@crossauth/backend 0.0.7 → 0.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/emailtokens.d.ts +1 -1
- package/dist/emailtokens.d.ts.map +1 -1
- package/dist/index.cjs +1 -1
- package/dist/index.js +177 -170
- package/dist/oauth/clientmanager.d.ts.map +1 -1
- package/dist/session.d.ts +4 -1
- package/dist/session.d.ts.map +1 -1
- package/dist/storage/prismastorage.d.ts.map +1 -1
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
var Ae = Object.defineProperty;
|
|
2
2
|
var Ie = (S, s, e) => s in S ? Ae(S, s, { enumerable: !0, configurable: !0, writable: !0, value: e }) : S[s] = e;
|
|
3
3
|
var h = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
|
|
4
|
-
import { CrossauthError as o, ErrorCode as l, UserState as
|
|
4
|
+
import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as b, KeyPrefix as U, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
|
|
5
5
|
import { PrismaClient as oe, Prisma as X } from "@prisma/client";
|
|
6
6
|
import ge from "ldapjs";
|
|
7
|
-
import { timingSafeEqual as me, randomBytes as ce, randomUUID as
|
|
7
|
+
import { timingSafeEqual as me, randomBytes as ce, randomUUID as Fe, createHash as Oe, pbkdf2 as Ne, createHmac as we, createCipheriv as Re, createDecipheriv as De, randomInt as ee } from "node:crypto";
|
|
8
8
|
import { promisify as xe } from "node:util";
|
|
9
9
|
import W from "nunjucks";
|
|
10
10
|
import Ee from "nodemailer";
|
|
@@ -198,17 +198,17 @@ class G extends H {
|
|
|
198
198
|
i = new o(l.UserNotExist);
|
|
199
199
|
}
|
|
200
200
|
if (this.prismaClient || (i = new o(l.Connection)), i) throw i;
|
|
201
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
201
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
|
|
202
202
|
throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
|
|
203
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
203
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.disabled)
|
|
204
204
|
throw u.logger.debug(f({ msg: "User is deactivated" })), new o(l.UserNotActive);
|
|
205
|
-
if ((r == null ? void 0 : r.skipEmailVerifiedCheck) != !0 && a.state ==
|
|
205
|
+
if ((r == null ? void 0 : r.skipEmailVerifiedCheck) != !0 && a.state == E.awaitingEmailVerification)
|
|
206
206
|
throw u.logger.debug(f({ msg: "User has not verified email" })), new o(l.EmailNotVerified);
|
|
207
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
207
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.passwordChangeNeeded)
|
|
208
208
|
throw u.logger.debug(f({ msg: "User must change password" })), new o(l.PasswordChangeNeeded);
|
|
209
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && (a.state ==
|
|
209
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && (a.state == E.passwordResetNeeded || a.state == E.passwordAndFactor2ResetNeeded))
|
|
210
210
|
throw u.logger.debug(f({ msg: "User must reset password" })), new o(l.PasswordResetNeeded);
|
|
211
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
211
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.factor2ResetNeeded)
|
|
212
212
|
throw u.logger.debug(f({ msg: "2FA reset required" })), new o(l.Factor2ResetNeeded);
|
|
213
213
|
const n = a.secrets || {};
|
|
214
214
|
return a.secrets && (delete n[this.useridForeignKeyColumn], delete a.secrets), { user: { ...a, id: a[this.idColumn] }, secrets: { userid: a[this.idColumn], ...n } };
|
|
@@ -767,7 +767,7 @@ class Tt extends ue {
|
|
|
767
767
|
}
|
|
768
768
|
if (i) {
|
|
769
769
|
for (let d = 0; d < i.length; ++d)
|
|
770
|
-
if (!
|
|
770
|
+
if (!b.isValidFlow(i[d])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[d]);
|
|
771
771
|
}
|
|
772
772
|
try {
|
|
773
773
|
c = await t[this.clientTable].create({
|
|
@@ -854,7 +854,7 @@ class Tt extends ue {
|
|
|
854
854
|
}
|
|
855
855
|
if (i) {
|
|
856
856
|
for (let a = 0; a < i.length; ++a)
|
|
857
|
-
if (!
|
|
857
|
+
if (!b.isValidFlow(i[a])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
|
|
858
858
|
}
|
|
859
859
|
try {
|
|
860
860
|
let a = { ...e };
|
|
@@ -886,13 +886,13 @@ class Tt extends ue {
|
|
|
886
886
|
}
|
|
887
887
|
if (i != null)
|
|
888
888
|
try {
|
|
889
|
-
|
|
889
|
+
await this.prismaClient[this.validFlowTable].deleteMany({
|
|
890
890
|
where: {
|
|
891
891
|
client_id: e.client_id
|
|
892
892
|
}
|
|
893
893
|
});
|
|
894
894
|
for (let a = 0; a < i.length; ++a)
|
|
895
|
-
|
|
895
|
+
await t[this.validFlowTable].create({
|
|
896
896
|
data: {
|
|
897
897
|
client_id: e.client_id,
|
|
898
898
|
flow: i[a]
|
|
@@ -1037,17 +1037,17 @@ class kt extends H {
|
|
|
1037
1037
|
if (r in this.usersByUsername) {
|
|
1038
1038
|
const i = this.usersByUsername[r];
|
|
1039
1039
|
if (!i) throw new o(l.UserNotExist);
|
|
1040
|
-
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state ==
|
|
1040
|
+
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state == E.passwordChangeNeeded)
|
|
1041
1041
|
throw u.logger.debug(f({ msg: "Password change required" })), new o(l.PasswordChangeNeeded);
|
|
1042
|
-
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && (i.state ==
|
|
1042
|
+
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && (i.state == E.passwordResetNeeded || i.state == E.passwordAndFactor2ResetNeeded))
|
|
1043
1043
|
throw u.logger.debug(f({ msg: "Password reset required" })), new o(l.PasswordResetNeeded);
|
|
1044
|
-
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state ==
|
|
1044
|
+
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state == E.factor2ResetNeeded)
|
|
1045
1045
|
throw u.logger.debug(f({ msg: "2FA reset required" })), new o(l.Factor2ResetNeeded);
|
|
1046
|
-
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state ==
|
|
1046
|
+
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state == E.awaitingTwoFactorSetup)
|
|
1047
1047
|
throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
|
|
1048
|
-
if ((t == null ? void 0 : t.skipEmailVerifiedCheck) != !0 && i.state ==
|
|
1048
|
+
if ((t == null ? void 0 : t.skipEmailVerifiedCheck) != !0 && i.state == E.awaitingEmailVerification)
|
|
1049
1049
|
throw u.logger.debug(f({ msg: "User email not verified" })), new o(l.EmailNotVerified);
|
|
1050
|
-
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state ==
|
|
1050
|
+
if ((t == null ? void 0 : t.skipActiveCheck) != !0 && i.state == E.disabled)
|
|
1051
1051
|
throw u.logger.debug(f({ msg: "User is deactivated" })), new o(l.UserNotActive);
|
|
1052
1052
|
const a = this.secretsByUsername[r];
|
|
1053
1053
|
return { user: { ...i }, secrets: { userid: i.id, ...a } };
|
|
@@ -1672,17 +1672,17 @@ class Y extends H {
|
|
|
1672
1672
|
if (c = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = $1`, d = await i.execute(c, [a.id]), d.length == 0)
|
|
1673
1673
|
throw new o(l.UserNotExist);
|
|
1674
1674
|
if (d.length > 0 ? n = { userid: a.id, ...d[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
|
|
1675
|
-
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
1675
|
+
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
|
|
1676
1676
|
throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
|
|
1677
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
1677
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.disabled)
|
|
1678
1678
|
throw u.logger.debug(f({ msg: "User is deactivated" })), new o(l.UserNotActive);
|
|
1679
|
-
if ((r == null ? void 0 : r.skipEmailVerifiedCheck) != !0 && a.state ==
|
|
1679
|
+
if ((r == null ? void 0 : r.skipEmailVerifiedCheck) != !0 && a.state == E.awaitingEmailVerification)
|
|
1680
1680
|
throw u.logger.debug(f({ msg: "User has not verified email" })), new o(l.EmailNotVerified);
|
|
1681
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
1681
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.passwordChangeNeeded)
|
|
1682
1682
|
throw u.logger.debug(f({ msg: "User must change password" })), new o(l.PasswordChangeNeeded);
|
|
1683
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && (a.state ==
|
|
1683
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && (a.state == E.passwordResetNeeded || a.state == E.passwordAndFactor2ResetNeeded))
|
|
1684
1684
|
throw u.logger.debug(f({ msg: "User must reset password" })), new o(l.PasswordResetNeeded);
|
|
1685
|
-
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state ==
|
|
1685
|
+
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.factor2ResetNeeded)
|
|
1686
1686
|
throw u.logger.debug(f({ msg: "2FA reset required" })), new o(l.Factor2ResetNeeded);
|
|
1687
1687
|
return { user: a, secrets: n };
|
|
1688
1688
|
} catch (c) {
|
|
@@ -2200,7 +2200,7 @@ class We extends ue {
|
|
|
2200
2200
|
}
|
|
2201
2201
|
if (i) {
|
|
2202
2202
|
for (let C = 0; C < i.length; ++C)
|
|
2203
|
-
if (!
