@crossauth/sveltekit 0.0.34 → 0.0.35
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +640 -639
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -26,11 +26,11 @@ class b {
|
|
|
26
26
|
this.clone = r;
|
|
27
27
|
}
|
|
28
28
|
async loadData(r) {
|
|
29
|
-
var s, e, t,
|
|
29
|
+
var s, e, t, i;
|
|
30
30
|
if (!((s = r.request) != null && s.body))
|
|
31
31
|
return;
|
|
32
32
|
const o = r.request.headers.get("content-type");
|
|
33
|
-
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((
|
|
33
|
+
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((i = r.request) == null ? void 0 : i.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
|
|
34
34
|
}
|
|
35
35
|
get(r) {
|
|
36
36
|
if (this.jsonData) return this.jsonData[r];
|
|
@@ -92,29 +92,29 @@ class ne {
|
|
|
92
92
|
l.logger.debug(f({
|
|
93
93
|
msg: "Received authorization header"
|
|
94
94
|
}));
|
|
95
|
-
const
|
|
95
|
+
const i = await this.apiKeyManager.validateToken(
|
|
96
96
|
t
|
|
97
97
|
);
|
|
98
98
|
l.logger.debug(f({
|
|
99
99
|
msg: "Valid API key",
|
|
100
|
-
hahedApiKey: K.hashSignedApiKeyValue(
|
|
100
|
+
hahedApiKey: K.hashSignedApiKeyValue(i.value)
|
|
101
101
|
}));
|
|
102
|
-
const
|
|
103
|
-
if (e.locals.apiKey = { ...
|
|
102
|
+
const a = $.decodeData(i.data);
|
|
103
|
+
if (e.locals.apiKey = { ...i, ...a }, "scope" in a && Array.isArray(a.scope)) {
|
|
104
104
|
let c = [];
|
|
105
|
-
for (let d of
|
|
105
|
+
for (let d of a.scope)
|
|
106
106
|
typeof d == "string" && c.push(d);
|
|
107
107
|
e.locals.scope = c;
|
|
108
108
|
}
|
|
109
|
-
if (
|
|
109
|
+
if (i.userid)
|
|
110
110
|
try {
|
|
111
|
-
const { user: c } = await this.userStorage.getUserById(
|
|
112
|
-
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: K.hashSignedApiKeyValue(
|
|
111
|
+
const { user: c } = await this.userStorage.getUserById(i.userid);
|
|
112
|
+
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: K.hashSignedApiKeyValue(i.value) }));
|
|
113
113
|
} catch (c) {
|
|
114
|
-
l.logger.error(f({ msg: "API key has invalid user", userid:
|
|
114
|
+
l.logger.error(f({ msg: "API key has invalid user", userid: i.userid, hashedApiKey: K.hashSignedApiKeyValue(i.value) })), l.logger.debug(f({ err: c }));
|
|
115
115
|
}
|
|
116
|
-
} catch (
|
|
117
|
-
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err:
|
|
116
|
+
} catch (i) {
|
|
117
|
+
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err: i }));
|
|
118
118
|
}
|
|
119
119
|
};
|
|
120
120
|
}
|
|
@@ -130,9 +130,9 @@ class ce {
|
|
|
130
130
|
* @param options see {@link SvelteKitAuthorizationServerOptions}
|
|
131
131
|
*/
|
|
132
132
|
constructor(r, o, s, e, t = {}) {
|
|
133
|
-
var
|
|
133
|
+
var i;
|
|
134
134
|
this.loginUrl = "/login", this.refreshTokenType = "json", this.refreshTokenCookieName = "CROSSAUTH_REFRESH_TOKEN", this.refreshTokenCookieDomain = void 0, this.refreshTokenCookieHttpOnly = !1, this.refreshTokenCookiePath = "/", this.refreshTokenCookieSecure = !0, this.refreshTokenCookieSameSite = "strict", this.authorizeEndpointUrl = "/oauth/authorize", this.tokenEndpointUrl = "/oauth/token", this.jwksEndpointUrl = "/oauth/jwks", this.oidcConfigurationEndpoint = {
|
|
135
|
-
get: async (
|
|
135
|
+
get: async (a) => v(this.authServer.oidcConfiguration(
|
|
136
136
|
{
|
|
137
137
|
authorizeEndpoint: this.authorizeEndpointUrl,
|
|
138
138
|
tokenEndpoint: this.tokenEndpointUrl,
|
|
@@ -141,7 +141,7 @@ class ce {
|
|
|
141
141
|
}
|
|
142
142
|
))
|
|
143
143
|
}, this.jwksGetEndpoint = {
|
|
144
|
-
get: async (
|
|
144
|
+
get: async (a) => {
|
|
145
145
|
try {
|
|
146
146
|
return v(this.authServer.jwks());
|
|
147
147
|
} catch (c) {
|
|
@@ -153,7 +153,7 @@ class ce {
|
|
|
153
153
|
}
|
|
154
154
|
}
|
|
155
155
|
}, this.getCsrfTokenEndpoint = {
|
|
156
|
-
get: async (
|
|
156
|
+
get: async (a) => {
|
|
157
157
|
var d;
|
|
158
158
|
if (!this.csrfTokens) return v({
|
|
159
159
|
ok: !1,
|
|
@@ -166,7 +166,7 @@ class ce {
|
|
|
166
166
|
csrfCookie: h,
|
|
167
167
|
csrfFormOrHeaderValue: g
|
|
168
168
|
} = await this.createCsrfToken();
|
|
169
|
-
return c = h.value,
|
|
169
|
+
return c = h.value, a.cookies.set(
|
|
170
170
|
h.name,
|
|
171
171
|
h.value,
|
|
172
172
|
R(h.options)
|
|
@@ -175,7 +175,7 @@ class ce {
|
|
|
175
175
|
const g = n.asCrossauthError(h);
|
|
176
176
|
return l.logger.error(f({
|
|
177
177
|
msg: "getcsrftoken failure",
|
|
178
|
-
user: (d =
|
|
178
|
+
user: (d = a.locals.user) == null ? void 0 : d.username,
|
|
179
179
|
hashedCsrfCookie: F.hash(c.split(".")[0]),
|
|
180
180
|
error: g.code,
|
|
181
181
|
errorCodeName: g.codeName
|
|
@@ -187,15 +187,15 @@ class ce {
|
|
|
187
187
|
}
|
|
188
188
|
}
|
|
189
189
|
}, this.authorizeEndpoint = {
|
|
190
|
-
load: async (
|
|
190
|
+
load: async (a) => {
|
|
191
191
|
var w, S;
|
|
192
192
|
if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode)))
|
|
193
193
|
throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
|
|
194
|
-
if (!
|
|
194
|
+
if (!a.locals.user) return this.redirect(
|
|
195
195
|
302,
|
|
196
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
196
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
197
197
|
);
|
|
198
|
-
let c = this.getAuthorizeQuery(
|
|
198
|
+
let c = this.getAuthorizeQuery(a);
|
|
199
199
|
if (!c.query) return c.error;
|
|
200
200
|
let d = c.query;
|
|
201
201
|
l.logger.debug(f({ msg: "validating authorize parameters" }));
|
|
@@ -203,10 +203,10 @@ class ce {
|
|
|
203
203
|
if (h ? (g = new n(u.BadRequest, h), l.logger.error(f({
|
|
204
204
|
msg: "authorize parameter invalid",
|
|
205
205
|
cerr: g,
|
|
206
|
-
user: (w =
|
|
206
|
+
user: (w = a.locals.user) == null ? void 0 : w.username
|
|
207
207
|
}))) : l.logger.error(f({
|
|
208
208
|
msg: "authorize parameter valid",
|
|
209
|
-
user: (S =
|
|
209
|
+
user: (S = a.locals.user) == null ? void 0 : S.username
|
|
210
210
|
})), g)
|
|
211
211
|
return {
|
|
212
212
|
ok: !1,
|
|
@@ -219,18 +219,18 @@ class ce {
|
|
|
219
219
|
scope: d.scope
|
|
220
220
|
})), d.scope ? p = await this.authServer.hasAllScopes(
|
|
221
221
|
d.client_id,
|
|
222
|
-
|
|
222
|
+
a.locals.user,
|
|
223
223
|
d.scope.split(" ")
|
|
224
224
|
) : p = await this.authServer.hasAllScopes(
|
|
225
225
|
d.client_id,
|
|
226
|
-
|
|
226
|
+
a.locals.user,
|
|
227
227
|
[null]
|
|
228
228
|
), p) {
|
|
229
229
|
l.logger.debug(f({
|
|
230
230
|
msg: "All scopes authorized",
|
|
231
231
|
scope: d.scope
|
|
232
232
|
}));
|
|
233
|
-
const C = await this.authorize(
|
|
233
|
+
const C = await this.authorize(a, !0, {
|
|
234
234
|
responseType: d.response_type,
|
|
235
235
|
client_id: d.client_id,
|
|
236
236
|
redirect_uri: d.redirect_uri,
|
|
@@ -254,7 +254,7 @@ class ce {
|
|
|
254
254
|
return {
|
|
255
255
|
ok: !0,
|
|
256
256
|
authorizationNeeded: {
|
|
257
|
-
user:
|
|
257
|
+
user: a.locals.user,
|
|
258
258
|
response_type: d.response_type,
|
|
259
259
|
client_id: d.client_id,
|
|
260
260
|
client_name: C.client_name,
|
|
@@ -264,7 +264,7 @@ class ce {
|
|
|
264
264
|
state: d.state,
|
|
265
265
|
code_challenge: d.code_challenge,
|
|
266
266
|
code_challenge_method: d.code_challenge_method,
|
|
267
|
-
csrfToken:
|
|
267
|
+
csrfToken: a.locals.csrfToken
|
|
268
268
|
},
|
|
269
269
|
...this.baseEndpoint
|
|
270
270
|
};
|
|
@@ -280,12 +280,12 @@ class ce {
|
|
|
280
280
|
},
|
|
281
281
|
// load
|
|
282
282
|
actions: {
|
|
283
|
-
default: async (
|
|
283
|
+
default: async (a) => {
|
|
284
284
|
var h;
|
|
285
285
|
let c;
|
|
286
286
|
try {
|
|
287
287
|
var d = new b();
|
|
288
|
-
await d.loadData(
|
|
288
|
+
await d.loadData(a), c = d.toObject();
|
|
289
289
|
const g = d.getAsBoolean("authorized"), p = c.response_type, w = c.client_id, S = c.redirect_uri, C = c.scope, T = c.state, P = c.code_challenge, U = c.code_challenge_method;
|
|
290
290
|
let A;
|
|
291
291
|
if (g == null && (A = "authorized"), p ? w ? S ? T || (A = "state") : A = "redirect_uri" : A = "client_id" : A = "response_type", A)
|
|
@@ -294,12 +294,12 @@ class ce {
|
|
|
294
294
|
error: "invalid_request",
|
|
295
295
|
error_description: "Invalid form: does not contain " + A + " parameter"
|
|
296
296
|
};
|
|
297
|
-
if (!
