logto-io
diff --git a/‎packages/core/package.json
Lines changed: 1 addition & 0 deletions b/‎packages/core/package.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/core/src/event-listeners/index.ts
Lines changed: 3 additions & 6 deletions b/‎packages/core/src/event-listeners/index.ts
Lines changed: 3 additions & 6 deletions
diff --git a/‎packages/core/src/middleware/koa-app-secret-transpilation.test.ts
Lines changed: 154 additions & 0 deletions b/‎packages/core/src/middleware/koa-app-secret-transpilation.test.ts
Lines changed: 154 additions & 0 deletions
diff --git a/‎packages/core/src/middleware/koa-app-secret-transpilation.ts
Lines changed: 132 additions & 0 deletions b/‎packages/core/src/middleware/koa-app-secret-transpilation.ts
Lines changed: 132 additions & 0 deletions
diff --git a/‎packages/core/src/middleware/koa-oidc-error-handler.ts
Lines changed: 7 additions & 7 deletions b/‎packages/core/src/middleware/koa-oidc-error-handler.ts
Lines changed: 7 additions & 7 deletions
diff --git a/‎packages/core/src/middleware/koa-slonik-error-handler.ts
Lines changed: 15 additions & 0 deletions b/‎packages/core/src/middleware/koa-slonik-error-handler.ts
Lines changed: 15 additions & 0 deletions
@@ -84,6 +84,7 @@
     "pg-protocol": "^1.6.0",
     "pluralize": "^8.0.0",
     "qrcode": "^1.5.3",
+    "raw-body": "^2.5.2",
     "redis": "^4.6.14",
     "roarr": "^7.11.0",
     "samlify": "2.8.11",
 
@@ -1,15 +1,12 @@
-import { ConsoleLog } from '@logto/shared';
-import chalk from 'chalk';
 import type Provider from 'oidc-provider';
 
 import type Queries from '#src/tenants/Queries.js';
+import { getConsoleLogFromContext } from '#src/utils/console.js';
 
 import { grantListener, grantRevocationListener } from './grant.js';
 import { interactionEndedListener, interactionStartedListener } from './interaction.js';
 import { recordActiveUsers } from './record-active-users.js';
 
-const consoleLog = new ConsoleLog(chalk.magenta('oidc'));
-
 /**
  * @see {@link https://github.com/panva/node-oidc-provider/blob/v7.x/docs/README.md#im-getting-a-client-authentication-failed-error-with-no-details Getting auth error with no details?}
  * @see {@link https://github.com/panva/node-oidc-provider/blob/v7.x/docs/events.md OIDC Provider events}
@@ -29,8 +26,8 @@ export const addOidcEventListeners = (provider: Provider, queries: Queries) => {
   });
   provider.addListener('interaction.started', interactionStartedListener);
   provider.addListener('interaction.ended', interactionEndedListener);
-  provider.addListener('server_error', (_, error) => {
-    consoleLog.error('server_error:', error);
+  provider.addListener('server_error', (ctx, error) => {
+    getConsoleLogFromContext(ctx).error('server_error:', error);
   });
 
   // Record token usage.
 
