@crossauth/fastify 0.0.15 → 0.0.17
- package/dist/index.cjs +1 -1
- package/dist/index.js +237 -224
- package/package.json +3 -3
package/dist/index.js
|
@@ -7,11 +7,11 @@ import ye from "@fastify/formbody";
|
|
|
7
7
|
import be from "@fastify/cors";
|
|
8
8
|
import _e from "@fastify/cookie";
|
|
9
9
|
import ue from "nunjucks";
|
|
10
|
-
import { setParameter as S, ParamType as C, Crypto as
|
|
10
|
+
import { setParameter as S, ParamType as C, Crypto as F, TokenEmailer as xe, OAuthClientManager as L, SessionManager as Ae, ApiKeyManager as Y, KeyStorage as Fe, OAuthAuthorizationServer as Ne, DoubleSubmitCsrfToken as Ue, OAuthClientBackend as Oe, OAuthResourceServer as Ie, OAuthTokenConsumer as Me } from "@crossauth/backend";
|
|
11
11
|
import { CrossauthLogger as d, j as c, CrossauthError as l, ErrorCode as g, UserState as O, OAuthFlows as E } from "@crossauth/common";
|
|
12
12
|
import { jwtDecode as J } from "jwt-decode";
|
|
13
13
|
import Re from "qrcode";
|
|
14
|
-
const
|
|
14
|
+
const N = ["Content-Type", "application/json; charset=utf-8"];
|
|
15
15
|
class De {
|
|
16
16
|
/**
|
|
17
17
|
* Constructor.
|
|
@@ -144,7 +144,7 @@ class De {
|
|
|
144
144
|
return await this.updateUser(
|
|
145
145
|
e,
|
|
146
146
|
o,
|
|
147
|
-
(i, n, t) => i.header(...
|
|
147
|
+
(i, n, t) => i.header(...N).send({
|
|
148
148
|
ok: !0,
|
|
149
149
|
emailVerificationRequired: t
|
|
150
150
|
})
|
|
@@ -157,7 +157,7 @@ class De {
|
|
|
157
157
|
errorCodeName: n.codeName,
|
|
158
158
|
errorCode: n.code
|
|
159
159
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => {
|
|
160
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
160
|
+
t.status(this.sessionServer.errorStatus(i)).header(...N).send({
|
|
161
161
|
ok: !1,
|
|
162
162
|
errorMessage: a.message,
|
|
163
163
|
errorMessages: a.messages,
|
|
@@ -280,7 +280,7 @@ class De {
|
|
|
280
280
|
return await this.changeFactor2(
|
|
281
281
|
e,
|
|
282
282
|
o,
|
|
283
|
-
(i, n, t) => i.header(...
|
|
283
|
+
(i, n, t) => i.header(...N).send({
|
|
284
284
|
ok: !0,
|
|
285
285
|
...n.userData
|
|
286
286
|
})
|
|
@@ -292,7 +292,7 @@ class De {
|
|
|
292
292
|
user: (s = e.user) == null ? void 0 : s.username,
|
|
293
293
|
errorCodeName: n.codeName,
|
|
294
294
|
errorCode: n.code
|
|
295
|
-
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...
|
|
295
|
+
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...N).send({
|
|
296
296
|
ok: !1,
|
|
297
297
|
errorMessage: a.message,
|
|
298
298
|
errorMessages: a.messages,
|
|
@@ -397,7 +397,7 @@ class De {
|
|
|
397
397
|
return await this.changePassword(
|
|
398
398
|
e,
|
|
399
399
|
o,
|
|
400
|
-
(i, n) => i.header(...
|
|
400
|
+
(i, n) => i.header(...N).send({
|
|
401
401
|
ok: !0
|
|
402
402
|
})
|
|
403
403
|
);
|
|
@@ -408,7 +408,7 @@ class De {
|
|
|
408
408
|
user: (s = e.user) == null ? void 0 : s.username,
|
|
409
409
|
errorCodeName: n.codeName,
|
|
410
410
|
errorCode: n.code
|
|
411
|
-
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...
|
|
411
|
+
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...N).send({
|
|
412
412
|
ok: !1,
|
|
413
413
|
errorMessage: a.message,
|
|
414
414
|
errorMessages: a.messages,
|
|
@@ -542,7 +542,7 @@ class De {
|
|
|
542
542
|
return await this.reconfigureFactor2(
|
|
543
543
|
o,
|
|
544
544
|
r,
|
|
545
|
-
(i, n, t) => i.header(...
|
|
545
|
+
(i, n, t) => i.header(...N).send({
|
|
546
546
|
ok: !0,
|
|
547
547
|
...n
|
|
548
548
|
})
|
|
@@ -555,7 +555,7 @@ class De {
|
|
|
555
555
|
errorCodeName: n.codeName,
|
|
556
556
|
errorCode: n.code
|
|
557
557
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, o, r, (t, a) => {
|
|
558
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
558
|
+
t.status(this.sessionServer.errorStatus(i)).header(...N).send({
|
|
559
559
|
ok: !1,
|
|
560
560
|
errorMessage: a.message,
|
|
561
561
|
errorMessages: a.messages,
|
|
@@ -584,7 +584,7 @@ class De {
|
|
|
584
584
|
ok: !0,
|
|
585
585
|
user: n
|
|
586
586
|
};
|
|
587
|
-
return this.sessionServer.isSessionUser(o) || (t.emailVerificationNeeded = this.enableEmailVerification), i.header(...
|
|
587
|
+
return this.sessionServer.isSessionUser(o) || (t.emailVerificationNeeded = this.enableEmailVerification), i.header(...N).send(t);
|
|
588
588
|
}
|
|
589
589
|
);
|
|
590
590
|
} catch (i) {
|
|
@@ -595,7 +595,7 @@ class De {
|
|
|
595
595
|
errorCodeName: n.codeName,
|
|
596
596
|
errorCode: n.code
|
|
597
597
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, o, r, (t, a) => {
|
|
598
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
598
|
+
t.status(this.sessionServer.errorStatus(i)).header(...N).send({
|
|
599
599
|
ok: !1,
|
|
600
600
|
errorMessage: a.message,
|
|
601
601
|
errorMessages: a.messages,
|
|
@@ -686,7 +686,7 @@ class De {
|
|
|
686
686
|
return await this.requestPasswordReset(
|
|
687
687
|
e,
|
|
688
688
|
o,
|
|
689
|
-
(r, s) => r.header(...
|
|
689
|
+
(r, s) => r.header(...N).send({
|
|
690
690
|
ok: !0
|
|
691
691
|
})
|
|
692
692
|
);
|
|
@@ -698,7 +698,7 @@ class De {
|
|
|
698
698
|
errorCodeName: s.codeName,
|
|
699
699
|
errorCode: s.code
|
|
700
700
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => {
|
|
701
|
-
i.status(this.sessionServer.errorStatus(r)).header(...
|
|
701
|
+
i.status(this.sessionServer.errorStatus(r)).header(...N).send({
|
|
702
702
|
ok: !1,
|
|
703
703
|
errorMessage: n.message,
|
|
704
704
|
errorMessages: n.messages,
|
|
@@ -761,7 +761,7 @@ class De {
|
|
|
761
761
|
const s = l.asCrossauthError(r);
|
|
762
762
|
return d.logger.error(c({
|
|
763
763
|
msg: "Reset password failure",
|
|
764
|
-
hashedToken:
|
|
764
|
+
hashedToken: F.hash(e.body.token),
|
|
765
765
|
errorCodeName: s.codeName,
|
|
766
766
|
errorCode: s.code
|
|
767
767
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => i.view(this.resetPasswordPage, {
|
|
@@ -794,7 +794,7 @@ class De {
|
|
|
794
794
|
return await this.resetPassword(
|
|
795
795
|
e,
|
|
796
796
|
o,
|
|
797
|
-
(r, s) => r.header(...
|
|
797
|
+
(r, s) => r.header(...N).send({
|
|
798
798
|
ok: !0
|
|
799
799
|
})
|
|
800
800
|
);
|
|
@@ -802,11 +802,11 @@ class De {
|
|
|
802
802
|
const s = l.asCrossauthError(r);
|
|
803
803
|
return d.logger.error(c({
|
|
804
804
|
msg: "Reset password failure",
|
|
805
|
-
hashedToken:
|
|
805
|
+
hashedToken: F.hash(e.body.token),
|
|
806
806
|
errorCodeName: s.codeName,
|
|
807
807
|
errorCode: s.code
|
|
808
808
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => {
|
|
809
|
-
i.status(this.sessionServer.errorStatus(r)).header(...
|
|
809
|
+
i.status(this.sessionServer.errorStatus(r)).header(...N).send({
|
|
810
810
|
ok: !1,
|
|
811
811
|
errorMessage: n.message,
|
|
812
812
|
errorMessages: n.messages,
|
|
@@ -844,7 +844,7 @@ class De {
|
|
|
844
844
|
const s = l.asCrossauthError(r);
|
|
845
845
|
return d.logger.error(c({
|
|
846
846
|
msg: "Verify email failed",
|
|
847
|
-
hashedToken:
|
|
847
|
+
hashedToken: F.hash(e.params.token),
|
|
848
848
|
errorCodeName: s.codeName,
|
|
849
849
|
errorCode: s.code
|
|
850
850
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => i.view(this.sessionServer.errorPage, {
|
|
@@ -875,7 +875,7 @@ class De {
|
|
|
875
875
|
return await this.verifyEmail(
|
|
876
876
|
e,
|
|
877
877
|
o,
|
|
878
|
-
(r, s) => r.header(...
