@crossauth/backend 0.0.2

package/dist/authenticators/emailauth.d.ts

@@ -0,0 +1,176 @@
+import { User, Key, UserSecretsInputFields, UserInputFields } from '@crossauth/common';
+import { Authenticator, AuthenticationParameters, AuthenticationOptions } from '../auth.ts';
+
+/**
+ * Options for `EmailAuthenticator`
+ */
+export interface EmailAuthenticatorOptions extends AuthenticationOptions {
+    /** The directory containing views (by default, Nunjucks templates) */
+    views?: string;
+    /** Template file containing page for producing the text version of the
+     * email verification email body */
+    emailAuthenticatorTextBody?: string;
+    /** Template file containing page for producing the HTML version of the
+     * email verification email body */
+    emailAuthenticatorHtmlBody?: string;
+    /** Subject for the the email verification email */
+    emailAuthenticatorSubject?: string;
+    /** Sender for emails */
+    emailFrom?: string;
+    /** Hostname of the SMTP server.  No default - required parameter */
+    smtpHost?: string;
+    /** Port the SMTP server is running on.  Default 25 */
+    smtpPort?: number;
+    /** Whether or not TLS is used by the SMTP server.  Default false */
+    smtpUseTls?: boolean;
+    /** Username for connecting to SMTP servger.  Default undefined */
+    smtpUsername?: string;
+    /** Password for connecting to SMTP servger.  Default undefined */
+    smtpPassword?: string;
+    /** Number of seconds before otps should expire.  Default 5 minutes */
+    emailAuthenticatorTokenExpires?: number;
+    /** if passed, use this instead of the default nunjucks renderer */
+    render?: (template: string, data: {
+        [key: string]: any;
+    }) => string;
+}
+/**
+ * This authenticator creates a one-time code and sends it in email
+ */
+export declare class EmailAuthenticator extends Authenticator {
+    private views;
+    private emailAuthenticatorTextBody?;
+    private emailAuthenticatorHtmlBody?;
+    private emailAuthenticatorSubject;
+    private emailFrom;
+    private smtpHost;
+    private smtpPort;
+    private smtpUseTls?;
+    private smtpUsername?;
+    private smtpPassword?;
+    private emailAuthenticatorTokenExpires;
+    private render?;
+    /**
+     * Constructor
+     *
+     * @param options see {@link EmailAuthenticatorOptions}
+     */
+    constructor(options?: EmailAuthenticatorOptions);
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    mfaType(): "none" | "oob" | "otp";
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    mfaChannel(): "none" | "email" | "sms";
+    private createEmailer;
+    private sendToken;
+    /**
+     * Creates and emails the one-time code
+     * @param user the user to create it for.  Uses the `email` field if
+     *             present, `username` otherwise (which in this case is
+     *             expected to contain an email address)
+     * @returns `userData` containing `username`, `email`, `factor2`
+     *          `sessionData` containing the same plus `otp` and `expiry` which
+     *           is a Unix time (number).
+     */
+    prepareConfiguration(user: UserInputFields): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        sessionData: {
+            [key: string]: any;
+        };
+    } | undefined>;
+    /**
+     * Creates and emails a new one-time code.
+     * @param _username ignored
+     * @param sessionKey the session containing the previously created data.
+     * @returns
+     */
+    reprepareConfiguration(_username: string, sessionKey: Key): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        secrets: Partial<UserSecretsInputFields>;
+        newSessionData: {
+            [key: string]: any;
+        } | undefined;
+    } | undefined>;
+    /**
+     * Authenticates the user by comparing the user-provided otp with the one
+     * in secrets.
+     *
+     * Validation fails if the otp is incorrect or has expired.
+     *
+     * @param _user ignored
+     * @param secrets taken from the session and should contain `otp` and
+     *                `expiry`
+     * @param params user input and should contain `otp`
+     * @throws {@link @crossauth/common!CrossauthError} with
+     *         {@link @crossauth/common!ErrorCode} `InvalidToken` or `Expired`.
+     */
+    authenticateUser(_user: User, secrets: UserSecretsInputFields, params: AuthenticationParameters): Promise<void>;
+    /**
+     * Does nothing for this class
+     */
+    createPersistentSecrets(_username: string, _params: AuthenticationParameters, _repeatParams?: AuthenticationParameters): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * Creates and emails a new one-time code.
+     * @param user the user to create it for.  Uses the `email` field if
+     *             present, `username` otherwise (which in this case is
+     *             expected to contain an email address)
+     * @returns `otp` and `expiry` as a Unix time (number).