|
|
297
|
+
if (!a.locals.user) return this.redirect(
|
|
298
298
|
302,
|
|
299
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
299
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
300
300
|
);
|
|
301
|
-
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !
|
|
302
|
-
const z = await this.authorize(
|
|
301
|
+
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !a.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
302
|
+
const z = await this.authorize(a, g ?? !1, {
|
|
303
303
|
responseType: p,
|
|
304
304
|
client_id: w,
|
|
305
305
|
redirect_uri: S,
|
|
@@ -326,7 +326,7 @@ class ce {
|
|
|
326
326
|
}
|
|
327
327
|
}
|
|
328
328
|
}, this.tokenEndpoint = {
|
|
329
|
-
post: async (
|
|
329
|
+
post: async (a) => {
|
|
330
330
|
let c;
|
|
331
331
|
try {
|
|
332
332
|
if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode) || this.authServer.validFlows.includes(_.ClientCredentials) || this.authServer.validFlows.includes(_.RefreshToken) || this.authServer.validFlows.includes(_.Password) || this.authServer.validFlows.includes(_.PasswordMfa || this.authServer.validFlows.includes(_.DeviceCode))))
|
|
@@ -336,12 +336,12 @@ class ce {
|
|
|
336
336
|
error_description: "Token endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
337
337
|
}, { status: 500 });
|
|
338
338
|
var d = new b();
|
|
339
|
-
await d.loadData(
|
|
340
|
-
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c,
|
|
341
|
-
let p = c.refresh_token, w =
|
|
339
|
+
await d.loadData(a), c = d.toObject();
|
|
340
|
+
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c, a);
|
|
341
|
+
let p = c.refresh_token, w = a.cookies.get(this.refreshTokenCookieName);
|
|
342
342
|
if ((this.refreshTokenType == "cookie" && w || this.refreshTokenType == "both" && w && p == null) && this.csrfTokens) {
|
|
343
|
-
const C =
|
|
344
|
-
let T =
|
|
343
|
+
const C = a.cookies.get(this.csrfTokens.cookieName);
|
|
344
|
+
let T = a.request.headers.get(this.csrfTokens.headerName.toLowerCase());
|
|
345
345
|
if (Array.isArray(T) && (T = T[0]), !C || !T)
|
|
346
346
|
return v({
|
|
347
347
|
ok: !1,
|
|
@@ -375,7 +375,7 @@ class ce {
|
|
|
375
375
|
refreshToken: p,
|
|
376
376
|
deviceCode: c.device_code
|
|
377
377
|
});
|
|
378
|
-
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(
|
|
378
|
+
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(a, S.refresh_token, S.expires_in), S.error == "authorization_pending")
|
|
379
379
|
return v(S);
|
|
380
380
|
if (S.error || !S.access_token) {
|
|
381
381
|
let C = "server_error", T = "Neither code nor error received when requestoing authorization";
|
|
@@ -393,10 +393,10 @@ class ce {
|
|
|
393
393
|
}
|
|
394
394
|
}
|
|
395
395
|
}, this.mfaAuthenticatorsEndpoint = {
|
|
396
|
-
get: async (
|
|
396
|
+
get: async (a) => {
|
|
397
397
|
try {
|
|
398
398
|
var c = new b();
|
|
399
|
-
return await c.loadData(
|
|
399
|
+
return await c.loadData(a), v(await this.mfaAuthenticators(a));
|
|
400
400
|
} catch (d) {
|
|
401
401
|
const h = n.asCrossauthError(d);
|
|
402
402
|
return l.logger.debug({ err: d }), l.logger.error({ cerr: d }), v({
|
|
@@ -405,11 +405,11 @@ class ce {
|
|
|
405
405
|
});
|
|
406
406
|
}
|
|
407
407
|
},
|
|
408
|
-
post: async (
|
|
408
|
+
post: async (a) => {
|
|
409
409
|
try {
|
|
410
410
|
var c = new b();
|
|
411
|
-
await c.loadData(
|
|
412
|
-
let d = await this.mfaAuthenticators(
|
|
411
|
+
await c.loadData(a);
|
|
412
|
+
let d = await this.mfaAuthenticators(a), h = 200;
|
|
413
413
|
return !Array.isArray(d) && d.error == "access_denied" ? h = 401 : !Array.isArray(d) && d.error && (h = 500), v(d, { status: h });
|
|
414
414
|
} catch (d) {
|
|
415
415
|
const h = n.asCrossauthError(d);
|
|
@@ -420,11 +420,11 @@ class ce {
|
|
|
420
420
|
}
|
|
421
421
|
}
|
|
422
422
|
}, this.mfaChallengeEndpoint = {
|
|
423
|
-
post: async (
|
|
423
|
+
post: async (a) => {
|
|
424
424
|
try {
|
|
425
425
|
var c = new b();
|
|
426
|
-
await c.loadData(
|
|
427
|
-
const d = await this.mfaChallenge(
|
|
426
|
+
await c.loadData(a);
|
|
427
|
+
const d = await this.mfaChallenge(a);
|
|
428
428
|
let h = 200;
|
|
429
429
|
return d.error == "access_denied" ? h = 401 : d.error && (h = 500), v(d, { status: h });
|
|
430
430
|
} catch (d) {
|
|
@@ -436,7 +436,7 @@ class ce {
|
|
|
436
436
|
}
|
|
437
437
|
}
|
|
438
438
|
}, this.deviceAuthorizationEndpoint = {
|
|
439
|
-
post: async (
|
|
439
|
+
post: async (a) => {
|
|
440
440
|
let c;
|
|
441
441
|
try {
|
|
442
442
|
if (!this.authServer.validFlows.includes(_.DeviceCode))
|
|
@@ -446,8 +446,8 @@ class ce {
|
|
|
446
446
|
error_description: "Device authorization endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
447
447
|
});
|
|
448
448
|
var d = new b();
|
|
449
|
-
await d.loadData(
|
|
450
|
-
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c,
|
|
449
|
+
await d.loadData(a), c = d.toObject();
|
|
450
|
+
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c, a), p = await this.authServer.deviceAuthorizationEndpoint({
|
|
451
451
|
client_id: h,
|
|
452
452
|
client_secret: g,
|
|
453
453
|
scope: c.scope
|
|
@@ -474,31 +474,31 @@ class ce {
|
|
|
474
474
|
}
|
|
475
475
|
}
|
|
476
476
|
}, this.deviceEndpoint = {
|
|
477
|
-
load: async (
|
|
477
|
+
load: async (a) => {
|
|
478
478
|
if (!this.authServer.validFlows.includes(_.DeviceCode))
|
|
479
479
|
throw this.error(401, "device cannot be called because the device code flow is not supported");
|
|
480
|
-
if (!
|
|
480
|
+
if (!a.locals.user) return this.redirect(
|
|
481
481
|
302,
|
|
482
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
482
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
483
483
|
);
|
|
484
|
-
let c =
|
|
485
|
-
return c ? await this.applyUserCode(c,
|
|
484
|
+
let c = a.url.searchParams.get("user_code");
|
|
485
|
+
return c ? await this.applyUserCode(c, a, a.locals.user) : {
|
|
486
486
|
ok: !0,
|
|
487
487
|
completed: !1,
|
|
488
488
|
retryAllowed: !0,
|
|
489
|
-
user:
|
|
490
|
-
csrfToken:
|
|
489
|
+
user: a.locals.user,
|
|
490
|
+
csrfToken: a.locals.csrfToken
|
|
491
491
|
};
|
|
492
492
|
},
|
|
493
493
|
// load
|
|
494
494
|
actions: {
|
|
495
|
-
userCode: async (
|
|
496
|
-
if (!
|
|
495
|
+
userCode: async (a) => {
|
|
496
|
+
if (!a.locals.user) throw this.error(401, "Access Denied");
|
|
497
497
|
try {
|
|
498
498
|
var c = new b();
|
|
499
|
-
await c.loadData(
|
|
499
|
+
await c.loadData(a);
|
|
500
500
|
const d = c.get("user_code");
|
|
501
|
-
return d ? await this.applyUserCode(d,
|
|
501
|
+
return d ? await this.applyUserCode(d, a, a.locals.user) : {
|
|
502
502
|
ok: !1,
|
|
503
503
|
completed: !1,
|
|
504
504
|
retryAllowed: !0,
|
|
@@ -517,12 +517,12 @@ class ce {
|
|
|
517
517
|
};
|
|
518
518
|
}
|
|
519
519
|
},
|
|
520
|
-
authorize: async (
|
|
520
|
+
authorize: async (a) => {
|
|
521
521
|
var h;
|
|
522
522
|
let c;
|
|
523
523
|
try {
|
|
524
524
|
var d = new b();
|
|
525
|
-
await d.loadData(
|
|
525
|
+
await d.loadData(a), c = d.toObject();
|
|
526
526
|
const g = d.getAsBoolean("authorized"), p = c.scope, w = c.client_id, S = c.user_code;
|
|
527
527
|
let C;
|
|
528
528
|
if (g == null && (C = "authorized"), w == null && (C = "client_id"), S == null && (C = "user_code"), C)
|
|
@@ -533,18 +533,18 @@ class ce {
|
|
|
533
533
|
error: "invalid_request",
|
|
534
534
|
error_description: "Invalid form: does not contain " + C + " parameter"
|
|
535
535
|
};
|
|
536
|
-
if (!
