Auth0 improvements (#83)

* feat: add safeStringify utility for improved JSON serialization and update response handling

* fix: improve error handling in auth0CallbackHandler by throwing errors instead of returning responses

* fix: update function call in index.js to include request parameter in post-process handling

* fix: update auth0 callback handling to improve JWT validation and response processing

* fix: update wrangler dependency to version 3.87.0 and remove unused packages from package-lock.json

* feat: add generateJsonResponse utility for standardized JSON responses and update response handling in index.js

* refactor: enhance generateJsonResponse function for improved input handling and response generation

* fix: add error handling for service response and service binding function calls in index.js

* fix: improve error handling in service response and binding function calls in index.js

* feat: add refresh token functionality and update integration type enum in index.js and auth0.js

Author: irensaltali

package-lock.json

@@ -0,0 +1,63 @@
+function safeStringify(obj) {
+    return JSON.stringify(obj, (key, value) => {
+        // Check if the value is a function, undefined, symbol, or a Promise
+        if (typeof value === 'function' || 
+            typeof value === 'undefined' || 
+            typeof value === 'symbol' || 
+            (typeof value === 'object' && value !== null && typeof value.then === 'function')) {
+            return undefined; // Exclude these values
+        }
+        return value; // Include all other values
+    });
+}
+
+function generateJsonResponse(input) {
+    if (input instanceof Response) {
+        return input;
+    }
+
+    if (input === null) {
+        return new Response(null, {
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            status: 200,
+        });
+    }
+
+    if (typeof input === 'string') {
+        return new Response(input, {
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            status: 200,
+        });
+    }
+
+    if (typeof input === 'object') {
+        const { statusCode, error, message, ...data } = input;
+        const responseBody = {
+            status: error ? 'error' : 'success',
+            message: message || (error ? 'An error occurred.' : 'Operation completed successfully.'),
+            data: error ? undefined : data,
+            error: error || undefined,
+        };
+
+        return new Response(JSON.stringify(responseBody), {
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            status: statusCode !== undefined ? statusCode : (error ? 500 : 200),
+        });
+    }
+
+    // Default response for unsupported input types
+    return new Response(null, {
+        headers: {
+            'Content-Type': 'application/json',
+        },
+        status: 400,
+    });
+}
+
+export { safeStringify, generateJsonResponse };

src/common.js

@@ -6,4 +6,5 @@ export const IntegrationTypeEnum = {
 	AUTH0CALLBACK : 'auth0_callback',
 	AUTH0USERINFO : 'auth0_userinfo',
 	AUTH0CALLBACKREDIRECT : 'auth0_callback_redirect',
+	AUTH0REFRESH: 'auth0_refresh',
 }

src/enums/integration-type.js

@@ -1,15 +1,14 @@
+import { safeStringify, generateJsonResponse } from "./common";
 const { jwtAuth } = await import('./auth');
-const responses = await import('./responses');
 const { ValueMapper } = await import('./mapping');
 const { setCorsHeaders } = await import('./cors');
 const { PathOperator } = await import('./path-ops');
 const { AuthError } = await import('./types/error_types');
 const { setPoweredByHeader } = await import('./powered-by');
 const { createProxiedRequest } = await import('./requests');
 const { IntegrationTypeEnum } = await import('./enums/integration-type');
-const { auth0CallbackHandler, validateIdToken, getProfile, redirectToLogin } = await import('./integrations/auth0');
 const { ServerlessAPIGatewayContext } = await import('./types/serverless_api_gateway_context');
-
+const { auth0CallbackHandler, validateIdToken, getProfile, redirectToLogin, refreshToken } = await import('./integrations/auth0');
 
 export default {
 	async fetch(request, env, ctx) {
@@ -69,7 +68,7 @@ export default {
 						return setPoweredByHeader(
 							setCorsHeaders(
 								request,
-								new Response(JSON.stringify({ error: error.message, code: error.code }), {
+								new Response(safeStringify({ error: error.message, code: error.code }), {
 									status: error.statusCode,
 									headers: { 'Content-Type': 'application/json' },
 								}),
@@ -83,13 +82,13 @@ export default {
 			}
 			else if (sagContext.apiConfig.authorizer && matchedPath.config.auth && sagContext.apiConfig.authorizer.type == 'auth0') {
 				try {
-					sagContext.jwtPayload = await validateIdToken(request, sagContext.apiConfig.authorizer);
+					sagContext.jwtPayload = await validateIdToken(request, null, sagContext.apiConfig.authorizer);
 				} catch (error) {
 					if (error instanceof AuthError) {
 						return setPoweredByHeader(
 							setCorsHeaders(
 								request,
-								new Response(JSON.stringify({ error: error.message, code: error.code }), {
+								new Response(safeStringify({ error: error.message, code: error.code }), {
 									status: error.statusCode,
 									headers: { 'Content-Type': 'application/json' },
 								}),
@@ -128,23 +127,88 @@ export default {
 					const module = await import(`${service.entrypoint}.js`);
 					const Service = module.default;
 					const serviceInstance = new Service();
-					const response = serviceInstance.fetch(request, env, ctx);
-					return setPoweredByHeader(setCorsHeaders(request, response, sagContext.apiConfig.cors));
+					const response = await serviceInstance.fetch(request, env, ctx);
+					try {
+						return setPoweredByHeader(setCorsHeaders(request, generateJsonResponse(response), sagContext.apiConfig.cors));
+					} catch (error) {
+						return setPoweredByHeader(
+							setCorsHeaders(
+								request,
+								new Response(safeStringify({ error: error.message, code: error.code }), {
+									status: error.statusCode || 500,
+									headers: { 'Content-Type': 'application/json' },
+								}),
+								sagContext.apiConfig.cors
+							)
+						);
+					}
 				}
 			} else if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.SERVICE_BINDING) {
 				const service =
 					sagContext.apiConfig.serviceBindings &&
 					sagContext.apiConfig.serviceBindings.find((serviceBinding) => serviceBinding.alias === matchedPath.config.integration.binding);
 