+     */
+    createOneTimeSecrets(user: User): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * @returns true - this class can create users
+     */
+    canCreateUser(): boolean;
+    /**
+     * @returns true - this class can update users
+     */
+    canUpdateUser(): boolean;
+    /**
+     * @returns false - users cannot update secrets
+     */
+    canUpdateSecrets(): boolean;
+    /**
+     * @returns empty - this authenticator has no persistent secrets
+     */
+    secretNames(): string[];
+    /**
+     * @returns otp
+     */
+    transientSecretNames(): string[];
+    /**
+     * Does nothing for this class
+     */
+    validateSecrets(_params: AuthenticationParameters): string[];
+    /**
+     * @returns true - as a code is sent to the registers email address, no
+     *          additional email verification is needed
+     */
+    skipEmailVerificationOnSignup(): boolean;
+    /**
+     * Returns whether or not the passed email has a valid form.
+     * @param email the email address to validate
+     * @returns true if it is valid. false otherwise
+     */
+    static isEmailValid(email: string): boolean;
+    /**
+     * Throws an exception if an email address doesn't have a valid form.
+     * @param email the email address to validate
+     * @throws {@link @crossauth/common!CrossauthError} with {@link @crossauth/common!ErrorCode} `InvalidEmail`.
+     */
+    static validateEmail(email: string | undefined): void;
+    /**
+     * Takles a number and turns it into a zero-padded string
+     * @param num number ot pad
+     * @param places total number of required digits
+     * @returns zero-padded string
+     */
+    static zeroPad(num: number, places: number): string;
+}
+//# sourceMappingURL=emailauth.d.ts.map

package/dist/authenticators/emailauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailauth.d.ts","sourceRoot":"","sources":["../../src/authenticators/emailauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACR,IAAI,EACJ,GAAG,EACH,sBAAsB,EACtB,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAI/C,OAAO,EACH,aAAa,EACb,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAOnD;;GAEG;AACH,MAAM,WAAW,yBAA0B,SAAQ,qBAAqB;IAEpE,sEAAsE;IACtE,KAAK,CAAC,EAAG,MAAM,CAAC;IAEhB;uCACmC;IACnC,0BAA0B,CAAC,EAAG,MAAM,CAAC;IAErC;uCACmC;IACnC,0BAA0B,CAAC,EAAG,MAAM,CAAC;IAErC,mDAAmD;IACnD,yBAAyB,CAAC,EAAG,MAAM,CAAC;IAEpC,wBAAwB;IACxB,SAAS,CAAC,EAAG,MAAM,CAAC;IAEpB,oEAAoE;IACpE,QAAQ,CAAC,EAAG,MAAM,CAAC;IAEnB,sDAAsD;IACtD,QAAQ,CAAC,EAAG,MAAM,CAAC;IAEnB,oEAAoE;IACpE,UAAU,CAAC,EAAG,OAAO,CAAC;IAEtB,kEAAkE;IAClE,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB,kEAAkE;IAClE,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB,sEAAsE;IACtE,8BAA8B,CAAC,EAAG,MAAM,CAAC;IAEzC,mEAAmE;IACnE,MAAM,CAAC,EAAG,CAAC,QAAQ,EAAG,MAAM,EAAE,IAAI,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,KAAK,MAAM,CAAC;CACtE;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,aAAa;IAEjD,OAAO,CAAC,KAAK,CAAoB;IACjC,OAAO,CAAC,0BAA0B,CAAC,CAA8C;IACjF,OAAO,CAAC,0BAA0B,CAAC,CAAU;IAC7C,OAAO,CAAC,yBAAyB,CAAyB;IAC1D,OAAO,CAAC,SAAS,CAAe;IAChC,OAAO,CAAC,QAAQ,CAAe;IAC/B,OAAO,CAAC,QAAQ,CAAgB;IAChC,OAAO,CAAC,UAAU,CAAC,CAAkB;IACrC,OAAO,CAAC,YAAY,CAAC,CAAU;IAC/B,OAAO,CAAC,YAAY,CAAC,CAAU;IAC/B,OAAO,CAAC,8BAA8B,CAAiB;IACvD,OAAO,CAAC,MAAM,CAAC,CACQ;IAEvB;;;;OAIG;gBACS,OAAO,GAAG,yBAA8B;IAqBpD;;OAEG;IACH,OAAO,IAAK,MAAM,GAAG,KAAK,GAAG,KAAK;IAElC;;OAEG;IACH,UAAU,IAAK,MAAM,GAAG,OAAO,GAAG,KAAK;IAEvC,OAAO,CAAC,aAAa;YAYP,SAAS;IAiCvB;;;;;;;;OAQG;IACG,oBAAoB,CAAC,IAAI,EAAG,eAAe,GAC7C,OAAO,CAAC;QACJ,QAAQ,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAC;QACjC,WAAW,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAA;KACtC,GAAC,SAAS,CAAC;IAgChB;;;;;OAKG;IACG,sBAAsB,CAAC,SAAS,EAAG,MAAM,EAAE,UAAU,EAAG,GAAG,GAC7D,OAAO,CAAC;QACJ,QAAQ,