@crossauth/backend 0.0.28 → 0.0.30
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +355 -347
- package/dist/oauth/authserver.d.ts +11 -0
- package/dist/oauth/authserver.d.ts.map +1 -1
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -15,7 +15,7 @@ import se from "jsonwebtoken";
|
|
|
15
15
|
import { createPublicKey as ze } from "crypto";
|
|
16
16
|
import te from "node:fs";
|
|
17
17
|
import * as He from "jose";
|
|
18
|
-
var
|
|
18
|
+
var g = /* @__PURE__ */ ((S) => (S[S.String = 0] = "String", S[S.Number = 1] = "Number", S[S.Boolean = 2] = "Boolean", S[S.Json = 3] = "Json", S[S.JsonArray = 4] = "JsonArray", S))(g || {});
|
|
19
19
|
function Me(S, s) {
|
|
20
20
|
let e = S.split("."), t = s;
|
|
21
21
|
for (let r in e) {
|
|
@@ -65,7 +65,7 @@ function w(S, s, e, t, r, i = !1) {
|
|
|
65
65
|
throw new o(l.Configuration, S + " is required");
|
|
66
66
|
pe(S, t) ? je(e, S, t) : r && a in process.env && process.env[a] != null && Ve(e, S, s, a);
|
|
67
67
|
}
|
|
68
|
-
class
|
|
68
|
+
class L {
|
|
69
69
|
/**
|
|
70
70
|
* Constructor
|
|
71
71
|
* @param options See {@link UserStorageOptions}
|
|
@@ -75,7 +75,7 @@ class H {
|
|
|
75
75
|
h(this, "adminEditableFields", []);
|
|
76
76
|
h(this, "normalizeUsername", !0);
|
|
77
77
|
h(this, "normalizeEmail", !0);
|
|
78
|
-
w("userEditableFields",
|
|
78
|
+
w("userEditableFields", g.JsonArray, this, s, "USER_EDITABLE_FIELDS"), w("adminEditableFields", g.JsonArray, this, s, "ADMIN_EDITABLE_FIELDS"), w("normalizeUsername", g.JsonArray, this, s, "NORMALIZE_USERNAME"), w("normalizeEmail", g.JsonArray, this, s, "NORMALIZE_EMAIL");
|
|
79
79
|
}
|
|
80
80
|
/**
|
|
81
81
|
* Creates a user with the given details and secrets.
|
|
@@ -98,7 +98,7 @@ class H {
|
|
|
98
98
|
return s.normalize("NFD").replace(new RegExp("\\p{Diacritic}", "gu"), "").toLowerCase();
|
|
99
99
|
}
|
|
100
100
|
}
|
|
101
|
-
class
|
|
101
|
+
class D {
|
|
102
102
|
/**
|
|
103
103
|
* Returns an object decoded from the data field as a JSON string
|
|
104
104
|
* @param data the JSON string to decode
|
|
@@ -166,7 +166,7 @@ class we {
|
|
|
166
166
|
constructor(s = {}) {
|
|
167
167
|
}
|
|
168
168
|
}
|
|
169
|
-
class G extends
|
|
169
|
+
class G extends L {
|
|
170
170
|
/**
|
|
171
171
|
* Creates a PrismaUserStorage object, optionally overriding defaults.
|
|
172
172
|
* @param options see {@link PrismaUserStorageOptions}
|
|
@@ -181,7 +181,7 @@ class G extends H {
|
|
|
181
181
|
h(this, "includes", ["secrets"]);
|
|
182
182
|
h(this, "includesObject", {});
|
|
183
183
|
h(this, "forceIdToNumber", !0);
|
|
184
|
-
w("userTable",
|
|
184
|
+
w("userTable", g.String, this, e, "USER_TABLE"), w("userSecretsTable", g.String, this, e, "USER_SECRETS_TABLE"), w("idColumn", g.String, this, e, "USER_ID_COLUMN"), w("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), w("includes", g.String, this, e, "USER_INCLUDES"), w("forceIdToNumber", g.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
|
|
185
185
|
this.includesObject[t] = !0;
|
|
186
186
|
}), e && e.prismaClient ? this.prismaClient = e.prismaClient : this.prismaClient = new ce();
|
|
187
187
|
}
|
|
@@ -288,7 +288,7 @@ class G extends H {
|
|
|
288
288
|
});
|
|
289
289
|
} catch {
|
|
290
290
|
}
|
|
291
|
-
let { userid:
|
|
291
|
+
let { userid: m, ...y } = d ?? {};
|
|
292
292
|
n = { ...y, ...n }, await c[this.userTable].update({
|
|
293
293
|
where: {
|
|
294
294
|
[this.idColumn]: e.id
|
|
@@ -413,7 +413,7 @@ class G extends H {
|
|
|
413
413
|
}
|
|
414
414
|
}
|
|
415
415
|
}
|
|
416
|
-
class kt extends
|
|
416
|
+
class kt extends D {
|
|
417
417
|
/**
|
|
418
418
|
* Constructor with user storage object to use plus optional parameters.
|
|
419
419
|
*
|
|
@@ -425,7 +425,7 @@ class kt extends L {
|
|
|
425
425
|
h(this, "prismaClient");
|
|
426
426
|
h(this, "transactionTimeout", 5e3);
|
|
427
427
|
h(this, "useridForeignKeyColumn", "userid");
|
|
428
|
-
w("transactionTimeout",
|
|
428
|
+
w("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", g.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
429
429
|
}
|
|
430
430
|
async getKey(e) {
|
|
431
431
|
return await this.getKeyWithTransaction(e, this.prismaClient);
|
|
@@ -699,7 +699,7 @@ class Et extends me {
|
|
|
699
699
|
h(this, "transactionTimeout", 5e3);
|
|
700
700
|
h(this, "updateMode", "DeleteAndInsert");
|
|
701
701
|
h(this, "useridForeignKeyColumn", "userid");
|
|
702
|
-
w("clientTable",
|
|
702
|
+
w("clientTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), w("redirectUriTable", g.String, this, e, "OAUTH_REDIRECTURI_TABLE"), w("validFlowTable", g.String, this, e, "OAUTH_VALID_FLOW_TABLE"), w("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), w("updateMode", g.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), w("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
703
703
|
}
|
|
704
704
|
async getClientById(e) {
|
|
705
705
|
return (await this.getClientWithTransaction("client_id", e, this.prismaClient, !0, void 0))[0];
|
|
@@ -717,14 +717,14 @@ class Et extends me {
|
|
|
717
717
|
...n
|
|
718
718
|
},
|
|
719
719
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
720
|
-
}), d = c.redirect_uri,
|
|
720
|
+
}), d = c.redirect_uri, m = c.valid_flow;
|
|
721
721
|
let y = c[this.useridForeignKeyColumn];
|
|
722
722
|
return y === null && (y = void 0), this.useridForeignKeyColumn != "userid" && delete c[this.useridForeignKeyColumn], [{
|
|
723
723
|
...c,
|
|
724
724
|
userid: y,
|
|
725
725
|
client_secret: c.client_secret ?? void 0,
|
|
726
726
|
redirect_uri: d.map((p) => p.uri),
|
|
727
|
-
valid_flow:
|
|
727
|
+
valid_flow: m.map((p) => p.flow)
|
|
728
728
|
}];
|
|
729
729
|
} else {
|
|
730
730
|
const c = await r[this.clientTable].findMany({
|
|
@@ -735,9 +735,9 @@ class Et extends me {
|
|
|
735
735
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
736
736
|
});
|
|
737
737
|
for (let d of c) {
|
|
738
|
-
const
|
|
738
|
+
const m = d.redirect_uri, y = d.valid_flow;
|
|
739
739
|
let p = d[this.useridForeignKeyColumn];
|
|
740
|
-
p == null && (p = void 0), d.userid = p, this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], d.client_secret = d.client_secret ?? void 0, d.redirect_uri =
|
|
740
|
+
p == null && (p = void 0), d.userid = p, this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], d.client_secret = d.client_secret ?? void 0, d.redirect_uri = m.map((_) => _.uri), d.valid_flow = y.map((_) => _.flow);
|
|
741
741
|
}
|
|
742
742
|
return c;
|
|
743
743
|
}
|
|
@@ -959,7 +959,7 @@ class bt extends we {
|
|
|
959
959
|
// PrismaClient;
|
|
960
960
|
h(this, "transactionTimeout", 5e3);
|
|
961
961
|
h(this, "useridForeignKeyColumn", "userid");
|
|
962
|
-
w("authorizationTable",
|
|
962
|
+
w("authorizationTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), w("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
963
963
|
}
|
|
964
964
|
async getAuthorizations(e, t) {
|
|
965
965
|
try {
|
|
@@ -1011,7 +1011,7 @@ class bt extends we {
|
|
|
1011
1011
|
}
|
|
1012
1012
|
}
|
|
1013
1013
|
}
|
|
1014
|
-
class Ut extends
|
|
1014
|
+
class Ut extends L {
|
|
1015
1015
|
/**
|
|
1016
1016
|
* Creates a InMemoryUserStorage object, optionally overriding defaults.
|
|
1017
1017
|
* @param options see {@link InMemoryUserStorageOptions}
|
|
@@ -1029,9 +1029,9 @@ class Ut extends H {
|
|
|
1029
1029
|
* @param secrets optionally, secrets to save
|
|
1030
1030
|
*/
|
|
1031
1031
|
async createUser(e, t) {
|
|
1032
|
-
if (e.username_normalized =
|
|
1032
|
+
if (e.username_normalized = L.normalize(e.username), e.username_normalized in this.usersByUsername)
|
|
1033
1033
|
throw new o(l.UserExists);
|
|
1034
|
-
if ("email" in e && e.email && (e.email_normalized =
|
|
1034
|
+
if ("email" in e && e.email && (e.email_normalized = L.normalize(e.email), e.email_normalized in this.getUserByEmail))
|
|
1035
1035
|
throw new o(l.UserExists);
|
|
1036
1036
|
const r = { id: e.username, ...e };
|
|
1037
1037
|
return this.usersByUsername[e.username_normalized] = r, this.secretsByUsername[e.username_normalized] = t ?? {}, "email" in e && e.email && (this.usersByEmail[e.email_normalized] = r), "email" in e && e.email && (this.secretsByEmail[e.email_normalized] = t ?? {}), { id: e.username, ...e };
|
|
@@ -1044,7 +1044,7 @@ class Ut extends H {
|
|
|
1044
1044
|
* @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist`.
|
|
1045
1045
|
*/
|
|
1046
1046
|
async getUserByUsername(e, t) {
|
|
1047
|
-
const r =
|
|
1047
|
+
const r = L.normalize(e);
|
|
1048
1048
|
if (r in this.usersByUsername) {
|
|
1049
1049
|
const i = this.usersByUsername[r];
|
|
1050
1050
|
if (!i) throw new o(l.UserNotExist);
|
|
@@ -1073,7 +1073,7 @@ class Ut extends H {
|
|
|
1073
1073
|
* @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist`.
|
|
1074
1074
|
*/
|
|
1075
1075
|
async getUserByEmail(e, t) {
|
|
1076
|
-
const r =
|
|
1076
|
+
const r = L.normalize(e);
|
|
1077
1077
|
if (r in this.usersByEmail) {
|
|
1078
1078
|
const i = this.usersByEmail[r];
|
|
1079
1079
|
if (!i) throw new o(l.UserNotExist);
|
|
@@ -1117,7 +1117,7 @@ class Ut extends H {
|
|
|
1117
1117
|
*/
|
|
1118
1118
|
async updateUser(e, t) {
|
|
1119
1119
|
let r = { ...e };
|
|
1120
|
-
if ("username" in r && r.username ? r.username_normalized =
|
|
1120
|
+
if ("username" in r && r.username ? r.username_normalized = L.normalize(r.username) : "id" in r && r.id && (r.username_normalized = L.normalize(String(r.id))), "email" in r && r.email && (r.email_normalized = L.normalize(r.email)), r.username_normalized && r.username_normalized in this.usersByUsername) {
|
|
1121
1121
|
for (let i in r)
|
|
1122
1122
|
this.usersByUsername[r.username_normalized][i] = r[i];
|
|
1123
1123
|
t && (this.secretsByUsername[r.username_normalized] = {
|
|
@@ -1131,11 +1131,11 @@ class Ut extends H {
|
|
|
1131
1131
|
* @param username username of user to delete
|
|
1132
1132
|
*/
|
|
1133
1133
|
async deleteUserByUsername(e) {
|
|
1134
|
-
const t =
|
|
1134
|
+
const t = L.normalize(String(e));
|
|
1135
1135
|
if (t in this.usersByUsername) {
|
|
1136
1136
|
const r = this.usersByUsername[t];
|
|
1137
1137
|
delete this.usersByUsername[t], delete this.secretsByUsername[t];
|
|
1138
|
-
const i =
|
|
1138
|
+
const i = L.normalize(String(r.email));
|
|
1139
1139
|
i in this.usersByEmail && (delete this.usersByEmail[i], delete this.secretsByEmail[i]);
|
|
1140
1140
|
}
|
|
1141
1141
|
}
|
|
@@ -1157,7 +1157,7 @@ class Ut extends H {
|
|
|
1157
1157
|
return i;
|
|
1158
1158
|
}
|
|
1159
1159
|
}
|
|
1160
|
-
class At extends
|
|
1160
|
+
class At extends D {
|
|
1161
1161
|
/**
|
|
1162
1162
|
* Constructor
|
|
1163
1163
|
*/
|
|
@@ -1439,7 +1439,7 @@ class Pt extends we {
|
|
|
1439
1439
|
function $e(S, s) {
|
|
1440
1440
|
return { username: Array.isArray(s.uid) ? s.uid[0] : s.uid, state: "active", ...S };
|
|
1441
1441
|
}
|
|
1442
|
-
class oe extends
|
|
1442
|
+
class oe extends L {
|
|
1443
1443
|
/**
|
|
1444
1444
|
* Constructor.
|
|
1445
1445
|
* @param localStorage the underlying storage where users are kept (without passwords)
|
|
@@ -1452,7 +1452,7 @@ class oe extends H {
|
|
|
1452
1452
|
h(this, "ldapUserSearchBase", "");
|
|
1453
1453
|
h(this, "ldapUsernameAttribute", "cn");
|
|
1454
1454
|
h(this, "createUserFn", $e);
|
|
1455
|
-
this.localStorage = e, w("ldapUrls",
|
|
1455
|
+
this.localStorage = e, w("ldapUrls", g.JsonArray, this, t, "LDAP_URL", !0), w("ldapUserSearchBase", g.String, this, t, "LDAP_USER_SEARCH_BASE"), w("ldapUsernameAttribute", g.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
|
|
1456
1456
|
}
|
|
1457
1457
|
/**
|
|
1458
1458
|
* Authenticates the user in LDAP and, if valid, creates a user in local
|
|
@@ -1591,17 +1591,17 @@ class oe extends H {
|
|
|
1591
1591
|
t,
|
|
1592
1592
|
n,
|
|
1593
1593
|
function(c, d) {
|
|
1594
|
-
let
|
|
1594
|
+
let m;
|
|
1595
1595
|
if (c) {
|
|
1596
1596
|
a(c), e.unbind();
|
|
1597
1597
|
return;
|
|
1598
1598
|
}
|
|
1599
1599
|
d.on("searchEntry", function(y) {
|
|
1600
|
-
|
|
1600
|
+
m = oe.searchResultToUser(y.pojo);
|
|
1601
1601
|
}), d.on("error", function(y) {
|
|
1602
1602
|
a(y), e.unbind();
|
|
1603
1603
|
}), d.on("end", function(y) {
|
|
1604
|
-
y.status != 0 ? a(new o(l.Connection, "LDAP onnection failed")) :
|
|
1604
|
+
y.status != 0 ? a(new o(l.Connection, "LDAP onnection failed")) : m ? i(m) : a(new o(l.UsernameOrPasswordInvalid)), e.unbind();
|
|
1605
1605
|
});
|
|
1606
1606
|
}
|
|
1607
1607
|
);
|
|
@@ -1630,7 +1630,7 @@ class oe extends H {
|
|
|
1630
1630
|
return oe.sanitizeLdapDn(e).replace("*", "*").replace("(", "(").replace(")", ")");
|
|
1631
1631
|
}
|
|
1632
1632
|
}
|
|
1633
|
-
class Y extends
|
|
1633
|
+
class Y extends L {
|
|
1634
1634
|
/**
|
|
1635
1635
|
* Creates a DbUserStorage object, optionally overriding defaults.