|
|
2203
|
+
if (!b.isValidFlow(i[C])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[C]);
|
|
2204
2204
|
}
|
|
2205
2205
|
let c = [], d = [], w = [], y = this.dbPool.parameters();
|
|
2206
2206
|
try {
|
|
@@ -2285,7 +2285,7 @@ class We extends ue {
|
|
|
2285
2285
|
}
|
|
2286
2286
|
if (i) {
|
|
2287
2287
|
for (let v = 0; v < i.length; ++v)
|
|
2288
|
-
if (!
|
|
2288
|
+
if (!b.isValidFlow(i[v])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
|
|
2289
2289
|
}
|
|
2290
2290
|
if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
|
|
2291
2291
|
let { client_id: a, redirect_uri: n, valid_flow: c, ...d } = t;
|
|
@@ -2626,7 +2626,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
|
|
|
2626
2626
|
* Creates a UUID
|
|
2627
2627
|
*/
|
|
2628
2628
|
static uuid() {
|
|
2629
|
-
return
|
|
2629
|
+
return Fe();
|
|
2630
2630
|
}
|
|
2631
2631
|
/**
|
|
2632
2632
|
* Standard hash using SHA256 (not PBKDF2 or HMAC)
|
|
@@ -2644,7 +2644,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
|
|
|
2644
2644
|
* @returns the string containing the hash
|
|
2645
2645
|
*/
|
|
2646
2646
|
static sha256(s) {
|
|
2647
|
-
return
|
|
2647
|
+
return Oe("sha256").update(s).digest("base64url");
|
|
2648
2648
|
}
|
|
2649
2649
|
/**
|
|
2650
2650
|
* Hashes a password and returns it as a base64 or base64url encoded string
|
|
@@ -2746,7 +2746,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
|
|
|
2746
2746
|
static symmetricEncrypt(s, e, t = void 0) {
|
|
2747
2747
|
t || (t = ce(16));
|
|
2748
2748
|
let r = Buffer.from(e, "base64url");
|
|
2749
|
-
var i =
|
|
2749
|
+
var i = Re("aes-256-cbc", r, t);
|
|
2750
2750
|
let a = i.update(s);
|
|
2751
2751
|
return a = Buffer.concat([a, i.final()]), t.toString("base64url") + "." + a.toString("base64url");
|
|
2752
2752
|
}
|
|
@@ -2762,7 +2762,7 @@ const pe = process.env.PBKDF2_DIGEST || "sha256", Ce = Number(process.env.PBKDF2
|
|
|
2762
2762
|
const r = s.split(".");
|
|
2763
2763
|
if (r.length != 2) throw new o(l.InvalidHash, "Not AES-256-CBC ciphertext");
|
|
2764
2764
|
let i = Buffer.from(r[0], "base64url"), a = Buffer.from(r[1], "base64url");
|
|
2765
|
-
var n =
|
|
2765
|
+
var n = De("aes-256-cbc", t, i);
|
|
2766
2766
|
let c = n.update(a);
|
|
2767
2767
|
return c = Buffer.concat([c, n.final()]), c.toString();
|
|
2768
2768
|
}
|
|
@@ -3382,7 +3382,7 @@ class Ue extends Q {
|
|
|
3382
3382
|
return (await Be(this.accountSid, this.authToken).messages.create(r)).sid;
|
|
3383
3383
|
}
|
|
3384
3384
|
}
|
|
3385
|
-
class
|
|
3385
|
+
class Ft extends re {
|
|
3386
3386
|
/**
|
|
3387
3387
|
* Constructor
|
|
3388
3388
|
*
|
|
@@ -3545,7 +3545,7 @@ class Ot extends re {
|
|
|
3545
3545
|
return Array(+(r > 0 && r)).join("0") + e;
|
|
3546
3546
|
}
|
|
3547
3547
|
}
|
|
3548
|
-
class
|
|
3548
|
+
class Ot extends be {
|
|
3549
3549
|
/**
|
|
3550
3550
|
* Create a new authenticator.
|
|
3551
3551
|
*
|
|
@@ -3819,7 +3819,7 @@ class Nt extends re {
|
|
|
3819
3819
|
}
|
|
3820
3820
|
}
|
|
3821
3821
|
const se = 16;
|
|
3822
|
-
class
|
|
3822
|
+
class D {
|
|
3823
3823
|
/**
|
|
3824
3824
|
* Construct a new EmailVerifier.
|
|
3825
3825
|
*
|
|
@@ -3879,11 +3879,11 @@ class R {
|
|
|
3879
3879
|
let r = 0;
|
|
3880
3880
|
const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
|
|
3881
3881
|
for (; r < 10; ) {
|
|
3882
|
-
let n = T.randomValue(se), c =
|
|
3882
|
+
let n = T.randomValue(se), c = D.hashEmailVerificationToken(n);
|
|
3883
3883
|
try {
|
|
3884
3884
|
return await this.keyStorage.saveKey(s, c, i, a, e), n;
|
|
3885
3885
|
} catch {
|
|
3886
|
-
n = T.randomValue(se), c =
|
|
3886
|
+
n = T.randomValue(se), c = D.hashEmailVerificationToken(n), r++;
|
|
3887
3887
|
}
|
|
3888
3888
|
}
|
|
3889
3889
|
throw new o(l.Connection, "failed creating a unique key");
|
|
@@ -3924,7 +3924,7 @@ class R {
|
|
|
3924
3924
|
"Either emailVerificationTextBody or emailVerificationHtmlBody must be set to send email verification emails"
|
|
3925
3925
|
);
|
|
3926
3926
|
let { user: r } = await this.userStorage.getUserById(s, { skipEmailVerifiedCheck: !0 }), i = e;
|
|
3927
|
-
i != "" ?
