@crossauth/sveltekit 0.0.20 → 0.0.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +674 -666
- package/dist/sveltekitadminclientendpoints.d.ts +16 -17
- package/dist/sveltekitadminendpoints.d.ts +20 -21
- package/dist/sveltekitapikey.d.ts +3 -3
- package/dist/sveltekitoauthclient.d.ts +13 -14
- package/dist/sveltekitoauthserver.d.ts +14 -14
- package/dist/sveltekitresserver.d.ts +4 -5
- package/dist/sveltekitserver.d.ts +8 -8
- package/dist/sveltekitsession.d.ts +20 -5
- package/dist/sveltekitsessionadapter.d.ts +3 -2
- package/dist/sveltekitsharedclientendpoints.d.ts +7 -8
- package/dist/sveltekituserclientendpoints.d.ts +16 -17
- package/dist/sveltekituserendpoints.d.ts +36 -37
- package/dist/tests/sveltekitoauthclient.test.d.ts +6 -6
- package/dist/tests/sveltekitoauthresserver.test.d.ts +5 -5
- package/dist/tests/sveltemocks.d.ts +3 -2
- package/dist/tests/testshared.d.ts +8 -8
- package/dist/utils.d.ts +2 -1
- package/package.json +4 -4
package/dist/index.js
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import { minimatch as
|
|
2
|
-
import { ApiKeyManager as
|
|
1
|
+
import { minimatch as R } from "minimatch";
|
|
2
|
+
import { ApiKeyManager as K, KeyStorage as $, toCookieSerializeOptions as P, Crypto as F, OAuthAuthorizationServer as Z, setParameter as y, ParamType as _, DoubleSubmitCsrfToken as ee, OAuthClientManager as B, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
|
|
3
3
|
import { CrossauthError as c, ErrorCode as h, CrossauthLogger as d, j as u, OAuthFlows as E, UserState as I, httpStatus as q } from "@crossauth/common";
|
|
4
4
|
import { json as v, redirect as Q, error as Y } from "@sveltejs/kit";
|
|
5
5
|
import "cookie";
|
|
6
|
-
import { jwtDecode as
|
|
6
|
+
import { jwtDecode as M } from "jwt-decode";
|
|
7
7
|
import ae from "qrcode";
|
|
8
8
|
class V {
|
|
9
9
|
constructor(r) {
|
|
@@ -26,11 +26,11 @@ class b {
|
|
|
26
26
|
this.clone = r;
|
|
27
27
|
}
|
|
28
28
|
async loadData(r) {
|
|
29
|
-
var t, e, s,
|
|
29
|
+
var t, e, s, i;
|
|
30
30
|
if (!((t = r.request) != null && t.body))
|
|
31
31
|
return;
|
|
32
32
|
const o = r.request.headers.get("content-type");
|
|
33
|
-
o == "application/json" ? this.jsonData = this.clone ? await ((s = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : s.json()) : await ((
|
|
33
|
+
o == "application/json" ? this.jsonData = this.clone ? await ((s = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : s.json()) : await ((i = r.request) == null ? void 0 : i.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
|
|
34
34
|
}
|
|
35
35
|
get(r) {
|
|
36
36
|
if (this.jsonData) return this.jsonData[r];
|
|
@@ -84,7 +84,7 @@ class ne {
|
|
|
84
84
|
* @param options See {@link SvelteKitApiKeyServerOptions}
|
|
85
85
|
*/
|
|
86
86
|
constructor(r, o, t = {}) {
|
|
87
|
-
this.userStorage = r, this.apiKeyManager = new
|
|
87
|
+
this.userStorage = r, this.apiKeyManager = new K(o, t), this.hook = async ({ event: e }) => {
|
|
88
88
|
d.logger.debug("APIKey hook");
|
|
89
89
|
const s = e.request.headers.get("authorization");
|
|
90
90
|
if (s)
|
|
@@ -92,29 +92,29 @@ class ne {
|
|
|
92
92
|
d.logger.debug(u({
|
|
93
93
|
msg: "Received authorization header"
|
|
94
94
|
}));
|
|
95
|
-
const
|
|
95
|
+
const i = await this.apiKeyManager.validateToken(
|
|
96
96
|
s
|
|
97
97
|
);
|
|
98
98
|
d.logger.debug(u({
|
|
99
99
|
msg: "Valid API key",
|
|
100
|
-
hahedApiKey:
|
|
100
|
+
hahedApiKey: K.hashSignedApiKeyValue(i.value)
|
|
101
101
|
}));
|
|
102
|
-
const
|
|
103
|
-
if (e.locals.apiKey = { ...
|
|
102
|
+
const a = $.decodeData(i.data);
|
|
103
|
+
if (e.locals.apiKey = { ...i, ...a }, "scope" in a && Array.isArray(a.scope)) {
|
|
104
104
|
let n = [];
|
|
105
|
-
for (let l of
|
|
105
|
+
for (let l of a.scope)
|
|
106
106
|
typeof l == "string" && n.push(l);
|
|
107
107
|
e.locals.scope = n;
|
|
108
108
|
}
|
|
109
|
-
if (
|
|
109
|
+
if (i.userid)
|
|
110
110
|
try {
|
|
111
|
-
const { user: n } = await this.userStorage.getUserById(
|
|
112
|
-
e.locals.user = n, e.locals.authType = "apiKey", d.logger.debug(u({ msg: "API key is for user", userid: n.id, user: n.username, hahedApiKey:
|
|
111
|
+
const { user: n } = await this.userStorage.getUserById(i.userid);
|
|
112
|
+
e.locals.user = n, e.locals.authType = "apiKey", d.logger.debug(u({ msg: "API key is for user", userid: n.id, user: n.username, hahedApiKey: K.hashSignedApiKeyValue(i.value) }));
|
|
113
113
|
} catch (n) {
|
|
114
|
-
d.logger.error(u({ msg: "API key has invalid user", userid:
|
|
114
|
+
d.logger.error(u({ msg: "API key has invalid user", userid: i.userid, hashedApiKey: K.hashSignedApiKeyValue(i.value) })), d.logger.debug(u({ err: n }));
|
|
115
115
|
}
|
|
116
|
-
} catch (
|
|
117
|
-
d.logger.error(u({ msg: "Invalid authorization header received", header: s })), d.logger.debug(u({ err:
|
|
116
|
+
} catch (i) {
|
|
117
|
+
d.logger.error(u({ msg: "Invalid authorization header received", header: s })), d.logger.debug(u({ err: i }));
|
|
118
118
|
}
|
|
119
119
|
};
|
|
120
120
|
}
|
|
@@ -130,9 +130,9 @@ class ce {
|
|
|
130
130
|
* @param options see {@link SvelteKitAuthorizationServerOptions}
|
|
131
131
|
*/
|
|
132
132
|
constructor(r, o, t, e, s = {}) {
|
|
133
|
-
var
|
|
133
|
+
var i;
|
|
134
134
|
this.loginUrl = "/login", this.refreshTokenType = "json", this.refreshTokenCookieName = "CROSSAUTH_REFRESH_TOKEN", this.refreshTokenCookieDomain = void 0, this.refreshTokenCookieHttpOnly = !1, this.refreshTokenCookiePath = "/", this.refreshTokenCookieSecure = !0, this.refreshTokenCookieSameSite = "strict", this.authorizeEndpointUrl = "/oauth/authorize", this.tokenEndpointUrl = "/oauth/token", this.jwksEndpointUrl = "/oauth/jwks", this.oidcConfigurationEndpoint = {
|
|
135
|
-
get: async (
|
|
135
|
+
get: async (a) => v(this.authServer.oidcConfiguration(
|
|
136
136
|
{
|
|
137
137
|
authorizeEndpoint: this.authorizeEndpointUrl,
|
|
138
138
|
tokenEndpoint: this.tokenEndpointUrl,
|
|
@@ -141,7 +141,7 @@ class ce {
|
|
|
141
141
|
}
|
|
142
142
|
))
|
|
143
143
|
}, this.jwksGetEndpoint = {
|
|
144
|
-
get: async (
|
|
144
|
+
get: async (a) => {
|
|
145
145
|
try {
|
|
146
146
|
return v(this.authServer.jwks());
|
|
147
147
|
} catch (n) {
|
|
@@ -153,7 +153,7 @@ class ce {
|
|
|
153
153
|
}
|
|
154
154
|
}
|
|
155
155
|
}, this.getCsrfTokenEndpoint = {
|
|
156
|
-
get: async (
|
|
156
|
+
get: async (a) => {
|
|
157
157
|
var l;
|
|
158
158
|
if (!this.csrfTokens) return v({
|
|
159
159
|
ok: !1,
|
|
@@ -166,17 +166,17 @@ class ce {
|
|
|
166
166
|
csrfCookie: f,
|
|
167
167
|
csrfFormOrHeaderValue: g
|
|
168
168
|
} = await this.createCsrfToken();
|
|
169
|
-
return n = f.value,
|
|
169
|
+
return n = f.value, a.cookies.set(
|
|
170
170
|
f.name,
|
|
171
171
|
f.value,
|
|
172
|
-
|
|
172
|
+
P(f.options)
|
|
173
173
|
), v({ ok: !0, csrfToken: g });
|
|
174
174
|
} catch (f) {
|
|
175
175
|
const g = c.asCrossauthError(f);
|
|
176
176
|
return d.logger.error(u({
|
|
177
177
|
msg: "getcsrftoken failure",
|
|
178
|
-
user: (l =
|
|
179
|
-
hashedCsrfCookie:
|
|
178
|
+
user: (l = a.locals.user) == null ? void 0 : l.username,
|
|
179
|
+
hashedCsrfCookie: F.hash(n.split(".")[0]),
|
|
180
180
|
error: g.code,
|
|
181
181
|
errorCodeName: g.codeName
|
|
182
182
|
})), d.logger.debug(u({ err: f })), d.logger.error({ cerr: f }), v({
|
|
@@ -187,15 +187,15 @@ class ce {
|
|
|
187
187
|
}
|
|
188
188
|
}
|
|
189
189
|
}, this.authorizeEndpoint = {
|
|
190
|
-
load: async (
|
|
190
|
+
load: async (a) => {
|
|
191
191
|
var w, S;
|
|
192
192
|
if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode)))
|
|
193
193
|
throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
|
|
194
|
-
if (!
|
|
194
|
+
if (!a.locals.user) return this.redirect(
|
|
195
195
|
302,
|
|
196
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
196
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
197
197
|
);
|
|
198
|
-
let n = this.getAuthorizeQuery(
|
|
198
|
+
let n = this.getAuthorizeQuery(a);
|
|
199
199
|
if (!n.query) return n.error;
|
|
200
200
|
let l = n.query;
|
|
201
201
|
d.logger.debug(u({ msg: "validating authorize parameters" }));
|
|
@@ -203,10 +203,10 @@ class ce {
|
|
|
203
203
|
if (f ? (g = new c(h.BadRequest, f), d.logger.error(u({
|
|
204
204
|
msg: "authorize parameter invalid",
|
|
205
205
|
cerr: g,
|
|
206
|
-
user: (w =
|
|
206
|
+
user: (w = a.locals.user) == null ? void 0 : w.username
|
|
207
207
|
}))) : d.logger.error(u({
|
|
208
208
|
msg: "authorize parameter valid",
|
|
209
|
-
user: (S =
|
|
209
|
+
user: (S = a.locals.user) == null ? void 0 : S.username
|
|
210
210
|
})), g)
|
|
211
211
|
return {
|
|
212
212
|
ok: !1,
|
|
@@ -219,18 +219,18 @@ class ce {
|
|
|
219
219
|
scope: l.scope
|
|
220
220
|
})), l.scope ? m = await this.authServer.hasAllScopes(
|
|
221
221
|
l.client_id,
|
|
222
|
-
|
|
222
|
+
a.locals.user,
|
|
223
223
|
l.scope.split(" ")
|
|
224
224
|
) : m = await this.authServer.hasAllScopes(
|
|
225
225
|
l.client_id,
|
|
226
|
-
|
|
226
|
+
a.locals.user,
|
|
227
227
|
[null]
|
|
228
228
|
), m) {
|
|
229
229
|
d.logger.debug(u({
|
|
230
230
|
msg: "All scopes authorized",
|
|
231
231
|
scope: l.scope
|
|
232
232
|
}));
|
|
233
|
-
const C = await this.authorize(
|
|
233
|
+
const C = await this.authorize(a, !0, {
|
|
234
234
|
responseType: l.response_type,
|
|
235
235
|
client_id: l.client_id,
|
|
236
236
|
redirect_uri: l.redirect_uri,
|
|
@@ -254,7 +254,7 @@ class ce {
|
|
|
254
254
|
return {
|
|
255
255
|
ok: !0,
|
|
256
256
|
authorizationNeeded: {
|
|
257
|
-
user:
|
|
257
|
+
user: a.locals.user,
|
|
258
258
|
response_type: l.response_type,
|
|
259
259
|
client_id: l.client_id,
|
|
260
260
|
client_name: C.client_name,
|
|
@@ -264,7 +264,7 @@ class ce {
|
|
|
264
264
|
state: l.state,
|
|
265
265
|
code_challenge: l.code_challenge,
|
|
266
266
|
code_challenge_method: l.code_challenge_method,
|
|
267
|
-
csrfToken:
|
|
267
|
+
csrfToken: a.locals.csrfToken
|
|
268
268
|
},
|
|
269
269
|
...this.baseEndpoint
|
|
270
270
|
};
|
|
@@ -280,13 +280,13 @@ class ce {
|
|
|
280
280
|
},
|
|
281
281
|
// load
|
|
282
282
|
actions: {
|
|
283
|
-
default: async (
|
|
283
|
+
default: async (a) => {
|
|
284
284
|
var f;
|
|
285
285
|
let n;
|
|
286
286
|
try {
|
|
287
287
|
var l = new b();
|
|
288
|
-
await l.loadData(
|
|
289
|
-
const g = l.getAsBoolean("authorized"), m = n.response_type, w = n.client_id, S = n.redirect_uri, C = n.scope, T = n.state, N = n.code_challenge,
|
|
288
|
+
await l.loadData(a), n = l.toObject();
|
|
289
|
+
const g = l.getAsBoolean("authorized"), m = n.response_type, w = n.client_id, S = n.redirect_uri, C = n.scope, T = n.state, N = n.code_challenge, A = n.code_challenge_method;
|
|
290
290
|
let U;
|
|
291
291
|
if (g == null && (U = "authorized"), m ? w ? S ? T || (U = "state") : U = "redirect_uri" : U = "client_id" : U = "response_type", U)
|
|
292
292
|
return {
|
|
@@ -294,19 +294,19 @@ class ce {
|
|
|
294
294
|
error: "invalid_request",
|
|
295
295
|
error_description: "Invalid form: does not contain " + U + " parameter"
|
|
296
296
|
};
|
|
297
|
-
if (!
|
|
297
|
+
if (!a.locals.user) return this.redirect(
|
|
298
298
|
302,
|
|
299
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
299
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
300
300
|
);
|
|
301
|
-
if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !
|
|
302
|
-
const z = await this.authorize(
|
|
301
|
+
if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !a.locals.csrfToken) throw new c(h.InvalidCsrf);
|
|
302
|
+
const z = await this.authorize(a, g ?? !1, {
|
|
303
303
|
responseType: m,
|
|
304
304
|
client_id: w,
|
|
305
305
|
redirect_uri: S,
|
|
306
306
|
scope: C,
|
|
307
307
|
state: T,
|
|
308
308
|
codeChallenge: N,
|
|
309
|
-
codeChallengeMethod:
|
|
309
|
+
codeChallengeMethod: A
|
|
310
310
|
});
|
|
311
311
|
return {
|
|
312
312
|
ok: !1,
|
|
@@ -326,7 +326,7 @@ class ce {
|
|
|
326
326
|
}
|
|
327
327
|
}
|
|
328
328
|
}, this.tokenEndpoint = {
|
|
329
|
-
post: async (
|
|
329
|
+
post: async (a) => {
|
|
330
330
|
let n;
|
|
331
331
|
try {
|
|
332
332
|
if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode) || this.authServer.validFlows.includes(E.ClientCredentials) || this.authServer.validFlows.includes(E.RefreshToken) || this.authServer.validFlows.includes(E.Password) || this.authServer.validFlows.includes(E.PasswordMfa || this.authServer.validFlows.includes(E.DeviceCode))))
|
|
@@ -336,12 +336,12 @@ class ce {
|
|
|
336
336
|
error_description: "Token endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
337
337
|
}, { status: 500 });
|
|
338
338
|
var l = new b();
|
|
339
|
-
await l.loadData(
|
|
340
|
-
const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n,
|
|
341
|
-
let m = n.refresh_token, w =
|
|
339
|
+
await l.loadData(a), n = l.toObject();
|
|
340
|
+
const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n, a);
|
|
341
|
+
let m = n.refresh_token, w = a.cookies.get(this.refreshTokenCookieName);
|
|
342
342
|
if ((this.refreshTokenType == "cookie" && w || this.refreshTokenType == "both" && w && m == null) && this.csrfTokens) {
|
|
343
|
-
const C =
|
|
344
|
-
let T =
|
|
343
|
+
const C = a.cookies.get(this.csrfTokens.cookieName);
|
|
344
|
+
let T = a.request.headers.get(this.csrfTokens.headerName.toLowerCase());
|
|
345
345
|
if (Array.isArray(T) && (T = T[0]), !C || !T)
|
|
346
346
|
return v({
|
|
347
347
|
ok: !1,
|
|
@@ -375,7 +375,7 @@ class ce {
|
|
|
375
375
|
refreshToken: m,
|
|
376
376
|
deviceCode: n.device_code
|
|
377
377
|
});
|
|
378
|
-
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(
|
|
378
|
+
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(a, S.refresh_token, S.expires_in), S.error == "authorization_pending")
|
|
379
379
|
return v(S);
|
|
380
380
|
if (S.error || !S.access_token) {
|
|
381
381
|
let C = "server_error", T = "Neither code nor error received when requestoing authorization";
|
|
@@ -393,10 +393,10 @@ class ce {
|
|
|
393
393
|
}
|
|
394
394
|
}
|
|
395
395
|
}, this.mfaAuthenticatorsEndpoint = {
|
|
396
|
-
get: async (
|
|
396
|
+
get: async (a) => {
|
|
397
397
|
try {
|
|
398
398
|
var n = new b();
|
|
399
|
-
return await n.loadData(
|
|
399
|
+
return await n.loadData(a), v(await this.mfaAuthenticators(a));
|
|
400
400
|
} catch (l) {
|
|
401
401
|
const f = c.asCrossauthError(l);
|
|
402
402
|
return d.logger.debug({ err: l }), d.logger.error({ cerr: l }), v({
|
|
@@ -405,11 +405,11 @@ class ce {
|
|
|
405
405
|
});
|
|
406
406
|
}
|
|
407
407
|
},
|
|
408
|
-
post: async (
|
|
408
|
+
post: async (a) => {
|
|
409
409
|
try {
|
|
410
410
|
var n = new b();
|
|
411
|
-
await n.loadData(
|
|
412
|
-
let l = await this.mfaAuthenticators(
|
|
411
|
+
await n.loadData(a);
|
|
412
|
+
let l = await this.mfaAuthenticators(a), f = 200;
|
|
413
413
|
return !Array.isArray(l) && l.error == "access_denied" ? f = 401 : !Array.isArray(l) && l.error && (f = 500), v(l, { status: f });
|
|
414
414
|
} catch (l) {
|
|
415
415
|
const f = c.asCrossauthError(l);
|
|
@@ -420,11 +420,11 @@ class ce {
|
|
|
420
420
|
}
|
|
421
421
|
}
|
|
422
422
|
}, this.mfaChallengeEndpoint = {
|
|
423
|
-
post: async (
|
|
423
|
+
post: async (a) => {
|
|
424
424
|
try {
|
|
425
425
|
var n = new b();
|
|
426
|
-
await n.loadData(
|
|
427
|
-
const l = await this.mfaChallenge(
|
|
426
|
+
await n.loadData(a);
|
|
427
|
+
const l = await this.mfaChallenge(a);
|
|
428
428
|
let f = 200;
|
|
429
429
|
return l.error == "access_denied" ? f = 401 : l.error && (f = 500), v(l, { status: f });
|
|
430
430
|
} catch (l) {
|
|
@@ -436,7 +436,7 @@ class ce {
|
|
|
436
436
|
}
|
|
437
437
|
}
|
|
438
438
|
}, this.deviceAuthorizationEndpoint = {
|
|
439
|
-
post: async (
|
|
439
|
+
post: async (a) => {
|
|
440
440
|
let n;
|
|
441
441
|
try {
|
|
442
442
|
if (!this.authServer.validFlows.includes(E.DeviceCode))
|
|
@@ -446,8 +446,8 @@ class ce {
|
|
|
446
446
|
error_description: "Device authorization endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
447
447
|
});
|
|
448
448
|
var l = new b();
|
|
449
|
-
await l.loadData(
|
|
450
|
-
const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n,
|
|
449
|
+
await l.loadData(a), n = l.toObject();
|
|
450
|
+
const { client_id: f, client_secret: g } = this.getClientIdAndSecret(n, a), m = await this.authServer.deviceAuthorizationEndpoint({
|
|
451
451
|
client_id: f,
|
|
452
452
|
client_secret: g,
|
|
453
453
|
scope: n.scope
|
|
@@ -474,31 +474,31 @@ class ce {
|
|
|
474
474
|
}
|
|
475
475
|
}
|
|
476
476
|
}, this.deviceEndpoint = {
|
|
477
|
-
load: async (
|
|
477
|
+
load: async (a) => {
|
|
478
478
|
if (!this.authServer.validFlows.includes(E.DeviceCode))
|
|
479
479
|
throw this.error(401, "device cannot be called because the device code flow is not supported");
|
|
480
|
-
if (!
|
|
480
|
+
if (!a.locals.user) return this.redirect(
|
|
481
481
|
302,
|
|
482
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
482
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
483
483
|
);
|
|
484
|
-
let n =
|
|
485
|
-
return n ? await this.applyUserCode(n,
|
|
484
|
+
let n = a.url.searchParams.get("user_code");
|
|
485
|
+
return n ? await this.applyUserCode(n, a, a.locals.user) : {
|
|
486
486
|
ok: !0,
|
|
487
487
|
completed: !1,
|
|
488
488
|
retryAllowed: !0,
|
|
489
|
-
user:
|
|
490
|
-
csrfToken:
|
|
489
|
+
user: a.locals.user,
|
|
490
|
+
csrfToken: a.locals.csrfToken
|
|
491
491
|
};
|
|
492
492
|
},
|
|
493
493
|
// load
|
|
494
494
|
actions: {
|
|
495
|
-
userCode: async (
|
|
496
|
-
if (!
