@crossauth/fastify 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/LICENSE +203 -0
  2. package/README.md +12 -0
  3. package/dist/fastifyadminclientendpoints.d.ts +149 -0
  4. package/dist/fastifyadminendpoints.d.ts +126 -0
  5. package/dist/fastifyapikey.d.ts +42 -0
  6. package/dist/fastifyoauthclient.d.ts +429 -0
  7. package/dist/fastifyoauthserver.d.ts +248 -0
  8. package/dist/fastifyresserver.d.ts +93 -0
  9. package/dist/fastifyserver.d.ts +293 -0
  10. package/dist/fastifysession.d.ts +767 -0
  11. package/dist/fastifysessionadapter.d.ts +48 -0
  12. package/dist/fastifyuserclientendpoints.d.ts +61 -0
  13. package/dist/fastifyuserendpoints.d.ts +193 -0
  14. package/dist/index.cjs +9085 -0
  15. package/dist/index.d.ts +40 -0
  16. package/dist/index.js +9085 -0
  17. package/dist/tests/admincommon.d.ts +20 -0
  18. package/dist/tests/fastifyadminapiendpoints.test.d.ts +13 -0
  19. package/dist/tests/fastifyadminclientapiendpoints.test.d.ts +13 -0
  20. package/dist/tests/fastifyadminclientendpoints.test.d.ts +13 -0
  21. package/dist/tests/fastifyadminendpoints.test.d.ts +13 -0
  22. package/dist/tests/fastifyapikeyserver.test.d.ts +13 -0
  23. package/dist/tests/fastifyapiserver.test.d.ts +11 -0
  24. package/dist/tests/fastifyapitwofactor.test.d.ts +11 -0
  25. package/dist/tests/fastifyauthserver.test.d.ts +17 -0
  26. package/dist/tests/fastifyclient.test.d.ts +1 -0
  27. package/dist/tests/fastifymfaclient.test.d.ts +4 -0
  28. package/dist/tests/fastifyresserver.test.d.ts +1 -0
  29. package/dist/tests/fastifysessionserver.test.d.ts +13 -0
  30. package/dist/tests/fastifytwofactorserver.test.d.ts +17 -0
  31. package/dist/tests/fastifyuserclientapiendpoints.test.d.ts +13 -0
  32. package/dist/tests/fastifyuserclientendpoints.test.d.ts +13 -0
  33. package/dist/tests/inmemorytestdata.d.ts +3 -0
  34. package/dist/tests/oauthcommon.d.ts +45 -0
  35. package/package.json +75 -0
package/dist/fastifysession.d.ts ADDED
@@ -0,0 +1,767 @@
1
+ import { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
2
+ import { Server, IncomingMessage, ServerResponse } from 'http';
3
+ import { CrossauthError, User, Key, UserInputFields, OAuthClient } from '@crossauth/common';
4
+ import { UserStorage, KeyStorage, OAuthClientStorage, Authenticator, SessionManager, SessionManagerOptions, OAuthClientManagerOptions } from '@crossauth/backend';
5
+ import { UpdateUserBodyType } from './fastifyuserendpoints';
6
+ import { FastifySessionAdapter } from './fastifysessionadapter';
7
+
8
+ /**
9
+ * Options for {@link FastifySessionServer }.
10
+ */
11
+ export interface FastifySessionServerOptions extends SessionManagerOptions, OAuthClientManagerOptions {
12
+ /**
13
+ * If enabling user login, must provide the user storage
14
+ */
15
+ userStorage?: UserStorage;
16
+ /**
17
+ * Factor 1 and 2 authenticators.
18
+ *
19
+ * The key is what appears in the `factor1` and `factor2` filed in the
20
+ * Users table.
21
+ */
22
+ authenticators?: {
23
+ [key: string]: Authenticator;
24
+ };
25
+ /** All endpoint URLs will be prefixed with this. Default `/` */
26
+ prefix?: string;
27
+ /** Admin URLs will be prefixed with `this Default `admin/` */
28
+ adminPrefix?: string;
29
+ /** List of endpoints to add to the server ("login", "api/login", etc,
30
+ * prefixed by the `prefix` parameter. Empty for allMinusOAuth. Default allMinusOAuth. */
31
+ endpoints?: string[];
32
+ /** Page to redirect to after successful login, default "/" */
33
+ loginRedirect?: string;
34
+ /** Page to redirect to after successful logout, default "/" */
35
+ logoutRedirect?: string;
36
+ /** Function that throws a {@link @crossauth/common!CrossauthError}
37
+ * with {@link @crossauth/common!ErrorCode} `FormEnty` if the user
38
+ * doesn't confirm to local rules. Doesn't validate passwords */
39
+ validateUserFn?: (user: UserInputFields) => string[];
40
+ /** Function that creates a user from form fields.