|
|
3927
|
+
i != "" ? D.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), D.validateEmail(i)), D.validateEmail(i);
|
|
3928
3928
|
const a = await this.createAndSaveEmailVerificationToken(s, e), n = await this._sendEmailVerificationToken(a, i, t);
|
|
3929
3929
|
u.logger.info(f({ msg: "Sent email verification email", emailMessageId: n, email: i }));
|
|
3930
3930
|
}
|
|
@@ -3944,20 +3944,20 @@ class R {
|
|
|
3944
3944
|
* address the user is validating
|
|
3945
3945
|
*/
|
|
3946
3946
|
async verifyEmailVerificationToken(s) {
|
|
3947
|
-
const e =
|
|
3947
|
+
const e = D.hashEmailVerificationToken(s);
|
|
3948
3948
|
let t = await this.keyStorage.getKey(e);
|
|
3949
3949
|
try {
|
|
3950
3950
|
if (!t.userid || !t.expires) throw new o(l.InvalidKey);
|
|
3951
3951
|
const { user: r } = await this.userStorage.getUserById(t.userid, { skipEmailVerifiedCheck: !0 });
|
|
3952
3952
|
let i = (r.email ?? r.username).toLowerCase();
|
|
3953
|
-
if (i || (i = r.username.toLowerCase()),
|
|
3953
|
+
if (i || (i = r.username.toLowerCase()), D.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
|
|
3954
3954
|
return { userid: t.userid, newEmail: t.data ?? "" };
|
|
3955
3955
|
} finally {
|
|
3956
3956
|
}
|
|
3957
3957
|
}
|
|
3958
3958
|
async deleteEmailVerificationToken(s) {
|
|
3959
3959
|
try {
|
|
3960
|
-
const e =
|
|
3960
|
+
const e = D.hashEmailVerificationToken(s);
|
|
3961
3961
|
await this.keyStorage.deleteKey(e);
|
|
3962
3962
|
} catch (e) {
|
|
3963
3963
|
const t = o.asCrossauthError(e);
|
|
@@ -3968,11 +3968,11 @@ class R {
|
|
|
3968
3968
|
let t = 0;
|
|
3969
3969
|
const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
|
|
3970
3970
|
for (; t < 10; ) {
|
|
3971
|
-
let a = T.randomValue(se), n =
|
|
3971
|
+
let a = T.randomValue(se), n = D.hashPasswordResetToken(a);
|
|
3972
3972
|
try {
|
|
3973
3973
|
return await this.keyStorage.saveKey(s, n, r, i), a;
|
|
3974
3974
|
} catch {
|
|
3975
|
-
a = T.randomValue(se), n =
|
|
3975
|
+
a = T.randomValue(se), n = D.hashPasswordResetToken(a), t++;
|
|
3976
3976
|
}
|
|
3977
3977
|
}
|
|
3978
3978
|
throw new o(l.Connection, "failed creating a unique key");
|
|
@@ -3992,7 +3992,7 @@ class R {
|
|
|
3992
3992
|
* @returns the user that the token is for
|
|
3993
3993
|
*/
|
|
3994
3994
|
async verifyPasswordResetToken(s) {
|
|
3995
|
-
const e =
|
|
3995
|
+
const e = D.hashPasswordResetToken(s);
|
|
3996
3996
|
u.logger.debug("verifyPasswordResetToken " + s + " " + e);
|
|
3997
3997
|
let t = await this.keyStorage.getKey(e);
|
|
3998
3998
|
if (!t.userid) throw new o(l.InvalidKey);
|
|
@@ -4001,7 +4001,7 @@ class R {
|
|
|
4001
4001
|
t.userid,
|
|
4002
4002
|
{ skipActiveCheck: !0 }
|
|
4003
4003
|
);
|
|
4004
|
-
if (r.state !=
|
|
4004
|
+
if (r.state != E.active && r.state != E.passwordResetNeeded && r.state != E.passwordAndFactor2ResetNeeded)
|
|
4005
4005
|
throw new o(l.UserNotActive);
|
|
4006
4006
|
if ((/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
|
|
4007
4007
|
return r;
|
|
@@ -4029,21 +4029,21 @@ class R {
|
|
|
4029
4029
|
* @param extraData : these extra variables will be passed to the Nunjucks
|
|
4030
4030
|
* templates
|
|
4031
4031
|
*/
|
|
4032
|
-
async sendPasswordResetToken(s, e = {}) {
|
|
4032
|
+
async sendPasswordResetToken(s, e = {}, t = !1) {
|
|
4033
4033
|
if (!this.passwordResetTextBody && !this.passwordResetHtmlBody)
|
|
4034
4034
|
throw new o(
|
|
4035
4035
|
l.Configuration,
|
|
4036
4036
|
"Either passwordResetTextBody or passwordResetTextBody must be set to send email verification emails"
|
|
4037
4037
|
);
|
|
4038
|
-
let { user:
|
|
4038
|
+
let { user: r } = await this.userStorage.getUserById(s, {
|
|
4039
4039
|
skipActiveCheck: !0
|
|
4040
4040
|
});
|
|
4041
|
-
if (t.state !=
|
|
4041
|
+
if (!t && r.state != E.active && r.state != E.passwordResetNeeded && r.state != E.passwordAndFactor2ResetNeeded)
|
|
4042
4042
|
throw new o(l.UserNotActive);
|
|
4043
|
-
let
|
|
4044
|
-
|
|
4045
|
-
const
|
|
4046
|
-
u.logger.info(f({ msg: "Sent password reset email", emailMessageId:
|
|
4043
|
+
let i = (r.email ?? r.username).toLowerCase();
|
|
4044
|
+
i || (i = r.username.toLowerCase()), D.validateEmail(i);
|
|
4045
|
+
const a = await this.createAndSavePasswordResetToken(s), n = await this._sendPasswordResetToken(a, i, e);
|
|
4046
|
+
u.logger.info(f({ msg: "Sent password reset email", emailMessageId: n, email: i }));
|
|
4047
4047
|
}
|
|
4048
4048
|
/**
|
|
4049
4049
|
* Returns true if the given email has a valid format, false otherwise.
|
|
@@ -4063,11 +4063,11 @@ class R {
|
|
|
4063
4063
|
* @param email the email to validate
|
|
4064
4064
|
*/
|
|
4065
4065
|
static validateEmail(s) {
|
|
4066
|
-
if (s == null || !
|
|
4066
|
+
if (s == null || !D.isEmailValid(s)) throw new o(l.InvalidEmail);
|
|
4067
4067
|
}
|
|
4068
4068
|
}
|
|
4069
4069
|
const _e = 16, ke = 16;
|
|
4070
|
-
function
|
|
4070
|
+
function Rt(S) {
|
|
4071
4071
|
return {
|
|
4072
4072
|
...S,
|
|
4073
4073
|
path: S.path ?? "/"
|
|
@@ -4377,7 +4377,7 @@ class x {
|
|
|
4377
4377
|
e && (e = x.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, U.session, e);
|
|
4378
4378
|
}
|
|
4379
4379
|
}
|
|
4380
|
-
class
|
|
4380
|
+
class Dt {
|
|
4381
4381
|
/**
|
|
4382
4382
|
* Constructor
|
|
4383
4383
|
* @param keyStorage the {@link KeyStorage} instance to use, eg {@link PrismaKeyStorage}.
