@crossauth/backend 0.0.32 → 0.0.34
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +414 -413
- package/dist/oauth/authserver.d.ts +1 -0
- package/dist/oauth/authserver.d.ts.map +1 -1
- package/dist/oauth/client.d.ts.map +1 -1
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
var Ae = Object.defineProperty;
|
|
2
2
|
var Ie = (S, s, e) => s in S ? Ae(S, s, { enumerable: !0, configurable: !0, writable: !0, value: e }) : S[s] = e;
|
|
3
|
-
var
|
|
3
|
+
var d = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
|
|
4
4
|
import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as b, KeyPrefix as U, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
|
|
5
5
|
import { PrismaClient as ce, Prisma as X } from "@prisma/client";
|
|
6
6
|
import ye from "@mbakereth/ldapjs";
|
|
7
|
-
import { timingSafeEqual as he, randomBytes as ue, randomUUID as
|
|
7
|
+
import { timingSafeEqual as he, randomBytes as ue, randomUUID as Oe, createHash as Fe, pbkdf2 as Ne, createHmac as ie, createCipheriv as Re, createDecipheriv as De, randomInt as ee } from "node:crypto";
|
|
8
8
|
import { promisify as xe } from "node:util";
|
|
9
9
|
import W from "nunjucks";
|
|
10
10
|
import Ee from "nodemailer";
|
|
@@ -71,10 +71,10 @@ class L {
|
|
|
71
71
|
* @param options See {@link UserStorageOptions}
|
|
72
72
|
*/
|
|
73
73
|
constructor(s = {}) {
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
74
|
+
d(this, "userEditableFields", []);
|
|
75
|
+
d(this, "adminEditableFields", []);
|
|
76
|
+
d(this, "normalizeUsername", !0);
|
|
77
|
+
d(this, "normalizeEmail", !0);
|
|
78
78
|
m("userEditableFields", g.JsonArray, this, s, "USER_EDITABLE_FIELDS"), m("adminEditableFields", g.JsonArray, this, s, "ADMIN_EDITABLE_FIELDS"), m("normalizeUsername", g.JsonArray, this, s, "NORMALIZE_USERNAME"), m("normalizeEmail", g.JsonArray, this, s, "NORMALIZE_EMAIL");
|
|
79
79
|
}
|
|
80
80
|
/**
|
|
@@ -173,14 +173,14 @@ class G extends L {
|
|
|
173
173
|
*/
|
|
174
174
|
constructor(e = {}) {
|
|
175
175
|
super(e);
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
176
|
+
d(this, "userTable", "user");
|
|
177
|
+
d(this, "userSecretsTable", "userSecrets");
|
|
178
|
+
d(this, "idColumn", "id");
|
|
179
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
180
|
+
d(this, "prismaClient");
|
|
181
|
+
d(this, "includes", ["secrets"]);
|
|
182
|
+
d(this, "includesObject", {});
|
|
183
|
+
d(this, "forceIdToNumber", !0);
|
|
184
184
|
m("userTable", g.String, this, e, "USER_TABLE"), m("userSecretsTable", g.String, this, e, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, e, "USER_ID_COLUMN"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), m("includes", g.String, this, e, "USER_INCLUDES"), m("forceIdToNumber", g.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
|
|
185
185
|
this.includesObject[t] = !0;
|
|
186
186
|
}), e && e.prismaClient ? this.prismaClient = e.prismaClient : this.prismaClient = new ce();
|
|
@@ -279,16 +279,16 @@ class G extends L {
|
|
|
279
279
|
try {
|
|
280
280
|
let { id: r, ...i } = e, { userid: a, ...n } = t ?? {};
|
|
281
281
|
"email" in i && i.email && (i = { email_normalized: G.normalize(i.email), ...i }), "username" in i && i.username && (i = { username_normalized: G.normalize(i.username), ...i }), t ? await this.prismaClient.$transaction(async (c) => {
|
|
282
|
-
let
|
|
282
|
+
let h = {};
|
|
283
283
|
try {
|
|
284
|
-
|
|
284
|
+
h = await c[this.userSecretsTable].findUniqueOrThrow({
|
|
285
285
|
where: {
|
|
286
286
|
[this.useridForeignKeyColumn]: e.id
|
|
287
287
|
}
|
|
288
288
|
});
|
|
289
289
|
} catch {
|
|
290
290
|
}
|
|
291
|
-
let { userid: w, ...y } =
|
|
291
|
+
let { userid: w, ...y } = h ?? {};
|
|
292
292
|
n = { ...y, ...n }, await c[this.userTable].update({
|
|
293
293
|
where: {
|
|
294
294
|
[this.idColumn]: e.id
|
|
@@ -421,10 +421,10 @@ class kt extends x {
|
|
|
421
421
|
*/
|
|
422
422
|
constructor(e = {}) {
|
|
423
423
|
super();
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
|
|
424
|
+
d(this, "keyTable", "key");
|
|
425
|
+
d(this, "prismaClient");
|
|
426
|
+
d(this, "transactionTimeout", 5e3);
|
|
427
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
428
428
|
m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
429
429
|
}
|
|
430
430
|
async getKey(e) {
|
|
@@ -468,7 +468,7 @@ class kt extends x {
|
|
|
468
468
|
async saveKey(e, t, r, i, a, n = {}) {
|
|
469
469
|
let c;
|
|
470
470
|
try {
|
|
471
|
-
let
|
|
471
|
+
let h = {
|
|
472
472
|
[this.useridForeignKeyColumn]: e,
|
|
473
473
|
value: t,
|
|
474
474
|
created: r,
|
|
@@ -477,10 +477,10 @@ class kt extends x {
|
|
|
477
477
|
...n
|
|
478
478
|
};
|
|
479
479
|
await this.prismaClient[this.keyTable].create({
|
|
480
|
-
data:
|
|
480
|
+
data: h
|
|
481
481
|
});
|
|
482
|
-
} catch (
|
|
483
|
-
|
|
482
|
+
} catch (h) {
|
|
483
|
+
h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? h.code == "P2002" ? (u.logger.warn(f({ msg: "Attempt to create key that already exists. Stack trace follows" })), u.logger.debug(f({ err: h })), c = new o(l.KeyExists)) : (u.logger.debug(f({ err: h })), c = new o(l.Connection, "Error saving key")) : (u.logger.debug(f({ err: h })), c = new o(l.Connection, "Error saving key"));
|
|
484
484
|
}
|
|
485
485
|
if (c)
|
|
486
486
|
throw c;
|
|
@@ -691,14 +691,14 @@ class Et extends me {
|
|
|
691
691
|
*/
|
|
692
692
|
constructor(e = {}) {
|
|
693
693
|
super();
|
|
694
|
-
|
|
695
|
-
|
|
696
|
-
|
|
697
|
-
|
|
694
|
+
d(this, "clientTable", "oAuthClient");
|
|
695
|
+
d(this, "redirectUriTable", "OAuthClientRedirectUri");
|
|
696
|
+
d(this, "validFlowTable", "OAuthClientValidFlow");
|
|
697
|
+
d(this, "prismaClient");
|
|
698
698
|
// PrismaClient;
|
|
699
|
-
|
|
700
|
-
|
|
701
|
-
|
|
699
|
+
d(this, "transactionTimeout", 5e3);
|
|
700
|
+
d(this, "updateMode", "DeleteAndInsert");
|
|
701
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
702
702
|
m("clientTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, e, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, e, "OAUTH_VALID_FLOW_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("updateMode", g.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
703
703
|
}
|
|
704
704
|
async getClientById(e) {
|
|
@@ -717,13 +717,13 @@ class Et extends me {
|
|
|
717
717
|
...n
|
|
718
718
|
},
|
|
719
719
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
720
|
-
}),
|
|
720
|
+
}), h = c.redirect_uri, w = c.valid_flow;
|
|
721
721
|
let y = c[this.useridForeignKeyColumn];
|
|
722
722
|
return y === null && (y = void 0), this.useridForeignKeyColumn != "userid" && delete c[this.useridForeignKeyColumn], [{
|
|
723
723
|
...c,
|
|
724
724
|
userid: y,
|
|
725
725
|
client_secret: c.client_secret ?? void 0,
|
|
726
|
-
redirect_uri:
|
|
726
|
+
redirect_uri: h.map((p) => p.uri),
|
|
727
727
|
valid_flow: w.map((p) => p.flow)
|
|
728
728
|
}];
|
|
729
729
|
} else {
|
|
@@ -734,10 +734,10 @@ class Et extends me {
|
|
|
734
734
|
},
|
|
735
735
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
736
736
|
});
|
|
737
|
-
for (let
|
|
738
|
-
const w =
|
|
739
|
-
let p =
|
|
740
|
-
p == null && (p = void 0),
|
|
737
|
+
for (let h of c) {
|
|
738
|
+
const w = h.redirect_uri, y = h.valid_flow;
|
|
739
|
+
let p = h[this.useridForeignKeyColumn];
|
|
740
|
+
p == null && (p = void 0), h.userid = p, this.useridForeignKeyColumn != "userid" && delete h[this.useridForeignKeyColumn], h.client_secret = h.client_secret ?? void 0, h.redirect_uri = w.map((_) => _.uri), h.valid_flow = y.map((_) => _.flow);
|
|
741
741
|
}
|
|
742
742
|
return c;
|
|
743
743
|
}
|
|
@@ -768,50 +768,50 @@ class Et extends me {
|
|
|
768
768
|
const { redirect_uri: r, valid_flow: i, userid: a, ...n } = e;
|
|
769
769
|
let c;
|
|
770
770
|
if (a && (n[this.useridForeignKeyColumn] = a), this.useridForeignKeyColumn != "userid" && delete e[this.useridForeignKeyColumn], r)
|
|
771
|
-
for (let
|
|
772
|
-
if (r[
|
|
771
|
+
for (let h = 0; h < r.length; ++h) {
|
|
772
|
+
if (r[h].includes("#")) throw new o(l.InvalidRedirectUri, "Redirect Uri's may not contain page fragments");
|
|
773
773
|
try {
|
|
774
|
-
new URL(r[
|
|
774
|
+
new URL(r[h]);
|
|
775
775
|
} catch {
|
|
776
|
-
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[
|
|
776
|
+
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[h]} is not valid`);
|
|
777
777
|
}
|
|
778
778
|
}
|
|
779
779
|
if (i) {
|
|
780
|
-
for (let
|
|
781
|
-
if (!b.isValidFlow(i[
|
|
780
|
+
for (let h = 0; h < i.length; ++h)
|
|
781
|
+
if (!b.isValidFlow(i[h])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[h]);
|
|
782
782
|
}
|
|
783
783
|
try {
|
|
784
784
|
c = await t[this.clientTable].create({
|
|
785
785
|
data: n
|
|
786
786
|
});
|
|
787
|
-
} catch (
|
|
788
|
-
throw
|
|
787
|
+
} catch (h) {
|
|
788
|
+
throw h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? h.code == "P2002" ? (u.logger.debug(f({ err: h })), new o(l.ClientExists, "Attempt to create an OAuth client with a client_id that already exists. Maximum attempts failed")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client"));
|
|
789
789
|
}
|
|
790
790
|
if (!c)
|
|
791
791
|
throw u.logger.error(f({ msg: "Attempt to create key that already exists. Stack trace follows" })), new o(l.KeyExists);
|
|
792
792
|
if (r)
|
|
793
793
|
try {
|
|
794
|
-
for (let
|
|
794
|
+
for (let h = 0; h < r.length; ++h)
|
|
795
795
|
await t[this.redirectUriTable].create({
|
|
796
796
|
data: {
|
|
797
797
|
client_id: c.client_id,
|
|
798
|
-
uri: r[
|
|
798
|
+
uri: r[h]
|
|
799
799
|
}
|
|
800
800
|
});
|
|
801
|
-
} catch (
|
|
802
|
-
throw
|
|
801
|
+
} catch (h) {
|
|
802
|
+
throw h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? h.code == "P2002" ? (u.logger.debug(f({ err: h })), new o(l.InvalidRedirectUri, "Attempt to create an OAuth client with a redirect uri that already belongs to another client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client"));
|
|
803
803
|
}
|
|
804
804
|
if (i)
|
|
805
805
|
try {
|
|
806
|
-
for (let
|
|
806
|
+
for (let h = 0; h < i.length; ++h)
|
|
807
807
|
await t[this.validFlowTable].create({
|
|
808
808
|
data: {
|
|
809
809
|
client_id: c.client_id,
|
|
810
|
-
flow: i[
|
|
810
|
+
flow: i[h]
|
|
811
811
|
}
|
|
812
812
|
});
|
|
813
|
-
} catch (
|
|
814
|
-
throw
|
|
813
|
+
} catch (h) {
|
|
814
|
+
throw h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client"));
|
|
815
815
|
}
|
|
816
816
|
return { ...c, redirect_uri: r, valid_flow: i };
|
|
817
817
|
}
|
|
@@ -954,11 +954,11 @@ class bt extends we {
|
|
|
954
954
|
*/
|
|
955
955
|
constructor(e = {}) {
|
|
956
956
|
super();
|
|
957
|
-
|
|
958
|
-
|
|
957
|
+
d(this, "authorizationTable", "oAuthAuthorization");
|
|
958
|
+
d(this, "prismaClient");
|
|
959
959
|
// PrismaClient;
|
|
960
|
-
|
|
961
|
-
|
|
960
|
+
d(this, "transactionTimeout", 5e3);
|
|
961
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
962
962
|
m("authorizationTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
963
963
|
}
|
|
964
964
|
async getAuthorizations(e, t) {
|
|
@@ -1018,10 +1018,10 @@ class Ut extends L {
|
|
|
1018
1018
|
*/
|
|
1019
1019
|
constructor(e = {}) {
|
|
1020
1020
|
super(e);
|
|
1021
|
-
|
|
1022
|
-
|
|
1023
|
-
|
|
1024
|
-
|
|
1021
|
+
d(this, "usersByUsername", {});
|
|
1022
|
+
d(this, "usersByEmail", {});
|
|
1023
|
+
d(this, "secretsByUsername", {});
|
|
1024
|
+
d(this, "secretsByEmail", {});
|
|
1025
1025
|
}
|
|
1026
1026
|
/**
|
|
1027
1027
|
* Create a user
|
|
@@ -1163,9 +1163,9 @@ class At extends x {
|
|
|
1163
1163
|
*/
|
|
1164
1164
|
constructor() {
|
|
1165
1165
|
super();
|
|
1166
|
-
|
|
1167
|
-
|
|
1168
|
-
|
|
1166
|
+
d(this, "keys", {});
|
|
1167
|
+
d(this, "keysByUserId", {});
|
|
1168
|
+
d(this, "nonUserKeys", []);
|
|
1169
1169
|
}
|
|
1170
1170
|
/**
|
|
1171
1171
|
* Returns the matching key recortd, with additional, or throws an exception.