41
+ * Default one takes fields that begin with `user_`, removing the `user_`
42
+ * prefix and filtering out anything not in the userEditableFields list in
43
+ * the user storage.
44
+ */
45
+ createUserFn?: (request: FastifyRequest<{
46
+ Body: SignupBodyType;
47
+ }>, userEditableFields: string[]) => UserInputFields;
48
+ /** Function that updates a user from form fields.
49
+ * Default one takes fields that begin with `user_`, removing the `user_`
50
+ * prefix and filtering out anything not in the userEditableFields list in
51
+ * the user storage.
52
+ */
53
+ updateUserFn?: (user: User, request: FastifyRequest<{
54
+ Body: UpdateUserBodyType;
55
+ }>, userEditableFields: string[]) => User;
56
+ /** Called when a new session token is going to be saved
57
+ * Add additional fields to your session storage here. Return a map of
58
+ * keys to values */
59
+ addToSession?: (request: FastifyRequest) => {
60
+ [key: string]: string | number | boolean | Date | undefined;
61
+ };
62
+ /** Called after the session ID is validated.
63
+ * Use this to add additional checks based on the request.
64
+ * Throw an exception if cecks fail
65
+ */
66
+ validateSession?: (session: Key, user: User | undefined, request: FastifyRequest) => void;
67
+ /** Template file containing the login page (with without error messages).
68
+ * See the class documentation for {@link FastifyServer} for more info.
69
+ * Defaults to "login.njk".
70
+ */
71
+ loginPage?: string;
72
+ /** Template file containing the page for getting the 2nd factor for 2FA
73
+ * protected pages. See the class documentation for {@link FastifyServer}
74
+ * for more info. Defaults to "factor2.njk".
75
+ */
76
+ factor2Page?: string;
77
+ /** Template file containing the signup page (with without error messages).
78
+ * See the class documentation for {@link FastifyServer} for more info.
79
+ * Defaults to "signup.njk".
80
+ * Signup form should contain at least `username` and `password` and may
81
+ * also contain `repeatPassword`. If you have additional
82
+ * fields in your user table you want to pass from your form, prefix
83
+ * them with `user_`, eg `user_email`.
84
+ * If you want to enable email verification, set `enableEmailVerification`
85
+ * and set `checkEmailVerified` on the user storage.
86
+ */
87
+ signupPage?: string;
88
+ /** Page to set up 2FA after sign up */
89
+ configureFactor2Page?: string;
90
+ /** Confirm deleting a user */
91
+ deleteUserPage?: string;
92
+ /** Confirm deleting an OAuth client */
93
+ deleteClientPage?: string;
94
+ /** Page to render error messages, including failed login.
95
+ * See the class documentation for {@link FastifyServer} for more info.
96
+ * Defaults to "error.njk".
97
+ */
98
+ errorPage?: string;
99
+ /** Page to render for password changing.
100
+ * See the class documentation for {@link FastifyServer} for more info.
101
+ * Defaults to "changepassword.njk".
102
+ */
103
+ changePasswordPage?: string;
104
+ /** Page to render for selecting a different 2FA.
105
+ * See the class documentation for {@link FastifyServer} for more info.
106
+ * Defaults to "changepassword.njk".
107
+ */
108
+ changeFactor2Page?: string;
109
+ /** Page to render for updating user details.
110
+ * See the class documentation for {@link FastifyServer} for more info.
111
+ * Defaults to "updateuser.njk".
112
+ */
113
+ updateUserPage?: string;
114
+ /** Page to ask user for email and reset his/her password.
115
+ * See the class documentation for {@link FastifyServer} for more info.
116
+ * Defaults to "requestpasswordreset.njk".
117
+ */
118
+ requestResetPasswordPage?: string;
119
+ /** Page to render for password reset, after the emailed token has been
120
+ * validated.
121
+ * See the class documentation for {@link FastifyServer} for more info.
122
+ * Defaults to "resetpassword.njk".
123
+ */
124
+ resetPasswordPage?: string;
125
+ /**
126
+ * Turns on email verification. This will cause the verification tokens to
127
+ * be sent when the account
128
+ * is activated and when email is changed. Default false.
129
+ */
130
+ enableEmailVerification?: boolean;
131
+ /** Page to render for to confirm email has been verified. Only created
132
+ * if `enableEmailVerification` is true.
133
+ * See the class documentation for {@link FastifyServer} for more info.
134
+ * Defaults to "emailverified.njk"
135
+ */
136
+ emailVerifiedPage?: string;
137
+ /**
138
+ * These page endpoints need the second factor to be entered. Visiting
139
+ * the page redirects the user to the factor2 page.
