@crossauth/sveltekit 0.0.15 → 0.0.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +259 -147
- package/dist/sveltekitoauthclient.d.ts +49 -3
- package/dist/tests/sveltekitoauthclient.test.d.ts +1 -1
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import { minimatch as P } from "minimatch";
|
|
2
|
-
import { ApiKeyManager as
|
|
3
|
-
import { CrossauthError as c, ErrorCode as u, CrossauthLogger as d, j as f, OAuthFlows as E, UserState as I, httpStatus as
|
|
4
|
-
import { json as v, redirect as
|
|
2
|
+
import { ApiKeyManager as M, KeyStorage as X, toCookieSerializeOptions as R, Crypto as A, OAuthAuthorizationServer as Z, setParameter as y, ParamType as _, DoubleSubmitCsrfToken as ee, OAuthClientManager as x, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
|
|
3
|
+
import { CrossauthError as c, ErrorCode as u, CrossauthLogger as d, j as f, OAuthFlows as E, UserState as I, httpStatus as q } from "@crossauth/common";
|
|
4
|
+
import { json as v, redirect as Q, error as Y } from "@sveltejs/kit";
|
|
5
5
|
import "cookie";
|
|
6
|
-
import { jwtDecode as
|
|
6
|
+
import { jwtDecode as K } from "jwt-decode";
|
|
7
7
|
import ae from "qrcode";
|
|
8
8
|
class V {
|
|
9
9
|
constructor(s) {
|
|
@@ -84,7 +84,7 @@ class ne {
|
|
|
84
84
|
* @param options See {@link SvelteKitApiKeyServerOptions}
|
|
85
85
|
*/
|
|
86
86
|
constructor(s, o, t = {}) {
|
|
87
|
-
this.userStorage = s, this.apiKeyManager = new
|
|
87
|
+
this.userStorage = s, this.apiKeyManager = new M(o, t), this.hook = async ({ event: e }) => {
|
|
88
88
|
d.logger.debug("APIKey hook");
|
|
89
89
|
const r = e.request.headers.get("authorization");
|
|
90
90
|
if (r)
|
|
@@ -97,7 +97,7 @@ class ne {
|
|
|
97
97
|
);
|
|
98
98
|
d.logger.debug(f({
|
|
99
99
|
msg: "Valid API key",
|
|
100
|
-
hahedApiKey:
|
|
100
|
+
hahedApiKey: M.hashSignedApiKeyValue(a.value)
|
|
101
101
|
}));
|
|
102
102
|
const i = X.decodeData(a.data);
|
|
103
103
|
if (e.locals.apiKey = { ...a, ...i }, "scope" in i && Array.isArray(i.scope)) {
|
|
@@ -109,9 +109,9 @@ class ne {
|
|
|
109
109
|
if (a.userid)
|
|
110
110
|
try {
|
|
111
111
|
const { user: n } = await this.userStorage.getUserById(a.userid);
|
|
112
|
-
e.locals.user = n, e.locals.authType = "apiKey", d.logger.debug(f({ msg: "API key is for user", userid: n.id, user: n.username, hahedApiKey:
|
|
112
|
+
e.locals.user = n, e.locals.authType = "apiKey", d.logger.debug(f({ msg: "API key is for user", userid: n.id, user: n.username, hahedApiKey: M.hashSignedApiKeyValue(a.value) }));
|
|
113
113
|
} catch (n) {
|
|
114
|
-
d.logger.error(f({ msg: "API key has invalid user", userid: a.userid, hashedApiKey:
|
|
114
|
+
d.logger.error(f({ msg: "API key has invalid user", userid: a.userid, hashedApiKey: M.hashSignedApiKeyValue(a.value) })), d.logger.debug(f({ err: n }));
|
|
115
115
|
}
|
|
116
116
|
} catch (a) {
|
|
117
117
|
d.logger.error(f({ msg: "Invalid authorization header received", header: r })), d.logger.debug(f({ err: a }));
|
|
@@ -176,7 +176,7 @@ class ce {
|
|
|
176
176
|
return d.logger.error(f({
|
|
177
177
|
msg: "getcsrftoken failure",
|
|
178
178
|
user: (l = i.locals.user) == null ? void 0 : l.username,
|
|
179
|
-
hashedCsrfCookie:
|
|
179
|
+
hashedCsrfCookie: A.hash(n.split(".")[0]),
|
|
180
180
|
error: g.code,
|
|
181
181
|
errorCodeName: g.codeName
|
|
182
182
|
})), d.logger.debug(f({ err: h })), d.logger.error({ cerr: h }), v({
|
|
@@ -286,32 +286,32 @@ class ce {
|
|
|
286
286
|
try {
|
|
287
287
|
var l = new b();
|
|
288
288
|
await l.loadData(i), n = l.toObject();
|
|
289
|
-
const g = l.getAsBoolean("authorized"), m = n.response_type, p = n.client_id, S = n.redirect_uri, C = n.scope, T = n.state, N = n.code_challenge,
|
|
290
|
-
let
|
|
291
|
-
if (g == null && (
|
|
289
|
+
const g = l.getAsBoolean("authorized"), m = n.response_type, p = n.client_id, S = n.redirect_uri, C = n.scope, T = n.state, N = n.code_challenge, F = n.code_challenge_method;
|
|
290
|
+
let U;
|
|
291
|
+
if (g == null && (U = "authorized"), m ? p ? S ? T || (U = "state") : U = "redirect_uri" : U = "client_id" : U = "response_type", U)
|
|
292
292
|
return {
|
|
293
293
|
ok: !1,
|
|
294
294
|
error: "invalid_request",
|
|
295
|
-
error_description: "Invalid form: does not contain " +
|
|
295
|
+
error_description: "Invalid form: does not contain " + U + " parameter"
|
|
296
296
|
};
|
|
297
297
|
if (!i.locals.user) return this.redirect(
|
|
298
298
|
302,
|
|
299
299
|
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
300
300
|
);
|
|
301
301
|
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !i.locals.csrfToken) throw new c(u.InvalidCsrf);
|
|
302
|
-
const
|
|
302
|
+
const z = await this.authorize(i, g ?? !1, {
|
|
303
303
|
responseType: m,
|
|
304
304
|
client_id: p,
|
|
305
305
|
redirect_uri: S,
|
|
306
306
|
scope: C,
|
|
307
307
|
state: T,
|
|
308
308
|
codeChallenge: N,
|
|
309
|
-
codeChallengeMethod:
|
|
309
|
+
codeChallengeMethod: F
|
|
310
310
|
});
|
|
311
311
|
return {
|
|
312
312
|
ok: !1,
|
|
313
|
-
error:
|
|
314
|
-
error_description:
|
|
313
|
+
error: z.error ?? "server_error",
|
|
314
|
+
error_description: z.error_description ?? "An unexpected error occurred"
|
|
315
315
|
};
|
|
316
316
|
} catch (g) {
|
|
317
317
|
if (w.isSvelteKitError(g) || w.isSvelteKitRedirect(g)) throw g;
|
|
@@ -629,7 +629,7 @@ class ce {
|
|
|
629
629
|
errorCodeName: p.codeName
|
|
630
630
|
}));
|
|
631
631
|
try {
|
|
632
|
-
throw
|
|
632
|
+
throw x.validateUri(r), this.redirect(302, r + "?error=access_denied&error_description=" + encodeURIComponent("Access was not granted"));
