UNPKG

@axway/axway-flow-authorization/src/credentialmanager.js

Version:

14 kBJavaScriptView Raw

1const fs = require('fs');
2const path = require('path');
3const { promisify } = require('util');
4const handlers = require('./handlers');
5const { status, States } = require('./status');
6
7const readFileAsync = promisify(fs.readFile);
8const statAsync = promisify(fs.stat);
9
10const REFRESH_POLICY_BEFOREEXPIRY = 'beforeexpiry';
11const REFRESH_POLICY_ONEXPIRY = 'onexpiry';
12const REFRESH_POLICY_PERIODIC = 'periodic';
13const DEFAULT_BEFOREEXPIRY_SECONDS = 60;
14const DEFAULT_PERIODIC_SECONDS = 3600;
15
16const RETRY_INTERVAL = 15000;
17
18// Asynchronously load the authorization templates
19const authTemplates = {};
20Object.keys(handlers).forEach(handler => {
authTemplates[`${handler}Callback`] = loadTemplate(`${handler}Callback`, '');
authTemplates[`${handler}Error`] = loadTemplate(`${handler}Error`, '');
23});
24
25/**
* Load the authorization templates required by the middleware.
* @param {string} template The name of the template file to load.
* @param {string} defText The default if the file does not exist.
* @return {Promise} A promise that resolves with the template content.
*/
31function loadTemplate(template, defText) {
const templatePath = path.join(__dirname, 'template', `${template}.html`);
return statAsync(templatePath)
.then(() => readFileAsync(templatePath))
.then((buf) => buf.toString())
.catch(() => Promise.resolve(defText));
37}
38
39/**
* @module axway-flow-authorization
*/
42/**
43* Singleton wrapper.
44* @private
45*/
46class Singleton {
static declare(key, Clazz) {
const globalSymbols = Object.getOwnPropertySymbols(global);
const symbol = Symbol.for(key);
const exists = (globalSymbols.indexOf(symbol) > -1);
// no dupes
/* istanbul ignore else */
if (!exists) {
	global[symbol] = new Clazz();
}
Object.defineProperty(Clazz, 'instance', {
	get: () => {
		return global[symbol];
	}
});
Object.freeze(Clazz);
}
63
static get(key) {
const globalSymbols = Object.getOwnPropertySymbols(global);
const symbol = Symbol.for(key);
const exists = (globalSymbols.indexOf(symbol) > -1);
68
if (!exists) {
	throw new Error(`failed to find singleton: ${key}`);
}
return global[symbol];
}
74}
75
76/**
77* The credential manager service.
78* Manages credentials and attempts to keep them evergreen.
79*
80* Shape of an OAuth2 credential:
81* onedrive: {
82*	access_token: <currentaccess token>,
83*	type: 'oauth2',
84*	token_url: <token url>,
85*	client_id: <client id>,
86*	client_secret: <client secret>,
87*	redirect_uri: <redirect uri>,
88*	refresh_token: <refresh token>
89* }
90*
91* Shape of apikey/unmanaged auth:
92* myservice: 'mykey'
93*
94* Shape of basic auth:
95* myservice: {
96*   username: 'username',
97*   password: 'password'
98* }
99*
100* @public
101* @class
102*/
103class CredentialManager {
/**
* Constructs a CredentialManager.  The instance is a singleton.
* @private
*/
constructor() {
this.credentials = {};
this.scheduler = {};
this.middleware = this.middleware.bind(this);
}
113
/**
* Set the logger.
* @param {object} logger The logger.
* @public
*/
setLogger(logger) {
this.logger = logger;
}
122
/**
* Return the managed credential config.
* @param {string} name The credential name to get.
* @returns {Obejct} The managed credential config.
* @public
*/
getCredentialConfig(name) {
if (!this.credentials.hasOwnProperty(name)) {
	return;
}
return JSON.parse(JSON.stringify(this.credentials[name]));
}
135
/**
* Return all the managed credential configs.