@@ -0,0 +1,154 @@
+import { type Context } from 'koa';
+import { type IRouterParamContext } from 'koa-router';
+
+import { MockQueries } from '#src/test-utils/tenant.js';
+import { createContextWithRouteParameters } from '#src/utils/test-utils.js';
+
+import koaAppSecretTranspilation from './koa-app-secret-transpilation.js';
+
+const { jest } = import.meta;
+
+describe('koaAppSecretTranspilation middleware', () => {
+  const next = jest.fn();
+  const findByCredentials = jest.fn();
+  const queries = new MockQueries({ applicationSecrets: { findByCredentials } });
+
+  type Values = {
+    authorization?: string;
+    body?: Record<string, unknown>;
+    query?: Record<string, unknown>;
+  };
+
+  const expectNothingChanged = (
+    ctx: Context & IRouterParamContext,
+    { authorization, body, query }: Values = {},
+    calledCount = 0
+  ) => {
+    expect(ctx.headers.authorization).toBe(authorization);
+    expect(ctx.request.body).toStrictEqual(body);
+    expect(ctx.query).toStrictEqual(query);
+    expect(findByCredentials).toHaveBeenCalledTimes(calledCount);
+  };
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should do nothing if no credentials are found', async () => {
+    const ctx = createContextWithRouteParameters();
+    await koaAppSecretTranspilation(queries)(ctx, next);
+    expectNothingChanged(ctx);
+  });
+
+  it('should do nothing if Authorization header is not valid', async () => {
+    const ctx = createContextWithRouteParameters();
+
+    for (const authorization of [
+      'Bearer',
+      'Bearer invalid',
+      'Basic invalid',
+      `Basic ${Buffer.from('\u0019:1').toString('base64')}`,
+    ]) {
+      ctx.headers.authorization = authorization;
+      // eslint-disable-next-line no-await-in-loop
+      await koaAppSecretTranspilation(queries)(ctx, next);
+      expectNothingChanged(ctx, { authorization });
+    }
+  });
+
+  it('should do nothing if params are not valid', async () => {
+    const ctx = createContextWithRouteParameters();
+
+    ctx.method = 'POST';
+    for (const body of [
+      {},
+      { client_id: 1 },
+      { client_secret: 1 },
+      { client_id: '1', client_secret: 1 },
+    ]) {
+      ctx.request.body = body;
+      // eslint-disable-next-line no-await-in-loop
+      await koaAppSecretTranspilation(queries)(ctx, next);
+      expectNothingChanged(ctx, { body });
+    }
+
+    ctx.method = 'GET';
+    for (const query of [
+      {},
+      { client_id: 1 },
+      { client_secret: 1 },
+      { client_id: '1', client_secret: 1 },
+    ]) {
+      ctx.request.body = undefined;
+      // @ts-expect-error
+      ctx.query = query;
+      // eslint-disable-next-line no-await-in-loop
+      await koaAppSecretTranspilation(queries)(ctx, next);
+      expectNothingChanged(ctx, { query });
+    }
+  });
+
+  it('should do nothing if client credentials have the wrong combination', async () => {
+    const ctx = createContextWithRouteParameters();
+
+    for (const [authorization, body] of [
+      ['Basic ' + Buffer.from('1:').toString('base64'), { client_id: '2', client_secret: '1' }],
+      ['Basic ' + Buffer.from('1:1').toString('base64'), { client_id: '1', client_secret: '1' }],
+    ] as const) {
+      ctx.headers.authorization = authorization;
+      ctx.method = 'POST';
+      ctx.request.body = body;
+      // eslint-disable-next-line no-await-in-loop
+      await koaAppSecretTranspilation(queries)(ctx, next);
+      expectNothingChanged(ctx, { authorization, body });
+    }
+  });
+
+  it('should do nothing if client credentials cannot be found', async () => {
+    const ctx = createContextWithRouteParameters();
+    const authorization = 'Basic ' + Buffer.from('1:1').toString('base64');
+    ctx.headers.authorization = authorization;
+    await koaAppSecretTranspilation(queries)(ctx, next);
+    expectNothingChanged(ctx, { authorization }, 1);
+  });
+
+  it('should throw an error if client credentials are expired', async () => {
+    const ctx = createContextWithRouteParameters();
+    const authorization = 'Basic ' + Buffer.from('1:1').toString('base64');
+    ctx.headers.authorization = authorization;
+    findByCredentials.mockResolvedValueOnce({ expiresAt: new Date(Date.now() - 1000) });
+    await expect(koaAppSecretTranspilation(queries)(ctx, next)).rejects.toThrowError(
+      'invalid_request'
+    );
+    expectNothingChanged(ctx, { authorization }, 1);
+  });
+
+  it('should rewrite the client secret in the header', async () => {
+    const ctx = createContextWithRouteParameters();
+    const authorization = 'Basic ' + Buffer.from('1:1').toString('base64');
+    ctx.headers.authorization = authorization;
+    findByCredentials.mockResolvedValueOnce({ originalSecret: '2' });
+    await koaAppSecretTranspilation(queries)(ctx, next);
+    expect(ctx.headers.authorization).toBe('Basic ' + Buffer.from('1:2').toString('base64'));
+  });
+
+  it('should rewrite the client secret in the body', async () => {
+    const ctx = createContextWithRouteParameters();
+    const body = { client_id: '1', client_secret: '1' };
+    ctx.method = 'POST';
+    ctx.request.body = body;
+    findByCredentials.mockResolvedValueOnce({ originalSecret: '2' });
+    await koaAppSecretTranspilation(queries)(ctx, next);
+    expect(ctx.request.body.client_secret).toBe('2');
+  });
+