|
|
@@ -1239,8 +1239,8 @@ class At extends x {
|
|
|
1239
1239
|
for (let i = 0; i < r.length; ++i) {
|
|
1240
1240
|
let a = !0, n = 0;
|
|
1241
1241
|
const c = r[i];
|
|
1242
|
-
for (let
|
|
1243
|
-
if (
|
|
1242
|
+
for (let h in e)
|
|
1243
|
+
if (h in c && c[h] != e[h]) {
|
|
1244
1244
|
a = !1, n = i;
|
|
1245
1245
|
break;
|
|
1246
1246
|
}
|
|
@@ -1316,8 +1316,8 @@ class It extends me {
|
|
|
1316
1316
|
*/
|
|
1317
1317
|
constructor(e = {}) {
|
|
1318
1318
|
super();
|
|
1319
|
-
|
|
1320
|
-
|
|
1319
|
+
d(this, "clients", {});
|
|
1320
|
+
d(this, "clientsByName", {});
|
|
1321
1321
|
}
|
|
1322
1322
|
/**
|
|
1323
1323
|
* Returns the matching client record or throws an exception.
|
|
@@ -1407,8 +1407,8 @@ class Pt extends we {
|
|
|
1407
1407
|
*/
|
|
1408
1408
|
constructor(e = {}) {
|
|
1409
1409
|
super();
|
|
1410
|
-
|
|
1411
|
-
|
|
1410
|
+
d(this, "byClientAndUser", {});
|
|
1411
|
+
d(this, "byClient", {});
|
|
1412
1412
|
}
|
|
1413
1413
|
async getAuthorizations(e, t) {
|
|
1414
1414
|
if (t) {
|
|
@@ -1447,11 +1447,11 @@ class oe extends L {
|
|
|
1447
1447
|
*/
|
|
1448
1448
|
constructor(e, t = {}) {
|
|
1449
1449
|
super(t);
|
|
1450
|
-
|
|
1451
|
-
|
|
1452
|
-
|
|
1453
|
-
|
|
1454
|
-
|
|
1450
|
+
d(this, "localStorage");
|
|
1451
|
+
d(this, "ldapUrls", []);
|
|
1452
|
+
d(this, "ldapUserSearchBase", "");
|
|
1453
|
+
d(this, "ldapUsernameAttribute", "cn");
|
|
1454
|
+
d(this, "createUserFn", $e);
|
|
1455
1455
|
this.localStorage = e, m("ldapUrls", g.JsonArray, this, t, "LDAP_URL", !0), m("ldapUserSearchBase", g.String, this, t, "LDAP_USER_SEARCH_BASE"), m("ldapUsernameAttribute", g.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
|
|
1456
1456
|
}
|
|
1457
1457
|
/**
|
|
@@ -1590,17 +1590,17 @@ class oe extends L {
|
|
|
1590
1590
|
r && (n.attributes = r), e.search(
|
|
1591
1591
|
t,
|
|
1592
1592
|
n,
|
|
1593
|
-
function(c,
|
|
1593
|
+
function(c, h) {
|
|
1594
1594
|
let w;
|
|
1595
1595
|
if (c) {
|
|
1596
1596
|
a(c), e.unbind();
|
|
1597
1597
|
return;
|
|
1598
1598
|
}
|
|
1599
|
-
|
|
1599
|
+
h.on("searchEntry", function(y) {
|
|
1600
1600
|
w = oe.searchResultToUser(y.pojo);
|
|
1601
|
-
}),
|
|
1601
|
+
}), h.on("error", function(y) {
|
|
1602
1602
|
a(y), e.unbind();
|
|
1603
|
-
}),
|
|
1603
|
+
}), h.on("end", function(y) {
|
|
1604
1604
|
y.status != 0 ? a(new o(l.Connection, "LDAP onnection failed")) : w ? i(w) : a(new o(l.UsernameOrPasswordInvalid)), e.unbind();
|
|
1605
1605
|
});
|
|
1606
1606
|
}
|
|
@@ -1638,12 +1638,12 @@ class Y extends L {
|
|
|
1638
1638
|
*/
|
|
1639
1639
|
constructor(e, t = {}) {
|
|
1640
1640
|
super(t);
|
|
1641
|
-
|
|
1642
|
-
|
|
1643
|
-
|
|
1644
|
-
|
|
1645
|
-
|
|
1646
|
-
|
|
1641
|
+
d(this, "userTable", "users");
|
|
1642
|
+
d(this, "userSecretsTable", "usersecrets");
|
|
1643
|
+
d(this, "idColumn", "id");
|
|
1644
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
1645
|
+
d(this, "forceIdToNumber", !0);
|
|
1646
|
+
d(this, "dbPool");
|
|
1647
1647
|
this.dbPool = e, m("userTable", g.String, this, t, "USER_TABLE"), m("userSecretsTable", g.String, this, t, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, t, "USER_ID_COLUMN"), m("forceIdToNumber", g.String, this, t, "USER_FORCE_ID_TO_NUMBER"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
|
|
1648
1648
|
}
|
|
1649
1649
|
/**
|
|
@@ -1696,7 +1696,7 @@ class Y extends L {
|
|
|
1696
1696
|
let i = await this.dbPool.connect(), a, n, c = this.dbPool.parameters();
|
|
1697
1697
|
try {
|
|
1698
1698
|
await i.startTransaction();
|
|
1699
|
-
let
|
|
1699
|
+
let h = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), w = await i.execute(h, [t]);
|
|
1700
1700
|
if (w.length == 0)
|
|
1701
1701
|
throw new o(l.UserNotExist);
|
|
1702
1702
|
let y, p, _;
|
|
@@ -1712,7 +1712,7 @@ class Y extends L {
|
|
|
1712
1712
|
username: p,
|
|
1713
1713
|
state: _
|
|
1714
1714
|
}, !a) throw new o(l.UserNotExist);
|
|
1715
|
-
if (c = this.dbPool.parameters(),
|
|
1715
|
+
if (c = this.dbPool.parameters(), h = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), w = await i.execute(h, [a.id]), w.length == 0)
|
|
1716
1716
|
throw new o(l.UserNotExist);
|
|
1717
1717
|
if (w.length > 0 ? n = { userid: a.id, ...w[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
|
|
1718
1718
|
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
|
|
@@ -1728,8 +1728,8 @@ class Y extends L {
|
|
|
1728
1728
|
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.factor2ResetNeeded)
|
|
1729
1729
|
throw u.logger.debug(f({ msg: "2FA reset required" })), new o(l.Factor2ResetNeeded);
|
|
1730
1730
|
return { user: a, secrets: n };
|
|
1731
|
-
} catch (
|
|
1732
|
-
throw await i.rollback(),
|
|
1731
|
+
} catch (h) {
|
|
1732
|
+
throw await i.rollback(), h;
|
|
1733
1733
|
} finally {
|
|
1734
1734
|
i.release();
|
|
1735
1735
|
}
|
|
@@ -1742,8 +1742,8 @@ class Y extends L {
|
|
|
1742
1742
|
*/
|
|
1743
1743
|
async getUsers(e, t) {
|
|
1744
1744
|
const r = await this.dbPool.connect();
|
|
1745
|
-
let i = [], a = [], n = "", c = "",
|
|
1746
|
-
e && (c = "OFFSET " +
|
|
1745
|
+
let i = [], a = [], n = "", c = "", h = this.dbPool.parameters();
|
|
1746
|
+
e && (c = "OFFSET " + h.nextParameter()), t && (a.push(t), n = "LIMIT " + h.nextParameter());
|
|
1747
1747
|
try {
|
|
1748
1748
|
let w = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(w, a);
|
|
1749
1749
|
if (y.length == 0)
|
|
@@ -1789,7 +1789,7 @@ class Y extends L {
|
|
|
1789
1789
|
let i = this.dbPool.parameters(), a = `select * from ${this.userTable} where ${this.idColumn} = ` + i.nextParameter();
|
|
1790
1790
|
if ((await r.execute(a, [e.id])).length == 0)
|
|
1791
1791
|
throw new o(l.UserNotExist);
|
|
1792
|
-
let c = { ...e },
|
|
1792
|
+
let c = { ...e }, h = t ? { ...t } : void 0;
|
|
1793
1793
|
"email" in c && c.email && (c = { email_normalized: this.normalizeEmail ? Y.normalize(c.email) : c.email, ...c }), "username" in c && c.username && (c = { username_normalized: this.normalizeUsername ? Y.normalize(c.username) : c.username, ...c }), i = this.dbPool.parameters();
|
|
1794
1794
|
let w = [], y = [];
|
|
1795
1795
|
for (let p in c)
|
|
@@ -1802,8 +1802,8 @@ class Y extends L {
|
|
|
1802
1802
|
}
|
|
1803
1803
|
if (t) {
|
|
1804
1804
|
w = [], y = [], i = this.dbPool.parameters();
|
|
1805
|
-
for (let p in
|
|
1806
|
-
|
|
1805
|
+
for (let p in h)
|
|
1806
|
+
h[p] != null && p != "userid" && (w.push(p + "= " + i.nextParameter()), y.push(h[p]));
|
|
1807
1807
|
if (w.length > 0) {
|
|
1808
1808
|
let p = w.join(", ");
|
|
1809
1809
|
y.push(e.id);
|
|
@@ -1836,25 +1836,25 @@ class Y extends L {
|
|
|
1836
1836
|
await r.startTransaction();
|
|
1837
1837
|
let a = { ...e }, n = t ? { ...t } : void 0;
|
|
1838
1838
|
"email" in a && a.email && (a = { email_normalized: this.normalizeEmail ? Y.normalize(a.email) : a.email, ...a }), "username" in a && a.username && (a = { username_normalized: this.normalizeUsername ? Y.normalize(a.username) : a.username, ...a });
|
|
1839
|
-
let c = [],
|
|
1839
|
+
let c = [], h = [], w = [];
|
|
1840
1840
|
const y = this.dbPool.parameters();
|
|
1841
1841
|
for (let _ in a)
|
|
1842
|
-
a[_] != null && _ != "id" && (c.push(_),
|
|
1842
|
+
a[_] != null && _ != "id" && (c.push(_), h.push(y.nextParameter()), w.push(a[_]));
|
|
1843
1843
|
if (c.length > 0) {
|
|
1844
|
-
let _ = c.join(", "), C =
|
|
1844
|
+
let _ = c.join(", "), C = h.join(", ");
|
|
1845
1845
|
const T = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(T, w);
|
|
1846
1846
|
if (k.length == 0 || !k[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
|
|
1847
1847
|
i = k[0][this.idColumn];
|
|
1848
1848
|
}
|
|
1849
1849
|
if (!i) throw new o(l.Connection, "Couldn't create user");
|
|
1850
1850
|
if (t) {
|
|
1851
|
-
c = [],
|
|
1851
|
+
c = [], h = [], w = [];
|
|
1852
1852
|
const _ = this.dbPool.parameters();
|
|
1853
|
-
c.push("userid"),
|
|
1853
|
+
c.push("userid"), h.push(_.nextParameter()), w.push(i);
|
|
1854
1854
|
for (let C in n)
|
|
1855
|
-
n[C] != null && C != "userid" && (c.push(C),
|
|
1855
|
+
n[C] != null && C != "userid" && (c.push(C), h.push(_.nextParameter()), w.push(n[C]));
|
|
1856
1856
|
if (c.length > 0) {
|
|
1857
|
-
let C = c.join(", "), T =
|
|
1857
|
+
let C = c.join(", "), T = h.join(", ");
|
|
1858
1858
|
const k = `insert into ${this.userSecretsTable} (${C}) values (${T})`;
|
|
1859
1859
|
u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k, w);
|
|
1860
1860
|
}
|
|
@@ -1912,9 +1912,9 @@ class qe extends x {
|
|
|
1912
1912
|
*/
|
|
1913
1913
|
constructor(e, t = {}) {
|
|
1914
1914
|
super();
|
|
1915
|
-
|
|
1916
|
-
|
|
1917
|
-
|
|
1915
|
+
d(this, "keyTable", "keys");
|
|
1916
|
+
d(this, "dbPool");
|
|
1917
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
1918
1918
|
m("transactionTimeout", g.Number, this, t, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
|
|
1919
1919
|
}
|
|
1920
1920
|
async getKey(e) {
|
|
@@ -1962,13 +1962,13 @@ class qe extends x {
|
|
|
1962
1962
|
* @throws {@link @crossauth/common!CrossauthError } if the key could not be stored.
