@crossauth/common 0.0.30 → 0.0.33
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.iife.js +1 -1
- package/dist/index.js +455 -364
- package/dist/oauth/client.d.ts +22 -5
- package/dist/oauth/client.d.ts.map +1 -1
- package/dist/oauth/tokenconsumer.d.ts +3 -3
- package/dist/oauth/tokenconsumer.d.ts.map +1 -1
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
var
|
|
2
|
-
var
|
|
1
|
+
var ue = Object.defineProperty;
|
|
2
|
+
var B = (e) => {
|
|
3
3
|
throw TypeError(e);
|
|
4
4
|
};
|
|
5
|
-
var
|
|
6
|
-
var a = (e, t, r) =>
|
|
7
|
-
var
|
|
5
|
+
var he = (e, t, r) => t in e ? ue(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
|
|
6
|
+
var a = (e, t, r) => he(e, typeof t != "symbol" ? t + "" : t, r), j = (e, t, r) => t.has(e) || B("Cannot " + r);
|
|
7
|
+
var p = (e, t, r) => (j(e, t, "read from private field"), r ? r.call(e) : t.get(e)), F = (e, t, r) => t.has(e) ? B("Cannot add the same private member more than once") : t instanceof WeakSet ? t.add(e) : t.set(e, r), K = (e, t, r, n) => (j(e, t, "write to private field"), n ? n.call(e, r) : t.set(e, r), r);
|
|
8
8
|
class P {
|
|
9
9
|
}
|
|
10
10
|
/** Ordinary, active user who can log in freely */
|
|
@@ -205,10 +205,10 @@ class g extends Error {
|
|
|
205
205
|
return "message" in r && (i = r.message), new g(48, i);
|
|
206
206
|
}
|
|
207
207
|
}
|
|
208
|
-
function
|
|
209
|
-
return typeof e == "number" && (e = "" + e), e in
|
|
208
|
+
function Fe(e) {
|
|
209
|
+
return typeof e == "number" && (e = "" + e), e in q ? q[e] : q[500];
|
|
210
210
|
}
|
|
211
|
-
const
|
|
211
|
+
const q = {
|
|
212
212
|
200: "OK",
|
|
213
213
|
201: "Created",
|
|
214
214
|
202: "Accepted",
|
|
@@ -327,7 +327,7 @@ a(m, "Warn", 2), /** Log errors, warnings and info messages */
|
|
|
327
327
|
a(m, "Info", 3), /** Log everything */
|
|
328
328
|
a(m, "Debug", 4), a(m, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
|
|
329
329
|
let l = m;
|
|
330
|
-
function
|
|
330
|
+
function u(e) {
|
|
331
331
|
let t;
|
|
332
332
|
typeof e == "object" && "err" in e && typeof e.err == "object" && (t = e.err.stack);
|
|
333
333
|
try {
|
|
@@ -350,7 +350,7 @@ function h(e) {
|
|
|
350
350
|
}
|
|
351
351
|
globalThis.crossauthLogger = new l(l.None);
|
|
352
352
|
globalThis.crossauthLoggerAcceptsJson = !0;
|
|
353
|
-
const
|
|
353
|
+
const Z = {
|
|
354
354
|
issuer: "",
|
|
355
355
|
authorization_endpoint: "",
|
|
356
356
|
token_endpoint: "",
|
|
@@ -365,29 +365,29 @@ const te = {
|
|
|
365
365
|
request_parameter_supported: !1,
|
|
366
366
|
request_uri_parameter_supported: !0,
|
|
367
367
|
require_request_uri_registration: !1
|
|
368
|
-
},
|
|
369
|
-
function
|
|
368
|
+
}, H = crypto, ee = (e) => e instanceof CryptoKey, x = new TextEncoder(), N = new TextDecoder();
|
|
369
|
+
function fe(...e) {
|
|
370
370
|
const t = e.reduce((i, { length: o }) => i + o, 0), r = new Uint8Array(t);
|
|
371
371
|
let n = 0;
|
|
372
372
|
for (const i of e)
|
|
373
373
|
r.set(i, n), n += i.length;
|
|
374
374
|
return r;
|
|
375
375
|
}
|
|
376
|
-
const
|
|
376
|
+
const pe = (e) => {
|
|
377
377
|
const t = atob(e), r = new Uint8Array(t.length);
|
|
378
378
|
for (let n = 0; n < t.length; n++)
|
|
379
379
|
r[n] = t.charCodeAt(n);
|
|
380
380
|
return r;
|
|
381
|
-
},
|
|
381
|
+
}, O = (e) => {
|
|
382
382
|
let t = e;
|
|
383
|
-
t instanceof Uint8Array && (t =
|
|
383
|
+
t instanceof Uint8Array && (t = N.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
|
|
384
384
|
try {
|
|
385
|
-
return
|
|
385
|
+
return pe(t);
|
|
386
386
|
} catch {
|
|
387
387
|
throw new TypeError("The input to be decoded is not correctly encoded.");
|
|
388
388
|
}
|
|
389
389
|
};
|
|
390
|
-
class
|
|
390
|
+
class J extends Error {
|
|
391
391
|
static get code() {
|
|
392
392
|
return "ERR_JOSE_GENERIC";
|
|
393
393
|
}
|
|
@@ -396,7 +396,7 @@ class $ extends Error {
|
|
|
396
396
|
super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
|
|
397
397
|
}
|
|
398
398
|
}
|
|
399
|
-
class b extends
|
|
399
|
+
class b extends J {
|
|
400
400
|
constructor() {
|
|
401
401
|
super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
|
|
402
402
|
}
|
|
@@ -404,7 +404,7 @@ class b extends $ {
|
|
|
404
404
|
return "ERR_JOSE_NOT_SUPPORTED";
|
|
405
405
|
}
|
|
406
406
|
}
|
|
407
|
-
class v extends
|
|
407
|
+
class v extends J {
|
|
408
408
|
constructor() {
|
|
409
409
|
super(...arguments), this.code = "ERR_JWS_INVALID";
|
|
410
410
|
}
|
|
@@ -412,7 +412,7 @@ class v extends $ {
|
|
|
412
412
|
return "ERR_JWS_INVALID";
|
|
413
413
|
}
|
|
414
414
|
}
|
|
415
|
-
class
|
|
415
|
+
class R extends J {
|
|
416
416
|
constructor() {
|
|
417
417
|
super(...arguments), this.code = "ERR_JWT_INVALID";
|
|
418
418
|
}
|
|
@@ -420,7 +420,7 @@ class O extends $ {
|
|
|
420
420
|
return "ERR_JWT_INVALID";
|
|
421
421
|
}
|
|
422
422
|
}
|
|
423
|
-
class
|
|
423
|
+
class ge extends J {
|
|
424
424
|
constructor() {
|
|
425
425
|
super(...arguments), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED", this.message = "signature verification failed";
|
|
426
426
|
}
|
|
@@ -428,16 +428,16 @@ class me extends $ {
|
|
|
428
428
|
return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
|
|
429
429
|
}
|
|
430
430
|
}
|
|
431
|
-
function
|
|
431
|
+
function A(e, t = "algorithm.name") {
|
|
432
432
|
return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
|
|
433
433
|
}
|
|
434
|
-
function
|
|
434
|
+
function z(e, t) {
|
|
435
435
|
return e.name === t;
|
|
436
436
|
}
|
|
437
|
-
function
|
|
437
|
+
function M(e) {
|
|
438
438
|
return parseInt(e.name.slice(4), 10);
|
|
439
439
|
}
|
|
440
|
-
function
|
|
440
|
+
function ye(e) {
|
|
441
441
|
switch (e) {
|
|
442
442
|
case "ES256":
|
|
443
443
|
return "P-256";
|
|
@@ -449,7 +449,7 @@ function we(e) {
|
|
|
449
449
|
throw new Error("unreachable");
|
|
450
450
|
}
|
|
451
451
|
}
|
|
452
|
-
function
|
|
452
|
+
function me(e, t) {
|
|
453
453
|
if (t.length && !t.some((r) => e.usages.includes(r))) {
|
|
454
454
|
let r = "CryptoKey does not support this operation, its usages must include ";
|
|
455
455
|
if (t.length > 2) {
|
|
@@ -459,59 +459,59 @@ function ve(e, t) {
|
|
|
459
459
|
throw new TypeError(r);
|
|
460
460
|
}
|
|
461
461
|
}
|
|
462
|
-
function
|
|
462
|
+
function we(e, t, ...r) {
|
|
463
463
|
switch (t) {
|
|
464
464
|
case "HS256":
|
|
465
465
|
case "HS384":
|
|
466
466
|
case "HS512": {
|
|
467
|
-
if (!
|
|
468
|
-
throw
|
|
467
|
+
if (!z(e.algorithm, "HMAC"))
|
|
468
|
+
throw A("HMAC");
|
|
469
469
|
const n = parseInt(t.slice(2), 10);
|
|
470
|
-
if (
|
|
471
|
-
throw
|
|
470
|
+
if (M(e.algorithm.hash) !== n)
|
|
471
|
+
throw A(`SHA-${n}`, "algorithm.hash");
|
|
472
472
|
break;
|
|
473
473
|
}
|
|
474
474
|
case "RS256":
|
|
475
475
|
case "RS384":
|
|
476
476
|
case "RS512": {
|
|
477
|
-
if (!
|
|
478
|
-
throw
|
|
477
|
+
if (!z(e.algorithm, "RSASSA-PKCS1-v1_5"))
|
|
478
|
+
throw A("RSASSA-PKCS1-v1_5");
|
|
479
479
|
const n = parseInt(t.slice(2), 10);
|
|
480
|
-
if (
|
|
481
|
-
throw
|
|
480
|
+
if (M(e.algorithm.hash) !== n)
|
|
481
|
+
throw A(`SHA-${n}`, "algorithm.hash");
|
|
482
482
|
break;
|
|
483
483
|
}
|
|
484
484
|
case "PS256":
|
|
485
485
|
case "PS384":
|
|
486
486
|
case "PS512": {
|
|
487
|
-
if (!
|
|
488
|
-
throw
|
|
487
|
+
if (!z(e.algorithm, "RSA-PSS"))
|
|
488
|
+
throw A("RSA-PSS");
|
|
489
489
|
const n = parseInt(t.slice(2), 10);
|
|
490
|
-
if (
|
|
491
|
-
throw
|
|
490
|
+
if (M(e.algorithm.hash) !== n)
|
|
491
|
+
throw A(`SHA-${n}`, "algorithm.hash");
|
|
492
492
|
break;
|
|
493
493
|
}
|
|
494
494
|
case "EdDSA": {
|
|
495
495
|
if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
|
|
496
|
-
throw
|
|
496
|
+
throw A("Ed25519 or Ed448");
|
|
497
497
|
break;
|
|
498
498
|
}
|
|
499
499
|
case "ES256":
|
|
500
500
|
case "ES384":
|
|
501
501
|
case "ES512": {
|
|
502
|
-
if (!