|
|
633
633
|
} catch (S) {
|
|
634
634
|
if (w.isSvelteKitError(S) || w.isSvelteKitRedirect(S)) throw S;
|
|
635
635
|
return d.logger.error(f({
|
|
@@ -755,7 +755,7 @@ class ce {
|
|
|
755
755
|
let a, i;
|
|
756
756
|
const n = r.split(" ");
|
|
757
757
|
if (n.length == 2 && n[0].toLocaleLowerCase() == "basic") {
|
|
758
|
-
const h =
|
|
758
|
+
const h = A.base64Decode(n[1]).split(":", 2);
|
|
759
759
|
h.length == 2 && (a = h[0], i = h[1]);
|
|
760
760
|
}
|
|
761
761
|
a == null || i == null ? d.logger.warn(f({
|
|
@@ -777,7 +777,7 @@ class ce {
|
|
|
777
777
|
error_description: i.error_description
|
|
778
778
|
};
|
|
779
779
|
if (!i.client_id)
|
|
780
|
-
return d.logger.error(f({ msg: "No client id found for user code", userCodeHash:
|
|
780
|
+
return d.logger.error(f({ msg: "No client id found for user code", userCodeHash: A.hash(s), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
|
|
781
781
|
ok: !1,
|
|
782
782
|
completed: !1,
|
|
783
783
|
retryAllowed: !1,
|
|
@@ -785,7 +785,7 @@ class ce {
|
|
|
785
785
|
error_description: "No client id found for user code"
|
|
786
786
|
};
|
|
787
787
|
if (i.error == "access_denied")
|
|
788
|
-
return d.logger.error(f({ msg: "Incorrect user code given", userCodeHash:
|
|
788
|
+
return d.logger.error(f({ msg: "Incorrect user code given", userCodeHash: A.hash(s), ip: o.request.referrer, username: (r = o.locals.user) == null ? void 0 : r.username })), this.authServer.userCodeThrottle > 0 && await ((h) => new Promise((g) => setTimeout(g, h)))(this.authServer.userCodeThrottle), {
|
|
789
789
|
ok: !1,
|
|
790
790
|
completed: !1,
|
|
791
791
|
retryAllowed: !0,
|
|
@@ -793,7 +793,7 @@ class ce {
|
|
|
793
793
|
error_description: i.error_description
|
|
794
794
|
};
|
|
795
795
|
if (i.error == "expired_token")
|
|
796
|
-
return d.logger.error(f({ msg: "Expired user code", userCodeHash:
|
|
796
|
+
return d.logger.error(f({ msg: "Expired user code", userCodeHash: A.hash(s), ip: o.request.referrer, username: (a = o.locals.user) == null ? void 0 : a.username })), {
|
|
797
797
|
ok: !1,
|
|
798
798
|
completed: !1,
|
|
799
799
|
retryAllowed: !1,
|
|
@@ -866,26 +866,26 @@ async function le(k, s, o) {
|
|
|
866
866
|
var t;
|
|
867
867
|
throw (t = k.oAuthClient) == null ? void 0 : t.error(o.httpStatus, o.message);
|
|
868
868
|
}
|
|
869
|
-
function
|
|
869
|
+
function O(k) {
|
|
870
870
|
let s;
|
|
871
871
|
if (k)
|
|
872
872
|
try {
|
|
873
|
-
s = JSON.parse(
|
|
873
|
+
s = JSON.parse(A.base64Decode(k.split(".")[1]));
|
|
874
874
|
} catch {
|
|
875
875
|
d.logger.error(f({ msg: "Couldn't decode id token" }));
|
|
876
876
|
}
|
|
877
877
|
return s;
|
|
878
878
|
}
|
|
879
|
-
async function
|
|
880
|
-
let
|
|
881
|
-
return s.jwtTokens.includes("id") && (
|
|
879
|
+
async function J(k, s, o, t, e) {
|
|
880
|
+
let r = { ok: !0, ...k };
|
|
881
|
+
return s.jwtTokens.includes("id") && (r.id_payload = O(k.id_token)), v(r);
|
|
882
882
|
}
|
|
883
|
-
function
|
|
883
|
+
function L(k, s) {
|
|
884
884
|
var o, t, e;
|
|
885
885
|
if (k.access_token)
|
|
886
886
|
try {
|
|
887
887
|
if (k.access_token && s.includes("access")) {
|
|
888
|
-
const r = (o =
|
|
888
|
+
const r = (o = K(k.access_token)) == null ? void 0 : o.jti, a = r ? A.hash(r) : void 0;
|
|
889
889
|
d.logger.debug(f({
|
|
890
890
|
msg: "Got access token",
|
|
891
891
|
accessTokenHash: a
|
|
@@ -897,7 +897,7 @@ function H(k, s) {
|
|
|
897
897
|
if (k.id_token)
|
|
898
898
|
try {
|
|
899
899
|
if (k.id_token && s.includes("id")) {
|
|
900
|
-
const r = (t =
|
|
900
|
+
const r = (t = K(k.id_token)) == null ? void 0 : t.jti, a = r ? A.hash(r) : void 0;
|
|
901
901
|
d.logger.debug(f({
|
|
902
902
|
msg: "Got id token",
|
|
903
903
|
idTokenHash: a
|
|
@@ -909,7 +909,7 @@ function H(k, s) {
|
|
|
909
909
|
if (k.refresh_token && s.includes("refresh"))
|
|
910
910
|
try {
|
|
911
911
|
if (k.refresh_token) {
|
|
912
|
-
const r = (e =
|
|
912
|
+
const r = (e = K(k.refresh_token)) == null ? void 0 : e.jti, a = r ? A.hash(r) : void 0;
|
|
913
913
|
d.logger.debug(f({
|
|
914
914
|
msg: "Got refresh token",
|
|
915
915
|
refreshTokenHash: a
|
|
@@ -919,7 +919,7 @@ function H(k, s) {
|
|
|
919
919
|
d.logger.debug(f({ err: r }));
|
|
920
920
|
}
|
|
921
921
|
}
|
|
922
|
-
async function
|
|
922
|
+
async function j(k, s, o) {
|
|
923
923
|
var a, i, n, l;
|
|
924
924
|
if (!s.server.sessionAdapter)
|
|
925
925
|
throw new c(
|
|
@@ -928,7 +928,7 @@ async function Y(k, s, o) {
|
|
|
928
928
|
);
|
|
929
929
|
let t = k.expires_in;
|
|
930
930
|
if (!t && k.access_token && s.jwtTokens.includes("access")) {
|
|
931
|
-
const h =
|
|
931
|
+
const h = K(k.access_token);
|
|
932
932
|
h.exp && (t = h.exp);
|
|
933
933
|
}
|
|
934
934
|
if (!t)
|
|
@@ -939,7 +939,7 @@ async function Y(k, s, o) {
|
|
|
939
939
|
const e = Date.now() + t * 1e3;
|
|
940
940
|
let r = { ...k, expires_at: e };
|
|
941
941
|
if ("id_token" in k) {
|
|
942
|
-
let h =
|
|
942
|
+
let h = O(k.id_token);
|
|
943
943
|
h && (r.id_token = h);
|
|
944
944
|
}
|
|
945
945
|
if (s.server.sessionServer) {
|
|
@@ -959,55 +959,89 @@ async function Y(k, s, o) {
|
|
|
959
959
|
r
|
|
960
960
|
));
|
|
961
961
|
}
|
|
962
|
-
async function de(k, s, o, t) {
|
|
962
|
+
async function de(k, s, o, t, e) {
|
|
963
963
|
if (k.error) {
|
|
964
|
-
const
|
|
964
|
+
const r = c.fromOAuthError(
|
|
965
965
|
k.error,
|
|
966
966
|
k.error_description
|
|
967
967
|
);
|
|
968
|
-
return s.errorFn(s.server, o,
|
|
968
|
+
return s.errorFn(s.server, o, r);
|
|
969
969
|
}
|
|
970
|
-
|
|