|
|
878
|
+
(r, s) => r.header(...N).send({
|
|
879
879
|
ok: !0,
|
|
880
880
|
user: s
|
|
881
881
|
})
|
|
@@ -884,11 +884,11 @@ class De {
|
|
|
884
884
|
const s = l.asCrossauthError(r);
|
|
885
885
|
return d.logger.error(c({
|
|
886
886
|
msg: "Verify email failure",
|
|
887
|
-
hashedToken:
|
|
887
|
+
hashedToken: F.hash(e.params.token),
|
|
888
888
|
errorCodeName: s.codeName,
|
|
889
889
|
errorCode: s.code
|
|
890
890
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => {
|
|
891
|
-
i.status(this.sessionServer.errorStatus(r)).header(...
|
|
891
|
+
i.status(this.sessionServer.errorStatus(r)).header(...N).send({
|
|
892
892
|
ok: !1,
|
|
893
893
|
errorMessage: n.message,
|
|
894
894
|
errorMessages: n.messages,
|
|
@@ -1008,14 +1008,14 @@ class De {
|
|
|
1008
1008
|
ip: e.ip,
|
|
1009
1009
|
user: (r = e.user) == null ? void 0 : r.username
|
|
1010
1010
|
})), !e.user)
|
|
1011
|
-
return o.status(401).header(...
|
|
1011
|
+
return o.status(401).header(...N).send({ ok: !1 });
|
|
1012
1012
|
try {
|
|
1013
1013
|
return await this.deleteUser(
|
|
1014
1014
|
e,
|
|
1015
1015
|
o,
|
|
1016
1016
|
(i) => {
|
|
1017
1017
|
var n;
|
|
1018
|
-
return i.header(...
|
|
1018
|
+
return i.header(...N).send({
|
|
1019
1019
|
ok: !0,
|
|
1020
1020
|
userid: (n = e.user) == null ? void 0 : n.id
|
|
1021
1021
|
});
|
|
@@ -1029,7 +1029,7 @@ class De {
|
|
|
1029
1029
|
errorCodeName: n.codeName,
|
|
1030
1030
|
errorCode: n.code
|
|
1031
1031
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => {
|
|
1032
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
1032
|
+
t.status(this.sessionServer.errorStatus(i)).header(...N).send({
|
|
1033
1033
|
ok: !1,
|
|
1034
1034
|
errorMessage: a.message,
|
|
1035
1035
|
errorMessages: a.messages,
|
|
@@ -1107,10 +1107,10 @@ class De {
|
|
|
1107
1107
|
if (!this.sessionServer.userStorage) throw new l(g.Configuration, "Cannot call changePassword unless a user storage is provided");
|
|
1108
1108
|
let s, i = !1;
|
|
1109
1109
|
if (!this.sessionServer.isSessionUser(e) || !e.user) {
|
|
1110
|
-
const
|
|
1111
|
-
if (
|
|
1110
|
+
const m = await this.sessionServer.getSessionData(e, "passwordchange");
|
|
1111
|
+
if (m != null && m.username) {
|
|
1112
1112
|
if (s = (await this.sessionServer.userStorage.getUserByUsername(
|
|
1113
|
-
|
|
1113
|
+
m == null ? void 0 : m.username,
|
|
1114
1114
|
{
|
|
1115
1115
|
skipActiveCheck: !0,
|
|
1116
1116
|
skipEmailVerifiedCheck: !0
|
|
@@ -1127,16 +1127,16 @@ class De {
|
|
|
1127
1127
|
throw new l(g.InsufficientPriviledges);
|
|
1128
1128
|
const n = this.sessionServer.authenticators[s.factor1], t = n.secretNames();
|
|
1129
1129
|
let a = {}, h = {}, f = {};
|
|
1130
|
-
for (let
|
|
1131
|
-
if (
|
|
1132
|
-
const
|
|
1133
|
-
t.includes(
|
|
1134
|
-
} else if (
|
|
1135
|
-
const
|
|
1136
|
-
t.includes(
|
|
1137
|
-
} else if (
|
|
1138
|
-
const
|
|
1139
|
-
t.includes(
|
|
1130
|
+
for (let m in e.body)
|
|
1131
|
+
if (m.startsWith("new_")) {
|
|
1132
|
+
const w = m.replace(/^new_/, "");
|
|
1133
|
+
t.includes(w) && (h[w] = e.body[m]);
|
|
1134
|
+
} else if (m.startsWith("old_")) {
|
|
1135
|
+
const w = m.replace(/^old_/, "");
|
|
1136
|
+
t.includes(w) && (a[w] = e.body[m]);
|
|
1137
|
+
} else if (m.startsWith("repeat_")) {
|
|
1138
|
+
const w = m.replace(/^repeat_/, "");
|
|
1139
|
+
t.includes(w) && (f[w] = e.body[m]);
|
|
1140
1140
|
}
|
|
1141
1141
|
if (Object.keys(f).length === 0 && (f = void 0), n.validateSecrets(h).length > 0)
|
|
1142
1142
|
throw new l(g.PasswordFormat);
|
|
@@ -1149,15 +1149,15 @@ class De {
|
|
|
1149
1149
|
f,
|
|
1150
1150
|
a
|
|
1151
1151
|
);
|
|
1152
|
-
} catch (
|
|
1153
|
-
const
|
|
1154
|
-
if (d.logger.debug(c({ err:
|
|
1152
|
+
} catch (m) {
|
|
1153
|
+
const w = l.asCrossauthError(m);
|
|
1154
|
+
if (d.logger.debug(c({ err: m })), i)
|
|
1155
1155
|
try {
|
|
1156
1156
|
await this.sessionServer.userStorage.updateUser({ id: s.id, state: v });
|
|
1157
1157
|
} catch (P) {
|
|
1158
1158
|
d.logger.debug(c({ err: P }));
|
|
1159
1159
|
}
|
|
1160
|
-
throw
|
|
1160
|
+
throw w;
|
|
1161
1161
|
}
|
|
1162
1162
|
return i ? await this.sessionServer.loginWithUser(s, !1, e, o, r) : r(o, void 0);
|
|
1163
1163
|
}
|
|
@@ -1229,11 +1229,11 @@ class De {
|
|
|
1229
1229
|
let a = {}, h = {};
|
|
1230
1230
|
for (let v in e.body)
|
|
1231
1231
|
if (v.startsWith("new_")) {
|
|
1232
|
-
const
|
|
1233
|
-
t.includes(
|
|
1232
|
+
const m = v.replace(/^new_/, "");
|
|
1233
|
+
t.includes(m) && (a[m] = e.body[v]);
|
|
1234
1234
|
} else if (v.startsWith("repeat_")) {
|
|
1235
|
-
const
|
|
1236
|
-
t.includes(
|
|
1235
|
+
const m = v.replace(/^repeat_/, "");
|
|
1236
|
+
t.includes(m) && (h[m] = e.body[v]);
|
|
1237
1237
|
}
|
|
1238
1238
|
if (Object.keys(h).length === 0 && (h = void 0), n.validateSecrets(a).length > 0)
|
|
1239
1239
|
throw new l(g.PasswordFormat);
|
|
@@ -1883,8 +1883,8 @@ class He {
|
|
|
1883
1883
|
t = this.sessionServer.authenticators[s.factor1].validateSecrets(e.body);
|
|
1884
1884
|
for (let v in e.body)
|
|
1885
1885
|
if (v.startsWith("repeat_")) {
|
|
1886
|
-
const
|
|
1887
|
-
i.includes(
|
|
1886
|
+
const m = v.replace(/^repeat_/, "");
|
|
1887
|
+
i.includes(m) && (a[m] = e.body[v]);
|
|
1888
1888
|
}
|
|
1889
1889
|
Object.keys(a).length === 0 && (a = void 0);
|
|
1890
1890
|
}
|
|
@@ -1911,8 +1911,8 @@ class He {
|
|
|
1911
1911
|
if (!n) {
|
|
1912
1912
|
let v = e.body.username;
|
|
1913
1913
|
if ("user_email" in e.body) {
|
|
1914
|
-
const
|
|
1915
|
-
typeof
|
|
1914
|
+
const m = e.body.user_email;
|
|
1915
|
+
typeof m == "string" && (v = m);
|
|
1916
1916
|
}
|
|
1917
1917
|
if (xe.validateEmail(v), !v) throw new l(g.FormEntry, "No password given but no email address found either");
|
|
1918
1918
|
await this.sessionServer.sessionManager.requestPasswordReset(v);
|
|
@@ -2302,9 +2302,9 @@ class Le {
|
|
|
2302
2302
|
errorCode: a.code
|
|
2303
2303
|
})), d.logger.debug(c({ err: t })), this.sessionServer.handleError(t, e, o, (h, f) => {
|
|
2304
2304
|
const v = l.asCrossauthError(t).httpStatus;
|
|
2305
|
-
let
|
|
2306
|
-
for (let
|
|
2307
|
-
|
|
2305
|
+
let m = {};
|
|
2306
|
+
for (let w of this.validFlows)
|
|
2307
|
+
w in e.body && (m[w] = !0);
|
|
2308
2308
|
return h.status(v).view(this.updateClientPage, {
|
|
2309
2309
|
errorMessage: f.message,
|
|
2310
2310
|
errorMessages: f.messages,
|