|
|
536
|
+
if (!a.locals.user) return this.redirect(
|
|
537
537
|
302,
|
|
538
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
538
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
539
539
|
);
|
|
540
|
-
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !
|
|
541
|
-
return (await this.authServer.validateAndPersistScope(w, p,
|
|
540
|
+
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !a.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
541
|
+
return (await this.authServer.validateAndPersistScope(w, p, a.locals.user)).error ? {
|
|
542
542
|
ok: !1,
|
|
543
543
|
completed: !1,
|
|
544
544
|
retryAllowed: !1,
|
|
545
545
|
error: "unauthorized_client",
|
|
546
546
|
error_description: "You did not authorize access to your account"
|
|
547
|
-
} : await this.applyUserCode(S,
|
|
547
|
+
} : await this.applyUserCode(S, a, a.locals.user);
|
|
548
548
|
} catch (g) {
|
|
549
549
|
if (m.isSvelteKitError(g) || m.isSvelteKitRedirect(g)) throw g;
|
|
550
550
|
let p = n.asCrossauthError(g, "Couldn't process authorization code");
|
|
@@ -563,7 +563,7 @@ class ce {
|
|
|
563
563
|
s,
|
|
564
564
|
e,
|
|
565
565
|
t
|
|
566
|
-
), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("refreshTokenType", E.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((
|
|
566
|
+
), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("refreshTokenType", E.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((i = this.svelteKitServer.sessionServer) == null ? void 0 : i.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(t.doubleSubmitCookieOptions));
|
|
567
567
|
}
|
|
568
568
|
/**
|
|
569
569
|
* Returns this server's OIDC configuration. Just wraps
|
|
@@ -585,8 +585,8 @@ class ce {
|
|
|
585
585
|
responseType: s,
|
|
586
586
|
client_id: e,
|
|
587
587
|
redirect_uri: t,
|
|
588
|
-
scope:
|
|
589
|
-
state:
|
|
588
|
+
scope: i,
|
|
589
|
+
state: a,
|
|
590
590
|
codeChallenge: c,
|
|
591
591
|
codeChallengeMethod: d
|
|
592
592
|
}) {
|
|
@@ -596,8 +596,8 @@ class ce {
|
|
|
596
596
|
responseType: s,
|
|
597
597
|
client_id: e,
|
|
598
598
|
redirect_uri: t,
|
|
599
|
-
scope:
|
|
600
|
-
state:
|
|
599
|
+
scope: i,
|
|
600
|
+
state: a,
|
|
601
601
|
codeChallenge: c,
|
|
602
602
|
codeChallengeMethod: d,
|
|
603
603
|
user: r.locals.user
|
|
@@ -616,7 +616,7 @@ class ce {
|
|
|
616
616
|
throw this.redirect(302, this.authServer.redirect_uri(
|
|
617
617
|
t,
|
|
618
618
|
p,
|
|
619
|
-
|
|
619
|
+
a
|
|
620
620
|
));
|
|
621
621
|
} else {
|
|
622
622
|
const w = new n(
|
|
@@ -690,13 +690,13 @@ class ce {
|
|
|
690
690
|
if (o = this.requireGetParam(r, "client_id"), o) return { error: o };
|
|
691
691
|
if (o = this.requireGetParam(r, "redirect_uri"), o) return { error: o };
|
|
692
692
|
if (o = this.requireGetParam(r, "state"), o) return { error: o };
|
|
693
|
-
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "",
|
|
693
|
+
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "", i = r.url.searchParams.get("scope") ?? void 0, a = r.url.searchParams.get("state") ?? "", c = r.url.searchParams.get("code_challenge") ?? void 0, d = r.url.searchParams.get("code_challenge_method") ?? void 0;
|
|
694
694
|
return { query: {
|
|
695
695
|
response_type: s,
|
|
696
696
|
client_id: e,
|
|
697
697
|
redirect_uri: t,
|
|
698
|
-
scope:
|
|
699
|
-
state:
|
|
698
|
+
scope: i,
|
|
699
|
+
state: a,
|
|
700
700
|
code_challenge: c,
|
|
701
701
|
code_challenge_method: d
|
|
702
702
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
@@ -710,18 +710,18 @@ class ce {
|
|
|
710
710
|
if (e = this.requireBodyParam(s, "challenge_type"), e) return { error: e };
|
|
711
711
|
if (e = this.requireBodyParam(s, "mfa_token"), e) return { error: e };
|
|
712
712
|
if (e = this.requireBodyParam(s, "authenticator_id"), e) return { error: e };
|
|
713
|
-
const t = s.client_id ?? "",
|
|
713
|
+
const t = s.client_id ?? "", i = s.challenge_type ?? "", a = s.mfa_token ?? "", c = s.authenticator_id ?? "", d = s.client_secret ?? void 0;
|
|
714
714
|
return { query: {
|
|
715
715
|
client_id: t,
|
|
716
716
|
client_secret: d,
|
|
717
|
-
challenge_type:
|
|
718
|
-
mfa_token:
|
|
717
|
+
challenge_type: i,
|
|
718
|
+
mfa_token: a,
|
|
719
719
|
authenticator_id: c
|
|
720
720
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
721
721
|
}
|
|
722
722
|
async mfaAuthenticators(r) {
|
|
723
|
-
var
|
|
724
|
-
const o = (
|
|
723
|
+
var i;
|
|
724
|
+
const o = (i = r.request.headers.get("authorization")) == null ? void 0 : i.split(" ");
|
|
725
725
|
if (!o || o.length != 2)
|
|
726
726
|
return {
|
|
727
727
|
error: "access_denied",
|
|
@@ -752,31 +752,31 @@ class ce {
|
|
|
752
752
|
let s = r.client_id, e = r.client_secret;
|
|
753
753
|
const t = o.request.headers.get("authorization");
|
|
754
754
|
if (t) {
|
|
755
|
-
let
|
|
755
|
+
let i, a;
|
|
756
756
|
const c = t.split(" ");
|
|
757
757
|
if (c.length == 2 && c[0].toLocaleLowerCase() == "basic") {
|
|
758
758
|
const h = F.base64Decode(c[1]).split(":", 2);
|
|
759
|
-
h.length == 2 && (
|
|
759
|
+
h.length == 2 && (i = h[0], a = h[1]);
|
|
760
760
|
}
|
|
761
|
-
|
|
761
|
+
i == null || a == null ? l.logger.warn(f({
|
|
762
762
|
msg: "Ignoring malform authenization header " + t
|
|
763
|
-
})) : (s =
|
|
763
|
+
})) : (s = i, e = a);
|
|
764
764
|
}
|
|
765
765
|
return { client_id: s, client_secret: e };
|
|
766
766
|
}
|
|
767
767
|
async applyUserCode(r, o, s) {
|
|
768
|
-
var e, t,
|
|
768
|
+
var e, t, i;
|
|
769
769
|
try {
|
|
770
|
-
const
|
|
771
|
-
if (
|
|
770
|
+
const a = await this.authServer.deviceEndpoint({ userCode: r, user: s });
|
|
771
|
+
if (a.error)
|
|
772
772
|
return {
|
|
773
773
|
ok: !1,
|
|
774
774
|
completed: !1,
|
|
775
775
|
retryAllowed: !1,
|
|
776
|
-
error:
|
|
777
|
-
error_description:
|
|
776
|
+
error: a.error,
|
|
777
|
+
error_description: a.error_description
|
|
778
778
|
};
|
|
779
|
-
if (!
