@crossauth/backend 0.0.2

package/LICENSE

@@ -0,0 +1,203 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+

package/README.md

@@ -0,0 +1,14 @@
+Crossauth common
+================
+
+Copyright (c) 2024 Matthew Baker
+
+Crossauth is a cross platform package for authentication.
+It has a Typescript version and soon also a Python and
+Scala/Java version.  At the moment it is not ready for
+public use, though the Typescript version is ready to
+be used by authorized developers.
+
+This is the backend package on which the framework-specific
+packages depend.
+

package/dist/apikey.d.ts

@@ -0,0 +1,100 @@
+import { ApiKey } from '@crossauth/common';
+import { KeyStorage } from './storage.ts';
+
+/**
+ * Options for {@link ApiKeyManager}.
+ */
+export interface ApiKeyManagerOptions {
+    /** Length in bytes of the randomly-created key (before Base64 encoding and signature) */
+    keyLength?: number;
+    /** Server secret.  Needed for emailing tokens and for csrf tokens */
+    secret?: string;
+    /** The prefix to add to the hashed key in storage.  Defaults to
+     * {@link @crossauth/common!KeyPrefix}.apiKey
+     */
+    prefix?: string;
+    /** The token type in the Authorization header.  Defaults to "ApiKey" */
+    authScheme?: string;
+}
+/**
+ * Manager API keys.
+ *
+ * The caller must pass a {@link KeyStorage} object.  This must provide a
+ * string field called `name` in the returned {@link @crossauth/common!Key}
+ * objects (in other words, the databsae table behind it must have a `name` field).
+ *
+ * Api keys have three forms in their value.  The {@link @crossauth/common!Key}
+ * object's `value` field is a base64-url-encoded random number.
+ * When the key is in a header, it is expected to be folled by a dot and a
+ * signature to protect against injection attacks.
+ * When stored in the key storage, only the unsigned part is used (before the
+ * dot), it is hashed and preceded by
+ * `prefix`.  The signature part is dropped for storage economy.  This does
+ * not compromise security so long as the
+ * signature is always validated before comparing with the database.
+ */
+export declare class ApiKeyManager {
+    private apiKeyStorage;
+    private keyLength;
+    private secret;
+    /** The prefix to add to the hashed key in storage.  Defaults to
+     * {@link @crossauth/common!KeyPrefix}.apiKey
+     */
+    prefix: string;
+    /** The name of the speak in the Authorization header.  Defaults to "ApiKey" */
+    authScheme?: string;
+    /**
+     * Constructor.
+     *
+     * @param apiKeyStorage storage for API keys.  In addition to the fields {@link KeyStorage} needs, the storage also needs a string field called `name`.
+     * @param options options.  See {@link ApiKeyManagerOptions}
+     */
+    constructor(apiKeyStorage: KeyStorage, options?: ApiKeyManagerOptions);
+    /**
+     * Creates a new random key and returns it, unsigned.  It is also persisted in the key storage as a
+     * hash of the unsigned part prefixed with {@link prefix()}.
+     * @param name a name for they key.  This is for the user to refer to it
+     *             (eg, for showing the keys the user has created or deleting
+     *             a key)
+     * @param userid id for the user who owns this key, which may be undefined
+     *               for keys not associated with a user
+     * @param data any application-specific extra data.
+     *              If it contains an array called `scope` and this array
+     *              contains `editUser`, the api key can be used for user
+     *              manipulation functions (eg change password)}
+     * @param expiry expiry as a number of seconds from now
+     * @param extraFields any extra fields to save in key storage, and pass
+     *                    back in the {@link @crossauth/common!Key} object.
+     * @returns the new key as a {@link ApiKey} object, plus the token for the
+     *          Authorization header (with the signature appended.)
+     */
+    createKey(name: string, userid: string | number | undefined, data?: {
+        [key: string]: any;
+    }, expiry?: number, extraFields?: {
+        [key: string]: any;
+    }): Promise<{
+        key: ApiKey;
+        token: string;
+    }>;
+    private static hashApiKeyValue;
+    /**
+     * Returns the hash of the bearer value from the Authorization header.
+     *
+     * This has little practical value other than for reporting.  Unhashed
+     * tokens are never reported.
+     * @param unsignedValue the part of the Authorization header after "Berear ".
+     * @returns a hash of the value (without the prefix).
+     */
+    static hashSignedApiKeyValue(unsignedValue: string): string;
+    private unsignApiKeyValue;
+    private signApiKeyValue;
+    private getKey;
+    /**
+     * Returns the {@link ApiKey} if the token is valid, throws an exception otherwise.
+     * @param headerValue the token from the Authorization header (after the "Bearer ").
+     * @returns The {@link ApiKey} object
+     * @throws {@link @crossauth/common!CrossauthError} with code `InvalidKey`
+     */
+    validateToken(headerValue: string): Promise<ApiKey>;
+}
+//# sourceMappingURL=apikey.d.ts.map

