update wrapper

Author: derisen

Common/msal-node-wrapper/src/config/ConfigurationHelper.ts

@@ -19,6 +19,7 @@ export class ConfigurationHelper {
         return {
             auth: {
                 ...authConfig.auth,
+                authority: authConfig.auth?.authority ? authConfig.auth.authority : "https://login.microsoftonline.com/common",
             },
             system: {
                 ...authConfig.system,

Common/msal-node-wrapper/src/error/AccessDeniedError.ts

@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+import { AuthError, AccountInfo } from "@azure/msal-node";
+
+/**
+ * Contains string constants used by error codes and messages.
+ */
+export const AccessDeniedErrorMessage = {
+    unauthorizedAccessError: {
+        code: "401",
+        desc: "Unauthorized"
+    },
+    forbiddenAccessError: {
+        code: "403",
+        desc: "Forbidden"
+    }
+};
+
+/**
+ * Error thrown when the user is not authorized to access a route
+ */
+export class AccessDeniedError extends AuthError {
+    route?: string;
+    account?: AccountInfo;
+
+    constructor(errorCode: string, errorMessage?: string, route?: string, account?: AccountInfo) {
+        super(errorCode, errorMessage);
+        this.name = "AccessDeniedError";
+        this.route = route;
+        this.account = account;
+        
+        Object.setPrototypeOf(this, AccessDeniedError.prototype);
+    }
+
+    /**
+     * Creates an error when access is unauthorized
+     *
+     * @returns {AccessDeniedError} Empty issuer error
+     */
+    static createUnauthorizedAccessError(route?: string, account?: AccountInfo): AccessDeniedError {
+        return new AccessDeniedError(
+            AccessDeniedErrorMessage.unauthorizedAccessError.code,
+            AccessDeniedErrorMessage.unauthorizedAccessError.desc,
+            route,
+            account
+        );
+    }
+
+    /**
+     * Creates an error when the access is forbidden
+     *
+     * @returns {AccessDeniedError} Empty issuer error
+     */
+    static createForbiddenAccessError(route?: string, account?: AccountInfo): AccessDeniedError {
+        return new AccessDeniedError(
+            AccessDeniedErrorMessage.forbiddenAccessError.code,
+            AccessDeniedErrorMessage.forbiddenAccessError.desc,
+            route,
+            account
+        );
+    }
+}

Common/msal-node-wrapper/src/error/InteractionRequiredError.ts

@@ -7,7 +7,7 @@ import { InteractionRequiredAuthError } from "@azure/msal-node";
 import { LoginOptions, TokenRequestOptions } from "../middleware/MiddlewareOptions";
 
 /**
- * Token Validation library error class thrown for configuration errors
+ * Error thrown when user interaction is required.
  */
 export class InteractionRequiredError extends InteractionRequiredAuthError {
     requestOptions: LoginOptions;

Common/msal-node-wrapper/src/middleware/context/AuthContext.ts

@@ -67,8 +67,8 @@ export class AuthContext {
      * Returns the current user account from session
      * @returns {AccountInfo} account object
      */
-    getAccount(): AccountInfo {
-        return this.context.req.session.account!; // eslint-disable-line @typescript-eslint/no-non-null-assertion
+    getAccount(): AccountInfo | undefined {
+        return this.context.req.session.account || undefined; // eslint-disable-line @typescript-eslint/no-non-null-assertion
     }
 
     /**

Common/msal-node-wrapper/src/middleware/guardMiddleware.ts

@@ -6,6 +6,7 @@
 import { Request, Response, NextFunction, RequestHandler } from "express";
 import { WebAppAuthProvider } from "../provider/WebAppAuthProvider";
 import { RouteGuardOptions } from "./MiddlewareOptions";
+import { AccessDeniedError } from "../error/AccessDeniedError";
 
 function guardMiddleware(
     this: WebAppAuthProvider,
@@ -20,7 +21,7 @@ function guardMiddleware(
                 })(req, res, next);
             }
 
-            return res.status(401).send("Unauthorized");
+            return next(AccessDeniedError.createUnauthorizedAccessError(req.originalUrl, req.authContext.getAccount()));
         }
 
         if (options.idTokenClaims) {
@@ -53,7 +54,7 @@ function guardMiddleware(
             });
 
             if (!hasClaims) {
-                return res.status(403).send("Forbidden");
+                return next(AccessDeniedError.createForbiddenAccessError(req.originalUrl, req.authContext.getAccount()));
             }
         }
 