|
|
779
|
+
if (!a.client_id)
|
|
780
780
|
return l.logger.error(f({ msg: "No client id found for user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
|
|
781
781
|
ok: !1,
|
|
782
782
|
completed: !1,
|
|
@@ -784,33 +784,33 @@ class ce {
|
|
|
784
784
|
error: "server_error",
|
|
785
785
|
error_description: "No client id found for user code"
|
|
786
786
|
};
|
|
787
|
-
if (
|
|
787
|
+
if (a.error == "access_denied")
|
|
788
788
|
return l.logger.error(f({ msg: "Incorrect user code given", userCodeHash: F.hash(r), ip: o.request.referrer, username: (t = o.locals.user) == null ? void 0 : t.username })), this.authServer.userCodeThrottle > 0 && await ((h) => new Promise((g) => setTimeout(g, h)))(this.authServer.userCodeThrottle), {
|
|
789
789
|
ok: !1,
|
|
790
790
|
completed: !1,
|
|
791
791
|
retryAllowed: !0,
|
|
792
|
-
error:
|
|
793
|
-
error_description:
|
|
792
|
+
error: a.error,
|
|
793
|
+
error_description: a.error_description
|
|
794
794
|
};
|
|
795
|
-
if (
|
|
796
|
-
return l.logger.error(f({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (
|
|
795
|
+
if (a.error == "expired_token")
|
|
796
|
+
return l.logger.error(f({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (i = o.locals.user) == null ? void 0 : i.username })), {
|
|
797
797
|
ok: !1,
|
|
798
798
|
completed: !1,
|
|
799
799
|
retryAllowed: !1,
|
|
800
|
-
error:
|
|
801
|
-
error_description:
|
|
800
|
+
error: a.error,
|
|
801
|
+
error_description: a.error_description
|
|
802
802
|
};
|
|
803
|
-
const c = await this.clientStorage.getClientById(
|
|
804
|
-
return
|
|
803
|
+
const c = await this.clientStorage.getClientById(a.client_id);
|
|
804
|
+
return a.scopeAuthorizationNeeded ? {
|
|
805
805
|
ok: !0,
|
|
806
806
|
completed: !1,
|
|
807
807
|
retryAllowed: !0,
|
|
808
808
|
authorizationNeeded: {
|
|
809
809
|
user: s,
|
|
810
|
-
client_id:
|
|
810
|
+
client_id: a.client_id,
|
|
811
811
|
client_name: c.client_name,
|
|
812
|
-
scope:
|
|
813
|
-
scopes:
|
|
812
|
+
scope: a.scope,
|
|
813
|
+
scopes: a.scope ? a.scope.split(" ") : [],
|
|
814
814
|
csrfToken: o.locals.csrfToken
|
|
815
815
|
},
|
|
816
816
|
user: o.locals.user,
|
|
@@ -823,8 +823,8 @@ class ce {
|
|
|
823
823
|
user: o.locals.user,
|
|
824
824
|
csrfToken: o.locals.csrfToken
|
|
825
825
|
};
|
|
826
|
-
} catch (
|
|
827
|
-
const c = n.asCrossauthError(
|
|
826
|
+
} catch (a) {
|
|
827
|
+
const c = n.asCrossauthError(a);
|
|
828
828
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ msg: c.message, cerr: c })), {
|
|
829
829
|
ok: !1,
|
|
830
830
|
completed: !1,
|
|
@@ -931,8 +931,8 @@ async function j(k, r, o) {
|
|
|
931
931
|
);
|
|
932
932
|
let s = k.expires_in;
|
|
933
933
|
if (!s && k.access_token && r.jwtTokens.includes("access")) {
|
|
934
|
-
const
|
|
935
|
-
|
|
934
|
+
const i = M(k.access_token);
|
|
935
|
+
i.exp && (s = i.exp);
|
|
936
936
|
}
|
|
937
937
|
if (!s)
|
|
938
938
|
throw new n(
|
|
@@ -942,8 +942,8 @@ async function j(k, r, o) {
|
|
|
942
942
|
const e = Date.now() + s * 1e3;
|
|
943
943
|
let t = { ...k, expires_at: e };
|
|
944
944
|
if ("id_token" in k) {
|
|
945
|
-
let
|
|
946
|
-
|
|
945
|
+
let i = k.id_payload ?? O(k.id_token);
|
|
946
|
+
i && (t.id_payload = i);
|
|
947
947
|
}
|
|
948
948
|
await r.storeSessionData(o, t);
|
|
949
949
|
}
|
|
@@ -965,8 +965,8 @@ async function de(k, r, o, s, e) {
|
|
|
965
965
|
if (!s) return r.redirect(302, r.authorizedUrl);
|
|
966
966
|
} catch (t) {
|
|
967
967
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
968
|
-
const
|
|
969
|
-
return l.logger.debug(f({ err:
|
|
968
|
+
const i = n.asCrossauthError(t);
|
|
969
|
+
return l.logger.debug(f({ err: i })), l.logger.debug(f({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
|
|
970
970
|
}
|
|
971
971
|
}
|
|
972
972
|
async function he(k, r, o, s, e) {
|
|
@@ -987,8 +987,8 @@ async function he(k, r, o, s, e) {
|
|
|
987
987
|
return v({ ok: !0, ...k });
|
|
988
988
|
} catch (t) {
|
|
989
989
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
990
|
-
const
|
|
991
|
-
return l.logger.debug(f({ err:
|
|
990
|
+
const i = n.asCrossauthError(t);
|
|
991
|
+
return l.logger.debug(f({ err: i })), l.logger.debug(f({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
|
|
992
992
|
}
|
|
993
993
|
}
|
|
994
994
|
async function ue(k, r, o, s, e) {
|
|
@@ -1008,11 +1008,11 @@ async function ue(k, r, o, s, e) {
|
|
|
1008
1008
|
return r.jwtTokens.includes("id") && (t.id_payload = k.id_payload ?? O(k.id_token)), t.id_payload && await e(o, t.id_payload), t;
|
|
1009
1009
|
} catch (t) {
|
|
1010
1010
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
1011
|
-
const
|
|
1012
|
-
return l.logger.debug(f({ err:
|
|
1011
|
+
const i = n.asCrossauthError(t);
|
|
1012
|
+
return l.logger.debug(f({ err: i })), l.logger.debug(f({ cerr: i, msg: "Error receiving tokens" })), {
|
|
1013
1013
|
ok: !1,
|
|
1014
|
-
error:
|
|
1015
|
-
error_description:
|
|
1014
|
+
error: i.oauthErrorCode,
|
|
1015
|
+
error_description: i.message
|
|
1016
1016
|
};
|
|
1017
1017
|
}
|
|
1018
1018
|
}
|
|
@@ -1063,9 +1063,9 @@ class G extends re {
|
|
|
1063
1063
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1064
1064
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1065
1065
|
t == "" && (t = void 0);
|
|
1066
|
-
const
|
|
1067
|
-
await this.storeSessionData(e,
|
|
1068
|
-
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(
|
|
1066
|
+
const i = this.randomValue(this.stateLength), a = { scope: t, state: i };
|
|
1067
|
+
await this.storeSessionData(e, a);
|
|
1068
|
+
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(i, t);
|
|
1069
1069
|
if (d || !c) {
|
|
1070
1070
|
const g = n.fromOAuthError(
|
|
1071
1071
|
d ?? "server_error",
|
|
@@ -1078,8 +1078,8 @@ class G extends re {
|
|
|
1078
1078
|
})), this.redirect(302, c);
|
|
1079
1079
|
} catch (t) {
|
|
1080
1080
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1081
|
-
const
|
|
1082
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e,
|
|
1081
|
+
const i = n.asCrossauthError(t);
|
|
1082
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e, i);
|
|
1083
1083
|
}
|
|
1084
1084
|
},
|
|
1085
1085
|
load: async (e) => {
|
|
@@ -1107,9 +1107,9 @@ class G extends re {
|
|
|
1107
1107
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1108
1108
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1109
1109
|
t == "" && (t = void 0);
|
|
1110
|
-
const
|
|
1111
|
-
await this.storeSessionData(e,
|
|
1112
|
-
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(
|
|
1110
|
+
const i = this.randomValue(this.stateLength), a = { scope: t, state: i };
|
|
1111
|
+
await this.storeSessionData(e, a);
|
|
1112
|
+
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(i, t);
|
|
1113
1113
|
if (d || !c) {
|
|
1114
1114
|
const g = n.fromOAuthError(
|
|
1115
1115
|
d ?? "server_error",
|
|
@@ -1126,11 +1126,11 @@ class G extends re {
|
|
|
1126
1126
|
})), this.redirect(302, c);
|
|
1127
1127
|
} catch (t) {
|
|
1128
1128
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1129
|
-
const
|
|
1129
|
+
const i = n.asCrossauthError(t);
|
|
1130
1130
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1131
1131
|
ok: !1,
|
|
1132
|
-
error:
|
|
1133
|
-
error_description:
|
|
1132
|
+
error: i.oauthErrorCode,
|
|
1133
|
+
error_description: i.message
|
|
1134
1134
|
};
|
|
1135
1135
|
}
|
|
1136
1136
|
}
|
|
@@ -1149,9 +1149,9 @@ class G extends re {
|
|
|
1149
1149
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1150
1150
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1151
1151
|
t == "" && (t = void 0);
|
|
1152
|
-
const
|
|
1152
|
+
const i = this.randomValue(this.stateLength), { codeChallenge: a, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: i, codeChallenge: a, codeVerifier: c };
|
|
1153
1153
|
await this.storeSessionData(e, d);
|
|
1154
|
-
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(
|
|
1154
|
+
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(i, t, a, !0);
|
|
1155
1155
|
if (g || !h) {
|
|
1156
1156
|
const w = n.fromOAuthError(
|
|
1157
1157
|
g ?? "server_error",
|
|
@@ -1164,11 +1164,11 @@ class G extends re {
|
|
|
1164
1164
|
})), this.redirect(302, h);
|
|
1165
1165
|
} catch (t) {
|
|
1166
1166
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1167
|
-
const
|
|
1167
|
+
const i = n.asCrossauthError(t);
|
|
1168
1168
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), v({
|
|
1169
|
-
error:
|
|
1170
|
-
error_description:
|
|
1171
|
-
}, { status:
|
|
1169
|
+
error: i.oauthErrorCode,
|
|
1170
|
+
error_description: i.message
|
|
1171
|
+
}, { status: i.httpStatus });
|
|
1172
1172
|
}
|
|
1173
1173
|
},
|
|
1174
1174
|
load: async (e) => {
|
|
@@ -1196,9 +1196,9 @@ class G extends re {
|
|
|
1196
1196
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1197
1197
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1198
1198
|
t == "" && (t = void 0);
|
|
1199
|
-
const
|
|
1199
|
+
const i = this.randomValue(this.stateLength), { codeChallenge: a, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: i, codeChallenge: a, codeVerifier: c };
