTH2_DISCOVERY = '/.well-known/oauth-authorization-server';
+const WEBFINGER = '/.well-known/webfinger';
+const REL = 'http://openid.net/specs/connect/1.0/issuer';
+const AAD_MULTITENANT_DISCOVERY = [
+  `https://login.microsoftonline.com/common${OIDC_DISCOVERY}`,
+  `https://login.microsoftonline.com/common/v2.0${OIDC_DISCOVERY}`,
+  `https://login.microsoftonline.com/organizations/v2.0${OIDC_DISCOVERY}`,
+  `https://login.microsoftonline.com/consumers/v2.0${OIDC_DISCOVERY}`,
+];
+
+const CLIENT_DEFAULTS = {
+  grant_types: ['authorization_code'],
+  id_token_signed_response_alg: 'RS256',
+  authorization_signed_response_alg: 'RS256',
+  response_types: ['code'],
+  token_endpoint_auth_method: 'client_secret_basic',
+};
+
+const ISSUER_DEFAULTS = {
+  claim_types_supported: ['normal'],
+  claims_parameter_supported: false,
+  grant_types_supported: ['authorization_code', 'implicit'],
+  request_parameter_supported: false,
+  request_uri_parameter_supported: true,
+  require_request_uri_registration: false,
+  response_modes_supported: ['query', 'fragment'],
+  token_endpoint_auth_methods_supported: ['client_secret_basic'],
+};
+
+const CALLBACK_PROPERTIES = [
+  'access_token', // 6749
+  'code', // 6749
+  'error', // 6749
+  'error_description', // 6749
+  'error_uri', // 6749
+  'expires_in', // 6749
+  'id_token', // Core 1.0
+  'state', // 6749
+  'token_type', // 6749
+  'session_state', // Session Management
+  'response', // JARM
+];
+
+const JWT_CONTENT = /^application\/jwt/;
+
+const HTTP_OPTIONS = Symbol('openid-client.custom.http-options');
+const CLOCK_TOLERANCE = Symbol('openid-client.custom.clock-tolerance');
+
+module.exports = {
+  AAD_MULTITENANT_DISCOVERY,
+  CALLBACK_PROPERTIES,
+  CLIENT_DEFAULTS,
+  CLOCK_TOLERANCE,
+  HTTP_OPTIONS,
+  ISSUER_DEFAULTS,
+  JWT_CONTENT,
+  OAUTH2_DISCOVERY,
+  OIDC_DISCOVERY,
+  REL,
+  WEBFINGER,
+};

node_modules/openid-client/lib/helpers/deep_clone.js

@@ -0,0 +1 @@
+module.exports = (obj) => JSON.parse(JSON.stringify(obj));

node_modules/openid-client/lib/helpers/defaults.js

@@ -0,0 +1,29 @@
+/* eslint-disable no-restricted-syntax, no-continue */
+
+const isPlainObject = require('./is_plain_object');
+
+function defaults(deep, target, ...sources) {
+  for (const source of sources) {
+    if (!isPlainObject(source)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(source)) {
+      /* istanbul ignore if */
+      if (key === '__proto__' || key === 'constructor') {
+        continue;
+      }
+      if (typeof target[key] === 'undefined' && typeof value !== 'undefined') {
+        target[key] = value;
+      }
+
+      if (deep && isPlainObject(target[key]) && isPlainObject(value)) {
+        defaults(true, target[key], value);
+      }
+    }
+  }
+
+  return target;
+}
+
+module.exports = defaults.bind(undefined, false);
+module.exports.deep = defaults.bind(undefined, true);

node_modules/openid-client/lib/helpers/generators.js

@@ -0,0 +1,13 @@
+const { createHash, randomBytes } = require('crypto');
+
+const base64url = require('./base64url');
+
+const random = (bytes = 32) => base64url.encode(randomBytes(bytes));
+
+module.exports = {
+  random,
+  state: random,
+  nonce: random,
+  codeVerifier: random,
+  codeChallenge: (codeVerifier) => base64url.encode(createHash('sha256').update(codeVerifier).digest()),
+};

