@crossauth/backend 0.0.30 → 0.0.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +359 -356
- package/dist/oauth/authserver.d.ts.map +1 -1
- package/dist/oauth/client.d.ts +12 -0
- package/dist/oauth/client.d.ts.map +1 -1
- package/dist/storage/ldapstorage.d.ts.map +1 -1
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -4,8 +4,8 @@ var h = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
|
|
|
4
4
|
import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as b, KeyPrefix as U, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
|
|
5
5
|
import { PrismaClient as ce, Prisma as X } from "@prisma/client";
|
|
6
6
|
import ye from "@mbakereth/ldapjs";
|
|
7
|
-
import { timingSafeEqual as he, randomBytes as ue, randomUUID as Fe, createHash as Oe, pbkdf2 as Ne, createHmac as ie, createCipheriv as Re, createDecipheriv as
|
|
8
|
-
import { promisify as
|
|
7
|
+
import { timingSafeEqual as he, randomBytes as ue, randomUUID as Fe, createHash as Oe, pbkdf2 as Ne, createHmac as ie, createCipheriv as Re, createDecipheriv as De, randomInt as ee } from "node:crypto";
|
|
8
|
+
import { promisify as xe } from "node:util";
|
|
9
9
|
import W from "nunjucks";
|
|
10
10
|
import Ee from "nodemailer";
|
|
11
11
|
import Be from "twilio";
|
|
@@ -16,7 +16,7 @@ import { createPublicKey as ze } from "crypto";
|
|
|
16
16
|
import te from "node:fs";
|
|
17
17
|
import * as He from "jose";
|
|
18
18
|
var g = /* @__PURE__ */ ((S) => (S[S.String = 0] = "String", S[S.Number = 1] = "Number", S[S.Boolean = 2] = "Boolean", S[S.Json = 3] = "Json", S[S.JsonArray = 4] = "JsonArray", S))(g || {});
|
|
19
|
-
function
|
|
19
|
+
function je(S, s) {
|
|
20
20
|
let e = S.split("."), t = s;
|
|
21
21
|
for (let r in e) {
|
|
22
22
|
const i = e[r];
|
|
@@ -34,8 +34,8 @@ function pe(S, s) {
|
|
|
34
34
|
}
|
|
35
35
|
return !0;
|
|
36
36
|
}
|
|
37
|
-
function
|
|
38
|
-
const t =
|
|
37
|
+
function Me(S, s, e) {
|
|
38
|
+
const t = je(s, e);
|
|
39
39
|
S[s.replace(".", "_")] = t;
|
|
40
40
|
}
|
|
41
41
|
function Ve(S, s, e, t) {
|
|
@@ -59,11 +59,11 @@ function Ve(S, s, e, t) {
|
|
|
59
59
|
break;
|
|
60
60
|
}
|
|
61
61
|
}
|
|
62
|
-
function
|
|
62
|
+
function m(S, s, e, t, r, i = !1) {
|
|
63
63
|
const a = "CROSSAUTH_" + r;
|
|
64
64
|
if (i && !pe(S, t) && !(a && a in process.env))
|
|
65
65
|
throw new o(l.Configuration, S + " is required");
|
|
66
|
-
pe(S, t) ?
|
|
66
|
+
pe(S, t) ? Me(e, S, t) : r && a in process.env && process.env[a] != null && Ve(e, S, s, a);
|
|
67
67
|
}
|
|
68
68
|
class L {
|
|
69
69
|
/**
|
|
@@ -75,7 +75,7 @@ class L {
|
|
|
75
75
|
h(this, "adminEditableFields", []);
|
|
76
76
|
h(this, "normalizeUsername", !0);
|
|
77
77
|
h(this, "normalizeEmail", !0);
|
|
78
|
-
|
|
78
|
+
m("userEditableFields", g.JsonArray, this, s, "USER_EDITABLE_FIELDS"), m("adminEditableFields", g.JsonArray, this, s, "ADMIN_EDITABLE_FIELDS"), m("normalizeUsername", g.JsonArray, this, s, "NORMALIZE_USERNAME"), m("normalizeEmail", g.JsonArray, this, s, "NORMALIZE_EMAIL");
|
|
79
79
|
}
|
|
80
80
|
/**
|
|
81
81
|
* Creates a user with the given details and secrets.
|
|
@@ -98,7 +98,7 @@ class L {
|
|
|
98
98
|
return s.normalize("NFD").replace(new RegExp("\\p{Diacritic}", "gu"), "").toLowerCase();
|
|
99
99
|
}
|
|
100
100
|
}
|
|
101
|
-
class
|
|
101
|
+
class x {
|
|
102
102
|
/**
|
|
103
103
|
* Returns an object decoded from the data field as a JSON string
|
|
104
104
|
* @param data the JSON string to decode
|
|
@@ -181,7 +181,7 @@ class G extends L {
|
|
|
181
181
|
h(this, "includes", ["secrets"]);
|
|
182
182
|
h(this, "includesObject", {});
|
|
183
183
|
h(this, "forceIdToNumber", !0);
|
|
184
|
-
|
|
184
|
+
m("userTable", g.String, this, e, "USER_TABLE"), m("userSecretsTable", g.String, this, e, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, e, "USER_ID_COLUMN"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), m("includes", g.String, this, e, "USER_INCLUDES"), m("forceIdToNumber", g.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
|
|
185
185
|
this.includesObject[t] = !0;
|
|
186
186
|
}), e && e.prismaClient ? this.prismaClient = e.prismaClient : this.prismaClient = new ce();
|
|
187
187
|
}
|
|
@@ -288,7 +288,7 @@ class G extends L {
|
|
|
288
288
|
});
|
|
289
289
|
} catch {
|
|
290
290
|
}
|
|
291
|
-
let { userid:
|
|
291
|
+
let { userid: w, ...y } = d ?? {};
|
|
292
292
|
n = { ...y, ...n }, await c[this.userTable].update({
|
|
293
293
|
where: {
|
|
294
294
|
[this.idColumn]: e.id
|
|
@@ -413,7 +413,7 @@ class G extends L {
|
|
|
413
413
|
}
|
|
414
414
|
}
|
|
415
415
|
}
|
|
416
|
-
class kt extends
|
|
416
|
+
class kt extends x {
|
|
417
417
|
/**
|
|
418
418
|
* Constructor with user storage object to use plus optional parameters.
|
|
419
419
|
*
|
|
@@ -425,7 +425,7 @@ class kt extends D {
|
|
|
425
425
|
h(this, "prismaClient");
|
|
426
426
|
h(this, "transactionTimeout", 5e3);
|
|
427
427
|
h(this, "useridForeignKeyColumn", "userid");
|
|
428
|
-
|
|
428
|
+
m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
429
429
|
}
|
|
430
430
|
async getKey(e) {
|
|
431
431
|
return await this.getKeyWithTransaction(e, this.prismaClient);
|
|
@@ -699,7 +699,7 @@ class Et extends me {
|
|
|
699
699
|
h(this, "transactionTimeout", 5e3);
|
|
700
700
|
h(this, "updateMode", "DeleteAndInsert");
|
|
701
701
|
h(this, "useridForeignKeyColumn", "userid");
|
|
702
|
-
|
|
702
|
+
m("clientTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, e, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, e, "OAUTH_VALID_FLOW_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("updateMode", g.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
703
703
|
}
|
|
704
704
|
async getClientById(e) {
|
|
705
705
|
return (await this.getClientWithTransaction("client_id", e, this.prismaClient, !0, void 0))[0];
|
|
@@ -717,14 +717,14 @@ class Et extends me {
|
|
|
717
717
|
...n
|
|
718
718
|
},
|
|
719
719
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
720
|
-
}), d = c.redirect_uri,
|
|
720
|
+
}), d = c.redirect_uri, w = c.valid_flow;
|
|
721
721
|
let y = c[this.useridForeignKeyColumn];
|
|
722
722
|
return y === null && (y = void 0), this.useridForeignKeyColumn != "userid" && delete c[this.useridForeignKeyColumn], [{
|
|
723
723
|
...c,
|
|
724
724
|
userid: y,
|
|
725
725
|
client_secret: c.client_secret ?? void 0,
|
|
726
726
|
redirect_uri: d.map((p) => p.uri),
|
|
727
|
-
valid_flow:
|
|
727
|
+
valid_flow: w.map((p) => p.flow)
|
|
728
728
|
}];
|
|
729
729
|
} else {
|
|
730
730
|
const c = await r[this.clientTable].findMany({
|
|
@@ -735,9 +735,9 @@ class Et extends me {
|
|
|
735
735
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
736
736
|
});
|
|
737
737
|
for (let d of c) {
|
|
738
|
-
const
|
|
738
|
+
const w = d.redirect_uri, y = d.valid_flow;
|
|
739
739
|
let p = d[this.useridForeignKeyColumn];
|
|
740
|
-
p == null && (p = void 0), d.userid = p, this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], d.client_secret = d.client_secret ?? void 0, d.redirect_uri =
|
|
740
|
+
p == null && (p = void 0), d.userid = p, this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], d.client_secret = d.client_secret ?? void 0, d.redirect_uri = w.map((_) => _.uri), d.valid_flow = y.map((_) => _.flow);
|
|
741
741
|
}
|
|
742
742
|
return c;
|
|
743
743
|
}
|
|
@@ -959,7 +959,7 @@ class bt extends we {
|
|
|
959
959
|
// PrismaClient;
|
|
960
960
|
h(this, "transactionTimeout", 5e3);
|
|
961
961
|
h(this, "useridForeignKeyColumn", "userid");
|
|
962
|
-
|
|
962
|
+
m("authorizationTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
963
963
|
}
|
|
964
964
|
async getAuthorizations(e, t) {
|
|
965
965
|
try {
|
|
@@ -1157,7 +1157,7 @@ class Ut extends L {
|
|
|
1157
1157
|
return i;
|
|
1158
1158
|
}
|
|
1159
1159
|
}
|
|
1160
|
-
class At extends
|
|
1160
|
+
class At extends x {
|
|
1161
1161
|
/**
|
|
1162
1162
|
* Constructor
|
|
1163
1163
|
*/
|
|
@@ -1452,7 +1452,7 @@ class oe extends L {
|
|
|
1452
1452
|
h(this, "ldapUserSearchBase", "");
|
|
1453
1453
|
h(this, "ldapUsernameAttribute", "cn");
|
|
1454
1454
|
h(this, "createUserFn", $e);
|
|
1455
|
-
this.localStorage = e,
|
|
1455
|
+
this.localStorage = e, m("ldapUrls", g.JsonArray, this, t, "LDAP_URL", !0), m("ldapUserSearchBase", g.String, this, t, "LDAP_USER_SEARCH_BASE"), m("ldapUsernameAttribute", g.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
|
|
1456
1456
|
}
|
|
1457
1457
|
/**
|
|
1458
1458
|
* Authenticates the user in LDAP and, if valid, creates a user in local
|
|
@@ -1552,7 +1552,7 @@ class oe extends L {
|
|
|
1552
1552
|
} catch (i) {
|
|
1553
1553
|
u.logger.debug(f({ err: i }));
|
|
1554
1554
|
const a = o.asCrossauthError(i);
|
|
1555
|
-
throw
|
|
1555
|
+
throw i instanceof ye.InvalidCredentialsError ? new o(l.UsernameOrPasswordInvalid) : a.code != l.UnknownError ? a : new o(l.Connection, "LDAP error getting user");
|
|
1556
1556
|
}
|
|
1557
1557
|
}
|
|
1558
1558
|
// bind and return the ldap client
|
|
@@ -1591,17 +1591,17 @@ class oe extends L {
|
|
|
1591
1591
|
t,
|
|
1592
1592
|
n,
|
|
1593
1593
|
function(c, d) {
|
|
1594
|
-
let
|
|
1594
|
+
let w;
|
|
1595
1595
|
if (c) {
|
|
1596
1596
|
a(c), e.unbind();
|
|
1597
1597
|
return;
|
|
1598
1598
|
}
|
|
1599
1599
|
d.on("searchEntry", function(y) {
|
|
1600
|
-
|
|
1600
|
+
w = oe.searchResultToUser(y.pojo);
|
|
1601
1601
|
}), d.on("error", function(y) {
|
|
1602
1602
|
a(y), e.unbind();
|
|
1603
1603
|
}), d.on("end", function(y) {
|
|
1604
|
-
y.status != 0 ? a(new o(l.Connection, "LDAP onnection failed")) :
|
|
1604
|
+
y.status != 0 ? a(new o(l.Connection, "LDAP onnection failed")) : w ? i(w) : a(new o(l.UsernameOrPasswordInvalid)), e.unbind();
|
|
1605
1605
|
});
|
|
1606
1606
|
}
|
|
1607
1607
|
);
|
|
@@ -1644,7 +1644,7 @@ class Y extends L {
|
|
|
1644
1644
|
h(this, "useridForeignKeyColumn", "userid");
|
|
1645
1645
|
h(this, "forceIdToNumber", !0);
|
|
1646
1646
|
h(this, "dbPool");
|
|
1647
|
-
this.dbPool = e,
|
|
1647
|
+
this.dbPool = e, m("userTable", g.String, this, t, "USER_TABLE"), m("userSecretsTable", g.String, this, t, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, t, "USER_ID_COLUMN"), m("forceIdToNumber", g.String, this, t, "USER_FORCE_ID_TO_NUMBER"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
|
|
1648
1648
|
}
|
|
1649
1649
|
/**
|
|
1650
1650
|
* Returns user matching the given id, or throws an exception.
|
|
@@ -1696,25 +1696,25 @@ class Y extends L {
|
|
|
1696
1696
|
let i = await this.dbPool.connect(), a, n, c = this.dbPool.parameters();
|
|
1697
1697
|
try {
|
|
1698
1698
|
await i.startTransaction();
|
|
1699
|
-
let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(),
|
|
1700
|
-
if (
|
|
1699
|
+
let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), w = await i.execute(d, [t]);
|
|
1700
|
+
if (w.length == 0)
|
|
1701
1701
|
throw new o(l.UserNotExist);
|
|
1702
1702
|
let y, p, _;
|
|
1703
|
-
if (this.idColumn in
|
|
1703
|
+
if (this.idColumn in w[0]) y = w[0][this.idColumn];
|
|
1704
1704
|
else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
|
|
1705
|
-
if ("username" in
|
|
1705
|
+
if ("username" in w[0]) p = w[0].username;
|
|
1706
1706
|
else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
|
|
1707
|
-
if ("state" in
|
|
1707
|
+
if ("state" in w[0]) _ = w[0].state;
|
|
1708
1708
|
else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
|
|
1709
1709
|
if (a = {
|
|
1710
|
-
...
|
|
1710
|
+
...w[0],
|
|
1711
1711
|
id: y,
|
|
1712
1712
|
username: p,
|
|
1713
1713
|
state: _
|
|
1714
1714
|
}, !a) throw new o(l.UserNotExist);
|
|
1715
|
-
if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(),
|
|
1715
|
+
if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), w = await i.execute(d, [a.id]), w.length == 0)
|
|
1716
1716
|
throw new o(l.UserNotExist);
|
|
1717
|
-
if (
|
|
1717
|
+
if (w.length > 0 ? n = { userid: a.id, ...w[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
|
|
1718
1718
|
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
|
|
1719
1719
|
throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
|
|
1720
1720
|
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.disabled)
|
|
@@ -1745,28 +1745,28 @@ class Y extends L {
|
|
|
1745
1745
|
let i = [], a = [], n = "", c = "", d = this.dbPool.parameters();
|
|
1746
1746
|
e && (c = "OFFSET " + d.nextParameter()), t && (a.push(t), n = "LIMIT " + d.nextParameter());
|
|
1747
1747
|
try {
|
|
1748
|
-
let
|
|
1748
|
+
let w = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(w, a);
|
|
1749
1749
|
if (y.length == 0)
|
|
1750
1750
|
throw new o(l.UserNotExist);
|
|
1751
1751
|
for (let p of y) {
|
|
1752
|
-
let _, C,
|
|
1752
|
+
let _, C, T;
|
|
1753
1753
|
if (this.idColumn in p) _ = p[this.idColumn];
|
|
1754
1754
|
else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
|
|
1755
1755
|
if ("username" in p) C = p.username;
|
|
1756
1756
|
else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
|
|
1757
|
-
if ("state" in p)
|
|
1757
|
+
if ("state" in p) T = p.state;
|
|
1758
1758
|
else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
|
|
1759
1759
|
let k = {
|
|
1760
1760
|
...p,
|
|
1761
1761
|
id: _,
|
|
1762
1762
|
username: C,
|
|
1763
|
-
state:
|
|
1763
|
+
state: T
|
|
1764
1764
|
};
|
|
1765
1765
|
i.push(k);
|
|
1766
1766
|
}
|
|
1767
1767
|
return i;
|
|
1768
|
-
} catch (
|
|
1769
|
-
throw
|
|
1768
|
+
} catch (w) {
|
|
1769
|
+
throw w;
|
|
1770
1770
|
} finally {
|
|
1771
1771
|
r.release();
|
|
1772
1772
|
}
|
|
@@ -1791,21 +1791,21 @@ class Y extends L {
|
|
|
1791
1791
|
throw new o(l.UserNotExist);
|
|
1792
1792
|
let c = { ...e }, d = t ? { ...t } : void 0;
|
|
1793
1793
|
"email" in c && c.email && (c = { email_normalized: this.normalizeEmail ? Y.normalize(c.email) : c.email, ...c }), "username" in c && c.username && (c = { username_normalized: this.normalizeUsername ? Y.normalize(c.username) : c.username, ...c }), i = this.dbPool.parameters();
|
|
1794
|
-
let
|
|
1794
|
+
let w = [], y = [];
|
|
1795
1795
|
for (let p in c)
|
|
1796
|
-
c[p] != null && p != "id" && (
|
|
1797
|
-
if (
|
|
1798
|
-
let p =
|
|
1796
|
+
c[p] != null && p != "id" && (w.push(p + "= " + i.nextParameter()), y.push(c[p]));
|
|
1797
|
+
if (w.length > 0) {
|
|
1798
|
+
let p = w.join(", ");
|
|
1799
1799
|
y.push(e.id);
|
|
1800
1800
|
let _ = `update ${this.userTable} set ${p} where ${this.idColumn} = ` + i.nextParameter();
|
|
1801
1801
|
await r.execute(_, y);
|
|
1802
1802
|
}
|
|
1803
1803
|
if (t) {
|
|
1804
|
-
|
|
1804
|
+
w = [], y = [], i = this.dbPool.parameters();
|
|
1805
1805
|
for (let p in d)
|
|
1806
|
-
d[p] != null && p != "userid" && (
|
|
1807
|
-
if (
|
|
1808
|
-
let p =
|
|
1806
|
+
d[p] != null && p != "userid" && (w.push(p + "= " + i.nextParameter()), y.push(d[p]));
|
|
1807
|
+
if (w.length > 0) {
|
|
1808
|
+
let p = w.join(", ");
|
|
1809
1809
|
y.push(e.id);
|
|
1810
1810
|
let _ = `update ${this.userSecretsTable} set ${p} where userid = ` + i.nextParameter();
|
|
1811
1811
|
await r.execute(_, y);
|
|
@@ -1836,27 +1836,27 @@ class Y extends L {
|
|
|
1836
1836
|
await r.startTransaction();
|
|
1837
1837
|
let a = { ...e }, n = t ? { ...t } : void 0;
|
|
1838
1838
|
"email" in a && a.email && (a = { email_normalized: this.normalizeEmail ? Y.normalize(a.email) : a.email, ...a }), "username" in a && a.username && (a = { username_normalized: this.normalizeUsername ? Y.normalize(a.username) : a.username, ...a });
|
|
1839
|
-
let c = [], d = [],
|
|
1839
|
+
let c = [], d = [], w = [];
|
|
1840
1840
|
const y = this.dbPool.parameters();
|
|
1841
1841
|
for (let _ in a)
|
|
1842
|
-
a[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()),
|
|
1842
|
+
a[_] != null && _ != "id" && (c.push(_), d.push(y.nextParameter()), w.push(a[_]));
|
|
1843
1843
|
if (c.length > 0) {
|
|
1844
1844
|
let _ = c.join(", "), C = d.join(", ");
|
|
1845
|
-
const
|
|
1845
|
+
const T = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(T, w);
|
|
1846
1846
|
if (k.length == 0 || !k[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
|
|
1847
1847
|
i = k[0][this.idColumn];
|
|
1848
1848
|
}
|
|
1849
1849
|
if (!i) throw new o(l.Connection, "Couldn't create user");
|
|
1850
1850
|
if (t) {
|
|
1851
|
-
c = [], d = [],
|
|
1851
|
+
c = [], d = [], w = [];
|
|
1852
1852
|
const _ = this.dbPool.parameters();
|
|
1853
|
-
c.push("userid"), d.push(_.nextParameter()),
|
|
1853
|
+
c.push("userid"), d.push(_.nextParameter()), w.push(i);
|
|
1854
1854
|
for (let C in n)
|
|
1855
|
-
n[C] != null && C != "userid" && (c.push(C), d.push(_.nextParameter()),
|
|
1855
|
+
n[C] != null && C != "userid" && (c.push(C), d.push(_.nextParameter()), w.push(n[C]));
|
|
1856
1856
|
if (c.length > 0) {
|
|
1857
|
-
let C = c.join(", "),
|
|
1858
|
-
const k = `insert into ${this.userSecretsTable} (${C}) values (${
|
|
1859
|
-
u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k,
|
|
1857
|
+
let C = c.join(", "), T = d.join(", ");
|
|
1858
|
+
const k = `insert into ${this.userSecretsTable} (${C}) values (${T})`;
|
|
1859
|
+
u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k, w);
|
|
1860
1860
|
}
|
|
1861
1861
|
}
|
|
1862
1862
|
return await r.commit(), (await this.getUserById(i)).user;
|
|
@@ -1903,7 +1903,7 @@ class Y extends L {
|
|
|
1903
1903
|
}
|
|
1904
1904
|
}
|
|
1905
1905
|
}
|
|
1906
|
-
class qe extends
|
|
1906
|
+
class qe extends x {
|
|
1907
1907
|
/**
|
|
1908
1908
|
* Constructor with user storage object to use plus optional parameters.
|
|
1909
1909
|
*
|
|
@@ -1915,7 +1915,7 @@ class qe extends D {
|
|
|
1915
1915
|
h(this, "keyTable", "keys");
|
|
1916
1916
|
h(this, "dbPool");
|
|
1917
1917
|
h(this, "useridForeignKeyColumn", "userid");
|
|
1918
|
-
|
|
1918
|
+
m("transactionTimeout", g.Number, this, t, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
|
|
1919
1919
|
}
|
|
1920
1920
|
async getKey(e) {
|
|
1921
1921
|
const t = await this.dbPool.connect();
|
|
@@ -1962,21 +1962,21 @@ class qe extends D {
|
|
|
1962
1962
|
* @throws {@link @crossauth/common!CrossauthError } if the key could not be stored.
|
|
1963
1963
|
*/
|
|
1964
1964
|
async saveKey(e, t, r, i, a, n = {}) {
|
|
1965
|
-
let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"],
|
|
1965
|
+
let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], w = this.dbPool.parameters(), y = [];
|
|
1966
1966
|
for (let k = 0; k < 5; ++k)
|
|
1967
|
-
y.push(
|
|
1967
|
+
y.push(w.nextParameter());
|
|
1968
1968
|
let p = [e ?? null, t, r, i ?? null, a ?? ""];
|
|
1969
1969
|
for (let k in n)
|
|
1970
|
-
d.push(k), y.push(
|
|
1970
|
+
d.push(k), y.push(w.nextParameter()), p.push(n[k]);
|
|
1971
1971
|
let _ = d.join(", "), C = y.join(", ");
|
|
1972
|
-
const
|
|
1972
|
+
const T = await this.dbPool.connect();
|
|
1973
1973
|
try {
|
|
1974
1974
|
const k = `insert into ${this.keyTable} (${_}) values (${C})`;
|
|
1975
|
-
await
|
|
1975
|
+
await T.execute(k, p);
|
|
1976
1976
|
} catch (k) {
|
|
1977
1977
|
o.asCrossauthError(k).code == l.ConstraintViolation ? (u.logger.warn(f({ msg: "Attempt to create key that already exists. Stack trace follows" })), u.logger.debug(f({ err: k })), c = new o(l.KeyExists)) : (u.logger.debug(f({ err: k })), c = new o(l.Connection, "Error saving key"));
|
|
1978
1978
|
} finally {
|
|
1979
|
-
|
|
1979
|
+
T.release();
|
|
1980
1980
|
}
|
|
1981
1981
|
if (c)
|
|
1982
1982
|
throw c;
|
|
@@ -1995,11 +1995,11 @@ class qe extends D {
|
|
|
1995
1995
|
try {
|
|
1996
1996
|
let a, n = [], c = "", d = this.dbPool.parameters();
|
|
1997
1997
|
if (e) {
|
|
1998
|
-
const
|
|
1999
|
-
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${
|
|
1998
|
+
const w = d.nextParameter(), y = d.nextParameter();
|
|
1999
|
+
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${w} and value like ${y} `, n = [e];
|
|
2000
2000
|
} else {
|
|
2001
|
-
const
|
|
2002
|
-
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${
|
|
2001
|
+
const w = d.nextParameter();
|
|
2002
|
+
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${w}`;
|
|
2003
2003
|
}
|
|
2004
2004
|
n.push(t + "%"), r && (c = "and value != " + d.nextParameter(), n.push(r)), a += " " + c, u.logger.debug(f({ msg: "Executing query", query: a })), await i.execute(a, n);
|
|
2005
2005
|
} catch (a) {
|
|
@@ -2014,8 +2014,8 @@ class qe extends D {
|
|
|
2014
2014
|
let r = [], i = [];
|
|
2015
2015
|
const a = this.dbPool.parameters();
|
|
2016
2016
|
for (let d in e) {
|
|
2017
|
-
let
|
|
2018
|
-
e[d] == null ? r.push(
|
|
2017
|
+
let w = d == "userid" ? this.useridForeignKeyColumn : d;
|
|
2018
|
+
e[d] == null ? r.push(w + " is null") : (r.push(w + " = " + a.nextParameter()), i.push(e[d]));
|
|
2019
2019
|
}
|
|
2020
2020
|
let n = r.join(" and "), c = `delete from ${this.keyTable} where ${n}`;
|
|
2021
2021
|
await t.execute(c, i);
|
|
@@ -2054,8 +2054,8 @@ class qe extends D {
|
|
|
2054
2054
|
if (c.length == 0)
|
|
2055
2055
|
return [];
|
|
2056
2056
|
for (let d of c) {
|
|
2057
|
-
let
|
|
2058
|
-
this.useridForeignKeyColumn != "userid" && (
|
|
2057
|
+
let w = this.makeKey(d);
|
|
2058
|
+
this.useridForeignKeyColumn != "userid" && (w.userid = w[this.useridForeignKeyColumn], delete w[this.useridForeignKeyColumn]), r.push(w);
|
|
2059
2059
|
}
|
|
2060
2060
|
return r;
|
|
2061
2061
|
} catch (r) {
|
|
@@ -2167,7 +2167,7 @@ class We extends me {
|
|
|
2167
2167
|
h(this, "validFlowTable", "oauthclientvalidflow");
|
|
2168
2168
|
h(this, "dbPool");
|
|
2169
2169
|
h(this, "useridForeignKeyColumn", "userid");
|
|
2170
|
-
|
|
2170
|
+
m("clientTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, t, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, t, "OAUTH_VALID_FLOW_TABLE"), m("updateMode", g.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2171
2171
|
}
|
|
2172
2172
|
async getClientById(e) {
|
|
2173
2173
|
let t = await this.dbPool.connect();
|
|
@@ -2210,12 +2210,12 @@ class We extends me {
|
|
|
2210
2210
|
};
|
|
2211
2211
|
}
|
|
2212
2212
|
async getClientWithTransaction(e, t, r, i, a, n) {
|
|
2213
|
-
let c = [], d = this.dbPool.parameters(),
|
|
2214
|
-
t && r && (p = `where c.${t} = ` + d.nextParameter(),
|
|
2213
|
+
let c = [], d = this.dbPool.parameters(), w = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, p = "";
|
|
2214
|
+
t && r && (p = `where c.${t} = ` + d.nextParameter(), w.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), w.push(i)));
|
|
2215
2215
|
let _ = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, C = "";
|
|
2216
|
-
t && r && (C = `where c.${t} = ` + d.nextParameter(),
|
|
2217
|
-
let
|
|
2218
|
-
const k = await e.execute(
|
|
2216
|
+
t && r && (C = `where c.${t} = ` + d.nextParameter(), w.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), w.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += p, _ += C;
|
|
2217
|
+
let T = y + " union " + _ + " order by client_id";
|
|
2218
|
+
const k = await e.execute(T, w);
|
|
2219
2219
|
let A;
|
|
2220
2220
|
for (let z of k)
|
|
2221
2221
|
(!A || z.client_id != A.client_id) && (A && c.push(A), A = this.makeClient(z), A.valid_flow = [], A.redirect_uri = []), z.uri && A.redirect_uri.push(z.uri), z.flow && A.valid_flow.push(z.flow);
|
|
@@ -2255,14 +2255,14 @@ class We extends me {
|
|
|
2255
2255
|
for (let C = 0; C < i.length; ++C)
|
|
2256
2256
|
if (!b.isValidFlow(i[C])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[C]);
|
|
2257
2257
|
}
|
|
2258
|
-
let c = [], d = [],
|
|
2258
|
+
let c = [], d = [], w = [], y = this.dbPool.parameters();
|
|
2259
2259
|
try {
|
|
2260
2260
|
for (let C in n)
|
|
2261
|
-
c.push(C), d.push(y.nextParameter()),
|
|
2261
|
+
c.push(C), d.push(y.nextParameter()), w.push(n[C]);
|
|
2262
2262
|
if (c.length > 0) {
|
|
2263
|
-
let C = c.join(", "),
|
|
2264
|
-
const k = `insert into ${this.clientTable} (${C}) values (${
|
|
2265
|
-
await e.execute(k,
|
|
2263
|
+
let C = c.join(", "), T = d.join(", ");
|
|
2264
|
+
const k = `insert into ${this.clientTable} (${C}) values (${T})`;
|
|
2265
|
+
await e.execute(k, w);
|
|
2266
2266
|
}
|
|
2267
2267
|
} catch (C) {
|
|
2268
2268
|
throw typeof C == "object" && C != null && "code" in C && typeof C.code == "string" && (C.code.startsWith("22") || C.code.startsWith("23")) ? (u.logger.debug(f({ err: C })), new o(l.InvalidClientId, "Attempt to create an OAuth client with a client_id that already exists. Maximum attempts failed")) : (u.logger.debug(f({ err: C })), new o(l.Connection, "Error saving OAuth client"));
|
|
@@ -2273,15 +2273,15 @@ class We extends me {
|
|
|
2273
2273
|
let _ = p[0];
|
|
2274
2274
|
if (r)
|
|
2275
2275
|
for (let C = 0; C < r.length; ++C) {
|
|
2276
|
-
|
|
2277
|
-
let
|
|
2278
|
-
|
|
2276
|
+
w = [], y = this.dbPool.parameters();
|
|
2277
|
+
let T = `insert into ${this.redirectUriTable} (client_id, uri) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
|
|
2278
|
+
w.push(_.client_id), w.push(r[C]), await e.execute(T, w);
|
|
2279
2279
|
}
|
|
2280
2280
|
if (i)
|
|
2281
2281
|
for (let C = 0; C < i.length; ++C) {
|
|
2282
|
-
|
|
2283
|
-
let
|
|
2284
|
-
|
|
2282
|
+
w = [], y = this.dbPool.parameters();
|
|
2283
|
+
let T = `insert into ${this.validFlowTable} (client_id, flow) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
|
|
2284
|
+
w.push(_.client_id), w.push(i[C]), await e.execute(T, w);
|
|
2285
2285
|
}
|
|
2286
2286
|
return { ..._, redirect_uri: r, valid_flow: i };
|
|
2287
2287
|
}
|
|
@@ -2328,42 +2328,42 @@ class We extends me {
|
|
|
2328
2328
|
if (!t.client_id) throw new o(l.InvalidClientId);
|
|
2329
2329
|
const r = t.redirect_uri, i = t.valid_flow;
|
|
2330
2330
|
if (r)
|
|
2331
|
-
for (let
|
|
2332
|
-
if (r[
|
|
2331
|
+
for (let T = 0; T < r.length; ++T) {
|
|
2332
|
+
if (r[T].includes("#")) throw new o(l.InvalidRedirectUri, "Redirect Uri's may not contain page fragments");
|
|
2333
2333
|
try {
|
|
2334
|
-
new URL(r[
|
|
2334
|
+
new URL(r[T]);
|
|
2335
2335
|
} catch {
|
|
2336
|
-
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[
|
|
2336
|
+
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[T]} is not valid`);
|
|
2337
2337
|
}
|
|
2338
2338
|
}
|
|
2339
2339
|
if (i) {
|
|
2340
|
-
for (let
|
|
2341
|
-
if (!b.isValidFlow(i[
|
|
2340
|
+
for (let T = 0; T < i.length; ++T)
|
|
2341
|
+
if (!b.isValidFlow(i[T])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
|
|
2342
2342
|
}
|
|
2343
2343
|
if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
|
|
2344
2344
|
let { client_id: a, redirect_uri: n, valid_flow: c, ...d } = t;
|
|
2345
2345
|
n || (n = []), c || (c = []);
|
|
2346
|
-
let
|
|
2347
|
-
await e.execute(y, [t.client_id]),
|
|
2346
|
+
let w = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + w.nextParameter();
|
|
2347
|
+
await e.execute(y, [t.client_id]), w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter(), await e.execute(y, [t.client_id]);
|
|
2348
2348
|
let p = [], _ = [], C = [];
|
|
2349
|
-
|
|
2350
|
-
for (let
|
|
2351
|
-
p.push(
|
|
2349
|
+
w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter();
|
|
2350
|
+
for (let T in d)
|
|
2351
|
+
p.push(T), _.push(w.nextParameter()), C.push(d[T]);
|
|
2352
2352
|
if (p.length > 0) {
|
|
2353
|
-
let
|
|
2354
|
-
y = `update ${this.clientTable} set (${
|
|
2353
|
+
let T = p.join(", "), k = _.join(", ");
|
|
2354
|
+
y = `update ${this.clientTable} set (${T}) values (${k})`, await e.execute(y, C);
|
|
2355
2355
|
}
|
|
2356
2356
|
if (n)
|
|
2357
|
-
for (let
|
|
2358
|
-
C = [],
|
|
2359
|
-
let k = `insert into ${this.redirectUriTable} (client_id, uri) values (` +
|
|
2360
|
-
C.push(t.client_id), C.push(n[
|
|
2357
|
+
for (let T = 0; T < n.length; ++T) {
|
|
2358
|
+
C = [], w = this.dbPool.parameters();
|
|
2359
|
+
let k = `insert into ${this.redirectUriTable} (client_id, uri) values (` + w.nextParameter() + ", " + w.nextParameter() + ")";
|
|
2360
|
+
C.push(t.client_id), C.push(n[T]), await e.execute(k, C);
|
|
2361
2361
|
}
|
|
2362
2362
|
if (c)
|
|
2363
|
-
for (let
|
|
2364
|
-
C = [],
|
|
2365
|
-
let k = `insert into ${this.validFlowTable} (client_id, flow) values (` +
|
|
2366
|
-
C.push(t.client_id), C.push(c[
|
|
2363
|
+
for (let T = 0; T < c.length; ++T) {
|
|
2364
|
+
C = [], w = this.dbPool.parameters();
|
|
2365
|
+
let k = `insert into ${this.validFlowTable} (client_id, flow) values (` + w.nextParameter() + ", " + w.nextParameter() + ")";
|
|
2366
|
+
C.push(t.client_id), C.push(c[T]), await e.execute(k, C);
|
|
2367
2367
|
}
|
|
2368
2368
|
}
|
|
2369
2369
|
async getClients(e, t, r) {
|
|
@@ -2390,14 +2390,14 @@ class Je extends we {
|
|
|
2390
2390
|
h(this, "authorizationTable", "oauthauthorization");
|
|
2391
2391
|
h(this, "useridForeignKeyColumn", "userid");
|
|
2392
2392
|
h(this, "dbPool");
|
|
2393
|
-
|
|
2393
|
+
m("authorizationTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2394
2394
|
}
|
|
2395
2395
|
async getAuthorizations(e, t) {
|
|
2396
2396
|
let r = await this.dbPool.connect();
|
|
2397
2397
|
try {
|
|
2398
2398
|
const i = this.dbPool.parameters(), a = [];
|
|
2399
2399
|
let n = `select scope from ${this.authorizationTable} where client_id = ` + i.nextParameter();
|
|
2400
|
-
return a.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), a.push(t)), (await r.execute(n, a)).map((
|
|
2400
|
+
return a.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), a.push(t)), (await r.execute(n, a)).map((w) => w.scope);
|
|
2401
2401
|
} catch (i) {
|
|
2402
2402
|
throw i;
|
|
2403
2403
|
} finally {
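Review bot: The new constructor line binds `authorizationTable` to the environment key `OAUTH_CLIENT_TABLE`, a name that by its wording belongs to the OAuth client table rather than the `oauthauthorization` table this field defaults to. If the client storage class (outside this hunk) reads the same key, a deployment that sets it to rename the client table silently points every `getAuthorizations` query at that table; a dedicated key such as `m("authorizationTable", g.String, this, t, "OAUTH_AUTHORIZATION_TABLE")` avoids the collision, worth confirming against the client storage constructor. Separately, `catch (i) { throw i; }` in `getAuthorizations` rethrows unchanged and can be dropped, leaving only the `finally`. The table and column names are interpolated directly into the SQL text, so they must remain operator configuration and never be derived from request data.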
|
|
@@ -2566,7 +2566,7 @@ class be extends re {
|
|
|
2566
2566
|
return "none";
|
|
2567
2567
|
}
|
|
2568
2568
|
}
|
|
2569
|
-
const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2_ITERATIONS || 6e5),
|
|
2569
|
+
const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2_ITERATIONS || 6e5), Te = Number(process.env.PBKDF2_KEYLENGTH || 32), et = Number(process.env.PBKDF2_KEYLENGTH || 16), ae = "sha256", q = class q {
|
|
2570
2570
|
/**
|
|
2571
2571
|
* Returns true if the plaintext password, when hashed, equals the one in the hash, using
|
|
2572
2572
|
* it's hasher settings
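Review bot: The second new constant `et = Number(process.env.PBKDF2_KEYLENGTH || 16)` reads the same environment variable as `Te`, the PBKDF2 key length, so the two values can never be configured independently; given its default of 16 and the `pbkdf2SaltLength` option further down the file, `et` looks like the salt length and should read `Number(process.env.PBKDF2_SALTLENGTH || 16)`, though where `et` is consumed is outside this hunk and should be checked. `Number()` of a malformed value yields `NaN` with no startup check, and `pbkdf2` will only reject it at the first hash; a guard such as `if (!Number.isInteger(Se) || Se < 1) throw new o(l.Configuration, "PBKDF2_ITERATIONS must be a positive integer")` surfaces the misconfiguration at load time instead.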
|
|
@@ -2713,21 +2713,21 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2713
2713
|
t || (t = q.randomSalt());
|
|
2714
2714
|
let a = r != null, n = a ? t + "!" + r : t;
|
|
2715
2715
|
i == null && (i = !1);
|
|
2716
|
-
let
|
|
2716
|
+
let w = (await xe(Ne)(
|
|
2717
2717
|
s,
|
|
2718
2718
|
n,
|
|
2719
2719
|
e.iterations ?? Se,
|
|
2720
|
-
e.keyLen ??
|
|
2720
|
+
e.keyLen ?? Te,
|
|
2721
2721
|
e.digest ?? Ce
|
|
2722
2722
|
)).toString("base64url");
|
|
2723
|
-
return i && (
|
|
2724
|
-
|
|
2723
|
+
return i && (w = this.encodePasswordHash(
|
|
2724
|
+
w,
|
|
2725
2725
|
t,
|
|
2726
2726
|
a,
|
|
2727
2727
|
e.iterations ?? Se,
|
|
2728
|
-
e.keyLen ??
|
|
2728
|
+
e.keyLen ?? Te,
|
|
2729
2729
|
e.digest ?? Ce
|
|
2730
|
-
)),
|
|
2730
|
+
)), w;
|
|
2731
2731
|
}
|
|
2732
2732
|
/**
|
|
2733
2733
|
* For creating non-JWT tokens (eg password reset tokens.) The
|
|
@@ -2847,13 +2847,13 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2847
2847
|
const r = s.split(".");
|
|
2848
2848
|
if (r.length != 2) throw new o(l.InvalidHash, "Not AES-256-CBC ciphertext");
|
|
2849
2849
|
let i = Buffer.from(r[0], "base64url"), a = Buffer.from(r[1], "base64url");
|
|
2850
|
-
var n =
|
|
2850
|
+
var n = De("aes-256-cbc", t, i);
|
|
2851
2851
|
let c = n.update(a);
|
|
2852
2852
|
return c = Buffer.concat([c, n.final()]), c.toString();
|
|
2853
2853
|
}
|
|
2854
2854
|
};
|
|
2855
2855
|
h(q, "Base32", "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".split(""));
|
|
2856
|
-
let
|
|
2856
|
+
let v = q;
|
|
2857
2857
|
function tt(S) {
|
|
2858
2858
|
let s = [];
|
|
2859
2859
|
if (!S.password) s.push("Password not provided");
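Review bot: The decrypt helper built on `De("aes-256-cbc", t, i)` operates on unauthenticated ciphertext: nothing verifies the IV or ciphertext before `n.update`/`n.final`, and `final()` throws a distinct error on bad padding, so if that error reaches a caller the routine behaves as a padding oracle and anyone who can submit ciphertexts can tamper with them bit-wise. Unless the encrypting side (outside this hunk) already wraps the output in an HMAC that is verified with the imported `timingSafeEqual` (`he`), the fix is either `aes-256-gcm` with the auth tag stored next to the IV or an HMAC over `iv.ciphertext` checked before decryption; since the encrypt helper would have to change in step, only the shape is described here. At minimum, map padding failures to the same generic `InvalidHash` error so callers cannot distinguish them from format errors.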
|
|
@@ -2887,7 +2887,7 @@ const le = class le extends be {
|
|
|
2887
2887
|
h(this, "pbkdf2KeyLength", 32);
|
|
2888
2888
|
/** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn} */
|
|
2889
2889
|
h(this, "validatePasswordFn", tt);
|
|
2890
|
-
|
|
2890
|
+
m("secret", g.String, this, t, "HASHER_SECRET"), m("enableSecretForPasswordHash", g.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), m("pbkdf2Digest", g.String, this, t, "PASSWORD_PBKDF2_DIGEST"), m("pbkdf2Iterations", g.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), m("pbkdf2SaltLength", g.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), m("pbkdf2KeyLength", g.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
|
|
2891
2891
|
}
|
|
2892
2892
|
/**
|
|
2893
2893
|
* Authenticates the user, returning a the user as a {@link User} object.
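Review bot: The new option line declares `pbkdf2Iterations`, `pbkdf2SaltLength` and `pbkdf2KeyLength` with `g.String`, although their defaults are numbers (`h(this, "pbkdf2KeyLength", 32)`) and the same helper uses `g.Number` for `smtpPort`; once the environment variables are set these become strings, and Node's `pbkdf2` rejects a string `keylen`/`iterations` with `ERR_INVALID_ARG_TYPE`, so the authenticator would fail at the first hash — declare them `g.Number`. The boolean is registered as `enableSecretForPasswordHash`, while `createPasswordHash` further down reads `this.enableSecretForPasswords`; unless that property is assigned somewhere outside this hunk, the pepper is never applied to newly created hashes, and the two names should be reconciled.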
|
|
@@ -2907,7 +2907,7 @@ const le = class le extends be {
|
|
|
2907
2907
|
async authenticateUser(e, t, r) {
|
|
2908
2908
|
if (!r.password) throw new o(l.PasswordInvalid, "Password not provided");
|
|
2909
2909
|
if (!t.password) throw new o(l.PasswordInvalid);
|
|
2910
|
-
if (!await
|
|
2910
|
+
if (!await v.passwordsEqual(r.password, t.password, this.secret))
|
|
2911
2911
|
throw u.logger.debug(f({ msg: "Invalid password hash", user: e.username })), new o(l.PasswordInvalid);
|
|
2912
2912
|
if (e.state == "awaitingtwofactorsetup") throw new o(l.TwoFactorIncomplete);
|
|
2913
2913
|
if (e.state == "awaitingemailverification") throw new o(l.EmailNotVerified);
|
|
@@ -2937,7 +2937,7 @@ const le = class le extends be {
|
|
|
2937
2937
|
* @returns the encoded hash string.
|
|
2938
2938
|
*/
|
|
2939
2939
|
async createPasswordHash(e, t) {
|
|
2940
|
-
return await
|
|
2940
|
+
return await v.passwordHash(e, {
|
|
2941
2941
|
salt: t,
|
|
2942
2942
|
encode: !0,
|
|
2943
2943
|
secret: this.enableSecretForPasswords ? this.secret : void 0,
|
|
@@ -2962,7 +2962,7 @@ const le = class le extends be {
|
|
|
2962
2962
|
* @returns true if match, false otherwise
|
|
2963
2963
|
*/
|
|
2964
2964
|
async passwordMatchesHash(e, t, r) {
|
|
2965
|
-
return t == le.NoPassword ? !1 : await
|
|
2965
|
+
return t == le.NoPassword ? !1 : await v.passwordsEqual(e, t, r);
|
|
2966
2966
|
}
|
|
2967
2967
|
/**
|
|
2968
2968
|
* This will return p hash of the passed password.
|
|
@@ -3020,7 +3020,7 @@ const le = class le extends be {
|
|
|
3020
3020
|
}
|
|
3021
3021
|
};
|
|
3022
3022
|
h(le, "NoPassword", "********");
|
|
3023
|
-
let
|
|
3023
|
+
let ve = le;
|
|
3024
3024
|
class Z extends re {
|
|
3025
3025
|
/**
|
|
3026
3026
|
* Constructor
|
|
@@ -3041,7 +3041,7 @@ class Z extends re {
|
|
|
3041
3041
|
h(this, "smtpPassword");
|
|
3042
3042
|
h(this, "emailAuthenticatorTokenExpires", 60 * 5);
|
|
3043
3043
|
h(this, "render");
|
|
3044
|
-
|
|
3044
|
+
m("views", g.String, this, e, "VIEWS"), m("emailAuthenticatorTextBody", g.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), m("emailAuthenticatorHtmlBody", g.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), m("emailAuthenticatorSubject", g.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), m("emailFrom", g.String, this, e, "EMAIL_FROM", !0), m("smtpHost", g.String, this, e, "SMTP_HOST", !0), m("smtpPort", g.Number, this, e, "SMTP_PORT"), m("smtpUsername", g.String, this, e, "SMTP_USERNAME"), m("smtpPassword", g.String, this, e, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, e, "SMTP_USE_TLS"), m("emailAuthenticatorTokenExpires", g.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3045
3045
|
}
|
|
3046
3046
|
/**
|
|
3047
3047
|
* Used by the OAuth password_mfa grant type.
|
|
@@ -3112,7 +3112,7 @@ class Z extends re {
|
|
|
3112
3112
|
* @returns
|
|
3113
3113
|
*/
|
|
3114
3114
|
async reprepareConfiguration(e, t) {
|
|
3115
|
-
const r =
|
|
3115
|
+
const r = x.decodeData(t.data)["2fa"], i = Z.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.emailAuthenticatorTokenExpires).getTime(), c = this.sendToken(r.email, i);
|
|
3116
3116
|
return u.logger.info(f({
|
|
3117
3117
|
msg: "Sent factor otp email",
|
|
3118
3118
|
emailMessageId: c,
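Review bot: `ee(999999)` in `reprepareConfiguration` is `crypto.randomInt(max)`, whose range is `[0, max)`, so the code `999999` can never be issued and the OTP space is one short of the full six-digit range; use `Z.zeroPad(ee(1e6), 6)`. The bias is negligible, but the same off-by-one is repeated in the SMS authenticator and the fix is a one-character change in each place.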
|
|
@@ -3249,7 +3249,7 @@ class Q extends re {
|
|
|
3249
3249
|
h(this, "smsAuthenticatorFrom", "");
|
|
3250
3250
|
h(this, "smsAuthenticatorTokenExpires", 60 * 5);
|
|
3251
3251
|
h(this, "render");
|
|
3252
|
-
|
|
3252
|
+
m("views", g.String, this, e, "VIEWS"), m("smsAuthenticatorBody", g.String, this, e, "SMS_AUTHENTICATOR_BODY"), m("smsAuthenticatorFrom", g.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), m("smsAuthenticatorTokenExpires", g.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3253
3253
|
}
|
|
3254
3254
|
/**
|
|
3255
3255
|
* Used by the OAuth password_mfa grant type.
|
|
@@ -3289,7 +3289,7 @@ class Q extends re {
|
|
|
3289
3289
|
otp: t
|
|
3290
3290
|
};
|
|
3291
3291
|
let d = { otp: t };
|
|
3292
|
-
const
|
|
3292
|
+
const w = this.render ? this.render(this.smsAuthenticatorBody, d) : W.render(this.smsAuthenticatorBody, d), y = this.sendSms(r, w);
|
|
3293
3293
|
return u.logger.info(f({
|
|
3294
3294
|
msg: "Sent factor otp sms",
|
|
3295
3295
|
smsMessageId: y,
|
|
@@ -3303,7 +3303,7 @@ class Q extends re {
|
|
|
3303
3303
|
* @returns
|
|
3304
3304
|
*/
|
|
3305
3305
|
async reprepareConfiguration(e, t) {
|
|
3306
|
-
const r =
|
|
3306
|
+
const r = x.decodeData(t.data)["2fa"], i = Q.zeroPad(ee(999999), 6), a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * this.smsAuthenticatorTokenExpires).getTime(), c = this.sendSms(r.phone, i);
|
|
3307
3307
|
return u.logger.info(f({
|
|
3308
3308
|
msg: "Sent factor otp sms",
|
|
3309
3309
|
smsMessageId: c,
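Review bot: As in the email authenticator, `Q.zeroPad(ee(999999), 6)` excludes the value 999999 because `randomInt(max)` is exclusive of `max`; `ee(1e6)` gives the full six-digit range. Nothing in this hunk bounds the number of verification attempts against the code; if the attempt cap lives in the caller that is fine, but a five-minute window on a six-digit OTP is only safe when attempts are limited, so it is worth confirming.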
|
|
@@ -3522,7 +3522,7 @@ class Rt extends re {
|
|
|
3522
3522
|
* @returns
|
|
3523
3523
|
*/
|
|
3524
3524
|
async reprepareConfiguration(e, t) {
|
|
3525
|
-
const r =
|
|
3525
|
+
const r = x.decodeData(t.data)["2fa"], i = this.code, a = /* @__PURE__ */ new Date(), n = new Date(a.getTime() + 1e3 * 60).getTime();
|
|
3526
3526
|
return {
|
|
3527
3527
|
userData: { factor2: r.factor2, otp: i },
|
|
3528
3528
|
secrets: {},
|
|
@@ -3628,7 +3628,7 @@ class Rt extends re {
|
|
|
3628
3628
|
return Array(+(r > 0 && r)).join("0") + e;
|
|
3629
3629
|
}
|
|
3630
3630
|
}
|
|
3631
|
-
class
|
|
3631
|
+
class Dt extends be {
|
|
3632
3632
|
/**
|
|
3633
3633
|
* Create a new authenticator.
|
|
3634
3634
|
*
|
|
@@ -3639,7 +3639,7 @@ class xt extends be {
|
|
|
3639
3639
|
super({ friendlyName: "LDAP", ...t });
|
|
3640
3640
|
h(this, "ldapAutoCreateAccount", !1);
|
|
3641
3641
|
h(this, "ldapStorage");
|
|
3642
|
-
|
|
3642
|
+
m("ldapAutoCreateAccount", g.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), this.ldapStorage = e;
|
|
3643
3643
|
}
|
|
3644
3644
|
/**
|
|
3645
3645
|
* Authenticates the user, returning a the user as a {@link User} object.
|
|
@@ -3721,7 +3721,7 @@ class xt extends be {
|
|
|
3721
3721
|
async reprepareConfiguration(e, t) {
|
|
3722
3722
|
}
|
|
3723
3723
|
}
|
|
3724
|
-
class
|
|
3724
|
+
class xt extends re {
|
|
3725
3725
|
/**
|
|
3726
3726
|
* Constructor
|
|
3727
3727
|
* @param appName this forms part of the QR code that users scan into
|
|
@@ -3758,7 +3758,7 @@ class Dt extends re {
|
|
|
3758
3758
|
}), { qrUrl: r, secret: t };
|
|
3759
3759
|
}
|
|
3760
3760
|
async getSecretFromSession(e, t) {
|
|
3761
|
-
const r =
|
|
3761
|
+
const r = x.decodeData(t.data);
|
|
3762
3762
|
if (!("totpsecret" in r))
|
|
3763
3763
|
throw new o(
|
|
3764
3764
|
l.Unauthorized,
|
|
@@ -3933,7 +3933,7 @@ class R {
|
|
|
3933
3933
|
h(this, "verifyEmailExpires", 60 * 60 * 24);
|
|
3934
3934
|
h(this, "passwordResetExpires", 60 * 60 * 24);
|
|
3935
3935
|
h(this, "render");
|
|
3936
|
-
this.userStorage = s, this.keyStorage = e,
|
|
3936
|
+
this.userStorage = s, this.keyStorage = e, m("siteUrl", g.String, this, t, "SITE_URL", !0), m("prefix", g.String, this, t, "PREFIX"), m("views", g.String, this, t, "VIEWS"), m("emailVerificationTextBody", g.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), m("emailVerificationHtmlBody", g.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), m("emailVerificationSubject", g.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), m("passwordResetTextBody", g.String, this, t, "PASSWORD_RESET_TEXT_BODY"), m("passwordResetHtmlBody", g.String, this, t, "PASSWORD_RESET_HTML_BODY"), m("passwordResetSubject", g.String, this, t, "PASSWORD_RESET_SUBJECT"), m("emailFrom", g.String, this, t, "EMAIL_FROM", !0), m("smtpHost", g.String, this, t, "SMTP_HOST", !0), m("smtpPort", g.Number, this, t, "SMTP_PORT"), m("smtpUsername", g.String, this, t, "SMTP_USERNAME"), m("smtpPassword", g.String, this, t, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, t, "SMTP_USE_TLS"), m("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), m("passwordResetExpires", g.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
|
|
3937
3937
|
}
|
|
3938
3938
|
createEmailer() {
|
|
3939
3939
|
let s = {};
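Review bot: `m("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES")` parses a duration in seconds as a boolean, and `m("passwordResetExpires", g.String, ...)` parses the other duration as a string, although both default to `60 * 60 * 24` and are multiplied by `1e3` when the token expiry is computed below. Setting `VERIFY_EMAIL_EXPIRES` in the environment would therefore coerce the expiry to `true`/`false`, i.e. one second or zero, and every verification link would be expired on arrival; both should be `g.Number`, as `smtpPort` already is on the same line.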
|
|
@@ -3949,24 +3949,24 @@ class R {
|
|
|
3949
3949
|
* correct prefix for inserting into storage.
|
|
3950
3950
|
*/
|
|
3951
3951
|
static hashEmailVerificationToken(s) {
|
|
3952
|
-
return U.emailVerificationToken +
|
|
3952
|
+
return U.emailVerificationToken + v.hash(s);
|
|
3953
3953
|
}
|
|
3954
3954
|
/**
|
|
3955
3955
|
* Produces a hash of the given password reset token with the
|
|
3956
3956
|
* correct prefix for inserting into storage.
|
|
3957
3957
|
*/
|
|
3958
3958
|
static hashPasswordResetToken(s) {
|
|
3959
|
-
return U.passwordResetToken +
|
|
3959
|
+
return U.passwordResetToken + v.hash(s);
|
|
3960
3960
|
}
|
|
3961
3961
|
async createAndSaveEmailVerificationToken(s, e = "") {
|
|
3962
3962
|
let r = 0;
|
|
3963
3963
|
const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
|
|
3964
3964
|
for (; r < 10; ) {
|
|
3965
|
-
let n =
|
|
3965
|
+
let n = v.randomValue(ne), c = R.hashEmailVerificationToken(n);
|
|
3966
3966
|
try {
|
|
3967
3967
|
return await this.keyStorage.saveKey(s, c, i, a, e), n;
|
|
3968
3968
|
} catch {
|
|
3969
|
-
n =
|
|
3969
|
+
n = v.randomValue(ne), c = R.hashEmailVerificationToken(n), r++;
|
|
3970
3970
|
}
|
|
3971
3971
|
}
|
|
3972
3972
|
throw new o(l.Connection, "failed creating a unique key");
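Review bot: The bare `catch {` in the retry loop of `createAndSaveEmailVerificationToken` swallows every failure from `saveKey`, not only key collisions, so a storage outage is retried ten times with fresh tokens and then misreported as `failed creating a unique key`; `createSessionKey` in the same file only retries on `l.KeyExists`/`l.InvalidKey` and rethrows everything else. Mirror that here: `} catch (err) { if (![l.KeyExists, l.InvalidKey].includes(o.asCrossauthError(err).code)) throw err; n = v.randomValue(ne), c = R.hashEmailVerificationToken(n), r++; }`. The password-reset loop in the next hunk has the same shape and needs the same change.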
|
|
@@ -4051,11 +4051,11 @@ class R {
|
|
|
4051
4051
|
let t = 0;
|
|
4052
4052
|
const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
|
|
4053
4053
|
for (; t < 10; ) {
|
|
4054
|
-
let a =
|
|
4054
|
+
let a = v.randomValue(ne), n = R.hashPasswordResetToken(a);
|
|
4055
4055
|
try {
|
|
4056
4056
|
return await this.keyStorage.saveKey(s, n, r, i), a;
|
|
4057
4057
|
} catch {
|
|
4058
|
-
a =
|
|
4058
|
+
a = v.randomValue(ne), n = R.hashPasswordResetToken(a), t++;
|
|
4059
4059
|
}
|
|
4060
4060
|
}
|
|
4061
4061
|
throw new o(l.Connection, "failed creating a unique key");
|
|
@@ -4177,7 +4177,7 @@ class rt {
|
|
|
4177
4177
|
h(this, "sameSite", "lax");
|
|
4178
4178
|
// hasher settings
|
|
4179
4179
|
h(this, "secret", "");
|
|
4180
|
-
|
|
4180
|
+
m("headerName", g.String, this, s, "CSRF_HEADER_NAME"), m("cookieName", g.String, this, s, "CSRF_COOKIE_NAME"), m("domain", g.String, this, s, "CSRF_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, s, "CSRF_COOKIE_HTTPONLY"), m("path", g.String, this, s, "CSRF_COOKIE_PATH"), m("secure", g.Boolean, this, s, "CSRF_COOKIE_SECURE"), m("sameSite", g.String, this, s, "CSRF_COOKIE_SAMESITE"), m("secret", g.String, this, s, "SECRET", !0);
|
|
4181
4181
|
}
|
|
4182
4182
|
/**
|
|
4183
4183
|
* Creates a session key and saves in storage
|
|
@@ -4187,7 +4187,7 @@ class rt {
|
|
|
4187
4187
|
* @returns a random CSRF token.
|
|
4188
4188
|
*/
|
|
4189
4189
|
createCsrfToken() {
|
|
4190
|
-
return
|
|
4190
|
+
return v.randomValue(_e);
|
|
4191
4191
|
}
|
|
4192
4192
|
/**
|
|
4193
4193
|
* Returns a {@link Cookie } object with the given session key.
|
|
@@ -4196,7 +4196,7 @@ class rt {
|
|
|
4196
4196
|
* @returns a {@link Cookie } object,
|
|
4197
4197
|
*/
|
|
4198
4198
|
makeCsrfCookie(s) {
|
|
4199
|
-
const e =
|
|
4199
|
+
const e = v.signSecureToken(s, this.secret);
|
|
4200
4200
|
let t = {};
|
|
4201
4201
|
return this.domain && (t.domain = this.domain), this.path && (t.path = this.path), t.sameSite = this.sameSite, this.httpOnly && (t.httpOnly = this.httpOnly), this.secure && (t.secure = this.secure), {
|
|
4202
4202
|
name: this.cookieName,
|
|
@@ -4208,7 +4208,7 @@ class rt {
|
|
|
4208
4208
|
return this.maskCsrfToken(s);
|
|
4209
4209
|
}
|
|
4210
4210
|
unsignCookie(s) {
|
|
4211
|
-
return
|
|
4211
|
+
return v.unsignSecureToken(s, this.secret);
|
|
4212
4212
|
}
|
|
4213
4213
|
/**
|
|
4214
4214
|
* Takes a session ID and creates a string representation of the cookie (value of the HTTP `Cookie` header).
|
|
@@ -4221,14 +4221,14 @@ class rt {
|
|
|
4221
4221
|
return this.domain && (e += "; " + this.domain), this.path && (e += "; " + this.path), this.httpOnly && (e += "; httpOnly"), this.secure && (e += "; secure"), e;
|
|
4222
4222
|
}
|
|
4223
4223
|
maskCsrfToken(s) {
|
|
4224
|
-
const e =
|
|
4224
|
+
const e = v.randomValue(_e), t = v.xor(s, e);
|
|
4225
4225
|
return e + "." + t;
|
|
4226
4226
|
}
|
|
4227
4227
|
unmaskCsrfToken(s) {
|
|
4228
4228
|
const e = s.split(".");
|
|
4229
4229
|
if (e.length != 2) throw new o(l.InvalidCsrf, "CSRF token in header or form not in correct format");
|
|
4230
4230
|
const t = e[0], r = e[1];
|
|
4231
|
-
return
|
|
4231
|
+
return v.xor(r, t);
|
|
4232
4232
|
}
|
|
4233
4233
|
/**
|
|
4234
4234
|
* Validates the passed CSRF token.
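Review bot: `toCookieString` in this hunk appends `"; " + this.domain` and `"; " + this.path`, producing attributes such as `; example.com` with no `Domain=`/`Path=` name, and it never writes the `SameSite` value that `makeCsrfCookie` sets on the cookie object, so any consumer of this string gets a malformed attribute list. Whether this helper is used to build `Set-Cookie` is not visible here, but the fix is `this.domain && (e += "; Domain=" + this.domain), this.path && (e += "; Path=" + this.path), this.sameSite && (e += "; SameSite=" + this.sameSite)`. The mask/unmask pair is sound provided `v.xor` rejects length mismatches, which is defined outside this hunk and worth confirming.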
|
|
@@ -4245,12 +4245,12 @@ class rt {
|
|
|
4245
4245
|
const t = this.unmaskCsrfToken(e);
|
|
4246
4246
|
let r;
|
|
4247
4247
|
try {
|
|
4248
|
-
r =
|
|
4248
|
+
r = v.unsignSecureToken(s, this.secret);
|
|
4249
4249
|
} catch (i) {
|
|
4250
4250
|
throw u.logger.error(f({ err: i })), new o(l.InvalidCsrf, "Invalid CSRF cookie");
|
|
4251
4251
|
}
|
|
4252
4252
|
if (r != t)
|
|
4253
|
-
throw u.logger.warn(f({ msg: "Invalid CSRF token received - form/header value does not match", csrfCookieHash:
|
|
4253
|
+
throw u.logger.warn(f({ msg: "Invalid CSRF token received - form/header value does not match", csrfCookieHash: v.hash(s) })), new o(l.InvalidCsrf);
|
|
4254
4254
|
}
|
|
4255
4255
|
/**
|
|
4256
4256
|
* Validates the passed CSRF cookie (doesn't check it matches the token, just that the cookie is valid).
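Review bot: `if (r != t)` compares the unsigned CSRF cookie value with the unmasked form/header token using ordinary string inequality, which leaks the position of the first mismatching character through timing; `timingSafeEqual` is already imported as `he`. Replace it with `const rb = Buffer.from(r), tb = Buffer.from(t); if (rb.length != tb.length || !he(rb, tb))` — the length guard is required because `timingSafeEqual` throws on unequal lengths. Logging `csrfCookieHash` on the mismatch path is useful; consider adding the same field to the `unsignSecureToken` failure log just above for correlation.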
|
|
@@ -4264,13 +4264,13 @@ class rt {
|
|
|
4264
4264
|
*/
|
|
4265
4265
|
validateCsrfCookie(s) {
|
|
4266
4266
|
try {
|
|
4267
|
-
return
|
|
4267
|
+
return v.unsignSecureToken(s, this.secret);
|
|
4268
4268
|
} catch (e) {
|
|
4269
4269
|
throw u.logger.error(f({ err: e })), new o(l.InvalidCsrf, "Invalid CSRF cookie");
|
|
4270
4270
|
}
|
|
4271
4271
|
}
|
|
4272
4272
|
}
|
|
4273
|
-
class
|
|
4273
|
+
class D {
|
|
4274
4274
|
/**
|
|
4275
4275
|
* Constructor.
|
|
4276
4276
|
*
|
|
@@ -4299,7 +4299,7 @@ class x {
|
|
|
4299
4299
|
h(this, "sameSite", "lax");
|
|
4300
4300
|
// hasher settings
|
|
4301
4301
|
h(this, "secret", "");
|
|
4302
|
-
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s,
|
|
4302
|
+
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, m("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), m("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, m("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), m("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), m("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), m("path", g.String, this, e, "SESSION_COOKIE_PATH"), m("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), m("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), m("secret", g.String, this, e, "SECRET", !0);
|
|
4303
4303
|
}
|
|
4304
4304
|
expiry(s) {
|
|
4305
4305
|
let e;
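Review bot: The environment key for `httpOnly` is `SESSIONCOOKIE_HTTPONLY`, breaking the `SESSION_COOKIE_*` prefix used by every neighbour on the line and by the CSRF class's `CSRF_COOKIE_HTTPONLY`; an operator who sets `SESSION_COOKIE_HTTPONLY` gets no effect and the session cookie keeps whatever default `httpOnly` has, a silent misconfiguration that weakens cookie hardening. Unless the odd spelling is documented, accept `SESSION_COOKIE_HTTPONLY` (keeping the old name for compatibility if needed). `maxAge` is registered as `g.String` although it is a duration; `g.Number` matches `idleTimeout` on the same line.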
|
|
@@ -4313,7 +4313,7 @@ class x {
|
|
|
4313
4313
|
* @returns a base64-url-encoded string that can go into the storage
|
|
4314
4314
|
*/
|
|
4315
4315
|
static hashSessionId(s) {
|
|
4316
|
-
return U.session +
|
|
4316
|
+
return U.session + v.hash(s);
|
|
4317
4317
|
}
|
|
4318
4318
|
/**
|
|
4319
4319
|
* Creates a session key and saves in storage
|
|
@@ -4332,20 +4332,20 @@ class x {
|
|
|
4332
4332
|
* attempts exceeded trying to create a unique session id
|
|
4333
4333
|
*/
|
|
4334
4334
|
async createSessionKey(s, e = {}) {
|
|
4335
|
-
let r = 0, i =
|
|
4335
|
+
let r = 0, i = v.randomValue(ke);
|
|
4336
4336
|
const a = /* @__PURE__ */ new Date();
|
|
4337
4337
|
let n = this.expiry(a), c = !1;
|
|
4338
4338
|
for (; r < 10 && !c; ) {
|
|
4339
|
-
const d =
|
|
4339
|
+
const d = D.hashSessionId(i);
|
|
4340
4340
|
try {
|
|
4341
4341
|
this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, d, a, n, void 0, e), c = !0;
|
|
4342
|
-
} catch (
|
|
4343
|
-
let y = o.asCrossauthError(
|
|
4342
|
+
} catch (w) {
|
|
4343
|
+
let y = o.asCrossauthError(w);
|
|
4344
4344
|
if (y.code == l.KeyExists || y.code == l.InvalidKey) {
|
|
4345
|
-
if (r++, i =
|
|
4345
|
+
if (r++, i = v.randomValue(ke), r > 10)
|
|
4346
4346
|
throw u.logger.error(f({ msg: "Max attempts exceeded trying to create session ID" })), new o(l.KeyExists);
|
|
4347
4347
|
} else
|
|
4348
|
-
throw u.logger.debug(f({ err:
|
|
4348
|
+
throw u.logger.debug(f({ err: w })), w;
|
|
4349
4349
|
}
|
|
4350
4350
|
}
|
|
4351
4351
|
return {
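Review bot: The retry guard `if (r++, i = v.randomValue(ke), r > 10)` in `createSessionKey` is unreachable: the loop runs only while `r < 10`, so `r` reaches 10 at most and the `Max attempts exceeded` throw never fires; after ten collisions the loop exits with `c` still false and the function returns a session id that was never saved, which the cookie code then signs as if it were valid. Change the condition to `r >= 10`, or test `!c` after the loop and throw `new o(l.KeyExists)` there. The `return` that follows opens an object literal that continues past the hunk.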
|
|
@@ -4365,7 +4365,7 @@ class x {
|
|
|
4365
4365
|
* @returns a {@link Cookie } object,
|
|
4366
4366
|
*/
|
|
4367
4367
|
makeCookie(s, e) {
|
|
4368
|
-
let t =
|
|
4368
|
+
let t = v.signSecureToken(s.value, this.secret), r = {};
|
|
4369
4369
|
return e == null && (e = this.persist), this.domain && (r.domain = this.domain), s.expires && e && (r.expires = s.expires), this.path && (r.path = this.path), r.sameSite = this.sameSite, this.httpOnly && (r.httpOnly = this.httpOnly), this.secure && (r.secure = this.secure), {
|
|
4370
4370
|
name: this.cookieName,
|
|
4371
4371
|
value: t,
|
|
@@ -4392,7 +4392,7 @@ class x {
|
|
|
4392
4392
|
*/
|
|
4393
4393
|
async updateSessionKey(s) {
|
|
4394
4394
|
if (!s.value) throw new o(l.InvalidKey, "No session when updating activity");
|
|
4395
|
-
s.value =
|
|
4395
|
+
s.value = D.hashSessionId(s.value), await this.keyStorage.updateKey(s);
|
|
4396
4396
|
}
|
|
4397
4397
|
/**
|
|
4398
4398
|
* Unsigns a cookie and returns the original value.
|
|
@@ -4402,7 +4402,7 @@ class x {
|
|
|
4402
4402
|
* is invalid.
|
|
4403
4403
|
*/
|
|
4404
4404
|
unsignCookie(s) {
|
|
4405
|
-
return
|
|
4405
|
+
return v.unsignSecureToken(s, this.secret);
|
|
4406
4406
|
}
|
|
4407
4407
|
/**
|
|
4408
4408
|
* Returns the user matching the given session key in session storage, or throws an exception.
|
|
@@ -4440,13 +4440,13 @@ class x {
|
|
|
4440
4440
|
* `Expired` or `UserNotExist`.
|
|
4441
4441
|
*/
|
|
4442
4442
|
async getSessionKey(s) {
|
|
4443
|
-
const e = Date.now(), t =
|
|
4443
|
+
const e = Date.now(), t = D.hashSessionId(s), r = await this.keyStorage.getKey(t);
|
|
4444
4444
|
if (r.value = s, r.expires && e > r.expires.getTime())
|
|
4445
|
-
throw u.logger.warn(f({ msg: "Session id in cookie expired in key storage", hashedSessionCookie:
|
|
4445
|
+
throw u.logger.warn(f({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: v.hash(s) })), new o(l.Expired);
|
|
4446
4446
|
if (r.userid && this.idleTimeout > 0 && r.lastactive && e > r.lastactive.getTime() + this.idleTimeout * 1e3)
|
|
4447
|
-
throw u.logger.warn(f({ msg: "Session cookie with expired idle time received", hashedSessionCookie:
|
|
4447
|
+
throw u.logger.warn(f({ msg: "Session cookie with expired idle time received", hashedSessionCookie: v.hash(s) })), new o(l.Expired);
|
|
4448
4448
|
if (this.filterFunction && !this.filterFunction(r))
|
|
4449
|
-
throw u.logger.warn(f({ msg: "Filter function on session id in cookie failed", hashedSessionCookie:
|
|
4449
|
+
throw u.logger.warn(f({ msg: "Filter function on session id in cookie failed", hashedSessionCookie: v.hash(s) })), new o(l.InvalidKey);
|
|
4450
4450
|
return r;
|
|
4451
4451
|
}
|
|
4452
4452
|
/**
|
|
@@ -4455,7 +4455,7 @@ class x {
|
|
|
4455
4455
|
* @param except if defined, don't delete this key
|
|
4456
4456
|
*/
|
|
4457
4457
|
async deleteAllForUser(s, e) {
|
|
4458
|
-
e && (e =
|
|
4458
|
+
e && (e = D.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, U.session, e);
|
|
4459
4459
|
}
|
|
4460
4460
|
}
|
|
4461
4461
|
class Lt {
|
|
@@ -4480,7 +4480,7 @@ class Lt {
|
|
|
4480
4480
|
t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
|
|
4481
4481
|
for (let r in this.authenticators)
|
|
4482
4482
|
this.authenticators[r].factorName = r;
|
|
4483
|
-
if (this.session = new
|
|
4483
|
+
if (this.session = new D(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
|
|
4484
4484
|
let r = this.keyStorage;
|
|
4485
4485
|
t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new R(this.userStorage, r, t);
|
|
4486
4486
|
}
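Review bot: `new R(this.userStorage, r, t)` hands the token emailer `r = this.keyStorage`, even though the preceding expression assigns `t.emailTokenStorage` to `this.emailTokenStorage`; `R`'s constructor stores its second argument as `keyStorage` and saves verification and reset tokens through it, so tokens land in the main key store while the login path later deletes them from `this.emailTokenStorage`. If a dedicated email-token store is intended, pass it through: `this.tokenEmailer = new R(this.userStorage, this.emailTokenStorage, t)`; otherwise the `emailTokenStorage` option is dead and should be removed or documented as such.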
|
|
@@ -4558,7 +4558,7 @@ class Lt {
|
|
|
4558
4558
|
const p = await this.session.createSessionKey(i.id, t);
|
|
4559
4559
|
c = this.session.makeCookie(p, r);
|
|
4560
4560
|
}
|
|
4561
|
-
const d = this.csrfTokens.createCsrfToken(),
|
|
4561
|
+
const d = this.csrfTokens.createCsrfToken(), w = this.csrfTokens.makeCsrfCookie(d), y = this.csrfTokens.makeCsrfFormOrHeaderToken(d);
|
|
4562
4562
|
try {
|
|
4563
4563
|
this.emailTokenStorage.deleteAllForUser(
|
|
4564
4564
|
i.id,
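Review bot: `this.emailTokenStorage.deleteAllForUser(` inside the `try` is not awaited, so any rejection bypasses the surrounding `catch` and surfaces as an unhandled promise rejection, and the method can return its cookies before stale verification/reset tokens for the user are removed. Either `await` the call, keeping the `catch` for best-effort handling, or, if it is deliberately fire-and-forget, attach `.catch((err) => u.logger.warn(f({ err })))` so the rejection is observed. The call and the enclosing method continue outside the hunk.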
|
|
@@ -4569,7 +4569,7 @@ class Lt {
|
|
|
4569
4569
|
}
|
|
4570
4570
|
return {
|
|
4571
4571
|
sessionCookie: c,
|
|
4572
|
-
csrfCookie:
|
|
4572
|
+
csrfCookie: w,
|
|
4573
4573
|
csrfFormOrHeaderValue: y,
|
|
4574
4574
|
user: i,
|
|
4575
4575
|
secrets: n
|
|
@@ -4602,7 +4602,7 @@ class Lt {
|
|
|
4602
4602
|
*/
|
|
4603
4603
|
async logout(s) {
|
|
4604
4604
|
const e = await this.session.getSessionKey(s);
|
|
4605
|
-
return await this.keyStorage.deleteKey(
|
|
4605
|
+
return await this.keyStorage.deleteKey(D.hashSessionId(e.value));
|
|
4606
4606
|
}
|
|
4607
4607
|
/**
|
|
4608
4608
|
* Logs a user out from all sessions.
|
|
@@ -4750,8 +4750,8 @@ class Lt {
|
|
|
4750
4750
|
* @param value new value to store
|
|
4751
4751
|
*/
|
|
4752
4752
|
async updateSessionData(s, e, t) {
|
|
4753
|
-
const r =
|
|
4754
|
-
u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie:
|
|
4753
|
+
const r = D.hashSessionId(s);
|
|
4754
|
+
u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: v.hash(s) })), await this.keyStorage.updateData(r, e, t);
|
|
4755
4755
|
}
|
|
4756
4756
|
/**
|
|
4757
4757
|
* Update field sin the session data.
|
|
@@ -4762,8 +4762,8 @@ class Lt {
|
|
|
4762
4762
|
* @param dataArray names and values.
|
|
4763
4763
|
*/
|
|
4764
4764
|
async updateManySessionData(s, e) {
|
|
4765
|
-
const t =
|
|
4766
|
-
u.logger.debug(f({ msg: "Updating session data", hashedSessionCookie:
|
|
4765
|
+
const t = D.hashSessionId(s);
|
|
4766
|
+
u.logger.debug(f({ msg: "Updating session data", hashedSessionCookie: v.hash(s) })), await this.keyStorage.updateManyData(t, e);
|
|
4767
4767
|
}
|
|
4768
4768
|
/**
|
|
4769
4769
|
* Deletes a field from the session data.
|
|
@@ -4774,8 +4774,8 @@ class Lt {
|
|
|
4774
4774
|
* @param name of the field.
|
|
4775
4775
|
*/
|
|
4776
4776
|
async deleteSessionData(s, e) {
|
|
4777
|
-
const t =
|
|
4778
|
-
u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie:
|
|
4777
|
+
const t = D.hashSessionId(s);
|
|
4778
|
+
u.logger.debug(f({ msg: `Updating session data value${e}`, hashedSessionCookie: v.hash(s) })), await this.keyStorage.deleteData(t, e);
|
|
4779
4779
|
}
|
|
4780
4780
|
/**
|
|
4781
4781
|
* Deletes the given session ID from the key storage (not the cookie)
|
|
@@ -4783,7 +4783,7 @@ class Lt {
|
|
|
4783
4783
|
* @param sessionId the session Id to delete
|
|
4784
4784
|
*/
|
|
4785
4785
|
async deleteSession(s) {
|
|
4786
|
-
return await this.keyStorage.deleteKey(
|
|
4786
|
+
return await this.keyStorage.deleteKey(D.hashSessionId(s));
|
|
4787
4787
|
}
|
|
4788
4788
|
/**
|
|
4789
4789
|
* Creates a new user, sending an email verification message if necessary.
|
|
@@ -4838,7 +4838,7 @@ class Lt {
|
|
|
4838
4838
|
if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
|
|
4839
4839
|
const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, d = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
|
|
4840
4840
|
return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
|
|
4841
|
-
|
|
4841
|
+
D.hashSessionId(t),
|
|
4842
4842
|
"2fa",
|
|
4843
4843
|
c
|
|
4844
4844
|
), { userid: (await this.userStorage.createUser(s, d)).id, userData: n };
|
|
@@ -4858,13 +4858,13 @@ class Lt {
|
|
|
4858
4858
|
if (!this.authenticators[e]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
|
|
4859
4859
|
const i = await this.authenticators[e].prepareConfiguration(s), a = i == null ? {} : i.userData, n = i == null ? {} : i.sessionData;
|
|
4860
4860
|
return await this.keyStorage.updateData(
|
|
4861
|
-
|
|
4861
|
+
D.hashSessionId(t),
|
|
4862
4862
|
"2fa",
|
|
4863
4863
|
n
|
|
4864
4864
|
), a;
|
|
4865
4865
|
}
|
|
4866
4866
|
return await this.userStorage.updateUser({ id: s.id, factor2: e ?? "" }), await this.keyStorage.updateData(
|
|
4867
|
-
|
|
4867
|
+
D.hashSessionId(t),
|
|
4868
4868
|
"2fa",
|
|
4869
4869
|
void 0
|
|
4870
4870
|
), {};
|
|
@@ -4884,10 +4884,10 @@ class Lt {
|
|
|
4884
4884
|
*/
|
|
4885
4885
|
async repeatTwoFactorSignup(s) {
|
|
4886
4886
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
|
|
4887
|
-
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i =
|
|
4887
|
+
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
|
|
4888
4888
|
y && await this.keyStorage.updateData(i, "2fa", y);
|
|
4889
4889
|
const { user: p } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
|
|
4890
|
-
return { userid: p.id, userData: d, secrets:
|
|
4890
|
+
return { userid: p.id, userData: d, secrets: w };
|
|
4891
4891
|
}
|
|
4892
4892
|
/**
|
|
4893
4893
|
* Authenticates with the second factor.
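Review bot: `this.authenticators[r].reprepareConfiguration(t, a)` dereferences the factor name stored in session data without checking it is registered, unlike the two-factor signup and change paths above, so a stale or unknown `factor2` value produces a `TypeError` instead of the `Configuration` error those paths raise. Add `if (!this.authenticators[r]) throw new o(l.Configuration, "Unrecognised second factor authentication");` before the call. The `secrets` object from `reprepareConfiguration` is returned to the caller unchanged, which is fine as long as the caller never renders it.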
|
|
@@ -4908,14 +4908,14 @@ class Lt {
|
|
|
4908
4908
|
if (r && r.state != E.active && r.state != E.factor2ResetNeeded)
|
|
4909
4909
|
throw new o(l.UserNotActive);
|
|
4910
4910
|
if (!i) throw new o(l.InvalidKey, "Session key not found");
|
|
4911
|
-
let a =
|
|
4911
|
+
let a = x.decodeData(i.data)["2fa"];
|
|
4912
4912
|
if (!(a != null && a.factor2) || !(a != null && a.username)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
|
|
4913
4913
|
let n = a.username;
|
|
4914
4914
|
const c = this.authenticators[a.factor2];
|
|
4915
4915
|
if (!c) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4916
|
-
const d = {},
|
|
4916
|
+
const d = {}, w = c.secretNames();
|
|
4917
4917
|
for (let C in a)
|
|
4918
|
-
|
|
4918
|
+
w.includes(C) && (d[C] = a[C]);
|
|
4919
4919
|
await c.authenticateUser(void 0, a, s), r || (t = !0, r = (await this.userStorage.getUserByUsername(n, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user);
|
|
4920
4920
|
const y = c.skipEmailVerificationOnSignup() == !0;
|
|
4921
4921
|
if (!r) throw new o(l.UserNotExist, "Couldn't fetch user");
|
|
@@ -4924,7 +4924,7 @@ class Lt {
|
|
|
4924
4924
|
state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
|
|
4925
4925
|
factor2: a.factor2
|
|
4926
4926
|
};
|
|
4927
|
-
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(
|
|
4927
|
+
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(D.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
|
|
4928
4928
|
}
|
|
4929
4929
|
/**
|
|
4930
4930
|
* Initiates the two factor login process.
|
|
@@ -4954,14 +4954,14 @@ class Lt {
|
|
|
4954
4954
|
*/
|
|
4955
4955
|
async initiateTwoFactorPageVisit(s, e, t, r, i) {
|
|
4956
4956
|
const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
|
|
4957
|
-
let c, d,
|
|
4958
|
-
const y =
|
|
4957
|
+
let c, d, w;
|
|
4958
|
+
const y = D.hashSessionId(e);
|
|
4959
4959
|
u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
|
|
4960
4960
|
let p = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
|
|
4961
4961
|
return i && (p["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", p), {
|
|
4962
4962
|
sessionCookie: c,
|
|
4963
4963
|
csrfCookie: d,
|
|
4964
|
-
csrfFormOrHeaderValue:
|
|
4964
|
+
csrfFormOrHeaderValue: w
|
|
4965
4965
|
};
|
|
4966
4966
|
}
|
|
4967
4967
|
/**
|
|
@@ -4977,14 +4977,14 @@ class Lt {
|
|
|
4977
4977
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorPageVisit if no user storage provided");
|
|
4978
4978
|
let { key: t } = await this.session.getUserForSessionId(e);
|
|
4979
4979
|
if (!t) throw new o(l.InvalidKey, "Session key not found");
|
|
4980
|
-
let r =
|
|
4980
|
+
let r = x.decodeData(t.data);
|
|
4981
4981
|
if (!("pre2fa" in r)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
|
|
4982
4982
|
const { secrets: i } = await this.userStorage.getUserByUsername(r.pre2fa.username), a = this.authenticators[r.pre2fa.factor2];
|
|
4983
4983
|
if (!a) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4984
4984
|
const n = {}, c = a.secretNames();
|
|
4985
4985
|
for (let d in i)
|
|
4986
4986
|
c.includes(d) && d in i && (n[d] = i[d]);
|
|
4987
|
-
await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(
|
|
4987
|
+
await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(D.hashSessionId(t.value), "pre2fa", void 0);
|
|
4988
4988
|
}
|
|
4989
4989
|
/**
|
|
4990
4990
|
* Cancels the 2FA that was previously initiated but not completed..
|
|
@@ -4998,9 +4998,9 @@ class Lt {
|
|
|
4998
4998
|
async cancelTwoFactorPageVisit(s) {
|
|
4999
4999
|
let { key: e } = await this.session.getUserForSessionId(s);
|
|
5000
5000
|
if (!e) throw new o(l.InvalidKey, "Session key not found");
|
|
5001
|
-
let t =
|
|
5001
|
+
let t = x.decodeData(e.data);
|
|
5002
5002
|
if (!("pre2fa" in t)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
|
|
5003
|
-
return await this.keyStorage.updateData(
|
|
5003
|
+
return await this.keyStorage.updateData(D.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
|
|
5004
5004
|
}
|
|
5005
5005
|
/**
|
|
5006
5006
|
* Performs the second factor authentication as the second step of the login
|
|
@@ -5023,13 +5023,13 @@ class Lt {
|
|
|
5023
5023
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorLogin if no user storage provided");
|
|
5024
5024
|
let { key: i } = await this.session.getUserForSessionId(e);
|
|
5025
5025
|
if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
|
|
5026
|
-
let a =
|
|
5027
|
-
const { user: d, secrets:
|
|
5026
|
+
let a = x.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
|
|
5027
|
+
const { user: d, secrets: w } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
|
|
5028
5028
|
if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
|
|
5029
|
-
await y.authenticateUser(d, { ...
|
|
5029
|
+
await y.authenticateUser(d, { ...w, ...a }, s);
|
|
5030
5030
|
const p = await this.session.createSessionKey(d.id, t);
|
|
5031
|
-
await this.keyStorage.deleteKey(
|
|
5032
|
-
const _ = this.session.makeCookie(p, r), C = this.csrfTokens.createCsrfToken(),
|
|
5031
|
+
await this.keyStorage.deleteKey(D.hashSessionId(i.value));
|
|
5032
|
+
const _ = this.session.makeCookie(p, r), C = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(C), k = this.csrfTokens.makeCsrfFormOrHeaderToken(C);
|
|
5033
5033
|
try {
|
|
5034
5034
|
this.emailTokenStorage.deleteAllForUser(
|
|
5035
5035
|
d.id,
|
|
@@ -5040,7 +5040,7 @@ class Lt {
|
|
|
5040
5040
|
}
|
|
5041
5041
|
return {
|
|
5042
5042
|
sessionCookie: _,
|
|
5043
|
-
csrfCookie:
|
|
5043
|
+
csrfCookie: T,
|
|
5044
5044
|
csrfFormOrHeaderValue: k,
|
|
5045
5045
|
user: d
|
|
5046
5046
|
};
|
|
@@ -5106,8 +5106,8 @@ class Lt {
|
|
|
5106
5106
|
a.id,
|
|
5107
5107
|
U.passwordResetToken
|
|
5108
5108
|
);
|
|
5109
|
-
} catch (
|
|
5110
|
-
u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err:
|
|
5109
|
+
} catch (w) {
|
|
5110
|
+
u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: s })), u.logger.debug(f({ err: w }));
|
|
5111
5111
|
}
|
|
5112
5112
|
return a;
|
|
5113
5113
|
}
|
|
@@ -5127,19 +5127,19 @@ class Lt {
|
|
|
5127
5127
|
throw new o(l.UserNotExist, "Please specify a userername");
|
|
5128
5128
|
let { email: a, username: n, password: c, ...d } = e;
|
|
5129
5129
|
d.userid = s.userid;
|
|
5130
|
-
let
|
|
5130
|
+
let w = !1;
|
|
5131
5131
|
if (a)
|
|
5132
|
-
i = a, R.validateEmail(i),
|
|
5132
|
+
i = a, R.validateEmail(i), w = !0;
|
|
5133
5133
|
else if (n) {
|
|
5134
5134
|
i = n;
|
|
5135
5135
|
try {
|
|
5136
|
-
R.validateEmail(s.username),
|
|
5136
|
+
R.validateEmail(s.username), w = !0;
|
|
5137
5137
|
} catch {
|
|
5138
5138
|
}
|
|
5139
|
-
|
|
5139
|
+
w && R.validateEmail(i);
|
|
5140
5140
|
}
|
|
5141
|
-
return !t && this.enableEmailVerification &&
|
|
5142
|
-
emailVerificationTokenSent: !t && this.enableEmailVerification &&
|
|
5141
|
+
return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
|
|
5142
|
+
emailVerificationTokenSent: !t && this.enableEmailVerification && w,
|
|
5143
5143
|
passwordResetTokenSent: e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded
|
|
5144
5144
|
};
|
|
5145
5145
|
}
|
|
@@ -5192,7 +5192,7 @@ class ge {
|
|
|
5192
5192
|
h(this, "prefix", U.apiKey);
|
|
5193
5193
|
/** The name of the speak in the Authorization header. Defaults to "ApiKey" */
|
|
5194
5194
|
h(this, "authScheme", "ApiKey");
|
|
5195
|
-
this.apiKeyStorage = s,
|
|
5195
|
+
this.apiKeyStorage = s, m("secret", g.String, this, e, "SECRET", !0), m("keyLength", g.String, this, e, "APIKEY_LENGTH"), m("prefix", g.String, this, e, "APIKEY_PREFIX"), m("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
|
|
5196
5196
|
}
|
|
5197
5197
|
/**
|
|
5198
5198
|
* Creates a new random key and returns it, unsigned. It is also persisted in the key storage as a
|
|
@@ -5213,11 +5213,11 @@ class ge {
|
|
|
5213
5213
|
* Authorization header (with the signature appended.)
|
|
5214
5214
|
*/
|
|
5215
5215
|
async createKey(s, e, t, r, i) {
|
|
5216
|
-
const a =
|
|
5216
|
+
const a = v.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = ge.hashApiKeyValue(a), w = {
|
|
5217
5217
|
name: s,
|
|
5218
5218
|
value: a,
|
|
5219
5219
|
userid: e,
|
|
5220
|
-
data:
|
|
5220
|
+
data: x.encodeData(t),
|
|
5221
5221
|
expires: c,
|
|
5222
5222
|
created: n,
|
|
5223
5223
|
...i
|
|
@@ -5227,14 +5227,14 @@ class ge {
|
|
|
5227
5227
|
this.prefix + d,
|
|
5228
5228
|
n,
|
|
5229
5229
|
c,
|
|
5230
|
-
|
|
5230
|
+
w.data,
|
|
5231
5231
|
{ name: s, ...i }
|
|
5232
5232
|
);
|
|
5233
5233
|
const y = this.signApiKeyValue(a);
|
|
5234
|
-
return { key:
|
|
5234
|
+
return { key: w, token: y };
|
|
5235
5235
|
}
|
|
5236
5236
|
static hashApiKeyValue(s) {
|
|
5237
|
-
return
|
|
5237
|
+
return v.hash(s);
|
|
5238
5238
|
}
|
|
5239
5239
|
/**
|
|
5240
5240
|
* Returns the hash of the bearer value from the Authorization header.
|
|
@@ -5245,13 +5245,13 @@ class ge {
|
|
|
5245
5245
|
* @returns a hash of the value (without the prefix).
|
|
5246
5246
|
*/
|
|
5247
5247
|
static hashSignedApiKeyValue(s) {
|
|
5248
|
-
return
|
|
5248
|
+
return v.hash(s.split(".")[0]);
|
|
5249
5249
|
}
|
|
5250
5250
|
unsignApiKeyValue(s) {
|
|
5251
|
-
return
|
|
5251
|
+
return v.unsign(s, this.secret).v;
|
|
5252
5252
|
}
|
|
5253
5253
|
signApiKeyValue(s) {
|
|
5254
|
-
return
|
|
5254
|
+
return v.sign({ v: s }, this.secret);
|
|
5255
5255
|
}
|
|
5256
5256
|
async getKey(s) {
|
|
5257
5257
|
if (this.authScheme != "" && s.startsWith(this.authScheme + " ")) {
|
|
@@ -5290,7 +5290,7 @@ class J {
|
|
|
5290
5290
|
l.Configuration,
|
|
5291
5291
|
"Must specify clientStorage when adding a client manager"
|
|
5292
5292
|
);
|
|
5293
|
-
this.clientStorage = s.clientStorage,
|
|
5293
|
+
this.clientStorage = s.clientStorage, m("oauthPbkdf2Digest", g.String, this, s, "OAUTH_PBKDF2_DIGEST"), m("oauthPbkdf2KeyLength", g.String, this, s, "OAUTH_PBKDF2_KEYLENGTH"), m("requireRedirectUriRegistration", g.Boolean, this, s, "OAUTH_REQUIRE_REDIRECT_URI_REGISTRATION");
|
|
5294
5294
|
}
|
|
5295
5295
|
/**
|
|
5296
5296
|
* Creates a client and puts it in the storage
|
|
@@ -5307,7 +5307,7 @@ class J {
|
|
|
5307
5307
|
async createClient(s, e, t, r = !0, i) {
|
|
5308
5308
|
const a = J.randomClientId();
|
|
5309
5309
|
let n, c;
|
|
5310
|
-
r && (c = J.randomClientSecret(), n = await
|
|
5310
|
+
r && (c = J.randomClientSecret(), n = await v.passwordHash(c, {
|
|
5311
5311
|
encode: !0,
|
|
5312
5312
|
iterations: this.oauthPbkdf2Iterations,
|
|
5313
5313
|
keyLen: this.oauthPbkdf2KeyLength,
|
|
@@ -5324,10 +5324,10 @@ class J {
|
|
|
5324
5324
|
valid_flow: t,
|
|
5325
5325
|
userid: i
|
|
5326
5326
|
};
|
|
5327
|
-
let
|
|
5327
|
+
let w;
|
|
5328
5328
|
for (let y = 0; y < 5; ++y)
|
|
5329
5329
|
try {
|
|
5330
|
-
|
|
5330
|
+
w = await this.clientStorage.createClient(d);
|
|
5331
5331
|
break;
|
|
5332
5332
|
} catch (p) {
|
|
5333
5333
|
if (y == 4) {
|
|
@@ -5335,8 +5335,8 @@ class J {
|
|
|
5335
5335
|
} else
|
|
5336
5336
|
d.client_id = J.randomClientId();
|
|
5337
5337
|
}
|
|
5338
|
-
if (!
|
|
5339
|
-
return
|
|
5338
|
+
if (!w) throw new o(l.ClientExists);
|
|
5339
|
+
return w.client_secret && c && (w.client_secret = c), w;
|
|
5340
5340
|
}
|
|
5341
5341
|
/**
|
|
5342
5342
|
* Updates a client
|
|
@@ -5350,7 +5350,7 @@ class J {
|
|
|
5350
5350
|
async updateClient(s, e, t = !1) {
|
|
5351
5351
|
const r = await this.clientStorage.getClientById(s);
|
|
5352
5352
|
let i = !1, a;
|
|
5353
|
-
e.confidential === !0 && !r.confidential || e.confidential === !0 && t ? (a = J.randomClientSecret(), e.client_secret = await
|
|
5353
|
+
e.confidential === !0 && !r.confidential || e.confidential === !0 && t ? (a = J.randomClientSecret(), e.client_secret = await v.passwordHash(a, {
|
|
5354
5354
|
encode: !0,
|
|
5355
5355
|
iterations: this.oauthPbkdf2Iterations,
|
|
5356
5356
|
keyLen: this.oauthPbkdf2KeyLength,
|
|
@@ -5365,13 +5365,13 @@ class J {
|
|
|
5365
5365
|
* Create a random OAuth client id
|
|
5366
5366
|
*/
|
|
5367
5367
|
static randomClientId() {
|
|
5368
|
-
return
|
|
5368
|
+
return v.randomValue(it);
|
|
5369
5369
|
}
|
|
5370
5370
|
/**
|
|
5371
5371
|
* Create a random OAuth client secret
|
|
5372
5372
|
*/
|
|
5373
5373
|
static randomClientSecret() {
|
|
5374
|
-
return
|
|
5374
|
+
return v.randomValue(st);
|
|
5375
5375
|
}
|
|
5376
5376
|
/** If the passed redirect URI is not in the set of valid ones,
|
|
5377
5377
|
* throw {@link @crossauth/common!CrossauthError} with
|
|
@@ -5483,9 +5483,9 @@ class zt {
|
|
|
5483
5483
|
h(this, "validFlows", ["all"]);
|
|
5484
5484
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
|
|
5485
5485
|
h(this, "allowedFactor2", []);
|
|
5486
|
-
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }),
|
|
5486
|
+
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), m("oauthIssuer", g.String, this, r, "AUTH_SERVER_BASE_URL", !0), m("audience", g.String, this, r, "OAUTH_AUDIENCE"), m("oauthPbkdf2Iterations", g.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), m("requireClientSecretOrChallenge", g.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), m("jwtAlgorithm", g.String, this, r, "JWT_ALGORITHM"), m("codeLength", g.Number, this, r, "OAUTH_CODE_LENGTH"), m("jwtKeyType", g.String, this, r, "JWT_KEY_TYPE"), m("jwtSecretKeyFile", g.String, this, r, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, r, "JWT_PUBLIC_KEY_FILE"), m("jwtPrivateKeyFile", g.String, this, r, "JWT_PRIVATE_KEY_FILE"), m("jwtSecretKey", g.String, this, r, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, r, "JWT_PUBLIC_KEY"), m("jwtPrivateKey", g.String, this, r, "JWT_PRIVATE_KEY"), m("jwtKid", g.String, this, r, "JWT_KID"), m("persistAccessToken", g.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), m("issueRefreshToken", g.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), m("opaqueAccessToken", g.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), m("accessTokenExpiry", g.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), m("refreshTokenExpiry", g.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), m("rollingRefreshToken", g.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), m("authorizationCodeExpiry", g.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), m("mfaTokenExpiry", g.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), m("clockTolerance", g.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), m("validateScopes", g.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), m("emptyScopeIsValid", g.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), m("validScopes", g.JsonArray, this, r, "OAUTH_VALID_SCOPES"), m("validFlows", g.JsonArray, this, r, "OAUTH_validFlows"), m("idTokenClaims", 
g.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), m("accessTokenClaims", g.Json, this, r, "OAUTH_ACCESS_TOKEN_CLAIMS"), m("allowedFactor2", g.JsonArray, this, r, "ALLOWED_FACTOR2"), m("userCodeExpiry", g.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), m("userCodeThrottle", g.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), m("deviceCodePollInterval", g.Number, this, r, "DEVICECODE_POLL_INTERVAL"), m("deviceCodeLength", g.Number, this, r, "DEVICECODE_LENGTH"), m("userCodeLength", g.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
|
|
5487
5487
|
let i = {};
|
|
5488
|
-
if (
|
|
5488
|
+
if (m("userCodeDashEvery", g.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
|
|
5489
5489
|
if (i.userCodeDashEvery == "" || i.userCodeDashEvery.toLowerCase() == "null") this.userCodeDashEvery = null;
|
|
5490
5490
|
else
|
|
5491
5491
|
try {
|
|
@@ -5496,7 +5496,7 @@ class zt {
|
|
|
5496
5496
|
"userCodeDashEvery must be a number or null"
|
|
5497
5497
|
);
|
|
5498
5498
|
}
|
|
5499
|
-
if (
|
|
5499
|
+
if (m("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] == b.All && (this.validFlows = b.allFlows()), this.jwtAlgorithmChecked = at(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
5500
5500
|
if (this.jwtPublicKey || this.jwtPublicKeyFile || this.jwtPrivateKey || this.jwtPrivateKeyFile)
|
|
5501
5501
|
throw new o(
|
|
5502
5502
|
l.Configuration,
|
|
@@ -5573,11 +5573,11 @@ class zt {
|
|
|
5573
5573
|
error: "unsupported_response_type",
|
|
5574
5574
|
error_description: "Unsupported response type " + s
|
|
5575
5575
|
};
|
|
5576
|
-
let
|
|
5576
|
+
let w;
|
|
5577
5577
|
try {
|
|
5578
|
-
|
|
5579
|
-
} catch (
|
|
5580
|
-
return u.logger.debug(f({ err:
|
|
5578
|
+
w = await this.clientStorage.getClientById(e);
|
|
5579
|
+
} catch (T) {
|
|
5580
|
+
return u.logger.debug(f({ err: T })), {
|
|
5581
5581
|
error: "unauthorized_client",
|
|
5582
5582
|
error_description: "Client is not authorized"
|
|
5583
5583
|
};
|
|
@@ -5597,7 +5597,7 @@ class zt {
|
|
|
5597
5597
|
error: "access_denied",
|
|
5598
5598
|
error_description: "Unsupported flow type " + C
|
|
5599
5599
|
};
|
|
5600
|
-
if (!
|
|
5600
|
+
if (!w.valid_flow.includes(C))
|
|
5601
5601
|
return {
|
|
5602
5602
|
error: "unauthorized_client",
|
|
5603
5603
|
error_description: "Client does not support " + C
|
|
@@ -5611,7 +5611,7 @@ class zt {
|
|
|
5611
5611
|
};
|
|
5612
5612
|
}
|
|
5613
5613
|
return s == "code" ? await this.getAuthorizationCode(
|
|
5614
|
-
|
|
5614
|
+
w,
|
|
5615
5615
|
t,
|
|
5616
5616
|
y,
|
|
5617
5617
|
i,
|
|
@@ -5710,7 +5710,7 @@ class zt {
|
|
|
5710
5710
|
} : r && (!t || !e.client_secret) ? {
|
|
5711
5711
|
error: "access_denied",
|
|
5712
5712
|
error_description: "Client is confidential but either secret not passed or is missing in database"
|
|
5713
|
-
} : r && !await
|
|
5713
|
+
} : r && !await v.passwordsEqual(
|
|
5714
5714
|
t ?? "",
|
|
5715
5715
|
e.client_secret ?? ""
|
|
5716
5716
|
) ? {
|
|
@@ -5754,39 +5754,39 @@ class zt {
|
|
|
5754
5754
|
refreshToken: n,
|
|
5755
5755
|
username: c,
|
|
5756
5756
|
password: d,
|
|
5757
|
-
mfaToken:
|
|
5757
|
+
mfaToken: w,
|
|
5758
5758
|
oobCode: y,
|
|
5759
5759
|
bindingCode: p,
|
|
5760
5760
|
otp: _,
|
|
5761
5761
|
deviceCode: C
|
|
5762
5762
|
}) {
|
|
5763
|
-
var O, V,
|
|
5764
|
-
const
|
|
5765
|
-
if (!
|
|
5763
|
+
var O, V, j;
|
|
5764
|
+
const T = this.inferFlowFromPost(s, a);
|
|
5765
|
+
if (!T) return {
|
|
5766
5766
|
error: "server_error",
|
|
5767
5767
|
error_description: "Unable to determine OAuth flow type"
|
|
5768
5768
|
};
|
|
5769
5769
|
const k = await this.getClientById(e);
|
|
5770
5770
|
if (!k.client) return k;
|
|
5771
|
-
const A = k.client, z = await this.authenticateClient(
|
|
5771
|
+
const A = k.client, z = await this.authenticateClient(T, A, i);
|
|
5772
5772
|
if (z.error) return z;
|
|
5773
|
-
if (
|
|
5773
|
+
if (T == b.Password && !this.validFlows.includes(T) && !this.validFlows.includes(b.PasswordMfa))
|
|
5774
5774
|
return {
|
|
5775
5775
|
error: "access_denied",
|
|
5776
|
-
error_description: "Unsupported flow type " +
|
|
5776
|
+
error_description: "Unsupported flow type " + T
|
|
5777
5777
|
};
|
|
5778
|
-
if (!
|
|
5778
|
+
if (!T || !this.validFlows.includes(T))
|
|
5779
5779
|
return {
|
|
5780
5780
|
error: "access_denied",
|
|
5781
|
-
error_description: "Unsupported flow type " +
|
|
5781
|
+
error_description: "Unsupported flow type " + T
|
|
5782
5782
|
};
|
|
5783
|
-
if (A && !A.valid_flow.includes(
|
|
5783
|
+
if (A && !A.valid_flow.includes(T))
|
|
5784
5784
|
return {
|
|
5785
5785
|
error: "unauthorized_client",
|
|
5786
|
-
error_description: "Client does not support " +
|
|
5786
|
+
error_description: "Client does not support " + T
|
|
5787
5787
|
};
|
|
5788
5788
|
let H = !1;
|
|
5789
|
-
this.issueRefreshToken &&
|
|
5789
|
+
this.issueRefreshToken && T != b.RefreshToken && (H = !0), this.issueRefreshToken && T == b.RefreshToken && this.rollingRefreshToken && (H = !0);
|
|
5790
5790
|
let K;
|
|
5791
5791
|
if (s == "authorization_code")
|
|
5792
5792
|
return this.requireClientSecretOrChallenge && A && A.client_secret && !i && !a ? {
|
|
@@ -5828,7 +5828,7 @@ class zt {
|
|
|
5828
5828
|
};
|
|
5829
5829
|
}
|
|
5830
5830
|
try {
|
|
5831
|
-
const F = U.refreshToken +
|
|
5831
|
+
const F = U.refreshToken + v.hash(n);
|
|
5832
5832
|
await this.keyStorage.deleteKey(F);
|
|
5833
5833
|
} catch (F) {
|
|
5834
5834
|
const I = o.asCrossauthError(F);
|
|
@@ -5922,12 +5922,12 @@ class zt {
|
|
|
5922
5922
|
error: "access_denied",
|
|
5923
5923
|
error_description: "OTP not provided"
|
|
5924
5924
|
};
|
|
5925
|
-
if (!
|
|
5925
|
+
if (!w)
|
|
5926
5926
|
return {
|
|
5927
5927
|
error: "access_denied",
|
|
5928
5928
|
error_description: "MFA token not provided"
|
|
5929
5929
|
};
|
|
5930
|
-
const I = await this.validateMfaToken(
|
|
5930
|
+
const I = await this.validateMfaToken(w), $ = U.mfaToken + v.hash(w);
|
|
5931
5931
|
if (!I.user || !I.key)
|
|
5932
5932
|
return {
|
|
5933
5933
|
error: "access_denied",
|
|
@@ -5940,23 +5940,23 @@ class zt {
|
|
|
5940
5940
|
error_description: "MFA type is not supported for OAuth"
|
|
5941
5941
|
};
|
|
5942
5942
|
try {
|
|
5943
|
-
const { secrets:
|
|
5943
|
+
const { secrets: M } = await this.userStorage.getUserById(I.user.id);
|
|
5944
5944
|
await B.authenticateUser(
|
|
5945
5945
|
I.user,
|
|
5946
|
-
|
|
5946
|
+
M,
|
|
5947
5947
|
{ otp: _ }
|
|
5948
5948
|
);
|
|
5949
|
-
} catch (
|
|
5950
|
-
return u.logger.debug(f({ err:
|
|
5949
|
+
} catch (M) {
|
|
5950
|
+
return u.logger.debug(f({ err: M })), {
|
|
5951
5951
|
error: "access_denied",
|
|
5952
5952
|
error_description: "Invalid OTP"
|
|
5953
5953
|
};
|
|
5954
5954
|
}
|
|
5955
5955
|
try {
|
|
5956
5956
|
await this.keyStorage.deleteKey($);
|
|
5957
|
-
} catch (
|
|
5958
|
-
u.logger.debug(f({ err:
|
|
5959
|
-
cerr:
|
|
5957
|
+
} catch (M) {
|
|
5958
|
+
u.logger.debug(f({ err: M })), u.logger.warn(f({
|
|
5959
|
+
cerr: M,
|
|
5960
5960
|
msg: "Couldn't delete mfa token",
|
|
5961
5961
|
hashedMfaToken: I.key.value
|
|
5962
5962
|
}));
|
|
@@ -5985,12 +5985,12 @@ class zt {
|
|
|
5985
5985
|
error: "access_denied",
|
|
5986
5986
|
error_description: "OOB code or binding code not provided"
|
|
5987
5987
|
};
|
|
5988
|
-
if (!
|
|
5988
|
+
if (!w)
|
|
5989
5989
|
return {
|
|
5990
5990
|
error: "access_denied",
|
|
5991
5991
|
error_description: "MFA token not provided"
|
|
5992
5992
|
};
|
|
5993
|
-
const I = await this.validateMfaToken(
|
|
5993
|
+
const I = await this.validateMfaToken(w);
|
|
5994
5994
|
if (!I.user || !I.key)
|
|
5995
5995
|
return {
|
|
5996
5996
|
error: "access_denied",
|
|
@@ -6003,20 +6003,20 @@ class zt {
|
|
|
6003
6003
|
error_description: "MFA type is not supported for OAuth"
|
|
6004
6004
|
};
|
|
6005
6005
|
try {
|
|
6006
|
-
const { secrets: B } = await this.userStorage.getUserById(I.user.id),
|
|
6007
|
-
if (!
|
|
6006
|
+
const { secrets: B } = await this.userStorage.getUserById(I.user.id), M = x.decodeData(I.key.data).omfa;
|
|
6007
|
+
if (!M || !M.otp || !M.oobCode)
|
|
6008
6008
|
return {
|
|
6009
6009
|
error: "server_error",
|
|
6010
6010
|
error_description: "Cannot retrieve email OTP"
|
|
6011
6011
|
};
|
|
6012
|
-
if (
|
|
6012
|
+
if (M.oobCode != y)
|
|
6013
6013
|
return {
|
|
6014
6014
|
error: "access_denied",
|
|
6015
6015
|
error_description: "Invalid OOB code"
|
|
6016
6016
|
};
|
|
6017
6017
|
await $.authenticateUser(
|
|
6018
6018
|
I.user,
|
|
6019
|
-
{ ...B, otp:
|
|
6019
|
+
{ ...B, otp: M.otp, expiry: (V = I.key.expires) == null ? void 0 : V.getTime() },
|
|
6020
6020
|
{ otp: p }
|
|
6021
6021
|
);
|
|
6022
6022
|
} catch (B) {
|
|
@@ -6071,7 +6071,7 @@ class zt {
|
|
|
6071
6071
|
error_description: "Waiting for user code to be entered"
|
|
6072
6072
|
};
|
|
6073
6073
|
{
|
|
6074
|
-
let I = P.scope ? P.scope.split(" ") : void 0, $ = P.userid ? await ((
|
|
6074
|
+
let I = P.scope ? P.scope.split(" ") : void 0, $ = P.userid ? await ((j = this.userStorage) == null ? void 0 : j.getUserById(P.userid)) : void 0;
|
|
6075
6075
|
return await this.deleteDeviceCode(C), await this.makeAccessToken({
|
|
6076
6076
|
client: A,
|
|
6077
6077
|
client_secret: i,
|
|
@@ -6150,25 +6150,25 @@ class zt {
|
|
|
6150
6150
|
error_description: "Unsupported flow type " + r
|
|
6151
6151
|
};
|
|
6152
6152
|
if (e) {
|
|
6153
|
-
const { error:
|
|
6154
|
-
if (
|
|
6155
|
-
error:
|
|
6153
|
+
const { error: T, errorDescription: k } = this.validateScope(e);
|
|
6154
|
+
if (T) return {
|
|
6155
|
+
error: T,
|
|
6156
6156
|
error_description: k
|
|
6157
6157
|
};
|
|
6158
6158
|
}
|
|
6159
6159
|
let c, d = !1;
|
|
6160
|
-
const
|
|
6161
|
-
for (let
|
|
6160
|
+
const w = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, p = new Date(w.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
|
|
6161
|
+
for (let T = 0; T < 10 && !d; ++T)
|
|
6162
6162
|
try {
|
|
6163
|
-
c =
|
|
6163
|
+
c = v.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
|
|
6164
6164
|
void 0,
|
|
6165
6165
|
U.deviceCode + c,
|
|
6166
|
-
|
|
6166
|
+
w,
|
|
6167
6167
|
p,
|
|
6168
6168
|
JSON.stringify({ scope: e, client_id: s })
|
|
6169
6169
|
), d = !0;
|
|
6170
6170
|
} catch {
|
|
6171
|
-
u.logger.debug(f({ msg: `Attempt number${
|
|
6171
|
+
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6172
6172
|
}
|
|
6173
6173
|
if (!d || !c)
|
|
6174
6174
|
return {
|
|
@@ -6177,17 +6177,17 @@ class zt {
|
|
|
6177
6177
|
};
|
|
6178
6178
|
let _;
|
|
6179
6179
|
d = !1;
|
|
6180
|
-
for (let
|
|
6180
|
+
for (let T = 0; T < 10 && !d; ++T)
|
|
6181
6181
|
try {
|
|
6182
|
-
_ =
|
|
6182
|
+
_ = v.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
|
|
6183
6183
|
void 0,
|
|
6184
6184
|
U.userCode + _,
|
|
6185
|
-
|
|
6185
|
+
w,
|
|
6186
6186
|
p,
|
|
6187
6187
|
JSON.stringify({ deviceCode: c })
|
|
6188
6188
|
), d = !0;
|
|
6189
6189
|
} catch {
|
|
6190
|
-
u.logger.debug(f({ msg: `Attempt number${
|
|
6190
|
+
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6191
6191
|
}
|
|
6192
6192
|
if (!d || !_)
|
|
6193
6193
|
return await this.deleteDeviceCode(c), {
|
|
@@ -6195,8 +6195,8 @@ class zt {
|
|
|
6195
6195
|
error_description: "Couldn't create device code"
|
|
6196
6196
|
};
|
|
6197
6197
|
if (_ && this.userCodeDashEvery) {
|
|
6198
|
-
const
|
|
6199
|
-
_ = (C = _.match(
|
|
6198
|
+
const T = new RegExp(String.raw`(.{1,${this.userCodeDashEvery}})`, "g");
|
|
6199
|
+
_ = (C = _.match(T)) == null ? void 0 : C.join("-");
|
|
6200
6200
|
}
|
|
6201
6201
|
return {
|
|
6202
6202
|
device_code: c,
|
|
@@ -6222,7 +6222,7 @@ class zt {
|
|
|
6222
6222
|
userCode: s,
|
|
6223
6223
|
user: e
|
|
6224
6224
|
}) {
|
|
6225
|
-
var
|
|
6225
|
+
var w;
|
|
6226
6226
|
s = s.replace(/[ -]*/g, "");
|
|
6227
6227
|
let t, r = {};
|
|
6228
6228
|
try {
|
|
@@ -6235,7 +6235,7 @@ class zt {
|
|
|
6235
6235
|
};
|
|
6236
6236
|
}
|
|
6237
6237
|
if (!r.deviceCode)
|
|
6238
|
-
return u.logger.error(f({ msg: "No device code for user code", userCodeHash:
|
|
6238
|
+
return u.logger.error(f({ msg: "No device code for user code", userCodeHash: v.hash(s) })), await this.deleteUserCode(s), {
|
|
6239
6239
|
ok: !1,
|
|
6240
6240
|
error: "server_error",
|
|
6241
6241
|
error_description: "No device code for user code"
|
|
@@ -6247,8 +6247,8 @@ class zt {
|
|
|
6247
6247
|
const p = o.asCrossauthError(y);
|
|
6248
6248
|
return u.logger.debug(f({ err: p })), u.logger.error(f({
|
|
6249
6249
|
msg: "Invalid device code for user code",
|
|
6250
|
-
userCodeHash:
|
|
6251
|
-
deviceCodeHash:
|
|
6250
|
+
userCodeHash: v.hash(s),
|
|
6251
|
+
deviceCodeHash: v.hash(r.deviceCode),
|
|
6252
6252
|
cerr: p
|
|
6253
6253
|
})), await this.deleteUserCode(s), {
|
|
6254
6254
|
ok: !1,
|
|
@@ -6268,7 +6268,7 @@ class zt {
|
|
|
6268
6268
|
error_description: "Unexpected or incomplete data in device code key"
|
|
6269
6269
|
};
|
|
6270
6270
|
}
|
|
6271
|
-
if ((/* @__PURE__ */ new Date()).getTime() > ((
|
|
6271
|
+
if ((/* @__PURE__ */ new Date()).getTime() > ((w = r.expires) == null ? void 0 : w.getTime()))
|
|
6272
6272
|
return await this.deleteUserCode(s), {
|
|
6273
6273
|
ok: !1,
|
|
6274
6274
|
error: "expired_token",
|
|
@@ -6343,7 +6343,7 @@ class zt {
|
|
|
6343
6343
|
};
|
|
6344
6344
|
}
|
|
6345
6345
|
if (!t.deviceCode)
|
|
6346
|
-
return u.logger.error(f({ msg: "No device code for user code", userCodeHash:
|
|
6346
|
+
return u.logger.error(f({ msg: "No device code for user code", userCodeHash: v.hash(s) })), await this.deleteUserCode(s), {
|
|
6347
6347
|
ok: !1,
|
|
6348
6348
|
error: "server_error",
|
|
6349
6349
|
error_description: "No device code for user code"
|
|
@@ -6355,8 +6355,8 @@ class zt {
|
|
|
6355
6355
|
const c = o.asCrossauthError(n);
|
|
6356
6356
|
return u.logger.debug(f({ err: c })), u.logger.error(f({
|
|
6357
6357
|
msg: "Invalid device code for user code",
|
|
6358
|
-
userCodeHash:
|
|
6359
|
-
deviceCodeHash:
|
|
6358
|
+
userCodeHash: v.hash(s),
|
|
6359
|
+
deviceCodeHash: v.hash(t.deviceCode),
|
|
6360
6360
|
cerr: c
|
|
6361
6361
|
})), await this.deleteUserCode(s), {
|
|
6362
6362
|
ok: !1,
|
|
@@ -6394,7 +6394,7 @@ class zt {
|
|
|
6394
6394
|
};
|
|
6395
6395
|
}
|
|
6396
6396
|
async createMfaRequest(s) {
|
|
6397
|
-
const e =
|
|
6397
|
+
const e = v.randomValue(this.codeLength), t = U.mfaToken + v.hash(e), r = /* @__PURE__ */ new Date();
|
|
6398
6398
|
try {
|
|
6399
6399
|
await this.keyStorage.saveKey(
|
|
6400
6400
|
s.id,
|
|
@@ -6420,7 +6420,7 @@ class zt {
|
|
|
6420
6420
|
var r;
|
|
6421
6421
|
let e, t;
|
|
6422
6422
|
try {
|
|
6423
|
-
const i = U.mfaToken +
|
|
6423
|
+
const i = U.mfaToken + v.hash(s);
|
|
6424
6424
|
if (t = await this.keyStorage.getKey(i), !t.userid)
|
|
6425
6425
|
return {
|
|
6426
6426
|
error: "access_denied",
|
|
@@ -6448,7 +6448,7 @@ class zt {
|
|
|
6448
6448
|
error_description: "Invalid MFA token"
|
|
6449
6449
|
};
|
|
6450
6450
|
try {
|
|
6451
|
-
if (
|
|
6451
|
+
if (x.decodeData(t.data).omfaaid != e.factor2)
|
|
6452
6452
|
return {
|
|
6453
6453
|
error: "access_denied",
|
|
6454
6454
|
error_description: "authenticatorId not valid for user"
|
|
@@ -6509,9 +6509,9 @@ class zt {
|
|
|
6509
6509
|
if (!n.client) return n;
|
|
6510
6510
|
const c = n.client, d = await this.authenticateClient(a, c, t);
|
|
6511
6511
|
if (d.error) return d;
|
|
6512
|
-
const
|
|
6513
|
-
if (!
|
|
6514
|
-
if (
|
|
6512
|
+
const w = await this.validateMfaToken(s);
|
|
6513
|
+
if (!w.user || !w.key) return w;
|
|
6514
|
+
if (w.user.factor2 != i)
|
|
6515
6515
|
return {
|
|
6516
6516
|
error: "access_denied",
|
|
6517
6517
|
error_description: "Invalid MFA authenticator"
|
|
@@ -6523,18 +6523,18 @@ class zt {
|
|
|
6523
6523
|
};
|
|
6524
6524
|
let y = {};
|
|
6525
6525
|
r == "oob" && (y = {
|
|
6526
|
-
oobCode:
|
|
6526
|
+
oobCode: v.randomValue(this.codeLength)
|
|
6527
6527
|
});
|
|
6528
6528
|
try {
|
|
6529
|
-
const p = this.authenticators[
|
|
6529
|
+
const p = this.authenticators[w.user.factor2];
|
|
6530
6530
|
if (!p)
|
|
6531
6531
|
throw new o(
|
|
6532
6532
|
l.Configuration,
|
|
6533
6533
|
"User's authenticator has not been loaded"
|
|
6534
6534
|
);
|
|
6535
|
-
const _ = await p.createOneTimeSecrets(
|
|
6535
|
+
const _ = await p.createOneTimeSecrets(w.user);
|
|
6536
6536
|
await this.keyStorage.updateData(
|
|
6537
|
-
|
|
6537
|
+
w.key.value,
|
|
6538
6538
|
"omfa",
|
|
6539
6539
|
{ ...y, ..._ }
|
|
6540
6540
|
);
|
|
@@ -6601,21 +6601,21 @@ class zt {
|
|
|
6601
6601
|
error: "invalid_request",
|
|
6602
6602
|
error_description: `The redirect uri ${e} is invalid`
|
|
6603
6603
|
};
|
|
6604
|
-
const d = /* @__PURE__ */ new Date(),
|
|
6605
|
-
t && (y.scope = t), i && (y.challengeMethod = a, y.challenge =
|
|
6604
|
+
const d = /* @__PURE__ */ new Date(), w = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
|
|
6605
|
+
t && (y.scope = t), i && (y.challengeMethod = a, y.challenge = v.hash(i)), n && (y.username = n.username, y.id = n.id);
|
|
6606
6606
|
const p = JSON.stringify(y);
|
|
6607
6607
|
let _ = !1, C = "";
|
|
6608
|
-
for (let
|
|
6608
|
+
for (let T = 0; T < 10 && !_; ++T)
|
|
6609
6609
|
try {
|
|
6610
|
-
C =
|
|
6610
|
+
C = v.randomValue(this.codeLength), await this.keyStorage.saveKey(
|
|
6611
6611
|
void 0,
|
|
6612
|
-
U.authorizationCode +
|
|
6612
|
+
U.authorizationCode + v.hash(C),
|
|
6613
6613
|
d,
|
|
6614
|
-
|
|
6614
|
+
w,
|
|
6615
6615
|
p
|
|
6616
6616
|
), _ = !0;
|
|
6617
6617
|
} catch {
|
|
6618
|
-
u.logger.debug(f({ msg: `Attempt number${
|
|
6618
|
+
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6619
6619
|
}
|
|
6620
6620
|
if (!_)
|
|
6621
6621
|
throw new o(
|
|
@@ -6639,7 +6639,7 @@ class zt {
|
|
|
6639
6639
|
var z, H;
|
|
6640
6640
|
let c = !0;
|
|
6641
6641
|
try {
|
|
6642
|
-
s.client_secret != null && (c = await
|
|
6642
|
+
s.client_secret != null && (c = await v.passwordsEqual(
|
|
6643
6643
|
t ?? "",
|
|
6644
6644
|
s.client_secret ?? ""
|
|
6645
6645
|
));
|
|
@@ -6654,7 +6654,7 @@ class zt {
|
|
|
6654
6654
|
if (e) {
|
|
6655
6655
|
let K;
|
|
6656
6656
|
try {
|
|
6657
|
-
K = await this.keyStorage.getKey(U.authorizationCode +
|
|
6657
|
+
K = await this.keyStorage.getKey(U.authorizationCode + v.hash(e)), d = x.decodeData(K.data);
|
|
6658
6658
|
} catch (O) {
|
|
6659
6659
|
return u.logger.debug(f({ err: O })), {
|
|
6660
6660
|
error: "access_denied",
|
|
@@ -6678,14 +6678,14 @@ class zt {
|
|
|
6678
6678
|
error_description: "Invalid code challenge/code challenge method method for authorization code"
|
|
6679
6679
|
};
|
|
6680
6680
|
if (d.challenge) {
|
|
6681
|
-
const K = d.challengeMethod == "plain" ? r ?? "" :
|
|
6682
|
-
if (
|
|
6681
|
+
const K = d.challengeMethod == "plain" ? r ?? "" : v.sha256(r ?? "");
|
|
6682
|
+
if (v.hash(K) != d.challenge)
|
|
6683
6683
|
return {
|
|
6684
6684
|
error: "access_denied",
|
|
6685
6685
|
error_description: "Code verifier is incorrect"
|
|
6686
6686
|
};
|
|
6687
6687
|
}
|
|
6688
|
-
const
|
|
6688
|
+
const w = /* @__PURE__ */ new Date(), y = Math.ceil(w.getTime() / 1e3);
|
|
6689
6689
|
let p;
|
|
6690
6690
|
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage && d.username)
|
|
6691
6691
|
try {
|
|
@@ -6697,7 +6697,7 @@ class zt {
|
|
|
6697
6697
|
error_description: "Couldn't load user data"
|
|
6698
6698
|
};
|
|
6699
6699
|
}
|
|
6700
|
-
const _ =
|
|
6700
|
+
const _ = v.uuid();
|
|
6701
6701
|
let C = {
|
|
6702
6702
|
jti: _,
|
|
6703
6703
|
iat: y,
|
|
@@ -6705,14 +6705,14 @@ class zt {
|
|
|
6705
6705
|
sub: d.username,
|
|
6706
6706
|
type: "access"
|
|
6707
6707
|
};
|
|
6708
|
-
C = this.addClaims(C, this.accessTokenClaims, i, n), i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(
|
|
6709
|
-
const
|
|
6708
|
+
C = this.addClaims(C, this.accessTokenClaims, i, n), i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(w.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
|
|
6709
|
+
const T = await new Promise((K, O) => {
|
|
6710
6710
|
se.sign(
|
|
6711
6711
|
C,
|
|
6712
6712
|
this.secretOrPrivateKey,
|
|
6713
6713
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6714
|
-
(V,
|
|
6715
|
-
|
|
6714
|
+
(V, j) => {
|
|
6715
|
+
j ? K(j) : O(V || new o(
|
|
6716
6716
|
l.Unauthorized,
|
|
6717
6717
|
"Couldn't create jwt"
|
|
6718
6718
|
));
|
|
@@ -6722,13 +6722,13 @@ class zt {
|
|
|
6722
6722
|
this.persistAccessToken && this.keyStorage && await ((z = this.keyStorage) == null ? void 0 : z.saveKey(
|
|
6723
6723
|
void 0,
|
|
6724
6724
|
// to avoid user storage dependency, we don't set this
|
|
6725
|
-
U.accessToken +
|
|
6726
|
-
|
|
6725
|
+
U.accessToken + v.hash(_),
|
|
6726
|
+
w,
|
|
6727
6727
|
p
|
|
6728
6728
|
));
|
|
6729
6729
|
let k;
|
|
6730
6730
|
if (i && i.includes("openid")) {
|
|
6731
|
-
const K =
|
|
6731
|
+
const K = v.uuid();
|
|
6732
6732
|
let O = {
|
|
6733
6733
|
aud: s.client_id,
|
|
6734
6734
|
jti: K,
|
|
@@ -6755,7 +6755,7 @@ class zt {
|
|
|
6755
6755
|
"updated_at"
|
|
6756
6756
|
])
|
|
6757
6757
|
O[V] = n[V];
|
|
6758
|
-
O = this.addClaims(O, this.idTokenClaims, i, n), O.scope = i, this.accessTokenExpiry != null && (O.exp = y + this.accessTokenExpiry), k = await new Promise((V,
|
|
6758
|
+
O = this.addClaims(O, this.idTokenClaims, i, n), O.scope = i, this.accessTokenExpiry != null && (O.exp = y + this.accessTokenExpiry), k = await new Promise((V, j) => {
|
|
6759
6759
|
se.sign(
|
|
6760
6760
|
O,
|
|
6761
6761
|
this.secretOrPrivateKey,
|
|
@@ -6764,7 +6764,7 @@ class zt {
|
|
|
6764
6764
|
keyid: this.jwtKid
|
|
6765
6765
|
},
|
|
6766
6766
|
(N, P) => {
|
|
6767
|
-
P ? V(P) :
|
|
6767
|
+
P ? V(P) : j(N || new o(
|
|
6768
6768
|
l.Unauthorized,
|
|
6769
6769
|
"Couldn't create jwt"
|
|
6770
6770
|
));
|
|
@@ -6780,16 +6780,16 @@ class zt {
|
|
|
6780
6780
|
};
|
|
6781
6781
|
i && (K.scope = i);
|
|
6782
6782
|
let O;
|
|
6783
|
-
const
|
|
6784
|
-
jti:
|
|
6783
|
+
const j = {
|
|
6784
|
+
jti: v.uuid(),
|
|
6785
6785
|
iat: y,
|
|
6786
6786
|
iss: this.oauthIssuer,
|
|
6787
6787
|
sub: d.username,
|
|
6788
6788
|
type: "refresh"
|
|
6789
6789
|
};
|
|
6790
|
-
this.refreshTokenExpiry != null && (
|
|
6790
|
+
this.refreshTokenExpiry != null && (j.exp = y + this.refreshTokenExpiry, O = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (j.aud = this.oauthIssuer), A = await new Promise((N, P) => {
|
|
6791
6791
|
se.sign(
|
|
6792
|
-
|
|
6792
|
+
j,
|
|
6793
6793
|
this.secretOrPrivateKey,
|
|
6794
6794
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6795
6795
|
(F, I) => {
|
|
@@ -6802,14 +6802,14 @@ class zt {
|
|
|
6802
6802
|
}), A && await ((H = this.keyStorage) == null ? void 0 : H.saveKey(
|
|
6803
6803
|
void 0,
|
|
6804
6804
|
// to avoid user storage dependency
|
|
6805
|
-
U.refreshToken +
|
|
6806
|
-
|
|
6805
|
+
U.refreshToken + v.hash(A),
|
|
6806
|
+
w,
|
|
6807
6807
|
O,
|
|
6808
6808
|
JSON.stringify(K)
|
|
6809
6809
|
));
|
|
6810
6810
|
}
|
|
6811
6811
|
return {
|
|
6812
|
-
access_token:
|
|
6812
|
+
access_token: T,
|
|
6813
6813
|
id_token: k,
|
|
6814
6814
|
refresh_token: A,
|
|
6815
6815
|
expires_in: this.accessTokenExpiry == null ? void 0 : this.accessTokenExpiry,
|
|
@@ -6830,8 +6830,8 @@ class zt {
|
|
|
6830
6830
|
else {
|
|
6831
6831
|
let a = e[i];
|
|
6832
6832
|
typeof a == "string" && (a = [a]);
|
|
6833
|
-
for (let n
|
|
6834
|
-
s[n] = r[n];
|
|
6833
|
+
for (let n in a)
|
|
6834
|
+
s[n] = r[a[n]];
|
|
6835
6835
|
}
|
|
6836
6836
|
}
|
|
6837
6837
|
if ("all" in e) {
|
|
@@ -6841,9 +6841,11 @@ class zt {
|
|
|
6841
6841
|
...s,
|
|
6842
6842
|
...r
|
|
6843
6843
|
};
|
|
6844
|
-
else
|
|
6845
|
-
|
|
6846
|
-
|
|
6844
|
+
else {
|
|
6845
|
+
console.log(i);
|
|
6846
|
+
for (let a in i)
|
|
6847
|
+
s[a] = r[i[a]];
|
|
6848
|
+
}
|
|
6847
6849
|
}
|
|
6848
6850
|
}
|
|
6849
6851
|
return s;
|
|
@@ -6856,7 +6858,7 @@ class zt {
|
|
|
6856
6858
|
*/
|
|
6857
6859
|
async validAuthorizationCode(s) {
|
|
6858
6860
|
try {
|
|
6859
|
-
const e = U.authorizationCode +
|
|
6861
|
+
const e = U.authorizationCode + v.hash(s);
|
|
6860
6862
|
return await this.keyStorage.getKey(e), !0;
|
|
6861
6863
|
} catch (e) {
|
|
6862
6864
|
return u.logger.debug(f({ err: e })), !1;
|
|
@@ -6870,7 +6872,7 @@ class zt {
|
|
|
6870
6872
|
*/
|
|
6871
6873
|
async validRefreshToken(s) {
|
|
6872
6874
|
try {
|
|
6873
|
-
const e = U.refreshToken +
|
|
6875
|
+
const e = U.refreshToken + v.hash(s);
|
|
6874
6876
|
return await this.keyStorage.getKey(e), !0;
|
|
6875
6877
|
} catch (e) {
|
|
6876
6878
|
return u.logger.debug(f({ err: e })), !1;
|
|
@@ -6885,7 +6887,7 @@ class zt {
|
|
|
6885
6887
|
async getRefreshTokenData(s) {
|
|
6886
6888
|
if (s)
|
|
6887
6889
|
try {
|
|
6888
|
-
const e = U.refreshToken +
|
|
6890
|
+
const e = U.refreshToken + v.hash(s), t = await this.keyStorage.getKey(e);
|
|
6889
6891
|
return JSON.parse(t.data || "{}");
|
|
6890
6892
|
} catch (e) {
|
|
6891
6893
|
u.logger.debug(f({ err: e }));
|
|
@@ -6919,7 +6921,7 @@ class zt {
|
|
|
6919
6921
|
try {
|
|
6920
6922
|
const e = await this.validateJwt(s, "access");
|
|
6921
6923
|
if (this.persistAccessToken) {
|
|
6922
|
-
const t = U.accessToken +
|
|
6924
|
+
const t = U.accessToken + v.hash(e.payload.jti);
|
|
6923
6925
|
await this.keyStorage.getKey(t);
|
|
6924
6926
|
}
|
|
6925
6927
|
return e;
|
|
@@ -7120,7 +7122,7 @@ class nt extends Pe {
|
|
|
7120
7122
|
*/
|
|
7121
7123
|
constructor(e, t = {}) {
|
|
7122
7124
|
const r = {};
|
|
7123
|
-
|
|
7125
|
+
m("jwtKeyType", g.String, r, t, "JWT_KEY_TYPE");
|
|
7124
7126
|
super(e, { ...t, ...r });
|
|
7125
7127
|
/**
|
|
7126
7128
|
* Value passed to the constructor. The `aud` claim must match it
|
|
@@ -7134,7 +7136,7 @@ class nt extends Pe {
|
|
|
7134
7136
|
h(this, "keyStorage");
|
|
7135
7137
|
h(this, "jwtSecretKeyFile", "");
|
|
7136
7138
|
h(this, "jwtPublicKeyFile", "");
|
|
7137
|
-
if (this.audience = e,
|
|
7139
|
+
if (this.audience = e, m("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), m("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), m("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), m("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), m("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
7138
7140
|
if (this.jwtPublicKey || this.jwtPublicKeyFile)
|
|
7139
7141
|
throw new o(
|
|
7140
7142
|
l.Configuration,
|
|
@@ -7162,7 +7164,7 @@ class nt extends Pe {
|
|
|
7162
7164
|
* @returns Base64-url-encoded hash
|
|
7163
7165
|
*/
|
|
7164
7166
|
async hash(e) {
|
|
7165
|
-
return
|
|
7167
|
+
return v.hash(e);
|
|
7166
7168
|
}
|
|
7167
7169
|
/**
|
|
7168
7170
|
* If the given token is valid, the paylaod is returned. Otherwise
|
|
@@ -7183,7 +7185,7 @@ class nt extends Pe {
|
|
|
7183
7185
|
const r = await super.tokenAuthorized(e, t);
|
|
7184
7186
|
if (r && t == "access" && this.persistAccessToken && this.keyStorage)
|
|
7185
7187
|
try {
|
|
7186
|
-
const a = U.accessToken +
|
|
7188
|
+
const a = U.accessToken + v.hash(r.jti ? r.jti : r.sid ? r.sid : ""), n = await this.keyStorage.getKey(a), c = /* @__PURE__ */ new Date();
|
|
7187
7189
|
if (n.expires && ((i = n.expires) == null ? void 0 : i.getTime()) < c.getTime()) {
|
|
7188
7190
|
u.logger.error(f({ msg: "Access token expired in storage but not in JWT" }));
|
|
7189
7191
|
return;
|
|
@@ -7191,7 +7193,7 @@ class nt extends Pe {
|
|
|
7191
7193
|
} catch (a) {
|
|
7192
7194
|
u.logger.warn(f({
|
|
7193
7195
|
msg: "Couldn't get token from database - is it valid?",
|
|
7194
|
-
hashedAccessToken:
|
|
7196
|
+
hashedAccessToken: v.hash(r.jti ? r.jti : r.sid ? r.sid : "")
|
|
7195
7197
|
})), u.logger.debug(f({ err: a }));
|
|
7196
7198
|
return;
|
|
7197
7199
|
}
|
|
@@ -7210,7 +7212,7 @@ class Ht extends Ke {
|
|
|
7210
7212
|
const r = {
|
|
7211
7213
|
client_id: ""
|
|
7212
7214
|
};
|
|
7213
|
-
|
|
7215
|
+
m("client_id", g.String, r, t, "OAUTH_CLIENT_ID", !0);
|
|
7214
7216
|
super({
|
|
7215
7217
|
authServerBaseUrl: e,
|
|
7216
7218
|
tokenConsumer: new nt(
|
|
@@ -7231,7 +7233,8 @@ class Ht extends Ke {
|
|
|
7231
7233
|
h(this, "userStorage");
|
|
7232
7234
|
this.client_id = r.client_id;
|
|
7233
7235
|
let i = {};
|
|
7234
|
-
|
|
7236
|
+
if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), this.oauthPostType != "json" && this.oauthPostType != "form")
|
|
7237
|
+
throw new o(l.Configuration, "oauthPostType must be json or form");
|
|
7235
7238
|
}
|
|
7236
7239
|
/**
|
|
7237
7240
|
* Uses {@link @crossauth/backend!Crypto.randomValue} to create a random string
|
|
@@ -7240,7 +7243,7 @@ class Ht extends Ke {
|
|
|
7240
7243
|
* @returns the Base64-URL-encoded random string
|
|
7241
7244
|
*/
|
|
7242
7245
|
randomValue(e) {
|
|
7243
|
-
return
|
|
7246
|
+
return v.randomValue(e);
|
|
7244
7247
|
}
|
|
7245
7248
|
/**
|
|
7246
7249
|
* Uses {@link @crossauth/backend!Crypto.sha256} to create hash a string using SHA256
|
|
@@ -7248,7 +7251,7 @@ class Ht extends Ke {
|
|
|
7248
7251
|
* @returns the Base64-URL-encoded hash
|
|
7249
7252
|
*/
|
|
7250
7253
|
async sha256(e) {
|
|
7251
|
-
return
|
|
7254
|
+
return v.sha256(e);
|
|
7252
7255
|
}
|
|
7253
7256
|
}
|
|
7254
7257
|
async function ot(S, s, e, t) {
|
|
@@ -7282,7 +7285,7 @@ async function ct(S, s, e, t) {
|
|
|
7282
7285
|
state: S.state ?? "active"
|
|
7283
7286
|
};
|
|
7284
7287
|
}
|
|
7285
|
-
class
|
|
7288
|
+
class jt {
|
|
7286
7289
|
/**
|
|
7287
7290
|
* Constructor
|
|
7288
7291
|
* @param tokenConsumers one or more consumers that will process
|
|
@@ -7327,7 +7330,7 @@ class Mt {
|
|
|
7327
7330
|
export {
|
|
7328
7331
|
ge as ApiKeyManager,
|
|
7329
7332
|
re as Authenticator,
|
|
7330
|
-
|
|
7333
|
+
v as Crypto,
|
|
7331
7334
|
rt as DoubleSubmitCsrfToken,
|
|
7332
7335
|
Rt as DummyFactor2Authenticator,
|
|
7333
7336
|
Z as EmailAuthenticator,
|
|
@@ -7335,16 +7338,16 @@ export {
|
|
|
7335
7338
|
Pt as InMemoryOAuthAuthorizationStorage,
|
|
7336
7339
|
It as InMemoryOAuthClientStorage,
|
|
7337
7340
|
Ut as InMemoryUserStorage,
|
|
7338
|
-
|
|
7339
|
-
|
|
7341
|
+
x as KeyStorage,
|
|
7342
|
+
Dt as LdapAuthenticator,
|
|
7340
7343
|
oe as LdapUserStorage,
|
|
7341
|
-
|
|
7344
|
+
ve as LocalPasswordAuthenticator,
|
|
7342
7345
|
zt as OAuthAuthorizationServer,
|
|
7343
7346
|
we as OAuthAuthorizationStorage,
|
|
7344
7347
|
Ht as OAuthClientBackend,
|
|
7345
7348
|
J as OAuthClientManager,
|
|
7346
7349
|
me as OAuthClientStorage,
|
|
7347
|
-
|
|
7350
|
+
jt as OAuthResourceServer,
|
|
7348
7351
|
nt as OAuthTokenConsumer,
|
|
7349
7352
|
g as ParamType,
|
|
7350
7353
|
be as PasswordAuthenticator,
|
|
@@ -7356,13 +7359,13 @@ export {
|
|
|
7356
7359
|
bt as PrismaOAuthAuthorizationStorage,
|
|
7357
7360
|
Et as PrismaOAuthClientStorage,
|
|
7358
7361
|
G as PrismaUserStorage,
|
|
7359
|
-
|
|
7362
|
+
D as SessionCookie,
|
|
7360
7363
|
Lt as SessionManager,
|
|
7361
7364
|
Q as SmsAuthenticator,
|
|
7362
7365
|
R as TokenEmailer,
|
|
7363
|
-
|
|
7366
|
+
xt as TotpAuthenticator,
|
|
7364
7367
|
Ue as TwilioAuthenticator,
|
|
7365
7368
|
L as UserStorage,
|
|
7366
|
-
|
|
7369
|
+
m as setParameter,
|
|
7367
7370
|
Bt as toCookieSerializeOptions
|
|
7368
7371
|
};
|