package/dist/apikey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apikey.d.ts","sourceRoot":"","sources":["../src/apikey.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAK1C;;GAEG;AACH,MAAM,WAAW,oBAAoB;IAEjC,yFAAyF;IACzF,SAAS,CAAC,EAAG,MAAM,CAAC;IAEpB,qEAAqE;IACrE,MAAM,CAAC,EAAG,MAAM,CAAC;IAEjB;;OAEG;IACH,MAAM,CAAC,EAAG,MAAM,CAAC;IAEjB,wEAAwE;IACxE,UAAU,CAAC,EAAG,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,aAAa;IACtB,OAAO,CAAC,aAAa,CAAc;IACnC,OAAO,CAAC,SAAS,CAAe;IAChC,OAAO,CAAC,MAAM,CAAe;IAE7B;;OAEG;IACH,MAAM,SAAoB;IAE1B,+EAA+E;IAC/E,UAAU,CAAC,EAAG,MAAM,CAAY;IAEhC;;;;;OAKG;gBACS,aAAa,EAAE,UAAU,EAAE,OAAO,GAAG,oBAAyB;IAS1E;;;;;;;;;;;;;;;;;OAiBG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,EACxB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,EACnC,IAAI,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,EAC7B,MAAM,CAAC,EAAE,MAAM,EACf,WAAW,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,GAChC,OAAO,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IA0B7C,OAAO,CAAC,MAAM,CAAC,eAAe;IAI9B;;;;;;;OAOG;IACH,MAAM,CAAC,qBAAqB,CAAC,aAAa,EAAG,MAAM;IAInD,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,eAAe;YAKT,MAAM;IAYpB;;;;;OAKG;IACG,aAAa,CAAC,WAAW,EAAG,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;CAO9D"}