|
|
@@ -4401,7 +4401,7 @@ class Rt {
|
|
|
4401
4401
|
this.authenticators[r].factorName = r;
|
|
4402
4402
|
if (this.session = new x(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
|
|
4403
4403
|
let r = this.keyStorage;
|
|
4404
|
-
t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new
|
|
4404
|
+
t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new D(this.userStorage, r, t);
|
|
4405
4405
|
}
|
|
4406
4406
|
}
|
|
4407
4407
|
/**
|
|
@@ -4466,9 +4466,9 @@ class Rt {
|
|
|
4466
4466
|
await this.authenticators[i.factor1].authenticateUser(i, n, e);
|
|
4467
4467
|
}
|
|
4468
4468
|
let c;
|
|
4469
|
-
if (i.state ==
|
|
4469
|
+
if (i.state == E.passwordChangeNeeded)
|
|
4470
4470
|
c = (await this.createAnonymousSession({ data: JSON.stringify({ passwordchange: { username: i.username } }) })).sessionCookie;
|
|
4471
|
-
else if (i.state ==
|
|
4471
|
+
else if (i.state == E.factor2ResetNeeded)
|
|
4472
4472
|
c = (await this.createAnonymousSession({ data: JSON.stringify({ factor2change: { username: i.username } }) })).sessionCookie;
|
|
4473
4473
|
else if (!a && i.factor2 && i.factor2 != "") {
|
|
4474
4474
|
const { sessionCookie: p } = await this.initiateTwoFactorLogin(i);
|
|
@@ -4825,7 +4825,7 @@ class Rt {
|
|
|
4825
4825
|
let t = !1, { user: r, key: i } = await this.session.getUserForSessionId(e, {
|
|
4826
4826
|
skipActiveCheck: !0
|
|
4827
4827
|
});
|
|
4828
|
-
if (r && r.state !=
|
|
4828
|
+
if (r && r.state != E.active && r.state != E.factor2ResetNeeded)
|
|
4829
4829
|
throw new o(l.UserNotActive);
|
|
4830
4830
|
if (!i) throw new o(l.InvalidKey, "Session key not found");
|
|
4831
4831
|
let a = z.decodeData(i.data)["2fa"];
|
|
@@ -4844,7 +4844,7 @@ class Rt {
|
|
|
4844
4844
|
state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
|
|
4845
4845
|
factor2: a.factor2
|
|
4846
4846
|
};
|
|
4847
|
-
return await this.userStorage.updateUser(p, d), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(x.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
|
|
4847
|
+
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, d) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(x.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
|
|
4848
4848
|
}
|
|
4849
4849
|
/**
|
|
4850
4850
|
* Initiates the two factor login process.
|
|
@@ -4975,7 +4975,7 @@ class Rt {
|
|
|
4975
4975
|
const { user: e } = await this.userStorage.getUserByEmail(s, {
|
|
4976
4976
|
skipActiveCheck: !0
|
|
4977
4977
|
});
|
|
4978
|
-
if (e.state !=
|
|
4978
|
+
if (e.state != E.active && e.state != E.passwordResetNeeded && e.state != E.passwordAndFactor2ResetNeeded)
|
|
4979
4979
|
throw new o(l.UserNotActive);
|
|
4980
4980
|
await ((t = this.tokenEmailer) == null ? void 0 : t.sendPasswordResetToken(e.id));
|
|
4981
4981
|
}
|
|
@@ -5037,28 +5037,31 @@ class Rt {
|
|
|
5037
5037
|
* @param newUser the new user details
|
|
5038
5038
|
* @returns true if email verification is now needed, false otherwise
|
|
5039
5039
|
*/
|
|
5040
|
-
async updateUser(s, e, t = !1) {
|
|
5041
|
-
var
|
|
5042
|
-
let
|
|
5040
|
+
async updateUser(s, e, t = !1, r = !1) {
|
|
5041
|
+
var y, p;
|
|
5042
|
+
let i;
|
|
5043
5043
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call updateUser if no user storage provided");
|
|
5044
5044
|
if (!("id" in s) || s.id == null)
|
|
5045
5045
|
throw new o(l.UserNotExist, "Please specify a user id");
|
|
5046
5046
|
if (!("username" in s) || s.username == null)
|
|
5047
5047
|
throw new o(l.UserNotExist, "Please specify a userername");
|
|
5048
|
-
let { email:
|
|
5049
|
-
|
|
5050
|
-
let
|
|
5051
|
-
if (
|
|
5052
|
-
|
|
5053
|
-
else if (
|
|
5054
|
-
|
|
5048
|
+
let { email: a, username: n, password: c, ...d } = e;
|
|
5049
|
+
d.userid = s.userid;
|
|
5050
|
+
let w = !1;
|
|
5051
|
+
if (a)
|
|
5052
|
+
i = a, D.validateEmail(i), w = !0;
|
|
5053
|
+
else if (n) {
|
|
5054
|
+
i = n;
|
|
5055
5055
|
try {
|
|
5056
|
-
|
|
5056
|
+
D.validateEmail(s.username), w = !0;
|
|
5057
5057
|
} catch {
|
|
5058
5058
|
}
|
|
5059
|
-
|
|
5059
|
+
w && D.validateEmail(i);
|
|
5060
5060
|
}
|
|
5061
|
-
return !t && this.enableEmailVerification &&
|
|
5061
|
+
return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
|
|
5062
|
+
emailVerificationTokenSent: !t && this.enableEmailVerification && w,
|
|
5063
|
+
passwordResetTokenSent: e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded
|
|
5064
|
+
};
|
|
5062
5065
|
}
|
|
5063
5066
|
/**
|
|
5064
5067
|
* Resets the secret for factor1 or 2 (eg reset password)
|
|
@@ -5076,20 +5079,20 @@ class Rt {
|
|
|
5076
5079
|
if (u.logger.debug(f({ msg: "resetSecret" })), !this.tokenEmailer) throw new o(l.Configuration, "Password reset not enabled");
|
|
5077
5080
|
const i = await this.userForPasswordResetToken(s), a = e == 1 ? i.factor1 : i.factor2;
|
|
5078
5081
|
if (!this.tokenEmailer) throw new o(l.Configuration);
|
|
5079
|
-
let n = i.state ==
|
|
5082
|
+
let n = i.state == E.passwordAndFactor2ResetNeeded ? E.factor2ResetNeeded : E.active;
|
|
5080
5083
|
await this.userStorage.updateUser(
|
|
5081
5084
|
{ id: i.id, state: n },
|
|
5082
5085
|
await this.authenticators[a].createPersistentSecrets(i.username, t, r)
|
|
5083
5086
|
);
|
|
5084
5087
|
try {
|
|
5085
|
-
this.emailTokenStorage.deleteAllForUser(
|
|
5088
|
+
await this.emailTokenStorage.deleteAllForUser(
|
|
5086
5089
|
i.id,
|
|
5087
5090
|
U.passwordResetToken
|
|
5088
5091
|
);
|
|
5089
5092
|
} catch (c) {
|
|
5090
5093
|
u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: i.username })), u.logger.debug(f({ err: c }));
|
|
5091
5094
|
}
|
|
5092
|
-
return i;
|
|
5095
|
+
return { ...i, state: n };
|
|
5093
5096
|
}
|
|
5094
5097
|
}
|
|