970
|
+
L(k, s.jwtTokens);
|
|
971
971
|
try {
|
|
972
|
-
if (
|
|
973
|
-
|
|
974
|
-
|
|
975
|
-
|
|
976
|
-
|
|
972
|
+
if (k.access_token || k.id_token || k.refresh_token) {
|
|
973
|
+
await j(k, s, o);
|
|
974
|
+
const r = O(k.id_token);
|
|
975
|
+
r && await e(o, r);
|
|
976
|
+
}
|
|
977
|
+
if (!t) return s.redirect(302, s.authorizedUrl);
|
|
978
|
+
} catch (r) {
|
|
979
|
+
if (w.isSvelteKitError(r) || w.isSvelteKitRedirect(r)) throw r;
|
|
980
|
+
const a = c.asCrossauthError(r);
|
|
981
|
+
return d.logger.debug(f({ err: a })), d.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), s.errorFn(s.server, o, a);
|
|
977
982
|
}
|
|
978
983
|
}
|
|
979
|
-
async function he(k, s, o, t) {
|
|
984
|
+
async function he(k, s, o, t, e) {
|
|
980
985
|
if (k.error) {
|
|
981
|
-
const
|
|
986
|
+
const r = c.fromOAuthError(
|
|
982
987
|
k.error,
|
|
983
988
|
k.error_description
|
|
984
989
|
);
|
|
985
|
-
return s.errorFn(s.server, o,
|
|
990
|
+
return s.errorFn(s.server, o, r);
|
|
986
991
|
}
|
|
987
|
-
|
|
992
|
+
L(k, s.jwtTokens);
|
|
988
993
|
try {
|
|
989
|
-
|
|
990
|
-
|
|
991
|
-
|
|
992
|
-
|
|
993
|
-
|
|
994
|
-
return
|
|
994
|
+
if (k.access_token || k.id_token || k.refresh_token) {
|
|
995
|
+
await j(k, s, o);
|
|
996
|
+
const r = O(k.id_token);
|
|
997
|
+
r && await e(o, r);
|
|
998
|
+
}
|
|
999
|
+
return v({ ok: !0, ...k });
|
|
1000
|
+
} catch (r) {
|
|
1001
|
+
if (w.isSvelteKitError(r) || w.isSvelteKitRedirect(r)) throw r;
|
|
1002
|
+
const a = c.asCrossauthError(r);
|
|
1003
|
+
return d.logger.debug(f({ err: a })), d.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), s.errorFn(s.server, o, a);
|
|
995
1004
|
}
|
|
996
1005
|
}
|
|
997
|
-
async function ue(k, s, o, t) {
|
|
1006
|
+
async function ue(k, s, o, t, e) {
|
|
998
1007
|
if (k.error)
|
|
999
1008
|
return {
|
|
1000
1009
|
ok: !1,
|
|
1001
1010
|
error: k.error,
|
|
1002
1011
|
error_description: k.error_description
|
|
1003
1012
|
};
|
|
1004
|
-
|
|
1013
|
+
L(k, s.jwtTokens);
|
|
1014
|
+
try {
|
|
1015
|
+
(k.access_token || k.id_token || k.refresh_token) && await j(k, s, o);
|
|
1016
|
+
let r = {
|
|
1017
|
+
ok: !0,
|
|
1018
|
+
...k
|
|
1019
|
+
};
|
|
1020
|
+
return s.jwtTokens.includes("id") && (r.id_payload = O(k.id_token)), r.id_payload && await e(o, r.id_payload), r;
|
|
1021
|
+
} catch (r) {
|
|
1022
|
+
if (w.isSvelteKitError(r) || w.isSvelteKitRedirect(r)) throw r;
|
|
1023
|
+
const a = c.asCrossauthError(r);
|
|
1024
|
+
return d.logger.debug(f({ err: a })), d.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), {
|
|
1025
|
+
ok: !1,
|
|
1026
|
+
error: a.oauthErrorCode,
|
|
1027
|
+
error_description: a.message
|
|
1028
|
+
};
|
|
1029
|
+
}
|
|
1030
|
+
}
|
|
1031
|
+
async function fe(k, s, o, t) {
|
|
1032
|
+
if (k.error)
|
|
1033
|
+
return {
|
|
1034
|
+
ok: !1,
|
|
1035
|
+
error: k.error,
|
|
1036
|
+
error_description: k.error_description
|
|
1037
|
+
};
|
|
1038
|
+
L(k, s.jwtTokens);
|
|
1005
1039
|
try {
|
|
1006
1040
|
let e = {
|
|
1007
1041
|
ok: !0,
|
|
1008
1042
|
...k
|
|
1009
1043
|
};
|
|
1010
|
-
return s.jwtTokens.includes("id") && (e.id_payload =
|
|
1044
|
+
return s.jwtTokens.includes("id") && (e.id_payload = O(k.id_token)), e;
|
|
1011
1045
|
} catch (e) {
|
|
1012
1046
|
if (w.isSvelteKitError(e) || w.isSvelteKitRedirect(e)) throw e;
|
|
1013
1047
|
const r = c.asCrossauthError(e);
|
|
@@ -1018,7 +1052,7 @@ async function ue(k, s, o, t) {
|
|
|
1018
1052
|
};
|
|
1019
1053
|
}
|
|
1020
1054
|
}
|
|
1021
|
-
class
|
|
1055
|
+
class G extends re {
|
|
1022
1056
|
/**
|
|
1023
1057
|
* Constructor
|
|
1024
1058
|
* @param server the {@link SvelteKitServer} instance
|
|
@@ -1026,7 +1060,7 @@ class J extends re {
|
|
|
1026
1060
|
* @param options See {@link SvelteKitOAuthClientOptions}
|
|
1027
1061
|
*/
|
|
1028
1062
|
constructor(s, o, t) {
|
|
1029
|
-
if (super(o, t), this.sessionDataName = "oauth", this.receiveTokenFn =
|
|
1063
|
+
if (super(o, t), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [E.All], this.authorizedUrl = "", this.autoRefreshActive = {}, this.loginProtectedFlows = [], this.tokenResponseType = "sendJson", this.errorResponseType = "sendJson", this.bffEndpoints = [], this.bffEndpointName = "bff", this.tokenEndpoints = [], this.bffMaxTries = 1, this.bffSleepMilliseconds = 500, this.jwtTokens = ["access", "id", "refresh"], this.testMiddleware = !1, this.testEvent = void 0, this.authorizationCodeFlowEndpoint = {
|
|
1030
1064
|
get: async (e) => {
|
|
1031
1065
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1032
1066
|
const r = new c(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
@@ -1218,7 +1252,13 @@ class J extends re {
|
|
|
1218
1252
|
h
|
|
1219
1253
|
);
|
|
1220
1254
|
}
|
|
1221
|
-
return await this.receiveTokenFn(
|
|
1255
|
+
return await this.receiveTokenFn(
|
|
1256
|
+
l,
|
|
1257
|
+
this,
|
|
1258
|
+
e,
|
|
1259
|
+
!1,
|
|
1260
|
+
this.setEventLocalsUser
|
|
1261
|
+
);
|
|
1222
1262
|
} catch (r) {
|
|
1223
1263
|
if (w.isSvelteKitRedirect(r) || w.isSvelteKitError(r)) throw r;
|
|
1224
1264
|
const a = c.asCrossauthError(r);
|
|
@@ -1268,7 +1308,13 @@ class J extends re {
|
|
|
1268
1308
|
error_description: g.message
|
|
1269
1309
|
};
|
|
1270
1310
|
}
|
|
1271
|
-
const h = await this.receiveTokenFn(
|
|
1311
|
+
const h = await this.receiveTokenFn(
|
|
1312
|
+
l,
|
|
1313
|
+
this,
|
|
1314
|
+
e,
|
|
1315
|
+
!1,
|
|
1316
|
+
this.setEventLocalsUser
|
|
1317
|
+
);
|
|
1272
1318
|
return h instanceof Response ? {
|
|
1273
1319
|
ok: !1,
|
|
1274
1320
|
error: "server_error",