140
+ *
141
+ * You probably want to do this for things like changing password. The
142
+ * default is
143
+ * `/requestpasswordreset`,
144
+ * `/updateuser`,
145
+ * `/changepassword`,
146
+ * `/resetpassword`,
147
+ * `/changefactor2`,
148
+ */
149
+ factor2ProtectedPageEndpoints?: string[];
150
+ /**
151
+ * These page endpoints need the second factor to be entered. Making
152
+ * a call to these endpoints results in a response of
153
+ * `{"ok": true, "factor2Required": true `}. The user should then
154
+ * make a call to `/api/factor2`. If the credetials are correct, the
155
+ * response will be that of the original request.
156
+ *
157
+ * You probably want to do this for things like changing password. The
158
+ * default is
159
+ * `/api/requestpasswordreset`,
160
+ * `/api/updateuser`,
161
+ * `/api/changepassword`,
162
+ * `/api/resetpassword`,
163
+ * `/api/changefactor2`,
164
+ */
165
+ factor2ProtectedApiEndpoints?: string[];
166
+ /**
167
+ * This parameter affects users who are not logged in with a session ID
168
+ * but with an OAuth access token. Such users can only update their user
169
+ * record if the scoped named in this variable has been authorized by
170
+ * that user for the client.
171
+ *
172
+ * By default, no scopes are authorized to edit the user.
173
+ */
174
+ editUserScope?: string;
175
+ /**
176
+ * If true, all administrator endpoints will be enabled.
177
+ *
178
+ * If you explicitly name which endpoints to enable with the `endpoints`
179
+ * option, this is ignored.
180
+ *
181
+ * Default false.
182
+ *
183
+ */
184
+ enableAdminEndpoints?: boolean;
185
+ /**
186
+ * If true, all endpoints for managing OAuth clients (including
187
+ * the admin ones if `enableAdminEndpoints` is also true).
188
+ *
189
+ * If you explicitly name which endpoints to enable with the `endpoints`
190
+ * option, this is ignored.
191
+ *
192
+ * Default false
193
+ */
194
+ enableOAuthClientManagement?: boolean;
195
+ /**
196
+ * The temaplte file for the admin create user page.
197
+ *
198
+ * Default `admin/createuser.njk`
199
+ */
200
+ adminCreateUserPage?: string;
201
+ /**
202
+ * The temaplte file for the admin selecting a user.
203
+ *
204
+ * Default `admin/selectuser.njk`
205
+ */
206
+ adminSelectUserPage?: string;
207
+ /**
208
+ * The temaplte file for the admin creating a user.
209
+ *
210
+ * Default `admin/createuser.njk`
211
+ */
212
+ adminCreateClientPage?: string;
213
+ /**
214
+ * Admin pages provide functionality for searching for users. By
215
+ * default the search string must exactly match a username or
216
+ * email address (depending on the storage, after normalizing
217
+ * and lowercasing). Override this behaviour with this function
218
+ * @param searchTerm the search term
219
+ * @param userStorage the user storage to search
220
+ * @returns array of matching users
221
+ */
222
+ userSearchFn?: (searchTerm: string, userStorage: UserStorage) => Promise<User[]>;
223
+ /**
224
+ * Admin pages provide functionality for searching for OAuth clients. By
225
+ * default the search string must exactly match the `client_name`.
226
+ * Override this behaviour with this function
227
+ * @param searchTerm the search term
228
+ * @param clientStorage the client storage to search
229
+ * @param userid if defined and non null, only clients owned by that
230
+ * user ID will be returned. If `null`, only clients not owned
231
+ * by a user will be returned. If undefined, all matching clients
232
+ * will be returned
233
+ * @returns array of matching clients
234
+ */
235
+ clientSearchFn?: (searchTerm: string, clientStorage: OAuthClientStorage, userid?: string | number | null) => Promise<OAuthClient[]>;
236
+ }
237
+ /**
238
+ * When not overriding which endpoints to enable, all of these will be.
239
+ */
240
+ export declare const SessionPageEndpoints: string[];
241
+ /**
242
+ * When not overriding which endpoints to enable,
243
+ * and with `enableAdminEndpoints` enabled, all of these will be.
244
+ */
245
+ export declare const SessionAdminPageEndpoints: string[];
246
+ /**
247
+ * When not overriding which endpoints to enable, and with
248
+ * both `enableAdminEndpoints` and `enableAdminClientManagement` enabled,
249
+ * all these will be.
250
+ */
251
+ export declare const SessionAdminClientPageEndpoints: string[];
252
+ /**
253
+ * When not overriding which endpoints to enable, and with
254
+ * `enableAdminClientManagement` enabled,
255
+ * all these will be.
256
+ */
257
+ export declare const SessionClientPageEndpoints: string[];
258
+ /**
259
+ * When not overriding which endpoints to enable, all of these will be.
260
+ */
261
+ export declare const SessionApiEndpoints: string[];
262
+ /**
263
+ * When not overriding which endpoints to enable,
264
+ * and with `enableAdminEndpoints` enabled, all of these will be.