node_modules/openid-client/lib/helpers/is_absolute_url.js

@@ -0,0 +1,12 @@
+const url = require('url');
+const { strict: assert } = require('assert');
+
+module.exports = (target) => {
+  try {
+    const { protocol } = new url.URL(target);
+    assert(protocol.match(/^(https?:)$/));
+    return true;
+  } catch (err) {
+    throw new TypeError('only valid absolute URLs can be requested');
+  }
+};

node_modules/openid-client/lib/helpers/is_plain_object.js

@@ -0,0 +1 @@
+module.exports = (a) => !!a && a.constructor === Object;

node_modules/openid-client/lib/helpers/merge.js

@@ -0,0 +1,26 @@
+/* eslint-disable no-restricted-syntax, no-param-reassign, no-continue */
+
+const isPlainObject = require('./is_plain_object');
+
+function merge(target, ...sources) {
+  for (const source of sources) {
+    if (!isPlainObject(source)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(source)) {
+      /* istanbul ignore if */
+      if (key === '__proto__' || key === 'constructor') {
+        continue;
+      }
+      if (isPlainObject(target[key]) && isPlainObject(value)) {
+        target[key] = merge(target[key], value);
+      } else if (typeof value !== 'undefined') {
+        target[key] = value;
+      }
+    }
+  }
+
+  return target;
+}
+
+module.exports = merge;

node_modules/openid-client/lib/helpers/pick.js

@@ -0,0 +1,9 @@
+module.exports = function pick(object, ...paths) {
+  const obj = {};
+  for (const path of paths) { // eslint-disable-line no-restricted-syntax
+    if (object[path]) {
+      obj[path] = object[path];
+    }
+  }
+  return obj;
+};

node_modules/openid-client/lib/helpers/process_response.js

@@ -0,0 +1,62 @@
+const { STATUS_CODES } = require('http');
+const { format } = require('util');
+
+const { OPError } = require('../errors');
+
+const REGEXP = /(\w+)=("[^"]*")/g;
+const throwAuthenticateErrors = (response) => {
+  const params = {};
+  try {
+    while ((REGEXP.exec(response.headers['www-authenticate'])) !== null) {
+      if (RegExp.$1 && RegExp.$2) {
+        params[RegExp.$1] = RegExp.$2.slice(1, -1);
+      }
+    }
+  } catch (err) {}
+
+  if (params.error) {
+    throw new OPError(params, response);
+  }
+};
+
+const isStandardBodyError = (response) => {
+  let result = false;
+  try {
+    let jsonbody;
+    if (typeof response.body !== 'object' || Buffer.isBuffer(response.body)) {
+      jsonbody = JSON.parse(response.body);
+    } else {
+      jsonbody = response.body;
+    }
+    result = typeof jsonbody.error === 'string' && jsonbody.error.length;
+    if (result) response.body = jsonbody;
+  } catch (err) {}
+
+  return result;
+};
+
+function processResponse(response, { statusCode = 200, body = true, bearer = false } = {}) {
+  if (response.statusCode !== statusCode) {
+    if (bearer) {
+      throwAuthenticateErrors(response);
+    }
+
+    if (isStandardBodyError(response)) {
+      throw new OPError(response.body, response);
+    }
+
+    throw new OPError({
+      error: format('expected %i %s, got: %i %s', statusCode, STATUS_CODES[statusCode], response.statusCode, STATUS_CODES[response.statusCode]),
+    }, response);
+  }
+
+  if (body && !response.body) {
+    throw new OPError({
+      error: format('expected %i %s with body but no body was returned', statusCode, STATUS_CODES[statusCode]),
+    }, response);
+  }
+
+  return response.body;
+}
+
+module.exports = processResponse;