|
|
1636
1636
|
* @param dbPool the instance of the Posrgres client.
|
|
@@ -1644,7 +1644,7 @@ class Y extends H {
|
|
|
1644
1644
|
h(this, "useridForeignKeyColumn", "userid");
|
|
1645
1645
|
h(this, "forceIdToNumber", !0);
|
|
1646
1646
|
h(this, "dbPool");
|
|
1647
|
-
this.dbPool = e, w("userTable",
|
|
1647
|
+
this.dbPool = e, w("userTable", g.String, this, t, "USER_TABLE"), w("userSecretsTable", g.String, this, t, "USER_SECRETS_TABLE"), w("idColumn", g.String, this, t, "USER_ID_COLUMN"), w("forceIdToNumber", g.String, this, t, "USER_FORCE_ID_TO_NUMBER"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
|
|
1648
1648
|
}
|
|
1649
1649
|
/**
|
|
1650
1650
|
* Returns user matching the given id, or throws an exception.
|
|
@@ -1696,25 +1696,25 @@ class Y extends H {
|
|
|
1696
1696
|
let i = await this.dbPool.connect(), a, n, c = this.dbPool.parameters();
|
|
1697
1697
|
try {
|
|
1698
1698
|
await i.startTransaction();
|
|
1699
|
-
let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(),
|
|
1700
|
-
if (
|
|
1699
|
+
let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), m = await i.execute(d, [t]);
|
|
1700
|
+
if (m.length == 0)
|
|
1701
1701
|
throw new o(l.UserNotExist);
|
|
1702
1702
|
let y, p, _;
|
|
1703
|
-
if (this.idColumn in
|
|
1703
|
+
if (this.idColumn in m[0]) y = m[0][this.idColumn];
|
|
1704
1704
|
else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
|
|
1705
|
-
if ("username" in
|
|
1705
|
+
if ("username" in m[0]) p = m[0].username;
|
|
1706
1706
|
else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
|
|
1707
|
-
if ("state" in
|
|
1707
|
+
if ("state" in m[0]) _ = m[0].state;
|
|
1708
1708
|
else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
|
|
1709
1709
|
if (a = {
|
|
1710
|
-
...
|
|
1710
|
+
...m[0],
|
|
1711
1711
|
id: y,
|
|
1712
1712
|
username: p,
|
|
1713
1713
|
state: _
|
|
1714
1714
|
}, !a) throw new o(l.UserNotExist);
|
|
1715
|
-
if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(),
|
|
1715
|
+
if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), m = await i.execute(d, [a.id]), m.length == 0)
|
|
1716
1716
|
throw new o(l.UserNotExist);
|
|
1717
|
-
if (
|
|
1717
|
+
if (m.length > 0 ? n = { userid: a.id, ...m[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
|
|
1718
1718
|
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
|
|
1719
1719
|
throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
|
|
1720
1720
|
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.disabled)
|
|
@@ -1745,7 +1745,7 @@ class Y extends H {
|
|
|
1745
1745
|
let i = [], a = [], n = "", c = "", d = this.dbPool.parameters();
|
|
1746
1746
|
e && (c = "OFFSET " + d.nextParameter()), t && (a.push(t), n = "LIMIT " + d.nextParameter());
|
|
1747
1747
|
try {
|
|
1748
|
-
let
|
|
1748
|
+
let m = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(m, a);
|
|
1749
1749
|
if (y.length == 0)
|
|
1750
1750
|
throw new o(l.UserNotExist);
|
|
1751
1751
|
for (let p of y) {
|
|
@@ -1765,8 +1765,8 @@ class Y extends H {
|
|
|
1765
1765
|
i.push(k);
|
|
1766
1766
|
}
|
|
1767
1767
|
return i;
|
|
1768
|
-
} catch (
|
|
1769
|
-
throw
|
|
1768
|
+
} catch (m) {
|
|
1769
|
+
throw m;
|
|
1770
1770
|
} finally {
|
|
1771
1771
|
r.release();
|
|
1772
1772
|
}
|
|
@@ -1791,21 +1791,21 @@ class Y extends H {
|
|
|
1791
1791
|
throw new o(l.UserNotExist);
|
|
1792
1792
|
let c = { ...e }, d = t ? { ...t } : void 0;
|
|
1793
1793
|
"email" in c && c.email && (c = { email_normalized: this.normalizeEmail ? Y.normalize(c.email) : c.email, ...c }), "username" in c && c.username && (c = { username_normalized: this.normalizeUsername ? Y.normalize(c.username) : c.username, ...c }), i = this.dbPool.parameters();
|
|
1794
|
-
let
|
|
1794
|
+
let m = [], y = [];
|
|
1795
1795
|
for (let p in c)
|
|
1796
|
-
c[p] != null && p != "id" && (
|
|
1797
|
-
if (
|
|
1798
|
-
let p =
|
|
1796
|
+
c[p] != null && p != "id" && (m.push(p + "= " + i.nextParameter()), y.push(c[p]));
|
|
1797
|
+
if (m.length > 0) {
|
|
1798
|
+
let p = m.join(", ");
|
|
1799
1799
|
y.push(e.id);
|
|
1800
1800
|
let _ = `update ${this.userTable} set ${p} where ${this.idColumn} = ` + i.nextParameter();
|
|
1801
1801
|
await r.execute(_, y);
|
|
1802
1802
|
}
|
|
1803
1803
|
if (t) {
|
|
1804
|
-
|
|
1804
|
+
m = [], y = [], i = this.dbPool.parameters();
|
|
1805
1805
|
for (let p in d)
|
|
1806
|
-
d[p] != null && p != "userid" && (
|
|
1807
|
-
if (
|
|
1808
|
-
let p =
|
|
1806
|
+
d[p] != null && p != "userid" && (m.push(p + "= " + i.nextParameter()), y.push(d[p]));
|
|
1807
|
+
if (m.length > 0) {
|
|
1808
|
+
let p = m.join(", ");
|
|
1809
1809
|
y.push(e.id);
|
|
1810
1810
|
let _ = `update ${this.userSecretsTable} set ${p} where userid = ` + i.nextParameter();
|
|
1811
1811
|
await r.execute(_, y);
|
|
@@ -1836,27 +1836,27 @@ class Y extends H {
|
|
|
1836
1836
|
await r.startTransaction();
|
|
1837
1837
|
let a = { ...e }, n = t ? { ...t } : void 0;
|
|
1838
1838
|
"email" in a && a.email && (a = { email_normalized: this.normalizeEmail ? Y.normalize(a.email) : a.email, ...a }), "username" in a && a.username && (a = { username_normalized: this.normalizeUsername ? Y.normalize(a.username) : a.username, ...a });
|
|
1839
|
-
let c = [], d = [],
|
|
1839
|
+
let c = [], d = [], m = [];
|
|
1840
1840
|
const y = this.dbPool.parameters();
|
|
1841
1841
|
for (let _ in a)
|
|
1842
|
-
a[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()),
|
|
1842
|
+
a[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()), m.push(a[_]));
|
|
1843
1843
|
if (c.length > 0) {
|
|
1844
1844
|
let _ = c.join(", "), C = d.join(", ");
|
|
1845
|
-
const v = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(v,
|
|
1845
|
+
const v = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(v, m);
|
|
1846
1846
|
if (k.length == 0 || !k[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
|
|
1847
1847
|
i = k[0][this.idColumn];
|
|
1848
1848
|
}
|
|
1849
1849
|
if (!i) throw new o(l.Connection, "Couldn't create user");
|
|
1850
1850
|
if (t) {
|
|
1851
|
-
c = [], d = [],
|
|
1851
|
+
c = [], d = [], m = [];
|
|
1852
1852
|
const _ = this.dbPool.parameters();
|
|
1853
|
-
c.push("userid"), d.push(_.nextParameter()),
|
|
1853
|
+
c.push("userid"), d.push(_.nextParameter()), m.push(i);
|
|
1854
1854
|
for (let C in n)
|
|
1855
|
-
n[C] != null && C != "userid" && (c.push(C), d.push(_.nextParameter()),
|
|
1855
|
+
n[C] != null && C != "userid" && (c.push(C), d.push(_.nextParameter()), m.push(n[C]));
|
|
1856
1856
|
if (c.length > 0) {
|
|
1857
1857
|
let C = c.join(", "), v = d.join(", ");
|
|
1858
1858
|
const k = `insert into ${this.userSecretsTable} (${C}) values (${v})`;
|
|
1859
|
-
u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k,
|
|
1859
|
+
u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k, m);
|
|
1860
1860
|
}
|
|
1861
1861
|
}
|
|
1862
1862
|
return await r.commit(), (await this.getUserById(i)).user;
|
|
@@ -1903,7 +1903,7 @@ class Y extends H {
|
|
|
1903
1903
|
}
|
|
1904
1904
|
}
|
|
1905
1905
|
}
|
|
1906
|
-
class qe extends
|
|
1906
|
+
class qe extends D {
|
|
1907
1907
|
/**
|
|
1908
1908
|
* Constructor with user storage object to use plus optional parameters.
|
|
1909
1909
|
*
|
|
@@ -1915,7 +1915,7 @@ class qe extends L {
|
|
|
1915
1915
|
h(this, "keyTable", "keys");
|
|
1916
1916
|
h(this, "dbPool");
|
|
1917
1917
|
h(this, "useridForeignKeyColumn", "userid");
|
|
1918
|
-
w("transactionTimeout",
|
|
1918
|
+
w("transactionTimeout", g.Number, this, t, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
|
|
1919
1919
|
}
|
|
1920
1920
|
async getKey(e) {
|
|
1921
1921
|
const t = await this.dbPool.connect();
|
|
@@ -1962,12 +1962,12 @@ class qe extends L {
|
|
|
1962
1962
|
* @throws {@link @crossauth/common!CrossauthError } if the key could not be stored.
|
|
1963
1963
|
*/
|
|
1964
1964
|
async saveKey(e, t, r, i, a, n = {}) {
|
|
1965
|
-
let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"],
|
|
1965
|
+
let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], m = this.dbPool.parameters(), y = [];
|
|
1966
1966
|
for (let k = 0; k < 5; ++k)
|
|
1967
|
-
y.push(
|
|
1967
|
+
y.push(m.nextParameter());
|
|
1968
1968
|
let p = [e ?? null, t, r, i ?? null, a ?? ""];
|
|
1969
1969
|
for (let k in n)
|
|
1970
|
-
d.push(k), y.push(
|
|
1970
|
+
d.push(k), y.push(m.nextParameter()), p.push(n[k]);
|
|
1971
1971
|
let _ = d.join(", "), C = y.join(", ");
|
|
1972
1972
|
const v = await this.dbPool.connect();
|
|
1973
1973
|
try {
|
|
@@ -1995,11 +1995,11 @@ class qe extends L {
|
|
|
1995
1995
|
try {
|
|
1996
1996
|
let a, n = [], c = "", d = this.dbPool.parameters();
|
|
1997
1997
|
if (e) {
|
|
1998
|
-
const
|
|
1999
|
-
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${
|
|
1998
|
+
const m = d.nextParameter(), y = d.nextParameter();
|
|
1999
|
+
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${m} and value like ${y} `, n = [e];
|
|
2000
2000
|
} else {
|
|
2001
|
-
const
|
|
2002
|
-
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${
|
|
2001
|
+
const m = d.nextParameter();
|
|
2002
|
+
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${m}`;
|
|
2003
2003
|
}
|
|
2004
2004
|
n.push(t + "%"), r && (c = "and value != " + d.nextParameter(), n.push(r)), a += " " + c, u.logger.debug(f({ msg: "Executing query", query: a })), await i.execute(a, n);
|
|
2005
2005
|
} catch (a) {
|
|
@@ -2014,8 +2014,8 @@ class qe extends L {
|
|
|
2014
2014
|
let r = [], i = [];
|
|
2015
2015
|
const a = this.dbPool.parameters();
|
|
2016
2016
|
for (let d in e) {
|
|
2017
|
-
let
|
|
2018
|
-
e[d] == null ? r.push(
|
|
2017
|
+
let m = d == "userid" ? this.useridForeignKeyColumn : d;
|
|
2018
|
+
e[d] == null ? r.push(m + " is null") : (r.push(m + " = " + a.nextParameter()), i.push(e[d]));
|
|
2019
2019
|
}
|
|
2020
2020
|
let n = r.join(" and "), c = `delete from ${this.keyTable} where ${n}`;
|
|
2021
2021
|
await t.execute(c, i);
|
|
@@ -2054,8 +2054,8 @@ class qe extends L {
|
|
|
2054
2054
|
if (c.length == 0)
|
|
2055
2055
|
return [];
|
|
2056
2056
|
for (let d of c) {
|
|
2057
|
-
let
|
|
2058
|
-
this.useridForeignKeyColumn != "userid" && (
|
|
2057
|
+
let m = this.makeKey(d);
|
|
2058
|
+
this.useridForeignKeyColumn != "userid" && (m.userid = m[this.useridForeignKeyColumn], delete m[this.useridForeignKeyColumn]), r.push(m);
|
|
2059
2059
|
}
|
|
2060
2060
|
return r;
|
|
2061
2061
|
} catch (r) {
|
|
@@ -2167,7 +2167,7 @@ class We extends me {
|
|
|
2167
2167
|
h(this, "validFlowTable", "oauthclientvalidflow");
|
|
2168
2168
|
h(this, "dbPool");
|
|
2169
2169
|
h(this, "useridForeignKeyColumn", "userid");
|
|
2170
|
-
w("clientTable",
|
|
2170
|
+
w("clientTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), w("redirectUriTable", g.String, this, t, "OAUTH_REDIRECTURI_TABLE"), w("validFlowTable", g.String, this, t, "OAUTH_VALID_FLOW_TABLE"), w("updateMode", g.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2171
2171
|
}
|
|
2172
2172
|
async getClientById(e) {
|
|
2173
2173
|
let t = await this.dbPool.connect();
|
|
@@ -2210,15 +2210,15 @@ class We extends me {
|
|
|
2210
2210
|
};
|
|
2211
2211
|
}
|
|
2212
2212
|
async getClientWithTransaction(e, t, r, i, a, n) {
|
|
2213
|
-
let c = [], d = this.dbPool.parameters(),
|
|
2214
|
-
t && r && (p = `where c.${t} = ` + d.nextParameter(),
|
|
2213
|
+
let c = [], d = this.dbPool.parameters(), m = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, p = "";
|
|
2214
|
+
t && r && (p = `where c.${t} = ` + d.nextParameter(), m.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), m.push(i)));
|
|
2215
2215
|
let _ = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, C = "";
|
|
2216
|
-
t && r && (C = `where c.${t} = ` + d.nextParameter(),
|
|
2216
|
+