|
@@ -2315,7 +2315,7 @@ class Le {
|
|
|
2315
2315
|
isAdmin: !0,
|
|
2316
2316
|
next: r,
|
|
2317
2317
|
validFlows: this.validFlows,
|
|
2318
|
-
selectedFlows:
|
|
2318
|
+
selectedFlows: m,
|
|
2319
2319
|
flowNames: E.flowNames(this.validFlows),
|
|
2320
2320
|
...e.body
|
|
2321
2321
|
});
|
|
@@ -2941,9 +2941,9 @@ class Ge {
|
|
|
2941
2941
|
errorCode: a.code
|
|
2942
2942
|
})), d.logger.debug(c({ err: t })), this.sessionServer.handleError(t, e, o, (h, f) => {
|
|
2943
2943
|
const v = l.asCrossauthError(t).httpStatus;
|
|
2944
|
-
let
|
|
2945
|
-
for (let
|
|
2946
|
-
|
|
2944
|
+
let m = {};
|
|
2945
|
+
for (let w of this.validFlows)
|
|
2946
|
+
w in e.body && (m[w] = !0);
|
|
2947
2947
|
return h.status(v).view(this.updateClientPage, {
|
|
2948
2948
|
errorMessage: f.message,
|
|
2949
2949
|
errorMessages: f.messages,
|
|
@@ -2952,7 +2952,7 @@ class Ge {
|
|
|
2952
2952
|
csrfToken: e.csrfToken,
|
|
2953
2953
|
urlPrefix: this.prefix,
|
|
2954
2954
|
validFlows: this.validFlows,
|
|
2955
|
-
selectedFlows:
|
|
2955
|
+
selectedFlows: m,
|
|
2956
2956
|
flowNames: E.flowNames(this.validFlows),
|
|
2957
2957
|
isAdmin: !0,
|
|
2958
2958
|
next: r,
|
|
@@ -3475,62 +3475,62 @@ class Ke {
|
|
|
3475
3475
|
break;
|
|
3476
3476
|
}
|
|
3477
3477
|
n && (this.userClientEndpoints = new Ge(this, s)), this.addEndpoints(), S("endpoints", C.JsonArray, this, s, "ENDPOINTS"), s.userStorage && (this.userStorage = s.userStorage), this.authenticators = r, this.sessionManager = new Ae(o, r, s), e.addHook("preHandler", async (t, a) => {
|
|
3478
|
-
var v,
|
|
3478
|
+
var v, m;
|
|
3479
3479
|
d.logger.debug(c({ msg: "Getting session cookie" }));
|
|
3480
3480
|
let h = this.getSessionCookieValue(t), f = {};
|
|
3481
3481
|
if (h)
|
|
3482
3482
|
try {
|
|
3483
|
-
f.hashedSessionId =
|
|
3483
|
+
f.hashedSessionId = F.hash(this.sessionManager.getSessionId(h));
|
|
3484
3484
|
} catch {
|
|
3485
|
-
f.hashedSessionCookie =
|
|
3485
|
+
f.hashedSessionCookie = F.hash(h);
|
|
3486
3486
|
}
|
|
3487
3487
|
d.logger.debug(c({ msg: "Getting csrf cookie" }));
|
|
3488
3488
|
let p;
|
|
3489
3489
|
try {
|
|
3490
3490
|
p = this.getCsrfCookieValue(t), p && this.sessionManager.validateCsrfCookie(p);
|
|
3491
|
-
} catch (
|
|
3492
|
-
d.logger.warn(c({ msg: "Invalid csrf cookie received", cerr:
|
|
3491
|
+
} catch (w) {
|
|
3492
|
+
d.logger.warn(c({ msg: "Invalid csrf cookie received", cerr: w, hashedCsrfCookie: this.getHashOfCsrfCookie(t) })), a.clearCookie(this.sessionManager.csrfCookieName), p = void 0;
|
|
3493
3493
|
}
|
|
3494
3494
|
if (["GET", "OPTIONS", "HEAD"].includes(t.method))
|
|
3495
3495
|
try {
|
|
3496
3496
|
if (p) {
|
|
3497
3497
|
d.logger.debug(c({ msg: "Valid CSRF cookie - creating token" }));
|
|
3498
|
-
const
|
|
3499
|
-
t.csrfToken =
|
|
3498
|
+
const w = await this.sessionManager.createCsrfFormOrHeaderValue(p);
|
|
3499
|
+
t.csrfToken = w;
|
|
3500
3500
|
} else {
|
|
3501
3501
|
d.logger.debug(c({ msg: "Invalid CSRF cookie - recreating" }));
|
|
3502
|
-
const { csrfCookie:
|
|
3503
|
-
a.setCookie(
|
|
3502
|
+
const { csrfCookie: w, csrfFormOrHeaderValue: P } = await this.sessionManager.createCsrfToken();
|
|
3503
|
+
a.setCookie(w.name, w.value, w.options), t.csrfToken = P;
|
|
3504
3504
|
}
|
|
3505
3505
|
a.header(this.sessionManager.csrfHeaderName, t.csrfToken);
|
|
3506
|
-
} catch (
|
|
3506
|
+
} catch (w) {
|
|
3507
3507
|
d.logger.error(c({
|
|
3508
3508
|
msg: "Couldn't create CSRF token",
|
|
3509
|
-
cerr:
|
|
3509
|
+
cerr: w,
|
|
3510
3510
|
user: (v = t.user) == null ? void 0 : v.username,
|
|
3511
3511
|
...f
|
|
3512
|
-
})), d.logger.debug(c({ err:
|
|
3512
|
+
})), d.logger.debug(c({ err: w })), a.clearCookie(this.sessionManager.csrfCookieName);
|
|
3513
3513
|
}
|
|
3514
3514
|
else if (p)
|
|
3515
3515
|
try {
|
|
3516
3516
|
this.csrfToken(t, a);
|
|
3517
|
-
} catch (
|
|
3517
|
+
} catch (w) {
|
|
3518
3518
|
d.logger.error(c({
|
|
3519
3519
|
msg: "Couldn't create CSRF token",
|
|
3520
|
-
cerr:
|
|
3521
|
-
user: (
|
|
3520
|
+
cerr: w,
|
|
3521
|
+
user: (m = t.user) == null ? void 0 : m.username,
|
|
3522
3522
|
...f
|
|
3523
|
-
})), d.logger.debug(c({ err:
|
|
3523
|
+
})), d.logger.debug(c({ err: w }));
|
|
3524
3524
|
}
|
|
3525
3525
|
if (h = this.getSessionCookieValue(t), h)
|
|
3526
3526
|
try {
|
|
3527
|
-
const
|
|
3528
|
-
let { key: P, user: T } = await this.sessionManager.userForSessionId(
|
|
3527
|
+
const w = this.sessionManager.getSessionId(h);
|
|
3528
|
+
let { key: P, user: T } = await this.sessionManager.userForSessionId(w);
|
|
3529
3529
|
this.validateSession && this.validateSession(
|
|
3530
3530
|
P,
|
|
3531
3531
|
T,
|
|
3532
3532
|
t
|
|
3533
|
-
), t.sessionId =
|
|
3533
|
+
), t.sessionId = w, t.user = T, t.authType = "cookie", d.logger.debug(c({
|
|
3534
3534
|
msg: "Valid session id",
|
|
3535
3535
|
user: T == null ? void 0 : T.username
|
|
3536
3536
|
}));
|
|
@@ -3546,11 +3546,11 @@ class Ke {
|
|
|
3546
3546
|
var f, p, v;
|
|
3547
3547
|
const h = this.getSessionCookieValue(t);
|
|
3548
3548
|
if (h && ((f = t.user) != null && f.factor2) && (this.factor2ProtectedPageEndpoints.includes(t.url) || this.factor2ProtectedApiEndpoints.includes(t.url))) {
|
|
3549
|
-
const
|
|
3549
|
+
const m = this.sessionManager.getSessionId(h);
|
|
3550
3550
|
if (["GET", "OPTIONS", "HEAD"].includes(t.method)) {
|
|
3551
|
-
const
|
|
3552
|
-
if (
|
|
3553
|
-
const P = this.sessionManager.getSessionId(
|
|
3551
|
+
const w = this.getSessionCookieValue(t);
|
|
3552
|
+
if (w) {
|
|
3553
|
+
const P = this.sessionManager.getSessionId(w);
|
|
3554
3554
|
if ("pre2fa" in await this.sessionManager.dataForSessionId(P)) {
|
|
3555
3555
|
d.logger.debug("Cancelling 2FA");
|
|
3556
3556
|
try {
|
|
@@ -3561,16 +3561,16 @@ class Ke {
|
|
|
3561
3561
|
}
|
|
3562
3562
|
}
|
|
3563
3563
|
} else {
|
|
3564
|
-
const
|
|
3565
|
-
if ("pre2fa" in
|
|
3564
|
+
const w = await this.sessionManager.dataForSessionId(m);
|
|
3565
|
+
if ("pre2fa" in w) {
|
|
3566
3566
|
d.logger.debug("Completing 2FA");
|
|
3567
|
-
const T = [...this.authenticators[
|
|
3567
|
+
const T = [...this.authenticators[w.pre2fa.factor2].transientSecretNames()];
|
|
3568
3568
|
let U = {};
|
|
3569
3569
|
for (let M in t.body)
|
|
3570
3570
|
T.includes(M) && (U[M] = t.body[M]);
|
|
3571
3571
|
let _;
|
|
3572
3572
|
try {
|
|
3573
|
-