|
|
1963
1963
|
*/
|
|
1964
1964
|
async saveKey(e, t, r, i, a, n = {}) {
|
|
1965
|
-
let c,
|
|
1965
|
+
let c, h = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], w = this.dbPool.parameters(), y = [];
|
|
1966
1966
|
for (let k = 0; k < 5; ++k)
|
|
1967
1967
|
y.push(w.nextParameter());
|
|
1968
1968
|
let p = [e ?? null, t, r, i ?? null, a ?? ""];
|
|
1969
1969
|
for (let k in n)
|
|
1970
|
-
|
|
1971
|
-
let _ =
|
|
1970
|
+
h.push(k), y.push(w.nextParameter()), p.push(n[k]);
|
|
1971
|
+
let _ = h.join(", "), C = y.join(", ");
|
|
1972
1972
|
const T = await this.dbPool.connect();
|
|
1973
1973
|
try {
|
|
1974
1974
|
const k = `insert into ${this.keyTable} (${_}) values (${C})`;
|
|
@@ -1993,15 +1993,15 @@ class qe extends x {
|
|
|
1993
1993
|
async deleteAllForUser(e, t, r) {
|
|
1994
1994
|
const i = await this.dbPool.connect();
|
|
1995
1995
|
try {
|
|
1996
|
-
let a, n = [], c = "",
|
|
1996
|
+
let a, n = [], c = "", h = this.dbPool.parameters();
|
|
1997
1997
|
if (e) {
|
|
1998
|
-
const w =
|
|
1998
|
+
const w = h.nextParameter(), y = h.nextParameter();
|
|
1999
1999
|
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${w} and value like ${y} `, n = [e];
|
|
2000
2000
|
} else {
|
|
2001
|
-
const w =
|
|
2001
|
+
const w = h.nextParameter();
|
|
2002
2002
|
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${w}`;
|
|
2003
2003
|
}
|
|
2004
|
-
n.push(t + "%"), r && (c = "and value != " +
|
|
2004
|
+
n.push(t + "%"), r && (c = "and value != " + h.nextParameter(), n.push(r)), a += " " + c, u.logger.debug(f({ msg: "Executing query", query: a })), await i.execute(a, n);
|
|
2005
2005
|
} catch (a) {
|
|
2006
2006
|
throw a;
|
|
2007
2007
|
} finally {
|
|
@@ -2013,9 +2013,9 @@ class qe extends x {
|
|
|
2013
2013
|
try {
|
|
2014
2014
|
let r = [], i = [];
|
|
2015
2015
|
const a = this.dbPool.parameters();
|
|
2016
|
-
for (let
|
|
2017
|
-
let w =
|
|
2018
|
-
e[
|
|
2016
|
+
for (let h in e) {
|
|
2017
|
+
let w = h == "userid" ? this.useridForeignKeyColumn : h;
|
|
2018
|
+
e[h] == null ? r.push(w + " is null") : (r.push(w + " = " + a.nextParameter()), i.push(e[h]));
|
|
2019
2019
|
}
|
|
2020
2020
|
let n = r.join(" and "), c = `delete from ${this.keyTable} where ${n}`;
|
|
2021
2021
|
await t.execute(c, i);
|
|
@@ -2031,8 +2031,8 @@ class qe extends x {
|
|
|
2031
2031
|
let i, a = [];
|
|
2032
2032
|
const n = this.dbPool.parameters();
|
|
2033
2033
|
if (e) {
|
|
2034
|
-
let c = n.nextParameter(),
|
|
2035
|
-
i = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${c} and value like ${
|
|
2034
|
+
let c = n.nextParameter(), h = n.nextParameter();
|
|
2035
|
+
i = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${c} and value like ${h}`, a.push(e);
|
|
2036
2036
|
} else {
|
|
2037
2037
|
let c = n.nextParameter();
|
|
2038
2038
|
i = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${c}`;
|
|
@@ -2053,8 +2053,8 @@ class qe extends x {
|
|
|
2053
2053
|
let c = await t.execute(i, a);
|
|
2054
2054
|
if (c.length == 0)
|
|
2055
2055
|
return [];
|
|
2056
|
-
for (let
|
|
2057
|
-
let w = this.makeKey(
|
|
2056
|
+
for (let h of c) {
|
|
2057
|
+
let w = this.makeKey(h);
|
|
2058
2058
|
this.useridForeignKeyColumn != "userid" && (w.userid = w[this.useridForeignKeyColumn], delete w[this.useridForeignKeyColumn]), r.push(w);
|
|
2059
2059
|
}
|
|
2060
2060
|
return r;
|
|
@@ -2086,12 +2086,12 @@ class qe extends x {
|
|
|
2086
2086
|
delete r.value;
|
|
2087
2087
|
let i = [], a = [], n = this.dbPool.parameters();
|
|
2088
2088
|
for (let c in r) {
|
|
2089
|
-
let
|
|
2090
|
-
r[c] != null && c == "userid" && this.useridForeignKeyColumn != "userid" && (
|
|
2089
|
+
let h = c;
|
|
2090
|
+
r[c] != null && c == "userid" && this.useridForeignKeyColumn != "userid" && (h = this.useridForeignKeyColumn), i.push(c + "= " + n.nextParameter()), a.push(r[h]);
|
|
2091
2091
|
}
|
|
2092
2092
|
if (a.push(t.value), i.length > 0) {
|
|
2093
|
-
let c = i.join(", "),
|
|
2094
|
-
u.logger.debug(f({ msg: "Executing query", query:
|
|
2093
|
+
let c = i.join(", "), h = `update ${this.keyTable} set ${c} where value = ` + n.nextParameter();
|
|
2094
|
+
u.logger.debug(f({ msg: "Executing query", query: h })), await e.execute(h, a);
|
|
2095
2095
|
}
|
|
2096
2096
|
}
|
|
2097
2097
|
/**
|
|
@@ -2162,11 +2162,11 @@ class We extends me {
|
|
|
2162
2162
|
*/
|
|
2163
2163
|
constructor(e, t = {}) {
|
|
2164
2164
|
super();
|
|
2165
|
-
|
|
2166
|
-
|
|
2167
|
-
|
|
2168
|
-
|
|
2169
|
-
|
|
2165
|
+
d(this, "clientTable", "oauthclient");
|
|
2166
|
+
d(this, "redirectUriTable", "oauthclientredirecturi");
|
|
2167
|
+
d(this, "validFlowTable", "oauthclientvalidflow");
|
|
2168
|
+
d(this, "dbPool");
|
|
2169
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
2170
2170
|
m("clientTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, t, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, t, "OAUTH_VALID_FLOW_TABLE"), m("updateMode", g.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2171
2171
|
}
|
|
2172
2172
|
async getClientById(e) {
|
|
@@ -2210,10 +2210,10 @@ class We extends me {
|
|
|
2210
2210
|
};
|
|
2211
2211
|
}
|
|
2212
2212
|
async getClientWithTransaction(e, t, r, i, a, n) {
|
|
2213
|
-
let c = [],
|
|
2214
|
-
t && r && (p = `where c.${t} = ` +
|
|
2213
|
+
let c = [], h = this.dbPool.parameters(), w = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, p = "";
|
|
2214
|
+
t && r && (p = `where c.${t} = ` + h.nextParameter(), w.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + h.nextParameter(), w.push(i)));
|
|
2215
2215
|
let _ = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, C = "";
|
|
2216
|
-
t && r && (C = `where c.${t} = ` +
|
|
2216
|
+
t && r && (C = `where c.${t} = ` + h.nextParameter(), w.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + h.nextParameter(), w.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += p, _ += C;
|
|
2217
2217
|
let T = y + " union " + _ + " order by client_id";
|
|
2218
2218
|
const k = await e.execute(T, w);
|
|
2219
2219
|
let A;
|
|
@@ -2255,12 +2255,12 @@ class We extends me {
|
|
|
2255
2255
|
for (let C = 0; C < i.length; ++C)
|
|
2256
2256
|
if (!b.isValidFlow(i[C])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[C]);
|
|
2257
2257
|
}
|
|
2258
|
-
let c = [],
|
|
2258
|
+
let c = [], h = [], w = [], y = this.dbPool.parameters();
|
|
2259
2259
|
try {
|
|
2260
2260
|
for (let C in n)
|
|
2261
|
-
c.push(C),
|
|
2261
|
+
c.push(C), h.push(y.nextParameter()), w.push(n[C]);
|
|
2262
2262
|
if (c.length > 0) {
|
|
2263
|
-
let C = c.join(", "), T =
|
|
2263
|
+
let C = c.join(", "), T = h.join(", ");
|
|
2264
2264
|
const k = `insert into ${this.clientTable} (${C}) values (${T})`;
|
|
2265
2265
|
await e.execute(k, w);
|
|
2266
2266
|
}
|
|
@@ -2341,14 +2341,14 @@ class We extends me {
|
|
|
2341
2341
|
if (!b.isValidFlow(i[T])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
|
|
2342
2342
|
}
|
|
2343
2343
|
if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
|
|
2344
|
-
let { client_id: a, redirect_uri: n, valid_flow: c, ...
|
|
2344
|
+
let { client_id: a, redirect_uri: n, valid_flow: c, ...h } = t;
|
|
2345
2345
|
n || (n = []), c || (c = []);
|
|
2346
2346
|
let w = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + w.nextParameter();
|
|
2347
2347
|
await e.execute(y, [t.client_id]), w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter(), await e.execute(y, [t.client_id]);
|
|
2348
2348
|
let p = [], _ = [], C = [];
|
|
2349
2349
|
w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter();
|
|
2350
|
-
for (let T in
|
|
2351
|
-
p.push(T), _.push(w.nextParameter()), C.push(
|
|
2350
|
+
for (let T in h)
|
|
2351
|
+
p.push(T), _.push(w.nextParameter()), C.push(h[T]);
|
|
2352
2352
|
if (p.length > 0) {
|
|
2353
2353
|
let T = p.join(", "), k = _.join(", ");
|
|
2354
2354
|
y = `update ${this.clientTable} set (${T}) values (${k})`, await e.execute(y, C);
|
|
@@ -2387,9 +2387,9 @@ class Je extends we {
|
|
|
2387
2387
|
*/
|
|
2388
2388
|
constructor(e, t = {}) {
|
|
2389
2389
|
super();
|
|
2390
|
-
|
|
2391
|
-
|
|
2392
|
-
|
|
2390
|
+
d(this, "authorizationTable", "oauthauthorization");
|
|
2391
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
2392
|
+
d(this, "dbPool");
|
|
2393
2393
|
m("authorizationTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2394
2394
|
}
|
|
2395
2395
|
async getAuthorizations(e, t) {
|
|
@@ -2410,8 +2410,8 @@ class Je extends we {
|
|
|
2410
2410
|
await i.startTransaction();
|
|
2411
2411
|
let a = this.dbPool.parameters(), n = [], c = `delete from ${this.authorizationTable} where client_id = ` + a.nextParameter();
|
|
2412
2412
|
n.push(e), t ? (c += ` and ${this.useridForeignKeyColumn} = ` + a.nextParameter(), n.push(t)) : c += ` and ${this.useridForeignKeyColumn} is null`, await i.execute(c, n);
|
|
2413
|
-
for (let
|
|
2414
|
-
a = this.dbPool.parameters(), n = [], c = `insert into ${this.authorizationTable} (client_id, userid, scope) values (` + a.nextParameter() + ", " + a.nextParameter() + ", " + a.nextParameter() + ")", n.push(e), n.push(t), n.push(
|
|
2413
|
+
for (let h of r)
|
|
2414
|
+
a = this.dbPool.parameters(), n = [], c = `insert into ${this.authorizationTable} (client_id, userid, scope) values (` + a.nextParameter() + ", " + a.nextParameter() + ", " + a.nextParameter() + ")", n.push(e), n.push(t), n.push(h), await i.execute(c, n);
|
|
2415
2415
|
await i.commit();
|
|
2416
2416
|
} catch (a) {
|
|
2417
2417
|
throw await i.rollback(), a;
|
|
@@ -2433,7 +2433,7 @@ class Ze {
|
|
|
2433
2433
|
class de extends Ye {
|
|
2434
2434
|
constructor(e) {
|
|
2435
2435
|
super();
|
|
2436
|
-
|
|
2436
|
+
d(this, "pgPool");
|
|
2437
2437
|
this.pgPool = e;
|
|
2438
2438
|
}
|
|
2439
2439
|
async connect() {
|
|
@@ -2447,7 +2447,7 @@ class de extends Ye {
|
|
|
2447
2447
|
class Xe extends Ze {
|
|
2448
2448
|
constructor(e) {
|
|
2449
2449
|
super();
|
|
2450
|
-
|
|
2450
|
+
d(this, "pgClient");
|
|
2451
2451
|
this.pgClient = e;
|
|
2452
2452
|
}
|
|
2453
2453
|
crossauthErrorFromPostgresError(e) {
|
|
@@ -2482,7 +2482,7 @@ class Xe extends Ze {
|
|
|
2482
2482
|
class Qe extends Ge {
|
|
2483
2483
|
constructor() {
|
|
2484
2484
|
super();
|
|
2485
|
-
|
|
2485
|
+
d(this, "nextParam", 1);
|
|
2486
2486
|
}
|
|
2487
2487
|
nextParameter() {
|
|
2488
2488
|
return "$" + this.nextParam++;
|
|
@@ -2498,7 +2498,7 @@ class Kt extends Y {
|
|
|
2498
2498
|
super(new de(s), e);
|
|
2499
2499
|
}
|
|
2500
2500
|
}
|
|
2501
|
-
class
|
|
2501
|
+
class Ot extends qe {
|
|
2502
2502
|
/**
|
|
2503
2503
|
* Creates a PostgresKeyStorage object, optionally overriding defaults.
|
|
2504
2504
|
* @param pgPool the instance of the Posrgres client.