package/dist/auth.d.ts

@@ -0,0 +1,131 @@
+import { User, UserInputFields, UserSecretsInputFields, Key } from '@crossauth/common';
+
+/** Parameters needed for this this class to authenticator a user (besides username)
+ * An example is `password`
+*/
+export interface AuthenticationParameters extends UserSecretsInputFields {
+    otp?: string;
+}
+/**
+ * Options to pass to the constructor.
+ */
+export interface AuthenticationOptions {
+    /** If passed, this is what will be displayed to the user when selecting
+     * an authentication method.
+     */
+    friendlyName?: string;
+}
+export interface AuthenticatorCapabilities {
+    canCreateUser: boolean;
+    canUpdateUser: boolean;
+    canUpdateSecrets: boolean;
+}
+/**
+ * Base class for username/password authentication.
+ *
+ * Subclass this if you want something other than PBKDF2 password hashing.
+ */
+export declare abstract class Authenticator {
+    abstract skipEmailVerificationOnSignup(): boolean;
+    abstract prepareConfiguration(user: UserInputFields): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        sessionData: {
+            [key: string]: any;
+        };
+    } | undefined>;
+    abstract reprepareConfiguration(username: string, sessionKey: Key): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        secrets: Partial<UserSecretsInputFields>;
+        newSessionData: {
+            [key: string]: any;
+        } | undefined;
+    } | undefined>;
+    friendlyName: string;
+    factorName: string;
+    /**
+     * Constructor.
+     * @param options see {@link AuthenticationOptions}
+     */
+    constructor(options?: AuthenticationOptions);
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    abstract mfaType(): "none" | "oob" | "otp";
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    abstract mfaChannel(): "none" | "email" | "sms";
+    /**
+     * Should return the user if it exists in storage, otherwise throw {@link @crossauth/common!CrossauthError}:
+     * with {@link @crossauth/common!ErrorCode} of `Connection`, `UserNotExist` or `PasswordNotMatch`
+     *
+     * @param user the user to authenticate
+     * @param secrets user secrets for authenticating
+     */
+    abstract authenticateUser(user: UserInputFields | undefined, secrets: UserSecretsInputFields, params: AuthenticationParameters): Promise<void>;
+    /**
+     * This method should create and return any secrets that are persisted in storage, eg hashes of passwords.
+     *
+     * Not all authenticators have persistent secrets.
+     * @param username username to create secrets for
+     * @param params user-provided secrets (ie unhashed)
+     * @param repeatParams if present, secrets will be checked to be identical in this and `params`, throwing an exception if they are not
+     */
+    abstract createPersistentSecrets(username: string, params: AuthenticationParameters, repeatParams?: AuthenticationParameters): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * Creates one-time secrets, eg one-time codes that are sent in email or SMS.
+     *
+     * Not all authenticators create one time secrets
+     * @param user user to create secrets for.
+     */
+    abstract createOneTimeSecrets(user: User): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * If true, it is expected that this authenticator allows users to be created.
+     */
+    abstract canCreateUser(): boolean;
+    /**
+     * If true, it is expected that this authenticator allows users to be updated.
+     */
+    abstract canUpdateSecrets(): boolean;
+    /**
+     * If true, it is expected that this authenticator allows users to change their secrets.
+     */
+    abstract canUpdateUser(): boolean;
+    /**
+     * All peristent secrets created and managed by this authenticator, eg `password`
+     *
+     * When user data is passed, it is filtered by this list.
+     */
+    abstract secretNames(): string[];
+    /**
+     * All transient secrets created and managed by this authenticator, eg `otp`
+     *
+     * When user data is passed, it is filtered by this list.
+     */
+    abstract transientSecretNames(): string[];
+    /**
+     * Implementations should use this to validate secrets against local requirements,
+     * eg minimum password length.
+     * @param params user-provided secrets to validate
+     */
+    abstract validateSecrets(params: AuthenticationParameters): string[];
+    capabilities(): AuthenticatorCapabilities;
+}
+/**
+ * Base class for authenticators that check a username and password.
+ */
+export declare abstract class PasswordAuthenticator extends Authenticator {
+    /** @returns `password` */
+    secretNames(): string[];
+    /** @returns an empty array */
+    transientSecretNames(): never[];
+    /** @returns `none` */
+    mfaType(): "none" | "oob" | "otp";
+    /** @returns `none` */
+    mfaChannel(): "none" | "email" | "sms";
+}
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,sBAAsB,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAC;AAE5F;;EAEE;AACF,MAAM,WAAW,wBAAyB,SAAQ,sBAAsB;IACpE,GAAG,CAAC,EAAG,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IAClC;;OAEG;IACH,YAAY,CAAC,EAAG,MAAM,CAAC;CAE1B;AAED,MAAM,WAAW,yBAAyB;IACtC,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;IACvB,gBAAgB,EAAE,OAAO,CAAC;CAC7B;AAED;;;;GAIG;AACH,8BAAsB,aAAa;IAE/B,QAAQ,CAAC,6BAA6B,IAAK,OAAO;IAClD,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAG,eAAe,GAAI,OAAO,CAAC;QAAC,QAAQ,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAC;QAAC,WAAW,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAA;KAAE,GAAC,SAAS,CAAC;IAC7I,QAAQ,CAAC,sBAAsB,CAAC,QAAQ,EAAG,MAAM,EAAE,UAAU,EAAG,GAAG,GAAI,OAAO,CAAC;QAAC,QAAQ,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAAC,cAAc,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,GAAC,SAAS,CAAA;KAAC,GAAC,SAAS,CAAC;IAClN,YAAY,EAAG,MAAM,CAAC;IACtB,UAAU,EAAG,MAAM,CAAM;IACzB;;;OAGG;gBACS,OAAO,CAAC,EAAG,qBAAqB;IAM5C;;OAEG;IACH,QAAQ,CAAC,OAAO,IAAK,MAAM,GAAG,KAAK,GAAG,KAAK;IAE3C;;OAEG;IACH,QAAQ,CAAC,UAAU,IAAK,MAAM,GAAG,OAAO,GAAG,KAAK;IAEhD;;;;;;OAMG;IACH,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE,eAAe,GAAG,SAAS,EACvD,OAAO,EAAE,sBAAsB,EAC/B,MAAM,EAAE,wBAAwB,GAAI,OAAO,CAAC,IAAI,CAAC;IAErD;;;;;;;OAOG;IACH,QAAQ,CAAC,uBAAuB,CAAC,QAAQ,EAAG,MAAM,EAAE,MAAM,EAAE,wBAAwB,EAAE,YAAY,CAAC,EAAE,wBAAwB,GAAI,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAEzK;;;;;OAKG;IACH,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAG,IAAI,GAAI,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAErF;;OAEG;IACH,QAAQ,CAAC,aAAa,IAAK,OAAO;IAElC;;OAEG;IACH,QAAQ,CAAC,gBAAgB,IAAK,OAAO;IAErC;;OAEG;IACH,QAAQ,CAAC,aAAa,IAAK,OAAO;IAElC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,IAAK,MAAM,EAAE;IAEjC;;;;OAIG;IACH,QAAQ,CAAC,oBAAoB,IAAK,MAAM,EAAE;IAE1C;;;;OAIG;IACH,QAAQ,CAAC,eAAe,CAAC,MAAM,EAAG,wBAAwB,GAAI,MAAM,EAAE;IAEtE,YAAY,IAAK,yBAAyB;CAO7C;AAED;;GAEG;AACH,8BAAsB,qBAAsB,SAAQ,aAAa;IAE7D,0BAA0B;IAC1B,WAAW;IAEX,8BAA8B;IAC9B,oBAAoB;IAEpB,sBAAsB;IACtB,OAAO,IAAK,MAAM,GAAG,KAAK,GAAG,KAAK;IAElC,sBAAsB;IACtB,UAAU,IAAK,MAAM,GAAG,OAAO,GAAG,KAAK;CAC1C"}

