Change architecture to avoid build issues #156

Author: vlad-ignatov

src/adapters/BrowserAdapter.ts

@@ -3,6 +3,7 @@ import Client from "../Client";
 import BrowserStorage from "../storage/BrowserStorage";
 import { fhirclient } from "../types";
 import * as security from "../security/browser"
+import { encodeURL, decode, fromUint8Array } from "js-base64"
 
 /**
  * Browser Adapter
@@ -24,6 +25,8 @@ export default class BrowserAdapter implements fhirclient.Adapter
      */
     options: fhirclient.BrowserFHIRSettings;
 
+    security = security;
+
     /**
      * @param options Environment-specific options
      */
@@ -141,6 +144,19 @@ export default class BrowserAdapter implements fhirclient.Adapter
         return window.btoa(str);
     }
 
+    base64urlencode(input: string | Uint8Array)
+    {
+        if (typeof input == "string") {
+            return encodeURL(input)
+        }
+        return fromUint8Array(input, true)
+    }
+
+    base64urldecode(input: string)
+    {
+        return decode(input)
+    }
+
     /**
      * Creates and returns adapter-aware SMART api. Not that while the shape of
      * the returned object is well known, the arguments to this function are not.

src/adapters/NodeAdapter.ts

@@ -5,6 +5,8 @@ import ServerStorage from "../storage/ServerStorage";
 import { AbortController } from "abortcontroller-polyfill/dist/cjs-ponyfill";
 import { IncomingMessage, ServerResponse } from "http";
 import { TLSSocket } from "tls";
+import * as security from "../security/server"
+import { base64url } from "jose"
 
 
 interface NodeAdapterOptions {
@@ -28,6 +30,8 @@ export default class NodeAdapter implements fhirclient.Adapter
      */
     options: NodeAdapterOptions;
 
+    security = security;
+
     /**
      * @param options Environment-specific options
      */
@@ -125,6 +129,16 @@ export default class NodeAdapter implements fhirclient.Adapter
         return global.Buffer.from(str, "base64").toString("ascii");
     }
 
+    base64urlencode(input: string | Uint8Array)
+    {
+        return base64url.encode(input);
+    }
+
+    base64urldecode(input: string)
+    {
+        return base64url.decode(input).toString();
+    }
+
     /**
      * Returns a reference to the AbortController constructor. In browsers,
      * AbortController will always be available as global (native or polyfilled)

src/security/browser.ts

@@ -23,13 +23,6 @@ const ALGS = {
     } as RsaHashedKeyGenParams
 };
 
-export const base64urlencode = (input: string | Uint8Array) => {
-    if (typeof input == "string") {
-        return encodeURL(input)
-    }
-    return fromUint8Array(input, true)
-}
-
 export const base64urldecode = (input: string) => {
     return decode(input)
 }
@@ -46,8 +39,8 @@ export async function digestSha256(payload: string): Promise<Uint8Array> {
 
 export const generatePKCEChallenge = async (entropy = 96): Promise<PkcePair> => {
     const inputBytes    = randomBytes(entropy)
-    const codeVerifier  = base64urlencode(inputBytes)
-    const codeChallenge = base64urlencode(await digestSha256(codeVerifier))
+    const codeVerifier  = fromUint8Array(inputBytes)
+    const codeChallenge = fromUint8Array(await digestSha256(codeVerifier))
     return { codeChallenge, codeVerifier }
 }
 
@@ -87,7 +80,7 @@ export async function signCompactJws(alg: keyof typeof ALGS, privateKey: CryptoK
 
     const jwtHeader  = JSON.stringify({ ...header, alg });
     const jwtPayload = JSON.stringify(payload);
-    const jwtAuthenticatedContent = `${base64urlencode(jwtHeader)}.${base64urlencode(jwtPayload)}`;
+    const jwtAuthenticatedContent = `${encodeURL(jwtHeader)}.${encodeURL(jwtPayload)}`;
 
     const signature = await subtle.sign(
         { ...privateKey.algorithm, hash: 'SHA-384' },

src/security/index.ts

@@ -23,8 +23,6 @@ interface PkcePair {
 
 type SupportedAlg = 'ES384' | 'RS384'
 
