## This PR

This PR refactors, fixes, and adds things related to the Okta IDX API, especially stuff that will be used when we implement passcodes for reset password and sign in.

It's best to review this PR commit by commit, as each one is a separate change. This description describes each in order of commit.

This has been tested in CODE.

## Changes

### Add helper `ExtractLiteralRemediationNames` type

refactor commit 0c9acd5

This is used to extract all possible remediation `name` values into a template literal type containing all the possible values except `string`.

For example:

```ts
// Type to extract all the remediation names from the introspect response
type IntrospectRemediationNames = ExtractLiteralRemediationNames<
  IntrospectResponse['remediation']['value'][number]
>;
```

Will evaluate to:

```ts
type IntrospectRemediationNames = "redirect-idp" | "select-enroll-profile" | "identify";
```

Which is helpful as it means we can avoid using the `string` type when validating the remediation.

### Make `IntrospectResponse` remediation a union of all other remediations

refactor commit 40aa5cc

Since the `introspect` call can be called at any point in the IDX flow to check the current state of the flow, the response returned by the introspect call could be the same as any other IDX API call. This means that the remediation object could be any remediation object from the other IDX API calls.

This commit updates the remediation object inside the `IntrospectResponse` to be a union of all the other remediation objects from the other IDX API calls.

### Add `reset-authenticator` remediation to `challengeAnswerRemediations`

feature commit ed2bb97

This is used by password reset with passcodes. This remediation was missed out in the updated API setup in https://github.com/guardian/gateway/pull/2833

### Add `validateChallengeAnswerRemediation` method

feature commit 7029c01

Validates that the `challenge/answer` response contains a remediation with the given name, throwing an error if it does not. This is useful for ensuring that the remediation we want to perform is available in the challenge/answer response, and the current state is correct.

### Split idx `shared.ts` file into `shared` folder

refactor commit 5eacb0a

The `shared.ts` file was getting very large and unmanageable with all the different things it was doing.

This commit splits the file up into files inside a `shared` folder, each with an individual task making it easier to reason about.

- `convertExpiresAtToExpiryTimeInMs.ts` - `convertExpiresAtToExpiryTimeInMs` function
- `idxFetch.ts`
- `paths.ts`
- `schemas.ts`

### Move `submitPasscode` functionality into shared method

refactor commit d7504a0

Create a `submitPasscode` method, and add it to the shared folder. This repeating block of code will be repeatedly used to verify passcodes, so having a helper method that manages it will prove helpful.

### Create `findAuthenticatorId` helper method

refactor commit d401d12

Extracting a given authenticator's id from within the remediation object is a bit of a mess. Since this functionality will be needed quite often, I've moved this to its own method.

This method handles all the current possible scenarios where we'll need to find authenticator ids. Currently in the create account flow it's using the `select-authenticator-enroll` remediation to find the authenticator id for the `password` authenticator. When we start doing passwordless we'll need more options here. In this commit I've also added the two that are required for password reset using passcodes, specifically `select-authenticator-authenticate` and `authenticator-verification-data`.

Since the shape to find the id can sometimes be different, this also takes into account the possible schema shapes too, so we can hide the complexity from the usages.

### Move passcode error handling into a `handlePasscodeError` function

refactor commit 57d4da6

The passcode error handling will be similar among all routes that will need it, so move it into its own method.

Any following errors would need to check for `res.headersSent` in case we redirected or rendered a page inside this method.

## All deployment options

- [Deploy build 9843 of `identity:identity-gateway` to CODE](https://riffraff.gutools.co.uk/deployment/deployAgain?project=identity%3Aidentity-gateway&build=9843&stage=CODE&updateStrategy=MostlyHarmless&action=deploy)
- [Deploy parts of build 9843 to CODE by previewing it first](https://riffraff.gutools.co.uk/preview/yaml?project=identity%3Aidentity-gateway&build=9843&stage=CODE&updateStrategy=MostlyHarmless)
- [What's on CODE right now?](https://riffraff.gutools.co.uk/deployment/history?projectName=identity%3Aidentity-gateway&stage=CODE)
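As an added example (not code from the gateway repository or from this PR), the block below sketches how a literal-name extractor type of the kind described for `ExtractLiteralRemediationNames` can be written, and how the two runtime helpers the description mentions (a `validateChallengeAnswerRemediation`-style presence check and a `findAuthenticatorId`-style lookup across differing shapes) can build on it. The remediation shapes, field names, authenticator ids and sample responses are constructed simplifications for illustration, not the real Okta IDX schema, and the function names are this example's own.

```typescript
// Added example, not code from the gateway repo: a literal-name extractor in the
// spirit of ExtractLiteralRemediationNames, plus the two runtime checks the PR
// describes. Shapes, field names, ids and sample responses are constructed
// simplifications of IDX responses, not the real Okta schema.

// Keep each member's literal `name`; drop members whose name is the wide `string`
// type (a permissive catch-all schema would otherwise widen the whole union).
type ExtractLiteralRemediationNames<R extends { name: string }> =
  R extends { name: infer N } ? (string extends N ? never : N) : never;

interface AuthenticatorOption {
  label: string;
  value: { form: { value: Array<{ name: string; value?: string }> } };
}
interface SelectAuthenticatorAuthenticate {
  name: 'select-authenticator-authenticate';
  value: Array<{ name: 'authenticator'; options: AuthenticatorOption[] }>;
}
interface AuthenticatorVerificationData {
  name: 'authenticator-verification-data';
  relatesTo: { type: 'email' | 'password'; id: string };
}
interface Identify { name: 'identify' }
type Remediation = SelectAuthenticatorAuthenticate | AuthenticatorVerificationData | Identify;

// An introspect-style union that also admits an unknown step with `name: string`.
type LooseRemediation = Remediation | { name: string };
type RemediationNames = ExtractLiteralRemediationNames<LooseRemediation>;
// => 'select-authenticator-authenticate' | 'authenticator-verification-data' | 'identify'

interface IdxResponse {
  remediation: { value: Remediation[] };
}

// Refuse to proceed unless the server actually offers the step we intend to take:
// posting to a remediation the current state does not expose is a logic error,
// and the literal `name` parameter rejects misspelled names at compile time.
function validateRemediation<N extends RemediationNames>(
  response: IdxResponse,
  name: N,
): Extract<Remediation, { name: N }> {
  const found = response.remediation.value.find(
    (r): r is Extract<Remediation, { name: N }> => r.name === name,
  );
  if (found === undefined) {
    const offered = response.remediation.value.map((r) => r.name).join(', ');
    throw new Error(`remediation "${name}" not offered; server offers: [${offered}]`);
  }
  return found;
}

// Locate an authenticator id whichever remediation shape currently carries it:
// the `options` list of a select-authenticator-* step, or `relatesTo` on an
// authenticator-verification-data step. Returns undefined rather than guessing.
function findAuthenticatorId(
  response: IdxResponse,
  methodType: 'email' | 'password',
): string | undefined {
  for (const remediation of response.remediation.value) {
    switch (remediation.name) {
      case 'select-authenticator-authenticate':
        for (const field of remediation.value) {
          for (const option of field.options) {
            const form = option.value.form.value;
            const method = form.find((f) => f.name === 'methodType')?.value;
            const id = form.find((f) => f.name === 'id')?.value;
            if (method === methodType && id !== undefined) return id;
          }
        }
        break;
      case 'authenticator-verification-data':
        if (remediation.relatesTo.type === methodType) return remediation.relatesTo.id;
        break;
    }
  }
  return undefined;
}

// Constructed sample: state after identifying a user who may verify by email or password.
const sampleChallengeResponse: IdxResponse = {
  remediation: {
    value: [
      {
        name: 'select-authenticator-authenticate',
        value: [
          {
            name: 'authenticator',
            options: [
              { label: 'Email', value: { form: { value: [{ name: 'id', value: 'aut-email-0001' }, { name: 'methodType', value: 'email' }] } } },
              { label: 'Password', value: { form: { value: [{ name: 'id', value: 'aut-password-0002' }, { name: 'methodType', value: 'password' }] } } },
            ],
          },
        ],
      },
    ],
  },
};

// Constructed sample: state once an email passcode challenge has been issued.
const sampleVerificationResponse: IdxResponse = {
  remediation: {
    value: [{ name: 'authenticator-verification-data', relatesTo: { type: 'email', id: 'aut-email-0001' } }],
  },
};
```

The point of routing every step through `validateRemediation` before posting to it is that the client never acts on a remediation the server has not offered for the current state, and a misspelled remediation name is a type error rather than a runtime surprise. `findAuthenticatorId` returns `undefined` when no matching authenticator exists so the caller can fail closed instead of posting a guessed id.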