node_modules/openid-client/lib/helpers/request.js

@@ -0,0 +1,56 @@
+const Got = require('got');
+
+const pkg = require('../../package.json');
+
+const { deep: defaultsDeep } = require('./defaults');
+const isAbsoluteUrl = require('./is_absolute_url');
+const { HTTP_OPTIONS } = require('./consts');
+
+let DEFAULT_HTTP_OPTIONS;
+let got;
+
+const setDefaults = (options) => {
+  DEFAULT_HTTP_OPTIONS = defaultsDeep({}, options, DEFAULT_HTTP_OPTIONS);
+  got = Got.extend(DEFAULT_HTTP_OPTIONS);
+};
+
+setDefaults({
+  followRedirect: false,
+  headers: { 'User-Agent': `${pkg.name}/${pkg.version} (${pkg.homepage})` },
+  retry: 0,
+  timeout: 3500,
+  throwHttpErrors: false,
+});
+
+module.exports = async function request(options, { accessToken, mTLS = false, DPoP } = {}) {
+  const { url } = options;
+  isAbsoluteUrl(url);
+  const optsFn = this[HTTP_OPTIONS];
+  let opts = options;
+
+  if (DPoP && 'dpopProof' in this) {
+    opts.headers = opts.headers || {};
+    opts.headers.DPoP = this.dpopProof({
+      htu: url,
+      htm: options.method,
+    }, DPoP, accessToken);
+  }
+
+  if (optsFn) {
+    opts = optsFn.call(this, defaultsDeep({}, opts, DEFAULT_HTTP_OPTIONS));
+  }
+
+  if (
+    mTLS
+    && (
+      (!opts.key || !opts.cert)
+      && (!opts.https || !((opts.https.key && opts.https.certificate) || opts.https.pfx))
+    )
+  ) {
+    throw new TypeError('mutual-TLS certificate and key not set');
+  }
+
+  return got(opts);
+};
+
+module.exports.setDefaults = setDefaults;

node_modules/openid-client/lib/helpers/unix_timestamp.js

@@ -0,0 +1 @@
+module.exports = () => Math.floor(Date.now() / 1000);

node_modules/openid-client/lib/helpers/weak_cache.js

@@ -0,0 +1,8 @@
+const privateProps = new WeakMap();
+
+module.exports = (ctx) => {
+  if (!privateProps.has(ctx)) {
+    privateProps.set(ctx, new Map([['metadata', new Map()]]));
+  }
+  return privateProps.get(ctx);
+};