* @returns {Array} A list of the managed credential configs.
* @public
*/
getCredentialConfigs() {
return Object.keys(this.credentials)
	.map(name => this.getCredentialConfig(name))
	.reduce((credConfigs, credConfig) => {
		credConfigs[credConfig.name] = credConfig;
		return credConfigs;
	}, {});
}
149
/**
* Returns the named credential.
* @param {string} name The name of the credential to retrieve.
* @returns {*} The named credential or null if no credential exists.
* @public
*/
getCredential(name) {
const cred = this.credentials.hasOwnProperty(name) && this.credentials[name];
if (cred && ((!cred.expiry) || cred.expiry >= Date.now())) {
	if (cred.type && handlers[cred.type] && handlers[cred.type].token) {
		return handlers[cred.type].token(cred);
	} else {
		// Untyped bare token
		return cred.token;
	}
}
// Credential not found/expired
return null;
}
169
/**
* Remove all managed credentials and stop all schedules.
* @public
*/
clear() {
Object.values(this.scheduler).forEach((timeout) => {
	timeout.expiry && clearTimeout(timeout.expiry);
	timeout.refresh && clearTimeout(timeout.refresh);
});
this.scheduler = {};
this.credentials = {};
}
182
/**
* Initialize the config for the service. If the config contains a `credentials` section
* those credentials will be added to the CredentialManager.
*
* @param {object} config The credential manager config.
* @param {object|string} config.credentials The credential to managa.
* @public
*/
set config(config) {
const { credentials, ...options } = config;
this.options = options || {};
this.clear();
Object.entries(credentials || {}).forEach(([ name, credential ]) => {
	if (typeof credential === 'string') {
		credential = {
			name,
			token: credential
		};
	} else if (typeof credential === 'object') {
		credential = JSON.parse(JSON.stringify(credential));
		credential.name = name;
	} else {
		this.logger && this.logger
			.error(`Credential ${name} is not a supported type ${typeof credential}`);
		credential = null;
	}
	credential && this.addCredential(credential);
});
}
212
/**
* Add a credential to be managed.
* @param {object} credential The credential to manage.
* @param {string} credential.name The name of the credential.
* @param {long} credential.expiry The expiration time of the current credential.
* @param {string} credential.type The type of the credential.
* @param {*} credential.token The current credential value (e.g. access token for oauth).
* @param {string} credential.refreshPolicy The refresh policy of the credential.
*
* @public
*/
addCredential(credential) {
this.logger && this.logger.debug(`Adding credential: ${credential.name}`);
credential.status = status.ok(); // Unless proven otherwise.
227
// Allow type specific credential initialization (e.g. allow oauth to
// determine the status of the credential config).
if (handlers[credential.type]) {
	const { initCredential } = handlers[credential.type];
	initCredential && initCredential(this.options, credential);
}
234
// Clear any schedules for the credential if overwriting an existing credential
if (this.scheduler[credential.name]) {
	const { refresh, expiry } = this.scheduler[credential.name];
	expiry && clearTimeout(expiry);
	refresh && clearTimeout(refresh);
}
this.scheduler[credential.name] = {};
this.credentials[credential.name] = credential;
243
// Schedule the status update on credential expiry
this.scheduleExpiry(credential);
246
// Refresh the credential to ensure we have valid credential
this.refresh(credential);
}
250
/**
* Remove the named credential from the store.
* @param {string} name The name of the credential to remove.
*/
removeCredential(name) {
this.logger && this.logger.debug(`Removing credential: ${name}`);
if (this.scheduler && this.scheduler[name]) {
	const { expiry, refresh } = this.scheduler[name];
	expiry && clearTimeout(expiry);
	refresh && clearTimeout(refresh);
}
delete this.scheduler[name];
delete this.credentials[name];
}
265
/**
* Is the credential refreshable.
*
* @param {object} credential The credential to check refreshability on.
* @returns {boolean} true if the credential supports refresh, false otherwise.