|
|
@@ -2508,7 +2508,7 @@ class Ft extends qe {
|
|
|
2508
2508
|
super(new de(s), e);
|
|
2509
2509
|
}
|
|
2510
2510
|
}
|
|
2511
|
-
class
|
|
2511
|
+
class Ft extends We {
|
|
2512
2512
|
/**
|
|
2513
2513
|
* Creates a PostgresOAuthClientStorage object, optionally overriding defaults.
|
|
2514
2514
|
* @param pgPool the instance of the Posrgres client.
|
|
@@ -2535,8 +2535,8 @@ class re {
|
|
|
2535
2535
|
* @param options see {@link AuthenticationOptions}
|
|
2536
2536
|
*/
|
|
2537
2537
|
constructor(s) {
|
|
2538
|
-
|
|
2539
|
-
|
|
2538
|
+
d(this, "friendlyName");
|
|
2539
|
+
d(this, "factorName", "");
|
|
2540
2540
|
if (!(s != null && s.friendlyName)) throw new o(l.Configuration, "Authenticator must have a friendly name");
|
|
2541
2541
|
this.friendlyName = s == null ? void 0 : s.friendlyName;
|
|
2542
2542
|
}
|
|
@@ -2679,7 +2679,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2679
2679
|
* Creates a UUID
|
|
2680
2680
|
*/
|
|
2681
2681
|
static uuid() {
|
|
2682
|
-
return
|
|
2682
|
+
return Oe();
|
|
2683
2683
|
}
|
|
2684
2684
|
/**
|
|
2685
2685
|
* Standard hash using SHA256 (not PBKDF2 or HMAC)
|
|
@@ -2697,7 +2697,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2697
2697
|
* @returns the string containing the hash
|
|
2698
2698
|
*/
|
|
2699
2699
|
static sha256(s) {
|
|
2700
|
-
return
|
|
2700
|
+
return Fe("sha256").update(s).digest("base64url");
|
|
2701
2701
|
}
|
|
2702
2702
|
/**
|
|
2703
2703
|
* Hashes a password and returns it as a base64 or base64url encoded string
|
|
@@ -2784,10 +2784,10 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2784
2784
|
const i = r[0], a = r[1], n = JSON.parse(Buffer.from(i, "base64url").toString());
|
|
2785
2785
|
if (t && n.t + t * 1e3 > (/* @__PURE__ */ new Date()).getTime())
|
|
2786
2786
|
throw new o(l.Expired);
|
|
2787
|
-
const
|
|
2788
|
-
if (
|
|
2787
|
+
const h = ie(ae, e).update(i).digest("base64url");
|
|
2788
|
+
if (h.length != a.length)
|
|
2789
2789
|
throw new o(l.InvalidKey, "Signature does not match payload");
|
|
2790
|
-
if (!he(Buffer.from(
|
|
2790
|
+
if (!he(Buffer.from(h), Buffer.from(a)))
|
|
2791
2791
|
throw new o(l.InvalidKey, "Signature does not match payload");
|
|
2792
2792
|
return n;
|
|
2793
2793
|
}
|
|
@@ -2852,7 +2852,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2852
2852
|
return c = Buffer.concat([c, n.final()]), c.toString();
|
|
2853
2853
|
}
|
|
2854
2854
|
};
|
|
2855
|
-
|
|
2855
|
+
d(q, "Base32", "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".split(""));
|
|
2856
2856
|
let v = q;
|
|
2857
2857
|
function tt(S) {
|
|
2858
2858
|
let s = [];
|
|
@@ -2874,19 +2874,19 @@ const le = class le extends be {
|
|
|
2874
2874
|
*/
|
|
2875
2875
|
constructor(e, t = {}) {
|
|
2876
2876
|
super({ friendlyName: "Local password", ...t });
|
|
2877
|
-
|
|
2877
|
+
d(this, "secret");
|
|
2878
2878
|
/** If true, the secret key will be added to the salt when hashing. Default false */
|
|
2879
|
-
|
|
2879
|
+
d(this, "enableSecretForPasswords", !1);
|
|
2880
2880
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2Digest} */
|
|
2881
|
-
|
|
2881
|
+
d(this, "pbkdf2Digest", "sha256");
|
|
2882
2882
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2Iterations} */
|
|
2883
|
-
|
|
2883
|
+
d(this, "pbkdf2Iterations", 6e5);
|
|
2884
2884
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2SaltLength} */
|
|
2885
|
-
|
|
2885
|
+
d(this, "pbkdf2SaltLength", 16);
|
|
2886
2886
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2KeyLength} */
|
|
2887
|
-
|
|
2887
|
+
d(this, "pbkdf2KeyLength", 32);
|
|
2888
2888
|
/** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn} */
|
|
2889
|
-
|
|
2889
|
+
d(this, "validatePasswordFn", tt);
|
|
2890
2890
|
m("secret", g.String, this, t, "HASHER_SECRET"), m("enableSecretForPasswordHash", g.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), m("pbkdf2Digest", g.String, this, t, "PASSWORD_PBKDF2_DIGEST"), m("pbkdf2Iterations", g.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), m("pbkdf2SaltLength", g.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), m("pbkdf2KeyLength", g.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
|
|
2891
2891
|
}
|
|
2892
2892
|
/**
|
|
@@ -3019,7 +3019,7 @@ const le = class le extends be {
|
|
|
3019
3019
|
async reprepareConfiguration(e, t) {
|
|
3020
3020
|
}
|
|
3021
3021
|
};
|
|
3022
|
-
|
|
3022
|
+
d(le, "NoPassword", "********");
|
|
3023
3023
|
let ve = le;
|
|
3024
3024
|
class Z extends re {
|
|
3025
3025
|
/**
|
|
@@ -3029,18 +3029,18 @@ class Z extends re {
|
|
|
3029
3029
|
*/
|
|
3030
3030
|
constructor(e = {}) {
|
|
3031
3031
|
super({ friendlyName: "Email otp", ...e });
|
|
3032
|
-
|
|
3033
|
-
|
|
3034
|
-
|
|
3035
|
-
|
|
3036
|
-
|
|
3037
|
-
|
|
3038
|
-
|
|
3039
|
-
|
|
3040
|
-
|
|
3041
|
-
|
|
3042
|
-
|
|
3043
|
-
|
|
3032
|
+
d(this, "views", "views");
|
|
3033
|
+
d(this, "emailAuthenticatorTextBody", "emailauthenticationtextbody.njk");
|
|
3034
|
+
d(this, "emailAuthenticatorHtmlBody");
|
|
3035
|
+
d(this, "emailAuthenticatorSubject", "Login code");
|
|
3036
|
+
d(this, "emailFrom", "");
|
|
3037
|
+
d(this, "smtpHost", "");
|
|
3038
|
+
d(this, "smtpPort", 587);
|
|
3039
|
+
d(this, "smtpUseTls", !0);
|
|
3040
|
+
d(this, "smtpUsername");
|
|
3041
|
+
d(this, "smtpPassword");
|
|
3042
|
+
d(this, "emailAuthenticatorTokenExpires", 60 * 5);
|
|
3043
|
+
d(this, "render");
|
|
3044
3044
|
m("views", g.String, this, e, "VIEWS"), m("emailAuthenticatorTextBody", g.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), m("emailAuthenticatorHtmlBody", g.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), m("emailAuthenticatorSubject", g.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), m("emailFrom", g.String, this, e, "EMAIL_FROM", !0), m("smtpHost", g.String, this, e, "SMTP_HOST", !0), m("smtpPort", g.Number, this, e, "SMTP_PORT"), m("smtpUsername", g.String, this, e, "SMTP_USERNAME"), m("smtpPassword", g.String, this, e, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, e, "SMTP_USE_TLS"), m("emailAuthenticatorTokenExpires", g.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3045
3045
|
}
|
|
3046
3046
|
/**
|
|
@@ -3098,10 +3098,10 @@ class Z extends re {
|
|
|
3098
3098
|
factor2: this.factorName,
|
|
3099
3099
|
expiry: a,
|
|
3100
3100
|
otp: t
|
|
3101
|
-
},
|
|
3101
|
+
}, h = this.sendToken(r, t);
|
|
3102
3102
|
return u.logger.info(f({
|
|
3103
3103
|
msg: "Sent factor otp email",
|
|
3104
|
-
emailMessageId:
|
|
3104
|
+
emailMessageId: h,
|
|
3105
3105
|
email: r
|
|
3106
3106
|
})), { userData: n, sessionData: c };
|
|
3107
3107
|
}
|
|
@@ -3244,11 +3244,11 @@ class Q extends re {
|
|
|
3244
3244
|
*/
|
|
3245
3245
|
constructor(e = {}) {
|
|
3246
3246
|
super({ friendlyName: "SMS otp", ...e });
|
|
3247
|
-
|
|
3248
|
-
|
|
3249
|
-
|
|
3250
|
-
|
|
3251
|
-
|
|
3247
|
+
d(this, "views", "views");
|
|
3248
|
+
d(this, "smsAuthenticatorBody", "smsauthenticationbody.njk");
|
|
3249
|
+
d(this, "smsAuthenticatorFrom", "");
|
|
3250
|
+
d(this, "smsAuthenticatorTokenExpires", 60 * 5);
|
|
3251
|
+
d(this, "render");
|
|
3252
3252
|
m("views", g.String, this, e, "VIEWS"), m("smsAuthenticatorBody", g.String, this, e, "SMS_AUTHENTICATOR_BODY"), m("smsAuthenticatorFrom", g.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), m("smsAuthenticatorTokenExpires", g.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3253
3253
|
}
|
|
3254
3254
|
/**
|
|
@@ -3288,8 +3288,8 @@ class Q extends re {
|
|
|
3288
3288
|
expiry: a,
|
|
3289
3289
|
otp: t
|
|
3290
3290
|
};
|
|
3291
|
-
let
|
|
3292
|
-
const w = this.render ? this.render(this.smsAuthenticatorBody,
|
|
3291
|
+
let h = { otp: t };
|
|
3292
|
+
const w = this.render ? this.render(this.smsAuthenticatorBody, h) : W.render(this.smsAuthenticatorBody, h), y = this.sendSms(r, w);
|
|
3293
3293
|
return u.logger.info(f({
|
|
3294
3294
|
msg: "Sent factor otp sms",
|
|
3295
3295
|
smsMessageId: y,
|
|
@@ -3442,8 +3442,8 @@ class Ue extends Q {
|
|
|
3442
3442
|
*/
|
|
3443
3443
|
constructor(e = {}) {
|
|
3444
3444
|
super(e);
|
|
3445
|
-
|
|
3446
|
-
|
|
3445
|
+
d(this, "accountSid");
|
|
3446
|
+
d(this, "authToken");
|
|
3447
3447
|
if (!process.env.TWILIO_ACCOUNT_SID || !process.env.TWILIO_AUTH_TOKEN)
|
|
3448
3448
|
throw new o(
|
|
3449
3449
|
l.Configuration,
|
|
@@ -3475,7 +3475,7 @@ class Rt extends re {
|
|
|
3475
3475
|
*/
|
|
3476
3476
|
constructor(e, t = {}) {
|
|
3477
3477
|
super({ friendlyName: "Dummy factor2", ...t });
|
|
3478
|
-
|
|
3478
|
+
d(this, "code");
|
|
3479
3479
|
this.code = e;
|
|
3480
3480
|
}
|
|
3481
3481
|
/**
|
|
@@ -3637,8 +3637,8 @@ class Dt extends be {
|
|
|
3637
3637
|
*/
|
|
3638
3638
|
constructor(e, t = {}) {
|
|
3639
3639
|
super({ friendlyName: "LDAP", ...t });
|
|
3640
|
-
|
|
3641
|
-
|
|
3640
|
+
d(this, "ldapAutoCreateAccount", !1);
|
|
3641
|
+
d(this, "ldapStorage");
|
|
3642
3642
|
m("ldapAutoCreateAccount", g.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), this.ldapStorage = e;
|
|
3643
3643
|
}
|
|
3644
3644
|
/**
|
|
@@ -3730,7 +3730,7 @@ class xt extends re {
|
|
|
3730
3730
|
*/
|
|
3731
3731
|
constructor(e, t) {
|
|
3732
3732
|
super({ friendlyName: "Google Authenticator", ...t });
|
|
3733
|
-
|
|
3733
|
+
d(this, "appName");
|
|
3734
3734
|
this.appName = e;
|
|
3735
3735
|
}
|
|
3736
3736
|
/**
|
|
@@ -3913,26 +3913,26 @@ class R {
|
|
|
3913
3913
|
* @param options see {@link TokenEmailerOptions}
|
|
3914
3914
|
*/
|
|
3915
3915
|
constructor(s, e, t = {}) {
|
|
3916
|
-
|
|
3917
|
-
|
|
3918
|
-
|
|
3919
|
-
|
|
3920
|
-
|
|
3921
|
-
|
|
3922
|
-
|
|
3923
|
-
|
|
3924
|
-
|
|
3925
|
-
|
|
3926
|
-
|
|
3927
|
-
|
|
3928
|
-
|
|
3929
|
-
|
|
3930
|
-
|
|
3931
|
-
|
|
3932
|
-
|
|
3933
|
-
|
|
3934
|
-
|
|
3935
|
-
|
|
3916
|
+
d(this, "userStorage");
|
|
3917
|
+
d(this, "keyStorage");
|
|
3918
|
+
d(this, "views", "views");
|
|
3919
|
+
d(this, "siteUrl");
|
|
3920
|
+
d(this, "prefix", "/");
|
|
3921
|
+
d(this, "emailVerificationTextBody", "emailverificationtextbody.njk");
|
|
3922
|
+
d(this, "emailVerificationHtmlBody");
|
|
3923
|
+
d(this, "emailVerificationSubject", "Please verify your email");
|
|
3924
|
+
d(this, "passwordResetTextBody", "passwordresettextbody.njk");
|
|
3925
|
+
d(this, "passwordResetHtmlBody");
|
|
3926
|
+
d(this, "passwordResetSubject", "Password reset");
|
|
3927
|
+
d(this, "emailFrom", "");
|
|
3928
|
+
d(this, "smtpHost", "");
|
|
3929
|
+
d(this, "smtpPort", 587);
|
|
3930
|
+
d(this, "smtpUseTls", !0);
|
|
3931
|
+
d(this, "smtpUsername");
|
|
3932
|
+
d(this, "smtpPassword");
|
|
3933
|
+
d(this, "verifyEmailExpires", 60 * 60 * 24);
|
|
3934
|
+
d(this, "passwordResetExpires", 60 * 60 * 24);
|
|
3935
|
+
d(this, "render");
|
|
3936
3936
|
this.userStorage = s, this.keyStorage = e, m("siteUrl", g.String, this, t, "SITE_URL", !0), m("prefix", g.String, this, t, "PREFIX"), m("views", g.String, this, t, "VIEWS"), m("emailVerificationTextBody", g.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), m("emailVerificationHtmlBody", g.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), m("emailVerificationSubject", g.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), m("passwordResetTextBody", g.String, this, t, "PASSWORD_RESET_TEXT_BODY"), m("passwordResetHtmlBody", g.String, this, t, "PASSWORD_RESET_HTML_BODY"), m("passwordResetSubject", g.String, this, t, "PASSWORD_RESET_SUBJECT"), m("emailFrom", g.String, this, t, "EMAIL_FROM", !0), m("smtpHost", g.String, this, t, "SMTP_HOST", !0), m("smtpPort", g.Number, this, t, "SMTP_PORT"), m("smtpUsername", g.String, this, t, "SMTP_USERNAME"), m("smtpPassword", g.String, this, t, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, t, "SMTP_USE_TLS"), m("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), m("passwordResetExpires", g.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
|
|
3937
3937
|
}
|
|
3938
3938
|
createEmailer() {
|
|
@@ -4166,17 +4166,17 @@ class rt {
|
|
|
4166
4166
|
constructor(s = {}) {
|
|
4167
4167
|
// header settings
|
|
4168
4168
|
/** name of the CRSF HTTP header */
|
|
4169
|
-
|
|
4169
|
+
d(this, "headerName", "X-CROSSAUTH-CSRF");
|
|
4170
4170
|
// cookie settings
|
|
4171
4171
|
/** Name of the CSRF Cookie */
|
|
4172
|
-
|
|
4173
|
-
|
|
4174
|
-
|
|
4175
|
-
|
|
4176
|
-
|
|
4177
|
-
|
|
4172
|
+
d(this, "cookieName", "CSRFTOKEN");
|
|
4173
|
+
d(this, "domain");
|
|
4174
|
+
d(this, "httpOnly", !1);
|
|
4175
|
+
d(this, "path", "/");
|
|
4176
|
+
d(this, "secure", !0);
|
|
4177
|
+
d(this, "sameSite", "lax");
|
|
4178
4178
|
// hasher settings
|
|
4179
|
-
|
|
4179
|
+
d(this, "secret", "");
|
|
4180
4180
|
m("headerName", g.String, this, s, "CSRF_HEADER_NAME"), m("cookieName", g.String, this, s, "CSRF_COOKIE_NAME"), m("domain", g.String, this, s, "CSRF_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, s, "CSRF_COOKIE_HTTPONLY"), m("path", g.String, this, s, "CSRF_COOKIE_PATH"), m("secure", g.Boolean, this, s, "CSRF_COOKIE_SECURE"), m("sameSite", g.String, this, s, "CSRF_COOKIE_SAMESITE"), m("secret", g.String, this, s, "SECRET", !0);
|
|
4181
4181
|
}
|
|
4182
4182
|
/**
|
|
@@ -4279,26 +4279,26 @@ class D {
|
|
|
4279
4279
|
* expires option is ignored (cookies are session-only).
