@crossauth/frontend 0.0.13 → 0.0.15
- package/dist/index.cjs +1 -1
- package/dist/index.d.ts +5 -1
- package/dist/index.iife.js +1 -1
- package/dist/index.js +429 -409
- package/dist/oauth/autorefresher.d.ts +1 -1
- package/dist/oauth/bffclient.d.ts +14 -13
- package/dist/oauth/client.d.ts +22 -23
- package/dist/oauth/devicecodepoller.d.ts +1 -1
- package/dist/oauth/tokenprovider.d.ts +1 -1
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -73,14 +73,14 @@ class g extends Error {
|
|
|
73
73
|
* @param message if provided, this error will display. Otherwise a default one for the error code will be used.
|
|
74
74
|
*/
|
|
75
75
|
constructor(e, t = void 0) {
|
|
76
|
-
let o,
|
|
77
|
-
e == 0 ? (o = "User does not exist",
|
|
76
|
+
let o, i = 500;
|
|
77
|
+
e == 0 ? (o = "User does not exist", i = 401) : e == 1 ? (o = "Password doesn't match", i = 401) : e == 3 ? (o = "Username or password incorrect", i = 401) : e == 4 ? (o = "Client id is invalid", i = 401) : e == 5 ? (o = "Client ID or name already exists", i = 500) : e == 6 ? (o = "Client secret is invalid", i = 401) : e == 7 ? (o = "Client id or secret is invalid", i = 401) : e == 8 ? (o = "Redirect Uri is not registered", i = 401) : e == 9 ? (o = "Invalid OAuth flow type", i = 500) : e == 2 ? (o = "No user exists with that email address", i = 401) : e == 10 ? (o = "Account is not active", i = 403) : e == 33 ? (o = "Username is not in an allowed format", i = 400) : e == 31 ? (o = "Email is not in an allowed format", i = 400) : e == 32 ? (o = "Phone number is not in an allowed format", i = 400) : e == 11 ? (o = "Email address has not been verified", i = 403) : e == 12 ? (o = "Two-factor setup is not complete", i = 403) : e == 13 ? (o = "Not authorized", i = 401) : e == 14 ? (o = "Client not authorized", i = 401) : e == 15 ? (o = "Invalid scope", i = 403) : e == 16 ? (o = "Insufficient scope", i = 403) : e == 23 ? o = "Connection failure" : e == 22 ? (o = "Token has expired", i = 401) : e == 24 ? o = "Hash is not in a valid format" : e == 19 ? (o = "Key is invalid", i = 401) : e == 18 ? (o = "You do not have permission to access this resource", i = 403) : e == 17 ? (o = "You do not have the right privileges to access this resource", i = 401) : e == 20 ? (o = "CSRF token is invalid", i = 401) : e == 21 ? (o = "Session cookie is invalid", i = 401) : e == 25 ? o = "Algorithm not supported" : e == 26 ? o = "Attempt to create a key that already exists" : e == 27 ? (o = "User must change password", i = 403) : e == 28 ? (o = "User must reset password", i = 403) : e == 29 ? (o = "User must reset 2FA", i = 403) : e == 30 ? o = "There was an error in the configuration" : e == 34 ? (o = "Passwords do not match", i = 401) : e == 35 ? 
(o = "Token is not valid", i = 401) : e == 36 ? (o = "MFA is required", i = 401) : e == 37 ? (o = "Password format was incorrect", i = 401) : e == 40 ? (o = "User already exists", i = 400) : e == 42 ? (o = "The request is invalid", i = 400) : e == 38 ? (o = "Session data has unexpected format", i = 500) : e == 39 ? (o = "Couldn't execute a fetch", i = 500) : e == 43 ? (o = "Waiting for authorization", i = 200) : e == 44 ? (o = "Slow polling down by 5 seconds", i = 200) : e == 45 ? (o = "Token has expired", i = 401) : e == 46 ? (o = "Database update/insert caused a constraint violation", i = 500) : e == 47 ? (o = "This method has not been implemented", i = 500) : (o = "Unknown error", i = 500), t != null && !Array.isArray(t) ? o = t : Array.isArray(t) && (o = t.join(". ")), super(o), l(this, "isCrossauthError", !0), l(this, "httpStatus"), l(this, "code"), l(this, "codeName"), l(this, "messages"), this.code = e, this.codeName = m[e], this.httpStatus = i, this.name = "CrossauthError", Array.isArray(t) ? this.messages = t : this.messages = [o], Object.setPrototypeOf(this, g.prototype);
|
|
78
78
|
}
|
|
79
79
|
/**
|
|
80
80
|
* OAuth defines certain error types. To convert the error in an OAuth
|
|
81
81
|
* response into a CrossauthError object, call this function.
|
|
82
82
|
*
|
|
83
|
-
* @param error as returned by an OAuth call (converted to an {@link
|
|
83
|
+
* @param error as returned by an OAuth call (converted to an {@link ErrorCode}).
|
|
84
84
|
* @param error_description as returned by an OAuth call (put in the `message`)
|
|
85
85
|
* @returns a `CrossauthError` instance.
|
|
86
86
|
*/
|
|
@@ -164,7 +164,7 @@ class g extends Error {
|
|
|
164
164
|
* it.
|
|
165
165
|
* If not and it is an object with `errorCode` in it, creates a
|
|
166
166
|
* CrossauthError from that and `errorMessage`, if present.
|
|
167
|
-
* Otherwise creates a `CrossauthError` object with {@link
|
|
167
|
+
* Otherwise creates a `CrossauthError` object with {@link ErrorCode}
|
|
168
168
|
* of `Unknown` from it, setting the `message` if possible.
|
|
169
169
|
*
|
|
170
170
|
* @param e the error to convert.
|
|
@@ -174,13 +174,13 @@ class g extends Error {
|
|
|
174
174
|
if (e instanceof Error)
|
|
175
175
|
return "isCrossauthError" in e ? e : new g(48, e.message);
|
|
176
176
|
if ("errorCode" in e) {
|
|
177
|
-
let
|
|
177
|
+
let i = 48;
|
|
178
178
|
try {
|
|
179
|
-
|
|
179
|
+
i = Number(e.errorCode) ?? 48;
|
|
180
180
|
} catch {
|
|
181
181
|
}
|
|
182
|
-
let n = t ?? m[
|
|
183
|
-
return "errorMessage" in e ? n = e.errorMessage : "message" in e && (n = e.message), new g(
|
|
182
|
+
let n = t ?? m[i];
|
|
183
|
+
return "errorMessage" in e ? n = e.errorMessage : "message" in e && (n = e.message), new g(i, n);
|
|
184
184
|
}
|
|
185
185
|
let o = t ?? m[
|
|
186
186
|
48
|
|
@@ -262,8 +262,8 @@ l(W, "Error", 1), /** Log errors and warning */
|
|
|
262
262
|
l(W, "Warn", 2), /** Log errors, warnings and info messages */
|
|
263
263
|
l(W, "Info", 3), /** Log everything */
|
|
264
264
|
l(W, "Debug", 4), l(W, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
|
|
265
|
-
let
|
|
266
|
-
function
|
|
265
|
+
let d = W;
|
|
266
|
+
function h(r) {
|
|
267
267
|
let e;
|
|
268
268
|
typeof r == "object" && "err" in r && typeof r.err == "object" && (e = r.err.stack);
|
|
269
269
|
try {
|
|
@@ -284,7 +284,7 @@ function d(r) {
|
|
|
284
284
|
}
|
|
285
285
|
return typeof r == "string" || globalThis.crossauthLoggerAcceptsJson ? r : JSON.stringify(r);
|
|
286
286
|
}
|
|
287
|
-
globalThis.crossauthLogger = new
|
|
287
|
+
globalThis.crossauthLogger = new d(d.None);
|
|
288
288
|
globalThis.crossauthLoggerAcceptsJson = !0;
|
|
289
289
|
const ye = {
|
|
290
290
|
issuer: "",
|
|
@@ -303,10 +303,10 @@ const ye = {
|
|
|
303
303
|
require_request_uri_registration: !1
|
|
304
304
|
}, te = crypto, we = (r) => r instanceof CryptoKey, X = new TextEncoder(), G = new TextDecoder();
|
|
305
305
|
function He(...r) {
|
|
306
|
-
const e = r.reduce((
|
|
306
|
+
const e = r.reduce((i, { length: n }) => i + n, 0), t = new Uint8Array(e);
|
|
307
307
|
let o = 0;
|
|
308
|
-
for (const
|
|
309
|
-
t.set(
|
|
308
|
+
for (const i of r)
|
|
309
|
+
t.set(i, o), o += i.length;
|
|
310
310
|
return t;
|
|
311
311
|
}
|
|
312
312
|
const xe = (r) => {
|
|
@@ -348,7 +348,7 @@ class S extends oe {
|
|
|
348
348
|
return "ERR_JWS_INVALID";
|
|
349
349
|
}
|
|
350
350
|
}
|
|
351
|
-
class
|
|
351
|
+
class z extends oe {
|
|
352
352
|
constructor() {
|
|
353
353
|
super(...arguments), this.code = "ERR_JWT_INVALID";
|
|
354
354
|
}
|
|
@@ -370,7 +370,7 @@ function U(r, e = "algorithm.name") {
|
|
|
370
370
|
function Q(r, e) {
|
|
371
371
|
return r.name === e;
|
|
372
372
|
}
|
|
373
|
-
function
|
|
373
|
+
function ie(r) {
|
|
374
374
|
return parseInt(r.name.slice(4), 10);
|
|
375
375
|
}
|
|
376
376
|
function Ke(r) {
|
|
@@ -385,7 +385,7 @@ function Ke(r) {
|
|
|
385
385
|
throw new Error("unreachable");
|
|
386
386
|
}
|
|
387
387
|
}
|
|
388
|
-
function
|
|
388
|
+
function De(r, e) {
|
|
389
389
|
if (e.length && !e.some((t) => r.usages.includes(t))) {
|
|
390
390
|
let t = "CryptoKey does not support this operation, its usages must include ";
|
|
391
391
|
if (e.length > 2) {
|
|
@@ -395,7 +395,7 @@ function ze(r, e) {
|
|
|
395
395
|
throw new TypeError(t);
|
|
396
396
|
}
|
|
397
397
|
}
|
|
398
|
-
function
|
|
398
|
+
function ze(r, e, ...t) {
|
|
399
399
|
switch (e) {
|
|
400
400
|
case "HS256":
|
|
401
401
|
case "HS384":
|
|
@@ -403,7 +403,7 @@ function De(r, e, ...t) {
|
|
|
403
403
|
if (!Q(r.algorithm, "HMAC"))
|
|
404
404
|
throw U("HMAC");
|
|
405
405
|
const o = parseInt(e.slice(2), 10);
|
|
406
|
-
if (
|
|
406
|
+
if (ie(r.algorithm.hash) !== o)
|
|
407
407
|
throw U(`SHA-${o}`, "algorithm.hash");
|
|
408
408
|
break;
|
|
409
409
|
}
|
|
@@ -413,7 +413,7 @@ function De(r, e, ...t) {
|
|
|
413
413
|
if (!Q(r.algorithm, "RSASSA-PKCS1-v1_5"))
|
|
414
414
|
throw U("RSASSA-PKCS1-v1_5");
|
|
415
415
|
const o = parseInt(e.slice(2), 10);
|
|
416
|
-
if (
|
|
416
|
+
if (ie(r.algorithm.hash) !== o)
|
|
417
417
|
throw U(`SHA-${o}`, "algorithm.hash");
|
|
418
418
|
break;
|
|
419
419
|
}
|
|
@@ -423,7 +423,7 @@ function De(r, e, ...t) {
|
|
|
423
423
|
if (!Q(r.algorithm, "RSA-PSS"))
|
|
424
424
|
throw U("RSA-PSS");
|
|
425
425
|
const o = parseInt(e.slice(2), 10);
|
|
426
|
-
if (
|
|
426
|
+
if (ie(r.algorithm.hash) !== o)
|
|
427
427
|
throw U(`SHA-${o}`, "algorithm.hash");
|
|
428
428
|
break;
|
|
429
429
|
}
|
|
@@ -445,13 +445,13 @@ function De(r, e, ...t) {
|
|
|
445
445
|
default:
|
|
446
446
|
throw new TypeError("CryptoKey does not support this operation");
|
|
447
447
|
}
|
|
448
|
-
|
|
448
|
+
De(r, t);
|
|
449
449
|
}
|
|
450
450
|
function me(r, e, ...t) {
|
|
451
451
|
var o;
|
|
452
452
|
if (t.length > 2) {
|
|
453
|
-
const
|
|
454
|
-
r += `one of type ${t.join(", ")}, or ${
|
|
453
|
+
const i = t.pop();
|
|
454
|
+
r += `one of type ${t.join(", ")}, or ${i}.`;
|
|
455
455
|
} else t.length === 2 ? r += `one of type ${t[0]} or ${t[1]}.` : r += `of type ${t[0]}.`;
|
|
456
456
|
return e == null ? r += ` Received ${e}` : typeof e == "function" && e.name ? r += ` Received function ${e.name}` : typeof e == "object" && e != null && (o = e.constructor) != null && o.name && (r += ` Received an instance of ${e.constructor.name}`), r;
|
|
457
457
|
}
|
|
@@ -459,18 +459,18 @@ const he = (r, ...e) => me("Key must be ", r, ...e);
|
|
|
459
459
|
function ve(r, e, ...t) {
|
|
460
460
|
return me(`Key for the ${r} algorithm must be `, e, ...t);
|
|
461
461
|
}
|
|
462
|
-
const
|
|
462
|
+
const ke = (r) => we(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", re = ["CryptoKey"], We = (...r) => {
|
|
463
463
|
const e = r.filter(Boolean);
|
|
464
464
|
if (e.length === 0 || e.length === 1)
|
|
465
465
|
return !0;
|
|
466
466
|
let t;
|
|
467
467
|
for (const o of e) {
|
|
468
|
-
const
|
|
468
|
+
const i = Object.keys(o);
|
|
469
469
|
if (!t || t.size === 0) {
|
|
470
|
-
t = new Set(
|
|
470
|
+
t = new Set(i);
|
|
471
471
|
continue;
|
|
472
472
|
}
|
|
473
|
-
for (const n of
|
|
473
|
+
for (const n of i) {
|
|
474
474
|
if (t.has(n))
|
|
475
475
|
return !1;
|
|
476
476
|
t.add(n);
|
|
@@ -570,33 +570,33 @@ function Me(r) {
|
|
|
570
570
|
}
|
|
571
571
|
return { algorithm: e, keyUsages: t };
|
|
572
572
|
}
|
|
573
|
-
const
|
|
573
|
+
const Ce = async (r) => {
|
|
574
574
|
if (!r.alg)
|
|
575
575
|
throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
|
|
576
576
|
const { algorithm: e, keyUsages: t } = Me(r), o = [
|
|
577
577
|
e,
|
|
578
578
|
r.ext ?? !1,
|
|
579
579
|
r.key_ops ?? t
|
|
580
|
-
],
|
|
581
|
-
return delete
|
|
582
|
-
},
|
|
583
|
-
let
|
|
584
|
-
const
|
|
585
|
-
let
|
|
586
|
-
if (
|
|
587
|
-
return
|
|
588
|
-
const n = await
|
|
589
|
-
return
|
|
580
|
+
], i = { ...r };
|
|
581
|
+
return delete i.alg, delete i.use, te.subtle.importKey("jwk", i, ...o);
|
|
582
|
+
}, _e = (r) => M(r);
|
|
583
|
+
let se, ne;
|
|
584
|
+
const Se = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", Te = async (r, e, t, o) => {
|
|
585
|
+
let i = r.get(e);
|
|
586
|
+
if (i != null && i[o])
|
|
587
|
+
return i[o];
|
|
588
|
+
const n = await Ce({ ...t, alg: o });
|
|
589
|
+
return i ? i[o] = n : r.set(e, { [o]: n }), n;
|
|
590
590
|
}, Be = (r, e) => {
|
|
591
|
-
if (
|
|
591
|
+
if (Se(r)) {
|
|
592
592
|
let t = r.export({ format: "jwk" });
|
|
593
|
-
return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ?
|
|
593
|
+
return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ? _e(t.k) : (ne || (ne = /* @__PURE__ */ new WeakMap()), Te(ne, r, t, e));
|
|
594
594
|
}
|
|
595
595
|
return r;
|
|
596
596
|
}, Le = (r, e) => {
|
|
597
|
-
if (
|
|
597
|
+
if (Se(r)) {
|
|
598
598
|
let t = r.export({ format: "jwk" });
|
|
599
|
-
return t.k ?
|
|
599
|
+
return t.k ? _e(t.k) : (se || (se = /* @__PURE__ */ new WeakMap()), Te(se, r, t, e));
|
|
600
600
|
}
|
|
601
601
|
return r;
|
|
602
602
|
}, $e = { normalizePublicKey: Be, normalizePrivateKey: Le }, x = (r, e, t = 0) => {
|
|
@@ -604,8 +604,8 @@ const _e = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
|
|
|
604
604
|
const o = r.indexOf(e[0], t);
|
|
605
605
|
if (o === -1)
|
|
606
606
|
return !1;
|
|
607
|
-
const
|
|
608
|
-
return
|
|
607
|
+
const i = r.subarray(o, o + e.length);
|
|
608
|
+
return i.length !== e.length ? !1 : i.every((n, s) => n === e[s]) || x(r, e, o + 1);
|
|
609
609
|
}, le = (r) => {
|
|
610
610
|
switch (!0) {
|
|
611
611
|
case x(r, [42, 134, 72, 206, 61, 3, 1, 7]):
|
|
@@ -625,19 +625,19 @@ const _e = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
|
|
|
625
625
|
default:
|
|
626
626
|
throw new I("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
|
|
627
627
|
}
|
|
628
|
-
}, be = async (r, e, t, o,
|
|
629
|
-
let n,
|
|
630
|
-
const a = new Uint8Array(atob(t.replace(r, "")).split("").map((u) => u.charCodeAt(0))),
|
|
628
|
+
}, be = async (r, e, t, o, i) => {
|
|
629
|
+
let n, s;
|
|
630
|
+
const a = new Uint8Array(atob(t.replace(r, "")).split("").map((u) => u.charCodeAt(0))), c = e === "spki";
|
|
631
631
|
switch (o) {
|
|
632
632
|
case "PS256":
|
|
633
633
|
case "PS384":
|
|
634
634
|
case "PS512":
|
|
635
|
-
n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` },
|
|
635
|
+
n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` }, s = c ? ["verify"] : ["sign"];
|
|
636
636
|
break;
|
|
637
637
|
case "RS256":
|
|
638
638
|
case "RS384":
|
|
639
639
|
case "RS512":
|
|
640
|
-
n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` },
|
|
640
|
+
n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` }, s = c ? ["verify"] : ["sign"];
|
|
641
641
|
break;
|
|
642
642
|
case "RSA-OAEP":
|
|
643
643
|
case "RSA-OAEP-256":
|
|
@@ -646,32 +646,32 @@ const _e = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
|
|
|
646
646
|
n = {
|
|
647
647
|
name: "RSA-OAEP",
|
|
648
648
|
hash: `SHA-${parseInt(o.slice(-3), 10) || 1}`
|
|
649
|
-
},
|
|
649
|
+
}, s = c ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
|
|
650
650
|
break;
|
|
651
651
|
case "ES256":
|
|
652
|
-
n = { name: "ECDSA", namedCurve: "P-256" },
|
|
652
|
+
n = { name: "ECDSA", namedCurve: "P-256" }, s = c ? ["verify"] : ["sign"];
|
|
653
653
|
break;
|
|
654
654
|
case "ES384":
|
|
655
|
-
n = { name: "ECDSA", namedCurve: "P-384" },
|
|
655
|
+
n = { name: "ECDSA", namedCurve: "P-384" }, s = c ? ["verify"] : ["sign"];
|
|
656
656
|
break;
|
|
657
657
|
case "ES512":
|
|
658
|
-
n = { name: "ECDSA", namedCurve: "P-521" },
|
|
658
|
+
n = { name: "ECDSA", namedCurve: "P-521" }, s = c ? ["verify"] : ["sign"];
|
|
659
659
|
break;
|
|
660
660
|
case "ECDH-ES":
|
|
661
661
|
case "ECDH-ES+A128KW":
|
|
662
662
|
case "ECDH-ES+A192KW":
|
|
663
663
|
case "ECDH-ES+A256KW": {
|
|
664
664
|
const u = le(a);
|
|
665
|
-
n = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u },
|
|
665
|
+
n = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u }, s = c ? [] : ["deriveBits"];
|
|
666
666
|
break;
|
|
667
667
|
}
|
|
668
668
|
case "EdDSA":
|
|
669
|
-
n = { name: le(a) },
|
|
669
|
+
n = { name: le(a) }, s = c ? ["verify"] : ["sign"];
|
|
670
670
|
break;
|
|
671
671
|
default:
|
|
672
672
|
throw new I('Invalid or unsupported "alg" (Algorithm) value');
|
|
673
673
|
}
|
|
674
|
-
return te.subtle.importKey(e, a, n, !1,
|
|
674
|
+
return te.subtle.importKey(e, a, n, !1, s);
|
|
675
675
|
}, qe = (r, e, t) => be(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", r, e), Ve = (r, e, t) => be(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", r, e);
|
|
676
676
|
async function Ge(r, e, t) {
|
|
677
677
|
if (typeof r != "string" || r.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
|
|
@@ -696,20 +696,20 @@ async function ue(r, e) {
|
|
|
696
696
|
throw new I('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
|
|
697
697
|
case "EC":
|
|
698
698
|
case "OKP":
|
|
699
|
-
return
|
|
699
|
+
return Ce({ ...r, alg: e });
|
|
700
700
|
default:
|
|
701
701
|
throw new I('Unsupported "kty" (Key Type) Parameter value');
|
|
702
702
|
}
|
|
703
703
|
}
|
|
704
704
|
const ee = (r) => r == null ? void 0 : r[Symbol.toStringTag], Xe = (r, e) => {
|
|
705
705
|
if (!(e instanceof Uint8Array)) {
|
|
706
|
-
if (!
|
|
706
|
+
if (!ke(e))
|
|
707
707
|
throw new TypeError(ve(r, e, ...re, "Uint8Array"));
|
|
708
708
|
if (e.type !== "secret")
|
|
709
709
|
throw new TypeError(`${ee(e)} instances for symmetric algorithms must be of type "secret"`);
|
|
710
710
|
}
|
|
711
711
|
}, Qe = (r, e, t) => {
|
|
712
|
-
if (!
|
|
712
|
+
if (!ke(e))
|
|
713
713
|
throw new TypeError(ve(r, e, ...re));
|
|
714
714
|
if (e.type === "secret")
|
|
715
715
|
throw new TypeError(`${ee(e)} instances for asymmetric algorithms must not be of type "secret"`);
|
|
@@ -720,22 +720,22 @@ const ee = (r) => r == null ? void 0 : r[Symbol.toStringTag], Xe = (r, e) => {
|
|
|
720
720
|
}, Ze = (r, e, t) => {
|
|
721
721
|
r.startsWith("HS") || r === "dir" || r.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(r) ? Xe(r, e) : Qe(r, e, t);
|
|
722
722
|
};
|
|
723
|
-
function er(r, e, t, o,
|
|
724
|
-
if (
|
|
723
|
+
function er(r, e, t, o, i) {
|
|
724
|
+
if (i.crit !== void 0 && (o == null ? void 0 : o.crit) === void 0)
|
|
725
725
|
throw new r('"crit" (Critical) Header Parameter MUST be integrity protected');
|
|
726
726
|
if (!o || o.crit === void 0)
|
|
727
727
|
return /* @__PURE__ */ new Set();
|
|
728
|
-
if (!Array.isArray(o.crit) || o.crit.length === 0 || o.crit.some((
|
|
728
|
+
if (!Array.isArray(o.crit) || o.crit.length === 0 || o.crit.some((s) => typeof s != "string" || s.length === 0))
|
|
729
729
|
throw new r('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
|
|
730
730
|
let n;
|
|
731
731
|
n = e;
|
|
732
|
-
for (const
|
|
733
|
-
if (!n.has(
|
|
734
|
-
throw new I(`Extension Header Parameter "${
|
|
735
|
-
if (s
|
|
736
|
-
throw new r(`Extension Header Parameter "${
|
|
737
|
-
if (n.get(
|
|
738
|
-
throw new r(`Extension Header Parameter "${
|
|
732
|
+
for (const s of o.crit) {
|
|
733
|
+
if (!n.has(s))
|
|
734
|
+
throw new I(`Extension Header Parameter "${s}" is not recognized`);
|
|
735
|
+
if (i[s] === void 0)
|
|
736
|
+
throw new r(`Extension Header Parameter "${s}" is missing`);
|
|
737
|
+
if (n.get(s) && o[s] === void 0)
|
|
738
|
+
throw new r(`Extension Header Parameter "${s}" MUST be integrity protected`);
|
|
739
739
|
}
|
|
740
740
|
return new Set(o.crit);
|
|
741
741
|
}
|
|
@@ -766,7 +766,7 @@ function rr(r, e) {
|
|
|
766
766
|
}
|
|
767
767
|
async function tr(r, e, t) {
|
|
768
768
|
if (e = await $e.normalizePublicKey(e, r), we(e))
|
|
769
|
-
return
|
|
769
|
+
return ze(e, r, t), e;
|
|
770
770
|
if (e instanceof Uint8Array) {
|
|
771
771
|
if (!r.startsWith("HS"))
|
|
772
772
|
throw new TypeError(he(e, ...re));
|
|
@@ -775,16 +775,16 @@ async function tr(r, e, t) {
|
|
|
775
775
|
throw new TypeError(he(e, ...re, "Uint8Array"));
|
|
776
776
|
}
|
|
777
777
|
const or = async (r, e, t, o) => {
|
|
778
|
-
const
|
|
779
|
-
Je(r,
|
|
780
|
-
const n = rr(r,
|
|
778
|
+
const i = await tr(r, e, "verify");
|
|
779
|
+
Je(r, i);
|
|
780
|
+
const n = rr(r, i.algorithm);
|
|
781
781
|
try {
|
|
782
|
-
return await te.subtle.verify(n,
|
|
782
|
+
return await te.subtle.verify(n, i, t, o);
|
|
783
783
|
} catch {
|
|
784
784
|
return !1;
|
|
785
785
|
}
|
|
786
786
|
};
|
|
787
|
-
async function
|
|
787
|
+
async function ir(r, e, t) {
|
|
788
788
|
if (!V(r))
|
|
789
789
|
throw new S("Flattened JWS must be an object");
|
|
790
790
|
if (r.protected === void 0 && r.header === void 0)
|
|
@@ -807,23 +807,23 @@ async function sr(r, e, t) {
|
|
|
807
807
|
}
|
|
808
808
|
if (!We(o, r.header))
|
|
809
809
|
throw new S("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
|
|
810
|
-
const
|
|
810
|
+
const i = {
|
|
811
811
|
...o,
|
|
812
812
|
...r.header
|
|
813
|
-
}, n = er(S, /* @__PURE__ */ new Map([["b64", !0]]), void 0, o,
|
|
814
|
-
let
|
|
815
|
-
if (n.has("b64") && (
|
|
813
|
+
}, n = er(S, /* @__PURE__ */ new Map([["b64", !0]]), void 0, o, i);
|
|
814
|
+
let s = !0;
|
|
815
|
+
if (n.has("b64") && (s = o.b64, typeof s != "boolean"))
|
|
816
816
|
throw new S('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
|
|
817
|
-
const { alg: a } =
|
|
817
|
+
const { alg: a } = i;
|
|
818
818
|
if (typeof a != "string" || !a)
|
|
819
819
|
throw new S('JWS "alg" (Algorithm) Header Parameter missing or invalid');
|
|
820
|
-
if (
|
|
820
|
+
if (s) {
|
|
821
821
|
if (typeof r.payload != "string")
|
|
822
822
|
throw new S("JWS Payload must be a string");
|
|
823
823
|
} else if (typeof r.payload != "string" && !(r.payload instanceof Uint8Array))
|
|
824
824
|
throw new S("JWS Payload must be a string or an Uint8Array instance");
|
|
825
|
-
let
|
|
826
|
-
typeof e == "function" && (e = await e(o, r),
|
|
825
|
+
let c = !1;
|
|
826
|
+
typeof e == "function" && (e = await e(o, r), c = !0), Ze(a, e, "verify");
|
|
827
827
|
const u = He(X.encode(r.protected ?? ""), X.encode("."), typeof r.payload == "string" ? X.encode(r.payload) : r.payload);
|
|
828
828
|
let y;
|
|
829
829
|
try {
|
|
@@ -833,25 +833,25 @@ async function sr(r, e, t) {
|
|
|
833
833
|
}
|
|
834
834
|
if (!await or(a, e, y, u))
|
|
835
835
|
throw new je();
|
|
836
|
-
let
|
|
837
|
-
if (
|
|
836
|
+
let k;
|
|
837
|
+
if (s)
|
|
838
838
|
try {
|
|
839
|
-
|
|
839
|
+
k = M(r.payload);
|
|
840
840
|
} catch {
|
|
841
841
|
throw new S("Failed to base64url decode the payload");
|
|
842
842
|
}
|
|
843
|
-
else typeof r.payload == "string" ?
|
|
844
|
-
const Y = { payload:
|
|
845
|
-
return r.protected !== void 0 && (Y.protectedHeader = o), r.header !== void 0 && (Y.unprotectedHeader = r.header),
|
|
843
|
+
else typeof r.payload == "string" ? k = X.encode(r.payload) : k = r.payload;
|
|
844
|
+
const Y = { payload: k };
|
|
845
|
+
return r.protected !== void 0 && (Y.protectedHeader = o), r.header !== void 0 && (Y.unprotectedHeader = r.header), c ? { ...Y, key: e } : Y;
|
|
846
846
|
}
|
|
847
|
-
async function
|
|
847
|
+
async function sr(r, e, t) {
|
|
848
848
|
if (r instanceof Uint8Array && (r = G.decode(r)), typeof r != "string")
|
|
849
849
|
throw new S("Compact JWS must be a string or Uint8Array");
|
|
850
|
-
const { 0: o, 1:
|
|
851
|
-
if (
|
|
850
|
+
const { 0: o, 1: i, 2: n, length: s } = r.split(".");
|
|
851
|
+
if (s !== 3)
|
|
852
852
|
throw new S("Invalid Compact JWS");
|
|
853
|
-
const a = await
|
|
854
|
-
return typeof e == "function" ? { ...
|
|
853
|
+
const a = await ir({ payload: i, protected: o, signature: n }, e), c = { payload: a.payload, protectedHeader: a.protectedHeader };
|
|
854
|
+
return typeof e == "function" ? { ...c, key: a.key } : c;
|
|
855
855
|
}
|
|
856
856
|
const Ee = M;
|
|
857
857
|
function nr(r) {
|
|
@@ -877,29 +877,29 @@ function nr(r) {
|
|
|
877
877
|
}
|
|
878
878
|
function ar(r) {
|
|
879
879
|
if (typeof r != "string")
|
|
880
|
-
throw new
|
|
880
|
+
throw new z("JWTs must use Compact JWS serialization, JWT must be a string");
|
|
881
881
|
const { 1: e, length: t } = r.split(".");
|
|
882
882
|
if (t === 5)
|
|
883
|
-
throw new
|
|
883
|
+
throw new z("Only JWTs using Compact JWS serialization can be decoded");
|
|
884
884
|
if (t !== 3)
|
|
885
|
-
throw new
|
|
885
|
+
throw new z("Invalid JWT");
|
|
886
886
|
if (!e)
|
|
887
|
-
throw new
|
|
887
|
+
throw new z("JWTs must contain a payload");
|
|
888
888
|
let o;
|
|
889
889
|
try {
|
|
890
890
|
o = Ee(e);
|
|
891
891
|
} catch {
|
|
892
|
-
throw new
|
|
892
|
+
throw new z("Failed to base64url decode the payload");
|
|
893
893
|
}
|
|
894
|
-
let
|
|
894
|
+
let i;
|
|
895
895
|
try {
|
|
896
|
-
|
|
896
|
+
i = JSON.parse(G.decode(o));
|
|
897
897
|
} catch {
|
|
898
|
-
throw new
|
|
898
|
+
throw new z("Failed to parse the decoded payload as JSON");
|
|
899
899
|
}
|
|
900
|
-
if (!V(
|
|
901
|
-
throw new
|
|
902
|
-
return
|
|
900
|
+
if (!V(i))
|
|
901
|
+
throw new z("Invalid JWT Claims Set");
|
|
902
|
+
return i;
|
|
903
903
|
}
|
|
904
904
|
const C = class v {
|
|
905
905
|
/**
|
|
@@ -996,7 +996,7 @@ l(C, "flowName", {
|
|
|
996
996
|
[C.PasswordMfa]: "Password MFA",
|
|
997
997
|
[C.OidcAuthorizationCode]: "OIDC Authorization Code"
|
|
998
998
|
});
|
|
999
|
-
var
|
|
999
|
+
var _, T, q, F, J;
|
|
1000
1000
|
class cr {
|
|
1001
1001
|
/**
|
|
1002
1002
|
* Constructor.
|
|
@@ -1029,19 +1029,19 @@ class cr {
|
|
|
1029
1029
|
authServerBaseUrl: e,
|
|
1030
1030
|
client_id: t,
|
|
1031
1031
|
client_secret: o,
|
|
1032
|
-
redirect_uri:
|
|
1032
|
+
redirect_uri: i,
|
|
1033
1033
|
codeChallengeMethod: n,
|
|
1034
|
-
stateLength:
|
|
1034
|
+
stateLength: s,
|
|
1035
1035
|
verifierLength: a,
|
|
1036
|
-
tokenConsumer:
|
|
1036
|
+
tokenConsumer: c,
|
|
1037
1037
|
authServerCredentials: u,
|
|
1038
1038
|
authServerMode: y,
|
|
1039
|
-
authServerHeaders:
|
|
1039
|
+
authServerHeaders: k
|
|
1040
1040
|
}) {
|
|
1041
|
-
l(this, "authServerBaseUrl", ""), $(this,
|
|
1041
|
+
l(this, "authServerBaseUrl", ""), $(this, _), $(this, T), $(this, q), l(this, "codeChallengeMethod", "S256"), $(this, F), l(this, "verifierLength", 32), l(this, "redirect_uri"), $(this, J, ""), l(this, "stateLength", 32), l(this, "authzCode", ""), l(this, "oidcConfig"), l(this, "tokenConsumer"), l(this, "authServerHeaders", {}), l(this, "authServerMode"), l(this, "authServerCredentials"), this.tokenConsumer = c, this.authServerBaseUrl = e, a && (this.verifierLength = a), s && (this.stateLength = s), t && A(this, _, t), o && A(this, T, o), i && (this.redirect_uri = i), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, u && (this.authServerCredentials = u), y && (this.authServerMode = y), k && (this.authServerHeaders = k);
|
|
1042
1042
|
}
|
|
1043
1043
|
set client_id(e) {
|
|
1044
|
-
A(this,
|
|
1044
|
+
A(this, _, e);
|
|
1045
1045
|
}
|
|
1046
1046
|
set client_secret(e) {
|
|
1047
1047
|
A(this, T, e);
|
|
@@ -1063,12 +1063,12 @@ class cr {
|
|
|
1063
1063
|
* Otherwise, performs a fetch by appending
|
|
1064
1064
|
* `/.well-known/openid-configuration` to the
|
|
1065
1065
|
* `authServerBaseUrl`.
|
|
1066
|
-
* @throws {@link
|
|
1066
|
+
* @throws {@link CrossauthError} with the following {@link ErrorCode}s
|
|
1067
1067
|
* - `Connection` if data from the URL could not be fetched or parsed.
|
|
1068
1068
|
*/
|
|
1069
1069
|
async loadConfig(e) {
|
|
1070
1070
|
if (e) {
|
|
1071
|
-
|
|
1071
|
+
d.logger.debug(h({ msg: "Reading OIDC config locally" })), this.oidcConfig = e;
|
|
1072
1072
|
return;
|
|
1073
1073
|
}
|
|
1074
1074
|
let t;
|
|
@@ -1076,11 +1076,11 @@ class cr {
|
|
|
1076
1076
|
const o = new URL(
|
|
1077
1077
|
this.authServerBaseUrl + "/.well-known/openid-configuration"
|
|
1078
1078
|
);
|
|
1079
|
-
|
|
1080
|
-
let
|
|
1081
|
-
this.authServerMode && (
|
|
1079
|
+
d.logger.debug(h({ msg: `Fetching OIDC config from ${o}` }));
|
|
1080
|
+
let i = { headers: this.authServerHeaders };
|
|
1081
|
+
this.authServerMode && (i.mode = this.authServerMode), this.authServerCredentials && (i.credentials = this.authServerCredentials), t = await fetch(o, i);
|
|
1082
1082
|
} catch (o) {
|
|
1083
|
-
|
|
1083
|
+
d.logger.error(h({ err: o }));
|
|
1084
1084
|
}
|
|
1085
1085
|
if (!t || !t.ok)
|
|
1086
1086
|
throw new g(
|
|
@@ -1090,8 +1090,8 @@ class cr {
|
|
|
1090
1090
|
this.oidcConfig = { ...ye };
|
|
1091
1091
|
try {
|
|
1092
1092
|
const o = await t.json();
|
|
1093
|
-
for (const [
|
|
1094
|
-
this.oidcConfig[
|
|
1093
|
+
for (const [i, n] of Object.entries(o))
|
|
1094
|
+
this.oidcConfig[i] = n;
|
|
1095
1095
|
} catch {
|
|
1096
1096
|
throw new g(
|
|
1097
1097
|
m.Connection,
|
|
@@ -1122,8 +1122,8 @@ class cr {
|
|
|
1122
1122
|
* if no error
|
|
1123
1123
|
*/
|
|
1124
1124
|
async startAuthorizationCodeFlow(e, t = !1) {
|
|
1125
|
-
var o,
|
|
1126
|
-
if (
|
|
1125
|
+
var o, i, n;
|
|
1126
|
+
if (d.logger.debug(h({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.response_types_supported.includes("code")) || !((i = this.oidcConfig) != null && i.response_modes_supported.includes("query")))
|
|
1127
1127
|
return {
|
|
1128
1128
|
error: "invalid_request",
|
|
1129
1129
|
error_description: "Server does not support authorization code flow"
|
|
@@ -1133,7 +1133,7 @@ class cr {
|
|
|
1133
1133
|
error: "server_error",
|
|
1134
1134
|
error_description: "Cannot get authorize endpoint"
|
|
1135
1135
|
};
|
|
1136
|
-
if (A(this, J, this.randomValue(this.stateLength)), !p(this,
|
|
1136
|
+
if (A(this, J, this.randomValue(this.stateLength)), !p(this, _)) return {
|
|
1137
1137
|
error: "invalid_request",
|
|
1138
1138
|
error_description: "Cannot make authorization code flow without client id"
|
|
1139
1139
|
};
|
|
@@ -1141,8 +1141,8 @@ class cr {
|
|
|
1141
1141
|
error: "invalid_request",
|
|
1142
1142
|
error_description: "Cannot make authorization code flow without Redirect Uri"
|
|
1143
1143
|
};
|
|
1144
|
-
let
|
|
1145
|
-
return e && (
|
|
1144
|
+
let s = this.oidcConfig.authorization_endpoint + "?response_type=code&client_id=" + encodeURIComponent(p(this, _)) + "&state=" + encodeURIComponent(p(this, J)) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
|
|
1145
|
+
return e && (s += "&scope=" + encodeURIComponent(e)), t && (A(this, F, this.randomValue(this.verifierLength)), A(this, q, this.codeChallengeMethod == "plain" ? p(this, F) : await this.sha256(p(this, F))), s += "&code_challenge=" + p(this, q)), { url: s };
|
|
1146
1146
|
}
|
|
1147
1147
|
/**
|
|
1148
1148
|
* This implements the functionality behind the redirect URI
|
|
@@ -1164,10 +1164,10 @@ class cr {
|
|
|
1164
1164
|
* @returns The {@link OAuthTokenResponse} from the `token` endpoint
|
|
1165
1165
|
* request, or `error` and `error_description`.
|
|
1166
1166
|
*/
|
|
1167
|
-
async redirectEndpoint(e, t, o,
|
|
1168
|
-
var n,
|
|
1167
|
+
async redirectEndpoint(e, t, o, i) {
|
|
1168
|
+
var n, s;
|
|
1169
1169
|
if (this.oidcConfig || await this.loadConfig(), o || !e)
|
|
1170
|
-
return o || (o = "server_error"),
|
|
1170
|
+
return o || (o = "server_error"), i || (i = "Unknown error"), { error: o, error_description: i };
|
|
1171
1171
|
if (p(this, J) && t != p(this, J))
|
|
1172
1172
|
return { error: "access_denied", error_description: "State is not valid" };
|
|
1173
1173
|
if (this.authzCode = e, !((n = this.oidcConfig) != null && n.grant_types_supported.includes("authorization_code")))
|
|
@@ -1175,24 +1175,25 @@ class cr {
|
|
|
1175
1175
|
error: "invalid_request",
|
|
1176
1176
|
error_description: "Server does not support authorization code grant"
|
|
1177
1177
|
};
|
|
1178
|
-
if (!((
|
|
1178
|
+
if (!((s = this.oidcConfig) != null && s.token_endpoint))
|
|
1179
1179
|
return {
|
|
1180
1180
|
error: "server_error",
|
|
1181
1181
|
error_description: "Cannot get token endpoint"
|
|
1182
1182
|
};
|
|
1183
1183
|
const a = this.oidcConfig.token_endpoint;
|
|
1184
|
-
let
|
|
1185
|
-
|
|
1184
|
+
let c, u;
|
|
1185
|
+
c = "authorization_code", u = p(this, T);
|
|
1186
1186
|
let y = {
|
|
1187
|
-
grant_type:
|
|
1188
|
-
client_id: p(this,
|
|
1187
|
+
grant_type: c,
|
|
1188
|
+
client_id: p(this, _),
|
|
1189
1189
|
code: this.authzCode
|
|
1190
1190
|
};
|
|
1191
1191
|
u && (y.client_secret = u), y.code_verifier = p(this, F);
|
|
1192
1192
|
try {
|
|
1193
|
-
|
|
1194
|
-
|
|
1195
|
-
|
|
1193
|
+
const k = await this.post(a, y, this.authServerHeaders);
|
|
1194
|
+
return k.id_token && !await this.validateIdToken(k.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : k;
|
|
1195
|
+
} catch (k) {
|
|
1196
|
+
return d.logger.error(h({ err: k })), {
|
|
1196
1197
|
error: "server_error",
|
|
1197
1198
|
error_description: "Unable to get access token from server"
|
|
1198
1199
|
};
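Review bot: The token request body `y` omits `redirect_uri`, which RFC 6749 §4.1.3 requires whenever it was included in the authorization request, so strict servers will reject the exchange; add `redirect_uri: this.redirect_uri` to the object literal. The stored state and PKCE verifier (`J`, `F`) are never cleared after the exchange, so a replayed callback with the same `state` still passes the check above; presumably `A(this, J, void 0), A(this, F, void 0)` after the `post` is what is wanted, if `A` is the private-field setter it appears to be. `y.code_verifier = p(this, F)` is set unconditionally, which is harmless only because JSON serialisation drops `undefined`; a comment would make that intent explicit.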
|
|
@@ -1214,28 +1215,28 @@ class cr {
|
|
|
1214
1215
|
*/
|
|
1215
1216
|
async clientCredentialsFlow(e) {
|
|
1216
1217
|
var t, o;
|
|
1217
|
-
if (
|
|
1218
|
+
if (d.logger.debug(h({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("client_credentials")))
|
|
1218
1219
|
return {
|
|
1219
1220
|
error: "invalid_request",
|
|
1220
1221
|
error_description: "Server does not support client credentials grant"
|
|
1221
1222
|
};
|
|
1222
1223
|
if (!((o = this.oidcConfig) != null && o.token_endpoint))
|
|
1223
1224
|
return { error: "server_error", error_description: "Cannot get token endpoint" };
|
|
1224
|
-
if (!p(this,
|
|
1225
|
+
if (!p(this, _)) return {
|
|
1225
1226
|
error: "invalid_request",
|
|
1226
1227
|
error_description: "Cannot make client credentials flow without client id"
|
|
1227
1228
|
};
|
|
1228
|
-
const
|
|
1229
|
+
const i = this.oidcConfig.token_endpoint;
|
|
1229
1230
|
let n = {
|
|
1230
1231
|
grant_type: "client_credentials",
|
|
1231
|
-
client_id: p(this,
|
|
1232
|
+
client_id: p(this, _),
|
|
1232
1233
|
client_secret: p(this, T)
|
|
1233
1234
|
};
|
|
1234
1235
|
e && (n.scope = e);
|
|
1235
1236
|
try {
|
|
1236
|
-
return await this.post(
|
|
1237
|
-
} catch (
|
|
1238
|
-
return
|
|
1237
|
+
return await this.post(i, n, this.authServerHeaders);
|
|
1238
|
+
} catch (s) {
|
|
1239
|
+
return d.logger.error(h({ err: s })), {
|
|
1239
1240
|
error: "server_error",
|
|
1240
1241
|
error_description: "Error connecting to authorization server"
|
|
1241
1242
|
};
|
|
@@ -1257,8 +1258,8 @@ class cr {
|
|
|
1257
1258
|
*
|
|
1258
1259
|
*/
|
|
1259
1260
|
async passwordFlow(e, t, o) {
|
|
1260
|
-
var
|
|
1261
|
-
if (
|
|
1261
|
+
var i, n;
|
|
1262
|
+
if (d.logger.debug(h({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("password")))
|
|
1262
1263
|
return {
|
|
1263
1264
|
error: "invalid_request",
|
|
1264
1265
|
error_description: "Server does not support password grant"
|
|
@@ -1268,19 +1269,20 @@ class cr {
|
|
|
1268
1269
|
error: "server_error",
|
|
1269
1270
|
error_description: "Cannot get token endpoint"
|
|
1270
1271
|
};
|
|
1271
|
-
const
|
|
1272
|
+
const s = this.oidcConfig.token_endpoint;
|
|
1272
1273
|
let a = {
|
|
1273
1274
|
grant_type: "password",
|
|
1274
|
-
client_id: p(this,
|
|
1275
|
+
client_id: p(this, _),
|
|
1275
1276
|
client_secret: p(this, T),
|
|
1276
1277
|
username: e,
|
|
1277
1278
|
password: t
|
|
1278
1279
|
};
|
|
1279
1280
|
o && (a.scope = o);
|
|
1280
1281
|
try {
|
|
1281
|
-
|
|
1282
|
-
|
|
1283
|
-
|
|
1282
|
+
let c = await this.post(s, a, this.authServerHeaders);
|
|
1283
|
+
return c.id_token && !await this.validateIdToken(c.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : c;
|
|
1284
|
+
} catch (c) {
|
|
1285
|
+
return d.logger.error(h({ err: c })), {
|
|
1284
1286
|
error: "server_error",
|
|
1285
1287
|
error_description: "Error connecting to authorization server"
|
|
1286
1288
|
};
|
|
@@ -1300,23 +1302,23 @@ class cr {
|
|
|
1300
1302
|
* documentation
|
|
1301
1303
|
*/
|
|
1302
1304
|
async mfaAuthenticators(e) {
|
|
1303
|
-
var t, o,
|
|
1304
|
-
if (
|
|
1305
|
+
var t, o, i;
|
|
1306
|
+
if (d.logger.debug(h({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && (o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))
|
|
1305
1307
|
return {
|
|
1306
1308
|
error: "invalid_request",
|
|
1307
1309
|
error_description: "Server does not support password_mfa grant"
|
|
1308
1310
|
};
|
|
1309
|
-
if (!((
|
|
1311
|
+
if (!((i = this.oidcConfig) != null && i.issuer))
|
|
1310
1312
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1311
|
-
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators",
|
|
1312
|
-
if (!Array.isArray(
|
|
1313
|
+
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", s = await this.get(n, { authorization: "Bearer " + e, ...this.authServerHeaders });
|
|
1314
|
+
if (!Array.isArray(s))
|
|
1313
1315
|
return {
|
|
1314
1316
|
error: "server_error",
|
|
1315
1317
|
error_description: "Expected array of authenticators in mfa/authenticators response"
|
|
1316
1318
|
};
|
|
1317
1319
|
let a = [];
|
|
1318
|
-
for (let
|
|
1319
|
-
const u =
|
|
1320
|
+
for (let c = 0; c < s.length; ++c) {
|
|
1321
|
+
const u = s[c];
|
|
1320
1322
|
if (!u.id || !u.authenticator_type || !u.active)
|
|
1321
1323
|
return {
|
|
1322
1324
|
error: "server_error",
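Review bot: The support guard at the top of `mfaAuthenticators` evaluates as `!(otp supported) && (oob supported)`, so the error is returned only when OTP is unsupported but OOB is supported, and a server supporting neither passes straight through; the intended test is presumably `if (!((t = this.oidcConfig) != null && (t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp") || t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))))`. The `mfa_token` is then sent as a bearer token in a GET to a URL built from the discovery `issuer`, so that value should be validated (https, expected host) before being used as a request target. The rest of the method is outside this hunk.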
|
|
@@ -1345,25 +1347,25 @@ class cr {
|
|
|
1345
1347
|
* from the `mfaAuthenticators` request.
|
|
1346
1348
|
*/
|
|
1347
1349
|
async mfaOtpRequest(e, t) {
|
|
1348
|
-
var o,
|
|
1349
|
-
if (
|
|
1350
|
+
var o, i;
|
|
1351
|
+
if (d.logger.debug(h({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1350
1352
|
return {
|
|
1351
1353
|
error: "invalid_request",
|
|
1352
1354
|
error_description: "Server does not support password_mfa grant"
|
|
1353
1355
|
};
|
|
1354
|
-
if (!((
|
|
1356
|
+
if (!((i = this.oidcConfig) != null && i.issuer))
|
|
1355
1357
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1356
|
-
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge",
|
|
1357
|
-
client_id: p(this,
|
|
1358
|
+
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", s = await this.post(n, {
|
|
1359
|
+
client_id: p(this, _),
|
|
1358
1360
|
client_secret: p(this, T),
|
|
1359
1361
|
challenge_type: "otp",
|
|
1360
1362
|
mfa_token: e,
|
|
1361
1363
|
authenticator_id: t
|
|
1362
1364
|
}, this.authServerHeaders);
|
|
1363
|
-
return
|
|
1364
|
-
error:
|
|
1365
|
-
error_description:
|
|
1366
|
-
} :
|
|
1365
|
+
return s.challenge_type != "otp" ? {
|
|
1366
|
+
error: s.error ?? "server_error",
|
|
1367
|
+
error_description: s.error_description ?? "Invalid OTP challenge response"
|
|
1368
|
+
} : s;
|
|
1367
1369
|
}
|
|
1368
1370
|
/**
|
|
1369
1371
|
* Completes the Password MFA OTP flow.
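Review bot: The new debug message reads `"Making MFA OTB request"`; it should be `"Making MFA OTP request"` to match the other log lines in this file. The success branch returns the raw `mfa/challenge` response object without narrowing it, unlike `mfaOobRequest` below which picks out the fields it needs; picking `challenge_type` here too would keep unexpected server fields from propagating to callers.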
|
|
@@ -1383,17 +1385,17 @@ class cr {
|
|
|
1383
1385
|
* - `error_description` friendly error message
|
|
1384
1386
|
*/
|
|
1385
1387
|
async mfaOtpComplete(e, t, o) {
|
|
1386
|
-
var
|
|
1387
|
-
if (
|
|
1388
|
+
var i, n;
|
|
1389
|
+
if (d.logger.debug(h({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((i = this.oidcConfig) != null && i.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1388
1390
|
return {
|
|
1389
1391
|
error: "invalid_request",
|
|
1390
1392
|
error_description: "Server does not support password_mfa grant"
|
|
1391
1393
|
};
|
|
1392
1394
|
if (!((n = this.oidcConfig) != null && n.issuer))
|
|
1393
1395
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1394
|
-
const
|
|
1396
|
+
const s = this.oidcConfig.token_endpoint, a = await this.post(s, {
|
|
1395
1397
|
grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
|
|
1396
|
-
client_id: p(this,
|
|
1398
|
+
client_id: p(this, _),
|
|
1397
1399
|
client_secret: p(this, T),
|
|
1398
1400
|
challenge_type: "otp",
|
|
1399
1401
|
mfa_token: e,
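Review bot: The guard checks `i.issuer` but the new line posts to `this.oidcConfig.token_endpoint`, which is never checked in this method and, when absent, produces a POST to the string `"undefined"`; guard the value actually used, `if (!((n = this.oidcConfig) != null && n.token_endpoint)) return { error: "server_error", error_description: "Cannot get token endpoint" };`. The method continues past this hunk, so whether the response's `id_token` is validated here as the other flows now do is not visible.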
|
|
@@ -1430,27 +1432,27 @@ class cr {
|
|
|
1430
1432
|
* - `error_description` friendly error message
|
|
1431
1433
|
*/
|
|
1432
1434
|
async mfaOobRequest(e, t) {
|
|
1433
|
-
var o,
|
|
1434
|
-
if (
|
|
1435
|
+
var o, i;
|
|
1436
|
+
if (d.logger.debug(h({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1435
1437
|
return {
|
|
1436
1438
|
error: "invalid_request",
|
|
1437
1439
|
error_description: "Server does not support password_mfa grant"
|
|
1438
1440
|
};
|
|
1439
|
-
if (!((
|
|
1441
|
+
if (!((i = this.oidcConfig) != null && i.issuer))
|
|
1440
1442
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1441
|
-
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge",
|
|
1442
|
-
client_id: p(this,
|
|
1443
|
+
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", s = await this.post(n, {
|
|
1444
|
+
client_id: p(this, _),
|
|
1443
1445
|
client_secret: p(this, T),
|
|
1444
1446
|
challenge_type: "oob",
|
|
1445
1447
|
mfa_token: e,
|
|
1446
1448
|
authenticator_id: t
|
|
1447
1449
|
}, this.authServerHeaders);
|
|
1448
|
-
return
|
|
1449
|
-
challenge_type:
|
|
1450
|
-
oob_code:
|
|
1451
|
-
binding_method:
|
|
1452
|
-
error:
|
|
1453
|
-
error_description:
|
|
1450
|
+
return s.challenge_type != "oob" || !s.oob_code || !s.binding_method ? { error: s.error ?? "server_error", error_description: s.error_description ?? "Invalid OOB challenge response" } : {
|
|
1451
|
+
challenge_type: s.challenge_type,
|
|
1452
|
+
oob_code: s.oob_code,
|
|
1453
|
+
binding_method: s.binding_method,
|
|
1454
|
+
error: s.error,
|
|
1455
|
+
error_description: s.error_description
|
|
1454
1456
|
};
|
|
1455
1457
|
}
|
|
1456
1458
|
/**
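Review bot: `mfaOobRequest` gates on `grant_types_supported.includes(".../mfa-otp")` in the new line at the top of the method but issues an OOB challenge, so it tests the wrong grant; change the string to `"http://auth0.com/oauth/grant-type/mfa-oob"`. The success branch also copies `error` and `error_description` out of a response that has already been confirmed to contain a valid `oob_code`; dropping those two fields, or documenting that they are always undefined on that path, would avoid confusing callers.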
|
|
@@ -1464,42 +1466,42 @@ class cr {
|
|
|
1464
1466
|
* @returns an {@link OAuthTokenResponse} object, which may contain
|
|
1465
1467
|
* an error instead of the response fields.
|
|
1466
1468
|
*/
|
|
1467
|
-
async mfaOobComplete(e, t, o,
|
|
1468
|
-
var n,
|
|
1469
|
-
if (
|
|
1469
|
+
async mfaOobComplete(e, t, o, i) {
|
|
1470
|
+
var n, s;
|
|
1471
|
+
if (d.logger.debug(h({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
|
|
1470
1472
|
return {
|
|
1471
1473
|
error: "invalid_request",
|
|
1472
1474
|
error_description: "Server does not support password_mfa grant"
|
|
1473
1475
|
};
|
|
1474
|
-
if (!((
|
|
1476
|
+
if (!((s = this.oidcConfig) != null && s.issuer))
|
|
1475
1477
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1476
|
-
const a = this.oidcConfig.token_endpoint,
|
|
1478
|
+
const a = this.oidcConfig.token_endpoint, c = await this.post(a, {
|
|
1477
1479
|
grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
|
|
1478
|
-
client_id: p(this,
|
|
1480
|
+
client_id: p(this, _),
|
|
1479
1481
|
client_secret: p(this, T),
|
|
1480
1482
|
challenge_type: "otp",
|
|
1481
1483
|
mfa_token: e,
|
|
1482
1484
|
oob_code: t,
|
|
1483
1485
|
binding_code: o,
|
|
1484
|
-
scope:
|
|
1486
|
+
scope: i
|
|
1485
1487
|
}, this.authServerHeaders);
|
|
1486
|
-
return
|
|
1487
|
-
error:
|
|
1488
|
-
error_description:
|
|
1489
|
-
} : {
|
|
1490
|
-
id_token:
|
|
1491
|
-
access_token:
|
|
1492
|
-
refresh_token:
|
|
1493
|
-
expires_in: "expires_in" in
|
|
1494
|
-
scope:
|
|
1495
|
-
token_type:
|
|
1488
|
+
return c.error ? {
|
|
1489
|
+
error: c.error,
|
|
1490
|
+
error_description: c.error_description
|
|
1491
|
+
} : c.id_token && !await this.validateIdToken(c.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : {
|
|
1492
|
+
id_token: c.id_token,
|
|
1493
|
+
access_token: c.access_token,
|
|
1494
|
+
refresh_token: c.refresh_token,
|
|
1495
|
+
expires_in: "expires_in" in c ? Number(c.expires_in) : void 0,
|
|
1496
|
+
scope: c.scope,
|
|
1497
|
+
token_type: c.token_type
|
|
1496
1498
|
};
|
|
1497
1499
|
}
|
|
1498
1500
|
//////////////////////////////////////////////////////////////////////
|
|
1499
1501
|
// Refresh Token Flow
|
|
1500
1502
|
async refreshTokenFlow(e) {
|
|
1501
1503
|
var t, o;
|
|
1502
|
-
if (
|
|
1504
|
+
if (d.logger.debug(h({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("refresh_token")))
|
|
1503
1505
|
return {
|
|
1504
1506
|
error: "invalid_request",
|
|
1505
1507
|
error_description: "Server does not support refresh_token grant"
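Review bot: `mfaOobComplete` sends `challenge_type: "otp"` (context line) together with `grant_type: "http://auth0.com/oauth/grant-type/mfa-oob"`, which looks copied from the OTP flow; if the server inspects the field it should be `"oob"`, and if it ignores it the line is dead and should go. The new `id_token` validation before returning is a good addition, but the normalised object returns `access_token`/`refresh_token` even when `token_type` is missing, so callers relying on `token_type` should treat `undefined` as an error. `refreshTokenFlow` begins at the end of this hunk and continues in the next.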
|
|
@@ -1509,19 +1511,20 @@ class cr {
|
|
|
1509
1511
|
error: "server_error",
|
|
1510
1512
|
error_description: "Cannot get token endpoint"
|
|
1511
1513
|
};
|
|
1512
|
-
const
|
|
1514
|
+
const i = this.oidcConfig.token_endpoint;
|
|
1513
1515
|
let n;
|
|
1514
1516
|
n = p(this, T);
|
|
1515
|
-
let
|
|
1517
|
+
let s = {
|
|
1516
1518
|
grant_type: "refresh_token",
|
|
1517
1519
|
refresh_token: e,
|
|
1518
|
-
client_id: p(this,
|
|
1520
|
+
client_id: p(this, _)
|
|
1519
1521
|
};
|
|
1520
|
-
n && (
|
|
1522
|
+
n && (s.client_secret = n);
|
|
1521
1523
|
try {
|
|
1522
|
-
|
|
1524
|
+
let a = await this.post(i, s, this.authServerHeaders);
|
|
1525
|
+
return a.id_token && !await this.validateIdToken(a.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : a;
|
|
1523
1526
|
} catch (a) {
|
|
1524
|
-
return
|
|
1527
|
+
return d.logger.error(h({ err: a })), {
|
|
1525
1528
|
error: "server_error",
|
|
1526
1529
|
error_description: "Error connecting to authorization server"
|
|
1527
1530
|
};
|
|
@@ -1537,21 +1540,22 @@ class cr {
|
|
|
1537
1540
|
*/
|
|
1538
1541
|
async startDeviceCodeFlow(e, t) {
|
|
1539
1542
|
var o;
|
|
1540
|
-
if (
|
|
1543
|
+
if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
|
|
1541
1544
|
return {
|
|
1542
1545
|
error: "invalid_request",
|
|
1543
1546
|
error_description: "Server does not support device code grant"
|
|
1544
1547
|
};
|
|
1545
|
-
let
|
|
1548
|
+
let i = {
|
|
1546
1549
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
1547
|
-
client_id: p(this,
|
|
1550
|
+
client_id: p(this, _),
|
|
1548
1551
|
client_secret: p(this, T)
|
|
1549
1552
|
};
|
|
1550
|
-
t && (
|
|
1553
|
+
t && (i.scope = t);
|
|
1551
1554
|
try {
|
|
1552
|
-
|
|
1555
|
+
let n = await this.post(e, i, this.authServerHeaders);
|
|
1556
|
+
return n.id_token && !await this.validateIdToken(n.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : n;
|
|
1553
1557
|
} catch (n) {
|
|
1554
|
-
return
|
|
1558
|
+
return d.logger.error(h({ err: n })), {
|
|
1555
1559
|
error: "server_error",
|
|
1556
1560
|
error_description: "Error connecting to authorization server"
|
|
1557
1561
|
};
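Review bot: `startDeviceCodeFlow` posts `client_secret` to the caller-supplied URL `e`, so a wrong or attacker-influenced argument exfiltrates the secret; the target should come from discovery, or at least be checked against it, e.g. `if (this.oidcConfig.device_authorization_endpoint && e !== this.oidcConfig.device_authorization_endpoint) return { error: "invalid_request", error_description: "Unexpected device authorization endpoint" };` — hedged, since that metadata field is not visible in `ye` here and not every server publishes it. The body also carries `grant_type`, which RFC 8628 §3.1 does not define for the device authorization request (it belongs in the token poll in the next hunk); servers typically ignore it, but it misleads readers.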
|
|
@@ -1565,8 +1569,8 @@ class cr {
|
|
|
1565
1569
|
* @returns See {@link OAuthDeviceResponse}
|
|
1566
1570
|
*/
|
|
1567
1571
|
async pollDeviceCodeFlow(e) {
|
|
1568
|
-
var t, o,
|
|
1569
|
-
if (
|
|
1572
|
+
var t, o, i;
|
|
1573
|
+
if (d.logger.debug(h({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
|
|
1570
1574
|
return {
|
|
1571
1575
|
error: "invalid_request",
|
|
1572
1576
|
error_description: "Server does not support device code grant"
|
|
@@ -1578,15 +1582,15 @@ class cr {
|
|
|
1578
1582
|
};
|
|
1579
1583
|
let n = {
|
|
1580
1584
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
1581
|
-
client_id: p(this,
|
|
1585
|
+
client_id: p(this, _),
|
|
1582
1586
|
client_secret: p(this, T),
|
|
1583
1587
|
device_code: e
|
|
1584
1588
|
};
|
|
1585
1589
|
try {
|
|
1586
|
-
const
|
|
1587
|
-
return
|
|
1588
|
-
} catch (
|
|
1589
|
-
return
|
|
1590
|
+
const s = await this.post((i = this.oidcConfig) == null ? void 0 : i.token_endpoint, n, this.authServerHeaders);
|
|
1591
|
+
return s.error ? s : s.id_token && !await this.validateIdToken(s.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : s;
|
|
1592
|
+
} catch (s) {
|
|
1593
|
+
return d.logger.error(h({ err: s })), {
|
|
1590
1594
|
error: "server_error",
|
|
1591
1595
|
error_description: "Error connecting to authorization server"
|
|
1592
1596
|
};
|
|
@@ -1601,15 +1605,15 @@ class cr {
|
|
|
1601
1605
|
* @throws any exception raised by `fetch()`
|
|
1602
1606
|
*/
|
|
1603
1607
|
async post(e, t, o = {}) {
|
|
1604
|
-
|
|
1608
|
+
d.logger.debug(h({
|
|
1605
1609
|
msg: "Fetch POST",
|
|
1606
1610
|
url: e,
|
|
1607
1611
|
params: Object.keys(t)
|
|
1608
1612
|
}));
|
|
1609
|
-
let
|
|
1610
|
-
return this.authServerCredentials && (
|
|
1613
|
+
let i = {};
|
|
1614
|
+
return this.authServerCredentials && (i.credentials = this.authServerCredentials), this.authServerMode && (i.mode = this.authServerMode), await (await fetch(e, {
|
|
1611
1615
|
method: "POST",
|
|
1612
|
-
...
|
|
1616
|
+
...i,
|
|
1613
1617
|
headers: {
|
|
1614
1618
|
Accept: "application/json",
|
|
1615
1619
|
"Content-Type": "application/json",
|
|
@@ -1627,7 +1631,7 @@ class cr {
|
|
|
1627
1631
|
* @throws any exception raised by `fetch()`
|
|
1628
1632
|
*/
|
|
1629
1633
|
async get(e, t = {}) {
|
|
1630
|
-
|
|
1634
|
+
d.logger.debug(h({ msg: "Fetch GET", url: e }));
|
|
1631
1635
|
let o = {};
|
|
1632
1636
|
return this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode), await (await fetch(e, {
|
|
1633
1637
|
method: "GET",
|
|
@@ -1666,7 +1670,7 @@ class cr {
|
|
|
1666
1670
|
try {
|
|
1667
1671
|
return await this.tokenConsumer.tokenAuthorized(e, "id");
|
|
1668
1672
|
} catch (t) {
|
|
1669
|
-
|
|
1673
|
+
d.logger.warn(h({ err: t }));
|
|
1670
1674
|
return;
|
|
1671
1675
|
}
|
|
1672
1676
|
}
|
|
@@ -1674,7 +1678,7 @@ class cr {
|
|
|
1674
1678
|
return ar(e);
|
|
1675
1679
|
}
|
|
1676
1680
|
}
|
|
1677
|
-
|
|
1681
|
+
_ = /* @__PURE__ */ new WeakMap(), T = /* @__PURE__ */ new WeakMap(), q = /* @__PURE__ */ new WeakMap(), F = /* @__PURE__ */ new WeakMap(), J = /* @__PURE__ */ new WeakMap();
|
|
1678
1682
|
class dr {
|
|
1679
1683
|
/**
|
|
1680
1684
|
* Constrctor
|
|
@@ -1724,7 +1728,7 @@ class dr {
|
|
|
1724
1728
|
await this.loadJwks();
|
|
1725
1729
|
}
|
|
1726
1730
|
} catch (e) {
|
|
1727
|
-
throw
|
|
1731
|
+
throw d.logger.debug(h({ err: e })), new g(m.Connection, "Couldn't load keys");
|
|
1728
1732
|
}
|
|
1729
1733
|
}
|
|
1730
1734
|
/**
|
|
@@ -1733,7 +1737,7 @@ class dr {
|
|
|
1733
1737
|
* to `authServerBaseUrl` )
|
|
1734
1738
|
* @param oidcConfig the configuration, or undefined to load it from
|
|
1735
1739
|
* the authorization server
|
|
1736
|
-
* @throws a {@link
|
|
1740
|
+
* @throws a {@link CrossauthError} object with {@link ErrorCode} of
|
|
1737
1741
|
* - `Connection` if the fetch to the authorization server failed.
|
|
1738
1742
|
*/
|
|
1739
1743
|
async loadConfig(e) {
|
|
@@ -1747,15 +1751,15 @@ class dr {
|
|
|
1747
1751
|
try {
|
|
1748
1752
|
t = await fetch(new URL("/.well-known/openid-configuration", this.authServerBaseUrl));
|
|
1749
1753
|
} catch (o) {
|
|
1750
|
-
|
|
1754
|
+
d.logger.error(h({ err: o }));
|
|
1751
1755
|
}
|
|
1752
1756
|
if (!t || !t.ok)
|
|
1753
1757
|
throw new g(m.Connection, "Couldn't get OIDC configuration");
|
|
1754
1758
|
this.oidcConfig = { ...ye };
|
|
1755
1759
|
try {
|
|
1756
1760
|
const o = await t.json();
|
|
1757
|
-
for (const [
|
|
1758
|
-
this.oidcConfig[
|
|
1761
|
+
for (const [i, n] of Object.entries(o))
|
|
1762
|
+
this.oidcConfig[i] = n;
|
|
1759
1763
|
} catch {
|
|
1760
1764
|
throw new g(m.Connection, "Unrecognized response from OIDC configuration endpoint");
|
|
1761
1765
|
}
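Review bot: `loadConfig` copies every key of the discovery document into `oidcConfig` without verifying that its `issuer` matches `authServerBaseUrl` (OpenID Discovery §4.3), so a substituted or misdirected document can point `token_endpoint`, `jwks_uri` and the MFA URLs — and with them the client secret — at another host; add a check after the copy such as `if (String(this.oidcConfig.issuer).replace(/\/$/, "") !== String(this.authServerBaseUrl).replace(/\/$/, "")) throw new g(m.Connection, "Issuer in OIDC configuration does not match authServerBaseUrl");` (trailing-slash handling hedged, as the type of `authServerBaseUrl` is not visible). The unfiltered `for (const [i, n] of Object.entries(o))` also assigns a `__proto__` key if the document carries one; copying only the keys present in the `ye` defaults would close both gaps.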
|
|
@@ -1765,7 +1769,7 @@ class dr {
|
|
|
1765
1769
|
* authorization server (using the URL in the OIDC configuration).
|
|
1766
1770
|
* @param jwks the keys to load, or undefined to fetch them from
|
|
1767
1771
|
* the authorization server.
|
|
1768
|
-
* @throws a {@link
|
|
1772
|
+
* @throws a {@link CrossauthError} object with {@link ErrorCode} of
|
|
1769
1773
|
* - `Connection` if the fetch to the authorization server failed,
|
|
1770
1774
|
* the OIDC configuration wasn't set or the keys could not be parsed.
|
|
1771
1775
|
*/
|
|
@@ -1783,7 +1787,7 @@ class dr {
|
|
|
1783
1787
|
try {
|
|
1784
1788
|
t = await fetch(new URL(this.oidcConfig.jwks_uri));
|
|
1785
1789
|
} catch (o) {
|
|
1786
|
-
|
|
1790
|
+
d.logger.error(h({ err: o }));
|
|
1787
1791
|
}
|
|
1788
1792
|
if (!t || !t.ok)
|
|
1789
1793
|
throw new g(m.Connection, "Couldn't get OIDC configuration");
|
|
@@ -1792,17 +1796,17 @@ class dr {
|
|
|
1792
1796
|
const o = await t.json();
|
|
1793
1797
|
if (!("keys" in o) || !Array.isArray(o.keys))
|
|
1794
1798
|
throw new g(m.Connection, "Couldn't fetch keys");
|
|
1795
|
-
for (let
|
|
1799
|
+
for (let i = 0; i < o.keys.length; ++i)
|
|
1796
1800
|
try {
|
|
1797
1801
|
let n = "_default";
|
|
1798
|
-
"kid" in o.keys[
|
|
1799
|
-
const
|
|
1800
|
-
this.keys[n] =
|
|
1802
|
+
"kid" in o.keys[i] && typeof o.keys[i] == "string" && (n = String(o.keys[i]));
|
|
1803
|
+
const s = await ue(o.keys[i]);
|
|
1804
|
+
this.keys[n] = s;
|
|
1801
1805
|
} catch (n) {
|
|
1802
|
-
throw
|
|
1806
|
+
throw d.logger.error(h({ err: n })), new g(m.Connection, "Couldn't load keys");
|
|
1803
1807
|
}
|
|
1804
1808
|
} catch (o) {
|
|
1805
|
-
throw
|
|
1809
|
+
throw d.logger.error(h({ err: o })), new g(m.Connection, "Unrecognized response from OIDC jwks endpoint");
|
|
1806
1810
|
}
|
|
1807
1811
|
}
|
|
1808
1812
|
}
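Review bot: The new line `"kid" in o.keys[i] && typeof o.keys[i] == "string" && (n = String(o.keys[i]))` tests the type of the whole JWK rather than its `kid`, so the condition is never true, every key is stored under `_default` and each overwrites the previous one — only the last key of a rotated JWKS survives, and the `kid` lookup in `validateToken` never matches. It should read `typeof o.keys[i].kid == "string" && (n = o.keys[i].kid);`. Logging the number of keys loaded would make a silently truncated key set noticeable.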
|
|
@@ -1821,46 +1825,50 @@ class dr {
|
|
|
1821
1825
|
(!this.keys || Object.keys(this.keys).length == 0) && await this.loadKeys();
|
|
1822
1826
|
const o = await this.validateToken(e);
|
|
1823
1827
|
if (o) {
|
|
1824
|
-
if (o.type != t
|
|
1825
|
-
|
|
1828
|
+
if (o.type != t) {
|
|
1829
|
+
d.logger.error(h({ msg: t + " expected but got " + o.type }));
|
|
1830
|
+
return;
|
|
1831
|
+
}
|
|
1832
|
+
if (o.iss != this.authServerBaseUrl) {
|
|
1833
|
+
d.logger.error(h({ msg: `Invalid issuer ${o.iss} in access token`, hashedAccessToken: await this.hash(o.jti) }));
|
|
1826
1834
|
return;
|
|
1827
1835
|
}
|
|
1828
1836
|
if (o.aud && (Array.isArray(o.aud) && !o.aud.includes(this.audience) || !Array.isArray(o.aud) && o.aud != this.audience)) {
|
|
1829
|
-
|
|
1837
|
+
d.logger.error(h({ msg: `Invalid audience ${o.aud} in access token`, hashedAccessToken: await this.hash(o.jti) }));
|
|
1830
1838
|
return;
|
|
1831
1839
|
}
|
|
1832
1840
|
return o;
|
|
1833
1841
|
}
|
|
1834
1842
|
}
|
|
1835
1843
|
async validateToken(e) {
|
|
1836
|
-
(!this.keys || Object.keys(this.keys).length == 0) &&
|
|
1844
|
+
(!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
|
|
1837
1845
|
let t;
|
|
1838
1846
|
try {
|
|
1839
1847
|
t = nr(e).kid;
|
|
1840
1848
|
} catch {
|
|
1841
|
-
|
|
1849
|
+
d.logger.warn(h({ msg: "Invalid access token format" }));
|
|
1842
1850
|
return;
|
|
1843
1851
|
}
|
|
1844
1852
|
let o;
|
|
1845
1853
|
"_default" in this.keys && (o = this.keys._default);
|
|
1846
|
-
for (let
|
|
1847
|
-
if (t ==
|
|
1848
|
-
o = this.keys[
|
|
1854
|
+
for (let i in this.keys)
|
|
1855
|
+
if (t == i) {
|
|
1856
|
+
o = this.keys[i];
|
|
1849
1857
|
break;
|
|
1850
1858
|
}
|
|
1851
1859
|
if (!o) {
|
|
1852
|
-
|
|
1860
|
+
d.logger.warn(h({ msg: "No matching keys found for access token" }));
|
|
1853
1861
|
return;
|
|
1854
1862
|
}
|
|
1855
1863
|
try {
|
|
1856
|
-
const { payload:
|
|
1864
|
+
const { payload: i } = await sr(e, o), n = JSON.parse(new TextDecoder().decode(i));
|
|
1857
1865
|
if (n.exp * 1e3 < Date.now() + this.clockTolerance) {
|
|
1858
|
-
|
|
1866
|
+
d.logger.warn(h({ msg: "Access token has expired" }));
|
|
1859
1867
|
return;
|
|
1860
1868
|
}
|
|
1861
1869
|
return n;
|
|
1862
1870
|
} catch {
|
|
1863
|
-
|
|
1871
|
+
d.logger.warn(h({ msg: "Access token did not validate" }));
|
|
1864
1872
|
return;
|
|
1865
1873
|
}
|
|
1866
1874
|
}
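Review bot: `validateToken` accepts a token with no `exp`, because `n.exp * 1e3` is `NaN` and `NaN < …` is false; add `if (typeof n.exp != "number") { d.logger.warn(h({ msg: "Token has no expiry" })); return; }` before the comparison. In `tokenAuthorized` the audience check only runs when `aud` is present (`if (o.aud && …)`), so a token without an audience is accepted for every client, and the issuer is compared to `authServerBaseUrl` rather than the discovery `issuer`, which breaks on a trailing-slash mismatch; both should fail closed. There is no `nbf`/`iat` check, and the header `kid` only selects the key, which is fine provided `sr` pins the accepted algorithms — worth confirming. `tokenAuthorized` starts before this hunk.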
|
|
@@ -1890,43 +1898,43 @@ class Ae {
|
|
|
1890
1898
|
this.tokenProvider = e.tokenProvider, this.autoRefreshUrl = e.autoRefreshUrl, e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials);
|
|
1891
1899
|
}
|
|
1892
1900
|
async startAutoRefresh(e = ["access", "id"], t) {
|
|
1893
|
-
this.autoRefreshActive || (this.autoRefreshActive = !0,
|
|
1901
|
+
this.autoRefreshActive || (this.autoRefreshActive = !0, d.logger.debug(h({ msg: "Starting auto refresh" })), await this.scheduleAutoRefresh(e, t));
|
|
1894
1902
|
}
|
|
1895
1903
|
stopAutoRefresh() {
|
|
1896
|
-
this.autoRefreshActive = !1,
|
|
1904
|
+
this.autoRefreshActive = !1, d.logger.debug(h({ msg: "Stopping auto refresh" }));
|
|
1897
1905
|
}
|
|
1898
1906
|
async scheduleAutoRefresh(e, t) {
|
|
1899
|
-
const o = this.tokenProvider.getCsrfToken(),
|
|
1907
|
+
const o = this.tokenProvider.getCsrfToken(), i = o ? await o : void 0, n = await this.tokenProvider.getTokenExpiries([...e, "refresh"], i);
|
|
1900
1908
|
if (n.refresh == null) {
|
|
1901
|
-
|
|
1909
|
+
d.logger.debug(h({ msg: "No refresh token found" }));
|
|
1902
1910
|
return;
|
|
1903
1911
|
}
|
|
1904
|
-
const
|
|
1912
|
+
const s = Date.now();
|
|
1905
1913
|
let a = n.id;
|
|
1906
1914
|
if ((!a || n.access && n.access < a) && (a = n.access), !a) {
|
|
1907
|
-
|
|
1915
|
+
d.logger.debug(h({ msg: "No tokens expire" }));
|
|
1908
1916
|
return;
|
|
1909
1917
|
}
|
|
1910
|
-
const
|
|
1911
|
-
if (
|
|
1912
|
-
|
|
1918
|
+
const c = a * 1e3 - s - fe;
|
|
1919
|
+
if (c < 0) {
|
|
1920
|
+
d.logger.debug(h({ msg: "Expiry time has passed" }));
|
|
1913
1921
|
return;
|
|
1914
1922
|
}
|
|
1915
|
-
if (n.refresh && n.refresh - fe <
|
|
1916
|
-
|
|
1923
|
+
if (n.refresh && n.refresh - fe < c) {
|
|
1924
|
+
d.logger.debug(h({ msg: "Refresh token has expired" }));
|
|
1917
1925
|
return;
|
|
1918
1926
|
}
|
|
1919
|
-
let u = (y) => new Promise((
|
|
1920
|
-
|
|
1927
|
+
let u = (y) => new Promise((k) => setTimeout(k, y));
|
|
1928
|
+
d.logger.debug(h({ msg: `Waiting ${c} before refreshing tokens` })), await u(c), await this.autoRefresh(e, i, t);
|
|
1921
1929
|
}
|
|
1922
1930
|
async autoRefresh(e, t, o) {
|
|
1923
1931
|
if (this.autoRefreshActive) {
|
|
1924
|
-
let
|
|
1925
|
-
for (; !n &&
|
|
1932
|
+
let i, n = !1, s = 0;
|
|
1933
|
+
for (; !n && s <= Z; )
|
|
1926
1934
|
try {
|
|
1927
1935
|
let a = { ...this.headers };
|
|
1928
|
-
t && (a[this.csrfHeader] = t),
|
|
1929
|
-
const
|
|
1936
|
+
t && (a[this.csrfHeader] = t), d.logger.debug(h({ msg: "Initiating auto refresh" }));
|
|
1937
|
+
const c = await this.tokenProvider.jsonFetchWithToken(
|
|
1930
1938
|
this.autoRefreshUrl,
|
|
1931
1939
|
{
|
|
1932
1940
|
method: "POST",
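Review bot: The refresh-expiry test `if (n.refresh && n.refresh - fe < c)` compares what appears to be an absolute expiry (same unit as `a`, which is multiplied by `1e3` on the line above to get milliseconds) against the millisecond delay `c`, so the two sides are in different units and the "Refresh token has expired" branch fires incorrectly — hedged, since `getTokenExpiries`'s units are not visible here; presumably `if (n.refresh && n.refresh * 1e3 - fe < s + c)` was meant. The awaited `setTimeout` in `u(c)` cannot be cancelled by `stopAutoRefresh`, so a long wait keeps the chain alive after stop; keeping the timer handle and clearing it in `stopAutoRefresh` would fix that. `autoRefresh` continues in the next hunk.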
|
|
@@ -1943,19 +1951,19 @@ class Ae {
|
|
|
1943
1951
|
},
|
|
1944
1952
|
"refresh"
|
|
1945
1953
|
);
|
|
1946
|
-
if (
|
|
1954
|
+
if (c.ok || d.logger.error(h({ msg: "Failed auto refreshing tokens", status: c.status })), i = await c.json(), i != null && i.ok) {
|
|
1947
1955
|
await this.scheduleAutoRefresh(e, o), n = !0;
|
|
1948
1956
|
try {
|
|
1949
|
-
await this.tokenProvider.receiveTokens(
|
|
1957
|
+
await this.tokenProvider.receiveTokens(i);
|
|
1950
1958
|
} catch (u) {
|
|
1951
1959
|
const y = g.asCrossauthError(u);
|
|
1952
|
-
o ? o("Couldn't receive tokens", y) : (
|
|
1960
|
+
o ? o("Couldn't receive tokens", y) : (d.logger.debug(h({ err: u })), d.logger.error(h({ msg: "Error receiving tokens", cerr: y })));
|
|
1953
1961
|
}
|
|
1954
1962
|
} else
|
|
1955
|
-
|
|
1963
|
+
s < Z ? (d.logger.error(h({ msg: `Failed auto refreshing tokens. Retrying in ${ae} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae * 1e3)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens. Number of retries exceeded" })), o && o("Failed auto refreshing tokens")), s++;
|
|
1956
1964
|
} catch (a) {
|
|
1957
|
-
const
|
|
1958
|
-
|
|
1965
|
+
const c = g.asCrossauthError(a);
|
|
1966
|
+
d.logger.debug(h({ err: c })), s < Z ? (d.logger.error(h({ msg: `Failed auto refreshing tokens. Retrying in ${Z} seconds` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae)) : (d.logger.error(h({ msg: "Failed auto refreshing tokens. Number of retries exceeded" })), o && o(c.message, c)), s++;
|
|
1959
1967
|
}
|
|
1960
1968
|
}
|
|
1961
1969
|
}
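Review bot: The exception path in `autoRefresh` waits `ae` milliseconds (`setTimeout(k, y)))(ae)`) but logs `Retrying in ${Z} seconds`, while the non-exception path two lines earlier waits `ae * 1e3` and logs `${ae}`; the catch branch should match, `d.logger.error(h({ msg: \`Failed auto refreshing tokens. Retrying in ${ae} seconds\` })), await ((y) => new Promise((k) => setTimeout(k, y)))(ae * 1e3)`. The retry loop also ignores `this.autoRefreshActive` once entered; adding it to the `for` condition would let `stopAutoRefresh` take effect between retries. `autoRefresh` starts in the previous hunk.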
|
|
@@ -1981,29 +1989,29 @@ class Pe {
|
|
|
1981
1989
|
this.oauthClient = e.oauthClient, e.deviceCodePollUrl != null && (this.deviceCodePollUrl = e.deviceCodePollUrl), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials);
|
|
1982
1990
|
}
|
|
1983
1991
|
async startPolling(e, t, o = 5) {
|
|
1984
|
-
this.pollingActive || (this.pollingActive = !0,
|
|
1992
|
+
this.pollingActive || (this.pollingActive = !0, d.logger.debug(h({ msg: "Starting auto refresh" })), await this.poll(e, o, t));
|
|
1985
1993
|
}
|
|
1986
1994
|
stopPolling() {
|
|
1987
|
-
this.pollingActive = !1,
|
|
1995
|
+
this.pollingActive = !1, d.logger.debug(h({ msg: "Stopping auto refresh" }));
|
|
1988
1996
|
}
|
|
1989
1997
|
async poll(e, t, o) {
|
|
1990
|
-
var
|
|
1998
|
+
var i;
|
|
1991
1999
|
if (!e)
|
|
1992
|
-
|
|
2000
|
+
d.logger.debug(h({ msg: "device code poll: no device code provided" })), o("error", "Error waiting for authorization");
|
|
1993
2001
|
else
|
|
1994
2002
|
try {
|
|
1995
|
-
if (
|
|
1996
|
-
if (this.oauthClient.getOidcConfig() || await this.oauthClient.loadConfig(), !((
|
|
2003
|
+
if (d.logger.debug(h({ msg: "device code poll: poll" })), !this.deviceCodePollUrl && this.oauthClient) {
|
|
2004
|
+
if (this.oauthClient.getOidcConfig() || await this.oauthClient.loadConfig(), !((i = this.oauthClient.getOidcConfig()) != null && i.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
|
|
1997
2005
|
return {
|
|
1998
2006
|
error: "invalid_request",
|
|
1999
2007
|
error_description: "Server does not support password_mfa grant"
|
|
2000
2008
|
};
|
|
2001
|
-
let
|
|
2002
|
-
if (!(
|
|
2009
|
+
let s = this.oauthClient.getOidcConfig();
|
|
2010
|
+
if (!(s != null && s.token_endpoint)) return {
|
|
2003
2011
|
error: "server_error",
|
|
2004
2012
|
error_description: "Couldn't get OIDC configuration"
|
|
2005
2013
|
};
|
|
2006
|
-
this.deviceCodePollUrl =
|
|
2014
|
+
this.deviceCodePollUrl = s.token_endpoint;
|
|
2007
2015
|
}
|
|
2008
2016
|
if (!this.deviceCodePollUrl)
|
|
2009
2017
|
return {
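Review bot: The early `return { error: ..., error_description: ... }` paths in `poll` (after the grant-type check and after the missing `token_endpoint` check) leave `this.pollingActive` set to `!0` and never invoke the result callback `o`, and `startPolling` discards what `await this.poll(e, o, t)` returns, so the caller is never told the poll failed and every later `startPolling` call is a no-op until `stopPolling` runs. Each of those branches should clear the flag and report, e.g. `this.pollingActive = !1, o("error", "Couldn't get OIDC configuration");` in place of the bare return, or `startPolling` should inspect the returned object. Separately, the capability check looks like it was carried over from the MFA flow: it tests `grant_types_supported` for the mfa-oob grant and the message says "password_mfa grant", whereas this poller drives the device code grant (`urn:ietf:params:oauth:grant-type:device_code`). `poll` continues past the end of this hunk.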
|
|
@@ -2020,19 +2028,19 @@ class Pe {
|
|
|
2020
2028
|
else if (!n.ok)
|
|
2021
2029
|
this.pollingActive = !1, o("error", "Received an error from the authorization server");
|
|
2022
2030
|
else {
|
|
2023
|
-
const
|
|
2024
|
-
if (
|
|
2031
|
+
const s = await n.json();
|
|
2032
|
+
if (d.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(s) })), s.error == "expired_token")
|
|
2025
2033
|
this.pollingActive = !1, o("expired_token", "Timeout waiting for authorization");
|
|
2026
|
-
else if (
|
|
2027
|
-
|
|
2028
|
-
let a =
|
|
2029
|
-
|
|
2030
|
-
} else
|
|
2034
|
+
else if (s.error == "authorization_pending" || s.error == "slow_down") {
|
|
2035
|
+
s.error == "slow_down" && (t += 5);
|
|
2036
|
+
let a = s.interval ?? t, c = (u) => new Promise((y) => setTimeout(y, u));
|
|
2037
|
+
d.logger.debug(h({ msg: "device code poll: waiting " + String(a) + " seconds" })), await c(a * 1e3), this.pollingActive && this.poll(e, t, o);
|
|
2038
|
+
} else s.error ? (this.pollingActive = !1, o("error", s.error_description ?? s.error)) : (this.pollingActive = !1, o("complete"));
|
|
2031
2039
|
}
|
|
2032
2040
|
} catch (n) {
|
|
2033
2041
|
this.pollingActive = !1;
|
|
2034
|
-
const
|
|
2035
|
-
|
|
2042
|
+
const s = g.asCrossauthError(n);
|
|
2043
|
+
d.logger.debug(h({ err: s })), d.logger.error(h({ msg: "Polling failed", cerr: s })), o("error", s.message);
|
|
2036
2044
|
}
|
|
2037
2045
|
}
|
|
2038
2046
|
}
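Review bot: `d.logger.debug(h({ msg: "device code poll: received" + JSON.stringify(s) }))` serialises the entire token-endpoint response into the log, and on the poll that ends in `o("complete")` that response carries the freshly issued access/refresh/ID tokens, so enabling debug logging writes bearer credentials to wherever the logger goes. Log only the status field, e.g. `msg: "device code poll: received " + (s.error ?? "token response")`. The wait `s.interval ?? t` also takes the server-supplied interval without a floor, so an `interval` of 0 turns the loop into a tight re-poll; clamping with `Math.max(s.interval ?? t, 1)` keeps the RFC 8628 minimum meaningful. `poll` begins before this hunk.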
|
|
@@ -2100,7 +2108,7 @@ class ur {
|
|
|
2100
2108
|
* This only returns something if the ID token was returned to the BFF
|
|
2101
2109
|
* client in a previous OAuth call. Otherwise it returns an empty JSON.
|
|
2102
2110
|
*
|
|
2103
|
-
* @param
|
|
2111
|
+
* @param csrfToken the CSRF token. If emtpy, one will be fetched before
|
|
2104
2112
|
* making the request
|
|
2105
2113
|
* @returns the ID token payload or an empty object if there isn't one
|
|
2106
2114
|
*/
|
|
@@ -2112,7 +2120,7 @@ class ur {
|
|
|
2112
2120
|
* Returns whether or not there is an ID token stored in the BFF server
|
|
2113
2121
|
* for this client.
|
|
2114
2122
|
*
|
|
2115
|
-
* @param
|
|
2123
|
+
* @param csrfToken the CSRF token. If emtpy, one will be fetched before
|
|
2116
2124
|
* making the request
|
|
2117
2125
|
* @returns true or false
|
|
2118
2126
|
*/
|
|
@@ -2126,10 +2134,8 @@ class ur {
|
|
|
2126
2134
|
* This only returns something if the access token was returned to the BFF
|
|
2127
2135
|
* client in a previous OAuth call. Otherwise it returns an empty JSON.
|
|
2128
2136
|
*
|
|
2129
|
-
* @param
|
|
2137
|
+
* @param csrfToken the CSRF token. If emtpy, one will be fetched before
|
|
2130
2138
|
* making the request
|
|
2131
|
-
* @param headers any additional headers to add (will be added to
|
|
2132
|
-
* the ones given with {@link OAuthBffClient.addHeader} )
|
|
2133
2139
|
* @returns the access token payload or an empty object if there isn't one
|
|
2134
2140
|
*/
|
|
2135
2141
|
async getAccessToken(e) {
|
|
@@ -2140,7 +2146,7 @@ class ur {
|
|
|
2140
2146
|
* Returns whether or not there is an access token stored in the BFF server
|
|
2141
2147
|
* for this client.
|
|
2142
2148
|
*
|
|
2143
|
-
* @param
|
|
2149
|
+
* @param csrfToken the CSRF token. If emtpy, one will be fetched before
|
|
2144
2150
|
* making the request
|
|
2145
2151
|
* @returns true or false
|
|
2146
2152
|
*/
|
|
@@ -2154,7 +2160,7 @@ class ur {
|
|
|
2154
2160
|
* This only returns something if the refresh token was returned to the BFF
|
|
2155
2161
|
* client in a previous OAuth call. Otherwise it returns an empty JSON.
|
|
2156
2162
|
*
|
|
2157
|
-
* @param
|
|
2163
|
+
* @param csrfToken the CSRF token. If emtpy, one will be fetched before
|
|
2158
2164
|
* making the request
|
|
2159
2165
|
* @returns the refresh token payload or an empty object if there isn't one
|
|
2160
2166
|
*/
|
|
@@ -2166,7 +2172,7 @@ class ur {
|
|
|
2166
2172
|
* Returns whether or not there is a refresh token stored in the BFF server
|
|
2167
2173
|
* for this client.
|
|
2168
2174
|
*
|
|
2169
|
-
* @param
|
|
2175
|
+
* @param csrfToken the CSRF token. If emtpy, one will be fetched before
|
|
2170
2176
|
* making the request
|
|
2171
2177
|
* @returns true or false
|
|
2172
2178
|
*/
|
|
@@ -2182,11 +2188,11 @@ class ur {
|
|
|
2182
2188
|
* @param csrfToken : the CSRF token
|
|
2183
2189
|
* @returns the HTTP status code and the body or null
|
|
2184
2190
|
*/
|
|
2185
|
-
async api(e, t, o,
|
|
2191
|
+
async api(e, t, o, i) {
|
|
2186
2192
|
let n = { ...this.headers };
|
|
2187
|
-
!
|
|
2188
|
-
let
|
|
2189
|
-
o && (
|
|
2193
|
+
!i && !["GET", "HEAD", "OPTIONS"].includes(e) && (i = await this.getCsrfToken(), i && (n[this.csrfHeader] = i)), t.startsWith("/") && (t = t.substring(1));
|
|
2194
|
+
let s = {};
|
|
2195
|
+
o && (s.body = JSON.stringify(o));
|
|
2190
2196
|
const a = await fetch(
|
|
2191
2197
|
this.bffPrefix + t,
|
|
2192
2198
|
{
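Review bot: A CSRF token passed in by the caller is never sent: `n[this.csrfHeader] = i` sits inside the `!i && !["GET", "HEAD", "OPTIONS"].includes(e) && (...)` expression, so the header is only set for a token fetched here, and a state-changing call made with an explicit `i` goes out without it and will be rejected by the BFF's CSRF check. Split the two concerns: `if (!i && !["GET", "HEAD", "OPTIONS"].includes(e)) i = await this.getCsrfToken();` followed by `if (i) n[this.csrfHeader] = i;`. The `fetch` call this hunk opens continues in the next hunk.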
|
|
@@ -2194,11 +2200,11 @@ class ur {
|
|
|
2194
2200
|
method: e,
|
|
2195
2201
|
mode: this.mode,
|
|
2196
2202
|
credentials: this.credentials,
|
|
2197
|
-
...
|
|
2203
|
+
...s
|
|
2198
2204
|
}
|
|
2199
2205
|
);
|
|
2200
|
-
let
|
|
2201
|
-
return a.body && (
|
|
2206
|
+
let c = null;
|
|
2207
|
+
return a.body && (c = await a.json()), { status: a.status, body: c };
|
|
2202
2208
|
}
|
|
2203
2209
|
/**
|
|
2204
2210
|
* Return all tokens that the client has been enabled to return.
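Review bot: `a.body && (c = await a.json())` treats any non-null body as JSON, but `Response.body` is a stream for every response that has content, including an HTML error page from a proxy or the BFF itself, so `a.json()` throws a `SyntaxError` and the HTTP status that would have explained the failure is lost to the caller. Gate the parse on the declared type, e.g. `const ct = a.headers.get("content-type") ?? "";` and `if (ct.includes("application/json")) c = await a.json();`. The same pattern appears in the resource-server `api` method of the later client class, `return c.body && (u = await c.json()), ...`, and should be fixed together. `api` begins in the previous hunk.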
|
|
@@ -2244,8 +2250,8 @@ class ur {
|
|
|
2244
2250
|
}
|
|
2245
2251
|
/**
|
|
2246
2252
|
* Turns polling for a device code
|
|
2247
|
-
* @param
|
|
2248
|
-
* @param
|
|
2253
|
+
* @param deviceCode the device code to poll for (returned when the device code flow was started)
|
|
2254
|
+
* @param pollResultFn THis function will be called with the result of each poll
|
|
2249
2255
|
*/
|
|
2250
2256
|
async startDeviceCodePolling(e, t, o = 5) {
|
|
2251
2257
|
return this.deviceCodePoller.startPolling(e, t, o);
|
|
@@ -2260,18 +2266,18 @@ class ur {
|
|
|
2260
2266
|
// OAuthTokenProvider interface
|
|
2261
2267
|
/**
|
|
2262
2268
|
* Fetches the expiry times for each token.
|
|
2263
|
-
* @param
|
|
2269
|
+
* @param csrfToken the CSRF token. If emtpy
|
|
2264
2270
|
* , one will be fetched before
|
|
2265
2271
|
* making the request
|
|
2266
2272
|
* @returns for each token, either the expiry, `null` if it does not
|
|
2267
2273
|
* expire, or `undefined` if the token does not exist
|
|
2268
2274
|
*/
|
|
2269
2275
|
async getTokenExpiries(e, t) {
|
|
2270
|
-
const o = await this.getTokens(t),
|
|
2271
|
-
let a,
|
|
2272
|
-
return
|
|
2276
|
+
const o = await this.getTokens(t), i = e.includes("id") ? (o == null ? void 0 : o.id_token) ?? null : null, n = e.includes("access") ? (o == null ? void 0 : o.access_token) ?? null : null, s = e.includes("refresh") ? (o == null ? void 0 : o.refresh_token) ?? null : null;
|
|
2277
|
+
let a, c, u;
|
|
2278
|
+
return i && (a = i.exp ? i.exp : null), n && (c = n.exp ? n.exp : null), s && (u = s.exp ? s.exp : null), {
|
|
2273
2279
|
id: a,
|
|
2274
|
-
access:
|
|
2280
|
+
access: c,
|
|
2275
2281
|
refresh: u
|
|
2276
2282
|
};
|
|
2277
2283
|
}
|
|
@@ -2279,7 +2285,7 @@ class ur {
|
|
|
2279
2285
|
* Makes a fetch, adding in the requested token
|
|
2280
2286
|
* @param url the URL to fetch
|
|
2281
2287
|
* @param params parameters to add to the fetch
|
|
2282
|
-
* @param
|
|
2288
|
+
* @param _token unused
|
|
2283
2289
|
* @returns parsed JSON response
|
|
2284
2290
|
*/
|
|
2285
2291
|
async jsonFetchWithToken(e, t, o) {
|
|
@@ -2290,6 +2296,17 @@ class ur {
|
|
|
2290
2296
|
});
|
|
2291
2297
|
}
|
|
2292
2298
|
}
|
|
2299
|
+
class fr {
|
|
2300
|
+
/**
|
|
2301
|
+
* Gets a CSRF token from the server
|
|
2302
|
+
* @returns the CSRF token that can be included in
|
|
2303
|
+
* the `X-CROSSAUTH-CSRF` header
|
|
2304
|
+
*/
|
|
2305
|
+
getCsrfToken() {
|
|
2306
|
+
return new Promise((e) => {
|
|
2307
|
+
});
|
|
2308
|
+
}
|
|
2309
|
+
}
|
|
2293
2310
|
class hr extends dr {
|
|
2294
2311
|
/**
|
|
2295
2312
|
* SHA256 and Base64-url-encodes the given test
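Review bot: `getCsrfToken()` in the new class `fr` returns `new Promise((e) => { })`, a promise that never settles, so any `await this.getCsrfToken()` against this class hangs forever with no error and no timeout; since `fr` is exported as `OAuthTokenProvider` at the bottom of the file, that is public API. If this is meant as a base-class placeholder to be overridden, it should fail loudly instead: `return Promise.reject(new Error("getCsrfToken() is not implemented"));`, and the JSDoc should say the method must be overridden. If a real implementation was intended, the body is missing.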
|
|
@@ -2297,12 +2314,12 @@ class hr extends dr {
|
|
|
2297
2314
|
* @returns the SHA256 hash, Base64-url-encode
|
|
2298
2315
|
*/
|
|
2299
2316
|
async hash(e) {
|
|
2300
|
-
const o = new TextEncoder().encode(e),
|
|
2301
|
-
return btoa(n.reduce((
|
|
2317
|
+
const o = new TextEncoder().encode(e), i = await crypto.subtle.digest("SHA-256", o), n = Array.from(new Uint8Array(i));
|
|
2318
|
+
return btoa(n.reduce((s, a) => s + String.fromCharCode(a), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
|
|
2302
2319
|
}
|
|
2303
2320
|
}
|
|
2304
|
-
var j, O, R, K,
|
|
2305
|
-
class
|
|
2321
|
+
var j, O, R, K, D, B, L;
|
|
2322
|
+
class gr extends cr {
|
|
2306
2323
|
/**
|
|
2307
2324
|
* Constructor
|
|
2308
2325
|
*
|
|
@@ -2341,7 +2358,7 @@ class fr extends cr {
|
|
|
2341
2358
|
* - `deviceAuthorization` URL, relative to the authorization server base,
|
|
2342
2359
|
* for starting the device code flow. Default `device_authorization`
|
|
2343
2360
|
* Default is `/devicecodepoll`
|
|
2344
|
-
* For other options see {@link
|
|
2361
|
+
* For other options see {@link OAuthClientBase}.
|
|
2345
2362
|
*/
|
|
2346
2363
|
constructor(t) {
|
|
2347
2364
|
t.tokenConsumer || (t.tokenConsumer = new hr(
|
|
@@ -2365,7 +2382,7 @@ class fr extends cr {
|
|
|
2365
2382
|
N(this, O);
|
|
2366
2383
|
N(this, R);
|
|
2367
2384
|
N(this, K);
|
|
2368
|
-
N(this,
|
|
2385
|
+
N(this, D);
|
|
2369
2386
|
N(this, B);
|
|
2370
2387
|
N(this, L);
|
|
2371
2388
|
f(this, "autoRefresher");
|
|
@@ -2376,34 +2393,34 @@ class fr extends cr {
|
|
|
2376
2393
|
autoRefreshUrl: this.authServerBaseUrl + "/token",
|
|
2377
2394
|
tokenProvider: this
|
|
2378
2395
|
}), this.deviceCodePoller = new Pe({ ...t, oauthClient: this, deviceCodePollUrl: null });
|
|
2379
|
-
let o,
|
|
2380
|
-
if (this.idTokenResponseType == "sessionStorage" ? o = sessionStorage.getItem(this.idTokenName) : this.idTokenResponseType == "localStorage" && (o = localStorage.getItem(this.idTokenName)), this.accessTokenResponseType == "sessionStorage" ?
|
|
2381
|
-
access_token:
|
|
2396
|
+
let o, i, n;
|
|
2397
|
+
if (this.idTokenResponseType == "sessionStorage" ? o = sessionStorage.getItem(this.idTokenName) : this.idTokenResponseType == "localStorage" && (o = localStorage.getItem(this.idTokenName)), this.accessTokenResponseType == "sessionStorage" ? i = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (i = localStorage.getItem(this.accessTokenName)), this.refreshTokenResponseType == "sessionStorage" ? n = sessionStorage.getItem(this.refreshTokenName) : this.refreshTokenResponseType == "localStorage" && (n = localStorage.getItem(this.refreshTokenName)), this.receiveTokens({
|
|
2398
|
+
access_token: i,
|
|
2382
2399
|
id_token: o,
|
|
2383
2400
|
refresh_token: n
|
|
2384
|
-
}),
|
|
2385
|
-
const
|
|
2386
|
-
|
|
2401
|
+
}), i) {
|
|
2402
|
+
const s = this.getTokenPayload(i);
|
|
2403
|
+
s && (b(this, j, i), b(this, K, s));
|
|
2387
2404
|
}
|
|
2388
2405
|
if (n) {
|
|
2389
|
-
const
|
|
2390
|
-
|
|
2406
|
+
const s = this.getTokenPayload(n);
|
|
2407
|
+
s && (b(this, O, n), b(this, D, s));
|
|
2391
2408
|
}
|
|
2392
|
-
o ? this.validateIdToken(o).then((
|
|
2393
|
-
b(this, R,
|
|
2394
|
-
|
|
2409
|
+
o ? this.validateIdToken(o).then((s) => {
|
|
2410
|
+
b(this, R, s), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
|
|
2411
|
+
d.logger.debug(h({ err: a, msg: "Couldn't start auto refresh" }));
|
|
2395
2412
|
});
|
|
2396
|
-
}).catch((
|
|
2397
|
-
|
|
2398
|
-
}) : w(this, j) && t.autoRefresh && n ? this.startAutoRefresh(t.autoRefresh).then().catch((
|
|
2399
|
-
|
|
2400
|
-
}) : n && !
|
|
2401
|
-
|
|
2402
|
-
|
|
2413
|
+
}).catch((s) => {
|
|
2414
|
+
d.logger.debug(h({ err: s, msg: "Couldn't validate ID token" }));
|
|
2415
|
+
}) : w(this, j) && t.autoRefresh && n ? this.startAutoRefresh(t.autoRefresh).then().catch((s) => {
|
|
2416
|
+
d.logger.debug(h({ err: s, msg: "Couldn't start auto refresh" }));
|
|
2417
|
+
}) : n && !i && this.refreshTokenFlow(n).then((s) => {
|
|
2418
|
+
d.logger.debug(h({ msg: "Refreshed tokens" })), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
|
|
2419
|
+
d.logger.debug(h({ err: a, msg: "Couldn't start auto refresh" }));
|
|
2403
2420
|
});
|
|
2404
|
-
}).catch((
|
|
2405
|
-
const a = g.asCrossauthError(
|
|
2406
|
-
|
|
2421
|
+
}).catch((s) => {
|
|
2422
|
+
const a = g.asCrossauthError(s);
|
|
2423
|
+
d.logger.debug(h({ err: a })), d.logger.error(h({ msg: "failed refreshing tokens", cerr: a }));
|
|
2407
2424
|
});
|
|
2408
2425
|
}
|
|
2409
2426
|
get idTokenPayload() {
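Review bot: `this.receiveTokens({ access_token: i, id_token: o, refresh_token: n })` is evaluated inside the `if (...)` comma expression and its promise is discarded; `receiveTokens` is async and awaits `validateIdToken`, so a stale or tampered ID token read back from storage surfaces as an unhandled promise rejection at construction time rather than the logged failure the `this.validateIdToken(o).then(...).catch(...)` chain below provides for the same token. Attach a handler on that call, e.g. `.catch((s) => { d.logger.debug(h({ err: s, msg: "Couldn't restore stored tokens" })); })`, or move it after the validation chain and only call it once validation has succeeded. Note also that `b(this, j, i)` and `b(this, K, s)` accept the stored access token on the strength of `getTokenPayload` alone, which presumably only decodes; that is consistent with the rest of the class but worth a comment since the value comes from `localStorage`. The constructor begins before this hunk.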
|
|
@@ -2426,34 +2443,29 @@ class fr extends cr {
|
|
|
2426
2443
|
* endpoint is called. Depending on whether that returned an error,
|
|
2427
2444
|
* either `receiveTokenFn` or `errorFn` will be called.
|
|
2428
2445
|
*
|
|
2429
|
-
* @
|
|
2430
|
-
*
|
|
2431
|
-
* @
|
|
2432
|
-
* or if the `state` was not correct.
|
|
2433
|
-
*
|
|
2434
|
-
* @returns the result of `receiveTokenFn`, `errorFn` or `undefined`. If
|
|
2435
|
-
* `receiveTokenFn`/`errorFn` is not defined, rather than calling
|
|
2436
|
-
* it, this function just returns the OAuth response.
|
|
2446
|
+
* @returns the result of `receiveTokenFn` or undefined if there was
|
|
2447
|
+
* neither a code in the URL search params nor an error `undefined`. If
|
|
2448
|
+
* @throws CrossauthError if an `error` was passed in the URL search params
|
|
2437
2449
|
*
|
|
2438
2450
|
*/
|
|
2439
2451
|
async handleRedirectUri() {
|
|
2440
2452
|
const t = new URL(window.location.href);
|
|
2441
2453
|
if (t.origin + t.pathname != this.redirect_uri) return;
|
|
2442
2454
|
const o = new URLSearchParams(window.location.search);
|
|
2443
|
-
let
|
|
2455
|
+
let i, n, s, a;
|
|
2444
2456
|
for (const [u, y] of o)
|
|
2445
|
-
u == "code" && (
|
|
2446
|
-
if (!
|
|
2447
|
-
if (
|
|
2448
|
-
const u = g.fromOAuthError(
|
|
2449
|
-
throw
|
|
2457
|
+
u == "code" && (i = y), u == "state" && (n = y), u == "error" && (s = y), u == "error_description" && (a = y);
|
|
2458
|
+
if (!s && !i) return;
|
|
2459
|
+
if (s) {
|
|
2460
|
+
const u = g.fromOAuthError(s, a);
|
|
2461
|
+
throw d.logger.debug(h({ err: u })), d.logger.error(h({ cerr: u, msg: "Error from authorize endpoint: " + s })), u;
|
|
2450
2462
|
}
|
|
2451
|
-
const
|
|
2452
|
-
if (
|
|
2453
|
-
const u = g.fromOAuthError(
|
|
2454
|
-
throw
|
|
2463
|
+
const c = await this.redirectEndpoint(i, n, s, a);
|
|
2464
|
+
if (c.error) {
|
|
2465
|
+
const u = g.fromOAuthError(c.error, a);
|
|
2466
|
+
throw d.logger.debug(h({ err: u })), d.logger.error(h({ cerr: u, msg: "Error from redirect endpoint: " + c.error })), u;
|
|
2455
2467
|
}
|
|
2456
|
-
return await this.receiveTokens(
|
|
2468
|
+
return await this.receiveTokens(c), c;
|
|
2457
2469
|
}
|
|
2458
2470
|
/**
|
|
2459
2471
|
* Turns auto refresh of tokens on
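Review bot: The rewritten `@returns` text in this hunk is garbled: "undefined if there was neither a code in the URL search params nor an error `undefined`. If" repeats `undefined` and ends on a dangling "If", and the removed lines also dropped the statement that a wrong `state` is an error case. Suggested wording: "@returns the OAuth response after `receiveTokens` has processed it, or `undefined` if the URL carried neither a `code` nor an `error`" with the `@throws` line kept. `redirectEndpoint(i, n, s, a)` is outside the hunk; if it does not compare `n` (the `state` query parameter) with the value stored when the flow was started, the redirect handler would accept an injected `code`, so confirm that check exists and document it here. `s` and `a` come straight from the query string and flow into the thrown error and the log message; callers that render `message` into a page should treat it as untrusted text.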
|
|
@@ -2471,11 +2483,11 @@ class fr extends cr {
|
|
|
2471
2483
|
}
|
|
2472
2484
|
/**
|
|
2473
2485
|
* Turns polling for a device code
|
|
2474
|
-
* @param
|
|
2475
|
-
* @param
|
|
2486
|
+
* @param deviceCode the device code to poll for (this was returned when the device code flow was started)
|
|
2487
|
+
* @param pollResultFn called with the result of each poll
|
|
2476
2488
|
*/
|
|
2477
|
-
async startDeviceCodePolling(t, o,
|
|
2478
|
-
return this.deviceCodePoller.startPolling(t, o,
|
|
2489
|
+
async startDeviceCodePolling(t, o, i = 5) {
|
|
2490
|
+
return this.deviceCodePoller.startPolling(t, o, i);
|
|
2479
2491
|
}
|
|
2480
2492
|
/**
|
|
2481
2493
|
* Turns off polling for a device code
|
|
@@ -2504,7 +2516,7 @@ class fr extends cr {
|
|
|
2504
2516
|
*/
|
|
2505
2517
|
randomValue(t) {
|
|
2506
2518
|
const o = new Uint8Array(t);
|
|
2507
|
-
return self.crypto.getRandomValues(o), btoa(o.reduce((
|
|
2519
|
+
return self.crypto.getRandomValues(o), btoa(o.reduce((i, n) => i + String.fromCharCode(n), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
|
|
2508
2520
|
}
|
|
2509
2521
|
/**
|
|
2510
2522
|
* SHA256 and Base64-url-encodes the given test
|
|
@@ -2512,8 +2524,8 @@ class fr extends cr {
|
|
|
2512
2524
|
* @returns the SHA256 hash, Base64-url-encode
|
|
2513
2525
|
*/
|
|
2514
2526
|
async sha256(t) {
|
|
2515
|
-
const
|
|
2516
|
-
return btoa(
|
|
2527
|
+
const i = new TextEncoder().encode(t), n = await crypto.subtle.digest("SHA-256", i), s = Array.from(new Uint8Array(n));
|
|
2528
|
+
return btoa(s.reduce((a, c) => a + String.fromCharCode(c), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
|
|
2517
2529
|
}
|
|
2518
2530
|
/**
|
|
2519
2531
|
* Calls an API endpoint on the resource server
|
|
@@ -2522,42 +2534,41 @@ class fr extends cr {
|
|
|
2522
2534
|
* @param body : the body to pass to the call
|
|
2523
2535
|
* @returns the HTTP status code and the body or null
|
|
2524
2536
|
*/
|
|
2525
|
-
async api(t, o,
|
|
2537
|
+
async api(t, o, i) {
|
|
2526
2538
|
let n = { ...this.resServerHeaders };
|
|
2527
2539
|
o.startsWith("/") && (o = o.substring(1));
|
|
2528
|
-
let
|
|
2529
|
-
|
|
2540
|
+
let s = {};
|
|
2541
|
+
i && (s.body = JSON.stringify(i));
|
|
2530
2542
|
let a;
|
|
2531
2543
|
this.accessTokenResponseType == "sessionStorage" ? a = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (a = localStorage.getItem(this.accessTokenName)), n.authorization = "Bearer " + a;
|
|
2532
|
-
const
|
|
2544
|
+
const c = await fetch(
|
|
2533
2545
|
this.resServerBaseUrl + o,
|
|
2534
2546
|
{
|
|
2535
2547
|
headers: n,
|
|
2536
2548
|
method: t,
|
|
2537
2549
|
mode: this.resServerMode,
|
|
2538
2550
|
credentials: this.resServerCredentials,
|
|
2539
|
-
...
|
|
2551
|
+
...s
|
|
2540
2552
|
}
|
|
2541
2553
|
);
|
|
2542
2554
|
let u = null;
|
|
2543
|
-
return
|
|
2555
|
+
return c.body && (u = await c.json()), { status: c.status, body: u };
|
|
2544
2556
|
}
|
|
2545
2557
|
///////////////////////////////////////////////////////////
|
|
2546
2558
|
// OAuthTokenProvider interface
|
|
2547
2559
|
/**
|
|
2548
2560
|
* Fetches the expiry times for each token.
|
|
2549
|
-
* @param
|
|
2550
|
-
*
|
|
2551
|
-
* making the request
|
|
2561
|
+
* @param _tokensToFetch unused
|
|
2562
|
+
* @param _csrfToken unused
|
|
2552
2563
|
* @returns for each token, either the expiry, `null` if it does not
|
|
2553
2564
|
* expire, or `undefined` if the token does not exist
|
|
2554
2565
|
*/
|
|
2555
2566
|
async getTokenExpiries(t, o) {
|
|
2556
|
-
let
|
|
2557
|
-
return w(this, R) && (
|
|
2558
|
-
id:
|
|
2567
|
+
let i, n, s;
|
|
2568
|
+
return w(this, R) && (i = w(this, R).exp ? w(this, R).exp : null), w(this, K) && (n = w(this, K).exp ? w(this, K).exp : null), w(this, D) && (s = w(this, D).exp ? w(this, D).exp : null), {
|
|
2569
|
+
id: i,
|
|
2559
2570
|
access: n,
|
|
2560
|
-
refresh:
|
|
2571
|
+
refresh: s
|
|
2561
2572
|
};
|
|
2562
2573
|
}
|
|
2563
2574
|
/**
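Review bot: `n.authorization = "Bearer " + a` runs unconditionally, so when `accessTokenResponseType` is neither `"sessionStorage"` nor `"localStorage"`, or the storage slot is empty, `a` is `undefined` and the resource server receives the literal header `Bearer undefined`. The class's own `jsonFetchWithToken` throws `new g(m.InvalidToken, ...)` in that situation, and `api` should behave the same: `if (!a) throw new g(m.InvalidToken, "Cannot call API - no access token defined");` before the header is set. The `c.body && (u = await c.json())` parse has the same non-JSON-body failure mode already raised on the BFF client's `api`.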
|
|
@@ -2570,8 +2581,8 @@ class fr extends cr {
|
|
|
2570
2581
|
* @param token which token to add
|
|
2571
2582
|
* @returns parsed JSON response
|
|
2572
2583
|
*/
|
|
2573
|
-
async jsonFetchWithToken(t, o,
|
|
2574
|
-
if (
|
|
2584
|
+
async jsonFetchWithToken(t, o, i) {
|
|
2585
|
+
if (i == "access") {
|
|
2575
2586
|
if (!w(this, j))
|
|
2576
2587
|
throw new g(m.InvalidToken, "Cannot make fetch with access token - no access token defined");
|
|
2577
2588
|
o.headers || (o.headers = {}), o.headers.authorization = "Bearer " + w(this, j);
|
|
@@ -2595,7 +2606,7 @@ class fr extends cr {
|
|
|
2595
2606
|
}
|
|
2596
2607
|
if (t.refresh_token) {
|
|
2597
2608
|
const o = this.getTokenPayload(t.refresh_token);
|
|
2598
|
-
o && (b(this, O, t.refresh_token), b(this,
|
|
2609
|
+
o && (b(this, O, t.refresh_token), b(this, D, o)), this.refreshTokenResponseType == "localStorage" ? localStorage.setItem(this.refreshTokenName, t.refresh_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);
|
|
2599
2610
|
}
|
|
2600
2611
|
if (t.id_token) {
|
|
2601
2612
|
const o = await this.validateIdToken(t.id_token);
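Review bot: The refresh-token persistence branch tests the wrong setting: `this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token)` keys the decision on the access-token mode, so the refresh token is written to `sessionStorage` whenever the access token is configured for it, and is not written when only the refresh token is; the constructor reads it back with `this.refreshTokenResponseType == "sessionStorage"`, so the two sides disagree. A refresh token is a long-lived credential, and persisting it somewhere the configuration did not ask for widens its exposure to any script running on the origin. The fix is the one word: `: this.refreshTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);`. `receiveTokens` begins before this hunk.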
|
|
@@ -2605,7 +2616,7 @@ class fr extends cr {
|
|
|
2605
2616
|
/////////
|
|
2606
2617
|
// Wrap flow functions
|
|
2607
2618
|
/**
|
|
2608
|
-
* See {@link
|
|
2619
|
+
* See {@link OAuthClientBase}. Calls the base function
|
|
2609
2620
|
* then saves the tokens, as per the requested method
|
|
2610
2621
|
* @param scope
|
|
2611
2622
|
*/
|
|
@@ -2614,16 +2625,16 @@ class fr extends cr {
|
|
|
2614
2625
|
return await this.receiveTokens(o), o;
|
|
2615
2626
|
}
|
|
2616
2627
|
/**
|
|
2617
|
-
* See {@link
|
|
2628
|
+
* See {@link OAuthClientBase}. Calls the base function
|
|
2618
2629
|
* then saves the tokens, as per the requested method
|
|
2619
2630
|
* @param scope
|
|
2620
2631
|
*/
|
|
2621
|
-
async passwordFlow(t, o,
|
|
2622
|
-
const n = await super.passwordFlow(t, o,
|
|
2632
|
+
async passwordFlow(t, o, i) {
|
|
2633
|
+
const n = await super.passwordFlow(t, o, i);
|
|
2623
2634
|
return await this.receiveTokens(n), n;
|
|
2624
2635
|
}
|
|
2625
2636
|
/**
|
|
2626
|
-
* See {@link
|
|
2637
|
+
* See {@link OAuthClientBase}. Calls the base function
|
|
2627
2638
|
* then saves the tokens, as per the requested method
|
|
2628
2639
|
* @param scope
|
|
2629
2640
|
*/
|
|
@@ -2632,27 +2643,32 @@ class fr extends cr {
|
|
|
2632
2643
|
return o.endsWith("/") || (o += "/"), o += this.deviceAuthorizationUrl, await super.startDeviceCodeFlow(o, t);
|
|
2633
2644
|
}
|
|
2634
2645
|
/**
|
|
2635
|
-
* See {@link
|
|
2646
|
+
* See {@link OAuthClientBase}. Calls the base function
|
|
2636
2647
|
* then saves the tokens, as per the requested method
|
|
2637
|
-
* @param
|
|
2648
|
+
* @param mfaToken the MFA token returned when the flow was started
|
|
2649
|
+
* @param otp the One time password entered by the user
|
|
2650
|
+
* @return the response from the MFA OTP OAuth call
|
|
2638
2651
|
*/
|
|
2639
2652
|
async mfaOtpComplete(t, o) {
|
|
2640
|
-
const
|
|
2641
|
-
return await this.receiveTokens(
|
|
2653
|
+
const i = await super.mfaOtpComplete(t, o);
|
|
2654
|
+
return await this.receiveTokens(i), i;
|
|
2642
2655
|
}
|
|
2643
2656
|
/**
|
|
2644
|
-
* See {@link
|
|
2657
|
+
* See {@link OAuthClientBase}. Calls the base function
|
|
2645
2658
|
* then saves the tokens, as per the requested method
|
|
2646
|
-
* @param
|
|
2659
|
+
* @param mfaToken the MFA token returned when the flow was started
|
|
2660
|
+
* @param oobCode the code entered by the user
|
|
2661
|
+
* @return the response from the MFA OOB OAuth call
|
|
2647
2662
|
*/
|
|
2648
|
-
async mfaOobComplete(t, o,
|
|
2649
|
-
const n = await super.mfaOobComplete(t, o,
|
|
2663
|
+
async mfaOobComplete(t, o, i) {
|
|
2664
|
+
const n = await super.mfaOobComplete(t, o, i);
|
|
2650
2665
|
return await this.receiveTokens(n), n;
|
|
2651
2666
|
}
|
|
2652
2667
|
/**
|
|
2653
|
-
* See {@link
|
|
2668
|
+
* See {@link OAuthClientBase}. Calls the base function
|
|
2654
2669
|
* then saves the tokens, as per the requested method
|
|
2655
|
-
* @param
|
|
2670
|
+
* @param refreshToken the refresh token. Do not pass this if you have
|
|
2671
|
+
* it stored in this object already
|
|
2656
2672
|
*/
|
|
2657
2673
|
async refreshTokenFlow(t) {
|
|
2658
2674
|
if (!t)
|
|
@@ -2669,22 +2685,26 @@ class fr extends cr {
|
|
|
2669
2685
|
* @param pkce whether or not to use PKCE.
|
|
2670
2686
|
*/
|
|
2671
2687
|
async authorizationCodeFlow(t, o = !1) {
|
|
2672
|
-
const
|
|
2673
|
-
if (
|
|
2688
|
+
const i = await super.startAuthorizationCodeFlow(t, o);
|
|
2689
|
+
if (i.error || !i.url) {
|
|
2674
2690
|
const n = g.fromOAuthError(
|
|
2675
|
-
|
|
2676
|
-
|
|
2691
|
+
i.error ?? "Couldn't create URL for authorization code flow",
|
|
2692
|
+
i.error_description
|
|
2677
2693
|
);
|
|
2678
|
-
throw
|
|
2694
|
+
throw d.logger.debug(h({ err: n })), n;
|
|
2679
2695
|
}
|
|
2680
|
-
location.href =
|
|
2696
|
+
location.href = i.url;
|
|
2681
2697
|
}
|
|
2682
2698
|
}
|
|
2683
|
-
j = new WeakMap(), O = new WeakMap(), R = new WeakMap(), K = new WeakMap(),
|
|
2699
|
+
j = new WeakMap(), O = new WeakMap(), R = new WeakMap(), K = new WeakMap(), D = new WeakMap(), B = new WeakMap(), L = new WeakMap();
|
|
2684
2700
|
export {
|
|
2685
2701
|
g as CrossauthError,
|
|
2686
|
-
|
|
2702
|
+
d as CrossauthLogger,
|
|
2703
|
+
Ae as OAuthAutoRefresher,
|
|
2687
2704
|
ur as OAuthBffClient,
|
|
2688
|
-
|
|
2689
|
-
|
|
2705
|
+
gr as OAuthClient,
|
|
2706
|
+
Pe as OAuthDeviceCodePoller,
|
|
2707
|
+
hr as OAuthTokenConsumer,
|
|
2708
|
+
fr as OAuthTokenProvider,
|
|
2709
|
+
h as j
|
|
2690
2710
|
};
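Review bot: The export list now publishes the internal log-formatting helper as `h as j`, a single-letter name that reads like a bundler-mangled identifier leaking into the public API; if it is intentional it should carry a descriptive name, and if not it should be dropped before consumers start depending on it. The same list exposes `fr as OAuthTokenProvider`, whose `getCsrfToken()` never resolves, so the public surface grows by a class that cannot be used as-is. In `authorizationCodeFlow`, `throw d.logger.debug(h({ err: n })), n;` is correct but hard to read; `d.logger.debug(h({ err: n })); throw n;` says the same thing without the comma operator.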
|