 				if (service) {
-					const response = await env[service.binding][matchedPath.config.integration.function](request, JSON.stringify(env), JSON.stringify(sagContext));
-					return setPoweredByHeader(setCorsHeaders(request, response, sagContext.apiConfig.cors));
+					try {
+						const response = await env[service.binding][matchedPath.config.integration.function](request, safeStringify(env), safeStringify(sagContext));
+						return setPoweredByHeader(setCorsHeaders(request, generateJsonResponse(response), sagContext.apiConfig.cors));
+					} catch (error) {
+						return setPoweredByHeader(
+							setCorsHeaders(
+								request,
+								new Response(safeStringify({ error: error.message, code: error.code }), {
+									status: error.statusCode || 500,
+									headers: { 'Content-Type': 'application/json' },
+								}),
+								sagContext.apiConfig.cors
+							)
+						);
+					}
 				}
 			} else if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.AUTH0CALLBACK) {
-				const urlParams = new URLSearchParams(sagContext.requestUrl.search);
-				const code = urlParams.get('code');
+				try {
+					const urlParams = new URLSearchParams(sagContext.requestUrl.search);
+					const code = urlParams.get('code');
+
+					const jwt = await auth0CallbackHandler(code, sagContext.apiConfig.authorizer);
+					sagContext.jwtPayload = await validateIdToken(null, jwt.id_token, sagContext.apiConfig.authorizer);
+
+					// Post-process logic
+					if (matchedPath.config.integration.post_process) {
+						const postProcessConfig = matchedPath.config.integration.post_process;
+						if (postProcessConfig.type === 'service_binding') {
+							const postProcessService = sagContext.apiConfig.serviceBindings.find(
+								(serviceBinding) => serviceBinding.alias === postProcessConfig.binding
+							);
+							if (postProcessService) {
+								await env[postProcessService.binding][postProcessConfig.function](request, safeStringify(env), safeStringify(sagContext));
+							}
+						}
+					}
 
-				return auth0CallbackHandler(code, sagContext.apiConfig.authorizer);
+					return setPoweredByHeader(setCorsHeaders(
+						request,
+						new Response(safeStringify(jwt), {
+							status: 200,
+							headers: { 'Content-Type': 'application/json' },
+						}),
+						sagContext.apiConfig.cors
+					));
+				} catch (error) {
+					console.error('Error processing Auth0 callback', error);
+					if (error instanceof AuthError) {
+						return setPoweredByHeader(setCorsHeaders(
+							request,
+							new Response(safeStringify({ error: error.message, code: error.code }), {
+								status: error.statusCode,
+								headers: { 'Content-Type': 'application/json' },
+							}),
+							sagContext.apiConfig.cors
+						));
+					} else {
+						return setPoweredByHeader(setCorsHeaders(request, responses.internalServerErrorResponse(), sagContext.apiConfig.cors));
+					}
+				}
 			} else if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.AUTH0USERINFO) {
 				const urlParams = new URLSearchParams(sagContext.requestUrl.search);
 				const accessToken = urlParams.get('access_token');
@@ -153,11 +217,13 @@ export default {
 			} else if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.AUTH0CALLBACKREDIRECT) {
 				const urlParams = new URLSearchParams(sagContext.requestUrl.search);
 				return redirectToLogin({ state: urlParams.get('state') }, sagContext.apiConfig.authorizer);
+			} else if (matchedPath.config.integration && matchedPath.config.integration.type == IntegrationTypeEnum.AUTH0REFRESH) {
+				return this.refreshTokenLogic(request, env, sagContext);
 			} else {
 				return setPoweredByHeader(
 					setCorsHeaders(
 						request,
-						new Response(JSON.stringify(matchedPath.config.response), { headers: { 'Content-Type': 'application/json' } }),
+						new Response(safeStringify(matchedPath.config.response), { headers: { 'Content-Type': 'application/json' } }),
 						sagContext.apiConfig.cors
 					),
 				);
@@ -185,4 +251,56 @@ export default {
 