|
|
4280
4280
|
*/
|
|
4281
4281
|
constructor(s, e = {}) {
|
|
4282
|
-
|
|
4283
|
-
|
|
4282
|
+
d(this, "userStorage");
|
|
4283
|
+
d(this, "keyStorage");
|
|
4284
4284
|
/** This is set from input options. Number of seconds before an
|
|
4285
4285
|
* idle session will time out
|
|
4286
4286
|
*/
|
|
4287
|
-
|
|
4288
|
-
|
|
4289
|
-
|
|
4287
|
+
d(this, "idleTimeout", 0);
|
|
4288
|
+
d(this, "persist", !0);
|
|
4289
|
+
d(this, "filterFunction");
|
|
4290
4290
|
// cookie settings
|
|
4291
4291
|
/** Name of the CSRF Cookie, set from input options */
|
|
4292
|
-
|
|
4293
|
-
|
|
4292
|
+
d(this, "cookieName", "SESSIONID");
|
|
4293
|
+
d(this, "maxAge", 60 * 60 * 24 * 30);
|
|
4294
4294
|
// 30 days
|
|
4295
|
-
|
|
4296
|
-
|
|
4297
|
-
|
|
4298
|
-
|
|
4299
|
-
|
|
4295
|
+
d(this, "domain");
|
|
4296
|
+
d(this, "httpOnly", !1);
|
|
4297
|
+
d(this, "path", "/");
|
|
4298
|
+
d(this, "secure", !0);
|
|
4299
|
+
d(this, "sameSite", "lax");
|
|
4300
4300
|
// hasher settings
|
|
4301
|
-
|
|
4301
|
+
d(this, "secret", "");
|
|
4302
4302
|
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, m("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), m("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, m("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), m("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), m("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), m("path", g.String, this, e, "SESSION_COOKIE_PATH"), m("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), m("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), m("secret", g.String, this, e, "SECRET", !0);
|
|
4303
4303
|
}
|
|
4304
4304
|
expiry(s) {
|
|
@@ -4336,9 +4336,9 @@ class D {
|
|
|
4336
4336
|
const a = /* @__PURE__ */ new Date();
|
|
4337
4337
|
let n = this.expiry(a), c = !1;
|
|
4338
4338
|
for (; r < 10 && !c; ) {
|
|
4339
|
-
const
|
|
4339
|
+
const h = D.hashSessionId(i);
|
|
4340
4340
|
try {
|
|
4341
|
-
this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s,
|
|
4341
|
+
this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, h, a, n, void 0, e), c = !0;
|
|
4342
4342
|
} catch (w) {
|
|
4343
4343
|
let y = o.asCrossauthError(w);
|
|
4344
4344
|
if (y.code == l.KeyExists || y.code == l.InvalidKey) {
|
|
@@ -4466,17 +4466,17 @@ class Lt {
|
|
|
4466
4466
|
* @param options optional parameters for authentication. See {@link SessionManagerOptions }.
|
|
4467
4467
|
*/
|
|
4468
4468
|
constructor(s, e, t = {}) {
|
|
4469
|
-
|
|
4470
|
-
|
|
4471
|
-
|
|
4472
|
-
|
|
4473
|
-
|
|
4474
|
-
|
|
4469
|
+
d(this, "userStorage");
|
|
4470
|
+
d(this, "keyStorage");
|
|
4471
|
+
d(this, "emailTokenStorage");
|
|
4472
|
+
d(this, "csrfTokens");
|
|
4473
|
+
d(this, "session");
|
|
4474
|
+
d(this, "authenticators");
|
|
4475
4475
|
//readonly authenticator : UsernamePasswordAuthenticator;
|
|
4476
|
-
|
|
4477
|
-
|
|
4478
|
-
|
|
4479
|
-
|
|
4476
|
+
d(this, "enableEmailVerification", !1);
|
|
4477
|
+
d(this, "enablePasswordReset", !1);
|
|
4478
|
+
d(this, "tokenEmailer");
|
|
4479
|
+
d(this, "allowedFactor2", []);
|
|
4480
4480
|
t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
|
|
4481
4481
|
for (let r in this.authenticators)
|
|
4482
4482
|
this.authenticators[r].factorName = r;
|
|
@@ -4558,7 +4558,7 @@ class Lt {
|
|
|
4558
4558
|
const p = await this.session.createSessionKey(i.id, t);
|
|
4559
4559
|
c = this.session.makeCookie(p, r);
|
|
4560
4560
|
}
|
|
4561
|
-
const
|
|
4561
|
+
const h = this.csrfTokens.createCsrfToken(), w = this.csrfTokens.makeCsrfCookie(h), y = this.csrfTokens.makeCsrfFormOrHeaderToken(h);
|
|
4562
4562
|
try {
|
|
4563
4563
|
this.emailTokenStorage.deleteAllForUser(
|
|
4564
4564
|
i.id,
|
|
@@ -4836,12 +4836,12 @@ class Lt {
|
|
|
4836
4836
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call initiateTwoFactorSignup if no user storage provided");
|
|
4837
4837
|
if (!this.authenticators[s.factor1]) throw new o(l.Configuration, "Authenticator cannot create users");
|
|
4838
4838
|
if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
|
|
4839
|
-
const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData,
|
|
4839
|
+
const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, h = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
|
|
4840
4840
|
return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
|
|
4841
4841
|
D.hashSessionId(t),
|
|
4842
4842
|
"2fa",
|
|
4843
4843
|
c
|
|
4844
|
-
), { userid: (await this.userStorage.createUser(s,
|
|
4844
|
+
), { userid: (await this.userStorage.createUser(s, h)).id, userData: n };
|
|
4845
4845
|
}
|
|
4846
4846
|
/**
|
|
4847
4847
|
* Begins the process of setting up 2FA for a user which has already been
|
|
@@ -4884,10 +4884,10 @@ class Lt {
|
|
|
4884
4884
|
*/
|
|
4885
4885
|
async repeatTwoFactorSignup(s) {
|
|
4886
4886
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
|
|
4887
|
-
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a),
|
|
4887
|
+
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), h = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
|
|
4888
4888
|
y && await this.keyStorage.updateData(i, "2fa", y);
|
|
4889
4889
|
const { user: p } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
|
|
4890
|
-
return { userid: p.id, userData:
|
|
4890
|
+
return { userid: p.id, userData: h, secrets: w };
|
|
4891
4891
|
}
|
|
4892
4892
|
/**
|
|
4893
4893
|
* Authenticates with the second factor.
|
|
@@ -4913,9 +4913,9 @@ class Lt {
|
|
|
4913
4913
|
let n = a.username;
|
|
4914
4914
|
const c = this.authenticators[a.factor2];
|
|
4915
4915
|
if (!c) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4916
|
-
const
|
|
4916
|
+
const h = {}, w = c.secretNames();
|
|
4917
4917
|
for (let C in a)
|
|
4918
|
-
w.includes(C) && (
|
|
4918
|
+
w.includes(C) && (h[C] = a[C]);
|
|
4919
4919
|
await c.authenticateUser(void 0, a, s), r || (t = !0, r = (await this.userStorage.getUserByUsername(n, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user);
|
|
4920
4920
|
const y = c.skipEmailVerificationOnSignup() == !0;
|
|
4921
4921
|
if (!r) throw new o(l.UserNotExist, "Couldn't fetch user");
|
|
@@ -4924,7 +4924,7 @@ class Lt {
|
|
|
4924
4924
|
state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
|
|
4925
4925
|
factor2: a.factor2
|
|
4926
4926
|
};
|
|
4927
|
-
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p,
|
|
4927
|
+
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, h) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(D.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
|
|
4928
4928
|
}
|
|
4929
4929
|
/**
|
|
4930
4930
|
* Initiates the two factor login process.