Common/msal-node-wrapper/src/middleware/handlers/logoutHandler.ts

@@ -9,47 +9,49 @@ import { LogoutOptions } from "../MiddlewareOptions";
 import { UrlUtils } from "../../utils/UrlUtils";
 
 function logoutHandler(
-    this: WebAppAuthProvider, 
+    this: WebAppAuthProvider,
     options: LogoutOptions
 ): RequestHandler {
     return async (req: Request, res: Response): Promise<void> => {
         this.getLogger().trace("logoutHandler called");
-        
+
         const shouldLogoutFromIdp = options.idpLogout ? options.idpLogout : true;
         let logoutUri = options.postLogoutRedirectUri || "/";
 
-        try {
-            const tokenCache = this.getMsalClient().getTokenCache();
-            const cachedAccount = await tokenCache.getAccountByHomeId(req.authContext.getAccount().homeAccountId);
+        const account = req.authContext.getAccount();
+
+        if (account) {
+            try {
+                const tokenCache = this.getMsalClient().getTokenCache();
+                const cachedAccount = await tokenCache.getAccountByHomeId(account.homeAccountId);
 
-            if (cachedAccount) {
-                await tokenCache.removeAccount(cachedAccount);
+                if (cachedAccount) {
+                    await tokenCache.removeAccount(cachedAccount);
+                }
+            } catch (error) {
+                this.logger.error(`Error occurred while clearing cache for user: ${JSON.stringify(error)}`);
             }
-        } catch (error) {
-            this.logger.error(`Error occurred while clearing cache for user: ${JSON.stringify(error)}`);
         }
 
         if (shouldLogoutFromIdp) {
             /**
              * Construct a logout URI and redirect the user to end the
              * session with Azure AD. For more information, visit:
              * (AAD) https://docs.microsoft.com/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
+             * (B2C) https://docs.microsoft.com/azure/active-directory-b2c/openid-connect#send-a-sign-out-request
              */
 
             const postLogoutRedirectUri = UrlUtils.ensureAbsoluteUrl(
                 options.postLogoutRedirectUri || "/",
                 req.protocol,
                 req.get("host") || req.hostname
             );
-
-            // TODO: need to make use of endSessionRequest options
-
-            // FIXME: need the canonical uri (ending with slash) && esnure absolute url
-            logoutUri = `${this.getMsalConfig().auth.authority}/oauth2/v2.0/logout?post_logout_redirect_uri=${postLogoutRedirectUri}`;
+            
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            logoutUri = `${UrlUtils.enforceTrailingSlash(this.getMsalConfig().auth.authority!)}/oauth2/v2.0/logout?post_logout_redirect_uri=${postLogoutRedirectUri}`;
         }
 
         req.session.destroy(() => {
-            // TODO: remove/expire cookie?
             res.redirect(logoutUri);
         });
     };

Common/msal-node-wrapper/src/network/FetchManager.ts

@@ -30,7 +30,7 @@ export class FetchManager {
      * @param {string} accessToken: Raw access token
      * @returns {Promise<any>}
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/explicit-module-boundary-types
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     static callApiEndpointWithToken = async (endpoint: string, accessToken: string): Promise<any> => {
         if (StringUtils.isEmpty(accessToken)) {
             throw new Error(ErrorMessages.TOKEN_NOT_FOUND);
@@ -89,7 +89,7 @@ export class FetchManager {
     static handlePagination = async (accessToken: string, nextPage: string, data: string[] = []): Promise<string[]> => {
         try {
             const graphResponse = await (await FetchManager.callApiEndpointWithToken(nextPage, accessToken)).data;
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/explicit-module-boundary-types
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
             graphResponse["value"].map((v: any) => data.push(v.id));
 
             if (graphResponse[AccessControlConstants.PAGINATION_LINK]) {

Common/msal-node-wrapper/src/utils/UrlUtils.ts

@@ -65,11 +65,20 @@ export class UrlUtils {
     };
 
     /**
-     * Ensures that the URL contains a trailing slash at the end
+     * Ensures that the path contains a leading slash at the start
      * @param {string} path: a given path
      * @returns {string}
      */
     static enforceLeadingSlash = (path: string): string => {
         return path.split("")[0] === "/" ? path : "/" + path;
     };
+
+    /**
+     * Ensures that the URL contains a trailing slash at the end
+     * @param {string} url: a given path
+     * @returns {string}
+     */
+    static enforceTrailingSlash = (url: string): string => {
+        return url.endsWith("/") ? url : url + "/";
+    };
 }