t && r && (C = `where c.${t} = ` + d.nextParameter(), m.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), m.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += p, _ += C;
|
|
2217
2217
|
let v = y + " union " + _ + " order by client_id";
|
|
2218
|
-
const k = await e.execute(v,
|
|
2218
|
+
const k = await e.execute(v, m);
|
|
2219
2219
|
let A;
|
|
2220
|
-
for (let
|
|
2221
|
-
(!A ||
|
|
2220
|
+
for (let z of k)
|
|
2221
|
+
(!A || z.client_id != A.client_id) && (A && c.push(A), A = this.makeClient(z), A.valid_flow = [], A.redirect_uri = []), z.uri && A.redirect_uri.push(z.uri), z.flow && A.valid_flow.push(z.flow);
|
|
2222
2222
|
return A && c.push(A), c;
|
|
2223
2223
|
}
|
|
2224
2224
|
/**
|
|
@@ -2255,14 +2255,14 @@ class We extends me {
|
|
|
2255
2255
|
for (let C = 0; C < i.length; ++C)
|
|
2256
2256
|
if (!b.isValidFlow(i[C])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[C]);
|
|
2257
2257
|
}
|
|
2258
|
-
let c = [], d = [],
|
|
2258
|
+
let c = [], d = [], m = [], y = this.dbPool.parameters();
|
|
2259
2259
|
try {
|
|
2260
2260
|
for (let C in n)
|
|
2261
|
-
c.push(C), d.push(y.nextParameter()),
|
|
2261
|
+
c.push(C), d.push(y.nextParameter()), m.push(n[C]);
|
|
2262
2262
|
if (c.length > 0) {
|
|
2263
2263
|
let C = c.join(", "), v = d.join(", ");
|
|
2264
2264
|
const k = `insert into ${this.clientTable} (${C}) values (${v})`;
|
|
2265
|
-
await e.execute(k,
|
|
2265
|
+
await e.execute(k, m);
|
|
2266
2266
|
}
|
|
2267
2267
|
} catch (C) {
|
|
2268
2268
|
throw typeof C == "object" && C != null && "code" in C && typeof C.code == "string" && (C.code.startsWith("22") || C.code.startsWith("23")) ? (u.logger.debug(f({ err: C })), new o(l.InvalidClientId, "Attempt to create an OAuth client with a client_id that already exists. Maximum attempts failed")) : (u.logger.debug(f({ err: C })), new o(l.Connection, "Error saving OAuth client"));
|
|
@@ -2273,15 +2273,15 @@ class We extends me {
|
|
|
2273
2273
|
let _ = p[0];
|
|
2274
2274
|
if (r)
|
|
2275
2275
|
for (let C = 0; C < r.length; ++C) {
|
|
2276
|
-
|
|
2276
|
+
m = [], y = this.dbPool.parameters();
|
|
2277
2277
|
let v = `insert into ${this.redirectUriTable} (client_id, uri) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
|
|
2278
|
-
|
|
2278
|
+
m.push(_.client_id), m.push(r[C]), await e.execute(v, m);
|
|
2279
2279
|
}
|
|
2280
2280
|
if (i)
|
|
2281
2281
|
for (let C = 0; C < i.length; ++C) {
|
|
2282
|
-
|
|
2282
|
+
m = [], y = this.dbPool.parameters();
|
|
2283
2283
|
let v = `insert into ${this.validFlowTable} (client_id, flow) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
|
|
2284
|
-
|
|
2284
|
+
m.push(_.client_id), m.push(i[C]), await e.execute(v, m);
|
|
2285
2285
|
}
|
|
2286
2286
|
return { ..._, redirect_uri: r, valid_flow: i };
|
|
2287
2287
|
}
|
|
@@ -2343,26 +2343,26 @@ class We extends me {
|
|
|
2343
2343
|
if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
|
|
2344
2344
|
let { client_id: a, redirect_uri: n, valid_flow: c, ...d } = t;
|
|
2345
2345
|
n || (n = []), c || (c = []);
|
|
2346
|
-
let
|
|
2347
|
-
await e.execute(y, [t.client_id]),
|
|
2346
|
+
let m = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + m.nextParameter();
|
|
2347
|
+
await e.execute(y, [t.client_id]), m = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + m.nextParameter(), await e.execute(y, [t.client_id]);
|
|
2348
2348
|
let p = [], _ = [], C = [];
|
|
2349
|
-
|
|
2349
|
+
m = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + m.nextParameter();
|
|
2350
2350
|
for (let v in d)
|
|
2351
|
-
p.push(v), _.push(
|
|
2351
|
+
p.push(v), _.push(m.nextParameter()), C.push(d[v]);
|
|
2352
2352
|
if (p.length > 0) {
|
|
2353
2353
|
let v = p.join(", "), k = _.join(", ");
|
|
2354
2354
|
y = `update ${this.clientTable} set (${v}) values (${k})`, await e.execute(y, C);
|
|
2355
2355
|
}
|
|
2356
2356
|
if (n)
|
|
2357
2357
|
for (let v = 0; v < n.length; ++v) {
|
|
2358
|
-
C = [],
|
|
2359
|
-
let k = `insert into ${this.redirectUriTable} (client_id, uri) values (` +
|
|
2358
|
+
C = [], m = this.dbPool.parameters();
|
|
2359
|
+
let k = `insert into ${this.redirectUriTable} (client_id, uri) values (` + m.nextParameter() + ", " + m.nextParameter() + ")";
|
|
2360
2360
|
C.push(t.client_id), C.push(n[v]), await e.execute(k, C);
|
|
2361
2361
|
}
|
|
2362
2362
|
if (c)
|
|
2363
2363
|
for (let v = 0; v < c.length; ++v) {
|
|
2364
|
-
C = [],
|
|
2365
|
-
let k = `insert into ${this.validFlowTable} (client_id, flow) values (` +
|
|
2364
|
+
C = [], m = this.dbPool.parameters();
|
|
2365
|
+
let k = `insert into ${this.validFlowTable} (client_id, flow) values (` + m.nextParameter() + ", " + m.nextParameter() + ")";
|
|
2366
2366
|
C.push(t.client_id), C.push(c[v]), await e.execute(k, C);
|
|
2367
2367
|
}
|
|
2368
2368
|
}
|
|
@@ -2390,14 +2390,14 @@ class Je extends we {
|
|
|
2390
2390
|
h(this, "authorizationTable", "oauthauthorization");
|
|
2391
2391
|
h(this, "useridForeignKeyColumn", "userid");
|
|
2392
2392
|
h(this, "dbPool");
|
|
2393
|
-
w("authorizationTable",
|
|
2393
|
+
w("authorizationTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2394
2394
|
}
|
|
2395
2395
|
async getAuthorizations(e, t) {
|
|
2396
2396
|
let r = await this.dbPool.connect();
|
|
2397
2397
|
try {
|
|
2398
2398
|
const i = this.dbPool.parameters(), a = [];
|
|
2399
2399
|
let n = `select scope from ${this.authorizationTable} where client_id = ` + i.nextParameter();
|
|
2400
|
-
return a.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), a.push(t)), (await r.execute(n, a)).map((
|
|
2400
|
+
return a.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), a.push(t)), (await r.execute(n, a)).map((m) => m.scope);
|
|
2401
2401
|
} catch (i) {
|
|
2402
2402
|
throw i;
|
|
2403
2403
|
} finally {
|
|
@@ -2713,21 +2713,21 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2713
2713
|
t || (t = q.randomSalt());
|
|
2714
2714
|
let a = r != null, n = a ? t + "!" + r : t;
|
|
2715
2715
|
i == null && (i = !1);
|
|
2716
|
-
let
|
|
2716
|
+
let m = (await De(Ne)(
|
|
2717
2717
|
s,
|
|
2718
2718
|
n,
|
|
2719
2719
|
e.iterations ?? Se,
|
|
2720
2720
|
e.keyLen ?? ve,
|
|
2721
2721
|
e.digest ?? Ce
|
|
2722
2722
|
)).toString("base64url");
|
|
2723
|
-
return i && (
|
|
2724
|
-
|
|
2723
|
+
return i && (m = this.encodePasswordHash(
|
|
2724
|
+
m,
|
|
2725
2725
|
t,
|
|
2726
2726
|
a,
|
|
2727
2727
|
e.iterations ?? Se,
|
|
2728
2728
|
e.keyLen ?? ve,
|
|
2729
2729
|
e.digest ?? Ce
|
|
2730
|
-
)),
|
|
2730
|
+
)), m;
|
|
2731
2731
|
}
|
|
2732
2732
|
/**
|
|
2733
2733
|
* For creating non-JWT tokens (eg password reset tokens.) The
|
|
@@ -2887,7 +2887,7 @@ const le = class le extends be {
|
|
|
2887
2887
|
h(this, "pbkdf2KeyLength", 32);
|
|
2888
2888
|
/** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn} */
|
|
2889
2889
|
h(this, "validatePasswordFn", tt);
|
|
2890
|
-
w("secret",
|
|
2890
|
+
w("secret", g.String, this, t, "HASHER_SECRET"), w("enableSecretForPasswordHash", g.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), w("pbkdf2Digest", g.String, this, t, "PASSWORD_PBKDF2_DIGEST"), w("pbkdf2Iterations", g.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), w("pbkdf2SaltLength", g.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), w("pbkdf2KeyLength", g.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
|
|
2891
2891
|
}
|
|
2892
2892
|
/**
|
|
2893
2893
|
* Authenticates the user, returning a the user as a {@link User} object.
|
|
@@ -3041,7 +3041,7 @@ class Z extends re {
|
|
|
3041
3041
|
h(this, "smtpPassword");
|
|
3042
3042
|
h(this, "emailAuthenticatorTokenExpires", 60 * 5);
|
|
3043
3043
|
h(this, "render");
|
|
3044
|
-
w("views",
|
|
3044
|
+
w("views", g.String, this, e, "VIEWS"), w("emailAuthenticatorTextBody", g.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), w("emailAuthenticatorHtmlBody", g.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), w("emailAuthenticatorSubject", g.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), w("emailFrom", g.String, this, e, "EMAIL_FROM", !0), w("smtpHost", g.String, this, e, "SMTP_HOST", !0), w("smtpPort", g.Number, this, e, "SMTP_PORT"), w("smtpUsername", g.String, this, e, "SMTP_USERNAME"), w("smtpPassword", g.String, this, e, "SMTP_PASSWORD"), w("smtpUseTls", g.Boolean, this, e, "SMTP_USE_TLS"), w("emailAuthenticatorTokenExpires", g.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3045
3045
|
}
|
|
3046
3046
|
/**
|
|
3047
3047
|
* Used by the OAuth password_mfa grant type.
|
|
@@ -3112,7 +3112,7 @@ class Z extends re {
|
|
|
3112
3112
|
* @returns
|
|
3113
3113
|
*/
|
|
3114
3114
|
async reprepareConfiguration(e, t) {
|
|
3115
|
-
const r =
|
|
3115
|
+
const r = D.decodeData(t.data)["2fa"], i = Z.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), c = this.sendToken(r.email, i);
|
|
3116
3116
|
return u.logger.info(f({
|
|
3117
3117
|
msg: "Sent factor otp email",
|
|
3118
3118
|
emailMessageId: c,
|
|
@@ -3249,7 +3249,7 @@ class Q extends re {
|
|
|
3249
3249
|
h(this, "smsAuthenticatorFrom", "");
|
|
3250
3250
|
h(this, "smsAuthenticatorTokenExpires", 60 * 5);
|
|
3251
3251
|
h(this, "render");
|
|
3252
|
-
w("views",
|
|
3252
|
+
w("views", g.String, this, e, "VIEWS"), w("smsAuthenticatorBody", g.String, this, e, "SMS_AUTHENTICATOR_BODY"), w("smsAuthenticatorFrom", g.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), w("smsAuthenticatorTokenExpires", g.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3253
3253
|
}
|
|
3254
3254
|
/**
|
|
3255
3255
|
* Used by the OAuth password_mfa grant type.
|
|
@@ -3289,7 +3289,7 @@ class Q extends re {
|
|
|
3289
3289
|
otp: t
|
|
3290
3290
|
};
|
|
3291
3291
|
let d = { otp: t };
|
|
3292
|
-
const
|
|
3292
|
+
const m = this.render ? this.render(this.smsAuthenticatorBody, d) : W.render(this.smsAuthenticatorBody, d), y = this.sendSms(r, m);
|
|
3293
3293
|
return u.logger.info(f({
|
|
3294
3294
|
msg: "Sent factor otp sms",
|
|
3295
3295
|
smsMessageId: y,
|
|
@@ -3303,7 +3303,7 @@ class Q extends re {
|
|
|
3303
3303
|
* @returns
|
|
3304
3304
|
*/
|
|
3305
3305
|
async reprepareConfiguration(e, t) {
|
|
3306
|
-
const r =
|
|
3306
|
+
const r = D.decodeData(t.data)["2fa"], i = Q.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), c = this.sendSms(r.phone, i);
|
|
3307
3307
|
return u.logger.info(f({
|
|
3308
3308
|
msg: "Sent factor otp sms",
|
|
3309
3309
|
smsMessageId: c,
|
|
@@ -3522,7 +3522,7 @@ class Rt extends re {
|
|
|
3522
3522
|
* @returns
|
|
3523
3523
|
*/
|
|
3524
3524
|
async reprepareConfiguration(e, t) {
|
|
3525
|
-
const r =
|
|
3525
|
+
const r = D.decodeData(t.data)["2fa"], i = this.code, a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * 60).getTime();
|
|
3526
3526
|
return {
|
|
3527
3527
|
userData: { factor2: r.factor2, otp: i },
|
|
3528
3528
|
secrets: {},
|
|
@@ -3639,7 +3639,7 @@ class xt extends be {
|
|
|
3639
3639
|
super({ friendlyName: "LDAP", ...t });
|
|
3640
3640
|
h(this, "ldapAutoCreateAccount", !1);
|
|
3641
3641
|
h(this, "ldapStorage");
|
|
3642
|
-
w("ldapAutoCreateAccount",
|
|
3642
|
+
w("ldapAutoCreateAccount", g.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), this.ldapStorage = e;
|
|
3643
3643
|
}
|
|
3644
3644
|
/**
|
|
3645
3645
|
* Authenticates the user, returning a the user as a {@link User} object.
|
|
@@ -3758,7 +3758,7 @@ class Dt extends re {
|
|
|
3758
3758
|
}), { qrUrl: r, secret: t };
|
|
3759
3759
|
}
|
|
3760
3760
|
async getSecretFromSession(e, t) {
|
|
3761
|
-
const r =
|
|
3761
|
+
const r = D.decodeData(t.data);
|
|
3762
3762
|
if (!("totpsecret" in r))
|
|
3763
3763
|
throw new o(
|
|
3764
3764
|
l.Unauthorized,
|
|
@@ -3902,7 +3902,7 @@ class Dt extends re {
|
|
|
3902
3902
|
}
|
|
3903
3903
|
}
|
|
3904
3904
|
const ne = 16;
|
|
3905
|
-
class
|
|
3905
|
+
class R {
|
|
3906
3906
|
/**
|
|
3907
3907
|
* Construct a new EmailVerifier.