|
|
495
|
+
userCode: async (a) => {
|
|
496
|
+
if (!a.locals.user) throw this.error(401, "Access Denied");
|
|
497
497
|
try {
|
|
498
498
|
var n = new b();
|
|
499
|
-
await n.loadData(
|
|
499
|
+
await n.loadData(a);
|
|
500
500
|
const l = n.get("user_code");
|
|
501
|
-
return l ? await this.applyUserCode(l,
|
|
501
|
+
return l ? await this.applyUserCode(l, a, a.locals.user) : {
|
|
502
502
|
ok: !1,
|
|
503
503
|
completed: !1,
|
|
504
504
|
retryAllowed: !0,
|
|
@@ -517,12 +517,12 @@ class ce {
|
|
|
517
517
|
};
|
|
518
518
|
}
|
|
519
519
|
},
|
|
520
|
-
authorize: async (
|
|
520
|
+
authorize: async (a) => {
|
|
521
521
|
var f;
|
|
522
522
|
let n;
|
|
523
523
|
try {
|
|
524
524
|
var l = new b();
|
|
525
|
-
await l.loadData(
|
|
525
|
+
await l.loadData(a), n = l.toObject();
|
|
526
526
|
const g = l.getAsBoolean("authorized"), m = n.scope, w = n.client_id, S = n.user_code;
|
|
527
527
|
let C;
|
|
528
528
|
if (g == null && (C = "authorized"), w == null && (C = "client_id"), S == null && (C = "user_code"), C)
|
|
@@ -533,18 +533,18 @@ class ce {
|
|
|
533
533
|
error: "invalid_request",
|
|
534
534
|
error_description: "Invalid form: does not contain " + C + " parameter"
|
|
535
535
|
};
|
|
536
|
-
if (!
|
|
536
|
+
if (!a.locals.user) return this.redirect(
|
|
537
537
|
302,
|
|
538
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
538
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
539
539
|
);
|
|
540
|
-
if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !
|
|
541
|
-
return (await this.authServer.validateAndPersistScope(w, m,
|
|
540
|
+
if ((f = this.svelteKitServer.sessionServer) != null && f.enableCsrfProtection && !a.locals.csrfToken) throw new c(h.InvalidCsrf);
|
|
541
|
+
return (await this.authServer.validateAndPersistScope(w, m, a.locals.user)).error ? {
|
|
542
542
|
ok: !1,
|
|
543
543
|
completed: !1,
|
|
544
544
|
retryAllowed: !1,
|
|
545
545
|
error: "unauthorized_client",
|
|
546
546
|
error_description: "You did not authorize access to your account"
|
|
547
|
-
} : await this.applyUserCode(S,
|
|
547
|
+
} : await this.applyUserCode(S, a, a.locals.user);
|
|
548
548
|
} catch (g) {
|
|
549
549
|
if (p.isSvelteKitError(g) || p.isSvelteKitRedirect(g)) throw g;
|
|
550
550
|
let m = c.asCrossauthError(g, "Couldn't process authorization code");
|
|
@@ -563,7 +563,7 @@ class ce {
|
|
|
563
563
|
t,
|
|
564
564
|
e,
|
|
565
565
|
s
|
|
566
|
-
), y("loginUrl", _.String, this, s, "LOGIN_URL"), y("refreshTokenType", _.String, this, s, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", _.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", _.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", _.String, this, s, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", _.String, this, s, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", _.String, this, s, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((
|
|
566
|
+
), y("loginUrl", _.String, this, s, "LOGIN_URL"), y("refreshTokenType", _.String, this, s, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", _.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", _.Boolean, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", _.String, this, s, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", _.String, this, s, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", _.String, this, s, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", _.String, this, s, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((i = this.svelteKitServer.sessionServer) == null ? void 0 : i.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(s.doubleSubmitCookieOptions));
|
|
567
567
|
}
|
|
568
568
|
/**
|
|
569
569
|
* Returns this server's OIDC configuration. Just wraps
|
|
@@ -585,8 +585,8 @@ class ce {
|
|
|
585
585
|
responseType: t,
|
|
586
586
|
client_id: e,
|
|
587
587
|
redirect_uri: s,
|
|
588
|
-
scope:
|
|
589
|
-
state:
|
|
588
|
+
scope: i,
|
|
589
|
+
state: a,
|
|
590
590
|
codeChallenge: n,
|
|
591
591
|
codeChallengeMethod: l
|
|
592
592
|
}) {
|
|
@@ -596,8 +596,8 @@ class ce {
|
|
|
596
596
|
responseType: t,
|
|
597
597
|
client_id: e,
|
|
598
598
|
redirect_uri: s,
|
|
599
|
-
scope:
|
|
600
|
-
state:
|
|
599
|
+
scope: i,
|
|
600
|
+
state: a,
|
|
601
601
|
codeChallenge: n,
|
|
602
602
|
codeChallengeMethod: l,
|
|
603
603
|
user: r.locals.user
|
|
@@ -616,7 +616,7 @@ class ce {
|
|
|
616
616
|
throw this.redirect(302, this.authServer.redirect_uri(
|
|
617
617
|
s,
|
|
618
618
|
m,
|
|
619
|
-
|
|
619
|
+
a
|
|
620
620
|
));
|
|
621
621
|
} else {
|
|
622
622
|
const w = new c(
|
|
@@ -629,7 +629,7 @@ class ce {
|
|
|
629
629
|
errorCodeName: w.codeName
|
|
630
630
|
}));
|
|
631
631
|
try {
|
|
632
|
-
throw
|
|
632
|
+
throw B.validateUri(s), this.redirect(302, s + "?error=access_denied&error_description=" + encodeURIComponent("Access was not granted"));
|
|
633
633
|
} catch (S) {
|
|
634
634
|
if (p.isSvelteKitError(S) || p.isSvelteKitRedirect(S)) throw S;
|
|
635
635
|
return d.logger.error(u({
|
|
@@ -690,13 +690,13 @@ class ce {
|
|
|
690
690
|
if (o = this.requireGetParam(r, "client_id"), o) return { error: o };
|
|
691
691
|
if (o = this.requireGetParam(r, "redirect_uri"), o) return { error: o };
|
|
692
692
|
if (o = this.requireGetParam(r, "state"), o) return { error: o };
|
|
693
|
-
const t = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", s = r.url.searchParams.get("redirect_uri") ?? "",
|
|
693
|
+
const t = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", s = r.url.searchParams.get("redirect_uri") ?? "", i = r.url.searchParams.get("scope") ?? void 0, a = r.url.searchParams.get("state") ?? "", n = r.url.searchParams.get("code_challenge") ?? void 0, l = r.url.searchParams.get("code_challenge_method") ?? void 0;
|
|
694
694
|
return { query: {
|
|
695
695
|
response_type: t,
|
|
696
696
|
client_id: e,
|
|
697
697
|
redirect_uri: s,
|
|
698
|
-
scope:
|
|
699
|
-
state:
|
|
698
|
+
scope: i,
|
|
699
|
+
state: a,
|
|
700
700
|
code_challenge: n,
|
|
701
701
|
code_challenge_method: l
|
|
702
702
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
@@ -710,18 +710,18 @@ class ce {
|
|
|
710
710
|
if (e = this.requireBodyParam(t, "challenge_type"), e) return { error: e };
|
|
711
711
|
if (e = this.requireBodyParam(t, "mfa_token"), e) return { error: e };
|
|
712
712
|
if (e = this.requireBodyParam(t, "authenticator_id"), e) return { error: e };
|
|
713
|
-
const s = t.client_id ?? "",
|
|
713
|
+
const s = t.client_id ?? "", i = t.challenge_type ?? "", a = t.mfa_token ?? "", n = t.authenticator_id ?? "", l = t.client_secret ?? void 0;
|
|
714
714
|
return { query: {
|
|
715
715
|
client_id: s,
|
|
716
716
|
client_secret: l,
|
|
717
|
-
challenge_type:
|
|
718
|
-
mfa_token:
|
|
717
|
+
challenge_type: i,
|
|
718
|
+
mfa_token: a,
|
|
719
719
|
authenticator_id: n
|
|
720
720
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
721
721
|
}
|
|
722
722
|
async mfaAuthenticators(r) {
|
|
723
|
-
var
|
|
724
|
-
const o = (
|
|
723
|
+
var i;
|
|
724
|
+
const o = (i = r.request.headers.get("authorization")) == null ? void 0 : i.split(" ");
|
|
725
725
|
if (!o || o.length != 2)
|
|
726
726
|
return {
|
|
727
727
|
error: "access_denied",
|
|
@@ -752,65 +752,65 @@ class ce {
|
|
|
752
752
|
let t = r.client_id, e = r.client_secret;
|
|
753
753
|
const s = o.request.headers.get("authorization");
|
|
754
754
|
if (s) {
|
|
755
|
-
let
|
|
755
|
+
let i, a;
|
|
756
756
|
const n = s.split(" ");
|
|
757
757
|
if (n.length == 2 && n[0].toLocaleLowerCase() == "basic") {
|
|
758
|
-
const f =
|
|
759
|
-
f.length == 2 && (
|
|
758
|
+
const f = F.base64Decode(n[1]).split(":", 2);
|
|
759
|
+
f.length == 2 && (i = f[0], a = f[1]);
|
|
760
760
|
}
|
|
761
|
-
|
|
761
|
+
i == null || a == null ? d.logger.warn(u({
|
|
762
762
|
msg: "Ignoring malform authenization header " + s
|
|
763
|
-
})) : (t =
|
|
763
|
+
})) : (t = i, e = a);
|
|
764
764
|
}
|
|
765
765
|
return { client_id: t, client_secret: e };
|
|
766
766
|
}
|
|
767
767
|
async applyUserCode(r, o, t) {
|
|
768
|
-
var e, s,
|
|
768
|
+
var e, s, i;
|
|
769
769
|
try {
|
|
770
|
-
const
|
|
771
|
-
if (
|
|
770
|
+
const a = await this.authServer.deviceEndpoint({ userCode: r, user: t });
|
|
771
|
+
if (a.error)
|
|
772
772
|
return {
|
|
773
773
|
ok: !1,
|
|
774
774
|
completed: !1,
|
|
775
775
|
retryAllowed: !1,
|
|
776
|
-
error:
|
|
777
|
-
error_description:
|
|
776
|
+
error: a.error,
|
|
777
|
+
error_description: a.error_description
|
|
778
778
|
};
|
|
779
|
-
if (!
|
|
780
|
-
return d.logger.error(u({ msg: "No client id found for user code", userCodeHash:
|
|
779
|
+
if (!a.client_id)
|
|
780
|
+
return d.logger.error(u({ msg: "No client id found for user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
|
|
781
781
|
ok: !1,
|
|
782
782
|
completed: !1,
|
|
783
783
|
retryAllowed: !1,
|
|
784
784
|
error: "server_error",
|
|
785
785
|
error_description: "No client id found for user code"
|
|
786
786
|
};
|
|
787
|
-
if (
|
|
788
|
-
return d.logger.error(u({ msg: "Incorrect user code given", userCodeHash:
|
|
787
|
+
if (a.error == "access_denied")
|
|
788
|
+
return d.logger.error(u({ msg: "Incorrect user code given", userCodeHash: F.hash(r), ip: o.request.referrer, username: (s = o.locals.user) == null ? void 0 : s.username })), this.authServer.userCodeThrottle > 0 && await ((f) => new Promise((g) => setTimeout(g, f)))(this.authServer.userCodeThrottle), {
|
|
789
789
|
ok: !1,
|
|
790
790
|
completed: !1,
|
|
791
791
|
retryAllowed: !0,
|
|
792
|
-
error:
|
|
793
|
-
error_description:
|
|
792
|
+
error: a.error,
|
|
793
|
+
error_description: a.error_description
|
|
794
794
|
};
|
|
795
|
-
if (
|
|
796
|
-
return d.logger.error(u({ msg: "Expired user code", userCodeHash:
|
|
795
|
+
if (a.error == "expired_token")
|
|
796
|
+
return d.logger.error(u({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (i = o.locals.user) == null ? void 0 : i.username })), {
|
|
797
797
|
ok: !1,
|
|
798
798
|
completed: !1,
|
|
799
799
|
retryAllowed: !1,
|
|
800
|
-
error:
|
|
801
|
-
error_description:
|
|
800
|
+
error: a.error,
|
|
801
|
+
error_description: a.error_description
|
|
802
802
|
};
|
|
803
|
-
const n = await this.clientStorage.getClientById(
|
|
804
|
-
return
|
|
803
|
+
const n = await this.clientStorage.getClientById(a.client_id);
|
|
804
|
+
return a.scopeAuthorizationNeeded ? {
|
|
805
805
|
ok: !0,
|
|
806
806
|
completed: !1,
|
|
807
807
|
retryAllowed: !0,
|
|
808
808
|
authorizationNeeded: {
|
|
809
809
|
user: t,
|
|
810
|
-
client_id:
|
|
810
|
+
client_id: a.client_id,
|
|
811
811
|
client_name: n.client_name,
|
|
812
|
-
scope:
|
|
813
|
-
scopes:
|
|
812
|
+
scope: a.scope,
|
|
813
|
+
scopes: a.scope ? a.scope.split(" ") : [],
|
|
814
814
|
csrfToken: o.locals.csrfToken
|
|
815
815
|
},
|
|
816
816
|
user: o.locals.user,
|
|
@@ -823,8 +823,8 @@ class ce {
|
|
|
823
823
|
user: o.locals.user,
|
|
824
824
|
csrfToken: o.locals.csrfToken
|
|
825
825
|
};
|
|
826
|
-
} catch (
|
|
827
|
-
const n = c.asCrossauthError(
|
|
826
|
+
} catch (a) {
|
|
827
|
+
const n = c.asCrossauthError(a);
|
|
828
828
|
return d.logger.debug(u({ err: n })), d.logger.error(u({ msg: n.message, cerr: n })), {
|
|
829
829
|
ok: !1,
|
|
830
830
|
completed: !1,
|
|
@@ -870,7 +870,7 @@ function O(k) {
|
|
|
870
870
|
let r;
|
|
871
871
|
if (k)
|
|
872
872
|
try {
|
|
873
|
-
r = JSON.parse(
|
|
873
|
+
r = JSON.parse(F.base64Decode(k.split(".")[1]));
|
|
874
874
|
} catch {
|
|
875
875
|
d.logger.error(u({ msg: "Couldn't decode id token" }));
|
|
876
876
|
}
|
|
@@ -885,10 +885,10 @@ function L(k, r) {
|
|
|
885
885
|
if (k.access_token)
|
|
886
886
|
try {
|
|
887
887
|
if (k.access_token && r.includes("access")) {
|
|
888
|
-
const s = (o =
|
|
888
|
+
const s = (o = M(k.access_token)) == null ? void 0 : o.jti, i = s ? F.hash(s) : void 0;
|
|
889
889
|
d.logger.debug(u({
|
|
890
890
|
msg: "Got access token",
|
|
891
|
-
accessTokenHash:
|
|
891
|
+
accessTokenHash: i
|
|
892
892
|
}));
|
|
893
893
|
}
|
|
894
894
|
} catch (s) {
|
|
@@ -897,10 +897,10 @@ function L(k, r) {
|
|
|
897
897
|
if (k.id_token)
|
|
898
898
|
try {
|
|
899
899
|
if (k.id_token && r.includes("id")) {
|
|
900
|
-
const s = (t =
|
|
900
|
+
const s = (t = M(k.id_token)) == null ? void 0 : t.jti, i = s ? F.hash(s) : void 0;
|
|
901
901
|
d.logger.debug(u({
|
|
902
902
|
msg: "Got id token",
|
|
903
|
-
idTokenHash:
|
|
903
|
+
idTokenHash: i
|
|
904
904
|
}));
|
|
905
905
|
}
|
|
906
906
|
} catch (s) {
|
|
@@ -909,10 +909,10 @@ function L(k, r) {
|
|
|
909
909
|
if (k.refresh_token && r.includes("refresh"))
|
|
910
910
|
try {
|
|
911
911
|
if (k.refresh_token) {
|
|
912
|
-
const s = (e =
|
|
912
|
+
const s = (e = M(k.refresh_token)) == null ? void 0 : e.jti, i = s ? F.hash(s) : void 0;
|
|
913
913
|
d.logger.debug(u({
|
|
914
914
|
msg: "Got refresh token",
|
|
915
|
-
refreshTokenHash:
|
|
915
|
+
refreshTokenHash: i
|
|
916
916
|
}));
|
|
917
917
|
}
|
|
918
918
|
} catch (s) {
|
|
@@ -920,7 +920,7 @@ function L(k, r) {
|
|
|
920
920
|
}
|
|
921
921
|
}
|
|
922
922
|
async function j(k, r, o) {
|
|
923
|
-
var
|
|
923
|
+
var i, a, n, l;
|
|
924
924
|
if (!r.server.sessionAdapter)
|
|
925
925
|
throw new c(
|
|
926
926
|
h.Configuration,
|
|
@@ -928,7 +928,7 @@ async function j(k, r, o) {
|
|
|
928
928
|
);
|
|
929
929
|
let t = k.expires_in;
|
|
930
930
|
if (!t && k.access_token && r.jwtTokens.includes("access")) {
|
|
931
|
-
const f =
|
|
931
|
+
const f = M(k.access_token);
|
|
932
932
|
f.exp && (t = f.exp);
|
|
933
933
|
}
|
|
934
934
|
if (!t)
|
|
@@ -943,12 +943,12 @@ async function j(k, r, o) {
|
|
|
943
943
|
f && (s.id_token = f);
|
|
944
944
|
}
|
|
945
945
|
if (r.server.sessionServer) {
|
|
946
|
-
let f = (
|
|
946
|
+
let f = (i = r.server.sessionServer) == null ? void 0 : i.getSessionCookieValue(o);
|
|
947
947
|
f ? await ((n = r.server.sessionAdapter) == null ? void 0 : n.updateSessionData(
|
|
948
948
|
o,
|
|
949
949
|
r.sessionDataName,
|
|
950
950
|
s
|
|
951
|
-
)) : f = await ((
|
|
951
|
+
)) : f = await ((a = r.server.sessionServer) == null ? void 0 : a.createAnonymousSession(
|
|
952
952
|
o,
|
|
953
953
|
{ [r.sessionDataName]: s }
|
|
954
954
|
));
|
|
@@ -977,8 +977,8 @@ async function de(k, r, o, t, e) {
|
|
|
977
977
|
if (!t) return r.redirect(302, r.authorizedUrl);
|
|
978
978
|
} catch (s) {
|
|
979
979
|
if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
|
|
980
|
-
const
|
|
981
|
-
return d.logger.debug(u({ err:
|
|
980
|
+
const i = c.asCrossauthError(s);
|
|
981
|
+
return d.logger.debug(u({ err: i })), d.logger.debug(u({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
|
|
982
982
|
}
|
|
983
983
|
}
|
|
984
984
|
async function he(k, r, o, t, e) {
|
|
@@ -999,8 +999,8 @@ async function he(k, r, o, t, e) {
|
|
|
999
999
|
return v({ ok: !0, ...k });
|
|
1000
1000
|
} catch (s) {
|
|
1001
1001
|
if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
|
|
1002
|
-
const
|
|
1003
|
-
return d.logger.debug(u({ err:
|
|
1002
|
+
const i = c.asCrossauthError(s);
|
|
1003
|
+
return d.logger.debug(u({ err: i })), d.logger.debug(u({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
|
|
1004
1004
|
}
|
|
1005
1005
|
}
|
|
1006
1006
|
async function ue(k, r, o, t, e) {
|
|
@@ -1020,11 +1020,11 @@ async function ue(k, r, o, t, e) {
|
|
|
1020
1020
|
return r.jwtTokens.includes("id") && (s.id_payload = O(k.id_token)), s.id_payload && await e(o, s.id_payload), s;
|
|
1021
1021
|
} catch (s) {
|
|
1022
1022
|
if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
|
|
1023
|
-
const
|
|
1024
|
-
return d.logger.debug(u({ err:
|
|
1023
|
+
const i = c.asCrossauthError(s);
|
|
1024
|
+
return d.logger.debug(u({ err: i })), d.logger.debug(u({ cerr: i, msg: "Error receiving tokens" })), {
|
|
1025
1025
|
ok: !1,
|
|
1026
|
-
error:
|
|
1027
|
-
error_description:
|
|
1026
|
+
error: i.oauthErrorCode,
|
|
1027
|
+
error_description: i.message
|
|
1028
1028
|
};
|
|
1029
1029
|
}
|
|
1030
1030
|
}
|
|
@@ -1073,22 +1073,22 @@ class G extends re {
|
|
|
1073
1073
|
}
|
|
1074
1074
|
let s = e.url.searchParams.get("scope") ?? void 0;
|
|
1075
1075
|
s == "" && (s = void 0);
|
|
1076
|
-
const { url:
|
|
1077
|
-
if (
|
|
1076
|
+
const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s);
|
|
1077
|
+
if (a || !i) {
|
|
1078
1078
|
const l = c.fromOAuthError(
|
|
1079
|
-
|
|
1079
|
+
a ?? "server_error",
|
|
1080
1080
|
n
|
|
1081
1081
|
);
|
|
1082
1082
|
return await this.errorFn(this.server, e, l);
|
|
1083
1083
|
}
|
|
1084
1084
|
throw d.logger.debug(u({
|
|
1085
1085
|
msg: "Authorization code flow: redirecting",
|
|
1086
|
-
url:
|
|
1087
|
-
})), this.redirect(302,
|
|
1086
|
+
url: i
|
|
1087
|
+
})), this.redirect(302, i);
|
|
1088
1088
|
} catch (s) {
|
|
1089
1089
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
1090
|
-
const
|
|
1091
|
-
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e,
|
|
1090
|
+
const i = c.asCrossauthError(s);
|
|
1091
|
+
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e, i);
|
|
1092
1092
|
}
|
|
1093
1093
|
},
|
|
1094
1094
|
load: async (e) => {
|
|
@@ -1114,10 +1114,10 @@ class G extends re {
|
|
|
1114
1114
|
}
|
|
1115
1115
|
let s = e.url.searchParams.get("scope") ?? void 0;
|
|
1116
1116
|
s == "" && (s = void 0);
|
|
1117
|
-
const { url:
|
|
1118
|
-
if (
|
|
1117
|
+
const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s);
|
|
1118
|
+
if (a || !i) {
|
|
1119
1119
|
const l = c.fromOAuthError(
|
|
1120
|
-
|
|
1120
|
+
a ?? "server_error",
|
|
1121
1121
|
n
|
|
1122
1122
|
);
|
|
1123
1123
|
return {
|
|
@@ -1128,15 +1128,15 @@ class G extends re {
|
|
|
1128
1128
|
}
|
|
1129
1129
|
throw d.logger.debug(u({
|
|
1130
1130
|
msg: "Authorization code flow: redirecting",
|
|
1131
|
-
url:
|
|
1132
|
-
})), this.redirect(302,
|
|
1131
|
+
url: i
|
|
1132
|
+
})), this.redirect(302, i);
|
|
1133
1133
|
} catch (s) {
|
|
1134
1134
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
1135
|
-
const
|
|
1135
|
+
const i = c.asCrossauthError(s);
|
|
1136
1136
|
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
|
|
1137
1137
|
ok: !1,
|
|
1138
|
-
error:
|
|
1139
|
-
error_description:
|
|
1138
|
+
error: i.oauthErrorCode,
|
|
1139
|
+
error_description: i.message
|
|
1140
1140
|
};
|
|
1141
1141
|
}
|
|
1142
1142
|
}
|
|
@@ -1153,25 +1153,25 @@ class G extends re {
|
|
|
1153
1153
|
}
|
|
1154
1154
|
let s = e.url.searchParams.get("scope") ?? void 0;
|
|
1155
1155
|
s == "" && (s = void 0);
|
|
1156
|
-
const { url:
|
|
1157
|
-
if (
|
|
1156
|
+
const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s, !0);
|
|
1157
|
+
if (a || !i) {
|
|
1158
1158
|
const l = c.fromOAuthError(
|
|
1159
|
-
|
|
1159
|
+
a ?? "server_error",
|
|
1160
1160
|
n
|
|
1161
1161
|
);
|
|
1162
1162
|
return await this.errorFn(this.server, e, l);
|
|
1163
1163
|
}
|
|
1164
1164
|
throw d.logger.debug(u({
|
|
1165
1165
|
msg: "Authorization code flow: redirecting",
|
|
1166
|
-
url:
|
|
1167
|
-
})), this.redirect(302,
|
|
1166
|
+
url: i
|
|
1167
|
+
})), this.redirect(302, i);
|
|
1168
1168
|
} catch (s) {
|
|
1169
1169
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
1170
|
-
const
|
|
1170
|
+
const i = c.asCrossauthError(s);
|
|
1171
1171
|
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), v({
|
|
1172
|
-
error:
|
|
1173
|
-
error_description:
|
|
1174
|
-
}, { status:
|
|
1172
|
+
error: i.oauthErrorCode,
|
|
1173
|
+
error_description: i.message
|
|
1174
|
+
}, { status: i.httpStatus });
|
|
1175
1175
|
}
|
|
1176
1176
|
},
|
|
1177
1177
|
load: async (e) => {