|
|
503
|
-
throw
|
|
504
|
-
const n =
|
|
502
|
+
if (!z(e.algorithm, "ECDSA"))
|
|
503
|
+
throw A("ECDSA");
|
|
504
|
+
const n = ye(t);
|
|
505
505
|
if (e.algorithm.namedCurve !== n)
|
|
506
|
-
throw
|
|
506
|
+
throw A(n, "algorithm.namedCurve");
|
|
507
507
|
break;
|
|
508
508
|
}
|
|
509
509
|
default:
|
|
510
510
|
throw new TypeError("CryptoKey does not support this operation");
|
|
511
511
|
}
|
|
512
|
-
|
|
512
|
+
me(e, r);
|
|
513
513
|
}
|
|
514
|
-
function
|
|
514
|
+
function te(e, t, ...r) {
|
|
515
515
|
var n;
|
|
516
516
|
if (r.length > 2) {
|
|
517
517
|
const i = r.pop();
|
|
@@ -519,11 +519,11 @@ function ie(e, t, ...r) {
|
|
|
519
519
|
} else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
|
|
520
520
|
return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
|
|
521
521
|
}
|
|
522
|
-
const
|
|
523
|
-
function
|
|
524
|
-
return
|
|
522
|
+
const V = (e, ...t) => te("Key must be ", e, ...t);
|
|
523
|
+
function re(e, t, ...r) {
|
|
524
|
+
return te(`Key for the ${e} algorithm must be `, t, ...r);
|
|
525
525
|
}
|
|
526
|
-
const
|
|
526
|
+
const ie = (e) => ee(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", D = ["CryptoKey"], ve = (...e) => {
|
|
527
527
|
const t = e.filter(Boolean);
|
|
528
528
|
if (t.length === 0 || t.length === 1)
|
|
529
529
|
return !0;
|
|
@@ -542,11 +542,11 @@ const oe = (e) => re(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) ===
|
|
|
542
542
|
}
|
|
543
543
|
return !0;
|
|
544
544
|
};
|
|
545
|
-
function
|
|
545
|
+
function _e(e) {
|
|
546
546
|
return typeof e == "object" && e !== null;
|
|
547
547
|
}
|
|
548
|
-
function
|
|
549
|
-
if (!
|
|
548
|
+
function U(e) {
|
|
549
|
+
if (!_e(e) || Object.prototype.toString.call(e) !== "[object Object]")
|
|
550
550
|
return !1;
|
|
551
551
|
if (Object.getPrototypeOf(e) === null)
|
|
552
552
|
return !0;
|
|
@@ -555,14 +555,14 @@ function x(e) {
|
|
|
555
555
|
t = Object.getPrototypeOf(t);
|
|
556
556
|
return Object.getPrototypeOf(e) === t;
|
|
557
557
|
}
|
|
558
|
-
const
|
|
558
|
+
const Se = (e, t) => {
|
|
559
559
|
if (e.startsWith("RS") || e.startsWith("PS")) {
|
|
560
560
|
const { modulusLength: r } = t.algorithm;
|
|
561
561
|
if (typeof r != "number" || r < 2048)
|
|
562
562
|
throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
|
|
563
563
|
}
|
|
564
564
|
};
|
|
565
|
-
function
|
|
565
|
+
function Ce(e) {
|
|
566
566
|
let t, r;
|
|
567
567
|
switch (e.kty) {
|
|
568
568
|
case "RSA": {
|
|
@@ -634,43 +634,43 @@ function Ae(e) {
|
|
|
634
634
|
}
|
|
635
635
|
return { algorithm: t, keyUsages: r };
|
|
636
636
|
}
|
|
637
|
-
const
|
|
637
|
+
const ne = async (e) => {
|
|
638
638
|
if (!e.alg)
|
|
639
639
|
throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
|
|
640
|
-
const { algorithm: t, keyUsages: r } =
|
|
640
|
+
const { algorithm: t, keyUsages: r } = Ce(e), n = [
|
|
641
641
|
t,
|
|
642
642
|
e.ext ?? !1,
|
|
643
643
|
e.key_ops ?? r
|
|
644
644
|
], i = { ...e };
|
|
645
|
-
return delete i.alg, delete i.use,
|
|
646
|
-
},
|
|
647
|
-
let
|
|
648
|
-
const
|
|
645
|
+
return delete i.alg, delete i.use, H.subtle.importKey("jwk", i, ...n);
|
|
646
|
+
}, oe = (e) => O(e);
|
|
647
|
+
let $, L;
|
|
648
|
+
const se = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", ae = async (e, t, r, n) => {
|
|
649
649
|
let i = e.get(t);
|
|
650
650
|
if (i != null && i[n])
|
|
651
651
|
return i[n];
|
|
652
|
-
const o = await
|
|
652
|
+
const o = await ne({ ...r, alg: n });
|
|
653
653
|
return i ? i[n] = o : e.set(t, { [n]: o }), o;
|
|
654
|
-
},
|
|
655
|
-
if (
|
|
654
|
+
}, be = (e, t) => {
|
|
655
|
+
if (se(e)) {
|
|
656
656
|
let r = e.export({ format: "jwk" });
|
|
657
|
-
return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ?
|
|
657
|
+
return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? oe(r.k) : (L || (L = /* @__PURE__ */ new WeakMap()), ae(L, e, r, t));
|
|
658
658
|
}
|
|
659
659
|
return e;
|
|
660
|
-
},
|
|
661
|
-
if (
|
|
660
|
+
}, Ae = (e, t) => {
|
|
661
|
+
if (se(e)) {
|
|
662
662
|
let r = e.export({ format: "jwk" });
|
|
663
|
-
return r.k ?
|
|
663
|
+
return r.k ? oe(r.k) : ($ || ($ = /* @__PURE__ */ new WeakMap()), ae($, e, r, t));
|
|
664
664
|
}
|
|
665
665
|
return e;
|
|
666
|
-
},
|
|
666
|
+
}, ke = { normalizePublicKey: be, normalizePrivateKey: Ae }, T = (e, t, r = 0) => {
|
|
667
667
|
r === 0 && (t.unshift(t.length), t.unshift(6));
|
|
668
668
|
const n = e.indexOf(t[0], r);
|
|
669
669
|
if (n === -1)
|
|
670
670
|
return !1;
|
|
671
671
|
const i = e.subarray(n, n + t.length);
|
|
672
672
|
return i.length !== t.length ? !1 : i.every((o, s) => o === t[s]) || T(e, t, n + 1);
|
|
673
|
-
},
|
|
673
|
+
}, G = (e) => {
|
|
674
674
|
switch (!0) {
|
|
675
675
|
case T(e, [42, 134, 72, 206, 61, 3, 1, 7]):
|
|
676
676
|
return "P-256";
|
|
@@ -689,19 +689,19 @@ const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject",
|
|
|
689
689
|
default:
|
|
690
690
|
throw new b("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
|
|
691
691
|
}
|
|
692
|
-
},
|
|
692
|
+
}, ce = async (e, t, r, n, i) => {
|
|
693
693
|
let o, s;
|
|
694
|
-
const c = new Uint8Array(atob(r.replace(e, "")).split("").map((
|
|
694
|
+
const c = new Uint8Array(atob(r.replace(e, "")).split("").map((f) => f.charCodeAt(0))), d = t === "spki";
|
|
695
695
|
switch (n) {
|
|
696
696
|
case "PS256":
|
|
697
697
|
case "PS384":
|
|
698
698
|
case "PS512":
|
|
699
|
-
o = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, s =
|
|
699
|
+
o = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, s = d ? ["verify"] : ["sign"];
|
|
700
700
|
break;
|
|
701
701
|
case "RS256":
|
|
702
702
|
case "RS384":
|
|
703
703
|
case "RS512":
|
|
704
|
-
o = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, s =
|
|
704
|
+
o = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, s = d ? ["verify"] : ["sign"];
|
|
705
705
|
break;
|
|
706
706
|
case "RSA-OAEP":
|
|
707
707
|
case "RSA-OAEP-256":
|
|
@@ -710,81 +710,81 @@ const ce = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject",
|
|
|
710
710
|
o = {
|
|
711
711
|
name: "RSA-OAEP",
|
|
712
712
|
hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
|
|
713
|
-
}, s =
|
|
713
|
+
}, s = d ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
|
|
714
714
|
break;
|
|
715
715
|
case "ES256":
|
|
716
|
-
o = { name: "ECDSA", namedCurve: "P-256" }, s =
|
|
716
|
+
o = { name: "ECDSA", namedCurve: "P-256" }, s = d ? ["verify"] : ["sign"];
|
|
717
717
|
break;
|
|
718
718
|
case "ES384":
|
|
719
|
-
o = { name: "ECDSA", namedCurve: "P-384" }, s =
|
|
719
|
+
o = { name: "ECDSA", namedCurve: "P-384" }, s = d ? ["verify"] : ["sign"];
|
|
720
720
|
break;
|
|
721
721
|
case "ES512":
|
|
722
|
-
o = { name: "ECDSA", namedCurve: "P-521" }, s =
|
|
722
|
+
o = { name: "ECDSA", namedCurve: "P-521" }, s = d ? ["verify"] : ["sign"];
|
|
723
723
|
break;
|
|
724
724
|
case "ECDH-ES":
|
|
725
725
|
case "ECDH-ES+A128KW":
|
|
726
726
|
case "ECDH-ES+A192KW":
|
|
727
727
|
case "ECDH-ES+A256KW": {
|
|
728
|
-
const
|
|
729
|
-
o =
|
|
728
|
+
const f = G(c);
|
|
729
|
+
o = f.startsWith("P-") ? { name: "ECDH", namedCurve: f } : { name: f }, s = d ? [] : ["deriveBits"];
|
|
730
730
|
break;
|
|
731
731
|
}
|
|
732
732
|
case "EdDSA":
|
|
733
|
-
o = { name:
|
|
733
|
+
o = { name: G(c) }, s = d ? ["verify"] : ["sign"];
|
|
734
734
|
break;
|
|
735
735
|
default:
|
|
736
736
|
throw new b('Invalid or unsupported "alg" (Algorithm) value');
|
|
737
737
|
}
|
|
738
|
-
return
|
|
739
|
-
},
|
|
740
|
-
async function
|
|
738
|
+
return H.subtle.importKey(t, c, o, !1, s);
|
|
739
|
+
}, Ie = (e, t, r) => ce(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", e, t), Pe = (e, t, r) => ce(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
|
|
740
|
+
async function Te(e, t, r) {
|
|
741
741
|
if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
|
|
742
742
|
throw new TypeError('"spki" must be SPKI formatted string');
|
|
743
|
-
return
|
|
743
|
+
return Pe(e, t);
|
|
744
744
|
}
|
|
745
|
-
async function
|
|
745
|
+
async function Re(e, t, r) {
|
|
746
746
|
if (typeof e != "string" || e.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
|
|
747
747
|
throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
|
|
748
|
-
return
|
|
748
|
+
return Ie(e, t);
|
|
749
749
|
}
|
|
750
|
-
async function
|
|
751
|
-
if (!