|
|
3908
3908
|
*
|
|
@@ -3933,7 +3933,7 @@ class x {
|
|
|
3933
3933
|
h(this, "verifyEmailExpires", 60 * 60 * 24);
|
|
3934
3934
|
h(this, "passwordResetExpires", 60 * 60 * 24);
|
|
3935
3935
|
h(this, "render");
|
|
3936
|
-
this.userStorage = s, this.keyStorage = e, w("siteUrl",
|
|
3936
|
+
this.userStorage = s, this.keyStorage = e, w("siteUrl", g.String, this, t, "SITE_URL", !0), w("prefix", g.String, this, t, "PREFIX"), w("views", g.String, this, t, "VIEWS"), w("emailVerificationTextBody", g.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), w("emailVerificationHtmlBody", g.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), w("emailVerificationSubject", g.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), w("passwordResetTextBody", g.String, this, t, "PASSWORD_RESET_TEXT_BODY"), w("passwordResetHtmlBody", g.String, this, t, "PASSWORD_RESET_HTML_BODY"), w("passwordResetSubject", g.String, this, t, "PASSWORD_RESET_SUBJECT"), w("emailFrom", g.String, this, t, "EMAIL_FROM", !0), w("smtpHost", g.String, this, t, "SMTP_HOST", !0), w("smtpPort", g.Number, this, t, "SMTP_PORT"), w("smtpUsername", g.String, this, t, "SMTP_USERNAME"), w("smtpPassword", g.String, this, t, "SMTP_PASSWORD"), w("smtpUseTls", g.Boolean, this, t, "SMTP_USE_TLS"), w("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), w("passwordResetExpires", g.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
|
|
3937
3937
|
}
|
|
3938
3938
|
createEmailer() {
|
|
3939
3939
|
let s = {};
|
|
@@ -3962,11 +3962,11 @@ class x {
|
|
|
3962
3962
|
let r = 0;
|
|
3963
3963
|
const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
|
|
3964
3964
|
for (; r < 10; ) {
|
|
3965
|
-
let n = T.randomValue(ne), c =
|
|
3965
|
+
let n = T.randomValue(ne), c = R.hashEmailVerificationToken(n);
|
|
3966
3966
|
try {
|
|
3967
3967
|
return await this.keyStorage.saveKey(s, c, i, a, e), n;
|
|
3968
3968
|
} catch {
|
|
3969
|
-
n = T.randomValue(ne), c =
|
|
3969
|
+
n = T.randomValue(ne), c = R.hashEmailVerificationToken(n), r++;
|
|
3970
3970
|
}
|
|
3971
3971
|
}
|
|
3972
3972
|
throw new o(l.Connection, "failed creating a unique key");
|
|
@@ -4007,7 +4007,7 @@ class x {
|
|
|
4007
4007
|
"Either emailVerificationTextBody or emailVerificationHtmlBody must be set to send email verification emails"
|
|
4008
4008
|
);
|
|
4009
4009
|
let { user: r } = await this.userStorage.getUserById(s, { skipEmailVerifiedCheck: !0 }), i = e;
|
|
4010
|
-
i != "" ?
|
|
4010
|
+
i != "" ? R.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), R.validateEmail(i)), R.validateEmail(i);
|
|
4011
4011
|
const a = await this.createAndSaveEmailVerificationToken(s, e), n = await this._sendEmailVerificationToken(a, i, t);
|
|
4012
4012
|
u.logger.info(f({ msg: "Sent email verification email", emailMessageId: n, email: i }));
|
|
4013
4013
|
}
|
|
@@ -4027,20 +4027,20 @@ class x {
|
|
|
4027
4027
|
* address the user is validating
|
|
4028
4028
|
*/
|
|
4029
4029
|
async verifyEmailVerificationToken(s) {
|
|
4030
|
-
const e =
|
|
4030
|
+
const e = R.hashEmailVerificationToken(s);
|
|
4031
4031
|
let t = await this.keyStorage.getKey(e);
|
|
4032
4032
|
try {
|
|
4033
4033
|
if (!t.userid || !t.expires) throw new o(l.InvalidKey);
|
|
4034
4034
|
const { user: r } = await this.userStorage.getUserById(t.userid, { skipEmailVerifiedCheck: !0 });
|
|
4035
4035
|
let i = (r.email ?? r.username).toLowerCase();
|
|
4036
|
-
if (i || (i = r.username.toLowerCase()),
|
|
4036
|
+
if (i || (i = r.username.toLowerCase()), R.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
|
|
4037
4037
|
return { userid: t.userid, newEmail: t.data ?? "" };
|
|
4038
4038
|
} finally {
|
|
4039
4039
|
}
|
|
4040
4040
|
}
|
|
4041
4041
|
async deleteEmailVerificationToken(s) {
|
|
4042
4042
|
try {
|
|
4043
|
-
const e =
|
|
4043
|
+
const e = R.hashEmailVerificationToken(s);
|
|
4044
4044
|
await this.keyStorage.deleteKey(e);
|
|
4045
4045
|
} catch (e) {
|
|
4046
4046
|
const t = o.asCrossauthError(e);
|
|
@@ -4051,11 +4051,11 @@ class x {
|
|
|
4051
4051
|
let t = 0;
|
|
4052
4052
|
const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
|
|
4053
4053
|
for (; t < 10; ) {
|
|
4054
|
-
let a = T.randomValue(ne), n =
|
|
4054
|
+
let a = T.randomValue(ne), n = R.hashPasswordResetToken(a);
|
|
4055
4055
|
try {
|
|
4056
4056
|
return await this.keyStorage.saveKey(s, n, r, i), a;
|
|
4057
4057
|
} catch {
|
|
4058
|
-
a = T.randomValue(ne), n =
|
|
4058
|
+
a = T.randomValue(ne), n = R.hashPasswordResetToken(a), t++;
|
|
4059
4059
|
}
|
|
4060
4060
|
}
|
|
4061
4061
|
throw new o(l.Connection, "failed creating a unique key");
|
|
@@ -4075,7 +4075,7 @@ class x {
|
|
|
4075
4075
|
* @returns the user that the token is for
|
|
4076
4076
|
*/
|
|
4077
4077
|
async verifyPasswordResetToken(s) {
|
|
4078
|
-
const e =
|
|
4078
|
+
const e = R.hashPasswordResetToken(s);
|
|
4079
4079
|
u.logger.debug("verifyPasswordResetToken " + s + " " + e);
|
|
4080
4080
|
let t = await this.keyStorage.getKey(e);
|
|
4081
4081
|
if (!t.userid) throw new o(l.InvalidKey);
|
|
@@ -4124,7 +4124,7 @@ class x {
|
|
|
4124
4124
|
if (!t && r.state != E.active && r.state != E.passwordResetNeeded && r.state != E.passwordAndFactor2ResetNeeded)
|
|
4125
4125
|
throw new o(l.UserNotActive);
|
|
4126
4126
|
let i = (r.email ?? r.username).toLowerCase();
|
|
4127
|
-
i || (i = r.username.toLowerCase()),
|
|
4127
|
+
i || (i = r.username.toLowerCase()), R.validateEmail(i);
|
|
4128
4128
|
const a = await this.createAndSavePasswordResetToken(s), n = await this._sendPasswordResetToken(a, i, e);
|
|
4129
4129
|
u.logger.info(f({ msg: "Sent password reset email", emailMessageId: n, email: i }));
|
|
4130
4130
|
}
|
|
@@ -4146,7 +4146,7 @@ class x {
|
|
|
4146
4146
|
* @param email the email to validate
|
|
4147
4147
|
*/
|
|
4148
4148
|
static validateEmail(s) {
|
|
4149
|
-
if (s == null || !
|
|
4149
|
+
if (s == null || !R.isEmailValid(s)) throw new o(l.InvalidEmail);
|
|
4150
4150
|
}
|
|
4151
4151
|
}
|
|
4152
4152
|
const _e = 16, ke = 16;
|
|
@@ -4177,7 +4177,7 @@ class rt {
|
|
|
4177
4177
|
h(this, "sameSite", "lax");
|
|
4178
4178
|
// hasher settings
|
|
4179
4179
|
h(this, "secret", "");
|
|
4180
|
-
w("headerName",
|
|
4180
|
+
w("headerName", g.String, this, s, "CSRF_HEADER_NAME"), w("cookieName", g.String, this, s, "CSRF_COOKIE_NAME"), w("domain", g.String, this, s, "CSRF_COOKIE_DOMAIN"), w("httpOnly", g.Boolean, this, s, "CSRF_COOKIE_HTTPONLY"), w("path", g.String, this, s, "CSRF_COOKIE_PATH"), w("secure", g.Boolean, this, s, "CSRF_COOKIE_SECURE"), w("sameSite", g.String, this, s, "CSRF_COOKIE_SAMESITE"), w("secret", g.String, this, s, "SECRET", !0);
|
|
4181
4181
|
}
|
|
4182
4182
|
/**
|
|
4183
4183
|
* Creates a session key and saves in storage
|
|
@@ -4270,7 +4270,7 @@ class rt {
|
|
|
4270
4270
|
}
|
|
4271
4271
|
}
|
|
4272
4272
|
}
|
|
4273
|
-
class
|
|
4273
|
+
class x {
|
|
4274
4274
|
/**
|
|
4275
4275
|
* Constructor.
|
|
4276
4276
|
*
|
|
@@ -4299,7 +4299,7 @@ class D {
|
|
|
4299
4299
|
h(this, "sameSite", "lax");
|
|
4300
4300
|
// hasher settings
|
|
4301
4301
|
h(this, "secret", "");
|
|
4302
|
-
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, w("idleTimeout",
|
|
4302
|
+
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, w("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), w("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, w("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), w("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), w("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), w("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), w("path", g.String, this, e, "SESSION_COOKIE_PATH"), w("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), w("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), w("secret", g.String, this, e, "SECRET", !0);
|
|
4303
4303
|
}
|
|
4304
4304
|
expiry(s) {
|
|
4305
4305
|
let e;
|
|
@@ -4336,16 +4336,16 @@ class D {
|
|
|
4336
4336
|
const a = /* @__PURE__ */ new Date();
|
|
4337
4337
|
let n = this.expiry(a), c = !1;
|
|
4338
4338
|
for (; r < 10 && !c; ) {
|
|
4339
|
-
const d =
|
|
4339
|
+
const d = x.hashSessionId(i);
|
|
4340
4340
|
try {
|
|
4341
4341
|
this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, d, a, n, void 0, e), c = !0;
|
|
4342
|
-
} catch (
|
|
4343
|
-
let y = o.asCrossauthError(
|
|
4342
|
+
} catch (m) {
|
|
4343
|
+
let y = o.asCrossauthError(m);
|
|
4344
4344
|
if (y.code == l.KeyExists || y.code == l.InvalidKey) {
|
|
4345
4345
|
if (r++, i = T.randomValue(ke), r > 10)
|
|
4346
4346
|
throw u.logger.error(f({ msg: "Max attempts exceeded trying to create session ID" })), new o(l.KeyExists);
|
|
4347
4347
|
} else
|
|
4348
|
-
throw u.logger.debug(f({ err:
|
|
4348
|
+
throw u.logger.debug(f({ err: m })), m;
|
|
4349
4349
|
}
|
|
4350
4350
|
}
|
|
4351
4351
|
return {
|
|
@@ -4392,7 +4392,7 @@ class D {
|
|
|
4392
4392
|
*/
|
|
4393
4393
|
async updateSessionKey(s) {
|
|
4394
4394
|
if (!s.value) throw new o(l.InvalidKey, "No session when updating activity");
|
|
4395
|
-
s.value =
|
|
4395
|
+
s.value = x.hashSessionId(s.value), await this.keyStorage.updateKey(s);
|
|
4396
4396
|
}
|
|
4397
4397
|
/**
|
|
4398
4398
|
* Unsigns a cookie and returns the original value.
|
|
@@ -4440,7 +4440,7 @@ class D {
|
|
|
4440
4440
|
* `Expired` or `UserNotExist`.
|
|
4441
4441
|
*/
|
|
4442
4442
|
async getSessionKey(s) {
|
|
4443
|
-
const e = Date.now(), t =
|
|
4443
|
+
const e = Date.now(), t = x.hashSessionId(s), r = await this.keyStorage.getKey(t);
|
|
4444
4444
|
if (r.value = s, r.expires && e > r.expires.getTime())
|
|
4445
4445
|
throw u.logger.warn(f({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: T.hash(s) })), new o(l.Expired);
|
|
4446
4446
|
if (r.userid && this.idleTimeout > 0 && r.lastactive && e > r.lastactive.getTime() + this.idleTimeout * 1e3)
|
|
@@ -4455,7 +4455,7 @@ class D {
|
|
|
4455
4455
|
* @param except if defined, don't delete this key
|
|
4456
4456
|
*/
|
|
4457
4457
|
async deleteAllForUser(s, e) {
|
|
4458
|
-
e && (e =
|
|
4458
|
+
e && (e = x.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, U.session, e);
|
|
4459
4459
|
}
|
|
4460
4460
|
}
|
|
4461
4461
|
class Lt {
|
|
@@ -4480,9 +4480,9 @@ class Lt {
|
|
|
4480
4480
|
t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
|
|
4481
4481
|
for (let r in this.authenticators)
|
|
4482
4482
|
this.authenticators[r].factorName = r;
|
|
4483
|
-
if (this.session = new
|
|
4483
|
+
if (this.session = new x(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), w("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), w("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), w("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
|
|
4484
4484
|
let r = this.keyStorage;
|
|
4485
|
-
t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new
|
|
4485
|
+
t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new R(this.userStorage, r, t);
|
|
4486
4486
|
}
|
|
4487
4487
|
}
|
|
4488
4488
|
/**
|
|
@@ -4558,7 +4558,7 @@ class Lt {
|
|
|
4558
4558
|
const p = await this.session.createSessionKey(i.id, t);
|
|
4559
4559
|
c = this.session.makeCookie(p, r);
|
|
4560
4560
|
}
|
|
4561
|
-
const d = this.csrfTokens.createCsrfToken(),
|
|
4561
|
+
const d = this.csrfTokens.createCsrfToken(), m = this.csrfTokens.makeCsrfCookie(d), y = this.csrfTokens.makeCsrfFormOrHeaderToken(d);
|
|
4562
4562
|
try {
|
|
4563
4563
|
this.emailTokenStorage.deleteAllForUser(
|
|
4564
4564
|
i.id,
|
|
@@ -4569,7 +4569,7 @@ class Lt {
|
|
|
4569
4569
|
}
|
|
4570
4570
|
return {
|
|
4571
4571
|
sessionCookie: c,
|
|
4572
|
-
csrfCookie:
|
|
4572
|
+
csrfCookie: m,
|
|
4573
4573
|
csrfFormOrHeaderValue: y,
|
|
4574
4574
|
user: i,
|
|
4575
4575
|
secrets: n
|
|
@@ -4602,7 +4602,7 @@ class Lt {
|
|
|
4602
4602
|
*/
|
|
4603
4603
|
async logout(s) {
|
|
4604
4604
|
const e = await this.session.getSessionKey(s);
|
|
4605
|
-
return await this.keyStorage.deleteKey(
|
|
4605
|
+
return await this.keyStorage.deleteKey(x.hashSessionId(e.value));
|
|
4606
4606
|
}
|
|
4607
4607
|
/**
|
|
4608
4608
|
* Logs a user out from all sessions.
|
|
@@ -4750,7 +4750,7 @@ class Lt {
|
|
|
4750
4750
|
* @param value new value to store
|
|
4751
4751
|
*/
|
|
4752
4752
|
async updateSessionData(s, e, t) {
|
|
4753
|
-
const r =
|
|
4753
|
+
const r = x.hashSessionId(s);
|
|
4754
4754
|
u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: T.hash(s) })), await this.keyStorage.updateData(r, e, t);
|
|
4755
4755
|
}
|
|
4756
4756
|
/**
|
|
@@ -4762,7 +4762,7 @@ class Lt {
|
|
|
4762
4762
|
* @param dataArray names and values.
|
|
4763
4763
|
*/
|
|
4764
4764
|
async updateManySessionData(s, e) {
|
|
4765
|
-
const t =
|
|
4765
|
+
const t = x.hashSessionId(s);
|
|
4766
4766
|
u.logger.debug(f({ msg: "Updating session data", hashedSessionCookie: T.hash(s) })), await this.keyStorage.updateManyData(t, e);
|
|
4767
4767
|
}
|
|
4768
4768
|
/**
|
|
@@ -4774,7 +4774,7 @@ class Lt {
|
|
|
4774
4774
|
* @param name of the field.
