@crossauth/backend 1.1.0 → 1.1.1
- package/dist/index.cjs +2 -2
- package/dist/index.js +280 -278
- package/dist/storage/prismastorage.d.ts.map +1 -1
- package/package.json +2 -2
package/dist/index.js
|
@@ -18,7 +18,7 @@ import te from "jsonwebtoken";
|
|
|
18
18
|
import ie from "node:fs";
|
|
19
19
|
import { createPublicKey as $e } from "crypto";
|
|
20
20
|
import * as qe from "jose";
|
|
21
|
-
var
|
|
21
|
+
var g = /* @__PURE__ */ ((S) => (S[S.String = 0] = "String", S[S.Number = 1] = "Number", S[S.Boolean = 2] = "Boolean", S[S.Json = 3] = "Json", S[S.JsonArray = 4] = "JsonArray", S))(g || {});
|
|
22
22
|
function We(S, a) {
|
|
23
23
|
let e = S.split("."), t = a;
|
|
24
24
|
for (let r in e) {
|
|
@@ -78,7 +78,7 @@ class L {
|
|
|
78
78
|
u(this, "adminEditableFields", []);
|
|
79
79
|
u(this, "normalizeUsername", !0);
|
|
80
80
|
u(this, "normalizeEmail", !0);
|
|
81
|
-
w("userEditableFields",
|
|
81
|
+
w("userEditableFields", g.JsonArray, this, a, "USER_EDITABLE_FIELDS"), w("adminEditableFields", g.JsonArray, this, a, "ADMIN_EDITABLE_FIELDS"), w("normalizeUsername", g.JsonArray, this, a, "NORMALIZE_USERNAME"), w("normalizeEmail", g.JsonArray, this, a, "NORMALIZE_EMAIL");
|
|
82
82
|
}
|
|
83
83
|
/**
|
|
84
84
|
* Creates a user with the given details and secrets.
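Review bot: `normalizeUsername` and `normalizeEmail` are read with the `g.JsonArray` tag even though both default to booleans (`!0` two lines up) and the same commit tags `enableSecretForPasswordHash` as `g.Boolean`. If `w()` parses the environment value according to its tag, setting `NORMALIZE_USERNAME` or `NORMALIZE_EMAIL` would either fail to parse or produce an array, which is always truthy, so an operator could not actually switch username/email normalization off through the environment even though that flag decides how usernames are de-duplicated. Use `w("normalizeUsername", g.Boolean, this, a, "NORMALIZE_USERNAME"), w("normalizeEmail", g.Boolean, this, a, "NORMALIZE_EMAIL")`. `w()` is not part of this diff, so confirm how it treats the tag; the enclosing constructor starts above the hunk.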
|
|
@@ -345,7 +345,7 @@ class Z extends L {
|
|
|
345
345
|
u(this, "includes", ["secrets"]);
|
|
346
346
|
u(this, "includesObject", {});
|
|
347
347
|
u(this, "forceIdToNumber", !0);
|
|
348
|
-
if (w("userTable",
|
|
348
|
+
if (w("userTable", g.String, this, e, "USER_TABLE"), w("userSecretsTable", g.String, this, e, "USER_SECRETS_TABLE"), w("idColumn", g.String, this, e, "USER_ID_COLUMN"), w("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), w("includes", g.String, this, e, "USER_INCLUDES"), w("forceIdToNumber", g.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
|
|
349
349
|
this.includesObject[t] = !0;
|
|
350
350
|
}), e && e.prismaClient)
|
|
351
351
|
this.prismaClient = e.prismaClient;
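Review bot: `includes` is read with the `g.String` tag and then immediately iterated with `this.includes.forEach(...)`, so if `USER_INCLUDES` is set and `w()` stores the raw string, the constructor throws a `TypeError` (strings have no `forEach`); `forceIdToNumber` is likewise tagged `g.String` although it defaults to the boolean `!0`, and the LDAP hunk in this diff shows `g.JsonArray` is the tag meant for list-valued settings. Change the two calls to `w("includes", g.JsonArray, this, e, "USER_INCLUDES"), w("forceIdToNumber", g.Boolean, this, e, "USER_FORCE_ID_TO_NUMBER")`. `w()` is not shown here, so confirm whether it coerces by tag; the enclosing constructor starts above the hunk.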
|
|
@@ -468,7 +468,7 @@ class Z extends L {
|
|
|
468
468
|
});
|
|
469
469
|
} catch {
|
|
470
470
|
}
|
|
471
|
-
let { userid:
|
|
471
|
+
let { userid: f, ...y } = d ?? {};
|
|
472
472
|
n = { ...y, ...n }, await c[this.userTable].update({
|
|
473
473
|
where: {
|
|
474
474
|
[this.idColumn]: e.id
|
|
@@ -610,7 +610,7 @@ class Ft extends z {
|
|
|
610
610
|
u(this, "prismaClient");
|
|
611
611
|
u(this, "transactionTimeout", 5e3);
|
|
612
612
|
u(this, "useridForeignKeyColumn", "userid");
|
|
613
|
-
if (w("transactionTimeout",
|
|
613
|
+
if (w("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", g.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null) {
|
|
614
614
|
const t = `${process.env.DATABASE_URL}`, r = new de({ url: t });
|
|
615
615
|
this.prismaClient = new ue({ adapter: r });
|
|
616
616
|
} else
|
|
@@ -888,7 +888,7 @@ class Nt extends ye {
|
|
|
888
888
|
u(this, "transactionTimeout", 5e3);
|
|
889
889
|
u(this, "updateMode", "DeleteAndInsert");
|
|
890
890
|
u(this, "useridForeignKeyColumn", "userid");
|
|
891
|
-
if (w("clientTable",
|
|
891
|
+
if (w("clientTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), w("redirectUriTable", g.String, this, e, "OAUTH_REDIRECTURI_TABLE"), w("validFlowTable", g.String, this, e, "OAUTH_VALID_FLOW_TABLE"), w("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), w("updateMode", g.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), w("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null) {
|
|
892
892
|
const t = `${process.env.DATABASE_URL}`, r = new de({ url: t });
|
|
893
893
|
this.prismaClient = new ue({ adapter: r });
|
|
894
894
|
} else
|
|
@@ -900,42 +900,43 @@ class Nt extends ye {
|
|
|
900
900
|
async getClientByName(e, t) {
|
|
901
901
|
return await this.getClientWithTransaction("client_name", e, this.prismaClient, !1, t);
|
|
902
902
|
}
|
|
903
|
-
async getClientWithTransaction(e, t, r, i, s) {
|
|
904
|
-
const
|
|
903
|
+
async getClientWithTransaction(e, t, r, i, s, n = !0) {
|
|
904
|
+
const c = s == null && s !== null ? {} : { [this.useridForeignKeyColumn]: s };
|
|
905
905
|
try {
|
|
906
906
|
if (i) {
|
|
907
|
-
const
|
|
907
|
+
const d = await r[this.clientTable].findUniqueOrThrow({
|
|
908
908
|
where: {
|
|
909
909
|
[e]: t,
|
|
910
|
-
...
|
|
910
|
+
...c
|
|
911
911
|
},
|
|
912
912
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
913
|
-
}),
|
|
914
|
-
let
|
|
915
|
-
return
|
|
916
|
-
...
|
|
917
|
-
userid:
|
|
918
|
-
client_secret:
|
|
919
|
-
redirect_uri:
|
|
920
|
-
valid_flow:
|
|
913
|
+
}), f = d.redirect_uri, y = d.valid_flow;
|
|
914
|
+
let C = d[this.useridForeignKeyColumn];
|
|
915
|
+
return C === null && (C = void 0), this.useridForeignKeyColumn != "userid" && delete d[this.useridForeignKeyColumn], [{
|
|
916
|
+
...d,
|
|
917
|
+
userid: C,
|
|
918
|
+
client_secret: d.client_secret ?? void 0,
|
|
919
|
+
redirect_uri: f.map((v) => v.uri),
|
|
920
|
+
valid_flow: y.map((v) => v.flow)
|
|
921
921
|
}];
|
|
922
922
|
} else {
|
|
923
|
-
const
|
|
923
|
+
const d = await r[this.clientTable].findMany({
|
|
924
924
|
where: {
|
|
925
925
|
[e]: t,
|
|
926
|
-
...
|
|
926
|
+
...c
|
|
927
927
|
},
|
|
928
928
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
929
929
|
});
|
|
930
|
-
for (let
|
|
931
|
-
const
|
|
932
|
-
let
|
|
933
|
-
|
|
930
|
+
for (let f of d) {
|
|
931
|
+
const y = f.redirect_uri, C = f.valid_flow;
|
|
932
|
+
let v = f[this.useridForeignKeyColumn];
|
|
933
|
+
v == null && (v = void 0), f.userid = v, this.useridForeignKeyColumn != "userid" && delete f[this.useridForeignKeyColumn], f.client_secret = f.client_secret ?? void 0, f.redirect_uri = y.map((p) => p.uri), f.valid_flow = C.map((p) => p.flow);
|
|
934
934
|
}
|
|
935
|
-
return
|
|
935
|
+
return d;
|
|
936
936
|
}
|
|
937
|
-
} catch (
|
|
938
|
-
|
|
937
|
+
} catch (d) {
|
|
938
|
+
if (!n) return [];
|
|
939
|
+
throw h.logger.debug(m({ err: d })), h.logger.error(m({ msg: "Invalid OAuth client", [e]: t, cerr: d })), new o(l.InvalidClientId);
|
|
939
940
|
}
|
|
940
941
|
}
|
|
941
942
|
/**
|
|
@@ -948,7 +949,8 @@ class Nt extends ye {
|
|
|
948
949
|
try {
|
|
949
950
|
return this.prismaClient.$transaction(async (t) => {
|
|
950
951
|
try {
|
|
951
|
-
|
|
952
|
+
if ((await this.getClientWithTransaction("client_id", e.client_id, t, !0, e.userid, !1)).length > 0)
|
|
953
|
+
throw new o(l.ClientExists);
|
|
952
954
|
} catch {
|
|
953
955
|
}
|
|
954
956
|
return await this.createClientWithTransaction(e, t);
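Review bot: The new duplicate-client check never takes effect, because its `throw new o(l.ClientExists)` is raised inside a `try` whose empty `catch {}` (the pre-existing handler two lines below the new code) swallows it, so execution falls through to `createClientWithTransaction` whether or not a client with that `client_id` exists. Any uniqueness guarantee therefore rests solely on whatever constraint the database enforces. With the new `n = !1` argument the lookup already returns `[]` on failure, so the swallowing `try` is not needed around it; write `const existing = await this.getClientWithTransaction("client_id", e.client_id, t, !0, e.userid, !1); if (existing.length > 0) throw new o(l.ClientExists);` outside the `try`. The enclosing method's signature lies above the hunk.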
|
|
@@ -1152,7 +1154,7 @@ class Dt extends pe {
|
|
|
1152
1154
|
// PrismaClient;
|
|
1153
1155
|
u(this, "transactionTimeout", 5e3);
|
|
1154
1156
|
u(this, "useridForeignKeyColumn", "userid");
|
|
1155
|
-
if (w("authorizationTable",
|
|
1157
|
+
if (w("authorizationTable", g.String, this, e, "OAUTH_AUTHORIZATION_TABLE"), w("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null) {
|
|
1156
1158
|
const t = `${process.env.DATABASE_URL}`, r = new de({ url: t });
|
|
1157
1159
|
this.prismaClient = new ue({ adapter: r });
|
|
1158
1160
|
} else
|
|
@@ -1650,7 +1652,7 @@ class le extends L {
|
|
|
1650
1652
|
u(this, "ldapUserSearchBase", "");
|
|
1651
1653
|
u(this, "ldapUsernameAttribute", "cn");
|
|
1652
1654
|
u(this, "createUserFn", Xe);
|
|
1653
|
-
this.localStorage = e, w("ldapUrls",
|
|
1655
|
+
this.localStorage = e, w("ldapUrls", g.JsonArray, this, t, "LDAP_URL", !0), w("ldapUserSearchBase", g.String, this, t, "LDAP_USER_SEARCH_BASE"), w("ldapUsernameAttribute", g.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
|
|
1654
1656
|
}
|
|
1655
1657
|
/**
|
|
1656
1658
|
* Authenticates the user in LDAP and, if valid, creates a user in local
|
|
@@ -1789,17 +1791,17 @@ class le extends L {
|
|
|
1789
1791
|
t,
|
|
1790
1792
|
n,
|
|
1791
1793
|
function(c, d) {
|
|
1792
|
-
let
|
|
1794
|
+
let f;
|
|
1793
1795
|
if (c) {
|
|
1794
1796
|
s(c), e.unbind();
|
|
1795
1797
|
return;
|
|
1796
1798
|
}
|
|
1797
1799
|
d.on("searchEntry", function(y) {
|
|
1798
|
-
|
|
1800
|
+
f = le.searchResultToUser(y.pojo);
|
|
1799
1801
|
}), d.on("error", function(y) {
|
|
1800
1802
|
s(y), e.unbind();
|
|
1801
1803
|
}), d.on("end", function(y) {
|
|
1802
|
-
y.status != 0 ? s(new o(l.Connection, "LDAP onnection failed")) :
|
|
1804
|
+
y.status != 0 ? s(new o(l.Connection, "LDAP onnection failed")) : f ? i(f) : s(new o(l.UsernameOrPasswordInvalid)), e.unbind();
|
|
1803
1805
|
});
|
|
1804
1806
|
}
|
|
1805
1807
|
);
|
|
@@ -1842,7 +1844,7 @@ class Y extends L {
|
|
|
1842
1844
|
u(this, "useridForeignKeyColumn", "userid");
|
|
1843
1845
|
u(this, "forceIdToNumber", !0);
|
|
1844
1846
|
u(this, "dbPool");
|
|
1845
|
-
this.dbPool = e, w("userTable",
|
|
1847
|
+
this.dbPool = e, w("userTable", g.String, this, t, "USER_TABLE"), w("userSecretsTable", g.String, this, t, "USER_SECRETS_TABLE"), w("idColumn", g.String, this, t, "USER_ID_COLUMN"), w("forceIdToNumber", g.String, this, t, "USER_FORCE_ID_TO_NUMBER"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
|
|
1846
1848
|
}
|
|
1847
1849
|
/**
|
|
1848
1850
|
* Returns user matching the given id, or throws an exception.
|
|
@@ -1894,25 +1896,25 @@ class Y extends L {
|
|
|
1894
1896
|
let i = await this.dbPool.connect(), s, n, c = this.dbPool.parameters();
|
|
1895
1897
|
try {
|
|
1896
1898
|
await i.startTransaction();
|
|
1897
|
-
let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(),
|
|
1898
|
-
if (
|
|
1899
|
+
let d = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), f = await i.execute(d, [t]);
|
|
1900
|
+
if (f.length == 0)
|
|
1899
1901
|
throw new o(l.UserNotExist);
|
|
1900
|
-
let y,
|
|
1901
|
-
if (this.idColumn in
|
|
1902
|
+
let y, C, v;
|
|
1903
|
+
if (this.idColumn in f[0]) y = f[0][this.idColumn];
|
|
1902
1904
|
else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
|
|
1903
|
-
if ("username" in
|
|
1905
|
+
if ("username" in f[0]) C = f[0].username;
|
|
1904
1906
|
else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
|
|
1905
|
-
if ("state" in
|
|
1907
|
+
if ("state" in f[0]) v = f[0].state;
|
|
1906
1908
|
else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
|
|
1907
1909
|
if (s = {
|
|
1908
|
-
...
|
|
1910
|
+
...f[0],
|
|
1909
1911
|
id: y,
|
|
1910
|
-
username:
|
|
1912
|
+
username: C,
|
|
1911
1913
|
state: v
|
|
1912
1914
|
}, !s) throw new o(l.UserNotExist);
|
|
1913
|
-
if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(),
|
|
1915
|
+
if (c = this.dbPool.parameters(), d = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), f = await i.execute(d, [s.id]), f.length == 0)
|
|
1914
1916
|
throw new o(l.UserNotExist);
|
|
1915
|
-
if (
|
|
1917
|
+
if (f.length > 0 ? n = { userid: s.id, ...f[0] } : n = { userid: s.id }, !n) throw new o(l.UserNotExist);
|
|
1916
1918
|
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && s.state == k.awaitingTwoFactorSetup)
|
|
1917
1919
|
throw h.logger.debug(m({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
|
|
1918
1920
|
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && s.state == k.disabled)
|
|
@@ -1943,28 +1945,28 @@ class Y extends L {
|
|
|
1943
1945
|
let i = [], s = [], n = "", c = "", d = this.dbPool.parameters();
|
|
1944
1946
|
e && (c = "OFFSET " + d.nextParameter()), t && (s.push(t), n = "LIMIT " + d.nextParameter());
|
|
1945
1947
|
try {
|
|
1946
|
-
let
|
|
1948
|
+
let f = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(f, s);
|
|
1947
1949
|
if (y.length == 0)
|
|
1948
1950
|
throw new o(l.UserNotExist);
|
|
1949
|
-
for (let
|
|
1950
|
-
let v,
|
|
1951
|
-
if (this.idColumn in
|
|
1951
|
+
for (let C of y) {
|
|
1952
|
+
let v, p, T;
|
|
1953
|
+
if (this.idColumn in C) v = C[this.idColumn];
|
|
1952
1954
|
else throw new o(l.Configuration, "ID column " + this.idColumn + " not present in user table");
|
|
1953
|
-
if ("username" in
|
|
1955
|
+
if ("username" in C) p = C.username;
|
|
1954
1956
|
else throw new o(l.Configuration, "username column " + this.idColumn + " not present in user table");
|
|
1955
|
-
if ("state" in
|
|
1957
|
+
if ("state" in C) T = C.state;
|
|
1956
1958
|
else throw new o(l.Configuration, "state column " + this.idColumn + " not present in user table");
|
|
1957
1959
|
let E = {
|
|
1958
|
-
...
|
|
1960
|
+
...C,
|
|
1959
1961
|
id: v,
|
|
1960
|
-
username:
|
|
1962
|
+
username: p,
|
|
1961
1963
|
state: T
|
|
1962
1964
|
};
|
|
1963
1965
|
i.push(E);
|
|
1964
1966
|
}
|
|
1965
1967
|
return i;
|
|
1966
|
-
} catch (
|
|
1967
|
-
throw
|
|
1968
|
+
} catch (f) {
|
|
1969
|
+
throw f;
|
|
1968
1970
|
} finally {
|
|
1969
1971
|
r.release();
|
|
1970
1972
|
}
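Review bot: The query built at `let f = \`select * from ${this.userTable} ${n} ${c} order by username_normalized asc\`` puts `LIMIT`/`OFFSET` before `ORDER BY`, which PostgreSQL, MySQL and SQLite all reject, so every paginated listing fails. Independently, the pre-existing line `e && (c = "OFFSET " + d.nextParameter())` reserves a placeholder for the offset but never pushes `e` onto `s`, so when an offset is supplied the bound parameter list is one value short. Emit the clauses in SQL order and bind both values in the same order, so it works whether placeholders are positional or numbered: `t && (s.push(t), n = "LIMIT " + d.nextParameter()), e && (s.push(e), c = "OFFSET " + d.nextParameter());` and `let f = \`select * from ${this.userTable} order by username_normalized asc ${n} ${c}\`, y = await r.execute(f, s);`. The enclosing method's signature is above the hunk, so I cannot see whether `e` and `t` are validated as numbers before reaching this code.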
|
|
@@ -1989,23 +1991,23 @@ class Y extends L {
|
|
|
1989
1991
|
throw new o(l.UserNotExist);
|
|
1990
1992
|
let c = { ...e }, d = t ? { ...t } : void 0;
|
|
1991
1993
|
"email" in c && c.email && (c = { email_normalized: this.normalizeEmail ? Y.normalize(c.email) : c.email, ...c }), "username" in c && c.username && (c = { username_normalized: this.normalizeUsername ? Y.normalize(c.username) : c.username, ...c }), i = this.dbPool.parameters();
|
|
1992
|
-
let
|
|
1993
|
-
for (let
|
|
1994
|
-
c[
|
|
1995
|
-
if (
|
|
1996
|
-
let
|
|
1994
|
+
let f = [], y = [];
|
|
1995
|
+
for (let C in c)
|
|
1996
|
+
c[C] != null && C != "id" && (f.push(C + "= " + i.nextParameter()), y.push(c[C]));
|
|
1997
|
+
if (f.length > 0) {
|
|
1998
|
+
let C = f.join(", ");
|
|
1997
1999
|
y.push(e.id);
|
|
1998
|
-
let v = `update ${this.userTable} set ${
|
|
2000
|
+
let v = `update ${this.userTable} set ${C} where ${this.idColumn} = ` + i.nextParameter();
|
|
1999
2001
|
await r.execute(v, y);
|
|
2000
2002
|
}
|
|
2001
2003
|
if (t) {
|
|
2002
|
-
|
|
2003
|
-
for (let
|
|
2004
|
-
d[
|
|
2005
|
-
if (
|
|
2006
|
-
let
|
|
2004
|
+
f = [], y = [], i = this.dbPool.parameters();
|
|
2005
|
+
for (let C in d)
|
|
2006
|
+
d[C] != null && C != "userid" && (f.push(C + "= " + i.nextParameter()), y.push(d[C]));
|
|
2007
|
+
if (f.length > 0) {
|
|
2008
|
+
let C = f.join(", ");
|
|
2007
2009
|
y.push(e.id);
|
|
2008
|
-
let v = `update ${this.userSecretsTable} set ${
|
|
2010
|
+
let v = `update ${this.userSecretsTable} set ${C} where userid = ` + i.nextParameter();
|
|
2009
2011
|
await r.execute(v, y);
|
|
2010
2012
|
}
|
|
2011
2013
|
}
|
|
@@ -2034,27 +2036,27 @@ class Y extends L {
|
|
|
2034
2036
|
await r.startTransaction();
|
|
2035
2037
|
let s = { ...e }, n = t ? { ...t } : void 0;
|
|
2036
2038
|
"email" in s && s.email && (s = { email_normalized: this.normalizeEmail ? Y.normalize(s.email) : s.email, ...s }), "username" in s && s.username && (s = { username_normalized: this.normalizeUsername ? Y.normalize(s.username) : s.username, ...s });
|
|
2037
|
-
let c = [], d = [],
|
|
2039
|
+
let c = [], d = [], f = [];
|
|
2038
2040
|
const y = this.dbPool.parameters();
|
|
2039
2041
|
for (let v in s)
|
|
2040
|
-
s[v] != null && v != "id" && (c.push(v), d.push(y.nextParameter()),
|
|
2042
|
+
s[v] != null && v != "id" && (c.push(v), d.push(y.nextParameter()), f.push(s[v]));
|
|
2041
2043
|
if (c.length > 0) {
|
|
2042
|
-
let v = c.join(", "),
|
|
2043
|
-
const T = `insert into ${this.userTable} (${v}) values (${
|
|
2044
|
+
let v = c.join(", "), p = d.join(", ");
|
|
2045
|
+
const T = `insert into ${this.userTable} (${v}) values (${p}) returning ${this.idColumn}`, E = await r.execute(T, f);
|
|
2044
2046
|
if (E.length == 0 || !E[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
|
|
2045
2047
|
i = E[0][this.idColumn];
|
|
2046
2048
|
}
|
|
2047
2049
|
if (!i) throw new o(l.Connection, "Couldn't create user");
|
|
2048
2050
|
if (t) {
|
|
2049
|
-
c = [], d = [],
|
|
2051
|
+
c = [], d = [], f = [];
|
|
2050
2052
|
const v = this.dbPool.parameters();
|
|
2051
|
-
c.push("userid"), d.push(v.nextParameter()),
|
|
2052
|
-
for (let
|
|
2053
|
-
n[
|
|
2053
|
+
c.push("userid"), d.push(v.nextParameter()), f.push(i);
|
|
2054
|
+
for (let p in n)
|
|
2055
|
+
n[p] != null && p != "userid" && (c.push(p), d.push(v.nextParameter()), f.push(n[p]));
|
|
2054
2056
|
if (c.length > 0) {
|
|
2055
|
-
let
|
|
2056
|
-
const E = `insert into ${this.userSecretsTable} (${
|
|
2057
|
-
h.logger.debug(m({ msg: "Executing query", query: E })), await r.execute(E,
|
|
2057
|
+
let p = c.join(", "), T = d.join(", ");
|
|
2058
|
+
const E = `insert into ${this.userSecretsTable} (${p}) values (${T})`;
|
|
2059
|
+
h.logger.debug(m({ msg: "Executing query", query: E })), await r.execute(E, f);
|
|
2058
2060
|
}
|
|
2059
2061
|
}
|
|
2060
2062
|
return await r.commit(), (await this.getUserById(i)).user;
|
|
@@ -2113,7 +2115,7 @@ class Qe extends z {
|
|
|
2113
2115
|
u(this, "keyTable", "keys");
|
|
2114
2116
|
u(this, "dbPool");
|
|
2115
2117
|
u(this, "useridForeignKeyColumn", "userid");
|
|
2116
|
-
w("transactionTimeout",
|
|
2118
|
+
w("transactionTimeout", g.Number, this, t, "TRANSACTION_TIMEOUT"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
|
|
2117
2119
|
}
|
|
2118
2120
|
async getKey(e) {
|
|
2119
2121
|
const t = await this.dbPool.connect();
|
|
@@ -2160,17 +2162,17 @@ class Qe extends z {
|
|
|
2160
2162
|
* @throws {@link @crossauth/common!CrossauthError } if the key could not be stored.
|
|
2161
2163
|
*/
|
|
2162
2164
|
async saveKey(e, t, r, i, s, n = {}) {
|
|
2163
|
-
let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"],
|
|
2165
|
+
let c, d = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], f = this.dbPool.parameters(), y = [];
|
|
2164
2166
|
for (let E = 0; E < 5; ++E)
|
|
2165
|
-
y.push(
|
|
2166
|
-
let
|
|
2167
|
+
y.push(f.nextParameter());
|
|
2168
|
+
let C = [e ?? null, t, r, i ?? null, s ?? ""];
|
|
2167
2169
|
for (let E in n)
|
|
2168
|
-
d.push(E), y.push(
|
|
2169
|
-
let v = d.join(", "),
|
|
2170
|
+
d.push(E), y.push(f.nextParameter()), C.push(n[E]);
|
|
2171
|
+
let v = d.join(", "), p = y.join(", ");
|
|
2170
2172
|
const T = await this.dbPool.connect();
|
|
2171
2173
|
try {
|
|
2172
|
-
const E = `insert into ${this.keyTable} (${v}) values (${
|
|
2173
|
-
await T.execute(E,
|
|
2174
|
+
const E = `insert into ${this.keyTable} (${v}) values (${p})`;
|
|
2175
|
+
await T.execute(E, C);
|
|
2174
2176
|
} catch (E) {
|
|
2175
2177
|
o.asCrossauthError(E).code == l.ConstraintViolation ? (h.logger.warn(m({ msg: "Attempt to create key that already exists. Stack trace follows" })), h.logger.debug(m({ err: E })), c = new o(l.KeyExists)) : (h.logger.debug(m({ err: E })), c = new o(l.Connection, "Error saving key"));
|
|
2176
2178
|
} finally {
|
|
@@ -2193,11 +2195,11 @@ class Qe extends z {
|
|
|
2193
2195
|
try {
|
|
2194
2196
|
let s, n = [], c = "", d = this.dbPool.parameters();
|
|
2195
2197
|
if (e) {
|
|
2196
|
-
const
|
|
2197
|
-
s = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${
|
|
2198
|
+
const f = d.nextParameter(), y = d.nextParameter();
|
|
2199
|
+
s = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${f} and value like ${y} `, n = [e];
|
|
2198
2200
|
} else {
|
|
2199
|
-
const
|
|
2200
|
-
s = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${
|
|
2201
|
+
const f = d.nextParameter();
|
|
2202
|
+
s = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${f}`;
|
|
2201
2203
|
}
|
|
2202
2204
|
n.push(t + "%"), r && (c = "and value != " + d.nextParameter(), n.push(r)), s += " " + c, h.logger.debug(m({ msg: "Executing query", query: s })), await i.execute(s, n);
|
|
2203
2205
|
} catch (s) {
|
|
@@ -2212,8 +2214,8 @@ class Qe extends z {
|
|
|
2212
2214
|
let r = [], i = [];
|
|
2213
2215
|
const s = this.dbPool.parameters();
|
|
2214
2216
|
for (let d in e) {
|
|
2215
|
-
let
|
|
2216
|
-
e[d] == null ? r.push(
|
|
2217
|
+
let f = d == "userid" ? this.useridForeignKeyColumn : d;
|
|
2218
|
+
e[d] == null ? r.push(f + " is null") : (r.push(f + " = " + s.nextParameter()), i.push(e[d]));
|
|
2217
2219
|
}
|
|
2218
2220
|
let n = r.join(" and "), c = `delete from ${this.keyTable} where ${n}`;
|
|
2219
2221
|
await t.execute(c, i);
|
|
@@ -2252,8 +2254,8 @@ class Qe extends z {
|
|
|
2252
2254
|
if (c.length == 0)
|
|
2253
2255
|
return [];
|
|
2254
2256
|
for (let d of c) {
|
|
2255
|
-
let
|
|
2256
|
-
this.useridForeignKeyColumn != "userid" && (
|
|
2257
|
+
let f = this.makeKey(d);
|
|
2258
|
+
this.useridForeignKeyColumn != "userid" && (f.userid = f[this.useridForeignKeyColumn], delete f[this.useridForeignKeyColumn]), r.push(f);
|
|
2257
2259
|
}
|
|
2258
2260
|
return r;
|
|
2259
2261
|
} catch (r) {
|
|
@@ -2365,7 +2367,7 @@ class et extends ye {
|
|
|
2365
2367
|
u(this, "validFlowTable", "oauthclientvalidflow");
|
|
2366
2368
|
u(this, "dbPool");
|
|
2367
2369
|
u(this, "useridForeignKeyColumn", "userid");
|
|
2368
|
-
w("clientTable",
|
|
2370
|
+
w("clientTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), w("redirectUriTable", g.String, this, t, "OAUTH_REDIRECTURI_TABLE"), w("validFlowTable", g.String, this, t, "OAUTH_VALID_FLOW_TABLE"), w("updateMode", g.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2369
2371
|
}
|
|
2370
2372
|
async getClientById(e) {
|
|
2371
2373
|
let t = await this.dbPool.connect();
|
|
@@ -2408,12 +2410,12 @@ class et extends ye {
|
|
|
2408
2410
|
};
|
|
2409
2411
|
}
|
|
2410
2412
|
async getClientWithTransaction(e, t, r, i, s, n) {
|
|
2411
|
-
let c = [], d = this.dbPool.parameters(),
|
|
2412
|
-
t && r && (
|
|
2413
|
-
let v = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `,
|
|
2414
|
-
t && r && (
|
|
2413
|
+
let c = [], d = this.dbPool.parameters(), f = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, C = "";
|
|
2414
|
+
t && r && (C = `where c.${t} = ` + d.nextParameter(), f.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), f.push(i)));
|
|
2415
|
+
let v = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, p = "";
|
|
2416
|
+
t && r && (p = `where c.${t} = ` + d.nextParameter(), f.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), f.push(i))), n && (s || (s = 0), s = Number(s), n = Number(n), C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${s})`, p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${s})`), y += C, v += p;
|
|
2415
2417
|
let T = y + " union " + v + " order by client_id";
|
|
2416
|
-
const E = await e.execute(T,
|
|
2418
|
+
const E = await e.execute(T, f);
|
|
2417
2419
|
let A;
|
|
2418
2420
|
for (let j of E)
|
|
2419
2421
|
(!A || j.client_id != A.client_id) && (A && c.push(A), A = this.makeClient(j), A.valid_flow = [], A.redirect_uri = []), j.uri && A.redirect_uri.push(j.uri), j.flow && A.valid_flow.push(j.flow);
|
|
@@ -2441,45 +2443,45 @@ class et extends ye {
|
|
|
2441
2443
|
async createClientWithTransaction(e, t) {
|
|
2442
2444
|
const { redirect_uri: r, valid_flow: i, userid: s, ...n } = t;
|
|
2443
2445
|
if (s && (n[this.useridForeignKeyColumn] = s), r)
|
|
2444
|
-
for (let
|
|
2445
|
-
if (r[
|
|
2446
|
+
for (let p = 0; p < r.length; ++p) {
|
|
2447
|
+
if (r[p].includes("#")) throw new o(l.InvalidRedirectUri, "Redirect Uri's may not contain page fragments");
|
|
2446
2448
|
try {
|
|
2447
|
-
new URL(r[
|
|
2449
|
+
new URL(r[p]);
|
|
2448
2450
|
} catch {
|
|
2449
|
-
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[
|
|
2451
|
+
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[p]} is not valid`);
|
|
2450
2452
|
}
|
|
2451
2453
|
}
|
|
2452
2454
|
if (i) {
|
|
2453
|
-
for (let
|
|
2454
|
-
if (!U.isValidFlow(i[
|
|
2455
|
+
for (let p = 0; p < i.length; ++p)
|
|
2456
|
+
if (!U.isValidFlow(i[p])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[p]);
|
|
2455
2457
|
}
|
|
2456
|
-
let c = [], d = [],
|
|
2458
|
+
let c = [], d = [], f = [], y = this.dbPool.parameters();
|
|
2457
2459
|
try {
|
|
2458
|
-
for (let
|
|
2459
|
-
c.push(
|
|
2460
|
+
for (let p in n)
|
|
2461
|
+
c.push(p), d.push(y.nextParameter()), f.push(n[p]);
|
|
2460
2462
|
if (c.length > 0) {
|
|
2461
|
-
let
|
|
2462
|
-
const E = `insert into ${this.clientTable} (${
|
|
2463
|
-
await e.execute(E,
|
|
2463
|
+
let p = c.join(", "), T = d.join(", ");
|
|
2464
|
+
const E = `insert into ${this.clientTable} (${p}) values (${T})`;
|
|
2465
|
+
await e.execute(E, f);
|
|
2464
2466
|
}
|
|
2465
|
-
} catch (
|
|
2466
|
-
throw typeof
|
|
2467
|
+
} catch (p) {
|
|
2468
|
+
throw typeof p == "object" && p != null && "code" in p && typeof p.code == "string" && (p.code.startsWith("22") || p.code.startsWith("23")) ? (h.logger.debug(m({ err: p })), new o(l.InvalidClientId, "Attempt to create an OAuth client with a client_id that already exists. Maximum attempts failed")) : (h.logger.debug(m({ err: p })), new o(l.Connection, "Error saving OAuth client"));
|
|
2467
2469
|
}
|
|
2468
|
-
let
|
|
2469
|
-
if (
|
|
2470
|
+
let C = await this.getClientWithTransaction(e, "client_id", t.client_id, t.userid);
|
|
2471
|
+
if (C.length == 0)
|
|
2470
2472
|
throw h.logger.error(m({ msg: "Attempt to create key that already exists. Stack trace follows" })), new o(l.KeyExists);
|
|
2471
|
-
let v =
|
|
2473
|
+
let v = C[0];
|
|
2472
2474
|
if (r)
|
|
2473
|
-
for (let
|
|
2474
|
-
|
|
2475
|
+
for (let p = 0; p < r.length; ++p) {
|
|
2476
|
+
f = [], y = this.dbPool.parameters();
|
|
2475
2477
|
let T = `insert into ${this.redirectUriTable} (client_id, uri) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
|
|
2476
|
-
|
|
2478
|
+
f.push(v.client_id), f.push(r[p]), await e.execute(T, f);
|
|
2477
2479
|
}
|
|
2478
2480
|
if (i)
|
|
2479
|
-
for (let
|
|
2480
|
-
|
|
2481
|
+
for (let p = 0; p < i.length; ++p) {
|
|
2482
|
+
f = [], y = this.dbPool.parameters();
|
|
2481
2483
|
let T = `insert into ${this.validFlowTable} (client_id, flow) values (` + y.nextParameter() + ", " + y.nextParameter() + ")";
|
|
2482
|
-
|
|
2484
|
+
f.push(v.client_id), f.push(i[p]), await e.execute(T, f);
|
|
2483
2485
|
}
|
|
2484
2486
|
return { ...v, redirect_uri: r, valid_flow: i };
|
|
2485
2487
|
}
|
|
@@ -2541,27 +2543,27 @@ class et extends ye {
|
|
|
2541
2543
|
if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
|
|
2542
2544
|
let { client_id: s, redirect_uri: n, valid_flow: c, ...d } = t;
|
|
2543
2545
|
n || (n = []), c || (c = []);
|
|
2544
|
-
let
|
|
2545
|
-
await e.execute(y, [t.client_id]),
|
|
2546
|
-
let
|
|
2547
|
-
|
|
2546
|
+
let f = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + f.nextParameter();
|
|
2547
|
+
await e.execute(y, [t.client_id]), f = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + f.nextParameter(), await e.execute(y, [t.client_id]);
|
|
2548
|
+
let C = [], v = [], p = [];
|
|
2549
|
+
f = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + f.nextParameter();
|
|
2548
2550
|
for (let T in d)
|
|
2549
|
-
|
|
2550
|
-
if (
|
|
2551
|
-
let T =
|
|
2552
|
-
y = `update ${this.clientTable} set (${T}) values (${E})`, await e.execute(y,
|
|
2551
|
+
C.push(T), v.push(f.nextParameter()), p.push(d[T]);
|
|
2552
|
+
if (C.length > 0) {
|
|
2553
|
+
let T = C.join(", "), E = v.join(", ");
|
|
2554
|
+
y = `update ${this.clientTable} set (${T}) values (${E})`, await e.execute(y, p);
|
|
2553
2555
|
}
|
|
2554
2556
|
if (n)
|
|
2555
2557
|
for (let T = 0; T < n.length; ++T) {
|
|
2556
|
-
|
|
2557
|
-
let E = `insert into ${this.redirectUriTable} (client_id, uri) values (` +
|
|
2558
|
-
|
|
2558
|
+
p = [], f = this.dbPool.parameters();
|
|
2559
|
+
let E = `insert into ${this.redirectUriTable} (client_id, uri) values (` + f.nextParameter() + ", " + f.nextParameter() + ")";
|
|
2560
|
+
p.push(t.client_id), p.push(n[T]), await e.execute(E, p);
|
|
2559
2561
|
}
|
|
2560
2562
|
if (c)
|
|
2561
2563
|
for (let T = 0; T < c.length; ++T) {
|
|
2562
|
-
|
|
2563
|
-
let E = `insert into ${this.validFlowTable} (client_id, flow) values (` +
|
|
2564
|
-
|
|
2564
|
+
p = [], f = this.dbPool.parameters();
|
|
2565
|
+
let E = `insert into ${this.validFlowTable} (client_id, flow) values (` + f.nextParameter() + ", " + f.nextParameter() + ")";
|
|
2566
|
+
p.push(t.client_id), p.push(c[T]), await e.execute(E, p);
|
|
2565
2567
|
}
|
|
2566
2568
|
}
|
|
2567
2569
|
async getClients(e, t, r) {
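Review bot: The client update built at `y = \`update ${this.clientTable} set (${T}) values (${E})\`` has no `WHERE` clause and uses `set (cols) values (...)`, which is not valid `UPDATE` syntax in PostgreSQL, MySQL or SQLite; on a database that rejects it every client update fails, and on any dialect that accepted it the statement would overwrite every row of the client table with this client's fields. The second `delete from ${this.validFlowTable}` assigned to `y` just before the loop is never executed, but its `f.nextParameter()` has already consumed a placeholder, so the `set` placeholders start at the wrong index for numbered-parameter dialects. Rewrite the field update as a keyed `UPDATE` with a fresh parameter set, as below; the create path also maps `userid` to `this.useridForeignKeyColumn` while this path does not, which is a separate inconsistency. The enclosing method's signature lies above the hunk.
```javascript
// … unchanged: delete existing redirect_uri and valid_flow rows for t.client_id …
let C = [], p = [];
f = this.dbPool.parameters();
for (let T in d)
  C.push(T + " = " + f.nextParameter()), p.push(d[T]);
if (C.length > 0) {
  p.push(t.client_id);
  y = `update ${this.clientTable} set ${C.join(", ")} where client_id = ` + f.nextParameter();
  await e.execute(y, p);
}
// … unchanged: re-insert redirect_uri and valid_flow rows …
```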
|
|
@@ -2588,14 +2590,14 @@ class tt extends pe {
|
|
|
2588
2590
|
u(this, "authorizationTable", "oauthauthorization");
|
|
2589
2591
|
u(this, "useridForeignKeyColumn", "userid");
|
|
2590
2592
|
u(this, "dbPool");
|
|
2591
|
-
w("authorizationTable",
|
|
2593
|
+
w("authorizationTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), w("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2592
2594
|
}
|
|
2593
2595
|
async getAuthorizations(e, t) {
|
|
2594
2596
|
let r = await this.dbPool.connect();
|
|
2595
2597
|
try {
|
|
2596
2598
|
const i = this.dbPool.parameters(), s = [];
|
|
2597
2599
|
let n = `select scope from ${this.authorizationTable} where client_id = ` + i.nextParameter();
|
|
2598
|
-
return s.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), s.push(t)), (await r.execute(n, s)).map((
|
|
2600
|
+
return s.push(e), t === null ? n += ` and ${this.useridForeignKeyColumn} is null` : t && (n += ` and ${this.useridForeignKeyColumn} = ` + i.nextParameter(), s.push(t)), (await r.execute(n, s)).map((f) => f.scope);
|
|
2599
2601
|
} catch (i) {
|
|
2600
2602
|
throw i;
|
|
2601
2603
|
} finally {
|
|
@@ -2918,21 +2920,21 @@ const ve = process.env.PBKDF2_DIGEST || "sha256", _e = Number(process.env.PBKDF2
|
|
|
2918
2920
|
t || (t = q.randomSalt());
|
|
2919
2921
|
let s = r != null, n = s ? t + "!" + r : t;
|
|
2920
2922
|
i == null && (i = !1);
|
|
2921
|
-
let
|
|
2923
|
+
let f = (await He(ze)(
|
|
2922
2924
|
a,
|
|
2923
2925
|
n,
|
|
2924
2926
|
e.iterations ?? _e,
|
|
2925
2927
|
e.keyLen ?? ke,
|
|
2926
2928
|
e.digest ?? ve
|
|
2927
2929
|
)).toString("base64url");
|
|
2928
|
-
return i && (
|
|
2929
|
-
|
|
2930
|
+
return i && (f = this.encodePasswordHash(
|
|
2931
|
+
f,
|
|
2930
2932
|
t,
|
|
2931
2933
|
s,
|
|
2932
2934
|
e.iterations ?? _e,
|
|
2933
2935
|
e.keyLen ?? ke,
|
|
2934
2936
|
e.digest ?? ve
|
|
2935
|
-
)),
|
|
2937
|
+
)), f;
|
|
2936
2938
|
}
|
|
2937
2939
|
/**
|
|
2938
2940
|
* For creating non-JWT tokens (eg password reset tokens.) The
|
|
@@ -3092,7 +3094,7 @@ const ce = class ce extends Ie {
|
|
|
3092
3094
|
u(this, "pbkdf2KeyLength", 32);
|
|
3093
3095
|
/** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn} */
|
|
3094
3096
|
u(this, "validatePasswordFn", lt);
|
|
3095
|
-
w("secret",
|
|
3097
|
+
w("secret", g.String, this, t, "HASHER_SECRET"), w("enableSecretForPasswordHash", g.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), w("pbkdf2Digest", g.String, this, t, "PASSWORD_PBKDF2_DIGEST"), w("pbkdf2Iterations", g.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), w("pbkdf2SaltLength", g.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), w("pbkdf2KeyLength", g.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
|
|
3096
3098
|
}
|
|
3097
3099
|
/**
|
|
3098
3100
|
* Authenticates the user, returning a the user as a {@link User} object.
|
|
@@ -3246,7 +3248,7 @@ class X extends ae {
|
|
|
3246
3248
|
u(this, "smtpPassword");
|
|
3247
3249
|
u(this, "emailAuthenticatorTokenExpires", 60 * 5);
|
|
3248
3250
|
u(this, "render");
|
|
3249
|
-
w("views",
|
|
3251
|
+
w("views", g.String, this, e, "VIEWS"), w("emailAuthenticatorTextBody", g.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), w("emailAuthenticatorHtmlBody", g.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), w("emailAuthenticatorSubject", g.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), w("emailFrom", g.String, this, e, "EMAIL_FROM", !0), w("smtpHost", g.String, this, e, "SMTP_HOST", !0), w("smtpPort", g.Number, this, e, "SMTP_PORT"), w("smtpUsername", g.String, this, e, "SMTP_USERNAME"), w("smtpPassword", g.String, this, e, "SMTP_PASSWORD"), w("smtpUseTls", g.Boolean, this, e, "SMTP_USE_TLS"), w("emailAuthenticatorTokenExpires", g.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3250
3252
|
}
|
|
3251
3253
|
/**
|
|
3252
3254
|
* Used by the OAuth password_mfa grant type.
|
|
@@ -3455,7 +3457,7 @@ class ee extends ae {
|
|
|
3455
3457
|
u(this, "smsAuthenticatorFrom", "");
|
|
3456
3458
|
u(this, "smsAuthenticatorTokenExpires", 60 * 5);
|
|
3457
3459
|
u(this, "render");
|
|
3458
|
-
w("views",
|
|
3460
|
+
w("views", g.String, this, e, "VIEWS"), w("smsAuthenticatorBody", g.String, this, e, "SMS_AUTHENTICATOR_BODY"), w("smsAuthenticatorFrom", g.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), w("smsAuthenticatorTokenExpires", g.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3459
3461
|
}
|
|
3460
3462
|
/**
|
|
3461
3463
|
* Used by the OAuth password_mfa grant type.
|
|
@@ -3496,7 +3498,7 @@ class ee extends ae {
|
|
|
3496
3498
|
otp: t
|
|
3497
3499
|
};
|
|
3498
3500
|
let d = { otp: t };
|
|
3499
|
-
const
|
|
3501
|
+
const f = this.render ? this.render(this.smsAuthenticatorBody, d) : W.render(this.smsAuthenticatorBody, d), y = this.sendSms(r, f);
|
|
3500
3502
|
return h.logger.info(m({
|
|
3501
3503
|
msg: "Sent factor otp sms",
|
|
3502
3504
|
smsMessageId: y,
|
|
@@ -3847,7 +3849,7 @@ class $t extends Ie {
|
|
|
3847
3849
|
u(this, "ldapAutoCreateAccount", !1);
|
|
3848
3850
|
u(this, "ldapStorage");
|
|
3849
3851
|
u(this, "ldapAutoCreateFactor1", "ldap");
|
|
3850
|
-
w("ldapAutoCreateAccount",
|
|
3852
|
+
w("ldapAutoCreateAccount", g.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), w("ldapAutoCreateFactor1", g.Boolean, this, t, "LDAP_AUTO_CREATE_FACTOR1"), this.ldapStorage = e;
|
|
3851
3853
|
}
|
|
3852
3854
|
/**
|
|
3853
3855
|
* Authenticates the user, returning a the user as a {@link User} object.
|
|
@@ -4148,7 +4150,7 @@ class D {
|
|
|
4148
4150
|
u(this, "verifyEmailExpires", 60 * 60 * 24);
|
|
4149
4151
|
u(this, "passwordResetExpires", 60 * 60 * 24);
|
|
4150
4152
|
u(this, "render");
|
|
4151
|
-
this.userStorage = a, this.keyStorage = e, w("siteUrl",
|
|
4153
|
+
this.userStorage = a, this.keyStorage = e, w("siteUrl", g.String, this, t, "SITE_URL", !0), w("prefix", g.String, this, t, "PREFIX"), w("views", g.String, this, t, "VIEWS"), w("emailVerificationTextBody", g.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), w("emailVerificationHtmlBody", g.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), w("emailVerificationSubject", g.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), w("passwordResetTextBody", g.String, this, t, "PASSWORD_RESET_TEXT_BODY"), w("passwordResetHtmlBody", g.String, this, t, "PASSWORD_RESET_HTML_BODY"), w("passwordResetSubject", g.String, this, t, "PASSWORD_RESET_SUBJECT"), w("emailFrom", g.String, this, t, "EMAIL_FROM", !0), w("smtpHost", g.String, this, t, "SMTP_HOST", !0), w("smtpPort", g.Number, this, t, "SMTP_PORT"), w("smtpUsername", g.String, this, t, "SMTP_USERNAME"), w("smtpPassword", g.String, this, t, "SMTP_PASSWORD"), w("smtpUseTls", g.Boolean, this, t, "SMTP_USE_TLS"), w("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), w("passwordResetExpires", g.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
|
|
4152
4154
|
}
|
|
4153
4155
|
createEmailer() {
|
|
4154
4156
|
let a = {};
|
|
@@ -4392,7 +4394,7 @@ class ct {
|
|
|
4392
4394
|
u(this, "sameSite", "lax");
|
|
4393
4395
|
// hasher settings
|
|
4394
4396
|
u(this, "secret", "");
|
|
4395
|
-
w("headerName",
|
|
4397
|
+
w("headerName", g.String, this, a, "CSRF_HEADER_NAME"), w("cookieName", g.String, this, a, "CSRF_COOKIE_NAME"), w("domain", g.String, this, a, "CSRF_COOKIE_DOMAIN"), w("httpOnly", g.Boolean, this, a, "CSRF_COOKIE_HTTPONLY"), w("path", g.String, this, a, "CSRF_COOKIE_PATH"), w("secure", g.Boolean, this, a, "CSRF_COOKIE_SECURE"), w("sameSite", g.String, this, a, "CSRF_COOKIE_SAMESITE"), w("secret", g.String, this, a, "SECRET", !0);
|
|
4396
4398
|
}
|
|
4397
4399
|
/**
|
|
4398
4400
|
* Creates a session key and saves in storage
|
|
@@ -4514,7 +4516,7 @@ class x {
|
|
|
4514
4516
|
u(this, "sameSite", "lax");
|
|
4515
4517
|
// hasher settings
|
|
4516
4518
|
u(this, "secret", "");
|
|
4517
|
-
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = a, w("idleTimeout",
|
|
4519
|
+
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = a, w("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), w("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, w("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), w("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), w("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), w("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), w("path", g.String, this, e, "SESSION_COOKIE_PATH"), w("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), w("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), w("secret", g.String, this, e, "SECRET", !0);
|
|
4518
4520
|
}
|
|
4519
4521
|
expiry(a) {
|
|
4520
4522
|
let e;
|
|
@@ -4554,13 +4556,13 @@ class x {
|
|
|
4554
4556
|
const d = x.hashSessionId(i);
|
|
4555
4557
|
try {
|
|
4556
4558
|
this.idleTimeout > 0 && a && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(a, d, s, n, void 0, e), c = !0;
|
|
4557
|
-
} catch (
|
|
4558
|
-
let y = o.asCrossauthError(
|
|
4559
|
+
} catch (f) {
|
|
4560
|
+
let y = o.asCrossauthError(f);
|
|
4559
4561
|
if (y.code == l.KeyExists || y.code == l.InvalidKey) {
|
|
4560
4562
|
if (r++, i = _.randomValue(Ue), r > 10)
|
|
4561
4563
|
throw h.logger.error(m({ msg: "Max attempts exceeded trying to create session ID" })), new o(l.KeyExists);
|
|
4562
4564
|
} else
|
|
4563
|
-
throw h.logger.debug(m({ err:
|
|
4565
|
+
throw h.logger.debug(m({ err: f })), f;
|
|
4564
4566
|
}
|
|
4565
4567
|
}
|
|
4566
4568
|
return {
|
|
@@ -4695,7 +4697,7 @@ class Jt {
|
|
|
4695
4697
|
t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = a, this.authenticators = e;
|
|
4696
4698
|
for (let r in this.authenticators)
|
|
4697
4699
|
this.authenticators[r].factorName = r;
|
|
4698
|
-
if (this.session = new x(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new ct({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), w("allowedFactor2",
|
|
4700
|
+
if (this.session = new x(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new ct({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), w("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), w("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), w("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
|
|
4699
4701
|
let r = this.keyStorage;
|
|
4700
4702
|
t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new D(this.userStorage, r, t);
|
|
4701
4703
|
}
|
|
@@ -4768,8 +4770,8 @@ class Jt {
|
|
|
4768
4770
|
}
|
|
4769
4771
|
if (v.username == "") throw new o(l.UserNotExist);
|
|
4770
4772
|
await this.authenticators[(i == null ? void 0 : i.factor1) ?? c].authenticateUser(v, n, e);
|
|
4771
|
-
let
|
|
4772
|
-
n =
|
|
4773
|
+
let p = await this.userStorage.getUserByUsername(a, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
|
|
4774
|
+
n = p.secrets, i = p.user;
|
|
4773
4775
|
}
|
|
4774
4776
|
let d;
|
|
4775
4777
|
if (i.state == k.passwordChangeNeeded)
|
|
@@ -4783,7 +4785,7 @@ class Jt {
|
|
|
4783
4785
|
const v = await this.session.createSessionKey(i.id, t);
|
|
4784
4786
|
d = this.session.makeCookie(v, r);
|
|
4785
4787
|
}
|
|
4786
|
-
const
|
|
4788
|
+
const f = this.csrfTokens.createCsrfToken(), y = this.csrfTokens.makeCsrfCookie(f), C = this.csrfTokens.makeCsrfFormOrHeaderToken(f);
|
|
4787
4789
|
try {
|
|
4788
4790
|
this.emailTokenStorage.deleteAllForUser(
|
|
4789
4791
|
i.id,
|
|
@@ -4795,7 +4797,7 @@ class Jt {
|
|
|
4795
4797
|
return {
|
|
4796
4798
|
sessionCookie: d,
|
|
4797
4799
|
csrfCookie: y,
|
|
4798
|
-
csrfFormOrHeaderValue:
|
|
4800
|
+
csrfFormOrHeaderValue: C,
|
|
4799
4801
|
user: i,
|
|
4800
4802
|
secrets: n
|
|
4801
4803
|
};
|
|
@@ -5109,10 +5111,10 @@ class Jt {
|
|
|
5109
5111
|
*/
|
|
5110
5112
|
async repeatTwoFactorSignup(a) {
|
|
5111
5113
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
|
|
5112
|
-
const e = (await this.dataForSessionId(a))["2fa"], t = e.username, r = e.factor2, i = x.hashSessionId(a), s = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, s), d = c == null ? {} : c.userData,
|
|
5114
|
+
const e = (await this.dataForSessionId(a))["2fa"], t = e.username, r = e.factor2, i = x.hashSessionId(a), s = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, s), d = c == null ? {} : c.userData, f = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
|
|
5113
5115
|
y && await this.keyStorage.updateData(i, "2fa", y);
|
|
5114
|
-
const { user:
|
|
5115
|
-
return { userid:
|
|
5116
|
+
const { user: C } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
|
|
5117
|
+
return { userid: C.id, userData: d, secrets: f };
|
|
5116
5118
|
}
|
|
5117
5119
|
/**
|
|
5118
5120
|
* Authenticates with the second factor.
|
|
@@ -5125,7 +5127,7 @@ class Jt {
|
|
|
5125
5127
|
* @throws {@link @crossauth/common!CrossauthError} if authentication fails.
|
|
5126
5128
|
*/
|
|
5127
5129
|
async completeTwoFactorSetup(a, e) {
|
|
5128
|
-
var
|
|
5130
|
+
var C;
|
|
5129
5131
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call completeTwoFactorSetup if no user storage provided");
|
|
5130
5132
|
let { user: t, key: r } = await this.session.getUserForSessionId(e, {
|
|
5131
5133
|
skipActiveCheck: !0
|
|
@@ -5142,14 +5144,14 @@ class Jt {
|
|
|
5142
5144
|
for (let v in i)
|
|
5143
5145
|
d.includes(v) && (c[v] = i[v]);
|
|
5144
5146
|
if (await n.authenticateUser(void 0, i, a), t || (t = (await this.userStorage.getUserByUsername(s, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user), !t) throw new o(l.UserNotExist, "Couldn't fetch user");
|
|
5145
|
-
let
|
|
5146
|
-
t.state == k.awaitingTwoFactorSetupAndEmailVerification && (
|
|
5147
|
+
let f = k.active;
|
|
5148
|
+
t.state == k.awaitingTwoFactorSetupAndEmailVerification && (f = k.awaitingEmailVerification);
|
|
5147
5149
|
const y = {
|
|
5148
5150
|
id: t.id,
|
|
5149
|
-
state:
|
|
5151
|
+
state: f,
|
|
5150
5152
|
factor2: i.factor2
|
|
5151
5153
|
};
|
|
5152
|
-
return n.secretNames().length > 0 ? await this.userStorage.updateUser(y, c) : await this.userStorage.updateUser(y),
|
|
5154
|
+
return n.secretNames().length > 0 ? await this.userStorage.updateUser(y, c) : await this.userStorage.updateUser(y), f == k.awaitingEmailVerification && this.tokenEmailer && await ((C = this.tokenEmailer) == null ? void 0 : C.sendEmailVerificationToken(t.id, void 0)), await this.keyStorage.updateData(x.hashSessionId(r.value), "2fa", void 0), { ...t, ...y };
|
|
5153
5155
|
}
|
|
5154
5156
|
/**
|
|
5155
5157
|
* Initiates the two factor login process.
|
|
@@ -5179,14 +5181,14 @@ class Jt {
|
|
|
5179
5181
|
*/
|
|
5180
5182
|
async initiateTwoFactorPageVisit(a, e, t, r, i) {
|
|
5181
5183
|
const n = await this.authenticators[a.factor2].createOneTimeSecrets(a);
|
|
5182
|
-
let c, d,
|
|
5184
|
+
let c, d, f;
|
|
5183
5185
|
const y = x.hashSessionId(e);
|
|
5184
5186
|
h.logger.debug("initiateTwoFactorPageVisit " + a.username + " " + e + " " + y);
|
|
5185
|
-
let
|
|
5186
|
-
return i && (
|
|
5187
|
+
let C = { username: a.username, factor2: a.factor2, secrets: n, body: t, url: r };
|
|
5188
|
+
return i && (C["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", C), {
|
|
5187
5189
|
sessionCookie: c,
|
|
5188
5190
|
csrfCookie: d,
|
|
5189
|
-
csrfFormOrHeaderValue:
|
|
5191
|
+
csrfFormOrHeaderValue: f
|
|
5190
5192
|
};
|
|
5191
5193
|
}
|
|
5192
5194
|
/**
|
|
@@ -5249,12 +5251,12 @@ class Jt {
|
|
|
5249
5251
|
let { key: i } = await this.session.getUserForSessionId(e);
|
|
5250
5252
|
if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
|
|
5251
5253
|
let s = z.decodeData(i.data)["2fa"], n = s.username, c = s.factor2;
|
|
5252
|
-
const { user: d, secrets:
|
|
5254
|
+
const { user: d, secrets: f } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
|
|
5253
5255
|
if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
|
|
5254
|
-
await y.authenticateUser(d, { ...
|
|
5255
|
-
const
|
|
5256
|
+
await y.authenticateUser(d, { ...f, ...s }, a);
|
|
5257
|
+
const C = await this.session.createSessionKey(d.id, t);
|
|
5256
5258
|
await this.keyStorage.deleteKey(x.hashSessionId(i.value));
|
|
5257
|
-
const v = this.session.makeCookie(
|
|
5259
|
+
const v = this.session.makeCookie(C, r), p = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(p), E = this.csrfTokens.makeCsrfFormOrHeaderToken(p);
|
|
5258
5260
|
try {
|
|
5259
5261
|
this.emailTokenStorage.deleteAllForUser(
|
|
5260
5262
|
d.id,
|
|
@@ -5331,8 +5333,8 @@ class Jt {
|
|
|
5331
5333
|
s.id,
|
|
5332
5334
|
b.passwordResetToken
|
|
5333
5335
|
);
|
|
5334
|
-
} catch (
|
|
5335
|
-
h.logger.warn(m({ msg: "Couldn't delete password reset tokens while logging in", user: a })), h.logger.debug(m({ err:
|
|
5336
|
+
} catch (f) {
|
|
5337
|
+
h.logger.warn(m({ msg: "Couldn't delete password reset tokens while logging in", user: a })), h.logger.debug(m({ err: f }));
|
|
5336
5338
|
}
|
|
5337
5339
|
return s;
|
|
5338
5340
|
}
|
|
@@ -5343,7 +5345,7 @@ class Jt {
|
|
|
5343
5345
|
* @returns true if email verification is now needed, false otherwise
|
|
5344
5346
|
*/
|
|
5345
5347
|
async updateUser(a, e, t = !1, r = !1) {
|
|
5346
|
-
var y,
|
|
5348
|
+
var y, C;
|
|
5347
5349
|
let i;
|
|
5348
5350
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call updateUser if no user storage provided");
|
|
5349
5351
|
if (!("id" in a) || a.id == null)
|
|
@@ -5352,19 +5354,19 @@ class Jt {
|
|
|
5352
5354
|
throw new o(l.UserNotExist, "Please specify a userername");
|
|
5353
5355
|
let { email: s, username: n, password: c, ...d } = e;
|
|
5354
5356
|
d.userid = a.userid, d.id = a.id;
|
|
5355
|
-
let
|
|
5357
|
+
let f = !1;
|
|
5356
5358
|
if (s)
|
|
5357
|
-
i = s, D.validateEmail(i),
|
|
5359
|
+
i = s, D.validateEmail(i), f = !0;
|
|
5358
5360
|
else if (n) {
|
|
5359
5361
|
i = n;
|
|
5360
5362
|
try {
|
|
5361
|
-
D.validateEmail(a.username),
|
|
5363
|
+
D.validateEmail(a.username), f = !0;
|
|
5362
5364
|
} catch {
|
|
5363
5365
|
}
|
|
5364
|
-
|
|
5366
|
+
f && D.validateEmail(i);
|
|
5365
5367
|
}
|
|
5366
|
-
return !t && this.enableEmailVerification &&
|
|
5367
|
-
emailVerificationTokenSent: !t && this.enableEmailVerification &&
|
|
5368
|
+
return !t && this.enableEmailVerification && f ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(a.id, i)) : (s && (d.email = s), n && (d.username = n)), (e.state == k.passwordResetNeeded || e.state == k.passwordAndFactor2ResetNeeded) && await ((C = this.tokenEmailer) == null ? void 0 : C.sendPasswordResetToken(a.id, {}, r)), await this.userStorage.updateUser(d), {
|
|
5369
|
+
emailVerificationTokenSent: !t && this.enableEmailVerification && f,
|
|
5368
5370
|
passwordResetTokenSent: e.state == k.passwordResetNeeded || e.state == k.passwordAndFactor2ResetNeeded
|
|
5369
5371
|
};
|
|
5370
5372
|
}
|
|
@@ -5417,7 +5419,7 @@ class we {
|
|
|
5417
5419
|
u(this, "prefix", b.apiKey);
|
|
5418
5420
|
/** The name of the speak in the Authorization header. Defaults to "ApiKey" */
|
|
5419
5421
|
u(this, "authScheme", "ApiKey");
|
|
5420
|
-
this.apiKeyStorage = a, w("secret",
|
|
5422
|
+
this.apiKeyStorage = a, w("secret", g.String, this, e, "SECRET", !0), w("keyLength", g.String, this, e, "APIKEY_LENGTH"), w("prefix", g.String, this, e, "APIKEY_PREFIX"), w("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
|
|
5421
5423
|
}
|
|
5422
5424
|
/**
|
|
5423
5425
|
* Creates a new random key and returns it, unsigned. It is also persisted in the key storage as a
|
|
@@ -5438,7 +5440,7 @@ class we {
|
|
|
5438
5440
|
* Authorization header (with the signature appended.)
|
|
5439
5441
|
*/
|
|
5440
5442
|
async createKey(a, e, t, r, i) {
|
|
5441
|
-
const s = _.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = we.hashApiKeyValue(s),
|
|
5443
|
+
const s = _.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, d = we.hashApiKeyValue(s), f = {
|
|
5442
5444
|
name: a,
|
|
5443
5445
|
value: s,
|
|
5444
5446
|
userid: e,
|
|
@@ -5452,11 +5454,11 @@ class we {
|
|
|
5452
5454
|
this.prefix + d,
|
|
5453
5455
|
n,
|
|
5454
5456
|
c,
|
|
5455
|
-
|
|
5457
|
+
f.data,
|
|
5456
5458
|
{ name: a, ...i }
|
|
5457
5459
|
);
|
|
5458
5460
|
const y = this.signApiKeyValue(s);
|
|
5459
|
-
return { key:
|
|
5461
|
+
return { key: f, token: y };
|
|
5460
5462
|
}
|
|
5461
5463
|
static hashApiKeyValue(a) {
|
|
5462
5464
|
return _.hash(a);
|
|
@@ -5515,7 +5517,7 @@ class J {
|
|
|
5515
5517
|
l.Configuration,
|
|
5516
5518
|
"Must specify clientStorage when adding a client manager"
|
|
5517
5519
|
);
|
|
5518
|
-
this.clientStorage = a.clientStorage, w("oauthPbkdf2Digest",
|
|
5520
|
+
this.clientStorage = a.clientStorage, w("oauthPbkdf2Digest", g.String, this, a, "OAUTH_PBKDF2_DIGEST"), w("oauthPbkdf2KeyLength", g.String, this, a, "OAUTH_PBKDF2_KEYLENGTH"), w("requireRedirectUriRegistration", g.Boolean, this, a, "OAUTH_REQUIRE_REDIRECT_URI_REGISTRATION");
|
|
5519
5521
|
}
|
|
5520
5522
|
/**
|
|
5521
5523
|
* Creates a client and puts it in the storage
|
|
@@ -5549,19 +5551,19 @@ class J {
|
|
|
5549
5551
|
valid_flow: t,
|
|
5550
5552
|
userid: i
|
|
5551
5553
|
};
|
|
5552
|
-
let
|
|
5554
|
+
let f;
|
|
5553
5555
|
for (let y = 0; y < 5; ++y)
|
|
5554
5556
|
try {
|
|
5555
|
-
|
|
5557
|
+
f = await this.clientStorage.createClient(d);
|
|
5556
5558
|
break;
|
|
5557
|
-
} catch (
|
|
5559
|
+
} catch (C) {
|
|
5558
5560
|
if (y == 4) {
|
|
5559
|
-
if (o.asCrossauthError(
|
|
5561
|
+
if (o.asCrossauthError(C).code != l.ClientExists) throw C;
|
|
5560
5562
|
} else
|
|
5561
5563
|
d.client_id = J.randomClientId();
|
|
5562
5564
|
}
|
|
5563
|
-
if (!
|
|
5564
|
-
return
|
|
5565
|
+
if (!f) throw new o(l.ClientExists);
|
|
5566
|
+
return f.client_secret && c && (f.client_secret = c), f;
|
|
5565
5567
|
}
|
|
5566
5568
|
/**
|
|
5567
5569
|
* Updates a client
|
|
@@ -5631,7 +5633,7 @@ class ht extends Fe {
|
|
|
5631
5633
|
*/
|
|
5632
5634
|
constructor(e, t = {}) {
|
|
5633
5635
|
const r = {};
|
|
5634
|
-
w("jwtKeyType",
|
|
5636
|
+
w("jwtKeyType", g.String, r, t, "JWT_KEY_TYPE");
|
|
5635
5637
|
super(e, { ...t, ...r });
|
|
5636
5638
|
/**
|
|
5637
5639
|
* Value passed to the constructor. The `aud` claim must match it
|
|
@@ -5645,7 +5647,7 @@ class ht extends Fe {
|
|
|
5645
5647
|
u(this, "keyStorage");
|
|
5646
5648
|
u(this, "jwtSecretKeyFile", "");
|
|
5647
5649
|
u(this, "jwtPublicKeyFile", "");
|
|
5648
|
-
if (this.audience = e, w("authServerBaseUrl",
|
|
5650
|
+
if (this.audience = e, w("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), w("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), w("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), w("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), w("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), w("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), w("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
5649
5651
|
if (this.jwtPublicKey || this.jwtPublicKeyFile)
|
|
5650
5652
|
throw new o(
|
|
5651
5653
|
l.Configuration,
|
|
@@ -5721,7 +5723,7 @@ class mt extends Ne {
|
|
|
5721
5723
|
const r = {
|
|
5722
5724
|
client_id: ""
|
|
5723
5725
|
};
|
|
5724
|
-
w("client_id",
|
|
5726
|
+
w("client_id", g.String, r, t, "OAUTH_CLIENT_ID", !0);
|
|
5725
5727
|
super({
|
|
5726
5728
|
authServerBaseUrl: e,
|
|
5727
5729
|
tokenConsumer: new ht(
|
|
@@ -5742,7 +5744,7 @@ class mt extends Ne {
|
|
|
5742
5744
|
u(this, "userStorage");
|
|
5743
5745
|
this.client_id = r.client_id;
|
|
5744
5746
|
let i = {};
|
|
5745
|
-
if (w("stateLength",
|
|
5747
|
+
if (w("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), w("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), w("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), w("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), w("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), w("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), w("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), w("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), w("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ft : this.userCreationType == "embed" ? this.userCreationFn = gt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = wt, t.userStorage && (this.userStorage = t.userStorage), w("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), w("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), w("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
|
|
5746
5748
|
throw new o(l.Configuration, "oauthPostType must be json or form");
|
|
5747
5749
|
}
|
|
5748
5750
|
/**
|
|
@@ -5889,9 +5891,9 @@ class Yt {
|
|
|
5889
5891
|
u(this, "validFlows", ["all"]);
|
|
5890
5892
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
|
|
5891
5893
|
u(this, "allowedFactor2", []);
|
|
5892
|
-
this.clientStorage = a, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: a, ...r }), w("authServerBaseUrl",
|
|
5894
|
+
this.clientStorage = a, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: a, ...r }), w("authServerBaseUrl", g.String, this, r, "AUTH_SERVER_BASE_URL", !0), w("oauthIssuer", g.String, this, r, "OAUTH_ISSUER"), this.oauthIssuer || (this.oauthIssuer = this.authServerBaseUrl), w("audience", g.String, this, r, "OAUTH_AUDIENCE"), w("oauthPbkdf2Iterations", g.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), w("requireClientSecretOrChallenge", g.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), w("jwtAlgorithm", g.String, this, r, "JWT_ALGORITHM"), w("codeLength", g.Number, this, r, "OAUTH_CODE_LENGTH"), w("jwtKeyType", g.String, this, r, "JWT_KEY_TYPE"), w("jwtSecretKeyFile", g.String, this, r, "JWT_SECRET_KEY_FILE"), w("jwtPublicKeyFile", g.String, this, r, "JWT_PUBLIC_KEY_FILE"), w("jwtPrivateKeyFile", g.String, this, r, "JWT_PRIVATE_KEY_FILE"), w("jwtSecretKey", g.String, this, r, "JWT_SECRET_KEY"), w("jwtPublicKey", g.String, this, r, "JWT_PUBLIC_KEY"), w("jwtPrivateKey", g.String, this, r, "JWT_PRIVATE_KEY"), w("jwtKid", g.String, this, r, "JWT_KID"), w("persistAccessToken", g.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), w("issueRefreshToken", g.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), w("opaqueAccessToken", g.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), w("accessTokenExpiry", g.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), w("refreshTokenExpiry", g.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), w("rollingRefreshToken", g.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), w("authorizationCodeExpiry", g.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), w("mfaTokenExpiry", g.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), w("clockTolerance", g.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), w("validateScopes", g.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), w("emptyScopeIsValid", g.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), 
w("validScopes", g.JsonArray, this, r, "OAUTH_VALID_SCOPES"), w("validFlows", g.JsonArray, this, r, "OAUTH_validFlows"), w("idTokenClaims", g.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), w("accessTokenClaims", g.Json, this, r, "OAUTH_ACCESS_TOKEN_CLAIMS"), w("allowedFactor2", g.JsonArray, this, r, "ALLOWED_FACTOR2"), w("userCodeExpiry", g.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), w("userCodeThrottle", g.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), w("deviceCodePollInterval", g.Number, this, r, "DEVICECODE_POLL_INTERVAL"), w("deviceCodeLength", g.Number, this, r, "DEVICECODE_LENGTH"), w("userCodeLength", g.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
|
|
5893
5895
|
let i = {};
|
|
5894
|
-
if (w("userCodeDashEvery",
|
|
5896
|
+
if (w("userCodeDashEvery", g.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
|
|
5895
5897
|
if (i.userCodeDashEvery == "" || i.userCodeDashEvery.toLowerCase() == "null") this.userCodeDashEvery = null;
|
|
5896
5898
|
else
|
|
5897
5899
|
try {
|
|
@@ -5902,7 +5904,7 @@ class Yt {
|
|
|
5902
5904
|
"userCodeDashEvery must be a number or null"
|
|
5903
5905
|
);
|
|
5904
5906
|
}
|
|
5905
|
-
if (w("deviceCodeVerificationUri",
|
|
5907
|
+
if (w("deviceCodeVerificationUri", g.String, this, r, "DEVICECODE_VERIFICATION_URI"), r.upstreamClient && (this.upstreamClientOptions = r.upstreamClient, this.upstreamClient = new mt(r.upstreamClient.authServerBaseUrl, r.upstreamClient.options), !r.upstreamClient.options.redirect_uri))
|
|
5906
5908
|
throw new o(l.Configuration, "Must define redirect_uri in upstreamClient options");
|
|
5907
5909
|
if (this.validFlows.length == 1 && this.validFlows[0] == U.All && (this.validFlows = U.allFlows()), this.jwtAlgorithmChecked = yt(this.jwtAlgorithm), this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
5908
5910
|
if (this.jwtPublicKey || this.jwtPublicKeyFile || this.jwtPrivateKey || this.jwtPrivateKeyFile)
|
|
@@ -5981,9 +5983,9 @@ class Yt {
|
|
|
5981
5983
|
error: "unsupported_response_type",
|
|
5982
5984
|
error_description: "Unsupported response type " + a
|
|
5983
5985
|
};
|
|
5984
|
-
let
|
|
5986
|
+
let f;
|
|
5985
5987
|
try {
|
|
5986
|
-
|
|
5988
|
+
f = await this.clientStorage.getClientById(e);
|
|
5987
5989
|
} catch (T) {
|
|
5988
5990
|
return h.logger.debug(m({ err: T })), {
|
|
5989
5991
|
error: "unauthorized_client",
|
|
@@ -5992,23 +5994,23 @@ class Yt {
|
|
|
5992
5994
|
}
|
|
5993
5995
|
const {
|
|
5994
5996
|
scopes: y,
|
|
5995
|
-
error:
|
|
5997
|
+
error: C,
|
|
5996
5998
|
error_description: v
|
|
5997
5999
|
} = await this.validateAndPersistScope(e, r, c);
|
|
5998
|
-
if (
|
|
5999
|
-
error:
|
|
6000
|
+
if (C) return {
|
|
6001
|
+
error: C,
|
|
6000
6002
|
error_description: v
|
|
6001
6003
|
};
|
|
6002
|
-
const
|
|
6003
|
-
if (!
|
|
6004
|
+
const p = this.inferFlowFromGet(a, y || [], s);
|
|
6005
|
+
if (!p || !this.validFlows.includes(p))
|
|
6004
6006
|
return {
|
|
6005
6007
|
error: "access_denied",
|
|
6006
|
-
error_description: "Unsupported flow type " +
|
|
6008
|
+
error_description: "Unsupported flow type " + p
|
|
6007
6009
|
};
|
|
6008
|
-
if (!
|
|
6010
|
+
if (!f.valid_flow.includes(p))
|
|
6009
6011
|
return {
|
|
6010
6012
|
error: "unauthorized_client",
|
|
6011
|
-
error_description: "Client does not support " +
|
|
6013
|
+
error_description: "Client does not support " + p
|
|
6012
6014
|
};
|
|
6013
6015
|
try {
|
|
6014
6016
|
this.validateState(i);
|
|
@@ -6019,7 +6021,7 @@ class Yt {
|
|
|
6019
6021
|
};
|
|
6020
6022
|
}
|
|
6021
6023
|
return a == "code" ? await this.getAuthorizationCode(
|
|
6022
|
-
|
|
6024
|
+
f,
|
|
6023
6025
|
t,
|
|
6024
6026
|
y,
|
|
6025
6027
|
i,
|
|
@@ -6162,11 +6164,11 @@ class Yt {
|
|
|
6162
6164
|
refreshToken: n,
|
|
6163
6165
|
username: c,
|
|
6164
6166
|
password: d,
|
|
6165
|
-
mfaToken:
|
|
6167
|
+
mfaToken: f,
|
|
6166
6168
|
oobCode: y,
|
|
6167
|
-
bindingCode:
|
|
6169
|
+
bindingCode: C,
|
|
6168
6170
|
otp: v,
|
|
6169
|
-
deviceCode:
|
|
6171
|
+
deviceCode: p
|
|
6170
6172
|
}) {
|
|
6171
6173
|
var F, $, V;
|
|
6172
6174
|
const T = this.inferFlowFromPost(a, s);
|
|
@@ -6362,12 +6364,12 @@ class Yt {
|
|
|
6362
6364
|
error: "access_denied",
|
|
6363
6365
|
error_description: "OTP not provided"
|
|
6364
6366
|
};
|
|
6365
|
-
if (!
|
|
6367
|
+
if (!f)
|
|
6366
6368
|
return {
|
|
6367
6369
|
error: "access_denied",
|
|
6368
6370
|
error_description: "MFA token not provided"
|
|
6369
6371
|
};
|
|
6370
|
-
const P = await this.validateMfaToken(
|
|
6372
|
+
const P = await this.validateMfaToken(f), R = b.mfaToken + _.hash(f);
|
|
6371
6373
|
if (!P.user || !P.key)
|
|
6372
6374
|
return {
|
|
6373
6375
|
error: "access_denied",
|
|
@@ -6420,17 +6422,17 @@ class Yt {
|
|
|
6420
6422
|
error: O,
|
|
6421
6423
|
error_description: I
|
|
6422
6424
|
};
|
|
6423
|
-
if (!y || !
|
|
6425
|
+
if (!y || !C)
|
|
6424
6426
|
return {
|
|
6425
6427
|
error: "access_denied",
|
|
6426
6428
|
error_description: "OOB code or binding code not provided"
|
|
6427
6429
|
};
|
|
6428
|
-
if (!
|
|
6430
|
+
if (!f)
|
|
6429
6431
|
return {
|
|
6430
6432
|
error: "access_denied",
|
|
6431
6433
|
error_description: "MFA token not provided"
|
|
6432
6434
|
};
|
|
6433
|
-
const P = await this.validateMfaToken(
|
|
6435
|
+
const P = await this.validateMfaToken(f);
|
|
6434
6436
|
if (!P.user || !P.key)
|
|
6435
6437
|
return {
|
|
6436
6438
|
error: "access_denied",
|
|
@@ -6457,7 +6459,7 @@ class Yt {
|
|
|
6457
6459
|
await R.authenticateUser(
|
|
6458
6460
|
P.user,
|
|
6459
6461
|
{ ...B, otp: M.otp, expiry: ($ = P.key.expires) == null ? void 0 : $.getTime() },
|
|
6460
|
-
{ otp:
|
|
6462
|
+
{ otp: C }
|
|
6461
6463
|
);
|
|
6462
6464
|
} catch (B) {
|
|
6463
6465
|
return h.logger.debug(m({ err: B })), {
|
|
@@ -6483,14 +6485,14 @@ class Yt {
|
|
|
6483
6485
|
user: P.user
|
|
6484
6486
|
});
|
|
6485
6487
|
} else if (a == "urn:ietf:params:oauth:grant-type:device_code") {
|
|
6486
|
-
if (!
|
|
6488
|
+
if (!p)
|
|
6487
6489
|
return {
|
|
6488
6490
|
error: "invalid_request",
|
|
6489
6491
|
error_description: "No device code given"
|
|
6490
6492
|
};
|
|
6491
6493
|
let N;
|
|
6492
6494
|
try {
|
|
6493
|
-
N = await this.keyStorage.getKey(b.deviceCode +
|
|
6495
|
+
N = await this.keyStorage.getKey(b.deviceCode + p);
|
|
6494
6496
|
} catch (O) {
|
|
6495
6497
|
const I = o.asCrossauthError(O);
|
|
6496
6498
|
return h.logger.debug(m({ err: I })), h.logger.error(m({ msg: "Couldn't get device code", cerr: I })), {
|
|
@@ -6501,7 +6503,7 @@ class Yt {
|
|
|
6501
6503
|
try {
|
|
6502
6504
|
const O = JSON.parse(N.data ?? "{}"), I = (/* @__PURE__ */ new Date()).getTime();
|
|
6503
6505
|
if (N.expires && I > N.expires.getTime())
|
|
6504
|
-
return await this.deleteDeviceCode(
|
|
6506
|
+
return await this.deleteDeviceCode(p), {
|
|
6505
6507
|
error: "expired_token",
|
|
6506
6508
|
error_description: "Code has expired"
|
|
6507
6509
|
};
|
|
@@ -6512,7 +6514,7 @@ class Yt {
|
|
|
6512
6514
|
};
|
|
6513
6515
|
{
|
|
6514
6516
|
let P = O.scope ? O.scope.split(" ") : void 0, R = O.userid ? await ((V = this.userStorage) == null ? void 0 : V.getUserById(O.userid)) : void 0;
|
|
6515
|
-
return await this.deleteDeviceCode(
|
|
6517
|
+
return await this.deleteDeviceCode(p), await this.makeAccessToken({
|
|
6516
6518
|
client: A,
|
|
6517
6519
|
client_secret: i,
|
|
6518
6520
|
codeVerifier: s,
|
|
@@ -6523,7 +6525,7 @@ class Yt {
|
|
|
6523
6525
|
}
|
|
6524
6526
|
} catch (O) {
|
|
6525
6527
|
const I = o.asCrossauthError(O);
|
|
6526
|
-
return h.logger.debug(m({ err: I })), h.logger.error(m({ msg: "Couldn't get device code", cerr: I })), await this.deleteDeviceCode(
|
|
6528
|
+
return h.logger.debug(m({ err: I })), h.logger.error(m({ msg: "Couldn't get device code", cerr: I })), await this.deleteDeviceCode(p), {
|
|
6527
6529
|
error: "accerss_denied",
|
|
6528
6530
|
error_description: "Invalid device code"
|
|
6529
6531
|
};
|
|
@@ -6566,7 +6568,7 @@ class Yt {
|
|
|
6566
6568
|
scope: e,
|
|
6567
6569
|
client_secret: t
|
|
6568
6570
|
}) {
|
|
6569
|
-
var
|
|
6571
|
+
var p;
|
|
6570
6572
|
if (this.deviceCodeVerificationUri == "")
|
|
6571
6573
|
return {
|
|
6572
6574
|
error: "invalid_request",
|
|
@@ -6597,14 +6599,14 @@ class Yt {
|
|
|
6597
6599
|
};
|
|
6598
6600
|
}
|
|
6599
6601
|
let c, d = !1;
|
|
6600
|
-
const
|
|
6602
|
+
const f = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, C = new Date(f.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
|
|
6601
6603
|
for (let T = 0; T < 10 && !d; ++T)
|
|
6602
6604
|
try {
|
|
6603
6605
|
c = _.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
|
|
6604
6606
|
void 0,
|
|
6605
6607
|
b.deviceCode + c,
|
|
6606
|
-
|
|
6607
|
-
|
|
6608
|
+
f,
|
|
6609
|
+
C,
|
|
6608
6610
|
JSON.stringify({ scope: e, client_id: a })
|
|
6609
6611
|
), d = !0;
|
|
6610
6612
|
} catch {
|
|
@@ -6622,8 +6624,8 @@ class Yt {
|
|
|
6622
6624
|
v = _.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
|
|
6623
6625
|
void 0,
|
|
6624
6626
|
b.userCode + v,
|
|
6625
|
-
|
|
6626
|
-
|
|
6627
|
+
f,
|
|
6628
|
+
C,
|
|
6627
6629
|
JSON.stringify({ deviceCode: c })
|
|
6628
6630
|
), d = !0;
|
|
6629
6631
|
} catch {
|
|
@@ -6636,7 +6638,7 @@ class Yt {
|
|
|
6636
6638
|
};
|
|
6637
6639
|
if (v && this.userCodeDashEvery) {
|
|
6638
6640
|
const T = new RegExp(String.raw`(.{1,${this.userCodeDashEvery}})`, "g");
|
|
6639
|
-
v = (
|
|
6641
|
+
v = (p = v.match(T)) == null ? void 0 : p.join("-");
|
|
6640
6642
|
}
|
|
6641
6643
|
return {
|
|
6642
6644
|
device_code: c,
|
|
@@ -6662,7 +6664,7 @@ class Yt {
|
|
|
6662
6664
|
userCode: a,
|
|
6663
6665
|
user: e
|
|
6664
6666
|
}) {
|
|
6665
|
-
var
|
|
6667
|
+
var f;
|
|
6666
6668
|
a = a.replace(/[ -]*/g, "");
|
|
6667
6669
|
let t, r = {};
|
|
6668
6670
|
try {
|
|
@@ -6684,12 +6686,12 @@ class Yt {
|
|
|
6684
6686
|
try {
|
|
6685
6687
|
i = await this.keyStorage.getKey(b.deviceCode + r.deviceCode);
|
|
6686
6688
|
} catch (y) {
|
|
6687
|
-
const
|
|
6688
|
-
return h.logger.debug(m({ err:
|
|
6689
|
+
const C = o.asCrossauthError(y);
|
|
6690
|
+
return h.logger.debug(m({ err: C })), h.logger.error(m({
|
|
6689
6691
|
msg: "Invalid device code for user code",
|
|
6690
6692
|
userCodeHash: _.hash(a),
|
|
6691
6693
|
deviceCodeHash: _.hash(r.deviceCode),
|
|
6692
|
-
cerr:
|
|
6694
|
+
cerr: C
|
|
6693
6695
|
})), await this.deleteUserCode(a), {
|
|
6694
6696
|
ok: !1,
|
|
6695
6697
|
error: "server_error",
|
|
@@ -6708,7 +6710,7 @@ class Yt {
|
|
|
6708
6710
|
error_description: "Unexpected or incomplete data in device code key"
|
|
6709
6711
|
};
|
|
6710
6712
|
}
|
|
6711
|
-
if ((/* @__PURE__ */ new Date()).getTime() > ((
|
|
6713
|
+
if ((/* @__PURE__ */ new Date()).getTime() > ((f = r.expires) == null ? void 0 : f.getTime()))
|
|
6712
6714
|
return await this.deleteUserCode(a), {
|
|
6713
6715
|
ok: !1,
|
|
6714
6716
|
error: "expired_token",
|
|
@@ -6738,8 +6740,8 @@ class Yt {
|
|
|
6738
6740
|
try {
|
|
6739
6741
|
e != null && e.id && await this.keyStorage.updateData(b.deviceCode + r.deviceCode, "userid", e.id);
|
|
6740
6742
|
} catch (y) {
|
|
6741
|
-
const
|
|
6742
|
-
return h.logger.debug(m({ err:
|
|
6743
|
+
const C = o.asCrossauthError(y);
|
|
6744
|
+
return h.logger.debug(m({ err: C })), h.logger.warn(m({ msg: "Couldn't update user id on user code entry - deleting", cerr: C })), await this.deleteUserCode(a), await this.deleteDeviceCode(r.deviceCode), {
|
|
6743
6745
|
ok: !1,
|
|
6744
6746
|
error: "access_denied",
|
|
6745
6747
|
error_description: "Invalid user code",
|
|
@@ -6756,8 +6758,8 @@ class Yt {
|
|
|
6756
6758
|
try {
|
|
6757
6759
|
e != null && e.id && await this.keyStorage.updateData(b.deviceCode + r.deviceCode, "userid", e.id), await this.keyStorage.updateData(b.deviceCode + r.deviceCode, "ok", !0);
|
|
6758
6760
|
} catch (y) {
|
|
6759
|
-
const
|
|
6760
|
-
return h.logger.debug(m({ err:
|
|
6761
|
+
const C = o.asCrossauthError(y);
|
|
6762
|
+
return h.logger.debug(m({ err: C })), h.logger.warn(m({ msg: "Couldn't update status on user code entry - deleting", cerr: C })), await this.deleteUserCode(a), await this.deleteDeviceCode(r.deviceCode), {
|
|
6761
6763
|
ok: !1,
|
|
6762
6764
|
error: "access_denied",
|
|
6763
6765
|
error_description: "Invalid user code",
|
|
@@ -6949,9 +6951,9 @@ class Yt {
|
|
|
6949
6951
|
if (!n.client) return n;
|
|
6950
6952
|
const c = n.client, d = await this.authenticateClient(s, c, t);
|
|
6951
6953
|
if (d.error) return d;
|
|
6952
|
-
const
|
|
6953
|
-
if (!
|
|
6954
|
-
if (
|
|
6954
|
+
const f = await this.validateMfaToken(a);
|
|
6955
|
+
if (!f.user || !f.key) return f;
|
|
6956
|
+
if (f.user.factor2 != i)
|
|
6955
6957
|
return {
|
|
6956
6958
|
error: "access_denied",
|
|
6957
6959
|
error_description: "Invalid MFA authenticator"
|
|
@@ -6966,20 +6968,20 @@ class Yt {
|
|
|
6966
6968
|
oobCode: _.randomValue(this.codeLength)
|
|
6967
6969
|
});
|
|
6968
6970
|
try {
|
|
6969
|
-
const
|
|
6970
|
-
if (!
|
|
6971
|
+
const C = this.authenticators[f.user.factor2];
|
|
6972
|
+
if (!C)
|
|
6971
6973
|
throw new o(
|
|
6972
6974
|
l.Configuration,
|
|
6973
6975
|
"User's authenticator has not been loaded"
|
|
6974
6976
|
);
|
|
6975
|
-
const v = await
|
|
6977
|
+
const v = await C.createOneTimeSecrets(f.user);
|
|
6976
6978
|
await this.keyStorage.updateData(
|
|
6977
|
-
|
|
6979
|
+
f.key.value,
|
|
6978
6980
|
"omfa",
|
|
6979
6981
|
{ ...y, ...v }
|
|
6980
6982
|
);
|
|
6981
|
-
} catch (
|
|
6982
|
-
return h.logger.debug(m({ err:
|
|
6983
|
+
} catch (C) {
|
|
6984
|
+
return h.logger.debug(m({ err: C })), {
|
|
6983
6985
|
error: "server_error",
|
|
6984
6986
|
error_description: "Unable to initiate OOB authentication"
|
|
6985
6987
|
};
|
|
@@ -7041,21 +7043,21 @@ class Yt {
|
|
|
7041
7043
|
error: "invalid_request",
|
|
7042
7044
|
error_description: `The redirect uri ${e} is invalid`
|
|
7043
7045
|
};
|
|
7044
|
-
const d = /* @__PURE__ */ new Date(),
|
|
7046
|
+
const d = /* @__PURE__ */ new Date(), f = this.authorizationCodeExpiry ? new Date(d.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {
|
|
7045
7047
|
client_id: a.client_id,
|
|
7046
7048
|
redirect_uri: e
|
|
7047
7049
|
};
|
|
7048
7050
|
t && (y.scope = t), i && (y.challengeMethod = s, y.challenge = _.hash(i)), n && (y.username = n.username, y.id = n.id);
|
|
7049
|
-
const
|
|
7050
|
-
let v = !1,
|
|
7051
|
+
const C = JSON.stringify(y);
|
|
7052
|
+
let v = !1, p = "";
|
|
7051
7053
|
for (let T = 0; T < 10 && !v; ++T)
|
|
7052
7054
|
try {
|
|
7053
|
-
|
|
7055
|
+
p = _.randomValue(this.codeLength), await this.keyStorage.saveKey(
|
|
7054
7056
|
void 0,
|
|
7055
|
-
b.authorizationCode + _.hash(
|
|
7057
|
+
b.authorizationCode + _.hash(p),
|
|
7056
7058
|
d,
|
|
7057
|
-
|
|
7058
|
-
|
|
7059
|
+
f,
|
|
7060
|
+
C
|
|
7059
7061
|
), v = !0;
|
|
7060
7062
|
} catch {
|
|
7061
7063
|
h.logger.debug(m({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
@@ -7065,7 +7067,7 @@ class Yt {
|
|
|
7065
7067
|
l.KeyExists,
|
|
7066
7068
|
"Couldn't create a authorization code"
|
|
7067
7069
|
);
|
|
7068
|
-
return { code:
|
|
7070
|
+
return { code: p, state: r };
|
|
7069
7071
|
}
|
|
7070
7072
|
async getAuthorizationCodeData(a) {
|
|
7071
7073
|
let e, t = {};
|
|
@@ -7152,8 +7154,8 @@ class Yt {
|
|
|
7152
7154
|
error_description: "Code verifier is incorrect"
|
|
7153
7155
|
};
|
|
7154
7156
|
}
|
|
7155
|
-
const
|
|
7156
|
-
let
|
|
7157
|
+
const f = /* @__PURE__ */ new Date(), y = Math.ceil(f.getTime() / 1e3);
|
|
7158
|
+
let C;
|
|
7157
7159
|
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage && d.username)
|
|
7158
7160
|
try {
|
|
7159
7161
|
const { user: K } = await this.userStorage.getUserByUsername(d.username);
|
|
@@ -7165,17 +7167,17 @@ class Yt {
|
|
|
7165
7167
|
};
|
|
7166
7168
|
}
|
|
7167
7169
|
const v = _.uuid();
|
|
7168
|
-
let
|
|
7170
|
+
let p = {
|
|
7169
7171
|
jti: v,
|
|
7170
7172
|
iat: y,
|
|
7171
7173
|
iss: this.oauthIssuer,
|
|
7172
7174
|
sub: d.username,
|
|
7173
7175
|
type: "access"
|
|
7174
7176
|
};
|
|
7175
|
-
|
|
7177
|
+
p = this.addClaims(p, this.accessTokenClaims, i, n), i && (p.scope = i), this.accessTokenExpiry != null && (p.exp = y + this.accessTokenExpiry, C = new Date(f.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (p.aud = this.audience);
|
|
7176
7178
|
const T = await new Promise((K, F) => {
|
|
7177
7179
|
te.sign(
|
|
7178
|
-
|
|
7180
|
+
p,
|
|
7179
7181
|
this.secretOrPrivateKey,
|
|
7180
7182
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
7181
7183
|
($, V) => {
|
|
@@ -7190,8 +7192,8 @@ class Yt {
|
|
|
7190
7192
|
void 0,
|
|
7191
7193
|
// to avoid user storage dependency, we don't set this
|
|
7192
7194
|
b.accessToken + _.hash(v),
|
|
7193
|
-
|
|
7194
|
-
|
|
7195
|
+
f,
|
|
7196
|
+
C
|
|
7195
7197
|
));
|
|
7196
7198
|
let E;
|
|
7197
7199
|
if (i && i.includes("openid")) {
|
|
@@ -7270,7 +7272,7 @@ class Yt {
|
|
|
7270
7272
|
void 0,
|
|
7271
7273
|
// to avoid user storage dependency
|
|
7272
7274
|
b.refreshToken + _.hash(A),
|
|
7273
|
-
|
|
7275
|
+
f,
|
|
7274
7276
|
F,
|
|
7275
7277
|
JSON.stringify(K)
|
|
7276
7278
|
));
|
|
@@ -7288,31 +7290,31 @@ class Yt {
|
|
|
7288
7290
|
* Create an access token
|
|
7289
7291
|
*/
|
|
7290
7292
|
async createTokensFromPayload(a, e, t) {
|
|
7291
|
-
var
|
|
7293
|
+
var f;
|
|
7292
7294
|
const r = /* @__PURE__ */ new Date(), i = Math.ceil(r.getTime() / 1e3);
|
|
7293
7295
|
let s, n, c, d;
|
|
7294
7296
|
if (e) {
|
|
7295
7297
|
const y = _.uuid();
|
|
7296
|
-
let
|
|
7298
|
+
let C = {
|
|
7297
7299
|
...e,
|
|
7298
7300
|
jti: y,
|
|
7299
7301
|
iat: i,
|
|
7300
7302
|
iss: this.oauthIssuer,
|
|
7301
7303
|
type: "access"
|
|
7302
7304
|
};
|
|
7303
|
-
this.accessTokenExpiry != null && (
|
|
7305
|
+
this.accessTokenExpiry != null && (C.exp = i + this.accessTokenExpiry, s = new Date(r.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience), n = await new Promise((v, p) => {
|
|
7304
7306
|
te.sign(
|
|
7305
|
-
|
|
7307
|
+
C,
|
|
7306
7308
|
this.secretOrPrivateKey,
|
|
7307
7309
|
{ algorithm: this.jwtAlgorithmChecked, keyid: "1" },
|
|
7308
7310
|
(T, E) => {
|
|
7309
|
-
E ? v(E) :
|
|
7311
|
+
E ? v(E) : p(T || new o(
|
|
7310
7312
|
l.Unauthorized,
|
|
7311
7313
|
"Couldn't create jwt"
|
|
7312
7314
|
));
|
|
7313
7315
|
}
|
|
7314
7316
|
);
|
|
7315
|
-
}), d =
|
|
7317
|
+
}), d = C, this.persistAccessToken && this.keyStorage && await ((f = this.keyStorage) == null ? void 0 : f.saveKey(
|
|
7316
7318
|
void 0,
|
|
7317
7319
|
// to avoid user storage dependency, we don't set this
|
|
7318
7320
|
b.accessToken + _.hash(y),
|
|
@@ -7330,17 +7332,17 @@ class Yt {
|
|
|
7330
7332
|
iss: this.oauthIssuer,
|
|
7331
7333
|
type: "id"
|
|
7332
7334
|
}, t) {
|
|
7333
|
-
const
|
|
7334
|
-
c = await new Promise((v,
|
|
7335
|
+
const C = t;
|
|
7336
|
+
c = await new Promise((v, p) => {
|
|
7335
7337
|
te.sign(
|
|
7336
|
-
|
|
7338
|
+
C,
|
|
7337
7339
|
this.secretOrPrivateKey,
|
|
7338
7340
|
{
|
|
7339
7341
|
algorithm: this.jwtAlgorithmChecked,
|
|
7340
7342
|
keyid: this.jwtKid
|
|
7341
7343
|
},
|
|
7342
7344
|
(T, E) => {
|
|
7343
|
-
E ? v(E) :
|
|
7345
|
+
E ? v(E) : p(T || new o(
|
|
7344
7346
|
l.Unauthorized,
|
|
7345
7347
|
"Couldn't create jwt"
|
|
7346
7348
|
));
|
|
@@ -7717,7 +7719,7 @@ export {
|
|
|
7717
7719
|
ye as OAuthClientStorage,
|
|
7718
7720
|
Gt as OAuthResourceServer,
|
|
7719
7721
|
ht as OAuthTokenConsumer,
|
|
7720
|
-
|
|
7722
|
+
g as ParamType,
|
|
7721
7723
|
Ie as PasswordAuthenticator,
|
|
7722
7724
|
jt as PostgresKeyStorage,
|
|
7723
7725
|
Vt as PostgresOAuthAuthorizationStorage,
|