265
+ */
266
+ export declare const SessionAdminApiEndpoints: string[];
267
+ /**
268
+ * When not overriding which endpoints to enable, and with
269
+ * both `enableAdminEndpoints` and `enableAdminClientManagement` enabled,
270
+ * all these will be.
271
+ */
272
+ export declare const SessionAdminClientApiEndpoints: string[];
273
+ /**
274
+ * When not overriding which endpoints to enable, and with
275
+ * `enableAdminClientManagement` enabled,
276
+ * all these will be.
277
+ */
278
+ export declare const SessionClientApiEndpoints: string[];
279
+ /**
280
+ * API (JSON) endpoints that depend on 2FA being enabled.
281
+ *
282
+ * If not overriding which endpoints to enable with `endpoints`,
283
+ * and if any 2FA factors are enabled, then this endpoints will be added.
284
+ */
285
+ export declare const Factor2ApiEndpoints: string[];
286
+ /**
287
+ * Page endpoints that depend on email verification being enabled.
288
+ *
289
+ * If not overriding which endpoints to enable with `endpoints`,
290
+ * and if email verification is enabled, then this endpoints will be added.
291
+ */
292
+ export declare const EmailVerificationPageEndpoints: string[];
293
+ /**
294
+ * API (JSON) endpoints that depend on email verification.
295
+ *
296
+ * If not overriding which endpoints to enable with `endpoints`,
297
+ * and if email verification is enabled, then this endpoints will be added.
298
+ */
299
+ export declare const EmailVerificationApiEndpoints: string[];
300
+ /**
301
+ * Page endpoints that depend on password reset being enabled
302
+ *
303
+ * If not overriding which endpoints to enable with `endpoints`,
304
+ * and if password reset is enabled, then this endpoints will be added.
305
+ */
306
+ export declare const PasswordResetPageEndpoints: string[];
307
+ /**
308
+ * API (JSON) endpoints that depend on password reset being enabled
309
+ *
310
+ * If not overriding which endpoints to enable with `endpoints`,
311
+ * and if password reset is enabled, then this endpoints will be added.
312
+ */
313
+ export declare const PasswordResetApiEndpoints: string[];
314
+ /**
315
+ * Endpoints for signing a user up that display HTML
316
+ *
317
+ * When not overriding which endpoints to enable, all of these will be.
318
+ */
319
+ export declare const SignupPageEndpoints: string[];
320
+ /**
321
+ * API (JSON) endpoints for signing a user up that display HTML
322
+ *
323
+ * When not overriding which endpoints to enable, all of these will be.
324
+ */
325
+ export declare const SignupApiEndpoints: string[];
326
+ /**
327
+ * Endpoints for signing a user up that display HTML
328
+ */
329
+ export declare const Factor2PageEndpoints: string[];
330
+ /**
331
+ * These are the endpoints created ig `endpoints` is set to `allMinusOAuth`
332
+ */
333
+ export declare const AllEndpointsMinusOAuth: string[];
334
+ /**
335
+ * These are all the endpoints
336
+ */
337
+ export declare const AllEndpoints: string[];
338
+ /**
339
+ * Fastify body type for optionally passing a CSRF token in the body.
340
+ */
341
+ export interface CsrfBodyType {
342
+ csrfToken?: string;
343
+ }
344
+ /**
345
+ * Fastify body type for passing any body parameter
346
+ */
347
+ export interface ArbitraryBodyType {
348
+ [key: string]: string;
349
+ }
350
+ /**
351
+ * Body parameters for the /login URL
352
+ */
353
+ export interface LoginBodyType extends CsrfBodyType {
354
+ username: string;
355
+ password: string;
356
+ persist?: boolean;
357
+ next?: string;
358
+ }
359
+ /**
360
+ * Body parameters for the /loginfactor2 URL
361
+ */
362
+ export interface LoginFactor2BodyType extends CsrfBodyType {
363
+ persist?: boolean;
364
+ next?: string;
365
+ otp?: string;
366
+ token?: string;
367
+ }
368
+ /**
369
+ * Fastidy body type for users signing up
370
+ */
371
+ export interface SignupBodyType extends LoginBodyType {
372
+ repeatPassword?: string;
373
+ email?: string;
374
+ factor2?: string;
375
+ [key: string]: string | number | Date | boolean | undefined;
376
+ }
377
+ /**
378
+ * Fastidy query type for users logging in (just a parameter for next page to load)
379
+ */
380
+ export interface LoginQueryType {
381
+ next?: string;
382
+ }
383
+ /**
384
+ * For passing authenticator details to page templates.
385
+ */
386
+ export interface AuthenticatorDetails {
387
+ name: string;
388
+ friendlyName: string;
389
+ hasSecrets: boolean;
390
+ }
391
+ /**
392
+ * This class adds user endpoints to the Fastidfy session server.