|
|
750
|
+
async function Y(e, t) {
|
|
751
|
+
if (!U(e))
|
|
752
752
|
throw new TypeError("JWK must be an object");
|
|
753
753
|
switch (t || (t = e.alg), e.kty) {
|
|
754
754
|
case "oct":
|
|
755
755
|
if (typeof e.k != "string" || !e.k)
|
|
756
756
|
throw new TypeError('missing "k" (Key Value) Parameter value');
|
|
757
|
-
return
|
|
757
|
+
return O(e.k);
|
|
758
758
|
case "RSA":
|
|
759
759
|
if (e.oth !== void 0)
|
|
760
760
|
throw new b('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
|
|
761
761
|
case "EC":
|
|
762
762
|
case "OKP":
|
|
763
|
-
return
|
|
763
|
+
return ne({ ...e, alg: t });
|
|
764
764
|
default:
|
|
765
765
|
throw new b('Unsupported "kty" (Key Type) Parameter value');
|
|
766
766
|
}
|
|
767
767
|
}
|
|
768
|
-
const
|
|
768
|
+
const W = (e) => e == null ? void 0 : e[Symbol.toStringTag], Ee = (e, t) => {
|
|
769
769
|
if (!(t instanceof Uint8Array)) {
|
|
770
|
-
if (!
|
|
771
|
-
throw new TypeError(
|
|
770
|
+
if (!ie(t))
|
|
771
|
+
throw new TypeError(re(e, t, ...D, "Uint8Array"));
|
|
772
772
|
if (t.type !== "secret")
|
|
773
|
-
throw new TypeError(`${
|
|
773
|
+
throw new TypeError(`${W(t)} instances for symmetric algorithms must be of type "secret"`);
|
|
774
774
|
}
|
|
775
|
-
},
|
|
776
|
-
if (!
|
|
777
|
-
throw new TypeError(
|
|
775
|
+
}, Oe = (e, t, r) => {
|
|
776
|
+
if (!ie(t))
|
|
777
|
+
throw new TypeError(re(e, t, ...D));
|
|
778
778
|
if (t.type === "secret")
|
|
779
|
-
throw new TypeError(`${
|
|
779
|
+
throw new TypeError(`${W(t)} instances for asymmetric algorithms must not be of type "secret"`);
|
|
780
780
|
if (t.algorithm && r === "verify" && t.type === "private")
|
|
781
|
-
throw new TypeError(`${
|
|
781
|
+
throw new TypeError(`${W(t)} instances for asymmetric algorithm verifying must be of type "public"`);
|
|
782
782
|
if (t.algorithm && r === "encrypt" && t.type === "private")
|
|
783
|
-
throw new TypeError(`${
|
|
784
|
-
},
|
|
785
|
-
e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ?
|
|
783
|
+
throw new TypeError(`${W(t)} instances for asymmetric algorithm encryption must be of type "public"`);
|
|
784
|
+
}, Ke = (e, t, r) => {
|
|
785
|
+
e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? Ee(e, t) : Oe(e, t, r);
|
|
786
786
|
};
|
|
787
|
-
function
|
|
787
|
+
function Ue(e, t, r, n, i) {
|
|
788
788
|
if (i.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
|
|
789
789
|
throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
|
|
790
790
|
if (!n || n.crit === void 0)
|
|
@@ -803,7 +803,7 @@ function xe(e, t, r, n, i) {
|
|
|
803
803
|
}
|
|
804
804
|
return new Set(n.crit);
|
|
805
805
|
}
|
|
806
|
-
function
|
|
806
|
+
function Ne(e, t) {
|
|
807
807
|
const r = `SHA-${e.slice(-3)}`;
|
|
808
808
|
switch (e) {
|
|
809
809
|
case "HS256":
|
|
@@ -828,28 +828,28 @@ function ze(e, t) {
|
|
|
828
828
|
throw new b(`alg ${e} is not supported either by JOSE or your javascript runtime`);
|
|
829
829
|
}
|
|
830
830
|
}
|
|
831
|
-
async function
|
|
832
|
-
if (t = await
|
|
833
|
-
return
|
|
831
|
+
async function xe(e, t, r) {
|
|
832
|
+
if (t = await ke.normalizePublicKey(t, e), ee(t))
|
|
833
|
+
return we(t, e, r), t;
|
|
834
834
|
if (t instanceof Uint8Array) {
|
|
835
835
|
if (!e.startsWith("HS"))
|
|
836
|
-
throw new TypeError(
|
|
837
|
-
return
|
|
836
|
+
throw new TypeError(V(t, ...D));
|
|
837
|
+
return H.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
|
|
838
838
|
}
|
|
839
|
-
throw new TypeError(
|
|
839
|
+
throw new TypeError(V(t, ...D, "Uint8Array"));
|
|
840
840
|
}
|
|
841
|
-
const
|
|
842
|
-
const i = await
|
|
843
|
-
|
|
844
|
-
const o =
|
|
841
|
+
const ze = async (e, t, r, n) => {
|
|
842
|
+
const i = await xe(e, t, "verify");
|
|
843
|
+
Se(e, i);
|
|
844
|
+
const o = Ne(e, i.algorithm);
|
|
845
845
|
try {
|
|
846
|
-
return await
|
|
846
|
+
return await H.subtle.verify(o, i, r, n);
|
|
847
847
|
} catch {
|
|
848
848
|
return !1;
|
|
849
849
|
}
|
|
850
850
|
};
|
|
851
|
-
async function
|
|
852
|
-
if (!
|
|
851
|
+
async function We(e, t, r) {
|
|
852
|
+
if (!U(e))
|
|
853
853
|
throw new v("Flattened JWS must be an object");
|
|
854
854
|
if (e.protected === void 0 && e.header === void 0)
|
|
855
855
|
throw new v('Flattened JWS must have either of the "protected" or "header" members');
|
|
@@ -859,22 +859,22 @@ async function He(e, t, r) {
|
|
|
859
859
|
throw new v("JWS Payload missing");
|
|
860
860
|
if (typeof e.signature != "string")
|
|
861
861
|
throw new v("JWS Signature missing or incorrect type");
|
|
862
|
-
if (e.header !== void 0 && !
|
|
862
|
+
if (e.header !== void 0 && !U(e.header))
|
|
863
863
|
throw new v("JWS Unprotected Header incorrect type");
|
|
864
864
|
let n = {};
|
|
865
865
|
if (e.protected)
|
|
866
866
|
try {
|
|
867
|
-
const
|
|
868
|
-
n = JSON.parse(
|
|
867
|
+
const le = O(e.protected);
|
|
868
|
+
n = JSON.parse(N.decode(le));
|
|
869
869
|
} catch {
|
|
870
870
|
throw new v("JWS Protected Header is invalid");
|
|
871
871
|
}
|
|
872
|
-
if (!
|
|
872
|
+
if (!ve(n, e.header))
|
|
873
873
|
throw new v("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
|
|
874
874
|
const i = {
|
|
875
875
|
...n,
|
|
876
876
|
...e.header
|
|
877
|
-
}, o =
|
|
877
|
+
}, o = Ue(v, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, i);
|
|
878
878
|
let s = !0;
|
|
879
879
|
if (o.has("b64") && (s = n.b64, typeof s != "boolean"))
|
|
880
880
|
throw new v('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
|
|
@@ -886,39 +886,39 @@ async function He(e, t, r) {
|
|
|
886
886
|
throw new v("JWS Payload must be a string");
|
|
887
887
|
} else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
|
|
888
888
|
throw new v("JWS Payload must be a string or an Uint8Array instance");
|
|
889
|
-
let
|
|
890
|
-
typeof t == "function" && (t = await t(n, e),
|
|
891
|
-
const
|
|
892
|
-
let
|
|
889
|
+
let d = !1;
|
|
890
|
+
typeof t == "function" && (t = await t(n, e), d = !0), Ke(c, t, "verify");
|
|
891
|
+
const f = fe(x.encode(e.protected ?? ""), x.encode("."), typeof e.payload == "string" ? x.encode(e.payload) : e.payload);
|
|
892
|
+
let k;
|
|
893
893
|
try {
|
|
894
|
-
|
|
894
|
+
k = O(e.signature);
|
|
895
895
|
} catch {
|
|
896
896
|
throw new v("Failed to base64url decode the signature");
|
|
897
897
|
}
|
|
898
|
-
if (!await
|
|
899
|
-
throw new
|
|
900
|
-
let
|
|
898
|
+
if (!await ze(c, t, k, f))
|
|
899
|
+
throw new ge();
|
|
900
|
+
let S;
|
|
901
901
|
if (s)
|
|
902
902
|
try {
|
|
903
|
-
|
|
903
|
+
S = O(e.payload);
|
|
904
904
|
} catch {
|
|
905
905
|
throw new v("Failed to base64url decode the payload");
|
|
906
906
|
}
|
|
907
|
-
else typeof e.payload == "string" ?
|
|
908
|
-
const
|
|
909
|
-
return e.protected !== void 0 && (
|
|
907
|
+
else typeof e.payload == "string" ? S = x.encode(e.payload) : S = e.payload;
|
|
908
|
+
const I = { payload: S };
|
|
909
|
+
return e.protected !== void 0 && (I.protectedHeader = n), e.header !== void 0 && (I.unprotectedHeader = e.header), d ? { ...I, key: t } : I;
|
|
910
910
|
}
|
|
911
|
-
async function
|
|
912
|
-
if (e instanceof Uint8Array && (e =
|
|
911
|
+
async function De(e, t, r) {
|
|
912
|
+
if (e instanceof Uint8Array && (e = N.decode(e)), typeof e != "string")
|
|
913
913
|
throw new v("Compact JWS must be a string or Uint8Array");
|
|
914
914
|
const { 0: n, 1: i, 2: o, length: s } = e.split(".");
|
|
915
915
|
if (s !== 3)
|
|
916
916
|
throw new v("Invalid Compact JWS");
|
|
917
|
-
const c = await
|
|
918
|
-
return typeof t == "function" ? { ...
|
|
917
|
+
const c = await We({ payload: i, protected: n, signature: o }, t, r), d = { payload: c.payload, protectedHeader: c.protectedHeader };
|
|
918
|
+
return typeof t == "function" ? { ...d, key: c.key } : d;
|
|
919
919
|
}
|
|
920
|
-
const
|
|
921
|
-
function
|
|
920
|
+
const de = O;
|
|
921
|
+
function X(e) {
|
|
922
922
|
let t;
|
|
923
923
|
if (typeof e == "string") {
|
|
924
924
|
const r = e.split(".");
|
|
@@ -931,41 +931,41 @@ function qe(e) {
|
|
|
931
931
|
try {
|
|
932
932
|
if (typeof t != "string" || !t)
|
|
933
933
|
throw new Error();
|
|
934
|
-
const r = JSON.parse(
|
|
935
|
-
if (!
