@crossauth/frontend 1.0.0 → 1.1.0
- package/README.md +1 -1
- package/dist/index.cjs +1 -1
- package/dist/index.iife.js +1 -1
- package/dist/index.js +778 -665
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -1,39 +1,45 @@
|
|
|
1
|
-
var
|
|
2
|
-
var
|
|
1
|
+
var xe = Object.defineProperty;
|
|
2
|
+
var ue = (r) => {
|
|
3
3
|
throw TypeError(r);
|
|
4
4
|
};
|
|
5
|
-
var
|
|
6
|
-
var f = (r, e, t) =>
|
|
7
|
-
var p = (r, e, t) => (
|
|
8
|
-
var
|
|
5
|
+
var He = (r, e, t) => e in r ? xe(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t;
|
|
6
|
+
var f = (r, e, t) => He(r, typeof e != "symbol" ? e + "" : e, t), fe = (r, e, t) => e.has(r) || ue("Cannot " + t);
|
|
7
|
+
var p = (r, e, t) => (fe(r, e, "read from private field"), t ? t.call(r) : e.get(r)), R = (r, e, t) => e.has(r) ? ue("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), T = (r, e, t, o) => (fe(r, e, "write to private field"), o ? o.call(r, t) : e.set(r, t), t);
|
|
8
|
+
var je = Object.defineProperty, _e = (r) => {
|
|
9
9
|
throw TypeError(r);
|
|
10
|
-
},
|
|
11
|
-
class
|
|
10
|
+
}, De = (r, e, t) => e in r ? je(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t, u = (r, e, t) => De(r, typeof e != "symbol" ? e + "" : e, t), ke = (r, e, t) => e.has(r) || _e("Cannot " + t), w = (r, e, t) => (ke(r, e, "read from private field"), e.get(r)), ge = (r, e, t) => e.has(r) ? _e("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t), te = (r, e, t, o) => (ke(r, e, "write to private field"), e.set(r, t), t);
|
|
11
|
+
class K {
|
|
12
12
|
}
|
|
13
|
-
u(
|
|
14
|
-
u(
|
|
13
|
+
u(K, "active", "active"), /** Deactivated account. User cannot log in */
|
|
14
|
+
u(K, "disabled", "disabled"), /** Two factor authentication has been actived for this user
|
|
15
15
|
* but has not yet been configured. Once a user logs in,
|
|
16
16
|
* they will be directed to a page to configure 2FA and will
|
|
17
17
|
* not be able to do anything else (that requires login) until
|
|
18
18
|
* they have done so.
|
|
19
19
|
*/
|
|
20
|
-
u(
|
|
20
|
+
u(K, "awaitingTwoFactorSetup", "awaitingtwofactorsetup"), /** Two factor authentication has been actived for this user
|
|
21
|
+
* but has not yet been configured. Once a user logs in,
|
|
22
|
+
* they will be directed to a page to configure 2FA and will
|
|
23
|
+
* not be able to do anything else (that requires login) until
|
|
24
|
+
* they have done so. They will then have to verify their email
|
|
25
|
+
*/
|
|
26
|
+
u(K, "awaitingTwoFactorSetupAndEmailVerification", "awaitingtwofactorsetupandemailverification"), /** Email verification has been turned on but user has not
|
|
21
27
|
* verified his or her email address. Cannot log on until it has
|
|
22
28
|
* been verified.
|
|
23
29
|
*/
|
|
24
|
-
u(
|
|
30
|
+
u(K, "awaitingEmailVerification", "awaitingemailverification"), /**
|
|
25
31
|
* If the state is set to this, the user may not access any
|
|
26
32
|
* login-required functions unless he or she has changed their password.
|
|
27
33
|
*
|
|
28
34
|
* Upon login, the user is redirected to the change password page.
|
|
29
35
|
*/
|
|
30
|
-
u(
|
|
36
|
+
u(K, "passwordChangeNeeded", "passwordchangeneeded"), /**
|
|
31
37
|
* If the state is set to this, the user may not access any
|
|
32
38
|
* login-required functions unless he or she has reset their password.
|
|
33
39
|
*
|
|
34
40
|
* Upon login, the user is redirected to the reset password page.
|
|
35
41
|
*/
|
|
36
|
-
u(
|
|
42
|
+
u(K, "passwordResetNeeded", "passwordresetneeded"), /**
|
|
37
43
|
* If the state is set to this, the user may not access any
|
|
38
44
|
* login-required functions unless he or she has reset their second
|
|
39
45
|
* factor configuration.
|
|
@@ -44,26 +50,26 @@ u(H, "passwordResetNeeded", "passwordresetneeded"), /**
|
|
|
44
50
|
* this value and the user will then be prompted to configure 2FA
|
|
45
51
|
* upon login.
|
|
46
52
|
*/
|
|
47
|
-
u(
|
|
53
|
+
u(K, "factor2ResetNeeded", "factor2resetneeded"), /**
|
|
48
54
|
* If the state is set to this, the user may not access any
|
|
49
55
|
* login-required functions unless he or she has reset their password
|
|
50
56
|
* and then resets factor2.
|
|
51
57
|
*
|
|
52
58
|
* Upon login, the user is redirected to the reset password page.
|
|
53
59
|
*/
|
|
54
|
-
u(
|
|
55
|
-
class
|
|
60
|
+
u(K, "passwordAndFactor2ResetNeeded", "passwordandfactor2resetneeded");
|
|
61
|
+
class O {
|
|
56
62
|
}
|
|
57
|
-
u(
|
|
58
|
-
u(
|
|
59
|
-
u(
|
|
60
|
-
u(
|
|
61
|
-
u(
|
|
62
|
-
u(
|
|
63
|
-
u(
|
|
64
|
-
u(
|
|
65
|
-
u(
|
|
66
|
-
u(
|
|
63
|
+
u(O, "session", "s:"), /** Password Reset Token */
|
|
64
|
+
u(O, "passwordResetToken", "p:"), /** Email verification token */
|
|
65
|
+
u(O, "emailVerificationToken", "e:"), /** API key */
|
|
66
|
+
u(O, "apiKey", "api:"), /** OAuth authorization code */
|
|
67
|
+
u(O, "authorizationCode", "authz:"), /** OAuth access token */
|
|
68
|
+
u(O, "accessToken", "access:"), /** OAuth refresh token */
|
|
69
|
+
u(O, "refreshToken", "refresh:"), /** OAuth MFA key (used by the password MFA flow) */
|
|
70
|
+
u(O, "mfaToken", "omfa:"), /** Device code device code */
|
|
71
|
+
u(O, "deviceCode", "dc:"), /** Device code flow user code */
|
|
72
|
+
u(O, "userCode", "uc:");
|
|
67
73
|
var m = /* @__PURE__ */ ((r) => (r[r.UserNotExist = 0] = "UserNotExist", r[r.PasswordInvalid = 1] = "PasswordInvalid", r[r.EmailNotExist = 2] = "EmailNotExist", r[r.UsernameOrPasswordInvalid = 3] = "UsernameOrPasswordInvalid", r[r.InvalidClientId = 4] = "InvalidClientId", r[r.ClientExists = 5] = "ClientExists", r[r.InvalidClientSecret = 6] = "InvalidClientSecret", r[r.InvalidClientIdOrSecret = 7] = "InvalidClientIdOrSecret", r[r.InvalidRedirectUri = 8] = "InvalidRedirectUri", r[r.InvalidOAuthFlow = 9] = "InvalidOAuthFlow", r[r.UserNotActive = 10] = "UserNotActive", r[r.EmailNotVerified = 11] = "EmailNotVerified", r[r.TwoFactorIncomplete = 12] = "TwoFactorIncomplete", r[r.Unauthorized = 13] = "Unauthorized", r[r.UnauthorizedClient = 14] = "UnauthorizedClient", r[r.InvalidScope = 15] = "InvalidScope", r[r.InsufficientScope = 16] = "InsufficientScope", r[r.InsufficientPriviledges = 17] = "InsufficientPriviledges", r[r.Forbidden = 18] = "Forbidden", r[r.InvalidKey = 19] = "InvalidKey", r[r.InvalidCsrf = 20] = "InvalidCsrf", r[r.InvalidSession = 21] = "InvalidSession", r[r.Expired = 22] = "Expired", r[r.Connection = 23] = "Connection", r[r.InvalidHash = 24] = "InvalidHash", r[r.UnsupportedAlgorithm = 25] = "UnsupportedAlgorithm", r[r.KeyExists = 26] = "KeyExists", r[r.PasswordChangeNeeded = 27] = "PasswordChangeNeeded", r[r.PasswordResetNeeded = 28] = "PasswordResetNeeded", r[r.Factor2ResetNeeded = 29] = "Factor2ResetNeeded", r[r.Configuration = 30] = "Configuration", r[r.InvalidEmail = 31] = "InvalidEmail", r[r.InvalidPhoneNumber = 32] = "InvalidPhoneNumber", r[r.InvalidUsername = 33] = "InvalidUsername", r[r.PasswordMatch = 34] = "PasswordMatch", r[r.InvalidToken = 35] = "InvalidToken", r[r.MfaRequired = 36] = "MfaRequired", r[r.PasswordFormat = 37] = "PasswordFormat", r[r.DataFormat = 38] = "DataFormat", r[r.FetchError = 39] = "FetchError", r[r.UserExists = 40] = "UserExists", r[r.FormEntry = 41] = "FormEntry", r[r.BadRequest = 42] = "BadRequest", 
r[r.AuthorizationPending = 43] = "AuthorizationPending", r[r.SlowDown = 44] = "SlowDown", r[r.ExpiredToken = 45] = "ExpiredToken", r[r.ConstraintViolation = 46] = "ConstraintViolation", r[r.NotImplemented = 47] = "NotImplemented", r[r.UnknownError = 48] = "UnknownError", r))(m || {});
|
|
68
74
|
class g extends Error {
|
|
69
75
|
/**
|
|
@@ -73,14 +79,14 @@ class g extends Error {
|
|
|
73
79
|
* @param message if provided, this error will display. Otherwise a default one for the error code will be used.
|
|
74
80
|
*/
|
|
75
81
|
constructor(e, t = void 0) {
|
|
76
|
-
let o,
|
|
77
|
-
e == 0 ? (o = "User does not exist",
|
|
82
|
+
let o, s = 500;
|
|
83
|
+
e == 0 ? (o = "User does not exist", s = 401) : e == 1 ? (o = "Password doesn't match", s = 401) : e == 3 ? (o = "Username or password incorrect", s = 401) : e == 4 ? (o = "Client id is invalid", s = 401) : e == 5 ? (o = "Client ID or name already exists", s = 500) : e == 6 ? (o = "Client secret is invalid", s = 401) : e == 7 ? (o = "Client id or secret is invalid", s = 401) : e == 8 ? (o = "Redirect Uri is not registered", s = 401) : e == 9 ? (o = "Invalid OAuth flow type", s = 500) : e == 2 ? (o = "No user exists with that email address", s = 401) : e == 10 ? (o = "Account is not active", s = 403) : e == 33 ? (o = "Username is not in an allowed format", s = 400) : e == 31 ? (o = "Email is not in an allowed format", s = 400) : e == 32 ? (o = "Phone number is not in an allowed format", s = 400) : e == 11 ? (o = "Email address has not been verified", s = 403) : e == 12 ? (o = "Two-factor setup is not complete", s = 403) : e == 13 ? (o = "Not authorized", s = 401) : e == 14 ? (o = "Client not authorized", s = 401) : e == 15 ? (o = "Invalid scope", s = 403) : e == 16 ? (o = "Insufficient scope", s = 403) : e == 23 ? o = "Connection failure" : e == 22 ? (o = "Token has expired", s = 401) : e == 24 ? o = "Hash is not in a valid format" : e == 19 ? (o = "Key is invalid", s = 401) : e == 18 ? (o = "You do not have permission to access this resource", s = 403) : e == 17 ? (o = "You do not have the right privileges to access this resource", s = 401) : e == 20 ? (o = "CSRF token is invalid", s = 401) : e == 21 ? (o = "Session cookie is invalid", s = 401) : e == 25 ? o = "Algorithm not supported" : e == 26 ? o = "Attempt to create a key that already exists" : e == 27 ? (o = "User must change password", s = 403) : e == 28 ? (o = "User must reset password", s = 403) : e == 29 ? (o = "User must reset 2FA", s = 403) : e == 30 ? o = "There was an error in the configuration" : e == 34 ? (o = "Passwords do not match", s = 401) : e == 35 ? 
(o = "Token is not valid", s = 401) : e == 36 ? (o = "MFA is required", s = 401) : e == 37 ? (o = "Password format was incorrect", s = 401) : e == 40 ? (o = "User already exists", s = 400) : e == 42 ? (o = "The request is invalid", s = 400) : e == 38 ? (o = "Session data has unexpected format", s = 500) : e == 39 ? (o = "Couldn't execute a fetch", s = 500) : e == 43 ? (o = "Waiting for authorization", s = 200) : e == 44 ? (o = "Slow polling down by 5 seconds", s = 200) : e == 45 ? (o = "Token has expired", s = 401) : e == 46 ? (o = "Database update/insert caused a constraint violation", s = 500) : e == 47 ? (o = "This method has not been implemented", s = 500) : (o = "Unknown error", s = 500), t != null && !Array.isArray(t) ? o = t : Array.isArray(t) && (o = t.join(". ")), super(o), u(this, "isCrossauthError", !0), u(this, "httpStatus"), u(this, "code"), u(this, "codeName"), u(this, "messages"), this.code = e, this.codeName = m[e], this.httpStatus = s, this.name = "CrossauthError", Array.isArray(t) ? this.messages = t : this.messages = [o], Object.setPrototypeOf(this, g.prototype);
|
|
78
84
|
}
|
|
79
85
|
/**
|
|
80
86
|
* OAuth defines certain error types. To convert the error in an OAuth
|
|
81
87
|
* response into a CrossauthError object, call this function.
|
|
82
88
|
*
|
|
83
|
-
* @param error as returned by an OAuth call (converted to an {@link ErrorCode}).
|
|
89
|
+
* @param error as returned by an OAuth call (converted to an {@link @crossauth/common!ErrorCode}).
|
|
84
90
|
* @param error_description as returned by an OAuth call (put in the `message`)
|
|
85
91
|
* @returns a `CrossauthError` instance.
|
|
86
92
|
*/
|
|
@@ -164,7 +170,7 @@ class g extends Error {
|
|
|
164
170
|
* it.
|
|
165
171
|
* If not and it is an object with `errorCode` in it, creates a
|
|
166
172
|
* CrossauthError from that and `errorMessage`, if present.
|
|
167
|
-
* Otherwise creates a `CrossauthError` object with {@link ErrorCode}
|
|
173
|
+
* Otherwise creates a `CrossauthError` object with {@link @crossauth/common!ErrorCode}
|
|
168
174
|
* of `Unknown` from it, setting the `message` if possible.
|
|
169
175
|
*
|
|
170
176
|
* @param e the error to convert.
|
|
@@ -174,13 +180,13 @@ class g extends Error {
|
|
|
174
180
|
if (e instanceof Error)
|
|
175
181
|
return "isCrossauthError" in e ? e : new g(48, e.message);
|
|
176
182
|
if ("errorCode" in e) {
|
|
177
|
-
let
|
|
183
|
+
let s = 48;
|
|
178
184
|
try {
|
|
179
|
-
|
|
185
|
+
s = Number(e.errorCode) ?? 48;
|
|
180
186
|
} catch {
|
|
181
187
|
}
|
|
182
|
-
let n = t ?? m[
|
|
183
|
-
return "errorMessage" in e ? n = e.errorMessage : "message" in e && (n = e.message), new g(
|
|
188
|
+
let n = t ?? m[s];
|
|
189
|
+
return "errorMessage" in e ? n = e.errorMessage : "message" in e && (n = e.message), new g(s, n);
|
|
184
190
|
}
|
|
185
191
|
let o = t ?? m[
|
|
186
192
|
48
|
|
@@ -189,7 +195,7 @@ class g extends Error {
|
|
|
189
195
|
return "message" in e && (o = e.message), new g(48, o);
|
|
190
196
|
}
|
|
191
197
|
}
|
|
192
|
-
const
|
|
198
|
+
const L = class P {
|
|
193
199
|
/**
|
|
194
200
|
* Create a logger with the given level
|
|
195
201
|
* @param level the level to report to
|
|
@@ -257,13 +263,13 @@ const W = class P {
|
|
|
257
263
|
globalThis.crossauthLogger = e, globalThis.crossauthLoggerAcceptsJson = t;
|
|
258
264
|
}
|
|
259
265
|
};
|
|
260
|
-
u(
|
|
261
|
-
u(
|
|
262
|
-
u(
|
|
263
|
-
u(
|
|
264
|
-
u(
|
|
265
|
-
let d =
|
|
266
|
-
function
|
|
266
|
+
u(L, "None", 0), /** Only log errors */
|
|
267
|
+
u(L, "Error", 1), /** Log errors and warning */
|
|
268
|
+
u(L, "Warn", 2), /** Log errors, warnings and info messages */
|
|
269
|
+
u(L, "Info", 3), /** Log everything */
|
|
270
|
+
u(L, "Debug", 4), u(L, "levelName", ["NONE", "ERROR", "WARN", "INFO", "DEBUG"]);
|
|
271
|
+
let d = L;
|
|
272
|
+
function l(r) {
|
|
267
273
|
let e;
|
|
268
274
|
typeof r == "object" && "err" in r && typeof r.err == "object" && (e = r.err.stack);
|
|
269
275
|
try {
|
|
@@ -286,7 +292,7 @@ function h(r) {
|
|
|
286
292
|
}
|
|
287
293
|
globalThis.crossauthLogger = new d();
|
|
288
294
|
globalThis.crossauthLoggerAcceptsJson = !0;
|
|
289
|
-
const
|
|
295
|
+
const Ce = {
|
|
290
296
|
issuer: "",
|
|
291
297
|
authorization_endpoint: "",
|
|
292
298
|
token_endpoint: "",
|
|
@@ -301,79 +307,129 @@ const me = {
|
|
|
301
307
|
request_parameter_supported: !1,
|
|
302
308
|
request_uri_parameter_supported: !0,
|
|
303
309
|
require_request_uri_registration: !1
|
|
304
|
-
},
|
|
305
|
-
function
|
|
306
|
-
const e = r.reduce((
|
|
310
|
+
}, ae = crypto, Se = (r) => r instanceof CryptoKey, oe = new TextEncoder(), re = new TextDecoder();
|
|
311
|
+
function Je(...r) {
|
|
312
|
+
const e = r.reduce((s, { length: n }) => s + n, 0), t = new Uint8Array(e);
|
|
307
313
|
let o = 0;
|
|
308
|
-
for (const
|
|
309
|
-
t.set(
|
|
314
|
+
for (const s of r)
|
|
315
|
+
t.set(s, o), o += s.length;
|
|
310
316
|
return t;
|
|
311
317
|
}
|
|
312
|
-
const
|
|
318
|
+
const ze = (r) => {
|
|
313
319
|
const e = atob(r), t = new Uint8Array(e.length);
|
|
314
320
|
for (let o = 0; o < e.length; o++)
|
|
315
321
|
t[o] = e.charCodeAt(o);
|
|
316
322
|
return t;
|
|
317
|
-
},
|
|
323
|
+
}, z = (r) => {
|
|
318
324
|
let e = r;
|
|
319
|
-
e instanceof Uint8Array && (e =
|
|
325
|
+
e instanceof Uint8Array && (e = re.decode(e)), e = e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
|
|
320
326
|
try {
|
|
321
|
-
return
|
|
327
|
+
return ze(e);
|
|
322
328
|
} catch {
|
|
323
329
|
throw new TypeError("The input to be decoded is not correctly encoded.");
|
|
324
330
|
}
|
|
325
331
|
};
|
|
326
|
-
class
|
|
327
|
-
|
|
328
|
-
|
|
332
|
+
class E extends Error {
|
|
333
|
+
constructor(e, t) {
|
|
334
|
+
var o;
|
|
335
|
+
super(e, t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (o = Error.captureStackTrace) == null || o.call(Error, this, this.constructor);
|
|
329
336
|
}
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
337
|
+
}
|
|
338
|
+
E.code = "ERR_JOSE_GENERIC";
|
|
339
|
+
class Le extends E {
|
|
340
|
+
constructor(e, t, o = "unspecified", s = "unspecified") {
|
|
341
|
+
super(e, { cause: { claim: o, reason: s, payload: t } }), this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED", this.claim = o, this.reason = s, this.payload = t;
|
|
333
342
|
}
|
|
334
343
|
}
|
|
335
|
-
|
|
344
|
+
Le.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
|
|
345
|
+
class Fe extends E {
|
|
346
|
+
constructor(e, t, o = "unspecified", s = "unspecified") {
|
|
347
|
+
super(e, { cause: { claim: o, reason: s, payload: t } }), this.code = "ERR_JWT_EXPIRED", this.claim = o, this.reason = s, this.payload = t;
|
|
348
|
+
}
|
|
349
|
+
}
|
|
350
|
+
Fe.code = "ERR_JWT_EXPIRED";
|
|
351
|
+
class Me extends E {
|
|
352
|
+
constructor() {
|
|
353
|
+
super(...arguments), this.code = "ERR_JOSE_ALG_NOT_ALLOWED";
|
|
354
|
+
}
|
|
355
|
+
}
|
|
356
|
+
Me.code = "ERR_JOSE_ALG_NOT_ALLOWED";
|
|
357
|
+
class I extends E {
|
|
336
358
|
constructor() {
|
|
337
359
|
super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
|
|
338
360
|
}
|
|
339
|
-
|
|
340
|
-
|
|
361
|
+
}
|
|
362
|
+
I.code = "ERR_JOSE_NOT_SUPPORTED";
|
|
363
|
+
class $e extends E {
|
|
364
|
+
constructor(e = "decryption operation failed", t) {
|
|
365
|
+
super(e, t), this.code = "ERR_JWE_DECRYPTION_FAILED";
|
|
341
366
|
}
|
|
342
367
|
}
|
|
343
|
-
|
|
368
|
+
$e.code = "ERR_JWE_DECRYPTION_FAILED";
|
|
369
|
+
class Be extends E {
|
|
344
370
|
constructor() {
|
|
345
|
-
super(...arguments), this.code = "
|
|
371
|
+
super(...arguments), this.code = "ERR_JWE_INVALID";
|
|
346
372
|
}
|
|
347
|
-
|
|
348
|
-
|
|
373
|
+
}
|
|
374
|
+
Be.code = "ERR_JWE_INVALID";
|
|
375
|
+
class C extends E {
|
|
376
|
+
constructor() {
|
|
377
|
+
super(...arguments), this.code = "ERR_JWS_INVALID";
|
|
349
378
|
}
|
|
350
379
|
}
|
|
351
|
-
|
|
380
|
+
C.code = "ERR_JWS_INVALID";
|
|
381
|
+
class x extends E {
|
|
352
382
|
constructor() {
|
|
353
383
|
super(...arguments), this.code = "ERR_JWT_INVALID";
|
|
354
384
|
}
|
|
355
|
-
|
|
356
|
-
|
|
385
|
+
}
|
|
386
|
+
x.code = "ERR_JWT_INVALID";
|
|
387
|
+
class qe extends E {
|
|
388
|
+
constructor() {
|
|
389
|
+
super(...arguments), this.code = "ERR_JWK_INVALID";
|
|
357
390
|
}
|
|
358
391
|
}
|
|
359
|
-
|
|
392
|
+
qe.code = "ERR_JWK_INVALID";
|
|
393
|
+
class Ve extends E {
|
|
360
394
|
constructor() {
|
|
361
|
-
super(...arguments), this.code = "
|
|
395
|
+
super(...arguments), this.code = "ERR_JWKS_INVALID";
|
|
396
|
+
}
|
|
397
|
+
}
|
|
398
|
+
Ve.code = "ERR_JWKS_INVALID";
|
|
399
|
+
class Ge extends E {
|
|
400
|
+
constructor(e = "no applicable key found in the JSON Web Key Set", t) {
|
|
401
|
+
super(e, t), this.code = "ERR_JWKS_NO_MATCHING_KEY";
|
|
402
|
+
}
|
|
403
|
+
}
|
|
404
|
+
Ge.code = "ERR_JWKS_NO_MATCHING_KEY";
|
|
405
|
+
class Ye extends E {
|
|
406
|
+
constructor(e = "multiple matching keys found in the JSON Web Key Set", t) {
|
|
407
|
+
super(e, t), this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
|
|
362
408
|
}
|
|
363
|
-
|
|
364
|
-
|
|
409
|
+
}
|
|
410
|
+
Ye.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
|
|
411
|
+
class Xe extends E {
|
|
412
|
+
constructor(e = "request timed out", t) {
|
|
413
|
+
super(e, t), this.code = "ERR_JWKS_TIMEOUT";
|
|
414
|
+
}
|
|
415
|
+
}
|
|
416
|
+
Xe.code = "ERR_JWKS_TIMEOUT";
|
|
417
|
+
class Te extends E {
|
|
418
|
+
constructor(e = "signature verification failed", t) {
|
|
419
|
+
super(e, t), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
|
|
365
420
|
}
|
|
366
421
|
}
|
|
367
|
-
|
|
422
|
+
Te.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
|
|
423
|
+
function U(r, e = "algorithm.name") {
|
|
368
424
|
return new TypeError(`CryptoKey does not support this operation, its ${e} must be ${r}`);
|
|
369
425
|
}
|
|
370
|
-
function
|
|
426
|
+
function Q(r, e) {
|
|
371
427
|
return r.name === e;
|
|
372
428
|
}
|
|
373
|
-
function
|
|
429
|
+
function ce(r) {
|
|
374
430
|
return parseInt(r.name.slice(4), 10);
|
|
375
431
|
}
|
|
376
|
-
function
|
|
432
|
+
function Qe(r) {
|
|
377
433
|
switch (r) {
|
|
378
434
|
case "ES256":
|
|
379
435
|
return "P-256";
|
|
@@ -385,7 +441,7 @@ function ze(r) {
|
|
|
385
441
|
throw new Error("unreachable");
|
|
386
442
|
}
|
|
387
443
|
}
|
|
388
|
-
function
|
|
444
|
+
function Ze(r, e) {
|
|
389
445
|
if (e.length && !e.some((t) => r.usages.includes(t))) {
|
|
390
446
|
let t = "CryptoKey does not support this operation, its usages must include ";
|
|
391
447
|
if (e.length > 2) {
|
|
@@ -395,82 +451,87 @@ function De(r, e) {
|
|
|
395
451
|
throw new TypeError(t);
|
|
396
452
|
}
|
|
397
453
|
}
|
|
398
|
-
function
|
|
454
|
+
function er(r, e, ...t) {
|
|
399
455
|
switch (e) {
|
|
400
456
|
case "HS256":
|
|
401
457
|
case "HS384":
|
|
402
458
|
case "HS512": {
|
|
403
|
-
if (!
|
|
404
|
-
throw
|
|
459
|
+
if (!Q(r.algorithm, "HMAC"))
|
|
460
|
+
throw U("HMAC");
|
|
405
461
|
const o = parseInt(e.slice(2), 10);
|
|
406
|
-
if (
|
|
407
|
-
throw
|
|
462
|
+
if (ce(r.algorithm.hash) !== o)
|
|
463
|
+
throw U(`SHA-${o}`, "algorithm.hash");
|
|
408
464
|
break;
|
|
409
465
|
}
|
|
410
466
|
case "RS256":
|
|
411
467
|
case "RS384":
|
|
412
468
|
case "RS512": {
|
|
413
|
-
if (!
|
|
414
|
-
throw
|
|
469
|
+
if (!Q(r.algorithm, "RSASSA-PKCS1-v1_5"))
|
|
470
|
+
throw U("RSASSA-PKCS1-v1_5");
|
|
415
471
|
const o = parseInt(e.slice(2), 10);
|
|
416
|
-
if (
|
|
417
|
-
throw
|
|
472
|
+
if (ce(r.algorithm.hash) !== o)
|
|
473
|
+
throw U(`SHA-${o}`, "algorithm.hash");
|
|
418
474
|
break;
|
|
419
475
|
}
|
|
420
476
|
case "PS256":
|
|
421
477
|
case "PS384":
|
|
422
478
|
case "PS512": {
|
|
423
|
-
if (!
|
|
424
|
-
throw
|
|
479
|
+
if (!Q(r.algorithm, "RSA-PSS"))
|
|
480
|
+
throw U("RSA-PSS");
|
|
425
481
|
const o = parseInt(e.slice(2), 10);
|
|
426
|
-
if (
|
|
427
|
-
throw
|
|
482
|
+
if (ce(r.algorithm.hash) !== o)
|
|
483
|
+
throw U(`SHA-${o}`, "algorithm.hash");
|
|
428
484
|
break;
|
|
429
485
|
}
|
|
430
486
|
case "EdDSA": {
|
|
431
487
|
if (r.algorithm.name !== "Ed25519" && r.algorithm.name !== "Ed448")
|
|
432
|
-
throw
|
|
488
|
+
throw U("Ed25519 or Ed448");
|
|
489
|
+
break;
|
|
490
|
+
}
|
|
491
|
+
case "Ed25519": {
|
|
492
|
+
if (!Q(r.algorithm, "Ed25519"))
|
|
493
|
+
throw U("Ed25519");
|
|
433
494
|
break;
|
|
434
495
|
}
|
|
435
496
|
case "ES256":
|
|
436
497
|
case "ES384":
|
|
437
498
|
case "ES512": {
|
|
438
|
-
if (!
|
|
439
|
-
throw
|
|
440
|
-
const o =
|
|
499
|
+
if (!Q(r.algorithm, "ECDSA"))
|
|
500
|
+
throw U("ECDSA");
|
|
501
|
+
const o = Qe(e);
|
|
441
502
|
if (r.algorithm.namedCurve !== o)
|
|
442
|
-
throw
|
|
503
|
+
throw U(o, "algorithm.namedCurve");
|
|
443
504
|
break;
|
|
444
505
|
}
|
|
445
506
|
default:
|
|
446
507
|
throw new TypeError("CryptoKey does not support this operation");
|
|
447
508
|
}
|
|
448
|
-
|
|
509
|
+
Ze(r, t);
|
|
449
510
|
}
|
|
450
|
-
function
|
|
511
|
+
function Ee(r, e, ...t) {
|
|
451
512
|
var o;
|
|
452
|
-
if (t.length > 2) {
|
|
453
|
-
const
|
|
454
|
-
r += `one of type ${t.join(", ")}, or ${
|
|
513
|
+
if (t = t.filter(Boolean), t.length > 2) {
|
|
514
|
+
const s = t.pop();
|
|
515
|
+
r += `one of type ${t.join(", ")}, or ${s}.`;
|
|
455
516
|
} else t.length === 2 ? r += `one of type ${t[0]} or ${t[1]}.` : r += `of type ${t[0]}.`;
|
|
456
517
|
return e == null ? r += ` Received ${e}` : typeof e == "function" && e.name ? r += ` Received function ${e.name}` : typeof e == "object" && e != null && (o = e.constructor) != null && o.name && (r += ` Received an instance of ${e.constructor.name}`), r;
|
|
457
518
|
}
|
|
458
|
-
const
|
|
459
|
-
function
|
|
460
|
-
return
|
|
519
|
+
const pe = (r, ...e) => Ee("Key must be ", r, ...e);
|
|
520
|
+
function be(r, e, ...t) {
|
|
521
|
+
return Ee(`Key for the ${r} algorithm must be `, e, ...t);
|
|
461
522
|
}
|
|
462
|
-
const
|
|
523
|
+
const Ae = (r) => Se(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", ie = ["CryptoKey"], rr = (...r) => {
|
|
463
524
|
const e = r.filter(Boolean);
|
|
464
525
|
if (e.length === 0 || e.length === 1)
|
|
465
526
|
return !0;
|
|
466
527
|
let t;
|
|
467
528
|
for (const o of e) {
|
|
468
|
-
const
|
|
529
|
+
const s = Object.keys(o);
|
|
469
530
|
if (!t || t.size === 0) {
|
|
470
|
-
t = new Set(
|
|
531
|
+
t = new Set(s);
|
|
471
532
|
continue;
|
|
472
533
|
}
|
|
473
|
-
for (const n of
|
|
534
|
+
for (const n of s) {
|
|
474
535
|
if (t.has(n))
|
|
475
536
|
return !1;
|
|
476
537
|
t.add(n);
|
|
@@ -478,11 +539,11 @@ const _e = (r) => ve(r) ? !0 : (r == null ? void 0 : r[Symbol.toStringTag]) ===
|
|
|
478
539
|
}
|
|
479
540
|
return !0;
|
|
480
541
|
};
|
|
481
|
-
function
|
|
542
|
+
function tr(r) {
|
|
482
543
|
return typeof r == "object" && r !== null;
|
|
483
544
|
}
|
|
484
|
-
function
|
|
485
|
-
if (!
|
|
545
|
+
function G(r) {
|
|
546
|
+
if (!tr(r) || Object.prototype.toString.call(r) !== "[object Object]")
|
|
486
547
|
return !1;
|
|
487
548
|
if (Object.getPrototypeOf(r) === null)
|
|
488
549
|
return !0;
|
|
@@ -491,14 +552,26 @@ function $(r) {
|
|
|
491
552
|
e = Object.getPrototypeOf(e);
|
|
492
553
|
return Object.getPrototypeOf(r) === e;
|
|
493
554
|
}
|
|
494
|
-
const
|
|
555
|
+
const or = (r, e) => {
|
|
495
556
|
if (r.startsWith("RS") || r.startsWith("PS")) {
|
|
496
557
|
const { modulusLength: t } = e.algorithm;
|
|
497
558
|
if (typeof t != "number" || t < 2048)
|
|
498
559
|
throw new TypeError(`${r} requires key modulusLength to be 2048 bits or larger`);
|
|
499
560
|
}
|
|
500
561
|
};
|
|
501
|
-
function
|
|
562
|
+
function Y(r) {
|
|
563
|
+
return G(r) && typeof r.kty == "string";
|
|
564
|
+
}
|
|
565
|
+
function sr(r) {
|
|
566
|
+
return r.kty !== "oct" && typeof r.d == "string";
|
|
567
|
+
}
|
|
568
|
+
function ir(r) {
|
|
569
|
+
return r.kty !== "oct" && typeof r.d > "u";
|
|
570
|
+
}
|
|
571
|
+
function nr(r) {
|
|
572
|
+
return Y(r) && r.kty === "oct" && typeof r.k == "string";
|
|
573
|
+
}
|
|
574
|
+
function ar(r) {
|
|
502
575
|
let e, t;
|
|
503
576
|
switch (r.kty) {
|
|
504
577
|
case "RSA": {
|
|
@@ -523,7 +596,7 @@ function Be(r) {
|
|
|
523
596
|
}, t = r.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
|
|
524
597
|
break;
|
|
525
598
|
default:
|
|
526
|
-
throw new
|
|
599
|
+
throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
|
|
527
600
|
}
|
|
528
601
|
break;
|
|
529
602
|
}
|
|
@@ -545,12 +618,15 @@ function Be(r) {
|
|
|
545
618
|
e = { name: "ECDH", namedCurve: r.crv }, t = r.d ? ["deriveBits"] : [];
|
|
546
619
|
break;
|
|
547
620
|
default:
|
|
548
|
-
throw new
|
|
621
|
+
throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
|
|
549
622
|
}
|
|
550
623
|
break;
|
|
551
624
|
}
|
|
552
625
|
case "OKP": {
|
|
553
626
|
switch (r.alg) {
|
|
627
|
+
case "Ed25519":
|
|
628
|
+
e = { name: "Ed25519" }, t = r.d ? ["sign"] : ["verify"];
|
|
629
|
+
break;
|
|
554
630
|
case "EdDSA":
|
|
555
631
|
e = { name: r.crv }, t = r.d ? ["sign"] : ["verify"];
|
|
556
632
|
break;
|
|
@@ -561,83 +637,83 @@ function Be(r) {
|
|
|
561
637
|
e = { name: r.crv }, t = r.d ? ["deriveBits"] : [];
|
|
562
638
|
break;
|
|
563
639
|
default:
|
|
564
|
-
throw new
|
|
640
|
+
throw new I('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
|
|
565
641
|
}
|
|
566
642
|
break;
|
|
567
643
|
}
|
|
568
644
|
default:
|
|
569
|
-
throw new
|
|
645
|
+
throw new I('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
|
|
570
646
|
}
|
|
571
647
|
return { algorithm: e, keyUsages: t };
|
|
572
648
|
}
|
|
573
|
-
const
|
|
649
|
+
const Re = async (r) => {
|
|
574
650
|
if (!r.alg)
|
|
575
651
|
throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
|
|
576
|
-
const { algorithm: e, keyUsages: t } =
|
|
652
|
+
const { algorithm: e, keyUsages: t } = ar(r), o = [
|
|
577
653
|
e,
|
|
578
654
|
r.ext ?? !1,
|
|
579
655
|
r.key_ops ?? t
|
|
580
|
-
],
|
|
581
|
-
return delete
|
|
582
|
-
},
|
|
583
|
-
let
|
|
584
|
-
const
|
|
585
|
-
let
|
|
586
|
-
if (
|
|
587
|
-
return
|
|
588
|
-
const
|
|
589
|
-
return
|
|
590
|
-
},
|
|
591
|
-
if (
|
|
656
|
+
], s = { ...r };
|
|
657
|
+
return delete s.alg, delete s.use, ae.subtle.importKey("jwk", s, ...o);
|
|
658
|
+
}, Pe = (r) => z(r);
|
|
659
|
+
let F, M;
|
|
660
|
+
const Ie = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject", ne = async (r, e, t, o, s = !1) => {
|
|
661
|
+
let n = r.get(e);
|
|
662
|
+
if (n != null && n[o])
|
|
663
|
+
return n[o];
|
|
664
|
+
const i = await Re({ ...t, alg: o });
|
|
665
|
+
return s && Object.freeze(e), n ? n[o] = i : r.set(e, { [o]: i }), i;
|
|
666
|
+
}, cr = (r, e) => {
|
|
667
|
+
if (Ie(r)) {
|
|
592
668
|
let t = r.export({ format: "jwk" });
|
|
593
|
-
return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ?
|
|
669
|
+
return delete t.d, delete t.dp, delete t.dq, delete t.p, delete t.q, delete t.qi, t.k ? Pe(t.k) : (M || (M = /* @__PURE__ */ new WeakMap()), ne(M, r, t, e));
|
|
594
670
|
}
|
|
595
|
-
return r;
|
|
596
|
-
},
|
|
597
|
-
if (
|
|
671
|
+
return Y(r) ? r.k ? z(r.k) : (M || (M = /* @__PURE__ */ new WeakMap()), ne(M, r, r, e, !0)) : r;
|
|
672
|
+
}, dr = (r, e) => {
|
|
673
|
+
if (Ie(r)) {
|
|
598
674
|
let t = r.export({ format: "jwk" });
|
|
599
|
-
return t.k ?
|
|
675
|
+
return t.k ? Pe(t.k) : (F || (F = /* @__PURE__ */ new WeakMap()), ne(F, r, t, e));
|
|
600
676
|
}
|
|
601
|
-
return r;
|
|
602
|
-
},
|
|
677
|
+
return Y(r) ? r.k ? z(r.k) : (F || (F = /* @__PURE__ */ new WeakMap()), ne(F, r, r, e, !0)) : r;
|
|
678
|
+
}, lr = { normalizePublicKey: cr, normalizePrivateKey: dr }, H = (r, e, t = 0) => {
|
|
603
679
|
t === 0 && (e.unshift(e.length), e.unshift(6));
|
|
604
680
|
const o = r.indexOf(e[0], t);
|
|
605
681
|
if (o === -1)
|
|
606
682
|
return !1;
|
|
607
|
-
const
|
|
608
|
-
return
|
|
609
|
-
},
|
|
683
|
+
const s = r.subarray(o, o + e.length);
|
|
684
|
+
return s.length !== e.length ? !1 : s.every((n, i) => n === e[i]) || H(r, e, o + 1);
|
|
685
|
+
}, ye = (r) => {
|
|
610
686
|
switch (!0) {
|
|
611
|
-
case
|
|
687
|
+
case H(r, [42, 134, 72, 206, 61, 3, 1, 7]):
|
|
612
688
|
return "P-256";
|
|
613
|
-
case
|
|
689
|
+
case H(r, [43, 129, 4, 0, 34]):
|
|
614
690
|
return "P-384";
|
|
615
|
-
case
|
|
691
|
+
case H(r, [43, 129, 4, 0, 35]):
|
|
616
692
|
return "P-521";
|
|
617
|
-
case
|
|
693
|
+
case H(r, [43, 101, 110]):
|
|
618
694
|
return "X25519";
|
|
619
|
-
case
|
|
695
|
+
case H(r, [43, 101, 111]):
|
|
620
696
|
return "X448";
|
|
621
|
-
case
|
|
697
|
+
case H(r, [43, 101, 112]):
|
|
622
698
|
return "Ed25519";
|
|
623
|
-
case
|
|
699
|
+
case H(r, [43, 101, 113]):
|
|
624
700
|
return "Ed448";
|
|
625
701
|
default:
|
|
626
|
-
throw new
|
|
702
|
+
throw new I("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
|
|
627
703
|
}
|
|
628
|
-
},
|
|
629
|
-
let n,
|
|
630
|
-
const a = new Uint8Array(atob(t.replace(r, "")).split("").map((
|
|
704
|
+
}, Oe = async (r, e, t, o, s) => {
|
|
705
|
+
let n, i;
|
|
706
|
+
const a = new Uint8Array(atob(t.replace(r, "")).split("").map((h) => h.charCodeAt(0))), c = e === "spki";
|
|
631
707
|
switch (o) {
|
|
632
708
|
case "PS256":
|
|
633
709
|
case "PS384":
|
|
634
710
|
case "PS512":
|
|
635
|
-
n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` },
|
|
711
|
+
n = { name: "RSA-PSS", hash: `SHA-${o.slice(-3)}` }, i = c ? ["verify"] : ["sign"];
|
|
636
712
|
break;
|
|
637
713
|
case "RS256":
|
|
638
714
|
case "RS384":
|
|
639
715
|
case "RS512":
|
|
640
|
-
n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` },
|
|
716
|
+
n = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${o.slice(-3)}` }, i = c ? ["verify"] : ["sign"];
|
|
641
717
|
break;
|
|
642
718
|
case "RSA-OAEP":
|
|
643
719
|
case "RSA-OAEP-256":
|
|
@@ -646,100 +722,135 @@ const be = (r) => (r == null ? void 0 : r[Symbol.toStringTag]) === "KeyObject",
|
|
|
646
722
|
n = {
|
|
647
723
|
name: "RSA-OAEP",
|
|
648
724
|
hash: `SHA-${parseInt(o.slice(-3), 10) || 1}`
|
|
649
|
-
},
|
|
725
|
+
}, i = c ? ["encrypt", "wrapKey"] : ["decrypt", "unwrapKey"];
|
|
650
726
|
break;
|
|
651
727
|
case "ES256":
|
|
652
|
-
n = { name: "ECDSA", namedCurve: "P-256" },
|
|
728
|
+
n = { name: "ECDSA", namedCurve: "P-256" }, i = c ? ["verify"] : ["sign"];
|
|
653
729
|
break;
|
|
654
730
|
case "ES384":
|
|
655
|
-
n = { name: "ECDSA", namedCurve: "P-384" },
|
|
731
|
+
n = { name: "ECDSA", namedCurve: "P-384" }, i = c ? ["verify"] : ["sign"];
|
|
656
732
|
break;
|
|
657
733
|
case "ES512":
|
|
658
|
-
n = { name: "ECDSA", namedCurve: "P-521" },
|
|
734
|
+
n = { name: "ECDSA", namedCurve: "P-521" }, i = c ? ["verify"] : ["sign"];
|
|
659
735
|
break;
|
|
660
736
|
case "ECDH-ES":
|
|
661
737
|
case "ECDH-ES+A128KW":
|
|
662
738
|
case "ECDH-ES+A192KW":
|
|
663
739
|
case "ECDH-ES+A256KW": {
|
|
664
|
-
const
|
|
665
|
-
n =
|
|
740
|
+
const h = ye(a);
|
|
741
|
+
n = h.startsWith("P-") ? { name: "ECDH", namedCurve: h } : { name: h }, i = c ? [] : ["deriveBits"];
|
|
666
742
|
break;
|
|
667
743
|
}
|
|
744
|
+
case "Ed25519":
|
|
745
|
+
n = { name: "Ed25519" }, i = c ? ["verify"] : ["sign"];
|
|
746
|
+
break;
|
|
668
747
|
case "EdDSA":
|
|
669
|
-
n = { name:
|
|
748
|
+
n = { name: ye(a) }, i = c ? ["verify"] : ["sign"];
|
|
670
749
|
break;
|
|
671
750
|
default:
|
|
672
|
-
throw new
|
|
751
|
+
throw new I('Invalid or unsupported "alg" (Algorithm) value');
|
|
673
752
|
}
|
|
674
|
-
return
|
|
675
|
-
},
|
|
676
|
-
async function
|
|
753
|
+
return ae.subtle.importKey(e, a, n, !1, i);
|
|
754
|
+
}, hr = (r, e, t) => Oe(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, "pkcs8", r, e), ur = (r, e, t) => Oe(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", r, e);
|
|
755
|
+
async function fr(r, e, t) {
|
|
677
756
|
if (typeof r != "string" || r.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
|
|
678
757
|
throw new TypeError('"spki" must be SPKI formatted string');
|
|
679
|
-
return
|
|
758
|
+
return ur(r, e);
|
|
680
759
|
}
|
|
681
|
-
async function
|
|
760
|
+
async function gr(r, e, t) {
|
|
682
761
|
if (typeof r != "string" || r.indexOf("-----BEGIN PRIVATE KEY-----") !== 0)
|
|
683
762
|
throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
|
|
684
|
-
return
|
|
763
|
+
return hr(r, e);
|
|
685
764
|
}
|
|
686
|
-
async function
|
|
687
|
-
if (
|
|
765
|
+
async function le(r, e) {
|
|
766
|
+
if (!G(r))
|
|
688
767
|
throw new TypeError("JWK must be an object");
|
|
689
768
|
switch (e || (e = r.alg), r.kty) {
|
|
690
769
|
case "oct":
|
|
691
770
|
if (typeof r.k != "string" || !r.k)
|
|
692
771
|
throw new TypeError('missing "k" (Key Value) Parameter value');
|
|
693
|
-
return
|
|
772
|
+
return z(r.k);
|
|
694
773
|
case "RSA":
|
|
695
|
-
if (r.oth !== void 0)
|
|
696
|
-
throw new
|
|
774
|
+
if ("oth" in r && r.oth !== void 0)
|
|
775
|
+
throw new I('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
|
|
697
776
|
case "EC":
|
|
698
777
|
case "OKP":
|
|
699
|
-
return
|
|
778
|
+
return Re({ ...r, alg: e });
|
|
700
779
|
default:
|
|
701
|
-
throw new
|
|
780
|
+
throw new I('Unsupported "kty" (Key Type) Parameter value');
|
|
702
781
|
}
|
|
703
782
|
}
|
|
704
|
-
const
|
|
783
|
+
const $ = (r) => r == null ? void 0 : r[Symbol.toStringTag], he = (r, e, t) => {
|
|
784
|
+
var o, s;
|
|
785
|
+
if (e.use !== void 0 && e.use !== "sig")
|
|
786
|
+
throw new TypeError("Invalid key for this operation, when present its use must be sig");
|
|
787
|
+
if (e.key_ops !== void 0 && ((s = (o = e.key_ops).includes) == null ? void 0 : s.call(o, t)) !== !0)
|
|
788
|
+
throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${t}`);
|
|
789
|
+
if (e.alg !== void 0 && e.alg !== r)
|
|
790
|
+
throw new TypeError(`Invalid key for this operation, when present its alg must be ${r}`);
|
|
791
|
+
return !0;
|
|
792
|
+
}, pr = (r, e, t, o) => {
|
|
705
793
|
if (!(e instanceof Uint8Array)) {
|
|
706
|
-
if (
|
|
707
|
-
|
|
794
|
+
if (o && Y(e)) {
|
|
795
|
+
if (nr(e) && he(r, e, t))
|
|
796
|
+
return;
|
|
797
|
+
throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
|
|
798
|
+
}
|
|
799
|
+
if (!Ae(e))
|
|
800
|
+
throw new TypeError(be(r, e, ...ie, "Uint8Array", o ? "JSON Web Key" : null));
|
|
708
801
|
if (e.type !== "secret")
|
|
709
|
-
throw new TypeError(`${
|
|
802
|
+
throw new TypeError(`${$(e)} instances for symmetric algorithms must be of type "secret"`);
|
|
710
803
|
}
|
|
711
|
-
},
|
|
712
|
-
if (
|
|
713
|
-
|
|
804
|
+
}, yr = (r, e, t, o) => {
|
|
805
|
+
if (o && Y(e))
|
|
806
|
+
switch (t) {
|
|
807
|
+
case "sign":
|
|
808
|
+
if (sr(e) && he(r, e, t))
|
|
809
|
+
return;
|
|
810
|
+
throw new TypeError("JSON Web Key for this operation be a private JWK");
|
|
811
|
+
case "verify":
|
|
812
|
+
if (ir(e) && he(r, e, t))
|
|
813
|
+
return;
|
|
814
|
+
throw new TypeError("JSON Web Key for this operation be a public JWK");
|
|
815
|
+
}
|
|
816
|
+
if (!Ae(e))
|
|
817
|
+
throw new TypeError(be(r, e, ...ie, o ? "JSON Web Key" : null));
|
|
714
818
|
if (e.type === "secret")
|
|
715
|
-
throw new TypeError(`${
|
|
819
|
+
throw new TypeError(`${$(e)} instances for asymmetric algorithms must not be of type "secret"`);
|
|
820
|
+
if (t === "sign" && e.type === "public")
|
|
821
|
+
throw new TypeError(`${$(e)} instances for asymmetric algorithm signing must be of type "private"`);
|
|
822
|
+
if (t === "decrypt" && e.type === "public")
|
|
823
|
+
throw new TypeError(`${$(e)} instances for asymmetric algorithm decryption must be of type "private"`);
|
|
716
824
|
if (e.algorithm && t === "verify" && e.type === "private")
|
|
717
|
-
throw new TypeError(`${
|
|
825
|
+
throw new TypeError(`${$(e)} instances for asymmetric algorithm verifying must be of type "public"`);
|
|
718
826
|
if (e.algorithm && t === "encrypt" && e.type === "private")
|
|
719
|
-
throw new TypeError(`${
|
|
720
|
-
}, er = (r, e, t) => {
|
|
721
|
-
r.startsWith("HS") || r === "dir" || r.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(r) ? Ze(r, e) : Qe(r, e, t);
|
|
827
|
+
throw new TypeError(`${$(e)} instances for asymmetric algorithm encryption must be of type "public"`);
|
|
722
828
|
};
|
|
723
|
-
function
|
|
724
|
-
|
|
829
|
+
function Ue(r, e, t, o) {
|
|
830
|
+
e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(e) ? pr(e, t, o, r) : yr(e, t, o, r);
|
|
831
|
+
}
|
|
832
|
+
Ue.bind(void 0, !1);
|
|
833
|
+
const we = Ue.bind(void 0, !0);
|
|
834
|
+
function wr(r, e, t, o, s) {
|
|
835
|
+
if (s.crit !== void 0 && (o == null ? void 0 : o.crit) === void 0)
|
|
725
836
|
throw new r('"crit" (Critical) Header Parameter MUST be integrity protected');
|
|
726
837
|
if (!o || o.crit === void 0)
|
|
727
838
|
return /* @__PURE__ */ new Set();
|
|
728
|
-
if (!Array.isArray(o.crit) || o.crit.length === 0 || o.crit.some((
|
|
839
|
+
if (!Array.isArray(o.crit) || o.crit.length === 0 || o.crit.some((i) => typeof i != "string" || i.length === 0))
|
|
729
840
|
throw new r('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
|
|
730
841
|
let n;
|
|
731
842
|
n = e;
|
|
732
|
-
for (const
|
|
733
|
-
if (!n.has(
|
|
734
|
-
throw new
|
|
735
|
-
if (i
|
|
736
|
-
throw new r(`Extension Header Parameter "${
|
|
737
|
-
if (n.get(
|
|
738
|
-
throw new r(`Extension Header Parameter "${
|
|
843
|
+
for (const i of o.crit) {
|
|
844
|
+
if (!n.has(i))
|
|
845
|
+
throw new I(`Extension Header Parameter "${i}" is not recognized`);
|
|
846
|
+
if (s[i] === void 0)
|
|
847
|
+
throw new r(`Extension Header Parameter "${i}" is missing`);
|
|
848
|
+
if (n.get(i) && o[i] === void 0)
|
|
849
|
+
throw new r(`Extension Header Parameter "${i}" MUST be integrity protected`);
|
|
739
850
|
}
|
|
740
851
|
return new Set(o.crit);
|
|
741
852
|
}
|
|
742
|
-
function
|
|
853
|
+
function mr(r, e) {
|
|
743
854
|
const t = `SHA-${r.slice(-3)}`;
|
|
744
855
|
switch (r) {
|
|
745
856
|
case "HS256":
|
|
@@ -758,103 +869,105 @@ function tr(r, e) {
|
|
|
758
869
|
case "ES384":
|
|
759
870
|
case "ES512":
|
|
760
871
|
return { hash: t, name: "ECDSA", namedCurve: e.namedCurve };
|
|
872
|
+
case "Ed25519":
|
|
873
|
+
return { name: "Ed25519" };
|
|
761
874
|
case "EdDSA":
|
|
762
875
|
return { name: e.name };
|
|
763
876
|
default:
|
|
764
|
-
throw new
|
|
877
|
+
throw new I(`alg ${r} is not supported either by JOSE or your javascript runtime`);
|
|
765
878
|
}
|
|
766
879
|
}
|
|
767
|
-
async function
|
|
768
|
-
if (e = await
|
|
769
|
-
return
|
|
880
|
+
async function vr(r, e, t) {
|
|
881
|
+
if (e = await lr.normalizePublicKey(e, r), Se(e))
|
|
882
|
+
return er(e, r, t), e;
|
|
770
883
|
if (e instanceof Uint8Array) {
|
|
771
884
|
if (!r.startsWith("HS"))
|
|
772
|
-
throw new TypeError(
|
|
773
|
-
return
|
|
885
|
+
throw new TypeError(pe(e, ...ie));
|
|
886
|
+
return ae.subtle.importKey("raw", e, { hash: `SHA-${r.slice(-3)}`, name: "HMAC" }, !1, [t]);
|
|
774
887
|
}
|
|
775
|
-
throw new TypeError(
|
|
888
|
+
throw new TypeError(pe(e, ...ie, "Uint8Array", "JSON Web Key"));
|
|
776
889
|
}
|
|
777
|
-
const
|
|
778
|
-
const
|
|
779
|
-
|
|
780
|
-
const n =
|
|
890
|
+
const _r = async (r, e, t, o) => {
|
|
891
|
+
const s = await vr(r, e, "verify");
|
|
892
|
+
or(r, s);
|
|
893
|
+
const n = mr(r, s.algorithm);
|
|
781
894
|
try {
|
|
782
|
-
return await
|
|
895
|
+
return await ae.subtle.verify(n, s, t, o);
|
|
783
896
|
} catch {
|
|
784
897
|
return !1;
|
|
785
898
|
}
|
|
786
899
|
};
|
|
787
|
-
async function
|
|
788
|
-
if (
|
|
789
|
-
throw new
|
|
900
|
+
async function kr(r, e, t) {
|
|
901
|
+
if (!G(r))
|
|
902
|
+
throw new C("Flattened JWS must be an object");
|
|
790
903
|
if (r.protected === void 0 && r.header === void 0)
|
|
791
|
-
throw new
|
|
904
|
+
throw new C('Flattened JWS must have either of the "protected" or "header" members');
|
|
792
905
|
if (r.protected !== void 0 && typeof r.protected != "string")
|
|
793
|
-
throw new
|
|
906
|
+
throw new C("JWS Protected Header incorrect type");
|
|
794
907
|
if (r.payload === void 0)
|
|
795
|
-
throw new
|
|
908
|
+
throw new C("JWS Payload missing");
|
|
796
909
|
if (typeof r.signature != "string")
|
|
797
|
-
throw new
|
|
798
|
-
if (r.header !== void 0 &&
|
|
799
|
-
throw new
|
|
910
|
+
throw new C("JWS Signature missing or incorrect type");
|
|
911
|
+
if (r.header !== void 0 && !G(r.header))
|
|
912
|
+
throw new C("JWS Unprotected Header incorrect type");
|
|
800
913
|
let o = {};
|
|
801
914
|
if (r.protected)
|
|
802
915
|
try {
|
|
803
|
-
const
|
|
804
|
-
o = JSON.parse(
|
|
916
|
+
const X = z(r.protected);
|
|
917
|
+
o = JSON.parse(re.decode(X));
|
|
805
918
|
} catch {
|
|
806
|
-
throw new
|
|
919
|
+
throw new C("JWS Protected Header is invalid");
|
|
807
920
|
}
|
|
808
|
-
if (!
|
|
809
|
-
throw new
|
|
810
|
-
const
|
|
921
|
+
if (!rr(o, r.header))
|
|
922
|
+
throw new C("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
|
|
923
|
+
const s = {
|
|
811
924
|
...o,
|
|
812
925
|
...r.header
|
|
813
|
-
}, n =
|
|
814
|
-
let
|
|
815
|
-
if (n.has("b64") && (
|
|
816
|
-
throw new
|
|
817
|
-
const { alg: a } =
|
|
926
|
+
}, n = wr(C, /* @__PURE__ */ new Map([["b64", !0]]), void 0, o, s);
|
|
927
|
+
let i = !0;
|
|
928
|
+
if (n.has("b64") && (i = o.b64, typeof i != "boolean"))
|
|
929
|
+
throw new C('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
|
|
930
|
+
const { alg: a } = s;
|
|
818
931
|
if (typeof a != "string" || !a)
|
|
819
|
-
throw new
|
|
820
|
-
if (
|
|
932
|
+
throw new C('JWS "alg" (Algorithm) Header Parameter missing or invalid');
|
|
933
|
+
if (i) {
|
|
821
934
|
if (typeof r.payload != "string")
|
|
822
|
-
throw new
|
|
935
|
+
throw new C("JWS Payload must be a string");
|
|
823
936
|
} else if (typeof r.payload != "string" && !(r.payload instanceof Uint8Array))
|
|
824
|
-
throw new
|
|
937
|
+
throw new C("JWS Payload must be a string or an Uint8Array instance");
|
|
825
938
|
let c = !1;
|
|
826
|
-
typeof e == "function"
|
|
827
|
-
const
|
|
939
|
+
typeof e == "function" ? (e = await e(o, r), c = !0, we(a, e, "verify"), Y(e) && (e = await le(e, a))) : we(a, e, "verify");
|
|
940
|
+
const h = Je(oe.encode(r.protected ?? ""), oe.encode("."), typeof r.payload == "string" ? oe.encode(r.payload) : r.payload);
|
|
828
941
|
let y;
|
|
829
942
|
try {
|
|
830
|
-
y =
|
|
943
|
+
y = z(r.signature);
|
|
831
944
|
} catch {
|
|
832
|
-
throw new
|
|
945
|
+
throw new C("Failed to base64url decode the signature");
|
|
833
946
|
}
|
|
834
|
-
if (!await
|
|
835
|
-
throw new
|
|
836
|
-
let
|
|
837
|
-
if (
|
|
947
|
+
if (!await _r(a, e, y, h))
|
|
948
|
+
throw new Te();
|
|
949
|
+
let _;
|
|
950
|
+
if (i)
|
|
838
951
|
try {
|
|
839
|
-
|
|
952
|
+
_ = z(r.payload);
|
|
840
953
|
} catch {
|
|
841
|
-
throw new
|
|
954
|
+
throw new C("Failed to base64url decode the payload");
|
|
842
955
|
}
|
|
843
|
-
else typeof r.payload == "string" ?
|
|
844
|
-
const b = { payload:
|
|
956
|
+
else typeof r.payload == "string" ? _ = oe.encode(r.payload) : _ = r.payload;
|
|
957
|
+
const b = { payload: _ };
|
|
845
958
|
return r.protected !== void 0 && (b.protectedHeader = o), r.header !== void 0 && (b.unprotectedHeader = r.header), c ? { ...b, key: e } : b;
|
|
846
959
|
}
|
|
847
|
-
async function
|
|
848
|
-
if (r instanceof Uint8Array && (r =
|
|
849
|
-
throw new
|
|
850
|
-
const { 0: o, 1:
|
|
851
|
-
if (
|
|
852
|
-
throw new
|
|
853
|
-
const a = await
|
|
960
|
+
async function Cr(r, e, t) {
|
|
961
|
+
if (r instanceof Uint8Array && (r = re.decode(r)), typeof r != "string")
|
|
962
|
+
throw new C("Compact JWS must be a string or Uint8Array");
|
|
963
|
+
const { 0: o, 1: s, 2: n, length: i } = r.split(".");
|
|
964
|
+
if (i !== 3)
|
|
965
|
+
throw new C("Invalid Compact JWS");
|
|
966
|
+
const a = await kr({ payload: s, protected: o, signature: n }, e), c = { payload: a.payload, protectedHeader: a.protectedHeader };
|
|
854
967
|
return typeof e == "function" ? { ...c, key: a.key } : c;
|
|
855
968
|
}
|
|
856
|
-
const
|
|
857
|
-
function
|
|
969
|
+
const Ne = z;
|
|
970
|
+
function me(r) {
|
|
858
971
|
let e;
|
|
859
972
|
if (typeof r == "string") {
|
|
860
973
|
const t = r.split(".");
|
|
@@ -867,41 +980,41 @@ function ge(r) {
|
|
|
867
980
|
try {
|
|
868
981
|
if (typeof e != "string" || !e)
|
|
869
982
|
throw new Error();
|
|
870
|
-
const t = JSON.parse(
|
|
871
|
-
if (
|
|
983
|
+
const t = JSON.parse(re.decode(Ne(e)));
|
|
984
|
+
if (!G(t))
|
|
872
985
|
throw new Error();
|
|
873
986
|
return t;
|
|
874
987
|
} catch {
|
|
875
988
|
throw new TypeError("Invalid Token or Protected Header formatting");
|
|
876
989
|
}
|
|
877
990
|
}
|
|
878
|
-
function
|
|
991
|
+
function Sr(r) {
|
|
879
992
|
if (typeof r != "string")
|
|
880
|
-
throw new
|
|
993
|
+
throw new x("JWTs must use Compact JWS serialization, JWT must be a string");
|
|
881
994
|
const { 1: e, length: t } = r.split(".");
|
|
882
995
|
if (t === 5)
|
|
883
|
-
throw new
|
|
996
|
+
throw new x("Only JWTs using Compact JWS serialization can be decoded");
|
|
884
997
|
if (t !== 3)
|
|
885
|
-
throw new
|
|
998
|
+
throw new x("Invalid JWT");
|
|
886
999
|
if (!e)
|
|
887
|
-
throw new
|
|
1000
|
+
throw new x("JWTs must contain a payload");
|
|
888
1001
|
let o;
|
|
889
1002
|
try {
|
|
890
|
-
o =
|
|
1003
|
+
o = Ne(e);
|
|
891
1004
|
} catch {
|
|
892
|
-
throw new
|
|
1005
|
+
throw new x("Failed to base64url decode the payload");
|
|
893
1006
|
}
|
|
894
|
-
let
|
|
1007
|
+
let s;
|
|
895
1008
|
try {
|
|
896
|
-
|
|
1009
|
+
s = JSON.parse(re.decode(o));
|
|
897
1010
|
} catch {
|
|
898
|
-
throw new
|
|
1011
|
+
throw new x("Failed to parse the decoded payload as JSON");
|
|
899
1012
|
}
|
|
900
|
-
if (
|
|
901
|
-
throw new
|
|
902
|
-
return
|
|
1013
|
+
if (!G(s))
|
|
1014
|
+
throw new x("Invalid JWT Claims Set");
|
|
1015
|
+
return s;
|
|
903
1016
|
}
|
|
904
|
-
const
|
|
1017
|
+
const k = class v {
|
|
905
1018
|
/**
|
|
906
1019
|
* Returns a user-friendly name for the given flow strings.
|
|
907
1020
|
*
|
|
@@ -971,33 +1084,33 @@ const C = class v {
|
|
|
971
1084
|
}
|
|
972
1085
|
}
|
|
973
1086
|
};
|
|
974
|
-
u(
|
|
975
|
-
u(
|
|
976
|
-
u(
|
|
977
|
-
u(
|
|
978
|
-
u(
|
|
979
|
-
u(
|
|
980
|
-
u(
|
|
981
|
-
u(
|
|
1087
|
+
u(k, "All", "all"), /** OAuth authorization code flow (without PKCE) */
|
|
1088
|
+
u(k, "AuthorizationCode", "authorizationCode"), /** OAuth authorization code flow with PKCE */
|
|
1089
|
+
u(k, "AuthorizationCodeWithPKCE", "authorizationCodeWithPKCE"), /** Auth client credentials flow */
|
|
1090
|
+
u(k, "ClientCredentials", "clientCredentials"), /** OAuth refresh token flow */
|
|
1091
|
+
u(k, "RefreshToken", "refreshToken"), /** OAuth device code flow */
|
|
1092
|
+
u(k, "DeviceCode", "deviceCode"), /** OAuth password flow */
|
|
1093
|
+
u(k, "Password", "password"), /** The Auth0 password MFA extension to the password flow */
|
|
1094
|
+
u(k, "PasswordMfa", "passwordMfa"), /** The OpenID Connect authorization code flow, with or without
|
|
982
1095
|
* PKCE.
|
|
983
1096
|
*/
|
|
984
|
-
u(
|
|
1097
|
+
u(k, "OidcAuthorizationCode", "oidcAuthorizationCode"), /** A user friendly name for the given flow ID
|
|
985
1098
|
*
|
|
986
1099
|
* For example, if you pass "authorizationCode"
|
|
987
1100
|
* (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
|
|
988
1101
|
*/
|
|
989
|
-
u(
|
|
990
|
-
[
|
|
991
|
-
[
|
|
992
|
-
[
|
|
993
|
-
[
|
|
994
|
-
[
|
|
995
|
-
[
|
|
996
|
-
[
|
|
997
|
-
[
|
|
1102
|
+
u(k, "flowName", {
|
|
1103
|
+
[k.AuthorizationCode]: "Authorization Code",
|
|
1104
|
+
[k.AuthorizationCodeWithPKCE]: "Authorization Code with PKCE",
|
|
1105
|
+
[k.ClientCredentials]: "Client Credentials",
|
|
1106
|
+
[k.RefreshToken]: "Refresh Token",
|
|
1107
|
+
[k.DeviceCode]: "Device Code",
|
|
1108
|
+
[k.Password]: "Password",
|
|
1109
|
+
[k.PasswordMfa]: "Password MFA",
|
|
1110
|
+
[k.OidcAuthorizationCode]: "OIDC Authorization Code"
|
|
998
1111
|
});
|
|
999
|
-
var
|
|
1000
|
-
class
|
|
1112
|
+
var S, A;
|
|
1113
|
+
class Tr {
|
|
1001
1114
|
/**
|
|
1002
1115
|
* Constructor.
|
|
1003
1116
|
*
|
|
@@ -1029,22 +1142,22 @@ class cr {
|
|
|
1029
1142
|
authServerBaseUrl: e,
|
|
1030
1143
|
client_id: t,
|
|
1031
1144
|
client_secret: o,
|
|
1032
|
-
redirect_uri:
|
|
1145
|
+
redirect_uri: s,
|
|
1033
1146
|
codeChallengeMethod: n,
|
|
1034
|
-
stateLength:
|
|
1147
|
+
stateLength: i,
|
|
1035
1148
|
verifierLength: a,
|
|
1036
1149
|
tokenConsumer: c,
|
|
1037
|
-
authServerCredentials:
|
|
1150
|
+
authServerCredentials: h,
|
|
1038
1151
|
authServerMode: y,
|
|
1039
|
-
authServerHeaders:
|
|
1152
|
+
authServerHeaders: _
|
|
1040
1153
|
}) {
|
|
1041
|
-
u(this, "authServerBaseUrl", ""),
|
|
1154
|
+
u(this, "authServerBaseUrl", ""), ge(this, S), ge(this, A), u(this, "codeChallengeMethod", "S256"), u(this, "verifierLength", 32), u(this, "redirect_uri"), u(this, "stateLength", 32), u(this, "authzCode", ""), u(this, "oidcConfig"), u(this, "tokenConsumer"), u(this, "authServerHeaders", {}), u(this, "authServerMode"), u(this, "authServerCredentials"), u(this, "oauthPostType", "json"), u(this, "oauthLogFetch", !1), u(this, "oauthUseUserInfoEndpoint", !1), u(this, "oauthAuthorizeRedirect"), this.tokenConsumer = c, this.authServerBaseUrl = e, a && (this.verifierLength = a), i && (this.stateLength = i), t && te(this, S, t), o && te(this, A, o), s && (this.redirect_uri = s), n && (this.codeChallengeMethod = n), this.authServerBaseUrl = e, h && (this.authServerCredentials = h), y && (this.authServerMode = y), _ && (this.authServerHeaders = _);
|
|
1042
1155
|
}
|
|
1043
1156
|
set client_id(e) {
|
|
1044
|
-
|
|
1157
|
+
te(this, S, e);
|
|
1045
1158
|
}
|
|
1046
1159
|
set client_secret(e) {
|
|
1047
|
-
|
|
1160
|
+
te(this, A, e);
|
|
1048
1161
|
}
|
|
1049
1162
|
/**
|
|
1050
1163
|
* Loads OpenID Connect configuration so that the client can determine
|
|
@@ -1054,12 +1167,12 @@ class cr {
|
|
|
1054
1167
|
* Otherwise, performs a fetch by appending
|
|
1055
1168
|
* `/.well-known/openid-configuration` to the
|
|
1056
1169
|
* `authServerBaseUrl`.
|
|
1057
|
-
* @throws {@link CrossauthError} with the following {@link ErrorCode}s
|
|
1170
|
+
* @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
|
|
1058
1171
|
* - `Connection` if data from the URL could not be fetched or parsed.
|
|
1059
1172
|
*/
|
|
1060
1173
|
async loadConfig(e) {
|
|
1061
1174
|
if (e) {
|
|
1062
|
-
d.logger.debug(
|
|
1175
|
+
d.logger.debug(l({ msg: "Reading OIDC config locally" })), this.oidcConfig = e;
|
|
1063
1176
|
return;
|
|
1064
1177
|
}
|
|
1065
1178
|
let t;
|
|
@@ -1067,22 +1180,22 @@ class cr {
|
|
|
1067
1180
|
const o = new URL(
|
|
1068
1181
|
this.authServerBaseUrl + "/.well-known/openid-configuration"
|
|
1069
1182
|
);
|
|
1070
|
-
d.logger.debug(
|
|
1071
|
-
let
|
|
1072
|
-
this.authServerMode && (
|
|
1183
|
+
d.logger.debug(l({ msg: `Fetching OIDC config from ${o}` }));
|
|
1184
|
+
let s = { headers: this.authServerHeaders };
|
|
1185
|
+
this.authServerMode && (s.mode = this.authServerMode), this.authServerCredentials && (s.credentials = this.authServerCredentials), t = await fetch(o, s);
|
|
1073
1186
|
} catch (o) {
|
|
1074
|
-
d.logger.error(
|
|
1187
|
+
d.logger.error(l({ err: o }));
|
|
1075
1188
|
}
|
|
1076
1189
|
if (!t || !t.ok)
|
|
1077
1190
|
throw new g(
|
|
1078
1191
|
m.Connection,
|
|
1079
1192
|
"Couldn't get OIDC configuration from URL" + this.authServerBaseUrl + "/.well-known/openid-configuration"
|
|
1080
1193
|
);
|
|
1081
|
-
this.oidcConfig = { ...
|
|
1194
|
+
this.oidcConfig = { ...Ce };
|
|
1082
1195
|
try {
|
|
1083
1196
|
const o = await t.json();
|
|
1084
|
-
for (const [
|
|
1085
|
-
this.oidcConfig[
|
|
1197
|
+
for (const [s, n] of Object.entries(o))
|
|
1198
|
+
this.oidcConfig[s] = n;
|
|
1086
1199
|
} catch {
|
|
1087
1200
|
throw new g(
|
|
1088
1201
|
m.Connection,
|
|
@@ -1112,9 +1225,9 @@ class cr {
|
|
|
1112
1225
|
* - `error_description` friendly error message or undefined
|
|
1113
1226
|
* if no error
|
|
1114
1227
|
*/
|
|
1115
|
-
async startAuthorizationCodeFlow(e, t, o,
|
|
1116
|
-
var n,
|
|
1117
|
-
if (d.logger.debug(
|
|
1228
|
+
async startAuthorizationCodeFlow(e, t, o, s = !1) {
|
|
1229
|
+
var n, i, a;
|
|
1230
|
+
if (d.logger.debug(l({ msg: "Starting authorization code flow" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.response_types_supported.includes("code")) || !((i = this.oidcConfig) != null && i.response_modes_supported.includes("query")))
|
|
1118
1231
|
return {
|
|
1119
1232
|
error: "invalid_request",
|
|
1120
1233
|
error_description: "Server does not support authorization code flow"
|
|
@@ -1124,7 +1237,7 @@ class cr {
|
|
|
1124
1237
|
error: "server_error",
|
|
1125
1238
|
error_description: "Cannot get authorize endpoint"
|
|
1126
1239
|
};
|
|
1127
|
-
if (!w(this,
|
|
1240
|
+
if (!w(this, S)) return {
|
|
1128
1241
|
error: "invalid_request",
|
|
1129
1242
|
error_description: "Cannot make authorization code flow without client id"
|
|
1130
1243
|
};
|
|
@@ -1134,39 +1247,39 @@ class cr {
|
|
|
1134
1247
|
};
|
|
1135
1248
|
let c = this.oidcConfig.authorization_endpoint;
|
|
1136
1249
|
this.oauthAuthorizeRedirect && (c = this.oauthAuthorizeRedirect);
|
|
1137
|
-
let
|
|
1138
|
-
return t && (
|
|
1250
|
+
let h = c + "?response_type=code&client_id=" + encodeURIComponent(w(this, S)) + "&state=" + encodeURIComponent(e) + "&redirect_uri=" + encodeURIComponent(this.redirect_uri);
|
|
1251
|
+
return t && (h += "&scope=" + encodeURIComponent(t)), s && o && (h += "&code_challenge=" + o), { url: h };
|
|
1139
1252
|
}
|
|
1140
1253
|
async codeChallengeAndVerifier() {
|
|
1141
1254
|
const e = this.randomValue(this.verifierLength);
|
|
1142
1255
|
return { codeChallenge: this.codeChallengeMethod == "plain" ? e : await this.sha256(e), codeVerifier: e };
|
|
1143
1256
|
}
|
|
1144
1257
|
async getIdPayload(e, t) {
|
|
1145
|
-
let o,
|
|
1258
|
+
let o, s;
|
|
1146
1259
|
try {
|
|
1147
1260
|
let n;
|
|
1148
1261
|
if (n = await this.validateIdToken(e), !n)
|
|
1149
|
-
return o = "access_denied",
|
|
1262
|
+
return o = "access_denied", s = "Invalid ID token received", { error: o, error_description: s };
|
|
1150
1263
|
if (t && this.oauthUseUserInfoEndpoint) {
|
|
1151
|
-
const
|
|
1152
|
-
if (
|
|
1153
|
-
return o =
|
|
1154
|
-
n = { ...n, ...
|
|
1264
|
+
const i = await this.userInfoEndpoint(t);
|
|
1265
|
+
if (i.error)
|
|
1266
|
+
return o = i.error, s = "Failed getting user info: " + (i.error_description ?? "unknown error"), { error: o, error_description: s };
|
|
1267
|
+
n = { ...n, ...i };
|
|
1155
1268
|
}
|
|
1156
1269
|
return { payload: n };
|
|
1157
1270
|
} catch (n) {
|
|
1158
|
-
const
|
|
1159
|
-
return d.logger.debug(
|
|
1271
|
+
const i = g.asCrossauthError(n);
|
|
1272
|
+
return d.logger.debug(l({ err: i })), d.logger.error(l({ msg: "Couldn't get user info", cerr: i })), o = i.oauthErrorCode, s = "Couldn't get user info: " + i.message, { error: o, error_description: s };
|
|
1160
1273
|
}
|
|
1161
1274
|
}
|
|
1162
1275
|
async getAccessPayload(e, t) {
|
|
1163
|
-
let o,
|
|
1276
|
+
let o, s;
|
|
1164
1277
|
try {
|
|
1165
1278
|
let n;
|
|
1166
|
-
return n = await this.validateAccessToken(e, t), n ? { payload: n } : (o = "access_denied",
|
|
1279
|
+
return n = await this.validateAccessToken(e, t), n ? { payload: n } : (o = "access_denied", s = "Invalid access token received", { error: o, error_description: s });
|
|
1167
1280
|
} catch (n) {
|
|
1168
|
-
const
|
|
1169
|
-
return d.logger.debug(
|
|
1281
|
+
const i = g.asCrossauthError(n);
|
|
1282
|
+
return d.logger.debug(l({ err: i })), d.logger.error(l({ msg: "Couldn't get user info", cerr: i })), o = i.oauthErrorCode, s = "Couldn't get user info: " + i.message, { error: o, error_description: s };
|
|
1170
1283
|
}
|
|
1171
1284
|
}
|
|
1172
1285
|
/**
|
|
@@ -1189,11 +1302,11 @@ class cr {
|
|
|
1189
1302
|
* @returns The {@link OAuthTokenResponse} from the `token` endpoint
|
|
1190
1303
|
* request, or `error` and `error_description`.
|
|
1191
1304
|
*/
|
|
1192
|
-
async redirectEndpoint(e, t, o,
|
|
1193
|
-
var
|
|
1194
|
-
if (this.oidcConfig || await this.loadConfig(),
|
|
1195
|
-
return
|
|
1196
|
-
if (this.authzCode = e, !((
|
|
1305
|
+
async redirectEndpoint(e, t, o, s, n) {
|
|
1306
|
+
var i, a;
|
|
1307
|
+
if (this.oidcConfig || await this.loadConfig(), s || !e)
|
|
1308
|
+
return s || (s = "server_error"), n || (n = "Unknown error"), { error: s, error_description: n };
|
|
1309
|
+
if (this.authzCode = e, !((i = this.oidcConfig) != null && i.grant_types_supported.includes("authorization_code")))
|
|
1197
1310
|
return {
|
|
1198
1311
|
error: "invalid_request",
|
|
1199
1312
|
error_description: "Server does not support authorization code grant"
|
|
@@ -1204,26 +1317,26 @@ class cr {
|
|
|
1204
1317
|
error_description: "Cannot get token endpoint"
|
|
1205
1318
|
};
|
|
1206
1319
|
const c = this.oidcConfig.token_endpoint;
|
|
1207
|
-
let
|
|
1208
|
-
|
|
1209
|
-
let
|
|
1210
|
-
grant_type:
|
|
1211
|
-
client_id: w(this,
|
|
1320
|
+
let h, y;
|
|
1321
|
+
h = "authorization_code", y = w(this, A);
|
|
1322
|
+
let _ = {
|
|
1323
|
+
grant_type: h,
|
|
1324
|
+
client_id: w(this, S),
|
|
1212
1325
|
code: this.authzCode,
|
|
1213
1326
|
redirect_uri: this.redirect_uri
|
|
1214
1327
|
};
|
|
1215
|
-
t && (
|
|
1328
|
+
t && (_.scope = t), y && (_.client_secret = y), o && (_.code_verifier = o);
|
|
1216
1329
|
try {
|
|
1217
|
-
let b = await this.post(c,
|
|
1330
|
+
let b = await this.post(c, _, this.authServerHeaders);
|
|
1218
1331
|
if (b.id_token) {
|
|
1219
|
-
const
|
|
1220
|
-
if (
|
|
1221
|
-
return
|
|
1222
|
-
b.id_payload =
|
|
1332
|
+
const X = await this.getIdPayload(b.id_token, b.access_token);
|
|
1333
|
+
if (X.error)
|
|
1334
|
+
return X;
|
|
1335
|
+
b.id_payload = X.payload;
|
|
1223
1336
|
}
|
|
1224
1337
|
return b;
|
|
1225
1338
|
} catch (b) {
|
|
1226
|
-
return d.logger.error(
|
|
1339
|
+
return d.logger.error(l({ err: b })), {
|
|
1227
1340
|
error: "server_error",
|
|
1228
1341
|
error_description: "Unable to get access token from server"
|
|
1229
1342
|
};
|
|
@@ -1245,35 +1358,35 @@ class cr {
|
|
|
1245
1358
|
*/
|
|
1246
1359
|
async clientCredentialsFlow(e) {
|
|
1247
1360
|
var t, o;
|
|
1248
|
-
if (d.logger.debug(
|
|
1361
|
+
if (d.logger.debug(l({ msg: "Starting client credentials flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("client_credentials")))
|
|
1249
1362
|
return {
|
|
1250
1363
|
error: "invalid_request",
|
|
1251
1364
|
error_description: "Server does not support client credentials grant"
|
|
1252
1365
|
};
|
|
1253
1366
|
if (!((o = this.oidcConfig) != null && o.token_endpoint))
|
|
1254
1367
|
return { error: "server_error", error_description: "Cannot get token endpoint" };
|
|
1255
|
-
if (!w(this,
|
|
1368
|
+
if (!w(this, S)) return {
|
|
1256
1369
|
error: "invalid_request",
|
|
1257
1370
|
error_description: "Cannot make client credentials flow without client id"
|
|
1258
1371
|
};
|
|
1259
|
-
const
|
|
1372
|
+
const s = this.oidcConfig.token_endpoint;
|
|
1260
1373
|
let n = {
|
|
1261
1374
|
grant_type: "client_credentials",
|
|
1262
|
-
client_id: w(this,
|
|
1375
|
+
client_id: w(this, S),
|
|
1263
1376
|
client_secret: w(this, A)
|
|
1264
1377
|
};
|
|
1265
1378
|
e && (n.scope = e);
|
|
1266
1379
|
try {
|
|
1267
|
-
let
|
|
1268
|
-
if (
|
|
1269
|
-
const a = await this.getIdPayload(
|
|
1380
|
+
let i = await this.post(s, n, this.authServerHeaders);
|
|
1381
|
+
if (i.id_token) {
|
|
1382
|
+
const a = await this.getIdPayload(i.id_token, i.access_token);
|
|
1270
1383
|
if (a.error)
|
|
1271
1384
|
return a;
|
|
1272
|
-
|
|
1385
|
+
i.id_payload = a.payload;
|
|
1273
1386
|
}
|
|
1274
|
-
return
|
|
1275
|
-
} catch (
|
|
1276
|
-
return d.logger.error(
|
|
1387
|
+
return i;
|
|
1388
|
+
} catch (i) {
|
|
1389
|
+
return d.logger.error(l({ err: i })), {
|
|
1277
1390
|
error: "server_error",
|
|
1278
1391
|
error_description: "Error connecting to authorization server"
|
|
1279
1392
|
};
|
|
@@ -1295,8 +1408,8 @@ class cr {
|
|
|
1295
1408
|
*
|
|
1296
1409
|
*/
|
|
1297
1410
|
async passwordFlow(e, t, o) {
|
|
1298
|
-
var
|
|
1299
|
-
if (d.logger.debug(
|
|
1411
|
+
var s, n;
|
|
1412
|
+
if (d.logger.debug(l({ msg: "Starting password flow" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("password")))
|
|
1300
1413
|
return {
|
|
1301
1414
|
error: "invalid_request",
|
|
1302
1415
|
error_description: "Server does not support password grant"
|
|
@@ -1306,26 +1419,26 @@ class cr {
|
|
|
1306
1419
|
error: "server_error",
|
|
1307
1420
|
error_description: "Cannot get token endpoint"
|
|
1308
1421
|
};
|
|
1309
|
-
const
|
|
1422
|
+
const i = this.oidcConfig.token_endpoint;
|
|
1310
1423
|
let a = {
|
|
1311
1424
|
grant_type: "password",
|
|
1312
|
-
client_id: w(this,
|
|
1425
|
+
client_id: w(this, S),
|
|
1313
1426
|
client_secret: w(this, A),
|
|
1314
1427
|
username: e,
|
|
1315
1428
|
password: t
|
|
1316
1429
|
};
|
|
1317
1430
|
o && (a.scope = o);
|
|
1318
1431
|
try {
|
|
1319
|
-
let c = await this.post(
|
|
1432
|
+
let c = await this.post(i, a, this.authServerHeaders);
|
|
1320
1433
|
if (c.id_token) {
|
|
1321
|
-
const
|
|
1322
|
-
if (
|
|
1323
|
-
return
|
|
1324
|
-
c.id_payload =
|
|
1434
|
+
const h = await this.getIdPayload(c.id_token, c.access_token);
|
|
1435
|
+
if (h.error)
|
|
1436
|
+
return h;
|
|
1437
|
+
c.id_payload = h.payload;
|
|
1325
1438
|
}
|
|
1326
1439
|
return c;
|
|
1327
1440
|
} catch (c) {
|
|
1328
|
-
return d.logger.error(
|
|
1441
|
+
return d.logger.error(l({ err: c })), {
|
|
1329
1442
|
error: "server_error",
|
|
1330
1443
|
error_description: "Error connecting to authorization server"
|
|
1331
1444
|
};
|
|
@@ -1345,34 +1458,34 @@ class cr {
|
|
|
1345
1458
|
* documentation
|
|
1346
1459
|
*/
|
|
1347
1460
|
async mfaAuthenticators(e) {
|
|
1348
|
-
var t, o,
|
|
1349
|
-
if (d.logger.debug(
|
|
1461
|
+
var t, o, s;
|
|
1462
|
+
if (d.logger.debug(l({ msg: "Getting valid MFA authenticators" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")) && (o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob"))
|
|
1350
1463
|
return {
|
|
1351
1464
|
error: "invalid_request",
|
|
1352
1465
|
error_description: "Server does not support password_mfa grant"
|
|
1353
1466
|
};
|
|
1354
|
-
if (!((
|
|
1467
|
+
if (!((s = this.oidcConfig) != null && s.issuer))
|
|
1355
1468
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1356
|
-
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators",
|
|
1357
|
-
if (!Array.isArray(
|
|
1469
|
+
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/authenticators", i = await this.get(n, { authorization: "Bearer " + e, ...this.authServerHeaders });
|
|
1470
|
+
if (!Array.isArray(i))
|
|
1358
1471
|
return {
|
|
1359
1472
|
error: "server_error",
|
|
1360
1473
|
error_description: "Expected array of authenticators in mfa/authenticators response"
|
|
1361
1474
|
};
|
|
1362
1475
|
let a = [];
|
|
1363
|
-
for (let c = 0; c <
|
|
1364
|
-
const
|
|
1365
|
-
if (!
|
|
1476
|
+
for (let c = 0; c < i.length; ++c) {
|
|
1477
|
+
const h = i[c];
|
|
1478
|
+
if (!h.id || !h.authenticator_type || !h.active)
|
|
1366
1479
|
return {
|
|
1367
1480
|
error: "server_error",
|
|
1368
1481
|
error_description: "Invalid mfa/authenticators response"
|
|
1369
1482
|
};
|
|
1370
1483
|
a.push({
|
|
1371
|
-
id:
|
|
1372
|
-
authenticator_type:
|
|
1373
|
-
active:
|
|
1374
|
-
name:
|
|
1375
|
-
oob_channel:
|
|
1484
|
+
id: h.id,
|
|
1485
|
+
authenticator_type: h.authenticator_type,
|
|
1486
|
+
active: h.active,
|
|
1487
|
+
name: h.name,
|
|
1488
|
+
oob_channel: h.oob_channel
|
|
1376
1489
|
});
|
|
1377
1490
|
}
|
|
1378
1491
|
return { authenticators: a };
|
|
@@ -1390,25 +1503,25 @@ class cr {
|
|
|
1390
1503
|
* from the `mfaAuthenticators` request.
|
|
1391
1504
|
*/
|
|
1392
1505
|
async mfaOtpRequest(e, t) {
|
|
1393
|
-
var o,
|
|
1394
|
-
if (d.logger.debug(
|
|
1506
|
+
var o, s;
|
|
1507
|
+
if (d.logger.debug(l({ msg: "Making MFA OTB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1395
1508
|
return {
|
|
1396
1509
|
error: "invalid_request",
|
|
1397
1510
|
error_description: "Server does not support password_mfa grant"
|
|
1398
1511
|
};
|
|
1399
|
-
if (!((
|
|
1512
|
+
if (!((s = this.oidcConfig) != null && s.issuer))
|
|
1400
1513
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1401
|
-
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge",
|
|
1402
|
-
client_id: w(this,
|
|
1514
|
+
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
|
|
1515
|
+
client_id: w(this, S),
|
|
1403
1516
|
client_secret: w(this, A),
|
|
1404
1517
|
challenge_type: "otp",
|
|
1405
1518
|
mfa_token: e,
|
|
1406
1519
|
authenticator_id: t
|
|
1407
1520
|
}, this.authServerHeaders);
|
|
1408
|
-
return
|
|
1409
|
-
error:
|
|
1410
|
-
error_description:
|
|
1411
|
-
} :
|
|
1521
|
+
return i.challenge_type != "otp" ? {
|
|
1522
|
+
error: i.error ?? "server_error",
|
|
1523
|
+
error_description: i.error_description ?? "Invalid OTP challenge response"
|
|
1524
|
+
} : i;
|
|
1412
1525
|
}
|
|
1413
1526
|
/**
|
|
1414
1527
|
* Completes the Password MFA OTP flow.
|
|
@@ -1428,17 +1541,17 @@ class cr {
|
|
|
1428
1541
|
* - `error_description` friendly error message
|
|
1429
1542
|
*/
|
|
1430
1543
|
async mfaOtpComplete(e, t, o) {
|
|
1431
|
-
var
|
|
1432
|
-
if (d.logger.debug(
|
|
1544
|
+
var s, n;
|
|
1545
|
+
if (d.logger.debug(l({ msg: "Completing MFA OTP request" })), this.oidcConfig || await this.loadConfig(), !((s = this.oidcConfig) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1433
1546
|
return {
|
|
1434
1547
|
error: "invalid_request",
|
|
1435
1548
|
error_description: "Server does not support password_mfa grant"
|
|
1436
1549
|
};
|
|
1437
1550
|
if (!((n = this.oidcConfig) != null && n.issuer))
|
|
1438
1551
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1439
|
-
const
|
|
1552
|
+
const i = this.oidcConfig.token_endpoint, a = await this.post(i, {
|
|
1440
1553
|
grant_type: "http://auth0.com/oauth/grant-type/mfa-otp",
|
|
1441
|
-
client_id: w(this,
|
|
1554
|
+
client_id: w(this, S),
|
|
1442
1555
|
client_secret: w(this, A),
|
|
1443
1556
|
challenge_type: "otp",
|
|
1444
1557
|
mfa_token: e,
|
|
@@ -1481,27 +1594,27 @@ class cr {
|
|
|
1481
1594
|
* - `error_description` friendly error message
|
|
1482
1595
|
*/
|
|
1483
1596
|
async mfaOobRequest(e, t) {
|
|
1484
|
-
var o,
|
|
1485
|
-
if (d.logger.debug(
|
|
1597
|
+
var o, s;
|
|
1598
|
+
if (d.logger.debug(l({ msg: "Making MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-otp")))
|
|
1486
1599
|
return {
|
|
1487
1600
|
error: "invalid_request",
|
|
1488
1601
|
error_description: "Server does not support password_mfa grant"
|
|
1489
1602
|
};
|
|
1490
|
-
if (!((
|
|
1603
|
+
if (!((s = this.oidcConfig) != null && s.issuer))
|
|
1491
1604
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1492
|
-
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge",
|
|
1493
|
-
client_id: w(this,
|
|
1605
|
+
const n = this.oidcConfig.issuer + (this.oidcConfig.issuer.endsWith("/") ? "" : "/") + "mfa/challenge", i = await this.post(n, {
|
|
1606
|
+
client_id: w(this, S),
|
|
1494
1607
|
client_secret: w(this, A),
|
|
1495
1608
|
challenge_type: "oob",
|
|
1496
1609
|
mfa_token: e,
|
|
1497
1610
|
authenticator_id: t
|
|
1498
1611
|
}, this.authServerHeaders);
|
|
1499
|
-
return
|
|
1500
|
-
challenge_type:
|
|
1501
|
-
oob_code:
|
|
1502
|
-
binding_method:
|
|
1503
|
-
error:
|
|
1504
|
-
error_description:
|
|
1612
|
+
return i.challenge_type != "oob" || !i.oob_code || !i.binding_method ? { error: i.error ?? "server_error", error_description: i.error_description ?? "Invalid OOB challenge response" } : {
|
|
1613
|
+
challenge_type: i.challenge_type,
|
|
1614
|
+
oob_code: i.oob_code,
|
|
1615
|
+
binding_method: i.binding_method,
|
|
1616
|
+
error: i.error,
|
|
1617
|
+
error_description: i.error_description
|
|
1505
1618
|
};
|
|
1506
1619
|
}
|
|
1507
1620
|
/**
|
|
@@ -1515,24 +1628,24 @@ class cr {
|
|
|
1515
1628
|
* @returns an {@link OAuthTokenResponse} object, which may contain
|
|
1516
1629
|
* an error instead of the response fields.
|
|
1517
1630
|
*/
|
|
1518
|
-
async mfaOobComplete(e, t, o,
|
|
1519
|
-
var n,
|
|
1520
|
-
if (d.logger.debug(
|
|
1631
|
+
async mfaOobComplete(e, t, o, s) {
|
|
1632
|
+
var n, i;
|
|
1633
|
+
if (d.logger.debug(l({ msg: "Completing MFA OOB request" })), this.oidcConfig || await this.loadConfig(), !((n = this.oidcConfig) != null && n.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
|
|
1521
1634
|
return {
|
|
1522
1635
|
error: "invalid_request",
|
|
1523
1636
|
error_description: "Server does not support password_mfa grant"
|
|
1524
1637
|
};
|
|
1525
|
-
if (!((
|
|
1638
|
+
if (!((i = this.oidcConfig) != null && i.issuer))
|
|
1526
1639
|
return { error: "server_error", error_description: "Cannot get issuer" };
|
|
1527
1640
|
const a = this.oidcConfig.token_endpoint, c = await this.post(a, {
|
|
1528
1641
|
grant_type: "http://auth0.com/oauth/grant-type/mfa-oob",
|
|
1529
|
-
client_id: w(this,
|
|
1642
|
+
client_id: w(this, S),
|
|
1530
1643
|
client_secret: w(this, A),
|
|
1531
1644
|
challenge_type: "otp",
|
|
1532
1645
|
mfa_token: e,
|
|
1533
1646
|
oob_code: t,
|
|
1534
1647
|
binding_code: o,
|
|
1535
|
-
scope:
|
|
1648
|
+
scope: s
|
|
1536
1649
|
}, this.authServerHeaders);
|
|
1537
1650
|
if (c.error)
|
|
1538
1651
|
return {
|
|
@@ -1540,10 +1653,10 @@ class cr {
|
|
|
1540
1653
|
error_description: c.error_description
|
|
1541
1654
|
};
|
|
1542
1655
|
if (c.id_token) {
|
|
1543
|
-
const
|
|
1544
|
-
if (
|
|
1545
|
-
return
|
|
1546
|
-
c.id_payload =
|
|
1656
|
+
const h = await this.getIdPayload(c.id_token, c.access_token);
|
|
1657
|
+
if (h.error)
|
|
1658
|
+
return h;
|
|
1659
|
+
c.id_payload = h.payload;
|
|
1547
1660
|
}
|
|
1548
1661
|
return {
|
|
1549
1662
|
id_token: c.id_token,
|
|
@@ -1558,7 +1671,7 @@ class cr {
|
|
|
1558
1671
|
// Refresh Token Flow
|
|
1559
1672
|
async refreshTokenFlow(e) {
|
|
1560
1673
|
var t, o;
|
|
1561
|
-
if (d.logger.debug(
|
|
1674
|
+
if (d.logger.debug(l({ msg: "Starting refresh token flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("refresh_token")))
|
|
1562
1675
|
return {
|
|
1563
1676
|
error: "invalid_request",
|
|
1564
1677
|
error_description: "Server does not support refresh_token grant"
|
|
@@ -1568,17 +1681,17 @@ class cr {
|
|
|
1568
1681
|
error: "server_error",
|
|
1569
1682
|
error_description: "Cannot get token endpoint"
|
|
1570
1683
|
};
|
|
1571
|
-
const
|
|
1684
|
+
const s = this.oidcConfig.token_endpoint;
|
|
1572
1685
|
let n;
|
|
1573
1686
|
n = w(this, A);
|
|
1574
|
-
let
|
|
1687
|
+
let i = {
|
|
1575
1688
|
grant_type: "refresh_token",
|
|
1576
1689
|
refresh_token: e,
|
|
1577
|
-
client_id: w(this,
|
|
1690
|
+
client_id: w(this, S)
|
|
1578
1691
|
};
|
|
1579
|
-
n && (
|
|
1692
|
+
n && (i.client_secret = n);
|
|
1580
1693
|
try {
|
|
1581
|
-
let a = await this.post(
|
|
1694
|
+
let a = await this.post(s, i, this.authServerHeaders);
|
|
1582
1695
|
if (a.id_token) {
|
|
1583
1696
|
const c = await this.getIdPayload(a.id_token, a.access_token);
|
|
1584
1697
|
if (c.error)
|
|
@@ -1587,7 +1700,7 @@ class cr {
|
|
|
1587
1700
|
}
|
|
1588
1701
|
return a;
|
|
1589
1702
|
} catch (a) {
|
|
1590
|
-
return d.logger.error(
|
|
1703
|
+
return d.logger.error(l({ err: a })), {
|
|
1591
1704
|
error: "server_error",
|
|
1592
1705
|
error_description: "Error connecting to authorization server"
|
|
1593
1706
|
};
|
|
@@ -1603,22 +1716,22 @@ class cr {
|
|
|
1603
1716
|
*/
|
|
1604
1717
|
async startDeviceCodeFlow(e, t) {
|
|
1605
1718
|
var o;
|
|
1606
|
-
if (d.logger.debug(
|
|
1719
|
+
if (d.logger.debug(l({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((o = this.oidcConfig) != null && o.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
|
|
1607
1720
|
return {
|
|
1608
1721
|
error: "invalid_request",
|
|
1609
1722
|
error_description: "Server does not support device code grant"
|
|
1610
1723
|
};
|
|
1611
|
-
let
|
|
1724
|
+
let s = {
|
|
1612
1725
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
1613
|
-
client_id: w(this,
|
|
1726
|
+
client_id: w(this, S),
|
|
1614
1727
|
client_secret: w(this, A)
|
|
1615
1728
|
};
|
|
1616
|
-
t && (
|
|
1729
|
+
t && (s.scope = t);
|
|
1617
1730
|
try {
|
|
1618
|
-
let n = await this.post(e,
|
|
1731
|
+
let n = await this.post(e, s, this.authServerHeaders);
|
|
1619
1732
|
return n.id_token && !await this.validateIdToken(n.id_token) ? { error: "access_denied", error_description: "Invalid ID token" } : n;
|
|
1620
1733
|
} catch (n) {
|
|
1621
|
-
return d.logger.error(
|
|
1734
|
+
return d.logger.error(l({ err: n })), {
|
|
1622
1735
|
error: "server_error",
|
|
1623
1736
|
error_description: "Error connecting to authorization server"
|
|
1624
1737
|
};
|
|
@@ -1632,8 +1745,8 @@ class cr {
|
|
|
1632
1745
|
* @returns See {@link OAuthDeviceResponse}
|
|
1633
1746
|
*/
|
|
1634
1747
|
async pollDeviceCodeFlow(e) {
|
|
1635
|
-
var t, o,
|
|
1636
|
-
if (d.logger.debug(
|
|
1748
|
+
var t, o, s;
|
|
1749
|
+
if (d.logger.debug(l({ msg: "Starting device code flow" })), this.oidcConfig || await this.loadConfig(), !((t = this.oidcConfig) != null && t.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")))
|
|
1637
1750
|
return {
|
|
1638
1751
|
error: "invalid_request",
|
|
1639
1752
|
error_description: "Server does not support device code grant"
|
|
@@ -1645,22 +1758,22 @@ class cr {
|
|
|
1645
1758
|
};
|
|
1646
1759
|
let n = {
|
|
1647
1760
|
grant_type: "urn:ietf:params:oauth:grant-type:device_code",
|
|
1648
|
-
client_id: w(this,
|
|
1761
|
+
client_id: w(this, S),
|
|
1649
1762
|
client_secret: w(this, A),
|
|
1650
1763
|
device_code: e
|
|
1651
1764
|
};
|
|
1652
1765
|
try {
|
|
1653
|
-
const
|
|
1654
|
-
if (
|
|
1655
|
-
if (
|
|
1656
|
-
const a = await this.getIdPayload(
|
|
1766
|
+
const i = await this.post((s = this.oidcConfig) == null ? void 0 : s.token_endpoint, n, this.authServerHeaders);
|
|
1767
|
+
if (i.error) return i;
|
|
1768
|
+
if (i.id_token) {
|
|
1769
|
+
const a = await this.getIdPayload(i.id_token, i.access_token);
|
|
1657
1770
|
if (a.error)
|
|
1658
1771
|
return a;
|
|
1659
|
-
|
|
1772
|
+
i.id_payload = a.payload;
|
|
1660
1773
|
}
|
|
1661
|
-
return
|
|
1662
|
-
} catch (
|
|
1663
|
-
return d.logger.error(
|
|
1774
|
+
return i;
|
|
1775
|
+
} catch (i) {
|
|
1776
|
+
return d.logger.error(l({ err: i })), {
|
|
1664
1777
|
error: "server_error",
|
|
1665
1778
|
error_description: "Error connecting to authorization server"
|
|
1666
1779
|
};
|
|
@@ -1687,34 +1800,34 @@ class cr {
|
|
|
1687
1800
|
* @throws any exception raised by `fetch()`
|
|
1688
1801
|
*/
|
|
1689
1802
|
async post(e, t, o = {}) {
|
|
1690
|
-
d.logger.debug(
|
|
1803
|
+
d.logger.debug(l({
|
|
1691
1804
|
msg: "Fetch POST",
|
|
1692
1805
|
url: e,
|
|
1693
1806
|
params: Object.keys(t)
|
|
1694
1807
|
}));
|
|
1695
|
-
let
|
|
1696
|
-
this.authServerCredentials && (
|
|
1697
|
-
let n = "",
|
|
1808
|
+
let s = {};
|
|
1809
|
+
this.authServerCredentials && (s.credentials = this.authServerCredentials), this.authServerMode && (s.mode = this.authServerMode);
|
|
1810
|
+
let n = "", i = "";
|
|
1698
1811
|
if (this.oauthPostType == "json")
|
|
1699
|
-
n = JSON.stringify(t),
|
|
1812
|
+
n = JSON.stringify(t), i = "application/json";
|
|
1700
1813
|
else {
|
|
1701
1814
|
n = "";
|
|
1702
1815
|
for (let c in t)
|
|
1703
1816
|
n != "" && (n += "&"), n += encodeURIComponent(c) + "=" + encodeURIComponent(t[c]);
|
|
1704
|
-
|
|
1817
|
+
i = "application/x-www-form-urlencoded";
|
|
1705
1818
|
}
|
|
1706
|
-
this.oauthLogFetch && d.logger.debug(
|
|
1819
|
+
this.oauthLogFetch && d.logger.debug(l({ msg: "OAuth fetch", method: "POST", url: e, body: n }));
|
|
1707
1820
|
const a = await (await fetch(e, {
|
|
1708
1821
|
method: "POST",
|
|
1709
|
-
...
|
|
1822
|
+
...s,
|
|
1710
1823
|
headers: {
|
|
1711
1824
|
Accept: "application/json",
|
|
1712
|
-
"Content-Type":
|
|
1825
|
+
"Content-Type": i,
|
|
1713
1826
|
...o
|
|
1714
1827
|
},
|
|
1715
1828
|
body: n
|
|
1716
1829
|
})).json();
|
|
1717
|
-
return this.oauthLogFetch && d.logger.debug(
|
|
1830
|
+
return this.oauthLogFetch && d.logger.debug(l({ msg: "OAuth fetch response", body: JSON.stringify(a) })), a;
|
|
1718
1831
|
}
|
|
1719
1832
|
/**
|
|
1720
1833
|
* Makes a GET request to the given URL using `fetch()`.
|
|
@@ -1725,10 +1838,10 @@ class cr {
|
|
|
1725
1838
|
* @throws any exception raised by `fetch()`
|
|
1726
1839
|
*/
|
|
1727
1840
|
async get(e, t = {}) {
|
|
1728
|
-
d.logger.debug(
|
|
1841
|
+
d.logger.debug(l({ msg: "Fetch GET", url: e }));
|
|
1729
1842
|
let o = {};
|
|
1730
|
-
this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode), this.oauthLogFetch && d.logger.debug(
|
|
1731
|
-
const
|
|
1843
|
+
this.authServerCredentials && (o.credentials = this.authServerCredentials), this.authServerMode && (o.mode = this.authServerMode), this.oauthLogFetch && d.logger.debug(l({ msg: "OAuth fetch", method: "GET", url: e }));
|
|
1844
|
+
const s = await (await fetch(e, {
|
|
1732
1845
|
method: "GET",
|
|
1733
1846
|
...o,
|
|
1734
1847
|
headers: {
|
|
@@ -1736,7 +1849,7 @@ class cr {
|
|
|
1736
1849
|
...t
|
|
1737
1850
|
}
|
|
1738
1851
|
})).json();
|
|
1739
|
-
return this.oauthLogFetch && d.logger.debug(
|
|
1852
|
+
return this.oauthLogFetch && d.logger.debug(l({ msg: "OAuth fetch response", body: JSON.stringify(s) })), s;
|
|
1740
1853
|
}
|
|
1741
1854
|
/**
|
|
1742
1855
|
* Validates an OpenID ID token, returning undefined if it is invalid.
|
|
@@ -1781,16 +1894,16 @@ class cr {
|
|
|
1781
1894
|
try {
|
|
1782
1895
|
return await this.tokenConsumer.tokenAuthorized(e, "id", t);
|
|
1783
1896
|
} catch (o) {
|
|
1784
|
-
d.logger.warn(
|
|
1897
|
+
d.logger.warn(l({ err: o }));
|
|
1785
1898
|
return;
|
|
1786
1899
|
}
|
|
1787
1900
|
}
|
|
1788
1901
|
getTokenPayload(e) {
|
|
1789
|
-
return
|
|
1902
|
+
return Sr(e);
|
|
1790
1903
|
}
|
|
1791
1904
|
}
|
|
1792
|
-
|
|
1793
|
-
class
|
|
1905
|
+
S = /* @__PURE__ */ new WeakMap(), A = /* @__PURE__ */ new WeakMap();
|
|
1906
|
+
class Er {
|
|
1794
1907
|
/**
|
|
1795
1908
|
* Constrctor
|
|
1796
1909
|
*
|
|
@@ -1821,14 +1934,14 @@ class dr {
|
|
|
1821
1934
|
m.Configuration,
|
|
1822
1935
|
"Must specify jwtKeyType if setting jwtSecretKey"
|
|
1823
1936
|
);
|
|
1824
|
-
this.keys._default = await
|
|
1937
|
+
this.keys._default = await gr(this.jwtSecretKey, this.jwtKeyType);
|
|
1825
1938
|
} else if (this.jwtPublicKey) {
|
|
1826
1939
|
if (!this.jwtKeyType)
|
|
1827
1940
|
throw new g(
|
|
1828
1941
|
m.Configuration,
|
|
1829
1942
|
"Must specify jwtKeyType if setting jwtPublicKey"
|
|
1830
1943
|
);
|
|
1831
|
-
const t = await
|
|
1944
|
+
const t = await fr(this.jwtPublicKey, this.jwtKeyType);
|
|
1832
1945
|
this.keys._default = t;
|
|
1833
1946
|
} else {
|
|
1834
1947
|
if (this.oidcConfig || await this.loadConfig(), !this.oidcConfig)
|
|
@@ -1839,7 +1952,7 @@ class dr {
|
|
|
1839
1952
|
await this.loadJwks(void 0, e);
|
|
1840
1953
|
}
|
|
1841
1954
|
} catch (t) {
|
|
1842
|
-
throw d.logger.debug(
|
|
1955
|
+
throw d.logger.debug(l({ err: t })), new g(m.Connection, "Couldn't load keys");
|
|
1843
1956
|
}
|
|
1844
1957
|
}
|
|
1845
1958
|
/**
|
|
@@ -1848,7 +1961,7 @@ class dr {
|
|
|
1848
1961
|
* to `authServerBaseUrl` )
|
|
1849
1962
|
* @param oidcConfig the configuration, or undefined to load it from
|
|
1850
1963
|
* the authorization server
|
|
1851
|
-
* @throws a {@link CrossauthError} object with {@link ErrorCode} of
|
|
1964
|
+
* @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
|
|
1852
1965
|
* - `Connection` if the fetch to the authorization server failed.
|
|
1853
1966
|
*/
|
|
1854
1967
|
async loadConfig(e) {
|
|
@@ -1863,15 +1976,15 @@ class dr {
|
|
|
1863
1976
|
let o = this.authServerBaseUrl;
|
|
1864
1977
|
o.endsWith("/") || (o += "/"), t = await fetch(new URL(".well-known/openid-configuration", o));
|
|
1865
1978
|
} catch (o) {
|
|
1866
|
-
d.logger.error(
|
|
1979
|
+
d.logger.error(l({ err: o }));
|
|
1867
1980
|
}
|
|
1868
1981
|
if (!t || !t.ok)
|
|
1869
1982
|
throw new g(m.Connection, "Couldn't get OIDC configuration");
|
|
1870
|
-
this.oidcConfig = { ...
|
|
1983
|
+
this.oidcConfig = { ...Ce };
|
|
1871
1984
|
try {
|
|
1872
1985
|
const o = await t.json();
|
|
1873
|
-
for (const [
|
|
1874
|
-
this.oidcConfig[
|
|
1986
|
+
for (const [s, n] of Object.entries(o))
|
|
1987
|
+
this.oidcConfig[s] = n;
|
|
1875
1988
|
} catch {
|
|
1876
1989
|
throw new g(m.Connection, "Unrecognized response from OIDC configuration endpoint");
|
|
1877
1990
|
}
|
|
@@ -1881,7 +1994,7 @@ class dr {
|
|
|
1881
1994
|
* authorization server (using the URL in the OIDC configuration).
|
|
1882
1995
|
* @param jwks the keys to load, or undefined to fetch them from
|
|
1883
1996
|
* the authorization server.
|
|
1884
|
-
* @throws a {@link CrossauthError} object with {@link ErrorCode} of
|
|
1997
|
+
* @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
|
|
1885
1998
|
* - `Connection` if the fetch to the authorization server failed,
|
|
1886
1999
|
* the OIDC configuration wasn't set or the keys could not be parsed.
|
|
1887
2000
|
*/
|
|
@@ -1889,8 +2002,8 @@ class dr {
|
|
|
1889
2002
|
if (e) {
|
|
1890
2003
|
this.keys = {};
|
|
1891
2004
|
for (let o = 0; o < e.keys.length; ++o) {
|
|
1892
|
-
const
|
|
1893
|
-
this.keys[
|
|
2005
|
+
const s = e.keys[o], n = "kid" in s && s.kid ? s.kid : "_default";
|
|
2006
|
+
this.keys[n] = await le(e.keys[o]);
|
|
1894
2007
|
}
|
|
1895
2008
|
} else {
|
|
1896
2009
|
if (!this.oidcConfig)
|
|
@@ -1898,33 +2011,33 @@ class dr {
|
|
|
1898
2011
|
let o;
|
|
1899
2012
|
try {
|
|
1900
2013
|
o = await fetch(new URL(this.oidcConfig.jwks_uri));
|
|
1901
|
-
} catch (
|
|
1902
|
-
d.logger.error(
|
|
2014
|
+
} catch (s) {
|
|
2015
|
+
d.logger.error(l({ err: s }));
|
|
1903
2016
|
}
|
|
1904
2017
|
if (!o || !o.ok)
|
|
1905
2018
|
throw new g(m.Connection, "Couldn't get OIDC configuration");
|
|
1906
2019
|
this.keys = {};
|
|
1907
2020
|
try {
|
|
1908
|
-
const
|
|
1909
|
-
if (!("keys" in
|
|
2021
|
+
const s = await o.json();
|
|
2022
|
+
if (!("keys" in s) || !Array.isArray(s.keys))
|
|
1910
2023
|
throw new g(m.Connection, "Couldn't fetch keys");
|
|
1911
|
-
for (let n = 0; n <
|
|
2024
|
+
for (let n = 0; n < s.keys.length; ++n)
|
|
1912
2025
|
try {
|
|
1913
|
-
let
|
|
1914
|
-
if ("kid" in a && typeof a.kid == "string" && (
|
|
2026
|
+
let i = "_default", a = { ...s.keys[n] };
|
|
2027
|
+
if ("kid" in a && typeof a.kid == "string" && (i = String(a.kid)), a && !a.alg && !a.jwk_alg && t)
|
|
1915
2028
|
if (t.startsWith("RS") && a.kty == "RSA")
|
|
1916
2029
|
a.alg = t;
|
|
1917
2030
|
else {
|
|
1918
|
-
d.logger.debug(
|
|
2031
|
+
d.logger.debug(l({ msg: "Skipping key with " + a.kty }));
|
|
1919
2032
|
continue;
|
|
1920
2033
|
}
|
|
1921
|
-
const c = await
|
|
1922
|
-
this.keys[
|
|
1923
|
-
} catch (
|
|
1924
|
-
throw d.logger.error(
|
|
2034
|
+
const c = await le(a);
|
|
2035
|
+
this.keys[i] = c;
|
|
2036
|
+
} catch (i) {
|
|
2037
|
+
throw d.logger.error(l({ err: i })), new g(m.Connection, "Couldn't load keys");
|
|
1925
2038
|
}
|
|
1926
|
-
} catch (
|
|
1927
|
-
throw d.logger.error(
|
|
2039
|
+
} catch (s) {
|
|
2040
|
+
throw d.logger.error(l({ err: s })), new g(m.Connection, "Unrecognized response from OIDC jwks endpoint");
|
|
1928
2041
|
}
|
|
1929
2042
|
}
|
|
1930
2043
|
}
|
|
@@ -1941,61 +2054,61 @@ class dr {
|
|
|
1941
2054
|
*/
|
|
1942
2055
|
async tokenAuthorized(e, t, o) {
|
|
1943
2056
|
if (!this.keys || Object.keys(this.keys).length == 0) {
|
|
1944
|
-
const n =
|
|
2057
|
+
const n = me(e);
|
|
1945
2058
|
await this.loadKeys(n.alg);
|
|
1946
2059
|
}
|
|
1947
|
-
const
|
|
1948
|
-
if (
|
|
1949
|
-
if (
|
|
1950
|
-
const n =
|
|
1951
|
-
d.logger.error(
|
|
2060
|
+
const s = await this.validateToken(e);
|
|
2061
|
+
if (s) {
|
|
2062
|
+
if (s.iss != this.authServerBaseUrl) {
|
|
2063
|
+
const n = s.jti ? s.jti : s.sid ? s.sid : "";
|
|
2064
|
+
d.logger.error(l({ msg: `Invalid issuer ${s.iss} ${t} token`, hashedAccessToken: await this.hash(n) }));
|
|
1952
2065
|
return;
|
|
1953
2066
|
}
|
|
1954
|
-
if (o != !1 &&
|
|
1955
|
-
const n =
|
|
1956
|
-
if (Array.isArray(
|
|
1957
|
-
d.logger.error(
|
|
2067
|
+
if (o != !1 && s.aud) {
|
|
2068
|
+
const n = s.jti ? s.jti : s.sid ? s.sid : "";
|
|
2069
|
+
if (Array.isArray(s.aud) && !s.aud.includes(this.audience) || !Array.isArray(s.aud) && s.aud != this.audience) {
|
|
2070
|
+
d.logger.error(l({ msg: `Invalid audience ${s.aud} in ${t} token`, hashedAccessToken: await this.hash(n) }));
|
|
1958
2071
|
return;
|
|
1959
2072
|
}
|
|
1960
2073
|
}
|
|
1961
|
-
return
|
|
2074
|
+
return s;
|
|
1962
2075
|
}
|
|
1963
2076
|
}
|
|
1964
2077
|
async validateToken(e) {
|
|
1965
2078
|
(!this.keys || Object.keys(this.keys).length == 0) && d.logger.warn("No keys loaded so cannot validate tokens");
|
|
1966
2079
|
let t;
|
|
1967
2080
|
try {
|
|
1968
|
-
t =
|
|
2081
|
+
t = me(e).kid;
|
|
1969
2082
|
} catch {
|
|
1970
|
-
d.logger.warn(
|
|
2083
|
+
d.logger.warn(l({ msg: "Invalid access token format" }));
|
|
1971
2084
|
return;
|
|
1972
2085
|
}
|
|
1973
2086
|
let o;
|
|
1974
|
-
for (let
|
|
1975
|
-
if (t ==
|
|
1976
|
-
o = this.keys[
|
|
2087
|
+
for (let s in this.keys)
|
|
2088
|
+
if (t == s) {
|
|
2089
|
+
o = this.keys[s];
|
|
1977
2090
|
break;
|
|
1978
2091
|
}
|
|
1979
2092
|
if (!o && "_default" in this.keys && (o = this.keys._default), !o) {
|
|
1980
|
-
d.logger.warn(
|
|
2093
|
+
d.logger.warn(l({ msg: "No matching keys found for access token" }));
|
|
1981
2094
|
return;
|
|
1982
2095
|
}
|
|
1983
2096
|
try {
|
|
1984
|
-
const { payload:
|
|
2097
|
+
const { payload: s } = await Cr(e, o), n = JSON.parse(new TextDecoder().decode(s));
|
|
1985
2098
|
if (n.exp * 1e3 < Date.now() + this.clockTolerance) {
|
|
1986
|
-
d.logger.warn(
|
|
2099
|
+
d.logger.warn(l({ msg: "Access token has expired" }));
|
|
1987
2100
|
return;
|
|
1988
2101
|
}
|
|
1989
2102
|
return n;
|
|
1990
|
-
} catch (
|
|
1991
|
-
const n = g.asCrossauthError(
|
|
1992
|
-
d.logger.debug(
|
|
2103
|
+
} catch (s) {
|
|
2104
|
+
const n = g.asCrossauthError(s);
|
|
2105
|
+
d.logger.debug(l({ err: n })), d.logger.warn(l({ msg: "Access token did not validate", cerr: n }));
|
|
1993
2106
|
return;
|
|
1994
2107
|
}
|
|
1995
2108
|
}
|
|
1996
2109
|
}
|
|
1997
|
-
const
|
|
1998
|
-
class
|
|
2110
|
+
const ve = 30, se = 2, de = 30;
|
|
2111
|
+
class Ke {
|
|
1999
2112
|
/**
|
|
2000
2113
|
* Constructor
|
|
2001
2114
|
*
|
|
@@ -2020,50 +2133,50 @@ class Re {
|
|
|
2020
2133
|
}
|
|
2021
2134
|
async startAutoRefresh(e = ["access", "id"], t) {
|
|
2022
2135
|
if (!this.autoRefreshActive) {
|
|
2023
|
-
this.autoRefreshActive = !0, d.logger.debug(
|
|
2136
|
+
this.autoRefreshActive = !0, d.logger.debug(l({ msg: "Starting auto refresh" }));
|
|
2024
2137
|
try {
|
|
2025
2138
|
await this.scheduleAutoRefresh(e, t);
|
|
2026
2139
|
} catch (o) {
|
|
2027
|
-
const
|
|
2028
|
-
d.logger.error(
|
|
2140
|
+
const s = g.asCrossauthError(o);
|
|
2141
|
+
d.logger.error(l({ cerr: s })), d.logger.debug(l({ err: s }));
|
|
2029
2142
|
}
|
|
2030
2143
|
}
|
|
2031
2144
|
}
|
|
2032
2145
|
stopAutoRefresh() {
|
|
2033
|
-
this.autoRefreshActive = !1, d.logger.debug(
|
|
2146
|
+
this.autoRefreshActive = !1, d.logger.debug(l({ msg: "Stopping auto refresh" }));
|
|
2034
2147
|
}
|
|
2035
2148
|
async scheduleAutoRefresh(e, t) {
|
|
2036
2149
|
let o;
|
|
2037
|
-
const
|
|
2038
|
-
if (
|
|
2039
|
-
d.logger.debug(
|
|
2150
|
+
const s = this.tokenProvider.getCsrfToken(), n = s ? await s : void 0, i = await this.tokenProvider.getTokenExpiries([...e, "refresh"], n);
|
|
2151
|
+
if (i.refresh == null) {
|
|
2152
|
+
d.logger.debug(l({ msg: "No refresh token found" }));
|
|
2040
2153
|
return;
|
|
2041
2154
|
}
|
|
2042
2155
|
const a = Date.now();
|
|
2043
|
-
let c =
|
|
2044
|
-
if ((!c ||
|
|
2045
|
-
d.logger.debug(
|
|
2156
|
+
let c = i.id;
|
|
2157
|
+
if ((!c || i.access && i.access < c) && (c = i.access), !c) {
|
|
2158
|
+
d.logger.debug(l({ msg: "No tokens expire" }));
|
|
2046
2159
|
return;
|
|
2047
2160
|
}
|
|
2048
|
-
let
|
|
2049
|
-
if (
|
|
2050
|
-
d.logger.debug(
|
|
2161
|
+
let h = c * 1e3 - a - ve;
|
|
2162
|
+
if (h < 0 && o != null && o <= 0) {
|
|
2163
|
+
d.logger.debug(l({ msg: "Expiry time has passed" }));
|
|
2051
2164
|
return;
|
|
2052
2165
|
}
|
|
2053
|
-
if (
|
|
2054
|
-
d.logger.debug(
|
|
2166
|
+
if (h < 0 && (h = 0), i.refresh && i.refresh - ve < h) {
|
|
2167
|
+
d.logger.debug(l({ msg: "Refresh token has expired" }));
|
|
2055
2168
|
return;
|
|
2056
2169
|
}
|
|
2057
|
-
let y = (
|
|
2058
|
-
d.logger.debug(
|
|
2170
|
+
let y = (_) => new Promise((b) => setTimeout(b, _));
|
|
2171
|
+
d.logger.debug(l({ msg: `Waiting ${h} before refreshing tokens` })), o = h, await y(h), await this.autoRefresh(e, n, t);
|
|
2059
2172
|
}
|
|
2060
2173
|
async autoRefresh(e, t, o) {
|
|
2061
2174
|
if (this.autoRefreshActive) {
|
|
2062
|
-
let
|
|
2063
|
-
for (; !n &&
|
|
2175
|
+
let s, n = !1, i = 0;
|
|
2176
|
+
for (; !n && i <= se; )
|
|
2064
2177
|
try {
|
|
2065
2178
|
let a = { ...this.headers };
|
|
2066
|
-
t && (a[this.csrfHeader] = t), d.logger.debug(
|
|
2179
|
+
t && (a[this.csrfHeader] = t), d.logger.debug(l({ msg: "Initiating auto refresh" }));
|
|
2067
2180
|
const c = await this.tokenProvider.jsonFetchWithToken(
|
|
2068
2181
|
this.autoRefreshUrl,
|
|
2069
2182
|
{
|
|
@@ -2081,35 +2194,35 @@ class Re {
|
|
|
2081
2194
|
},
|
|
2082
2195
|
"refresh"
|
|
2083
2196
|
);
|
|
2084
|
-
c.ok || d.logger.error(
|
|
2197
|
+
c.ok || d.logger.error(l({ msg: "Failed auto refreshing tokens", status: c.status }));
|
|
2085
2198
|
try {
|
|
2086
|
-
|
|
2199
|
+
s = await c.json();
|
|
2087
2200
|
} catch {
|
|
2088
2201
|
try {
|
|
2089
|
-
d.logger.error(
|
|
2202
|
+
d.logger.error(l({ msg: "/refresh returned a non-JSON response " + (s ? await s.text() : void 0) }));
|
|
2090
2203
|
} catch {
|
|
2091
|
-
d.logger.error(
|
|
2204
|
+
d.logger.error(l({ msg: "/refresh returned a with no body " }));
|
|
2092
2205
|
}
|
|
2093
|
-
|
|
2206
|
+
s = { ok: !1, error: "Unknown" };
|
|
2094
2207
|
}
|
|
2095
|
-
if (
|
|
2208
|
+
if (s != null && s.ok) {
|
|
2096
2209
|
await this.scheduleAutoRefresh(e, o), n = !0;
|
|
2097
2210
|
try {
|
|
2098
|
-
await this.tokenProvider.receiveTokens(
|
|
2099
|
-
} catch (
|
|
2100
|
-
const y = g.asCrossauthError(
|
|
2101
|
-
o ? o("Couldn't receive tokens", y) : (d.logger.debug(
|
|
2211
|
+
await this.tokenProvider.receiveTokens(s);
|
|
2212
|
+
} catch (h) {
|
|
2213
|
+
const y = g.asCrossauthError(h);
|
|
2214
|
+
o ? o("Couldn't receive tokens", y) : (d.logger.debug(l({ err: h })), d.logger.error(l({ msg: "Error receiving tokens", cerr: y })));
|
|
2102
2215
|
}
|
|
2103
2216
|
} else
|
|
2104
|
-
|
|
2217
|
+
i < se ? (d.logger.error(l({ msg: `Failed auto refreshing tokens. Retrying in ${de} seconds` })), await ((y) => new Promise((_) => setTimeout(_, y)))(de * 1e3)) : (d.logger.error(l({ msg: "Failed auto refreshing tokens. Number of retries exceeded" })), o && o("Failed auto refreshing tokens")), i++;
|
|
2105
2218
|
} catch (a) {
|
|
2106
2219
|
const c = g.asCrossauthError(a);
|
|
2107
|
-
d.logger.debug(
|
|
2220
|
+
d.logger.debug(l({ err: c })), i < se ? (d.logger.error(l({ msg: `Failed auto refreshing tokens. Retrying in ${se} seconds` })), await ((y) => new Promise((_) => setTimeout(_, y)))(de * 1e3)) : (d.logger.error(l({ msg: "Failed auto refreshing tokens. Number of retries exceeded" })), o && o(c.message, c)), i++;
|
|
2108
2221
|
}
|
|
2109
2222
|
}
|
|
2110
2223
|
}
|
|
2111
2224
|
}
|
|
2112
|
-
class
|
|
2225
|
+
class We {
|
|
2113
2226
|
/**
|
|
2114
2227
|
* Constructor
|
|
2115
2228
|
*
|
|
@@ -2130,29 +2243,29 @@ class Ie {
|
|
|
2130
2243
|
this.oauthClient = e.oauthClient, e.deviceCodePollUrl != null && (this.deviceCodePollUrl = e.deviceCodePollUrl), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials);
|
|
2131
2244
|
}
|
|
2132
2245
|
async startPolling(e, t, o = 5) {
|
|
2133
|
-
this.pollingActive || (this.pollingActive = !0, d.logger.debug(
|
|
2246
|
+
this.pollingActive || (this.pollingActive = !0, d.logger.debug(l({ msg: "Starting auto refresh" })), await this.poll(e, o, t));
|
|
2134
2247
|
}
|
|
2135
2248
|
stopPolling() {
|
|
2136
|
-
this.pollingActive = !1, d.logger.debug(
|
|
2249
|
+
this.pollingActive = !1, d.logger.debug(l({ msg: "Stopping auto refresh" }));
|
|
2137
2250
|
}
|
|
2138
2251
|
async poll(e, t, o) {
|
|
2139
|
-
var
|
|
2252
|
+
var s;
|
|
2140
2253
|
if (!e)
|
|
2141
|
-
d.logger.debug(
|
|
2254
|
+
d.logger.debug(l({ msg: "device code poll: no device code provided" })), o("error", "Error waiting for authorization");
|
|
2142
2255
|
else
|
|
2143
2256
|
try {
|
|
2144
|
-
if (d.logger.debug(
|
|
2145
|
-
if (this.oauthClient.getOidcConfig() || await this.oauthClient.loadConfig(), !((
|
|
2257
|
+
if (d.logger.debug(l({ msg: "device code poll: poll" })), !this.deviceCodePollUrl && this.oauthClient) {
|
|
2258
|
+
if (this.oauthClient.getOidcConfig() || await this.oauthClient.loadConfig(), !((s = this.oauthClient.getOidcConfig()) != null && s.grant_types_supported.includes("http://auth0.com/oauth/grant-type/mfa-oob")))
|
|
2146
2259
|
return {
|
|
2147
2260
|
error: "invalid_request",
|
|
2148
2261
|
error_description: "Server does not support password_mfa grant"
|
|
2149
2262
|
};
|
|
2150
|
-
let
|
|
2151
|
-
if (!(
|
|
2263
|
+
let i = this.oauthClient.getOidcConfig();
|
|
2264
|
+
if (!(i != null && i.token_endpoint)) return {
|
|
2152
2265
|
error: "server_error",
|
|
2153
2266
|
error_description: "Couldn't get OIDC configuration"
|
|
2154
2267
|
};
|
|
2155
|
-
this.deviceCodePollUrl =
|
|
2268
|
+
this.deviceCodePollUrl = i.token_endpoint;
|
|
2156
2269
|
}
|
|
2157
2270
|
if (!this.deviceCodePollUrl)
|
|
2158
2271
|
return {
|
|
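Review bot: The capability check in poll() at new line 2258 gates device-code polling on `grant_types_supported` containing `http://auth0.com/oauth/grant-type/mfa-oob`, and the failure text is `Server does not support password_mfa grant`, although this class polls `token_endpoint` for a device code and both strings look copied from the MFA flow. The grant a server advertises for this flow is `urn:ietf:params:oauth:grant-type:device_code` (RFC 8628), so unless the target server is known to advertise the OOB grant for device polling, a compliant server would be rejected here; I would change the check to `s.grant_types_supported.includes("urn:ietf:params:oauth:grant-type:device_code")` and the message to `"Server does not support the device code grant"`. `grant_types_supported` is also optional in discovery metadata, so `s.grant_types_supported?.includes(...)` would turn a TypeError (currently surfaced by the outer catch as a generic polling error) into the intended `invalid_request` result.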
@@ -2169,23 +2282,23 @@ class Ie {
|
|
|
2169
2282
|
else if (!n.ok)
|
|
2170
2283
|
this.pollingActive = !1, o("error", "Received an error from the authorization server");
|
|
2171
2284
|
else {
|
|
2172
|
-
const
|
|
2173
|
-
if (d.logger.debug(
|
|
2285
|
+
const i = await n.json();
|
|
2286
|
+
if (d.logger.debug(l({ msg: "device code poll: received" + JSON.stringify(i) })), i.error == "expired_token")
|
|
2174
2287
|
this.pollingActive = !1, o("expired_token", "Timeout waiting for authorization");
|
|
2175
|
-
else if (
|
|
2176
|
-
|
|
2177
|
-
let a =
|
|
2178
|
-
d.logger.debug(
|
|
2179
|
-
} else
|
|
2288
|
+
else if (i.error == "authorization_pending" || i.error == "slow_down") {
|
|
2289
|
+
i.error == "slow_down" && (t += 5);
|
|
2290
|
+
let a = i.interval ?? t, c = (h) => new Promise((y) => setTimeout(y, h));
|
|
2291
|
+
d.logger.debug(l({ msg: "device code poll: waiting " + String(a) + " seconds" })), await c(a * 1e3), this.pollingActive && this.poll(e, t, o);
|
|
2292
|
+
} else i.error ? (this.pollingActive = !1, o("error", i.error_description ?? i.error)) : (this.pollingActive = !1, o("complete"));
|
|
2180
2293
|
}
|
|
2181
2294
|
} catch (n) {
|
|
2182
2295
|
this.pollingActive = !1;
|
|
2183
|
-
const
|
|
2184
|
-
d.logger.debug(
|
|
2296
|
+
const i = g.asCrossauthError(n);
|
|
2297
|
+
d.logger.debug(l({ err: i })), d.logger.error(l({ msg: "Polling failed", cerr: i })), o("error", i.message);
|
|
2185
2298
|
}
|
|
2186
2299
|
}
|
|
2187
2300
|
}
|
|
2188
|
-
class
|
|
2301
|
+
class Rr {
|
|
2189
2302
|
/**
|
|
2190
2303
|
* Constructor
|
|
2191
2304
|
*
|
|
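Review bot: The debug log at new line 2286, `"device code poll: received" + JSON.stringify(i)`, serializes the whole token-endpoint response, which on the successful poll carries the access, refresh and ID tokens, so enabling debug logging writes bearer credentials to the console or log sink. Logging only the outcome is enough to diagnose polling: `d.logger.debug(l({ msg: "device code poll: received " + (i.error ?? "tokens") }))`. The recursive `this.poll(e, t, o)` at line 2291 is neither awaited nor caught; since poll() reports its own failures through the callback that is acceptable, but a one-line comment saying so would stop the next reader from "fixing" it.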
@@ -2218,11 +2331,11 @@ class ur {
|
|
|
2218
2331
|
f(this, "getCsrfTokenUrl", "/api/getcsrftoken");
|
|
2219
2332
|
f(this, "autoRefreshUrl", "/api/refreshtokens");
|
|
2220
2333
|
f(this, "tokensUrl", "/tokens");
|
|
2221
|
-
e.bffPrefix && (this.bffPrefix = e.bffPrefix), e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.enableCsrfProtection != null && (this.enableCsrfProtection = e.enableCsrfProtection), e.getCsrfTokenUrl && (this.getCsrfTokenUrl = e.getCsrfTokenUrl), e.tokensUrl && (this.tokensUrl = e.tokensUrl), e.autoRefreshUrl && (this.autoRefreshUrl = e.autoRefreshUrl), this.bffPrefix.endsWith("/") || (this.bffPrefix += "/"), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials), this.autoRefresher = new
|
|
2334
|
+
e.bffPrefix && (this.bffPrefix = e.bffPrefix), e.csrfHeader && (this.csrfHeader = e.csrfHeader), e.enableCsrfProtection != null && (this.enableCsrfProtection = e.enableCsrfProtection), e.getCsrfTokenUrl && (this.getCsrfTokenUrl = e.getCsrfTokenUrl), e.tokensUrl && (this.tokensUrl = e.tokensUrl), e.autoRefreshUrl && (this.autoRefreshUrl = e.autoRefreshUrl), this.bffPrefix.endsWith("/") || (this.bffPrefix += "/"), e.headers && (this.headers = e.headers), e.mode && (this.mode = e.mode), e.credentials && (this.credentials = e.credentials), this.autoRefresher = new Ke({
|
|
2222
2335
|
...e,
|
|
2223
2336
|
autoRefreshUrl: this.autoRefreshUrl,
|
|
2224
2337
|
tokenProvider: this
|
|
2225
|
-
}), this.deviceCodePoller = new
|
|
2338
|
+
}), this.deviceCodePoller = new We({ ...e, oauthClient: void 0 });
|
|
2226
2339
|
}
|
|
2227
2340
|
/**
|
|
2228
2341
|
* Gets a CSRF token from the server
|
|
@@ -2329,11 +2442,11 @@ class ur {
|
|
|
2329
2442
|
* @param csrfToken : the CSRF token
|
|
2330
2443
|
* @returns the HTTP status code and the body or null
|
|
2331
2444
|
*/
|
|
2332
|
-
async api(e, t, o,
|
|
2445
|
+
async api(e, t, o, s) {
|
|
2333
2446
|
let n = { ...this.headers };
|
|
2334
|
-
!
|
|
2335
|
-
let
|
|
2336
|
-
o && (
|
|
2447
|
+
!s && !["GET", "HEAD", "OPTIONS"].includes(e) && (s = await this.getCsrfToken(), s && (n[this.csrfHeader] = s)), t.startsWith("/") && (t = t.substring(1));
|
|
2448
|
+
let i = {};
|
|
2449
|
+
o && (i.body = JSON.stringify(o));
|
|
2337
2450
|
const a = await fetch(
|
|
2338
2451
|
this.bffPrefix + t,
|
|
2339
2452
|
{
|
|
@@ -2341,7 +2454,7 @@ class ur {
|
|
|
2341
2454
|
method: e,
|
|
2342
2455
|
mode: this.mode,
|
|
2343
2456
|
credentials: this.credentials,
|
|
2344
|
-
...
|
|
2457
|
+
...i
|
|
2345
2458
|
}
|
|
2346
2459
|
);
|
|
2347
2460
|
let c = null;
|
|
@@ -2416,15 +2529,15 @@ class ur {
|
|
|
2416
2529
|
async getTokenExpiries(e, t) {
|
|
2417
2530
|
const o = await this.getTokens(t);
|
|
2418
2531
|
try {
|
|
2419
|
-
const
|
|
2420
|
-
let a, c,
|
|
2421
|
-
return
|
|
2532
|
+
const s = e.includes("id") ? (o == null ? void 0 : o.id_token) ?? null : null, n = e.includes("access") ? (o == null ? void 0 : o.access_token) ?? null : null, i = e.includes("refresh") ? (o == null ? void 0 : o.refresh_token) ?? null : null;
|
|
2533
|
+
let a, c, h;
|
|
2534
|
+
return s && (a = s.exp ? s.exp : null), n && (c = n.exp ? n.exp : null), i && (h = i.exp ? i.exp : null), {
|
|
2422
2535
|
id: a,
|
|
2423
2536
|
access: c,
|
|
2424
|
-
refresh:
|
|
2537
|
+
refresh: h
|
|
2425
2538
|
};
|
|
2426
2539
|
} catch {
|
|
2427
|
-
return d.logger.error(
|
|
2540
|
+
return d.logger.error(l({ msg: "getTokenExpiries received non JSON response " + o })), {
|
|
2428
2541
|
id: 0,
|
|
2429
2542
|
access: 0,
|
|
2430
2543
|
refresh: 0
|
|
@@ -2446,7 +2559,7 @@ class ur {
|
|
|
2446
2559
|
});
|
|
2447
2560
|
}
|
|
2448
2561
|
}
|
|
2449
|
-
class
|
|
2562
|
+
class Pr {
|
|
2450
2563
|
/**
|
|
2451
2564
|
* Gets a CSRF token from the server
|
|
2452
2565
|
* @returns the CSRF token that can be included in
|
|
@@ -2457,19 +2570,19 @@ class fr {
|
|
|
2457
2570
|
});
|
|
2458
2571
|
}
|
|
2459
2572
|
}
|
|
2460
|
-
class
|
|
2573
|
+
class br extends Er {
|
|
2461
2574
|
/**
|
|
2462
2575
|
* SHA256 and Base64-url-encodes the given test
|
|
2463
2576
|
* @param plaintext the text to encode
|
|
2464
2577
|
* @returns the SHA256 hash, Base64-url-encode
|
|
2465
2578
|
*/
|
|
2466
2579
|
async hash(e) {
|
|
2467
|
-
const o = new TextEncoder().encode(e),
|
|
2468
|
-
return btoa(n.reduce((
|
|
2580
|
+
const o = new TextEncoder().encode(e), s = await crypto.subtle.digest("SHA-256", o), n = Array.from(new Uint8Array(s));
|
|
2581
|
+
return btoa(n.reduce((i, a) => i + String.fromCharCode(a), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
|
|
2469
2582
|
}
|
|
2470
2583
|
}
|
|
2471
|
-
var
|
|
2472
|
-
class
|
|
2584
|
+
var j, W, N, D, J, B, q, Z, ee, V;
|
|
2585
|
+
class Ir extends Tr {
|
|
2473
2586
|
/**
|
|
2474
2587
|
* Constructor
|
|
2475
2588
|
*
|
|
@@ -2511,7 +2624,7 @@ class gr extends cr {
|
|
|
2511
2624
|
* For other options see {@link OAuthClientBase}.
|
|
2512
2625
|
*/
|
|
2513
2626
|
constructor(t) {
|
|
2514
|
-
t.tokenConsumer || (t.tokenConsumer = new
|
|
2627
|
+
t.tokenConsumer || (t.tokenConsumer = new br(
|
|
2515
2628
|
t.client_id,
|
|
2516
2629
|
{
|
|
2517
2630
|
authServerBaseUrl: t.authServerBaseUrl
|
|
@@ -2528,58 +2641,58 @@ class gr extends cr {
|
|
|
2528
2641
|
f(this, "accessTokenName", "CROSSAUTH_AT");
|
|
2529
2642
|
f(this, "refreshTokenName", "CROSSAUTH_RT");
|
|
2530
2643
|
f(this, "idTokenName", "CROSSAUTH_IT");
|
|
2531
|
-
|
|
2532
|
-
|
|
2533
|
-
|
|
2534
|
-
|
|
2535
|
-
|
|
2536
|
-
|
|
2537
|
-
|
|
2644
|
+
R(this, j);
|
|
2645
|
+
R(this, W);
|
|
2646
|
+
R(this, N);
|
|
2647
|
+
R(this, D);
|
|
2648
|
+
R(this, J);
|
|
2649
|
+
R(this, B);
|
|
2650
|
+
R(this, q);
|
|
2538
2651
|
f(this, "autoRefresher");
|
|
2539
2652
|
f(this, "deviceCodePoller");
|
|
2540
2653
|
f(this, "deviceAuthorizationUrl", "device_authorization");
|
|
2541
|
-
|
|
2542
|
-
|
|
2543
|
-
|
|
2654
|
+
R(this, Z);
|
|
2655
|
+
R(this, ee);
|
|
2656
|
+
R(this, V);
|
|
2544
2657
|
f(this, "scope");
|
|
2545
2658
|
f(this, "logFetch", !1);
|
|
2546
|
-
this.resServerBaseUrl != null && (this.resServerBaseUrl = t.resServerBaseUrl ?? "", this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/") && (this.resServerBaseUrl += "/")), t.accessTokenResponseType && (this.accessTokenResponseType = t.accessTokenResponseType), t.idTokenResponseType && (this.idTokenResponseType = t.idTokenResponseType), t.refreshTokenResponseType && (this.refreshTokenResponseType = t.refreshTokenResponseType), t.accessTokenName && (this.accessTokenName = t.accessTokenName), t.idTokenName && (this.idTokenName = t.idTokenName), t.refreshTokenName && (this.refreshTokenName = t.refreshTokenName), t.resServerHeaders && (this.resServerHeaders = t.resServerHeaders), t.resServerMode && (this.resServerMode = t.resServerMode), t.resServerCredentials && (this.resServerCredentials = t.resServerCredentials), t.client_id && T(this,
|
|
2659
|
+
this.resServerBaseUrl != null && (this.resServerBaseUrl = t.resServerBaseUrl ?? "", this.resServerBaseUrl.length > 0 && !this.resServerBaseUrl.endsWith("/") && (this.resServerBaseUrl += "/")), t.accessTokenResponseType && (this.accessTokenResponseType = t.accessTokenResponseType), t.idTokenResponseType && (this.idTokenResponseType = t.idTokenResponseType), t.refreshTokenResponseType && (this.refreshTokenResponseType = t.refreshTokenResponseType), t.accessTokenName && (this.accessTokenName = t.accessTokenName), t.idTokenName && (this.idTokenName = t.idTokenName), t.refreshTokenName && (this.refreshTokenName = t.refreshTokenName), t.resServerHeaders && (this.resServerHeaders = t.resServerHeaders), t.resServerMode && (this.resServerMode = t.resServerMode), t.resServerCredentials && (this.resServerCredentials = t.resServerCredentials), t.client_id && T(this, B, t.client_id), t.client_secret && T(this, q, t.client_secret), t.deviceAuthorizationUrl && (this.deviceAuthorizationUrl = t.deviceAuthorizationUrl), this.autoRefresher = new Ke({
|
|
2547
2660
|
...t,
|
|
2548
2661
|
autoRefreshUrl: this.authServerBaseUrl + "/token",
|
|
2549
2662
|
tokenProvider: this
|
|
2550
|
-
}), this.deviceCodePoller = new
|
|
2551
|
-
let o,
|
|
2552
|
-
if (this.idTokenResponseType == "sessionStorage" ? o = sessionStorage.getItem(this.idTokenName) : this.idTokenResponseType == "localStorage" && (o = localStorage.getItem(this.idTokenName)), this.accessTokenResponseType == "sessionStorage" ?
|
|
2553
|
-
access_token:
|
|
2663
|
+
}), this.deviceCodePoller = new We({ ...t, oauthClient: this, deviceCodePollUrl: null });
|
|
2664
|
+
let o, s, n;
|
|
2665
|
+
if (this.idTokenResponseType == "sessionStorage" ? o = sessionStorage.getItem(this.idTokenName) : this.idTokenResponseType == "localStorage" && (o = localStorage.getItem(this.idTokenName)), this.accessTokenResponseType == "sessionStorage" ? s = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (s = localStorage.getItem(this.accessTokenName)), this.refreshTokenResponseType == "sessionStorage" ? n = sessionStorage.getItem(this.refreshTokenName) : this.refreshTokenResponseType == "localStorage" && (n = localStorage.getItem(this.refreshTokenName)), this.receiveTokens({
|
|
2666
|
+
access_token: s,
|
|
2554
2667
|
id_token: o,
|
|
2555
2668
|
refresh_token: n
|
|
2556
|
-
}),
|
|
2557
|
-
const
|
|
2558
|
-
|
|
2669
|
+
}), s) {
|
|
2670
|
+
const i = this.getTokenPayload(s);
|
|
2671
|
+
i && (T(this, j, s), T(this, D, i));
|
|
2559
2672
|
}
|
|
2560
2673
|
if (n) {
|
|
2561
|
-
const
|
|
2562
|
-
|
|
2674
|
+
const i = this.getTokenPayload(n);
|
|
2675
|
+
i && (T(this, W, n), T(this, J, i));
|
|
2563
2676
|
}
|
|
2564
|
-
o ? this.validateIdToken(o).then((
|
|
2565
|
-
T(this,
|
|
2566
|
-
d.logger.debug(
|
|
2677
|
+
o ? this.validateIdToken(o).then((i) => {
|
|
2678
|
+
T(this, N, i), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
|
|
2679
|
+
d.logger.debug(l({ err: a, msg: "Couldn't start auto refresh" }));
|
|
2567
2680
|
});
|
|
2568
|
-
}).catch((
|
|
2569
|
-
d.logger.debug(
|
|
2570
|
-
}) : p(this,
|
|
2571
|
-
d.logger.debug(
|
|
2572
|
-
}) : n && !
|
|
2573
|
-
d.logger.debug(
|
|
2574
|
-
d.logger.debug(
|
|
2681
|
+
}).catch((i) => {
|
|
2682
|
+
d.logger.debug(l({ err: i, msg: "Couldn't validate ID token" }));
|
|
2683
|
+
}) : p(this, j) && t.autoRefresh && n ? this.startAutoRefresh(t.autoRefresh).then().catch((i) => {
|
|
2684
|
+
d.logger.debug(l({ err: i, msg: "Couldn't start auto refresh" }));
|
|
2685
|
+
}) : n && !s && this.refreshTokenFlow(n).then((i) => {
|
|
2686
|
+
d.logger.debug(l({ msg: "Refreshed tokens" })), t.autoRefresh && this.startAutoRefresh(t.autoRefresh).then().catch((a) => {
|
|
2687
|
+
d.logger.debug(l({ err: a, msg: "Couldn't start auto refresh" }));
|
|
2575
2688
|
});
|
|
2576
|
-
}).catch((
|
|
2577
|
-
const a = g.asCrossauthError(
|
|
2578
|
-
d.logger.debug(
|
|
2689
|
+
}).catch((i) => {
|
|
2690
|
+
const a = g.asCrossauthError(i);
|
|
2691
|
+
d.logger.debug(l({ err: a })), d.logger.error(l({ msg: "failed refreshing tokens", cerr: a }));
|
|
2579
2692
|
});
|
|
2580
2693
|
}
|
|
2581
2694
|
get idTokenPayload() {
|
|
2582
|
-
return p(this,
|
|
2695
|
+
return p(this, N);
|
|
2583
2696
|
}
|
|
2584
2697
|
/**
|
|
2585
2698
|
* Processes the query parameters for a Redirect URI request if they
|
|
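Review bot: At new line 2659 the guard `this.resServerBaseUrl != null && (this.resServerBaseUrl = t.resServerBaseUrl ?? "", …)` tests the field rather than the option, so `t.resServerBaseUrl` is only honoured when the field already has a non-null default, and in that case it is overwritten with `""` even when the caller passed nothing; every other option on the same line tests `t.x`. I would expect `t.resServerBaseUrl != null && (…)` unless a default declared outside this hunk is deliberately relied on. Separately, lines 2665–2691 start `validateIdToken`, `startAutoRefresh` and `refreshTokenFlow` without awaiting them, so `idTokenPayload` and the in-memory tokens are not populated when the constructor returns; a class comment such as `// Token validation and refresh are started asynchronously; do not read idTokenPayload right after construction` would prevent misuse. The constructor begins before this hunk.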
@@ -2607,23 +2720,23 @@ class gr extends cr {
|
|
|
2607
2720
|
const t = new URL(window.location.href);
|
|
2608
2721
|
if (t.origin + t.pathname != this.redirect_uri) return;
|
|
2609
2722
|
const o = new URLSearchParams(window.location.search);
|
|
2610
|
-
let
|
|
2611
|
-
for (const [
|
|
2612
|
-
|
|
2613
|
-
if (!
|
|
2614
|
-
if (
|
|
2615
|
-
const
|
|
2616
|
-
throw d.logger.debug(
|
|
2723
|
+
let s, n, i, a;
|
|
2724
|
+
for (const [h, y] of o)
|
|
2725
|
+
h == "code" && (s = y), h == "state" && (n = y), h == "error" && (i = y), h == "error_description" && (a = y);
|
|
2726
|
+
if (!i && !s) return;
|
|
2727
|
+
if (i) {
|
|
2728
|
+
const h = g.fromOAuthError(i, a);
|
|
2729
|
+
throw d.logger.debug(l({ err: h })), d.logger.error(l({ cerr: h, msg: "Error from authorize endpoint: " + i })), h;
|
|
2617
2730
|
}
|
|
2618
|
-
if (p(this,
|
|
2731
|
+
if (p(this, V) && n != p(this, V))
|
|
2619
2732
|
return {
|
|
2620
2733
|
error: "access_denied",
|
|
2621
2734
|
error_description: "Invalid state"
|
|
2622
2735
|
};
|
|
2623
|
-
const c = await this.redirectEndpoint(
|
|
2736
|
+
const c = await this.redirectEndpoint(s, this.scope, p(this, ee), i, a);
|
|
2624
2737
|
if (c.error) {
|
|
2625
|
-
const
|
|
2626
|
-
throw d.logger.debug(
|
|
2738
|
+
const h = g.fromOAuthError(c.error, a);
|
|
2739
|
+
throw d.logger.debug(l({ err: h })), d.logger.error(l({ cerr: h, msg: "Error from redirect endpoint: " + c.error })), h;
|
|
2627
2740
|
}
|
|
2628
2741
|
return await this.receiveTokens(c), c;
|
|
2629
2742
|
}
|
|
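Review bot: The state check at new line 2731, `if (p(this, V) && n != p(this, V))`, only rejects a mismatch when a stored state exists, so a redirect carrying a code with a missing or wrong `state` is accepted whenever the stored value is absent, which defeats the login-CSRF protection state exists for. The stored value is written only in the PKCE branch of `authorizationCodeFlow` (line 2964), so non-PKCE flows never validate state at all, and since `location.href = n.url` leaves the page the in-memory field presumably does not survive the round trip either unless the base class persists it — worth confirming. I would make the check unconditional: `if (!n || n != p(this, V)) return { error: "access_denied", error_description: "Invalid state" };`. This method starts before the hunk.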
@@ -2646,8 +2759,8 @@ class gr extends cr {
|
|
|
2646
2759
|
* @param deviceCode the device code to poll for (this was returned when the device code flow was started)
|
|
2647
2760
|
* @param pollResultFn called with the result of each poll
|
|
2648
2761
|
*/
|
|
2649
|
-
async startDeviceCodePolling(t, o,
|
|
2650
|
-
return this.deviceCodePoller.startPolling(t, o,
|
|
2762
|
+
async startDeviceCodePolling(t, o, s = 5) {
|
|
2763
|
+
return this.deviceCodePoller.startPolling(t, o, s);
|
|
2651
2764
|
}
|
|
2652
2765
|
/**
|
|
2653
2766
|
* Turns off polling for a device code
|
|
@@ -2664,7 +2777,7 @@ class gr extends cr {
|
|
|
2664
2777
|
* @returns the payload as an object
|
|
2665
2778
|
*/
|
|
2666
2779
|
getIdToken() {
|
|
2667
|
-
return p(this,
|
|
2780
|
+
return p(this, N);
|
|
2668
2781
|
}
|
|
2669
2782
|
///////
|
|
2670
2783
|
// Implementation of abstract methods
|
|
@@ -2676,7 +2789,7 @@ class gr extends cr {
|
|
|
2676
2789
|
*/
|
|
2677
2790
|
randomValue(t) {
|
|
2678
2791
|
const o = new Uint8Array(t);
|
|
2679
|
-
return self.crypto.getRandomValues(o), btoa(o.reduce((
|
|
2792
|
+
return self.crypto.getRandomValues(o), btoa(o.reduce((s, n) => s + String.fromCharCode(n), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
|
|
2680
2793
|
}
|
|
2681
2794
|
/**
|
|
2682
2795
|
* SHA256 and Base64-url-encodes the given test
|
|
@@ -2684,8 +2797,8 @@ class gr extends cr {
|
|
|
2684
2797
|
* @returns the SHA256 hash, Base64-url-encode
|
|
2685
2798
|
*/
|
|
2686
2799
|
async sha256(t) {
|
|
2687
|
-
const
|
|
2688
|
-
return btoa(
|
|
2800
|
+
const s = new TextEncoder().encode(t), n = await crypto.subtle.digest("SHA-256", s), i = Array.from(new Uint8Array(n));
|
|
2801
|
+
return btoa(i.reduce((a, c) => a + String.fromCharCode(c), "")).replace(/\//g, "_").replace(/\+/g, "-").replace(/=+$/, "");
|
|
2689
2802
|
}
|
|
2690
2803
|
/**
|
|
2691
2804
|
* Calls an API endpoint on the resource server
|
|
@@ -2694,11 +2807,11 @@ class gr extends cr {
|
|
|
2694
2807
|
* @param body : the body to pass to the call
|
|
2695
2808
|
* @returns the HTTP status code and the body or null
|
|
2696
2809
|
*/
|
|
2697
|
-
async api(t, o,
|
|
2810
|
+
async api(t, o, s) {
|
|
2698
2811
|
let n = { ...this.resServerHeaders };
|
|
2699
2812
|
o.startsWith("/") && (o = o.substring(1));
|
|
2700
|
-
let
|
|
2701
|
-
|
|
2813
|
+
let i = {};
|
|
2814
|
+
s && (i.body = JSON.stringify(s));
|
|
2702
2815
|
let a;
|
|
2703
2816
|
this.accessTokenResponseType == "sessionStorage" ? a = sessionStorage.getItem(this.accessTokenName) : this.accessTokenResponseType == "localStorage" && (a = localStorage.getItem(this.accessTokenName)), n.authorization = "Bearer " + a;
|
|
2704
2817
|
const c = await fetch(
|
|
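Review bot: At new line 2816 `n.authorization = "Bearer " + a` runs even when nothing was read from storage, so the request goes out with the literal header `Bearer undefined` (or `Bearer null`) whenever `accessTokenResponseType` is neither storage type or the item is missing, while `jsonFetchWithToken` in the same class uses the in-memory token and throws when none is present. I would fall back to the private access token and only set the header when one exists: `a ?? (a = p(this, j)), a && (n.authorization = "Bearer " + a);`. The fetch call continues past the end of this hunk.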
@@ -2708,11 +2821,11 @@ class gr extends cr {
|
|
|
2708
2821
|
method: t,
|
|
2709
2822
|
mode: this.resServerMode,
|
|
2710
2823
|
credentials: this.resServerCredentials,
|
|
2711
|
-
...
|
|
2824
|
+
...i
|
|
2712
2825
|
}
|
|
2713
2826
|
);
|
|
2714
|
-
let
|
|
2715
|
-
return c.body && (
|
|
2827
|
+
let h = null;
|
|
2828
|
+
return c.body && (h = await c.json()), { status: c.status, body: h };
|
|
2716
2829
|
}
|
|
2717
2830
|
///////////////////////////////////////////////////////////
|
|
2718
2831
|
// OAuthTokenProvider interface
|
|
@@ -2724,11 +2837,11 @@ class gr extends cr {
|
|
|
2724
2837
|
* expire, or `undefined` if the token does not exist
|
|
2725
2838
|
*/
|
|
2726
2839
|
async getTokenExpiries(t, o) {
|
|
2727
|
-
let
|
|
2728
|
-
return p(this,
|
|
2729
|
-
id:
|
|
2840
|
+
let s, n, i;
|
|
2841
|
+
return p(this, N) && (s = p(this, N).exp ? p(this, N).exp : null), p(this, D) && (n = p(this, D).exp ? p(this, D).exp : null), p(this, J) && (i = p(this, J).exp ? p(this, J).exp : null), {
|
|
2842
|
+
id: s,
|
|
2730
2843
|
access: n,
|
|
2731
|
-
refresh:
|
|
2844
|
+
refresh: i
|
|
2732
2845
|
};
|
|
2733
2846
|
}
|
|
2734
2847
|
/**
|
|
@@ -2741,17 +2854,17 @@ class gr extends cr {
|
|
|
2741
2854
|
* @param token which token to add
|
|
2742
2855
|
* @returns parsed JSON response
|
|
2743
2856
|
*/
|
|
2744
|
-
async jsonFetchWithToken(t, o,
|
|
2745
|
-
if (
|
|
2746
|
-
if (!p(this,
|
|
2857
|
+
async jsonFetchWithToken(t, o, s) {
|
|
2858
|
+
if (s == "access") {
|
|
2859
|
+
if (!p(this, j))
|
|
2747
2860
|
throw new g(m.InvalidToken, "Cannot make fetch with access token - no access token defined");
|
|
2748
|
-
o.headers || (o.headers = {}), o.headers.authorization = "Bearer " + p(this,
|
|
2861
|
+
o.headers || (o.headers = {}), o.headers.authorization = "Bearer " + p(this, j);
|
|
2749
2862
|
} else {
|
|
2750
|
-
if (o.body || (o.body = {}), !p(this,
|
|
2863
|
+
if (o.body || (o.body = {}), !p(this, W))
|
|
2751
2864
|
throw new g(m.InvalidToken, "Cannot make fetch with refresh token - no refresh token defined");
|
|
2752
|
-
o.body.refresh_token = p(this,
|
|
2865
|
+
o.body.refresh_token = p(this, W), o.body.grant_type = "refresh_token";
|
|
2753
2866
|
}
|
|
2754
|
-
return p(this,
|
|
2867
|
+
return p(this, B) && (o.body || (o.body = {}), o.body.client_id = p(this, B), p(this, q) && (o.body.client_secret = p(this, q))), typeof o.body != "string" && (o.body = JSON.stringify(o.body)), await fetch(t, o);
|
|
2755
2868
|
}
|
|
2756
2869
|
/**
|
|
2757
2870
|
* Does nothing as CSRF tokens are not needed for this class
|
|
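Review bot: At new line 2867 `client_secret` (private field `q`) is appended to the token request body from the browser, so any secret configured on this client ships in the page and is readable by every user; a browser client is a public client and the secret adds no protection while suggesting it does. I would document this on the option, e.g. `// NOTE: a client_secret held in the browser is not confidential; public clients should rely on PKCE instead`, which `authorizationCodeFlow` already supports. The `grant_type = "refresh_token"` assignment at line 2865 is correct for the refresh path.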
@@ -2762,15 +2875,15 @@ class gr extends cr {
|
|
|
2762
2875
|
async receiveTokens(t) {
|
|
2763
2876
|
if (t.access_token) {
|
|
2764
2877
|
const o = this.getTokenPayload(t.access_token);
|
|
2765
|
-
o && (T(this,
|
|
2878
|
+
o && (T(this, j, t.access_token), T(this, D, o)), this.accessTokenResponseType == "localStorage" ? localStorage.setItem(this.accessTokenName, t.access_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.accessTokenName, t.access_token);
|
|
2766
2879
|
}
|
|
2767
2880
|
if (t.refresh_token) {
|
|
2768
2881
|
const o = this.getTokenPayload(t.refresh_token);
|
|
2769
|
-
o && (T(this,
|
|
2882
|
+
o && (T(this, W, t.refresh_token), T(this, J, o)), this.refreshTokenResponseType == "localStorage" ? localStorage.setItem(this.refreshTokenName, t.refresh_token) : this.accessTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);
|
|
2770
2883
|
}
|
|
2771
2884
|
if (t.id_token) {
|
|
2772
2885
|
const o = await this.validateIdToken(t.id_token);
|
|
2773
|
-
T(this,
|
|
2886
|
+
T(this, N, o), this.idTokenResponseType == "localStorage" ? localStorage.setItem(this.idTokenName, t.id_token) : this.idTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.idTokenName, t.id_token);
|
|
2774
2887
|
}
|
|
2775
2888
|
}
|
|
2776
2889
|
/////////
|
|
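Review bot: The refresh-token branch at new line 2882 checks `this.accessTokenResponseType == "sessionStorage"` before writing to sessionStorage, so with `refreshTokenResponseType: "sessionStorage"` and a different access-token setting the refresh token is never persisted, and with the opposite configuration it is written to sessionStorage even though the caller did not ask for it; the access and ID token branches at lines 2878 and 2886 each use their own setting. The fix is one identifier: `: this.refreshTokenResponseType == "sessionStorage" && sessionStorage.setItem(this.refreshTokenName, t.refresh_token);`. A comment on the `localStorage` option noting that a refresh token kept there is readable by any script on the origin and outlives the session would also help integrators choose.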
@@ -2789,8 +2902,8 @@ class gr extends cr {
|
|
|
2789
2902
|
* then saves the tokens, as per the requested method
|
|
2790
2903
|
* @param scope
|
|
2791
2904
|
*/
|
|
2792
|
-
async passwordFlow(t, o,
|
|
2793
|
-
const n = await super.passwordFlow(t, o,
|
|
2905
|
+
async passwordFlow(t, o, s) {
|
|
2906
|
+
const n = await super.passwordFlow(t, o, s);
|
|
2794
2907
|
return await this.receiveTokens(n), n;
|
|
2795
2908
|
}
|
|
2796
2909
|
/**
|
|
@@ -2810,8 +2923,8 @@ class gr extends cr {
|
|
|
2810
2923
|
* @return the response from the MFA OTP OAuth call
|
|
2811
2924
|
*/
|
|
2812
2925
|
async mfaOtpComplete(t, o) {
|
|
2813
|
-
const
|
|
2814
|
-
return await this.receiveTokens(
|
|
2926
|
+
const s = await super.mfaOtpComplete(t, o);
|
|
2927
|
+
return await this.receiveTokens(s), s;
|
|
2815
2928
|
}
|
|
2816
2929
|
/**
|
|
2817
2930
|
* See {@link OAuthClientBase}. Calls the base function
|
|
@@ -2820,8 +2933,8 @@ class gr extends cr {
|
|
|
2820
2933
|
* @param oobCode the code entered by the user
|
|
2821
2934
|
* @return the response from the MFA OOB OAuth call
|
|
2822
2935
|
*/
|
|
2823
|
-
async mfaOobComplete(t, o,
|
|
2824
|
-
const n = await super.mfaOobComplete(t, o,
|
|
2936
|
+
async mfaOobComplete(t, o, s) {
|
|
2937
|
+
const n = await super.mfaOobComplete(t, o, s);
|
|
2825
2938
|
return await this.receiveTokens(n), n;
|
|
2826
2939
|
}
|
|
2827
2940
|
/**
|
|
@@ -2832,8 +2945,8 @@ class gr extends cr {
|
|
|
2832
2945
|
*/
|
|
2833
2946
|
async refreshTokenFlow(t) {
|
|
2834
2947
|
if (!t)
|
|
2835
|
-
if (p(this,
|
|
2836
|
-
t = p(this,
|
|
2948
|
+
if (p(this, W))
|
|
2949
|
+
t = p(this, W);
|
|
2837
2950
|
else
|
|
2838
2951
|
throw new g(m.InvalidToken, "Cannot refresh tokens: no refresh token present");
|
|
2839
2952
|
const o = await super.refreshTokenFlow(t);
|
|
@@ -2845,31 +2958,31 @@ class gr extends cr {
|
|
|
2845
2958
|
* @param pkce whether or not to use PKCE.
|
|
2846
2959
|
*/
|
|
2847
2960
|
async authorizationCodeFlow(t, o = !1) {
|
|
2848
|
-
const
|
|
2961
|
+
const s = this.randomValue(this.stateLength);
|
|
2849
2962
|
if (this.scope = t, o) {
|
|
2850
|
-
const
|
|
2851
|
-
T(this,
|
|
2963
|
+
const i = await this.codeChallengeAndVerifier();
|
|
2964
|
+
T(this, Z, i.codeChallenge), T(this, ee, i.codeVerifier), T(this, V, s);
|
|
2852
2965
|
}
|
|
2853
|
-
const n = await super.startAuthorizationCodeFlow(
|
|
2966
|
+
const n = await super.startAuthorizationCodeFlow(s, t, p(this, Z), o);
|
|
2854
2967
|
if (n.error || !n.url) {
|
|
2855
|
-
const
|
|
2968
|
+
const i = g.fromOAuthError(
|
|
2856
2969
|
n.error ?? "Couldn't create URL for authorization code flow",
|
|
2857
2970
|
n.error_description
|
|
2858
2971
|
);
|
|
2859
|
-
throw d.logger.debug(
|
|
2972
|
+
throw d.logger.debug(l({ err: i })), i;
|
|
2860
2973
|
}
|
|
2861
2974
|
location.href = n.url;
|
|
2862
2975
|
}
|
|
2863
2976
|
}
|
|
2864
|
-
|
|
2977
|
+
j = new WeakMap(), W = new WeakMap(), N = new WeakMap(), D = new WeakMap(), J = new WeakMap(), B = new WeakMap(), q = new WeakMap(), Z = new WeakMap(), ee = new WeakMap(), V = new WeakMap();
|
|
2865
2978
|
export {
|
|
2866
2979
|
g as CrossauthError,
|
|
2867
2980
|
d as CrossauthLogger,
|
|
2868
|
-
|
|
2869
|
-
|
|
2870
|
-
|
|
2871
|
-
|
|
2872
|
-
|
|
2873
|
-
|
|
2874
|
-
|
|
2981
|
+
Ke as OAuthAutoRefresher,
|
|
2982
|
+
Rr as OAuthBffClient,
|
|
2983
|
+
Ir as OAuthClient,
|
|
2984
|
+
We as OAuthDeviceCodePoller,
|
|
2985
|
+
br as OAuthTokenConsumer,
|
|
2986
|
+
Pr as OAuthTokenProvider,
|
|
2987
|
+
l as j
|
|
2875
2988
|
};
|
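Review bot: In `authorizationCodeFlow` at new line 2964 the state value `s` is stored in the private field only inside the `if (o)` PKCE branch, although it is generated and sent to the server for every flow (line 2966); the redirect handler compares the returned `state` against that field, so non-PKCE flows have nothing to compare against. Move `T(this, V, s)` out of the branch, directly after `const s = this.randomValue(this.stateLength);`, so state is always recorded. Because `location.href = n.url` navigates away, the field also has to survive the round trip (sessionStorage, or whatever the base class does for the code verifier) — I cannot tell from this hunk whether it does.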