195 lines
5.1 KiB
JavaScript
195 lines
5.1 KiB
JavaScript
// azure.js
|
|
import http from "node:http";
|
|
import { URL } from "node:url";
|
|
import open, { apps } from "open";
|
|
import crypto from "node:crypto";
|
|
import fs from "node:fs";
|
|
import path from "node:path";
|
|
import os from "node:os";
|
|
import {
|
|
PublicClientApplication,
|
|
ConfidentialClientApplication,
|
|
} from "@azure/msal-node";
|
|
import {
|
|
DefaultAzureCredential,
|
|
ClientSecretCredential,
|
|
DeviceCodeCredential,
|
|
} from "@azure/identity";
|
|
|
|
export async function getCredential(credentialType, options) {
|
|
switch (credentialType) {
|
|
case "d":
|
|
case "default":
|
|
return new DefaultAzureCredential();
|
|
case "cs":
|
|
case "clientSecret":
|
|
if (!options.tenantId || !options.clientId || !options.clientSecret) {
|
|
throw new Error(
|
|
"tenantId, clientId, and clientSecret are required for ClientSecretCredential",
|
|
);
|
|
}
|
|
return new ClientSecretCredential(
|
|
options.tenantId,
|
|
options.clientId,
|
|
options.clientSecret,
|
|
);
|
|
case "dc":
|
|
case "deviceCode":
|
|
if (!options.tenantId || !options.clientId) {
|
|
throw new Error(
|
|
"tenantId and clientId are required for DeviceCodeCredential",
|
|
);
|
|
}
|
|
return new DeviceCodeCredential({
|
|
tenantId: options.tenantId,
|
|
clientId: options.clientId,
|
|
userPromptCallback: (info) => {
|
|
console.log(info.message);
|
|
},
|
|
});
|
|
default:
|
|
throw new Error(`Unsupported credential type: ${credentialType}`);
|
|
}
|
|
}
|
|
|
|
function fileCachePlugin(cachePath) {
|
|
return {
|
|
beforeCacheAccess: async (ctx) => {
|
|
if (fs.existsSync(cachePath)) {
|
|
ctx.tokenCache.deserialize(fs.readFileSync(cachePath, "utf8"));
|
|
}
|
|
},
|
|
afterCacheAccess: async (ctx) => {
|
|
if (ctx.cacheHasChanged) {
|
|
fs.mkdirSync(path.dirname(cachePath), { recursive: true });
|
|
fs.writeFileSync(cachePath, ctx.tokenCache.serialize());
|
|
}
|
|
},
|
|
};
|
|
}
|
|
|
|
function generatePkce() {
|
|
const verifier = crypto.randomBytes(32).toString("base64url"); // 43 chars, valid
|
|
const challenge = crypto
|
|
.createHash("sha256")
|
|
.update(verifier)
|
|
.digest("base64url");
|
|
|
|
return { verifier, challenge, challengeMethod: "S256" };
|
|
}
|
|
|
|
export async function loginInteractive({ appName, tenantId, clientId, scopes }) {
|
|
if (!tenantId) throw new Error("tenantId is required");
|
|
if (!clientId) throw new Error("clientId is required");
|
|
if (!Array.isArray(scopes) || scopes.length === 0)
|
|
throw new Error("scopes[] is required");
|
|
|
|
// Make app name lowercase with all non-alphanumeric characters removed
|
|
// spaces replaced with dashes and all letters converted to lowercase
|
|
const sanitizedAppName = (appName || "Azure Node Login")
|
|
.toLowerCase()
|
|
.replace(/[^a-z0-9]+/g, "-");
|
|
|
|
const cachePath = path.join(
|
|
os.homedir(),
|
|
`.config/${sanitizedAppName}`,
|
|
`${clientId}-token-cache.json`,
|
|
);
|
|
|
|
const pca = new PublicClientApplication({
|
|
auth: {
|
|
clientId,
|
|
authority: `https://login.microsoftonline.com/${tenantId}`,
|
|
},
|
|
cache: {
|
|
cachePlugin: fileCachePlugin(cachePath),
|
|
},
|
|
});
|
|
|
|
const accounts = await pca.getTokenCache().getAllAccounts();
|
|
|
|
if (accounts.length > 0) {
|
|
try {
|
|
const silentResult = await pca.acquireTokenSilent({
|
|
account: accounts[0],
|
|
scopes,
|
|
});
|
|
return silentResult;
|
|
} catch (e) {
|
|
// proceed to interactive login
|
|
}
|
|
}
|
|
|
|
const pkce = generatePkce();
|
|
|
|
return new Promise((resolve, reject) => {
|
|
let redirectUri;
|
|
|
|
const server = http.createServer(async (req, res) => {
|
|
try {
|
|
const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
|
|
|
|
if (url.pathname !== "/callback") {
|
|
res.writeHead(404).end();
|
|
return;
|
|
}
|
|
|
|
const code = url.searchParams.get("code");
|
|
if (!code) {
|
|
res.writeHead(400).end("Missing authorization code");
|
|
server.close();
|
|
reject(new Error("Missing authorization code"));
|
|
return;
|
|
}
|
|
|
|
res.end("Authentication complete. You may close this tab.");
|
|
server.close();
|
|
|
|
const token = await pca.acquireTokenByCode({
|
|
code,
|
|
scopes,
|
|
redirectUri,
|
|
codeVerifier: pkce.verifier,
|
|
});
|
|
|
|
resolve(token);
|
|
} catch (e) {
|
|
try {
|
|
server.close();
|
|
} catch {}
|
|
reject(e);
|
|
}
|
|
});
|
|
|
|
server.listen(0, "127.0.0.1", async () => {
|
|
try {
|
|
const { port } = server.address();
|
|
redirectUri = `http://localhost:${port}/callback`;
|
|
console.log("Using redirectUri:", redirectUri);
|
|
|
|
const authUrl = await pca.getAuthCodeUrl({
|
|
scopes,
|
|
redirectUri,
|
|
codeChallenge: pkce.challenge,
|
|
codeChallengeMethod: pkce.challengeMethod,
|
|
});
|
|
|
|
try {
|
|
await open(authUrl, {
|
|
wait: false,
|
|
app: {
|
|
name: apps.edge, // Enforce using Microsoft Edge browser
|
|
},
|
|
});
|
|
} catch {}
|
|
console.log("Visit:\n" + authUrl);
|
|
} catch (e) {
|
|
try {
|
|
server.close();
|
|
} catch {}
|
|
reject(e);
|
|
}
|
|
});
|
|
});
|
|
}
|