* @public
*/
isRefreshableCredential(credential) {
let refreshable = false;
if (credential && credential.type && handlers[credential.type]
		&& handlers[credential.type].refresh && handlers[credential.type].refreshable) {
	refreshable = handlers[credential.type].refreshable(credential);
}
return refreshable;
}
281
/**
* Refresh the credential and schedule the next refresh.
* @param {object} credential The credential to refresh.
* @private
*/
refresh(credential) {
if (!this.isRefreshableCredential(credential)) {
	return;
}
291
this.logger && this.logger.debug(`Credential: ${credential.name} refreshing`);
handlers[credential.type].refresh(credential).then(
	(newCred) => {
		this.credentials[newCred.name] = newCred;
		this.scheduleExpiry(newCred);
297
		if (this.isRefreshableCredential(newCred)) {
			const next = this.scheduleNextRefresh(newCred);
			this.logger && this.logger
				.debug(`Credential: ${newCred.name} refreshed. Next refresh in ${next}ms.`);
		} else {
			this.logger && this.logger.debug(`Credential: ${newCred.name} refreshed.`);
		}
	},
	(err) => {
		if (!this.credentials[credential.name]) {
			// Credential was already removed, so we don't care about any errors
			// and should not try to refresh it again either.
			return;
		}
		// TODO: This probably needs exponential back off and the ability to identify
		// terminal errors.
		credential.status = status(credential.status, {
			action: States.action.refreshError
		});
		const next = this.scheduleNextRefresh(
			this.credentials[credential.name], RETRY_INTERVAL);
		this.logger && this.logger
			.error(`Credential: ${credential.name} refresh failed. Next refresh in ${next}ms. ${err ? (err.message || err) : ''}`);
	}
).catch((err) => {
	this.logger && this.logger
		.error(`Credential: ${credential.name} scheduled refresh failed. ${err.message || err}`);
});
}
327
/**
* Schedule the next refresh of the credential.
*
* @param {object} credential The credential to schedule refresh for.
* @param {number} wait The number of ms to schedule retry in, if not set then
*                      it is calculated from the credential's refresh policy.
* @returns {number} The number of milliseconds until the next refresh.
* @private
*/
scheduleNextRefresh(credential, wait = -1) {
if (wait < 0) {
	if (!credential.refreshPolicy
		|| credential.refreshPolicy === REFRESH_POLICY_BEFOREEXPIRY) {
		if (credential.expiry) {
			// Refresh N seconds before expiry
			const now = Date.now();
			const offset = (credential.refreshOffset
				|| DEFAULT_BEFOREEXPIRY_SECONDS) * 1000;
			wait = ((credential.expiry - offset) || now) - now;
		}
	} else if (credential.refreshPolicy === REFRESH_POLICY_ONEXPIRY) {
		// Refresh on expiry
		if (credential.expiry) {
			const now = Date.now();
			wait = (credential.expiry || now) - now;
		}
	} else if (credential.refreshPolicy === REFRESH_POLICY_PERIODIC) {
		// Refresh every N seconds
		wait = (credential.refreshPeriod || DEFAULT_PERIODIC_SECONDS) * 1000;
	} else {
		// Unknown policy
		throw new Error(`Invalid refresh policy: ${credential.refreshPolicy}`);
	}
}
362
// Cleanup any pending schedules.
this.scheduler[credential.name].refresh
	&& clearTimeout(this.scheduler[credential.name].refresh);
this.scheduler[credential.name].refresh = null;
367
// Schedule the next refresh
if (wait >= 0) {
	this.scheduler[credential.name].refresh = setTimeout(() => {
		this.scheduler[credential.name].refresh = null;
		this.refresh(credential);
	}, wait);
	this.scheduler[credential.name].refresh.unref();
}
376
return wait;
}
379
/**
* Actively update the status when the credential expires.
*
* @param {object} credential The credential to monitor expiry on.