|
|
@@ -4954,13 +4954,13 @@ class Lt {
|
|
|
4954
4954
|
*/
|
|
4955
4955
|
async initiateTwoFactorPageVisit(s, e, t, r, i) {
|
|
4956
4956
|
const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
|
|
4957
|
-
let c,
|
|
4957
|
+
let c, h, w;
|
|
4958
4958
|
const y = D.hashSessionId(e);
|
|
4959
4959
|
u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
|
|
4960
4960
|
let p = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
|
|
4961
4961
|
return i && (p["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", p), {
|
|
4962
4962
|
sessionCookie: c,
|
|
4963
|
-
csrfCookie:
|
|
4963
|
+
csrfCookie: h,
|
|
4964
4964
|
csrfFormOrHeaderValue: w
|
|
4965
4965
|
};
|
|
4966
4966
|
}
|
|
@@ -4982,8 +4982,8 @@ class Lt {
|
|
|
4982
4982
|
const { secrets: i } = await this.userStorage.getUserByUsername(r.pre2fa.username), a = this.authenticators[r.pre2fa.factor2];
|
|
4983
4983
|
if (!a) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4984
4984
|
const n = {}, c = a.secretNames();
|
|
4985
|
-
for (let
|
|
4986
|
-
c.includes(
|
|
4985
|
+
for (let h in i)
|
|
4986
|
+
c.includes(h) && h in i && (n[h] = i[h]);
|
|
4987
4987
|
await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(D.hashSessionId(t.value), "pre2fa", void 0);
|
|
4988
4988
|
}
|
|
4989
4989
|
/**
|
|
@@ -5024,15 +5024,15 @@ class Lt {
|
|
|
5024
5024
|
let { key: i } = await this.session.getUserForSessionId(e);
|
|
5025
5025
|
if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
|
|
5026
5026
|
let a = x.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
|
|
5027
|
-
const { user:
|
|
5027
|
+
const { user: h, secrets: w } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
|
|
5028
5028
|
if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
|
|
5029
|
-
await y.authenticateUser(
|
|
5030
|
-
const p = await this.session.createSessionKey(
|
|
5029
|
+
await y.authenticateUser(h, { ...w, ...a }, s);
|
|
5030
|
+
const p = await this.session.createSessionKey(h.id, t);
|
|
5031
5031
|
await this.keyStorage.deleteKey(D.hashSessionId(i.value));
|
|
5032
5032
|
const _ = this.session.makeCookie(p, r), C = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(C), k = this.csrfTokens.makeCsrfFormOrHeaderToken(C);
|
|
5033
5033
|
try {
|
|
5034
5034
|
this.emailTokenStorage.deleteAllForUser(
|
|
5035
|
-
|
|
5035
|
+
h.id,
|
|
5036
5036
|
U.passwordResetToken
|
|
5037
5037
|
);
|
|
5038
5038
|
} catch (A) {
|
|
@@ -5042,7 +5042,7 @@ class Lt {
|
|
|
5042
5042
|
sessionCookie: _,
|
|
5043
5043
|
csrfCookie: T,
|
|
5044
5044
|
csrfFormOrHeaderValue: k,
|
|
5045
|
-
user:
|
|
5045
|
+
user: h
|
|
5046
5046
|
};
|
|
5047
5047
|
}
|
|
5048
5048
|
/**
|
|
@@ -5096,10 +5096,10 @@ class Lt {
|
|
|
5096
5096
|
let { user: a, secrets: n } = await this.userStorage.getUserByUsername(s);
|
|
5097
5097
|
const c = e == 1 ? a.factor1 : a.factor2;
|
|
5098
5098
|
i != null && await this.authenticators[c].authenticateUser(a, n, i);
|
|
5099
|
-
const
|
|
5099
|
+
const h = await this.authenticators[a.factor1].createPersistentSecrets(a.username, t, r);
|
|
5100
5100
|
await this.userStorage.updateUser(
|
|
5101
5101
|
{ id: a.id },
|
|
5102
|
-
|
|
5102
|
+
h
|
|
5103
5103
|
);
|
|
5104
5104
|
try {
|
|
5105
5105
|
this.emailTokenStorage.deleteAllForUser(
|
|
@@ -5125,8 +5125,8 @@ class Lt {
|
|
|
5125
5125
|
throw new o(l.UserNotExist, "Please specify a user id");
|
|
5126
5126
|
if (!("username" in s) || s.username == null)
|
|
5127
5127
|
throw new o(l.UserNotExist, "Please specify a userername");
|
|
5128
|
-
let { email: a, username: n, password: c, ...
|
|
5129
|
-
|
|
5128
|
+
let { email: a, username: n, password: c, ...h } = e;
|
|
5129
|
+
h.userid = s.userid;
|
|
5130
5130
|
let w = !1;
|
|
5131
5131
|
if (a)
|
|
5132
5132
|
i = a, R.validateEmail(i), w = !0;
|
|
@@ -5138,7 +5138,7 @@ class Lt {
|
|
|
5138
5138
|
}
|
|
5139
5139
|
w && R.validateEmail(i);
|
|
5140
5140
|
}
|
|
5141
|
-
return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (
|
|
5141
|
+
return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (h.email = a), n && (h.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(h), {
|
|
5142
5142
|
emailVerificationTokenSent: !t && this.enableEmailVerification && w,
|
|
5143
5143
|
passwordResetTokenSent: e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded
|
|
5144
5144
|
};
|
|
@@ -5183,15 +5183,15 @@ class ge {
|
|
|
5183
5183
|
* @param options options. See {@link ApiKeyManagerOptions}
|
|
5184
5184
|
*/
|
|
5185
5185
|
constructor(s, e = {}) {
|
|
5186
|
-
|
|
5187
|
-
|
|
5188
|
-
|
|
5186
|
+
d(this, "apiKeyStorage");
|
|
5187
|
+
d(this, "keyLength", 16);
|
|
5188
|
+
d(this, "secret", "");
|
|
5189
5189
|
/** The prefix to add to the hashed key in storage. Defaults to
|
|
5190
5190
|
* {@link @crossauth/common!KeyPrefix}.apiKey
|
|
5191
5191
|
*/
|
|
5192
|
-
|
|
5192
|
+
d(this, "prefix", U.apiKey);
|
|
5193
5193
|
/** The name of the speak in the Authorization header. Defaults to "ApiKey" */
|
|
5194
|
-
|
|
5194
|
+
d(this, "authScheme", "ApiKey");
|
|
5195
5195
|
this.apiKeyStorage = s, m("secret", g.String, this, e, "SECRET", !0), m("keyLength", g.String, this, e, "APIKEY_LENGTH"), m("prefix", g.String, this, e, "APIKEY_PREFIX"), m("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
|
|
5196
5196
|
}
|
|
5197
5197
|
/**
|
|
@@ -5213,7 +5213,7 @@ class ge {
|
|
|
5213
5213
|
* Authorization header (with the signature appended.)
|
|
5214
5214
|
*/
|
|
5215
5215
|
async createKey(s, e, t, r, i) {
|
|
5216
|
-
const a = v.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0,
|
|
5216
|
+
const a = v.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, h = ge.hashApiKeyValue(a), w = {
|
|
5217
5217
|
name: s,
|
|
5218
5218
|
value: a,
|
|
5219
5219
|
userid: e,
|
|
@@ -5224,7 +5224,7 @@ class ge {
|
|
|
5224
5224
|
};
|
|
5225
5225
|
await this.apiKeyStorage.saveKey(
|
|
5226
5226
|
e,
|
|
5227
|
-
this.prefix +
|
|
5227
|
+
this.prefix + h,
|
|
5228
5228
|
n,
|
|
5229
5229
|
c,
|
|
5230
5230
|
w.data,
|
|
@@ -5282,10 +5282,10 @@ class J {
|
|
|
5282
5282
|
* @param options See {@link OAuthClientManagerOptions}
|
|
5283
5283
|
*/
|
|
5284
5284
|
constructor(s = {}) {
|
|
5285
|
-
|
|
5286
|
-
|
|
5287
|
-
|
|
5288
|
-
|
|
5285
|
+
d(this, "oauthPbkdf2Digest", "sha256");
|
|
5286
|
+
d(this, "oauthPbkdf2Iterations", 4e4);
|
|
5287
|
+
d(this, "oauthPbkdf2KeyLength", 32);
|
|
5288
|
+
d(this, "clientStorage");
|
|
5289
5289
|
if (!s.clientStorage) throw new o(
|
|
5290
5290
|
l.Configuration,
|
|
5291
5291
|
"Must specify clientStorage when adding a client manager"
|
|
@@ -5315,7 +5315,7 @@ class J {
|
|
|
5315
5315
|
})), e.forEach((y) => {
|
|
5316
5316
|
J.validateUri(y);
|
|
5317
5317
|
}), t || (t = b.allFlows());
|
|
5318
|
-
const
|
|
5318
|
+
const h = {
|
|
5319
5319
|
client_id: a,
|
|
5320
5320
|
client_secret: n,
|
|
5321
5321
|
client_name: s,
|
|
@@ -5327,13 +5327,13 @@ class J {
|
|
|
5327
5327
|
let w;
|
|
5328
5328
|
for (let y = 0; y < 5; ++y)
|
|
5329
5329
|
try {
|
|
5330
|
-
w = await this.clientStorage.createClient(
|
|
5330
|
+
w = await this.clientStorage.createClient(h);
|
|
5331
5331
|
break;
|
|
5332
5332
|
} catch (p) {
|
|
5333
5333
|
if (y == 4) {
|
|
5334
5334
|
if (o.asCrossauthError(p).code != l.ClientExists) throw p;
|
|
5335
5335
|
} else
|
|
5336
|
-
|
|
5336
|
+
h.client_id = J.randomClientId();
|
|
5337
5337
|
}
|
|
5338
5338
|
if (!w) throw new o(l.ClientExists);
|
|
5339
5339
|
return w.client_secret && c && (w.client_secret = c), w;
|
|
@@ -5433,57 +5433,58 @@ class zt {
|
|
|
5433
5433
|
* @param options See {@link OAuthAuthorizationServerOptions }
|
|
5434
5434
|
*/
|
|
5435
5435
|
constructor(s, e, t, r = {}) {
|
|
5436
|
-
|
|
5437
|
-
|
|
5438
|
-
|
|
5439
|
-
|
|
5440
|
-
|
|
5436
|
+
d(this, "clientStorage");
|
|
5437
|
+
d(this, "keyStorage");
|
|
5438
|
+
d(this, "userStorage");
|
|
5439
|
+
d(this, "authenticators", {});
|
|
5440
|
+
d(this, "authStorage");
|
|
5441
5441
|
/** For validating redirect URIs. */
|
|
5442
|
-
|
|
5443
|
-
|
|
5444
|
-
|
|
5445
|
-
|
|
5446
|
-
|
|
5447
|
-
|
|
5448
|
-
|
|
5449
|
-
|
|
5450
|
-
|
|
5451
|
-
|
|
5452
|
-
|
|
5453
|
-
|
|
5454
|
-
|
|
5455
|
-
|
|
5456
|
-
|
|
5457
|
-
|
|
5458
|
-
|
|
5459
|
-
|
|
5460
|
-
|
|
5461
|
-
|
|
5462
|
-
|
|
5463
|
-
|
|
5464
|
-
|
|
5465
|
-
|
|
5466
|
-
|
|
5467
|
-
|
|
5468
|
-
|
|
5469
|
-
|
|
5470
|
-
|
|
5471
|
-
|
|
5472
|
-
|
|
5473
|
-
|
|
5442
|
+
d(this, "clientManager");
|
|
5443
|
+
d(this, "oauthIssuer", "");
|
|
5444
|
+
d(this, "audience", null);
|
|
5445
|
+
d(this, "requireRedirectUriRegistration", !0);
|
|
5446
|
+
d(this, "requireClientSecretOrChallenge", !0);
|
|
5447
|
+
d(this, "jwtAlgorithm", "RS256");
|
|
5448
|
+
d(this, "jwtAlgorithmChecked", "RS256");
|
|
5449
|
+
d(this, "codeLength", 32);
|
|
5450
|
+
d(this, "jwtKeyType", "");
|
|
5451
|
+
d(this, "jwtSecretKey", "");
|
|
5452
|
+
d(this, "jwtPublicKey", "");
|
|
5453
|
+
d(this, "jwtPrivateKey", "");
|
|
5454
|
+
d(this, "jwtSecretKeyFile", "");
|
|
5455
|
+
d(this, "jwtPublicKeyFile", "");
|
|
5456
|
+
d(this, "jwtPrivateKeyFile", "");
|
|
5457
|
+
d(this, "jwtKid", "1");
|
|
5458
|
+
d(this, "secretOrPrivateKey", "");
|
|
5459
|
+
d(this, "secretOrPublicKey", "");
|
|
5460
|
+
d(this, "persistAccessToken", !1);
|
|
5461
|
+
d(this, "issueRefreshToken", !1);
|
|
5462
|
+
d(this, "opaqueAccessToken", !1);
|
|
5463
|
+
d(this, "accessTokenExpiry", 60 * 60);
|
|
5464
|
+
d(this, "refreshTokenExpiry", 60 * 60);
|
|
5465
|
+
d(this, "rollingRefreshToken", !0);
|
|
5466
|
+
d(this, "authorizationCodeExpiry", 60 * 5);
|
|
5467
|
+
d(this, "mfaTokenExpiry", 60 * 5);
|
|
5468
|
+
d(this, "clockTolerance", 10);
|
|
5469
|
+
d(this, "emptyScopeIsValid", !0);
|
|
5470
|
+
d(this, "validateScopes", !1);
|
|
5471
|
+
d(this, "validScopes", []);
|
|
5472
|
+
d(this, "idTokenClaims", {});
|
|
5473
|
+
d(this, "accessTokenClaims", {});
|
|
5474
5474
|
// device code
|
|
5475
|
-
|
|
5476
|
-
|
|
5477
|
-
|
|
5478
|
-
|
|
5479
|
-
|
|
5480
|
-
|
|
5481
|
-
|
|
5475
|
+
d(this, "userCodeExpiry", 60 * 5);
|
|
5476
|
+
d(this, "userCodeThrottle", 1500);
|
|
5477
|
+
d(this, "deviceCodePollInterval", 5);
|
|
5478
|
+
d(this, "userCodeLength", 8);
|
|
5479
|
+
d(this, "deviceCodeLength", 16);
|
|
5480
|
+
d(this, "userCodeDashEvery", 4);
|
|
5481
|
+
d(this, "deviceCodeVerificationUri", "");
|
|
5482
|
+
d(this, "authServerBaseUrl", "");
|
|
5482
5483
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.validFlows} */
|
|
5483
|
-
|
|
5484
|
+
d(this, "validFlows", ["all"]);
|
|
5484
5485
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
|
|
5485
|
-
|
|
5486
|
-
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), m("
|
|
5486
|
+
d(this, "allowedFactor2", []);
|
|
5487
|
+