 		return apiConfig;
 	},
+
+	async refreshTokenLogic(request, env, sagContext) {
+		const urlParams = new URLSearchParams(sagContext.requestUrl.search);
+		const refreshTokenParam = urlParams.get('refresh_token');
+
+		if (!refreshTokenParam) {
+			return setPoweredByHeader(setCorsHeaders(request,
+				new Response(
+					safeStringify({ error: 'Missing refresh token', code: 'missing_refresh_token' }),
+					{ status: 400, headers: { 'Content-Type': 'application/json' } }
+				),
+				sagContext.apiConfig.cors));
+		}
+
+		try {
+			sagContext.jwtPayload = await validateIdToken(request, null, sagContext.apiConfig.authorizer);
+			return setPoweredByHeader(setCorsHeaders(request,
+				new Response(
+					safeStringify({ message: 'Token is still valid', code: 'token_still_valid' }),
+					{ status: 200, headers: { 'Content-Type': 'application/json' } }
+				),
+				sagContext.apiConfig.cors));
+
+		} catch (error) {
+			if (error instanceof AuthError && error.code === 'ERR_JWT_EXPIRED') {
+				try {
+					const newTokens = await refreshToken(refreshTokenParam, sagContext.apiConfig.authorizer);
+					return setPoweredByHeader(setCorsHeaders(
+						request,
+						new Response(safeStringify(newTokens), { status: 200, headers: { 'Content-Type': 'application/json' }, }),
+						sagContext.apiConfig.cors
+					));
+				} catch (refreshError) {
+					return setPoweredByHeader(setCorsHeaders(
+						request,
+						new Response(safeStringify({ error: refreshError.message, code: refreshError.code }), {
+							status: refreshError.statusCode || 500, headers: { 'Content-Type': 'application/json' },
+						}),
+						sagContext.apiConfig.cors
+					));
+				}
+			} else {
+				return setPoweredByHeader(
+					setCorsHeaders(
+						request, new Response(safeStringify({ error: error.message, code: error.code }), {
+							status: error.statusCode || 500, headers: { 'Content-Type': 'application/json' },
+						}),
+						sagContext.apiConfig.cors
+					));
+			}
+		}
+	}
 };

src/index.js

@@ -25,38 +25,25 @@ async function auth0CallbackHandler(code, authorizer) {
 
         if (!response.ok) {
             const errorData = await response.json();
-            return new Response(JSON.stringify({
-                error: 'Failed to fetch token',
-                details: errorData
-            }), {
-                status: response.status,
-                headers: { 'Content-Type': 'application/json' }
-            });
+            throw new Error(`Failed to fetch token: ${JSON.stringify(errorData)}`);
         }
 
-        const data = await response.json();
-        return new Response(JSON.stringify(data), {
-            status: 200,
-            headers: { 'Content-Type': 'application/json' }
-        });
+        const jwt = await response.json();
+        return jwt;
     } catch (error) {
-        return new Response(JSON.stringify({
-            error: 'Internal Server Error',
-            message: error.message
-        }), {
-            status: 500,
-            headers: { 'Content-Type': 'application/json' }
-        });
+        throw new Error(`Internal Server Error: ${error.message}`);
     }
 }
 
-async function validateIdToken(request, authorizer) {
+async function validateIdToken(request, jwt, authorizer) {
     const { domain, jwks, jwks_uri } = authorizer;
-    const authHeader = request.headers.get('Authorization');
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-        throw new AuthError('No token provided or token format is invalid.', 'AUTH_ERROR', 401);
+    if (!jwt) {
+        const authHeader = request.headers.get('Authorization');
+        if (!authHeader || !authHeader.startsWith('Bearer ')) {
+            throw new AuthError('No token provided or token format is invalid.', 'AUTH_ERROR', 401);
+        }
+        jwt = authHeader.split(' ')[1];
     }
-    const jwt = authHeader.split(' ')[1];
 
     try {
         // Create a JWK Set from the JWKS endpoint or the JWKS data
@@ -153,4 +140,37 @@ async function redirectToLogin(params, authorizer) {
     return Response.redirect(loginUrl, 302);
 }
 
-export { auth0CallbackHandler, validateIdToken, getProfile, redirectToLogin };
+async function refreshToken(refreshToken, authorizer) {
+    const { domain, client_id, client_secret } = authorizer;
+
+    const tokenUrl = `https://${domain}/oauth/token`;
+
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id,
+        client_secret,
+        refresh_token: refreshToken
+    });
+
+    try {
+        const response = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded'
+            },
+            body: body.toString()
+        });
+
+        if (!response.ok) {
+            const errorData = await response.json();
+            throw new Error(`Failed to fetch token: ${JSON.stringify(errorData)}`);
+        }
+
+        const jwt = await response.json();
+        return jwt;
+    } catch (error) {
+        throw new Error(`Internal Server Error: ${error.message}`);
+    }
+}
+
+export { auth0CallbackHandler, validateIdToken, getProfile, redirectToLogin, refreshToken };

src/integrations/auth0.js

@@ -7,4 +7,4 @@ class AuthError extends Error {
 	}
 }
 
-export { AuthError }; // Ensure AuthError is exported
+export { AuthError };