|
|
934
|
+
const r = JSON.parse(N.decode(de(t)));
|
|
935
|
+
if (!U(r))
|
|
936
936
|
throw new Error();
|
|
937
937
|
return r;
|
|
938
938
|
} catch {
|
|
939
939
|
throw new TypeError("Invalid Token or Protected Header formatting");
|
|
940
940
|
}
|
|
941
941
|
}
|
|
942
|
-
function
|
|
942
|
+
function He(e) {
|
|
943
943
|
if (typeof e != "string")
|
|
944
|
-
throw new
|
|
944
|
+
throw new R("JWTs must use Compact JWS serialization, JWT must be a string");
|
|
945
945
|
const { 1: t, length: r } = e.split(".");
|
|
946
946
|
if (r === 5)
|
|
947
|
-
throw new
|
|
947
|
+
throw new R("Only JWTs using Compact JWS serialization can be decoded");
|
|
948
948
|
if (r !== 3)
|
|
949
|
-
throw new
|
|
949
|
+
throw new R("Invalid JWT");
|
|
950
950
|
if (!t)
|
|
951
|
-
throw new
|
|
951
|
+
throw new R("JWTs must contain a payload");
|
|
952
952
|
let n;
|
|
953
953
|
try {
|
|
954
|
-
n =
|
|
954
|
+
n = de(t);
|
|
955
955
|
} catch {
|
|
956
|
-
throw new
|
|
956
|
+
throw new R("Failed to base64url decode the payload");
|
|
957
957
|
}
|
|
958
958
|
let i;
|
|
959
959
|
try {
|
|
960
|
-
i = JSON.parse(
|
|
960
|
+
i = JSON.parse(N.decode(n));
|
|
961
961
|
} catch {
|
|
962
|
-
throw new
|
|
962
|
+
throw new R("Failed to parse the decoded payload as JSON");
|
|
963
963
|
}
|
|
964
|
-
if (!
|
|
965
|
-
throw new
|
|
964
|
+
if (!U(i))
|
|
965
|
+
throw new R("Invalid JWT Claims Set");
|
|
966
966
|
return i;
|
|
967
967
|
}
|
|
968
|
-
const
|
|
968
|
+
const h = class h {
|
|
969
969
|
/**
|
|
970
970
|
* Returns a user-friendly name for the given flow strings.
|
|
971
971
|
*
|
|
@@ -976,7 +976,7 @@ const d = class d {
|
|
|
976
976
|
static flowNames(t) {
|
|
977
977
|
let r = {};
|
|
978
978
|
return t.forEach((n) => {
|
|
979
|
-
n in
|
|
979
|
+
n in h.flowName && (r[n] = h.flowName[n]);
|
|
980
980
|
}), r;
|
|
981
981
|
}
|
|
982
982
|
/**
|
|
@@ -985,7 +985,7 @@ const d = class d {
|
|
|
985
985
|
* @returns true or false.
|
|
986
986
|
*/
|
|
987
987
|
static isValidFlow(t) {
|
|
988
|
-
return
|
|
988
|
+
return h.allFlows().includes(t);
|
|
989
989
|
}
|
|
990
990
|
/**
|
|
991
991
|
* Returns true only if all given strings are valid flows
|
|
@@ -995,19 +995,19 @@ const d = class d {
|
|
|
995
995
|
static areAllValidFlows(t) {
|
|
996
996
|
let r = !0;
|
|
997
997
|
return t.forEach((n) => {
|
|
998
|
-
|
|
998
|
+
h.isValidFlow(n) || (r = !1);
|
|
999
999
|
}), r;
|
|
1000
1000
|
}
|
|
1001
1001
|
static allFlows() {
|
|
1002
1002
|
return [
|
|
1003
|
-
|
|
1004
|
-
|
|
1005
|
-
|
|
1006
|
-
|
|
1007
|
-
|
|
1008
|
-
|
|
1009
|
-
|
|
1010
|
-
|
|
1003
|
+
h.AuthorizationCode,
|
|
1004
|
+
h.AuthorizationCodeWithPKCE,
|
|
1005
|
+
h.ClientCredentials,
|
|
1006
|
+
h.RefreshToken,
|
|
1007
|
+
h.DeviceCode,
|
|
1008
|
+
h.Password,
|
|
1009
|
+
h.PasswordMfa,
|
|
1010
|
+
h.OidcAuthorizationCode
|
|
1011
1011
|
];
|
|
1012
1012
|
}
|
|
1013
1013
|
/**
|
|
@@ -1018,52 +1018,52 @@ const d = class d {
|
|
|
1018
1018
|
*/
|
|
1019
1019
|
static grantType(t) {
|
|
1020
1020
|
switch (t) {
|
|
1021
|
-
case
|
|
1022
|
-
case
|
|
1023
|
-
case
|
|
1021
|
+
case h.AuthorizationCode:
|
|
1022
|
+
case h.AuthorizationCodeWithPKCE:
|
|
1023
|
+
case h.OidcAuthorizationCode:
|
|
1024
1024
|
return ["authorization_code"];
|
|
1025
|
-
case
|
|
1025
|
+
case h.ClientCredentials:
|
|
1026
1026
|
return ["client_credentials"];
|
|
1027
|
-
case
|
|
1027
|
+
case h.RefreshToken:
|
|
1028
1028
|
return ["refresh_token"];
|
|
1029
|
-
case
|
|
1029
|
+
case h.Password:
|
|
1030
1030
|
return ["password"];
|
|
1031
|
-
case
|
|
1031
|
+
case h.PasswordMfa:
|
|
1032
1032
|
return ["http://auth0.com/oauth/grant-type/mfa-otp", "http://auth0.com/oauth/grant-type/mfa-oob"];
|
|
1033
|
-
case
|
|
1033
|
+
case h.DeviceCode:
|
|
1034
1034
|
return ["urn:ietf:params:oauth:grant-type:device_code"];
|
|
1035
1035
|
}
|
|
1036
1036
|
}
|
|
1037
1037
|
};
|
|
1038
1038
|
/** All flows are allowed */
|
|
1039
|
-
a(
|
|
1040
|
-
a(
|
|
1041
|
-
a(
|
|
1042
|
-
a(
|
|
1043
|
-
a(
|
|
1044
|
-
a(
|
|
1045
|
-
a(
|
|
1046
|
-
a(
|
|
1039
|
+
a(h, "All", "all"), /** OAuth authorization code flow (without PKCE) */
|
|
1040
|
+
a(h, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
|
|
1041
|
+
a(h, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
|
|
1042
|
+
a(h, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
|
|
1043
|
+
a(h, "RefreshToken", "refreshToken"), /** OAuth device code flow */
|
|
1044
|
+
a(h, "DeviceCode", "deviceCode"), /** OAuth password flow */
|
|
1045
|
+
a(h, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
|
|
1046
|
+
a(h, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
|
|
1047
1047
|
* PKCE.
|
|
1048
1048
|
*/
|
|
1049
|
-
a(
|
|
1049
|
+
a(h, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
|
|
1050
1050
|
*
|
|
1051
1051
|
* For example, if you pass "authorizationCode"
|
|
1052
1052
|
* (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
|
|
1053
1053
|
*/
|
|
1054
|
-
a(
|
|
1055
|
-
[
|
|
1056
|
-
[
|
|
1057
|
-
[
|
|
1058
|
-
[
|
|
1059
|
-
[
|
|
1060
|
-
[
|
|
1061
|
-
[
|
|
1062
|
-
[
|
|
1054
|
+
a(h, "flowName", {
|
|
1055
|
+
[h.AuthorizationCode]: "Authorization Code",
|
|
1056
|
+
[h.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
|
|
1057
|
+
[h.ClientCredentials]: "Client Credentials",
|
|
1058
|
+
[h.RefreshToken]: "Refresh Token",
|
|
1059
|
+
[h.DeviceCode]: "Device Code",
|
|
1060
|
+
[h.Password]: "Password",
|
|
1061
|
+
[h.PasswordMfa]: "Password MFA",
|
|
1062
|
+
[h.OidcAuthorizationCode]: "OIDC Authorization Code"
|
|
1063
1063
|
});
|
|
1064
|
-
let
|
|
1065
|
-
var w, _
|
|
1066
|
-
class
|
|
1064
|
+
let Q = h;
|
|
1065
|
+
var w, _;
|
|
1066
|
+
class qe {
|
|
1067
1067
|
/**
|
|
1068
1068
|
* Constructor.
|
|
1069
1069
|
*
|
|
@@ -1099,20 +1099,17 @@ class Be {
|
|
|
1099
1099
|
codeChallengeMethod: o,
|
|
1100
1100
|
stateLength: s,
|
|
1101
1101
|
verifierLength: c,
|
|
1102
|
-
tokenConsumer:
|
|
1103
|
-
authServerCredentials:
|
|
1104
|
-
authServerMode:
|
|
1105
|
-
authServerHeaders:
|
|
1102
|
+
tokenConsumer: d,
|
|
1103
|
+
authServerCredentials: f,
|
|
1104
|
+
authServerMode: k,
|
|
1105
|
+
authServerHeaders: E
|
|
1106
1106
|
}) {
|
|
1107
1107
|
a(this, "authServerBaseUrl", "");
|
|
1108
|
-
|
|
1109
|
-
|
|
1110
|
-
K(this, U);
|
|
1108
|
+
F(this, w);
|
|
1109
|
+
F(this, _);
|
|
1111
1110
|
a(this, "codeChallengeMethod", "S256");
|
|
1112
|
-
K(this, R);
|
|
1113
1111
|
a(this, "verifierLength", 32);
|
|
1114
1112
|
a(this, "redirect_uri");
|
|
1115
|
-
K(this, E, "");
|
|
1116
1113
|
a(this, "stateLength", 32);
|
|
1117
1114
|
a(this, "authzCode", "");
|
|
1118
1115
|
a(this, "oidcConfig");
|
|
@@ -1120,22 +1117,16 @@ class Be {
|
|
|
1120
1117
|
a(this, "authServerHeaders", {});
|
|
1121
1118
|
a(this, "authServerMode");
|
|
1122
1119
|
a(this, "authServerCredentials");
|
|
1123
|
-
|
|
1120
|
+
a(this, "oauthPostType", "json");
|
|
1121
|
+
a(this, "oauthLogFetch", !1);
|
|
1122
|
+
a(this, "oauthUseUserInfoEndpoint", !1);
|
|
1123
|
+
this.tokenConsumer = d, this.authServerBaseUrl = t, c && (this.verifierLength = c), s && (this.stateLength = s), r && K(this, w, r), n && K(this, _, n), i && (this.redirect_uri = i), o && (this.codeChallengeMethod = o), this.authServerBaseUrl = t, f && (this.authServerCredentials = f), k && (this.authServerMode = k), E && (this.authServerHeaders = E);
|
|
1124
1124
|
}
|
|
1125
1125
|
set client_id(t) {
|
|
1126
|
-
|
|
1126
|
+
K(this, w, t);
|
|
1127
1127
|
}
|
|
1128
1128
|
set client_secret(t) {
|
|
1129
|
-
|
|
1130
|
-
}
|
|
1131
|
-
set codeVerifier(t) {
|
|
1132
|
-
S(this, R, t);
|
|
1133
|
-
}
|
|
1134
|
-
set codeChallenge(t) {
|
|
1135
|
-
S(this, U, t);
|
|
1136
|
-
}
|
|
1137
|
-
set state(t) {
|
|
1138
|
-
S(this, E, t);
|
|
1129
|
+
K(this, _, t);
|
|
1139
1130
|
}
|
|
1140
1131
|
/**
|
|
1141
1132
|
* Loads OpenID Connect configuration so that the client can determine
|
|
@@ -1150,7 +1141,7 @@ class Be {
|
|
|
1150
1141
|
*/
|
|
1151
1142
|
async loadConfig(t) {
|
|
1152
1143
|
if (t) {
|
|
1153
|
-
l.logger.debug(
|
|
1144
|
+
l.logger.debug(u({ msg: "Reading OIDC config locally" })), this.oidcConfig = t;
|
|
1154
1145
|
return;
|
|
1155
1146
|
}
|
|
1156
1147
|
let r;
|
|
@@ -1158,18 +1149,18 @@ class Be {
|
|
|
1158
1149
|
const n = new URL(
|
|
1159
1150
|
this.authServerBaseUrl + "/.well-known/openid-configuration"
|
|
1160
1151
|
);
|
|
1161
|
-
l.logger.debug(
|
|
1152
|
+
l.logger.debug(u({ msg: `Fetching OIDC config from ${n}` }));
|
|
1162
1153
|
let i = { headers: this.authServerHeaders };
|
|
1163
1154
|
this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), r = await fetch(n, i);
|
|
1164
1155
|
} catch (n) {
|
|
1165
|
-
l.logger.error(
|
|
1156
|
+
l.logger.error(u({ err: n }));
|
|
1166
1157
|
}
|
|
1167
1158
|
if (!r || !r.ok)
|
|
1168
1159
|
throw new g(
|
|
1169
1160
|
y.Connection,
|
|
1170
1161
|
"Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
|
|
1171
1162
|
);
|
|
1172
|
-
this.oidcConfig = { ...