|
|
1200
1200
|
await this.storeSessionData(e, d);
|
|
1201
|
-
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(
|
|
1201
|
+
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(i, t, a, !0);
|
|
1202
1202
|
if (g || !h) {
|
|
1203
1203
|
const w = n.fromOAuthError(
|
|
1204
1204
|
g ?? "server_error",
|
|
@@ -1215,11 +1215,11 @@ class G extends re {
|
|
|
1215
1215
|
})), this.redirect(302, h);
|
|
1216
1216
|
} catch (t) {
|
|
1217
1217
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1218
|
-
const
|
|
1218
|
+
const i = n.asCrossauthError(t);
|
|
1219
1219
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1220
1220
|
ok: !1,
|
|
1221
|
-
error:
|
|
1222
|
-
error_description:
|
|
1221
|
+
error: i.oauthErrorCode,
|
|
1222
|
+
error_description: i.message
|
|
1223
1223
|
};
|
|
1224
1224
|
}
|
|
1225
1225
|
}
|
|
@@ -1227,8 +1227,8 @@ class G extends re {
|
|
|
1227
1227
|
get: async (e) => {
|
|
1228
1228
|
var t;
|
|
1229
1229
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1230
|
-
const
|
|
1231
|
-
return this.errorFn(this.server, e,
|
|
1230
|
+
const i = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1231
|
+
return this.errorFn(this.server, e, i);
|
|
1232
1232
|
}
|
|
1233
1233
|
try {
|
|
1234
1234
|
if (!(this.validFlows.includes(_.AuthorizationCode) || this.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.validFlows.includes(_.OidcAuthorizationCode))) {
|
|
@@ -1236,11 +1236,11 @@ class G extends re {
|
|
|
1236
1236
|
return this.errorFn(this.server, e, p);
|
|
1237
1237
|
}
|
|
1238
1238
|
l.logger.debug(f({ msg: "redirectUriEndpoint, token response type " + this.tokenResponseType }));
|
|
1239
|
-
const
|
|
1240
|
-
if ((h == null ? void 0 : h.state) !=
|
|
1239
|
+
const i = e.url.searchParams.get("code") ?? "", a = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, h = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1240
|
+
if ((h == null ? void 0 : h.state) != a)
|
|
1241
1241
|
throw new n(u.Unauthorized, "State does not match");
|
|
1242
1242
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1243
|
-
|
|
1243
|
+
i,
|
|
1244
1244
|
h == null ? void 0 : h.scope,
|
|
1245
1245
|
h == null ? void 0 : h.codeVerifier,
|
|
1246
1246
|
c,
|
|
@@ -1265,10 +1265,10 @@ class G extends re {
|
|
|
1265
1265
|
!1,
|
|
1266
1266
|
this.setEventLocalsUser
|
|
1267
1267
|
);
|
|
1268
|
-
} catch (
|
|
1269
|
-
if (m.isSvelteKitRedirect(
|
|
1270
|
-
const
|
|
1271
|
-
return l.logger.debug({ err:
|
|
1268
|
+
} catch (i) {
|
|
1269
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1270
|
+
const a = n.asCrossauthError(i);
|
|
1271
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), this.errorFn(this.server, e, a);
|
|
1272
1272
|
}
|
|
1273
1273
|
},
|
|
1274
1274
|
load: async (e) => {
|
|
@@ -1277,11 +1277,11 @@ class G extends re {
|
|
|
1277
1277
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1278
1278
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1279
1279
|
) {
|
|
1280
|
-
const
|
|
1280
|
+
const i = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use get not load");
|
|
1281
1281
|
return {
|
|
1282
1282
|
ok: !1,
|
|
1283
|
-
error:
|
|
1284
|
-
error_description:
|
|
1283
|
+
error: i.oauthErrorCode,
|
|
1284
|
+
error_description: i.message
|
|
1285
1285
|
};
|
|
1286
1286
|
}
|
|
1287
1287
|
try {
|
|
@@ -1293,11 +1293,11 @@ class G extends re {
|
|
|
1293
1293
|
error_description: w.message
|
|
1294
1294
|
};
|
|
1295
1295
|
}
|
|
1296
|
-
const
|
|
1297
|
-
if ((h == null ? void 0 : h.state) !=
|
|
1296
|
+
const i = e.url.searchParams.get("code") ?? "", a = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, h = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1297
|
+
if ((h == null ? void 0 : h.state) != a)
|
|
1298
1298
|
throw new n(u.Unauthorized, "State does not match");
|
|
1299
1299
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1300
|
-
|
|
1300
|
+
i,
|
|
1301
1301
|
h == null ? void 0 : h.scope,
|
|
1302
1302
|
h == null ? void 0 : h.codeVerifier,
|
|
1303
1303
|
c,
|
|
@@ -1341,21 +1341,21 @@ class G extends re {
|
|
|
1341
1341
|
} : {
|
|
1342
1342
|
...p
|
|
1343
1343
|
};
|
|
1344
|
-
} catch (
|
|
1345
|
-
if (m.isSvelteKitRedirect(
|
|
1346
|
-
const
|
|
1347
|
-
return l.logger.debug({ err:
|
|
1344
|
+
} catch (i) {
|
|
1345
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1346
|
+
const a = n.asCrossauthError(i);
|
|
1347
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), {
|
|
1348
1348
|
ok: !1,
|
|
1349
|
-
error:
|
|
1350
|
-
error_description:
|
|
1349
|
+
error: a.oauthErrorCode,
|
|
1350
|
+
error_description: a.message
|
|
1351
1351
|
};
|
|
1352
1352
|
}
|
|
1353
1353
|
}
|
|
1354
1354
|
}, this.clientCredentialsFlowEndpoint = {
|
|
1355
1355
|
post: async (e) => {
|
|
1356
1356
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1357
|
-
const
|
|
1358
|
-
return this.errorFn(this.server, e,
|
|
1357
|
+
const a = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1358
|
+
return this.errorFn(this.server, e, a);
|
|
1359
1359
|
}
|
|
1360
1360
|
let t;
|
|
1361
1361
|
try {
|
|
@@ -1363,13 +1363,13 @@ class G extends re {
|
|
|
1363
1363
|
const d = new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1364
1364
|
return this.errorFn(this.server, e, d);
|
|
1365
1365
|
}
|
|
1366
|
-
var
|
|
1367
|
-
await
|
|
1368
|
-
const
|
|
1369
|
-
if (
|
|
1366
|
+
var i = new b();
|
|
1367
|
+
await i.loadData(e), t = i.toObject();
|
|
1368
|
+
const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1369
|
+
if (a.error) {
|
|
1370
1370
|
const d = n.fromOAuthError(
|
|
1371
|
-
|
|
1372
|
-
|
|
1371
|
+
a.error,
|
|
1372
|
+
a.error_description
|
|
1373
1373
|
);
|
|
1374
1374
|
return await this.errorFn(
|
|
1375
1375
|
this.server,
|
|
@@ -1378,17 +1378,17 @@ class G extends re {
|
|
|
1378
1378
|
);
|
|
1379
1379
|
}
|
|
1380
1380
|
const c = await this.receiveTokenFn(
|
|
1381
|
-
|
|
1381
|
+
a,
|
|
1382
1382
|
this,
|
|
1383
1383
|
e,
|
|
1384
1384
|
!1,
|
|
1385
1385
|
this.setEventLocalsUser
|
|
1386
1386
|
);
|
|
1387
1387
|
return c instanceof Response ? c : this.pack(c);
|
|
1388
|
-
} catch (
|
|
1389
|
-
if (m.isSvelteKitRedirect(
|
|
1390
|
-
const c = n.asCrossauthError(
|
|
1391
|
-
return l.logger.debug({ err:
|
|
1388
|
+
} catch (a) {
|
|
1389
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1390
|
+
const c = n.asCrossauthError(a);
|
|
1391
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), this.errorFn(this.server, e, c);
|
|
1392
1392
|
}
|
|
1393
1393
|
},
|
|
1394
1394
|
actions: {
|
|
@@ -1402,25 +1402,25 @@ class G extends re {
|
|
|
1402
1402
|
try {
|
|
1403
1403
|
if (!this.validFlows.includes(_.ClientCredentials))
|
|
1404
1404
|
throw new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1405
|
-
var
|
|
1406
|
-
await
|
|
1407
|
-
const
|
|
1408
|
-
if (
|
|
1405
|
+
var i = new b();
|
|
1406
|
+
await i.loadData(e), t = i.toObject();
|
|
1407
|
+
const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1408
|
+
if (a.error)
|
|
1409
1409
|
throw n.fromOAuthError(
|
|
1410
|
-
|
|
1411
|
-
|
|
1410
|
+
a.error,
|
|
1411
|
+
a.error_description
|
|
1412
1412
|
);
|
|
1413
1413
|
return await this.receiveTokenFn(
|
|
1414
|
-
|
|
1414
|
+
a,
|
|
1415
1415
|
this,
|
|
1416
1416
|
e,
|
|
1417
1417
|
!1,
|
|
1418
1418
|
this.setEventLocalsUser
|
|
1419
1419
|
) ?? {};
|
|
1420
|
-
} catch (
|
|
1421
|
-
if (m.isSvelteKitRedirect(
|
|
1422
|
-
const c = n.asCrossauthError(
|
|
1423
|
-
return l.logger.debug({ err:
|
|
1420
|
+
} catch (a) {
|
|
1421
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1422
|
+
const c = n.asCrossauthError(a);
|
|
1423
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), {
|
|
1424
1424
|
ok: !1,
|
|
1425
1425
|
error: c.oauthErrorCode,
|
|
1426
1426
|
error_description: c.message
|
|
@@ -1431,8 +1431,8 @@ class G extends re {
|
|
|
1431
1431
|
}, this.refreshTokenFlowEndpoint = {
|
|
1432
1432
|
post: async (e) => {
|
|
1433
1433
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1434
|
-
const
|
|
1435
|
-
return this.errorFn(this.server, e,
|
|
1434
|
+
const a = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1435
|
+
return this.errorFn(this.server, e, a);
|
|
1436
1436
|
}
|
|
1437
1437
|
let t;
|
|
1438
1438
|
try {
|
|
@@ -1440,8 +1440,8 @@ class G extends re {
|
|
|
1440
1440
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1441
1441
|
return this.errorFn(this.server, e, h);
|
|
1442
1442
|
}
|
|
1443
|
-
var
|
|
1444
|
-
if (await
|
|
1443
|
+
var i = new b();
|
|
1444
|
+
if (await i.loadData(e), t = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1445
1445
|
try {
|
|
1446
1446
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1447
1447
|
throw new n(u.InvalidCsrf);
|
|
@@ -1450,8 +1450,8 @@ class G extends re {
|
|
|
1450
1450
|
const g = new n(u.Unauthorized, "CSRF token not present");
|
|
1451
1451
|
return this.errorFn(this.server, e, g);
|
|
1452
1452
|
}
|
|
1453
|
-
let
|
|
1454
|
-
if (!