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACzC,cAAc,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,GAAG,SAAS,CAAA;KACjD,GAAC,SAAS,CAAC;IAqBpB;;;;;;;;;;;;OAYG;IACG,gBAAgB,CAAC,KAAK,EAAE,IAAI,EAC9B,OAAO,EAAE,sBAAsB,EAC/B,MAAM,EAAE,wBAAwB,GAChC,OAAO,CAAC,IAAI,CAAC;IAUjB;;OAEG;IACG,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAC3C,OAAO,EAAE,wBAAwB,EACjC,aAAa,CAAC,EAAE,wBAAwB,GACxC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAI5C;;;;;;OAMG;IACG,oBAAoB,CAAC,IAAI,EAAG,IAAI,GAClC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAgB5C;;OAEG;IACH,aAAa,IAAK,OAAO;IAKzB;;OAEG;IACH,aAAa,IAAK,OAAO;IAIzB;;OAEG;IACH,gBAAgB,IAAK,OAAO;IAI5B;;OAEG;IACH,WAAW,IAAK,MAAM,EAAE;IAIxB;;OAEG;IACH,oBAAoB,IAAK,MAAM,EAAE;IAIjC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAG,wBAAwB,GAAI,MAAM,EAAE;IAI9D;;;OAGG;IACH,6BAA6B,IAAK,OAAO;IAIzC;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAC,KAAK,EAAG,MAAM,GAAI,OAAO;IAU7C;;;;OAIG;IACH,MAAM,CAAC,aAAa,CAAC,KAAK,EAAG,MAAM,GAAC,SAAS;IAM7C;;;;;OAKG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAG,MAAM,EAAE,MAAM,EAAG,MAAM,GAAI,MAAM;CAKzD"}

package/dist/authenticators/ldapauth.d.ts

@@ -0,0 +1,89 @@
+import { User, UserSecretsInputFields, Key, UserInputFields } from '@crossauth/common';
+import { PasswordAuthenticator, AuthenticationParameters, AuthenticationOptions } from '../auth.ts';
+import { LdapUserStorage } from '../storage/ldapstorage.ts';
+
+/** Optional parameters to pass to {@link LdapAuthenticator} constructor. */
+export interface LdapAuthenticatorOptions extends AuthenticationOptions {
+    ldapAutoCreateAccount?: boolean;
+}
+/**
+ * Authenticates a user against LDAP.
+ *
+ * Users are expected to be in a local storage as well, as defined by `ldapStorage`.
+ * This class can optionally auto-create a user that is not already there.
+ */
+export declare class LdapAuthenticator extends PasswordAuthenticator {
+    private ldapAutoCreateAccount;
+    private ldapStorage;
+    /**
+     * Create a new authenticator.
+     *
+     * @param ldapStorage the storage that defines the LDAP server and databse for storing users locally
+     * @param options see {@link LdapAuthenticatorOptions}
+     */
+    constructor(ldapStorage: LdapUserStorage, options?: LdapAuthenticatorOptions);
+    /**
+     * Authenticates the user, returning a the user as a {@link User} object.
+     *
+     * @param user the `username` field is required and this is used for LDAP authentication.
+     *             If `ldapAutoCreateAccount` is true, these attributes as used for user creation (see {@link LdapUserStorage.createUser}).
+     * @param _secrets Ignored as secrets are stored in LDAP
+     * @param params the `password` field is expected to contain the LDAP password.
+     * @throws {@link @crossauth/common!CrossauthError} with {@link @crossauth/common!ErrorCode} of `Connection`, `UsernameOrPasswordInvalid`.
+     */
+    authenticateUser(user: UserInputFields, _secrets: UserSecretsInputFields, params: AuthenticationParameters): Promise<void>;
+    /**
+     * Does nothing as LDAP is responsible for password format (this class doesn't create password entries)
+     */
+    validateSecrets(_params: AuthenticationParameters): string[];
+    /**
+     * Does nothing in this class.
+     */
+    createPersistentSecrets(_username: string, _params: AuthenticationParameters, _repeatParams: AuthenticationParameters): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * Does nothing in this class.
+     */
+    createOneTimeSecrets(_user: User): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * @returns true - we can create a user (but not secrets)
+     */
+    canCreateUser(): boolean;
+    /**
+     *
+     * @returns true - we can update user (but not secrets).