|
|
@@ -1320,7 +1366,13 @@ class J extends re {
|
|
|
1320
1366
|
l
|
|
1321
1367
|
);
|
|
1322
1368
|
}
|
|
1323
|
-
const n = await this.receiveTokenFn(
|
|
1369
|
+
const n = await this.receiveTokenFn(
|
|
1370
|
+
i,
|
|
1371
|
+
this,
|
|
1372
|
+
e,
|
|
1373
|
+
!1,
|
|
1374
|
+
this.setEventLocalsUser
|
|
1375
|
+
);
|
|
1324
1376
|
return n instanceof Response ? n : this.pack(n);
|
|
1325
1377
|
} catch (i) {
|
|
1326
1378
|
if (w.isSvelteKitRedirect(i) || w.isSvelteKitError(i)) throw i;
|
|
@@ -1347,7 +1399,13 @@ class J extends re {
|
|
|
1347
1399
|
i.error,
|
|
1348
1400
|
i.error_description
|
|
1349
1401
|
);
|
|
1350
|
-
return await this.receiveTokenFn(
|
|
1402
|
+
return await this.receiveTokenFn(
|
|
1403
|
+
i,
|
|
1404
|
+
this,
|
|
1405
|
+
e,
|
|
1406
|
+
!1,
|
|
1407
|
+
this.setEventLocalsUser
|
|
1408
|
+
) ?? {};
|
|
1351
1409
|
} catch (i) {
|
|
1352
1410
|
if (w.isSvelteKitRedirect(i) || w.isSvelteKitError(i)) throw i;
|
|
1353
1411
|
const n = c.asCrossauthError(i);
|
|
@@ -1400,7 +1458,13 @@ class J extends re {
|
|
|
1400
1458
|
);
|
|
1401
1459
|
return this.errorFn(this.server, e, h);
|
|
1402
1460
|
}
|
|
1403
|
-
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), l = await this.receiveTokenFn(
|
|
1461
|
+
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), l = await this.receiveTokenFn(
|
|
1462
|
+
n,
|
|
1463
|
+
this,
|
|
1464
|
+
e,
|
|
1465
|
+
!1,
|
|
1466
|
+
this.setEventLocalsUser
|
|
1467
|
+
);
|
|
1404
1468
|
if (n && l instanceof Response) return l;
|
|
1405
1469
|
throw new c(u.UnknownError, "Receive token function did not return a Response");
|
|
1406
1470
|
} catch (i) {
|
|
@@ -1445,7 +1509,13 @@ class J extends re {
|
|
|
1445
1509
|
u.BadRequest,
|
|
1446
1510
|
"No refresh token supplied"
|
|
1447
1511
|
);
|
|
1448
|
-
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), l = await this.receiveTokenFn(
|
|
1512
|
+
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), l = await this.receiveTokenFn(
|
|
1513
|
+
n,
|
|
1514
|
+
this,
|
|
1515
|
+
e,
|
|
1516
|
+
!1,
|
|
1517
|
+
this.setEventLocalsUser
|
|
1518
|
+
) ?? {};
|
|
1449
1519
|
if (l instanceof Response) throw new c(u.Configuration, "Refresh token flow should return an object not Response");
|
|
1450
1520
|
return l;
|
|
1451
1521
|
} catch (i) {
|
|
@@ -1663,7 +1733,7 @@ class J extends re {
|
|
|
1663
1733
|
u.Configuration,
|
|
1664
1734
|
"Token response type of custom selected but receiveTokenFn not defined"
|
|
1665
1735
|
);
|
|
1666
|
-
if (this.tokenResponseType == "custom" && t.receiveTokenFn ? this.receiveTokenFn = t.receiveTokenFn : this.tokenResponseType == "sendJson" ? this.receiveTokenFn =
|
|
1736
|
+
if (this.tokenResponseType == "custom" && t.receiveTokenFn ? this.receiveTokenFn = t.receiveTokenFn : this.tokenResponseType == "sendJson" ? this.receiveTokenFn = J : this.tokenResponseType == "sendInPage" ? this.receiveTokenFn = fe : this.tokenResponseType == "saveInSessionAndLoad" ? this.receiveTokenFn = ue : this.tokenResponseType == "saveInSessionAndRedirect" ? this.receiveTokenFn = de : this.tokenResponseType == "saveInSessionAndReturn" && (this.receiveTokenFn = he), (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "saveInSessionAndRedirect") && this.authorizedUrl == "")
|
|
1667
1737
|
throw new c(u.Configuration, "If tokenResponseType is" + this.tokenResponseType + ", must provide authorizedUrl");
|
|
1668
1738
|
if ((this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "saveInSessionAndRedirect") && this.server.sessionAdapter == null)
|
|
1669
1739
|
throw new c(u.Configuration, "If tokenResponseType is" + this.tokenResponseType + ", must activate the session server");
|
|
@@ -1684,15 +1754,31 @@ class J extends re {
|
|
|
1684
1754
|
let r = await s.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1685
1755
|
if (r && r.id_payload) {
|
|
1686
1756
|
let a = r.expires_at;
|
|
1687
|
-
a && a > Date.now() && r.id_payload.sub && (e.
|
|
1688
|
-
id: r.id_payload.userid ?? r.id_payload.sub,
|
|
1689
|
-
username: r.id_payload.sub,
|
|
1690
|
-
state: r.id_payload.state ?? "active"
|
|
1691
|
-
}, e.locals.idTokenPayload = r.id_payload, e.locals.authType = "oidc");
|
|
1757
|
+
a && a > Date.now() && r.id_payload.sub && await this.setEventLocalsUser(e, r.id_payload);
|
|
1692
1758
|
}
|
|
1693
1759
|
this.testMiddleware && (this.testEvent = e);
|
|
1694
1760
|
};
|
|
1695
1761
|
}
|
|
1762
|
+
/**
|
|
1763
|
+
* If you implement your own function to receive tokens and you use BFF,
|
|
1764
|
+
* use this function to set `event.locals.user`.
|
|
1765
|
+
* @param event the Sveltekit request event
|
|
1766
|
+
* @param token the ID token
|
|
1767
|
+
*/
|
|
1768
|
+
async setEventLocalsUser(s, o) {
|
|
1769
|
+
let t;
|
|
1770
|
+
s.locals.idTokenPayload = o;
|
|
1771
|
+
try {
|
|
1772
|
+
t = await this.userCreationFn(
|
|
1773
|
+
o,
|
|
1774
|
+
this.userStorage,
|
|
1775
|
+
this.userMatchField,
|
|
1776
|
+
this.idTokenMatchField
|
|
1777
|
+
), s.locals.user = t, s.locals.authType = t ? "oidc" : void 0;
|
|
1778
|
+
} catch (e) {
|
|
1779
|
+
d.logger.error(f({ cerr: e })), s.locals.user = void 0, s.locals.authType = void 0;
|
|
1780
|
+
}
|
|
1781
|
+
}
|
|
1696
1782
|
async passwordPost(s, o) {
|
|
1697
1783
|
var t;
|
|
1698
1784
|
try {
|
|
@@ -1822,7 +1908,7 @@ class J extends re {
|
|
|
1822
1908
|
return e.error ? (d.logger.warn(f({
|
|
1823
1909
|
msg: "Error completing MFA",
|
|
1824
1910
|
user: (r = this.server.sessionAdapter) == null ? void 0 : r.getUser(s),
|
|
1825
|
-
hashedMfaToken: o.mfa_token ?