|
|
1453
|
+
let a = t.refresh_token;
|
|
1454
|
+
if (!a && this.server.sessionAdapter) {
|
|
1455
1455
|
const h = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1456
1456
|
if (!(h != null && h.refresh_token)) {
|
|
1457
1457
|
const g = new n(
|
|
@@ -1460,16 +1460,16 @@ class G extends re {
|
|
|
1460
1460
|
);
|
|
1461
1461
|
return this.errorFn(this.server, e, g);
|
|
1462
1462
|
}
|
|
1463
|
-
|
|
1463
|
+
a = h.refresh_token;
|
|
1464
1464
|
}
|
|
1465
|
-
if (!
|
|
1465
|
+
if (!a) {
|
|
1466
1466
|
const h = new n(
|
|
1467
1467
|
u.BadRequest,
|
|
1468
1468
|
"No refresh token supplied"
|
|
1469
1469
|
);
|
|
1470
1470
|
return this.errorFn(this.server, e, h);
|
|
1471
1471
|
}
|
|
1472
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1472
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), d = await this.receiveTokenFn(
|
|
1473
1473
|
c,
|
|
1474
1474
|
this,
|
|
1475
1475
|
e,
|
|
@@ -1478,10 +1478,10 @@ class G extends re {
|
|
|
1478
1478
|
);
|
|
1479
1479
|
if (c && d instanceof Response) return d;
|
|
1480
1480
|
throw new n(u.UnknownError, "Receive token function did not return a Response");
|
|
1481
|
-
} catch (
|
|
1482
|
-
if (m.isSvelteKitRedirect(
|
|
1483
|
-
const c = n.asCrossauthError(
|
|
1484
|
-
return l.logger.debug({ err:
|
|
1481
|
+
} catch (a) {
|
|
1482
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1483
|
+
const c = n.asCrossauthError(a);
|
|
1484
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), this.errorFn(this.server, e, c);
|
|
1485
1485
|
}
|
|
1486
1486
|
},
|
|
1487
1487
|
actions: {
|
|
@@ -1497,30 +1497,30 @@ class G extends re {
|
|
|
1497
1497
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1498
1498
|
return this.errorFn(this.server, e, h);
|
|
1499
1499
|
}
|
|
1500
|
-
var
|
|
1501
|
-
if (await
|
|
1500
|
+
var i = new b();
|
|
1501
|
+
if (await i.loadData(e), t = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1502
1502
|
try {
|
|
1503
1503
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1504
1504
|
throw new n(u.InvalidCsrf);
|
|
1505
1505
|
} catch (h) {
|
|
1506
1506
|
throw m.isSvelteKitError(h) || m.isSvelteKitRedirect(h) ? h : new n(u.Unauthorized, "CSRF token not present");
|
|
1507
1507
|
}
|
|
1508
|
-
let
|
|
1509
|
-
if (!
|
|
1508
|
+
let a = t.refresh_token;
|
|
1509
|
+
if (!a && this.server.sessionAdapter) {
|
|
1510
1510
|
const h = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1511
1511
|
if (!(h != null && h.refresh_token))
|
|
1512
1512
|
throw new n(
|
|
1513
1513
|
u.BadRequest,
|
|
1514
1514
|
"No refresh token in session or in parameters"
|
|
1515
1515
|
);
|
|
1516
|
-
|
|
1516
|
+
a = h.refresh_token;
|
|
1517
1517
|
}
|
|
1518
|
-
if (!
|
|
1518
|
+
if (!a)
|
|
1519
1519
|
throw new n(
|
|
1520
1520
|
u.BadRequest,
|
|
1521
1521
|
"No refresh token supplied"
|
|
1522
1522
|
);
|
|
1523
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1523
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), d = await this.receiveTokenFn(
|
|
1524
1524
|
c,
|
|
1525
1525
|
this,
|
|
1526
1526
|
e,
|
|
@@ -1529,10 +1529,10 @@ class G extends re {
|
|
|
1529
1529
|
) ?? {};
|
|
1530
1530
|
if (d instanceof Response) throw new n(u.Configuration, "Refresh token flow should return an object not Response");
|
|
1531
1531
|
return d;
|
|
1532
|
-
} catch (
|
|
1533
|
-
if (m.isSvelteKitRedirect(
|
|
1534
|
-
const c = n.asCrossauthError(
|
|
1535
|
-
return l.logger.debug({ err:
|
|
1532
|
+
} catch (a) {
|
|
1533
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1534
|
+
const c = n.asCrossauthError(a);
|
|
1535
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), {
|
|
1536
1536
|
ok: !1,
|
|
1537
1537
|
error: c.oauthErrorCode,
|
|
1538
1538
|
error_description: c.message
|
|
@@ -1581,8 +1581,8 @@ class G extends re {
|
|
|
1581
1581
|
post: async (e) => {
|
|
1582
1582
|
const t = await this.startDeviceCodeFlow_internal(e);
|
|
1583
1583
|
if (t.error) {
|
|
1584
|
-
const
|
|
1585
|
-
return v(t, { status:
|
|
1584
|
+
const i = n.fromOAuthError(t.error, t.error_description);
|
|
1585
|
+
return v(t, { status: i.httpStatus });
|
|
1586
1586
|
}
|
|
1587
1587
|
return v(t);
|
|
1588
1588
|
}
|
|
@@ -1598,40 +1598,40 @@ class G extends re {
|
|
|
1598
1598
|
if (t instanceof Response) return t;
|
|
1599
1599
|
if (t == null) return new Response(null, { status: 204 });
|
|
1600
1600
|
if (t.error) {
|
|
1601
|
-
const
|
|
1602
|
-
return v(t, { status:
|
|
1601
|
+
const i = n.fromOAuthError(t.error, t.error_description);
|
|
1602
|
+
return v(t, { status: i.httpStatus });
|
|
1603
1603
|
}
|
|
1604
1604
|
return v(t);
|
|
1605
1605
|
}
|
|
1606
1606
|
}, this.passwordFlowEndpoint = {
|
|
1607
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1607
|
+
post: async (e) => await this.passwordFlow_post(e, (t, i) => this.passwordPost(t, i)),
|
|
1608
1608
|
actions: {
|
|
1609
|
-
password: async (e) => await this.passwordFlow_action(e, (t,
|
|
1610
|
-
passwordOtp: async (e) => await this.passwordFlow_action(e, (t,
|
|
1611
|
-
passwordOob: async (e) => await this.passwordFlow_action(e, (t,
|
|
1609
|
+
password: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordPost(t, i)),
|
|
1610
|
+
passwordOtp: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOtp(t, i)),
|
|
1611
|
+
passwordOob: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOob(t, i))
|
|
1612
1612
|
}
|
|
1613
1613
|
}, this.passwordOtpEndpoint = {
|
|
1614
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1614
|
+
post: async (e) => await this.passwordFlow_post(e, (t, i) => this.passwordOtp(t, i)),
|
|
1615
1615
|
actions: {
|
|
1616
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1616
|
+
default: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOtp(t, i))
|
|
1617
1617
|
}
|
|
1618
1618
|
}, this.passwordOobEndpoint = {
|
|
1619
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1619
|
+
post: async (e) => await this.passwordFlow_post(e, (t, i) => this.passwordOob(t, i)),
|
|
1620
1620
|
actions: {
|
|
1621
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1621
|
+
default: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOob(t, i))
|
|
1622
1622
|
}
|
|
1623
1623
|
}, this.deleteTokensEndpoint = {
|
|
1624
1624
|
post: async (e) => {
|
|
1625
|
-
var t,
|
|
1625
|
+
var t, i;
|
|
1626
1626
|
try {
|
|
1627
1627
|
return await this.deleteSessionData(e), v({ ok: !0 });
|
|
1628
|
-
} catch (
|
|
1629
|
-
if (m.isSvelteKitRedirect(
|
|
1630
|
-
const c = n.asCrossauthError(
|
|
1628
|
+
} catch (a) {
|
|
1629
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1630
|
+
const c = n.asCrossauthError(a);
|
|
1631
1631
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), v({
|
|
1632
1632
|
ok: !1,
|
|
1633
1633
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1634
|
-
csrfToken: (
|
|
1634
|
+
csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
|
|
1635
1635
|
errorCode: c.code,
|
|
1636
1636
|
errorCodeName: c.codeName,
|
|
1637
1637
|
errorMessage: c.message
|
|
@@ -1640,16 +1640,16 @@ class G extends re {
|
|
|
1640
1640
|
},
|
|
1641
1641
|
actions: {
|
|
1642
1642
|
default: async (e) => {
|
|
1643
|
-
var t,
|
|
1643
|
+
var t, i;
|
|
1644
1644
|
try {
|
|
1645
1645
|
return await this.deleteSessionData(e), { ok: !0 };
|
|
1646
|
-
} catch (
|
|
1647
|
-
if (m.isSvelteKitRedirect(
|
|
1648
|
-
const c = n.asCrossauthError(
|
|
1646
|
+
} catch (a) {
|
|
1647
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1648
|
+
const c = n.asCrossauthError(a);
|
|
1649
1649
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1650