package/dist/authenticators/dummyfactor2.d.ts

@@ -0,0 +1,129 @@
+import { User, Key, UserSecretsInputFields, UserInputFields } from '@crossauth/common';
+import { Authenticator, AuthenticationParameters, AuthenticationOptions } from '../auth.ts';
+
+/**
+ * Options for `DummyFactor2Authenticator`
+ */
+export interface DummyFactor2AuthenticatorOptions extends AuthenticationOptions {
+}
+/**
+ * This authenticator creates fixed one-time code
+ */
+export declare class DummyFactor2Authenticator extends Authenticator {
+    readonly code: string;
+    /**
+     * Constructor
+     *
+     * @param options see {@link EmailAuthenticatorOptions}
+     */
+    constructor(code: string, options?: DummyFactor2AuthenticatorOptions);
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    mfaType(): "none" | "oob" | "otp";
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    mfaChannel(): "none" | "email" | "sms";
+    /**
+     * Creates and emails the one-time code
+     * @param user the user to create it for.  Uses the `email` field if
+     *             present, `username` otherwise (which in this case is
+     *             expected to contain an email address)
+     * @returns `userData` containing `username`, `email`, `factor2`
+     *          `sessionData` containing the same plus `otp` and `expiry` which
+     *           is a Unix time (number).
+     */
+    prepareConfiguration(user: UserInputFields): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        sessionData: {
+            [key: string]: any;
+        };
+    } | undefined>;
+    /**
+     * Creates and emails a new one-time code.
+     * @param _username ignored
+     * @param sessionKey the session containing the previously created data.
+     * @returns
+     */
+    reprepareConfiguration(_username: string, sessionKey: Key): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        secrets: Partial<UserSecretsInputFields>;
+        newSessionData: {
+            [key: string]: any;
+        } | undefined;
+    } | undefined>;
+    /**
+     * Authenticates the user by comparing the user-provided otp with the one
+     * in secrets.
+     *
+     * Validation fails if the otp is incorrect or has expired.
+     *
+     * @param _user ignored
+     * @param secrets taken from the session and should contain `otp` and
+     *                `expiry`
+     * @param params user input and should contain `otp`
+     * @throws {@link @crossauth/common!CrossauthError} with
+     *         {@link @crossauth/common!ErrorCode} `InvalidToken` or `Expired`.
+     */
+    authenticateUser(_user: User, secrets: UserSecretsInputFields, params: AuthenticationParameters): Promise<void>;
+    /**
+     * Does nothing for this class
+     */
+    createPersistentSecrets(_username: string, _params: AuthenticationParameters, _repeatParams?: AuthenticationParameters): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * Creates and emails a new one-time code.
+     * @param user the user to create it for.  Uses the `email` field if
+     *             present, `username` otherwise (which in this case is
+     *             expected to contain an email address)
+     * @returns `otp` and `expiry` as a Unix time (number).
+     */
+    createOneTimeSecrets(_user: User): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * @returns true - this class can create users
+     */
+    canCreateUser(): boolean;
+    /**
+     * @returns true - this class can update users
+     */
+    canUpdateUser(): boolean;
+    /**
+     * @returns false - users cannot update secrets
+     */
+    canUpdateSecrets(): boolean;
+    /**
+     * @returns empty - this authenticator has no persistent secrets
+     */
+    secretNames(): string[];
+    /**
+     * @returns otp
+     */
+    transientSecretNames(): string[];
+    /**
+     * Does nothing for this class
+     */
+    validateSecrets(_params: AuthenticationParameters): string[];
+    /**
+     * @returns true - as a code is sent to the registers email address, no
+     *          additional email verification is needed
+     */
+    skipEmailVerificationOnSignup(): boolean;
+    /**
+     * Returns whether or not the passed email has a valid form.
+     * @param email the email address to validate
+     * @returns true if it is valid. false otherwise
+     */
+    static isEmailValid(email: string): boolean;
+    /**
+     * Takles a number and turns it into a zero-padded string
+     * @param num number ot pad
+     * @param places total number of required digits
+     * @returns zero-padded string
+     */
+    static zeroPad(num: number, places: number): string;
+}
+//# sourceMappingURL=dummyfactor2.d.ts.map