|
|
@@ -1197,10 +1197,10 @@ class G extends re {
|
|
|
1197
1197
|
}
|
|
1198
1198
|
let s = e.url.searchParams.get("scope") ?? void 0;
|
|
1199
1199
|
s == "" && (s = void 0);
|
|
1200
|
-
const { url:
|
|
1201
|
-
if (
|
|
1200
|
+
const { url: i, error: a, error_description: n } = await this.startAuthorizationCodeFlow(s, !0);
|
|
1201
|
+
if (a || !i) {
|
|
1202
1202
|
const l = c.fromOAuthError(
|
|
1203
|
-
|
|
1203
|
+
a ?? "server_error",
|
|
1204
1204
|
n
|
|
1205
1205
|
);
|
|
1206
1206
|
return {
|
|
@@ -1211,15 +1211,15 @@ class G extends re {
|
|
|
1211
1211
|
}
|
|
1212
1212
|
throw d.logger.debug(u({
|
|
1213
1213
|
msg: "Authorization code flow: redirecting",
|
|
1214
|
-
url:
|
|
1215
|
-
})), this.redirect(302,
|
|
1214
|
+
url: i
|
|
1215
|
+
})), this.redirect(302, i);
|
|
1216
1216
|
} catch (s) {
|
|
1217
1217
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
1218
|
-
const
|
|
1218
|
+
const i = c.asCrossauthError(s);
|
|
1219
1219
|
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
|
|
1220
1220
|
ok: !1,
|
|
1221
|
-
error:
|
|
1222
|
-
error_description:
|
|
1221
|
+
error: i.oauthErrorCode,
|
|
1222
|
+
error_description: i.message
|
|
1223
1223
|
};
|
|
1224
1224
|
}
|
|
1225
1225
|
}
|
|
@@ -1234,10 +1234,10 @@ class G extends re {
|
|
|
1234
1234
|
const f = new c(h.Unauthorized, "Authorization flows are not supported");
|
|
1235
1235
|
return this.errorFn(this.server, e, f);
|
|
1236
1236
|
}
|
|
1237
|
-
const s = e.url.searchParams.get("code") ?? "",
|
|
1237
|
+
const s = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, a = e.url.searchParams.get("error") ?? void 0, n = e.url.searchParams.get("error") ?? void 0, l = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1238
1238
|
s,
|
|
1239
|
-
a,
|
|
1240
1239
|
i,
|
|
1240
|
+
a,
|
|
1241
1241
|
n
|
|
1242
1242
|
));
|
|
1243
1243
|
if (l.error) return this.errorFn(this.server, e, c.fromOAuthError(l.error, l.error_description));
|
|
@@ -1261,8 +1261,8 @@ class G extends re {
|
|
|
1261
1261
|
);
|
|
1262
1262
|
} catch (s) {
|
|
1263
1263
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
1264
|
-
const
|
|
1265
|
-
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e,
|
|
1264
|
+
const i = c.asCrossauthError(s);
|
|
1265
|
+
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, e, i);
|
|
1266
1266
|
}
|
|
1267
1267
|
},
|
|
1268
1268
|
load: async (e) => {
|
|
@@ -1286,10 +1286,10 @@ class G extends re {
|
|
|
1286
1286
|
error_description: g.message
|
|
1287
1287
|
};
|
|
1288
1288
|
}
|
|
1289
|
-
const s = e.url.searchParams.get("code") ?? "",
|
|
1289
|
+
const s = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, a = e.url.searchParams.get("error") ?? void 0, n = e.url.searchParams.get("error") ?? void 0, l = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1290
1290
|
s,
|
|
1291
|
-
a,
|
|
1292
1291
|
i,
|
|
1292
|
+
a,
|
|
1293
1293
|
n
|
|
1294
1294
|
));
|
|
1295
1295
|
if (l.error) return {
|
|
@@ -1332,19 +1332,19 @@ class G extends re {
|
|
|
1332
1332
|
};
|
|
1333
1333
|
} catch (s) {
|
|
1334
1334
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
1335
|
-
const
|
|
1335
|
+
const i = c.asCrossauthError(s);
|
|
1336
1336
|
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
|
|
1337
1337
|
ok: !1,
|
|
1338
|
-
error:
|
|
1339
|
-
error_description:
|
|
1338
|
+
error: i.oauthErrorCode,
|
|
1339
|
+
error_description: i.message
|
|
1340
1340
|
};
|
|
1341
1341
|
}
|
|
1342
1342
|
}
|
|
1343
1343
|
}, this.clientCredentialsFlowEndpoint = {
|
|
1344
1344
|
post: async (e) => {
|
|
1345
1345
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1346
|
-
const
|
|
1347
|
-
return this.errorFn(this.server, e,
|
|
1346
|
+
const a = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1347
|
+
return this.errorFn(this.server, e, a);
|
|
1348
1348
|
}
|
|
1349
1349
|
let s;
|
|
1350
1350
|
try {
|
|
@@ -1352,13 +1352,13 @@ class G extends re {
|
|
|
1352
1352
|
const l = new c(h.Unauthorized, "Client credentials flow is not supported");
|
|
1353
1353
|
return this.errorFn(this.server, e, l);
|
|
1354
1354
|
}
|
|
1355
|
-
var
|
|
1356
|
-
await
|
|
1357
|
-
const
|
|
1358
|
-
if (
|
|
1355
|
+
var i = new b();
|
|
1356
|
+
await i.loadData(e), s = i.toObject();
|
|
1357
|
+
const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(s == null ? void 0 : s.scope));
|
|
1358
|
+
if (a.error) {
|
|
1359
1359
|
const l = c.fromOAuthError(
|
|
1360
|
-
|
|
1361
|
-
|
|
1360
|
+
a.error,
|
|
1361
|
+
a.error_description
|
|
1362
1362
|
);
|
|
1363
1363
|
return await this.errorFn(
|
|
1364
1364
|
this.server,
|
|
@@ -1367,17 +1367,17 @@ class G extends re {
|
|
|
1367
1367
|
);
|
|
1368
1368
|
}
|
|
1369
1369
|
const n = await this.receiveTokenFn(
|
|
1370
|
-
|
|
1370
|
+
a,
|
|
1371
1371
|
this,
|
|
1372
1372
|
e,
|
|
1373
1373
|
!1,
|
|
1374
1374
|
this.setEventLocalsUser
|
|
1375
1375
|
);
|
|
1376
1376
|
return n instanceof Response ? n : this.pack(n);
|
|
1377
|
-
} catch (
|
|
1378
|
-
if (p.isSvelteKitRedirect(
|
|
1379
|
-
const n = c.asCrossauthError(
|
|
1380
|
-
return d.logger.debug({ err:
|
|
1377
|
+
} catch (a) {
|
|
1378
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
1379
|
+
const n = c.asCrossauthError(a);
|
|
1380
|
+
return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), this.errorFn(this.server, e, n);
|
|
1381
1381
|
}
|
|
1382
1382
|
},
|
|
1383
1383
|
actions: {
|
|
@@ -1391,25 +1391,25 @@ class G extends re {
|
|
|
1391
1391
|
try {
|
|
1392
1392
|
if (!this.validFlows.includes(E.ClientCredentials))
|
|
1393
1393
|
throw new c(h.Unauthorized, "Client credentials flow is not supported");
|
|
1394
|
-
var
|
|
1395
|
-
await
|
|
1396
|
-
const
|
|
1397
|
-
if (
|
|
1394
|
+
var i = new b();
|
|
1395
|
+
await i.loadData(e), s = i.toObject();
|
|
1396
|
+
const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(s == null ? void 0 : s.scope));
|
|
1397
|
+
if (a.error)
|
|
1398
1398
|
throw c.fromOAuthError(
|
|
1399
|
-
|
|
1400
|
-
|
|
1399
|
+
a.error,
|
|
1400
|
+
a.error_description
|
|
1401
1401
|
);
|
|
1402
1402
|
return await this.receiveTokenFn(
|
|
1403
|
-
|
|
1403
|
+
a,
|
|
1404
1404
|
this,
|
|
1405
1405
|
e,
|
|
1406
1406
|
!1,
|
|
1407
1407
|
this.setEventLocalsUser
|
|
1408
1408
|
) ?? {};
|
|
1409
|
-
} catch (
|
|
1410
|
-
if (p.isSvelteKitRedirect(
|
|
1411
|
-
const n = c.asCrossauthError(
|
|
1412
|
-
return d.logger.debug({ err:
|
|
1409
|
+
} catch (a) {
|
|
1410
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
1411
|
+
const n = c.asCrossauthError(a);
|
|
1412
|
+
return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), {
|
|
1413
1413
|
ok: !1,
|
|
1414
1414
|
error: n.oauthErrorCode,
|
|
1415
1415
|
error_description: n.message
|
|
@@ -1420,8 +1420,8 @@ class G extends re {
|
|
|
1420
1420
|
}, this.refreshTokenFlowEndpoint = {
|
|
1421
1421
|
post: async (e) => {
|
|
1422
1422
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1423
|
-
const
|
|
1424
|
-
return this.errorFn(this.server, e,
|
|
1423
|
+
const a = new c(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1424
|
+
return this.errorFn(this.server, e, a);
|
|
1425
1425
|
}
|
|
1426
1426
|
let s;
|
|
1427
1427
|
try {
|
|
@@ -1429,8 +1429,8 @@ class G extends re {
|
|
|
1429
1429
|
const f = new c(h.Unauthorized, "Refresh token flow is not supported");
|
|
1430
1430
|
return this.errorFn(this.server, e, f);
|
|
1431
1431
|
}
|
|
1432
|
-
var
|
|
1433
|
-
if (await
|
|
1432
|
+
var i = new b();
|
|
1433
|
+
if (await i.loadData(e), s = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1434
1434
|
try {
|
|
1435
1435
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1436
1436
|
throw new c(h.InvalidCsrf);
|
|
@@ -1439,8 +1439,8 @@ class G extends re {
|
|
|
1439
1439
|
const g = new c(h.Unauthorized, "CSRF token not present");
|
|
1440
1440
|
return this.errorFn(this.server, e, g);
|
|
1441
1441
|
}
|
|
1442
|
-
let
|
|
1443
|
-
if (!
|
|
1442
|
+
let a = s.refresh_token;
|
|
1443
|
+
if (!a && this.server.sessionAdapter) {
|
|
1444
1444
|
const f = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1445
1445
|
if (!(f != null && f.refresh_token)) {
|
|
1446
1446
|
const g = new c(
|
|
@@ -1449,16 +1449,16 @@ class G extends re {
|
|
|
1449
1449
|
);
|
|
1450
1450
|
return this.errorFn(this.server, e, g);
|
|
1451
1451
|
}
|
|
1452
|
-
|
|
1452
|
+
a = f.refresh_token;
|
|
1453
1453
|
}
|
|
1454
|
-
if (!
|
|
1454
|
+
if (!a) {
|
|
1455
1455
|
const f = new c(
|
|
1456
1456
|
h.BadRequest,
|
|
1457
1457
|
"No refresh token supplied"
|
|
1458
1458
|
);
|
|
1459
1459
|
return this.errorFn(this.server, e, f);
|
|
1460
1460
|
}
|
|
1461
|
-
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1461
|
+
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), l = await this.receiveTokenFn(
|
|
1462
1462
|
n,
|
|
1463
1463
|
this,
|
|
1464
1464
|
e,
|
|
@@ -1467,10 +1467,10 @@ class G extends re {
|
|
|
1467
1467
|
);
|
|
1468
1468
|
if (n && l instanceof Response) return l;
|
|
1469
1469
|
throw new c(h.UnknownError, "Receive token function did not return a Response");
|
|
1470
|
-
} catch (
|
|
1471
|
-
if (p.isSvelteKitRedirect(
|
|
1472
|
-
const n = c.asCrossauthError(
|
|
1473
|
-
return d.logger.debug({ err:
|
|
1470
|
+
} catch (a) {
|
|
1471
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
1472
|
+
const n = c.asCrossauthError(a);
|
|
1473
|
+
return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), this.errorFn(this.server, e, n);
|
|
1474
1474
|
}
|
|
1475
1475
|
},
|
|
1476
1476
|
actions: {
|
|
@@ -1486,30 +1486,30 @@ class G extends re {
|
|
|
1486
1486
|
const f = new c(h.Unauthorized, "Refresh token flow is not supported");
|
|
1487
1487
|
return this.errorFn(this.server, e, f);
|
|
1488
1488
|
}
|
|
1489
|
-
var
|
|
1490
|
-
if (await
|
|
1489
|
+
var i = new b();
|
|
1490
|
+
if (await i.loadData(e), s = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1491
1491
|
try {
|
|
1492
1492
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1493
1493
|
throw new c(h.InvalidCsrf);
|
|
1494
1494
|
} catch (f) {
|
|
1495
1495
|
throw p.isSvelteKitError(f) || p.isSvelteKitRedirect(f) ? f : new c(h.Unauthorized, "CSRF token not present");
|
|
1496
1496
|
}
|
|
1497
|
-
let
|
|
1498
|
-
if (!
|
|
1497
|
+
let a = s.refresh_token;
|
|
1498
|
+
if (!a && this.server.sessionAdapter) {
|
|
1499
1499
|
const f = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1500
1500
|
if (!(f != null && f.refresh_token))
|
|
1501
1501
|
throw new c(
|
|
1502
1502
|
h.BadRequest,
|
|
1503
1503
|
"No refresh token in session or in parameters"
|
|
1504
1504
|
);
|
|
1505
|
-
|
|
1505
|
+
a = f.refresh_token;
|
|
1506
1506
|
}
|
|
1507
|
-
if (!
|
|
1507
|
+
if (!a)
|
|
1508
1508
|
throw new c(
|
|
1509
1509
|
h.BadRequest,
|
|
1510
1510
|
"No refresh token supplied"
|
|
1511
1511
|
);
|
|
1512
|
-
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1512
|
+
const n = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), l = await this.receiveTokenFn(
|
|
1513
1513
|
n,
|
|
1514
1514
|
this,
|
|
1515
1515
|
e,
|
|
@@ -1518,10 +1518,10 @@ class G extends re {
|
|
|
1518
1518
|
) ?? {};
|
|
1519
1519
|
if (l instanceof Response) throw new c(h.Configuration, "Refresh token flow should return an object not Response");
|
|
1520
1520
|
return l;
|
|
1521
|
-
} catch (
|
|
1522
|
-
if (p.isSvelteKitRedirect(
|
|
1523
|
-
const n = c.asCrossauthError(
|
|
1524
|
-
return d.logger.debug({ err:
|
|
1521
|
+
} catch (a) {
|
|
1522
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
1523
|
+
const n = c.asCrossauthError(a);
|
|
1524
|
+
return d.logger.debug({ err: a }), d.logger.error({ cerr: a }), {
|
|
1525
1525
|
ok: !1,
|
|
1526
1526
|
error: n.oauthErrorCode,
|
|
1527
1527
|
error_description: n.message
|
|
@@ -1570,8 +1570,8 @@ class G extends re {
|
|
|
1570
1570
|
post: async (e) => {
|
|
1571
1571
|
const s = await this.startDeviceCodeFlow_internal(e);
|
|
1572
1572
|
if (s.error) {
|
|
1573
|
-
const
|
|
1574
|
-
return v(s, { status:
|
|
1573
|
+
const i = c.fromOAuthError(s.error, s.error_description);
|
|
1574
|
+
return v(s, { status: i.httpStatus });
|
|
1575
1575
|
}
|
|
1576
1576
|
return v(s);
|
|
1577
1577
|
}
|
|
@@ -1587,40 +1587,40 @@ class G extends re {
|
|
|
1587
1587
|
if (s instanceof Response) return s;
|
|
1588
1588
|
if (s == null) return new Response(null, { status: 204 });
|
|
1589
1589
|
if (s.error) {
|
|
1590
|
-
const
|
|
1591
|
-
return v(s, { status:
|
|
1590
|
+
const i = c.fromOAuthError(s.error, s.error_description);
|
|
1591
|
+
return v(s, { status: i.httpStatus });
|
|
1592
1592
|
}
|
|
1593
1593
|
return v(s);
|
|
1594
1594
|
}
|
|
1595
1595
|
}, this.passwordFlowEndpoint = {
|
|
1596
|
-
post: async (e) => await this.passwordFlow_post(e, (s,
|
|
1596
|
+
post: async (e) => await this.passwordFlow_post(e, (s, i) => this.passwordPost(s, i)),
|
|
1597
1597
|
actions: {
|
|
1598
|
-
password: async (e) => await this.passwordFlow_action(e, (s,
|
|
1599
|
-
passwordOtp: async (e) => await this.passwordFlow_action(e, (s,
|
|
1600
|
-
passwordOob: async (e) => await this.passwordFlow_action(e, (s,
|
|
1598
|
+
password: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordPost(s, i)),
|
|
1599
|
+
passwordOtp: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOtp(s, i)),
|
|
1600
|
+
passwordOob: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOob(s, i))
|
|
1601
1601
|
}
|
|
1602
1602
|
}, this.passwordOtpEndpoint = {
|
|
1603
|
-
post: async (e) => await this.passwordFlow_post(e, (s,
|
|
1603
|
+
post: async (e) => await this.passwordFlow_post(e, (s, i) => this.passwordOtp(s, i)),
|
|
1604
1604
|
actions: {
|
|
1605
|
-
default: async (e) => await this.passwordFlow_action(e, (s,
|
|
1605
|
+
default: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOtp(s, i))
|
|
1606
1606
|
}
|
|
1607
1607
|
}, this.passwordOobEndpoint = {
|
|
1608
|
-
post: async (e) => await this.passwordFlow_post(e, (s,
|
|
1608
|
+
post: async (e) => await this.passwordFlow_post(e, (s, i) => this.passwordOob(s, i)),
|
|
1609
1609
|
actions: {
|
|
1610
|
-
default: async (e) => await this.passwordFlow_action(e, (s,
|
|
1610
|
+
default: async (e) => await this.passwordFlow_action(e, (s, i) => this.passwordOob(s, i))
|
|
1611
1611
|
}
|
|
1612
1612
|
}, this.deleteTokensEndpoint = {
|
|
1613
1613
|
post: async (e) => {
|
|
1614
|
-
var s,
|
|
1614
|
+
var s, i;
|
|
1615
1615
|
try {
|
|
1616
1616
|
return await this.deleteSessionData(e), v({ ok: !0 });
|
|
1617
|
-
} catch (
|
|
1618
|
-
if (p.isSvelteKitRedirect(
|
|
1619
|
-
const n = c.asCrossauthError(
|
|
1617
|
+
} catch (a) {
|
|
1618
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
1619
|
+
const n = c.asCrossauthError(a);
|
|
1620
1620
|
return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), v({
|
|
1621
1621
|
ok: !1,
|
|
1622
1622
|
user: (s = this.server.sessionAdapter) == null ? void 0 : s.getUser(e),
|
|
1623
|
-
csrfToken: (
|
|
1623
|
+
csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
|
|
1624
1624
|
errorCode: n.code,
|
|
1625
1625
|
errorCodeName: n.codeName,
|
|
1626
1626
|
errorMessage: n.message
|
|
@@ -1629,16 +1629,16 @@ class G extends re {
|
|
|
1629
1629
|
},
|
|
1630
1630
|
actions: {
|
|
1631
1631
|
default: async (e) => {
|
|
1632
|
-
var s,
|
|
1632
|
+
var s, i;
|
|
1633
1633
|
try {
|
|
1634
1634
|
return await this.deleteSessionData(e), { ok: !0 };
|
|
1635
|
-
} catch (
|
|
1636
|
-
if (p.isSvelteKitRedirect(
|
|
1637
|
-
const n = c.asCrossauthError(
|
|
1635
|
+
} catch (a) {
|
|
1636
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
1637
|
+
const n = c.asCrossauthError(a);
|
|
1638
1638
|
return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), {
|
|
1639
1639
|
ok: !1,
|
|
1640
1640
|
user: (s = this.server.sessionAdapter) == null ? void 0 : s.getUser(e),
|
|
1641
|
-
csrfToken: (
|
|
1641
|
+
csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
|
|
1642
1642
|
errorCode: n.code,
|
|
1643
1643
|
errorCodeName: n.codeName,
|
|
1644
1644
|
errorMessage: n.message
|
|
@@ -1753,8 +1753,8 @@ class G extends re {
|
|
|
1753
1753
|
if (e.locals.user || !r.sessionAdapter) return;
|
|
1754
1754
|
let s = await r.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1755
1755
|
if (s && s.id_payload) {
|
|
1756
|
-
let
|
|
1757
|
-
|
|
1756
|
+
let i = s.expires_at;
|
|
1757
|
+
i && i > Date.now() && s.id_payload.sub && await this.setEventLocalsUser(e, s.id_payload);
|
|
1758
1758
|
}
|
|
1759
1759
|
this.testMiddleware && (this.testEvent = e);
|
|
1760
1760
|
};
|
|
@@ -1789,10 +1789,10 @@ class G extends re {
|
|
|
1789
1789
|
);
|
|
1790
1790
|
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(E.PasswordMfa)) {
|
|
1791
1791
|
const s = e.mfa_token;
|
|
1792
|
-
let
|
|
1793
|
-
if (
|
|
1792
|
+
let i = o.scope;
|
|
1793
|
+
if (i == "" && (i = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
|
|
1794
1794
|
s,
|
|
1795
|
-
|
|
1795
|
+
i,
|
|
1796
1796
|
r
|
|
1797
1797
|
)), e.error)
|
|
1798
1798
|
throw c.fromOAuthError(
|
|
@@ -1828,11 +1828,11 @@ class G extends re {
|
|
|
1828
1828
|
};
|
|
1829
1829
|
const s = e.authenticators[0];
|
|
1830
1830
|
if (s.authenticator_type == "otp") {
|
|
1831
|
-
const
|
|
1832
|
-
if (
|
|
1831
|
+
const a = await this.mfaOtpRequest(r, s.id);
|
|
1832
|
+
if (a.error || a.challenge_type != "otp") {
|
|
1833
1833
|
const n = c.fromOAuthError(
|
|
1834
|
-
|
|
1835
|
-
|
|
1834
|
+
a.error ?? "server_error",
|
|
1835
|
+
a.error_description ?? "Invalid response from MFA OTP challenge"
|
|
1836
1836
|
);
|
|
1837
1837
|
return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), {
|
|
1838
1838
|
error: n.oauthErrorCode,
|
|
@@ -1842,14 +1842,14 @@ class G extends re {
|
|
|
1842
1842
|
return {
|
|
1843
1843
|
scope: o,
|
|
1844
1844
|
mfa_token: r,
|
|
1845
|
-
challenge_type:
|
|
1845
|
+
challenge_type: a.challenge_type
|
|
1846
1846
|
};
|
|
1847
1847
|
} else if (s.authenticator_type == "oob") {
|
|
1848
|
-
const
|
|
1849
|
-
if (
|
|
1848
|
+
const a = await this.mfaOobRequest(r, s.id);
|
|
1849
|
+
if (a.error || a.challenge_type != "oob" || !a.oob_code || a.binding_method != "prompt") {
|
|
1850
1850
|
const n = c.fromOAuthError(
|
|
1851
|
-
|
|
1852
|
-
|
|
1851
|
+
a.error ?? "server_error",
|
|
1852
|
+
a.error_description ?? "Invalid response from MFA OOB challenge"
|
|
1853
1853
|
);
|
|
1854
1854
|
return d.logger.debug({ err: n }), d.logger.error({ cerr: n }), {
|
|
1855
1855
|
error: n.oauthErrorCode,
|
|
@@ -1860,19 +1860,19 @@ class G extends re {
|
|
|
1860
1860
|
scope: o,
|
|
1861
1861
|
mfa_token: r,
|
|
1862
1862
|
oob_channel: s.oob_channel,
|
|
1863
|
-
challenge_type:
|
|
1864
|
-
binding_method:
|
|
1865
|
-
oob_code:
|
|
1863
|
+
challenge_type: a.challenge_type,
|
|
1864
|
+
binding_method: a.binding_method,
|
|
1865
|
+
oob_code: a.oob_code,
|
|
1866
1866
|
name: s.name
|
|
1867
1867
|
};
|
|
1868
1868
|
}
|
|
1869
|
-
const
|
|
1869
|
+
const i = new c(
|
|
1870
1870
|
h.UnknownError,
|
|
1871
1871
|
"Unsupported MFA type " + s.authenticator_type + " returned"
|
|
1872
1872
|
);
|
|
1873
1873
|
return {
|
|
1874
|
-
error:
|
|
1875
|
-
error_description:
|
|
1874
|
+
error: i.oauthErrorCode,
|
|
1875
|
+
error_description: i.message
|
|
1876
1876
|
};
|
|
1877
1877
|
}
|
|
1878
1878
|
async passwordOtp(r, o) {
|
|
@@ -1908,7 +1908,7 @@ class G extends re {
|
|
|
1908
1908
|
return e.error ? (d.logger.warn(u({
|
|
1909
1909
|
msg: "Error completing MFA",
|
|
1910
1910
|
user: (s = this.server.sessionAdapter) == null ? void 0 : s.getUser(r),
|
|
1911
|
-
hashedMfaToken: o.mfa_token ?