node_modules/openid-client/lib/helpers/webfinger_normalize.js

@@ -0,0 +1,71 @@
+// Credit: https://github.com/rohe/pyoidc/blob/master/src/oic/utils/webfinger.py
+
+// -- Normalization --
+// A string of any other type is interpreted as a URI either the form of scheme
+// "://" authority path-abempty [ "?" query ] [ "#" fragment ] or authority
+// path-abempty [ "?" query ] [ "#" fragment ] per RFC 3986 [RFC3986] and is
+// normalized according to the following rules:
+//
+// If the user input Identifier does not have an RFC 3986 [RFC3986] scheme
+// portion, the string is interpreted as [userinfo "@"] host [":" port]
+// path-abempty [ "?" query ] [ "#" fragment ] per RFC 3986 [RFC3986].
+// If the userinfo component is present and all of the path component, query
+// component, and port component are empty, the acct scheme is assumed. In this
+// case, the normalized URI is formed by prefixing acct: to the string as the
+// scheme. Per the 'acct' URI Scheme [I‑D.ietf‑appsawg‑acct‑uri], if there is an
+// at-sign character ('@') in the userinfo component, it needs to be
+// percent-encoded as described in RFC 3986 [RFC3986].
+// For all other inputs without a scheme portion, the https scheme is assumed,
+// and the normalized URI is formed by prefixing https:// to the string as the
+// scheme.
+// If the resulting URI contains a fragment portion, it MUST be stripped off
+// together with the fragment delimiter character "#".
+// The WebFinger [I‑D.ietf‑appsawg‑webfinger] Resource in this case is the
+// resulting URI, and the WebFinger Host is the authority component.
+//
+// Note: Since the definition of authority in RFC 3986 [RFC3986] is
+// [ userinfo "@" ] host [ ":" port ], it is legal to have a user input
+// identifier like userinfo@host:port, e.g., alice@example.com:8080.
+
+const PORT = /^\d+$/;
+
+function hasScheme(input) {
+  if (input.includes('://')) return true;
+
+  const authority = input.replace(/(\/|\?)/g, '#').split('#')[0];
+  if (authority.includes(':')) {
+    const index = authority.indexOf(':');
+    const hostOrPort = authority.slice(index + 1);
+    if (!PORT.test(hostOrPort)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+function acctSchemeAssumed(input) {
+  if (!input.includes('@')) return false;
+  const parts = input.split('@');
+  const host = parts[parts.length - 1];
+  return !(host.includes(':') || host.includes('/') || host.includes('?'));
+}
+
+function normalize(input) {
+  if (typeof input !== 'string') {
+    throw new TypeError('input must be a string');
+  }
+
+  let output;
+  if (hasScheme(input)) {
+    output = input;
+  } else if (acctSchemeAssumed(input)) {
+    output = `acct:${input}`;
+  } else {
+    output = `https://${input}`;
+  }
+
+  return output.split('#')[0];
+}
+
+module.exports = normalize;

node_modules/openid-client/lib/index.js

@@ -0,0 +1,25 @@
+const Issuer = require('./issuer');
+const { OPError, RPError } = require('./errors');
+const Registry = require('./issuer_registry');
+const Strategy = require('./passport_strategy');
+const TokenSet = require('./token_set');
+const { CLOCK_TOLERANCE, HTTP_OPTIONS } = require('./helpers/consts');
+const generators = require('./helpers/generators');
+const { setDefaults } = require('./helpers/request');
+
+module.exports = {
+  Issuer,
+  Registry,
+  Strategy,
+  TokenSet,
+  errors: {
+    OPError,
+    RPError,
+  },
+  custom: {
+    setHttpOptionsDefaults: setDefaults,
+    http_options: HTTP_OPTIONS,
+    clock_tolerance: CLOCK_TOLERANCE,
+  },
+  generators,
+};

node_modules/openid-client/lib/index.mjs

@@ -0,0 +1,10 @@
+import mod from './index.js';
+
+export default mod;
+export const Issuer = mod.Issuer;
+export const Registry = mod.Registry;
+export const Strategy = mod.Strategy;
+export const TokenSet = mod.TokenSet;
+export const errors = mod.errors;
+export const custom = mod.custom;
+export const generators = mod.generators;