await this.sessionManager.completeTwoFactorPageVisit(U,
|
|
3573
|
+
await this.sessionManager.completeTwoFactorPageVisit(U, m);
|
|
3574
3574
|
} catch (M) {
|
|
3575
3575
|
_ = l.asCrossauthError(M), d.logger.debug(c({ err: M }));
|
|
3576
3576
|
const I = l.asCrossauthError(M);
|
|
@@ -3582,11 +3582,11 @@ class Ke {
|
|
|
3582
3582
|
errorCodeName: I.codeName
|
|
3583
3583
|
}));
|
|
3584
3584
|
}
|
|
3585
|
-
if (t.body =
|
|
3585
|
+
if (t.body = w.pre2fa.body, _)
|
|
3586
3586
|
if (_.code == g.Expired) {
|
|
3587
3587
|
d.logger.debug("Error - cancelling 2FA");
|
|
3588
3588
|
try {
|
|
3589
|
-
await this.sessionManager.cancelTwoFactorPageVisit(
|
|
3589
|
+
await this.sessionManager.cancelTwoFactorPageVisit(m);
|
|
3590
3590
|
} catch (M) {
|
|
3591
3591
|
d.logger.error(c({ msg: "Failed cancelling 2FA", cerr: M, user: (p = t.user) == null ? void 0 : p.username, hashOfSessionId: this.getHashOfSessionId(t) })), d.logger.debug(c({ err: M }));
|
|
3592
3592
|
}
|
|
@@ -3606,7 +3606,7 @@ class Ke {
|
|
|
3606
3606
|
errorCodeName: g[_.code]
|
|
3607
3607
|
}));
|
|
3608
3608
|
} else
|
|
3609
|
-
return this.validateCsrfToken(t), d.logger.debug("Starting 2FA"), this.sessionManager.initiateTwoFactorPageVisit(t.user,
|
|
3609
|
+
return this.validateCsrfToken(t), d.logger.debug("Starting 2FA"), this.sessionManager.initiateTwoFactorPageVisit(t.user, m, t.body, t.url.replace(/\?.*$/, "")), this.factor2ProtectedPageEndpoints.includes(t.url) ? a.redirect(this.prefix + "factor2") : a.send(JSON.stringify({
|
|
3610
3610
|
ok: !0,
|
|
3611
3611
|
factor2Required: !0
|
|
3612
3612
|
}));
|
|
@@ -4363,10 +4363,10 @@ class Ke {
|
|
|
4363
4363
|
let n = this.createUserFn(e, this.userStorage.userEditableFields), t = this.authenticators[n.factor1].validateSecrets(e.body);
|
|
4364
4364
|
const a = this.authenticators[n.factor1].secretNames();
|
|
4365
4365
|
let h = {};
|
|
4366
|
-
for (let
|
|
4367
|
-
if (
|
|
4368
|
-
const
|
|
4369
|
-
a.includes(
|
|
4366
|
+
for (let m in e.body)
|
|
4367
|
+
if (m.startsWith("repeat_")) {
|
|
4368
|
+
const w = m.replace(/^repeat_/, "");
|
|
4369
|
+
a.includes(w) && (h[w] = e.body[m]);
|
|
4370
4370
|
}
|
|
4371
4371
|
Object.keys(h).length === 0 && (h = void 0), n.state = "active", e.body.factor2 && e.body.factor2 != "none" ? n.state = "awaitingtwofactor" : this.enableEmailVerification && (n.state = "awaitingemailverification");
|
|
4372
4372
|
let p = [...this.validateUserFn(n), ...t];
|
|
@@ -4374,25 +4374,25 @@ class Ke {
|
|
|
4374
4374
|
throw new l(g.FormEntry, p);
|
|
4375
4375
|
let v = !1;
|
|
4376
4376
|
try {
|
|
4377
|
-
const { user:
|
|
4378
|
-
await this.sessionManager.authenticators[n.factor1].authenticateUser(
|
|
4379
|
-
} catch (
|
|
4380
|
-
l.asCrossauthError(
|
|
4377
|
+
const { user: m, secrets: w } = await this.userStorage.getUserByUsername(s);
|
|
4378
|
+
await this.sessionManager.authenticators[n.factor1].authenticateUser(m, w, e.body);
|
|
4379
|
+
} catch (m) {
|
|
4380
|
+
l.asCrossauthError(m).code == g.TwoFactorIncomplete && (v = !0);
|
|
4381
4381
|
}
|
|
4382
4382
|
if (!e.body.factor2 && !v)
|
|
4383
4383
|
return await this.sessionManager.createUser(
|
|
4384
4384
|
n,
|
|
4385
4385
|
e.body,
|
|
4386
4386
|
h
|
|
4387
|
-
), this.enableEmailVerification ? r(o, {}, void 0) : this.login(e, o, (
|
|
4387
|
+
), this.enableEmailVerification ? r(o, {}, void 0) : this.login(e, o, (m, w) => r(m, {}, w));
|
|
4388
4388
|
{
|
|
4389
|
-
let
|
|
4389
|
+
let m;
|
|
4390
4390
|
if (v) {
|
|
4391
4391
|
if (!e.sessionId) throw new l(g.Unauthorized);
|
|
4392
|
-
|
|
4392
|
+
m = (await this.sessionManager.repeatTwoFactorSignup(e.sessionId)).userData;
|
|
4393
4393
|
} else {
|
|
4394
|
-
const
|
|
4395
|
-
|
|
4394
|
+
const w = await this.createAnonymousSession(e, o), P = this.sessionManager.getSessionId(w);
|
|
4395
|
+
m = (await this.sessionManager.initiateTwoFactorSignup(
|
|
4396
4396
|
n,
|
|
4397
4397
|
e.body,
|
|
4398
4398
|
P,
|
|
@@ -4400,15 +4400,15 @@ class Ke {
|
|
|
4400
4400
|
)).userData;
|
|
4401
4401
|
}
|
|
4402
4402
|
try {
|
|
4403
|
-
let
|
|
4404
|
-
userData:
|
|
4403
|
+
let w = {
|
|
4404
|
+
userData: m,
|
|
4405
4405
|
username: s,
|
|
4406
4406
|
next: i ?? this.loginRedirect,
|
|
4407
4407
|
csrfToken: e.csrfToken
|
|
4408
4408
|
};
|
|
4409
|
-
return r(o,
|
|
4410
|
-
} catch (
|
|
4411
|
-
d.logger.error(c({ err:
|
|
4409
|
+
return r(o, w);
|
|
4410
|
+
} catch (w) {
|
|
4411
|
+
d.logger.error(c({ err: w }));
|
|
4412
4412
|
try {
|
|
4413
4413
|
this.sessionManager.deleteUserByUsername(s);
|
|
4414
4414
|
} catch (P) {
|
|
@@ -4521,7 +4521,7 @@ class Ke {
|
|
|
4521
4521
|
getHashOfSessionId(e) {
|
|
4522
4522
|
if (!e.sessionId) return "";
|
|
4523
4523
|
try {
|
|
4524
|
-
return
|
|
4524
|
+
return F.hash(e.sessionId);
|
|
4525
4525
|
} catch {
|
|
4526
4526
|
}
|
|
4527
4527
|
return "";
|
|
@@ -4536,7 +4536,7 @@ class Ke {
|
|
|
4536
4536
|
const o = this.getCsrfCookieValue(e);
|
|
4537
4537
|
if (!o) return "";
|
|
4538
4538
|
try {
|
|
4539
|
-
return
|
|
4539
|
+
return F.hash(o.split(".")[0]);
|
|
4540
4540
|
} catch {
|
|
4541
4541
|
}
|
|
4542
4542
|
return "";
|
|
@@ -4749,7 +4749,7 @@ class Ye {
|
|
|
4749
4749
|
msg: "Valid API key",
|
|
4750
4750
|
hahedApiKey: Y.hashSignedApiKeyValue(t.value)
|
|
4751
4751
|
}));
|
|
4752
|
-
const a =
|
|
4752
|
+
const a = Fe.decodeData(t.data);
|
|
4753
4753
|
if (i.apiKey = { ...t, ...a }, "scope" in a && Array.isArray(a.scope)) {
|
|
4754
4754
|
let h = [];
|
|
4755
4755
|
for (let f of a.scope)
|
|
@@ -4804,7 +4804,7 @@ class $e {
|
|
|
4804
4804
|
u(this, "refreshTokenCookieSameSite", "strict");
|
|
4805
4805
|
u(this, "csrfTokens");
|
|
4806
4806
|
u(this, "createGetCsrfTokenEndpoint", !1);
|
|
4807
|
-
this.app = e, this.fastifyServer = o, this.clientStorage = r, this.authServer = new
|
|
4807
|
+
this.app = e, this.fastifyServer = o, this.clientStorage = r, this.authServer = new Ne(
|
|
4808
4808
|
this.clientStorage,
|
|
4809
4809
|
s,
|
|
4810
4810
|
i,
|
|
@@ -4842,10 +4842,10 @@ class $e {
|
|
|
4842
4842
|
let h, f;
|
|
4843
4843
|
try {
|
|
4844
4844
|
h = await this.fastifyServer.validateCsrfToken(t);
|
|
4845
|
-
} catch (
|
|
4846
|
-
f = l.asCrossauthError(
|
|
4845
|
+
} catch (m) {
|
|
4846
|
+
f = l.asCrossauthError(m), f.message = "Invalid csrf cookie received", d.logger.error(c({
|
|
4847
4847
|
msg: f.message,
|
|
4848
|
-
hashedCsrfCookie: h ?