5095
5098
|
class he {
|
|
@@ -5231,7 +5234,7 @@ class J {
|
|
|
5231
5234
|
digest: this.oauthPbkdf2Digest
|
|
5232
5235
|
})), e.forEach((y) => {
|
|
5233
5236
|
J.validateUri(y);
|
|
5234
|
-
}), t || (t =
|
|
5237
|
+
}), t || (t = b.allFlows());
|
|
5235
5238
|
const d = {
|
|
5236
5239
|
client_id: a,
|
|
5237
5240
|
client_secret: n,
|
|
@@ -5244,9 +5247,13 @@ class J {
|
|
|
5244
5247
|
let w;
|
|
5245
5248
|
for (let y = 0; y < 5; ++y)
|
|
5246
5249
|
try {
|
|
5247
|
-
w = await this.clientStorage.createClient(d)
|
|
5250
|
+
w = await this.clientStorage.createClient(d);
|
|
5251
|
+
break;
|
|
5248
5252
|
} catch (p) {
|
|
5249
|
-
if (
|
|
5253
|
+
if (y == 4) {
|
|
5254
|
+
if (o.asCrossauthError(p).code != l.ClientExists) throw p;
|
|
5255
|
+
} else
|
|
5256
|
+
d.client_id = J.randomClientId();
|
|
5250
5257
|
}
|
|
5251
5258
|
if (!w) throw new o(l.ClientExists);
|
|
5252
5259
|
return w.client_secret && c && (w.client_secret = c), w;
|
|
@@ -5408,7 +5415,7 @@ class xt {
|
|
|
5408
5415
|
"userCodeDashEvery must be a number or null"
|
|
5409
5416
|
);
|
|
5410
5417
|
}
|
|
5411
|
-
if (m("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] ==
|
|
5418
|
+
if (m("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), this.validFlows.length == 1 && this.validFlows[0] == b.All && (this.validFlows = b.allFlows()), this.jwtAlgorithmChecked = at(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
5412
5419
|
if (this.jwtPublicKey || this.jwtPublicKeyFile || this.jwtPrivateKey || this.jwtPrivateKeyFile)
|
|
5413
5420
|
throw new o(
|
|
5414
5421
|
l.Configuration,
|
|
@@ -5448,7 +5455,7 @@ class xt {
|
|
|
5448
5455
|
l.Configuration,
|
|
5449
5456
|
"If setting jwtPublicKey or jwtPrivate key, must also set jwtKeyType"
|
|
5450
5457
|
);
|
|
5451
|
-
if (this.opaqueAccessToken && (this.persistAccessToken = !0), (this.validFlows.includes(
|
|
5458
|
+
if (this.opaqueAccessToken && (this.persistAccessToken = !0), (this.validFlows.includes(b.Password) || this.validFlows.includes(b.PasswordMfa)) && (!this.userStorage || Object.keys(this.authenticators).length == 0))
|
|
5452
5459
|
throw new o(
|
|
5453
5460
|
l.Configuration,
|
|
5454
5461
|
"If password flow or password MFA flow is enabled, userStorage and authenticators must be provided"
|
|
@@ -5598,21 +5605,21 @@ class xt {
|
|
|
5598
5605
|
async authenticateClient(s, e, t) {
|
|
5599
5606
|
let r = !1;
|
|
5600
5607
|
switch (s) {
|
|
5601
|
-
case
|
|
5602
|
-
case
|
|
5608
|
+
case b.AuthorizationCode:
|
|
5609
|
+
case b.AuthorizationCodeWithPKCE:
|
|
5603
5610
|
r = e.confidential == !0 || e.client_secret != null || t != null;
|
|
5604
5611
|
break;
|
|
5605
|
-
case
|
|
5612
|
+
case b.ClientCredentials:
|
|
5606
5613
|
r = !0;
|
|
5607
5614
|
break;
|
|
5608
|
-
case
|
|
5609
|
-
case
|
|
5615
|
+
case b.Password:
|
|
5616
|
+
case b.PasswordMfa:
|
|
5610
5617
|
r = e.confidential == !0 || e.client_secret != null || t != null;
|
|
5611
5618
|
break;
|
|
5612
|
-
case
|
|
5619
|
+
case b.RefreshToken:
|
|
5613
5620
|
r = e.confidential == !0 || e.client_secret != null || t != null;
|
|
5614
5621
|
break;
|
|
5615
|
-
case
|
|
5622
|
+
case b.DeviceCode:
|
|
5616
5623
|
r = e.confidential == !0 || e.client_secret != null || t != null;
|
|
5617
5624
|
break;
|
|
5618
5625
|
}
|
|
@@ -5672,7 +5679,7 @@ class xt {
|
|
|
5672
5679
|
otp: _,
|
|
5673
5680
|
deviceCode: C
|
|
5674
5681
|
}) {
|
|
5675
|
-
var K,
|
|
5682
|
+
var K, O, B;
|
|
5676
5683
|
const v = this.inferFlowFromPost(s, a);
|
|
5677
5684
|
if (!v) return {
|
|
5678
5685
|
error: "server_error",
|
|
@@ -5682,7 +5689,7 @@ class xt {
|
|
|
5682
5689
|
if (!k.client) return k;
|
|
5683
5690
|
const A = k.client, M = await this.authenticateClient(v, A, i);
|
|
5684
5691
|
if (M.error) return M;
|
|
5685
|
-
if (v ==
|
|
5692
|
+
if (v == b.Password && !this.validFlows.includes(v) && !this.validFlows.includes(b.PasswordMfa))
|
|
5686
5693
|
return {
|
|
5687
5694
|
error: "access_denied",
|
|
5688
5695
|
error_description: "Unsupported flow type " + v
|
|
@@ -5698,8 +5705,8 @@ class xt {
|
|
|
5698
5705
|
error_description: "Client does not support " + v
|
|
5699
5706
|
};
|
|
5700
5707
|
let j = !1;
|
|
5701
|
-
this.issueRefreshToken && v !=
|
|
5702
|
-
let
|
|
5708
|
+
this.issueRefreshToken && v != b.RefreshToken && (j = !0), this.issueRefreshToken && v == b.RefreshToken && this.rollingRefreshToken && (j = !0);
|
|
5709
|
+
let R;
|
|
5703
5710
|
if (s == "authorization_code")
|
|
5704
5711
|
return this.requireClientSecretOrChallenge && A && A.client_secret && !i && !a ? {
|
|
5705
5712
|
error: "access_denied",
|
|
@@ -5727,11 +5734,11 @@ class xt {
|
|
|
5727
5734
|
let P;
|
|
5728
5735
|
if (N.username)
|
|
5729
5736
|
try {
|
|
5730
|
-
const { user:
|
|
5731
|
-
P =
|
|
5732
|
-
} catch (
|
|
5737
|
+
const { user: F } = await ((K = this.userStorage) == null ? void 0 : K.getUserByUsername(N.username));
|
|
5738
|
+
P = F;
|
|
5739
|
+
} catch (F) {
|
|
5733
5740
|
return u.logger.error(f({
|
|
5734
|
-
err:
|
|
5741
|
+
err: F,
|
|
5735
5742
|
msg: "Couldn't get user for refresh token. Doesn't exist?",
|
|
5736
5743
|
username: N.username
|
|
5737
5744
|
})), {
|
|
@@ -5740,11 +5747,11 @@ class xt {
|
|
|
5740
5747
|
};
|
|
5741
5748
|
}
|
|
5742
5749
|
try {
|
|
5743
|
-
const
|
|
5744
|
-
await this.keyStorage.deleteKey(
|
|
5745
|
-
} catch (
|
|
5746
|
-
const I = o.asCrossauthError(
|
|
5747
|
-
u.logger.debug(f({ err:
|
|
5750
|
+
const F = U.refreshToken + T.hash(n);
|
|
5751
|
+
await this.keyStorage.deleteKey(F);
|
|
5752
|
+
} catch (F) {
|
|
5753
|
+
const I = o.asCrossauthError(F);
|
|
5754
|
+
u.logger.debug(f({ err: F })), u.logger.warn(f({ msg: "Cannot delete refresh token", cerr: I }));