|
|
1911
|
+
hashedMfaToken: o.mfa_token ? A.hash(o.mfa_token) : void 0
|
|
1826
1912
|
})), {
|
|
1827
1913
|
error: e.error,
|
|
1828
1914
|
error_description: e.error_description
|
|
@@ -1834,7 +1920,8 @@ class J extends re {
|
|
|
1834
1920
|
{},
|
|
1835
1921
|
this,
|
|
1836
1922
|
o,
|
|
1837
|
-
!0
|
|
1923
|
+
!0,
|
|
1924
|
+
this.setEventLocalsUser
|
|
1838
1925
|
) : void 0;
|
|
1839
1926
|
if (!t || r <= Date.now()) {
|
|
1840
1927
|
if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
|
|
@@ -1846,7 +1933,8 @@ class J extends re {
|
|
|
1846
1933
|
a,
|
|
1847
1934
|
this,
|
|
1848
1935
|
o,
|
|
1849
|
-
s == "silent"
|
|
1936
|
+
s == "silent",
|
|
1937
|
+
this.setEventLocalsUser
|
|
1850
1938
|
);
|
|
1851
1939
|
if (s != "silent") return l;
|
|
1852
1940
|
}
|
|
@@ -1862,7 +1950,7 @@ class J extends re {
|
|
|
1862
1950
|
}
|
|
1863
1951
|
let i = a.expires_in;
|
|
1864
1952
|
if (!i && a.access_token) {
|
|
1865
|
-
const l =
|
|
1953
|
+
const l = K(a.access_token);
|
|
1866
1954
|
l.exp && (i = l.exp);
|
|
1867
1955
|
}
|
|
1868
1956
|
if (!i)
|
|
@@ -1935,7 +2023,13 @@ class J extends re {
|
|
|
1935
2023
|
throw new c(u.Configuration, "Unexpected error: refresh: mode is silent but didn't receive an object");
|
|
1936
2024
|
return { ok: !0, expires_at: r == null ? void 0 : r.expires_at };
|
|
1937
2025
|
} else if (o == "post") {
|
|
1938
|
-
if (r == null) return this.receiveTokenFn(
|
|
2026
|
+
if (r == null) return this.receiveTokenFn(
|
|
2027
|
+
{},
|
|
2028
|
+
this,
|
|
2029
|
+
s,
|
|
2030
|
+
!1,
|
|
2031
|
+
this.setEventLocalsUser
|
|
2032
|
+
);
|
|
1939
2033
|
if (r != null) {
|
|
1940
2034
|
if (r instanceof Response) return r;
|
|
1941
2035
|
throw new c(u.Configuration, "refreshTokenFn for post should return Response not object");
|
|
@@ -1978,7 +2072,13 @@ class J extends re {
|
|
|
1978
2072
|
ok: !1,
|
|
1979
2073
|
...r
|
|
1980
2074
|
};
|
|
1981
|
-
const a = await this.receiveTokenFn(
|
|
2075
|
+
const a = await this.receiveTokenFn(
|
|
2076
|
+
r,
|
|
2077
|
+
this,
|
|
2078
|
+
s,
|
|
2079
|
+
!1,
|
|
2080
|
+
this.setEventLocalsUser
|
|
2081
|
+
);
|
|
1982
2082
|
if (r && a instanceof Response) return a;
|
|
1983
2083
|
throw new c(u.UnknownError, "Receive token function did not return a Response");
|
|
1984
2084
|
} catch (r) {
|
|
@@ -2021,7 +2121,13 @@ class J extends re {
|
|
|
2021
2121
|
}
|
|
2022
2122
|
return r;
|
|
2023
2123
|
}
|
|
2024
|
-
const a = await this.receiveTokenFn(
|
|
2124
|
+
const a = await this.receiveTokenFn(
|
|
2125
|
+
r,
|
|
2126
|
+
this,
|
|
2127
|
+
s,
|
|
2128
|
+
!1,
|
|
2129
|
+
this.setEventLocalsUser
|
|
2130
|
+
) ?? {};
|
|
2025
2131
|
if (a instanceof Response) throw new c(u.Configuration, "Refresh token flow should return an object not Response");
|
|
2026
2132
|
return a;
|
|
2027
2133
|
} catch (r) {
|
|
@@ -2179,7 +2285,7 @@ class J extends re {
|
|
|
2179
2285
|
}
|
|
2180
2286
|
}
|
|
2181
2287
|
tokenPayload(s, o, t, e) {
|
|
2182
|
-
return s in o ? t ? { ok: !0 } : e ?
|
|
2288
|
+
return s in o ? t ? { ok: !0 } : e ? O(o[s]) : o[s] : t ? { ok: !1 } : void 0;
|
|
2183
2289
|
}
|
|
2184
2290
|
async tokens(s, o) {
|
|
2185
2291
|
try {
|
|
@@ -2271,7 +2377,13 @@ class J extends re {
|
|
|
2271
2377
|
if (!e) throw new c(u.BadRequest, "No device code given when polling for user authorization");
|
|
2272
2378
|
const r = this.errorIfIdTokenInvalid(await this.pollDeviceCodeFlow(e));
|
|
2273
2379
|
if (r.access_token && !r.error)
|
|
2274
|
-
return await this.receiveTokenFn(
|
|
2380
|
+
return await this.receiveTokenFn(
|
|
2381
|
+
r,
|
|
2382
|
+
this,
|
|
2383
|
+
s,
|
|
2384
|
+
!1,
|
|
2385
|
+
this.setEventLocalsUser
|
|
2386
|
+
);
|
|
2275
2387
|
{
|
|
2276
2388
|
if (r.error == "authorization_pending") return { ok: !0, ...r };
|
|
2277
2389
|
let a = r.error ?? "server_error", i = r.error_description ?? "Didn't receive an access token";
|
|
@@ -2307,9 +2419,9 @@ class J extends re {
|
|
|
2307
2419
|
} : s;
|
|
2308
2420
|
}
|
|
2309
2421
|
}
|
|
2310
|
-
class
|
|
2422
|
+
class Re {
|
|
2311
2423
|
}
|
|
2312
|
-
class
|
|
2424
|
+
class ge extends se {
|
|
2313
2425
|
/**
|
|
2314
2426
|
* Constructor
|
|
2315
2427
|
* @param tokenConsumers the token consumers, one per issuer and audience
|
|
@@ -2476,10 +2588,10 @@ class fe extends se {
|
|
|
2476
2588
|
return o.expires_at && o.expires_at < Date.now() ? void 0 : await this.accessTokenAuthorized(o.session_token);
|
|
2477
2589
|
}
|
|
2478
2590
|
}
|
|
2479
|
-
function
|
|
2591
|
+
function pe(k) {
|
|
2480
2592
|
return k.admin == !0;
|
|
2481
2593
|
}
|
|
2482
|
-
const
|
|
2594
|
+
const D = class D {
|
|
2483
2595
|
/**
|
|
2484
2596
|
* Constructor.
