@crossauth/fastify 0.0.29 → 0.0.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/fastifyoauthclient.d.ts +3 -0
- package/dist/fastifyresserver.d.ts +2 -0
- package/dist/index.cjs +2 -2
- package/dist/index.js +336 -308
- package/package.json +3 -3
package/dist/index.js
@@ -1,17 +1,17 @@
|
|
|
1
1
|
var ke = Object.defineProperty;
|
|
2
|
-
var Pe = (
|
|
3
|
-
var u = (
|
|
2
|
+
var Pe = (S, e, o) => e in S ? ke(S, e, { enumerable: !0, configurable: !0, writable: !0, value: o }) : S[e] = o;
|
|
3
|
+
var u = (S, e, o) => Pe(S, typeof e != "symbol" ? e + "" : e, o);
|
|
4
4
|
import Ee from "fastify";
|
|
5
5
|
import Te from "@fastify/view";
|
|
6
|
-
import
|
|
7
|
-
import
|
|
6
|
+
import be from "@fastify/formbody";
|
|
7
|
+
import ye from "@fastify/cors";
|
|
8
8
|
import _e from "@fastify/cookie";
|
|
9
9
|
import ue from "nunjucks";
|
|
10
|
-
import { setParameter as
|
|
10
|
+
import { setParameter as C, ParamType as k, Crypto as F, TokenEmailer as xe, OAuthClientManager as L, SessionManager as Ae, ApiKeyManager as Y, KeyStorage as Fe, OAuthAuthorizationServer as Ne, DoubleSubmitCsrfToken as Ue, OAuthClientBackend as Oe, OAuthResourceServer as Ie, OAuthTokenConsumer as Me } from "@crossauth/backend";
|
|
11
11
|
import { CrossauthLogger as d, j as c, CrossauthError as l, ErrorCode as g, UserState as O, OAuthFlows as E } from "@crossauth/common";
|
|
12
12
|
import { jwtDecode as J } from "jwt-decode";
|
|
13
13
|
import Re from "qrcode";
|
|
14
|
-
const
|
|
14
|
+
const U = ["Content-Type", "application/json; charset=utf-8"];
|
|
15
15
|
class De {
|
|
16
16
|
/**
|
|
17
17
|
* Constructor.
|
|
@@ -38,7 +38,7 @@ class De {
|
|
|
38
38
|
u(this, "emailVerifiedPage", "emailverified.njk");
|
|
39
39
|
u(this, "signupPage", "signup.njk");
|
|
40
40
|
u(this, "deleteUserPage", "deleteuser.njk");
|
|
41
|
-
this.sessionServer = e,
|
|
41
|
+
this.sessionServer = e, C("prefix", k.String, this, o, "PREFIX"), C("enableEmailVerification", k.Boolean, this, o, "ENABLE_EMAIL_VERIFICATION"), C("enablePasswordReset", k.Boolean, this, o, "ENABLE_PASSWORD_RESET"), C("updateUserPage", k.String, this, o, "UPDATE_USER_PAGE"), C("changeFactor2Page", k.String, this, o, "CHANGE_FACTOR2_PAGE"), C("configureFactor2Page", k.String, this, o, "SIGNUP_FACTOR2_PAGE"), C("changePasswordPage", k.String, this, o, "CHANGE_PASSWORD_PAGE"), C("resetPasswordPage", k.String, this, o, "RESET_PASSWORD_PAGE"), C("requestPasswordResetPage", k.String, this, o, "REQUEST_PASSWORD_RESET_PAGE"), C("emailVerifiedPage", k.String, this, o, "EMAIL_VERIFIED_PAGE"), C("signupPage", k.String, this, o, "SIGNUP_PAGE"), C("deleteUserPage", k.String, this, o, "DELETE_USER_PAGE");
|
|
42
42
|
}
|
|
43
43
|
//////////////////////////////////////////////////////////////////
|
|
44
44
|
// Endpoints
|
|
@@ -57,7 +57,7 @@ class De {
|
|
|
57
57
|
ip: e.ip,
|
|
58
58
|
user: (r = e.user) == null ? void 0 : r.username
|
|
59
59
|
})), !e.user || !this.sessionServer.canEditUser(e))
|
|
60
|
-
return
|
|
60
|
+
return b.sendPageError(
|
|
61
61
|
o,
|
|
62
62
|
401,
|
|
63
63
|
this.sessionServer.errorPage
|
|
@@ -82,7 +82,7 @@ class De {
|
|
|
82
82
|
url: this.prefix + "updateuser",
|
|
83
83
|
ip: e.ip,
|
|
84
84
|
user: (r = e.user) == null ? void 0 : r.username
|
|
85
|
-
})), !this.sessionServer.canEditUser(e)) return
|
|
85
|
+
})), !this.sessionServer.canEditUser(e)) return b.sendPageError(
|
|
86
86
|
o,
|
|
87
87
|
401,
|
|
88
88
|
this.sessionServer.errorPage
|
|
@@ -144,7 +144,7 @@ class De {
|
|
|
144
144
|
return await this.updateUser(
|
|
145
145
|
e,
|
|
146
146
|
o,
|
|
147
|
-
(i, n, t) => i.header(...
|
|
147
|
+
(i, n, t) => i.header(...U).send({
|
|
148
148
|
ok: !0,
|
|
149
149
|
emailVerificationRequired: t
|
|
150
150
|
})
|
|
@@ -157,7 +157,7 @@ class De {
|
|
|
157
157
|
errorCodeName: n.codeName,
|
|
158
158
|
errorCode: n.code
|
|
159
159
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => {
|
|
160
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
160
|
+
t.status(this.sessionServer.errorStatus(i)).header(...U).send({
|
|
161
161
|
ok: !1,
|
|
162
162
|
errorMessage: a.message,
|
|
163
163
|
errorMessages: a.messages,
|
|
@@ -186,7 +186,7 @@ class De {
|
|
|
186
186
|
})), !this.sessionServer.isSessionUser(e) || !e.user) {
|
|
187
187
|
const n = await this.sessionServer.getSessionData(e, "factor2change");
|
|
188
188
|
if (!(n != null && n.username) && !this.sessionServer.isSessionUser(e))
|
|
189
|
-
return
|
|
189
|
+
return b.sendPageError(
|
|
190
190
|
o,
|
|
191
191
|
401,
|
|
192
192
|
this.sessionServer.errorPage
|
|
@@ -215,7 +215,7 @@ class De {
|
|
|
215
215
|
})), !this.sessionServer.isSessionUser(e) || !e.user) {
|
|
216
216
|
const i = await this.sessionServer.getSessionData(e, "factor2change");
|
|
217
217
|
if (!(i != null && i.username) && !this.sessionServer.isSessionUser(e))
|
|
218
|
-
return
|
|
218
|
+
return b.sendPageError(
|
|
219
219
|
o,
|
|
220
220
|
401,
|
|
221
221
|
this.sessionServer.errorPage
|
|
@@ -280,7 +280,7 @@ class De {
|
|
|
280
280
|
return await this.changeFactor2(
|
|
281
281
|
e,
|
|
282
282
|
o,
|
|
283
|
-
(i, n, t) => i.header(...
|
|
283
|
+
(i, n, t) => i.header(...U).send({
|
|
284
284
|
ok: !0,
|
|
285
285
|
...n.userData
|
|
286
286
|
})
|
|
@@ -292,7 +292,7 @@ class De {
|
|
|
292
292
|
user: (s = e.user) == null ? void 0 : s.username,
|
|
293
293
|
errorCodeName: n.codeName,
|
|
294
294
|
errorCode: n.code
|
|
295
|
-
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...
|
|
295
|
+
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...U).send({
|
|
296
296
|
ok: !1,
|
|
297
297
|
errorMessage: a.message,
|
|
298
298
|
errorMessages: a.messages,
|
|
@@ -320,7 +320,7 @@ class De {
|
|
|
320
320
|
})), !this.sessionServer.isSessionUser(e) || !e.user) {
|
|
321
321
|
const i = await this.sessionServer.getSessionData(e, "passwordchange");
|
|
322
322
|
if ((i == null ? void 0 : i.username) == null && !this.sessionServer.isSessionUser(e))
|
|
323
|
-
return
|
|
323
|
+
return b.sendPageError(
|
|
324
324
|
o,
|
|
325
325
|
401,
|
|
326
326
|
this.sessionServer.errorPage
|
|
@@ -397,7 +397,7 @@ class De {
|
|
|
397
397
|
return await this.changePassword(
|
|
398
398
|
e,
|
|
399
399
|
o,
|
|
400
|
-
(i, n) => i.header(...
|
|
400
|
+
(i, n) => i.header(...U).send({
|
|
401
401
|
ok: !0
|
|
402
402
|
})
|
|
403
403
|
);
|
|
@@ -408,7 +408,7 @@ class De {
|
|
|
408
408
|
user: (s = e.user) == null ? void 0 : s.username,
|
|
409
409
|
errorCodeName: n.codeName,
|
|
410
410
|
errorCode: n.code
|
|
411
|
-
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...
|
|
411
|
+
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => t.status(this.sessionServer.errorStatus(i)).header(...U).send({
|
|
412
412
|
ok: !1,
|
|
413
413
|
errorMessage: a.message,
|
|
414
414
|
errorMessages: a.messages,
|
|
@@ -542,7 +542,7 @@ class De {
|
|
|
542
542
|
return await this.reconfigureFactor2(
|
|
543
543
|
o,
|
|
544
544
|
r,
|
|
545
|
-
(i, n, t) => i.header(...
|
|
545
|
+
(i, n, t) => i.header(...U).send({
|
|
546
546
|
ok: !0,
|
|
547
547
|
...n
|
|
548
548
|
})
|
|
@@ -555,7 +555,7 @@ class De {
|
|
|
555
555
|
errorCodeName: n.codeName,
|
|
556
556
|
errorCode: n.code
|
|
557
557
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, o, r, (t, a) => {
|
|
558
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
558
|
+
t.status(this.sessionServer.errorStatus(i)).header(...U).send({
|
|
559
559
|
ok: !1,
|
|
560
560
|
errorMessage: a.message,
|
|
561
561
|
errorMessages: a.messages,
|
|
@@ -584,7 +584,7 @@ class De {
|
|
|
584
584
|
ok: !0,
|
|
585
585
|
user: n
|
|
586
586
|
};
|
|
587
|
-
return this.sessionServer.isSessionUser(o) || (t.emailVerificationNeeded = this.enableEmailVerification), i.header(...
|
|
587
|
+
return this.sessionServer.isSessionUser(o) || (t.emailVerificationNeeded = this.enableEmailVerification), i.header(...U).send(t);
|
|
588
588
|
}
|
|
589
589
|
);
|
|
590
590
|
} catch (i) {
|
|
@@ -595,7 +595,7 @@ class De {
|
|
|
595
595
|
errorCodeName: n.codeName,
|
|
596
596
|
errorCode: n.code
|
|
597
597
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, o, r, (t, a) => {
|
|
598
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
598
|
+
t.status(this.sessionServer.errorStatus(i)).header(...U).send({
|
|
599
599
|
ok: !1,
|
|
600
600
|
errorMessage: a.message,
|
|
601
601
|
errorMessages: a.messages,
|
|
@@ -686,7 +686,7 @@ class De {
|
|
|
686
686
|
return await this.requestPasswordReset(
|
|
687
687
|
e,
|
|
688
688
|
o,
|
|
689
|
-
(r, s) => r.header(...
|
|
689
|
+
(r, s) => r.header(...U).send({
|
|
690
690
|
ok: !0
|
|
691
691
|
})
|
|
692
692
|
);
|
|
@@ -698,7 +698,7 @@ class De {
|
|
|
698
698
|
errorCodeName: s.codeName,
|
|
699
699
|
errorCode: s.code
|
|
700
700
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => {
|
|
701
|
-
i.status(this.sessionServer.errorStatus(r)).header(...
|
|
701
|
+
i.status(this.sessionServer.errorStatus(r)).header(...U).send({
|
|
702
702
|
ok: !1,
|
|
703
703
|
errorMessage: n.message,
|
|
704
704
|
errorMessages: n.messages,
|
|
@@ -794,7 +794,7 @@ class De {
|
|
|
794
794
|
return await this.resetPassword(
|
|
795
795
|
e,
|
|
796
796
|
o,
|
|
797
|
-
(r, s) => r.header(...
|
|
797
|
+
(r, s) => r.header(...U).send({
|
|
798
798
|
ok: !0
|
|
799
799
|
})
|
|
800
800
|
);
|
|
@@ -806,7 +806,7 @@ class De {
|
|
|
806
806
|
errorCodeName: s.codeName,
|
|
807
807
|
errorCode: s.code
|
|
808
808
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => {
|
|
809
|
-
i.status(this.sessionServer.errorStatus(r)).header(...
|
|
809
|
+
i.status(this.sessionServer.errorStatus(r)).header(...U).send({
|
|
810
810
|
ok: !1,
|
|
811
811
|
errorMessage: n.message,
|
|
812
812
|
errorMessages: n.messages,
|
|
@@ -875,7 +875,7 @@ class De {
|
|
|
875
875
|
return await this.verifyEmail(
|
|
876
876
|
e,
|
|
877
877
|
o,
|
|
878
|
-
(r, s) => r.header(...
|
|
878
|
+
(r, s) => r.header(...U).send({
|
|
879
879
|
ok: !0,
|
|
880
880
|
user: s
|
|
881
881
|
})
|
|
@@ -888,7 +888,7 @@ class De {
|
|
|
888
888
|
errorCodeName: s.codeName,
|
|
889
889
|
errorCode: s.code
|
|
890
890
|
})), d.logger.debug(c({ err: r })), this.sessionServer.handleError(r, e, o, (i, n) => {
|
|
891
|
-
i.status(this.sessionServer.errorStatus(r)).header(...
|
|
891
|
+
i.status(this.sessionServer.errorStatus(r)).header(...U).send({
|
|
892
892
|
ok: !1,
|
|
893
893
|
errorMessage: n.message,
|
|
894
894
|
errorMessages: n.messages,
|
|
@@ -1008,14 +1008,14 @@ class De {
|
|
|
1008
1008
|
ip: e.ip,
|
|
1009
1009
|
user: (r = e.user) == null ? void 0 : r.username
|
|
1010
1010
|
})), !e.user)
|
|
1011
|
-
return o.status(401).header(...
|
|
1011
|
+
return o.status(401).header(...U).send({ ok: !1 });
|
|
1012
1012
|
try {
|
|
1013
1013
|
return await this.deleteUser(
|
|
1014
1014
|
e,
|
|
1015
1015
|
o,
|
|
1016
1016
|
(i) => {
|
|
1017
1017
|
var n;
|
|
1018
|
-
return i.header(...
|
|
1018
|
+
return i.header(...U).send({
|
|
1019
1019
|
ok: !0,
|
|
1020
1020
|
userid: (n = e.user) == null ? void 0 : n.id
|
|
1021
1021
|
});
|
|
@@ -1029,7 +1029,7 @@ class De {
|
|
|
1029
1029
|
errorCodeName: n.codeName,
|
|
1030
1030
|
errorCode: n.code
|
|
1031
1031
|
})), d.logger.debug(c({ err: i })), this.sessionServer.handleError(i, e, o, (t, a) => {
|
|
1032
|
-
t.status(this.sessionServer.errorStatus(i)).header(...
|
|
1032
|
+
t.status(this.sessionServer.errorStatus(i)).header(...U).send({
|
|
1033
1033
|
ok: !1,
|
|
1034
1034
|
errorMessage: a.message,
|
|
1035
1035
|
errorMessages: a.messages,
|
|
@@ -1257,17 +1257,17 @@ class De {
|
|
|
1257
1257
|
return await this.sessionServer.userStorage.deleteUserById(e.user.id), r(o);
|
|
1258
1258
|
}
|
|
1259
1259
|
}
|
|
1260
|
-
async function ze(
|
|
1260
|
+
async function ze(S, e) {
|
|
1261
1261
|
let o = [];
|
|
1262
1262
|
try {
|
|
1263
|
-
const { user: r } = await e.getUserByUsername(
|
|
1263
|
+
const { user: r } = await e.getUserByUsername(S);
|
|
1264
1264
|
o.push(r);
|
|
1265
1265
|
} catch (r) {
|
|
1266
1266
|
const s = l.asCrossauthError(r);
|
|
1267
1267
|
if (s.code != g.UserNotExist)
|
|
1268
1268
|
throw d.logger.debug(c({ err: s })), s;
|
|
1269
1269
|
try {
|
|
1270
|
-
const { user: i } = await e.getUserByEmail(
|
|
1270
|
+
const { user: i } = await e.getUserByEmail(S);
|
|
1271
1271
|
o.push(i);
|
|
1272
1272
|
} catch (i) {
|
|
1273
1273
|
const n = l.asCrossauthError(i);
|
|
@@ -1290,7 +1290,7 @@ class He {
|
|
|
1290
1290
|
u(this, "adminUpdateUserPage", "admin/updateuser.njk");
|
|
1291
1291
|
u(this, "adminChangePasswordPage", "admin/changepassword.njk");
|
|
1292
1292
|
u(this, "deleteUserPage", "deleteuser.njk");
|
|
1293
|
-
this.sessionServer = e,
|
|
1293
|
+
this.sessionServer = e, C("adminPrefix", k.String, this, o, "ADMIN_PREFIX"), C("adminCreateUserPage", k.String, this, o, "ADMIN_CREATE_USER_PAGE"), C("adminSelectUserPage", k.String, this, o, "ADMIN_SELECT_USER_PAGE"), C("adminUpdateUserPage", k.String, this, o, "ADMIN_UPDATE_USER_PAGE"), C("adminChangePasswordPage", k.String, this, o, "ADMIN_CHANGE_PASSWORD_PAGE"), C("enableOAuthClientManagement", k.Boolean, this, o, "ENABLE_OAUTH_CLIENT_MANAGEMENT"), C("deleteUserPage", k.String, this, o, "DELETE_USER_PAGE"), this.adminPrefix.endsWith("/") || (this.adminPrefix += "/"), this.adminPrefix.startsWith("/") || "" + this.adminPrefix, o.userSearchFn && (this.userSearchFn = o.userSearchFn);
|
|
1294
1294
|
}
|
|
1295
1295
|
///////////////////////////////////////////////////////////////////
|
|
1296
1296
|
// Endpoints
|
|
@@ -1306,7 +1306,7 @@ class He {
|
|
|
1306
1306
|
method: "GET",
|
|
1307
1307
|
url: this.adminPrefix + "createuser",
|
|
1308
1308
|
ip: e.ip
|
|
1309
|
-
})), !(e != null && e.user) || !
|
|
1309
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
1310
1310
|
return this.accessDeniedPage(e, o);
|
|
1311
1311
|
let r = {
|
|
1312
1312
|
urlPrefix: this.adminPrefix,
|
|
@@ -1417,7 +1417,7 @@ class He {
|
|
|
1417
1417
|
method: "GET",
|
|
1418
1418
|
url: this.adminPrefix + "selectuser",
|
|
1419
1419
|
ip: e.ip
|
|
1420
|
-
})), !(e != null && e.user) || !
|
|
1420
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
1421
1421
|
return this.accessDeniedPage(e, o);
|
|
1422
1422
|
try {
|
|
1423
1423
|
let r = [], s = Number(e.query.skip), i = Number(e.query.take);
|
|
@@ -1439,7 +1439,7 @@ class He {
|
|
|
1439
1439
|
return e.query.next && (n.next = e.query.next), o.view(this.adminSelectUserPage, n);
|
|
1440
1440
|
} catch (r) {
|
|
1441
1441
|
const s = l.asCrossauthError(r);
|
|
1442
|
-
return d.logger.error(c({ err: r })),
|
|
1442
|
+
return d.logger.error(c({ err: r })), b.sendPageError(
|
|
1443
1443
|
o,
|
|
1444
1444
|
s.httpStatus,
|
|
1445
1445
|
this.sessionServer.errorPage,
|
|
@@ -1463,7 +1463,7 @@ class He {
|
|
|
1463
1463
|
method: "GET",
|
|
1464
1464
|
url: this.adminPrefix + "updateuser",
|
|
1465
1465
|
ip: e.ip
|
|
1466
|
-
})), !(e != null && e.user) || !
|
|
1466
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
1467
1467
|
return this.accessDeniedPage(e, o);
|
|
1468
1468
|
try {
|
|
1469
1469
|
const { user: r } = await this.sessionServer.userStorage.getUserById(e.params.id);
|
|
@@ -1477,7 +1477,7 @@ class He {
|
|
|
1477
1477
|
return o.view(this.adminUpdateUserPage, s);
|
|
1478
1478
|
} catch (r) {
|
|
1479
1479
|
const s = l.asCrossauthError(r);
|
|
1480
|
-
return d.logger.error(c({ err: r })),
|
|
1480
|
+
return d.logger.error(c({ err: r })), b.sendPageError(
|
|
1481
1481
|
o,
|
|
1482
1482
|
s.httpStatus,
|
|
1483
1483
|
this.sessionServer.errorPage,
|
|
@@ -1496,7 +1496,7 @@ class He {
|
|
|
1496
1496
|
url: this.adminPrefix + "updateuser",
|
|
1497
1497
|
ip: e.ip,
|
|
1498
1498
|
user: (s = e.user) == null ? void 0 : s.username
|
|
1499
|
-
})), !this.sessionServer.canEditUser(e)) return
|
|
1499
|
+
})), !this.sessionServer.canEditUser(e)) return b.sendPageError(
|
|
1500
1500
|
o,
|
|
1501
1501
|
401,
|
|
1502
1502
|
this.sessionServer.errorPage
|
|
@@ -1531,7 +1531,7 @@ class He {
|
|
|
1531
1531
|
urlPrefix: this.adminPrefix,
|
|
1532
1532
|
allowedFactor2: this.sessionServer.allowedFactor2Details(),
|
|
1533
1533
|
...e.body
|
|
1534
|
-
}) :
|
|
1534
|
+
}) : b.sendPageError(
|
|
1535
1535
|
t,
|
|
1536
1536
|
n.httpStatus,
|
|
1537
1537
|
this.sessionServer.errorPage,
|
|
@@ -1556,7 +1556,7 @@ class He {
|
|
|
1556
1556
|
ip: e.ip
|
|
1557
1557
|
}));
|
|
1558
1558
|
let r;
|
|
1559
|
-
if (!(e != null && e.user) || !
|
|
1559
|
+
if (!(e != null && e.user) || !b.isAdmin(e.user))
|
|
1560
1560
|
return this.accessDeniedPage(e, o);
|
|
1561
1561
|
try {
|
|
1562
1562
|
if (!this.sessionServer.userStorage) throw new l(g.Configuration, "Cannot call deleteuser unless a user storage is provided");
|
|
@@ -1644,7 +1644,7 @@ class He {
|
|
|
1644
1644
|
url: this.adminPrefix + "api/updateuser",
|
|
1645
1645
|
ip: e.ip,
|
|
1646
1646
|
user: (s = e.user) == null ? void 0 : s.username
|
|
1647
|
-
})), !e.user || !
|
|
1647
|
+
})), !e.user || !b.isAdmin(e.user))
|
|
1648
1648
|
return this.sessionServer.sendJsonError(o, 401);
|
|
1649
1649
|
let r;
|
|
1650
1650
|
try {
|
|
@@ -1694,7 +1694,7 @@ class He {
|
|
|
1694
1694
|
url: this.adminPrefix + "changepassword",
|
|
1695
1695
|
ip: e.ip,
|
|
1696
1696
|
user: (r = e.user) == null ? void 0 : r.username
|
|
1697
|
-
})), !(e != null && e.user) || !
|
|
1697
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
1698
1698
|
return this.accessDeniedPage(e, o);
|
|
1699
1699
|
try {
|
|
1700
1700
|
const { user: s } = await this.sessionServer.userStorage.getUserById(e.params.id);
|
|
@@ -1706,7 +1706,7 @@ class He {
|
|
|
1706
1706
|
return o.view(this.adminChangePasswordPage, i);
|
|
1707
1707
|
} catch (s) {
|
|
1708
1708
|
const i = l.asCrossauthError(s);
|
|
1709
|
-
return d.logger.error(c({ err: s })),
|
|
1709
|
+
return d.logger.error(c({ err: s })), b.sendPageError(
|
|
1710
1710
|
o,
|
|
1711
1711
|
i.httpStatus,
|
|
1712
1712
|
this.sessionServer.errorPage,
|
|
@@ -1776,7 +1776,7 @@ class He {
|
|
|
1776
1776
|
url: this.adminPrefix + "api/changepassword",
|
|
1777
1777
|
ip: e.ip,
|
|
1778
1778
|
user: (s = e.user) == null ? void 0 : s.username
|
|
1779
|
-
})), !e.user || !
|
|
1779
|
+
})), !e.user || !b.isAdmin(e.user))
|
|
1780
1780
|
return this.sessionServer.sendJsonError(o, 401);
|
|
1781
1781
|
let r;
|
|
1782
1782
|
try {
|
|
@@ -1859,7 +1859,7 @@ class He {
|
|
|
1859
1859
|
if (!this.sessionServer.userStorage) throw new l(g.Configuration, "Cannot call createUser unless a user storage is provided");
|
|
1860
1860
|
if (this.sessionServer.isSessionUser(e) && !e.csrfToken)
|
|
1861
1861
|
throw new l(g.InvalidCsrf);
|
|
1862
|
-
if (!e.user || !
|
|
1862
|
+
if (!e.user || !b.isAdmin(e.user))
|
|
1863
1863
|
throw new l(g.InsufficientPriviledges);
|
|
1864
1864
|
if (e.body.factor2 || (e.body.factor2 = this.sessionServer.allowedFactor2[0]), e.body.factor2 && !this.sessionServer.allowedFactor2.includes(e.body.factor2 ?? "none"))
|
|
1865
1865
|
throw new l(
|
|
@@ -1930,7 +1930,7 @@ class He {
|
|
|
1930
1930
|
}
|
|
1931
1931
|
async updateUser(e, o, r, s) {
|
|
1932
1932
|
if (!this.sessionServer.userStorage) throw new l(g.Configuration, "Cannot call updateUser unless a user storage is provided");
|
|
1933
|
-
if (!o.user || !
|
|
1933
|
+
if (!o.user || !b.isAdmin(o.user))
|
|
1934
1934
|
throw new l(g.Unauthorized);
|
|
1935
1935
|
if (this.sessionServer.isSessionUser(o) && !o.csrfToken) throw new l(g.InvalidCsrf);
|
|
1936
1936
|
const i = e.factor2, n = e.state;
|
|
@@ -1961,7 +1961,7 @@ class He {
|
|
|
1961
1961
|
}
|
|
1962
1962
|
async changePassword(e, o, r, s) {
|
|
1963
1963
|
if (!this.sessionServer.userStorage) throw new l(g.Configuration, "Cannot call updateUser unless a user storage is provided");
|
|
1964
|
-
if (!o.user || !
|
|
1964
|
+
if (!o.user || !b.isAdmin(o.user))
|
|
1965
1965
|
throw new l(g.Unauthorized);
|
|
1966
1966
|
if (this.sessionServer.isSessionUser(o) && !o.csrfToken) throw new l(g.InvalidCsrf);
|
|
1967
1967
|
const i = this.sessionServer.authenticators[e.factor1], n = i.secretNames();
|
|
@@ -1987,22 +1987,22 @@ class He {
|
|
|
1987
1987
|
if (!this.sessionServer.userStorage) throw new l(g.Configuration, "Cannot call deleteUser unless a user storage is provided");
|
|
1988
1988
|
if (this.sessionServer.isSessionUser(e) && !e.csrfToken)
|
|
1989
1989
|
throw new l(g.InvalidCsrf);
|
|
1990
|
-
if (!e.user || !
|
|
1990
|
+
if (!e.user || !b.isAdmin(e.user))
|
|
1991
1991
|
throw new l(g.InsufficientPriviledges);
|
|
1992
1992
|
return await this.sessionServer.userStorage.deleteUserById(e.params.id), r(o);
|
|
1993
1993
|
}
|
|
1994
1994
|
}
|
|
1995
|
-
async function ve(
|
|
1995
|
+
async function ve(S, e, o) {
|
|
1996
1996
|
let r = [];
|
|
1997
1997
|
try {
|
|
1998
|
-
const s = await e.getClientById(
|
|
1998
|
+
const s = await e.getClientById(S);
|
|
1999
1999
|
r.push(s);
|
|
2000
2000
|
} catch (s) {
|
|
2001
2001
|
const i = l.asCrossauthError(s);
|
|
2002
2002
|
if (i.code != g.UserNotExist)
|
|
2003
2003
|
throw d.logger.debug(c({ err: i })), i;
|
|
2004
2004
|
try {
|
|
2005
|
-
r = await e.getClientByName(
|
|
2005
|
+
r = await e.getClientByName(S, o);
|
|
2006
2006
|
} catch (n) {
|
|
2007
2007
|
const t = l.asCrossauthError(n);
|
|
2008
2008
|
if (t.code != g.UserNotExist)
|
|
@@ -2029,7 +2029,7 @@ class Le {
|
|
|
2029
2029
|
g.Configuration,
|
|
2030
2030
|
"Must specify clientStorage if adding OAuth client endpoints"
|
|
2031
2031
|
);
|
|
2032
|
-
this.clientManager = new L(o), this.clientStorage = o.clientStorage,
|
|
2032
|
+
this.clientManager = new L(o), this.clientStorage = o.clientStorage, C("adminPrefix", k.String, this, o, "ADMIN_PREFIX"), C("createClientPage", k.String, this, o, "CREATE_CLIENT_PAGE"), C("updateClientPage", k.String, this, o, "UPDATE_CLIENT_PAGE"), C("selectClientPage", k.String, this, o, "SELECT_CLIENT_PAGE"), C("deleteClientPage", k.String, this, o, "DELETE_CLIENT_PAGE"), C("validFlows", k.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn);
|
|
2033
2033
|
}
|
|
2034
2034
|
///////////////////////////////////////////////////////////////////
|
|
2035
2035
|
// Endpoints
|
|
@@ -2045,7 +2045,7 @@ class Le {
|
|
|
2045
2045
|
method: "GET",
|
|
2046
2046
|
url: this.adminPrefix + "selectclient",
|
|
2047
2047
|
ip: e.ip
|
|
2048
|
-
})), !(e != null && e.user) || !
|
|
2048
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
2049
2049
|
return this.accessDeniedPage(e, o);
|
|
2050
2050
|
const r = e.query.next ?? encodeURIComponent(e.url);
|
|
2051
2051
|
try {
|
|
@@ -2079,7 +2079,7 @@ class Le {
|
|
|
2079
2079
|
return e.query.next && (h.next = e.query.next), o.view(this.selectClientPage, h);
|
|
2080
2080
|
} catch (s) {
|
|
2081
2081
|
const i = l.asCrossauthError(s);
|
|
2082
|
-
return d.logger.error(c({ err: s })),
|
|
2082
|
+
return d.logger.error(c({ err: s })), b.sendPageError(
|
|
2083
2083
|
o,
|
|
2084
2084
|
i.httpStatus,
|
|
2085
2085
|
this.sessionServer.errorPage,
|
|
@@ -2102,7 +2102,7 @@ class Le {
|
|
|
2102
2102
|
method: "GET",
|
|
2103
2103
|
url: this.adminPrefix + "createclient",
|
|
2104
2104
|
ip: e.ip
|
|
2105
|
-
})), !(e != null && e.user) || !
|
|
2105
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
2106
2106
|
return this.accessDeniedPage(e, o);
|
|
2107
2107
|
let r = e.query.next;
|
|
2108
2108
|
r || (e.query.userid ? r = this.adminPrefix + "selectuser" : r = this.adminPrefix + "selectclient");
|
|
@@ -2207,7 +2207,7 @@ class Le {
|
|
|
2207
2207
|
method: "GET",
|
|
2208
2208
|
url: this.adminPrefix + "updateclient",
|
|
2209
2209
|
ip: e.ip
|
|
2210
|
-
})), !(e != null && e.user) || !
|
|
2210
|
+
})), !(e != null && e.user) || !b.isAdmin(e.user))
|
|
2211
2211
|
return this.accessDeniedPage(e, o);
|
|
2212
2212
|
let r;
|
|
2213
2213
|
try {
|
|
@@ -2338,7 +2338,7 @@ class Le {
|
|
|
2338
2338
|
ip: e.ip
|
|
2339
2339
|
}));
|
|
2340
2340
|
let r;
|
|
2341
|
-
if (!(e != null && e.user) || !
|
|
2341
|
+
if (!(e != null && e.user) || !b.isAdmin(e.user))
|
|
2342
2342
|
return this.accessDeniedPage(e, o);
|
|
2343
2343
|
try {
|
|
2344
2344
|
r = await this.clientStorage.getClientById(e.params.client_id);
|
|
@@ -2566,7 +2566,7 @@ class Le {
|
|
|
2566
2566
|
async createClient(e, o, r, s) {
|
|
2567
2567
|
if (this.sessionServer.isSessionUser(e) && !e.csrfToken)
|
|
2568
2568
|
throw new l(g.InvalidCsrf);
|
|
2569
|
-
if (!e.user || !
|
|
2569
|
+
if (!e.user || !b.isAdmin(e.user))
|
|
2570
2570
|
throw new l(g.InsufficientPriviledges);
|
|
2571
2571
|
const i = e.body.confidential == "true", n = e.body.client_name, t = e.body.redirect_uris.trim().length == 0 ? [] : e.body.redirect_uris.trim().split(/[, ][ \t\n]*/);
|
|
2572
2572
|
let a = [];
|
|
@@ -2596,7 +2596,7 @@ class Le {
|
|
|
2596
2596
|
async updateClient(e, o, r) {
|
|
2597
2597
|
if (this.sessionServer.isSessionUser(e) && !e.csrfToken)
|
|
2598
2598
|
throw new l(g.InvalidCsrf);
|
|
2599
|
-
if (!e.user || !
|
|
2599
|
+
if (!e.user || !b.isAdmin(e.user))
|
|
2600
2600
|
throw new l(g.InsufficientPriviledges);
|
|
2601
2601
|
const s = e.body.redirect_uris.trim().length == 0 ? [] : e.body.redirect_uris.trim().split(/[, ][ \t\n]*/);
|
|
2602
2602
|
let i = [];
|
|
@@ -2626,7 +2626,7 @@ class Le {
|
|
|
2626
2626
|
async deleteClient(e, o, r) {
|
|
2627
2627
|
if (this.sessionServer.isSessionUser(e) && !e.csrfToken)
|
|
2628
2628
|
throw new l(g.InvalidCsrf);
|
|
2629
|
-
if (!e.user || !
|
|
2629
|
+
if (!e.user || !b.isAdmin(e.user))
|
|
2630
2630
|
throw new l(g.InsufficientPriviledges);
|
|
2631
2631
|
return await this.clientStorage.deleteClient(e.params.client_id), r(o);
|
|
2632
2632
|
}
|
|
@@ -2654,7 +2654,7 @@ class Ge {
|
|
|
2654
2654
|
g.Configuration,
|
|
2655
2655
|
"Must specify clientStorage if adding OAuth client endpoints"
|
|
2656
2656
|
);
|
|
2657
|
-
this.clientManager = new L(o), this.clientStorage = o.clientStorage,
|
|
2657
|
+
this.clientManager = new L(o), this.clientStorage = o.clientStorage, C("prefix", k.String, this, o, "PREFIX"), C("createClientPage", k.String, this, o, "CREATE_CLIENT_PAGE"), C("updateClientPage", k.String, this, o, "UPDATE_CLIENT_PAGE"), C("selectClientPage", k.String, this, o, "SELECT_CLIENT_PAGE"), C("deleteClientPage", k.String, this, o, "DELETE_CLIENT_PAGE"), C("validFlows", k.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn);
|
|
2658
2658
|
}
|
|
2659
2659
|
///////////////////////////////////////////////////////////////////
|
|
2660
2660
|
// Endpoints
|
|
@@ -2698,7 +2698,7 @@ class Ge {
|
|
|
2698
2698
|
return e.query.next && (t.next = e.query.next), o.view(this.selectClientPage, t);
|
|
2699
2699
|
} catch (r) {
|
|
2700
2700
|
const s = l.asCrossauthError(r);
|
|
2701
|
-
return d.logger.error(c({ err: r })),
|
|
2701
|
+
return d.logger.error(c({ err: r })), b.sendPageError(
|
|
2702
2702
|
o,
|
|
2703
2703
|
s.httpStatus,
|
|
2704
2704
|
this.sessionServer.errorPage,
|
|
@@ -3323,29 +3323,29 @@ const A = ["Content-Type", "application/json; charset=utf-8"], re = [
|
|
|
3323
3323
|
...ge,
|
|
3324
3324
|
...oe
|
|
3325
3325
|
];
|
|
3326
|
-
function Ve(
|
|
3326
|
+
function Ve(S) {
|
|
3327
3327
|
let e = [];
|
|
3328
|
-
return
|
|
3328
|
+
return S.username == null ? e.push("Username must be given") : S.username.length < 2 ? e.push("Username must be at least 2 characters") : S.username.length > 254 && e.push("Username must be no longer than 254 characters"), e;
|
|
3329
3329
|
}
|
|
3330
|
-
function We(
|
|
3330
|
+
function We(S, e) {
|
|
3331
3331
|
let r = {
|
|
3332
|
-
username:
|
|
3332
|
+
username: S.body.username,
|
|
3333
3333
|
state: "active"
|
|
3334
3334
|
};
|
|
3335
|
-
const s =
|
|
3336
|
-
for (let i in
|
|
3335
|
+
const s = S.user && b.isAdmin(S.user);
|
|
3336
|
+
for (let i in S.body) {
|
|
3337
3337
|
let n = i.replace(/^user_/, "");
|
|
3338
|
-
i.startsWith("user_") && (s || e.includes(n)) && (r[n] =
|
|
3338
|
+
i.startsWith("user_") && (s || e.includes(n)) && (r[n] = S.body[i]);
|
|
3339
3339
|
}
|
|
3340
|
-
return r.factor1 = "localpassword", r.factor2 =
|
|
3340
|
+
return r.factor1 = "localpassword", r.factor2 = S.body.factor2, r;
|
|
3341
3341
|
}
|
|
3342
|
-
function Je(
|
|
3343
|
-
const r = e.user &&
|
|
3342
|
+
function Je(S, e, o) {
|
|
3343
|
+
const r = e.user && b.isAdmin(e.user);
|
|
3344
3344
|
for (let s in e.body) {
|
|
3345
3345
|
let i = s.replace(/^user_/, "");
|
|
3346
|
-
s.startsWith("user_") && (r || o.includes(i)) && (
|
|
3346
|
+
s.startsWith("user_") && (r || o.includes(i)) && (S[i] = e.body[s]);
|
|
3347
3347
|
}
|
|
3348
|
-
return
|
|
3348
|
+
return S;
|
|
3349
3349
|
}
|
|
3350
3350
|
class Ke {
|
|
3351
3351
|
/**
|
|
@@ -3460,7 +3460,7 @@ class Ke {
|
|
|
3460
3460
|
]);
|
|
3461
3461
|
u(this, "editUserScope");
|
|
3462
3462
|
u(this, "enableCsrfProtection", !0);
|
|
3463
|
-
this.app = e, this.userEndpoints = new De(this, s), this.adminEndpoints = new He(this, s),
|
|
3463
|
+
this.app = e, this.userEndpoints = new De(this, s), this.adminEndpoints = new He(this, s), C("prefix", k.String, this, s, "PREFIX"), this.prefix.endsWith("/") || (this.prefix += "/"), this.prefix.startsWith("/") || "" + this.prefix, this.loginUrl = this.prefix + "login", C("signupPage", k.String, this, s, "SIGNUP_PAGE"), C("loginPage", k.String, this, s, "LOGIN_PAGE"), C("factor2Page", k.String, this, s, "FACTOR2_PAGE"), C("configureFactor2Page", k.String, this, s, "SIGNUP_FACTOR2_PAGE"), C("errorPage", k.String, this, s, "ERROR_PAGE"), C("emailFrom", k.String, this, s, "EMAIL_FROM"), C("allowedFactor2", k.JsonArray, this, s, "ALLOWED_FACTOR2"), C("enableEmailVerification", k.Boolean, this, s, "ENABLE_EMAIL_VERIFICATION"), C("enablePasswordReset", k.Boolean, this, s, "ENABLE_PASSWORD_RESET"), C("factor2ProtectedPageEndpoints", k.JsonArray, this, s, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), C("factor2ProtectedApiEndpoints", k.JsonArray, this, s, "FACTOR2_PROTECTED_API_ENDPOINTS"), C("enableAdminEndpoints", k.Boolean, this, s, "ENABLE_ADMIN_ENDPOINTS"), C("enableOAuthClientManagement", k.Boolean, this, s, "ENABLE_OAUTH_CLIENT_MANAGEMENT"), C("editUserScope", k.String, this, s, "EDIT_USER_SCOPE"), s.validateUserFn && (this.validateUserFn = s.validateUserFn), s.createUserFn && (this.createUserFn = s.createUserFn), s.updateUserFn && (this.updateUserFn = s.updateUserFn), s.addToSession && (this.addToSession = s.addToSession), s.validateSession && (this.validateSession = s.validateSession), this.endpoints = [...he, ...le], this.endpoints = [...this.endpoints, ...re, ...ie], this.enableAdminEndpoints && (this.endpoints = [...this.endpoints, ...se, ...te]), this.enableOAuthClientManagement && (this.endpoints = [...this.endpoints, ...Z, ...ee, ...Q, ...q]), this.enableEmailVerification && (this.endpoints = [...this.endpoints, ...ae, ...ne]), this.enablePasswordReset && (this.endpoints = [...this.endpoints, ...de, ...ce]), s.endpoints && (C("endpoints", k.JsonArray, this, s, 
"SESSION_ENDPOINTS"), this.endpoints.length == 1 && this.endpoints[0] == "all" && (this.endpoints = je), this.endpoints.length == 1 && this.endpoints[0] == "allMinusOAuth" && (this.endpoints = Be)), this.allowedFactor2.length > 0 && (this.endpoints = [...this.endpoints, ...ge, ...oe]);
|
|
3464
3464
|
let i = !1;
|
|
3465
3465
|
for (let t of this.endpoints)
|
|
3466
3466
|
if (q.includes(t) || Q.includes(t)) {
|
|
@@ -3474,7 +3474,7 @@ class Ke {
|
|
|
3474
3474
|
n = !0;
|
|
3475
3475
|
break;
|
|
3476
3476
|
}
|
|
3477
|
-
n && (this.userClientEndpoints = new Ge(this, s)), this.addEndpoints(),
|
|
3477
|
+
n && (this.userClientEndpoints = new Ge(this, s)), this.addEndpoints(), C("endpoints", k.JsonArray, this, s, "ENDPOINTS"), s.userStorage && (this.userStorage = s.userStorage), this.authenticators = r, this.sessionManager = new Ae(o, r, s), e.addHook("preHandler", async (t, a) => {
|
|
3478
3478
|
var v, m;
|
|
3479
3479
|
d.logger.debug(c({ msg: "Getting session cookie" }));
|
|
3480
3480
|
let h = this.getSessionCookieValue(t), f = {};
|
|
@@ -3555,8 +3555,8 @@ class Ke {
|
|
|
3555
3555
|
d.logger.debug("Cancelling 2FA");
|
|
3556
3556
|
try {
|
|
3557
3557
|
await this.sessionManager.cancelTwoFactorPageVisit(P);
|
|
3558
|
-
} catch (
|
|
3559
|
-
d.logger.debug(c({ err:
|
|
3558
|
+
} catch (N) {
|
|
3559
|
+
d.logger.debug(c({ err: N })), d.logger.error(c({ msg: "Failed cancelling 2FA", cerr: N, user: (v = t.user) == null ? void 0 : v.username, hashOfSessionId: this.getHashOfSessionId(t) }));
|
|
3560
3560
|
}
|
|
3561
3561
|
}
|
|
3562
3562
|
}
|
|
@@ -3565,25 +3565,25 @@ class Ke {
|
|
|
3565
3565
|
if ("pre2fa" in w) {
|
|
3566
3566
|
d.logger.debug("Completing 2FA");
|
|
3567
3567
|
const T = [...this.authenticators[w.pre2fa.factor2].transientSecretNames()];
|
|
3568
|
-
let
|
|
3568
|
+
let N = {};
|
|
3569
3569
|
for (let M in t.body)
|
|
3570
|
-
T.includes(M) && (
|
|
3571
|
-
let
|
|
3570
|
+
T.includes(M) && (N[M] = t.body[M]);
|
|
3571
|
+
let y;
|
|
3572
3572
|
try {
|
|
3573
|
-
await this.sessionManager.completeTwoFactorPageVisit(
|
|
3573
|
+
await this.sessionManager.completeTwoFactorPageVisit(N, m);
|
|
3574
3574
|
} catch (M) {
|
|
3575
|
-
|
|
3575
|
+
y = l.asCrossauthError(M), d.logger.debug(c({ err: M }));
|
|
3576
3576
|
const I = l.asCrossauthError(M);
|
|
3577
3577
|
d.logger.error(c({
|
|
3578
|
-
msg:
|
|
3578
|
+
msg: y.message,
|
|
3579
3579
|
cerr: M,
|
|
3580
3580
|
user: t.body.username,
|
|
3581
3581
|
errorCode: I.code,
|
|
3582
3582
|
errorCodeName: I.codeName
|
|
3583
3583
|
}));
|
|
3584
3584
|
}
|
|
3585
|
-
if (t.body = w.pre2fa.body,
|
|
3586
|
-
if (
|
|
3585
|
+
if (t.body = w.pre2fa.body, y)
|
|
3586
|
+
if (y.code == g.Expired) {
|
|
3587
3587
|
d.logger.debug("Error - cancelling 2FA");
|
|
3588
3588
|
try {
|
|
3589
3589
|
await this.sessionManager.cancelTwoFactorPageVisit(m);
|
|
@@ -3592,18 +3592,18 @@ class Ke {
|
|
|
3592
3592
|
}
|
|
3593
3593
|
t.body = {
|
|
3594
3594
|
...t.body,
|
|
3595
|
-
errorMessage:
|
|
3596
|
-
errorMessages:
|
|
3597
|
-
errorCode: "" +
|
|
3598
|
-
errorCodeName: g[
|
|
3595
|
+
errorMessage: y.message,
|
|
3596
|
+
errorMessages: y.message,
|
|
3597
|
+
errorCode: "" + y.code,
|
|
3598
|
+
errorCodeName: g[y.code]
|
|
3599
3599
|
};
|
|
3600
3600
|
} else
|
|
3601
|
-
return this.factor2ProtectedPageEndpoints.includes(t.url) ? a.redirect(this.prefix + "factor2?error=" + g[
|
|
3601
|
+
return this.factor2ProtectedPageEndpoints.includes(t.url) ? a.redirect(this.prefix + "factor2?error=" + g[y.code]) : a.status(y.httpStatus).send(JSON.stringify({
|
|
3602
3602
|
ok: !1,
|
|
3603
|
-
errorMessage:
|
|
3604
|
-
errorMessages:
|
|
3605
|
-
errorCode:
|
|
3606
|
-
errorCodeName: g[
|
|
3603
|
+
errorMessage: y.message,
|
|
3604
|
+
errorMessages: y.messages,
|
|
3605
|
+
errorCode: y.code,
|
|
3606
|
+
errorCodeName: g[y.code]
|
|
3607
3607
|
}));
|
|
3608
3608
|
} else
|
|
3609
3609
|
return this.validateCsrfToken(t), d.logger.debug("Starting 2FA"), this.sessionManager.initiateTwoFactorPageVisit(t.user, m, t.body, t.url.replace(/\?.*$/, "")), this.factor2ProtectedPageEndpoints.includes(t.url) ? a.redirect(this.prefix + "factor2") : a.send(JSON.stringify({
|
|
@@ -4809,7 +4809,7 @@ class $e {
|
|
|
4809
4809
|
s,
|
|
4810
4810
|
i,
|
|
4811
4811
|
n
|
|
4812
|
-
),
|
|
4812
|
+
), C("prefix", k.String, this, n, "PREFIX"), this.prefix.endsWith("/") || (this.prefix += "/"), C("errorPage", k.String, this, n, "ERROR_PAGE"), C("devicePage", k.String, this, n, "OAUTH_DEVICE_PAGE"), C("loginUrl", k.String, this, n, "LOGIN_URL"), C("oauthAuthorizePage", k.String, this, n, "OAUTH_AUTHORIZE_PAGE"), C("refreshTokenType", k.String, this, n, "OAUTH_REFRESH_TOKEN_TYPE"), C("refreshTokenCookieName", k.String, this, n, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), C("refreshTokenCookieDomain", k.String, this, n, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), C("refreshTokenCookieHttpOnly", k.Boolean, this, n, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), C("refreshTokenCookiePath", k.String, this, n, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), C("refreshTokenCookieSecure", k.Boolean, this, n, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), C("refreshTokenCookieSameSite", k.String, this, n, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), C("createGetCsrfTokenEndpoint", k.String, this, n, "OAUTH_CREATE_GET_CSRF_TOKEN_ENDPOINT"), this.refreshTokenType != "json" && (this.createGetCsrfTokenEndpoint ? this.csrfTokens = new Ue(n.doubleSubmitCookieOptions) : this.fastifyServer.sessionServer && (this.csrfTokens = this.fastifyServer.sessionServer.sessionManager.csrfTokens)), this.createGetCsrfTokenEndpoint && this.addApiGetCsrfTokenEndpoints(), e.get(
|
|
4813
4813
|
this.prefix + ".well-known/openid-configuration",
|
|
4814
4814
|
async (t, a) => a.header(...x).status(200).send(
|
|
4815
4815
|
this.authServer.oidcConfiguration({
|
|
@@ -4834,7 +4834,7 @@ class $e {
|
|
|
4834
4834
|
this.prefix + "userauthorize",
|
|
4835
4835
|
async (t, a) => {
|
|
4836
4836
|
var p, v;
|
|
4837
|
-
if (d.logger.info(c({ msg: "Page visit", method: "POST", url: this.prefix + "authorize", ip: t.ip, user: (p = t.user) == null ? void 0 : p.username })), !t.user) return
|
|
4837
|
+
if (d.logger.info(c({ msg: "Page visit", method: "POST", url: this.prefix + "authorize", ip: t.ip, user: (p = t.user) == null ? void 0 : p.username })), !t.user) return b.sendPageError(
|
|
4838
4838
|
a,
|
|
4839
4839
|
401,
|
|
4840
4840
|
this.errorPage
|
|
@@ -4903,8 +4903,8 @@ class $e {
|
|
|
4903
4903
|
let w, P;
|
|
4904
4904
|
const T = t.headers.authorization.split(" ");
|
|
4905
4905
|
if (T.length == 2 && T[0].toLocaleLowerCase() == "basic") {
|
|
4906
|
-
const
|
|
4907
|
-
|
|
4906
|
+
const y = F.base64Decode(T[1]).split(":", 2);
|
|
4907
|
+
y.length == 2 && (w = y[0], P = y[1]);
|
|
4908
4908
|
}
|
|
4909
4909
|
w == null || P == null ? d.logger.warn(c({
|
|
4910
4910
|
msg: "Ignoring malform authenization header " + t.headers.authorization
|
|
@@ -5007,8 +5007,8 @@ class $e {
|
|
|
5007
5007
|
let m, w;
|
|
5008
5008
|
const P = t.headers.authorization.split(" ");
|
|
5009
5009
|
if (P.length == 2 && P[0].toLocaleLowerCase() == "basic") {
|
|
5010
|
-
const
|
|
5011
|
-
|
|
5010
|
+
const N = F.base64Decode(P[1]).split(":", 2);
|
|
5011
|
+
N.length == 2 && (m = N[0], w = N[1]);
|
|
5012
5012
|
}
|
|
5013
5013
|
m == null || w == null ? d.logger.warn(c({
|
|
5014
5014
|
msg: "Ignoring malform authenization header " + t.headers.authorization
|
|
@@ -5567,9 +5567,9 @@ class $e {
|
|
|
5567
5567
|
}
|
|
5568
5568
|
}
|
|
5569
5569
|
}
|
|
5570
|
-
const
|
|
5571
|
-
async function pe(
|
|
5572
|
-
return d.logger.debug(c({ err: r })), o.header(...
|
|
5570
|
+
const _ = ["Content-Type", "application/json; charset=utf-8"];
|
|
5571
|
+
async function pe(S, e, o, r) {
|
|
5572
|
+
return d.logger.debug(c({ err: r })), o.header(..._).status(r.httpStatus).send({
|
|
5573
5573
|
ok: !1,
|
|
5574
5574
|
status: r.httpStatus,
|
|
5575
5575
|
errorMessage: r.message,
|
|
@@ -5578,75 +5578,79 @@ async function pe(k, e, o, r) {
|
|
|
5578
5578
|
errorCodeName: r.codeName
|
|
5579
5579
|
});
|
|
5580
5580
|
}
|
|
5581
|
-
async function Xe(
|
|
5581
|
+
async function Xe(S, e, o, r) {
|
|
5582
5582
|
var s;
|
|
5583
|
-
return d.logger.debug(c({ err: r })), o.status(r.httpStatus).view(((s =
|
|
5583
|
+
return d.logger.debug(c({ err: r })), o.status(r.httpStatus).view(((s = S.oAuthClient) == null ? void 0 : s.errorPage) ?? "error.njk", {
|
|
5584
5584
|
status: r.httpStatus,
|
|
5585
5585
|
errorMessage: r.message,
|
|
5586
5586
|
errorMessages: r.messages,
|
|
5587
5587
|
errorCodeName: r.codeName
|
|
5588
5588
|
});
|
|
5589
5589
|
}
|
|
5590
|
-
function j(
|
|
5590
|
+
function j(S) {
|
|
5591
5591
|
let e;
|
|
5592
|
-
if (
|
|
5592
|
+
if (S)
|
|
5593
5593
|
try {
|
|
5594
|
-
e = JSON.parse(F.base64Decode(
|
|
5595
|
-
} catch {
|
|
5596
|
-
|
|
5594
|
+
e = JSON.parse(F.base64Decode(S.split(".")[1]));
|
|
5595
|
+
} catch (o) {
|
|
5596
|
+
const r = l.asCrossauthError(o);
|
|
5597
|
+
d.logger.debug(c({ err: r })), d.logger.error(c({ msg: "Couldn't decode id token", cerr: r }));
|
|
5597
5598
|
}
|
|
5598
5599
|
return e;
|
|
5599
5600
|
}
|
|
5600
|
-
async function me(
|
|
5601
|
+
async function me(S, e, o, r) {
|
|
5601
5602
|
if (r) {
|
|
5602
|
-
let s = { ok: !0, ...
|
|
5603
|
-
return e.jwtTokens.includes("id") && (s.id_payload = j(
|
|
5603
|
+
let s = { ok: !0, ...S };
|
|
5604
|
+
return e.jwtTokens.includes("id") && (s.id_payload = S.id_payload ?? j(S.id_token)), r.header(..._).status(200).send(s);
|
|
5604
5605
|
}
|
|
5605
5606
|
}
|
|
5606
|
-
function fe(
|
|
5607
|
-
var o
|
|
5608
|
-
if (
|
|
5607
|
+
function fe(S, e) {
|
|
5608
|
+
var o;
|
|
5609
|
+
if (S.access_token)
|
|
5609
5610
|
try {
|
|
5610
|
-
if (
|
|
5611
|
-
const
|
|
5611
|
+
if (S.access_token && e.includes("access")) {
|
|
5612
|
+
const r = J(S.access_token), s = r.jti ? r.jti : r.sid ? r.sid : "", i = s ? F.hash(s) : void 0;
|
|
5612
5613
|
d.logger.debug(c({
|
|
5613
5614
|
msg: "Got access token",
|
|
5614
|
-
accessTokenHash:
|
|
5615
|
+
accessTokenHash: i
|
|
5615
5616
|
}));
|
|
5616
5617
|
}
|
|
5617
|
-
} catch (
|
|
5618
|
-
d.logger.debug(c({ err:
|
|
5618
|
+
} catch (r) {
|
|
5619
|
+
d.logger.debug(c({ err: r }));
|
|
5619
5620
|
}
|
|
5620
|
-
if (
|
|
5621
|
+
if (S.id_token)
|
|
5621
5622
|
try {
|
|
5622
|
-
if (
|
|
5623
|
-
|
|
5624
|
-
|
|
5625
|
-
|
|
5626
|
-
|
|
5627
|
-
|
|
5623
|
+
if (S.id_token && e.includes("id")) {
|
|
5624
|
+
let r = S.id_payload ?? J(S.id_token);
|
|
5625
|
+
if (r) {
|
|
5626
|
+
const s = r.jti ? r.jti : r.sid ? r.sid : "", i = s ? F.hash(s) : void 0;
|
|
5627
|
+
d.logger.debug(c({
|
|
5628
|
+
msg: "Got id token",
|
|
5629
|
+
idTokenHash: i
|
|
5630
|
+
}));
|
|
5631
|
+
}
|
|
5628
5632
|
}
|
|
5629
|
-
} catch (
|
|
5630
|
-
d.logger.debug(c({ err:
|
|
5633
|
+
} catch (r) {
|
|
5634
|
+
d.logger.debug(c({ err: r }));
|
|
5631
5635
|
}
|
|
5632
|
-
if (
|
|
5636
|
+
if (S.refresh_token && e.includes("refresh"))
|
|
5633
5637
|
try {
|
|
5634
|
-
if (
|
|
5635
|
-
const
|
|
5638
|
+
if (S.refresh_token) {
|
|
5639
|
+
const r = (o = J(S.refresh_token)) == null ? void 0 : o.jti, s = r ? F.hash(r) : void 0;
|
|
5636
5640
|
d.logger.debug(c({
|
|
5637
5641
|
msg: "Got refresh token",
|
|
5638
|
-
refreshTokenHash:
|
|
5642
|
+
refreshTokenHash: s
|
|
5639
5643
|
}));
|
|
5640
5644
|
}
|
|
5641
|
-
} catch (
|
|
5642
|
-
d.logger.debug(c({ err:
|
|
5645
|
+
} catch (r) {
|
|
5646
|
+
d.logger.debug(c({ err: r }));
|
|
5643
5647
|
}
|
|
5644
5648
|
}
|
|
5645
|
-
async function Qe(
|
|
5646
|
-
if (
|
|
5649
|
+
async function Qe(S, e, o, r) {
|
|
5650
|
+
if (S.error) {
|
|
5647
5651
|
const s = l.fromOAuthError(
|
|
5648
|
-
|
|
5649
|
-
|
|
5652
|
+
S.error,
|
|
5653
|
+
S.error_description
|
|
5650
5654
|
);
|
|
5651
5655
|
if (r)
|
|
5652
5656
|
return r.status(s.httpStatus).view(e.errorPage, {
|
|
@@ -5656,10 +5660,10 @@ async function Qe(k, e, o, r) {
|
|
|
5656
5660
|
errorCode: s.code
|
|
5657
5661
|
});
|
|
5658
5662
|
}
|
|
5659
|
-
if (fe(
|
|
5663
|
+
if (fe(S, e.jwtTokens), r)
|
|
5660
5664
|
try {
|
|
5661
|
-
let s = { ...
|
|
5662
|
-
return e.jwtTokens.includes("id") && (s.id_payload = j(
|
|
5665
|
+
let s = { ...S };
|
|
5666
|
+
return e.jwtTokens.includes("id") && S.id_token && (s.id_payload = S.id_payload ?? j(S.id_token)), r.status(200).view(e.authorizedPage, s);
|
|
5663
5667
|
} catch (s) {
|
|
5664
5668
|
const i = l.asCrossauthError(s);
|
|
5665
5669
|
return r.status(i.httpStatus).view(e.errorPage, {
|
|
@@ -5669,11 +5673,11 @@ async function Qe(k, e, o, r) {
|
|
|
5669
5673
|
});
|
|
5670
5674
|
}
|
|
5671
5675
|
}
|
|
5672
|
-
async function Ze(
|
|
5673
|
-
if (
|
|
5676
|
+
async function Ze(S, e, o, r) {
|
|
5677
|
+
if (S.error) {
|
|
5674
5678
|
const s = l.fromOAuthError(
|
|
5675
|
-
|
|
5676
|
-
|
|
5679
|
+
S.error,
|
|
5680
|
+
S.error_description
|
|
5677
5681
|
);
|
|
5678
5682
|
if (r)
|
|
5679
5683
|
return r.status(s.httpStatus).view(e.errorPage, {
|
|
@@ -5683,9 +5687,9 @@ async function Ze(k, e, o, r) {
|
|
|
5683
5687
|
errorCode: s.code
|
|
5684
5688
|
});
|
|
5685
5689
|
}
|
|
5686
|
-
fe(
|
|
5690
|
+
fe(S, e.jwtTokens);
|
|
5687
5691
|
try {
|
|
5688
|
-
if ((
|
|
5692
|
+
if ((S.access_token || S.id_token || S.refresh_token) && await Se(S, e, o, r), r) {
|
|
5689
5693
|
if (!e.authorizedPage)
|
|
5690
5694
|
return r.status(500).view(e.errorPage, {
|
|
5691
5695
|
status: 500,
|
|
@@ -5693,8 +5697,8 @@ async function Ze(k, e, o, r) {
|
|
|
5693
5697
|
errorCodeName: g[g.Configuration],
|
|
5694
5698
|
errorCode: g.Configuration
|
|
5695
5699
|
});
|
|
5696
|
-
let s = { ...
|
|
5697
|
-
return e.jwtTokens.includes("id") && (s.id_payload = j(
|
|
5700
|
+
let s = { ...S };
|
|
5701
|
+
return e.jwtTokens.includes("id") && (s.id_payload = S.id_payload ?? j(S.id_token)), r.status(200).view(e.authorizedPage, s);
|
|
5698
5702
|
}
|
|
5699
5703
|
} catch (s) {
|
|
5700
5704
|
const i = l.asCrossauthError(s);
|
|
@@ -5706,14 +5710,14 @@ async function Ze(k, e, o, r) {
|
|
|
5706
5710
|
});
|
|
5707
5711
|
}
|
|
5708
5712
|
}
|
|
5709
|
-
async function Se(
|
|
5713
|
+
async function Se(S, e, o, r) {
|
|
5710
5714
|
if (!e.server.sessionAdapter) throw new l(
|
|
5711
5715
|
g.Configuration,
|
|
5712
5716
|
"Cannot update session data if sessions not enabled"
|
|
5713
5717
|
);
|
|
5714
|
-
let s =
|
|
5715
|
-
if (!s &&
|
|
5716
|
-
const t = J(
|
|
5718
|
+
let s = S.expires_in;
|
|
5719
|
+
if (!s && S.access_token && e.jwtTokens.includes("access")) {
|
|
5720
|
+
const t = J(S.access_token);
|
|
5717
5721
|
t.exp && (s = t.exp);
|
|
5718
5722
|
}
|
|
5719
5723
|
if (!s)
|
|
@@ -5722,31 +5726,18 @@ async function Se(k, e, o, r) {
|
|
|
5722
5726
|
"OAuth server did not return an expiry for the access token"
|
|
5723
5727
|
);
|
|
5724
5728
|
const i = Date.now() + s * 1e3;
|
|
5725
|
-
let n = { ...
|
|
5726
|
-
if ("id_token" in
|
|
5727
|
-
let t = j(
|
|
5729
|
+
let n = { ...S, expires_at: i };
|
|
5730
|
+
if ("id_token" in S) {
|
|
5731
|
+
let t = S.id_payload ?? j(S.id_token);
|
|
5728
5732
|
t && (n.id_token = t);
|
|
5729
5733
|
}
|
|
5730
|
-
|
|
5731
|
-
let t = e.server.sessionServer.getSessionCookieValue(o);
|
|
5732
|
-
!t && r ? t = await e.server.createAnonymousSession(
|
|
5733
|
-
o,
|
|
5734
|
-
r,
|
|
5735
|
-
{ [e.sessionDataName]: n }
|
|
5736
|
-
) : await e.server.sessionAdapter.updateSessionData(o, e.sessionDataName, n);
|
|
5737
|
-
} else {
|
|
5738
|
-
if (!e.server.sessionAdapter) throw new l(
|
|
5739
|
-
g.Configuration,
|
|
5740
|
-
"Cannot get session data if sessions not enabled"
|
|
5741
|
-
);
|
|
5742
|
-
await e.server.sessionAdapter.updateSessionData(o, e.sessionDataName, n);
|
|
5743
|
-
}
|
|
5734
|
+
await e.storeSessionData(n, o, r);
|
|
5744
5735
|
}
|
|
5745
|
-
async function qe(
|
|
5746
|
-
if (
|
|
5736
|
+
async function qe(S, e, o, r) {
|
|
5737
|
+
if (S.error) {
|
|
5747
5738
|
const s = l.fromOAuthError(
|
|
5748
|
-
|
|
5749
|
-
|
|
5739
|
+
S.error,
|
|
5740
|
+
S.error_description
|
|
5750
5741
|
);
|
|
5751
5742
|
if (r)
|
|
5752
5743
|
return r.status(s.httpStatus).view(e.errorPage, {
|
|
@@ -5756,9 +5747,9 @@ async function qe(k, e, o, r) {
|
|
|
5756
5747
|
errorCode: s.code
|
|
5757
5748
|
});
|
|
5758
5749
|
}
|
|
5759
|
-
fe(
|
|
5750
|
+
fe(S, e.jwtTokens);
|
|
5760
5751
|
try {
|
|
5761
|
-
if ((
|
|
5752
|
+
if ((S.access_token || S.id_token || S.refresh_token) && await Se(S, e, o, r), r)
|
|
5762
5753
|
return e.authorizedUrl ? r.redirect(e.authorizedUrl) : r.status(500).view(e.errorPage, {
|
|
5763
5754
|
status: 500,
|
|
5764
5755
|
errorMessage: "Authorized url not configured",
|
|
@@ -5823,7 +5814,7 @@ class we extends Oe {
|
|
|
5823
5814
|
u(this, "bffEndpointName", "bff");
|
|
5824
5815
|
u(this, "bffBaseUrl");
|
|
5825
5816
|
u(this, "tokenEndpoints", []);
|
|
5826
|
-
if (this.server = o,
|
|
5817
|
+
if (this.server = o, C("sessionDataName", k.String, this, s, "OAUTH_SESSION_DATA_NAME"), C("siteUrl", k.String, this, s, "SITE_URL", !0), C("tokenResponseType", k.String, this, s, "OAUTH_TOKEN_RESPONSE_TYPE"), C("errorResponseType", k.String, this, s, "OAUTH_ERROR_RESPONSE_TYPE"), C("prefix", k.String, this, s, "PREFIX"), this.prefix.endsWith("/") || (this.prefix += "/"), C("loginUrl", k.String, this, s, "LOGIN_URL"), C("errorPage", k.String, this, s, "ERROR_PAGE"), C("authorizedPage", k.String, this, s, "AUTHORIZED_PAGE"), C("authorizedUrl", k.String, this, s, "AUTHORIZED_URL"), C("loginProtectedFlows", k.JsonArray, this, s, "OAUTH_LOGIN_PROTECTED_FLOWS"), C("passwordFlowUrl", k.String, this, s, "OAUTH_PASSWORD_FLOW_URL"), C("passwordOtpUrl", k.String, this, s, "OAUTH_PASSWORD_OTP_URL"), C("passwordOobUrl", k.String, this, s, "OAUTH_PASSWORD_OOB_URL"), C("passwordFlowPage", k.String, this, s, "OAUTH_PASSWORD_FLOW_PAGE"), C("deviceCodeFlowPage", k.String, this, s, "OAUTH_DEVICECODE_FLOW_PAGE"), C("deleteTokensPage", k.String, this, s, "OAUTH_DELETE_TOKENS_PAGE"), C("deleteTokensGetUrl", k.String, this, s, "OAUTH_DELETE_TOKENS_GET_URL"), C("deleteTokensPostUrl", k.String, this, s, "OAUTH_DELETE_TOKENS_POST_URL"), C("apiDeleteTokensPostUrl", k.String, this, s, "OAUTHAPI__DELETE_TOKENS_POST_URL"), C("mfaOtpPage", k.String, this, s, "OAUTH_MFA_OTP_PAGE"), C("mfaOobPage", k.String, this, s, "OAUTH_MFA_OOB_PAGE"), C("deviceCodeFlowUrl", k.String, this, s, "OAUTH_DEVICECODE_FLOW_URL"), C("deviceCodePollUrl", k.String, this, s, "OAUTH_DEVICECODE_POLL_URL"), C("bffEndpointName", k.String, this, s, "OAUTH_BFF_ENDPOINT_NAME"), C("bffBaseUrl", k.String, this, s, "OAUTH_BFF_BASEURL"), C("validFlows", k.JsonArray, this, s, "OAUTH_VALIDFLOWS"), C("jwtTokens", k.JsonArray, this, s, "OAUTH_JWT_TOKENS"), (i = this.deleteTokensGetUrl) != null && i.startsWith("/") && (this.deleteTokensGetUrl = this.deleteTokensGetUrl.substring(1)), (n = this.deleteTokensPostUrl) != null && 
n.startsWith("/") && (this.deleteTokensPostUrl = this.deleteTokensPostUrl.substring(1)), (t = this.deleteTokensPostUrl) != null && t.startsWith("/") && (this.deleteTokensPostUrl = this.deleteTokensPostUrl.substring(1)), this.validFlows.length == 1 && this.validFlows[0] == E.All)
|
|
5827
5818
|
this.validFlows = E.allFlows();
|
|
5828
5819
|
else if (!E.areAllValidFlows(this.validFlows))
|
|
5829
5820
|
throw new l(g.Configuration, "Invalid flows specificied in " + this.validFlows.join(","));
|
|
@@ -5852,30 +5843,36 @@ class we extends Oe {
|
|
|
5852
5843
|
this.prefix.endsWith("/") || (this.prefix += "/"), this.redirect_uri = this.siteUrl + this.prefix + "authzcode", this.validFlows.includes(E.AuthorizationCode) && this.server.app.get(
|
|
5853
5844
|
this.prefix + "authzcodeflow",
|
|
5854
5845
|
async (a, h) => {
|
|
5855
|
-
var
|
|
5846
|
+
var P;
|
|
5856
5847
|
if (d.logger.info(c({
|
|
5857
5848
|
msg: "Page visit",
|
|
5858
5849
|
method: "GET",
|
|
5859
5850
|
url: this.prefix + "authzcodeflow",
|
|
5860
5851
|
ip: a.ip,
|
|
5861
|
-
user: (
|
|
5862
|
-
})), !
|
|
5863
|
-
|
|
5864
|
-
|
|
5865
|
-
|
|
5866
|
-
|
|
5867
|
-
|
|
5868
|
-
if (
|
|
5869
|
-
const
|
|
5870
|
-
|
|
5871
|
-
|
|
5852
|
+
user: (P = a.user) == null ? void 0 : P.username
|
|
5853
|
+
})), !this.server.sessionAdapter) {
|
|
5854
|
+
const T = new l(g.Configuration, "Need a session server or adapter for authorization code flow");
|
|
5855
|
+
return await this.errorFn(this.server, a, h, T);
|
|
5856
|
+
}
|
|
5857
|
+
if (!a.user && this.loginProtectedFlows.includes(E.AuthorizationCode))
|
|
5858
|
+
return h.redirect(this.loginUrl + "?next=" + encodeURIComponent(a.url), 302);
|
|
5859
|
+
if (!this.server.sessionAdapter) {
|
|
5860
|
+
const T = new l(g.Configuration, "Need a session server or adapter for authorization code flow");
|
|
5861
|
+
return await this.errorFn(this.server, a, h, T);
|
|
5862
|
+
}
|
|
5863
|
+
const f = this.randomValue(this.stateLength), p = { scope: a.query.scope, state: f };
|
|
5864
|
+
await this.storeSessionData(p, a, h);
|
|
5865
|
+
const { url: v, error: m, error_description: w } = await this.startAuthorizationCodeFlow(f, a.query.scope);
|
|
5866
|
+
if (m || !v) {
|
|
5867
|
+
const T = l.fromOAuthError(
|
|
5868
|
+
m ?? "server_error",
|
|
5869
|
+
w
|
|
5872
5870
|
);
|
|
5873
|
-
return await this.errorFn(this.server, a, h,
|
|
5871
|
+
return await this.errorFn(this.server, a, h, T);
|
|
5874
5872
|
}
|
|
5875
|
-
return d.logger.debug(c({
|
|
5876
|
-
msg: "
|
|
5877
|
-
|
|
5878
|
-
})), h.redirect(f);
|
|
5873
|
+
return this.oauthLogFetch ? d.logger.debug(c({ msg: "OAuth redirect", url: v })) : d.logger.debug(c({
|
|
5874
|
+
msg: "OAuth redirect"
|
|
5875
|
+
})), h.redirect(v);
|
|
5879
5876
|
}
|
|
5880
5877
|
), o.app.addHook("preHandler", async (a, h) => {
|
|
5881
5878
|
if (a.user || !o.sessionAdapter) return;
|
|
@@ -5905,74 +5902,77 @@ class we extends Oe {
|
|
|
5905
5902
|
}), this.validFlows.includes(E.AuthorizationCodeWithPKCE) && this.server.app.get(
|
|
5906
5903
|
this.prefix + "authzcodeflowpkce",
|
|
5907
5904
|
async (a, h) => {
|
|
5908
|
-
var
|
|
5905
|
+
var N;
|
|
5909
5906
|
if (d.logger.info(c({
|
|
5910
5907
|
msg: "Page visit",
|
|
5911
5908
|
method: "GET",
|
|
5912
5909
|
url: this.prefix + "authzcodeflowpkce",
|
|
5913
5910
|
ip: a.ip,
|
|
5914
|
-
user: (
|
|
5911
|
+
user: (N = a.user) == null ? void 0 : N.username
|
|
5915
5912
|
})), !a.user && this.loginProtectedFlows.includes(E.AuthorizationCodeWithPKCE))
|
|
5916
|
-
return h.redirect(
|
|
5917
|
-
|
|
5918
|
-
|
|
5919
|
-
|
|
5920
|
-
|
|
5913
|
+
return h.redirect(this.loginUrl + "?next=" + encodeURIComponent(a.url), 302);
|
|
5914
|
+
const f = this.randomValue(this.stateLength), { codeChallenge: p, codeVerifier: v } = await this.codeChallengeAndVerifier(), m = { scope: a.query.scope, state: f, codeChallenge: p, codeVerifier: v };
|
|
5915
|
+
await this.storeSessionData(m, a, h);
|
|
5916
|
+
const { url: w, error: P, error_description: T } = await this.startAuthorizationCodeFlow(
|
|
5917
|
+
f,
|
|
5921
5918
|
a.query.scope,
|
|
5919
|
+
p,
|
|
5922
5920
|
!0
|
|
5923
5921
|
);
|
|
5924
|
-
if (
|
|
5925
|
-
const
|
|
5926
|
-
|
|
5927
|
-
|
|
5922
|
+
if (P || !w) {
|
|
5923
|
+
const y = l.fromOAuthError(
|
|
5924
|
+
P ?? "server_error",
|
|
5925
|
+
T
|
|
5928
5926
|
);
|
|
5929
|
-
return await this.errorFn(this.server, a, h,
|
|
5927
|
+
return await this.errorFn(this.server, a, h, y);
|
|
5930
5928
|
}
|
|
5931
|
-
return
|
|
5929
|
+
return this.oauthLogFetch ? d.logger.debug(c({ msg: "OAuth redirect", url: w })) : d.logger.debug(c({
|
|
5930
|
+
msg: "OAuth redirect"
|
|
5931
|
+
})), h.redirect(w);
|
|
5932
5932
|
}
|
|
5933
5933
|
), (this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode)) && this.server.app.get(
|
|
5934
5934
|
this.prefix + "authzcode",
|
|
5935
5935
|
async (a, h) => {
|
|
5936
|
-
var
|
|
5936
|
+
var v, m, w;
|
|
5937
5937
|
if (d.logger.info(c({
|
|
5938
5938
|
msg: "Page visit",
|
|
5939
5939
|
method: "GET",
|
|
5940
5940
|
url: this.prefix + "authzcode",
|
|
5941
5941
|
ip: a.ip,
|
|
5942
|
-
user: (
|
|
5943
|
-
})), !a.user && (this.loginProtectedFlows.includes(E.AuthorizationCodeWithPKCE) || this.loginProtectedFlows.includes(E.AuthorizationCode)))
|
|
5944
|
-
return h.redirect(
|
|
5945
|
-
|
|
5946
|
-
|
|
5947
|
-
);
|
|
5948
|
-
|
|
5942
|
+
user: (v = a.user) == null ? void 0 : v.username
|
|
5943
|
+
})), this.oauthLogFetch && d.logger.debug(c({ msg: "Received OAuth redirect", url: a.url })), !a.user && (this.loginProtectedFlows.includes(E.AuthorizationCodeWithPKCE) || this.loginProtectedFlows.includes(E.AuthorizationCode)))
|
|
5944
|
+
return h.redirect(this.loginUrl + "?next=" + encodeURIComponent(a.url), 302);
|
|
5945
|
+
const f = await ((m = this.server.sessionAdapter) == null ? void 0 : m.getSessionData(a, this.sessionDataName));
|
|
5946
|
+
if (!(f != null && f.state) || (f == null ? void 0 : f.state) != a.query.state)
|
|
5947
|
+
throw new l(g.Unauthorized, "State does not match");
|
|
5948
|
+
let p = await this.redirectEndpoint(
|
|
5949
5949
|
a.query.code,
|
|
5950
|
-
|
|
5950
|
+
f == null ? void 0 : f.scope,
|
|
5951
|
+
f == null ? void 0 : f.codeVerifier,
|
|
5951
5952
|
a.query.error,
|
|
5952
5953
|
a.query.error_description
|
|
5953
5954
|
);
|
|
5954
|
-
f.id_token && (this.validateIdToken(f.id_token) || (f.error = "access_denied", f.error_description = "Invalid ID token received"));
|
|
5955
5955
|
try {
|
|
5956
|
-
if (
|
|
5957
|
-
const
|
|
5958
|
-
|
|
5959
|
-
|
|
5956
|
+
if (p.error) {
|
|
5957
|
+
const P = l.fromOAuthError(
|
|
5958
|
+
p.error,
|
|
5959
|
+
p.error_description
|
|
5960
5960
|
);
|
|
5961
5961
|
return await this.errorFn(
|
|
5962
5962
|
this.server,
|
|
5963
5963
|
a,
|
|
5964
5964
|
h,
|
|
5965
|
-
|
|
5965
|
+
P
|
|
5966
5966
|
);
|
|
5967
5967
|
}
|
|
5968
|
-
return await this.receiveTokenFn(
|
|
5969
|
-
} catch (
|
|
5970
|
-
const
|
|
5968
|
+
return await this.receiveTokenFn(p, this, a, h);
|
|
5969
|
+
} catch (P) {
|
|
5970
|
+
const T = l.asCrossauthError(P);
|
|
5971
5971
|
return d.logger.error(c({
|
|
5972
5972
|
msg: "Error receiving token",
|
|
5973
|
-
cerr:
|
|
5974
|
-
user: (
|
|
5975
|
-
})), d.logger.debug(c({ err:
|
|
5973
|
+
cerr: T,
|
|
5974
|
+
user: (w = a.user) == null ? void 0 : w.user
|
|
5975
|
+
})), d.logger.debug(c({ err: P })), await this.errorFn(this.server, a, h, T);
|
|
5976
5976
|
}
|
|
5977
5977
|
}
|
|
5978
5978
|
), this.validFlows.includes(E.ClientCredentials) && this.server.app.post(
|
|
@@ -5994,10 +5994,10 @@ class we extends Oe {
|
|
|
5994
5994
|
if (m) return w;
|
|
5995
5995
|
}
|
|
5996
5996
|
if (!a.user && this.loginProtectedFlows.includes(E.ClientCredentials))
|
|
5997
|
-
return h.status(401).header(...
|
|
5997
|
+
return h.status(401).header(..._).send({ ok: !1, msg: "Access denied" });
|
|
5998
5998
|
try {
|
|
5999
5999
|
const m = await this.clientCredentialsFlow((p = a.body) == null ? void 0 : p.scope);
|
|
6000
|
-
if (m.
|
|
6000
|
+
if (m.error) {
|
|
6001
6001
|
const w = l.fromOAuthError(
|
|
6002
6002
|
m.error,
|
|
6003
6003
|
m.error_description
|
|
@@ -6070,10 +6070,10 @@ class we extends Oe {
|
|
|
6070
6070
|
);
|
|
6071
6071
|
}
|
|
6072
6072
|
if (!a.user && this.loginProtectedFlows.includes(E.RefreshToken))
|
|
6073
|
-
return h.status(401).header(...
|
|
6073
|
+
return h.status(401).header(..._).send({ ok: !1, msg: "Access denied" });
|
|
6074
6074
|
try {
|
|
6075
6075
|
const P = await this.refreshTokenFlow(v);
|
|
6076
|
-
if (P.
|
|
6076
|
+
if (P.error) {
|
|
6077
6077
|
const T = l.fromOAuthError(
|
|
6078
6078
|
P.error,
|
|
6079
6079
|
P.error_description
|
|
@@ -6311,10 +6311,10 @@ class we extends Oe {
|
|
|
6311
6311
|
user: (f = a.user) == null ? void 0 : f.username
|
|
6312
6312
|
}));
|
|
6313
6313
|
try {
|
|
6314
|
-
return await this.deleteTokens(a), h.header(...
|
|
6314
|
+
return await this.deleteTokens(a), h.header(..._).send('{"ok": true}');
|
|
6315
6315
|
} catch (p) {
|
|
6316
6316
|
const v = l.asCrossauthError(p);
|
|
6317
|
-
return d.logger.debug(c({ err: v })), d.logger.error(c({ msg: "Couldn't delete oauth tokens", cerr: v })), h.header(...
|
|
6317
|
+
return d.logger.debug(c({ err: v })), d.logger.error(c({ msg: "Couldn't delete oauth tokens", cerr: v })), h.header(..._).status(v.httpStatus).send(JSON.stringify({
|
|
6318
6318
|
ok: !1,
|
|
6319
6319
|
errorMessage: v.message,
|
|
6320
6320
|
errorCode: v.code,
|
|
@@ -6328,15 +6328,15 @@ class we extends Oe {
|
|
|
6328
6328
|
this.server.app.post(
|
|
6329
6329
|
this.prefix + a,
|
|
6330
6330
|
async (h, f) => {
|
|
6331
|
-
var
|
|
6331
|
+
var N;
|
|
6332
6332
|
if (d.logger.info(c({
|
|
6333
6333
|
msg: "Page visit",
|
|
6334
6334
|
method: "POST",
|
|
6335
6335
|
url: this.prefix + a,
|
|
6336
6336
|
ip: h.ip,
|
|
6337
|
-
user: (
|
|
6337
|
+
user: (N = h.user) == null ? void 0 : N.username
|
|
6338
6338
|
})), !h.csrfToken)
|
|
6339
|
-
return f.header(...
|
|
6339
|
+
return f.header(..._).status(401).send({ ok: !1, msg: "No csrf token given" });
|
|
6340
6340
|
let p = !1, v = a;
|
|
6341
6341
|
a.startsWith("have_") && (v = a.replace("have_", ""), p = !0);
|
|
6342
6342
|
let m = v.replace("_token", ""), w = !1;
|
|
@@ -6346,9 +6346,9 @@ class we extends Oe {
|
|
|
6346
6346
|
);
|
|
6347
6347
|
const P = await this.server.sessionAdapter.getSessionData(h, this.sessionDataName);
|
|
6348
6348
|
if (!P)
|
|
6349
|
-
return p ? f.header(...
|
|
6349
|
+
return p ? f.header(..._).status(200).send({ ok: !1 }) : f.header(..._).status(204).send();
|
|
6350
6350
|
let T = P[v];
|
|
6351
|
-
return w && (T = j(P[v])), T ? p ? f.header(...
|
|
6351
|
+
return w && (T = j(P[v])), T ? p ? f.header(..._).status(200).send({ ok: !0 }) : f.header(..._).status(200).send({ ...T }) : p ? f.header(..._).status(200).send({ ok: !1 }) : f.header(..._).status(204).send();
|
|
6352
6352
|
}
|
|
6353
6353
|
);
|
|
6354
6354
|
if (this.server.app.post(
|
|
@@ -6362,25 +6362,25 @@ class we extends Oe {
|
|
|
6362
6362
|
ip: a.ip,
|
|
6363
6363
|
user: (v = a.user) == null ? void 0 : v.username
|
|
6364
6364
|
})), !a.csrfToken)
|
|
6365
|
-
return h.header(...
|
|
6365
|
+
return h.header(..._).status(401).send({ ok: !1, msg: "No csrf token given" });
|
|
6366
6366
|
if (!this.server.sessionAdapter) throw new l(
|
|
6367
6367
|
g.Configuration,
|
|
6368
6368
|
"Cannot get session data if sessions not enabled"
|
|
6369
6369
|
);
|
|
6370
6370
|
const f = await this.server.sessionAdapter.getSessionData(a, this.sessionDataName);
|
|
6371
6371
|
if (!f)
|
|
6372
|
-
return h.header(...
|
|
6372
|
+
return h.header(..._).status(204).send();
|
|
6373
6373
|
let p = {};
|
|
6374
6374
|
for (let m of this.tokenEndpoints) {
|
|
6375
6375
|
let w = !1, P = m;
|
|
6376
6376
|
m.startsWith("have_") && (P = m.replace("have_", ""), w = !0);
|
|
6377
|
-
let T = P.replace("_token", ""),
|
|
6378
|
-
if (this.jwtTokens.includes(T) && (
|
|
6379
|
-
let
|
|
6380
|
-
|
|
6377
|
+
let T = P.replace("_token", ""), N = !1;
|
|
6378
|
+
if (this.jwtTokens.includes(T) && (N = a.body.decode ?? !0), P in f) {
|
|
6379
|
+
let y = f[P];
|
|
6380
|
+
N && (y = j(f[P])), y && (p[m] = w ? !0 : y);
|
|
6381
6381
|
} else w && (p[m] = !1);
|
|
6382
6382
|
}
|
|
6383
|
-
return h.header(...
|
|
6383
|
+
return h.header(..._).status(200).send({ ...p });
|
|
6384
6384
|
}
|
|
6385
6385
|
), this.bffEndpoints.length > 0 && !this.bffBaseUrl)
|
|
6386
6386
|
throw new l(g.Configuration, "If enabling BFF endpoints, must also define bffBaseUrl");
|
|
@@ -6400,18 +6400,18 @@ class we extends Oe {
|
|
|
6400
6400
|
url: this.prefix + this.bffEndpointName + v,
|
|
6401
6401
|
// was url
|
|
6402
6402
|
handler: async (w, P) => {
|
|
6403
|
-
var
|
|
6403
|
+
var y, M;
|
|
6404
6404
|
d.logger.info(c({
|
|
6405
6405
|
msg: "Page visit",
|
|
6406
6406
|
method: w.method,
|
|
6407
6407
|
url: w.url,
|
|
6408
6408
|
ip: w.ip,
|
|
6409
|
-
user: (
|
|
6409
|
+
user: (y = w.user) == null ? void 0 : y.username
|
|
6410
6410
|
}));
|
|
6411
6411
|
const T = w.url.substring(this.prefix.length + this.bffEndpointName.length);
|
|
6412
6412
|
d.logger.debug(c({ msg: "Resource server URL " + T }));
|
|
6413
|
-
const
|
|
6414
|
-
if (this.server.sessionAdapter &&
|
|
6413
|
+
const N = f[m] != "GET" && f[m] != "HEAD" && f[m] != "OPTIONS";
|
|
6414
|
+
if (this.server.sessionAdapter && N) {
|
|
6415
6415
|
const { error: I, reply: V } = await o.errorIfCsrfInvalid(
|
|
6416
6416
|
w,
|
|
6417
6417
|
P,
|
|
@@ -6426,7 +6426,7 @@ class we extends Oe {
|
|
|
6426
6426
|
);
|
|
6427
6427
|
const I = await this.server.sessionAdapter.getSessionData(w, this.sessionDataName);
|
|
6428
6428
|
if (!I)
|
|
6429
|
-
return P.header(...
|
|
6429
|
+
return P.header(..._).status(401).send({ ok: !1 });
|
|
6430
6430
|
let V = I == null ? void 0 : I.access_token;
|
|
6431
6431
|
if (I && I.access_token) {
|
|
6432
6432
|
const H = await ((M = o.oAuthClient) == null ? void 0 : M.refresh(
|
|
@@ -6456,9 +6456,9 @@ class we extends Oe {
|
|
|
6456
6456
|
const Ce = await W.json();
|
|
6457
6457
|
for (const H of W.headers.entries())
|
|
6458
6458
|
P = P.header(H[0], H[1]);
|
|
6459
|
-
return P.header(...
|
|
6459
|
+
return P.header(..._).status(W.status).send(Ce);
|
|
6460
6460
|
} catch (I) {
|
|
6461
|
-
return d.logger.error(c({ err: I })), P.header(...
|
|
6461
|
+
return d.logger.error(c({ err: I })), P.header(..._).status(500).send({});
|
|
6462
6462
|
}
|
|
6463
6463
|
}
|
|
6464
6464
|
});
|
|
@@ -6480,7 +6480,7 @@ class we extends Oe {
|
|
|
6480
6480
|
r.body.password,
|
|
6481
6481
|
r.body.scope
|
|
6482
6482
|
);
|
|
6483
|
-
if (n.
|
|
6483
|
+
if (n.error == "mfa_required" && n.mfa_token && this.validFlows.includes(E.PasswordMfa)) {
|
|
6484
6484
|
const t = n.mfa_token;
|
|
6485
6485
|
if (n = await this.passwordMfa(
|
|
6486
6486
|
o,
|
|
@@ -6488,7 +6488,7 @@ class we extends Oe {
|
|
|
6488
6488
|
r.body.scope,
|
|
6489
6489
|
r,
|
|
6490
6490
|
s
|
|
6491
|
-
), n.
|
|
6491
|
+
), n.error) {
|
|
6492
6492
|
const a = l.fromOAuthError(
|
|
6493
6493
|
n.error,
|
|
6494
6494
|
n.error_description
|
|
@@ -6638,7 +6638,7 @@ class we extends Oe {
|
|
|
6638
6638
|
r.body.oob_code,
|
|
6639
6639
|
r.body.binding_code
|
|
6640
6640
|
);
|
|
6641
|
-
if (i.
|
|
6641
|
+
if (i.error) {
|
|
6642
6642
|
const t = l.fromOAuthError(
|
|
6643
6643
|
i.error,
|
|
6644
6644
|
i.error_description ?? "Error completing MFA"
|
|
@@ -6695,14 +6695,14 @@ class we extends Oe {
|
|
|
6695
6695
|
error: t.error,
|
|
6696
6696
|
error_description: t.error_description
|
|
6697
6697
|
};
|
|
6698
|
-
return o ? s.header(...
|
|
6698
|
+
return o ? s.header(..._).status(h.httpStatus).send(t) : s.view(this.deviceCodeFlowPage, f);
|
|
6699
6699
|
}
|
|
6700
6700
|
let a;
|
|
6701
6701
|
return t.verification_uri_complete && await Re.toDataURL(t.verification_uri_complete).then((h) => {
|
|
6702
6702
|
a = h;
|
|
6703
6703
|
}).catch((h) => {
|
|
6704
6704
|
d.logger.debug(c({ err: h })), d.logger.warn(c({ msg: "Couldn't generate verification URL QR Code" }));
|
|
6705
|
-
}), o ? s.header(...
|
|
6705
|
+
}), o ? s.header(..._).send(t) : s.view(
|
|
6706
6706
|
this.deviceCodeFlowPage,
|
|
6707
6707
|
{
|
|
6708
6708
|
user: r.user,
|
|
@@ -6723,7 +6723,7 @@ class we extends Oe {
|
|
|
6723
6723
|
errorCode: t.code,
|
|
6724
6724
|
errorCodeName: t.codeName
|
|
6725
6725
|
};
|
|
6726
|
-
return o ? s.header(...
|
|
6726
|
+
return o ? s.header(..._).status(t.httpStatus).send(a) : s.view(this.deviceCodeFlowPage, {
|
|
6727
6727
|
user: r.user,
|
|
6728
6728
|
csrfToken: r.csrfToken,
|
|
6729
6729
|
scope: r.body.scope,
|
|
@@ -6735,7 +6735,7 @@ class we extends Oe {
|
|
|
6735
6735
|
var i;
|
|
6736
6736
|
try {
|
|
6737
6737
|
const n = await this.pollDeviceCodeFlow(r.body.device_code);
|
|
6738
|
-
return n.
|
|
6738
|
+
return n.error ? s.header(..._).send(n) : await this.receiveTokenFn(
|
|
6739
6739
|
n,
|
|
6740
6740
|
this,
|
|
6741
6741
|
r,
|
|
@@ -6766,7 +6766,7 @@ class we extends Oe {
|
|
|
6766
6766
|
if (!i || t <= Date.now())
|
|
6767
6767
|
try {
|
|
6768
6768
|
const a = await this.refreshTokenFlow(n);
|
|
6769
|
-
if (
|
|
6769
|
+
if (!a.error && !a.access_token && (a.error = "server_error", a.error_description = "Unexpectedly did not receive error or access token"), !a.error) {
|
|
6770
6770
|
const p = await this.receiveTokenFn(
|
|
6771
6771
|
a,
|
|
6772
6772
|
this,
|
|
@@ -6817,7 +6817,7 @@ class we extends Oe {
|
|
|
6817
6817
|
}
|
|
6818
6818
|
async refreshTokens(o, r, s, i) {
|
|
6819
6819
|
if (!o.csrfToken)
|
|
6820
|
-
return r.header(...
|
|
6820
|
+
return r.header(..._).status(401).send({ ok: !1, msg: "No csrf token given" });
|
|
6821
6821
|
if (!this.server.sessionAdapter) throw new l(
|
|
6822
6822
|
g.Configuration,
|
|
6823
6823
|
"Cannot get session data if sessions not enabled"
|
|
@@ -6825,7 +6825,7 @@ class we extends Oe {
|
|
|
6825
6825
|
const n = await this.server.sessionAdapter.getSessionData(o, this.sessionDataName);
|
|
6826
6826
|
if (!(n != null && n.refresh_token)) {
|
|
6827
6827
|
if (s)
|
|
6828
|
-
return r.header(...
|
|
6828
|
+
return r.header(..._).status(204).send();
|
|
6829
6829
|
{
|
|
6830
6830
|
const a = new l(
|
|
6831
6831
|
g.InvalidSession,
|
|
@@ -6848,11 +6848,11 @@ class we extends Oe {
|
|
|
6848
6848
|
//onlyIfExpired ? oauthData.expires_at : undefined
|
|
6849
6849
|
n.expires_at
|
|
6850
6850
|
);
|
|
6851
|
-
if (
|
|
6851
|
+
if (!s) {
|
|
6852
6852
|
if (t == null) return this.receiveTokenFn({}, this, o, r);
|
|
6853
6853
|
if (t != null) return t;
|
|
6854
6854
|
}
|
|
6855
|
-
return r.header(...
|
|
6855
|
+
return r.header(..._).status(200).send({ ok: !0, expires_at: t == null ? void 0 : t.expires_at });
|
|
6856
6856
|
}
|
|
6857
6857
|
async deleteTokens(o) {
|
|
6858
6858
|
if (!this.server.sessionAdapter) throw new l(
|
|
@@ -6870,6 +6870,23 @@ class we extends Oe {
|
|
|
6870
6870
|
);
|
|
6871
6871
|
await this.server.sessionAdapter.deleteSessionData(o, this.sessionDataName);
|
|
6872
6872
|
}
|
|
6873
|
+
async storeSessionData(o, r, s) {
|
|
6874
|
+
var i;
|
|
6875
|
+
if (this.server.sessionServer) {
|
|
6876
|
+
let n = this.server.sessionServer.getSessionCookieValue(r);
|
|
6877
|
+
!n && s ? n = await this.server.createAnonymousSession(
|
|
6878
|
+
r,
|
|
6879
|
+
s,
|
|
6880
|
+
{ [this.sessionDataName]: o }
|
|
6881
|
+
) : await ((i = this.server.sessionAdapter) == null ? void 0 : i.updateSessionData(r, this.sessionDataName, o));
|
|
6882
|
+
} else {
|
|
6883
|
+
if (!this.server.sessionAdapter) throw new l(
|
|
6884
|
+
g.Configuration,
|
|
6885
|
+
"Cannot get session data if sessions not enabled"
|
|
6886
|
+
);
|
|
6887
|
+
await this.server.sessionAdapter.updateSessionData(r, this.sessionDataName, o);
|
|
6888
|
+
}
|
|
6889
|
+
}
|
|
6873
6890
|
}
|
|
6874
6891
|
class er extends Ie {
|
|
6875
6892
|
/**
|
|
@@ -6882,11 +6899,12 @@ class er extends Ie {
|
|
|
6882
6899
|
super(r, s);
|
|
6883
6900
|
u(this, "userStorage");
|
|
6884
6901
|
u(this, "protectedEndpoints", {});
|
|
6902
|
+
u(this, "protectedEndpointPrefixes", []);
|
|
6885
6903
|
u(this, "errorBody", {});
|
|
6886
6904
|
u(this, "sessionDataName", "oauth");
|
|
6887
6905
|
u(this, "tokenLocations", ["header"]);
|
|
6888
6906
|
u(this, "sessionAdapter");
|
|
6889
|
-
if (
|
|
6907
|
+
if (C("errorBody", k.Json, this, s, "OAUTH_RESSERVER_ACCESS_DENIED_BODY"), C("tokenLocations", k.JsonArray, this, s, "OAUTH_TOKEN_LOCATIONS"), C("sessionDataName", k.String, this, s, "OAUTH_SESSION_DATA_NAME"), this.userStorage = s.userStorage, this.sessionAdapter = s.sessionAdapter, s.protectedEndpoints) {
|
|
6890
6908
|
const i = /^[!#\$%&'\(\)\*\+,\.\/a-zA-Z\[\]\^_`-]+/;
|
|
6891
6909
|
for (const [n, t] of Object.entries(s.protectedEndpoints)) {
|
|
6892
6910
|
if (!n.startsWith("/"))
|
|
@@ -6895,47 +6913,57 @@ class er extends Ie {
|
|
|
6895
6913
|
if (!i.test(a)) throw new l(g.Configuration, "Illegal characters in scope " + a);
|
|
6896
6914
|
});
|
|
6897
6915
|
}
|
|
6898
|
-
this.protectedEndpoints = s.protectedEndpoints;
|
|
6916
|
+
this.protectedEndpoints = { ...s.protectedEndpoints };
|
|
6917
|
+
for (let n in s.protectedEndpoints) {
|
|
6918
|
+
let t = this.protectedEndpoints[n];
|
|
6919
|
+
t.suburls == !0 && (n.endsWith("/") || (n += "/", this.protectedEndpoints[n] = t), this.protectedEndpointPrefixes.push(n));
|
|
6920
|
+
}
|
|
6899
6921
|
}
|
|
6900
6922
|
s.protectedEndpoints && o.addHook("preHandler", async (i, n) => {
|
|
6901
|
-
var
|
|
6923
|
+
var p, v;
|
|
6902
6924
|
const t = i.url.split("?", 2)[0];
|
|
6903
|
-
|
|
6904
|
-
|
|
6905
|
-
|
|
6906
|
-
|
|
6925
|
+
let a = !1, h = "";
|
|
6926
|
+
if (t in this.protectedEndpoints)
|
|
6927
|
+
a = !0, h = t;
|
|
6928
|
+
else
|
|
6929
|
+
for (let m of this.protectedEndpointPrefixes)
|
|
6930
|
+
t.startsWith(m) && (a = !0), h = m;
|
|
6931
|
+
if (!a) return;
|
|
6932
|
+
const f = await this.authorized(i);
|
|
6933
|
+
if (!(i.user && i.authType == "cookie" && this.protectedEndpoints[h].acceptSessionAuthorization != !0)) {
|
|
6934
|
+
if (!f) {
|
|
6907
6935
|
i.authError = "access_denied", i.authErrorDescription = "No access token";
|
|
6908
|
-
const
|
|
6909
|
-
return n.header("WWW-Authenticate",
|
|
6936
|
+
const m = this.authenticateHeader(i);
|
|
6937
|
+
return n.header("WWW-Authenticate", m).status(401).send(this.errorBody);
|
|
6910
6938
|
}
|
|
6911
|
-
if (!
|
|
6912
|
-
const
|
|
6913
|
-
return n.header("WWW-Authenticate",
|
|
6939
|
+
if (!f.authorized) {
|
|
6940
|
+
const m = this.authenticateHeader(i);
|
|
6941
|
+
return n.header("WWW-Authenticate", m).status(401).send(this.errorBody);
|
|
6914
6942
|
}
|
|
6915
6943
|
}
|
|
6916
|
-
if (
|
|
6917
|
-
if (i.accessTokenPayload =
|
|
6918
|
-
if (Array.isArray(
|
|
6919
|
-
let
|
|
6920
|
-
for (let
|
|
6921
|
-
typeof
|
|
6922
|
-
i.scope =
|
|
6923
|
-
} else typeof
|
|
6924
|
-
if (this.protectedEndpoints[
|
|
6925
|
-
for (let
|
|
6926
|
-
if (!i.scope || !i.scope.includes(
|
|
6944
|
+
if (f) {
|
|
6945
|
+
if (i.accessTokenPayload = f.tokenPayload, i.user = f.user, (p = f.tokenPayload) != null && p.scope)
|
|
6946
|
+
if (Array.isArray(f.tokenPayload.scope)) {
|
|
6947
|
+
let m = [];
|
|
6948
|
+
for (let w of f.tokenPayload.scope)
|
|
6949
|
+
typeof w == "string" && m.push(w);
|
|
6950
|
+
i.scope = m;
|
|
6951
|
+
} else typeof f.tokenPayload.scope == "string" && (i.scope = f.tokenPayload.scope.split(" "));
|
|
6952
|
+
if (this.protectedEndpoints[h].scope) {
|
|
6953
|
+
for (let m of this.protectedEndpoints[h].scope ?? [])
|
|
6954
|
+
if (!i.scope || !i.scope.includes(m) && this.protectedEndpoints[h].acceptSessionAuthorization != !0)
|
|
6927
6955
|
return d.logger.warn(c({
|
|
6928
6956
|
msg: "Access token does not have sufficient scope",
|
|
6929
|
-
username: (
|
|
6957
|
+
username: (v = i.user) == null ? void 0 : v.username,
|
|
6930
6958
|
url: i.url
|
|
6931
6959
|
})), i.scope = void 0, i.accessTokenPayload = void 0, i.user = void 0, i.authError = "access_denied", i.authErrorDescription = "Access token does not have sufficient scope", n.status(401).send(this.errorBody);
|
|
6932
6960
|
}
|
|
6933
|
-
if (i.authType = "oauth", i.authError =
|
|
6934
|
-
const
|
|
6935
|
-
return n.header("WWW-Authenticate",
|
|
6936
|
-
} else if (
|
|
6961
|
+
if (i.authType = "oauth", i.authError = f == null ? void 0 : f.error, (f == null ? void 0 : f.error) == "access_denied") {
|
|
6962
|
+
const m = this.authenticateHeader(i);
|
|
6963
|
+
return n.header("WWW-Authenticate", m).status(401).send(this.errorBody);
|
|
6964
|
+
} else if (f != null && f.error)
|
|
6937
6965
|
return n.status(500).send(this.errorBody);
|
|
6938
|
-
i.authErrorDescription =
|
|
6966
|
+
i.authErrorDescription = f == null ? void 0 : f.error_description, d.logger.debug(c({ msg: "Resource server url", url: i.url, authorized: i.accessTokenPayload != null }));
|
|
6939
6967
|
}
|
|
6940
6968
|
});
|
|
6941
6969
|
}
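Review bot: The prefix-matching loop at new lines 6929–6930 assigns `h = m` on every iteration regardless of whether `t.startsWith(m)` matched (the comma operator binds looser than `&&`), so after the loop `h` holds the last entry of `protectedEndpointPrefixes` rather than the matched prefix, and the loop does not stop at the first match either. Every later lookup in this hook — `this.protectedEndpoints[h].acceptSessionAuthorization` at new line 6933 and `this.protectedEndpoints[h].scope` at 6952–6954 — is therefore evaluated against another endpoint's configuration whenever more than one `suburls` prefix is registered, which can apply the wrong scope list or session-authorization setting to a protected URL. This is a minified bundle, so the defect presumably originates in the upstream source, but the shipped semantics are what is visible here; setting `h` only on a match and exiting the loop fixes it: `if (t.startsWith(m)) { a = !0; h = m; break; }`, and selecting the longest matching prefix instead of the first would additionally keep a broader prefix from shadowing a more specific, stricter one. The preHandler closure ends at new line 6968, inside this hunk.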
|
|
@@ -7037,8 +7065,8 @@ const rr = `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|
|
|
7037
7065
|
401: z,
|
|
7038
7066
|
500: G
|
|
7039
7067
|
};
|
|
7040
|
-
function sr(
|
|
7041
|
-
return
|
|
7068
|
+
function sr(S) {
|
|
7069
|
+
return S.admin == !0;
|
|
7042
7070
|
}
|
|
7043
7071
|
const K = class K {
|
|
7044
7072
|
/**
|
|
@@ -7119,7 +7147,7 @@ const K = class K {
|
|
|
7119
7147
|
/** Config for `@fastify/cors` */
|
|
7120
7148
|
u(this, "cors");
|
|
7121
7149
|
u(this, "audience", "");
|
|
7122
|
-
|
|
7150
|
+
C("views", k.String, this, a, "VIEWS"), C("cors", k.Json, this, a, "CORS"), a.isAdminFn && (K.isAdminFn = a.isAdminFn), a.app ? this.app = a.app : (this.views && ue.configure(this.views, {
|
|
7123
7151
|
autoescape: !0
|
|
7124
7152
|
}), this.app = Ee({ logger: !1 }), this.app.register(Te, {
|
|
7125
7153
|
engine: {
|
|
@@ -7129,11 +7157,11 @@ const K = class K {
|
|
|
7129
7157
|
"node_modules/shared-components",
|
|
7130
7158
|
this.views
|
|
7131
7159
|
]
|
|
7132
|
-
})), this.cors && this.app.register(
|
|
7160
|
+
})), this.cors && this.app.register(ye, this.cors), this.app.addContentTypeParser(
|
|
7133
7161
|
"text/json",
|
|
7134
7162
|
{ parseAs: "string" },
|
|
7135
7163
|
this.app.getDefaultJsonParser("ignore", "ignore")
|
|
7136
|
-
), this.app.register(
|
|
7164
|
+
), this.app.register(be), this.app.register(_e, {
|
|
7137
7165
|
// secret: "my-secret", // for cookies signature
|
|
7138
7166
|
parseOptions: {}
|
|
7139
7167
|
// options for parsing cookies
|
|
@@ -7190,7 +7218,7 @@ const K = class K {
|
|
|
7190
7218
|
)
|
|
7191
7219
|
);
|
|
7192
7220
|
}
|
|
7193
|
-
t && (this.audience = "",
|
|
7221
|
+
t && (this.audience = "", C("audience", k.String, this, a, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new er(
|
|
7194
7222
|
this.app,
|
|
7195
7223
|
[new Me(this.audience, a)],
|
|
7196
7224
|
{ sessionAdapter: this.sessionAdapter, ...t.options, ...a }
|
|
@@ -7424,7 +7452,7 @@ const K = class K {
|
|
|
7424
7452
|
}
|
|
7425
7453
|
};
|
|
7426
7454
|
u(K, "isAdminFn", sr);
|
|
7427
|
-
let
|
|
7455
|
+
let b = K;
|
|
7428
7456
|
class ur {
|
|
7429
7457
|
}
|
|
7430
7458
|
export {
|
|
@@ -7434,7 +7462,7 @@ export {
|
|
|
7434
7462
|
$e as FastifyAuthorizationServer,
|
|
7435
7463
|
we as FastifyOAuthClient,
|
|
7436
7464
|
er as FastifyOAuthResourceServer,
|
|
7437
|
-
|
|
7465
|
+
b as FastifyServer,
|
|
7438
7466
|
ur as FastifySessionAdapter,
|
|
7439
7467
|
Ke as FastifySessionServer,
|
|
7440
7468
|
Ge as FastifyUserClientEndpoints,
|