*/
scheduleExpiry(credential) {
this.scheduler[credential.name].expiry
	&& clearTimeout(this.scheduler[credential.name].expiry);
if (credential.expiry) {
	this.scheduler[credential.name].expiry = setTimeout(() => {
		const newstatus = {
			credential: States.credential.expired
		};
		if (this.isRefreshableCredential(credential)
			&& credential.status
			&& credential.status.action === States.action.none) {
			newstatus.action = States.action.needsRefresh;
		}
		credential.status = status(credential.status, newstatus);
	}, credential.expiry - Date.now());
400
	this.scheduler[credential.name].expiry.unref();
} else {
	this.scheduler[credential.name].expiry = null;
}
}
406
/**
* Middleware to handle credential callbacks exposed by credential manager.
*
* @param {object} req The request.
* @param {object} res The response.
* @returns {object} Middleware response.
*/
async middleware(req, res) {
const name = req.query.state;
416
if (!this.credentials.hasOwnProperty(name)
		|| !this.credentials[name].type
		|| !handlers[this.credentials[name].type].authorize) {
	return res.status(404).send();
}
422
try {
	const credential = this.credentials[name];
	const newCred = await handlers[credential.type].authorize(credential, { ...req.query });
	this.credentials[newCred.name] = newCred;
	this.scheduleExpiry(newCred);
	if (this.isRefreshableCredential(newCred)) {
		const next = this.scheduleNextRefresh(newCred);
		this.logger && this.logger
			.debug(`Credential: ${newCred.name} acquired. Next refresh in ${next}ms.`);
	} else {
		this.logger && this.logger
			.debug(`Credential: ${newCred.name} acquired.`);
	}
436
	const respText = await authTemplates[`${credential.type}Callback`];
	res.status(200)
		.set('Content-Type', 'text/html')
		.send(respText);
} catch (ex) {
	this.credentials[name].status = status(this.credentials[name].status, {
		action: States.action.authError
	});
	this.logger && this.logger.error(ex);
	const respText = await authTemplates[`${this.credentials[name].type}Error`];
	res.status(401)
		.set('Content-Type', 'text/html')
		.send(respText);
}
}
452}
453
454Singleton.declare('axway-flow-authorization-credential-manager', CredentialManager);
455
456exports = module.exports = Singleton.get('axway-flow-authorization-credential-manager');

1	`const fs = require('fs');`
2	`const path = require('path');`
3	`const { promisify } = require('util');`
4	`const handlers = require('./handlers');`
5	`const { status, States } = require('./status');`
6
7	`const readFileAsync = promisify(fs.readFile);`
8	`const statAsync = promisify(fs.stat);`
9
10	`const REFRESH_POLICY_BEFOREEXPIRY = 'beforeexpiry';`
11	`const REFRESH_POLICY_ONEXPIRY = 'onexpiry';`
12	`const REFRESH_POLICY_PERIODIC = 'periodic';`
13	`const DEFAULT_BEFOREEXPIRY_SECONDS = 60;`
14	`const DEFAULT_PERIODIC_SECONDS = 3600;`
15
16	`const RETRY_INTERVAL = 15000;`
17
18	`// Asynchronously load the authorization templates`
19	`const authTemplates = {};`
20	`Object.keys(handlers).forEach(handler => {`
21	authTemplates[`${handler}Callback`] = loadTemplate(`${handler}Callback`, '');
22	authTemplates[`${handler}Error`] = loadTemplate(`${handler}Error`, '');
23	`});`
24
25	`/**`
26	`* Load the authorization templates required by the middleware.`
27	`* @param {string} template The name of the template file to load.`
28	`* @param {string} defText The default if the file does not exist.`
29	`* @return {Promise} A promise that resolves with the template content.`
30	`*/`
31	`function loadTemplate(template, defText) {`
32	const templatePath = path.join(__dirname, 'template', `${template}.html`);