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), m("authServerBaseUrl", g.String, this, r, "AUTH_SERVER_BASE_URL", !0), m("oauthIssuer", g.String, this, r, "OAUTH_ISSUER"), this.oauthIssuer || (this.oauthIssuer = this.authServerBaseUrl), m("audience", g.String, this, r, "OAUTH_AUDIENCE"), m("oauthPbkdf2Iterations", g.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), m("requireClientSecretOrChallenge", g.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), m("jwtAlgorithm", g.String, this, r, "JWT_ALGORITHM"), m("codeLength", g.Number, this, r, "OAUTH_CODE_LENGTH"), m("jwtKeyType", g.String, this, r, "JWT_KEY_TYPE"), m("jwtSecretKeyFile", g.String, this, r, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, r, "JWT_PUBLIC_KEY_FILE"), m("jwtPrivateKeyFile", g.String, this, r, "JWT_PRIVATE_KEY_FILE"), m("jwtSecretKey", g.String, this, r, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, r, "JWT_PUBLIC_KEY"), m("jwtPrivateKey", g.String, this, r, "JWT_PRIVATE_KEY"), m("jwtKid", g.String, this, r, "JWT_KID"), m("persistAccessToken", g.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), m("issueRefreshToken", g.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), m("opaqueAccessToken", g.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), m("accessTokenExpiry", g.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), m("refreshTokenExpiry", g.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), m("rollingRefreshToken", g.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), m("authorizationCodeExpiry", g.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), m("mfaTokenExpiry", g.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), m("clockTolerance", g.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), m("validateScopes", g.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), m("emptyScopeIsValid", g.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), m("validScopes", g.JsonArray, this, r, "OAUTH_VALID_SCOPES"), m("validFlows", g.JsonArray, this, r, "OAUTH_validFlows"), m("idTokenClaims", g.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), m("accessTokenClaims", g.Json, this, r, "OAUTH_ACCESS_TOKEN_CLAIMS"), m("allowedFactor2", g.JsonArray, this, r, "ALLOWED_FACTOR2"), m("userCodeExpiry", g.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), m("userCodeThrottle", g.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), m("deviceCodePollInterval", g.Number, this, r, "DEVICECODE_POLL_INTERVAL"), m("deviceCodeLength", g.Number, this, r, "DEVICECODE_LENGTH"), m("userCodeLength", g.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
|
|
5487
5488
|
let i = {};
|
|
5488
5489
|
if (m("userCodeDashEvery", g.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
|
|
5489
5490
|
if (i.userCodeDashEvery == "" || i.userCodeDashEvery.toLowerCase() == "null") this.userCodeDashEvery = null;
|
|
@@ -5753,14 +5754,14 @@ class zt {
|
|
|
5753
5754
|
codeVerifier: a,
|
|
5754
5755
|
refreshToken: n,
|
|
5755
5756
|
username: c,
|
|
5756
|
-
password:
|
|
5757
|
+
password: h,
|
|
5757
5758
|
mfaToken: w,
|
|
5758
5759
|
oobCode: y,
|
|
5759
5760
|
bindingCode: p,
|
|
5760
5761
|
otp: _,
|
|
5761
5762
|
deviceCode: C
|
|
5762
5763
|
}) {
|
|
5763
|
-
var
|
|
5764
|
+
var F, V, j;
|
|
5764
5765
|
const T = this.inferFlowFromPost(s, a);
|
|
5765
5766
|
if (!T) return {
|
|
5766
5767
|
error: "server_error",
|
|
@@ -5815,11 +5816,11 @@ class zt {
|
|
|
5815
5816
|
let P;
|
|
5816
5817
|
if (N.username)
|
|
5817
5818
|
try {
|
|
5818
|
-
const { user:
|
|
5819
|
-
P =
|
|
5820
|
-
} catch (
|
|
5819
|
+
const { user: O } = await ((F = this.userStorage) == null ? void 0 : F.getUserByUsername(N.username));
|
|
5820
|
+
P = O;
|
|
5821
|
+
} catch (O) {
|
|
5821
5822
|
return u.logger.error(f({
|
|
5822
|
-
err:
|
|
5823
|
+
err: O,
|
|
5823
5824
|
msg: "Couldn't get user for refresh token. Doesn't exist?",
|
|
5824
5825
|
username: N.username
|
|
5825
5826
|
})), {
|
|
@@ -5828,11 +5829,11 @@ class zt {
|
|
|
5828
5829
|
};
|
|
5829
5830
|
}
|
|
5830
5831
|
try {
|
|
5831
|
-
const
|
|
5832
|
-
await this.keyStorage.deleteKey(
|
|
5833
|
-
} catch (
|
|
5834
|
-
const I = o.asCrossauthError(
|
|
5835
|
-
u.logger.debug(f({ err:
|
|
5832
|
+
const O = U.refreshToken + v.hash(n);
|
|
5833
|
+
await this.keyStorage.deleteKey(O);
|
|
5834
|
+
} catch (O) {
|
|
5835
|
+
const I = o.asCrossauthError(O);
|
|
5836
|
+
u.logger.debug(f({ err: O })), u.logger.warn(f({ msg: "Cannot delete refresh token", cerr: I }));
|
|
5836
5837
|
}
|
|
5837
5838
|
return await this.makeAccessToken({
|
|
5838
5839
|
client: A,
|
|
@@ -5846,11 +5847,11 @@ class zt {
|
|
|
5846
5847
|
const {
|
|
5847
5848
|
scopes: N,
|
|
5848
5849
|
error: P,
|
|
5849
|
-
error_description:
|
|
5850
|
+
error_description: O
|
|
5850
5851
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
5851
5852
|
return P ? {
|
|
5852
5853
|
error: P,
|
|
5853
|
-
error_description:
|
|
5854
|
+
error_description: O
|
|
5854
5855
|
} : await this.makeAccessToken({
|
|
5855
5856
|
client: A,
|
|
5856
5857
|
client_secret: i,
|
|
@@ -5859,7 +5860,7 @@ class zt {
|
|
|
5859
5860
|
issueRefreshToken: H
|
|
5860
5861
|
});
|
|
5861
5862
|
} else if (s == "password") {
|
|
5862
|
-
if (!c || !
|
|
5863
|
+
if (!c || !h)
|
|
5863
5864
|
return {
|
|
5864
5865
|
error: "access_denied",
|
|
5865
5866
|
error_description: "Username and/or password not provided for password flow"
|
|
@@ -5879,7 +5880,7 @@ class zt {
|
|
|
5879
5880
|
await B.authenticateUser(
|
|
5880
5881
|
I,
|
|
5881
5882
|
$,
|
|
5882
|
-
{ password:
|
|
5883
|
+
{ password: h }
|
|
5883
5884
|
), K = I;
|
|
5884
5885
|
} catch (I) {
|
|
5885
5886
|
return u.logger.debug(f({ err: I })), {
|
|
@@ -5890,11 +5891,11 @@ class zt {
|
|
|
5890
5891
|
const {
|
|
5891
5892
|
scopes: N,
|
|
5892
5893
|
error: P,
|
|
5893
|
-
error_description:
|
|
5894
|
+
error_description: O
|
|
5894
5895
|
} = await this.validateAndPersistScope(e, t, K);
|
|
5895
5896
|
return P ? {
|
|
5896
5897
|
error: P,
|
|
5897
|
-
error_description:
|
|
5898
|
+
error_description: O
|
|
5898
5899
|
} : K.factor2 ? this.allowedFactor2.length > 0 && (K.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(K.factor2 ? K.factor2 : "none")) ? {
|
|
5899
5900
|
error: "access_denied",
|
|
5900
5901
|
error_description: "2FA method not allowed or needs to be reconfigured"
|
|
@@ -5910,12 +5911,12 @@ class zt {
|
|
|
5910
5911
|
const {
|
|
5911
5912
|
scopes: N,
|
|
5912
5913
|
error: P,
|
|
5913
|
-
error_description:
|
|
5914
|
+
error_description: O
|
|
5914
5915
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
5915
5916
|
if (P)
|
|
5916
5917
|
return {
|
|
5917
5918
|
error: P,
|
|
5918
|
-
error_description:
|
|
5919
|
+
error_description: O
|
|
5919
5920
|
};
|
|
5920
5921
|
if (!_)
|
|
5921
5922
|
return {
|
|
@@ -5973,12 +5974,12 @@ class zt {
|
|
|
5973
5974
|
const {
|
|
5974
5975
|
scopes: N,
|
|
5975
5976
|
error: P,
|
|
5976
|
-
error_description:
|
|
5977
|
+
error_description: O
|
|
5977
5978
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
5978
5979
|
if (P)
|
|
5979
5980
|
return {
|
|
5980
5981
|
error: P,
|
|
5981
|
-
error_description:
|
|
5982
|
+
error_description: O
|
|
5982
5983
|
};
|
|
5983
5984
|
if (!y || !p)
|
|
5984
5985
|
return {
|
|
@@ -6052,15 +6053,15 @@ class zt {
|
|
|
6052
6053
|
try {
|
|
6053
6054
|
N = await this.keyStorage.getKey(U.deviceCode + C);
|
|
6054
6055
|
} catch (P) {
|
|
6055
|
-
const
|
|
6056
|
-
return u.logger.debug(f({ err:
|
|
6056
|
+
const O = o.asCrossauthError(P);
|
|
6057
|
+
return u.logger.debug(f({ err: O })), u.logger.error(f({ msg: "Couldn't get device code", cerr: O })), {
|
|
6057
6058
|
error: "accerss_denied",
|
|
6058
6059
|
error_description: "Invalid device code"
|
|
6059
6060
|
};
|
|
6060
6061
|
}
|
|
6061
6062
|
try {
|
|
6062
|
-
const P = JSON.parse(N.data ?? "{}"),
|
|
6063
|
-
if (N.expires &&
|
|
6063
|
+
const P = JSON.parse(N.data ?? "{}"), O = (/* @__PURE__ */ new Date()).getTime();
|
|
6064
|
+
if (N.expires && O > N.expires.getTime())
|
|
6064
6065
|
return await this.deleteDeviceCode(C), {
|
|
6065
6066
|
error: "expired_token",
|
|
6066
6067
|
error_description: "Code has expired"
|
|
@@ -6082,8 +6083,8 @@ class zt {
|
|
|
6082
6083
|
});
|
|
6083
6084
|
}
|
|
6084
6085
|
} catch (P) {
|
|
6085
|
-
const
|
|
6086
|
-
return u.logger.debug(f({ err:
|
|
6086
|
+
const O = o.asCrossauthError(P);
|
|
6087
|
+
return u.logger.debug(f({ err: O })), u.logger.error(f({ msg: "Couldn't get device code", cerr: O })), await this.deleteDeviceCode(C), {
|
|
6087
6088
|
error: "accerss_denied",
|
|
6088
6089
|
error_description: "Invalid device code"
|
|
6089
6090
|
};
|
|
@@ -6156,9 +6157,9 @@ class zt {
|
|
|
6156
6157
|
error_description: k
|
|
6157
6158
|
};
|
|
6158
6159
|
}
|
|
6159
|
-
let c,
|
|
6160
|
+
let c, h = !1;
|
|
6160
6161
|
const w = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, p = new Date(w.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
|
|
6161
|
-
for (let T = 0; T < 10 && !
|
|
6162
|
+
for (let T = 0; T < 10 && !h; ++T)
|
|
6162
6163
|
try {
|
|
6163
6164
|
c = v.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
|
|
6164
6165
|
void 0,
|
|
@@ -6166,18 +6167,18 @@ class zt {
|
|
|
6166
6167
|
w,
|
|
6167
6168
|
p,
|
|
6168
6169
|
JSON.stringify({ scope: e, client_id: s })
|
|
6169
|
-
),
|
|
6170
|
+
), h = !0;
|
|
6170
6171
|
} catch {
|
|
6171
6172
|
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6172
6173
|
}
|
|
6173
|
-
if (!
|
|
6174
|
+
if (!h || !c)
|
|
6174
6175
|
return {
|
|
6175
6176
|
error: "server_error",
|
|
6176
6177
|
error_description: "Couldn't create device code"
|
|
6177
6178
|
};
|
|
6178
6179
|
let _;
|
|
6179
|
-
|
|
6180
|
-
for (let T = 0; T < 10 && !
|
|
6180
|
+
h = !1;
|
|
6181
|
+
for (let T = 0; T < 10 && !h; ++T)
|
|
6181
6182
|
try {
|
|
6182
6183
|
_ = v.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
|
|
6183
6184
|
void 0,
|
|
@@ -6185,11 +6186,11 @@ class zt {
|
|
|
6185
6186
|
w,
|
|
6186
6187
|
p,
|
|
6187
6188
|
JSON.stringify({ deviceCode: c })
|
|
6188
|
-
),
|
|
6189
|
+
), h = !0;
|
|
6189
6190
|
} catch {
|
|
6190
6191
|
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6191
6192
|
}
|
|
6192
|
-
if (!
|
|
6193
|
+
if (!h || !_)
|
|
6193
6194
|
return await this.deleteDeviceCode(c), {
|
|
6194
6195
|
error: "server_error",
|
|
6195
6196
|
error_description: "Couldn't create device code"
|
|
@@ -6282,19 +6283,19 @@ class zt {
|
|
|
6282
6283
|
error_description: "User code has already been used",
|
|
6283
6284
|
client_id: n
|
|
6284
6285
|
};
|
|
6285
|
-
let
|
|
6286
|
+
let h = !1;
|
|
6286
6287
|
if (u.logger.debug(f({
|
|
6287
6288
|
msg: "Checking scopes have been authorized",
|
|
6288
6289
|
scope: a
|
|
6289
|
-
})), a ?
|
|
6290
|
+
})), a ? h = await this.hasAllScopes(
|
|
6290
6291
|
n,
|
|
6291
6292
|
e,
|
|
6292
6293
|
a.split(" ")
|
|
6293
|
-
) :
|
|
6294
|
+
) : h = await this.hasAllScopes(
|
|
6294
6295
|
n,
|
|
6295
6296
|
e,
|
|
6296
6297
|
[null]
|
|
6297
|
-
), !