node_modules/openid-client/lib/issuer.js

@@ -0,0 +1,282 @@
+/* eslint-disable max-classes-per-file */
+
+const { inspect } = require('util');
+const url = require('url');
+
+const AggregateError = require('aggregate-error');
+const jose = require('jose');
+const LRU = require('lru-cache');
+const objectHash = require('object-hash');
+
+const { RPError } = require('./errors');
+const getClient = require('./client');
+const registry = require('./issuer_registry');
+const processResponse = require('./helpers/process_response');
+const webfingerNormalize = require('./helpers/webfinger_normalize');
+const instance = require('./helpers/weak_cache');
+const request = require('./helpers/request');
+const { assertIssuerConfiguration } = require('./helpers/assert');
+const {
+  ISSUER_DEFAULTS, OIDC_DISCOVERY, OAUTH2_DISCOVERY, WEBFINGER, REL, AAD_MULTITENANT_DISCOVERY,
+} = require('./helpers/consts');
+
+const AAD_MULTITENANT = Symbol('AAD_MULTITENANT');
+
+class Issuer {
+  /**
+   * @name constructor
+   * @api public
+   */
+  constructor(meta = {}) {
+    const aadIssValidation = meta[AAD_MULTITENANT];
+    delete meta[AAD_MULTITENANT];
+
+    ['introspection', 'revocation'].forEach((endpoint) => {
+      // if intro/revocation endpoint auth specific meta is missing use the token ones if they
+      // are defined
+      if (
+        meta[`${endpoint}_endpoint`]
+        && meta[`${endpoint}_endpoint_auth_methods_supported`] === undefined
+        && meta[`${endpoint}_endpoint_auth_signing_alg_values_supported`] === undefined
+      ) {
+        if (meta.token_endpoint_auth_methods_supported) {
+          meta[`${endpoint}_endpoint_auth_methods_supported`] = meta.token_endpoint_auth_methods_supported;
+        }
+        if (meta.token_endpoint_auth_signing_alg_values_supported) {
+          meta[`${endpoint}_endpoint_auth_signing_alg_values_supported`] = meta.token_endpoint_auth_signing_alg_values_supported;
+        }
+      }
+    });
+
+    Object.entries(meta).forEach(([key, value]) => {
+      instance(this).get('metadata').set(key, value);
+      if (!this[key]) {
+        Object.defineProperty(this, key, {
+          get() { return instance(this).get('metadata').get(key); },
+          enumerable: true,
+        });
+      }
+    });
+
+    instance(this).set('cache', new LRU({ max: 100 }));
+
+    registry.set(this.issuer, this);
+
+    const Client = getClient(this, aadIssValidation);
+
+    Object.defineProperties(this, {
+      Client: { value: Client },
+      FAPIClient: { value: class FAPIClient extends Client {} },
+    });
+  }
+
+  /**
+   * @name keystore
+   * @api public
+   */
+  async keystore(reload = false) {
+    assertIssuerConfiguration(this, 'jwks_uri');
+
+    const keystore = instance(this).get('keystore');
+    const cache = instance(this).get('cache');
+
+    if (reload || !keystore) {
+      cache.reset();
+      const response = await request.call(this, {
+        method: 'GET',
+        responseType: 'json',
+        url: this.jwks_uri,
+      });
+      const jwks = processResponse(response);
+
+      const joseKeyStore = jose.JWKS.asKeyStore(jwks, { ignoreErrors: true });
+      cache.set('throttle', true, 60 * 1000);
+      instance(this).set('keystore', joseKeyStore);
+      return joseKeyStore;
+    }
+
+    return keystore;
+  }
+
+  /**
+   * @name queryKeyStore
+   * @api private
+   */
+  async queryKeyStore({
+    kid, kty, alg, use, key_ops: ops,
+  }, { allowMulti = false } = {}) {
+    const cache = instance(this).get('cache');
+
+    const def = {
+      kid, kty, alg, use, key_ops: ops,
+    };
+
+    const defHash = objectHash(def, {
+      algorithm: 'sha256',
+      ignoreUnknown: true,
+      unorderedArrays: true,
+      unorderedSets: true,
+    });
+
+    // refresh keystore on every unknown key but also only upto once every minute
+    const freshJwksUri = cache.get(defHash) || cache.get('throttle');
+
+    const keystore = await this.keystore(!freshJwksUri);
+    const keys = keystore.all(def);
+
+    if (keys.length === 0) {
+      throw new RPError({
+        printf: ["no valid key found in issuer's jwks_uri for key parameters %j", def],
+        jwks: keystore,
+      });