+     */
+    canUpdateUser(): boolean;
+    /**
+     * @returns false - users cannot update secrets
+     */
+    canUpdateSecrets(): boolean;
+    /**
+     *
+     * @returns false - if email verification is enabled, it should happen for this authenticator
+     */
+    skipEmailVerificationOnSignup(): boolean;
+    /**
+     * Does nothing in this class
+     */
+    prepareConfiguration(_user: UserInputFields): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        sessionData: {
+            [key: string]: any;
+        };
+    } | undefined>;
+    /**
+     * Does nothing in this class
+     */
+    reprepareConfiguration(_username: string, _sessionKey: Key): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        secrets: Partial<UserSecretsInputFields>;
+        newSessionData: {
+            [key: string]: any;
+        } | undefined;
+    } | undefined>;
+}
+//# sourceMappingURL=ldapauth.d.ts.map

package/dist/authenticators/ldapauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ldapauth.d.ts","sourceRoot":"","sources":["../../src/authenticators/ldapauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,sBAAsB,EAAE,GAAG,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAG5F,OAAO,EAAE,qBAAqB,EAAE,KAAK,wBAAwB,EAAG,KAAK,qBAAqB,EAAC,MAAM,YAAY,CAAC;AAC9G,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAE5D,4EAA4E;AAC5E,MAAM,WAAW,wBAAyB,SAAQ,qBAAqB;IACnE,qBAAqB,CAAC,EAAG,OAAO,CAAC;CACpC;AAED;;;;;GAKG;AACH,qBAAa,iBAAkB,SAAQ,qBAAqB;IAExD,OAAO,CAAC,qBAAqB,CAAmB;IAChD,OAAO,CAAC,WAAW,CAAmB;IAEtC;;;;;OAKG;gBACS,WAAW,EAAG,eAAe,EAC7B,OAAO,GAAG,wBAA6B;IAMnD;;;;;;;;OAQG;IACG,gBAAgB,CAAC,IAAI,EAAG,eAAe,EAAE,QAAQ,EAAE,sBAAsB,EAAE,MAAM,EAAE,wBAAwB,GAAI,OAAO,CAAC,IAAI,CAAC;IAoBlI;;OAEG;IACH,eAAe,CAAC,OAAO,EAAG,wBAAwB,GAAI,MAAM,EAAE;IAI9D;;OAEG;IACG,uBAAuB,CAAC,SAAS,EAAG,MAAM,EAAC,OAAO,EAAE,wBAAwB,EAAE,aAAa,EAAE,wBAAwB,GAAI,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAIvK;;OAEG;IACG,oBAAoB,CAAC,KAAK,EAAG,IAAI,GAAI,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAInF;;OAEG;IACH,aAAa,IAAK,OAAO;IAEzB;;;OAGG;IACH,aAAa,IAAK,OAAO;IAEzB;;OAEG;IACH,gBAAgB,IAAK,OAAO;IAI5B;;;OAGG;IACH,6BAA6B,IAAK,OAAO;IAIzC;;OAEG;IACG,oBAAoB,CAAC,KAAK,EAAG,eAAe,GAAI,OAAO,CAAC;QAAC,QAAQ,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAC;QAAC,WAAW,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAA;KAAC,GAAC,SAAS,CAAC;IAI1I;;OAEG;IACG,sBAAsB,CAAC,SAAS,EAAG,MAAM,EAAE,WAAW,EAAG,GAAG,GAAI,OAAO,CAAC;QAAC,QAAQ,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAAC,cAAc,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,GAAC,SAAS,CAAA;KAAC,GAAC,SAAS,CAAC;CAGpN"}

package/dist/authenticators/passwordauth.d.ts

@@ -0,0 +1,159 @@
+import { User, UserSecretsInputFields, Key, UserInputFields } from '@crossauth/common';
+import { UserStorage } from '../storage.ts';
+import { PasswordAuthenticator, AuthenticationParameters, AuthenticationOptions } from '../auth.ts';
+
+/**
+ * Optional parameters to pass to {@link LocalPasswordAuthenticator}
+ * constructor.
+ */
+export interface LocalPasswordAuthenticatorOptions extends AuthenticationOptions {
+    /** Application secret.  If defined, it is used as the secret in PBKDF2 to hash passwords */
+    secret?: string;
+    /** If true, the `secret` will be concatenated to the salt when generating a hash for storing the password */
+    enableSecretForPasswordHash?: boolean;
+    /** Digest method for PBKDF2 hasher.. Default `sha256` */
+    pbkdf2Digest?: string;
+    /** Number of PBKDF2 iterations.  Default 600_000 */
+    pbkdf2Iterations?: number;
+    /** Number of characters for salt, before base64-enoding.  Default 16 */
+    pbkdf2SaltLength?: number;
+    /** Length the PBKDF2 key to generate, before bsae64-url encoding.  Default 32 */
+    pbkdf2KeyLength?: number;
+    /** Function that throws a {@link @crossauth/common!CrossauthError} with
+     *  {@link @crossauth/common!ErrorCode} `PasswordFormat` if the password
+     *  doesn't confirm to local rules (eg number of charafters)  */
+    validatePasswordFn?: (params: AuthenticationParameters) => string[];
+}
+/**
+ * Does username/password authentication using PBKDF2 hashed passwords.