33	`return statAsync(templatePath)`
34	`.then(() => readFileAsync(templatePath))`
35	`.then((buf) => buf.toString())`
36	`.catch(() => Promise.resolve(defText));`
37	`}`
38
39	`/**`
40	`* @module axway-flow-authorization`
41	`*/`
42	`/**`
43	`* Singleton wrapper.`
44	`* @private`
45	`*/`
46	`class Singleton {`
47	`static declare(key, Clazz) {`
48	`const globalSymbols = Object.getOwnPropertySymbols(global);`
49	`const symbol = Symbol.for(key);`
50	`const exists = (globalSymbols.indexOf(symbol) > -1);`
51	`// no dupes`
52	`/* istanbul ignore else */`
53	`if (!exists) {`
54	`global[symbol] = new Clazz();`
55	`}`
56	`Object.defineProperty(Clazz, 'instance', {`
57	`get: () => {`
58	`return global[symbol];`
59	`}`
60	`});`
61	`Object.freeze(Clazz);`
62	`}`
63
64	`static get(key) {`
65	`const globalSymbols = Object.getOwnPropertySymbols(global);`
66	`const symbol = Symbol.for(key);`
67	`const exists = (globalSymbols.indexOf(symbol) > -1);`
68
69	`if (!exists) {`
70	throw new Error(`failed to find singleton: ${key}`);
71	`}`
72	`return global[symbol];`
73	`}`
74	`}`
75
76	`/**`
77	`* The credential manager service.`
78	`* Manages credentials and attempts to keep them evergreen.`
79	`*`
80	`* Shape of an OAuth2 credential:`
81	`* onedrive: {`
82	`* access_token: <currentaccess token>,`
83	`* type: 'oauth2',`
84	`* token_url: <token url>,`
85	`* client_id: <client id>,`
86	`* client_secret: <client secret>,`
87	`* redirect_uri: <redirect uri>,`
88	`* refresh_token: <refresh token>`
89	`* }`
90	`*`
91	`* Shape of apikey/unmanaged auth:`
92	`* myservice: 'mykey'`
93	`*`
94	`* Shape of basic auth:`
95	`* myservice: {`
96	`* username: 'username',`
97	`* password: 'password'`
98	`* }`
99	`*`
100	`* @public`
101	`* @class`
102	`*/`
103	`class CredentialManager {`
104	`/**`
105	`* Constructs a CredentialManager. The instance is a singleton.`
106	`* @private`
107	`*/`
108	`constructor() {`
109	`this.credentials = {};`
110	`this.scheduler = {};`
111	`this.middleware = this.middleware.bind(this);`
112	`}`
113
114	`/**`
115	`* Set the logger.`
116	`* @param {object} logger The logger.`
117	`* @public`
118	`*/`
119	`setLogger(logger) {`
120	`this.logger = logger;`
121	`}`
122
123	`/**`
124	`* Return the managed credential config.`
125	`* @param {string} name The credential name to get.`
126	`* @returns {Obejct} The managed credential config.`
127	`* @public`
128	`*/`
129	`getCredentialConfig(name) {`
130	`if (!this.credentials.hasOwnProperty(name)) {`
131	`return;`
132	`}`
133	`return JSON.parse(JSON.stringify(this.credentials[name]));`
134	`}`
135
136	`/**`
137	`* Return all the managed credential configs.`
138	`* @returns {Array} A list of the managed credential configs.`
139	`* @public`
140	`*/`
141	`getCredentialConfigs() {`
142	`return Object.keys(this.credentials)`
143	`.map(name => this.getCredentialConfig(name))`
144	`.reduce((credConfigs, credConfig) => {`
145	`credConfigs[credConfig.name] = credConfig;`
146	`return credConfigs;`
147	`}, {});`
148	`}`
149
150	`/**`
151	`* Returns the named credential.`
152	`* @param {string} name The name of the credential to retrieve.`
153	`* @returns {*} The named credential or null if no credential exists.`
154	`* @public`
155	`*/`
156	`getCredential(name) {`
157	`const cred = this.credentials.hasOwnProperty(name) && this.credentials[name];`
158	`if (cred && ((!cred.expiry) \|\| cred.expiry >= Date.now())) {`
159	`if (cred.type && handlers[cred.type] && handlers[cred.type].token) {`
160	`return handlers[cred.type].token(cred);`
161	`} else {`