-export const base64urlencode = (input: string | Uint8Array) => base64url.encode(input);
-export const base64urldecode = (input: string) => base64url.decode(input).toString();
 
 export { randomBytes }
 
@@ -36,12 +34,12 @@ export async function digestSha256(payload: string) {
 
 export async function generatePKCEChallenge(entropy = 96): Promise<PkcePair> {
     const inputBytes    = randomBytes(entropy)
-    const codeVerifier  = base64urlencode(inputBytes)
-    const codeChallenge = base64urlencode(await digestSha256(codeVerifier))
+    const codeVerifier  = base64url.encode(inputBytes)
+    const codeChallenge = base64url.encode(await digestSha256(codeVerifier))
     return { codeChallenge, codeVerifier }
 }
 
-export async function importJWK(jwk: fhirclient.JWK): Promise<KeyLike> {
+export async function importJWK(jwk: fhirclient.JWK): Promise<CryptoKey> {
     // alg is optional in JWK but we need it here!
     if (!jwk.alg) {
         throw new Error('The "alg" property of the JWK must be set to "ES384" or "RS384"')
@@ -60,7 +58,7 @@ export async function importJWK(jwk: fhirclient.JWK): Promise<KeyLike> {
         throw new Error('The "key_ops" property of the JWK does not contain "sign"')
     }
 
-    return joseImportJWK(jwk) as Promise<KeyLike>
+    return joseImportJWK(jwk) as Promise<CryptoKey>
 }
 
 export async function signCompactJws(alg: SupportedAlg, privateKey: KeyLike, header: any, payload: any): Promise<string> {

src/security/server.ts

@@ -14,7 +14,6 @@ import {
 import Client from "./Client";
 import { SMART_KEY } from "./settings";
 import { fhirclient } from "./types";
-import * as security from "./security/index"
 
 const debug = _debug.extend("oauth2");
 
@@ -327,7 +326,7 @@ export async function authorize(
     }
 
     if (shouldIncludeChallenge(extensions.codeChallengeMethods.includes('S256'), pkceMode)) {
-        let codes = await security.generatePKCEChallenge()
+        let codes = await env.security.generatePKCEChallenge()
         Object.assign(state, codes);
         await storage.set(stateKey, state); // note that the challenge is ALREADY encoded properly  
         redirectParams.push("code_challenge=" + state.codeChallenge);
@@ -675,7 +674,9 @@ export async function buildTokenRequest(
     // Asymmetric auth
     else if (privateKey) {
 
-        const pk = privateKey.key || await security.importJWK(privateKey)
+        const pk = "key" in privateKey ?
+            privateKey.key as CryptoKey:
+            await env.security.importJWK(privateKey as fhirclient.JWK)
 
         if (isBrowser() && pk.extractable) {
             console.warn(
@@ -698,11 +699,11 @@ export async function buildTokenRequest(
             iss: clientId,
             sub: clientId,
             aud: tokenUri,
-            jti: security.base64urlencode(security.randomBytes(32)),
+            jti: env.base64urlencode(env.security.randomBytes(32)),
             exp: getTimeInFuture(120) // two minutes in the future
         };
 
-        const clientAssertion = await security.signCompactJws(privateKey.alg, pk, jwtHeaders, jwtClaims);
+        const clientAssertion = await env.security.signCompactJws(privateKey.alg, pk, jwtHeaders, jwtClaims);
         requestOptions.body += `&client_assertion_type=${encodeURIComponent("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")}`;
         requestOptions.body += `&client_assertion=${encodeURIComponent(clientAssertion)}`;
         debug("Using state.clientPrivateJwk to add a client_assertion to the POST body")

src/smart.ts

@@ -159,6 +159,16 @@ declare namespace fhirclient {
          * ASCII string to Base64
          */
         atob(str: string): string;
+        
+        /**
+         * ASCII string or Uint8Array to Base64URL
+         */
+        base64urlencode: (input: string | Uint8Array) => string
+
+        /**
+         * Base64Url to ASCII string
+         */
+        base64urldecode: (input: string) => string
 