+  it('should rewrite the client secret in the query', async () => {
+    const ctx = createContextWithRouteParameters();
+    const query = { client_id: '1', client_secret: '1' };
+    ctx.method = 'GET';
+    ctx.query = query;
+    findByCredentials.mockResolvedValueOnce({ originalSecret: '2' });
+    await koaAppSecretTranspilation(queries)(ctx, next);
+    expect(ctx.query.client_secret).toBe('2');
+  });
+});
@@ -0,0 +1,132 @@
+import type { Nullable } from '@silverhand/essentials';
+import type { MiddlewareType } from 'koa';
+import { errors } from 'oidc-provider';
+
+import type Queries from '#src/tenants/Queries.js';
+
+const noVSCHAR = /[^\u0020-\u007E]/;
+
+function decodeAuthToken(token: string) {
+  const authToken = decodeURIComponent(token.replaceAll('+', '%20'));
+  if (noVSCHAR.test(authToken)) {
+    return;
+  }
+  return authToken;
+}
+
+/** @import { getConstantClientMetadata } from '#src/oidc/utils.js'; */
+/**
+ * Create a middleware function that reads the app secret from the request and check if it matches
+ * the app secret in the `application_secrets` table. If it matches, the secret will be transpiled
+ * to the one in the `applications` table in order to be recognized by `oidc-provider`.
+ *
+ * If the app secret is not found in the `application_secrets` table, the middleware will keep
+ * everything as is and let the `oidc-provider` handle it.
+ *
+ * @remarks
+ * We have to transpile the app secret because the `oidc-provider` only accepts one secret per
+ * client.
+ *
+ * @remarks
+ * The way to read the app secret from the request is duplicated from the original `oidc-provider`
+ * implementation as the client should not be aware of this process. If we change the way to
+ * authenticate the client in the future, we should update this middleware accordingly.
+ *
+ * @see {@link getConstantClientMetadata} for client authentication method based on application
+ * type.
+ * @see {@link https://github.com/panva/node-oidc-provider/blob/v8.4.6/lib/shared/token_auth.js#L74 | oidc-provider} for
+ * the original implementation.
+ */
+export default function koaAppSecretTranspilation<StateT, ContextT, ResponseBodyT>(
+  queries: Queries
+): MiddlewareType<StateT, ContextT, Nullable<ResponseBodyT>> {
+  return async (ctx, next) => {
+    type ClientCredentials = Partial<{
+      clientId: string;
+      clientSecret: string;
+    }>;
+    const getCredentialsFromHeader = (): ClientCredentials => {
+      const parts = ctx.headers.authorization?.split(' ');
+
+      if (parts?.length !== 2 || parts[0]?.toLowerCase() !== 'basic' || !parts[1]) {
+        return {};
+      }
+
+      const [part0, part1] = Buffer.from(parts[1], 'base64').toString().split(':');
+
+      return {
+        clientId: part0 && decodeAuthToken(part0),
+        clientSecret: part1 && decodeAuthToken(part1),
+      };
+    };
+
+    const getCredentialsFromParams = (): ClientCredentials => {
+      const params: unknown = ctx.method === 'POST' ? ctx.request.body : ctx.query;
+
+      if (typeof params !== 'object' || params === null) {
+        return {};
+      }
+
+      const clientId =
+        'client_id' in params && typeof params.client_id === 'string'
+          ? params.client_id
+          : undefined;
+      const clientSecret =
+        'client_secret' in params && typeof params.client_secret === 'string'
+          ? params.client_secret
+          : undefined;
+      return { clientId, clientSecret };
+    };
+
+    const getCredentials = (
+      header: ClientCredentials,
+      params: ClientCredentials
+    ): ClientCredentials => {
+      if (header.clientId && params.clientId && header.clientId !== params.clientId) {
+        return {};
+      }
+
+      // Only authorization header is allowed to be used for client authentication if the client ID
+      // is provided in the header.
+      if (header.clientId && (!header.clientSecret || params.clientSecret)) {
+        return {};
+      }
+
+      const clientId = header.clientId ?? params.clientId;
+      const clientSecret = header.clientSecret ?? params.clientSecret;
+
+      return { clientId, clientSecret };
+    };
+
+    const header = getCredentialsFromHeader();
+    const params = getCredentialsFromParams();
+    const { clientId, clientSecret } = getCredentials(header, params);
+    if (!clientId || !clientSecret) {
+      return next();
+    }
+
+    const result = await queries.applicationSecrets.findByCredentials(clientId, clientSecret);
+
+    // Fall back to the original client secret logic to provide backward compatibility.
+    if (!result) {
+      return next();
+    }
+
+    if (result.expiresAt && result.expiresAt < Date.now()) {
+      throw new errors.InvalidRequest('client secret has expired');
+    }
+
+    // All checks passed. Rewrite the client secret to the one in the `applications` table.
+    if (header.clientSecret) {
+      ctx.headers.authorization = `Basic ${Buffer.from(
+        `${clientId}:${result.originalSecret}`
+      ).toString('base64')}`;
+    } else if (ctx.method === 'POST') {
+      ctx.request.body.client_secret = result.originalSecret;
+    } else {
+      ctx.query.client_secret = result.originalSecret;
+    }
+
+    return next();
+  };
+}
@@ -90,17 +90,10 @@ export default function koaOidcErrorHandler<StateT, ContextT>(): Middleware<Stat
         throw error;
       }
 