+ */
+export declare class LocalPasswordAuthenticator extends PasswordAuthenticator {
+    static NoPassword: string;
+    private secret;
+    /** If true, the secret key will be added to the salt when hashing.  Default false */
+    enableSecretForPasswords: boolean;
+    /** See {@link LocalPasswordAuthenticatorOptions.pbkdf2Digest}  */
+    pbkdf2Digest?: string;
+    /** See {@link LocalPasswordAuthenticatorOptions.pbkdf2Iterations}  */
+    pbkdf2Iterations?: number;
+    /** See {@link LocalPasswordAuthenticatorOptions.pbkdf2SaltLength}  */
+    pbkdf2SaltLength?: number;
+    /** See {@link LocalPasswordAuthenticatorOptions.pbkdf2KeyLength}  */
+    pbkdf2KeyLength?: number;
+    /** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn}  */
+    validatePasswordFn: (params: AuthenticationParameters) => string[];
+    /**
+     * Create a new authenticator.
+     *
+     * See crypto.pbkdf2 for more information on the optional parameters.
+     *
+     * @param _userStorage ignored
+     * @param options see {@link LocalPasswordAuthenticatorOptions}
+     */
+    constructor(_userStorage: UserStorage, options?: LocalPasswordAuthenticatorOptions);
+    /**
+     * Authenticates the user, returning a the user as a {@link User} object.
+     *
+     * If you set `extraFields` when constructing the {@link UserStorage} instance passed to the constructor,
+     * these will be included in the returned User object.  `hashedPassword`, if present in the User object,
+     * will be removed.
+     *
+     * @param user the `username` field should contain the username
+     * @param secrets from the `UserSecrets` table.  `password` is expected to be present
+     * @param params the user input.  `password` is expected to be present
+     * @throws {@link @crossauth/common!CrossauthError} with
+     *         {@link @crossauth/common!ErrorCode} of `Connection`,
+     *         `UserNotExist`or `PasswordInvalid`, `TwoFactorIncomplete`,
+     *         `EmailNotVerified` or `UserNotActive`.
+     */
+    authenticateUser(user: UserInputFields, secrets: UserSecretsInputFields, params: AuthenticationParameters): Promise<void>;
+    /**
+     * Calls the implementor-provided `validatePasswordFn`
+     *
+     * This function is called to apply local password policy (password length,
+     * uppercase/lowercase etc)
+     * @param params the password should be in `password`
+     * @returns an array of errors
+     */
+    validateSecrets(params: AuthenticationParameters): string[];
+    /**
+     * Creates and returns a hash of the passed password, with the hashing parameters encoded ready
+     * for storage.
+     *
+     * If salt is not provieed, a random one is greated.  If secret was passed to the constructor
+     * or in the .env, and enableSecretInPasswords was set to true, it is used as the pepper.
+     * used as the pepper.
+     *
+     * @param password the password to hash
+     * @param salt the salt to use.  If undefined, a random one will be generated.
+     * @returns the encoded hash string.
+     */
+    createPasswordHash(password: string, salt?: string): Promise<string>;
+    /**
+     * Just calls createPasswordHash with encode set to true
+     * @param password the password to hash
+     * @returns a string for storing in storage
+     */
+    createPasswordForStorage(password: string): Promise<string>;
+    /**
+     * A static version of the password hasher, provided for convenience
+     * @param password : unhashed password
+     * @param passwordHash : hashed password
+     * @param secret secret, if used when hashing passwords, or undefined if not
+     * @returns true if match, false otherwise
+     */
+    passwordMatchesHash(password: string, passwordHash: string, secret?: string): Promise<boolean>;
+    /**
+     * This will return p hash of the passed password.
+     * @param _username ignored
+     * @param params expected to contain `password`
+     * @param repeatParams if defined, this is expected to also contain
+     *        `password` and is checked to match the one in `params`
+     * @returns the newly created password in the `password` field.
+     */
+    createPersistentSecrets(_username: string, params: AuthenticationParameters, repeatParams: AuthenticationParameters): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * Does nothing for this class.
+     */
+    createOneTimeSecrets(_user: User): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * @returns true - this class can create users
+     */
+    canCreateUser(): boolean;
+    /**
+     * @returns true - this class can update users
+     */
+    canUpdateUser(): boolean;
+    /**
+     * @returns true - users can update secrets
+     */
+    canUpdateSecrets(): boolean;
+    /**
+     * @returns false, if email verification is enabled, it should be for this authenticator too
+     */
+    skipEmailVerificationOnSignup(): boolean;
+    /**
+     * Does nothing for this class.
+     */
+    prepareConfiguration(_user: UserInputFields): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        sessionData: {
+            [key: string]: any;
+        };
+    } | undefined>;
+    /**
+     * Does nothing for this class.