|
|
4848
|
+
hashedCsrfCookie: h ? F.hash(h) : void 0,
|
|
4849
4849
|
user: (v = t.user) == null ? void 0 : v.username,
|
|
4850
4850
|
cerr: f
|
|
4851
4851
|
}));
|
|
@@ -4862,21 +4862,21 @@ class $e {
|
|
|
4862
4862
|
}
|
|
4863
4863
|
);
|
|
4864
4864
|
{
|
|
4865
|
-
let
|
|
4865
|
+
let m = "500";
|
|
4866
4866
|
switch (f.httpStatus) {
|
|
4867
4867
|
case 401:
|
|
4868
|
-
|
|
4868
|
+
m = "401";
|
|
4869
4869
|
break;
|
|
4870
4870
|
case 400:
|
|
4871
|
-
|
|
4871
|
+
m = "400";
|
|
4872
4872
|
break;
|
|
4873
4873
|
}
|
|
4874
|
-
return a.status(f.httpStatus).send($[
|
|
4874
|
+
return a.status(f.httpStatus).send($[m] ?? G);
|
|
4875
4875
|
}
|
|
4876
4876
|
}
|
|
4877
4877
|
if (!f) {
|
|
4878
|
-
const
|
|
4879
|
-
return await this.authorize(t, a,
|
|
4878
|
+
const m = t.body.authorized == "true";
|
|
4879
|
+
return await this.authorize(t, a, m, {
|
|
4880
4880
|
responseType: t.body.response_type,
|
|
4881
4881
|
client_id: t.body.client_id,
|
|
4882
4882
|
redirect_uri: t.body.redirect_uri,
|
|
@@ -4890,37 +4890,37 @@ class $e {
|
|
|
4890
4890
|
)), (this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode) || this.authServer.validFlows.includes(E.ClientCredentials) || this.authServer.validFlows.includes(E.RefreshToken) || this.authServer.validFlows.includes(E.Password) || this.authServer.validFlows.includes(E.PasswordMfa) || this.authServer.validFlows.includes(E.DeviceCode)) && this.app.post(
|
|
4891
4891
|
this.prefix + "token",
|
|
4892
4892
|
async (t, a) => {
|
|
4893
|
-
var
|
|
4893
|
+
var m;
|
|
4894
4894
|
d.logger.info(c({
|
|
4895
4895
|
msg: "Page visit",
|
|
4896
4896
|
method: "POST",
|
|
4897
4897
|
url: this.prefix + "token",
|
|
4898
4898
|
ip: t.ip,
|
|
4899
|
-
user: (
|
|
4899
|
+
user: (m = t.user) == null ? void 0 : m.username
|
|
4900
4900
|
}));
|
|
4901
4901
|
let h = t.body.client_id, f = t.body.client_secret;
|
|
4902
4902
|
if (t.headers.authorization) {
|
|
4903
|
-
let
|
|
4903
|
+
let w, P;
|
|
4904
4904
|
const T = t.headers.authorization.split(" ");
|
|
4905
4905
|
if (T.length == 2 && T[0].toLocaleLowerCase() == "basic") {
|
|
4906
|
-
const _ =
|
|
4907
|
-
_.length == 2 && (
|
|
4906
|
+
const _ = F.base64Decode(T[1]).split(":", 2);
|
|
4907
|
+
_.length == 2 && (w = _[0], P = _[1]);
|
|
4908
4908
|
}
|
|
4909
|
-
|
|
4909
|
+
w == null || P == null ? d.logger.warn(c({
|
|
4910
4910
|
msg: "Ignoring malform authenization header " + t.headers.authorization
|
|
4911
|
-
})) : (h =
|
|
4911
|
+
})) : (h = w, f = P);
|
|
4912
4912
|
}
|
|
4913
4913
|
let p = t.body.refresh_token;
|
|
4914
4914
|
if ((this.refreshTokenType == "cookie" && t.cookies && this.refreshTokenCookieName in t.cookies || this.refreshTokenType == "both" && t.cookies && this.refreshTokenCookieName in t.cookies && p == null) && this.csrfTokens) {
|
|
4915
|
-
const
|
|
4915
|
+
const w = t.cookies[this.csrfTokens.cookieName];
|
|
4916
4916
|
let P = t.headers[this.csrfTokens.headerName.toLowerCase()];
|
|
4917
|
-
if (Array.isArray(P) && (P = P[0]), !
|
|
4917
|
+
if (Array.isArray(P) && (P = P[0]), !w || !P)
|
|
4918
4918
|
return {
|
|
4919
4919
|
error: "access_denied",
|
|
4920
4920
|
error_description: "Invalid csrf token"
|
|
4921
4921
|
};
|
|
4922
4922
|
try {
|
|
4923
|
-
this.csrfTokens.validateDoubleSubmitCsrfToken(
|
|
4923
|
+
this.csrfTokens.validateDoubleSubmitCsrfToken(w, P);
|
|
4924
4924
|
} catch (T) {
|
|
4925
4925
|
return d.logger.debug(c({ err: T })), d.logger.warn(c({ cerr: T, msg: "Invalid csrf token", client_id: t.body.client_id })), {
|
|
4926
4926
|
error: "access_denied",
|
|
@@ -4948,9 +4948,9 @@ class $e {
|
|
|
4948
4948
|
if (v.error == "authorization_pending")
|
|
4949
4949
|
return a.header(...x).status(200).send(v);
|
|
4950
4950
|
if (v.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(a, v.refresh_token, v.expires_in), v.error || !v.access_token) {
|
|
4951
|
-
let
|
|
4952
|
-
v.error && (
|
|
4953
|
-
const T = l.fromOAuthError(
|
|
4951
|
+
let w = "server_error", P = "Neither code nor error received when requesting authorization";
|
|
4952
|
+
v.error && (w = v.error), v.error_description && (P = v.error_description);
|
|
4953
|
+
const T = l.fromOAuthError(w, P);
|
|
4954
4954
|
return d.logger.error(c({ cerr: T })), a.header(...x).status(T.httpStatus).send(v);
|
|
4955
4955
|
}
|
|
4956
4956
|
return a.header(...x).send(v);
|
|
@@ -5004,15 +5004,15 @@ class $e {
|
|
|
5004
5004
|
}));
|
|
5005
5005
|
let h = t.body.client_id, f = t.body.client_secret;
|
|
5006
5006
|
if (t.headers.authorization) {
|
|
5007
|
-
let
|
|
5007
|
+
let m, w;
|
|
5008
5008
|
const P = t.headers.authorization.split(" ");
|
|
5009
5009
|
if (P.length == 2 && P[0].toLocaleLowerCase() == "basic") {
|
|
5010
|
-
const U =
|
|
5011
|
-
U.length == 2 && (
|
|
5010
|
+
const U = F.base64Decode(P[1]).split(":", 2);
|
|
5011
|
+
U.length == 2 && (m = U[0], w = U[1]);
|
|
5012
5012
|
}
|
|
5013
|
-
|
|
5013
|
+
m == null || w == null ? d.logger.warn(c({
|
|
5014
5014
|
msg: "Ignoring malform authenization header " + t.headers.authorization
|
|
5015
|
-
})) : (h =
|
|
5015
|
+
})) : (h = m, f = w);
|
|
5016
5016
|
}
|
|
5017
5017
|
const p = await this.authServer.deviceAuthorizationEndpoint({
|
|
5018
5018
|
client_id: h,
|
|
@@ -5020,9 +5020,9 @@ class $e {
|
|
|
5020
5020
|
scope: t.body.scope
|
|
5021
5021
|
});
|
|
5022
5022
|
if (p.error || !p.device_code || !p.user_code) {
|
|
5023
|
-
let
|
|
5024
|
-
p.error && (
|
|
5025
|
-
const P = l.fromOAuthError(
|
|
5023
|
+