393
+ *
394
+ * You shouldn't have create create this directly - it is created by
395
+ * {@link FastifyServer}.
396
+ *
397
+ * **Endpoints that can be activated**
398
+ *
399
+ * All page POST methods are passed user, csrfToken, errorCode, errorCodeName, errorMessage, errorMessages, urlPrefix,
400
+ * errorMessages is an array, errorMessage is a single value or concatenation of errorMessages.
401
+ *
402
+ * All JSON responses have ok, errorMessage, errorMEssages, errorCode, errorCodeName, other than OAuth endpoints.
403
+ *
404
+ * | METHOD | ENDPOINT | PATH PARAMS | GET/BODY PARAMS | VARIABLES PASSED/RESPONSE JSON | FILE |
405
+ * | ------ | -------------------------- | ----------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ------------------------ |
406
+ * | GET | /login | | next | next | loginPage |
407
+ * | POST | /login | | next, username, password | request params, next, persist, username | loginPage | loginPage |
408
+ * | POST | /api/login | | username, password | | |
409
+ * | POST | /logout | | next | | |
410
+ * | POST | /api/logout | | | | |
411
+ * | GET | /signup | | next | | signupPage |
412
+ * | POST | /signup | | next, persist, username, password, repeat_password, factor2, user_* | message, next, persist, username, factor2, allowedFactor2 | signupPage |
413
+ * | POST | /api/signup | | username, password, repeat_password, factor2, user_* | message, next, persist, username, factor2, allowedFactor2 | signupPage |
414
+ * | GET | /changepassword | | next, required | next, required | changePasswordPage |
415
+ * | POST | /changepassword | | next, required, old_password, new_password, repeat_password | message, next, required | changePasswordPage |
416
+ * | POST | /api/changepassword | | old_password, new_password, repeat_password | | |
417
+ * | GET | /changefactor2 | | next, required, factor2 | next, required, allowedFactor2 | changeFactor2Page |
418
+ * | POST | /changefactor2 | | next, required, factor2 | next, required, allowedFactor2 | changeFactor2Page |
419
+ * | POST | /api/changefactor2 | | factor2 | | |
420
+ * | GET | /configurefactor2 | | next | next, (userData from authenticator) | configureFactor2Page |
421
+ * | POST | /configurefactor2 | | next, otp, token, (any) | next, (userData from authenticator) | configureFactor2Page |
422
+ * | GET | /api/configurefactor2 | | | (userData from authenticator) | |
423
+ * | POST | /api/configurefactor2 | | otp, token, (any) | emailVerificationNeeded | |
424
+ * | GET | /updateuser | | | user, allowedFactor2 | updatePasswordPage |
425
+ * | POST | /updateuser | | user_* | message, user_*, allowedFactor2 | updatePasswordPage |
426
+ * | POST | /api/updateuser | | user_* | emailVerificationRequired | |
427
+ * | GET | /deleteuser | | next | next, isAdmin, user | deleteUserPAge |
428
+ * | POST | /deleteuser | | next | message, next, isAdmin, userid | deleteUserPAge |
429
+ * | POST | /api/deleteuser | | | | |
430
+ * | GET | /requestpasswordreset | | next, required | next, required | requestPasswordResetPage |
431
+ * | POST | /requestpasswordreset | | email, next, required | next, required, email, message | requestPasswordResetPage |
432
+ * | POST | /api/requestpasswordreset | | email | | |
433
+ * | GET | /resetpassword | token | | token | resetPasswordPage |
434
+ * | POST | /resetpassword | | token | token, message | resetPasswordPage |
435
+ * | POST | /api/resetpassword | | token | | |
436
+ * | GET | /verifyemail | token | user | | emailVerifiedPage |
437
+ * | GET | /api/verifyemail | token | | | |
438
+ * | GET | /api/userforsessionkey | | | | |
439
+ * | GET | /api/getcsrftoken | | | | |
440
+ * | GET | /selectclient | | next, search, skip, take, haveNext, havePrevious | next, search, skip, take, haveNext, havePrevious, user, clients, isAdmin | selectClient |
441
+ * | GET | /createclient | | next | next, validFLows, flowNames, user, isAdmin | createClientPage |
442
+ * | POST | /createclient | | next, client_name, confidential, redirect_uris, (flows) | message, client, next, validFLows, flowNames, user, isAdmin | createClientPage |
443
+ * | POST | /api/createclient | | client_name, confidential, redirect_uris, (flows) | client | |
444
+ * | GET | /updateclient | client_id | next | next, validFLows, flowNames, selectedFlows, redirect_uris, client_id, client_name, user, isAdmin | updateClientPage |
445
+ * | POST | /updateclient | client_id | next, client_name, confidential, redirect_uris, (flows), resetSecret | message, next, validFLows, flowNames, selectedFlows, redirect_uris, client_id, client_name, user, isAdmin | updateClientPage |
446
+ * | POST | /api/updateclient | client_id | client_name, confidential, redirect_uris, (flows), resetSecret | client, newSecret | |
447
+ * | GET | /deleteclient | client_id | next, backUrl | next, backUrl, client | deleteClientPage |
448
+ * | POST | /deleteclient | client_id | next | message, next, client_id | deleteClientPage |
449
+ * | POST | /api/deleteclient | client_id | | | |
450
+ *
451
+ * ** Admin Endpoints **
452
+ *
453
+ * For administrator endpoints, see {@link FastifyAdminEndpoints}
454
+ *
455
+ * ** Endpoints requiring 2FA **
456
+ *
457
+ * Endpoints listed in `factor2ProtectedPageEndpoints` and
458
+ * `factor2ProtectedApiEndpoints` require the second factor to be entered again,
459
+ * if 2FA is enabled for the user. For page endpoints, the user will
460
+ * be redirected to the page for entering the second factor.