+     */
+    reprepareConfiguration(_username: string, _sessionKey: Key): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        secrets: Partial<UserSecretsInputFields>;
+        newSessionData: {
+            [key: string]: any;
+        } | undefined;
+    } | undefined>;
+}
+//# sourceMappingURL=passwordauth.d.ts.map

package/dist/authenticators/passwordauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwordauth.d.ts","sourceRoot":"","sources":["../../src/authenticators/passwordauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,sBAAsB,EAAE,GAAG,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAE5F,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAI3C,OAAO,EAAE,qBAAqB,EAAE,KAAK,wBAAwB,EAAG,KAAK,qBAAqB,EAAC,MAAM,YAAY,CAAC;AAwB9G;;;GAGG;AACH,MAAM,WAAW,iCAAkC,SAAQ,qBAAqB;IAE5E,4FAA4F;IAC5F,MAAM,CAAC,EAAG,MAAM,CAAC;IAEjB,6GAA6G;IAC7G,2BAA2B,CAAC,EAAG,OAAO,CAAC;IAEvC,yDAAyD;IACzD,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB,oDAAoD;IACpD,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAE3B,wEAAwE;IACxE,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAE3B,iFAAiF;IACjF,eAAe,CAAC,EAAG,MAAM,CAAC;IAE1B;;oEAEgE;IAChE,kBAAkB,CAAC,EAAG,CAAC,MAAM,EAAG,wBAAwB,KAAK,MAAM,EAAE,CAAC;CACzE;AAED;;GAEG;AACH,qBAAa,0BAA2B,SAAQ,qBAAqB;IAEjE,MAAM,CAAC,UAAU,SAAc;IAC/B,OAAO,CAAC,MAAM,CAAgC;IAE9C,qFAAqF;IACrF,wBAAwB,EAAG,OAAO,CAAS;IAE3C,kEAAkE;IAClE,YAAY,CAAC,EAAG,MAAM,CAAY;IAElC,sEAAsE;IACtE,gBAAgB,CAAC,EAAG,MAAM,CAAW;IAErC,sEAAsE;IACtE,gBAAgB,CAAC,EAAG,MAAM,CAAM;IAEhC,qEAAqE;IACrE,eAAe,CAAC,EAAG,MAAM,CAAM;IAE/B,wEAAwE;IACxE,kBAAkB,EAAG,CAAC,MAAM,EAAG,wBAAwB,KAAK,MAAM,EAAE,CACvC;IAE7B;;;;;;;OAOG;gBACS,YAAY,EAAG,WAAW,EAC1B,OAAO,GAAG,iCAAsC;IAW5D;;;;;;;;;;;;;;OAcG;IACG,gBAAgB,CAAC,IAAI,EAAG,eAAe,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,wBAAwB,GAAI,OAAO,CAAC,IAAI,CAAC;IAYjI;;;;;;;OAOG;IACH,eAAe,CAAC,MAAM,EAAG,wBAAwB,GAAI,MAAM,EAAE;IAK7D;;;;;;;;;;;OAWG;IACG,kBAAkB,CAAC,QAAQ,EAAG,MAAM,EAAE,IAAI,CAAC,EAAG,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;IAY7E;;;;OAIG;IACG,wBAAwB,CAAC,QAAQ,EAAG,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;IAInE;;;;;;OAMG;IACG,mBAAmB,CAAC,QAAQ,EAAG,MAAM,EAAE,YAAY,EAAG,MAAM,EAAE,MAAM,CAAC,EAAG,MAAM;IAKpF;;;;;;;OAOG;IACG,uBAAuB,CAAC,SAAS,EAAG,MAAM,EAC5C,MAAM,EAAE,wBAAwB,EAChC,YAAY,EAAE,wBAAwB,GAAI,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAQtF;;OAEG;IACG,oBAAoB,CAAC,KAAK,EAAG,IAAI,GAAI,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAInF;;OAEG;IACH,aAAa,IAAK,OAAO;IACzB;;OAEG;IACH,aAAa,IAAK,OAAO;IAEzB;;OAEG;IACH,gBAAgB,IAAK,OAAO;IAI5B;;OAEG;IACH,6BAA6B,IAAK,OAAO;IAIzC;;OAEG;IACG,oBAAoB,CAAC,KAAK,EAAG,eAAe,GAAI,OAAO,CAAC;QAAC,QAAQ,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAC;QAAC,WAAW,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAA;KAAC,GAAC,SAAS,CAAC;IAI1I;;OAEG;IACG,sBAAsB,CAAC,SAAS,EAAG,MAAM,EAAE,WAAW,EAAG,GAAG,GAAI,OAAO,CAAC;QAAC,QAAQ,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QAAC,cAAc,EAAE;YAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;SAAC,GAAC,SAAS,CAAA;KAAC,GAAC,SAAS,CAAC;CAGpN"}

package/dist/authenticators/smsauth.d.ts

@@ -0,0 +1,160 @@
+import { User, Key, UserSecretsInputFields, UserInputFields } from '@crossauth/common';
+import { Authenticator, AuthenticationParameters, AuthenticationOptions } from '../auth.ts';
+
+/**
+ * Options for {@link SmsAuthenticator}
+ */
+export interface SmsAuthenticatorOptions extends AuthenticationOptions {
+    /** The directory containing views (by default, Nunjucks templates) */
+    views?: string;
+    /** Template file containing page for producing the
+     * SMS message */
+    smsAuthenticatorBody?: string;
+    /** Phone number for sending sms from */
+    smsAuthenticatorFrom?: string;
+    /** Number of seconds before otps should expire.  Default 5 minutes */
+    smsAuthenticatorTokenExpires?: number;
+    /** if passed, use this instead of the default nunjucks renderer */
+    render?: (template: string, data: {
+        [key: string]: any;
+    }) => string;
+}
+/**
+ * This authenticator creates a one-time code and sends it in an sms using
+ * Twilio
+ */
+export declare abstract class SmsAuthenticator extends Authenticator {
+    protected views: string;
+    protected smsAuthenticatorBody: string;
+    protected smsAuthenticatorFrom: string;
+    protected smsAuthenticatorTokenExpires: number;
+    private render?;
+    /**
+     * Constructor
+     * @param options see {@link SmsAuthenticatorOptions}
+     */
+    constructor(options?: SmsAuthenticatorOptions);
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    mfaType(): "none" | "oob" | "otp";
+    /**
+     * Used by the OAuth password_mfa grant type.