-      // Report oidc exceptions to ApplicationInsights
-      void appInsights.trackException(error, buildAppInsightsTelemetry(ctx));
-
       // Mimic oidc-provider's error handling, thus we can use the unified logic below.
       // See https://github.com/panva/node-oidc-provider/blob/37d0a6cfb3c618141a44cbb904ce45659438f821/lib/shared/error_handler.js
       ctx.status = error.statusCode || 500;
       ctx.body = errorOut(error);
-
-      if (!EnvSet.values.isUnitTest && (!EnvSet.values.isProduction || ctx.status >= 500)) {
-        getConsoleLogFromContext(ctx).error(error);
-      }
     }
 
     // This is the only way we can check if the error is handled by the oidc-provider, because
@@ -115,6 +108,7 @@ export default function koaOidcErrorHandler<StateT, ContextT>(): Middleware<Stat
 
       if (parsed.success) {
         const { data } = parsed;
+
         const code = isSessionNotFound(data.error_description)
           ? 'session.not_found'
           : `oidc.${data.error}`;
@@ -126,6 +120,12 @@ export default function koaOidcErrorHandler<StateT, ContextT>(): Middleware<Stat
           error_uri: uri,
           ...ctx.body,
         };
+
+        if (!EnvSet.values.isUnitTest && (!EnvSet.values.isProduction || ctx.status >= 500)) {
+          getConsoleLogFromContext(ctx).error(ctx.body);
+        }
+
+        void appInsights.trackException(ctx.body, buildAppInsightsTelemetry(ctx));
       }
     }
   };
 
@@ -5,6 +5,7 @@ import {
   InvalidInputError,
   CheckIntegrityConstraintViolationError,
   UniqueIntegrityConstraintViolationError,
+  ForeignKeyIntegrityConstraintViolationError,
 } from '@silverhand/slonik';
 import type { Middleware } from 'koa';
 
@@ -42,6 +43,13 @@ export default function koaSlonikErrorHandler<StateT, ContextT>(): Middleware<St
             status: 422,
           });
         }
+
+        if (error.constraint === 'application_secrets_pkey') {
+          throw new RequestError({
+            code: 'application.secret_name_exists',
+            status: 422,
+          });
+        }
       }
 
       if (error instanceof CheckIntegrityConstraintViolationError) {
@@ -51,6 +59,13 @@ export default function koaSlonikErrorHandler<StateT, ContextT>(): Middleware<St
         });
       }
 
+      if (error instanceof ForeignKeyIntegrityConstraintViolationError) {
+        throw new RequestError({
+          code: 'entity.relation_foreign_key_not_found',
+          status: 404,
+        });
+      }
+
       if (error instanceof InsertionError) {
         throw new RequestError({
           code: 'entity.create_failed',