|
|
1911
|
+
hashedMfaToken: o.mfa_token ? F.hash(o.mfa_token) : void 0
|
|
1912
1912
|
})), {
|
|
1913
1913
|
error: e.error,
|
|
1914
1914
|
error_description: e.error_description
|
|
@@ -1927,10 +1927,10 @@ class G extends re {
|
|
|
1927
1927
|
if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
|
|
1928
1928
|
try {
|
|
1929
1929
|
o.locals.sessionId && (this.autoRefreshActive[o.locals.sessionId] = !0);
|
|
1930
|
-
const
|
|
1931
|
-
if (!
|
|
1930
|
+
const i = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
|
|
1931
|
+
if (!i.error && !i.access_token && (i.error = "server_error", i.error_description = "Unexpectedly did not receive error or access token"), !i.error) {
|
|
1932
1932
|
const l = await this.receiveTokenFn(
|
|
1933
|
-
|
|
1933
|
+
i,
|
|
1934
1934
|
this,
|
|
1935
1935
|
o,
|
|
1936
1936
|
r == "silent",
|
|
@@ -1940,43 +1940,43 @@ class G extends re {
|
|
|
1940
1940
|
}
|
|
1941
1941
|
if (r != "silent") {
|
|
1942
1942
|
const l = c.fromOAuthError(
|
|
1943
|
-
|
|
1944
|
-
|
|
1943
|
+
i.error ?? "server_error",
|
|
1944
|
+
i.error_description
|
|
1945
1945
|
);
|
|
1946
1946
|
return r == "page" ? this.errorFn(this.server, o, l) : {
|
|
1947
1947
|
error: l.oauthErrorCode,
|
|
1948
1948
|
error_description: l.message
|
|
1949
1949
|
};
|
|
1950
1950
|
}
|
|
1951
|
-
let
|
|
1952
|
-
if (!
|
|
1953
|
-
const l =
|
|
1954
|
-
l.exp && (
|
|
1951
|
+
let a = i.expires_in;
|
|
1952
|
+
if (!a && i.access_token) {
|
|
1953
|
+
const l = M(i.access_token);
|
|
1954
|
+
l.exp && (a = l.exp);
|
|
1955
1955
|
}
|
|
1956
|
-
if (!
|
|
1956
|
+
if (!a)
|
|
1957
1957
|
throw new c(
|
|
1958
1958
|
h.BadRequest,
|
|
1959
1959
|
"OAuth server did not return an expiry for the access token"
|
|
1960
1960
|
);
|
|
1961
|
-
const n = (/* @__PURE__ */ new Date()).getTime() +
|
|
1961
|
+
const n = (/* @__PURE__ */ new Date()).getTime() + a * 1e3;
|
|
1962
1962
|
return {
|
|
1963
|
-
access_token:
|
|
1964
|
-
refresh_token:
|
|
1965
|
-
expires_in:
|
|
1963
|
+
access_token: i.access_token,
|
|
1964
|
+
refresh_token: i.refresh_token,
|
|
1965
|
+
expires_in: i.expires_in,
|
|
1966
1966
|
expires_at: n,
|
|
1967
|
-
error:
|
|
1968
|
-
error_description:
|
|
1967
|
+
error: i.error,
|
|
1968
|
+
error_description: i.error_description
|
|
1969
1969
|
};
|
|
1970
|
-
} catch (
|
|
1971
|
-
if (p.isSvelteKitRedirect(
|
|
1972
|
-
if (d.logger.debug(u({ err:
|
|
1973
|
-
cerr:
|
|
1970
|
+
} catch (i) {
|
|
1971
|
+
if (p.isSvelteKitRedirect(i) || p.isSvelteKitError(i)) throw i;
|
|
1972
|
+
if (d.logger.debug(u({ err: i })), d.logger.error(u({
|
|
1973
|
+
cerr: i,
|
|
1974
1974
|
msg: "Failed refreshing access token"
|
|
1975
1975
|
})), r != "silent") {
|
|
1976
|
-
const
|
|
1977
|
-
return r == "page" ? this.errorFn(this.server, o,
|
|
1978
|
-
error:
|
|
1979
|
-
error_description:
|
|
1976
|
+
const a = c.asCrossauthError(i);
|
|
1977
|
+
return r == "page" ? this.errorFn(this.server, o, a) : {
|
|
1978
|
+
error: a.oauthErrorCode,
|
|
1979
|
+
error_description: a.message
|
|
1980
1980
|
};
|
|
1981
1981
|
}
|
|
1982
1982
|
return {
|
|
@@ -2053,16 +2053,16 @@ class G extends re {
|
|
|
2053
2053
|
let t;
|
|
2054
2054
|
try {
|
|
2055
2055
|
if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
|
|
2056
|
-
const
|
|
2057
|
-
return this.errorFn(this.server, r,
|
|
2056
|
+
const a = new c(h.Unauthorized, "Password flow is not supported");
|
|
2057
|
+
return this.errorFn(this.server, r, a);
|
|
2058
2058
|
}
|
|
2059
2059
|
var e = new b();
|
|
2060
2060
|
if (await e.loadData(r), t = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2061
2061
|
try {
|
|
2062
2062
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2063
2063
|
throw new c(h.InvalidCsrf);
|
|
2064
|
-
} catch (
|
|
2065
|
-
if (p.isSvelteKitError(
|
|
2064
|
+
} catch (a) {
|
|
2065
|
+
if (p.isSvelteKitError(a) || p.isSvelteKitRedirect(a)) throw a;
|
|
2066
2066
|
const n = new c(h.Unauthorized, "CSRF token not present");
|
|
2067
2067
|
return this.errorFn(this.server, r, n);
|
|
2068
2068
|
}
|
|
@@ -2072,19 +2072,19 @@ class G extends re {
|
|
|
2072
2072
|
ok: !1,
|
|
2073
2073
|
...s
|
|
2074
2074
|
};
|
|
2075
|
-
const
|
|
2075
|
+
const i = await this.receiveTokenFn(
|
|
2076
2076
|
s,
|
|
2077
2077
|
this,
|
|
2078
2078
|
r,
|
|
2079
2079
|
!1,
|
|
2080
2080
|
this.setEventLocalsUser
|
|
2081
2081
|
);
|
|
2082
|
-
if (s &&
|
|
2082
|
+
if (s && i instanceof Response) return i;
|
|
2083
2083
|
throw new c(h.UnknownError, "Receive token function did not return a Response");
|
|
2084
2084
|
} catch (s) {
|
|
2085
2085
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
2086
|
-
const
|
|
2087
|
-
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, r,
|
|
2086
|
+
const i = c.asCrossauthError(s);
|
|
2087
|
+
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), this.errorFn(this.server, r, i);
|
|
2088
2088
|
}
|
|
2089
2089
|
}
|
|
2090
2090
|
async passwordFlow_action(r, o) {
|
|
@@ -2096,16 +2096,16 @@ class G extends re {
|
|
|
2096
2096
|
let t;
|
|
2097
2097
|
try {
|
|
2098
2098
|
if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
|
|
2099
|
-
const
|
|
2100
|
-
return this.errorFn(this.server, r,
|
|
2099
|
+
const a = new c(h.Unauthorized, "Password and Password MFA flows are not supported");
|
|
2100
|
+
return this.errorFn(this.server, r, a);
|
|
2101
2101
|
}
|
|
2102
2102
|
var e = new b();
|
|
2103
2103
|
if (await e.loadData(r), t = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2104
2104
|
try {
|
|
2105
2105
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2106
2106
|
throw new c(h.InvalidCsrf);
|
|
2107
|
-
} catch (
|
|
2108
|
-
throw p.isSvelteKitError(
|
|
2107
|
+
} catch (a) {
|
|
2108
|
+
throw p.isSvelteKitError(a) || p.isSvelteKitRedirect(a) ? a : new c(h.Unauthorized, "CSRF token not present");
|
|
2109
2109
|
}
|
|
2110
2110
|
const s = await o(r, t);
|
|
2111
2111
|
if (!s) throw new c(h.UnknownError, "Password flow returned no data");
|
|
@@ -2116,27 +2116,27 @@ class G extends re {
|
|
|
2116
2116
|
};
|
|
2117
2117
|
if (s.challenge_type) {
|
|
2118
2118
|
if (!this.validFlows.includes(E.PasswordMfa)) {
|
|
2119
|
-
const
|
|
2120
|
-
return this.errorFn(this.server, r,
|
|
2119
|
+
const a = new c(h.Unauthorized, "Password MFA flow is not supported");
|
|
2120
|
+
return this.errorFn(this.server, r, a);
|
|
2121
2121
|
}
|
|
2122
2122
|
return s;
|
|
2123
2123
|
}
|
|
2124
|
-
const
|
|
2124
|
+
const i = await this.receiveTokenFn(
|
|
2125
2125
|
s,
|
|
2126
2126
|
this,
|
|
2127
2127
|
r,
|
|
2128
2128
|
!1,
|
|
2129
2129
|
this.setEventLocalsUser
|
|
2130
2130
|
) ?? {};
|
|
2131
|
-
if (
|
|
2132
|
-
return
|
|
2131
|
+
if (i instanceof Response) throw new c(h.Configuration, "Refresh token flow should return an object not Response");
|
|
2132
|
+
return i;
|
|
2133
2133
|
} catch (s) {
|
|
2134
2134
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
2135
|
-
const
|
|
2135
|
+
const i = c.asCrossauthError(s);
|
|
2136
2136
|
return d.logger.debug({ err: s }), d.logger.error({ cerr: s }), {
|
|
2137
2137
|
ok: !1,
|
|
2138
|
-
error:
|
|
2139
|
-
error_description:
|
|
2138
|
+
error: i.oauthErrorCode,
|
|
2139
|
+
error_description: i.message
|
|
2140
2140
|
};
|
|
2141
2141
|
}
|
|
2142
2142
|
}
|
|
@@ -2162,30 +2162,30 @@ class G extends re {
|
|
|
2162
2162
|
let s = o.url;
|
|
2163
2163
|
if (!s) {
|
|
2164
2164
|
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new c(h.Unauthorized, "Attempt to call BFF url with the wrong prefix");
|
|
2165
|
-
const
|
|
2166
|
-
let
|
|
2167
|
-
|
|
2165
|
+
const i = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2166
|
+
let a = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
|
|
2167
|
+
a && a != "" && (a = "?" + a), s = new URL(this.bffBaseUrl + i + a);
|
|
2168
2168
|
}
|
|
2169
2169
|
o.headers || (o.headers = new Headers());
|
|
2170
|
-
for (let
|
|
2171
|
-
|
|
2172
|
-
const
|
|
2170
|
+
for (let i = 0; i < this.bffMaxTries; ++i) {
|
|
2171
|
+
i > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
|
|
2172
|
+
const a = await this.server.sessionAdapter.getSessionData(
|
|
2173
2173
|
r,
|
|
2174
2174
|
this.sessionDataName
|
|
2175
2175
|
);
|
|
2176
|
-
if (!
|
|
2177
|
-
if (
|
|
2176
|
+
if (!a) {
|
|
2177
|
+
if (i == this.bffMaxTries)
|
|
2178
2178
|
throw new c(h.Unauthorized, "No access token found");
|
|
2179
2179
|
continue;
|
|
2180
2180
|
}
|
|
2181
|
-
let n =
|
|
2182
|
-
if (
|
|
2181
|
+
let n = a.access_token;
|
|
2182
|
+
if (a && a.access_token) {
|
|
2183
2183
|
const g = await this.refresh(
|
|
2184
2184
|
"silent",
|
|
2185
2185
|
r,
|
|
2186
2186
|
!0,
|
|
2187
|
-
|
|
2188
|
-
|
|
2187
|
+
a.refresh_token,
|
|
2188
|
+
a.expires_at
|
|
2189
2189
|
);
|
|
2190
2190
|
if (g instanceof Response) throw new c(h.Configuration, "Expected object when refreshing tokens, not Response");
|
|
2191
2191
|
if (g != null && g.access_token)
|
|
@@ -2207,7 +2207,7 @@ class G extends re {
|
|
|
2207
2207
|
headers: o.headers,
|
|
2208
2208
|
method: o.method ?? r.request.method
|
|
2209
2209
|
}), l.status == 401) {
|
|
2210
|
-
if (
|
|
2210
|
+
if (i < this.bffMaxTries - 1)
|
|
2211
2211
|
continue;
|
|
2212
2212
|
return l;
|
|
2213
2213
|
} else
|
|
@@ -2216,11 +2216,11 @@ class G extends re {
|
|
|
2216
2216
|
return new Response(null, { status: 401 });
|
|
2217
2217
|
} catch (s) {
|
|
2218
2218
|
if (p.isSvelteKitError(s) || p.isSvelteKitRedirect(s)) throw s;
|
|
2219
|
-
const
|
|
2220
|
-
return d.logger.debug({ err:
|
|
2221
|
-
error:
|
|
2222
|
-
error_description:
|
|
2223
|
-
}, { status:
|
|
2219
|
+
const i = c.asCrossauthError(s);
|
|
2220
|
+
return d.logger.debug({ err: i }), d.logger.error({ cerr: i }), v({
|
|
2221
|
+
error: i.oauthErrorCode,
|
|
2222
|
+
error_description: i.message
|
|
2223
|
+
}, { status: i.httpStatus });
|
|
2224
2224
|
}
|
|
2225
2225
|
}
|
|
2226
2226
|
async unpack(r) {
|
|
@@ -2258,16 +2258,16 @@ class G extends re {
|
|
|
2258
2258
|
const t = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2259
2259
|
let e;
|
|
2260
2260
|
for (let s = 0; s < this.bffEndpoints.length; ++s) {
|
|
2261
|
-
let
|
|
2262
|
-
if (
|
|
2263
|
-
let
|
|
2264
|
-
if (n.endsWith("/") || (n += "/"),
|
|
2261
|
+
let i = this.bffEndpoints[s];
|
|
2262
|
+
if (i.matchSubUrls) {
|
|
2263
|
+
let a = i.url, n = i.url;
|
|
2264
|
+
if (n.endsWith("/") || (n += "/"), i.methodsString.includes(r.request.method) && (t.startsWith(n) || t == a)) {
|
|
2265
2265
|
e = s;
|
|
2266
2266
|
break;
|
|
2267
2267
|
}
|
|
2268
2268
|
} else {
|
|
2269
|
-
let
|
|
2270
|
-
if (
|
|
2269
|
+
let a = i.url;
|
|
2270
|
+
if (i.methodsString.includes(r.request.method) && t == a) {
|
|
2271
2271
|
e = s;
|
|
2272
2272
|
break;
|
|
2273
2273
|
}
|
|
@@ -2297,23 +2297,23 @@ class G extends re {
|
|
|
2297
2297
|
if (!this.tokenEndpoints || this.tokenEndpoints.length == 0)
|
|
2298
2298
|
throw new c(h.Unauthorized, "No tokens have been made available");
|
|
2299
2299
|
let s = Array.isArray(o) ? o : [o];
|
|
2300
|
-
const
|
|
2300
|
+
const i = await this.server.sessionAdapter.getSessionData(
|
|
2301
2301
|
r,
|
|
2302
2302
|
this.sessionDataName
|
|
2303
2303
|
);
|
|
2304
|
-
if (!
|
|
2304
|
+
if (!i)
|
|
2305
2305
|
throw new c(h.Unauthorized, "No access token found");
|
|
2306
|
-
let
|
|
2306
|
+
let a = {}, n, l = !1;
|
|
2307
2307
|
for (let f of s) {
|
|
2308
2308
|
if (!this.tokenEndpoints.includes(f)) throw new c(h.Unauthorized, "Token type " + f + " may not be returned");
|
|
2309
2309
|
l = !1;
|
|
2310
2310
|
let g = f;
|
|
2311
2311
|
f.startsWith("have_") && (g = f.replace("have_", ""), l = !0);
|
|
2312
2312
|
const m = g.replace("_token", ""), w = e && this.jwtTokens.includes(m);
|
|
2313
|
-
let S = this.tokenPayload(g,
|
|
2314
|
-
l ?