|
|
6298
|
+
), !h) {
|
|
6298
6299
|
try {
|
|
6299
6300
|
e != null && e.id && await this.keyStorage.updateData(U.deviceCode + r.deviceCode, "userid", e.id);
|
|
6300
6301
|
} catch (y) {
|
|
@@ -6507,8 +6508,8 @@ class zt {
|
|
|
6507
6508
|
async mfaChallengeEndpoint(s, e, t, r, i) {
|
|
6508
6509
|
const a = b.PasswordMfa, n = await this.getClientById(e);
|
|
6509
6510
|
if (!n.client) return n;
|
|
6510
|
-
const c = n.client,
|
|
6511
|
-
if (
|
|
6511
|
+
const c = n.client, h = await this.authenticateClient(a, c, t);
|
|
6512
|
+
if (h.error) return h;
|
|
6512
6513
|
const w = await this.validateMfaToken(s);
|
|
6513
6514
|
if (!w.user || !w.key) return w;
|
|
6514
6515
|
if (w.user.factor2 != i)
|
|
@@ -6601,7 +6602,7 @@ class zt {
|
|
|
6601
6602
|
error: "invalid_request",
|
|
6602
6603
|
error_description: `The redirect uri ${e} is invalid`
|
|
6603
6604
|
};
|
|
6604
|
-
const
|
|
6605
|
+
const h = /* @__PURE__ */ new Date(), w = this.authorizationCodeExpiry ? new Date(h.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
|
|
6605
6606
|
t && (y.scope = t), i && (y.challengeMethod = a, y.challenge = v.hash(i)), n && (y.username = n.username, y.id = n.id);
|
|
6606
6607
|
const p = JSON.stringify(y);
|
|
6607
6608
|
let _ = !1, C = "";
|
|
@@ -6610,7 +6611,7 @@ class zt {
|
|
|
6610
6611
|
C = v.randomValue(this.codeLength), await this.keyStorage.saveKey(
|
|
6611
6612
|
void 0,
|
|
6612
6613
|
U.authorizationCode + v.hash(C),
|
|
6613
|
-
|
|
6614
|
+
h,
|
|
6614
6615
|
w,
|
|
6615
6616
|
p
|
|
6616
6617
|
), _ = !0;
|
|
@@ -6650,36 +6651,36 @@ class zt {
|
|
|
6650
6651
|
error: "access_denied",
|
|
6651
6652
|
error_description: "Invalid client secret"
|
|
6652
6653
|
};
|
|
6653
|
-
let
|
|
6654
|
+
let h = {};
|
|
6654
6655
|
if (e) {
|
|
6655
6656
|
let K;
|
|
6656
6657
|
try {
|
|
6657
|
-
K = await this.keyStorage.getKey(U.authorizationCode + v.hash(e)),
|
|
6658
|
-
} catch (
|
|
6659
|
-
return u.logger.debug(f({ err:
|
|
6658
|
+
K = await this.keyStorage.getKey(U.authorizationCode + v.hash(e)), h = x.decodeData(K.data);
|
|
6659
|
+
} catch (F) {
|
|
6660
|
+
return u.logger.debug(f({ err: F })), {
|
|
6660
6661
|
error: "access_denied",
|
|
6661
6662
|
error_description: "Invalid or expired authorization code"
|
|
6662
6663
|
};
|
|
6663
6664
|
}
|
|
6664
6665
|
try {
|
|
6665
6666
|
await this.keyStorage.deleteKey(K.value);
|
|
6666
|
-
} catch (
|
|
6667
|
+
} catch (F) {
|
|
6667
6668
|
u.logger.warn(f({
|
|
6668
|
-
err:
|
|
6669
|
+
err: F,
|
|
6669
6670
|
msg: "Couldn't delete authorization code from storatge",
|
|
6670
6671
|
client_id: s == null ? void 0 : s.client_id
|
|
6671
6672
|
}));
|
|
6672
6673
|
}
|
|
6673
|
-
i =
|
|
6674
|
+
i = h.scope;
|
|
6674
6675
|
}
|
|
6675
|
-
if (n && (
|
|
6676
|
+
if (n && (h.username = n.username), h.challengeMethod && !h.challenge && h.challengeMethod != "plain" && h.challengeMethod != "S256")
|
|
6676
6677
|
return {
|
|
6677
6678
|
error: "access_denied",
|
|
6678
6679
|
error_description: "Invalid code challenge/code challenge method method for authorization code"
|
|
6679
6680
|
};
|
|
6680
|
-
if (
|
|
6681
|
-
const K =
|
|
6682
|
-
if (v.hash(K) !=
|
|
6681
|
+
if (h.challenge) {
|
|
6682
|
+
const K = h.challengeMethod == "plain" ? r ?? "" : v.sha256(r ?? "");
|
|
6683
|
+
if (v.hash(K) != h.challenge)
|
|
6683
6684
|
return {
|
|
6684
6685
|
error: "access_denied",
|
|
6685
6686
|
error_description: "Code verifier is incorrect"
|
|
@@ -6687,9 +6688,9 @@ class zt {
|
|
|
6687
6688
|
}
|
|
6688
6689
|
const w = /* @__PURE__ */ new Date(), y = Math.ceil(w.getTime() / 1e3);
|
|
6689
6690
|
let p;
|
|
6690
|
-
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage &&
|
|
6691
|
+
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage && h.username)
|
|
6691
6692
|
try {
|
|
6692
|
-
const { user: K } = await this.userStorage.getUserByUsername(
|
|
6693
|
+
const { user: K } = await this.userStorage.getUserByUsername(h.username);
|
|
6693
6694
|
n = K;
|
|
6694
6695
|
} catch (K) {
|
|
6695
6696
|
return u.logger.error(f({ err: K })), {
|
|
@@ -6702,17 +6703,17 @@ class zt {
|
|
|
6702
6703
|
jti: _,
|
|
6703
6704
|
iat: y,
|
|
6704
6705
|
iss: this.oauthIssuer,
|
|
6705
|
-
sub:
|
|
6706
|
+
sub: h.username,
|
|
6706
6707
|
type: "access"
|
|
6707
6708
|
};
|
|
6708
6709
|
C = this.addClaims(C, this.accessTokenClaims, i, n), i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(w.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
|
|
6709
|
-
const T = await new Promise((K,
|
|
6710
|
+
const T = await new Promise((K, F) => {
|
|
6710
6711
|
se.sign(
|
|
6711
6712
|
C,
|
|
6712
6713
|
this.secretOrPrivateKey,
|
|
6713
6714
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6714
6715
|
(V, j) => {
|
|
6715
|
-
j ? K(j) :
|
|
6716
|
+
j ? K(j) : F(V || new o(
|
|
6716
6717
|
l.Unauthorized,
|
|
6717
6718
|
"Couldn't create jwt"
|
|
6718
6719
|
));
|
|
@@ -6729,15 +6730,15 @@ class zt {
|
|
|
6729
6730
|
let k;
|
|
6730
6731
|
if (i && i.includes("openid")) {
|
|
6731
6732
|
const K = v.uuid();
|
|
6732
|
-
let
|
|
6733
|
+
let F = {
|
|
6733
6734
|
aud: s.client_id,
|
|
6734
6735
|
jti: K,
|
|
6735
6736
|
iat: y,
|
|
6736
6737
|
iss: this.oauthIssuer,
|
|
6737
|
-
sub:
|
|
6738
|
+
sub: h.username,
|
|
6738
6739
|
type: "id"
|
|
6739
6740
|
};
|
|
6740
|
-
if (i.includes("email") && (n != null && n.email) && (
|
|
6741
|
+
if (i.includes("email") && (n != null && n.email) && (F.email = n.email), i.includes("address") && n && "address" in n && (F.address = n.address), i.includes("phone") && n && "phone" in n && (F.phone = n.phone), i.includes("profile") && n)
|
|
6741
6742
|
for (let V of [
|
|
6742
6743
|
"name",
|
|
6743
6744
|
"family_name",
|
|
@@ -6754,10 +6755,10 @@ class zt {
|
|
|
6754
6755
|
"locale",
|
|
6755
6756
|
"updated_at"
|
|
6756
6757
|
])
|
|
6757
|
-
|
|
6758
|
-
|
|
6758
|
+
F[V] = n[V];
|
|
6759
|
+
F = this.addClaims(F, this.idTokenClaims, i, n), F.scope = i, this.accessTokenExpiry != null && (F.exp = y + this.accessTokenExpiry), k = await new Promise((V, j) => {
|
|
6759
6760
|
se.sign(
|
|
6760
|
-
|
|
6761
|
+
F,
|
|
6761
6762
|
this.secretOrPrivateKey,
|
|
6762
6763
|
{
|
|
6763
6764
|
algorithm: this.jwtAlgorithmChecked,
|
|
@@ -6775,25 +6776,25 @@ class zt {
|
|
|
6775
6776
|
let A;
|
|
6776
6777
|
if (a) {
|
|
6777
6778
|
const K = {
|
|
6778
|
-
username:
|
|
6779
|
+
username: h.username,
|
|
6779
6780
|
client_id: s.client_id
|
|
6780
6781
|
};
|
|
6781
6782
|
i && (K.scope = i);
|
|
6782
|
-
let
|
|
6783
|
+
let F;
|
|
6783
6784
|
const j = {
|
|
6784
6785
|
jti: v.uuid(),
|
|
6785
6786
|
iat: y,
|
|
6786
6787
|
iss: this.oauthIssuer,
|
|
6787
|
-
sub:
|
|
6788
|
+
sub: h.username,
|
|
6788
6789
|
type: "refresh"
|
|
6789
6790
|
};
|
|
6790
|
-
this.refreshTokenExpiry != null && (j.exp = y + this.refreshTokenExpiry,
|
|
6791
|
+
this.refreshTokenExpiry != null && (j.exp = y + this.refreshTokenExpiry, F = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (j.aud = this.oauthIssuer), A = await new Promise((N, P) => {
|
|
6791
6792
|
se.sign(
|
|
6792
6793
|
j,
|
|
6793
6794
|
this.secretOrPrivateKey,
|
|
6794
6795
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6795
|
-
(
|
|
6796
|
-
I ? N(I) : P(
|
|
6796
|
+
(O, I) => {
|
|
6797
|
+
I ? N(I) : P(O || new o(
|
|
6797
6798
|
l.Unauthorized,
|
|
6798
6799
|
"Couldn't create jwt"
|
|
6799
6800
|
));
|
|
@@ -6804,7 +6805,7 @@ class zt {
|
|
|
6804
6805
|
// to avoid user storage dependency
|
|
6805
6806
|
U.refreshToken + v.hash(A),
|
|
6806
6807
|
w,
|
|
6807
|
-
|
|
6808
|
+
F,
|
|
6808
6809
|
JSON.stringify(K)
|
|
6809
6810
|
));
|
|
6810
6811
|
}
|
|
@@ -7127,15 +7128,15 @@ class nt extends Pe {
|
|
|
7127
7128
|
/**
|
|
7128
7129
|
* Value passed to the constructor. The `aud` claim must match it
|
|
7129
7130
|
*/
|
|
7130
|
-
|
|
7131
|
+
d(this, "audience");
|
|
7131
7132
|
/**
|
|
7132
7133
|
* Value passed to the constructor. If true, access tokens are saved
|
|
7133
7134
|
* in storage,
|
|
7134
7135
|
*/
|
|
7135
|
-
|
|
7136
|
-
|
|
7137
|
-
|
|
7138
|
-
|
|
7136
|
+
d(this, "persistAccessToken", !1);
|
|
7137
|
+
d(this, "keyStorage");
|
|
7138
|
+
d(this, "jwtSecretKeyFile", "");
|
|
7139
|
+
d(this, "jwtPublicKeyFile", "");
|
|
7139
7140
|
if (this.audience = e, m("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), m("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), m("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), m("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), m("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
7140
7141
|
if (this.jwtPublicKey || this.jwtPublicKeyFile)
|
|
7141
7142
|
throw new o(
|
|
@@ -7225,15 +7226,15 @@ class Ht extends Ke {
|
|
|
7225
7226
|
),
|
|
7226
7227
|
...t
|
|
7227
7228
|
});
|
|
7228
|
-
|
|
7229
|
-
|
|
7230
|
-
|
|
7231
|
-
|
|
7232
|
-
|
|
7233
|
-
|
|
7229
|
+
d(this, "deviceAuthorizationUrl", "device_authorization");
|
|
7230
|
+
d(this, "userCreationType", "idToken");
|
|
7231
|
+
d(this, "userMatchField", "username");
|
|
7232
|
+
d(this, "idTokenMatchField", "sub");
|
|
7233
|
+
d(this, "userCreationFn");
|
|
7234
|
+
d(this, "userStorage");
|
|
7234
7235
|
this.client_id = r.client_id;
|
|
7235
7236
|
let i = {};
|
|
7236
|
-
if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), this.oauthPostType != "json" && this.oauthPostType != "form")
|
|
7237
|
+
if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), m("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
|
|
7237
7238
|
throw new o(l.Configuration, "oauthPostType must be json or form");
|
|
7238
7239
|
}
|
|
7239
7240
|
/**
|
|
@@ -7298,7 +7299,7 @@ class jt {
|
|
|
7298
7299
|
* Keyed on auth server base URL then audience. The latter may be ""
|
|
7299
7300
|
* for none
|
|
7300
7301
|
*/
|
|
7301
|
-
|
|
7302
|
+
d(this, "tokenConsumers");
|
|
7302
7303
|
this.tokenConsumers = [...s];
|
|
7303
7304
|
}
|
|
7304
7305
|
/**
|
|
@@ -7351,9 +7352,9 @@ export {
|
|
|
7351
7352
|
nt as OAuthTokenConsumer,
|
|
7352
7353
|
g as ParamType,
|
|
7353
7354
|
be as PasswordAuthenticator,
|
|
7354
|
-
|
|
7355
|
+
Ot as PostgresKeyStorage,
|
|
7355
7356
|
Nt as PostgresOAuthAuthorizationStorage,
|
|
7356
|
-
|
|
7357
|
+
Ft as PostgresOAuthClientStorage,
|
|
7357
7358
|
Kt as PostgresUserStorage,
|
|
7358
7359
|
kt as PrismaKeyStorage,
|
|
7359
7360
|
bt as PrismaOAuthAuthorizationStorage,
|