162	`// Untyped bare token`
163	`return cred.token;`
164	`}`
165	`}`
166	`// Credential not found/expired`
167	`return null;`
168	`}`
169
170	`/**`
171	`* Remove all managed credentials and stop all schedules.`
172	`* @public`
173	`*/`
174	`clear() {`
175	`Object.values(this.scheduler).forEach((timeout) => {`
176	`timeout.expiry && clearTimeout(timeout.expiry);`
177	`timeout.refresh && clearTimeout(timeout.refresh);`
178	`});`
179	`this.scheduler = {};`
180	`this.credentials = {};`
181	`}`
182
183	`/**`
184	* Initialize the config for the service. If the config contains a `credentials` section
185	`* those credentials will be added to the CredentialManager.`
186	`*`
187	`* @param {object} config The credential manager config.`
188	`* @param {object\|string} config.credentials The credential to managa.`
189	`* @public`
190	`*/`
191	`set config(config) {`
192	`const { credentials, ...options } = config;`
193	`this.options = options \|\| {};`
194	`this.clear();`
195	`Object.entries(credentials \|\| {}).forEach(([ name, credential ]) => {`
196	`if (typeof credential === 'string') {`
197	`credential = {`
198	`name,`
199	`token: credential`
200	`};`
201	`} else if (typeof credential === 'object') {`
202	`credential = JSON.parse(JSON.stringify(credential));`
203	`credential.name = name;`
204	`} else {`
205	`this.logger && this.logger`
206	.error(`Credential ${name} is not a supported type ${typeof credential}`);
207	`credential = null;`
208	`}`
209	`credential && this.addCredential(credential);`
210	`});`
211	`}`
212
213	`/**`
214	`* Add a credential to be managed.`
215	`* @param {object} credential The credential to manage.`
216	`* @param {string} credential.name The name of the credential.`
217	`* @param {long} credential.expiry The expiration time of the current credential.`
218	`* @param {string} credential.type The type of the credential.`
219	`* @param {*} credential.token The current credential value (e.g. access token for oauth).`
220	`* @param {string} credential.refreshPolicy The refresh policy of the credential.`
221	`*`
222	`* @public`
223	`*/`
224	`addCredential(credential) {`
225	this.logger && this.logger.debug(`Adding credential: ${credential.name}`);
226	`credential.status = status.ok(); // Unless proven otherwise.`
227
228	`// Allow type specific credential initialization (e.g. allow oauth to`
229	`// determine the status of the credential config).`
230	`if (handlers[credential.type]) {`
231	`const { initCredential } = handlers[credential.type];`
232	`initCredential && initCredential(this.options, credential);`
233	`}`
234
235	`// Clear any schedules for the credential if overwriting an existing credential`
236	`if (this.scheduler[credential.name]) {`
237	`const { refresh, expiry } = this.scheduler[credential.name];`
238	`expiry && clearTimeout(expiry);`
239	`refresh && clearTimeout(refresh);`
240	`}`
241	`this.scheduler[credential.name] = {};`
242	`this.credentials[credential.name] = credential;`
243
244	`// Schedule the status update on credential expiry`
245	`this.scheduleExpiry(credential);`
246
247	`// Refresh the credential to ensure we have valid credential`
248	`this.refresh(credential);`
249	`}`
250
251	`/**`
252	`* Remove the named credential from the store.`
253	`* @param {string} name The name of the credential to remove.`
254	`*/`
255	`removeCredential(name) {`
256	this.logger && this.logger.debug(`Removing credential: ${name}`);
257	`if (this.scheduler && this.scheduler[name]) {`
258	`const { expiry, refresh } = this.scheduler[name];`
259	`expiry && clearTimeout(expiry);`