let m = "server_error", w = "Neither code nor error received when requesting authorization";
|
|
5024
|
+
p.error && (m = p.error), p.error_description && (w = p.error_description);
|
|
5025
|
+
const P = l.fromOAuthError(m, w);
|
|
5026
5026
|
return d.logger.error(c({ cerr: P })), a.header(...x).status(P.httpStatus).send(p);
|
|
5027
5027
|
}
|
|
5028
5028
|
return a.header(...x).send(p);
|
|
@@ -5125,7 +5125,7 @@ class $e {
|
|
|
5125
5125
|
return d.logger.error(c({
|
|
5126
5126
|
msg: "getcsrftoken failure",
|
|
5127
5127
|
user: (i = e.user) == null ? void 0 : i.username,
|
|
5128
|
-
hashedCsrfCookie:
|
|
5128
|
+
hashedCsrfCookie: F.hash(r.split(".")[0]),
|
|
5129
5129
|
errorCode: t.code,
|
|
5130
5130
|
errorCodeName: t.codeName
|
|
5131
5131
|
})), d.logger.debug(c({ err: n })), o.status(t.httpStatus).header(...x).send({
|
|
@@ -5240,9 +5240,9 @@ class $e {
|
|
|
5240
5240
|
codeChallenge: h,
|
|
5241
5241
|
codeChallengeMethod: f
|
|
5242
5242
|
}) {
|
|
5243
|
-
let p, v,
|
|
5243
|
+
let p, v, m;
|
|
5244
5244
|
if (r) {
|
|
5245
|
-
const
|
|
5245
|
+
const w = await this.authServer.authorizeGetEndpoint({
|
|
5246
5246
|
responseType: s,
|
|
5247
5247
|
client_id: i,
|
|
5248
5248
|
redirect_uri: n,
|
|
@@ -5252,7 +5252,7 @@ class $e {
|
|
|
5252
5252
|
codeChallengeMethod: f,
|
|
5253
5253
|
user: e.user
|
|
5254
5254
|
});
|
|
5255
|
-
if (
|
|
5255
|
+
if (m = w.code, p = w.error, v = w.error_description, p || !m) {
|
|
5256
5256
|
const P = l.fromOAuthError(
|
|
5257
5257
|
p ?? "server_error",
|
|
5258
5258
|
v ?? "Neither code nor error received"
|
|
@@ -5282,24 +5282,24 @@ class $e {
|
|
|
5282
5282
|
}
|
|
5283
5283
|
return o.redirect(this.authServer.redirect_uri(
|
|
5284
5284
|
n,
|
|
5285
|
-
|
|
5285
|
+
m,
|
|
5286
5286
|
a
|
|
5287
5287
|
));
|
|
5288
5288
|
} else {
|
|
5289
|
-
const
|
|
5289
|
+
const w = new l(
|
|
5290
5290
|
g.Unauthorized,
|
|
5291
5291
|
"You have not granted access"
|
|
5292
5292
|
);
|
|
5293
5293
|
d.logger.error(c({
|
|
5294
5294
|
msg: v,
|
|
5295
|
-
errorCode:
|
|
5296
|
-
errorCodeName:
|
|
5295
|
+
errorCode: w.code,
|
|
5296
|
+
errorCodeName: w.codeName
|
|
5297
5297
|
}));
|
|
5298
5298
|
try {
|
|
5299
5299
|
return L.validateUri(n), o.redirect(n);
|
|
5300
5300
|
} catch {
|
|
5301
5301
|
d.logger.error(c({
|
|
5302
|
-
msg: `Couldn't send error message ${
|
|
5302
|
+
msg: `Couldn't send error message ${w.codeName} to ${n}}`
|
|
5303
5303
|
}));
|
|
5304
5304
|
}
|
|
5305
5305
|
}
|
|
@@ -5365,7 +5365,7 @@ class $e {
|
|
|
5365
5365
|
error_description: t.error_description
|
|
5366
5366
|
};
|
|
5367
5367
|
if (!t.client_id)
|
|
5368
|
-
return d.logger.error(c({ msg: "No client id found for user code", userCodeHash:
|
|
5368
|
+
return d.logger.error(c({ msg: "No client id found for user code", userCodeHash: F.hash(e), ip: o.ip, username: (s = o.user) == null ? void 0 : s.username })), {
|
|
5369
5369
|
ok: !1,
|
|
5370
5370
|
completed: !1,
|
|
5371
5371
|
retryAllowed: !1,
|
|
@@ -5373,7 +5373,7 @@ class $e {
|
|
|
5373
5373
|
error_description: "No client id found for user code"
|
|
5374
5374
|
};
|
|
5375
5375
|
if (t.error == "access_denied")
|
|
5376
|
-
return d.logger.error(c({ msg: "Incorrect user code given", userCodeHash:
|
|
5376
|
+
return d.logger.error(c({ msg: "Incorrect user code given", userCodeHash: F.hash(e), ip: o.ip, username: (i = o.user) == null ? void 0 : i.username })), this.authServer.userCodeThrottle > 0 && await ((f) => new Promise((p) => setTimeout(p, f)))(this.authServer.userCodeThrottle), {
|
|
5377
5377
|
ok: !1,
|
|
5378
5378
|
completed: !1,
|
|
5379
5379
|
retryAllowed: !0,
|
|
@@ -5381,7 +5381,7 @@ class $e {
|
|
|
5381
5381
|
error_description: t.error_description
|
|
5382
5382
|
};
|
|
5383
5383
|
if (t.error == "expired_token")
|
|
5384
|
-
return d.logger.error(c({ msg: "Expired user code", userCodeHash:
|
|
5384
|
+
return d.logger.error(c({ msg: "Expired user code", userCodeHash: F.hash(e), ip: o.ip, username: (n = o.user) == null ? void 0 : n.username })), {
|
|
5385
5385
|
ok: !1,
|
|
5386
5386
|
completed: !1,
|
|
5387
5387
|
retryAllowed: !1,
|
|
@@ -5591,7 +5591,7 @@ function j(k) {
|
|
|
5591
5591
|
let e;
|
|
5592
5592
|
if (k)
|
|
5593
5593
|
try {
|
|
5594
|
-
e = JSON.parse(
|
|
5594
|
+
e = JSON.parse(F.base64Decode(k.split(".")[1]));
|
|
5595
5595
|
} catch {
|
|
5596
5596
|
d.logger.error(c({ msg: "Couldn't decode id token" }));
|
|
5597
5597
|
}
|
|
@@ -5608,7 +5608,7 @@ function fe(k, e) {
|
|
|
5608
5608
|
if (k.access_token)
|
|
5609
5609
|
try {
|
|
5610
5610
|
if (k.access_token && e.includes("access")) {
|
|
5611
|
-
const i = (o = J(k.access_token)) == null ? void 0 : o.jti, n = i ?
|
|
5611
|
+
const i = (o = J(k.access_token)) == null ? void 0 : o.jti, n = i ? F.hash(i) : void 0;
|
|
5612
5612
|
d.logger.debug(c({
|
|
5613
5613
|
msg: "Got access token",
|
|
5614
5614
|
accessTokenHash: n
|
|
@@ -5620,7 +5620,7 @@ function fe(k, e) {
|
|
|
5620
5620
|
if (k.id_token)
|
|
5621
5621
|
try {
|
|
5622
5622
|
if (k.id_token && e.includes("id")) {
|
|
5623
|
-
const i = (r = J(k.id_token)) == null ? void 0 : r.jti, n = i ?
|
|
5623
|
+
const i = (r = J(k.id_token)) == null ? void 0 : r.jti, n = i ? F.hash(i) : void 0;
|
|
5624
5624
|
d.logger.debug(c({
|
|
5625
5625
|
msg: "Got id token",
|
|
5626
5626
|
idTokenHash: n
|
|
@@ -5632,7 +5632,7 @@ function fe(k, e) {
|
|
|
5632
5632
|
if (k.refresh_token && e.includes("refresh"))
|
|
5633
5633
|
try {
|
|
5634
5634
|
if (k.refresh_token) {
|
|
5635
|
-
const i = (s = J(k.refresh_token)) == null ? void 0 : s.jti, n = i ?