+    }
+
+    if (!allowMulti && keys.length > 1 && !kid) {
+      throw new RPError({
+        printf: ["multiple matching keys found in issuer's jwks_uri for key parameters %j, kid must be provided in this case", def],
+        jwks: keystore,
+      });
+    }
+
+    cache.set(defHash, true);
+
+    return new jose.JWKS.KeyStore(keys);
+  }
+
+  /**
+   * @name metadata
+   * @api public
+   */
+  get metadata() {
+    const copy = {};
+    instance(this).get('metadata').forEach((value, key) => {
+      copy[key] = value;
+    });
+    return copy;
+  }
+
+  /**
+   * @name webfinger
+   * @api public
+   */
+  static async webfinger(input) {
+    const resource = webfingerNormalize(input);
+    const { host } = url.parse(resource);
+    const webfingerUrl = `https://${host}${WEBFINGER}`;
+
+    const response = await request.call(this, {
+      method: 'GET',
+      url: webfingerUrl,
+      responseType: 'json',
+      searchParams: { resource, rel: REL },
+      followRedirect: true,
+    });
+    const body = processResponse(response);
+
+    const location = Array.isArray(body.links) && body.links.find((link) => typeof link === 'object' && link.rel === REL && link.href);
+
+    if (!location) {
+      throw new RPError({
+        message: 'no issuer found in webfinger response',
+        body,
+      });
+    }
+
+    if (typeof location.href !== 'string' || !location.href.startsWith('https://')) {
+      throw new RPError({
+        printf: ['invalid issuer location %s', location.href],
+        body,
+      });
+    }
+
+    const expectedIssuer = location.href;
+    if (registry.has(expectedIssuer)) {
+      return registry.get(expectedIssuer);
+    }
+
+    const issuer = await this.discover(expectedIssuer);
+
+    if (issuer.issuer !== expectedIssuer) {
+      registry.delete(issuer.issuer);
+      throw new RPError('discovered issuer mismatch, expected %s, got: %s', expectedIssuer, issuer.issuer);
+    }
+    return issuer;
+  }
+
+  /**
+   * @name discover
+   * @api public
+   */
+  static async discover(uri) {
+    const parsed = url.parse(uri);
+
+    if (parsed.pathname.includes('/.well-known/')) {
+      const response = await request.call(this, {
+        method: 'GET',
+        responseType: 'json',
+        url: uri,
+      });
+      const body = processResponse(response);
+      return new Issuer({
+        ...ISSUER_DEFAULTS,
+        ...body,
+        [AAD_MULTITENANT]: !!AAD_MULTITENANT_DISCOVERY.find(
+          (discoveryURL) => uri.startsWith(discoveryURL),
+        ),
+      });
+    }
+
+    const pathnames = [];
+    if (parsed.pathname.endsWith('/')) {
+      pathnames.push(`${parsed.pathname}${OIDC_DISCOVERY.substring(1)}`);
+    } else {
+      pathnames.push(`${parsed.pathname}${OIDC_DISCOVERY}`);
+    }
+    if (parsed.pathname === '/') {
+      pathnames.push(`${OAUTH2_DISCOVERY}`);
+    } else {
+      pathnames.push(`${OAUTH2_DISCOVERY}${parsed.pathname}`);
+    }
+
+    const errors = [];
+    // eslint-disable-next-line no-restricted-syntax
+    for (const pathname of pathnames) {
+      try {
+        const wellKnownUri = url.format({ ...parsed, pathname });
+        // eslint-disable-next-line no-await-in-loop
+        const response = await request.call(this, {
+          method: 'GET',
+          responseType: 'json',
+          url: wellKnownUri,
+        });
+        const body = processResponse(response);
+        return new Issuer({
+          ...ISSUER_DEFAULTS,
+          ...body,
+          [AAD_MULTITENANT]: !!AAD_MULTITENANT_DISCOVERY.find(
+            (discoveryURL) => wellKnownUri.startsWith(discoveryURL),
+          ),
+        });
+      } catch (err) {
+        errors.push(err);
+      }
+    }
+
+    const err = new AggregateError(errors);
+    err.message = `Issuer.discover() failed.${err.message.split('\n')
+      .filter((line) => !line.startsWith('        at')).join('\n')}`;
+    throw err;
+  }
+
+  /* istanbul ignore next */
+  [inspect.custom]() {
+    return `${this.constructor.name} ${inspect(this.metadata, {
+      depth: Infinity,
+      colors: process.stdout.isTTY,
+      compact: false,
+      sorted: true,
+    })}`;
+  }
+}
+
+module.exports = Issuer;