|
|
4775
4775
|
*/
|
|
4776
4776
|
async deleteSessionData(s, e) {
|
|
4777
|
-
const t =
|
|
4777
|
+
const t = x.hashSessionId(s);
|
|
4778
4778
|
u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: T.hash(s) })), await this.keyStorage.deleteData(t, e);
|
|
4779
4779
|
}
|
|
4780
4780
|
/**
|
|
@@ -4783,7 +4783,7 @@ class Lt {
|
|
|
4783
4783
|
* @param sessionId the session Id to delete
|
|
4784
4784
|
*/
|
|
4785
4785
|
async deleteSession(s) {
|
|
4786
|
-
return await this.keyStorage.deleteKey(
|
|
4786
|
+
return await this.keyStorage.deleteKey(x.hashSessionId(s));
|
|
4787
4787
|
}
|
|
4788
4788
|
/**
|
|
4789
4789
|
* Creates a new user, sending an email verification message if necessary.
|
|
@@ -4838,7 +4838,7 @@ class Lt {
|
|
|
4838
4838
|
if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
|
|
4839
4839
|
const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, d = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
|
|
4840
4840
|
return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
|
|
4841
|
-
|
|
4841
|
+
x.hashSessionId(t),
|
|
4842
4842
|
"2fa",
|
|
4843
4843
|
c
|
|
4844
4844
|
), { userid: (await this.userStorage.createUser(s, d)).id, userData: n };
|
|
@@ -4858,13 +4858,13 @@ class Lt {
|
|
|
4858
4858
|
if (!this.authenticators[e]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
|
|
4859
4859
|
const i = await this.authenticators[e].prepareConfiguration(s), a = i == null ? {} : i.userData, n = i == null ? {} : i.sessionData;
|
|
4860
4860
|
return await this.keyStorage.updateData(
|
|
4861
|
-
|
|
4861
|
+
x.hashSessionId(t),
|
|
4862
4862
|
"2fa",
|
|
4863
4863
|
n
|
|
4864
4864
|
), a;
|
|
4865
4865
|
}
|
|
4866
4866
|
return await this.userStorage.updateUser({ id: s.id, factor2: e ?? "" }), await this.keyStorage.updateData(
|
|
4867
|
-
|
|
4867
|
+
x.hashSessionId(t),
|
|
4868
4868
|
"2fa",
|
|
4869
4869
|
void 0
|
|
4870
4870
|
), {};
|
|
@@ -4884,10 +4884,10 @@ class Lt {
|
|
|
4884
4884
|
*/
|
|
4885
4885
|
async repeatTwoFactorSignup(s) {
|
|
4886
4886
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
|
|
4887
|
-
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i =
|
|
4887
|
+
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = x.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, m = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
|
|
4888
4888
|
y && await this.keyStorage.updateData(i, "2fa", y);
|
|
4889
4889
|
const { user: p } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
|
|
4890
|
-
return { userid: p.id, userData: d, secrets:
|
|
4890
|
+
return { userid: p.id, userData: d, secrets: m };
|
|
4891
4891
|
}
|
|
4892
4892
|
/**
|
|
4893
4893
|
* Authenticates with the second factor.
|
|
@@ -4908,14 +4908,14 @@ class Lt {
|
|
|
4908
4908
|
if (r && r.state != E.active && r.state != E.factor2ResetNeeded)
|
|
4909
4909
|
throw new o(l.UserNotActive);
|
|
4910
4910
|
if (!i) throw new o(l.InvalidKey, "Session key not found");
|
|
4911
|
-
let a =
|
|
4911
|
+
let a = D.decodeData(i.data)["2fa"];
|
|
4912
4912
|
if (!(a != null && a.factor2) || !(a != null && a.username)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
|
|
4913
4913
|
let n = a.username;
|
|
4914
4914
|
const c = this.authenticators[a.factor2];
|
|
4915
4915
|
if (!c) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4916
|
-
const d = {},
|
|
4916
|
+
const d = {}, m = c.secretNames();
|
|
4917
4917
|
for (let C in a)
|
|
4918
|
-
|
|
4918
|
+
m.includes(C) && (d[C] = a[C]);
|
|
4919
4919
|
await c.authenticateUser(void 0, a, s), r || (t = !0, r = (await this.userStorage.getUserByUsername(n, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user);
|
|
4920
4920
|
const y = c.skipEmailVerificationOnSignup() == !0;
|
|
4921
4921
|
if (!r) throw new o(l.UserNotExist, "Couldn't fetch user");
|
|
@@ -4924,7 +4924,7 @@ class Lt {
|
|
|
4924
4924
|
state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
|
|
4925
4925
|
factor2: a.factor2
|
|
4926
4926
|
};
|
|
4927
|
-
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(
|
|
4927
|
+
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(x.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
|
|
4928
4928
|
}
|
|
4929
4929
|
/**
|
|
4930
4930
|
* Initiates the two factor login process.
|
|
@@ -4954,14 +4954,14 @@ class Lt {
|
|
|
4954
4954
|
*/
|
|
4955
4955
|
async initiateTwoFactorPageVisit(s, e, t, r, i) {
|
|
4956
4956
|
const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
|
|
4957
|
-
let c, d,
|
|
4958
|
-
const y =
|
|
4957
|
+
let c, d, m;
|
|
4958
|
+
const y = x.hashSessionId(e);
|
|
4959
4959
|
u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
|
|
4960
4960
|
let p = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
|
|
4961
4961
|
return i && (p["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", p), {
|
|
4962
4962
|
sessionCookie: c,
|
|
4963
4963
|
csrfCookie: d,
|
|
4964
|
-
csrfFormOrHeaderValue:
|
|
4964
|
+
csrfFormOrHeaderValue: m
|
|
4965
4965
|
};
|
|
4966
4966
|
}
|
|
4967
4967
|
/**
|
|
@@ -4977,14 +4977,14 @@ class Lt {
|
|
|
4977
4977
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorPageVisit if no user storage provided");
|
|
4978
4978
|
let { key: t } = await this.session.getUserForSessionId(e);
|
|
4979
4979
|
if (!t) throw new o(l.InvalidKey, "Session key not found");
|
|
4980
|
-
let r =
|
|
4980
|
+
let r = D.decodeData(t.data);
|
|
4981
4981
|
if (!("pre2fa" in r)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
|
|
4982
4982
|
const { secrets: i } = await this.userStorage.getUserByUsername(r.pre2fa.username), a = this.authenticators[r.pre2fa.factor2];
|
|
4983
4983
|
if (!a) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4984
4984
|
const n = {}, c = a.secretNames();
|
|
4985
4985
|
for (let d in i)
|
|
4986
4986
|
c.includes(d) && d in i && (n[d] = i[d]);
|
|
4987
|
-
await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(
|
|
4987
|
+
await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(x.hashSessionId(t.value), "pre2fa", void 0);
|
|
4988
4988
|
}
|
|
4989
4989
|
/**
|
|
4990
4990
|
* Cancels the 2FA that was previously initiated but not completed..
|
|
@@ -4998,9 +4998,9 @@ class Lt {
|
|
|
4998
4998
|
async cancelTwoFactorPageVisit(s) {
|
|
4999
4999
|
let { key: e } = await this.session.getUserForSessionId(s);
|
|
5000
5000
|
if (!e) throw new o(l.InvalidKey, "Session key not found");
|
|
5001
|
-
let t =
|
|
5001
|
+
let t = D.decodeData(e.data);
|
|
5002
5002
|
if (!("pre2fa" in t)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
|
|
5003
|
-
return await this.keyStorage.updateData(
|
|
5003
|
+
return await this.keyStorage.updateData(x.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
|
|
5004
5004
|
}
|
|
5005
5005
|
/**
|
|
5006
5006
|
* Performs the second factor authentication as the second step of the login
|
|
@@ -5023,12 +5023,12 @@ class Lt {
|
|
|
5023
5023
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorLogin if no user storage provided");
|
|
5024
5024
|
let { key: i } = await this.session.getUserForSessionId(e);
|
|
5025
5025
|
if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
|
|
5026
|
-
let a =
|
|
5027
|
-
const { user: d, secrets:
|
|
5026
|
+
let a = D.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
|
|
5027
|
+
const { user: d, secrets: m } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
|
|
5028
5028
|
if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
|
|
5029
|
-
await y.authenticateUser(d, { ...
|
|
5029
|
+
await y.authenticateUser(d, { ...m, ...a }, s);
|
|
5030
5030
|
const p = await this.session.createSessionKey(d.id, t);
|
|
5031
|
-
await this.keyStorage.deleteKey(
|
|
5031
|
+
await this.keyStorage.deleteKey(x.hashSessionId(i.value));
|
|
5032
5032
|
const _ = this.session.makeCookie(p, r), C = this.csrfTokens.createCsrfToken(), v = this.csrfTokens.makeCsrfCookie(C), k = this.csrfTokens.makeCsrfFormOrHeaderToken(C);
|
|
5033
5033
|
try {
|
|
5034
5034
|
this.emailTokenStorage.deleteAllForUser(
|
|
@@ -5106,8 +5106,8 @@ class Lt {
|
|
|
5106
5106
|
a.id,
|
|
5107
5107
|
U.passwordResetToken
|
|
5108
5108
|
);
|
|
5109
|
-
} catch (
|
|
5110
|
-
u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err:
|
|
5109
|
+
} catch (m) {
|
|
5110
|
+
u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err: m }));
|
|
5111
5111
|
}
|
|
5112
5112
|
return a;
|
|
5113
5113
|
}
|
|
@@ -5127,19 +5127,19 @@ class Lt {
|
|
|
5127
5127
|
throw new o(l.UserNotExist, "Please specify a userername");
|
|
5128
5128
|
let { email: a, username: n, password: c, ...d } = e;
|
|
5129
5129
|
d.userid = s.userid;
|
|
5130
|
-
let
|
|
5130
|
+
let m = !1;
|
|
5131
5131
|
if (a)
|
|
5132
|
-
i = a,
|
|
5132
|
+
i = a, R.validateEmail(i), m = !0;
|
|
5133
5133
|
else if (n) {
|
|
5134
5134
|
i = n;
|
|
5135
5135
|
try {
|
|
5136
|
-
|
|
5136
|
+
R.validateEmail(s.username), m = !0;
|
|
5137
5137
|
} catch {
|
|
5138
5138
|
}
|
|
5139
|
-
|
|
5139
|
+
m && R.validateEmail(i);
|
|
5140
5140
|
}
|
|
5141
|
-
return !t && this.enableEmailVerification &&
|
|
5142
|
-
emailVerificationTokenSent: !t && this.enableEmailVerification &&
|
|
5141
|
+
return !t && this.enableEmailVerification && m ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
|
|
5142
|
+
emailVerificationTokenSent: !t && this.enableEmailVerification && m,
|
|
5143
5143
|
passwordResetTokenSent: e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded
|
|
5144
5144
|
};
|
|
5145
5145
|
}
|
|
@@ -5192,7 +5192,7 @@ class ge {
|
|
|
5192
5192
|
h(this, "prefix", U.apiKey);
|
|
5193
5193
|
/** The name of the speak in the Authorization header. Defaults to "ApiKey" */
|
|
5194
5194
|
h(this, "authScheme", "ApiKey");
|
|
5195
|
-
this.apiKeyStorage = s, w("secret",
|
|
5195
|
+
this.apiKeyStorage = s, w("secret", g.String, this, e, "SECRET", !0), w("keyLength", g.String, this, e, "APIKEY_LENGTH"), w("prefix", g.String, this, e, "APIKEY_PREFIX"), w("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
|
|
5196
5196
|
}
|
|
5197
5197
|
/**
|
|
5198
5198
|
* Creates a new random key and returns it, unsigned. It is also persisted in the key storage as a
|
|
@@ -5213,11 +5213,11 @@ class ge {
|
|
|
5213
5213
|
* Authorization header (with the signature appended.)
|
|
5214
5214
|
*/
|
|
5215
5215
|
async createKey(s, e, t, r, i) {
|
|
5216
|
-
const a = T.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = ge.hashApiKeyValue(a),
|
|
5216
|
+
const a = T.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = ge.hashApiKeyValue(a), m = {
|
|
5217
5217
|
name: s,
|
|
5218
5218
|
value: a,
|
|
5219
5219
|
userid: e,
|
|
5220
|
-
data:
|
|
5220
|
+
data: D.encodeData(t),
|
|
5221
5221
|
expires: c,
|
|
5222
5222
|
created: n,
|
|
5223
5223
|
...i
|
|
@@ -5227,11 +5227,11 @@ class ge {
|
|
|
5227
5227
|
this.prefix + d,
|
|
5228
5228
|
n,
|
|
5229
5229
|
c,
|
|
5230
|
-
|
|
5230
|
+
m.data,
|
|
5231
5231
|
{ name: s, ...i }
|
|
5232
5232
|
);
|
|
5233
5233
|
const y = this.signApiKeyValue(a);
|
|
5234
|
-
return { key:
|
|
5234
|
+
return { key: m, token: y };
|
|
5235
5235
|
}
|
|
5236
5236
|
static hashApiKeyValue(s) {
|
|
5237
5237
|
return T.hash(s);
|
|
@@ -5290,7 +5290,7 @@ class J {
|
|
|
5290
5290
|
l.Configuration,
|
|
5291
5291
|
"Must specify clientStorage when adding a client manager"
|
|
5292
5292
|
);
|
|
5293
|
-
this.clientStorage = s.clientStorage, w("oauthPbkdf2Digest",
|
|
5293
|
+
this.clientStorage = s.clientStorage, w("oauthPbkdf2Digest", g.String, this, s, "OAUTH_PBKDF2_DIGEST"), w("oauthPbkdf2KeyLength", g.String, this, s, "OAUTH_PBKDF2_KEYLENGTH"), w("requireRedirectUriRegistration", g.Boolean, this, s, "OAUTH_REQUIRE_REDIRECT_URI_REGISTRATION");
|
|
5294
5294
|
}
|
|
5295
5295
|
/**
|
|
5296
5296
|
* Creates a client and puts it in the storage
|
|
@@ -5324,10 +5324,10 @@ class J {
|
|
|
5324
5324
|
valid_flow: t,
|
|
5325
5325
|
userid: i
|
|
5326
5326
|
};
|
|
5327
|
-
let
|
|
5327
|
+
let m;
|
|
5328
5328
|
for (let y = 0; y < 5; ++y)
|
|
5329
5329
|
try {
|
|
5330
|
-
|
|
5330
|
+
m = await this.clientStorage.createClient(d);
|
|
5331
5331
|
break;
|
|
5332
5332
|
} catch (p) {
|
|
5333
5333
|
if (y == 4) {
|
|
@@ -5335,8 +5335,8 @@ class J {
|
|
|
5335
5335
|
} else
|
|
5336
5336
|
d.client_id = J.randomClientId();
|
|
5337
5337
|
}
|
|
5338
|
-
if (!