|
|
2313
|
+
let S = this.tokenPayload(g, i, l, w);
|
|
2314
|
+
l ? a[f] = S.ok : S && (a[f] = S), n = a[f];
|
|
2315
2315
|
}
|
|
2316
|
-
return Array.isArray(o) ? { status: 200, body:
|
|
2316
|
+
return Array.isArray(o) ? { status: 200, body: a } : n ? l ? { status: 200, body: typeof n == "boolean" ? { ok: n } : n } : { status: 200, body: n } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
|
|
2317
2317
|
} catch (t) {
|
|
2318
2318
|
if (p.isSvelteKitError(t) || p.isSvelteKitRedirect(t)) throw t;
|
|
2319
2319
|
const e = c.asCrossauthError(t);
|
|
@@ -2344,13 +2344,13 @@ class G extends re {
|
|
|
2344
2344
|
e == "" && (e = void 0);
|
|
2345
2345
|
let s = this.authServerBaseUrl;
|
|
2346
2346
|
s.endsWith("/") || (s += "/"), s += this.deviceAuthorizationUrl;
|
|
2347
|
-
const
|
|
2348
|
-
let
|
|
2349
|
-
return
|
|
2350
|
-
|
|
2347
|
+
const i = await this.startDeviceCodeFlow(s, e);
|
|
2348
|
+
let a;
|
|
2349
|
+
return i.verification_uri_complete && await ae.toDataURL(i.verification_uri_complete).then((n) => {
|
|
2350
|
+
a = n;
|
|
2351
2351
|
}).catch((n) => {
|
|
2352
2352
|
d.logger.debug(u({ err: n })), d.logger.warn(u({ msg: "Couldn't generate verification URL QR Code" }));
|
|
2353
|
-
}),
|
|
2353
|
+
}), a ? { verification_uri_qrdata: a, ...i } : i;
|
|
2354
2354
|
} catch (e) {
|
|
2355
2355
|
if (p.isSvelteKitRedirect(e) || p.isSvelteKitError(e)) throw e;
|
|
2356
2356
|
const s = c.asCrossauthError(e);
|
|
@@ -2370,8 +2370,8 @@ class G extends re {
|
|
|
2370
2370
|
try {
|
|
2371
2371
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2372
2372
|
throw new c(h.InvalidCsrf);
|
|
2373
|
-
} catch (
|
|
2374
|
-
throw p.isSvelteKitError(
|
|
2373
|
+
} catch (i) {
|
|
2374
|
+
throw p.isSvelteKitError(i) || p.isSvelteKitRedirect(i) ? i : new c(h.Unauthorized, "CSRF token not present");
|
|
2375
2375
|
}
|
|
2376
2376
|
let e = o.device_code;
|
|
2377
2377
|
if (!e) throw new c(h.BadRequest, "No device code given when polling for user authorization");
|
|
@@ -2386,8 +2386,8 @@ class G extends re {
|
|
|
2386
2386
|
);
|
|
2387
2387
|
{
|
|
2388
2388
|
if (s.error == "authorization_pending") return { ok: !0, ...s };
|
|
2389
|
-
let
|
|
2390
|
-
const n = c.fromOAuthError(
|
|
2389
|
+
let i = s.error ?? "server_error", a = s.error_description ?? "Didn't receive an access token";
|
|
2390
|
+
const n = c.fromOAuthError(i, a);
|
|
2391
2391
|
return this.errorFn(this.server, r, n);
|
|
2392
2392
|
}
|
|
2393
2393
|
} catch (e) {
|
|
@@ -2433,14 +2433,14 @@ class ge extends se {
|
|
|
2433
2433
|
for (const [e, s] of Object.entries(o.protectedEndpoints)) {
|
|
2434
2434
|
if (!e.startsWith("/"))
|
|
2435
2435
|
throw new c(h.Configuration, "protected endpoints must be absolute paths without the protocol and hostname");
|
|
2436
|
-
s.scope && s.scope.forEach((
|
|
2437
|
-
if (!t.test(
|
|
2436
|
+
s.scope && s.scope.forEach((i) => {
|
|
2437
|
+
if (!t.test(i)) throw new c(h.Configuration, "Illegal characters in scope " + i);
|
|
2438
2438
|
});
|
|
2439
2439
|
}
|
|
2440
2440
|
this.protectedEndpoints = o.protectedEndpoints;
|
|
2441
2441
|
}
|
|
2442
2442
|
o.protectedEndpoints && (this.hook = async ({ event: t }) => {
|
|
2443
|
-
var
|
|
2443
|
+
var i, a;
|
|
2444
2444
|
const e = t.url.pathname;
|
|
2445
2445
|
if (!(e in this.protectedEndpoints)) return;
|
|
2446
2446
|
const s = await this.authorized(t);
|
|
@@ -2468,7 +2468,7 @@ class ge extends se {
|
|
|
2468
2468
|
}
|
|
2469
2469
|
}
|
|
2470
2470
|
if (s) {
|
|
2471
|
-
if (t.locals.accessTokenPayload = s.tokenPayload, t.locals.user = s.user, (
|
|
2471
|
+
if (t.locals.accessTokenPayload = s.tokenPayload, t.locals.user = s.user, (i = s.tokenPayload) != null && i.scope)
|
|
2472
2472
|
if (Array.isArray(s.tokenPayload.scope)) {
|
|
2473
2473
|
let n = [];
|
|
2474
2474
|
for (let l of s.tokenPayload.scope)
|
|
@@ -2480,7 +2480,7 @@ class ge extends se {
|
|
|
2480
2480
|
if (!t.locals.scope || !t.locals.scope.includes(n) && this.protectedEndpoints[e].acceptSessionAuthorization != !0) {
|
|
2481
2481
|
d.logger.warn(u({
|
|
2482
2482
|
msg: "Access token does not have sufficient scope",
|
|
2483
|
-
username: (
|
|
2483
|
+
username: (a = t.locals.user) == null ? void 0 : a.username,
|
|
2484
2484
|
url: t.request.url
|
|
2485
2485
|
})), t.locals.scope = void 0, t.locals.accessTokenPayload = void 0, t.locals.user = void 0, t.locals.authError = "access_denied", t.locals.authErrorDescription = "Access token does not have sufficient scope";
|
|
2486
2486
|
const l = this.authenticateHeader(t);
|
|
@@ -2635,8 +2635,8 @@ const D = class D {
|
|
|
2635
2635
|
apiKey: t,
|
|
2636
2636
|
oAuthAuthServer: e,
|
|
2637
2637
|
oAuthClient: s,
|
|
2638
|
-
oAuthClients:
|
|
2639
|
-
oAuthResServer:
|
|
2638
|
+
oAuthClients: i,
|
|
2639
|
+
oAuthResServer: a,
|
|
2640
2640
|
options: n
|
|
2641
2641
|
}) {
|
|
2642
2642
|
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (f) => ({}), this.dummyActions = {}, this.dummyBff = async (f) => ({ status: 500, body: { error: "Unimplemented" } }), n || (n = {}), y("loginUrl", _.String, this, n, "LOGIN_URL", !1), n.isAdminFn && (D.isAdminFn = n.isAdminFn);
|
|
@@ -2667,15 +2667,15 @@ const D = class D {
|
|
|
2667
2667
|
{ ...f, ...n, ...e.options }
|
|
2668
2668
|
);
|
|
2669
2669
|
}
|
|
2670
|
-
if (s &&
|
|
2670
|
+
if (s && i)
|
|
2671
2671
|
throw new c(h.Configuration, "Cannot specify both oAuthClient and oAuthClients");
|
|
2672
2672
|
if (s && (this.oAuthClient = new G(
|
|
2673
2673
|
this,
|
|
2674
2674
|
s.authServerBaseUrl,
|
|
2675
2675
|
{ ...n, ...s.options }
|
|
2676
|
-
)),
|
|
2676
|
+
)), i) {
|
|
2677
2677
|
this.oAuthClients = [];
|
|
2678
|
-
for (let f of
|
|
2678
|
+
for (let f of i)
|
|
2679
2679
|
this.oAuthClients.push(
|
|
2680
2680
|
new G(
|
|
2681
2681
|
this,
|
|
@@ -2684,9 +2684,9 @@ const D = class D {
|
|
|
2684
2684
|
)
|
|
2685
2685
|
);
|
|
2686
2686
|
}
|
|
2687
|
-
|
|
2687
|
+
a && (y("audience", _.String, this, n, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2688
2688
|
[new te(this.audience, n)],
|
|
2689
|
-
{ sessionAdapter: this.sessionAdapter, ...
|
|
2689
|
+
{ sessionAdapter: this.sessionAdapter, ...a.options, ...n }
|
|
2690
2690
|
)), this.hooks = async ({ event: f, resolve: g }) => {
|
|
2691
2691
|
const m = await this.unresolvedHooks(f);
|
|
2692
2692
|
return await g(m);
|
|
@@ -2797,12 +2797,12 @@ class we {
|
|
|
2797
2797
|
const g = await this.sessionServer.getSessionData(t, "factor2change");
|
|
2798
2798
|
g != null && g.username || this.isSessionUser(t) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), e = g == null ? void 0 : g.username;
|
|
2799
2799
|
}
|
|
2800
|
-
let s = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }],
|
|
2801
|
-
|
|
2800
|
+
let s = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], i = {}, a = t.url.searchParams.get("required"), n;
|
|
2801
|
+
a && (a = a.toLowerCase(), n = a == "true" || a == "1", n == !0 && (i.required = !0));
|
|
2802
2802
|
let l = t.url.searchParams.get("next");
|
|
2803
|
-
return l && (
|
|
2803
|
+
return l && (i.next = l), {
|
|
2804
2804
|
allowedFactor2: s,
|
|
2805
|
-
...
|
|
2805
|
+
...i,
|
|
2806
2806
|
username: e,
|
|
2807
2807
|
...this.baseEndpoint(t)
|
|
2808
2808
|
};
|
|
@@ -2812,12 +2812,12 @@ class we {
|
|
|
2812
2812
|
default: async (t) => await this.changePassword(t)
|
|
2813
2813
|
},
|
|
2814
2814
|
load: async (t) => {
|
|
2815
|
-
let e = {}, s = t.url.searchParams.get("required"),
|
|
2816
|
-
if (!
|
|
2815
|
+
let e = {}, s = t.url.searchParams.get("required"), i, a = t.locals.user != null;
|
|
2816
|
+
if (!a) {
|
|
2817
2817
|
const l = await this.sessionServer.getSessionData(t, "passwordchange");
|
|
2818
|
-
l != null && l.username && (
|
|
2818
|
+
l != null && l.username && (a = !0);
|
|
2819
2819
|
}
|
|
2820
|
-
|
|
2820
|
+
a || this.sessionServer.redirect(302, this.loginUrl), s && (s = s.toLowerCase(), i = s == "true" || s == "1", i == !0 && (e.required = !0));
|
|
2821
2821
|
let n = t.url.searchParams.get("next");
|
|
2822
2822
|
return n && (e.next = n), {
|
|
2823
2823
|
...e,
|
|
@@ -2843,8 +2843,8 @@ class we {
|
|
|
2843
2843
|
default: async (t) => await this.requestPasswordReset(t)
|
|
2844
2844
|
},
|
|
2845
2845
|
load: async (t) => {
|
|
2846
|
-
let e = {}, s = t.url.searchParams.get("required"),
|
|
2847
|
-
return s && (s = s.toLowerCase(),
|
|
2846
|
+
let e = {}, s = t.url.searchParams.get("required"), i;
|
|
2847
|
+
return s && (s = s.toLowerCase(), i = s == "true" || s == "1", i == !0 && (e.required = !0)), {
|
|
2848
2848
|
...e,
|
|
2849
2849
|
...this.baseEndpoint(t)
|
|
2850
2850
|
};
|
|
@@ -2864,14 +2864,14 @@ class we {
|
|
|
2864
2864
|
try {
|
|
2865
2865
|
return e = await this.resetPassword(t), e;
|
|
2866
2866
|
} catch (s) {
|
|
2867
|
-
const
|
|
2867
|
+
const i = c.asCrossauthError(s);
|
|
2868
2868
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
2869
|
-
return d.logger.debug(u({ err:
|
|
2869
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
2870
2870
|
ok: !1,
|
|
2871
2871
|
tokenValidated: !1,
|
|
2872
2872
|
error: e == null ? void 0 : e.error,
|
|
2873
|
-
errorCode:
|
|
2874
|
-
errorCodeName:
|
|
2873
|
+
errorCode: i.code,
|
|
2874
|
+
errorCodeName: i.codeName,
|
|
2875
2875
|
...this.baseEndpoint(t)
|
|
2876
2876
|
};
|
|
2877
2877
|
}
|
|
@@ -2971,26 +2971,26 @@ class we {
|
|
|
2971
2971
|
try {
|
|
2972
2972
|
var t = new b();
|
|
2973
2973
|
await t.loadData(r), o = t.toObject();
|
|
2974
|
-
const e = t.get("username") ?? "", s = t.getAsBoolean("persist") ?? !1,
|
|
2974
|
+
const e = t.get("username") ?? "", s = t.getAsBoolean("persist") ?? !1, i = o.next ?? this.loginRedirectUrl;
|
|
2975
2975
|
if (e == "") throw new c(h.InvalidUsername, "Username field may not be empty");
|
|
2976
|
-
let
|
|
2976
|
+
let a = this.addToSession ? this.addToSession(r, o) : {};
|
|
2977
2977
|
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new c(h.InvalidCsrf);
|
|
2978
2978
|
const n = this.sessionServer.getSessionCookieValue(r);
|
|
2979
|
-
let { sessionCookie: l, csrfCookie: f, user: g } = await this.sessionServer.sessionManager.login(e, t.toObject(),
|
|
2979
|
+
let { sessionCookie: l, csrfCookie: f, user: g } = await this.sessionServer.sessionManager.login(e, t.toObject(), a, s);
|
|
2980
2980
|
if (d.logger.debug(u({
|
|
2981
2981
|
msg: "Login: set session cookie " + l.name + " opts " + JSON.stringify(l.options),
|
|
2982
2982
|
user: e
|
|
2983
2983
|
})), r.cookies.set(
|
|
2984
2984
|
l.name,
|
|
2985
2985
|
l.value,
|
|
2986
|
-
|
|
2986
|
+
P(l.options)
|
|
2987
2987
|
), d.logger.debug(u({
|
|
2988
2988
|
msg: "Login: set csrf cookie " + f.name + " opts " + JSON.stringify(l.options),
|
|
2989
2989
|
user: e
|
|
2990
2990
|
})), this.sessionServer.enableCsrfProtection && (r.cookies.set(
|
|
2991
2991
|
f.name,
|
|
2992
2992
|
f.value,
|
|
2993
|
-
|
|
2993
|
+
P(f.options)
|
|
2994
2994
|
), r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(f.value)), n)
|
|
2995
2995
|
try {
|
|
2996
2996
|
await this.sessionServer.sessionManager.deleteSession(n);
|
|
@@ -3001,13 +3001,13 @@ class we {
|
|
|
3001
3001
|
})), d.logger.debug(u({ err: m }));
|
|
3002
3002
|
}
|
|
3003
3003
|
if (g.state == I.passwordChangeNeeded)
|
|
3004
|
-
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3004
|
+
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + i));
|
|
3005
3005
|
else {
|
|
3006
3006
|
if (g.state == I.passwordResetNeeded)
|
|
3007
3007
|
throw new c(h.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3008
3008
|
if (g.state == I.passwordAndFactor2ResetNeeded)
|
|
3009
3009
|
throw new c(h.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3010
|
-
this.sessionServer.allowedFactor2.length > 0 && g.state == I.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3010
|
+
this.sessionServer.allowedFactor2.length > 0 && g.state == I.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + i)) : (!g.factor2 || g.factor2 == "") && (r.locals.user = g);
|
|
3011
3011
|
}
|
|
3012
3012
|
return {
|
|
3013
3013
|
user: g,
|
|
@@ -3033,22 +3033,22 @@ class we {
|
|
|
3033
3033
|
async loginWithUser(r, o, t) {
|
|
3034
3034
|
const e = t.locals.sessionId, s = new b();
|
|
3035
3035
|
await s.loadData(t);
|
|
3036
|
-
let
|
|
3036
|
+
let i = this.addToSession ? this.addToSession(t, s.toObject()) : {}, { sessionCookie: a, csrfCookie: n, csrfFormOrHeaderValue: l } = await this.sessionServer.sessionManager.login("", {}, i, void 0, r, o);
|
|
3037
3037
|
if (d.logger.debug(u({
|
|
3038
|
-
msg: "Login: set session cookie " +
|
|
3038
|
+
msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
|
|
3039
3039
|
user: r.username
|
|
3040
3040
|
})), t.cookies.set(
|
|
3041
|
-
|
|
3042
|
-
|
|
3043
|
-
|
|
3041
|
+
a.name,
|
|
3042
|
+
a.value,
|
|
3043
|
+
P(a.options)
|
|
3044
3044
|
), d.logger.debug(u({
|
|
3045
|
-
msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(
|
|
3045
|
+
msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(a.options),
|
|
3046
3046
|
user: r.username
|
|
3047
3047
|
})), this.sessionServer.enableCsrfProtection && t.cookies.set(
|
|
3048
3048
|
n.name,
|
|
3049
3049
|
n.value,
|
|
3050
|
-
|
|
3051
|
-
), t.locals.user = r, t.locals.csrfToken = l, t.locals.sessionId = this.sessionServer.sessionManager.getSessionId(
|
|
3050
|
+
P(n.options)
|
|
3051
|
+
), t.locals.user = r, t.locals.csrfToken = l, t.locals.sessionId = this.sessionServer.sessionManager.getSessionId(a.value), e)
|
|
3052
3052
|
try {
|
|
3053
3053
|
await this.sessionServer.sessionManager.deleteSession(e);
|
|
3054
3054
|
} catch (f) {
|
|
@@ -3166,16 +3166,16 @@ class we {
|
|
|
3166
3166
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3167
3167
|
);
|
|
3168
3168
|
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), s = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
|
|
3169
|
-
let
|
|
3170
|
-
const
|
|
3169
|
+
let i = this.sessionServer.authenticators[s.factor1].validateSecrets(o);
|
|
3170
|
+
const a = this.sessionServer.authenticators[s.factor1].secretNames();
|
|
3171
3171
|
let n = {};
|
|
3172
3172
|
for (let m in o)
|
|
3173
3173
|
if (m.startsWith("repeat_")) {
|
|
3174
3174
|
const w = m.replace(/^repeat_/, "");
|
|
3175
|
-
|
|
3175
|
+
a.includes(w) && (n[w] = o[m]);
|
|
3176
3176
|
}
|
|
3177
3177
|
Object.keys(n).length === 0 && (n = void 0), s.state = "active", o.factor2 && o.factor2 != "none" ? s.state = "awaitingtwofactor" : this.sessionServer.enableEmailVerification && (s.state = "awaitingemailverification");
|
|
3178
|
-
let f = [...this.sessionServer.validateUserFn(s), ...
|
|
3178
|
+
let f = [...this.sessionServer.validateUserFn(s), ...i];
|
|
3179
3179
|
if (f.length > 0)
|
|
3180
3180
|
throw new c(h.FormEntry, f);
|
|
3181
3181
|
let g = !1;
|
|
@@ -3309,8 +3309,8 @@ class we {
|
|
|
3309
3309
|
try {
|
|
3310
3310
|
var s = new b();
|
|
3311
3311
|
await s.loadData(r), o = s.toObject();
|
|
3312
|
-
const
|
|
3313
|
-
if (
|
|
3312
|
+
const i = await this.sessionServer.getSessionData(r, "2fa");
|
|
3313
|
+
if (i != null && i.factor2) e = i == null ? void 0 : i.factor2;
|
|
3314
3314
|
else throw new c(h.BadRequest, "Two factor authentication was not started");
|
|
3315
3315
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3316
3316
|
throw new c(h.InvalidCsrf);
|
|
@@ -3318,17 +3318,17 @@ class we {
|
|
|
3318
3318
|
h.Unauthorized,
|
|
3319
3319
|
"No session active while enabling 2FA. Please enable cookies"
|
|
3320
3320
|
);
|
|
3321
|
-
let
|
|
3321
|
+
let a = await this.sessionServer.sessionManager.completeTwoFactorSetup(
|
|
3322
3322
|
o,
|
|
3323
3323
|
r.locals.sessionId
|
|
3324
3324
|
);
|
|
3325
|
-
return this.sessionServer.enableEmailVerification || await this.loginWithUser(
|
|
3325
|
+
return this.sessionServer.enableEmailVerification || await this.loginWithUser(a, !0, r), r.locals.user ? {
|
|
3326
3326
|
ok: !0,
|
|
3327
|
-
user:
|
|
3327
|
+
user: a,
|
|
3328
3328
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
3329
|
-
} : await this.loginWithUser(
|
|
3330
|
-
} catch (
|
|
3331
|
-
const
|
|
3329
|
+
} : await this.loginWithUser(a, !0, r);
|
|
3330
|
+
} catch (i) {
|
|
3331
|
+
const a = c.asCrossauthError(i);
|
|
3332
3332
|
let n;
|
|
3333
3333
|
try {
|
|
3334
3334
|
n = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId ?? "")).userData;
|
|
@@ -3339,11 +3339,11 @@ class we {
|
|
|
3339
3339
|
csrfToken: r.locals.csrfToken,
|
|
3340
3340
|
username: n.username ?? "",
|
|
3341
3341
|
factor2: e
|
|
3342
|
-
}), d.logger.debug(u({ err:
|
|
3342
|
+
}), d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
3343
3343
|
ok: !1,
|
|
3344
|
-
error:
|
|
3345
|
-
errorCode:
|
|
3346
|
-
errorCodeName:
|
|
3344
|
+
error: a.message,
|
|
3345
|
+
errorCode: a.code,
|
|
3346
|
+
errorCodeName: a.codeName,
|
|
3347
3347
|
formData: o,
|
|
3348
3348
|
factor2Data: t,
|
|
3349
3349
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
@@ -3379,27 +3379,27 @@ class we {
|
|
|
3379
3379
|
if (!s) throw new c(h.Unauthorized);
|
|
3380
3380
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3381
3381
|
throw new c(h.InvalidCsrf);
|
|
3382
|
-
let
|
|
3383
|
-
const { sessionCookie:
|
|
3382
|
+
let i = this.addToSession ? this.addToSession(r, o) : {};
|
|
3383
|
+
const { sessionCookie: a, csrfCookie: n, user: l } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
|
|
3384
3384
|
o,
|
|
3385
3385
|
s,
|
|
3386
|
-
|
|
3386
|
+
i,
|
|
3387
3387
|
e
|
|
3388
3388
|
);
|
|
3389
3389
|
return d.logger.debug(u({
|
|
3390
|
-
msg: "Login: set session cookie " +
|
|
3390
|
+
msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
|
|
3391
3391
|
user: l == null ? void 0 : l.username
|
|
3392
3392
|
})), r.cookies.set(
|
|
3393
|
-
|
|
3394
|
-
|
|
3395
|
-
|
|
3393
|
+
a.name,
|
|
3394
|
+
a.value,
|
|
3395
|
+
P(a.options)
|
|
3396
3396
|
), d.logger.debug(u({
|
|
3397
|
-
msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(
|
|
3397
|
+
msg: "Login: set csrf cookie " + n.name + " opts " + JSON.stringify(a.options),
|
|
3398
3398
|
user: l == null ? void 0 : l.username
|
|
3399
3399
|
})), r.cookies.set(
|
|
3400
3400
|
n.name,
|
|
3401
3401
|
n.value,
|
|
3402
|
-
|
|
3402
|
+
P(n.options)
|
|
3403
3403
|
), this.sessionServer.enableCsrfProtection && (r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(n.value)), r.locals.user = l, {
|
|
3404
3404
|
user: l,
|
|
3405
3405
|
ok: !0
|
|
@@ -3512,17 +3512,17 @@ class we {
|
|
|
3512
3512
|
);
|
|
3513
3513
|
const e = r.params.token ?? "";
|
|
3514
3514
|
if (e == "") throw new c(h.InvalidUsername, "No token provided");
|
|
3515
|
-
const s = await this.sessionServer.sessionManager.userForPasswordResetToken(e),
|
|
3515
|
+
const s = await this.sessionServer.sessionManager.userForPasswordResetToken(e), i = this.sessionServer.authenticators[s.factor1], a = i.secretNames();
|
|
3516
3516
|
let n = {}, l = {};
|
|
3517
3517
|
for (let m in o)
|
|
3518
3518
|
if (m.startsWith("new_")) {
|
|
3519
3519
|
const w = m.replace(/^new_/, "");
|
|
3520
|
-
|
|
3520
|
+
a.includes(w) && (n[w] = o[m]);
|
|
3521
3521
|
} else if (m.startsWith("repeat_")) {
|
|
3522
3522
|
const w = m.replace(/^repeat_/, "");
|
|
3523
|
-
|
|
3523
|
+
a.includes(w) && (l[w] = o[m]);
|
|
3524
3524
|
}
|
|
3525
|
-
if (Object.keys(l).length === 0 && (l = void 0),
|
|
3525
|
+
if (Object.keys(l).length === 0 && (l = void 0), i.validateSecrets(n).length > 0)
|
|
3526
3526
|
throw new c(h.PasswordFormat);
|
|
3527
3527
|
const g = await this.sessionServer.sessionManager.resetSecret(e, 1, n, l);
|
|
3528
3528
|
if (g.state == I.active)
|
|
@@ -3637,20 +3637,20 @@ class we {
|
|
|
3637
3637
|
e = r.locals.user;
|
|
3638
3638
|
} else
|
|
3639
3639
|
throw new c(h.InsufficientPriviledges);
|
|
3640
|
-
const
|
|
3640
|
+
const i = this.sessionServer.authenticators[e.factor1], a = i.secretNames();
|
|
3641
3641
|
let n = {}, l = {}, f = {};
|
|
3642
3642
|
for (let w in o)
|
|
3643
3643
|
if (w.startsWith("new_")) {
|
|
3644
3644
|
const S = w.replace(/^new_/, "");
|
|
3645
|
-
|
|
3645
|
+
a.includes(S) && (l[S] = o[w]);
|
|
3646
3646
|
} else if (w.startsWith("old_")) {
|
|
3647
3647
|
const S = w.replace(/^old_/, "");
|
|
3648
|
-
|
|
3648
|
+
a.includes(S) && (n[S] = o[w]);
|
|
3649
3649
|
} else if (w.startsWith("repeat_")) {
|
|
3650
3650
|
const S = w.replace(/^repeat_/, "");
|
|
3651
|
-
|
|
3651
|
+
a.includes(S) && (f[S] = o[w]);
|
|
3652
3652
|
}
|
|
3653
|
-
if (Object.keys(f).length === 0 && (f = void 0),
|
|
3653
|
+
if (Object.keys(f).length === 0 && (f = void 0), i.validateSecrets(l).length > 0)
|
|
3654
3654
|
throw new c(h.PasswordFormat);
|
|
3655
3655
|
const m = e.state;
|
|
3656
3656
|
try {
|
|
@@ -3768,15 +3768,15 @@ class we {
|
|
|
3768
3768
|
let s = this.sessionServer.validateUserFn(e);
|
|
3769
3769
|
if (s.length > 0)
|
|
3770
3770
|
throw new c(h.FormEntry, s);
|
|
3771
|
-
let { emailVerificationTokenSent:
|
|
3772
|
-
if (!