|
|
1163
|
+
this.oidcConfig = { ...Z };
|
|
1173
1164
|
try {
|
|
1174
1165
|
const n = await r.json();
|
|
1175
1166
|
for (const [i, o] of Object.entries(n))
|
|
@@ -1203,19 +1194,19 @@ class Be {
|
|
|
1203
1194
|
* - `error_description` friendly error message or undefined
|
|
1204
1195
|
* if no error
|
|
1205
1196
|
*/
|
|
1206
|
-
async startAuthorizationCodeFlow(t, r = !1) {
|
|
1207
|
-
var
|
|
1208
|
-
if (l.logger.debug(
|
|
1197
|
+
async startAuthorizationCodeFlow(t, r, n, i = !1) {
|
|
1198
|
+
var c, d, f;
|
|
1199
|
+
if (l.logger.debug(u({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((c = this.oidcConfig) != null && c.response_types_supported.includes("code")) || !((d = this.oidcConfig) != null && d.response_modes_supported.includes("query")))
|
|
1209
1200
|
return {
|
|
1210
1201
|
error: "invalid_request",
|
|
1211
1202
|
error_description: "Server does not support authorization code flow"
|
|
1212
1203
|
};
|
|
1213
|
-
if (!((
|
|
1204
|
+
if (!((f = this.oidcConfig) != null && f.authorization_endpoint))
|
|
1214
1205
|
return {
|
|
1215
1206
|
error: "server_error",
|
|
1216
1207
|
error_description: "Cannot get authorize endpoint"
|
|
1217
1208
|
};
|
|
1218
|
-
if (
|
|
1209
|
+
if (!p(this, w)) return {
|
|
1219
1210
|
error: "invalid_request",
|
|
1220
1211
|
error_description: "Cannot make authorization code flow without client id"
|
|
1221
1212
|
};
|
|
@@ -1223,8 +1214,30 @@ class Be {
|
|
|
1223
1214
|
error: "invalid_request",
|
|
1224
1215
|
error_description: "Cannot make authorization code flow without Redirect Uri"
|
|
1225
1216
|
};
|
|
1226
|
-
let
|
|
1227
|
-
return
|
|
1217
|
+
let s = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(p(this, w)) + "&state=" + encodeURIComponent(t) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
|
|
1218
|
+
return r && (s += "&scope=" + encodeURIComponent(r)), i && n && (s += "&code_challenge=" + n), { url: s };
|
|
1219
|
+
}
|
|
1220
|
+
async codeChallengeAndVerifier() {
|
|
1221
|
+
const t = this.randomValue(this.verifierLength);
|
|
1222
|
+
return { codeChallenge: this.codeChallengeMethod == "plain" ? t : await this.sha256(t), codeVerifier: t };
|
|
1223
|
+
}
|
|
1224
|
+
async getIdPayload(t, r) {
|
|
1225
|
+
let n, i;
|
|
1226
|
+
try {
|
|
1227
|
+
let o;
|
|
1228
|
+
if (o = await this.validateIdToken(t), !o)
|
|
1229
|
+
return n = "access_denied", i = "Invalid ID token received", { error: n, error_description: i };
|
|
1230
|
+
if (r && this.oauthUseUserInfoEndpoint) {
|
|
1231
|
+
const s = await this.userInfoEndpoint(r);
|
|
1232
|
+
if (s.error)
|
|
1233
|
+
return n = s.error, i = "Failed getting user info: " + (s.error_description ?? "unknown error"), { error: n, error_description: i };
|
|
1234
|
+
o = { ...o, ...s };
|
|
1235
|
+
}
|
|
1236
|
+
return { payload: o };
|
|
1237
|
+
} catch (o) {
|
|
1238
|
+
const s = g.asCrossauthError(o);
|
|
1239
|
+
return l.logger.debug(u({ err: s })), l.logger.error(u({ msg: "Couldn't get user info", cerr: s })), n = s.oauthErrorCode, i = "Couldn't get user info: " + s.message, { error: n, error_description: i };
|
|
1240
|
+
}
|
|
1228
1241
|
}
|
|
1229
1242
|
/**
|
|
1230
1243
|
* This implements the functionality behind the redirect URI
|
|
@@ -1246,36 +1259,41 @@ class Be {
|
|
|
1246
1259
|
* @returns The {@link OAuthTokenResponse} from the `token` endpoint
|
|
1247
1260
|
* request, or `error` and `error_description`.
|
|
1248
1261
|
*/
|
|
1249
|
-
async redirectEndpoint(t, r, n, i) {
|
|
1250
|
-
var
|
|
1251
|
-
if (this.oidcConfig || await this.loadConfig(),
|
|
1252
|
-
return
|
|
1253
|
-
if (
|
|
1254
|
-
return { error: "access_denied", error_description: "State is not valid" };
|
|
1255
|
-
if (this.authzCode = t, !((p = this.oidcConfig) != null && p.grant_types_supported.includes("authorization_code")))
|
|
1262
|
+
async redirectEndpoint(t, r, n, i, o) {
|
|
1263
|
+
var k, E;
|
|
1264
|
+
if (this.oidcConfig || await this.loadConfig(), i || !t)
|
|
1265
|
+
return i || (i = "server_error"), o || (o = "Unknown error"), { error: i, error_description: o };
|
|
1266
|
+
if (this.authzCode = t, !((k = this.oidcConfig) != null && k.grant_types_supported.includes("authorization_code")))
|
|
1256
1267
|
return {
|
|
1257
1268
|
error: "invalid_request",
|
|
1258
1269
|
error_description: "Server does not support authorization code grant"
|
|
1259
1270
|
};
|
|
1260
|
-
if (!((
|
|
1271
|
+
if (!((E = this.oidcConfig) != null && E.token_endpoint))
|
|
1261
1272
|
return {
|
|
1262
1273
|
error: "server_error",
|
|
1263
1274
|
error_description: "Cannot get token endpoint"
|
|
1264
1275
|
};
|
|
1265
|
-
const
|
|
1266
|
-
let
|
|
1267
|
-
|
|
1268
|
-
let
|
|
1269
|
-
grant_type:
|
|
1270
|
-
client_id:
|
|
1271
|
-
code: this.authzCode
|
|
1276
|
+
const s = this.oidcConfig.token_endpoint;
|
|
1277
|
+
let c, d;
|
|
1278
|
+
c = "authorization_code", d = p(this, _);
|
|
1279
|
+
let f = {
|
|
1280
|
+
grant_type: c,
|
|
1281
|
+
client_id: p(this, w),
|
|
1282
|
+
code: this.authzCode,
|
|
1283
|
+
redirect_uri: this.redirect_uri
|
|
1272
1284
|
};
|
|
1273
|
-
|
|
1285
|
+
r && (f.scope = r), d && (f.client_secret = d), n && (f.code_verifier = n);
|
|
1274
1286
|
try {
|
|
1275
|
-
|
|
1276
|
-
|
|
1277
|
-
|
|
1278
|
-
|
|
1287
|
+
let S = await this.post(s, f, this.authServerHeaders);
|
|
1288
|
+
if (S.id_token) {
|
|
1289
|
+
const I = await this.getIdPayload(S.id_token, S.access_token);
|
|
1290
|
+
if (I.error)
|
|
1291
|
+
return I;
|
|
1292
|
+
S.id_payload = I.payload;
|
|
1293
|
+
}
|
|
1294
|
+
return S;
|
|
1295
|
+
} catch (S) {
|
|
1296
|
+
return l.logger.error(u({ err: S })), {
|
|
1279
1297
|
error: "server_error",
|
|
1280
1298
|
error_description: "Unable to get access token from server"
|
|
1281
1299
|
};
|
|
@@ -1297,28 +1315,35 @@ class Be {
|
|
|
1297
1315
|
*/
|
|
1298
1316
|
async clientCredentialsFlow(t) {
|
|
1299
1317
|
var i, o;
|
|
1300
|
-
if (l.logger.debug(
|
|
1318
|
+
if (l.logger.debug(u({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("client_credentials")))
|
|
1301
1319
|
return {
|
|
1302
1320
|
error: "invalid_request",
|
|
1303
1321
|
error_description: "Server does not support client credentials grant"
|
|
1304
1322
|
};
|
|
1305
1323
|
if (!((o = this.oidcConfig) != null && o.token_endpoint))
|
|
1306
1324
|
return { error: "server_error", error_description: "Cannot get token endpoint" };
|
|
1307
|
-
if (!