node_modules/openid-client/lib/issuer_registry.js

@@ -0,0 +1,3 @@
+const REGISTRY = new Map();
+
+module.exports = REGISTRY;

node_modules/openid-client/lib/passport_strategy.js

@@ -0,0 +1,188 @@
+/* eslint-disable no-underscore-dangle */
+
+const url = require('url');
+const { format } = require('util');
+
+const cloneDeep = require('./helpers/deep_clone');
+const { RPError, OPError } = require('./errors');
+const { BaseClient } = require('./client');
+const { random, codeChallenge } = require('./helpers/generators');
+const pick = require('./helpers/pick');
+const { resolveResponseType, resolveRedirectUri } = require('./helpers/client');
+
+function verified(err, user, info = {}) {
+  if (err) {
+    this.error(err);
+  } else if (!user) {
+    this.fail(info);
+  } else {
+    this.success(user, info);
+  }
+}
+
+/**
+ * @name constructor
+ * @api public
+ */
+function OpenIDConnectStrategy({
+  client,
+  params = {},
+  passReqToCallback = false,
+  sessionKey,
+  usePKCE = true,
+  extras = {},
+} = {}, verify) {
+  if (!(client instanceof BaseClient)) {
+    throw new TypeError('client must be an instance of openid-client Client');
+  }
+
+  if (typeof verify !== 'function') {
+    throw new TypeError('verify callback must be a function');
+  }
+
+  if (!client.issuer || !client.issuer.issuer) {
+    throw new TypeError('client must have an issuer with an identifier');
+  }
+
+  this._client = client;
+  this._issuer = client.issuer;
+  this._verify = verify;
+  this._passReqToCallback = passReqToCallback;
+  this._usePKCE = usePKCE;
+  this._key = sessionKey || `oidc:${url.parse(this._issuer.issuer).hostname}`;
+  this._params = cloneDeep(params);
+  this._extras = cloneDeep(extras);
+
+  if (!this._params.response_type) this._params.response_type = resolveResponseType.call(client);
+  if (!this._params.redirect_uri) this._params.redirect_uri = resolveRedirectUri.call(client);
+  if (!this._params.scope) this._params.scope = 'openid';
+
+  if (this._usePKCE === true) {
+    const supportedMethods = Array.isArray(this._issuer.code_challenge_methods_supported)
+      ? this._issuer.code_challenge_methods_supported : false;
+
+    if (supportedMethods && supportedMethods.includes('S256')) {
+      this._usePKCE = 'S256';
+    } else if (supportedMethods && supportedMethods.includes('plain')) {
+      this._usePKCE = 'plain';
+    } else if (supportedMethods) {
+      throw new TypeError('neither code_challenge_method supported by the client is supported by the issuer');
+    } else {
+      this._usePKCE = 'S256';
+    }
+  } else if (typeof this._usePKCE === 'string' && !['plain', 'S256'].includes(this._usePKCE)) {
+    throw new TypeError(`${this._usePKCE} is not valid/implemented PKCE code_challenge_method`);
+  }
+
+  this.name = url.parse(client.issuer.issuer).hostname;
+}
+
+OpenIDConnectStrategy.prototype.authenticate = function authenticate(req, options) {
+  (async () => {
+    const client = this._client;
+    if (!req.session) {
+      throw new TypeError('authentication requires session support');
+    }
+    const reqParams = client.callbackParams(req);
+    const sessionKey = this._key;
+
+    /* start authentication request */
+    if (Object.keys(reqParams).length === 0) {
+      // provide options object with extra authentication parameters
+      const params = {
+        state: random(),
+        ...this._params,
+        ...options,
+      };
+
+      if (!params.nonce && params.response_type.includes('id_token')) {
+        params.nonce = random();
+      }
+