|
|
3773
|
-
const
|
|
3774
|
-
r.locals.user =
|
|
3771
|
+
let { emailVerificationTokenSent: i } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
|
|
3772
|
+
if (!i) {
|
|
3773
|
+
const a = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
|
|
3774
|
+
r.locals.user = a.user;
|
|
3775
3775
|
}
|
|
3776
3776
|
return {
|
|
3777
3777
|
ok: !0,
|
|
3778
3778
|
formData: o,
|
|
3779
|
-
emailVerificationNeeded:
|
|
3779
|
+
emailVerificationNeeded: i
|
|
3780
3780
|
};
|
|
3781
3781
|
} catch (e) {
|
|
3782
3782
|
let s = c.asCrossauthError(e, "Couldn't update account");
|
|
@@ -3824,32 +3824,32 @@ class we {
|
|
|
3824
3824
|
const l = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3825
3825
|
l != null && l.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), s = l == null ? void 0 : l.username;
|
|
3826
3826
|
}
|
|
3827
|
-
let
|
|
3828
|
-
if (!
|
|
3827
|
+
let i = r.locals.user;
|
|
3828
|
+
if (!i && s && (i = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3829
3829
|
s,
|
|
3830
3830
|
{
|
|
3831
3831
|
skipActiveCheck: !0,
|
|
3832
3832
|
skipEmailVerifiedCheck: !0
|
|
3833
3833
|
}
|
|
3834
|
-
)).user), !
|
|
3834
|
+
)).user), !i)
|
|
3835
3835
|
throw new c(h.InsufficientPriviledges);
|
|
3836
3836
|
if (!r.locals.sessionId)
|
|
3837
3837
|
throw new c(h.Unauthorized);
|
|
3838
|
-
let
|
|
3838
|
+
let a = o.factor2;
|
|
3839
3839
|
if (o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2))
|
|
3840
3840
|
throw new c(
|
|
3841
3841
|
h.Forbidden,
|
|
3842
3842
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3843
3843
|
);
|
|
3844
|
-
if ((o.factor2 == "none" || o.factor2 == "") && (
|
|
3845
|
-
return await this.loginWithUser(
|
|
3846
|
-
const n = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3847
|
-
return
|
|
3844
|
+
if ((o.factor2 == "none" || o.factor2 == "") && (a = void 0, !r.locals.user))
|
|
3845
|
+
return await this.loginWithUser(i, !0, r);
|
|
3846
|
+
const n = await this.sessionServer.sessionManager.initiateTwoFactorSetup(i, a, r.locals.sessionId);
|
|
3847
|
+
return a ? {
|
|
3848
3848
|
ok: !0,
|
|
3849
3849
|
formData: o,
|
|
3850
3850
|
factor2Data: {
|
|
3851
|
-
username:
|
|
3852
|
-
factor2:
|
|
3851
|
+
username: i.username,
|
|
3852
|
+
factor2: a ?? "",
|
|
3853
3853
|
userData: n,
|
|
3854
3854
|
csrfToken: r.locals.csrfToken
|
|
3855
3855
|
}
|
|
@@ -3858,11 +3858,11 @@ class we {
|
|
|
3858
3858
|
formData: o
|
|
3859
3859
|
};
|
|
3860
3860
|
} catch (s) {
|
|
3861
|
-
let
|
|
3862
|
-
return d.logger.debug(u({ err:
|
|
3863
|
-
error:
|
|
3864
|
-
errorCode:
|
|
3865
|
-
errorCodeName:
|
|
3861
|
+
let i = c.asCrossauthError(s, "Couldn't update account");
|
|
3862
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
3863
|
+
error: i.message,
|
|
3864
|
+
errorCode: i.code,
|
|
3865
|
+
errorCodeName: i.codeName,
|
|
3866
3866
|
ok: !1,
|
|
3867
3867
|
formData: o
|
|
3868
3868
|
};
|
|
@@ -3900,47 +3900,47 @@ class we {
|
|
|
3900
3900
|
const f = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3901
3901
|
f != null && f.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), s = f == null ? void 0 : f.username;
|
|
3902
3902
|
}
|
|
3903
|
-
let
|
|
3904
|
-
if (!
|
|
3903
|
+
let i = r.locals.user;
|
|
3904
|
+
if (!i && s && (i = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3905
3905
|
s,
|
|
3906
3906
|
{
|
|
3907
3907
|
skipActiveCheck: !0,
|
|
3908
3908
|
skipEmailVerifiedCheck: !0
|
|
3909
3909
|
}
|
|
3910
|
-
)).user), !
|
|
3910
|
+
)).user), !i)
|
|
3911
3911
|
throw new c(h.InsufficientPriviledges);
|
|
3912
3912
|
if (!r.locals.sessionId)
|
|
3913
3913
|
throw new c(h.Unauthorized);
|
|
3914
3914
|
if (!r.locals.sessionId)
|
|
3915
3915
|
throw new c(h.Unauthorized);
|
|
3916
|
-
let
|
|
3917
|
-
const n = this.sessionServer.authenticators[
|
|
3916
|
+
let a = i.factor2;
|
|
3917
|
+
const n = this.sessionServer.authenticators[a];
|
|
3918
3918
|
if (!n || n.secretNames().length == 0)
|
|
3919
3919
|
throw new c(
|
|
3920
3920
|
h.BadRequest,
|
|
3921
3921
|
"Selected second factor does not have configuration"
|
|
3922
3922
|
);
|
|
3923
3923
|
const l = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3924
|
-
a,
|
|
3925
3924
|
i,
|
|
3925
|
+
a,
|
|
3926
3926
|
r.locals.sessionId
|
|
3927
3927
|
);
|
|
3928
3928
|
return {
|
|
3929
3929
|
ok: !0,
|
|
3930
3930
|
formData: o,
|
|
3931
3931
|
factor2Data: {
|
|
3932
|
-
username:
|
|
3933
|
-
factor2:
|
|
3932
|
+
username: i.username,
|
|
3933
|
+
factor2: i.factor2 ?? "",
|
|
3934
3934
|
userData: l,
|
|
3935
3935
|
csrfToken: r.locals.csrfToken
|
|
3936
3936
|
}
|
|
3937
3937
|
};
|
|
3938
3938
|
} catch (s) {
|
|
3939
|
-
let
|
|
3940
|
-
return d.logger.debug(u({ err:
|
|
3941
|
-
error:
|
|
3942
|
-
errorCode:
|
|
3943
|
-
errorCodeName:
|
|
3939
|
+
let i = c.asCrossauthError(s, "Couldn't update account");
|
|
3940
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
3941
|
+
error: i.message,
|
|
3942
|
+
errorCode: i.code,
|
|
3943
|
+
errorCodeName: i.codeName,
|
|
3944
3944
|
ok: !1,
|
|
3945
3945
|
formData: o
|
|
3946
3946
|
};
|
|
@@ -3962,16 +3962,16 @@ async function me(k, r, o = 0, t = 10) {
|
|
|
3962
3962
|
const { user: s } = await r.getUserByUsername(k);
|
|
3963
3963
|
e.push(s);
|
|
3964
3964
|
} catch (s) {
|
|
3965
|
-
const
|
|
3966
|
-
if (
|
|
3967
|
-
throw d.logger.debug(u({ err:
|
|
3965
|
+
const i = c.asCrossauthError(s);
|
|
3966
|
+
if (i.code != h.UserNotExist)
|
|
3967
|
+
throw d.logger.debug(u({ err: i })), i;
|
|
3968
3968
|
try {
|
|
3969
|
-
const { user:
|
|
3970
|
-
e.push(
|
|
3971
|
-
} catch (
|
|
3972
|
-
const n = c.asCrossauthError(
|
|
3969
|
+
const { user: a } = await r.getUserByEmail(k);
|
|
3970
|
+
e.push(a);
|
|
3971
|
+
} catch (a) {
|
|
3972
|
+
const n = c.asCrossauthError(a);
|
|
3973
3973
|
if (n.code != h.UserNotExist)
|
|
3974
|
-
throw d.logger.debug(u({ err: n })),
|
|
3974
|
+
throw d.logger.debug(u({ err: n })), i;
|
|
3975
3975
|
}
|
|
3976
3976
|
}
|
|
3977
3977
|
return e;
|
|
@@ -3990,12 +3990,12 @@ class ke {
|
|
|
3990
3990
|
}, this.updateUserEndpoint = {
|
|
3991
3991
|
actions: {
|
|
3992
3992
|
default: async (t) => {
|
|
3993
|
-
var
|
|
3993
|
+
var i, a, n;
|
|
3994
3994
|
const e = await this.getUserFromParam(t);
|
|
3995
3995
|
return e.exception || !e.user ? {
|
|
3996
3996
|
ok: !1,
|
|
3997
|
-
error: ((
|
|
3998
|
-
errorCode: (
|
|
3997
|
+
error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
|
|
3998
|
+
errorCode: (a = e.exception) == null ? void 0 : a.code,
|
|
3999
3999
|
errorCodeName: (n = e.exception) == null ? void 0 : n.codeName
|
|
4000
4000
|
} : await this.updateUser(e.user, t);
|
|
4001
4001
|
}
|
|
@@ -4017,12 +4017,12 @@ class ke {
|
|
|
4017
4017
|
}, this.changePasswordEndpoint = {
|
|
4018
4018
|
actions: {
|
|
4019
4019
|
default: async (t) => {
|
|
4020
|
-
var
|
|
4020
|
+
var i, a, n;
|
|
4021
4021
|
const e = await this.getUserFromParam(t);
|
|
4022
4022
|
return e.exception || !e.user ? {
|
|
4023
4023
|
ok: !1,
|
|
4024
|
-
error: ((
|
|
4025
|
-
errorCode: (
|
|
4024
|
+
error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
|
|
4025
|
+
errorCode: (a = e.exception) == null ? void 0 : a.code,
|
|
4026
4026
|
errorCodeName: (n = e.exception) == null ? void 0 : n.codeName
|
|
4027
4027
|
} : await this.changePassword(e.user, t);
|
|
4028
4028
|
}
|
|
@@ -4035,8 +4035,8 @@ class ke {
|
|
|
4035
4035
|
editUser: e.user,
|
|
4036
4036
|
...this.baseEndpoint(t)
|
|
4037
4037
|
};
|
|
4038
|
-
let s = {},
|
|
4039
|
-
return
|
|
4038
|
+
let s = {}, i = t.url.searchParams.get("next");
|
|
4039
|
+
return i && (s.next = i), {
|
|
4040
4040
|
...s,
|
|
4041
4041
|
editUser: e.user,
|
|
4042
4042
|
...this.baseEndpoint(t)
|
|
@@ -4058,15 +4058,15 @@ class ke {
|
|
|
4058
4058
|
default: async (t) => await this.deleteUser(t)
|
|
4059
4059
|
},
|
|
4060
4060
|
load: async (t) => {
|
|
4061
|
-
var s,
|
|
4061
|
+
var s, i, a;
|
|
4062
4062
|
const e = await this.getUserFromParam(t);
|
|
4063
4063
|
return e.exception || !e.user ? {
|
|
4064
4064
|
error: "User doesn't exist",
|
|
4065
4065
|
errorCode: (s = e.exception) == null ? void 0 : s.code,
|
|
4066
|
-
errorCodeName: (
|
|
4066
|
+
errorCodeName: (i = e.exception) == null ? void 0 : i.codeName,
|
|
4067
4067
|
...this.baseEndpoint(t)
|
|
4068
4068
|
} : {
|
|
4069
|
-
username: (
|
|
4069
|
+
username: (a = e.user) == null ? void 0 : a.username,
|
|
4070
4070
|
...this.baseEndpoint(t)
|
|
4071
4071
|
};
|
|
4072
4072
|
}
|
|
@@ -4117,7 +4117,7 @@ class ke {
|
|
|
4117
4117
|
try {
|
|
4118
4118
|
if (!this.sessionServer.userStorage) throw new c(h.Configuration, "Must provide user storage to use this function");
|
|
4119
4119
|
(!r.locals.user || !p.isAdminFn(r.locals.user)) && this.sessionServer.error(401);
|
|
4120
|
-
let s = [],
|
|
4120
|
+
let s = [], i = [], a = [];
|
|
4121
4121
|
if (!t)
|
|
4122
4122
|
try {
|
|
4123
4123
|
const l = r.url.searchParams.get("skip");
|
|
@@ -4139,7 +4139,7 @@ class ke {
|
|
|
4139
4139
|
this.sessionServer.userStorage,
|
|
4140
4140
|
t,
|
|
4141
4141
|
e
|
|
4142
|
-
), t > 0 && (
|
|
4142
|
+
), t > 0 && (i = await this.userSearchFn(
|
|
4143
4143
|
o,
|
|
4144
4144
|
this.sessionServer.userStorage,
|
|
4145
4145
|
t - 1,
|
|
@@ -4147,7 +4147,7 @@ class ke {
|
|
|
4147
4147
|
))) : (s = await this.sessionServer.userStorage.getUsers(
|
|
4148
4148
|
t,
|
|
4149
4149
|
e
|
|
4150
|
-
), s.length == e && (
|
|
4150
|
+
), s.length == e && (a = await this.sessionServer.userStorage.getUsers(
|
|
4151
4151
|
t + e,
|
|
4152
4152
|
1
|
|
4153
4153
|
))), {
|
|
@@ -4155,17 +4155,17 @@ class ke {
|
|
|
4155
4155
|
users: s,
|
|
4156
4156
|
skip: t,
|
|
4157
4157
|
take: e,
|
|
4158
|
-
hasPrevious:
|
|
4159
|
-
hasNext:
|
|
4158
|
+
hasPrevious: i.length > 0,
|
|
4159
|
+
hasNext: a.length > 0,
|
|
4160
4160
|
search: o
|
|
4161
4161
|
};
|
|
4162
4162
|
} catch (s) {
|
|
4163
|
-
const
|
|
4164
|
-
return d.logger.debug(u({ err:
|
|
4163
|
+
const i = c.asCrossauthError(s);
|
|
4164
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
4165
4165
|
ok: !1,
|
|
4166
|
-
error:
|
|
4167
|
-
errorCode:
|
|
4168
|
-
errorCodeName:
|
|
4166
|
+
error: i.message,
|
|
4167
|
+
errorCode: i.code,
|
|
4168
|
+
errorCodeName: i.codeName,
|
|
4169
4169
|
hasPrevious: !1,
|
|
4170
4170
|
hasNext: !1,
|
|
4171
4171
|
skip: t ?? 0,
|
|
@@ -4211,7 +4211,7 @@ class ke {
|
|
|
4211
4211
|
if (!this.sessionServer.userStorage) throw new c(h.Configuration, "Must provide user storage to use this function");
|
|
4212
4212
|
var e = new b();
|
|
4213
4213
|
if (await e.loadData(o), t = e.toObject(), (!o.locals.user || !p.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new c(h.InvalidCsrf);
|
|
4214
|
-
const s = r.factor2,
|
|
4214
|
+
const s = r.factor2, i = r.state;
|
|
4215
4215
|
r.state = t.state ?? "active", r = this.sessionServer.updateUserFn(
|
|
4216
4216
|
r,
|
|
4217
4217
|
o,
|
|
@@ -4221,10 +4221,10 @@ class ke {
|
|
|
4221
4221
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4222
4222
|
}
|
|
4223
4223
|
);
|
|
4224
|
-
const
|
|
4225
|
-
if (
|
|
4224
|
+
const a = r.factor2 && r.factor2 != "none" && r.factor2 != s;
|
|
4225
|
+
if (a && !(r.state == i || r.state == "factor2ResetNeeded"))
|
|
4226
4226
|
throw new c(h.BadRequest, "Cannot change both factor2 and state at the same time");
|
|
4227
|
-
|
|
4227
|
+
a && (r.state = I.factor2ResetNeeded, d.logger.warn(u({
|
|
4228
4228
|
msg: `Setting state for user to ${I.factor2ResetNeeded}`,
|
|
4229
4229
|
username: r.username
|
|
4230
4230
|
})));
|
|
@@ -4240,11 +4240,11 @@ class ke {
|
|
|
4240
4240
|
};
|
|
4241
4241
|
} catch (s) {
|
|
4242
4242
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s, 401)) throw s;
|
|
4243
|
-
let
|
|
4244
|
-
return d.logger.debug(u({ err:
|
|
4245
|
-
error:
|
|
4246
|
-
errorCode:
|
|
4247
|
-
errorCodeName:
|
|
4243
|
+
let i = c.asCrossauthError(s, "Couldn't log in");
|
|
4244
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
4245
|
+
error: i.message,
|
|
4246
|
+
errorCode: i.code,
|
|
4247
|
+
errorCodeName: i.codeName,
|
|
4248
4248
|
ok: !1,
|
|
4249
4249
|
formData: t
|
|
4250
4250
|
};
|
|
@@ -4276,18 +4276,18 @@ class ke {
|
|
|
4276
4276
|
var e = new b();
|
|
4277
4277
|
if (await e.loadData(o), t = e.toObject(), (!o.locals.user || !p.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken)
|
|
4278
4278
|
throw new c(h.InvalidCsrf);
|
|
4279
|
-
const s = this.sessionServer.authenticators[r.factor1],
|
|
4280
|
-
let
|
|
4279
|
+
const s = this.sessionServer.authenticators[r.factor1], i = s.secretNames();
|
|
4280
|
+
let a = {}, n = {}, l = {};
|
|
4281
4281
|
for (let g in t)
|
|
4282
4282
|
if (g.startsWith("new_")) {
|
|
4283
4283
|
const m = g.replace(/^new_/, "");
|
|
4284
|
-
|
|
4284
|
+
i.includes(m) && (n[m] = t[g]);
|
|
4285
4285
|
} else if (g.startsWith("old_")) {
|
|
4286
4286
|
const m = g.replace(/^old_/, "");
|
|
4287
|
-
|
|
4287
|
+
i.includes(m) && (a[m] = t[g]);
|
|
4288
4288
|
} else if (g.startsWith("repeat_")) {
|
|
4289
4289
|
const m = g.replace(/^repeat_/, "");
|
|
4290
|
-
|
|
4290
|
+
i.includes(m) && (l[m] = t[g]);
|
|
4291
4291
|
}
|
|
4292
4292
|
if (Object.keys(l).length === 0 && (l = void 0), s.validateSecrets(n).length > 0)
|
|
4293
4293
|
throw new c(h.PasswordFormat);
|
|
@@ -4297,7 +4297,7 @@ class ke {
|
|
|
4297
4297
|
1,
|
|
4298
4298
|
n,
|
|
4299
4299
|
l,
|
|
4300
|
-
|
|
4300
|
+
a
|
|
4301
4301
|
);
|
|
4302
4302
|
} catch (g) {
|
|
4303
4303
|
const m = c.asCrossauthError(g);
|
|
@@ -4309,11 +4309,11 @@ class ke {
|
|
|
4309
4309
|
};
|
|
4310
4310
|
} catch (s) {
|
|
4311
4311
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s, 401)) throw s;
|
|
4312
|
-
let
|
|
4313
|
-
return d.logger.debug(u({ err:
|
|
4314
|
-
error:
|
|
4315
|
-
errorCode:
|
|
4316
|
-
errorCodeName:
|
|
4312
|
+
let i = c.asCrossauthError(s, "Couldn't change password");
|
|
4313
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
4314
|
+
error: i.message,
|
|
4315
|
+
errorCode: i.code,
|
|
4316
|
+
errorCodeName: i.codeName,
|
|
4317
4317
|
ok: !1,
|
|
4318
4318
|
formData: t
|
|
4319
4319
|
};
|
|
@@ -4388,21 +4388,21 @@ class ke {
|
|
|
4388
4388
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4389
4389
|
}
|
|
4390
4390
|
);
|
|
4391
|
-
const
|
|
4392
|
-
let
|
|
4393
|
-
for (let w of
|
|
4394
|
-
!o[w] && !o["repeat_" + w] && (
|
|
4391
|
+
const i = this.sessionServer.authenticators[s.factor1].secretNames();
|
|
4392
|
+
let a = !0;
|
|
4393
|
+
for (let w of i)
|
|
4394
|
+
!o[w] && !o["repeat_" + w] && (a = !1);
|
|
4395
4395
|
let n = [], l = {};
|
|
4396
|
-
if (
|
|
4396
|
+
if (a) {
|
|
4397
4397
|
n = this.sessionServer.authenticators[s.factor1].validateSecrets(o);
|
|
4398
4398
|
for (let w in o)
|
|
4399
4399
|
if (w.startsWith("repeat_")) {
|
|
4400
4400
|
const S = w.replace(/^repeat_/, "");
|
|
4401
|
-
|
|
4401
|
+
i.includes(S) && (l[S] = o[w]);
|
|
4402
4402
|
}
|
|
4403
4403
|
Object.keys(l).length === 0 && (l = void 0);
|
|
4404
4404
|
}
|
|
4405
|
-
|
|
4405
|
+
a ? o.factor2 != null && (s.state = I.factor2ResetNeeded) : o.factor2 == null ? s.state = I.passwordResetNeeded : s.state = I.passwordAndFactor2ResetNeeded;
|
|
4406
4406
|
let g = [...this.sessionServer.validateUserFn(s), ...n];
|
|
4407
4407
|
if (g.length > 0)
|
|
4408
4408
|
throw new c(h.FormEntry, g);
|
|
@@ -4411,9 +4411,9 @@ class ke {
|
|
|
4411
4411
|
o,
|
|
4412
4412
|
l,
|
|
4413
4413
|
!0,
|
|
4414
|
-
!