|
|
2485
2597
|
*
|
|
@@ -2527,7 +2639,7 @@ const O = class O {
|
|
|
2527
2639
|
oAuthResServer: i,
|
|
2528
2640
|
options: n
|
|
2529
2641
|
}) {
|
|
2530
|
-
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), n || (n = {}), y("loginUrl", _.String, this, n, "LOGIN_URL", !1), n.isAdminFn && (
|
|
2642
|
+
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), n || (n = {}), y("loginUrl", _.String, this, n, "LOGIN_URL", !1), n.isAdminFn && (D.isAdminFn = n.isAdminFn);
|
|
2531
2643
|
let l = {};
|
|
2532
2644
|
if (n.authenticators && (l = n.authenticators), this.userStorage = n.userStorage, s) {
|
|
2533
2645
|
if (!l)
|
|
@@ -2535,7 +2647,7 @@ const O = class O {
|
|
|
2535
2647
|
u.Configuration,
|
|
2536
2648
|
"If using session management, must supply authenticators"
|
|
2537
2649
|
);
|
|
2538
|
-
this.sessionServer = new
|
|
2650
|
+
this.sessionServer = new H(s.keyStorage, l, { ...s.options, ...n }), this.sessionAdapter = this.sessionServer;
|
|
2539
2651
|
} else o && (this.sessionAdapter = o);
|
|
2540
2652
|
if (t) {
|
|
2541
2653
|
if (!this.userStorage) throw new c(u.Configuration, "Must define a user storage if using API keys");
|
|
@@ -2557,7 +2669,7 @@ const O = class O {
|
|
|
2557
2669
|
}
|
|
2558
2670
|
if (r && a)
|
|
2559
2671
|
throw new c(u.Configuration, "Cannot specify both oAuthClient and oAuthClients");
|
|
2560
|
-
if (r && (this.oAuthClient = new
|
|
2672
|
+
if (r && (this.oAuthClient = new G(
|
|
2561
2673
|
this,
|
|
2562
2674
|
r.authServerBaseUrl,
|
|
2563
2675
|
{ ...n, ...r.options }
|
|
@@ -2565,14 +2677,14 @@ const O = class O {
|
|
|
2565
2677
|
this.oAuthClients = [];
|
|
2566
2678
|
for (let h of a)
|
|
2567
2679
|
this.oAuthClients.push(
|
|
2568
|
-
new
|
|
2680
|
+
new G(
|
|
2569
2681
|
this,
|
|
2570
2682
|
h.authServerBaseUrl,
|
|
2571
2683
|
{ ...n, ...h.options }
|
|
2572
2684
|
)
|
|
2573
2685
|
);
|
|
2574
2686
|
}
|
|
2575
|
-
i && (y("audience", _.String, this, n, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new
|
|
2687
|
+
i && (y("audience", _.String, this, n, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2576
2688
|
[new te(this.audience, n)],
|
|
2577
2689
|
{ sessionAdapter: this.sessionAdapter, ...i.options, ...n }
|
|
2578
2690
|
)), this.hooks = async ({ event: h, resolve: g }) => {
|
|
@@ -2591,9 +2703,9 @@ const O = class O {
|
|
|
2591
2703
|
if (this.sessionServer.isLoginApiProtected(h))
|
|
2592
2704
|
return this.sessionServer.error(401, "Unauthorized");
|
|
2593
2705
|
}
|
|
2594
|
-
if (!(p && p.twofa) && this.sessionServer.isAdminPageEndpoint(h) && (!h.locals.user || !
|
|
2706
|
+
if (!(p && p.twofa) && this.sessionServer.isAdminPageEndpoint(h) && (!h.locals.user || !D.isAdminFn(h.locals.user)))
|
|
2595
2707
|
return this.sessionServer.unauthorizedUrl ? new Response(null, { status: 302, headers: { location: this.sessionServer.unauthorizedUrl } }) : this.sessionServer.error(401, "Unauthorized");
|
|
2596
|
-
if (!(p && p.twofa) && this.sessionServer.isAdminApiEndpoint(h) && (!h.locals.user || !
|
|
2708
|
+
if (!(p && p.twofa) && this.sessionServer.isAdminApiEndpoint(h) && (!h.locals.user || !D.isAdminFn(h.locals.user)))
|
|
2597
2709
|
return this.sessionServer.error(401, "Unauthorized");
|
|
2598
2710
|
if (p != null && p.response) return p.response;
|
|
2599
2711
|
}
|
|
@@ -2625,9 +2737,9 @@ const O = class O {
|
|
|
2625
2737
|
return o ? typeof s == "object" && s != null && "status" in s && "text" in s && "message" in s && s.status == o : typeof s == "object" && s != null && "status" in s && "text" in s && "message" in s;
|
|
2626
2738
|
}
|
|
2627
2739
|
};
|
|
2628
|
-
|
|
2629
|
-
let w =
|
|
2630
|
-
class
|
|
2740
|
+
D.isAdminFn = pe;
|
|
2741
|
+
let w = D;
|
|
2742
|
+
class we {
|
|
2631
2743
|
constructor(s, o) {
|
|
2632
2744
|
this.changePasswordUrl = "/changepassword", this.changeFactor2Url = "/changefactor2", this.loginRedirectUrl = "/", this.loginUrl = "/login", this.signupEndpoint = {
|
|
2633
2745
|
load: async (t) => {
|
|
@@ -3839,7 +3951,7 @@ class pe {
|
|
|
3839
3951
|
};
|
|
3840
3952
|
}
|
|
3841
3953
|
}
|
|
3842
|
-
async function
|
|
3954
|
+
async function me(k, s, o = 0, t = 10) {
|
|
3843
3955
|
let e = [];
|
|
3844
3956
|
if (o > 0) return [];
|
|
3845
3957
|
try {
|
|
@@ -3860,9 +3972,9 @@ async function we(k, s, o = 0, t = 10) {
|
|
|
3860
3972
|
}
|
|
3861
3973
|
return e;
|
|
3862
3974
|
}
|
|
3863
|
-
class
|
|
3975
|
+
class ke {
|
|
3864
3976
|
constructor(s, o) {
|
|
3865
|
-
this.userSearchFn =
|
|
3977
|
+
this.userSearchFn = me, this.searchUsersEndpoint = {
|
|
3866
3978
|
load: async (t) => {
|
|
3867
3979
|
(!t.locals.user || !w.isAdminFn(t.locals.user)) && this.sessionServer.error(t, 401);
|
|
3868
3980
|
const e = await this.searchUsers(t);
|
|
@@ -4367,7 +4479,7 @@ class me {
|
|
|
4367
4479
|
}
|
|
4368
4480
|
}
|
|
4369
4481
|
}
|
|
4370
|
-
async function
|
|
4482
|
+
async function Se(k, s, o, t, e) {
|
|
4371
4483
|
let r = [];
|
|
4372
4484
|
if (o > 0) return [];
|
|
4373
4485
|
try {
|
|
@@ -4395,7 +4507,7 @@ class $ {
|
|
|
4395
4507
|
* @param options See {@link SvelteKitSessionServerOptions}
|
|
4396
4508
|
*/
|
|
4397
4509
|
constructor(s, o) {
|
|
4398
|
-
this.loginUrl = "/login", this.clientSearchFn =
|
|
4510
|
+
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = s, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", _.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), this.valid_flowNames = E.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new x(o)), this.clientStorage = o.clientStorage;
|
|
4399
4511
|
}
|
|
4400
4512
|
///////////////////////////////////////////////////////////////////
|
|
4401
4513
|
// Functions callable from apps
|
|
@@ -4565,7 +4677,7 @@ class $ {
|
|
|
4565
4677
|
let l = [];
|
|
4566
4678
|
for (let C of n)
|
|
4567
4679
|
try {
|
|
4568
|
-
|
|
4680
|
+
x.validateUri(C);
|
|
4569
4681
|
} catch (T) {
|
|
4570
4682
|
d.logger.error(f({ err: T })), l.push("[" + C + "]");
|
|
4571
4683
|
}
|
|
@@ -4697,7 +4809,7 @@ class $ {
|
|
|
4697
4809
|
let g = [];
|
|
4698
4810
|
for (let C of h)
|
|
4699
4811
|
try {
|
|
4700
|
-
|
|
4812
|
+
x.validateUri(C);
|
|
4701
4813
|
} catch (T) {
|
|
4702
4814
|
d.logger.error(f({ err: T })), g.push("[" + C + "]");
|
|
4703
4815
|
}
|
|
@@ -4813,7 +4925,7 @@ class $ {
|
|
|
4813
4925
|
};
|
|
4814
4926
|
}
|
|
4815
4927
|
}
|
|
4816
|
-
class
|
|
4928
|
+
class Ce extends $ {
|
|
4817
4929
|
/**
|
|
4818
4930
|
* Constructor
|
|
4819
4931
|
* @param sessionServer the session server which will have these endpoints
|
|
@@ -4989,7 +5101,7 @@ class Se extends $ {
|
|
|
4989
5101
|
return this.createClient_internal(s, !1);
|
|
4990
5102
|
}
|
|
4991
5103
|
}
|
|
4992
|
-
class
|
|
5104
|
+
class ye extends $ {
|
|
4993
5105
|
/**
|
|
4994
5106
|
* Constructor
|
|
4995
5107
|
* @param sessionServer the session server which will have these endpoints
|
|
@@ -5104,12 +5216,12 @@ class Ce extends $ {
|
|
|
5104
5216
|
return this.deleteClient_internal(s, !0);
|
|
5105
5217
|
}
|
|
5106
5218
|
}
|
|
5107
|
-
const
|
|
5108
|
-
function
|
|
5219
|
+
const B = "X-CROSSAUTH-CSRF";
|
|
5220
|
+
function _e(k) {
|
|
5109
5221
|
let s = [];
|
|
5110
5222
|
return k.username == null ? s.push("Username must be given") : k.username.length < 2 ? s.push("Username must be at least 2 characters") : k.username.length > 254 && s.push("Username must be no longer than 254 characters"), s;
|
|
5111
5223
|
}
|
|
5112
|
-
function
|
|
5224
|
+
function Ee(k, s, o) {
|
|
5113
5225
|
var a;
|
|
5114
5226
|
let e = {
|
|
5115
5227
|
username: s.username ?? "",
|
|
@@ -5133,7 +5245,7 @@ function _e(k, s, o) {
|
|
|
5133
5245
|
}
|
|
5134
5246
|
return e.factor1 = "localpassword", e.factor2 = s.factor2, e;
|
|
5135
5247
|
}
|
|
5136
|
-
function
|
|
5248
|
+
function ve(k, s, o, t) {
|
|
5137
5249
|
var r;
|
|
5138
5250
|
const e = s.locals.user && w.isAdminFn(s.locals.user);
|
|
5139
5251
|
for (let a in o) {
|
|
@@ -5153,7 +5265,7 @@ function Ee(k, s, o, t) {
|
|
|
5153
5265
|
}
|
|
5154
5266
|
return k;
|
|
5155
5267
|
}
|
|
5156
|
-
class
|
|
5268
|
+
class H {
|
|
5157
5269
|
/**
|
|
5158
5270
|
* Constructor
|
|
5159
5271
|
* @param keyStorage where session IDs, email verification and reset tokens are stored
|
|
@@ -5162,7 +5274,7 @@ class L {
|
|
|
5162
5274
|
* @param options See {@link SvelteKitSessionServerOptions}.