|
|
5635
|
+
const i = (s = J(k.refresh_token)) == null ? void 0 : s.jti, n = i ? F.hash(i) : void 0;
|
|
5636
5636
|
d.logger.debug(c({
|
|
5637
5637
|
msg: "Got refresh token",
|
|
5638
5638
|
refreshTokenHash: n
|
|
@@ -5852,13 +5852,13 @@ class we extends Oe {
|
|
|
5852
5852
|
this.prefix.endsWith("/") || (this.prefix += "/"), this.redirect_uri = this.siteUrl + this.prefix + "authzcode", this.validFlows.includes(E.AuthorizationCode) && this.server.app.get(
|
|
5853
5853
|
this.prefix + "authzcodeflow",
|
|
5854
5854
|
async (a, h) => {
|
|
5855
|
-
var
|
|
5855
|
+
var m;
|
|
5856
5856
|
if (d.logger.info(c({
|
|
5857
5857
|
msg: "Page visit",
|
|
5858
5858
|
method: "GET",
|
|
5859
5859
|
url: this.prefix + "authzcodeflow",
|
|
5860
5860
|
ip: a.ip,
|
|
5861
|
-
user: (
|
|
5861
|
+
user: (m = a.user) == null ? void 0 : m.username
|
|
5862
5862
|
})), !a.user && this.loginProtectedFlows.includes(E.AuthorizationCode))
|
|
5863
5863
|
return h.redirect(
|
|
5864
5864
|
302,
|
|
@@ -5866,11 +5866,11 @@ class we extends Oe {
|
|
|
5866
5866
|
);
|
|
5867
5867
|
const { url: f, error: p, error_description: v } = await this.startAuthorizationCodeFlow(a.query.scope);
|
|
5868
5868
|
if (p || !f) {
|
|
5869
|
-
const
|
|
5869
|
+
const w = l.fromOAuthError(
|
|
5870
5870
|
p ?? "server_error",
|
|
5871
5871
|
v
|
|
5872
5872
|
);
|
|
5873
|
-
return await this.errorFn(this.server, a, h,
|
|
5873
|
+
return await this.errorFn(this.server, a, h, w);
|
|
5874
5874
|
}
|
|
5875
5875
|
return d.logger.debug(c({
|
|
5876
5876
|
msg: "Authorization code flow: redirecting",
|
|
@@ -5882,23 +5882,36 @@ class we extends Oe {
|
|
|
5882
5882
|
let f = await o.sessionAdapter.getSessionData(a, this.sessionDataName);
|
|
5883
5883
|
if (f && f.id_payload) {
|
|
5884
5884
|
let p = f.expires_at;
|
|
5885
|
-
p && p > Date.now() && f.id_payload.sub
|
|
5886
|
-
|
|
5887
|
-
|
|
5888
|
-
|
|
5889
|
-
|
|
5885
|
+
if (p && p > Date.now() && f.id_payload.sub) {
|
|
5886
|
+
a.user = {
|
|
5887
|
+
id: f.id_payload.userid ?? f.id_payload.sub,
|
|
5888
|
+
username: f.id_payload.sub,
|
|
5889
|
+
state: f.id_payload.state ?? "active"
|
|
5890
|
+
}, a.idTokenPayload = f.id_payload;
|
|
5891
|
+
let v;
|
|
5892
|
+
try {
|
|
5893
|
+
v = await this.userCreationFn(
|
|
5894
|
+
f.id_payload,
|
|
5895
|
+
this.userStorage,
|
|
5896
|
+
this.userMatchField,
|
|
5897
|
+
this.idTokenMatchField
|
|
5898
|
+
), a.user = v, a.authType = v ? "oidc" : void 0;
|
|
5899
|
+
} catch (m) {
|
|
5900
|
+
d.logger.error(c({ cerr: m })), a.user = void 0, a.authType = void 0;
|
|
5901
|
+
}
|
|
5902
|
+
}
|
|
5890
5903
|
}
|
|
5891
5904
|
this.testMiddleware && (this.requestObj = a);
|
|
5892
5905
|
}), this.validFlows.includes(E.AuthorizationCodeWithPKCE) && this.server.app.get(
|
|
5893
5906
|
this.prefix + "authzcodeflowpkce",
|
|
5894
5907
|
async (a, h) => {
|
|
5895
|
-
var
|
|
5908
|
+
var m;
|
|
5896
5909
|
if (d.logger.info(c({
|
|
5897
5910
|
msg: "Page visit",
|
|
5898
5911
|
method: "GET",
|
|
5899
5912
|
url: this.prefix + "authzcodeflowpkce",
|
|
5900
5913
|
ip: a.ip,
|
|
5901
|
-
user: (
|
|
5914
|
+
user: (m = a.user) == null ? void 0 : m.username
|
|
5902
5915
|
})), !a.user && this.loginProtectedFlows.includes(E.AuthorizationCodeWithPKCE))
|
|
5903
5916
|
return h.redirect(
|
|
5904
5917
|
302,
|
|
@@ -5909,11 +5922,11 @@ class we extends Oe {
|
|
|
5909
5922
|
!0
|
|
5910
5923
|
);
|
|
5911
5924
|
if (p || !f) {
|
|
5912
|
-
const
|
|
5925
|
+
const w = l.fromOAuthError(
|
|
5913
5926
|
p ?? "server_error",
|
|
5914
5927
|
v
|
|
5915
5928
|
);
|
|
5916
|
-
return await this.errorFn(this.server, a, h,
|
|
5929
|
+
return await this.errorFn(this.server, a, h, w);
|
|
5917
5930
|
}
|
|
5918
5931
|
return h.redirect(f);
|
|
5919
5932
|
}
|
|
@@ -5941,7 +5954,7 @@ class we extends Oe {
|
|
|
5941
5954
|
f.id_token && (this.validateIdToken(f.id_token) || (f.error = "access_denied", f.error_description = "Invalid ID token received"));
|
|
5942
5955
|
try {
|
|
5943
5956
|
if (f.error) {
|
|
5944
|
-
const
|
|
5957
|
+
const m = l.fromOAuthError(
|
|
5945
5958
|
f.error,
|
|
5946
5959
|
f.error_description
|
|
5947
5960
|
);
|
|
@@ -5949,17 +5962,17 @@ class we extends Oe {
|
|
|
5949
5962
|
this.server,
|
|
5950
5963
|
a,
|
|
5951
5964
|
h,
|
|
5952
|
-
|
|
5965
|
+
m
|
|
5953
5966
|
);
|
|
5954
5967
|
}
|
|
5955
5968
|
return await this.receiveTokenFn(f, this, a, h);
|
|
5956
|
-
} catch (
|
|
5957
|
-
const
|
|
5969
|
+
} catch (m) {
|
|
5970
|
+
const w = l.asCrossauthError(m);
|
|
5958
5971
|
return d.logger.error(c({
|
|
5959
5972
|
msg: "Error receiving token",
|
|
5960
|
-
cerr:
|
|
5973
|
+
cerr: w,
|
|
5961
5974
|
user: (v = a.user) == null ? void 0 : v.user
|
|
5962
|
-
})), d.logger.debug(c({ err:
|
|
5975
|
+
})), d.logger.debug(c({ err: m })), await this.errorFn(this.server, a, h, w);
|
|
5963
5976
|
}
|
|
5964
5977
|
}
|
|
5965
5978
|
), this.validFlows.includes(E.ClientCredentials) && this.server.app.post(
|
|
@@ -5973,49 +5986,49 @@ class we extends Oe {
|
|
|
5973
5986
|
ip: a.ip,
|
|
5974
5987
|
user: (f = a.user) == null ? void 0 : f.username
|
|
5975
5988
|
})), this.server.sessionAdapter) {
|
|
5976
|
-
const { error:
|
|
5989
|
+
const { error: m, reply: w } = await o.errorIfCsrfInvalid(
|
|
5977
5990
|
a,
|
|
5978
5991
|
h,
|
|
5979
5992
|
this.errorFn
|
|
5980
5993
|
);
|
|
5981
|
-
if (
|
|
5994
|
+
if (m) return w;
|
|
5982
5995
|
}
|
|
5983
5996
|
if (!a.user && this.loginProtectedFlows.includes(E.ClientCredentials))
|
|
5984
5997
|
return h.status(401).header(...b).send({ ok: !1, msg: "Access denied" });
|
|
5985
5998
|
try {
|
|
5986
|
-
const
|
|
5987
|
-
if (
|
|
5988
|
-
const
|
|
5989
|
-
|
|
5990
|
-
|
|
5999
|
+
const m = await this.clientCredentialsFlow((p = a.body) == null ? void 0 : p.scope);
|
|
6000
|
+
if (m.id_token && (this.validateIdToken(m.id_token) || (m.error = "access_denied", m.error_description = "Invalid ID token received")), m.error) {
|
|
6001
|
+
const w = l.fromOAuthError(
|
|
6002
|
+
m.error,
|
|
6003
|
+
m.error_description
|
|
5991
6004
|
);
|
|
5992
6005
|
return await this.errorFn(
|
|
5993
6006
|
this.server,
|
|
5994
6007
|
a,
|
|
5995
6008
|
h,
|
|
5996
|
-
|
|
6009
|
+
w
|
|
5997
6010
|
);
|
|
5998
6011
|
}
|
|
5999
|
-
return await this.receiveTokenFn(
|
|
6000
|
-
} catch (
|
|
6001
|
-
const
|
|
6012
|
+
return await this.receiveTokenFn(m, this, a, h);
|
|
6013
|
+
} catch (m) {
|
|
6014
|
+
const w = l.asCrossauthError(m);
|
|
6002
6015
|
return d.logger.error(c({
|
|
6003
6016
|
msg: "Error receiving token",
|
|
6004
|
-
cerr:
|
|
6017
|
+
cerr: w,
|
|
6005
6018
|
user: (v = a.user) == null ? void 0 : v.user
|
|
6006
|
-
})), d.logger.debug(c({ err:
|
|
6019
|
+
})), d.logger.debug(c({ err: m })), await this.errorFn(this.server, a, h, w);
|
|
6007
6020
|
}
|
|
6008
6021
|
}
|
|
6009
6022
|
), this.validFlows.includes(E.RefreshToken) && (this.server.app.post(
|
|
6010
6023
|
this.prefix + "refreshtokenflow",
|
|
6011
6024
|
async (a, h) => {
|
|
6012
|
-
var
|
|
6025
|
+
var m, w;
|
|
6013
6026
|
d.logger.info(c({
|
|
6014
6027
|
msg: "Page visit",
|
|
6015
6028
|
method: "POST",
|
|
6016
6029
|
url: this.prefix + "refreshtokenflow",