461
+ *
462
+ * For API endpoints., the response will be
463
+ * `{"ok": true, "factor2Reqiored': true}`. The user should then make a POST
464
+ * request to the same endpoint but with the 2FA field in the body instead
465
+ * of the original request body, eg `{"otp": 123456}`. If the factor is
466
+ * valid, the JSON data from the original post will be submittd.
467
+ *
468
+ * ** Creating and updating users **
469
+ *
470
+ * If you have fields other than `id`, `username` and `password` in your user
471
+ * table, add them in
472
+ * `extraFields` when you create your {@link UserStorage} object. In your
473
+ * signup and user update pages
474
+ * (`signupPage`, `updateUserPage`), prefix these with `user_` in field names
475
+ * and they will be passed
476
+ * into the user object when processing the form. If there is an error
477
+ * processing the form, they will
478
+ * be back as psot parameters, again prefixed with `user_`.
479
+ *
480
+ * **Using your own Fastify app**
481
+ *
482
+ * If you are serving other endpoints, or you want to use something other than
483
+ * Nunjucks, you can create
484
+ * and pass in your own Fastify app.
485
+ */
486
+ export declare class FastifySessionServer implements FastifySessionAdapter {
487
+ /**
488
+ * The Fastify app taken from constructor args.
489
+ * See {@link FastifySessionServer.constructor}.
490
+ */
491
+ readonly app: FastifyInstance<Server, IncomingMessage, ServerResponse>;
492
+ /**
493
+ * The prefix taken from the options during
494
+ * construction or the default value.
495
+ * See {@link FastifySessionServerOptions}.
496
+ */
497
+ readonly prefix: string;
498
+ /**
499
+ * THe URL for the login page. Taken from the options during
500
+ * construction or the default value.
501
+ * See {@link FastifySessionServerOptions}.
502
+ */
503
+ readonly loginUrl: string;
504
+ /**
505
+ * THe default URL to redirect to after login. Taken from the options during
506
+ * construction or the default value.
507
+ * See {@link FastifySessionServerOptions}.
508
+ */
509
+ loginRedirect: string;
510
+ /**
511
+ * THe default URL to redirect to after logout. Taken from the options during
512
+ * construction or the default value.
513
+ * See {@link FastifySessionServerOptions}.
514
+ */
515
+ logoutRedirect: string;
516
+ /**
517
+ * The page to show on error. Taken from the options during
518
+ * construction or the default value.
519
+ * See {@link FastifySessionServerOptions}.
520
+ */
521
+ readonly errorPage: string;
522
+ /**
523
+ * Funtion to validate users upon creation. Taken from the options during
524
+ * construction or the default value.
525
+ * See {@link FastifySessionServerOptions}.
526
+ */
527
+ validateUserFn: (user: UserInputFields) => string[];
528
+ /**
529
+ * Funtion to create a user record from form fields. Taken from the options during
530
+ * construction or the default value.
531
+ * See {@link FastifySessionServerOptions}.
532
+ */
533
+ createUserFn: (request: FastifyRequest<{
534
+ Body: SignupBodyType;
535
+ }>, userEditableFields: string[]) => UserInputFields;
536
+ /**
537
+ * Funtion to update a user record from form fields. Taken from the options during
538
+ * construction or the default value.
539
+ * See {@link FastifySessionServerOptions}.
540
+ */
541
+ updateUserFn: (user: User, request: FastifyRequest<{
542
+ Body: UpdateUserBodyType;
543
+ }>, userEditableFields: string[]) => User;
544
+ /**
545
+ * User storage taken from constructor args.
546
+ * See {@link FastifySessionServer.constructor}.
547
+ */
548
+ readonly userStorage?: UserStorage;
549
+ /**
550
+ * The set of authenticators taken from constructor args.
551
+ * See {@link FastifySessionServer.constructor}.