+     */
+    mfaChannel(): "none" | "email" | "sms";
+    /**
+     * Send an SMS
+     *
+     * @param to number to send SMS to (starting with `+`)
+     * @param body text to send
+     * @returns the send message ID
+     */
+    protected abstract sendSms(to: string, body: string): Promise<string>;
+    /**
+     * Creates and sends the one-time code
+     * @param user the user to create it for.  Uses the `phone` field which
+     *        is expected to be a phone number starting with `+`
+     * @returns `userData` containing `username`, `phone`, `factor2`
+     *          `sessionData` containing the same plus `otp` and `expiry` which
+     *           is a Unix time (number).
+     */
+    prepareConfiguration(user: UserInputFields): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        sessionData: {
+            [key: string]: any;
+        };
+    } | undefined>;
+    /**
+     * Creates and sends a new one-time code.
+     * @param _username ignored
+     * @param sessionKey the session containing the previously created data.
+     * @returns
+     */
+    reprepareConfiguration(_username: string, sessionKey: Key): Promise<{
+        userData: {
+            [key: string]: any;
+        };
+        secrets: Partial<UserSecretsInputFields>;
+        newSessionData: {
+            [key: string]: any;
+        } | undefined;
+    } | undefined>;
+    /**
+     * Authenticates the user by comparing the user-provided otp with the one
+     * in secrets.
+     *
+     * Validation fails if the otp is incorrect or has expired.
+     *
+     * @param _user ignored
+     * @param secrets taken from the session and should contain `otp` and
+     *                `expiry`
+     * @param params user input and should contain `otp`
+     * @throws {@link @crossauth/common!CrossauthError} with
+     *         {@link @crossauth/common!ErrorCode} `InvalidToken` or `Expired`.
+     */
+    authenticateUser(_user: User, secrets: UserSecretsInputFields, params: AuthenticationParameters): Promise<void>;
+    /**
+     * Does nothing for this class
+     */
+    createPersistentSecrets(_username: string, _params: AuthenticationParameters, _repeatParams?: AuthenticationParameters): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * Creates and sends a new one-time code.
+     * @param user the user to create it for.  Uses the `phone` field which
+     *        should start with `+`
+     * @returns `otp` and `expiry` as a Unix time (number).
+     */
+    createOneTimeSecrets(user: User): Promise<Partial<UserSecretsInputFields>>;
+    /**
+     * @returns true - this class can create users
+     */
+    canCreateUser(): boolean;
+    /**
+     * @returns true - this class can update users
+     */
+    canUpdateUser(): boolean;
+    /**
+     * @returns false - users cannot update secrets
+     */
+    canUpdateSecrets(): boolean;
+    /**
+     * @returns empty - this authenticator has no persistent secrets
+     */
+    secretNames(): string[];
+    /**
+     * @returns otp
+     */
+    transientSecretNames(): string[];
+    /**
+     * Does nothing for this class
+     */
+    validateSecrets(_params: AuthenticationParameters): string[];
+    /**
+     * @returns false - doesn't replace email verification
+     */
+    skipEmailVerificationOnSignup(): boolean;
+    /**
+     * Returns whether or not the passed phone number has a valid form.
+     * @param number the phone number to validate
+     * @returns true if it is valid. false otherwise
+     */
+    static isPhoneValid(number: string): boolean;
+    /**
+     * Throws an exception if a phone number doesn't have a valid form.
+     *
+     * It must start with a `+` and be 8 to 15 digits
+     * @param number the phone number to validate
+     * @throws {@link @crossauth/common!CrossauthError} with
+     * {@link @crossauth/common!ErrorCode} `InvalidPhoneNumber`.