|
|
6017
6030
|
ip: a.ip,
|
|
6018
|
-
user: (
|
|
6031
|
+
user: (m = a.user) == null ? void 0 : m.username
|
|
6019
6032
|
}));
|
|
6020
6033
|
const { error: f, reply: p } = await o.errorIfCsrfInvalid(
|
|
6021
6034
|
a,
|
|
@@ -6078,7 +6091,7 @@ class we extends Oe {
|
|
|
6078
6091
|
return d.logger.error(c({
|
|
6079
6092
|
msg: "Error receiving token",
|
|
6080
6093
|
cerr: T,
|
|
6081
|
-
user: (
|
|
6094
|
+
user: (w = a.user) == null ? void 0 : w.user
|
|
6082
6095
|
})), d.logger.debug(c({ err: P })), await this.errorFn(this.server, a, h, T);
|
|
6083
6096
|
}
|
|
6084
6097
|
}
|
|
@@ -6271,17 +6284,17 @@ class we extends Oe {
|
|
|
6271
6284
|
csrfToken: a.csrfToken
|
|
6272
6285
|
}
|
|
6273
6286
|
);
|
|
6274
|
-
} catch (
|
|
6275
|
-
const
|
|
6276
|
-
return d.logger.debug(c({ err:
|
|
6287
|
+
} catch (m) {
|
|
6288
|
+
const w = l.asCrossauthError(m);
|
|
6289
|
+
return d.logger.debug(c({ err: w })), d.logger.error(c({ msg: "Couldn't delete oauth tokens", cerr: w })), h.view(
|
|
6277
6290
|
this.deleteTokensPage,
|
|
6278
6291
|
{
|
|
6279
6292
|
ok: !1,
|
|
6280
6293
|
user: (v = a.user) == null ? void 0 : v.username,
|
|
6281
6294
|
csrfToken: a.csrfToken,
|
|
6282
|
-
errorMessage:
|
|
6283
|
-
errorCode:
|
|
6284
|
-
errorCodeName:
|
|
6295
|
+
errorMessage: w.message,
|
|
6296
|
+
errorCode: w.code,
|
|
6297
|
+
errorCodeName: w.codeName
|
|
6285
6298
|
}
|
|
6286
6299
|
);
|
|
6287
6300
|
}
|
|
@@ -6326,8 +6339,8 @@ class we extends Oe {
|
|
|
6326
6339
|
return f.header(...b).status(401).send({ ok: !1, msg: "No csrf token given" });
|
|
6327
6340
|
let p = !1, v = a;
|
|
6328
6341
|
a.startsWith("have_") && (v = a.replace("have_", ""), p = !0);
|
|
6329
|
-
let
|
|
6330
|
-
if (this.jwtTokens.includes(
|
|
6342
|
+
let m = v.replace("_token", ""), w = !1;
|
|
6343
|
+
if (this.jwtTokens.includes(m) && (w = h.body.decode ?? !0), !this.server.sessionAdapter) throw new l(
|
|
6331
6344
|
g.Configuration,
|
|
6332
6345
|
"Cannot get session data if sessions not enabled"
|
|
6333
6346
|
);
|
|
@@ -6335,7 +6348,7 @@ class we extends Oe {
|
|
|
6335
6348
|
if (!P)
|
|
6336
6349
|
return p ? f.header(...b).status(200).send({ ok: !1 }) : f.header(...b).status(204).send();
|
|
6337
6350
|
let T = P[v];
|
|
6338
|
-
return
|
|
6351
|
+
return w && (T = j(P[v])), T ? p ? f.header(...b).status(200).send({ ok: !0 }) : f.header(...b).status(200).send({ ...T }) : p ? f.header(...b).status(200).send({ ok: !1 }) : f.header(...b).status(204).send();
|
|
6339
6352
|
}
|
|
6340
6353
|
);
|
|
6341
6354
|
if (this.server.app.post(
|
|
@@ -6358,14 +6371,14 @@ class we extends Oe {
|
|
|
6358
6371
|
if (!f)
|
|
6359
6372
|
return h.header(...b).status(204).send();
|
|
6360
6373
|
let p = {};
|
|
6361
|
-
for (let
|
|
6362
|
-
let
|
|
6363
|
-
|
|
6374
|
+
for (let m of this.tokenEndpoints) {
|
|
6375
|
+
let w = !1, P = m;
|
|
6376
|
+
m.startsWith("have_") && (P = m.replace("have_", ""), w = !0);
|
|
6364
6377
|
let T = P.replace("_token", ""), U = !1;
|
|
6365
6378
|
if (this.jwtTokens.includes(T) && (U = a.body.decode ?? !0), P in f) {
|
|
6366
6379
|
let _ = f[P];
|
|
6367
|
-
U && (_ = j(f[P])), _ && (p[
|
|
6368
|
-
} else
|
|
6380
|
+
U && (_ = j(f[P])), _ && (p[m] = w ? !0 : _);
|
|
6381
|
+
} else w && (p[m] = !1);
|
|
6369
6382
|
}
|
|
6370
6383
|
return h.header(...b).status(200).send({ ...p });
|
|
6371
6384
|
}
|
|
@@ -6381,26 +6394,26 @@ class we extends Oe {
|
|
|
6381
6394
|
const f = this.bffEndpoints[a].methods, p = this.bffEndpoints[a].matchSubUrls ?? !1;
|
|
6382
6395
|
let v = h;
|
|
6383
6396
|
p && (v.endsWith("/") || (v += "/"), v += "*");
|
|
6384
|
-
for (let
|
|
6397
|
+
for (let m in f)
|
|
6385
6398
|
this.server.app.route({
|
|
6386
|
-
method: f[
|
|
6399
|
+
method: f[m],
|
|
6387
6400
|
url: this.prefix + this.bffEndpointName + v,
|
|
6388
6401
|
// was url
|
|
6389
|
-
handler: async (
|
|
6402
|
+
handler: async (w, P) => {
|
|
6390
6403
|
var _, M;
|
|
6391
6404
|
d.logger.info(c({
|
|
6392
6405
|
msg: "Page visit",
|
|
6393
|
-
method:
|
|
6394
|
-
url:
|
|
6395
|
-
ip:
|
|
6396
|
-
user: (_ =
|
|
6406
|
+
method: w.method,
|
|
6407
|
+
url: w.url,
|
|
6408
|
+
ip: w.ip,
|
|
6409
|
+
user: (_ = w.user) == null ? void 0 : _.username
|
|
6397
6410
|
}));
|
|
6398
|
-
const T =
|
|
6411
|
+
const T = w.url.substring(this.prefix.length + this.bffEndpointName.length);
|
|
6399
6412
|
d.logger.debug(c({ msg: "Resource server URL " + T }));
|
|
6400
|
-
const U = f[
|
|
6413
|
+
const U = f[m] != "GET" && f[m] != "HEAD" && f[m] != "OPTIONS";
|
|
6401
6414
|
if (this.server.sessionAdapter && U) {
|
|
6402
6415
|
const { error: I, reply: V } = await o.errorIfCsrfInvalid(
|
|
6403
|
-
|
|
6416
|
+
w,
|
|
6404
6417
|
P,
|
|
6405
6418
|
this.errorFn
|
|
6406
6419
|
);
|
|
@@ -6411,13 +6424,13 @@ class we extends Oe {
|
|
|
6411
6424
|
g.Configuration,
|
|
6412
6425
|
"Cannot get session data if sessions not enabled"
|
|
6413
6426
|
);
|
|
6414
|
-
const I = await this.server.sessionAdapter.getSessionData(
|
|
6427
|
+
const I = await this.server.sessionAdapter.getSessionData(w, this.sessionDataName);
|
|
6415
6428
|
if (!I)
|
|
6416
6429
|
return P.header(...b).status(401).send({ ok: !1 });
|
|
6417
6430
|
let V = I == null ? void 0 : I.access_token;
|
|
6418
6431
|
if (I && I.access_token) {
|
|
6419
6432
|
const H = await ((M = o.oAuthClient) == null ? void 0 : M.refresh(
|
|
6420
|
-
|
|
6433
|
+
w,
|
|
6421
6434
|
P,
|
|
6422
6435
|
!0,
|
|
6423
6436
|
!0,
|
|
@@ -6432,13 +6445,13 @@ class we extends Oe {
|
|
|
6432
6445
|
};
|
|
6433
6446
|
V && (X.Authorization = "Bearer " + V);
|
|
6434
6447
|
let W;
|
|
6435
|
-
|
|
6448
|
+
w.body ? W = await fetch(this.bffBaseUrl + T, {
|
|
6436
6449
|
headers: X,
|
|
6437
|
-
method:
|
|
6438
|
-
body: JSON.stringify(
|
|
6450
|
+
method: w.method,
|
|
6451
|
+
body: JSON.stringify(w.body ?? "{}")
|
|
6439
6452
|
}) : W = await fetch(this.bffBaseUrl + T, {
|
|
6440
6453
|
headers: X,
|
|
6441
|
-
method:
|
|
6454
|
+
method: w.method
|
|
6442
6455
|
});
|
|
6443
6456
|
const Ce = await W.json();
|
|
6444
6457
|
for (const H of W.headers.entries())
|
|
@@ -6599,7 +6612,7 @@ class we extends Oe {
|
|
|
6599
6612
|
msg: "Error completing MFA",
|
|
6600
6613
|
cerr: t,
|
|
6601
6614
|
user: (n = r.user) == null ? void 0 : n.user,
|
|
6602
|
-
hashedMfaToken:
|
|
6615
|
+
hashedMfaToken: F.hash(r.body.mfa_token)
|
|
6603
6616
|
})), d.logger.debug(c({ err: t })), o ? await this.errorFn(
|
|
6604
6617
|
this.server,
|
|
6605
6618
|
r,
|
|
@@ -6634,7 +6647,7 @@ class we extends Oe {
|
|
|
6634
6647
|
msg: "Error completing MFA",
|
|
6635
6648
|
cerr: t,
|
|
6636
6649
|
user: (n = r.user) == null ? void 0 : n.user,
|
|
6637
|
-
hashedMfaToken:
|
|
6650
|
+
hashedMfaToken: F.hash(r.body.mfa_token)
|
|
6638
6651
|
})), d.logger.debug(c({ err: t })), o ? await this.errorFn(
|
|
6639
6652
|
this.server,
|
|
6640
6653
|
r,
|
|
@@ -7404,7 +7417,7 @@ const K = class K {
|
|
|
7404
7417
|
getHashOfSessionId(e) {
|
|
7405
7418
|
if (!e.sessionId) return "";
|
|
7406
7419
|
try {
|
|
7407
|
-
return
|
|
7420
|
+
return F.hash(e.sessionId);
|
|
7408
7421
|
} catch {
|
|
7409
7422
|
}
|
|
7410
7423
|
return "";
|