1650
|
ok: !1,
|
|
1651
1651
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1652
|
-
csrfToken: (
|
|
1652
|
+
csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
|
|
1653
1653
|
errorCode: c.code,
|
|
1654
1654
|
errorCodeName: c.codeName,
|
|
1655
1655
|
errorMessage: c.message
|
|
@@ -1764,8 +1764,8 @@ class G extends re {
|
|
|
1764
1764
|
if (e.locals.user || !r.sessionAdapter) return;
|
|
1765
1765
|
let t = await r.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1766
1766
|
if (t && t.id_payload) {
|
|
1767
|
-
let
|
|
1768
|
-
|
|
1767
|
+
let i = t.expires_at;
|
|
1768
|
+
i && i > Date.now() && t.id_payload.sub && await this.setEventLocalsUser(e, t.id_payload);
|
|
1769
1769
|
}
|
|
1770
1770
|
this.testMiddleware && (this.testEvent = e);
|
|
1771
1771
|
};
|
|
@@ -1800,10 +1800,10 @@ class G extends re {
|
|
|
1800
1800
|
);
|
|
1801
1801
|
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(_.PasswordMfa)) {
|
|
1802
1802
|
const t = e.mfa_token;
|
|
1803
|
-
let
|
|
1804
|
-
if (
|
|
1803
|
+
let i = o.scope;
|
|
1804
|
+
if (i == "" && (i = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
|
|
1805
1805
|
t,
|
|
1806
|
-
|
|
1806
|
+
i,
|
|
1807
1807
|
r
|
|
1808
1808
|
)), e.error)
|
|
1809
1809
|
throw n.fromOAuthError(
|
|
@@ -1839,11 +1839,11 @@ class G extends re {
|
|
|
1839
1839
|
};
|
|
1840
1840
|
const t = e.authenticators[0];
|
|
1841
1841
|
if (t.authenticator_type == "otp") {
|
|
1842
|
-
const
|
|
1843
|
-
if (
|
|
1842
|
+
const a = await this.mfaOtpRequest(r, t.id);
|
|
1843
|
+
if (a.error || a.challenge_type != "otp") {
|
|
1844
1844
|
const c = n.fromOAuthError(
|
|
1845
|
-
|
|
1846
|
-
|
|
1845
|
+
a.error ?? "server_error",
|
|
1846
|
+
a.error_description ?? "Invalid response from MFA OTP challenge"
|
|
1847
1847
|
);
|
|
1848
1848
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1849
1849
|
error: c.oauthErrorCode,
|
|
@@ -1853,14 +1853,14 @@ class G extends re {
|
|
|
1853
1853
|
return {
|
|
1854
1854
|
scope: o,
|
|
1855
1855
|
mfa_token: r,
|
|
1856
|
-
challenge_type:
|
|
1856
|
+
challenge_type: a.challenge_type
|
|
1857
1857
|
};
|
|
1858
1858
|
} else if (t.authenticator_type == "oob") {
|
|
1859
|
-
const
|
|
1860
|
-
if (
|
|
1859
|
+
const a = await this.mfaOobRequest(r, t.id);
|
|
1860
|
+
if (a.error || a.challenge_type != "oob" || !a.oob_code || a.binding_method != "prompt") {
|
|
1861
1861
|
const c = n.fromOAuthError(
|
|
1862
|
-
|
|
1863
|
-
|
|
1862
|
+
a.error ?? "server_error",
|
|
1863
|
+
a.error_description ?? "Invalid response from MFA OOB challenge"
|
|
1864
1864
|
);
|
|
1865
1865
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1866
1866
|
error: c.oauthErrorCode,
|
|
@@ -1871,19 +1871,19 @@ class G extends re {
|
|
|
1871
1871
|
scope: o,
|
|
1872
1872
|
mfa_token: r,
|
|
1873
1873
|
oob_channel: t.oob_channel,
|
|
1874
|
-
challenge_type:
|
|
1875
|
-
binding_method:
|
|
1876
|
-
oob_code:
|
|
1874
|
+
challenge_type: a.challenge_type,
|
|
1875
|
+
binding_method: a.binding_method,
|
|
1876
|
+
oob_code: a.oob_code,
|
|
1877
1877
|
name: t.name
|
|
1878
1878
|
};
|
|
1879
1879
|
}
|
|
1880
|
-
const
|
|
1880
|
+
const i = new n(
|
|
1881
1881
|
u.UnknownError,
|
|
1882
1882
|
"Unsupported MFA type " + t.authenticator_type + " returned"
|
|
1883
1883
|
);
|
|
1884
1884
|
return {
|
|
1885
|
-
error:
|
|
1886
|
-
error_description:
|
|
1885
|
+
error: i.oauthErrorCode,
|
|
1886
|
+
error_description: i.message
|
|
1887
1887
|
};
|
|
1888
1888
|
}
|
|
1889
1889
|
async passwordOtp(r, o) {
|
|
@@ -1938,10 +1938,10 @@ class G extends re {
|
|
|
1938
1938
|
if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
|
|
1939
1939
|
try {
|
|
1940
1940
|
o.locals.sessionId && (this.autoRefreshActive[o.locals.sessionId] = !0);
|
|
1941
|
-
const
|
|
1942
|
-
if (!
|
|
1941
|
+
const i = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
|
|
1942
|
+
if (!i.error && !i.access_token && (i.error = "server_error", i.error_description = "Unexpectedly did not receive error or access token"), !i.error) {
|
|
1943
1943
|
const d = await this.receiveTokenFn(
|
|
1944
|
-
|
|
1944
|
+
i,
|
|
1945
1945
|
this,
|
|
1946
1946
|
o,
|
|
1947
1947
|
r == "silent",
|
|
@@ -1951,43 +1951,43 @@ class G extends re {
|
|
|
1951
1951
|
}
|
|
1952
1952
|
if (r != "silent") {
|
|
1953
1953
|
const d = n.fromOAuthError(
|
|
1954
|
-
|
|
1955
|
-
|
|
1954
|
+
i.error ?? "server_error",
|
|
1955
|
+
i.error_description
|
|
1956
1956
|
);
|
|
1957
1957
|
return r == "page" ? this.errorFn(this.server, o, d) : {
|
|
1958
1958
|
error: d.oauthErrorCode,
|
|
1959
1959
|
error_description: d.message
|
|
1960
1960
|
};
|
|
1961
1961
|
}
|
|
1962
|
-
let
|
|
1963
|
-
if (!
|
|
1964
|
-
const d = M(
|
|
1965
|
-
d.exp && (
|
|
1962
|
+
let a = i.expires_in;
|
|
1963
|
+
if (!a && i.access_token) {
|
|
1964
|
+
const d = M(i.access_token);
|
|
1965
|
+
d.exp && (a = d.exp);
|
|
1966
1966
|
}
|
|
1967
|
-
if (!
|
|
1967
|
+
if (!a)
|
|
1968
1968
|
throw new n(
|
|
1969
1969
|
u.BadRequest,
|
|
1970
1970
|
"OAuth server did not return an expiry for the access token"
|
|
1971
1971
|
);
|
|
1972
|
-
const c = (/* @__PURE__ */ new Date()).getTime() +
|
|
1972
|
+
const c = (/* @__PURE__ */ new Date()).getTime() + a * 1e3;
|
|
1973
1973
|
return {
|
|
1974
|
-
access_token:
|
|
1975
|
-
refresh_token:
|
|
1976
|
-
expires_in:
|
|
1974
|
+
access_token: i.access_token,
|
|
1975
|
+
refresh_token: i.refresh_token,
|
|
1976
|
+
expires_in: i.expires_in,
|
|
1977
1977
|
expires_at: c,
|
|
1978
|
-
error:
|
|
1979
|
-
error_description:
|
|
1978
|
+
error: i.error,
|
|
1979
|
+
error_description: i.error_description
|
|
1980
1980
|
};
|
|
1981
|
-
} catch (
|
|
1982
|
-
if (m.isSvelteKitRedirect(
|
|
1983
|
-
if (l.logger.debug(f({ err:
|
|
1984
|
-
cerr:
|
|
1981
|
+
} catch (i) {
|
|
1982
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1983
|
+
if (l.logger.debug(f({ err: i })), l.logger.error(f({
|
|
1984
|
+
cerr: i,
|
|
1985
1985
|
msg: "Failed refreshing access token"
|
|
1986
1986
|
})), r != "silent") {
|
|
1987
|
-
const
|
|
1988
|
-
return r == "page" ? this.errorFn(this.server, o,
|
|
1989
|
-
error:
|
|
1990
|
-
error_description:
|
|
1987
|
+
const a = n.asCrossauthError(i);
|
|
1988
|
+
return r == "page" ? this.errorFn(this.server, o, a) : {
|
|
1989
|
+
error: a.oauthErrorCode,
|
|
1990
|
+
error_description: a.message
|
|
1991
1991
|
};
|
|
1992
1992
|
}
|
|
1993
1993
|
return {
|
|
@@ -2064,16 +2064,16 @@ class G extends re {
|
|
|
2064
2064
|
let s;
|
|
2065
2065
|
try {
|
|
2066
2066
|
if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
|
|
2067
|
-
const
|
|
2068
|
-
return this.errorFn(this.server, r,
|
|
2067
|
+
const a = new n(u.Unauthorized, "Password flow is not supported");
|
|
2068
|
+
return this.errorFn(this.server, r, a);
|
|
2069
2069
|
}
|
|
2070
2070
|
var e = new b();
|
|
2071
2071
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2072
2072
|
try {
|
|
2073
2073
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2074
2074
|
throw new n(u.InvalidCsrf);
|
|
2075
|
-
} catch (
|
|
2076
|
-
if (m.isSvelteKitError(
|
|
2075
|
+
} catch (a) {
|
|
2076
|
+
if (m.isSvelteKitError(a) || m.isSvelteKitRedirect(a)) throw a;
|
|
2077
2077
|
const c = new n(u.Unauthorized, "CSRF token not present");
|
|
2078
2078
|
return this.errorFn(this.server, r, c);
|
|
2079
2079
|
}
|
|
@@ -2083,19 +2083,19 @@ class G extends re {
|
|
|
2083
2083
|
ok: !1,
|
|
2084
2084
|
...t
|
|
2085
2085
|
};
|
|
2086
|
-
const
|
|
2086
|
+
const i = await this.receiveTokenFn(
|
|
2087
2087
|
t,