+     */
+    static validatePhone(number: string | undefined): void;
+    /**
+     * Takles a number and turns it into a zero-padded string
+     * @param num number ot pad
+     * @param places total number of required digits
+     * @returns zero-padded string
+     */
+    static zeroPad(num: number, places: number): string;
+}
+//# sourceMappingURL=smsauth.d.ts.map

package/dist/authenticators/smsauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"smsauth.d.ts","sourceRoot":"","sources":["../../src/authenticators/smsauth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACR,IAAI,EACJ,GAAG,EACH,sBAAsB,EACtB,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAI/C,OAAO,EACH,aAAa,EACb,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAMnD;;GAEG;AACH,MAAM,WAAW,uBAAwB,SAAQ,qBAAqB;IAElE,sEAAsE;IACtE,KAAK,CAAC,EAAG,MAAM,CAAC;IAEhB;qBACiB;IACjB,oBAAoB,CAAC,EAAG,MAAM,CAAC;IAE/B,wCAAwC;IACxC,oBAAoB,CAAC,EAAG,MAAM,CAAC;IAE/B,sEAAsE;IACtE,4BAA4B,CAAC,EAAG,MAAM,CAAC;IAEvC,mEAAmE;IACnE,MAAM,CAAC,EAAG,CAAC,QAAQ,EAAG,MAAM,EAAE,IAAI,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,KAAK,MAAM,CAAC;CACtE;AAED;;;GAGG;AACH,8BAAsB,gBAAiB,SAAQ,aAAa;IAExD,SAAS,CAAC,KAAK,EAAG,MAAM,CAAW;IACnC,SAAS,CAAC,oBAAoB,EAAG,MAAM,CAA+B;IACtE,SAAS,CAAC,oBAAoB,EAAG,MAAM,CAAM;IAC7C,SAAS,CAAC,4BAA4B,EAAG,MAAM,CAAQ;IACvD,OAAO,CAAC,MAAM,CAAC,CACQ;IAEvB;;;OAGG;gBACS,OAAO,GAAG,uBAA4B;IAclD;;OAEG;IACH,OAAO,IAAK,MAAM,GAAG,KAAK,GAAG,KAAK;IAElC;;OAEG;IACH,UAAU,IAAK,MAAM,GAAG,OAAO,GAAG,KAAK;IAEvC;;;;;;OAMG;IACH,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,EAAG,MAAM,EAAE,IAAI,EAAG,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;IAExE;;;;;;;OAOG;IACG,oBAAoB,CAAC,IAAI,EAAG,eAAe,GAC7C,OAAO,CAAC;QACJ,QAAQ,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAC;QACjC,WAAW,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAA;KACtC,GAAC,SAAS,CAAC;IAoChB;;;;;OAKG;IACG,sBAAsB,CAAC,SAAS,EAAG,MAAM,EAAE,UAAU,EAAG,GAAG,GAC7D,OAAO,CAAC;QACJ,QAAQ,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACzC,cAAc,EAAE;YAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;SAAE,GAAG,SAAS,CAAA;KACjD,GAAC,SAAS,CAAC;IAqBpB;;;;;;;;;;;;OAYG;IACG,gBAAgB,CAAC,KAAK,EAAE,IAAI,EAC9B,OAAO,EAAE,sBAAsB,EAC/B,MAAM,EAAE,wBAAwB,GAChC,OAAO,CAAC,IAAI,CAAC;IAUjB;;OAEG;IACG,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAC3C,OAAO,EAAE,wBAAwB,EACjC,aAAa,CAAC,EAAE,wBAAwB,GACxC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAI5C;;;;;OAKG;IACG,oBAAoB,CAAC,IAAI,EAAG,IAAI,GAClC,OAAO,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAgB5C;;OAEG;IACH,aAAa,IAAK,OAAO;IAKzB;;OAEG;IACH,aAAa,IAAK,OAAO;IAIzB;;OAEG;IACH,gBAAgB,IAAK,OAAO;IAI5B;;OAEG;IACH,WAAW,IAAK,MAAM,EAAE;IAIxB;;OAEG;IACH,oBAAoB,IAAK,MAAM,EAAE;IAIjC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAG,wBAAwB,GAAI,MAAM,EAAE;IAI9D;;OAEG;IACH,6BAA6B,IAAK,OAAO;IAIzC;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAC,MAAM,EAAG,MAAM,GAAI,OAAO;IAQ9C;;;;;;;OAOG;IACH,MAAM,CAAC,aAAa,CAAC,MAAM,EAAG,MAAM,GAAC,SAAS;IAM9C;;;;;OAKG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAG,MAAM,EAAE,MAAM,EAAG,MAAM,GAAI,MAAM;CAKzD"}

package/dist/authenticators/tests/ldapauth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ldapauth.test.d.ts.map

package/dist/authenticators/tests/ldapauth.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ldapauth.test.d.ts","sourceRoot":"","sources":["../../../src/authenticators/tests/ldapauth.test.ts"],"names":[],"mappings":""}