|
|
4414
|
+
!a
|
|
4415
4415
|
);
|
|
4416
|
-
if (!
|
|
4416
|
+
if (!a) {
|
|
4417
4417
|
let w = o.username;
|
|
4418
4418
|
if ("user_email" in o && (w = o.user_email), oe.validateEmail(w), !w) throw new c(h.FormEntry, "No password given but no email address found either");
|
|
4419
4419
|
await this.sessionServer.sessionManager.requestPasswordReset(w);
|
|
@@ -4487,23 +4487,23 @@ async function Se(k, r, o, t, e) {
|
|
|
4487
4487
|
let s = [];
|
|
4488
4488
|
if (o > 0) return [];
|
|
4489
4489
|
try {
|
|
4490
|
-
const
|
|
4491
|
-
s.push(
|
|
4492
|
-
} catch (
|
|
4493
|
-
const
|
|
4494
|
-
if (
|
|
4495
|
-
throw d.logger.debug(u({ err:
|
|
4490
|
+
const i = await r.getClientById(k);
|
|
4491
|
+
s.push(i);
|
|
4492
|
+
} catch (i) {
|
|
4493
|
+
const a = c.asCrossauthError(i);
|
|
4494
|
+
if (a.code != h.UserNotExist)
|
|
4495
|
+
throw d.logger.debug(u({ err: a })), a;
|
|
4496
4496
|
try {
|
|
4497
4497
|
s = await r.getClientByName(k, e);
|
|
4498
4498
|
} catch (n) {
|
|
4499
4499
|
const l = c.asCrossauthError(n);
|
|
4500
4500
|
if (l.code != h.UserNotExist)
|
|
4501
|
-
throw d.logger.debug(u({ err: l })),
|
|
4501
|
+
throw d.logger.debug(u({ err: l })), a;
|
|
4502
4502
|
}
|
|
4503
4503
|
}
|
|
4504
4504
|
return s;
|
|
4505
4505
|
}
|
|
4506
|
-
class
|
|
4506
|
+
class X {
|
|
4507
4507
|
/**
|
|
4508
4508
|
* Constructor
|
|
4509
4509
|
*
|
|
@@ -4511,7 +4511,7 @@ class $ {
|
|
|
4511
4511
|
* @param options See {@link SvelteKitSessionServerOptions}
|
|
4512
4512
|
*/
|
|
4513
4513
|
constructor(r, o) {
|
|
4514
|
-
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", _.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), this.valid_flowNames = E.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new
|
|
4514
|
+
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", _.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), this.valid_flowNames = E.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new B(o)), this.clientStorage = o.clientStorage;
|
|
4515
4515
|
}
|
|
4516
4516
|
///////////////////////////////////////////////////////////////////
|
|
4517
4517
|
// Functions callable from apps
|
|
@@ -4557,7 +4557,7 @@ class $ {
|
|
|
4557
4557
|
if (!this.sessionServer.clientStorage) throw new c(h.Configuration, "Must provide client storage to use this function");
|
|
4558
4558
|
if (!r.locals.user)
|
|
4559
4559
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
4560
|
-
let
|
|
4560
|
+
let i = [], a = [], n = [];
|
|
4561
4561
|
if (!t)
|
|
4562
4562
|
try {
|
|
4563
4563
|
const f = r.url.searchParams.get("skip");
|
|
@@ -4574,44 +4574,44 @@ class $ {
|
|
|
4574
4574
|
}
|
|
4575
4575
|
e || (e = 10);
|
|
4576
4576
|
const l = r.url.searchParams.get("search");
|
|
4577
|
-
return !o && l != null && l != "" && (o = l), o || (o = ""), o.length == 0 && (o = void 0), o ? (
|
|
4577
|
+
return !o && l != null && l != "" && (o = l), o || (o = ""), o.length == 0 && (o = void 0), o ? (i = await this.clientSearchFn(
|
|
4578
4578
|
o,
|
|
4579
4579
|
this.sessionServer.clientStorage,
|
|
4580
4580
|
t,
|
|
4581
4581
|
e
|
|
4582
|
-
), t > 0 && (
|
|
4582
|
+
), t > 0 && (a = await this.clientSearchFn(
|
|
4583
4583
|
o,
|
|
4584
4584
|
this.sessionServer.clientStorage,
|
|
4585
4585
|
t - 1,
|
|
4586
4586
|
1,
|
|
4587
4587
|
s
|
|
4588
|
-
))) : (
|
|
4588
|
+
))) : (i = await this.sessionServer.clientStorage.getClients(
|
|
4589
4589
|
t,
|
|
4590
4590
|
e,
|
|
4591
4591
|
s
|
|
4592
|
-
),
|
|
4592
|
+
), i.length == e && (n = await this.sessionServer.clientStorage.getClients(
|
|
4593
4593
|
t + e,
|
|
4594
4594
|
1,
|
|
4595
4595
|
s
|
|
4596
4596
|
))), {
|
|
4597
4597
|
ok: !0,
|
|
4598
|
-
clients:
|
|
4598
|
+
clients: i,
|
|
4599
4599
|
skip: t,
|
|
4600
4600
|
take: e,
|
|
4601
|
-
hasPrevious:
|
|
4601
|
+
hasPrevious: a.length > 0,
|
|
4602
4602
|
hasNext: n.length > 0,
|
|
4603
4603
|
search: o,
|
|
4604
4604
|
clientUserId: s
|
|
4605
4605
|
};
|
|
4606
|
-
} catch (
|
|
4607
|
-
if (p.isSvelteKitRedirect(
|
|
4608
|
-
throw
|
|
4609
|
-
const
|
|
4610
|
-
return d.logger.debug(u({ err:
|
|
4606
|
+
} catch (i) {
|
|
4607
|
+
if (p.isSvelteKitRedirect(i) || p.isSvelteKitRedirect(i))
|
|
4608
|
+
throw i;
|
|
4609
|
+
const a = c.asCrossauthError(i);
|
|
4610
|
+
return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
|
|
4611
4611
|
ok: !1,
|
|
4612
|
-
error:
|
|
4613
|
-
errorCode:
|
|
4614
|
-
errorCodeName:
|
|
4612
|
+
error: a.message,
|
|
4613
|
+
errorCode: a.code,
|
|
4614
|
+
errorCodeName: a.codeName,
|
|
4615
4615
|
hasPrevious: !1,
|
|
4616
4616
|
hasNext: !1,
|
|
4617
4617
|
skip: t ?? 0,
|
|
@@ -4634,21 +4634,21 @@ class $ {
|
|
|
4634
4634
|
try {
|
|
4635
4635
|
if (!o) throw new c(h.BadRequest, "No client ID specified");
|
|
4636
4636
|
if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
|
|
4637
|
-
const
|
|
4637
|
+
const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (t = this.sessionServer) == null ? void 0 : t.userStorage) == null ? void 0 : e.getUserById(i.userid)), n = (s = a == null ? void 0 : a.user) == null ? void 0 : s.username;
|
|
4638
4638
|
return {
|
|
4639
4639
|
ok: !0,
|
|
4640
|
-
client:
|
|
4640
|
+
client: i,
|
|
4641
4641
|
validFlows: this.validFlows,
|
|
4642
4642
|
valid_flowNames: this.valid_flowNames,
|
|
4643
4643
|
client_id: o,
|
|
4644
4644
|
clientUsername: n
|
|
4645
4645
|
};
|
|
4646
|
-
} catch (
|
|
4647
|
-
let
|
|
4648
|
-
return d.logger.debug(u({ err:
|
|
4649
|
-
error:
|
|
4650
|
-
errorCode:
|
|
4651
|
-
errorCodeName:
|
|
4646
|
+
} catch (i) {
|
|
4647
|
+
let a = c.asCrossauthError(i, "Couldn't load client");
|
|
4648
|
+
return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
|
|
4649
|
+
error: a.message,
|
|
4650
|
+
errorCode: a.code,
|
|
4651
|
+
errorCodeName: a.codeName,
|
|
4652
4652
|
ok: !1,
|
|
4653
4653
|
validFlows: this.validFlows,
|
|
4654
4654
|
valid_flowNames: this.valid_flowNames,
|
|
@@ -4669,11 +4669,11 @@ class $ {
|
|
|
4669
4669
|
* @returns {@link UpdateClientFormData}. If a new secret was created, it will be placed as plaintext in the client that is returned.
|
|
4670
4670
|
*/
|
|
4671
4671
|
async updateClient_internal(r, o) {
|
|
4672
|
-
var s,
|
|
4672
|
+
var s, i;
|
|
4673
4673
|
let t;
|
|
4674
4674
|
try {
|
|
4675
|
-
const
|
|
4676
|
-
if (!
|
|
4675
|
+
const a = r.params.client_id;
|
|
4676
|
+
if (!a) throw new c(h.BadRequest, "No client ID given");
|
|
4677
4677
|
var e = new b();
|
|
4678
4678
|
if (await e.loadData(r), t = e.toObject(), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4679
4679
|
throw new c(h.InvalidCsrf);
|
|
@@ -4681,7 +4681,7 @@ class $ {
|
|
|
4681
4681
|
let l = [];
|
|
4682
4682
|
for (let C of n)
|
|
4683
4683
|
try {
|
|
4684
|
-
|
|
4684
|
+
B.validateUri(C);
|
|
4685
4685
|
} catch (T) {
|
|
4686
4686
|
d.logger.error(u({ err: T })), l.push("[" + C + "]");
|
|
4687
4687
|
}
|
|
@@ -4697,7 +4697,7 @@ class $ {
|
|
|
4697
4697
|
if (g.client_name = t.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow = f, g.redirect_uri = n, o) {
|
|
4698
4698
|
let C = t.userid ?? void 0;
|
|
4699
4699
|
if (C && ((s = this.sessionServer) != null && s.userStorage)) {
|
|
4700
|
-
const { user: T } = await ((
|
|
4700
|
+
const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4701
4701
|
C = T.id;
|
|
4702
4702
|
}
|
|
4703
4703
|
g.userid = t.userid ? Number(t.userid) : null;
|
|
@@ -4705,7 +4705,7 @@ class $ {
|
|
|
4705
4705
|
const m = e.getAsBoolean("resetSecret");
|
|
4706
4706
|
if (!this.clientManager) throw new c(h.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
|
|
4707
4707
|
const { client: w, newSecret: S } = await this.clientManager.updateClient(
|
|
4708
|
-
|
|
4708
|
+
a,
|
|
4709
4709
|
g,
|
|
4710
4710
|
m
|
|
4711
4711
|
);
|
|
@@ -4716,9 +4716,9 @@ class $ {
|
|
|
4716
4716
|
//plaintextSecret: resetSecret ? formData.client_secret : undefined,
|
|
4717
4717
|
plaintextSecret: S && w.client_secret ? w.client_secret : void 0
|
|
4718
4718
|
};
|
|
4719
|
-
} catch (
|
|
4720
|
-
if (p.isSvelteKitRedirect(
|
|
4721
|
-
let n = c.asCrossauthError(
|
|
4719
|
+
} catch (a) {
|
|
4720
|
+
if (p.isSvelteKitRedirect(a) || p.isSvelteKitError(a)) throw a;
|
|
4721
|
+
let n = c.asCrossauthError(a, "Couldn't update client");
|
|
4722
4722
|
return d.logger.debug(u({ err: n })), d.logger.error(u({ cerr: n })), {
|
|
4723
4723
|
error: n.message,
|
|
4724
4724
|
errorCode: n.code,
|
|
@@ -4737,7 +4737,7 @@ class $ {
|
|
|
4737
4737
|
* @returns {@link CreateClientPageData}.
|
|
4738
4738
|
*/
|
|
4739
4739
|
async emptyClient_internal(r, o) {
|
|
4740
|
-
var e, s,
|
|
4740
|
+
var e, s, i, a, n, l, f;
|
|
4741
4741
|
try {
|
|
4742
4742
|
var t = new b();
|
|
4743
4743
|
await t.loadData(r);
|
|
@@ -4749,8 +4749,8 @@ class $ {
|
|
|
4749
4749
|
g = T.id;
|
|
4750
4750
|
}
|
|
4751
4751
|
const C = t.get("userid");
|
|
4752
|
-
if (C && ((
|
|
4753
|
-
const { user: T } = await ((
|
|
4752
|
+
if (C && ((i = this.sessionServer) != null && i.userStorage)) {
|
|
4753
|
+
const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4754
4754
|
g = T.id;
|
|
4755
4755
|
}
|
|
4756
4756
|
} else {
|
|
@@ -4790,7 +4790,7 @@ class $ {
|
|
|
4790
4790
|
* @returns {@link UpdateClientFormData}. If a secret was created, it will be placed as plaintext in the client that is returned. A random `client_id` is created.
|
|
4791
4791
|
*/
|
|
4792
4792
|
async createClient_internal(r, o) {
|
|
4793
|
-
var s,
|
|
4793
|
+
var s, i, a, n;
|
|
4794
4794
|
let t;
|
|
4795
4795
|
try {
|
|
4796
4796
|
var e = new b();
|
|
@@ -4799,7 +4799,7 @@ class $ {
|
|
|
4799
4799
|
if (o) {
|
|
4800
4800
|
const C = e.get("userid");
|
|
4801
4801
|
if (C && ((s = this.sessionServer) != null && s.userStorage)) {
|
|
4802
|
-
const { user: T } = await ((
|
|
4802
|
+
const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4803
4803
|
l = T.id;
|
|
4804
4804
|
}
|
|
4805
4805
|
} else {
|
|
@@ -4807,13 +4807,13 @@ class $ {
|
|
|
4807
4807
|
l = r.locals.user.id;
|
|
4808
4808
|
}
|
|
4809
4809
|
if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
|
|
4810
|
-
if (l && await ((n = (
|
|
4810
|
+
if (l && await ((n = (a = this.sessionServer) == null ? void 0 : a.userStorage) == null ? void 0 : n.getUserById(l)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4811
4811
|
throw new c(h.InvalidCsrf);
|
|
4812
4812
|
const f = !t.redirect_uri || t.redirect_uri.trim().length == 0 ? [] : t.redirect_uri.trim().split(/[, ][ \t\n]*/);
|
|
4813
4813
|
let g = [];
|
|
4814
4814
|
for (let C of f)
|
|
4815
4815
|
try {
|
|
4816
|
-
|
|
4816
|
+
B.validateUri(C);
|
|
4817
4817
|
} catch (T) {
|
|
4818
4818
|
d.logger.error(u({ err: T })), g.push("[" + C + "]");
|
|
4819
4819
|
}
|
|
@@ -4863,19 +4863,19 @@ class $ {
|
|
|
4863
4863
|
try {
|
|
4864
4864
|
if (!o) throw new c(h.BadRequest, "No client ID specified");
|
|
4865
4865
|
if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
|
|
4866
|
-
const
|
|
4866
|
+
const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (t = this.sessionServer) == null ? void 0 : t.userStorage) == null ? void 0 : e.getUserById(i.userid)), n = (s = a == null ? void 0 : a.user) == null ? void 0 : s.username;
|
|
4867
4867
|
return {
|
|
4868
4868
|
ok: !0,
|
|
4869
|
-
client:
|
|
4869
|
+
client: i,
|
|
4870
4870
|
client_id: o,
|
|
4871
4871
|
clientUsername: n
|
|
4872
4872
|
};
|
|
4873
|
-
} catch (
|
|
4874
|
-
let
|
|
4875
|
-
return d.logger.debug(u({ err:
|
|
4876
|
-
error:
|
|
4877
|
-
errorCode:
|
|
4878
|
-
errorCodeName:
|
|
4873
|
+
} catch (i) {
|
|
4874
|
+
let a = c.asCrossauthError(i, "Couldn't load client");
|
|
4875
|
+
return d.logger.debug(u({ err: a })), d.logger.error(u({ cerr: a })), {
|
|
4876
|
+
error: a.message,
|
|
4877
|
+
errorCode: a.code,
|
|
4878
|
+
errorCodeName: a.codeName,
|
|
4879
4879
|
ok: !1,
|
|
4880
4880
|
client_id: o
|
|
4881
4881
|
};
|
|
@@ -4896,19 +4896,19 @@ class $ {
|
|
|
4896
4896
|
const s = r.params.client_id;
|
|
4897
4897
|
if (!s) throw new c(h.BadRequest, "No client ID given");
|
|
4898
4898
|
if (!this.clientStorage) throw new c(h.Configuration, "No client storage specified");
|
|
4899
|
-
const
|
|
4900
|
-
if (!o &&
|
|
4899
|
+
const i = await ((t = this.clientStorage) == null ? void 0 : t.getClientById(s));
|
|
4900
|
+
if (!o && i.userid != ((e = r.locals.user) == null ? void 0 : e.id))
|
|
4901
4901
|
throw this.error(401, "Unauthorized");
|
|
4902
4902
|
return await this.clientStorage.deleteClient(s), {
|
|
4903
4903
|
ok: !0
|
|
4904
4904
|
};
|
|
4905
4905
|
} catch (s) {
|
|
4906
4906
|
if (p.isSvelteKitRedirect(s) || p.isSvelteKitError(s)) throw s;
|
|
4907
|
-
let
|
|
4908
|
-
return d.logger.debug(u({ err:
|
|
4909
|
-
error:
|
|
4910
|
-
errorCode:
|
|
4911
|
-
errorCodeName:
|
|
4907
|
+
let i = c.asCrossauthError(s, "Couldn't delete client");
|
|
4908
|
+
return d.logger.debug(u({ err: i })), d.logger.error(u({ cerr: i })), {
|
|
4909
|
+
error: i.message,
|
|
4910
|
+
errorCode: i.code,
|
|
4911
|
+
errorCodeName: i.codeName,
|
|
4912
4912
|
ok: !1
|
|
4913
4913
|
};
|
|
4914
4914
|
}
|
|
@@ -4929,7 +4929,7 @@ class $ {
|
|
|
4929
4929
|
};
|
|
4930
4930
|
}
|
|
4931
4931
|
}
|
|
4932
|
-
class Ce extends
|
|
4932
|
+
class Ce extends X {
|
|
4933
4933
|
/**
|
|
4934
4934
|
* Constructor
|
|
4935
4935
|
* @param sessionServer the session server which will have these endpoints
|
|
@@ -5105,7 +5105,7 @@ class Ce extends $ {
|
|
|
5105
5105
|
return this.createClient_internal(r, !1);
|
|
5106
5106
|
}
|
|
5107
5107
|
}
|
|
5108
|
-
class ye extends
|
|
5108
|
+
class ye extends X {
|
|
5109
5109
|
/**
|
|
5110
5110
|
* Constructor
|
|
5111
5111
|
* @param sessionServer the session server which will have these endpoints
|
|
@@ -5220,52 +5220,52 @@ class ye extends $ {
|
|
|
5220
5220
|
return this.deleteClient_internal(r, !0);
|
|
5221
5221
|
}
|
|
5222
5222
|
}
|
|
5223
|
-
const
|
|
5223
|
+
const x = "X-CROSSAUTH-CSRF";
|
|
5224
5224
|
function _e(k) {
|
|
5225
5225
|
let r = [];
|
|
5226
5226
|
return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
|
|
5227
5227
|
}
|
|
5228
5228
|
function Ee(k, r, o) {
|
|
5229
|
-
var
|
|
5229
|
+
var i;
|
|
5230
5230
|
let e = {
|
|
5231
5231
|
username: r.username ?? "",
|
|
5232
5232
|
state: "active"
|
|
5233
5233
|
};
|
|
5234
5234
|
const s = k.locals.user && p.isAdminFn(k.locals.user);
|
|
5235
|
-
for (let
|
|
5236
|
-
let n =
|
|
5237
|
-
if (
|
|
5235
|
+
for (let a in r) {
|
|
5236
|
+
let n = a.replace(/^user_/, "");
|
|
5237
|
+
if (a.startsWith("user_") && (s || o.includes(n)))
|
|
5238
5238
|
if ("type_" + n in r) {
|
|
5239
5239
|
if (r["type_" + n] == "string")
|
|
5240
|
-
e[n] = r[
|
|
5240
|
+
e[n] = r[a];
|
|
5241
5241
|
else if (r["type_" + n] == "number" || r["type_" + n] == "integer" || r["type_" + n] == "float")
|
|
5242
|
-
e[n] = Number(r[
|
|
5242
|
+
e[n] = Number(r[a]);
|
|
5243
5243
|
else if (r["type_" + n] == "boolean") {
|
|
5244
|
-
const l = (
|
|
5244
|
+
const l = (i = r[a]) == null ? void 0 : i.toLocaleLowerCase();
|
|
5245
5245
|
e[n] = l == "1" || l == "y" || l == "t" || l == "yes" || l == "true";
|
|
5246
5246
|
}
|
|
5247
5247
|
} else
|
|
5248
|
-
e[n] = r[
|
|
5248
|
+
e[n] = r[a];
|
|
5249
5249
|
}
|
|
5250
5250
|
return e.factor1 = "localpassword", e.factor2 = r.factor2, e;
|
|
5251
5251
|
}
|
|
5252
5252
|
function ve(k, r, o, t) {
|
|
5253
5253
|
var s;
|
|
5254
5254
|
const e = r.locals.user && p.isAdminFn(r.locals.user);
|
|
5255
|
-
for (let
|
|
5256
|
-
let
|
|
5257
|
-
if (
|
|
5258
|
-
if ("type_" +
|
|
5259
|
-
if (o["type_" +
|
|
5260
|
-
k[
|
|
5261
|
-
else if (o["type_" +
|
|
5262
|
-
k[
|
|
5263
|
-
else if (o["type_" +
|
|
5264
|
-
const n = (s = o[
|
|
5265
|
-
k[
|
|
5255
|
+
for (let i in o) {
|
|
5256
|
+
let a = i.replace(/^user_/, "");
|
|
5257
|
+
if (i.startsWith("user_") && (e || t.includes(a)))
|
|
5258
|
+
if ("type_" + a in o) {
|
|
5259
|
+
if (o["type_" + a] == "string")
|
|
5260
|
+
k[a] = o[i];
|
|
5261
|
+
else if (o["type_" + a] == "number" || o["type_" + a] == "integer" || o["type_" + a] == "float")
|
|
5262
|
+
k[a] = Number(o[i]);
|
|
5263
|
+
else if (o["type_" + a] == "boolean") {
|
|
5264
|
+
const n = (s = o[i]) == null ? void 0 : s.toLocaleLowerCase();
|
|
5265
|
+
k[a] = n == "1" || n == "y" || n == "t" || n == "yes" || n == "true";
|
|
5266
5266
|
}
|
|
5267
5267
|
} else
|
|
5268
|
-
k[
|
|
5268
|
+
k[a] = o[i];
|
|
5269
5269
|
}
|
|
5270
5270
|
return k;
|
|
5271
5271
|
}
|
|
@@ -5278,7 +5278,7 @@ class H {
|
|
|
5278
5278
|
* @param options See {@link SvelteKitSessionServerOptions}.