|
|
5748
5755
|
}
|
|
5749
5756
|
return await this.makeAccessToken({
|
|
5750
5757
|
client: A,
|
|
@@ -5758,11 +5765,11 @@ class xt {
|
|
|
5758
5765
|
const {
|
|
5759
5766
|
scopes: N,
|
|
5760
5767
|
error: P,
|
|
5761
|
-
error_description:
|
|
5768
|
+
error_description: F
|
|
5762
5769
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
5763
5770
|
return P ? {
|
|
5764
5771
|
error: P,
|
|
5765
|
-
error_description:
|
|
5772
|
+
error_description: F
|
|
5766
5773
|
} : await this.makeAccessToken({
|
|
5767
5774
|
client: A,
|
|
5768
5775
|
client_secret: i,
|
|
@@ -5792,7 +5799,7 @@ class xt {
|
|
|
5792
5799
|
I,
|
|
5793
5800
|
$,
|
|
5794
5801
|
{ password: d }
|
|
5795
|
-
),
|
|
5802
|
+
), R = I;
|
|
5796
5803
|
} catch (I) {
|
|
5797
5804
|
return u.logger.debug(f({ err: I })), {
|
|
5798
5805
|
error: "access_denied",
|
|
@@ -5802,32 +5809,32 @@ class xt {
|
|
|
5802
5809
|
const {
|
|
5803
5810
|
scopes: N,
|
|
5804
5811
|
error: P,
|
|
5805
|
-
error_description:
|
|
5806
|
-
} = await this.validateAndPersistScope(e, t,
|
|
5812
|
+
error_description: F
|
|
5813
|
+
} = await this.validateAndPersistScope(e, t, R);
|
|
5807
5814
|
return P ? {
|
|
5808
5815
|
error: P,
|
|
5809
|
-
error_description:
|
|
5810
|
-
} :
|
|
5816
|
+
error_description: F
|
|
5817
|
+
} : R.factor2 ? this.allowedFactor2.length > 0 && (R.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(R.factor2 ? R.factor2 : "none")) ? {
|
|
5811
5818
|
error: "access_denied",
|
|
5812
5819
|
error_description: "2FA method not allowed or needs to be reconfigured"
|
|
5813
|
-
} : await this.createMfaRequest(
|
|
5820
|
+
} : await this.createMfaRequest(R) : await this.makeAccessToken({
|
|
5814
5821
|
client: A,
|
|
5815
5822
|
client_secret: i,
|
|
5816
5823
|
codeVerifier: a,
|
|
5817
5824
|
scopes: N,
|
|
5818
5825
|
issueRefreshToken: j,
|
|
5819
|
-
user:
|
|
5826
|
+
user: R
|
|
5820
5827
|
});
|
|
5821
5828
|
} else if (s == "http://auth0.com/oauth/grant-type/mfa-otp") {
|
|
5822
5829
|
const {
|
|
5823
5830
|
scopes: N,
|
|
5824
5831
|
error: P,
|
|
5825
|
-
error_description:
|
|
5832
|
+
error_description: F
|
|
5826
5833
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
5827
5834
|
if (P)
|
|
5828
5835
|
return {
|
|
5829
5836
|
error: P,
|
|
5830
|
-
error_description:
|
|
5837
|
+
error_description: F
|
|
5831
5838
|
};
|
|
5832
5839
|
if (!_)
|
|
5833
5840
|
return {
|
|
@@ -5885,12 +5892,12 @@ class xt {
|
|
|
5885
5892
|
const {
|
|
5886
5893
|
scopes: N,
|
|
5887
5894
|
error: P,
|
|
5888
|
-
error_description:
|
|
5895
|
+
error_description: F
|
|
5889
5896
|
} = await this.validateAndPersistScope(e, t, void 0);
|
|
5890
5897
|
if (P)
|
|
5891
5898
|
return {
|
|
5892
5899
|
error: P,
|
|
5893
|
-
error_description:
|
|
5900
|
+
error_description: F
|
|
5894
5901
|
};
|
|
5895
5902
|
if (!y || !p)
|
|
5896
5903
|
return {
|
|
@@ -5928,7 +5935,7 @@ class xt {
|
|
|
5928
5935
|
};
|
|
5929
5936
|
await $.authenticateUser(
|
|
5930
5937
|
I.user,
|
|
5931
|
-
{ ...L, otp: V.otp, expiry: (
|
|
5938
|
+
{ ...L, otp: V.otp, expiry: (O = I.key.expires) == null ? void 0 : O.getTime() },
|
|
5932
5939
|
{ otp: p }
|
|
5933
5940
|
);
|
|
5934
5941
|
} catch (L) {
|
|
@@ -5964,15 +5971,15 @@ class xt {
|
|
|
5964
5971
|
try {
|
|
5965
5972
|
N = await this.keyStorage.getKey(U.deviceCode + C);
|
|
5966
5973
|
} catch (P) {
|
|
5967
|
-
const
|
|
5968
|
-
return u.logger.debug(f({ err:
|
|
5974
|
+
const F = o.asCrossauthError(P);
|
|
5975
|
+
return u.logger.debug(f({ err: F })), u.logger.error(f({ msg: "Couldn't get device code", cerr: F })), {
|
|
5969
5976
|
error: "accerss_denied",
|
|
5970
5977
|
error_description: "Invalid device code"
|
|
5971
5978
|
};
|
|
5972
5979
|
}
|
|
5973
5980
|
try {
|
|
5974
|
-
const P = JSON.parse(N.data ?? "{}"),
|
|
5975
|
-
if (N.expires &&
|
|
5981
|
+
const P = JSON.parse(N.data ?? "{}"), F = (/* @__PURE__ */ new Date()).getTime();
|
|
5982
|
+
if (N.expires && F > N.expires.getTime())
|
|
5976
5983
|
return await this.deleteDeviceCode(C), {
|
|
5977
5984
|
error: "expired_token",
|
|
5978
5985
|
error_description: "Code has expired"
|
|
@@ -5994,8 +6001,8 @@ class xt {
|
|
|
5994
6001
|
});
|
|
5995
6002
|
}
|
|
5996
6003
|
} catch (P) {
|
|
5997
|
-
const
|
|
5998
|
-
return u.logger.debug(f({ err:
|
|
6004
|
+
const F = o.asCrossauthError(P);
|
|
6005
|
+
return u.logger.debug(f({ err: F })), u.logger.error(f({ msg: "Couldn't get device code", cerr: F })), await this.deleteDeviceCode(C), {
|
|
5999
6006
|
error: "accerss_denied",
|
|
6000
6007
|
error_description: "Invalid device code"
|
|
6001
6008
|
};
|
|
@@ -6052,7 +6059,7 @@ class xt {
|
|
|
6052
6059
|
error_description: "Invalid deviceCodeVerificationUri"
|
|
6053
6060
|
};
|
|
6054
6061
|
}
|
|
6055
|
-
const r =
|
|
6062
|
+
const r = b.DeviceCode, i = await this.getClientById(s);
|
|
6056
6063
|
if (!i.client) return i;
|
|
6057
6064
|
const a = i.client, n = await this.authenticateClient(r, a, t);
|
|
6058
6065
|
if (n.error) return n;
|
|
@@ -6417,7 +6424,7 @@ class xt {
|
|
|
6417
6424
|
* @returns respond as defined by the Password MFA spec
|
|
6418
6425
|
*/
|
|
6419
6426
|
async mfaChallengeEndpoint(s, e, t, r, i) {
|
|
6420
|
-
const a =
|
|
6427
|
+
const a = b.PasswordMfa, n = await this.getClientById(e);
|
|
6421
6428
|
if (!n.client) return n;
|
|
6422
6429
|
const c = n.client, d = await this.authenticateClient(a, c, t);
|
|
6423
6430
|
if (d.error) return d;
|
|
@@ -6474,9 +6481,9 @@ class xt {
|
|
|
6474
6481
|
*/
|
|
6475
6482
|
inferFlowFromGet(s, e, t) {
|
|
6476
6483
|
if (s == "code" && !e.includes("openid"))
|
|
6477
|
-
return t ?