+      req.session[sessionKey] = pick(params, 'nonce', 'state', 'max_age', 'response_type');
+
+      if (this._usePKCE && params.response_type.includes('code')) {
+        const verifier = random();
+        req.session[sessionKey].code_verifier = verifier;
+
+        switch (this._usePKCE) { // eslint-disable-line default-case
+          case 'S256':
+            params.code_challenge = codeChallenge(verifier);
+            params.code_challenge_method = 'S256';
+            break;
+          case 'plain':
+            params.code_challenge = verifier;
+            break;
+        }
+      }
+
+      this.redirect(client.authorizationUrl(params));
+      return;
+    }
+    /* end authentication request */
+
+    /* start authentication response */
+
+    const session = req.session[sessionKey];
+    if (Object.keys(session || {}).length === 0) {
+      throw new Error(format('did not find expected authorization request details in session, req.session["%s"] is %j', sessionKey, session));
+    }
+
+    const {
+      state, nonce, max_age: maxAge, code_verifier: codeVerifier, response_type: responseType,
+    } = session;
+
+    try {
+      delete req.session[sessionKey];
+    } catch (err) {}
+
+    const opts = {
+      redirect_uri: this._params.redirect_uri,
+      ...options,
+    };
+
+    const checks = {
+      state,
+      nonce,
+      max_age: maxAge,
+      code_verifier: codeVerifier,
+      response_type: responseType,
+    };
+
+    const tokenset = await client.callback(opts.redirect_uri, reqParams, checks, this._extras);
+
+    const passReq = this._passReqToCallback;
+    const loadUserinfo = this._verify.length > (passReq ? 3 : 2) && client.issuer.userinfo_endpoint;
+
+    const args = [tokenset, verified.bind(this)];
+
+    if (loadUserinfo) {
+      if (!tokenset.access_token) {
+        throw new RPError({
+          message: 'expected access_token to be returned when asking for userinfo in verify callback',
+          tokenset,
+        });
+      }
+      const userinfo = await client.userinfo(tokenset);
+      args.splice(1, 0, userinfo);
+    }
+
+    if (passReq) {
+      args.unshift(req);
+    }
+
+    this._verify(...args);
+    /* end authentication response */
+  })().catch((error) => {
+    if (
+      (error instanceof OPError && error.error !== 'server_error' && !error.error.startsWith('invalid'))
+      || error instanceof RPError
+    ) {
+      this.fail(error);
+    } else {
+      this.error(error);
+    }
+  });
+};
+
+module.exports = OpenIDConnectStrategy;

node_modules/openid-client/lib/token_set.js

@@ -0,0 +1,50 @@
+const base64url = require('./helpers/base64url');
+const now = require('./helpers/unix_timestamp');
+
+class TokenSet {
+  /**
+   * @name constructor
+   * @api public
+   */
+  constructor(values) {
+    Object.assign(this, values);
+  }
+
+  /**
+   * @name expires_in=
+   * @api public
+   */
+  set expires_in(value) { // eslint-disable-line camelcase
+    this.expires_at = now() + Number(value);
+  }
+
+  /**
+   * @name expires_in
+   * @api public
+   */
+  get expires_in() { // eslint-disable-line camelcase
+    return Math.max.apply(null, [this.expires_at - now(), 0]);
+  }
+
+  /**
+   * @name expired
+   * @api public
+   */
+  expired() {
+    return this.expires_in === 0;
+  }
+
+  /**
+   * @name claims
+   * @api public
+   */
+  claims() {
+    if (!this.id_token) {
+      throw new TypeError('id_token not present in TokenSet');
+    }
+
+    return JSON.parse(base64url.decode(this.id_token.split('.')[1]));
+  }
+}
+
+module.exports = TokenSet;