|
|
5163
5275
|
*/
|
|
5164
5276
|
constructor(s, o, t = {}) {
|
|
5165
|
-
this.validateUserFn =
|
|
5277
|
+
this.validateUserFn = _e, this.createUserFn = Ee, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.keyStorage = s, this.userStorage = t.userStorage, this.clientStorage = t.clientStorage, this.authenticators = o, this.sessionManager = new ie(s, o, t), this.redirect = t.redirect ?? Q, this.error = t.error ?? Y, y("factor2Url", _.String, this, t, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", _.JsonArray, this, t, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", _.JsonArray, this, t, "ADMIN_API_ENDPOINTS"), y("loginUrl", _.JsonArray, this, t, "LOGIN_URL"), y("unauthorizedUrl", _.JsonArray, this, t, "UNAUTHORIZED_PAGE");
|
|
5166
5278
|
let e = {};
|
|
5167
5279
|
if (y("allowedFactor2", _.JsonArray, e, t, "ALLOWED_FACTOR2"), this.allowedFactor2Names = t.allowedFactor2 ?? ["none"], e.allowedFactor2)
|
|
5168
5280
|
for (let r of e.allowedFactor2)
|
|
@@ -5175,7 +5287,7 @@ class L {
|
|
|
5175
5287
|
friendlyName: "None",
|
|
5176
5288
|
configurable: !1
|
|
5177
5289
|
});
|
|
5178
|
-
y("enableEmailVerification", _.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", _.Boolean, this, t, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", _.Boolean, this, t, "ENABLE_CSRF_PROTECTION"), y("editUserScope", _.String, this, t, "EDIT_USER_SCOPE"), t.validateUserFn && (this.validateUserFn = t.validateUserFn), t.createUserFn && (this.createUserFn = t.createUserFn), t.updateUserFn && (this.updateUserFn = t.updateUserFn), t.addToSession && (this.addToSession = t.addToSession), t.validateSession && (this.validateSession = t.validateSession), this.userEndpoints = new
|
|
5290
|
+
y("enableEmailVerification", _.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", _.Boolean, this, t, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", _.Boolean, this, t, "ENABLE_CSRF_PROTECTION"), y("editUserScope", _.String, this, t, "EDIT_USER_SCOPE"), t.validateUserFn && (this.validateUserFn = t.validateUserFn), t.createUserFn && (this.createUserFn = t.createUserFn), t.updateUserFn && (this.updateUserFn = t.updateUserFn), t.addToSession && (this.addToSession = t.addToSession), t.validateSession && (this.validateSession = t.validateSession), this.userEndpoints = new we(this, t), this.adminEndpoints = new ke(this, t), this.userClientEndpoints = new Ce(this, t), this.adminClientEndpoints = new ye(this, t), this.sessionHook = async ({ event: r }) => {
|
|
5179
5291
|
var h, g;
|
|
5180
5292
|
d.logger.debug("Session hook");
|
|
5181
5293
|
let a = [];
|
|
@@ -5205,7 +5317,7 @@ class L {
|
|
|
5205
5317
|
const { csrfCookie: p, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
|
|
5206
5318
|
this.setCsrfCookie(p, r), r.locals.csrfToken = S;
|
|
5207
5319
|
}
|
|
5208
|
-
this.setHeader(
|
|
5320
|
+
this.setHeader(B, r.locals.csrfToken, a);
|
|
5209
5321
|
} catch (p) {
|
|
5210
5322
|
d.logger.error(f({ msg: "Couldn't create CSRF token", cerr: p, user: (h = r.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(r) })), d.logger.debug(f({ err: p })), this.clearCookie(i, this.sessionManager.csrfCookiePath, r), r.locals.csrfToken = void 0;
|
|
5211
5323
|
}
|
|
@@ -5264,25 +5376,25 @@ class L {
|
|
|
5264
5376
|
let C = {};
|
|
5265
5377
|
const T = new b();
|
|
5266
5378
|
await T.loadData(r);
|
|
5267
|
-
for (let
|
|
5268
|
-
S.includes(
|
|
5379
|
+
for (let U of T.keys())
|
|
5380
|
+
S.includes(U) && (C[U] = T.get(U) ?? "");
|
|
5269
5381
|
const N = this.getSessionCookieValue(r);
|
|
5270
5382
|
if (!N) throw new c(u.Unauthorized, "No session cookie found");
|
|
5271
|
-
let
|
|
5383
|
+
let F;
|
|
5272
5384
|
try {
|
|
5273
5385
|
await this.sessionManager.completeTwoFactorPageVisit(C, r.locals.sessionId ?? "");
|
|
5274
|
-
} catch (
|
|
5275
|
-
|
|
5276
|
-
const
|
|
5277
|
-
d.logger.error(f({ msg:
|
|
5386
|
+
} catch (U) {
|
|
5387
|
+
F = c.asCrossauthError(U), d.logger.debug(f({ err: U }));
|
|
5388
|
+
const z = c.asCrossauthError(U);
|
|
5389
|
+
d.logger.error(f({ msg: F.message, cerr: U, user: T.get("username"), errorCode: z.code, errorCodeName: z.codeName }));
|
|
5278
5390
|
}
|
|
5279
|
-
if (
|
|
5280
|
-
if (
|
|
5391
|
+
if (F)
|
|
5392
|
+
if (F.code == u.Expired) {
|
|
5281
5393
|
d.logger.debug(f({ msg: "Error - cancelling 2FA" }));
|
|
5282
5394
|
try {
|
|
5283
5395
|
await this.sessionManager.cancelTwoFactorPageVisit(N);
|
|
5284
|
-
} catch (
|
|
5285
|
-
d.logger.error(f({ msg: "Failed cancelling 2FA", cerr:
|
|
5396
|
+
} catch (U) {
|
|
5397
|
+
d.logger.error(f({ msg: "Failed cancelling 2FA", cerr: U, user: l.username, hashedSessionCookie: this.getHashOfSessionCookie(r) })), d.logger.debug(f({ err: U }));
|
|
5286
5398
|
}
|
|
5287
5399
|
return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