|
|
6484
|
+
return t ? b.AuthorizationCodeWithPKCE : b.AuthorizationCode;
|
|
6478
6485
|
if (e.includes("openid") && s == "code")
|
|
6479
|
-
return t ?
|
|
6486
|
+
return t ? b.AuthorizationCodeWithPKCE : b.AuthorizationCode;
|
|
6480
6487
|
}
|
|
6481
6488
|
/**
|
|
6482
6489
|
* Returns the OAuth flow type that corresonds to the given
|
|
@@ -6487,19 +6494,19 @@ class xt {
|
|
|
6487
6494
|
*/
|
|
6488
6495
|
inferFlowFromPost(s, e) {
|
|
6489
6496
|
if (s == "authorization_code")
|
|
6490
|
-
return e ?
|
|
6497
|
+
return e ? b.AuthorizationCodeWithPKCE : b.AuthorizationCode;
|
|
6491
6498
|
if (s == "client_credentials")
|
|
6492
|
-
return
|
|
6499
|
+
return b.ClientCredentials;
|
|
6493
6500
|
if (s == "refresh_token")
|
|
6494
|
-
return
|
|
6501
|
+
return b.RefreshToken;
|
|
6495
6502
|
if (s == "urn:ietf:params:oauth:grant-type:device_code")
|
|
6496
|
-
return
|
|
6503
|
+
return b.DeviceCode;
|
|
6497
6504
|
if (s == "password")
|
|
6498
|
-
return
|
|
6505
|
+
return b.Password;
|
|
6499
6506
|
if (s == "http://auth0.com/oauth/grant-type/mfa-otp")
|
|
6500
|
-
return
|
|
6507
|
+
return b.PasswordMfa;
|
|
6501
6508
|
if (s == "http://auth0.com/oauth/grant-type/mfa-oob")
|
|
6502
|
-
return
|
|
6509
|
+
return b.PasswordMfa;
|
|
6503
6510
|
}
|
|
6504
6511
|
async getAuthorizationCode(s, e, t, r, i, a, n) {
|
|
6505
6512
|
if (i && (a || (a = "S256"), a != "S256" && a != "plain"))
|
|
@@ -6555,8 +6562,8 @@ class xt {
|
|
|
6555
6562
|
t ?? "",
|
|
6556
6563
|
s.client_secret ?? ""
|
|
6557
6564
|
));
|
|
6558
|
-
} catch (
|
|
6559
|
-
return u.logger.error(f({ err:
|
|
6565
|
+
} catch (R) {
|
|
6566
|
+
return u.logger.error(f({ err: R })), { error: "server_error", error_description: "Couldn't validate client" };
|
|
6560
6567
|
}
|
|
6561
6568
|
if (!c) return {
|
|
6562
6569
|
error: "access_denied",
|
|
@@ -6564,9 +6571,9 @@ class xt {
|
|
|
6564
6571
|
};
|
|
6565
6572
|
let d = {};
|
|
6566
6573
|
if (e) {
|
|
6567
|
-
let
|
|
6574
|
+
let R;
|
|
6568
6575
|
try {
|
|
6569
|
-
|
|
6576
|
+
R = await this.keyStorage.getKey(U.authorizationCode + T.hash(e)), d = z.decodeData(R.data);
|
|
6570
6577
|
} catch (K) {
|
|
6571
6578
|
return u.logger.debug(f({ err: K })), {
|
|
6572
6579
|
error: "access_denied",
|
|
@@ -6574,7 +6581,7 @@ class xt {
|
|
|
6574
6581
|
};
|
|
6575
6582
|
}
|
|
6576
6583
|
try {
|
|
6577
|
-
await this.keyStorage.deleteKey(
|
|
6584
|
+
await this.keyStorage.deleteKey(R.value);
|
|
6578
6585
|
} catch (K) {
|
|
6579
6586
|
u.logger.warn(f({
|
|
6580
6587
|
err: K,
|
|
@@ -6590,8 +6597,8 @@ class xt {
|
|
|
6590
6597
|
error_description: "Invalid code challenge/code challenge method method for authorization code"
|
|
6591
6598
|
};
|
|
6592
6599
|
if (d.challenge) {
|
|
6593
|
-
const
|
|
6594
|
-
if (T.hash(
|
|
6600
|
+
const R = d.challengeMethod == "plain" ? r ?? "" : T.sha256(r ?? "");
|
|
6601
|
+
if (T.hash(R) != d.challenge)
|
|
6595
6602
|
return {
|
|
6596
6603
|
error: "access_denied",
|
|
6597
6604
|
error_description: "Code verifier is incorrect"
|
|
@@ -6607,13 +6614,13 @@ class xt {
|
|
|
6607
6614
|
type: "access"
|
|
6608
6615
|
};
|
|
6609
6616
|
i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(w.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
|
|
6610
|
-
const v = await new Promise((
|
|
6617
|
+
const v = await new Promise((R, K) => {
|
|
6611
6618
|
ie.sign(
|
|
6612
6619
|
C,
|
|
6613
6620
|
this.secretOrPrivateKey,
|
|
6614
6621
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6615
|
-
(
|
|
6616
|
-
B ?