|
|
5339
|
-
return
|
|
5338
|
+
if (!m) throw new o(l.ClientExists);
|
|
5339
|
+
return m.client_secret && c && (m.client_secret = c), m;
|
|
5340
5340
|
}
|
|
5341
5341
|
/**
|
|
5342
5342
|
* Updates a client
|
|
@@ -5470,6 +5470,7 @@ class zt {
|
|
|
5470
5470
|
h(this, "validateScopes", !1);
|
|
5471
5471
|
h(this, "validScopes", []);
|
|
5472
5472
|
h(this, "idTokenClaims", {});
|
|
5473
|
+
h(this, "accessTokenClaims", {});
|
|
5473
5474
|
// device code
|
|
5474
5475
|
h(this, "userCodeExpiry", 60 * 5);
|
|
5475
5476
|
h(this, "userCodeThrottle", 1500);
|
|
@@ -5482,9 +5483,9 @@ class zt {
|
|
|
5482
5483
|
h(this, "validFlows", ["all"]);
|
|
5483
5484
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
|
|
5484
5485
|
h(this, "allowedFactor2", []);
|
|
5485
|
-
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), w("oauthIssuer",
|
|
5486
|
+
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), w("oauthIssuer", g.String, this, r, "AUTH_SERVER_BASE_URL", !0), w("audience", g.String, this, r, "OAUTH_AUDIENCE"), w("oauthPbkdf2Iterations", g.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), w("requireClientSecretOrChallenge", g.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), w("jwtAlgorithm", g.String, this, r, "JWT_ALGORITHM"), w("codeLength", g.Number, this, r, "OAUTH_CODE_LENGTH"), w("jwtKeyType", g.String, this, r, "JWT_KEY_TYPE"), w("jwtSecretKeyFile", g.String, this, r, "JWT_SECRET_KEY_FILE"), w("jwtPublicKeyFile", g.String, this, r, "JWT_PUBLIC_KEY_FILE"), w("jwtPrivateKeyFile", g.String, this, r, "JWT_PRIVATE_KEY_FILE"), w("jwtSecretKey", g.String, this, r, "JWT_SECRET_KEY"), w("jwtPublicKey", g.String, this, r, "JWT_PUBLIC_KEY"), w("jwtPrivateKey", g.String, this, r, "JWT_PRIVATE_KEY"), w("jwtKid", g.String, this, r, "JWT_KID"), w("persistAccessToken", g.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), w("issueRefreshToken", g.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), w("opaqueAccessToken", g.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), w("accessTokenExpiry", g.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), w("refreshTokenExpiry", g.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), w("rollingRefreshToken", g.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), w("authorizationCodeExpiry", g.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), w("mfaTokenExpiry", g.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), w("clockTolerance", g.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), w("validateScopes", g.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), w("emptyScopeIsValid", g.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), w("validScopes", g.JsonArray, this, r, "OAUTH_VALID_SCOPES"), w("validFlows", g.JsonArray, this, r, "OAUTH_validFlows"), w("idTokenClaims", g.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), w("accessTokenClaims", g.Json, this, r, "OAUTH_ACCESS_TOKEN_CLAIMS"), w("allowedFactor2", g.JsonArray, this, r, "ALLOWED_FACTOR2"), w("userCodeExpiry", g.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), w("userCodeThrottle", g.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), w("deviceCodePollInterval", g.Number, this, r, "DEVICECODE_POLL_INTERVAL"), w("deviceCodeLength", g.Number, this, r, "DEVICECODE_LENGTH"), w("userCodeLength", g.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
|
|
5486
5487
|
let i = {};
|
|
5487
|
-
if (w("userCodeDashEvery",
|
|
5488
|
+
if (w("userCodeDashEvery", g.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
|
|
5488
5489
|
if (i.userCodeDashEvery == "" || i.userCodeDashEvery.toLowerCase() == "null") this.userCodeDashEvery = null;
|
|
5489
5490
|
else
|
|
5490
5491
|
try {
|
|
@@ -5495,7 +5496,7 @@ class zt {
|
|
|
5495
5496
|
"userCodeDashEvery must be a number or null"
|
|
5496
5497
|
);
|
|
5497
5498
|
}
|
|
5498
|
-
if (w("deviceCodeVerificationUri",
|
|
5499
|
+
if (w("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] == b.All && (this.validFlows = b.allFlows()), this.jwtAlgorithmChecked = at(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
5499
5500
|
if (this.jwtPublicKey || this.jwtPublicKeyFile || this.jwtPrivateKey || this.jwtPrivateKeyFile)
|
|
5500
5501
|
throw new o(
|
|
5501
5502
|
l.Configuration,
|
|
@@ -5572,9 +5573,9 @@ class zt {
|
|
|
5572
5573
|
error: "unsupported_response_type",
|
|
5573
5574
|
error_description: "Unsupported response type " + s
|
|
5574
5575
|
};
|
|
5575
|
-
let
|
|
5576
|
+
let m;
|
|
5576
5577
|
try {
|
|
5577
|
-
|
|
5578
|
+
m = await this.clientStorage.getClientById(e);
|
|
5578
5579
|
} catch (v) {
|
|
5579
5580
|
return u.logger.debug(f({ err: v })), {
|
|
5580
5581
|
error: "unauthorized_client",
|
|
@@ -5596,7 +5597,7 @@ class zt {
|
|
|
5596
5597
|
error: "access_denied",
|
|
5597
5598
|
error_description: "Unsupported flow type " + C
|
|
5598
5599
|
};
|
|
5599
|
-
if (!
|
|
5600
|
+
if (!m.valid_flow.includes(C))
|
|
5600
5601
|
return {
|
|
5601
5602
|
error: "unauthorized_client",
|
|
5602
5603
|
error_description: "Client does not support " + C
|
|
@@ -5610,7 +5611,7 @@ class zt {
|
|
|
5610
5611
|
};
|
|
5611
5612
|
}
|
|
5612
5613
|
return s == "code" ? await this.getAuthorizationCode(
|
|
5613
|
-
|
|
5614
|
+
m,
|
|
5614
5615
|
t,
|
|
5615
5616
|
y,
|
|
5616
5617
|
i,
|
|
@@ -5753,13 +5754,13 @@ class zt {
|
|
|
5753
5754
|
refreshToken: n,
|
|
5754
5755
|
username: c,
|
|
5755
5756
|
password: d,
|
|
5756
|
-
mfaToken:
|
|
5757
|
+
mfaToken: m,
|
|
5757
5758
|
oobCode: y,
|
|
5758
5759
|
bindingCode: p,
|
|
5759
5760
|
otp: _,
|
|
5760
5761
|
deviceCode: C
|
|
5761
5762
|
}) {
|
|
5762
|
-
var
|
|
5763
|
+
var O, V, M;
|
|
5763
5764
|
const v = this.inferFlowFromPost(s, a);
|
|
5764
5765
|
if (!v) return {
|
|
5765
5766
|
error: "server_error",
|
|
@@ -5767,8 +5768,8 @@ class zt {
|
|
|
5767
5768
|
};
|
|
5768
5769
|
const k = await this.getClientById(e);
|
|
5769
5770
|
if (!k.client) return k;
|
|
5770
|
-
const A = k.client,
|
|
5771
|
-
if (
|
|
5771
|
+
const A = k.client, z = await this.authenticateClient(v, A, i);
|
|
5772
|
+
if (z.error) return z;
|
|
5772
5773
|
if (v == b.Password && !this.validFlows.includes(v) && !this.validFlows.includes(b.PasswordMfa))
|
|
5773
5774
|
return {
|
|
5774
5775
|
error: "access_denied",
|
|
@@ -5784,9 +5785,9 @@ class zt {
|
|
|
5784
5785
|
error: "unauthorized_client",
|
|
5785
5786
|
error_description: "Client does not support " + v
|
|
5786
5787
|
};
|
|
5787
|
-
let
|
|
5788
|
-
this.issueRefreshToken && v != b.RefreshToken && (
|
|
5789
|
-
let
|
|
5788
|
+
let H = !1;
|
|
5789
|
+
this.issueRefreshToken && v != b.RefreshToken && (H = !0), this.issueRefreshToken && v == b.RefreshToken && this.rollingRefreshToken && (H = !0);
|
|
5790
|
+
let K;
|
|
5790
5791
|
if (s == "authorization_code")
|
|
5791
5792
|
return this.requireClientSecretOrChallenge && A && A.client_secret && !i && !a ? {
|
|
5792
5793
|
error: "access_denied",
|
|
@@ -5799,28 +5800,28 @@ class zt {
|
|
|
5799
5800
|
code: r,
|
|
5800
5801
|
client_secret: i,
|
|
5801
5802
|
codeVerifier: a,
|
|
5802
|
-
issueRefreshToken:
|
|
5803
|
+
issueRefreshToken: H
|
|
5803
5804
|
}) : {
|
|
5804
5805
|
error: "access_denied",
|
|
5805
5806
|
error_description: "No authorization code provided for authorization code flow"
|
|
5806
5807
|
};
|
|
5807
5808
|
if (s == "refresh_token") {
|
|
5808
|
-
const
|
|
5809
|
-
if (!n || !
|
|
5809
|
+
const N = await this.getRefreshTokenData(n);
|
|
5810
|
+
if (!n || !N || !this.userStorage)
|
|
5810
5811
|
return {
|
|
5811
5812
|
error: "access_denied",
|
|
5812
5813
|
error_description: "Refresh token is invalid"
|
|
5813
5814
|
};
|
|
5814
5815
|
let P;
|
|
5815
|
-
if (
|
|
5816
|
+
if (N.username)
|
|
5816
5817
|
try {
|
|
5817
|
-
const { user: F } = await ((
|
|
5818
|
+
const { user: F } = await ((O = this.userStorage) == null ? void 0 : O.getUserByUsername(N.username));
|
|
5818
5819
|
P = F;
|
|
5819
5820
|
} catch (F) {
|
|
5820
5821
|
return u.logger.error(f({
|
|
5821
5822
|
err: F,
|
|
5822
5823
|
msg: "Couldn't get user for refresh token. Doesn't exist?",
|
|
5823
|
-
username:
|
|
5824
|
+
username: N.username
|
|
5824
5825
|
})), {
|
|
5825
5826
|
error: "access_denied",
|
|
5826
5827
|
error_description: "Refresh token is invalid"
|
|
@@ -5837,13 +5838,13 @@ class zt {
|
|
|
5837
5838
|
client: A,
|
|
5838
5839
|
client_secret: i,
|
|
5839
5840
|
codeVerifier: a,
|
|
5840
|
-
issueRefreshToken:
|
|
5841
|
-
scopes:
|
|
5841
|
+
issueRefreshToken: H,
|
|
5842
|
+
scopes: N.scope,
|
|
5842
5843
|
user: P
|
|
5843
5844
|
});
|
|
5844
5845
|
} else if (s == "client_credentials") {
|
|
5845
5846
|
const {
|
|
5846
|
-
scopes:
|
|
5847
|
+
scopes: N,
|
|
5847
5848
|
error: P,
|
|
5848
5849
|
error_description: F
|
|
5849
5850
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
@@ -5854,8 +5855,8 @@ class zt {
|
|
|
5854
5855
|
client: A,
|
|
5855
5856
|
client_secret: i,
|
|
5856
5857
|
codeVerifier: a,
|
|
5857
|
-
scopes:
|
|
5858
|
-
issueRefreshToken:
|
|
5858
|
+
scopes: N,
|
|
5859
|
+
issueRefreshToken: H
|
|
5859
5860
|
});
|
|
5860
5861
|
} else if (s == "password") {
|
|
5861
5862
|
if (!c || !d)
|
|
@@ -5869,17 +5870,17 @@ class zt {
|
|
|
5869
5870
|
error: "server_error",
|
|
5870
5871
|
error_description: "Password authentication not configured"
|
|
5871
5872
|
};
|
|
5872
|
-
const { user: I, secrets: $ } = await this.userStorage.getUserByUsername(c),
|
|
5873
|
-
if (!
|
|
5873
|
+
const { user: I, secrets: $ } = await this.userStorage.getUserByUsername(c), B = this.authenticators[I.factor1];
|
|
5874
|
+
if (!B || !B.secretNames().includes("password"))
|
|
5874
5875
|
return {
|
|
5875
5876
|
error: "access_denied",
|
|
5876
5877
|
error_description: "Password flow used but factor 1 authenticator does not accept passwords"
|
|
5877
5878
|
};
|
|
5878
|
-
await
|
|
5879
|
+
await B.authenticateUser(
|
|
5879
5880
|
I,
|
|
5880
5881
|
$,
|
|
5881
5882
|
{ password: d }
|
|
5882
|
-
),
|
|
5883
|
+
), K = I;
|
|
5883
5884
|
} catch (I) {
|
|
5884
5885
|
return u.logger.debug(f({ err: I })), {
|
|
5885
5886
|
error: "access_denied",
|
|
@@ -5887,27 +5888,27 @@ class zt {
|
|
|
5887
5888
|
};
|
|
5888
5889
|
}
|
|
5889
5890
|
const {
|
|
5890
|
-
scopes:
|
|
5891
|
+
scopes: N,
|
|
5891
5892
|
error: P,
|
|
5892
5893
|
error_description: F
|
|
5893
|
-
} = await this.validateAndPersistScope(e, t,
|
|
5894
|
+
} = await this.validateAndPersistScope(e, t, K);
|
|
5894
5895
|
return P ? {
|
|
5895
5896
|
error: P,
|
|
5896
5897
|
error_description: F
|
|
5897
|
-
} :
|
|
5898
|
+
} : K.factor2 ? this.allowedFactor2.length > 0 && (K.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(K.factor2 ? K.factor2 : "none")) ? {
|
|
5898
5899
|
error: "access_denied",
|
|
5899
5900
|
error_description: "2FA method not allowed or needs to be reconfigured"
|
|
5900
|
-
} : await this.createMfaRequest(
|
|
5901
|
+
} : await this.createMfaRequest(K) : await this.makeAccessToken({
|
|
5901
5902
|
client: A,
|
|
5902
5903
|
client_secret: i,
|
|
5903
5904
|
codeVerifier: a,
|
|
5904
|
-
scopes:
|
|
5905
|
-
issueRefreshToken:
|
|
5906
|
-
user:
|
|
5905
|
+
scopes: N,
|
|
5906
|
+
issueRefreshToken: H,
|
|
5907
|
+
user: K
|
|
5907
5908
|
});
|
|
5908
5909
|
} else if (s == "http://auth0.com/oauth/grant-type/mfa-otp") {
|
|
5909
5910
|
const {
|
|
5910
|
-
scopes:
|
|
5911
|
+
scopes: N,
|
|
5911
5912
|
error: P,
|
|
5912
5913
|
error_description: F
|
|
5913
5914
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
@@ -5921,41 +5922,41 @@ class zt {
|
|
|
5921
5922
|
error: "access_denied",
|
|
5922
5923
|
error_description: "OTP not provided"
|
|
5923
5924
|
};
|
|
5924
|
-
if (!
|
|
5925
|
+
if (!m)
|
|
5925
5926
|
return {
|
|
5926
5927
|
error: "access_denied",
|
|
5927
5928
|
error_description: "MFA token not provided"
|
|
5928
5929
|
};
|
|
5929
|
-
const I = await this.validateMfaToken(
|
|
5930
|
+
const I = await this.validateMfaToken(m), $ = U.mfaToken + T.hash(m);
|
|
5930
5931
|
if (!I.user || !I.key)
|
|
5931
5932
|
return {
|
|
5932
5933
|
error: "access_denied",
|
|
5933
5934
|
error_description: "Invalid MFA token"
|
|
5934
5935
|
};
|
|
5935
|
-
const
|
|
5936
|
-
if (!