|
|
5288
5400
|
} else
|
|
@@ -5291,25 +5403,25 @@ class L {
|
|
|
5291
5403
|
ok: !1,
|
|
5292
5404
|
response: new Response("", {
|
|
5293
5405
|
status: 302,
|
|
5294
|
-
statusText:
|
|
5295
|
-
headers: { Location: this.factor2Url + "?error=" + u[
|
|
5406
|
+
statusText: q(302),
|
|
5407
|
+
headers: { Location: this.factor2Url + "?error=" + u[F.code] }
|
|
5296
5408
|
})
|
|
5297
5409
|
} : {
|
|
5298
5410
|
twofa: !0,
|
|
5299
5411
|
ok: !1,
|
|
5300
5412
|
response: new Response(JSON.stringify({
|
|
5301
5413
|
ok: !1,
|
|
5302
|
-
errorMessage:
|
|
5303
|
-
errorMessages:
|
|
5304
|
-
errorCode:
|
|
5305
|
-
errorCodeName: u[
|
|
5414
|
+
errorMessage: F.message,
|
|
5415
|
+
errorMessages: F.messages,
|
|
5416
|
+
errorCode: F.code,
|
|
5417
|
+
errorCodeName: u[F.code]
|
|
5306
5418
|
}), {
|
|
5307
|
-
status:
|
|
5308
|
-
statusText:
|
|
5419
|
+
status: F.httpStatus,
|
|
5420
|
+
statusText: q(F.httpStatus),
|
|
5309
5421
|
headers: { "content-tyoe": "application/json" }
|
|
5310
5422
|
})
|
|
5311
5423
|
};
|
|
5312
|
-
return
|
|
5424
|
+
return H.updateRequest(r, m.pre2fa.body, m.pre2fa["content-type"]), { twofa: !0, ok: !0 };
|
|
5313
5425
|
} else {
|
|
5314
5426
|
if (d.logger.debug(f({ msg: "Starting 2FA", username: l.username })), this.enableCsrfProtection && !r.locals.csrfToken) {
|
|
5315
5427
|
const C = new c(u.Forbidden, "CSRF token missing");
|
|
@@ -5324,7 +5436,7 @@ class L {
|
|
|
5324
5436
|
errorCodeName: u[C.code]
|
|
5325
5437
|
}), {
|
|
5326
5438
|
status: C.httpStatus,
|
|
5327
|
-
statusText:
|
|
5439
|
+
statusText: q(C.httpStatus),
|
|
5328
5440
|
headers: {
|
|
5329
5441
|
"content-tyoe": "application/json"
|
|
5330
5442
|
}
|
|
@@ -5339,7 +5451,7 @@ class L {
|
|
|
5339
5451
|
ok: !0,
|
|
5340
5452
|
response: new Response("", {
|
|
5341
5453
|
status: 302,
|
|
5342
|
-
statusText:
|
|
5454
|
+
statusText: q(302),
|
|
5343
5455
|
headers: { Location: this.factor2Url }
|
|
5344
5456
|
})
|
|
5345
5457
|
} : {
|
|
@@ -5423,7 +5535,7 @@ class L {
|
|
|
5423
5535
|
const o = this.getSessionCookieValue(s);
|
|
5424
5536
|
if (!o) return "";
|
|
5425
5537
|
try {
|
|
5426
|
-
return
|
|
5538
|
+
return A.hash(o);
|
|
5427
5539
|
} catch {
|
|
5428
5540
|
}
|
|
5429
5541
|
return "";
|
|
@@ -5440,7 +5552,7 @@ class L {
|
|
|
5440
5552
|
const o = this.getCsrfCookieValue(s);
|
|
5441
5553
|
if (!o) return "";
|
|
5442
5554
|
try {
|
|
5443
|
-
return
|
|
5555
|
+
return A.hash(o);
|
|
5444
5556
|
} catch {
|
|
5445
5557
|
}
|
|
5446
5558
|
return "";
|
|
@@ -5459,8 +5571,8 @@ class L {
|
|
|
5459
5571
|
async csrfToken(s, o) {
|
|
5460
5572
|
var e, r, a;
|
|
5461
5573
|
let t;
|
|
5462
|
-
if (s.request.headers && s.request.headers.has(
|
|
5463
|
-
const i = s.request.headers.get(
|
|
5574
|
+
if (s.request.headers && s.request.headers.has(B.toLowerCase())) {
|
|
5575
|
+
const i = s.request.headers.get(B.toLowerCase());
|
|
5464
5576
|
Array.isArray(i) ? t = i[0] : i && (t = i);
|
|
5465
5577
|
}
|
|
5466
5578
|
if (!t) {
|
|
@@ -5478,7 +5590,7 @@ class L {
|
|
|
5478
5590
|
}
|
|
5479
5591
|
if (t)
|
|
5480
5592
|
try {
|
|
5481
|
-
this.sessionManager.validateDoubleSubmitCsrfToken(this.getCsrfCookieValue(s), t), s.locals.csrfToken = t, this.setHeader(
|
|
5593
|
+
this.sessionManager.validateDoubleSubmitCsrfToken(this.getCsrfCookieValue(s), t), s.locals.csrfToken = t, this.setHeader(B, t, o);
|
|
5482
5594
|
} catch {
|
|
5483
5595
|
d.logger.warn(f({ msg: "Invalid CSRF token", hashedCsrfCookie: this.getHashOfCsrfCookie(s) })), this.clearCookie(this.sessionManager.csrfCookieName, this.sessionManager.csrfCookiePath, s), s.locals.csrfToken = void 0;
|
|
5484
5596
|
}
|
|
@@ -5523,7 +5635,7 @@ class L {
|
|
|
5523
5635
|
getHashOfSessionId(s) {
|
|
5524
5636
|
if (!s.locals.sessionId) return "";
|
|
5525
5637
|
try {
|
|
5526
|
-
return
|
|
5638
|
+
return A.hash(s.locals.sessionId);
|
|
5527
5639
|
} catch {
|
|
5528
5640
|
}
|
|
5529
5641
|
return "";
|
|
@@ -5771,17 +5883,17 @@ class L {
|
|
|
5771
5883
|
}
|
|
5772
5884
|
export {
|
|
5773
5885
|
b as JsonOrFormData,
|
|
5774
|
-
|
|
5775
|
-
|
|
5886
|
+
ye as SvelteKitAdminClientEndpoints,
|
|
5887
|
+
ke as SvelteKitAdminEndpoints,
|
|
5776
5888
|
ne as SvelteKitApiKeyServer,
|
|
5777
5889
|
ce as SvelteKitAuthorizationServer,
|
|
5778
|
-
|
|
5779
|
-
|
|
5890
|
+
G as SvelteKitOAuthClient,
|
|
5891
|
+
ge as SvelteKitOAuthResourceServer,
|
|
5780
5892
|
w as SvelteKitServer,
|
|
5781
|
-
|
|
5782
|
-
|
|
5893
|
+
Re as SvelteKitSessionAdapter,
|
|
5894
|
+
H as SvelteKitSessionServer,
|
|
5783
5895
|
$ as SvelteKitSharedClientEndpoints,
|
|
5784
|
-
|
|
5785
|
-
|
|
5786
|
-
|
|
5896
|
+
Ce as SvelteKitUserClientEndpoints,
|
|
5897
|
+
we as SvelteKitUserEndpoints,
|
|
5898
|
+
Se as defaultClientSearchFn
|
|
5787
5899
|
};
|