|
|
1325
|
+
if (!p(this, w)) return {
|
|
1308
1326
|
error: "invalid_request",
|
|
1309
1327
|
error_description: "Cannot make client credentials flow without client id"
|
|
1310
1328
|
};
|
|
1311
1329
|
const r = this.oidcConfig.token_endpoint;
|
|
1312
1330
|
let n = {
|
|
1313
1331
|
grant_type: "client_credentials",
|
|
1314
|
-
client_id:
|
|
1315
|
-
client_secret:
|
|
1332
|
+
client_id: p(this, w),
|
|
1333
|
+
client_secret: p(this, _)
|
|
1316
1334
|
};
|
|
1317
1335
|
t && (n.scope = t);
|
|
1318
1336
|
try {
|
|
1319
|
-
|
|
1337
|
+
let s = await this.post(r, n, this.authServerHeaders);
|
|
1338
|
+
if (s.id_token) {
|
|
1339
|
+
const c = await this.getIdPayload(s.id_token, s.access_token);
|
|
1340
|
+
if (c.error)
|
|
1341
|
+
return c;
|
|
1342
|
+
s.id_payload = c.payload;
|
|
1343
|
+
}
|
|
1344
|
+
return s;
|
|
1320
1345
|
} catch (s) {
|
|
1321
|
-
return l.logger.error(
|
|
1346
|
+
return l.logger.error(u({ err: s })), {
|
|
1322
1347
|
error: "server_error",
|
|
1323
1348
|
error_description: "Error connecting to authorization server"
|
|
1324
1349
|
};
|
|
@@ -1341,7 +1366,7 @@ class Be {
|
|
|
1341
1366
|
*/
|
|
1342
1367
|
async passwordFlow(t, r, n) {
|
|
1343
1368
|
var s, c;
|
|
1344
|
-
if (l.logger.debug(
|
|
1369
|
+
if (l.logger.debug(u({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("password")))
|
|
1345
1370
|
return {
|
|
1346
1371
|
error: "invalid_request",
|
|
1347
1372
|
error_description: "Server does not support password grant"
|
|
@@ -1354,17 +1379,23 @@ class Be {
|
|
|
1354
1379
|
const i = this.oidcConfig.token_endpoint;
|
|
1355
1380
|
let o = {
|
|
1356
1381
|
grant_type: "password",
|
|
1357
|
-
client_id:
|
|
1358
|
-
client_secret:
|
|
1382
|
+
client_id: p(this, w),
|
|
1383
|
+
client_secret: p(this, _),
|
|
1359
1384
|
username: t,
|
|
1360
1385
|
password: r
|
|
1361
1386
|
};
|
|
1362
1387
|
n && (o.scope = n);
|
|
1363
1388
|
try {
|
|
1364
|
-
let
|
|
1365
|
-
|
|
1366
|
-
|
|
1367
|
-
|
|
1389
|
+
let d = await this.post(i, o, this.authServerHeaders);
|
|
1390
|
+
if (d.id_token) {
|
|
1391
|
+
const f = await this.getIdPayload(d.id_token, d.access_token);
|
|
1392
|
+
if (f.error)
|
|
1393
|
+
return f;
|
|
1394
|
+
d.id_payload = f.payload;
|
|
1395
|
+
}
|
|
1396
|
+
return d;
|
|
1397
|
+
} catch (d) {
|
|
1398
|
+
return l.logger.error(u({ err: d })), {
|
|
1368
1399
|
error: "server_error",
|
|
1369
1400
|
error_description: "Error connecting to authorization server"
|
|
1370
1401
|
};
|
|
@@ -1385,7 +1416,7 @@ class Be {
|
|
|
1385
1416
|
*/
|
|
1386
1417
|
async mfaAuthenticators(t) {
|
|
1387
1418
|
var o, s, c;
|
|
1388
|
-
if (l.logger.debug(
|
|
1419
|
+
if (l.logger.debug(u({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && ((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
|
|
1389
1420
|
return {
|
|
1390
1421
|
error: "invalid_request",
|
|
1391
1422
|
error_description: "Server does not support password_mfa grant"
|
|
@@ -1399,19 +1430,19 @@ class Be {
|
|
|
1399
1430
|
error_description: "Expected array of authenticators in mfa/authenticators response"
|
|
1400
1431
|
};
|
|
1401
1432
|
let i = [];
|
|
1402
|
-
for (let
|
|
1403
|
-
const
|
|
1404
|
-
if (!
|
|
1433
|
+
for (let d = 0; d < n.length; ++d) {
|
|
1434
|
+
const f = n[d];
|
|
1435
|
+
if (!f.id || !f.authenticator_type || !f.active)
|
|
1405
1436
|
return {
|
|
1406
1437
|
error: "server_error",
|
|
1407
1438
|
error_description: "Invalid mfa/authenticators response"
|
|
1408
1439
|
};
|
|
1409
1440
|
i.push({
|
|
1410
|
-
id:
|
|
1411
|
-
authenticator_type:
|
|
1412
|
-
active:
|
|
1413
|
-
name:
|
|
1414
|
-
oob_channel:
|
|
1441
|
+
id: f.id,
|
|
1442
|
+
authenticator_type: f.authenticator_type,
|
|
1443
|
+
active: f.active,
|
|
1444
|
+
name: f.name,
|
|
1445
|
+
oob_channel: f.oob_channel
|
|
1415
1446
|
});
|
|
1416
1447
|
}
|
|
1417
1448
|
return { authenticators: i };
|
|
@@ -1430,7 +1461,7 @@ class Be {
|
|
|
1430
1461
|
*/
|
|
1431
1462
|
async mfaOtpRequest(t, r) {
|
|
1432
1463
|
var o, s;
|
|
1433
|
-
if (l.logger.debug(
|
|
1464
|
+
if (l.logger.debug(u({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1434
1465
|
return {
|
|
1435
1466
|
error: "invalid_request",
|
|
1436
1467
|
error_description: "Server does not support password_mfa grant"
|
|
@@ -1438,8 +1469,8 @@ class Be {
|
|
|
1438
1469
|
if (!((s = this.oidcConfig) != null && s.issuer))
|
|
1439
1470
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1440
1471
|
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
|
|
1441
|
-
client_id:
|
|
1442
|
-
client_secret:
|
|
1472
|
+
client_id: p(this, w),
|
|
1473
|
+
client_secret: p(this, _),
|
|
1443
1474
|
challenge_type: "otp",
|
|
1444
1475
|
mfa_token: t,
|
|
1445
1476
|
authenticator_id: r
|
|
@@ -1468,7 +1499,7 @@ class Be {
|
|
|
1468
1499
|
*/
|
|
1469
1500
|
async mfaOtpComplete(t, r, n) {
|
|
1470
1501
|
var s, c;
|
|
1471
|
-
if (l.logger.debug(
|
|
1502
|
+
if (l.logger.debug(u({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1472
1503
|
return {
|
|
1473
1504
|
error: "invalid_request",
|
|
1474
1505
|
error_description: "Server does not support password_mfa grant"
|
|
@@ -1477,13 +1508,19 @@ class Be {
|
|
|
1477
1508
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1478
1509
|
const i = this.oidcConfig.token_endpoint, o = await this.post(i, {
|
|
1479
1510
|
grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
|
|
1480
|
-
client_id:
|
|
1481
|
-
client_secret:
|
|
1511
|
+
client_id: p(this, w),
|
|
1512
|
+
client_secret: p(this, _),
|
|
1482
1513
|
challenge_type: "otp",
|
|
1483
1514
|
mfa_token: t,
|
|
1484
1515
|
otp: r,
|
|
1485
1516
|
scope: n
|
|
1486
1517
|
}, this.authServerHeaders);
|
|
1518
|
+
if (o.id_token) {
|
|
1519
|
+
const d = await this.getIdPayload(o.id_token, o.access_token);
|
|
1520
|
+
if (d.error)
|
|
1521
|
+
return d;
|
|
1522
|
+
o.id_payload = d.payload;
|
|
1523
|
+
}
|
|
1487
1524
|
return {
|
|
1488
1525
|
id_token: o.id_token,
|
|
1489
1526
|
access_token: o.access_token,
|
|
@@ -1515,7 +1552,7 @@ class Be {
|
|
|
1515
1552
|
*/
|
|
1516
1553
|
async mfaOobRequest(t, r) {
|
|
1517
1554
|
var o, s;
|
|
1518
|
-
if (l.logger.debug(
|
|
1555
|
+
if (l.logger.debug(u({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1519
1556
|
return {
|
|
1520
1557
|
error: "invalid_request",
|
|
1521
1558
|
error_description: "Server does not support password_mfa grant"
|
|
@@ -1523,8 +1560,8 @@ class Be {
|
|
|
1523
1560
|
if (!((s = this.oidcConfig) != null && s.issuer))
|
|
1524
1561
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1525
1562
|
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
|
|
1526
|
-
client_id:
|
|
1527
|
-
client_secret:
|
|
1563
|
+
client_id: p(this, w),
|
|
1564
|
+
client_secret: p(this, _),
|
|
1528
1565
|
challenge_type: "oob",
|
|
1529
1566
|
mfa_token: t,
|
|
1530
1567
|
authenticator_id: r
|
|
@@ -1549,28 +1586,36 @@ class Be {
|
|
|
1549
1586
|
* an error instead of the response fields.
