@actuate-media/cms-core 0.11.1 → 0.12.0
- package/dist/__tests__/api/cron-routes.test.d.ts +2 -0
- package/dist/__tests__/api/cron-routes.test.d.ts.map +1 -0
- package/dist/__tests__/api/cron-routes.test.js +67 -0
- package/dist/__tests__/api/cron-routes.test.js.map +1 -0
- package/dist/__tests__/auth/password.test.js +82 -3
- package/dist/__tests__/auth/password.test.js.map +1 -1
- package/dist/__tests__/auth/session.test.js +54 -1
- package/dist/__tests__/auth/session.test.js.map +1 -1
- package/dist/__tests__/cron/cron.test.d.ts +2 -0
- package/dist/__tests__/cron/cron.test.d.ts.map +1 -0
- package/dist/__tests__/cron/cron.test.js +262 -0
- package/dist/__tests__/cron/cron.test.js.map +1 -0
- package/dist/__tests__/security/encrypted-fields.test.d.ts +2 -0
- package/dist/__tests__/security/encrypted-fields.test.d.ts.map +1 -0
- package/dist/__tests__/security/encrypted-fields.test.js +60 -0
- package/dist/__tests__/security/encrypted-fields.test.js.map +1 -0
- package/dist/__tests__/security/safe-fetch.test.d.ts +2 -0
- package/dist/__tests__/security/safe-fetch.test.d.ts.map +1 -0
- package/dist/__tests__/security/safe-fetch.test.js +97 -0
- package/dist/__tests__/security/safe-fetch.test.js.map +1 -0
- package/dist/__tests__/security/ssrf.test.d.ts +2 -0
- package/dist/__tests__/security/ssrf.test.d.ts.map +1 -0
- package/dist/__tests__/security/ssrf.test.js +209 -0
- package/dist/__tests__/security/ssrf.test.js.map +1 -0
- package/dist/api/handler-factory.d.ts.map +1 -1
- package/dist/api/handler-factory.js +3 -0
- package/dist/api/handler-factory.js.map +1 -1
- package/dist/api/handlers.d.ts.map +1 -1
- package/dist/api/handlers.js +84 -1
- package/dist/api/handlers.js.map +1 -1
- package/dist/auth/oauth.d.ts +8 -0
- package/dist/auth/oauth.d.ts.map +1 -1
- package/dist/auth/oauth.js +39 -1
- package/dist/auth/oauth.js.map +1 -1
- package/dist/auth/password.d.ts +35 -2
- package/dist/auth/password.d.ts.map +1 -1
- package/dist/auth/password.js +97 -7
- package/dist/auth/password.js.map +1 -1
- package/dist/auth/session.d.ts +9 -0
- package/dist/auth/session.d.ts.map +1 -1
- package/dist/auth/session.js +54 -1
- package/dist/auth/session.js.map +1 -1
- package/dist/cron/index.d.ts +72 -0
- package/dist/cron/index.d.ts.map +1 -0
- package/dist/cron/index.js +222 -0
- package/dist/cron/index.js.map +1 -0
- package/dist/security/encrypted-fields.d.ts +9 -0
- package/dist/security/encrypted-fields.d.ts.map +1 -1
- package/dist/security/encrypted-fields.js +52 -1
- package/dist/security/encrypted-fields.js.map +1 -1
- package/dist/security/ip-canon.d.ts +71 -0
- package/dist/security/ip-canon.d.ts.map +1 -0
- package/dist/security/ip-canon.js +352 -0
- package/dist/security/ip-canon.js.map +1 -0
- package/dist/security/rate-limit.d.ts +0 -4
- package/dist/security/rate-limit.d.ts.map +1 -1
- package/dist/security/rate-limit.js +30 -0
- package/dist/security/rate-limit.js.map +1 -1
- package/dist/security/safe-fetch.d.ts +30 -8
- package/dist/security/safe-fetch.d.ts.map +1 -1
- package/dist/security/safe-fetch.js +32 -6
- package/dist/security/safe-fetch.js.map +1 -1
- package/dist/security/webhook.d.ts +20 -2
- package/dist/security/webhook.d.ts.map +1 -1
- package/dist/security/webhook.js +100 -30
- package/dist/security/webhook.js.map +1 -1
- package/package.json +1 -1
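--- a/package/dist/auth/oauth.d.ts
+++ b/package/dist/auth/oauth.d.ts
@@ -74,6 +74,14 @@ export declare function generateCodeChallenge(codeVerifier: string): Promise<str
 export declare function generateState(provider: string, codeVerifier: string, returnTo: string, secret: string, nonce?: string): Promise<string>;
 /** Generate a random base64url nonce suitable for binding state to a browser cookie. */
 export declare function generateOAuthNonce(): string;
+/**
+* Thrown when an OAuth state token verifies cryptographically but its decoded
+* payload doesn't match the expected `OAuthState` shape. Mapped to a 400 by
+* the callback handler — the user is then bounced back to the login page.
+*/
+export declare class InvalidOAuthStateError extends Error {
+constructor(reason: string);
+}
 export declare function verifyState(stateToken: string, secret: string): Promise<OAuthState>;
 export declare function getAuthorizationUrl(provider: OAuthProviderType, config: OAuthProviderConfig, state: string, codeChallenge: string): string;
 export declare function exchangeCodeForTokens(provider: OAuthProviderType, code: string, codeVerifier: string, config: OAuthProviderConfig): Promise<{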
package/dist/auth/oauth.d.ts.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAE5D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,SAAS,CAAC,EAAE,mBAAmB,CAAA;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,MAAM,CAAA;IAChB,gGAAgG;IAChG,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CACpF;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,iBAAiB,EAAE,MAAM,CAAA;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,QAAA,MAAM,aAAa;;;;;;;;;;;;;;;;;;;CAmBT,CAAA;AAEV,MAAM,MAAM,iBAAiB,GAAG,MAAM,OAAO,aAAa,CAAA;AAW1D,wBAAgB,oBAAoB,IAAI,MAAM,CAG7C;AAED,wBAAsB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIjF;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED,wFAAwF;AACxF,wBAAgB,kBAAkB,IAAI,MAAM,CAG3C;AAED,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,
1
+
{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAE5D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,SAAS,CAAC,EAAE,mBAAmB,CAAA;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAE,MAAM,CAAA;IAChB,gGAAgG;IAChG,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC;;;;;;;OAOG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CACpF;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,iBAAiB,EAAE,MAAM,CAAA;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,QAAA,MAAM,aAAa;;;;;;;;;;;;;;;;;;;CAmBT,CAAA;AAEV,MAAM,MAAM,iBAAiB,GAAG,MAAM,OAAO,aAAa,CAAA;AAW1D,wBAAgB,oBAAoB,IAAI,MAAM,CAG7C;AAED,wBAAsB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAIjF;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAWjB;AAED,wFAAwF;AACxF,wBAAgB,kBAAkB,IAAI,MAAM,CAG3C;AAED;;;;GAIG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;gBACnC,MAAM,EAAE,MAAM;CAI3B;AAqBD,wBAAsB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAYzF;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE,mBAAmB,EAC3B,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,GACpB,MAAM,CAaR;AAED,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,iBAAiB,EAC3B,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAA
E,MAAM,CAAA;CAAE,CAAC,CA2B9E;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,iBAAiB,EAC3B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,gBAAgB,CAAC,CAwD3B;AAED,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,cAAc,EACzB,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,GAAG,EACP,OAAO,GAAE,oBAAoB,GAAG;IAAE,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAAO,GACrE,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC,CA4I7F;AAED,uGAAuG;AACvG,wBAAsB,aAAa,CACjC,eAAe,EAAE,kBAAkB,EACnC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAAC,CAErD;AAED,qGAAqG;AACrG,wBAAsB,cAAc,CAClC,eAAe,EAAE,kBAAkB,EACnC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAE9B;AAED,wEAAwE;AACxE,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,mBAAmB,EAC3B,EAAE,EAAE,OAAO,GACV,OAAO,CAAC,IAAI,CAAC,CA6Bf"}
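--- a/package/dist/auth/oauth.js
+++ b/package/dist/auth/oauth.js
@@ -55,10 +55,48 @@ export function generateOAuthNonce() {
 const bytes = crypto.getRandomValues(new Uint8Array(16));
 return base64url(bytes.buffer);
 }
+/**
+* Thrown when an OAuth state token verifies cryptographically but its decoded
+* payload doesn't match the expected `OAuthState` shape. Mapped to a 400 by
+* the callback handler — the user is then bounced back to the login page.
+*/
+export class InvalidOAuthStateError extends Error {
+constructor(reason) {
+super(`OAuth state is malformed: ${reason}`);
+this.name = 'InvalidOAuthStateError';
+}
+}
+function assertOAuthState(payload) {
+if (typeof payload !== 'object' || payload === null) {
+throw new InvalidOAuthStateError('payload is not an object');
+}
+const p = payload;
+if (typeof p.provider !== 'string' || p.provider.length === 0) {
+throw new InvalidOAuthStateError('missing or invalid `provider`');
+}
+if (typeof p.codeVerifier !== 'string' || p.codeVerifier.length === 0) {
+throw new InvalidOAuthStateError('missing or invalid `codeVerifier`');
+}
+if (typeof p.returnTo !== 'string') {
+throw new InvalidOAuthStateError('missing or invalid `returnTo`');
+}
+if (p.nonce !== undefined && typeof p.nonce !== 'string') {
+throw new InvalidOAuthStateError('`nonce`, when present, must be a string');
+}
+}
 export async function verifyState(stateToken, secret) {
 const secretKey = new TextEncoder().encode(secret);
 const { payload } = await jwtVerify(stateToken, secretKey, { issuer: 'actuate-cms' });
-
+assertOAuthState(payload);
+// Return only the validated fields; strip extras (jose injects iat/exp/iss).
+const safe = {
+provider: payload.provider,
+codeVerifier: payload.codeVerifier,
+returnTo: payload.returnTo,
+};
+if (payload.nonce !== undefined)
+safe.nonce = payload.nonce;
+return safe;
 }
 export function getAuthorizationUrl(provider, config, state, codeChallenge) {
 const urls = PROVIDER_URLS[provider];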
package/dist/auth/oauth.js.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAA;AA0D7D,MAAM,aAAa,GAAG;IACpB,MAAM,EAAE;QACN,SAAS,EAAE,8CAA8C;QACzD,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,+CAA+C;QACzD,MAAM,EAAE,sBAAsB;KAC/B;IACD,MAAM,EAAE;QACN,SAAS,EAAE,0CAA0C;QACrD,KAAK,EAAE,6CAA6C;QACpD,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,sBAAsB;KAC/B;IACD,SAAS,EAAE;QACT,SAAS,EAAE,gEAAgE;QAC3E,KAAK,EAAE,4DAA4D;QACnE,QAAQ,EAAE,qCAAqC;QAC/C,MAAM,EAAE,sBAAsB;KAC/B;CACO,CAAA;AAIV,SAAS,SAAS,CAAC,MAAmB;IACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,YAAoB;IAC9D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAC7D,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,YAAoB,EACpB,QAAgB,EAChB,MAAc,EACd,KAAc;IAEd,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,OAAO,GAAe,KAAK;QAC/B,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE;QAC7C,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAA;IACxC,OAAO,IAAI,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SAC/B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,KAAK,CAAC;SACxB,SAAS,CAAC,aAAa,CAAC;SACxB,IAAI,CAAC,SAAS,CAAC,CAAA;AACpB,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,
CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAkB,EAAE,MAAc;IAClE,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAA;IACrF,OAAO,OAAgC,CAAA;AACzC,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAA2B,EAC3B,MAA2B,EAC3B,KAAa,EACb,aAAqB;IAErB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IACpC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;KAC9B,CAAC,CAAA;IAEF,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAA2B,EAC3B,IAAY,EACZ,YAAoB,EACpB,MAA2B;IAE3B,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAA;IACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,CAAC,QAAQ,CAAC,GAAG,kBAAkB,CAAA;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;IAE5F,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAA2B,EAC3B,WAAmB;IAEnB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,
CAAC;QAC1B,IAAI,KAAK,GAAW,IAAI,CAAC,KAAK,IAAI,EAAE,CAAA;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oCAAoC,EAAE;gBACjE,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;iBACtC;aACF,CAAC,CAAA;YACF,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAInC,CAAA;gBACF,MAAM,OAAO,GACX,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;gBAC/E,IAAI,OAAO;oBAAE,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;YACpC,CAAC;QACH,CAAC;QACD,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,EAAE,IAAI,CAAC,UAAU;SACxB,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,iBAAiB,IAAI,EAAE;YAChD,IAAI,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;SAC7B,CAAA;IACH,CAAC;IAED,SAAS;IACT,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,GAAG;QACZ,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;QACrB,MAAM,EAAE,IAAI,CAAC,OAAO;KACrB,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,IAAY,EACZ,UAAkB,EAClB,SAAyB,EACzB,MAAc,EACd,EAAO,EACP,UAAoE,EAAE;IAEtE,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;IAEnD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;QACpF,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,QAA6B,CAAA;IAClD,MAAM,cAAc,GAAG,SAAS,CAAC,YAAY,CAAC,CAAA;IAC9C,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,qBAAqB,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,cAAc,CAAC,CAAA;IAClG,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEvE,IAAI,CAAC,OAAO,CAAC,
KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IAE1D,qBAAqB;IACrB,8EAA8E;IAC9E,2EAA2E;IAC3E,gEAAgE;IAChE,2EAA2E;IAC3E,4EAA4E;IAC5E,qEAAqE;IACrE,kEAAkE;IAClE,0DAA0D;IAC1D,8EAA8E;IAC9E,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY;QACxC,EAAE,UAAU,EAAE,CAAC;QACb,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;QAClF,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;KACxB,CAAC;SACD,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IAEpB,IAAI,IAAI,GAAG,YAAY,EAAE,IAAI,IAAI,IAAI,CAAA;IAErC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;YACxC,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;SACnE,CAAC,CAAA;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GACf,OAAO,SAAS,CAAC,YAAY,KAAK,QAAQ,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAA;YACjF,IAAI,WAAW,EAAE,CAAC;gBAChB,uEAAuE;gBACvE,kEAAkE;gBAClE,4DAA4D;gBAC5D,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAA;YACH,CAAC;YACD,IAAI,GAAG,SAAS,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC9C,CAAC;QACD,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,IAAI;aACnB;SACF,CAAC,CAAA;IACJ,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,2EAA2E;IAC3E,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC5B,MAAM,oBAAoB,GAAG,MAAM,CAAC,YAAY;YAC9C,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,qBAAqB,GAAG,MAAM,CAAC,aAAa;YAChD,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAA;QAER,MAAM,EAAE,CAAC,YAAY;aAClB,MAAM,CAAC;YACN,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;YAClF,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ;gBACR,iBAAiB,EAAE,OAAO,C
AAC,EAAE;gBAC7B,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;YACD,MAAM,EAAE;gBACN,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;SACF,CAAC;aACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YACtB,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;QACH,CAAC,CAAC,CAAA;IACN,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3C,IAAI,EAAE;YACJ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;SAC1D;KACF,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE,EAAE,EAChE,EAAE,MAAM,EAAE,CACX,CAAA;IAED,OAAO;QACL,KAAK;QACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;KAC3E,CAAA;AACH,CAAC;AAED,uGAAuG;AACvG,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,eAAmC,EACnC,YAAoB;IAEpB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC;AAED,qGAAqG;AACrG,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,eAAmC,EACnC,KAAa,EACb,MAAkB;IAElB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;AACpD,CAAC;AAED,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,MAA2B,EAC3B,EAAW;IAEX,MAAM,CAAC,GAAG,EAAS,CAAA;IACnB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACvF,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE1F,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC;YAC1B,KAAK,EAAE;gBACL,0BAA0B,EAAE;oBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;iBAC5C;aACF;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;gBAC3C,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;SACF,CAAC,CAAA;IACJ,CAAC;AACH,CAAC"}
1
+
{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/auth/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAA;AA0D7D,MAAM,aAAa,GAAG;IACpB,MAAM,EAAE;QACN,SAAS,EAAE,8CAA8C;QACzD,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,+CAA+C;QACzD,MAAM,EAAE,sBAAsB;KAC/B;IACD,MAAM,EAAE;QACN,SAAS,EAAE,0CAA0C;QACrD,KAAK,EAAE,6CAA6C;QACpD,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,sBAAsB;KAC/B;IACD,SAAS,EAAE;QACT,SAAS,EAAE,gEAAgE;QAC3E,KAAK,EAAE,4DAA4D;QACnE,QAAQ,EAAE,qCAAqC;QAC/C,MAAM,EAAE,sBAAsB;KAC/B;CACO,CAAA;AAIV,SAAS,SAAS,CAAC,MAAmB;IACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IACpC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,YAAoB;IAC9D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;IAC7D,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,YAAoB,EACpB,QAAgB,EAChB,MAAc,EACd,KAAc;IAEd,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,OAAO,GAAe,KAAK;QAC/B,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE;QAC7C,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAA;IACxC,OAAO,IAAI,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SAC/B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,KAAK,CAAC;SACxB,SAAS,CAAC,aAAa,CAAC;SACxB,IAAI,CAAC,SAAS,CAAC,CAAA;AACpB,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,
CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACxD,OAAO,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAC/C,YAAY,MAAc;QACxB,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;QAC5C,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAA;IACtC,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,OAAgB;IACxC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,IAAI,sBAAsB,CAAC,0BAA0B,CAAC,CAAA;IAC9D,CAAC;IACD,MAAM,CAAC,GAAG,OAAkC,CAAA;IAC5C,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,sBAAsB,CAAC,+BAA+B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,sBAAsB,CAAC,mCAAmC,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,sBAAsB,CAAC,+BAA+B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACzD,MAAM,IAAI,sBAAsB,CAAC,yCAAyC,CAAC,CAAA;IAC7E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAkB,EAAE,MAAc;IAClE,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAA;IACrF,gBAAgB,CAAC,OAAO,CAAC,CAAA;IACzB,6EAA6E;IAC7E,MAAM,IAAI,GAAe;QACvB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAA;IACD,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;QAAE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;IAC3D,OAAO,IAAI,CAAA;AACb,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAA2B,EAC3B,MAA2B,EAC3B,KAAa,EACb,aAAqB;IAErB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IACpC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;KAC9B,CAAC,CAAA;IAEF,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAA2B,EAC3B,IAAY,EACZ,YAAoB,EACpB,MAA2B;IAE3B,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,
CAAC,CAAA;IAEpC,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,IAAI;QACJ,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;QAClC,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAA;IAEF,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAA;IACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,CAAC,QAAQ,CAAC,GAAG,kBAAkB,CAAA;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;IAE5F,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClC,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAA2B,EAC3B,WAAmB;IAEnB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAA;IAEpC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,KAAK,GAAW,IAAI,CAAC,KAAK,IAAI,EAAE,CAAA;QACpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oCAAoC,EAAE;gBACjE,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,WAAW,EAAE;oBACtC,MAAM,EAAE,6BAA6B;iBACtC;aACF,CAAC,CAAA;YACF,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAInC,CAAA;gBACF,MAAM,OAAO,GACX,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA;gBAC/E,IAAI,OAAO;oBAAE,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;YACpC,CAAC;QACH,CAAC;QACD,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,EAAE,IAAI,CAAC,UAAU;SACxB,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,IA
AI,CAAC,iBAAiB,IAAI,EAAE;YAChD,IAAI,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;SAC7B,CAAA;IACH,CAAC;IAED,SAAS;IACT,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,GAAG;QACZ,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;QACrB,MAAM,EAAE,IAAI,CAAC,OAAO;KACrB,CAAA;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,IAAY,EACZ,UAAkB,EAClB,SAAyB,EACzB,MAAc,EACd,EAAO,EACP,UAAoE,EAAE;IAEtE,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;IAEnD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAA;IACrD,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;QACpF,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,QAA6B,CAAA;IAClD,MAAM,cAAc,GAAG,SAAS,CAAC,YAAY,CAAC,CAAA;IAC9C,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,qBAAqB,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,CAAC,YAAY,EAAE,cAAc,CAAC,CAAA;IAClG,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEvE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IAE1D,qBAAqB;IACrB,8EAA8E;IAC9E,2EAA2E;IAC3E,gEAAgE;IAChE,2EAA2E;IAC3E,4EAA4E;IAC5E,qEAAqE;IACrE,kEAAkE;IAClE,0DAA0D;IAC1D,8EAA8E;IAC9E,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY;QACxC,EAAE,UAAU,EAAE,CAAC;QACb,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;QAClF,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;KACxB,CAAC;SACD,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IAEpB,IAAI,IAAI,GAAG,YAAY,EAAE,IAAI,IAAI,IAAI,CAAA;IAErC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;YACxC,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;SACnE,CAAC,CAAA;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GACf,OAAO,SAAS,CAAC,YAAY,KAAK,QAAQ,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAA;Y
ACjF,IAAI,WAAW,EAAE,CAAC;gBAChB,uEAAuE;gBACvE,kEAAkE;gBAClE,4DAA4D;gBAC5D,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAA;YACH,CAAC;YACD,IAAI,GAAG,SAAS,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC9C,CAAC;QACD,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,KAAK,EAAE,eAAe;gBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,IAAI;gBACd,YAAY,EAAE,IAAI;aACnB;SACF,CAAC,CAAA;IACJ,CAAC;IAED,2EAA2E;IAC3E,4EAA4E;IAC5E,2EAA2E;IAC3E,IAAI,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC5B,MAAM,oBAAoB,GAAG,MAAM,CAAC,YAAY;YAC9C,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,qBAAqB,GAAG,MAAM,CAAC,aAAa;YAChD,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAA;QAER,MAAM,EAAE,CAAC,YAAY;aAClB,MAAM,CAAC;YACN,KAAK,EAAE,EAAE,0BAA0B,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE;YAClF,MAAM,EAAE;gBACN,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ;gBACR,iBAAiB,EAAE,OAAO,CAAC,EAAE;gBAC7B,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;YACD,MAAM,EAAE;gBACN,WAAW,EAAE,oBAAoB;gBACjC,YAAY,EAAE,qBAAqB;aACpC;SACF,CAAC;aACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YACtB,OAAO,CAAC,KAAK,CACX,kDAAkD,EAClD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;QACH,CAAC,CAAC,CAAA;IACN,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3C,IAAI,EAAE;YACJ,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;SAC1D;KACF,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE,EAAE,EAChE,EAAE,MAAM,EAAE,CACX,CAAA;IAED,OAAO;QACL,KAAK;QACL,IAAI,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;KA
C3E,CAAA;AACH,CAAC;AAED,uGAAuG;AACvG,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,eAAmC,EACnC,YAAoB;IAEpB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;AACpE,CAAC;AAED,qGAAqG;AACrG,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,eAAmC,EACnC,KAAa,EACb,MAAkB;IAElB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;AACpD,CAAC;AAED,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,MAA2B,EAC3B,EAAW;IAEX,MAAM,CAAC,GAAG,EAAS,CAAA;IACnB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACvF,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAE1F,IAAI,CAAC,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC;YAC1B,KAAK,EAAE;gBACL,0BAA0B,EAAE;oBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;iBAC5C;aACF;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;gBAC3C,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;YACD,MAAM,EAAE;gBACN,MAAM;gBACN,WAAW;gBACX,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;aACpC;SACF,CAAC,CAAA;IACJ,CAAC;AACH,CAAC"}
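--- a/package/dist/auth/password.d.ts
+++ b/package/dist/auth/password.d.ts
@@ -1,8 +1,41 @@
 import type { PasswordPolicy } from '../config/types.js';
-/**
+/**
+* PBKDF2 iteration count. Bumped from 100,000 (insufficient by 2026 standards)
+* to 600,000 to align with OWASP/NIST 2023+ guidance for PBKDF2-HMAC-SHA256.
+* The hash format embeds the iteration count, so existing 100k hashes still
+* verify correctly — `verifyPassword` reads the count from the stored string,
+* and `needsRehash` lets callers (login.ts) opportunistically upgrade old
+* hashes when the user signs in with the correct password.
+*/
+export declare const PBKDF2_ITERATIONS = 600000;
+/** Hash a password using Web Crypto API (PBKDF2-HMAC-SHA256). */
 export declare function hashPassword(password: string): Promise<string>;
-/**
+/**
+* Verify a password against its stored hash.
+*
+* Reads the iteration count from the stored hash so old hashes (100k from
+* pre-2026 deployments) and current hashes (600k) both verify. Pair with
+* `needsRehash` at the login site to opportunistically upgrade old hashes.
+*/
 export declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+/**
+* Returns true when the stored hash uses fewer iterations than current policy.
+*
+* Login flow should: verify -> if `needsRehash` -> hash again with current
+* params -> persist. This upgrades old hashes silently as users sign in.
+*/
+export declare function needsRehash(storedHash: string): boolean;
+/**
+* Returns a PBKDF2 verification result against the module-level dummy hash.
+* The hash is shared across all calls (and across all unknown emails) — it
+* doesn't matter that it's deterministic per-process, because the comparison
+* itself takes constant time and the attacker only learns "not the dummy
+* hash" — which they already know.
+*
+* The boolean return is meaningless for callers and is intentionally always
+* `false` in practice; it exists so the type matches `verifyPassword`.
+*/
+export declare function compareToDummyHash(password: string): Promise<boolean>;
 /** Validate a password against the configured policy rules. */
 export declare function validatePasswordPolicy(password: string, policy: PasswordPolicy): {
 valid: boolean;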
@@ -1 +1 @@
1
-
{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGxD,
1
+
{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAGxD;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,SAAU,CAAA;AAExC,iEAAiE;AACjE,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBpE;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA+B3F;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAOvD;AAsCD;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG3E;AAED,+DAA+D;AAC/D,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GACrB;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAoBtC;AAED,6EAA6E;AAC7E,OAAO,EAAE,aAAa,IAAI,mBAAmB,EAAE,MAAM,6BAA6B,CAAA"}
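--- a/package/dist/auth/password.js
+++ b/package/dist/auth/password.js
@@ -1,27 +1,117 @@
 import { timingSafeEqual } from 'node:crypto';
-/**
+/**
+* PBKDF2 iteration count. Bumped from 100,000 (insufficient by 2026 standards)
+* to 600,000 to align with OWASP/NIST 2023+ guidance for PBKDF2-HMAC-SHA256.
+* The hash format embeds the iteration count, so existing 100k hashes still
+* verify correctly — `verifyPassword` reads the count from the stored string,
+* and `needsRehash` lets callers (login.ts) opportunistically upgrade old
+* hashes when the user signs in with the correct password.
+*/
+export const PBKDF2_ITERATIONS = 600_000;
+/** Hash a password using Web Crypto API (PBKDF2-HMAC-SHA256). */
 export async function hashPassword(password) {
 const salt = crypto.getRandomValues(new Uint8Array(16));
 const key = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
-const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations:
+const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' }, key, 256);
 const saltHex = Buffer.from(salt).toString('hex');
 const hashHex = Buffer.from(derived).toString('hex');
-return `pbkdf2
+return `pbkdf2:${PBKDF2_ITERATIONS}:${saltHex}:${hashHex}`;
 }
-/**
+/**
+* Verify a password against its stored hash.
+*
+* Reads the iteration count from the stored hash so old hashes (100k from
+* pre-2026 deployments) and current hashes (600k) both verify. Pair with
+* `needsRehash` at the login site to opportunistically upgrade old hashes.
+*/
 export async function verifyPassword(password, storedHash) {
-const
-if (
+const parts = storedHash.split(':');
+if (parts.length !== 4)
 return false;
+const [, iterStr, saltHex, hashHex] = parts;
+if (!iterStr || !saltHex || !hashHex)
+return false;
+const iterations = parseInt(iterStr, 10);
+// Bound the iteration count: refuse anything below 10k (almost certainly
+// a corrupted hash) or above 5M (DoS guard — an attacker who controls a
+// user's stored hash could otherwise pin a worker for tens of seconds per
+// login attempt).
+if (!Number.isFinite(iterations) || iterations < 10_000 || iterations > 5_000_000) {
+return false;
+}
 const salt = Buffer.from(saltHex, 'hex');
 const key = await crypto.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveBits']);
-const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations
+const derived = await crypto.subtle.deriveBits({ name: 'PBKDF2', salt, iterations, hash: 'SHA-256' }, key, 256);
 const derivedBuf = Buffer.from(derived);
 const storedBuf = Buffer.from(hashHex, 'hex');
 if (derivedBuf.length !== storedBuf.length)
 return false;
 return timingSafeEqual(derivedBuf, storedBuf);
 }
+/**
+* Returns true when the stored hash uses fewer iterations than current policy.
+*
+* Login flow should: verify -> if `needsRehash` -> hash again with current
+* params -> persist. This upgrades old hashes silently as users sign in.
+*/
+export function needsRehash(storedHash) {
+const parts = storedHash.split(':');
+if (parts.length !== 4)
+return false;
+const iterStr = parts[1];
+const iterations = iterStr ? parseInt(iterStr, 10) : 0;
+if (!Number.isFinite(iterations))
+return false;
+return iterations < PBKDF2_ITERATIONS;
+}
+/**
+* A stable dummy PBKDF2 hash used to keep login response time roughly constant
+* regardless of whether the email exists. When the user is not found, the
+* login handler still runs `verifyPassword(submittedPassword, dummyHash)` so
+* the timing channel that distinguished "no user" from "wrong password"
+* disappears.
+*
+* Initialised eagerly at module load via a top-level Promise. Without this,
+* the very first call to `compareToDummyHash` after a cold start would have
+* to run `hashPassword` (600k iterations) *and* `verifyPassword` (another
+* 600k iterations) — roughly 2× the latency of a normal verify, which
+* recreates the user-enumeration timing channel this defense is meant to
+* close. The Promise is awaited inside `compareToDummyHash`, so callers
+* never see a partial hash.
+*
+* Why a Promise instead of a string returned from a top-level await:
+* - The Web Crypto PBKDF2 derivation is asynchronous; we can't compute it
+* synchronously at module top level without forcing every importer to
+* also support top-level await.
+* - Storing the in-flight Promise lets the work start at module load and
+* overlap with the first request, rather than blocking on it.
+*/
+const _dummyHashPromise = (async () => {
+const dummyPlaintext = Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString('hex');
+return hashPassword(dummyPlaintext);
+})();
+// Surface uncaught rejections so that — if the eager hash ever fails — we
+// see it in logs at startup, not on the first login. Without this handler,
+// Node would emit an unhandledRejection warning the moment a request hits
+// `compareToDummyHash`.
+_dummyHashPromise.catch((err) => {
+// eslint-disable-next-line no-console
+console.error('[actuate][auth] failed to precompute dummy login hash:', err);
+});
+/**
+* Returns a PBKDF2 verification result against the module-level dummy hash.
+* The hash is shared across all calls (and across all unknown emails) — it
+* doesn't matter that it's deterministic per-process, because the comparison
+* itself takes constant time and the attacker only learns "not the dummy
+* hash" — which they already know.
+*
+* The boolean return is meaningless for callers and is intentionally always
+* `false` in practice; it exists so the type matches `verifyPassword`.
+*/
+export async function compareToDummyHash(password) {
+const dummyHash = await _dummyHashPromise;
+return verifyPassword(password, dummyHash);
+}
 /** Validate a password against the configured policy rules. */
 export function validatePasswordPolicy(password, policy) {
 const errors = [];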
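Review bot: `compareToDummyHash` rethrows on every call once `_dummyHashPromise` has rejected at startup — the `.catch` attached after the IIFE only logs, the stored promise stays rejected — so an unknown email would then produce an error response while a known email with a wrong password still yields `false`, which reopens the enumeration oracle this function exists to close. Catch the rejection inside `compareToDummyHash`, still pay for one `hashPassword(password)` derivation so the unknown-user path costs a full PBKDF2, and return `false`; the rewritten function is below. Separately, `verifyPassword` never checks `parts[0] === 'pbkdf2'`, so the algorithm tag in the stored format is decorative; `if (parts[0] !== 'pbkdf2') return false;` after the length check keeps any future second scheme from being parsed as PBKDF2, and the same split-and-parse is duplicated in `needsRehash` without the iteration bounds, which a shared parsing helper would keep in step. `validatePasswordPolicy` continues past the end of the hunk.
```javascript
export async function compareToDummyHash(password) {
  let dummyHash;
  try {
    dummyHash = await _dummyHashPromise;
  } catch {
    // Precompute failed (already logged at startup). Still spend one full
    // PBKDF2 derivation so this path costs the same as a real verify, and
    // return false instead of letting the login handler surface an error
    // that only unknown emails would trigger.
    await hashPassword(password);
    return false;
  }
  return verifyPassword(password, dummyHash);
}
```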
@@ -1 +1 @@
1
-
{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE7C,
1
+
{"version":3,"file":"password.js","sourceRoot":"","sources":["../../src/auth/password.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE7C;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAA;AAExC,iEAAiE;AACjE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IACvD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,iBAAiB,EAAE,IAAI,EAAE,SAAS,EAAE,EACxE,GAAG,EACH,GAAG,CACJ,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACpD,OAAO,UAAU,iBAAiB,IAAI,OAAO,IAAI,OAAO,EAAE,CAAA;AAC5D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,UAAkB;IACvE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACpC,MAAM,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,KAAK,CAAA;IAC3C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAA;IAClD,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;IACxC,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,MAAM,IAAI,UAAU,GAAG,SAAS,EAAE,CAAC;QAClF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAA;IACD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACrD,GAAG,EACH,GAAG,CACJ,CAAA;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC7C,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,C
AAA;IACxD,OAAO,eAAe,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;AAC/C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,UAAkB;IAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACxB,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACtD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAA;IAC9C,OAAO,UAAU,GAAG,iBAAiB,CAAA;AACvC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,iBAAiB,GAAoB,CAAC,KAAK,IAAI,EAAE;IACrD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC9F,OAAO,YAAY,CAAC,cAAc,CAAC,CAAA;AACrC,CAAC,CAAC,EAAE,CAAA;AAEJ,0EAA0E;AAC1E,2EAA2E;AAC3E,0EAA0E;AAC1E,wBAAwB;AACxB,iBAAiB,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IAC9B,sCAAsC;IACtC,OAAO,CAAC,KAAK,CAAC,wDAAwD,EAAE,GAAG,CAAC,CAAA;AAC9E,CAAC,CAAC,CAAA;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,QAAgB;IACvD,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAA;IACzC,OAAO,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,MAAsB;IAEtB,MAAM,MAAM,GAAa,EAAE,CAAA;IAE3B,IAAI,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,6BAA6B,MAAM,CAAC,SAAS,aAAa,CAAC,CAAA;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;IAC1D,CAAC;IACD,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAA;IACzD,CAAC;IACD,IAAI,MAAM,CAAC,cAAc,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAA;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,mBAAmB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;IAC1D,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;AAC/C,CAAC;AAED,6EAA6E;AAC7E,OAAO,EAAE,aAAa,IAAI,mBAAmB,EAAE,MAAM,6BAA6B,CAAA"}
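--- a/package/dist/auth/session.d.ts
+++ b/package/dist/auth/session.d.ts
@@ -4,6 +4,15 @@ export interface SessionPayload {
 sessionId: string;
 fingerprint?: string;
 }
+/**
+* Thrown when a JWT verifies cryptographically but its decoded payload
+* doesn't match the expected `SessionPayload` shape. We map this to a 401
+* (not 500) because it represents a forged-but-correctly-signed-by-the-CMS
+* token rather than a server bug.
+*/
+export declare class InvalidSessionPayloadError extends Error {
+constructor(reason: string);
+}
 export interface SessionOptions {
 secret: string;
 maxAge?: number;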
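Review bot: The new `InvalidSessionPayloadError` docblock says "we map this to a 401", but nothing in this declaration file tells a consumer which exported function can throw it, and the mapping itself is the caller's job, not this module's. From the `session.js` hunk on this page it is `verifySession` (via `assertSessionPayload`), whose declaration sits later in this file outside the hunk; its docblock should carry `@throws {InvalidSessionPayloadError} when the token is validly signed but its payload is not a SessionPayload`, and the class doc could say "callers should map this to a 401" so the responsibility is clear. The `reason` constructor parameter is interpolated into `message`, which is worth stating here since that message may end up in audit logs.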
@@ -1 +1 @@
1
-
{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAID,yCAAyC;AACzC,wBAAsB,aAAa,CACjC,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,6CAA6C;AAC7C,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,cAAc,CAAC,
1
+
{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;gBACvC,MAAM,EAAE,MAAM;CAI3B;AAgCD,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAID,yCAAyC;AACzC,wBAAsB,aAAa,CACjC,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,6CAA6C;AAC7C,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,cAAc,CAAC,CAkBzB;AAED,sDAAsD;AACtD,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAK7E;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,cAAc,EACvB,EAAE,CAAC,EAAE,GAAG,GACP,OAAO,CAAC,MAAM,CAAC,CAgBjB"}
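--- a/package/dist/auth/session.js
+++ b/package/dist/auth/session.js
@@ -1,4 +1,45 @@
 import * as jose from 'jose';
+/**
+* Thrown when a JWT verifies cryptographically but its decoded payload
+* doesn't match the expected `SessionPayload` shape. We map this to a 401
+* (not 500) because it represents a forged-but-correctly-signed-by-the-CMS
+* token rather than a server bug.
+*/
+export class InvalidSessionPayloadError extends Error {
+constructor(reason) {
+super(`Session payload is malformed: ${reason}`);
+this.name = 'InvalidSessionPayloadError';
+}
+}
+/**
+* Narrow an arbitrary JWT payload to a `SessionPayload`. Required because
+* `jose.jwtVerify()` returns `JWTPayload`, which is `Record<string, unknown>`
+* — without an explicit shape check, downstream code reading `payload.role`
+* would happily evaluate `undefined` against the `WRITE_ROLES`/`ADMIN_ROLES`
+* sets and grant `false` (deny), which is safe — but reading `payload.userId`
+* to look up the user would crash deep in the request, after side effects.
+*
+* Centralizing the check keeps the failure mode crisp: the request returns
+* 401 and the audit log shows "malformed session" instead of a 500.
+*/
+function assertSessionPayload(payload) {
+if (typeof payload !== 'object' || payload === null) {
+throw new InvalidSessionPayloadError('payload is not an object');
+}
+const p = payload;
+if (typeof p.userId !== 'string' || p.userId.length === 0) {
+throw new InvalidSessionPayloadError('missing or invalid `userId`');
+}
+if (typeof p.role !== 'string' || p.role.length === 0) {
+throw new InvalidSessionPayloadError('missing or invalid `role`');
+}
+if (typeof p.sessionId !== 'string' || p.sessionId.length === 0) {
+throw new InvalidSessionPayloadError('missing or invalid `sessionId`');
+}
+if (p.fingerprint !== undefined && typeof p.fingerprint !== 'string') {
+throw new InvalidSessionPayloadError('`fingerprint`, when present, must be a string');
+}
+}
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
 /** Create a signed JWT session token. */
 export async function createSession(payload, options) {
@@ -18,7 +59,19 @@ export async function verifySession(token, options) {
 issuer: options.issuer ?? 'actuate-cms',
 audience: options.audience ?? 'actuate-cms',
 });
-
+assertSessionPayload(payload);
+// Strip standard JWT claims (iat/exp/iss/aud/etc) so the returned object
+// is ONLY the SessionPayload fields we explicitly validated. This prevents
+// callers (e.g. `refreshSession`) from accidentally re-signing arbitrary
+// attacker-supplied claims.
+const safe = {
+userId: payload.userId,
+role: payload.role,
+sessionId: payload.sessionId,
+};
+if (payload.fingerprint !== undefined)
+safe.fingerprint = payload.fingerprint;
+return safe;
 }
 /** Revoke a session by marking it in the database. */
 export async function revokeSession(sessionId, db) {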
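Review bot: The `jose.jwtVerify` options that close at `});` in the second hunk pin `issuer` and `audience` but not `algorithms`, so whichever algorithms jose permits for the supplied key material are all accepted; pin it to the one `createSession` signs with (for example `algorithms: ['HS256'],` if that is the `alg` set there — `createSession` and the start of `verifySession` are outside the hunk, so confirm) so a token under any other algorithm is rejected before `assertSessionPayload` runs. The shape check and the claim-stripping `safe` object are the right design; one remaining gap is that `role` is accepted as any non-empty string, and if the `WRITE_ROLES`/`ADMIN_ROLES` sets the comment mentions are importable here, rejecting unknown roles in `assertSessionPayload` turns a later silent deny into an explicit 401 with an audit entry. `verifySession` begins before the hunk.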
package/dist/auth/session.js.map
CHANGED
@@ -1 +1 @@
1
-
{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;
1
+
{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/auth/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAS5B;;;;;GAKG;AACH,MAAM,OAAO,0BAA2B,SAAQ,KAAK;IACnD,YAAY,MAAc;QACxB,KAAK,CAAC,iCAAiC,MAAM,EAAE,CAAC,CAAA;QAChD,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAA;IAC1C,CAAC;CACF;AAED;;;;;;;;;;GAUG;AACH,SAAS,oBAAoB,CAAC,OAAgB;IAC5C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,IAAI,0BAA0B,CAAC,0BAA0B,CAAC,CAAA;IAClE,CAAC;IACD,MAAM,CAAC,GAAG,OAAkC,CAAA;IAC5C,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,0BAA0B,CAAC,6BAA6B,CAAC,CAAA;IACrE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,0BAA0B,CAAC,2BAA2B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,0BAA0B,CAAC,gCAAgC,CAAC,CAAA;IACxE,CAAC;IACD,IAAI,CAAC,CAAC,WAAW,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,0BAA0B,CAAC,+CAA+C,CAAC,CAAA;IACvF,CAAC;AACH,CAAC;AASD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA,CAAC,SAAS;AAElD,yCAAyC;AACzC,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAuB,EACvB,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC;SACpC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,GAAG,CAAC;SAC1D,SAAS,CAAC,OAAO,CAAC,MAAM,IAAI,aAAa,CAAC;SAC1C,WAAW,CAAC,OAAO,CAAC,QAAQ,IAAI,aAAa,CAAC;SAC9C,IAAI,CAAC,MAAM,CAAC,CAAA;AACjB,CAAC;AAED,6CAA6C;AAC7C,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,OAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;QACtD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,aAAa;QACvC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,aAAa;KAC5C,CAAC,CAAA;IACF,oBAAoB,CAAC,OAAO,CAAC,CAAA;IAC7B,yEAAyE;IACzE,2EAA2E;IAC3E,yEAA
yE;IACzE,4BAA4B;IAC5B,MAAM,IAAI,GAAmB;QAC3B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAA;IACD,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;IAC7E,OAAO,IAAI,CAAA;AACb,CAAC;AAED,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,EAAO;IAC5D,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;QACtB,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE;QACxB,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE;KAChC,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,OAAuB,EACvB,EAAQ;IAER,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAEnD,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;QACjF,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;QAChD,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAA;QAChD,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;YACtB,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE;YAChC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI,CAAC,EAAE;SAC1D,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;AACxC,CAAC"}
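--- /dev/null
+++ b/package/dist/cron/index.d.ts
@@ -0,0 +1,72 @@
+/**
+* Cron handlers for scheduled platform jobs.
+*
+* The endpoints in `api/handlers.ts` validate `Authorization: Bearer ${CRON_SECRET}`
+* before invoking these — Vercel Cron sends that header automatically when
+* `CRON_SECRET` is defined in the project's environment. See:
+* https://vercel.com/docs/cron-jobs/manage-cron-jobs#securing-cron-jobs
+*
+* Each handler is **idempotent** and **bounded** — safe to invoke from any
+* scheduler (Vercel Cron, GitHub Actions, EventBridge, k8s CronJob, etc.) and
+* safe to invoke twice in the same window.
+*/
+import { schedulingCronHandler } from '../scheduling/index.js';
+type PrismaDB = any;
+export interface CleanupOptions {
+/** Hard-delete revoked / expired sessions older than this. Default: 7d. */
+sessionRetentionMs?: number;
+/** Hard-delete audit log entries older than this. Default: 90d. */
+auditLogRetentionMs?: number;
+/** Hard-delete soft-deleted documents older than this. Default: 30d. */
+trashRetentionMs?: number;
+/** Hard-delete used / expired password reset tokens older than this. Default: 1d. */
+passwordResetRetentionMs?: number;
+}
+export interface CleanupResult {
+sessionsDeleted: number;
+auditLogsDeleted: number;
+documentsDeleted: number;
+passwordResetTokensDeleted: number;
+}
+/**
+* Delete stale rows from session, audit log, trash, and password-reset tables.
+*
+* Each deletion is wrapped in its own try/catch so a missing model (e.g. an
+* older Prisma schema without `passwordResetToken`) doesn't fail the entire
+* job — partial cleanup is still useful and the caller logs the count.
+*/
+export declare function processCleanup(db: PrismaDB, options?: CleanupOptions): Promise<CleanupResult>;
+export interface SeoScanIssue {
+documentId: string;
+title: string;
+slug: string;
+problems: string[];
+}
+export interface SeoScanResult {
+total: number;
+pagesWithIssues: number;
+totalProblems: number;
+issues: SeoScanIssue[];
+}
+/**
+* Run the same SEO checks as `POST /seo/scan`, but headlessly so a cron
+* (or a CLI / external scheduler) can invoke it without an admin session.
+*
+* Bounded by `maxDocuments` to avoid OOM / timeout on large catalogs —
+* defaults to 5000, which is well above the typical Vercel function memory
+* envelope while staying safely under the 60s cron execution limit.
+*/
+export declare function processSeoScan(db: PrismaDB, options?: {
+maxDocuments?: number;
+}): Promise<SeoScanResult>;
+/** Re-export for convenience so the route handler can import everything from one module. */
+export { schedulingCronHandler };
+/**
+* Validate a Vercel-style cron Authorization header against `CRON_SECRET`.
+*
+* Returns `false` if the env var is missing — that's deliberately fail-closed
+* so a misconfigured deploy can't silently expose cron endpoints to the public
+* internet. Comparison is constant-time to defeat byte-by-byte timing attacks.
+*/
+export declare function isAuthorizedCronRequest(authHeader: string | null | undefined): boolean;
+//# sourceMappingURL=index.d.ts.map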
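Review bot: `type PrismaDB = any` becomes the public parameter type of both `processCleanup` and `processSeoScan`, so every consumer of this declaration passes an unchecked `db` and the package boundary is effectively untyped; in a `.d.ts` a small structural interface naming the delegates the handlers actually call (the docblock mentions `passwordResetToken`, and the `CleanupResult` fields suggest session, audit-log and document models — confirm against `src/cron/index.ts`) both documents the contract and gives callers checking, with `any` confined to the implementation if it must stay. The `processSeoScan` docblock also says 5000 is "well above the typical Vercel function memory envelope", which compares a document count to a memory size; reword to what the bound protects, e.g. `* defaults to 5000, which keeps a scan within a Vercel function's memory and the 60s cron execution limit.` The `isAuthorizedCronRequest` docblock would be more useful to a caller if it repeated the expected header form from the file header (`Authorization: Bearer <CRON_SECRET>`) rather than leaving readers to look it up elsewhere in the file.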
@@ -0,0 +1 @@
1
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cron/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAA;AAE9D,KAAK,QAAQ,GAAG,GAAG,CAAA;AAEnB,MAAM,WAAW,cAAc;IAC7B,2EAA2E;IAC3E,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,mEAAmE;IACnE,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,qFAAqF;IACrF,wBAAwB,CAAC,EAAE,MAAM,CAAA;CAClC;AAWD,MAAM,WAAW,aAAa;IAC5B,eAAe,EAAE,MAAM,CAAA;IACvB,gBAAgB,EAAE,MAAM,CAAA;IACxB,gBAAgB,EAAE,MAAM,CAAA;IACxB,0BAA0B,EAAE,MAAM,CAAA;CACnC;AAYD;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,EAAE,EAAE,QAAQ,EACZ,OAAO,GAAE,cAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA4DxB;AAED,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAA;IAClB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,YAAY,EAAE,CAAA;CACvB;AAED;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,EAAE,EAAE,QAAQ,EACZ,OAAO,GAAE;IAAE,YAAY,CAAC,EAAE,MAAM,CAAA;CAAO,GACtC,OAAO,CAAC,aAAa,CAAC,CAwExB;AAED,4FAA4F;AAC5F,OAAO,EAAE,qBAAqB,EAAE,CAAA;AAEhC;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAStF"}