552
+ */
553
+ readonly authenticators: {
554
+ [key: string]: Authenticator;
555
+ };
556
+ /**
557
+ * The set of allowed authenticators taken from the options during
558
+ * construction.
559
+ */
560
+ readonly allowedFactor2: string[];
561
+ /**
562
+ * Session manager that was created from options during construction.
563
+ */
564
+ readonly sessionManager: SessionManager;
565
+ private endpoints;
566
+ private signupPage;
567
+ private loginPage;
568
+ private factor2Page;
569
+ private configureFactor2Page;
570
+ private addToSession?;
571
+ private validateSession?;
572
+ private userEndpoints;
573
+ private adminEndpoints;
574
+ private adminClientEndpoints?;
575
+ private userClientEndpoints?;
576
+ private enableEmailVerification;
577
+ private enablePasswordReset;
578
+ private enableAdminEndpoints?;
579
+ private enableOAuthClientManagement?;
580
+ private factor2ProtectedPageEndpoints;
581
+ private factor2ProtectedApiEndpoints;
582
+ private editUserScope?;
583
+ readonly enableCsrfProtection = true;
584
+ /**
585
+ * Constructor
586
+ *
587
+ * @param app the Fastify app
588
+ * @param keyStorage where session IDs are stored
589
+ * @param authenticators list of authenticators
590
+ * @param options See {@link FastifySessionServerOptions}.
591
+ */
592
+ constructor(app: FastifyInstance<Server, IncomingMessage, ServerResponse>, keyStorage: KeyStorage, authenticators: {
593
+ [key: string]: Authenticator;
594
+ }, options?: FastifySessionServerOptions);
595
+ /**
596
+ * Adds all endpoints enabled in the options passed to the constructor.
597
+ */
598
+ addEndpoints(): void;
599
+ private addLoginEndpoints;
600
+ private addLoginFactor2Endpoints;
601
+ private addFactor2Endpoints;
602
+ private addSignupEndpoints;
603
+ private addLogoutEndpoints;
604
+ private addApiLoginEndpoints;
605
+ private addApiCancelFactor2Endpoints;
606
+ private addApiLoginFactor2Endpoints;
607
+ private addApiLogoutEndpoints;
608
+ private addApiSignupEndpoints;
609
+ private addApiUserForSessionKeyEndpoints;
610
+ private addApiGetCsrfTokenEndpoints;
611
+ private login;
612
+ private loginFactor2;
613
+ private cancelFactor2;
614
+ /**
615
+ * This is called after the user has been validated to log the user in
616
+ */
617
+ loginWithUser(user: User, bypass2FA: boolean, request: FastifyRequest, reply: FastifyReply, successFn: (res: FastifyReply, user: User) => void): Promise<void>;
618
+ private signup;
619
+ private logout;
620
+ /**
621
+ * Creates an anonymous session, setting the `Set-Cookue` headers
622
+ * in the reply.
623
+ *
624
+ * An anonymous sessiin is a session cookie that is not associated
625
+ * with a user (`userid` is undefined). It can be used to persist
626
+ * data between sessions just like a regular user session ID.
627
+ *
628
+ * @param request the Fastify request
629
+ * @param reply the Fastify reply
630
+ * @param data session data to save
631
+ * @returns the session cookie value
632
+ */
633
+ createAnonymousSession(request: FastifyRequest, reply: FastifyReply, data?: {
634
+ [key: string]: any;
635
+ }): Promise<string>;
636
+ /**
637
+ * Called by each endpoint on error.
638
+ *
639
+ * Sanitises errors to not give too much away to the user. Logs
640
+ * the error (`error` level) and the stack trace (`debug` level).
641
+ *
642
+ * @param e the exceptioin that was thrown
643
+ * @param request the Fastify request
644
+ * @param reply the Fastify reply
645
+ * @param errorFn the error function to call to send the output to the client
646
+ * @param passwordInvalidOk if true, can report that the password is
647
+ * incorrect. If false, report that the username or password is
648
+ * incorrect. Default false.
649
+ */
650
+ handleError(e: any, request: FastifyRequest, reply: FastifyReply, errorFn: (reply: FastifyReply, error: CrossauthError) => void, passwordInvalidOk?: boolean): void;
651
+ /**
652
+ * Returns the session ID cookie value from the request
653
+ * @param request the Fastify request
654
+ * @returns the session cookie value
655
+ */
656
+ getSessionCookieValue(request: FastifyRequest): string | undefined;
657
+ /**
658
+ * Returns the CSRF token cookie value from the request
659
+ * @param request the Fastify request
660
+ * @returns the CSRF token cookie value
661
+ */
662
+ getCsrfCookieValue(request: FastifyRequest): string | undefined;
663
+ /**
664
+ * Returns a hash of the session ID. Used for logging (for security,
665
+ * the actual session ID is not logged)
666
+ * @param request the Fastify request
667
+ * @returns hash of the session ID
668
+ */
669
+ getHashOfSessionId(request: FastifyRequest): string;
670
+ /**
671
+ * Returns a hash of the CSRF token cookie value. Used for logging (for security,
672
+ * the actual CSRF token is not logged)
673
+ * @param request the Fastify request
674
+ * @returns hash of the CSRF token
675
+ */
676
+ getHashOfCsrfCookie(request: FastifyRequest): string;
677
+ /**
678
+ * Returns an error if the CSRF token in the request's cookie and
679
+ * either the `csrfToken` form field or `X-CROSSAUTH-CSRF` header
680
+ * is invalid (ie, the two do not match or the signature on the
681
+ * cookie is invalid).