|
|
1550
1587
|
*/
|
|
1551
1588
|
async mfaOobComplete(t, r, n, i) {
|
|
1552
|
-
var c,
|
|
1553
|
-
if (l.logger.debug(
|
|
1589
|
+
var c, d;
|
|
1590
|
+
if (l.logger.debug(u({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((c = this.oidcConfig) != null && c.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
|
|
1554
1591
|
return {
|
|
1555
1592
|
error: "invalid_request",
|
|
1556
1593
|
error_description: "Server does not support password_mfa grant"
|
|
1557
1594
|
};
|
|
1558
|
-
if (!((
|
|
1595
|
+
if (!((d = this.oidcConfig) != null && d.issuer))
|
|
1559
1596
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1560
1597
|
const o = this.oidcConfig.token_endpoint, s = await this.post(o, {
|
|
1561
1598
|
grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
|
|
1562
|
-
client_id:
|
|
1563
|
-
client_secret:
|
|
1599
|
+
client_id: p(this, w),
|
|
1600
|
+
client_secret: p(this, _),
|
|
1564
1601
|
challenge_type: "otp",
|
|
1565
1602
|
mfa_token: t,
|
|
1566
1603
|
oob_code: r,
|
|
1567
1604
|
binding_code: n,
|
|
1568
1605
|
scope: i
|
|
1569
1606
|
}, this.authServerHeaders);
|
|
1570
|
-
|
|
1571
|
-
|
|
1572
|
-
|
|
1573
|
-
|
|
1607
|
+
if (s.error)
|
|
1608
|
+
return {
|
|
1609
|
+
error: s.error,
|
|
1610
|
+
error_description: s.error_description
|
|
1611
|
+
};
|
|
1612
|
+
if (s.id_token) {
|
|
1613
|
+
const f = await this.getIdPayload(s.id_token, s.access_token);
|
|
1614
|
+
if (f.error)
|
|
1615
|
+
return f;
|
|
1616
|
+
s.id_payload = f.payload;
|
|
1617
|
+
}
|
|
1618
|
+
return {
|
|
1574
1619
|
id_token: s.id_token,
|
|
1575
1620
|
access_token: s.access_token,
|
|
1576
1621
|
refresh_token: s.refresh_token,
|
|
@@ -1583,7 +1628,7 @@ class Be {
|
|
|
1583
1628
|
// Refresh Token Flow
|
|
1584
1629
|
async refreshTokenFlow(t) {
|
|
1585
1630
|
var o, s;
|
|
1586
|
-
if (l.logger.debug(
|
|
1631
|
+
if (l.logger.debug(u({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("refresh_token")))
|
|
1587
1632
|
return {
|
|
1588
1633
|
error: "invalid_request",
|
|
1589
1634
|
error_description: "Server does not support refresh_token grant"
|
|
@@ -1595,18 +1640,24 @@ class Be {
|
|
|
1595
1640
|
};
|
|
1596
1641
|
const r = this.oidcConfig.token_endpoint;
|
|
1597
1642
|
let n;
|
|
1598
|
-
n =
|
|
1643
|
+
n = p(this, _);
|
|
1599
1644
|
let i = {
|
|
1600
1645
|
grant_type: "refresh_token",
|
|
1601
1646
|
refresh_token: t,
|
|
1602
|
-
client_id:
|
|
1647
|
+
client_id: p(this, w)
|
|
1603
1648
|
};
|
|
1604
1649
|
n && (i.client_secret = n);
|
|
1605
1650
|
try {
|
|
1606
1651
|
let c = await this.post(r, i, this.authServerHeaders);
|
|
1607
|
-
|
|
1652
|
+
if (c.id_token) {
|
|
1653
|
+
const d = await this.getIdPayload(c.id_token, c.access_token);
|
|
1654
|
+
if (d.error)
|
|
1655
|
+
return d;
|
|
1656
|
+
c.id_payload = d.payload;
|
|
1657
|
+
}
|
|
1658
|
+
return c;
|
|
1608
1659
|
} catch (c) {
|
|
1609
|
-
return l.logger.error(
|
|
1660
|
+
return l.logger.error(u({ err: c })), {
|
|
1610
1661
|
error: "server_error",
|
|
1611
1662
|
error_description: "Error connecting to authorization server"
|
|
1612
1663
|
};
|
|
@@ -1622,22 +1673,22 @@ class Be {
|
|
|
1622
1673
|
*/
|
|
1623
1674
|
async startDeviceCodeFlow(t, r) {
|
|
1624
1675
|
var i;
|
|
1625
|
-
if (l.logger.debug(
|
|
1676
|
+
if (l.logger.debug(u({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
|
|
1626
1677
|
return {
|
|
1627
1678
|
error: "invalid_request",
|
|
1628
1679
|
error_description: "Server does not support device code grant"
|
|
1629
1680
|
};
|
|
1630
1681
|
let n = {
|
|
1631
1682
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
1632
|
-
client_id:
|
|
1633
|
-
client_secret:
|
|
1683
|
+
client_id: p(this, w),
|
|
1684
|
+
client_secret: p(this, _)
|
|
1634
1685
|
};
|
|
1635
1686
|
r && (n.scope = r);
|
|
1636
1687
|
try {
|
|
1637
1688
|
let o = await this.post(t, n, this.authServerHeaders);
|
|
1638
1689
|
return o.id_token && !await this.validateIdToken(o.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : o;
|
|
1639
1690
|
} catch (o) {
|
|
1640
|
-
return l.logger.error(
|
|
1691
|
+
return l.logger.error(u({ err: o })), {
|
|
1641
1692
|
error: "server_error",
|
|
1642
1693
|
error_description: "Error connecting to authorization server"
|
|
1643
1694
|
};
|
|
@@ -1652,7 +1703,7 @@ class Be {
|
|
|
1652
1703
|
*/
|
|
1653
1704
|
async pollDeviceCodeFlow(t) {
|
|
1654
1705
|
var n, i, o;
|
|
1655
|
-
if (l.logger.debug(
|
|
1706
|
+
if (l.logger.debug(u({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
|
|
1656
1707
|
return {
|
|
1657
1708
|
error: "invalid_request",
|
|
1658
1709
|
error_description: "Server does not support device code grant"
|
|
@@ -1664,20 +1715,39 @@ class Be {
|
|
|
1664
1715
|
};
|
|
1665
1716
|
let r = {
|
|
1666
1717
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
1667
|
-
client_id:
|
|
1668
|
-
client_secret:
|
|
1718
|
+
client_id: p(this, w),
|
|
1719
|
+
client_secret: p(this, _),
|
|
1669
1720
|
device_code: t
|
|
1670
1721
|
};
|
|
1671
1722
|
try {
|
|
1672
1723
|
const s = await this.post((o = this.oidcConfig) == null ? void 0 : o.token_endpoint, r, this.authServerHeaders);
|
|
1673
|
-
|
|
1724
|
+
if (s.error) return s;
|
|
1725
|
+
if (s.id_token) {
|
|
1726
|
+
const c = await this.getIdPayload(s.id_token, s.access_token);
|
|
1727
|
+
if (c.error)
|
|
1728
|
+
return c;
|
|
1729
|
+
s.id_payload = c.payload;
|
|
1730
|
+
}
|
|
1731
|
+
return s;
|
|
1674
1732
|
} catch (s) {
|
|
1675
|
-
return l.logger.error(
|
|
1733
|
+
return l.logger.error(u({ err: s })), {
|
|
1676
1734
|
error: "server_error",
|
|
1677
1735
|
error_description: "Error connecting to authorization server"
|
|
1678
1736
|
};
|
|
1679
1737
|
}
|
|
1680
1738
|
}
|
|
1739
|
+
//////////////////////////////////////////////////////////////////
|
|
1740
|
+
// UserInfo
|
|
1741
|
+
async userInfoEndpoint(t) {
|
|
1742
|
+
var i;
|
|
1743
|
+
if (!((i = this.oidcConfig) != null && i.userinfo_endpoint))
|
|
1744
|
+
return {
|
|
1745
|
+
error: "server_error",
|
|
1746
|
+
error_description: "Cannot get token endpoint"
|
|
1747
|
+
};
|
|
1748
|
+
const r = this.oidcConfig.userinfo_endpoint;
|
|
1749
|
+
return await this.post(r, {}, { authorization: "Bearer " + t });
|
|
1750
|
+
}
|
|
1681
1751
|
/**
|
|
1682
1752
|
* Makes a POST request to the given URL using `fetch()`.
|
|
1683
1753
|
*
|
|
@@ -1687,22 +1757,34 @@ class Be {
|
|
|
1687
1757
|
* @throws any exception raised by `fetch()`
|
|
1688
1758
|
*/
|
|
1689
1759
|
async post(t, r, n = {}) {
|
|
1690
|
-
l.logger.debug(
|
|
1760
|
+
l.logger.debug(u({
|
|
1691
1761
|
msg: "Fetch POST",
|
|
1692
1762
|
url: t,
|
|
1693
1763
|
params: Object.keys(r)
|
|
1694
1764
|
}));
|
|
1695
1765
|
let i = {};
|
|
1696
|
-
|
|
1766
|
+
this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode);
|
|
1767
|
+
let o = "", s = "";
|
|
1768
|
+
if (this.oauthPostType == "json")
|
|
1769
|
+
o = JSON.stringify(r), s = "application/json";
|
|
1770
|
+
else {
|
|
1771
|
+
o = "";
|
|
1772
|
+
for (let f in r)
|
|
1773
|
+
o != "" && (o += "&"), o += encodeURIComponent(f) + "=" + encodeURIComponent(r[f]);
|
|
1774
|
+
s = "application/x-www-form-urlencoded";
|
|
1775
|
+
}
|
|
1776
|
+
this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch", method: "POST", url: t, body: o }));
|
|
1777
|
+
const d = await (await fetch(t, {
|
|
1697
1778
|
method: "POST",
|
|
1698
1779
|
...i,
|
|
1699
1780
|
headers: {
|
|
1700
1781
|
Accept: "application/json",
|
|
1701
|
-
"Content-Type":
|
|
1782
|
+
"Content-Type": s,
|
|
1702
1783
|
...n
|
|
1703
1784
|
},
|
|
1704
|
-
body:
|
|
1785
|
+
body: o
|
|
1705
1786
|
})).json();
|
|
1787
|
+
return this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch response", body: JSON.stringify(d) })), d;
|
|
1706
1788
|
}
|
|
1707
1789
|
/**
|
|
1708
1790
|
* Makes a GET request to the given URL using `fetch()`.
|
|
@@ -1713,17 +1795,18 @@ class Be {
|
|
|
1713
1795
|
* @throws any exception raised by `fetch()`
|
|
1714
1796
|
*/
|
|
1715
1797
|
async get(t, r = {}) {
|
|
1716
|
-
l.logger.debug(
|
|
1798
|
+
l.logger.debug(u({ msg: "Fetch GET", url: t }));
|
|
1717
1799
|
let n = {};
|
|
1718
|
-
|
|
1800
|
+
this.authServerCredentials && (n.credentials = this.authServerCredentials), this.authServerMode && (n.mode = this.authServerMode), this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch", method: "GET", url: t }));
|
|
1801
|
+
const o = await (await fetch(t, {
|
|
1719
1802
|
method: "GET",
|
|
1720
1803
|
...n,
|
|
1721
1804
|
headers: {
|
|
1722
1805
|
Accept: "application/json",
|
|
1723
|
-
"Content-Type": "application/json",
|
|
1724
1806
|
...r
|
|
1725
1807
|
}
|
|
1726
1808
|
})).json();
|
|
1809
|
+
return this.oauthLogFetch && l.logger.debug(u({ msg: "OAuth fetch response", body: JSON.stringify(o) })), o;
|
|
1727
1810
|
}
|
|
1728
1811
|
/**
|
|
1729
1812
|
* Validates an OpenID ID token, returning undefined if it is invalid.
|
|
@@ -1752,16 +1835,16 @@ class Be {
|
|
|
1752
1835
|
try {
|
|
1753
1836
|
return await this.tokenConsumer.tokenAuthorized(t, "id");
|
|
1754
1837
|
} catch (r) {
|
|
1755
|
-
l.logger.warn(
|
|
1838
|
+
l.logger.warn(u({ err: r }));
|
|
1756
1839
|
return;
|
|
1757
1840
|
}
|
|
1758
1841
|
}
|
|
1759
1842
|
getTokenPayload(t) {
|
|
1760
|
-
return
|
|
1843
|
+
return He(t);
|
|
1761
1844
|
}
|
|
1762
1845
|
}
|
|
1763
|
-
w = new WeakMap(), _ = new WeakMap()
|
|
1764
|
-
class
|
|
1846
|
+
w = new WeakMap(), _ = new WeakMap();
|
|
1847
|
+
class Me {
|
|
1765
1848
|
/**
|
|
1766
1849
|
* Constrctor
|
|
1767
1850
|
*
|
|
@@ -1802,7 +1885,7 @@ class Le {
|
|
|
1802
1885
|
* still call this function. This is because key loading is
|
|
1803
1886
|
* asynchronous, and constructors may not be async.