|
|
5279
5279
|
*/
|
|
5280
5280
|
constructor(r, o, t = {}) {
|
|
5281
|
-
this.validateUserFn = _e, this.createUserFn = Ee, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.keyStorage = r, this.userStorage = t.userStorage, this.clientStorage = t.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, t), this.redirect = t.redirect ?? Q, this.error = t.error ?? Y, y("factor2Url", _.String, this, t, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", _.JsonArray, this, t, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", _.JsonArray, this, t, "ADMIN_API_ENDPOINTS"), y("loginUrl", _.JsonArray, this, t, "LOGIN_URL"), y("unauthorizedUrl", _.JsonArray, this, t, "UNAUTHORIZED_PAGE");
|
|
5281
|
+
this.validateUserFn = _e, this.createUserFn = Ee, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.adminProtectedExceptionPageEndpoints = [], this.adminProtectedExceptionApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.keyStorage = r, this.userStorage = t.userStorage, this.clientStorage = t.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, t), this.redirect = t.redirect ?? Q, this.error = t.error ?? Y, y("factor2Url", _.String, this, t, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", _.JsonArray, this, t, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", _.JsonArray, this, t, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", _.JsonArray, this, t, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", _.JsonArray, this, t, "ADMIN_API_ENDPOINTS"), y("adminProtectedExceptionPageEndpoints", _.JsonArray, this, t, "ADMIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("adminProtectedExceptionApiEndpoints", _.JsonArray, this, t, "ADMIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("loginUrl", _.JsonArray, this, t, "LOGIN_URL"), y("unauthorizedUrl", _.JsonArray, this, t, "UNAUTHORIZED_PAGE");
|
|
5282
5282
|
let e = {};
|
|
5283
5283
|
if (y("allowedFactor2", _.JsonArray, e, t, "ALLOWED_FACTOR2"), this.allowedFactor2Names = t.allowedFactor2 ?? ["none"], e.allowedFactor2)
|
|
5284
5284
|
for (let s of e.allowedFactor2)
|
|
@@ -5294,8 +5294,8 @@ class H {
|
|
|
5294
5294
|
y("enableEmailVerification", _.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", _.Boolean, this, t, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", _.Boolean, this, t, "ENABLE_CSRF_PROTECTION"), y("editUserScope", _.String, this, t, "EDIT_USER_SCOPE"), t.validateUserFn && (this.validateUserFn = t.validateUserFn), t.createUserFn && (this.createUserFn = t.createUserFn), t.updateUserFn && (this.updateUserFn = t.updateUserFn), t.addToSession && (this.addToSession = t.addToSession), t.validateSession && (this.validateSession = t.validateSession), this.userEndpoints = new we(this, t), this.adminEndpoints = new ke(this, t), this.userClientEndpoints = new Ce(this, t), this.adminClientEndpoints = new ye(this, t), this.sessionHook = async ({ event: s }) => {
|
|
5295
5295
|
var f, g;
|
|
5296
5296
|
d.logger.debug("Session hook");
|
|
5297
|
-
let
|
|
5298
|
-
const
|
|
5297
|
+
let i = [];
|
|
5298
|
+
const a = this.sessionManager.csrfCookieName, n = this.sessionManager.sessionCookieName;
|
|
5299
5299
|
if (this.enableCsrfProtection) {
|
|
5300
5300
|
d.logger.debug(u({ msg: "Getting csrf cookie" }));
|
|
5301
5301
|
let m;
|
|
@@ -5304,7 +5304,7 @@ class H {
|
|
|
5304
5304
|
} catch (w) {
|
|
5305
5305
|
d.logger.warn(u({ msg: "Invalid csrf cookie received", cerr: w, hashedCsrfCookie: this.getHashOfCsrfCookie(s) }));
|
|
5306
5306
|
try {
|
|
5307
|
-
this.clearCookie(
|
|
5307
|
+
this.clearCookie(a, this.sessionManager.csrfCookiePath, s);
|
|
5308
5308
|
} catch (S) {
|
|
5309
5309
|
d.logger.debug(u({ err: S })), d.logger.error(u({ cerr: S, msg: "Couldn't delete CSRF cookie", ip: s.request.referrer, hashedCsrfCookie: this.getHashOfCsrfCookie(s) }));
|
|
5310
5310
|
}
|
|
@@ -5321,13 +5321,13 @@ class H {
|
|
|
5321
5321
|
const { csrfCookie: w, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
|
|
5322
5322
|
this.setCsrfCookie(w, s), s.locals.csrfToken = S;
|
|
5323
5323
|
}
|
|
5324
|
-
this.setHeader(
|
|
5324
|
+
this.setHeader(x, s.locals.csrfToken, i);
|
|
5325
5325
|
} catch (w) {
|
|
5326
|
-
d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: w, user: (f = s.locals.user) == null ? void 0 : f.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: w })), this.clearCookie(
|
|
5326
|
+
d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: w, user: (f = s.locals.user) == null ? void 0 : f.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: w })), this.clearCookie(a, this.sessionManager.csrfCookiePath, s), s.locals.csrfToken = void 0;
|
|
5327
5327
|
}
|
|
5328
5328
|
else if (m)
|
|
5329
5329
|
try {
|
|
5330
|
-
await this.csrfToken(s,
|
|
5330
|
+
await this.csrfToken(s, i);
|
|
5331
5331
|
} catch (w) {
|
|
5332
5332
|
d.logger.error(u({ msg: "Couldn't create CSRF token", cerr: w, user: (g = s.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(s) })), d.logger.debug(u({ err: w }));
|
|
5333
5333
|
}
|
|
@@ -5342,13 +5342,13 @@ class H {
|
|
|
5342
5342
|
} catch {
|
|
5343
5343
|
d.logger.warn(u({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(s) })), this.clearCookie(n, this.sessionManager.sessionCookiePath, s);
|
|
5344
5344
|
}
|
|
5345
|
-
return { headers:
|
|
5345
|
+
return { headers: i };
|
|
5346
5346
|
}, this.twoFAHook = async ({ event: s }) => {
|
|
5347
5347
|
var f;
|
|
5348
5348
|
if (d.logger.debug(u({ msg: "twoFAHook", username: (f = s.locals.user) == null ? void 0 : f.username })), !this.userStorage) throw this.error(500, "No user storage defined");
|
|
5349
|
-
const
|
|
5349
|
+
const i = this.getSessionCookieValue(s), a = this.isFactor2PageProtected(s), n = this.isFactor2ApiProtected(s);
|
|
5350
5350
|
let l;
|
|
5351
|
-
if (
|
|
5351
|
+
if (i)
|
|
5352
5352
|
if (s.locals.user) l = s.locals.user;
|
|
5353
5353
|
else {
|
|
5354
5354
|
const g = await this.getSessionData(s, "user");
|
|
@@ -5357,7 +5357,7 @@ class H {
|
|
|
5357
5357
|
(m.user.status == I.active || m.user.state == I.factor2ResetNeeded) && (l = m.user);
|
|
5358
5358
|
}
|
|
5359
5359
|
}
|
|
5360
|
-
if (l &&
|
|
5360
|
+
if (l && i && l.factor2 != "" && (a || n))
|
|
5361
5361
|
if (d.logger.debug(u({ msg: "Factor2-protected endpoint visited" })), ["GET", "OPTIONS", "HEAD"].includes(s.request.method)) {
|
|
5362
5362
|
d.logger.debug(u({ msg: "Factor2-protected GET endpoint - cancelling 2FA" }));
|
|
5363
5363
|
const g = this.getSessionCookieValue(s);
|
|
@@ -5373,7 +5373,7 @@ class H {
|
|
|
5373
5373
|
}
|
|
5374
5374
|
}
|
|
5375
5375
|
} else {
|
|
5376
|
-
const g = this.sessionManager.getSessionId(
|
|
5376
|
+
const g = this.sessionManager.getSessionId(i), m = await this.sessionManager.dataForSessionId(g);
|
|
5377
5377
|
if ("pre2fa" in m) {
|
|
5378
5378
|
d.logger.debug(u({ msg: "Completing 2FA" }));
|
|
5379
5379
|
const w = this.authenticators[m.pre2fa.factor2], S = [...w.secretNames(), ...w.transientSecretNames()];
|
|
@@ -5384,16 +5384,16 @@ class H {
|
|
|
5384
5384
|
S.includes(U) && (C[U] = T.get(U) ?? "");
|
|
5385
5385
|
const N = this.getSessionCookieValue(s);
|
|
5386
5386
|
if (!N) throw new c(h.Unauthorized, "No session cookie found");
|
|
5387
|
-
let
|
|
5387
|
+
let A;
|
|
5388
5388
|
try {
|
|
5389
5389
|
await this.sessionManager.completeTwoFactorPageVisit(C, s.locals.sessionId ?? "");
|
|
5390
5390
|
} catch (U) {
|
|
5391
|
-
|
|
5391
|
+
A = c.asCrossauthError(U), d.logger.debug(u({ err: U }));
|
|
5392
5392
|
const z = c.asCrossauthError(U);
|
|
5393
|
-
d.logger.error(u({ msg:
|
|
5393
|
+
d.logger.error(u({ msg: A.message, cerr: U, user: T.get("username"), errorCode: z.code, errorCodeName: z.codeName }));
|
|
5394
5394
|
}
|
|
5395
|
-
if (
|
|
5396
|
-
if (
|
|
5395
|
+
if (A)
|
|
5396
|
+
if (A.code == h.Expired) {
|
|
5397
5397
|
d.logger.debug(u({ msg: "Error - cancelling 2FA" }));
|
|
5398
5398
|
try {
|
|
5399
5399
|
await this.sessionManager.cancelTwoFactorPageVisit(N);
|
|
@@ -5402,26 +5402,26 @@ class H {
|
|
|
5402
5402
|
}
|
|
5403
5403
|
return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
|
|
5404
5404
|
} else
|
|
5405
|
-
return
|
|
5405
|
+
return a ? {
|
|
5406
5406
|
twofa: !0,
|
|
5407
5407
|
ok: !1,
|
|
5408
5408
|
response: new Response("", {
|
|
5409
5409
|
status: 302,
|
|
5410
5410
|
statusText: q(302),
|
|
5411
|
-
headers: { Location: this.factor2Url + "?error=" + h[
|
|
5411
|
+
headers: { Location: this.factor2Url + "?error=" + h[A.code] }
|
|
5412
5412
|
})
|
|
5413
5413
|
} : {
|
|
5414
5414
|
twofa: !0,
|
|
5415
5415
|
ok: !1,
|
|
5416
5416
|
response: new Response(JSON.stringify({
|
|
5417
5417
|
ok: !1,
|
|
5418
|
-
errorMessage:
|
|
5419
|
-
errorMessages:
|
|
5420
|
-
errorCode:
|
|
5421
|
-
errorCodeName: h[
|
|
5418
|
+
errorMessage: A.message,
|
|
5419
|
+
errorMessages: A.messages,
|
|
5420
|
+
errorCode: A.code,
|
|
5421
|
+
errorCodeName: h[A.code]
|
|
5422
5422
|
}), {
|
|
5423
|
-
status:
|
|
5424
|
-
statusText: q(
|
|
5423
|
+
status: A.httpStatus,
|
|
5424
|
+
statusText: q(A.httpStatus),
|
|
5425
5425
|
headers: { "content-tyoe": "application/json" }
|
|
5426
5426
|
})
|
|
5427
5427
|
};
|
|
@@ -5450,7 +5450,7 @@ class H {
|
|
|
5450
5450
|
const w = new b();
|
|
5451
5451
|
await w.loadData(s);
|
|
5452
5452
|
let S = s.request.headers.get("content-type");
|
|
5453
|
-
return await this.sessionManager.initiateTwoFactorPageVisit(l, s.locals.sessionId ?? "", w.toObject(), s.request.url.replace(/\?.*$/, ""), S || void 0),
|
|
5453
|
+
return await this.sessionManager.initiateTwoFactorPageVisit(l, s.locals.sessionId ?? "", w.toObject(), s.request.url.replace(/\?.*$/, ""), S || void 0), a ? {
|
|
5454
5454
|
twofa: !0,
|
|
5455
5455
|
ok: !0,
|
|
5456
5456
|
response: new Response("", {
|
|
@@ -5519,7 +5519,7 @@ class H {
|
|
|
5519
5519
|
* @param event the request event
|
|
5520
5520
|
*/
|
|
5521
5521
|
setCsrfCookie(r, o) {
|
|
5522
|
-
o.cookies.set(r.name, r.value,
|
|
5522
|
+
o.cookies.set(r.name, r.value, P(r.options));
|
|
5523
5523
|
}
|
|
5524
5524
|
setHeader(r, o, t) {
|
|
5525
5525
|
t.push({
|
|
@@ -5539,7 +5539,7 @@ class H {
|
|
|
5539
5539
|
const o = this.getSessionCookieValue(r);
|
|
5540
5540
|
if (!o) return "";
|
|
5541
5541
|
try {
|
|
5542
|
-
return
|
|
5542
|
+
return F.hash(o);
|
|
5543
5543
|
} catch {
|
|
5544
5544
|
}
|
|
5545
5545
|
return "";
|
|
@@ -5556,7 +5556,7 @@ class H {
|
|
|
5556
5556
|
const o = this.getCsrfCookieValue(r);
|
|
5557
5557
|
if (!o) return "";
|
|
5558
5558
|
try {
|
|
5559
|
-
return
|
|
5559
|
+
return F.hash(o);
|
|
5560
5560
|
} catch {
|
|
5561
5561
|
}
|
|
5562
5562
|
return "";
|
|
@@ -5573,28 +5573,28 @@ class H {
|
|
|
5573
5573
|
* @returns the string CSRF token for inclusion in forms
|
|
5574
5574
|
*/
|
|
5575
5575
|
async csrfToken(r, o) {
|
|
5576
|
-
var e, s,
|
|
5576
|
+
var e, s, i;
|
|
5577
5577
|
let t;
|
|
5578
|
-
if (r.request.headers && r.request.headers.has(
|
|
5579
|
-
const
|
|
5580
|
-
Array.isArray(
|
|
5578
|
+
if (r.request.headers && r.request.headers.has(x.toLowerCase())) {
|
|
5579
|
+
const a = r.request.headers.get(x.toLowerCase());
|
|
5580
|
+
Array.isArray(a) ? t = a[0] : a && (t = a);
|
|
5581
5581
|
}
|
|
5582
5582
|
if (!t) {
|
|
5583
5583
|
if (!((e = r.request) != null && e.body)) {
|
|
5584
5584
|
d.logger.warn(u({ msg: "Received CSRF header but not token", ip: r.request.referrerPolicy, hashedCsrfCookie: this.getHashOfCsrfCookie(r) }));
|
|
5585
5585
|
return;
|
|
5586
5586
|
}
|
|
5587
|
-
const
|
|
5588
|
-
if (
|
|
5589
|
-
t = (await ((
|
|
5590
|
-
else if (
|
|
5587
|
+
const a = r.request.headers.get("content-type");
|
|
5588
|
+
if (a == "application/json")
|
|
5589
|
+
t = (await ((i = (s = r.request) == null ? void 0 : s.clone()) == null ? void 0 : i.json())).csrfToken;
|
|
5590
|
+
else if (a == "application/x-www-form-urlencoded" || a == "multipart/form-data") {
|
|
5591
5591
|
const l = (await r.request.clone().formData()).get("csrfToken");
|
|
5592
5592
|
l && typeof l == "string" && (t = l);
|
|
5593
5593
|
}
|
|
5594
5594
|
}
|
|
5595
5595
|
if (t)
|
|
5596
5596
|
try {
|
|
5597
|
-
this.sessionManager.validateDoubleSubmitCsrfToken(this.getCsrfCookieValue(r), t), r.locals.csrfToken = t, this.setHeader(
|
|
5597
|
+
this.sessionManager.validateDoubleSubmitCsrfToken(this.getCsrfCookieValue(r), t), r.locals.csrfToken = t, this.setHeader(x, t, o);
|
|
5598
5598
|
} catch {
|
|
5599
5599
|
d.logger.warn(u({ msg: "Invalid CSRF token", hashedCsrfCookie: this.getHashOfCsrfCookie(r) })), this.clearCookie(this.sessionManager.csrfCookieName, this.sessionManager.csrfCookiePath, r), r.locals.csrfToken = void 0;
|
|
5600
5600
|
}
|
|
@@ -5620,8 +5620,8 @@ class H {
|
|
|
5620
5620
|
else {
|
|
5621
5621
|
e = "";
|
|
5622
5622
|
for (let s in o) {
|
|
5623
|
-
const
|
|
5624
|
-
e.length > 0 && (e += "&"), e += encodeURIComponent(s) + "=" + encodeURIComponent(
|
|
5623
|
+
const i = o[s];
|
|
5624
|
+
e.length > 0 && (e += "&"), e += encodeURIComponent(s) + "=" + encodeURIComponent(i);
|
|
5625
5625
|
}
|
|
5626
5626
|
}
|
|
5627
5627
|
return r.request = new Request(r.request.url, {
|
|
@@ -5639,7 +5639,7 @@ class H {
|
|
|
5639
5639
|
getHashOfSessionId(r) {
|
|
5640
5640
|
if (!r.locals.sessionId) return "";
|
|
5641
5641
|
try {
|
|
5642
|
-
return
|
|
5642
|
+
return F.hash(r.locals.sessionId);
|
|
5643
5643
|
} catch {
|
|
5644
5644
|
}
|
|
5645
5645
|
return "";
|
|
@@ -5675,10 +5675,10 @@ class H {
|
|
|
5675
5675
|
if (o.pathname == this.loginUrl) return !1;
|
|
5676
5676
|
let t = !1;
|
|
5677
5677
|
return t = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5678
|
-
(s,
|
|
5678
|
+
(s, i) => s || R(o.pathname, i),
|
|
5679
5679
|
t
|
|
5680
5680
|
), t ? !1 : this.loginProtectedPageEndpoints.reduce(
|
|
5681
|
-
(s,
|
|
5681
|
+
(s, i) => s || R(o.pathname, i),
|
|
5682
5682
|
!1
|
|
5683
5683
|
);
|
|
5684
5684
|
}
|
|
@@ -5696,10 +5696,10 @@ class H {
|
|
|
5696
5696
|
if (o.pathname == this.loginUrl) return !1;
|
|
5697
5697
|
let t = !1;
|
|
5698
5698
|
return t = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5699
|
-
(s,
|
|
5699
|
+
(s, i) => s || R(o.pathname, i),
|
|
5700
5700
|
t
|
|
5701
5701
|
), t ? !1 : this.loginProtectedApiEndpoints.reduce(
|
|
5702
|
-
(s,
|
|
5702
|
+
(s, i) => s || R(o.pathname, i),
|
|
5703
5703
|
!1
|
|
5704
5704
|
);
|
|
5705
5705
|
}
|
|
@@ -5715,7 +5715,7 @@ class H {
|
|
|
5715
5715
|
isFactor2PageProtected(r) {
|
|
5716
5716
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5717
5717
|
return this.factor2ProtectedPageEndpoints.reduce(
|
|
5718
|
-
(e, s) => e ||
|
|
5718
|
+
(e, s) => e || R(o.pathname, s),
|
|
5719
5719
|
!1
|
|
5720
5720
|
);
|
|
5721
5721
|
}
|
|
@@ -5731,7 +5731,7 @@ class H {
|
|
|
5731
5731
|
isFactor2ApiProtected(r) {
|
|
5732
5732
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5733
5733
|
return this.factor2ProtectedApiEndpoints.reduce(
|
|
5734
|
-
(e, s) => e ||
|
|
5734
|
+
(e, s) => e || R(o.pathname, s),
|
|
5735
5735
|
!1
|
|
5736
5736
|
);
|
|
5737
5737
|
}
|
|
@@ -5746,8 +5746,12 @@ class H {
|
|
|
5746
5746
|
*/
|
|
5747
5747
|
isAdminPageEndpoint(r) {
|
|
5748
5748
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5749
|
-
|
|
5750
|
-
|
|
5749
|
+
let t = !1;
|
|
5750
|
+
return t = this.adminProtectedExceptionPageEndpoints.reduce(
|
|
5751
|
+
(s, i) => s || R(o.pathname, i),
|
|
5752
|
+
t
|
|
5753
|
+
), t ? !1 : this.adminPageEndpoints.reduce(
|
|
5754
|
+
(s, i) => s || R(o.pathname, i),
|
|
5751
5755
|
!1
|
|
5752
5756
|
);
|
|
5753
5757
|
}
|
|
@@ -5762,8 +5766,12 @@ class H {
|
|
|
5762
5766
|
*/
|
|
5763
5767
|
isAdminApiEndpoint(r) {
|
|
5764
5768
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5765
|
-
|
|
5766
|
-
|
|
5769
|
+
let t = !1;
|
|
5770
|
+
return t = this.adminProtectedExceptionApiEndpoints.reduce(
|
|
5771
|
+
(s, i) => s || R(o.pathname, i),
|
|
5772
|
+
t
|
|
5773
|
+
), t ? !1 : this.adminApiEndpoints.reduce(
|
|
5774
|
+
(s, i) => s || R(o.pathname, i),
|
|
5767
5775
|
!1
|
|
5768
5776
|
);
|
|
5769
5777
|
}
|
|
@@ -5785,15 +5793,15 @@ class H {
|
|
|
5785
5793
|
await t.loadData(r);
|
|
5786
5794
|
let e = this.addToSession ? this.addToSession(r, t.toObject()) : {};
|
|
5787
5795
|
o && (e.data = JSON.stringify(o));
|
|
5788
|
-
let { sessionCookie: s, csrfCookie:
|
|
5796
|
+
let { sessionCookie: s, csrfCookie: i, csrfFormOrHeaderValue: a } = await this.sessionManager.createAnonymousSession(e);
|
|
5789
5797
|
r.cookies.set(
|
|
5790
5798
|
s.name,
|
|
5791
5799
|
s.value,
|
|
5792
|
-
|
|
5793
|
-
), this.enableCsrfProtection && (r.locals.csrfToken =
|
|
5794
|
-
|
|
5795
|
-
|
|
5796
|
-
|
|
5800
|
+
P(s.options)
|
|
5801
|
+
), this.enableCsrfProtection && (r.locals.csrfToken = a, r.cookies.set(
|
|
5802
|
+
i.name,
|
|
5803
|
+
i.value,
|
|
5804
|
+
P(i.options)
|
|
5797
5805
|
)), r.locals.user = void 0;
|
|
5798
5806
|
const n = this.sessionManager.getSessionId(s.value);
|
|
5799
5807
|
return r.locals.sessionId = n, s.value;
|
|
@@ -5896,7 +5904,7 @@ export {
|
|
|
5896
5904
|
p as SvelteKitServer,
|
|
5897
5905
|
Re as SvelteKitSessionAdapter,
|
|
5898
5906
|
H as SvelteKitSessionServer,
|
|
5899
|
-
|
|
5907
|
+
X as SvelteKitSharedClientEndpoints,
|
|
5900
5908
|
Ce as SvelteKitUserClientEndpoints,
|
|
5901
5909
|
we as SvelteKitUserEndpoints,
|
|
5902
5910
|
Se as defaultClientSearchFn
|