682
+ * @param request the Fastify request
683
+ * @returns the CSRF token cookie value if valid, undefined
684
+ * otherwise.
685
+ */
686
+ validateCsrfToken(request: FastifyRequest<{
687
+ Body: CsrfBodyType;
688
+ }>): string | undefined;
689
+ /**
690
+ * Creates and returns a new CSRF token, setting it in the reply both
691
+ * as a cookue and as a `X-CROSSAUTH-CSRF` header.
692
+ *
693
+ * To mitigate against the BREACH attack, a new CSRF token is created
694
+ * with every request by masking it with a random value.
695
+ *
696
+ * @param request the Fastify request
697
+ * @param reply the Fastify reply
698
+ * @returns the Fastiy reply
699
+ */
700
+ csrfToken(request: FastifyRequest<{
701
+ Body: CsrfBodyType;
702
+ }>, reply: FastifyReply): string | undefined;
703
+ /**
704
+ * Sends a JSON error message
705
+ * @param reply the Fastify reply
706
+ * @param status the HTTP status to return
707
+ * @param error the error string to report (overrides `e`)
708
+ * @param e the exception that was raised
709
+ * @returns the Fastify reply
710
+ */
711
+ sendJsonError(reply: FastifyReply, status: number, error?: string, e?: any): FastifyReply<import('fastify').RawServerDefault, IncomingMessage, ServerResponse<IncomingMessage>, import('fastify').RouteGenericInterface, unknown, import('fastify').FastifySchema, import('fastify').FastifyTypeProviderDefault, unknown>;
712
+ /**
713
+ * Returns an appropriate HTTP status from an exception.
714
+ *
715
+ * If the exception is of type {@link @crossauth/common!CrossauthError}
716
+ * then the status is taken from it. Otherwise 500 is returned.
717
+ * @param e the exception to try to take the status from
718
+ * @returns the HTTP status
719
+ */
720
+ errorStatus(e: any): any;
721
+ /**
722
+ * For each of the authenticators passed to the constructor, retruns
723
+ * some details about it
724
+ * @returns a vector of {@link AuthenticatorDetails} objects.
725
+ */
726
+ allowedFactor2Details(): AuthenticatorDetails[];
727
+ /** Returns whether there is a user logged in with a cookie-based session
728
+ */
729
+ isSessionUser(request: FastifyRequest): boolean;
730
+ /**
731
+ * A user can edit his or her account if they are logged in with
732
+ * session management, or are logged in with some other means and
733
+ * e`ditUserScope` has been set and is included in the user's scopes.
734
+ * @param request the Fastify request
735
+ * @returns true or false
736
+ */
737
+ canEditUser(request: FastifyRequest): boolean | "" | undefined;
738
+ csrfProtectionEnabled(): boolean;
739
+ getCsrfToken(request: FastifyRequest): string | undefined;
740
+ getUser(request: FastifyRequest): User | undefined;
741
+ /**
742
+ * Updates a field in the session data in the key storage record,
743
+ *
744
+ * The `data` field is assumed to be JSON. Just the field with the given
745
+ * name is updated and the rest is unchanged.
746
+ * @param request the Fastifdy request
747
+ * @param name the field within `data` to update
748
+ * @param value the value to set it to
749
+ */
750
+ updateSessionData(request: FastifyRequest, name: string, value: any): Promise<void>;
751
+ updateManySessionData(request: FastifyRequest, dataArray: {
752
+ dataName: string;
753
+ value: any;
754
+ }[]): Promise<void>;
755
+ /**
756
+ * Deletes a field from the session data in the key storage record,
757
+ *
758
+ * The `data` field is assumed to be JSON. Just the field with the given
759
+ * name is updated and the rest is unchanged.
760
+ * @param request the Fastifdy request
761
+ * @param name the field within `data` to update
762
+ */
763
+ deleteSessionData(request: FastifyRequest, name: string): Promise<void>;
764
+ getSessionData(request: FastifyRequest, name: string): Promise<{
765
+ [key: string]: any;
766
+ } | undefined>;
767
+ }