|
|
1804
1887
|
*/
|
|
1805
|
-
async loadKeys() {
|
|
1888
|
+
async loadKeys(t) {
|
|
1806
1889
|
try {
|
|
1807
1890
|
if (this.jwtSecretKey) {
|
|
1808
1891
|
if (!this.jwtKeyType)
|
|
@@ -1810,25 +1893,25 @@ class Le {
|
|
|
1810
1893
|
y.Configuration,
|
|
1811
1894
|
"Must specify jwtKeyType if setting jwtSecretKey"
|
|
1812
1895
|
);
|
|
1813
|
-
this.keys._default = await
|
|
1896
|
+
this.keys._default = await Re(this.jwtSecretKey, this.jwtKeyType);
|
|
1814
1897
|
} else if (this.jwtPublicKey) {
|
|
1815
1898
|
if (!this.jwtKeyType)
|
|
1816
1899
|
throw new g(
|
|
1817
1900
|
y.Configuration,
|
|
1818
1901
|
"Must specify jwtKeyType if setting jwtPublicKey"
|
|
1819
1902
|
);
|
|
1820
|
-
const
|
|
1821
|
-
this.keys._default =
|
|
1903
|
+
const r = await Te(this.jwtPublicKey, this.jwtKeyType);
|
|
1904
|
+
this.keys._default = r;
|
|
1822
1905
|
} else {
|
|
1823
1906
|
if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
|
|
1824
1907
|
throw new g(
|
|
1825
1908
|
y.Connection,
|
|
1826
1909
|
"Load OIDC config before Jwks"
|
|
1827
1910
|
);
|
|
1828
|
-
await this.loadJwks();
|
|
1911
|
+
await this.loadJwks(void 0, t);
|
|
1829
1912
|
}
|
|
1830
|
-
} catch (
|
|
1831
|
-
throw l.logger.debug(
|
|
1913
|
+
} catch (r) {
|
|
1914
|
+
throw l.logger.debug(u({ err: r })), new g(y.Connection, "Couldn't load keys");
|
|
1832
1915
|
}
|
|
1833
1916
|
}
|
|
1834
1917
|
/**
|
|
@@ -1851,11 +1934,11 @@ class Le {
|
|
|
1851
1934
|
try {
|
|
1852
1935
|
r = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
|
|
1853
1936
|
} catch (n) {
|
|
1854
|
-
l.logger.error(
|
|
1937
|
+
l.logger.error(u({ err: n }));
|
|
1855
1938
|
}
|
|
1856
1939
|
if (!r || !r.ok)
|
|
1857
1940
|
throw new g(y.Connection, "Couldn't get OIDC configuration");
|
|
1858
|
-
this.oidcConfig = { ...
|
|
1941
|
+
this.oidcConfig = { ...Z };
|
|
1859
1942
|
try {
|
|
1860
1943
|
const n = await r.json();
|
|
1861
1944
|
for (const [i, o] of Object.entries(n))
|
|
@@ -1873,40 +1956,46 @@ class Le {
|
|
|
1873
1956
|
* - `Connection` if the fetch to the authorization server failed,
|
|
1874
1957
|
* the OIDC configuration wasn't set or the keys could not be parsed.
|
|
1875
1958
|
*/
|
|
1876
|
-
async loadJwks(t) {
|
|
1959
|
+
async loadJwks(t, r) {
|
|
1877
1960
|
if (t) {
|
|
1878
1961
|
this.keys = {};
|
|
1879
|
-
for (let
|
|
1880
|
-
const
|
|
1881
|
-
this.keys[
|
|
1962
|
+
for (let n = 0; n < t.keys.length; ++n) {
|
|
1963
|
+
const i = t.keys[n];
|
|
1964
|
+
this.keys[i.kid ?? "_default"] = await Y(t.keys[n]);
|
|
1882
1965
|
}
|
|
1883
1966
|
} else {
|
|
1884
1967
|
if (!this.oidcConfig)
|
|
1885
1968
|
throw new g(y.Connection, "Load OIDC config before Jwks");
|
|
1886
|
-
let
|
|
1969
|
+
let n;
|
|
1887
1970
|
try {
|
|
1888
|
-
|
|
1889
|
-
} catch (
|
|
1890
|
-
l.logger.error(
|
|
1971
|
+
n = await fetch(new URL(this.oidcConfig.jwks_uri));
|
|
1972
|
+
} catch (i) {
|
|
1973
|
+
l.logger.error(u({ err: i }));
|
|
1891
1974
|
}
|
|
1892
|
-
if (!
|
|
1975
|
+
if (!n || !n.ok)
|
|
1893
1976
|
throw new g(y.Connection, "Couldn't get OIDC configuration");
|
|
1894
1977
|
this.keys = {};
|
|
1895
1978
|
try {
|
|
1896
|
-
const
|
|
1897
|
-
if (!("keys" in
|
|
1979
|
+
const i = await n.json();
|
|
1980
|
+
if (!("keys" in i) || !Array.isArray(i.keys))
|
|
1898
1981
|
throw new g(y.Connection, "Couldn't fetch keys");
|
|
1899
|
-
for (let
|
|
1982
|
+
for (let o = 0; o < i.keys.length; ++o)
|
|
1900
1983
|
try {
|
|
1901
|
-
let
|
|
1902
|
-
"kid" in
|
|
1903
|
-
|
|
1904
|
-
|
|
1905
|
-
|
|
1906
|
-
|
|
1984
|
+
let s = "_default", c = { ...i.keys[o] };
|
|
1985
|
+
if ("kid" in c && typeof c.kid == "string" && (s = String(c.kid)), c && !c.alg && !c.jwk_alg && r)
|
|
1986
|
+
if (r.startsWith("RS") && c.kty == "RSA")
|
|
1987
|
+
c.alg = r;
|
|
1988
|
+
else {
|
|
1989
|
+
l.logger.debug(u({ msg: "Skipping key with " + c.kty }));
|
|
1990
|
+
continue;
|
|
1991
|
+
}
|
|
1992
|
+
const d = await Y(c);
|
|
1993
|
+
this.keys[s] = d;
|
|
1994
|
+
} catch (s) {
|
|
1995
|
+
throw l.logger.error(u({ err: s })), new g(y.Connection, "Couldn't load keys");
|
|
1907
1996
|
}
|
|
1908
|
-
} catch (
|
|
1909
|
-
throw l.logger.error(
|
|
1997
|
+
} catch (i) {
|
|
1998
|
+
throw l.logger.error(u({ err: i })), new g(y.Connection, "Unrecognized response from OIDC jwks endpoint");
|
|
1910
1999
|
}
|
|
1911
2000
|
}
|
|
1912
2001
|
}
|
|
@@ -1922,20 +2011,23 @@ class Le {
|
|
|
1922
2011
|
* @returns the JWT payload if the token is valid, `undefined` otherwise.
|
|
1923
2012
|
*/
|
|
1924
2013
|
async tokenAuthorized(t, r) {
|
|
1925
|
-
(!this.keys || Object.keys(this.keys).length == 0)
|
|
2014
|
+
if (!this.keys || Object.keys(this.keys).length == 0) {
|
|
2015
|
+
const i = X(t);
|
|
2016
|
+
await this.loadKeys(i.alg);
|
|
2017
|
+
}
|
|
1926
2018
|
const n = await this.validateToken(t);
|
|
1927
2019
|
if (n) {
|
|
1928
|
-
if (n.type != r) {
|
|
1929
|
-
l.logger.error(h({ msg: r + " expected but got " + n.type }));
|
|
1930
|
-
return;
|
|
1931
|
-
}
|
|
1932
2020
|
if (n.iss != this.authServerBaseUrl) {
|
|
1933
|
-
|
|
2021
|
+
const i = n.jti ? n.jti : n.sid ? n.sid : "";
|
|
2022
|
+
l.logger.error(u({ msg: `Invalid issuer ${n.iss} in access token`, hashedAccessToken: await this.hash(i) }));
|
|
1934
2023
|
return;
|
|
1935
2024
|
}
|
|
1936
|
-
if (n.aud
|
|
1937
|
-
|
|
1938
|
-
|
|
2025
|
+
if (n.aud) {
|
|
2026
|
+
const i = n.jti ? n.jti : n.sid ? n.sid : "";
|
|
2027
|
+
if (Array.isArray(n.aud) && !n.aud.includes(this.audience) || !Array.isArray(n.aud) && n.aud != this.audience) {
|
|
2028
|
+
l.logger.error(u({ msg: `Invalid audience ${n.aud} in access token`, hashedAccessToken: await this.hash(i) }));
|
|
2029
|
+
return;
|
|
2030
|
+
}
|
|
1939
2031
|
}
|
|
1940
2032
|
return n;
|
|
1941
2033
|
}
|
|
@@ -1944,31 +2036,30 @@ class Le {
|
|
|
1944
2036
|
(!this.keys || Object.keys(this.keys).length == 0) && l.logger.warn("No keys loaded so cannot validate tokens");
|
|
1945
2037
|
let r;
|
|
1946
2038
|
try {
|
|
1947
|
-
r =
|
|
2039
|
+
r = X(t).kid;
|
|
1948
2040
|
} catch {
|
|
1949
|
-
l.logger.warn(
|
|
2041
|
+
l.logger.warn(u({ msg: "Invalid access token format" }));
|
|
1950
2042
|
return;
|
|
1951
2043
|
}
|
|
1952
2044
|
let n;
|
|
1953
|
-
"_default" in this.keys && (n = this.keys._default);
|
|
1954
2045
|
for (let i in this.keys)
|
|
1955
2046
|
if (r == i) {
|
|
1956
2047
|
n = this.keys[i];
|
|
1957
2048
|
break;
|
|
1958
2049
|
}
|
|
1959
|
-
if (!n) {
|
|
1960
|
-
l.logger.warn(
|
|
2050
|
+
if (!n && "_default" in this.keys && (n = this.keys._default), !n) {
|
|
2051
|
+
l.logger.warn(u({ msg: "No matching keys found for access token" }));
|
|
1961
2052
|
return;
|
|
1962
2053
|
}
|
|
1963
2054
|
try {
|
|
1964
|
-
const { payload: i } = await
|
|
2055
|
+
const { payload: i } = await De(t, n), o = JSON.parse(new TextDecoder().decode(i));
|
|
1965
2056
|
if (o.exp * 1e3 < Date.now() + this.clockTolerance) {
|
|
1966
|
-
l.logger.warn(
|
|
2057
|
+
l.logger.warn(u({ msg: "Access token has expired" }));
|
|
1967
2058
|
return;
|
|
1968
2059
|
}
|
|
1969
2060
|
return o;
|
|
1970
2061
|
} catch {
|
|
1971
|
-
l.logger.warn(
|
|
2062
|
+
l.logger.warn(u({ msg: "Access token did not validate" }));
|
|
1972
2063
|
return;
|
|
1973
2064
|
}
|
|
1974
2065
|
}
|
|
@@ -1976,13 +2067,13 @@ class Le {
|
|
|
1976
2067
|
export {
|
|
1977
2068
|
g as CrossauthError,
|
|
1978
2069
|
l as CrossauthLogger,
|
|
1979
|
-
|
|
2070
|
+
Z as DEFAULT_OIDCCONFIG,
|
|
1980
2071
|
y as ErrorCode,
|
|
1981
2072
|
C as KeyPrefix,
|
|
1982
|
-
|
|
1983
|
-
|
|
1984
|
-
|
|
2073
|
+
qe as OAuthClientBase,
|
|
2074
|
+
Q as OAuthFlows,
|
|
2075
|
+
Me as OAuthTokenConsumerBase,
|
|
1985
2076
|
P as UserState,
|
|
1986
|
-
|
|
1987
|
-
|
|
2077
|
+
Fe as httpStatus,
|
|
2078
|
+
u as j
|
|
1988
2079
|
};
|