260	`refresh && clearTimeout(refresh);`
261	`}`
262	`delete this.scheduler[name];`
263	`delete this.credentials[name];`
264	`}`
265
266	`/**`
267	`* Is the credential refreshable.`
268	`*`
269	`* @param {object} credential The credential to check refreshability on.`
270	`* @returns {boolean} true if the credential supports refresh, false otherwise.`
271	`* @public`
272	`*/`
273	`isRefreshableCredential(credential) {`
274	`let refreshable = false;`
275	`if (credential && credential.type && handlers[credential.type]`
276	`&& handlers[credential.type].refresh && handlers[credential.type].refreshable) {`
277	`refreshable = handlers[credential.type].refreshable(credential);`
278	`}`
279	`return refreshable;`
280	`}`
281
282	`/**`
283	`* Refresh the credential and schedule the next refresh.`
284	`* @param {object} credential The credential to refresh.`
285	`* @private`
286	`*/`
287	`refresh(credential) {`
288	`if (!this.isRefreshableCredential(credential)) {`
289	`return;`
290	`}`
291
292	this.logger && this.logger.debug(`Credential: ${credential.name} refreshing`);
293	`handlers[credential.type].refresh(credential).then(`
294	`(newCred) => {`
295	`this.credentials[newCred.name] = newCred;`
296	`this.scheduleExpiry(newCred);`
297
298	`if (this.isRefreshableCredential(newCred)) {`
299	`const next = this.scheduleNextRefresh(newCred);`
300	`this.logger && this.logger`
301	.debug(`Credential: ${newCred.name} refreshed. Next refresh in ${next}ms.`);
302	`} else {`
303	this.logger && this.logger.debug(`Credential: ${newCred.name} refreshed.`);
304	`}`
305	`},`
306	`(err) => {`
307	`if (!this.credentials[credential.name]) {`
308	`// Credential was already removed, so we don't care about any errors`
309	`// and should not try to refresh it again either.`
310	`return;`
311	`}`
312	`// TODO: This probably needs exponential back off and the ability to identify`
313	`// terminal errors.`
314	`credential.status = status(credential.status, {`
315	`action: States.action.refreshError`
316	`});`
317	`const next = this.scheduleNextRefresh(`
318	`this.credentials[credential.name], RETRY_INTERVAL);`
319	`this.logger && this.logger`
320	.error(`Credential: ${credential.name} refresh failed. Next refresh in ${next}ms. ${err ? (err.message \|\| err) : ''}`);
321	`}`
322	`).catch((err) => {`
323	`this.logger && this.logger`
324	.error(`Credential: ${credential.name} scheduled refresh failed. ${err.message \|\| err}`);
325	`});`
326	`}`
327
328	`/**`
329	`* Schedule the next refresh of the credential.`
330	`*`
331	`* @param {object} credential The credential to schedule refresh for.`
332	`* @param {number} wait The number of ms to schedule retry in, if not set then`
333	`* it is calculated from the credential's refresh policy.`
334	`* @returns {number} The number of milliseconds until the next refresh.`
335	`* @private`
336	`*/`
337	`scheduleNextRefresh(credential, wait = -1) {`
338	`if (wait < 0) {`
339	`if (!credential.refreshPolicy`
340	`\|\| credential.refreshPolicy === REFRESH_POLICY_BEFOREEXPIRY) {`
341	`if (credential.expiry) {`
342	`// Refresh N seconds before expiry`
343	`const now = Date.now();`
344	`const offset = (credential.refreshOffset`
345	`\|\| DEFAULT_BEFOREEXPIRY_SECONDS) * 1000;`
346	`wait = ((credential.expiry - offset) \|\| now) - now;`
347	`}`
348	`} else if (credential.refreshPolicy === REFRESH_POLICY_ONEXPIRY) {`
349	`// Refresh on expiry`
350	`if (credential.expiry) {`
351	`const now = Date.now();`
352	`wait = (credential.expiry \|\| now) - now;`
353	`}`
354	`} else if (credential.refreshPolicy === REFRESH_POLICY_PERIODIC) {`