package/dist/authenticators/dummyfactor2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dummyfactor2.d.ts","sourceRoot":"","sources":["../../src/authenticators/dummyfactor2.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACR,IAAI,EACJ,GAAG,EACH,sBAAsB,EACtB,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAG/C,OAAO,EACH,aAAa,EACb,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAGnD;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,qBAAqB;CAC9E;AAED;;GAEG;AACH,qBAAa,yBAA0B,SAAQ,aAAa;IAExD,QAAQ,CAAC,IAAI,EAAG,MAAM,CAAC;IAEvB;;;;OAIG;gBACS,IAAI,EAAG,MAAM,EAAE,OAAO,GAAG,gCAAqC;IAK1E;;OAEG;IACH,OAAO,IAAK,MAAM,GAAG,KAAK,GAAG,KAAK;IAElC;;OAEG;IACH,UAAU,IAAK,MAAM,GAAG,OAAO,GAAG,KAAK;IAEvC;;;;;;;;OAQG;IACG,oBAAoB,CAAC,IAAI,EAAG,eAAe,GAC7C,OAAO,CAAC;QACJ,QAAQ,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAC;QACjC,WAAW,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAA;KACtC,GAAC,SAAS,CAAC;IAsBhB;;;;;OAKG;IACG,sBAAsB,CAAC,SAAS,EAAG,MAAM,EAAE,UAAU,EAAG,GAAG,GAC7D,OAAO,CAAC;QACJ,QAAQ,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACzC,cAAc,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,GAAG,SAAS,CAAA;KACjD,GAAC,SAAS,CAAC;IAepB;;;;;;;;;;;;OAYG;IACG,gBAAgB,CAAC,KAAK,EAAE,IAAI,EAC9B,OAAO,EAAE,sBAAsB,EAC/B,MAAM,EAAE,wBAAwB,GAChC,OAAO,CAAC,IAAI,CAAC;IAUjB;;OAEG;IACG,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAC3C,OAAO,EAAE,wBAAwB,EACjC,aAAa,CAAC,EAAE,wBAAwB,GACxC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAI5C;;;;;;OAMG;IACG,oBAAoB,CAAC,KAAK,EAAG,IAAI,GACnC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAS5C;;OAEG;IACH,aAAa,IAAK,OAAO;IAKzB;;OAEG;IACH,aAAa,IAAK,OAAO;IAIzB;;OAEG;IACH,gBAAgB,IAAK,OAAO;IAI5B;;OAEG;IACH,WAAW,IAAK,MAAM,EAAE;IAIxB;;OAEG;IACH,oBAAoB,IAAK,MAAM,EAAE;IAIjC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAG,wBAAwB,GAAI,MAAM,EAAE;IAI9D;;;OAGG;IACH,6BAA6B,IAAK,OAAO;IAIzC;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAC,KAAK,EAAG,MAAM,GAAI,OAAO;IAS7C;;;;;OAKG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAG,MAAM,EAAE,MAAM,EAAG,MAAM,GAAI,MAAM;CAKzD"}