|
|
6622
|
+
(O, B) => {
|
|
6623
|
+
B ? R(B) : K(O || new o(
|
|
6617
6624
|
l.Unauthorized,
|
|
6618
6625
|
"Couldn't create jwt"
|
|
6619
6626
|
));
|
|
@@ -6631,10 +6638,10 @@ class xt {
|
|
|
6631
6638
|
if (i && i.includes("openid")) {
|
|
6632
6639
|
if (this.userStorage && d.username)
|
|
6633
6640
|
try {
|
|
6634
|
-
const { user:
|
|
6635
|
-
n =
|
|
6636
|
-
} catch (
|
|
6637
|
-
return u.logger.error(f({ err:
|
|
6641
|
+
const { user: O } = await this.userStorage.getUserByUsername(d.username);
|
|
6642
|
+
n = O;
|
|
6643
|
+
} catch (O) {
|
|
6644
|
+
return u.logger.error(f({ err: O })), {
|
|
6638
6645
|
error: "server_error",
|
|
6639
6646
|
error_description: "Couldn't load user data"
|
|
6640
6647
|
};
|
|
@@ -6647,7 +6654,7 @@ class xt {
|
|
|
6647
6654
|
type: "id"
|
|
6648
6655
|
};
|
|
6649
6656
|
if (i.includes("email") && (n != null && n.email) && (K.email = n.email), i.includes("address") && n && "address" in n && (K.address = n.address), i.includes("phone") && n && "phone" in n && (K.phone = n.phone), i.includes("profile") && n)
|
|
6650
|
-
for (let
|
|
6657
|
+
for (let O of [
|
|
6651
6658
|
"name",
|
|
6652
6659
|
"family_name",
|
|
6653
6660
|
"given_name",
|
|
@@ -6663,33 +6670,33 @@ class xt {
|
|
|
6663
6670
|
"locale",
|
|
6664
6671
|
"updated_at"
|
|
6665
6672
|
])
|
|
6666
|
-
K[
|
|
6673
|
+
K[O] = n[O];
|
|
6667
6674
|
if (n) {
|
|
6668
6675
|
if (i) {
|
|
6669
|
-
for (let
|
|
6670
|
-
if (
|
|
6671
|
-
if (this.idTokenClaims[
|
|
6676
|
+
for (let O of i)
|
|
6677
|
+
if (O in this.idTokenClaims)
|
|
6678
|
+
if (this.idTokenClaims[O] == "all")
|
|
6672
6679
|
K = {
|
|
6673
6680
|
...K,
|
|
6674
6681
|
...n
|
|
6675
6682
|
};
|
|
6676
6683
|
else
|
|
6677
|
-
for (let B in this.idTokenClaims[
|
|
6678
|
-
K[B] = n[this.idTokenClaims[
|
|
6684
|
+
for (let B in this.idTokenClaims[O])
|
|
6685
|
+
K[B] = n[this.idTokenClaims[O][B]];
|
|
6679
6686
|
}
|
|
6680
6687
|
if ("all" in this.idTokenClaims) {
|
|
6681
|
-
const
|
|
6682
|
-
if (
|
|
6688
|
+
const O = this.idTokenClaims.all;
|
|
6689
|
+
if (O == "all")
|
|
6683
6690
|
K = {
|
|
6684
6691
|
...K,
|
|
6685
6692
|
...n
|
|
6686
6693
|
};
|
|
6687
6694
|
else
|
|
6688
|
-
for (let B in
|
|
6689
|
-
K[B] = n[
|
|
6695
|
+
for (let B in O)
|
|
6696
|
+
K[B] = n[O[B]];
|
|
6690
6697
|
}
|
|
6691
6698
|
}
|
|
6692
|
-
K.scope = i, this.accessTokenExpiry != null && (K.exp = y + this.accessTokenExpiry), k = await new Promise((
|
|
6699
|
+
K.scope = i, this.accessTokenExpiry != null && (K.exp = y + this.accessTokenExpiry), k = await new Promise((O, B) => {
|
|
6693
6700
|
ie.sign(
|
|
6694
6701
|
K,
|
|
6695
6702
|
this.secretOrPrivateKey,
|
|
@@ -6698,7 +6705,7 @@ class xt {
|
|
|
6698
6705
|
keyid: this.jwtKid
|
|
6699
6706
|
},
|
|
6700
6707
|
(N, P) => {
|
|
6701
|
-
P ?
|
|
6708
|
+
P ? O(P) : B(N || new o(
|
|
6702
6709
|
l.Unauthorized,
|
|
6703
6710
|
"Couldn't create jwt"
|
|
6704
6711
|
));
|
|
@@ -6708,11 +6715,11 @@ class xt {
|
|
|
6708
6715
|
}
|
|
6709
6716
|
let A;
|
|
6710
6717
|
if (a) {
|
|
6711
|
-
const
|
|
6718
|
+
const R = {
|
|
6712
6719
|
username: d.username,
|
|
6713
6720
|
client_id: s.client_id
|
|
6714
6721
|
};
|
|
6715
|
-
i && (
|
|
6722
|
+
i && (R.scope = i);
|
|
6716
6723
|
let K;
|
|
6717
6724
|
const B = {
|
|
6718
6725
|
jti: T.uuid(),
|
|
@@ -6726,8 +6733,8 @@ class xt {
|
|
|
6726
6733
|
B,
|
|
6727
6734
|
this.secretOrPrivateKey,
|
|
6728
6735
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
6729
|
-
(
|
|
6730
|
-
I ? N(I) : P(
|
|
6736
|
+
(F, I) => {
|
|
6737
|
+
I ? N(I) : P(F || new o(
|
|
6731
6738
|
l.Unauthorized,
|
|
6732
6739
|
"Couldn't create jwt"
|
|
6733
6740
|
));
|
|
@@ -6739,7 +6746,7 @@ class xt {
|
|
|
6739
6746
|
U.refreshToken + T.hash(A),
|
|
6740
6747
|
w,
|
|
6741
6748
|
K,
|
|
6742
|
-
JSON.stringify(
|
|
6749
|
+
JSON.stringify(R)
|
|
6743
6750
|
));
|
|
6744
6751
|
}
|
|
6745
6752
|
return {
|
|
@@ -6896,7 +6903,7 @@ class xt {
|
|
|
6896
6903
|
*/
|
|
6897
6904
|
responseTypesSupported() {
|
|
6898
6905
|
let s = [];
|
|
6899
|
-
return (this.validFlows.includes(
|
|
6906
|
+
return (this.validFlows.includes(b.AuthorizationCode) || this.validFlows.includes(b.AuthorizationCodeWithPKCE) || this.validFlows.includes(b.OidcAuthorizationCode)) && s.push("code"), s;
|
|
6900
6907
|
}
|
|
6901
6908
|
/**
|
|
6902
6909
|
* Returns an OIDC configuration object based on this authorization
|
|
@@ -6918,7 +6925,7 @@ class xt {
|
|
|
6918
6925
|
}) {
|
|
6919
6926
|
let i = [];
|
|
6920
6927
|
this.validFlows.forEach((n) => {
|
|
6921
|
-
const c =
|
|
6928
|
+
const c = b.grantType(n);
|
|
6922
6929
|
c && (i = [...i, ...c]);
|
|
6923
6930
|
});
|
|
6924
6931
|
const a = [
|
|
@@ -7191,14 +7198,14 @@ export {
|
|
|
7191
7198
|
re as Authenticator,
|
|
7192
7199
|
T as Crypto,
|
|
7193
7200
|
rt as DoubleSubmitCsrfToken,
|
|
7194
|
-
|
|
7201
|
+
Ft as DummyFactor2Authenticator,
|
|
7195
7202
|
Z as EmailAuthenticator,
|
|
7196
7203
|
Et as InMemoryKeyStorage,
|
|
7197
7204
|
Ut as InMemoryOAuthAuthorizationStorage,
|
|
7198
7205
|
bt as InMemoryOAuthClientStorage,
|
|
7199
7206
|
kt as InMemoryUserStorage,
|
|
7200
7207
|
z as KeyStorage,
|
|
7201
|
-
|
|
7208
|
+
Ot as LdapAuthenticator,
|
|
7202
7209
|
ae as LdapUserStorage,
|
|
7203
7210
|
Te as LocalPasswordAuthenticator,
|
|
7204
7211
|
xt as OAuthAuthorizationServer,
|
|
@@ -7219,12 +7226,12 @@ export {
|
|
|
7219
7226
|
Tt as PrismaOAuthClientStorage,
|
|
7220
7227
|
G as PrismaUserStorage,
|
|
7221
7228
|
x as SessionCookie,
|
|
7222
|
-
|
|
7229
|
+
Dt as SessionManager,
|
|
7223
7230
|
Q as SmsAuthenticator,
|
|
7224
|
-
|
|
7231
|
+
D as TokenEmailer,
|
|
7225
7232
|
Nt as TotpAuthenticator,
|
|
7226
7233
|
Ue as TwilioAuthenticator,
|
|
7227
7234
|
H as UserStorage,
|
|
7228
7235
|
m as setParameter,
|
|
7229
|
-
|
|
7236
|
+
Rt as toCookieSerializeOptions
|
|
7230
7237
|
};
|