From fe8a797087a98cedb1565952c093cd84c9ef6184 Mon Sep 17 00:00:00 2001 From: Jeremy PASTOURET Date: Tue, 19 Nov 2024 19:05:32 +0100 Subject: [PATCH 1/5] =?UTF-8?q?chore:=20mise=20=C3=A0=20jour=20de=20d?= =?UTF-8?q?=C3=A9pendances=20mineurs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- package-lock.json | 233 +++++++++++++++++++++++++--------------------- package.json | 8 +- 2 files changed, 133 insertions(+), 108 deletions(-) diff --git a/package-lock.json b/package-lock.json index d082c21d97..90382a7718 100644 --- a/package-lock.json +++ b/package-lock.json @@ -34,7 +34,7 @@ "iframe-resizer": "^4.3.2", "jamstack-loader": "^0.0.9", "js-yaml": "^4.1.0", - "jsonwebtoken": "^9.0.0", + "jsonwebtoken": "^9.0.2", "lodash.clonedeep": "^4.5.0", "lodash.isequal": "^4.5.0", "lodash.range": "^3.2.0", @@ -43,11 +43,11 @@ "mongoose": "^6.11.3", "morgan": "^1.10.0", "nodemailer": "^6.9.3", - "openid-client": "^5.6.5", + "openid-client": "^6.1.3", "pinia": "^2.0.16", - "tmp": "^0.2.1", + "tmp": "^0.2.3", "ts-node": "^10.9.2", - "validator": "^13.7.0", + "validator": "^13.12.0", "vite": "^4.3.9", "vite-plugin-html": "^3.2.0", "vue": "^3.2.47", @@ -12425,9 +12425,9 @@ } }, "node_modules/jose": { - "version": "4.15.5", - "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.5.tgz", - "integrity": "sha512-jc7BFxgKPKi94uOvEmzlSWFFe2+vASyXaKUpdQKatWAESU2MWjDfFf0fdfc83CDKcA5QecabZeNLyfhe3yKNkg==", + "version": "5.9.6", + "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz", + "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==", "funding": { "url": "https://github.com/sponsors/panva" } 
@@ -12533,13 +12533,20 @@ } }, "node_modules/jsonwebtoken": { - "version": "9.0.0", - "license": "MIT", + "version": "9.0.2", + "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz", + "integrity": "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==", "dependencies": { "jws": "^3.2.2", - "lodash": "^4.17.21", + "lodash.includes": "^4.3.0", + "lodash.isboolean": "^3.0.3", + "lodash.isinteger": "^4.0.4", + "lodash.isnumber": "^3.0.3", + "lodash.isplainobject": "^4.0.6", + "lodash.isstring": "^4.0.1", + "lodash.once": "^4.0.0", "ms": "^2.1.1", - "semver": "^7.3.8" + "semver": "^7.5.4" }, "engines": { "node": ">=12", @@ -13138,6 +13145,16 @@ "version": "4.0.8", "license": "MIT" }, + "node_modules/lodash.includes": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz", + "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==" + }, + "node_modules/lodash.isboolean": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", + "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==" + }, "node_modules/lodash.isequal": { "version": "4.5.0", "license": "MIT" 
@@ -13148,6 +13165,26 @@ "integrity": "sha512-7FGG40uhC8Mm633uKW1r58aElFlBlxCrg9JfSi3P6aYiWmfiWF0PgMd86ZUsxE5GwWPdHoS2+48bwTh2VPkIQA==", "peer": true }, + "node_modules/lodash.isinteger": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz", + "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==" + }, + "node_modules/lodash.isnumber": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz", + "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==" + }, + "node_modules/lodash.isplainobject": { + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz", + "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==" + }, + "node_modules/lodash.isstring": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz", + "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==" + }, "node_modules/lodash.memoize": { "version": "4.1.2", "dev": true, @@ -13160,7 +13197,6 @@ }, "node_modules/lodash.once": { "version": "4.1.1", - "dev": true, "license": "MIT" }, "node_modules/lodash.range": { @@ -14259,6 +14295,14 @@ "url": "https://github.com/fb55/nth-check?sponsor=1" } }, + "node_modules/oauth4webapi": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.1.3.tgz", + "integrity": "sha512-dik5wEMdFL5p3JlijYvM7wMNCgaPhblLIDCZtdXcaZp5wgu5Iwmsu7lMzgFhIDTi5d0BJo03LVoOoFQvXMeOeQ==", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/object-assign": { "version": "4.1.1", "license": "MIT", 
@@ -14266,14 +14310,6 @@ "node": ">=0.10.0" } }, - "node_modules/object-hash": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz", - "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==", - "engines": { - "node": ">= 6" - } - }, "node_modules/object-inspect": { "version": "1.12.3", "license": "MIT", @@ -14339,14 +14375,6 @@ "version": "1.1.2", "license": "MIT" }, - "node_modules/oidc-token-hash": { - "version": "5.0.3", - "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz", - "integrity": "sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==", - "engines": { - "node": "^10.13.0 || >=12.0.0" - } - }, "node_modules/on-finished": { "version": "2.3.0", "license": "MIT", 
@@ -14408,35 +14436,17 @@ } }, "node_modules/openid-client": { - "version": "5.6.5", - "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.6.5.tgz", - "integrity": "sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==", + "version": "6.1.3", + "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-6.1.3.tgz", + "integrity": "sha512-74sc0bR4ptfwCwMheLPaJHTQnds+97Yu6O8eQgoO3MRcd53xkfKyl3gNAsRsYSYoO+AVG3eCgnRMjRkZ6n2RYw==", "dependencies": { - "jose": "^4.15.5", - "lru-cache": "^6.0.0", - "object-hash": "^2.2.0", - "oidc-token-hash": "^5.0.3" + "jose": "^5.9.6", + "oauth4webapi": "^3.1.1" }, "funding": { "url": "https://github.com/sponsors/panva" } }, - "node_modules/openid-client/node_modules/lru-cache": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", - "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", - "dependencies": { - "yallist": "^4.0.0" - }, - "engines": { - "node": ">=10" - } - }, - "node_modules/openid-client/node_modules/yallist": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" - }, "node_modules/openurl": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/openurl/-/openurl-1.1.1.tgz", @@ -16390,13 +16400,11 @@ } }, "node_modules/tmp": { - "version": "0.2.1", - "license": "MIT", - "dependencies": { - "rimraf": "^3.0.0" - }, + "version": "0.2.3", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz", + "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==", "engines": { - "node": ">=8.17.0" + "node": ">=14.14" } }, "node_modules/tmpl": { 
@@ -16964,8 +16972,9 @@ } }, "node_modules/validator": { - "version": "13.7.0", - "license": "MIT", + "version": "13.12.0", + "resolved": "https://registry.npmjs.org/validator/-/validator-13.12.0.tgz", + "integrity": "sha512-c1Q0mCiPlgdTVVVIJIrBuxNicYE+t/7oKeI9MWLj3fh/uq2Pxh/3eeWbVZ4OcGW1TUf53At0njHw5SMdA3tmMg==", "engines": { "node": ">= 0.10" } @@ -26383,9 +26392,9 @@ } }, "jose": { - "version": "4.15.5", - "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.5.tgz", - "integrity": "sha512-jc7BFxgKPKi94uOvEmzlSWFFe2+vASyXaKUpdQKatWAESU2MWjDfFf0fdfc83CDKcA5QecabZeNLyfhe3yKNkg==" + "version": "5.9.6", + "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz", + "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==" }, "js-beautify": { "version": "1.14.0", @@ -26452,12 +26461,20 @@ } }, "jsonwebtoken": { - "version": "9.0.0", + "version": "9.0.2", + "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz", + "integrity": "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==", "requires": { "jws": "^3.2.2", - "lodash": "^4.17.21", + "lodash.includes": "^4.3.0", + "lodash.isboolean": "^3.0.3", + "lodash.isinteger": "^4.0.4", + "lodash.isnumber": "^3.0.3", + "lodash.isplainobject": "^4.0.6", + "lodash.isstring": "^4.0.1", + "lodash.once": "^4.0.0", "ms": "^2.1.1", - "semver": "^7.3.8" + "semver": "^7.5.4" }, "dependencies": { "lru-cache": { 
@@ -26846,6 +26863,16 @@ "lodash.debounce": { "version": "4.0.8" }, + "lodash.includes": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz", + "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==" + }, + "lodash.isboolean": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", + "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==" + }, "lodash.isequal": { "version": "4.5.0" }, @@ -26855,6 +26882,26 @@ "integrity": "sha512-7FGG40uhC8Mm633uKW1r58aElFlBlxCrg9JfSi3P6aYiWmfiWF0PgMd86ZUsxE5GwWPdHoS2+48bwTh2VPkIQA==", "peer": true }, + "lodash.isinteger": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz", + "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==" + }, + "lodash.isnumber": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz", + "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==" + }, + "lodash.isplainobject": { + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz", + "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==" + }, + "lodash.isstring": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz", + "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==" + }, "lodash.memoize": { "version": "4.1.2", "dev": true @@ -26864,8 +26911,7 @@ "dev": true }, "lodash.once": { - "version": "4.1.1", - "dev": true + "version": "4.1.1" }, "lodash.range": { "version": "3.2.0" 
@@ -27677,14 +27723,14 @@ "boolbase": "^1.0.0" } }, + "oauth4webapi": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.1.3.tgz", + "integrity": "sha512-dik5wEMdFL5p3JlijYvM7wMNCgaPhblLIDCZtdXcaZp5wgu5Iwmsu7lMzgFhIDTi5d0BJo03LVoOoFQvXMeOeQ==" + }, "object-assign": { "version": "4.1.1" }, - "object-hash": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz", - "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==" - }, "object-inspect": { "version": "1.12.3" }, @@ -27720,11 +27766,6 @@ "obuf": { "version": "1.1.2" }, - "oidc-token-hash": { - "version": "5.0.3", - "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz", - "integrity": "sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==" - }, "on-finished": { "version": "2.3.0", "requires": { 
@@ -27759,29 +27800,12 @@ "dev": true }, "openid-client": { - "version": "5.6.5", - "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.6.5.tgz", - "integrity": "sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==", + "version": "6.1.3", + "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-6.1.3.tgz", + "integrity": "sha512-74sc0bR4ptfwCwMheLPaJHTQnds+97Yu6O8eQgoO3MRcd53xkfKyl3gNAsRsYSYoO+AVG3eCgnRMjRkZ6n2RYw==", "requires": { - "jose": "^4.15.5", - "lru-cache": "^6.0.0", - "object-hash": "^2.2.0", - "oidc-token-hash": "^5.0.3" - }, - "dependencies": { - "lru-cache": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", - "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", - "requires": { - "yallist": "^4.0.0" - } - }, - "yallist": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" - } + "jose": "^5.9.6", + "oauth4webapi": "^3.1.1" } }, "openurl": { @@ -29050,10 +29074,9 @@ "dev": true }, "tmp": { - "version": "0.2.1", - "requires": { - "rimraf": "^3.0.0" - } + "version": "0.2.3", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz", + "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==" }, "tmpl": { "version": "1.0.5", @@ -29390,7 +29413,9 @@ "version": "3.0.1" }, "validator": { - "version": "13.7.0" + "version": "13.12.0", + "resolved": "https://registry.npmjs.org/validator/-/validator-13.12.0.tgz", + "integrity": "sha512-c1Q0mCiPlgdTVVVIJIrBuxNicYE+t/7oKeI9MWLj3fh/uq2Pxh/3eeWbVZ4OcGW1TUf53At0njHw5SMdA3tmMg==" }, "vary": { "version": "1.1.2" diff --git a/package.json b/package.json index 521d82db4b..377c146b68 100644 --- a/package.json +++ b/package.json 
@@ -78,7 +78,7 @@
"iframe-resizer": "^4.3.2",
"jamstack-loader": "^0.0.9",
"js-yaml": "^4.1.0",
- "jsonwebtoken": "^9.0.0",
+ "jsonwebtoken": "^9.0.2",
"lodash.clonedeep": "^4.5.0",
"lodash.isequal": "^4.5.0",
"lodash.range": "^3.2.0",
@@ -87,11 +87,11 @@
"mongoose": "^6.11.3",
"morgan": "^1.10.0",
"nodemailer": "^6.9.3",
- "openid-client": "^5.6.5",
+ "openid-client": "^6.1.3",
"pinia": "^2.0.16",
- "tmp": "^0.2.1",
+ "tmp": "^0.2.3",
"ts-node": "^10.9.2",
- "validator": "^13.7.0",
+ "validator": "^13.12.0",
"vite": "^4.3.9",
"vite-plugin-html": "^3.2.0",
"vue": "^3.2.47",
From 34dc8b0a6a32953c5ef490569681d3f62ea241a5 Mon Sep 17 00:00:00 2001
From: Jeremy PASTOURET
Date: Wed, 11 Dec 2024 16:10:31 +0100
Subject: [PATCH 2/5] =?UTF-8?q?fix:=20readapation=20du=20code=20en=20r?= =?UTF-8?q?=C3=A9utilisation=20la=20documentation=20officiel=20d'OpenID?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
backend/controllers/moncomptepro.ts | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/backend/controllers/moncomptepro.ts b/backend/controllers/moncomptepro.ts
index 925cc1a6b4..120fa1a4d6 100644
--- a/backend/controllers/moncomptepro.ts
+++ b/backend/controllers/moncomptepro.ts
@@ -5,7 +5,7 @@ import Sentry from "@sentry/node"
const JWT_EXPIRATION_DELAY = 15552000 // 6 * 30 * 24 * 60 * 60 = 6 months
const MCP_TOKEN = "mcp_token"
-const MCP_STATE = "mcp_ste"
+const MCP_NONCE = "mcp_nnce"
const MCP_CODE_VERIFER = "mcp_vrfer"
const accompagnement = config.accompagnement
@@ -32,9 +32,9 @@ const login = async (req, res) => {
const codeChallenge: string = await client.calculatePKCECodeChallenge(
codeVerifier
)
- let state!: string
+ let nonce!: string
const parameters: Record = {
- redirect_uri: redirect_uri,
+ redirect_uri,
scope,
codeChallenge,
code_challenge_method: "S256",
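Review bot: The `parameters` object in the `login` hunk still carries the PKCE challenge under the shorthand key `codeChallenge,` next to `code_challenge_method: "S256",`, so unless the library renames that key the authorization request sends `codeChallenge=` and no `code_challenge`, and the verifier later sent at token exchange has nothing on the server side to match against. The line is context the commit leaves untouched, but it sits on the new side. Change it to `code_challenge: codeChallenge,`. `login` starts before and continues past this hunk.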
@@ -47,15 +47,15 @@ const login = async (req, res) => {
* is why we're using it regardless. Like PKCE, random state must be generated
* for every redirect to the authorization_endpoint.
*/
- state = client.randomState()
- parameters.state = state
+ nonce = client.randomState()
+ parameters.nonce = nonce
+ res.cookie(MCP_NONCE, nonce)
}
- res.cookie(MCP_STATE, state)
res.cookie(MCP_CODE_VERIFER, codeVerifier)
const redirectUrl: URL = client.buildAuthorizationUrl(mcpIssuer, parameters)
- return res.redirect(redirectUrl)
+ return res.redirect(redirectUrl.href)
}
const retrieveMcpAccessToken = async (req) => {
@@ -63,11 +63,12 @@ const retrieveMcpAccessToken = async (req) => {
const mcpIssuer = await getMcpClient()
const { cookies } = req
const codeVerifier = cookies && cookies[MCP_CODE_VERIFER]
- const state = cookies && cookies[MCP_STATE]
+ const nonce = cookies && cookies[MCP_NONCE]
return await client.authorizationCodeGrant(mcpIssuer, req, {
pkceCodeVerifier: codeVerifier,
- expectedState: state,
+ expectedNonce: nonce,
+ idTokenExpected: true,
})
} catch (error) {
console.error("Error in retrieveMcpAccessToken: ", error)
@@ -89,7 +90,6 @@ const access = async (req, res, next) => {
}
const { access_token } = tokens
- const claims = tokens.claims()!
const { sub } = claims
const userInfo = await client.fetchUserInfo(mcpIssuer, access_token, sub)
@@ -140,7 +140,7 @@ const loginCallbackRedirect = (req, res) => {
const clearCookie = (res) => {
res.clearCookie(MCP_TOKEN)
res.clearCookie(MCP_CODE_VERIFER)
- res.clearCookie(MCP_STATE)
+ res.clearCookie(MCP_NONCE)
}
const logout = async (req, res, next) => {
From 199a827a1d874c0cd78b0f130e2f7d177eeb7f66 Mon Sep 17 00:00:00 2001
From: Jeremy PASTOURET
Date: Thu, 12 Dec 2024 10:20:37 +0100
Subject: [PATCH 3/5] feat: premier niveau de connexion
---
backend/controllers/moncomptepro.ts | 35 ++---------------------------
1 file changed, 2 insertions(+), 33 deletions(-)
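Review bot: `+ res.cookie(MCP_NONCE, nonce)` and the kept `res.cookie(MCP_CODE_VERIFER, codeVerifier)` store the nonce and the PKCE verifier with no cookie attributes, so both are readable by page scripts and outlive the login round-trip; pass options such as `{ httpOnly: true, secure: true, sameSite: "lax", maxAge: <login-window-in-ms> }` (lax so the IdP's top-level redirect back still carries them). The nonce is also only generated inside the `!supportsPKCE()` branch and the `state` cookie is removed outright, so when the server advertises PKCE the request carries neither `state` nor `nonce` and the callback in the `retrieveMcpAccessToken` hunk below passes `expectedNonce: undefined` together with `idTokenExpected: true`; generating the nonce unconditionally, via `client.randomNonce()` rather than `client.randomState()`, keeps the ID-token check meaningful. The enclosing `if` block and `login` begin before this hunk.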
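Review bot: The `access` hunk removes `const claims = tokens.claims()!` but keeps `const { sub } = claims` on the following line, so `claims` has no declaration visible here; unless it is declared earlier in `access` (above the hunk) this no longer compiles, and with `idTokenExpected: true` now requested in the callback the ID-token claims are exactly where `sub` should come from. Keep the line, i.e. `const claims = tokens.claims()!` directly above `const { sub } = claims`. `access` begins before this hunk.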
diff --git a/backend/controllers/moncomptepro.ts b/backend/controllers/moncomptepro.ts
index 120fa1a4d6..450c0a647f 100644
--- a/backend/controllers/moncomptepro.ts
+++ b/backend/controllers/moncomptepro.ts
@@ -5,7 +5,6 @@ import Sentry from "@sentry/node"
const JWT_EXPIRATION_DELAY = 15552000 // 6 * 30 * 24 * 60 * 60 = 6 months
const MCP_TOKEN = "mcp_token"
-const MCP_NONCE = "mcp_nnce"
const MCP_CODE_VERIFER = "mcp_vrfer"
const accompagnement = config.accompagnement
@@ -28,32 +27,10 @@ const getMcpClient = async (): Promise => {
const login = async (req, res) => {
const mcpIssuer = await getMcpClient()
- const codeVerifier: string = client.randomPKCECodeVerifier()
- const codeChallenge: string = await client.calculatePKCECodeChallenge(
- codeVerifier
- )
- let nonce!: string
const parameters: Record = {
redirect_uri,
scope,
- codeChallenge,
- code_challenge_method: "S256",
}
-
- if (!mcpIssuer.serverMetadata().supportsPKCE()) {
- /**
- * We cannot be sure the server supports PKCE so we're going to use state too.
- * Use of PKCE is backwards compatible even if the AS doesn't support it which
- * is why we're using it regardless. Like PKCE, random state must be generated
- * for every redirect to the authorization_endpoint.
- */
- nonce = client.randomState()
- parameters.nonce = nonce
- res.cookie(MCP_NONCE, nonce)
- }
-
- res.cookie(MCP_CODE_VERIFER, codeVerifier)
-
const redirectUrl: URL = client.buildAuthorizationUrl(mcpIssuer, parameters)
return res.redirect(redirectUrl.href)
}
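Review bot: The `login` hunk drops the PKCE code challenge and the nonce, and no `state` is set, so the authorization request now carries only `redirect_uri` and `scope` and nothing binds the eventual `/auth/redirect` callback to the browser session that started the flow; the `retrieveMcpAccessToken` hunk of this commit and the one in the next commit (`fix: redirection au login MCP`) correspondingly pass `{}` as the checks, so a code arriving at the callback is exchanged without any verifier or state comparison, which is the login-CSRF / code-injection exposure the removed lines guarded against. The `MCP_CODE_VERIFER` cookie still cleared in `clearCookie` is meanwhile never set. Restoring PKCE plus `state` as below, with the callback passing `{ pkceCodeVerifier: cookies[MCP_CODE_VERIFER], expectedState: cookies[MCP_STATE] }`, keeps the binding without depending on server-side PKCE support; note `code_challenge` is the wire parameter name, not the `codeChallenge` key of the removed line. `MCP_STATE` is the cookie-name constant this file had before the previous commit and needs reintroducing next to `MCP_CODE_VERIFER`.

```typescript
const login = async (req, res) => {
  const mcpIssuer = await getMcpClient()
  const codeVerifier: string = client.randomPKCECodeVerifier()
  const codeChallenge: string = await client.calculatePKCECodeChallenge(
    codeVerifier
  )
  const state: string = client.randomState()
  const parameters: Record<string, string> = {
    redirect_uri,
    scope,
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
    state,
  }
  // Bind this authorization request to the browser session that started it;
  // the callback reads both cookies back as pkceCodeVerifier / expectedState.
  const bindingCookie = { httpOnly: true, secure: true, sameSite: "lax" as const }
  res.cookie(MCP_CODE_VERIFER, codeVerifier, bindingCookie)
  res.cookie(MCP_STATE, state, bindingCookie)
  // … unchanged: buildAuthorizationUrl + redirect …
}
```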
@@ -61,15 +38,8 @@ const login = async (req, res) => {
const retrieveMcpAccessToken = async (req) => {
try {
const mcpIssuer = await getMcpClient()
- const { cookies } = req
- const codeVerifier = cookies && cookies[MCP_CODE_VERIFER]
- const nonce = cookies && cookies[MCP_NONCE]
-
- return await client.authorizationCodeGrant(mcpIssuer, req, {
- pkceCodeVerifier: codeVerifier,
- expectedNonce: nonce,
- idTokenExpected: true,
- })
+
+ return await client.authorizationCodeGrant(mcpIssuer, req, {})
} catch (error) {
console.error("Error in retrieveMcpAccessToken: ", error)
throw error
@@ -140,7 +110,6 @@ const loginCallbackRedirect = (req, res) => {
const clearCookie = (res) => {
res.clearCookie(MCP_TOKEN)
res.clearCookie(MCP_CODE_VERIFER)
- res.clearCookie(MCP_NONCE)
}
const logout = async (req, res, next) => {
From 713c45fbe91892532bb4b4907d9f0af753a8e8cd Mon Sep 17 00:00:00 2001
From: Shamzic
Date: Tue, 14 Jan 2025 18:04:26 +0100
Subject: [PATCH 4/5] fix: redirection au login MCP (page accompagnement)
---
backend/controllers/moncomptepro.ts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/controllers/moncomptepro.ts b/backend/controllers/moncomptepro.ts
index 450c0a647f..537ed256d1 100644
--- a/backend/controllers/moncomptepro.ts
+++ b/backend/controllers/moncomptepro.ts
@@ -38,8 +38,8 @@ const login = async (req, res) => {
const retrieveMcpAccessToken = async (req) => {
try {
const mcpIssuer = await getMcpClient()
-
- return await client.authorizationCodeGrant(mcpIssuer, req, {})
+ const currentUrl = new URL(config.baseURL + req.originalUrl)
+ return await client.authorizationCodeGrant(mcpIssuer, currentUrl, {})
} catch (error) {
console.error("Error in retrieveMcpAccessToken: ", error)
throw error
From ef88d3d3aea4c7fc68a59257517ead04c5c82f48 Mon Sep 17 00:00:00 2001
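Review bot: `new URL(config.baseURL + req.originalUrl)` in the `fix: redirection au login MCP` hunk joins base and path by string concatenation, so the result carries a double or a missing slash depending on whether `config.baseURL` ends in `/`; `new URL(req.originalUrl, config.baseURL)` resolves the path against the base instead (if `baseURL` is meant to carry a path prefix, keep the concatenation but say so in a comment). `req.originalUrl` does include the query string, which is what `authorizationCodeGrant` needs in order to read the callback parameters. `retrieveMcpAccessToken` continues past the hunk.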
From: Jeremy PASTOURET
Date: Wed, 15 Jan 2025 10:11:26 +0100
Subject: [PATCH 5/5] ajout du rate limit
---
backend/routes/moncomptepro.ts | 11 ++++++++++-
package-lock.json | 21 +++++++++++++++++++++
package.json | 3 ++-
3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/backend/routes/moncomptepro.ts b/backend/routes/moncomptepro.ts
index ed78121025..018786d01d 100644
--- a/backend/routes/moncomptepro.ts
+++ b/backend/routes/moncomptepro.ts
@@ -1,9 +1,18 @@
import cookieParser from "cookie-parser"
import moncompteproController from "../controllers/moncomptepro.js"
import { Express } from "express"
+import rateLimit from "express-rate-limit"
const moncompteproRoutes = function (api: Express) {
- api.get("/login", cookieParser(), moncompteproController.login)
+ const loginRateLimiter = rateLimit({
+ windowMs: 900000, // 15 minutes
+ })
+ api.get(
+ "/login",
+ cookieParser(),
+ loginRateLimiter,
+ moncompteproController.login
+ )
api.get(
"/auth/redirect",
cookieParser(),
diff --git a/package-lock.json b/package-lock.json
index 22a85717fc..e5acee82d9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -32,6 +32,7 @@
"errorhandler": "^1.5.1",
"event-stream": "4.0.1",
"express": "^4.21.1",
+ "express-rate-limit": "^7.4.1",
"express-validator": "^7.2.0",
"haversine": "^1.1.1",
"js-yaml": "^4.1.0",
@@ -10276,6 +10277,20 @@
"node": ">= 0.10.0"
}
},
+ "node_modules/express-rate-limit": {
+ "version": "7.5.0",
+ "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.0.tgz",
+ "integrity": "sha512-eB5zbQh5h+VenMPM3fh+nw1YExi5nMr6HUCR62ELSP11huvxm/Uir1H1QEyTkk5QX6A58pX6NmaTMceKZ0Eodg==",
+ "engines": {
+ "node": ">= 16"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/express-rate-limit"
+ },
+ "peerDependencies": {
+ "express": "^4.11 || 5 || ^5.0.0-beta.1"
+ }
+ },
"node_modules/express-validator": {
"version": "7.2.0",
"resolved": "https://registry.npmjs.org/express-validator/-/express-validator-7.2.0.tgz",
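Review bot: `rateLimit({ windowMs: 900000 })` configures only the window, so the allowed request count is whatever `express-rate-limit` defaults to for the installed version and the actual policy is invisible in the code; state it explicitly, e.g. `rateLimit({ windowMs: 900000, limit: 20, standardHeaders: "draft-7", legacyHeaders: false })` (20 is a constructed example, not a recommendation). The limiter keys on the client IP, so when the app runs behind a reverse proxy Express needs `trust proxy` configured for the real address, otherwise every user shares the proxy's bucket and a handful of requests lock `/login` for everyone. It is attached to `/login` only; `/auth/redirect`, which performs the token exchange, stays unlimited. `moncompteproRoutes` continues past the hunk.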
@@ -26095,6 +26110,12 @@
}
}
},
+ "express-rate-limit": {
+ "version": "7.5.0",
+ "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.0.tgz",
+ "integrity": "sha512-eB5zbQh5h+VenMPM3fh+nw1YExi5nMr6HUCR62ELSP11huvxm/Uir1H1QEyTkk5QX6A58pX6NmaTMceKZ0Eodg==",
+ "requires": {}
+ },
"express-validator": {
"version": "7.2.0",
"resolved": "https://registry.npmjs.org/express-validator/-/express-validator-7.2.0.tgz",
diff --git a/package.json b/package.json
index 266fdb21d9..fe740aedff 100644
--- a/package.json
+++ b/package.json
@@ -100,7 +100,8 @@
"vue-matomo": "^4.2.0",
"vue-router": "^4.1.6",
"webpack-cli": "^4.10.0",
- "webpack-dev-server": "^4.7.3"
+ "webpack-dev-server": "^4.7.3",
+ "express-rate-limit": "^7.4.1"
},
"devDependencies": {
"@sentry/vite-plugin": "^2.22.4",