nodejs-sdk's Issues

4.2.0 release changed `IdentityClient.getInstance().validateIdentityOnToken` call return signature

https://github.com/frontegg/nodejs-sdk/releases/tag/4.2.0 changed the values returned from IdentityClient.getInstance().validateIdentityOnToken. Now roles and permissions are not returned anymore, which should be considered a breaking change.

This should've been a major version bump instead of a minor version according to semver. Teams who use dependency bots with automerge features would end up with a broken deployment.

fronteggNextJs middleware seems to be broken

Hi, I found an issue when trying to set up the Frontegg middleware with Next.js as described in the documentation. There seems to be a problem when checking whether a given route is a Frontegg public route here, but only when the isFronteggPublicRoute function is called from the fronteggNextJs middleware. I also tried to set up an Express app with the Frontegg middleware and it works correctly.

Actual behaviour

  • the following API requests sent from the login screen fail with status code 401
    • /api/frontegg/metadata?entityName=saml
    • /api/frontegg/identity/resources/sso/v1
    • /api/frontegg/identity/resources/configurations/v1/public
  • the user is not able to log in to the app using the login form

Expected behaviour

  • requests to the public API mentioned above succeed with status code 200
  • the login flow works correctly

For now, we are using the following workaround to make the fronteggNextJs middleware work:

export default (req: NextApiRequest, res: NextApiResponse) => {

  // we had to remove `/api/frontegg` part
  // of `req.url` to make it work correctly
  req.url = req.url.replace('/api/frontegg', '')
  
  return fronteggNextJs({
    clientId: process.env.FRONTEGG_CLIENT_ID,
    apiKey: process.env.FRONTEGG_API_KEY,
    authMiddleware: withAuthentication(),
    contextResolver: async (req) => {
      return {
        tenantId: req.user ? req.user.tenantId : '',
        userId: req.user ? req.user.id : '',
        permissions: [FronteggPermissions.All],
      }
    },
  })(req, res)
}

authMiddleware can lead to express error during logout flow

Sometimes during the logout flow, there is an Express error ERR_HTTP_HEADERS_SENT.

The problem is that the frontegg middleware calls the auth middleware via this helper function:
https://github.com/frontegg/nodejs-sdk/blob/master/src/middleware/utils.ts#L141
This function will throw an error if the value of the next callback (resolve of promise) is a string; this callback function (next) will be sent to the auth middleware.
In case of an error, the code (frontegg middleware) will send a response; you can see it here:
https://github.com/frontegg/nodejs-sdk/blob/master/src/middleware/fronteggMiddleware.ts#L142
The problem is that the auth middleware (could have) already made a response and called the next callback; see this:
https://github.com/frontegg/nodejs-sdk/blob/master/src/identity/with-authentication.ts#L45

The setup:

app.use('/frontegg', frontegg({
  clientId: 'my-client-id',
  apiKey: 'my-api-key',
  authMiddleware: withAuthentication(),
  contextResolver: (req) => {
    const email = req.context.user; // The user context (after JWT verification)
    const tenantId = req.context.tenantId; // The tenantId context (after JWT verification)
    const permissions = [FronteggPermissions.All];

    return {
      email,
      tenantId,
      permissions
    };
  }
}))

Thanks
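Added example (not part of the issue above and not the SDK's code): a self-contained model of the double response described in that report, next to a variant that checks `res.headersSent` before answering. `fakeRes`, `authMiddleware`, `callMiddleware`, the two handlers and `outcome` are hypothetical names, and the response object is a constructed stand-in for an Express response.

```javascript
// Constructed stand-in for an Express response. Like Node's ServerResponse,
// it refuses to set a status once a response has been sent.
function fakeRes() {
  return {
    headersSent: false, statusCode: null, body: null,
    status(code) {
      if (this.headersSent) {
        const err = new Error('Cannot set headers after they are sent to the client');
        throw Object.assign(err, { code: 'ERR_HTTP_HEADERS_SENT' });
      }
      this.statusCode = code;
      return this;
    },
    send(body) { this.body = body; this.headersSent = true; return this; },
  };
}

// Hypothetical auth middleware: answers 401 itself, then also reports via next().
function authMiddleware(req, res, next) {
  res.status(401).send('Unauthenticated');
  next('Unauthenticated');
}

// Hypothetical promise wrapper: a string passed to next() is treated as an error.
function callMiddleware(req, res, middleware) {
  return new Promise((resolve, reject) => {
    middleware(req, res, (v) => (typeof v === 'string' ? reject(new Error(v)) : resolve()));
  });
}

// Before: the caller always responds on failure, so the 401 gets a second write.
async function handleUnguarded(req, res) {
  try { await callMiddleware(req, res, authMiddleware); }
  catch (e) { res.status(401).send(e.message); }
}

// After: respond only if nothing downstream has already committed a response.
async function handleGuarded(req, res) {
  try { await callMiddleware(req, res, authMiddleware); }
  catch (e) { if (!res.headersSent) res.status(401).send(e.message); }
}

// Runs a handler against a fresh response and reports what the client would get.
async function outcome(handler) {
  const res = fakeRes();
  try { await handler({}, res); return { status: res.statusCode, error: null }; }
  catch (e) { return { status: res.statusCode, error: e.code }; }
}
```

In both variants the client still receives the 401 from the auth middleware; the guard only stops the rejected-authentication path from ending in an unhandled error.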

Authenticator refresh token task runs indefinitely

When using the frontegg client, the authenticator starts a task with setTimeout which runs indefinitely (the authenticator has no shutdown function). Leaving a task open when an app shuts down is bad practice and can also fail tests.
This also affects the getPublicKey function in the IdentityClient class, which in turn creates an authenticator, again starting a task that runs indefinitely (and actually the access token is needed only once).

Suggested fix:
Add a shutdown function to the authenticator that removes the refresh token timeout, and in the identity client, shut down the authenticator after the key is retrieved.

Suggested PR:
#36
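Added example (not part of the issue above, and not the code from the suggested PR): one way a refresh timer can be given an explicit shutdown, including the one-shot case the report describes for getPublicKey. The `Authenticator` class here, `fetchToken`, `useToken` and `withShortLivedToken` are hypothetical stand-ins, not the SDK's API.

```javascript
// Hypothetical authenticator; fetchToken stands in for the real token request
// and resolves to { token, expiresInMs }.
class Authenticator {
  constructor(fetchToken) {
    this.fetchToken = fetchToken;
    this.accessToken = null;
    this.refreshTimer = null;
    this.stopped = false;
    this.lastError = null;
  }

  async init() {
    const { token, expiresInMs } = await this.fetchToken();
    if (this.stopped) return; // shutdown() ran while the request was in flight
    this.accessToken = token;
    // Re-arm before expiry; without shutdown() this chain never ends.
    this.refreshTimer = setTimeout(() => {
      this.init().catch((e) => { this.lastError = e; });
    }, expiresInMs * 0.8);
  }

  get hasPendingRefresh() { return this.refreshTimer !== null; }

  shutdown() {
    this.stopped = true;
    clearTimeout(this.refreshTimer);
    this.refreshTimer = null;
    this.accessToken = null; // do not keep the credential past its owner's lifetime
  }
}

// One-shot use: the token is needed once, so the authenticator is shut down
// whether or not the request that uses it succeeds.
async function withShortLivedToken(fetchToken, useToken) {
  const auth = new Authenticator(fetchToken);
  try {
    await auth.init();
    return await useToken(auth.accessToken);
  } finally {
    auth.shutdown();
  }
}
```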