355	`// Refresh every N seconds`
356	`wait = (credential.refreshPeriod \|\| DEFAULT_PERIODIC_SECONDS) * 1000;`
357	`} else {`
358	`// Unknown policy`
359	throw new Error(`Invalid refresh policy: ${credential.refreshPolicy}`);
360	`}`
361	`}`
362
363	`// Cleanup any pending schedules.`
364	`this.scheduler[credential.name].refresh`
365	`&& clearTimeout(this.scheduler[credential.name].refresh);`
366	`this.scheduler[credential.name].refresh = null;`
367
368	`// Schedule the next refresh`
369	`if (wait >= 0) {`
370	`this.scheduler[credential.name].refresh = setTimeout(() => {`
371	`this.scheduler[credential.name].refresh = null;`
372	`this.refresh(credential);`
373	`}, wait);`
374	`this.scheduler[credential.name].refresh.unref();`
375	`}`
376
377	`return wait;`
378	`}`
379
380	`/**`
381	`* Actively update the status when the credential expires.`
382	`*`
383	`* @param {object} credential The credential to monitor expiry on.`
384	`*/`
385	`scheduleExpiry(credential) {`
386	`this.scheduler[credential.name].expiry`
387	`&& clearTimeout(this.scheduler[credential.name].expiry);`
388	`if (credential.expiry) {`
389	`this.scheduler[credential.name].expiry = setTimeout(() => {`
390	`const newstatus = {`
391	`credential: States.credential.expired`
392	`};`
393	`if (this.isRefreshableCredential(credential)`
394	`&& credential.status`
395	`&& credential.status.action === States.action.none) {`
396	`newstatus.action = States.action.needsRefresh;`
397	`}`
398	`credential.status = status(credential.status, newstatus);`
399	`}, credential.expiry - Date.now());`
400
401	`this.scheduler[credential.name].expiry.unref();`
402	`} else {`
403	`this.scheduler[credential.name].expiry = null;`
404	`}`
405	`}`
406
407	`/**`
408	`* Middleware to handle credential callbacks exposed by credential manager.`
409	`*`
410	`* @param {object} req The request.`
411	`* @param {object} res The response.`
412	`* @returns {object} Middleware response.`
413	`*/`
414	`async middleware(req, res) {`
415	`const name = req.query.state;`
416
417	`if (!this.credentials.hasOwnProperty(name)`
418	`\|\| !this.credentials[name].type`
419	`\|\| !handlers[this.credentials[name].type].authorize) {`
420	`return res.status(404).send();`
421	`}`
422
423	`try {`
424	`const credential = this.credentials[name];`
425	`const newCred = await handlers[credential.type].authorize(credential, { ...req.query });`
426	`this.credentials[newCred.name] = newCred;`
427	`this.scheduleExpiry(newCred);`
428	`if (this.isRefreshableCredential(newCred)) {`
429	`const next = this.scheduleNextRefresh(newCred);`
430	`this.logger && this.logger`
431	.debug(`Credential: ${newCred.name} acquired. Next refresh in ${next}ms.`);
432	`} else {`
433	`this.logger && this.logger`
434	.debug(`Credential: ${newCred.name} acquired.`);
435	`}`
436
437	const respText = await authTemplates[`${credential.type}Callback`];
438	`res.status(200)`
439	`.set('Content-Type', 'text/html')`
440	`.send(respText);`
441	`} catch (ex) {`
442	`this.credentials[name].status = status(this.credentials[name].status, {`
443	`action: States.action.authError`
444	`});`
445	`this.logger && this.logger.error(ex);`
446	const respText = await authTemplates[`${this.credentials[name].type}Error`];
447	`res.status(401)`
448	`.set('Content-Type', 'text/html')`
449	`.send(respText);`
450	`}`
451	`}`
452	`}`
453
454	`Singleton.declare('axway-flow-authorization-credential-manager', CredentialManager);`
455
456	`exports = module.exports = Singleton.get('axway-flow-authorization-credential-manager');`