         /**
          * Returns a reference to the AbortController class
@@ -173,6 +183,14 @@ declare namespace fhirclient {
          * optionally a storage or storage factory function.
          */
         getSmartApi(): SMART;
+
+        security: {
+            randomBytes: (count: number) => Uint8Array
+            digestSha256: (payload: string) => Promise<Uint8Array>
+            generatePKCEChallenge: (entropy?: number) => Promise<{ codeChallenge: string; codeVerifier: string }>
+            importJWK: (jwk: JWK) => Promise<CryptoKey>
+            signCompactJws: (alg: "ES384" | "RS384", privateKey: CryptoKey, header: any, payload: any) => Promise<string>
+        }
     }
 
     /**

src/types.d.ts

@@ -224,7 +224,7 @@ describe("Browser tests", () => {
           expect(client.getEncounterId()).to.equal("e3ec2d15-4c27-4607-a45c-2f84962b0700");
           expect(client.getUserId()).to.equal("smart-Practitioner-71482713");
           expect(client.getUserType()).to.equal("Practitioner");
-      });
+        });
 
         it ("code flow with fullSessionStorageSupport = false", async () => {
 
@@ -1874,4 +1874,28 @@ describe("Browser tests", () => {
             });
         });
     });
+
+    // describe("BrowserAdapter", () => {
+
+    //     it ("base64urlencode a string", () => {
+    //         // @ts-ignore
+    //         const env = new Adapter({})
+    //         const input = "This is a test"
+    //         expect(env.base64urlencode(input)).to.equal(Buffer.from(input).toString("base64url"))
+    //     })
+    
+    //     it ("base64urlencode an Uint8Array", () => {
+    //         // @ts-ignore
+    //         const env = new Adapter({})
+    //         const input = "This is a test"
+    //         expect(env.base64urlencode(new TextEncoder().encode(input))).to.equal(Buffer.from(input).toString("base64url"))
+    //     })
+    
+    //     it ("base64urldecode", () => {
+    //         // @ts-ignore
+    //         const env = new Adapter({})
+    //         const input = Buffer.from("test").toString("base64url")
+    //         expect(env.base64urldecode(input)).to.equal("test")
+    //     })
+    // })
 });

test/browser.test.ts

@@ -3,12 +3,16 @@ const EventEmitter = require("events");
 import BrowserStorage      from "../../src/storage/BrowserStorage";
 import { fhirclient }      from "../../src/types";
 import { AbortController } from "abortcontroller-polyfill/dist/cjs-ponyfill";
+import * as security       from "../../src/security/server"
+import { base64url }       from "jose"
 
 
 export default class BrowserEnvironment extends EventEmitter implements fhirclient.Adapter
 {
     options: any;
 
+    security = security;
+
     constructor(options = {})
     {
         super();
@@ -64,6 +68,16 @@ export default class BrowserEnvironment extends EventEmitter implements fhirclie
         return Buffer.from(str, "base64").toString("ascii");
     }
 
+    base64urlencode(input: string | Uint8Array)
+    {
+        return base64url.encode(input);
+    }
+
+    base64urldecode(input: string)
+    {
+        return base64url.decode(input).toString();
+    }
+
     getAbortController()
     {
         return AbortController as any;

test/mocks/BrowserEnvironment.ts

@@ -1,6 +1,8 @@
 import { AbortController as AbortControllerPonyfill } from "abortcontroller-polyfill/dist/cjs-ponyfill";
 import ServerStorage       from "../../src/storage/ServerStorage";
 import { fhirclient }      from "../../src/types";
+import * as security       from "../../src/security/server"
+import { base64url }       from "jose"
 
 const AbortController = global.AbortController || AbortControllerPonyfill
 
@@ -14,6 +16,8 @@ export default class ServerEnvironment implements fhirclient.Adapter
 
     options: fhirclient.JsonObject;
 
+    security = security;
+
     constructor(request?: any, response?: any, storage?: any)
     {
         this.request  = request;
@@ -79,6 +83,16 @@ export default class ServerEnvironment implements fhirclient.Adapter
         return Buffer.from(str, "base64").toString("ascii");
     }
 
+    base64urlencode(input: string | Uint8Array)
+    {
+        return base64url.encode(input);
+    }
+
+    base64urldecode(input: string)
+    {
+        return base64url.decode(input).toString();
+    }
+
     getAbortController()
     {
         return AbortController;