|
|
5936
|
+
const B = this.authenticators[I.user.factor2];
|
|
5937
|
+
if (!B || !this.userStorage)
|
|
5937
5938
|
return {
|
|
5938
5939
|
error: "access_denied",
|
|
5939
5940
|
error_description: "MFA type is not supported for OAuth"
|
|
5940
5941
|
};
|
|
5941
5942
|
try {
|
|
5942
|
-
const { secrets:
|
|
5943
|
-
await
|
|
5943
|
+
const { secrets: j } = await this.userStorage.getUserById(I.user.id);
|
|
5944
|
+
await B.authenticateUser(
|
|
5944
5945
|
I.user,
|
|
5945
|
-
|
|
5946
|
+
j,
|
|
5946
5947
|
{ otp: _ }
|
|
5947
5948
|
);
|
|
5948
|
-
} catch (
|
|
5949
|
-
return u.logger.debug(f({ err:
|
|
5949
|
+
} catch (j) {
|
|
5950
|
+
return u.logger.debug(f({ err: j })), {
|
|
5950
5951
|
error: "access_denied",
|
|
5951
5952
|
error_description: "Invalid OTP"
|
|
5952
5953
|
};
|
|
5953
5954
|
}
|
|
5954
5955
|
try {
|
|
5955
5956
|
await this.keyStorage.deleteKey($);
|
|
5956
|
-
} catch (
|
|
5957
|
-
u.logger.debug(f({ err:
|
|
5958
|
-
cerr:
|
|
5957
|
+
} catch (j) {
|
|
5958
|
+
u.logger.debug(f({ err: j })), u.logger.warn(f({
|
|
5959
|
+
cerr: j,
|
|
5959
5960
|
msg: "Couldn't delete mfa token",
|
|
5960
5961
|
hashedMfaToken: I.key.value
|
|
5961
5962
|
}));
|
|
@@ -5964,13 +5965,13 @@ class zt {
|
|
|
5964
5965
|
client: A,
|
|
5965
5966
|
client_secret: i,
|
|
5966
5967
|
codeVerifier: a,
|
|
5967
|
-
scopes:
|
|
5968
|
-
issueRefreshToken:
|
|
5968
|
+
scopes: N,
|
|
5969
|
+
issueRefreshToken: H,
|
|
5969
5970
|
user: I.user
|
|
5970
5971
|
});
|
|
5971
5972
|
} else if (s == "http://auth0.com/oauth/grant-type/mfa-oob") {
|
|
5972
5973
|
const {
|
|
5973
|
-
scopes:
|
|
5974
|
+
scopes: N,
|
|
5974
5975
|
error: P,
|
|
5975
5976
|
error_description: F
|
|
5976
5977
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
@@ -5984,12 +5985,12 @@ class zt {
|
|
|
5984
5985
|
error: "access_denied",
|
|
5985
5986
|
error_description: "OOB code or binding code not provided"
|
|
5986
5987
|
};
|
|
5987
|
-
if (!
|
|
5988
|
+
if (!m)
|
|
5988
5989
|
return {
|
|
5989
5990
|
error: "access_denied",
|
|
5990
5991
|
error_description: "MFA token not provided"
|
|
5991
5992
|
};
|
|
5992
|
-
const I = await this.validateMfaToken(
|
|
5993
|
+
const I = await this.validateMfaToken(m);
|
|
5993
5994
|
if (!I.user || !I.key)
|
|
5994
5995
|
return {
|
|
5995
5996
|
error: "access_denied",
|
|
@@ -6002,33 +6003,33 @@ class zt {
|
|
|
6002
6003
|
error_description: "MFA type is not supported for OAuth"
|
|
6003
6004
|
};
|
|
6004
6005
|
try {
|
|
6005
|
-
const { secrets:
|
|
6006
|
-
if (!
|
|
6006
|
+
const { secrets: B } = await this.userStorage.getUserById(I.user.id), j = D.decodeData(I.key.data).omfa;
|
|
6007
|
+
if (!j || !j.otp || !j.oobCode)
|
|
6007
6008
|
return {
|
|
6008
6009
|
error: "server_error",
|
|
6009
6010
|
error_description: "Cannot retrieve email OTP"
|
|
6010
6011
|
};
|
|
6011
|
-
if (
|
|
6012
|
+
if (j.oobCode != y)
|
|
6012
6013
|
return {
|
|
6013
6014
|
error: "access_denied",
|
|
6014
6015
|
error_description: "Invalid OOB code"
|
|
6015
6016
|
};
|
|
6016
6017
|
await $.authenticateUser(
|
|
6017
6018
|
I.user,
|
|
6018
|
-
{ ...
|
|
6019
|
+
{ ...B, otp: j.otp, expiry: (V = I.key.expires) == null ? void 0 : V.getTime() },
|
|
6019
6020
|
{ otp: p }
|
|
6020
6021
|
);
|
|
6021
|
-
} catch (
|
|
6022
|
-
return u.logger.debug(f({ err:
|
|
6022
|
+
} catch (B) {
|
|
6023
|
+
return u.logger.debug(f({ err: B })), {
|
|
6023
6024
|
error: "access_denied",
|
|
6024
6025
|
error_description: "Invalid OTP"
|
|
6025
6026
|
};
|
|
6026
6027
|
}
|
|
6027
6028
|
try {
|
|
6028
6029
|
await this.keyStorage.deleteKey(I.key.value);
|
|
6029
|
-
} catch (
|
|
6030
|
-
u.logger.debug(f({ err:
|
|
6031
|
-
cerr:
|
|
6030
|
+
} catch (B) {
|
|
6031
|
+
u.logger.debug(f({ err: B })), u.logger.warn(f({
|
|
6032
|
+
cerr: B,
|
|
6032
6033
|
msg: "Couldn't delete mfa token",
|
|
6033
6034
|
hashedMfaToken: I.key.value
|
|
6034
6035
|
}));
|
|
@@ -6037,8 +6038,8 @@ class zt {
|
|
|
6037
6038
|
client: A,
|
|
6038
6039
|
client_secret: i,
|
|
6039
6040
|
codeVerifier: a,
|
|
6040
|
-
scopes:
|
|
6041
|
-
issueRefreshToken:
|
|
6041
|
+
scopes: N,
|
|
6042
|
+
issueRefreshToken: H,
|
|
6042
6043
|
user: I.user
|
|
6043
6044
|
});
|
|
6044
6045
|
} else if (s == "urn:ietf:params:oauth:grant-type:device_code") {
|
|
@@ -6047,9 +6048,9 @@ class zt {
|
|
|
6047
6048
|
error: "invalid_request",
|
|
6048
6049
|
error_description: "No device code given"
|
|
6049
6050
|
};
|
|
6050
|
-
let
|
|
6051
|
+
let N;
|
|
6051
6052
|
try {
|
|
6052
|
-
|
|
6053
|
+
N = await this.keyStorage.getKey(U.deviceCode + C);
|
|
6053
6054
|
} catch (P) {
|
|
6054
6055
|
const F = o.asCrossauthError(P);
|
|
6055
6056
|
return u.logger.debug(f({ err: F })), u.logger.error(f({ msg: "Couldn't get device code", cerr: F })), {
|
|
@@ -6058,8 +6059,8 @@ class zt {
|
|
|
6058
6059
|
};
|
|
6059
6060
|
}
|
|
6060
6061
|
try {
|
|
6061
|
-
const P = JSON.parse(
|
|
6062
|
-
if (
|
|
6062
|
+
const P = JSON.parse(N.data ?? "{}"), F = (/* @__PURE__ */ new Date()).getTime();
|
|
6063
|
+
if (N.expires && F > N.expires.getTime())
|
|
6063
6064
|
return await this.deleteDeviceCode(C), {
|
|
6064
6065
|
error: "expired_token",
|
|
6065
6066
|
error_description: "Code has expired"
|
|
@@ -6070,13 +6071,13 @@ class zt {
|
|
|
6070
6071
|
error_description: "Waiting for user code to be entered"
|
|
6071
6072
|
};
|
|
6072
6073
|
{
|
|
6073
|
-
let I = P.scope ? P.scope.split(" ") : void 0, $ = P.userid ? await ((
|
|
6074
|
+
let I = P.scope ? P.scope.split(" ") : void 0, $ = P.userid ? await ((M = this.userStorage) == null ? void 0 : M.getUserById(P.userid)) : void 0;
|
|
6074
6075
|
return await this.deleteDeviceCode(C), await this.makeAccessToken({
|
|
6075
6076
|
client: A,
|
|
6076
6077
|
client_secret: i,
|
|
6077
6078
|
codeVerifier: a,
|
|
6078
6079
|
scopes: I,
|
|
6079
|
-
issueRefreshToken:
|
|
6080
|
+
issueRefreshToken: H,
|
|
6080
6081
|
user: $ == null ? void 0 : $.user
|
|
6081
6082
|
});
|
|
6082
6083
|
}
|
|
@@ -6156,13 +6157,13 @@ class zt {
|
|
|
6156
6157
|
};
|
|
6157
6158
|
}
|
|
6158
6159
|
let c, d = !1;
|
|
6159
|
-
const
|
|
6160
|
+
const m = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, p = new Date(m.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
|
|
6160
6161
|
for (let v = 0; v < 10 && !d; ++v)
|
|
6161
6162
|
try {
|
|
6162
6163
|
c = T.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
|
|
6163
6164
|
void 0,
|
|
6164
6165
|
U.deviceCode + c,
|
|
6165
|
-
|
|
6166
|
+
m,
|
|
6166
6167
|
p,
|
|
6167
6168
|
JSON.stringify({ scope: e, client_id: s })
|
|
6168
6169
|
), d = !0;
|
|
@@ -6181,7 +6182,7 @@ class zt {
|
|
|
6181
6182
|
_ = T.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
|
|
6182
6183
|
void 0,
|
|
6183
6184
|
U.userCode + _,
|
|
6184
|
-
|
|
6185
|
+
m,
|
|
6185
6186
|
p,
|
|
6186
6187
|
JSON.stringify({ deviceCode: c })
|
|
6187
6188
|
), d = !0;
|
|
@@ -6221,7 +6222,7 @@ class zt {
|
|
|
6221
6222
|
userCode: s,
|
|
6222
6223
|
user: e
|
|
6223
6224
|
}) {
|
|
6224
|
-
var
|
|
6225
|
+
var m;
|
|
6225
6226
|
s = s.replace(/[ -]*/g, "");
|
|
6226
6227
|
let t, r = {};
|
|
6227
6228
|
try {
|
|
@@ -6267,7 +6268,7 @@ class zt {
|
|
|
6267
6268
|
error_description: "Unexpected or incomplete data in device code key"
|
|
6268
6269
|
};
|
|
6269
6270
|
}
|
|
6270
|
-
if ((/* @__PURE__ */ new Date()).getTime() > ((
|
|
6271
|
+
if ((/* @__PURE__ */ new Date()).getTime() > ((m = r.expires) == null ? void 0 : m.getTime()))
|
|
6271
6272
|
return await this.deleteUserCode(s), {
|
|
6272
6273
|
ok: !1,
|
|
6273
6274
|
error: "expired_token",
|
|
@@ -6447,7 +6448,7 @@ class zt {
|
|
|
6447
6448
|
error_description: "Invalid MFA token"
|
|
6448
6449
|
};
|
|
6449
6450
|
try {
|
|
6450
|
-
if (
|
|
6451
|
+
if (D.decodeData(t.data).omfaaid != e.factor2)
|
|
6451
6452
|
return {
|
|
6452
6453
|
error: "access_denied",
|
|
6453
6454
|
error_description: "authenticatorId not valid for user"
|
|
@@ -6508,9 +6509,9 @@ class zt {
|
|
|
6508
6509
|
if (!n.client) return n;
|
|
6509
6510
|
const c = n.client, d = await this.authenticateClient(a, c, t);
|
|
6510
6511
|
if (d.error) return d;
|
|
6511
|
-
const
|
|
6512
|
-
if (!
|
|
6513
|
-
if (
|
|
6512
|
+
const m = await this.validateMfaToken(s);
|
|
6513
|
+
if (!m.user || !m.key) return m;
|
|
6514
|
+
if (m.user.factor2 != i)
|
|
6514
6515
|
return {
|
|
6515
6516
|
error: "access_denied",
|
|
6516
6517
|
error_description: "Invalid MFA authenticator"
|
|
@@ -6525,15 +6526,15 @@ class zt {
|
|
|
6525
6526
|
oobCode: T.randomValue(this.codeLength)
|
|
6526
6527
|
});
|
|
6527
6528
|
try {
|
|
6528
|
-
const p = this.authenticators[
|
|
6529
|
+
const p = this.authenticators[m.user.factor2];
|
|
6529
6530
|
if (!p)
|
|
6530
6531
|
throw new o(
|
|
6531
6532
|
l.Configuration,
|
|
6532
6533
|
"User's authenticator has not been loaded"
|
|
6533
6534
|
);
|
|
6534
|
-
const _ = await p.createOneTimeSecrets(
|
|
6535
|
+
const _ = await p.createOneTimeSecrets(m.user);
|
|
6535
6536
|
await this.keyStorage.updateData(
|
|
6536
|
-
|
|
6537
|
+
m.key.value,
|
|
6537
6538
|
"omfa",
|
|
6538
6539
|
{ ...y, ..._ }
|
|
6539
6540
|
);
|
|
@@ -6600,7 +6601,7 @@ class zt {
|
|
|
6600
6601
|
error: "invalid_request",
|
|
6601
6602
|
error_description: `The redirect uri ${e} is invalid`
|
|
6602
6603
|
};
|
|
6603
|
-
const d = /* @__PURE__ */ new Date(),
|
|
6604
|
+
const d = /* @__PURE__ */ new Date(), m = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
|
|
6604
6605
|
t && (y.scope = t), i && (y.challengeMethod = a, y.challenge = T.hash(i)), n && (y.username = n.username, y.id = n.id);
|
|
6605
6606
|
const p = JSON.stringify(y);
|
|
6606
6607
|
let _ = !1, C = "";
|
|
@@ -6610,7 +6611,7 @@ class zt {
|
|
|
6610
6611
|
void 0,
|
|
6611
6612
|
U.authorizationCode + T.hash(C),
|
|
6612
6613
|
d,
|
|
6613
|
-
|
|
6614
|
+
m,
|
|
6614
6615
|
p
|
|
6615
6616
|
), _ = !0;
|
|
6616
6617
|
} catch {
|
|
@@ -6635,15 +6636,15 @@ class zt {
|
|
|
6635
6636
|
issueRefreshToken: a = !1,
|
|
6636
6637
|
user: n
|
|
6637
6638
|
}) {
|
|
6638
|
-
var
|
|
6639
|
+
var z, H;
|
|
6639
6640
|
let c = !0;
|
|
6640
6641
|
try {
|
|
6641
6642
|
s.client_secret != null && (c = await T.passwordsEqual(
|
|
6642
6643
|
t ?? "",
|
|
6643
6644
|
s.client_secret ?? ""
|
|
6644
6645
|
));
|
|
6645
|
-
} catch (
|
|
6646
|
-
return u.logger.error(f({ err:
|
|
6646
|
+
} catch (K) {
|
|
6647
|
+
return u.logger.error(f({ err: K })), { error: "server_error", error_description: "Couldn't validate client" };
|
|
6647
6648
|
}
|
|
6648
6649
|
if (!c) return {
|
|
6649
6650
|
error: "access_denied",
|
|
@@ -6651,20 +6652,20 @@ class zt {
|
|
|
6651
6652
|
};
|
|
6652
6653
|
let d = {};
|
|
6653
6654
|
if (e) {
|
|
6654
|
-
let
|
|
6655
|
+
let K;
|
|
6655
6656
|
try {
|
|
6656
|
-
|
|
6657
|
-
} catch (
|
|
6658
|
-
return u.logger.debug(f({ err:
|
|
6657
|
+
K = await this.keyStorage.getKey(U.authorizationCode + T.hash(e)), d = D.decodeData(K.data);
|
|
6658
|
+
} catch (O) {
|
|
6659
|
+
return u.logger.debug(f({ err: O })), {
|
|
6659
6660
|
error: "access_denied",
|
|
6660
6661
|
error_description: "Invalid or expired authorization code"
|
|
6661
6662
|
};
|
|
6662
6663
|
}
|
|
6663
6664
|
try {
|
|
6664
|
-
await this.keyStorage.deleteKey(
|
|
6665
|
-
} catch (
|
|
6665
|
+
await this.keyStorage.deleteKey(K.value);
|
|
6666
|
+
} catch (O) {
|
|
6666
6667
|
u.logger.warn(f({
|
|
6667
|
-
err:
|
|
6668
|
+
err: O,
|
|
6668
6669
|
msg: "Couldn't delete authorization code from storatge",
|
|
6669
6670
|
client_id: s == null ? void 0 : s.client_id
|
|
6670
6671
|
}));
|
|
@@ -6677,66 +6678,67 @@ class zt {
|
|
|
6677
6678
|
error_description: "Invalid code challenge/code challenge method method for authorization code"
|
|
6678
6679
|
};
|
|
6679
6680
|
if (d.challenge) {
|
|
6680
|
-
const
|
|
6681
|
-
if (T.hash(
|
|
6681
|
+
const K = d.challengeMethod == "plain" ? r ?? "" : T.sha256(r ?? "");
|
|
6682
|
+
if (T.hash(K) != d.challenge)
|
|
6682
6683
|
return {
|
|
6683
6684
|
error: "access_denied",
|
|
6684
6685
|
error_description: "Code verifier is incorrect"
|
|
6685
6686
|
};
|
|
6686
6687
|
}
|
|
6687
|
-
const
|
|
6688
|
+
const m = /* @__PURE__ */ new Date(), y = Math.ceil(m.getTime() / 1e3);
|
|
6688
6689
|
let p;
|
|
6689
|
-
|
|
6690
|
+
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage && d.username)
|
|
6691
|
+
try {
|
|
6692
|
+
const { user: K } = await this.userStorage.getUserByUsername(d.username);
|
|
6693
|
+
n = K;
|
|
6694
|
+
} catch (K) {
|
|
6695
|
+
return u.logger.error(f({ err: K })), {
|
|
6696
|
+
error: "server_error",
|
|
6697
|
+
error_description: "Couldn't load user data"
|
|
6698
|
+
};
|
|
6699
|
+
}
|
|
6700
|
+
const _ = T.uuid();
|
|
6701
|
+
let C = {
|
|
6690
6702
|
jti: _,
|
|
6691
6703
|
iat: y,
|
|
6692
6704
|
iss: this.oauthIssuer,
|
|
6693
6705
|
sub: d.username,
|
|
6694
6706
|
type: "access"
|
|
6695
6707
|
};
|
|
6696
|
-
i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(
|
|
6697
|
-
const v = await new Promise((
|
|
6708
|
+
C = this.addClaims(C, this.accessTokenClaims, i, n), i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(m.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
|
|
6709
|
+
const v = await new Promise((K, O) => {
|
|
6698
6710
|
se.sign(
|
|
6699
6711
|
C,
|
|
6700
6712
|
this.secretOrPrivateKey,
|
|
6701
6713
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6702
|
-
(
|
|
6703
|
-
|
|
6714
|
+
(V, M) => {
|
|
6715
|
+
M ? K(M) : O(V || new o(
|
|
6704
6716
|
l.Unauthorized,
|
|
6705
6717
|
"Couldn't create jwt"
|
|
6706
6718
|
));
|
|
6707
6719
|
}
|
|
6708
6720
|
);
|
|
6709
6721
|
});
|
|
6710
|
-
this.persistAccessToken && this.keyStorage && await ((
|
|
6722
|
+
this.persistAccessToken && this.keyStorage && await ((z = this.keyStorage) == null ? void 0 : z.saveKey(
|
|
6711
6723
|
void 0,
|
|
6712
6724
|
// to avoid user storage dependency, we don't set this
|
|
6713
6725
|
U.accessToken + T.hash(_),
|
|
6714
|
-
|
|
6726
|
+
m,
|
|
6715
6727
|
p
|
|
6716
6728
|
));
|
|
6717
6729
|
let k;
|
|
6718
6730
|
if (i && i.includes("openid")) {
|
|
6719
|
-
|
|
6720
|
-
|
|
6721
|
-
const { user: O } = await this.userStorage.getUserByUsername(d.username);
|
|
6722
|
-
n = O;
|
|
6723
|
-
} catch (O) {
|
|
6724
|
-
return u.logger.error(f({ err: O })), {
|
|
6725
|
-
error: "server_error",
|
|
6726
|
-
error_description: "Couldn't load user data"
|
|
6727
|
-
};
|
|
6728
|
-
}
|
|
6729
|
-
const N = T.uuid();
|
|
6730
|
-
let K = {
|
|
6731
|
+
const K = T.uuid();
|
|
6732
|
+
let O = {
|
|
6731
6733
|
aud: s.client_id,
|
|
6732
|
-
jti:
|
|
6734
|
+
jti: K,
|
|
6733
6735
|
iat: y,
|
|
6734
6736
|
iss: this.oauthIssuer,
|
|
6735
6737
|
sub: d.username,
|
|
6736
6738
|
type: "id"
|
|
6737
6739
|
};
|
|
6738
|
-
if (i.includes("email") && (n != null && n.email) && (
|
|
6739
|
-
for (let
|
|
6740
|
+
if (i.includes("email") && (n != null && n.email) && (O.email = n.email), i.includes("address") && n && "address" in n && (O.address = n.address), i.includes("phone") && n && "phone" in n && (O.phone = n.phone), i.includes("profile") && n)
|
|
6741
|
+
for (let V of [
|
|
6740
6742
|
"name",
|
|
6741
6743
|
"family_name",
|
|
6742
6744
|
"given_name",
|
|
@@ -6752,42 +6754,17 @@ class zt {
|
|
|
6752
6754
|
"locale",
|
|
6753
6755
|
"updated_at"
|
|
6754
6756
|
])
|
|
6755
|
-
|
|
6756
|
-
|
|
6757
|
-
if (i) {
|
|
6758
|
-
for (let O of i)
|
|
6759
|
-
if (O in this.idTokenClaims)
|
|
6760
|
-
if (this.idTokenClaims[O] == "all")
|
|
6761
|
-
K = {
|
|
6762
|
-
...K,
|
|
6763
|
-
...n
|
|
6764
|
-
};
|
|
6765
|
-
else
|
|
6766
|
-
for (let B in this.idTokenClaims[O])
|
|
6767
|
-
K[B] = n[this.idTokenClaims[O][B]];
|
|
6768
|
-
}
|
|
6769
|
-
if ("all" in this.idTokenClaims) {
|
|
6770
|
-
const O = this.idTokenClaims.all;
|
|
6771
|
-
if (O == "all")
|
|
6772
|
-
K = {
|
|
6773
|
-
...K,
|
|
6774
|
-
...n
|
|
6775
|
-
};
|
|
6776
|
-
else
|
|
6777
|
-
for (let B in O)
|
|
6778
|
-
K[B] = n[O[B]];
|
|
6779
|
-
}
|
|
6780
|
-
}
|
|
6781
|
-
K.scope = i, this.accessTokenExpiry != null && (K.exp = y + this.accessTokenExpiry), k = await new Promise((O, B) => {
|
|
6757
|
+
O[V] = n[V];
|
|
6758
|
+
O = this.addClaims(O, this.idTokenClaims, i, n), O.scope = i, this.accessTokenExpiry != null && (O.exp = y + this.accessTokenExpiry), k = await new Promise((V, M) => {
|
|
6782
6759
|
se.sign(
|
|
6783
|
-
|
|
6760
|
+
O,
|
|
6784
6761
|
this.secretOrPrivateKey,
|
|
6785
6762
|
{
|
|
6786
6763
|
algorithm: this.jwtAlgorithmChecked,
|
|
6787
6764
|
keyid: this.jwtKid
|
|
6788
6765
|
},
|
|
6789
|
-
(
|
|
6790
|
-
P ?
|
|
6766
|
+
(N, P) => {
|
|
6767
|
+
P ? V(P) : M(N || new o(
|
|
6791
6768
|
l.Unauthorized,
|
|
6792
6769
|
"Couldn't create jwt"
|
|
6793
6770
|
));
|
|
@@ -6797,38 +6774,38 @@ class zt {
|
|
|
6797
6774
|
}
|
|
6798
6775
|
let A;
|
|
6799
6776
|
if (a) {
|
|
6800
|
-
const
|
|
6777
|
+
const K = {
|
|
6801
6778
|
username: d.username,
|
|
6802
6779
|
client_id: s.client_id
|
|
6803
6780
|
};
|
|
6804
|
-
i && (
|
|
6805
|
-
let
|
|
6806
|
-
const
|
|
6781
|
+
i && (K.scope = i);
|
|
6782
|
+
let O;
|
|
6783
|
+
const M = {
|
|
6807
6784
|
jti: T.uuid(),
|
|
6808
6785
|
iat: y,
|
|
6809
6786
|
iss: this.oauthIssuer,
|
|
6810
6787
|
sub: d.username,
|
|
6811
6788
|
type: "refresh"
|
|
6812
6789
|
};
|
|
6813
|
-
this.refreshTokenExpiry != null && (
|
|
6790
|
+
this.refreshTokenExpiry != null && (M.exp = y + this.refreshTokenExpiry, O = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (M.aud = this.oauthIssuer), A = await new Promise((N, P) => {
|
|
6814
6791
|
se.sign(
|
|
6815
|
-
|
|
6792
|
+
M,
|
|
6816
6793
|
this.secretOrPrivateKey,
|
|
6817
6794
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6818
6795
|
(F, I) => {
|
|
6819
|
-
I ?
|
|
6796
|
+
I ? N(I) : P(F || new o(
|
|
6820
6797
|
l.Unauthorized,
|
|
6821
6798
|
"Couldn't create jwt"
|
|
6822
6799
|
));
|
|
6823
6800
|
}
|
|
6824
6801
|
);
|
|
6825
|
-
}), A && await ((
|
|
6802
|
+
}), A && await ((H = this.keyStorage) == null ? void 0 : H.saveKey(
|
|
6826
6803
|
void 0,
|
|
6827
6804
|
// to avoid user storage dependency
|
|
6828
6805
|
U.refreshToken + T.hash(A),
|
|
6829
|
-
|
|
6830
|
-
|
|
6831
|
-
JSON.stringify(
|
|
6806
|
+
m,
|
|
6807
|
+
O,
|
|
6808
|
+
JSON.stringify(K)
|
|
6832
6809
|
));
|
|
6833
6810
|
}
|
|
6834
6811
|
return {
|
|
@@ -6840,6 +6817,37 @@ class zt {
|
|
|
6840
6817
|
scope: i ? i.join(" ") : void 0
|
|
6841
6818
|
};
|
|
6842
6819
|
}
|
|
6820
|
+
addClaims(s, e, t, r) {
|
|
6821
|
+
if (r) {
|
|
6822
|
+
if (t) {
|
|
6823
|
+
for (let i of t)
|
|
6824
|
+
if (i in e)
|
|
6825
|
+
if (e[i] == "all")
|
|
6826
|
+
s = {
|
|
6827
|
+
...s,
|
|
6828
|
+
...r
|
|
6829
|
+
};
|
|
6830
|
+
else {
|
|
6831
|
+
let a = e[i];
|
|
6832
|
+
typeof a == "string" && (a = [a]);
|
|
6833
|
+
for (let n of a)
|
|
6834
|
+
s[n] = r[n];
|
|
6835
|
+
}
|
|
6836
|
+
}
|
|
6837
|
+
if ("all" in e) {
|
|
6838
|
+
let i = e.all;
|
|
6839
|
+
if (typeof i == "string" && (i = [i]), i == "all")
|
|
6840
|
+
s = {
|
|
6841
|
+
...s,
|
|
6842
|
+
...r
|
|
6843
|
+
};
|
|
6844
|
+
else
|
|
6845
|
+
for (let a of i)
|
|
6846
|
+
s[a] = r[a];
|
|
6847
|
+
}
|
|
6848
|
+
}
|
|
6849
|
+
return s;
|
|
6850
|
+
}
|
|
6843
6851
|
/**
|
|
6844
6852
|
* Returns whether the given authorization code is valid (in the database)
|
|
6845
6853
|
*
|
|
@@ -7112,7 +7120,7 @@ class nt extends Pe {
|
|
|
7112
7120
|
*/
|
|
7113
7121
|
constructor(e, t = {}) {
|
|
7114
7122
|
const r = {};
|
|
7115
|
-
w("jwtKeyType",
|
|
7123
|
+
w("jwtKeyType", g.String, r, t, "JWT_KEY_TYPE");
|
|
7116
7124
|
super(e, { ...t, ...r });
|
|
7117
7125
|
/**
|
|
7118
7126
|
* Value passed to the constructor. The `aud` claim must match it
|
|
@@ -7126,7 +7134,7 @@ class nt extends Pe {
|
|
|
7126
7134
|
h(this, "keyStorage");
|
|
7127
7135
|
h(this, "jwtSecretKeyFile", "");
|
|
7128
7136
|
h(this, "jwtPublicKeyFile", "");
|
|
7129
|
-
if (this.audience = e, w("authServerBaseUrl",
|
|
7137
|
+
if (this.audience = e, w("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), w("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), w("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), w("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), w("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), w("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), w("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
7130
7138
|
if (this.jwtPublicKey || this.jwtPublicKeyFile)
|
|
7131
7139
|
throw new o(
|
|
7132
7140
|
l.Configuration,
|
|
@@ -7202,7 +7210,7 @@ class Ht extends Ke {
|
|
|
7202
7210
|
const r = {
|
|
7203
7211
|
client_id: ""
|
|
7204
7212
|
};
|
|
7205
|
-
w("client_id",
|
|
7213
|
+
w("client_id", g.String, r, t, "OAUTH_CLIENT_ID", !0);
|
|
7206
7214
|
super({
|
|
7207
7215
|
authServerBaseUrl: e,
|
|
7208
7216
|
tokenConsumer: new nt(
|
|
@@ -7223,7 +7231,7 @@ class Ht extends Ke {
|
|
|
7223
7231
|
h(this, "userStorage");
|
|
7224
7232
|
this.client_id = r.client_id;
|
|
7225
7233
|
let i = {};
|
|
7226
|
-
w("stateLength",
|
|
7234
|
+
w("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), w("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), w("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), w("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), w("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), w("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), w("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), w("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage);
|
|
7227
7235
|
}
|
|
7228
7236
|
/**
|
|
7229
7237
|
* Uses {@link @crossauth/backend!Crypto.randomValue} to create a random string
|
|
@@ -7327,7 +7335,7 @@ export {
|
|
|
7327
7335
|
Pt as InMemoryOAuthAuthorizationStorage,
|
|
7328
7336
|
It as InMemoryOAuthClientStorage,
|
|
7329
7337
|
Ut as InMemoryUserStorage,
|
|
7330
|
-
|
|
7338
|
+
D as KeyStorage,
|
|
7331
7339
|
xt as LdapAuthenticator,
|
|
7332
7340
|
oe as LdapUserStorage,
|
|
7333
7341
|
Te as LocalPasswordAuthenticator,
|
|
@@ -7338,7 +7346,7 @@ export {
|
|
|
7338
7346
|
me as OAuthClientStorage,
|
|
7339
7347
|
Mt as OAuthResourceServer,
|
|
7340
7348
|
nt as OAuthTokenConsumer,
|
|
7341
|
-
|
|
7349
|
+
g as ParamType,
|
|
7342
7350
|
be as PasswordAuthenticator,
|
|
7343
7351
|
Ft as PostgresKeyStorage,
|
|
7344
7352
|
Nt as PostgresOAuthAuthorizationStorage,
|
|
@@ -7348,13 +7356,13 @@ export {
|
|
|
7348
7356
|
bt as PrismaOAuthAuthorizationStorage,
|
|
7349
7357
|
Et as PrismaOAuthClientStorage,
|
|
7350
7358
|
G as PrismaUserStorage,
|
|
7351
|
-
|
|
7359
|
+
x as SessionCookie,
|
|
7352
7360
|
Lt as SessionManager,
|
|
7353
7361
|
Q as SmsAuthenticator,
|
|
7354
|
-
|
|
7362
|
+
R as TokenEmailer,
|
|
7355
7363
|
Dt as TotpAuthenticator,
|
|
7356
7364
|
Ue as TwilioAuthenticator,
|
|
7357
|
-
|
|
7365
|
+
L as UserStorage,
|
|
7358
7366
|
w as setParameter,
|
|
7359
7367
|
Bt as toCookieSerializeOptions
|
|
7360
7368
|
};
|