|
|
2088
2088
|
this,
|
|
2089
2089
|
r,
|
|
2090
2090
|
!1,
|
|
2091
2091
|
this.setEventLocalsUser
|
|
2092
2092
|
);
|
|
2093
|
-
if (t &&
|
|
2093
|
+
if (t && i instanceof Response) return i;
|
|
2094
2094
|
throw new n(u.UnknownError, "Receive token function did not return a Response");
|
|
2095
2095
|
} catch (t) {
|
|
2096
2096
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2097
|
-
const
|
|
2098
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r,
|
|
2097
|
+
const i = n.asCrossauthError(t);
|
|
2098
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r, i);
|
|
2099
2099
|
}
|
|
2100
2100
|
}
|
|
2101
2101
|
async passwordFlow_action(r, o) {
|
|
@@ -2107,16 +2107,16 @@ class G extends re {
|
|
|
2107
2107
|
let s;
|
|
2108
2108
|
try {
|
|
2109
2109
|
if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
|
|
2110
|
-
const
|
|
2111
|
-
return this.errorFn(this.server, r,
|
|
2110
|
+
const a = new n(u.Unauthorized, "Password and Password MFA flows are not supported");
|
|
2111
|
+
return this.errorFn(this.server, r, a);
|
|
2112
2112
|
}
|
|
2113
2113
|
var e = new b();
|
|
2114
2114
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2115
2115
|
try {
|
|
2116
2116
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2117
2117
|
throw new n(u.InvalidCsrf);
|
|
2118
|
-
} catch (
|
|
2119
|
-
throw m.isSvelteKitError(
|
|
2118
|
+
} catch (a) {
|
|
2119
|
+
throw m.isSvelteKitError(a) || m.isSvelteKitRedirect(a) ? a : new n(u.Unauthorized, "CSRF token not present");
|
|
2120
2120
|
}
|
|
2121
2121
|
const t = await o(r, s);
|
|
2122
2122
|
if (!t) throw new n(u.UnknownError, "Password flow returned no data");
|
|
@@ -2127,27 +2127,27 @@ class G extends re {
|
|
|
2127
2127
|
};
|
|
2128
2128
|
if (t.challenge_type) {
|
|
2129
2129
|
if (!this.validFlows.includes(_.PasswordMfa)) {
|
|
2130
|
-
const
|
|
2131
|
-
return this.errorFn(this.server, r,
|
|
2130
|
+
const a = new n(u.Unauthorized, "Password MFA flow is not supported");
|
|
2131
|
+
return this.errorFn(this.server, r, a);
|
|
2132
2132
|
}
|
|
2133
2133
|
return t;
|
|
2134
2134
|
}
|
|
2135
|
-
const
|
|
2135
|
+
const i = await this.receiveTokenFn(
|
|
2136
2136
|
t,
|
|
2137
2137
|
this,
|
|
2138
2138
|
r,
|
|
2139
2139
|
!1,
|
|
2140
2140
|
this.setEventLocalsUser
|
|
2141
2141
|
) ?? {};
|
|
2142
|
-
if (
|
|
2143
|
-
return
|
|
2142
|
+
if (i instanceof Response) throw new n(u.Configuration, "Refresh token flow should return an object not Response");
|
|
2143
|
+
return i;
|
|
2144
2144
|
} catch (t) {
|
|
2145
2145
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2146
|
-
const
|
|
2146
|
+
const i = n.asCrossauthError(t);
|
|
2147
2147
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
2148
2148
|
ok: !1,
|
|
2149
|
-
error:
|
|
2150
|
-
error_description:
|
|
2149
|
+
error: i.oauthErrorCode,
|
|
2150
|
+
error_description: i.message
|
|
2151
2151
|
};
|
|
2152
2152
|
}
|
|
2153
2153
|
}
|
|
@@ -2173,30 +2173,30 @@ class G extends re {
|
|
|
2173
2173
|
let t = o.url;
|
|
2174
2174
|
if (!t) {
|
|
2175
2175
|
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(u.Unauthorized, "Attempt to call BFF url with the wrong prefix");
|
|
2176
|
-
const
|
|
2177
|
-
let
|
|
2178
|
-
|
|
2176
|
+
const i = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2177
|
+
let a = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
|
|
2178
|
+
a && a != "" && (a = "?" + a), t = new URL(this.bffBaseUrl + i + a);
|
|
2179
2179
|
}
|
|
2180
2180
|
o.headers || (o.headers = new Headers());
|
|
2181
|
-
for (let
|
|
2182
|
-
|
|
2183
|
-
const
|
|
2181
|
+
for (let i = 0; i < this.bffMaxTries; ++i) {
|
|
2182
|
+
i > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
|
|
2183
|
+
const a = await this.server.sessionAdapter.getSessionData(
|
|
2184
2184
|
r,
|
|
2185
2185
|
this.sessionDataName
|
|
2186
2186
|
);
|
|
2187
|
-
if (!
|
|
2188
|
-
if (
|
|
2187
|
+
if (!a) {
|
|
2188
|
+
if (i == this.bffMaxTries)
|
|
2189
2189
|
throw new n(u.Unauthorized, "No access token found");
|
|
2190
2190
|
continue;
|
|
2191
2191
|
}
|
|
2192
|
-
let c =
|
|
2193
|
-
if (
|
|
2192
|
+
let c = a.access_token;
|
|
2193
|
+
if (a && a.access_token) {
|
|
2194
2194
|
const g = await this.refresh(
|
|
2195
2195
|
"silent",
|
|
2196
2196
|
r,
|
|
2197
2197
|
!0,
|
|
2198
|
-
|
|
2199
|
-
|
|
2198
|
+
a.refresh_token,
|
|
2199
|
+
a.expires_at
|
|
2200
2200
|
);
|
|
2201
2201
|
if (g instanceof Response) throw new n(u.Configuration, "Expected object when refreshing tokens, not Response");
|
|
2202
2202
|
if (g != null && g.access_token)
|
|
@@ -2218,7 +2218,7 @@ class G extends re {
|
|
|
2218
2218
|
headers: o.headers,
|
|
2219
2219
|
method: o.method ?? r.request.method
|
|
2220
2220
|
}), d.status == 401) {
|
|
2221
|
-
if (
|
|
2221
|
+
if (i < this.bffMaxTries - 1)
|
|
2222
2222
|
continue;
|
|
2223
2223
|
return d;
|
|
2224
2224
|
} else
|
|
@@ -2227,11 +2227,11 @@ class G extends re {
|
|
|
2227
2227
|
return new Response(null, { status: 401 });
|
|
2228
2228
|
} catch (t) {
|
|
2229
2229
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
2230
|
-
const
|
|
2231
|
-
return l.logger.debug({ err:
|
|
2232
|
-
error:
|
|
2233
|
-
error_description:
|
|
2234
|
-
}, { status:
|
|
2230
|
+
const i = n.asCrossauthError(t);
|
|
2231
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), v({
|
|
2232
|
+
error: i.oauthErrorCode,
|
|
2233
|
+
error_description: i.message
|
|
2234
|
+
}, { status: i.httpStatus });
|
|
2235
2235
|
}
|
|
2236
2236
|
}
|
|
2237
2237
|
async unpack(r) {
|
|
@@ -2269,16 +2269,16 @@ class G extends re {
|
|
|
2269
2269
|
const s = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2270
2270
|
let e;
|
|
2271
2271
|
for (let t = 0; t < this.bffEndpoints.length; ++t) {
|
|
2272
|
-
let
|
|
2273
|
-
if (
|
|
2274
|
-
let
|
|
2275
|
-
if (c.endsWith("/") || (c += "/"),
|
|
2272
|
+
let i = this.bffEndpoints[t];
|
|
2273
|
+
if (i.matchSubUrls) {
|
|
2274
|
+
let a = i.url, c = i.url;
|
|
2275
|
+
if (c.endsWith("/") || (c += "/"), i.methodsString.includes(r.request.method) && (s.startsWith(c) || s == a)) {
|
|
2276
2276
|
e = t;
|
|
2277
2277
|
break;
|
|
2278
2278
|
}
|
|
2279
2279
|
} else {
|
|
2280
|
-
let
|
|
2281
|
-
if (
|
|
2280
|
+
let a = i.url;
|
|
2281
|
+
if (i.methodsString.includes(r.request.method) && s == a) {
|
|
2282
2282
|
e = t;
|
|
2283
2283
|
break;
|
|
2284
2284
|
}
|
|
@@ -2308,23 +2308,23 @@ class G extends re {
|
|
|
2308
2308
|
if (!this.tokenEndpoints || this.tokenEndpoints.length == 0)
|
|
2309
2309
|
throw new n(u.Unauthorized, "No tokens have been made available");
|
|
2310
2310
|
let t = Array.isArray(o) ? o : [o];
|
|
2311
|
-
const
|
|
2311
|
+
const i = await this.server.sessionAdapter.getSessionData(
|
|
2312
2312
|
r,
|
|
2313
2313
|
this.sessionDataName
|
|
2314
2314
|
);
|
|
2315
|
-
if (!
|
|
2315
|
+
if (!i)
|
|
2316
2316
|
throw new n(u.Unauthorized, "No access token found");
|
|
2317
|
-
let
|
|
2317
|
+
let a = {}, c, d = !1;
|
|
2318
2318
|
for (let h of t) {
|
|
2319
2319
|
if (!this.tokenEndpoints.includes(h)) throw new n(u.Unauthorized, "Token type " + h + " may not be returned");
|
|
2320
2320
|
d = !1;
|
|
2321
2321
|
let g = h;
|
|
2322
2322
|
h.startsWith("have_") && (g = h.replace("have_", ""), d = !0);
|
|
2323
2323
|
const p = g.replace("_token", ""), w = e && this.jwtTokens.includes(p);
|
|
2324
|
-
let S = this.tokenPayload(g,
|
|
2325
|
-
d ?
|
|
2324
|
+
let S = this.tokenPayload(g, i, d, w);
|
|
2325
|
+
d ? a[h] = S.ok : S && (a[h] = S), c = a[h];
|
|
2326
2326
|
}
|
|
2327
|
-
return Array.isArray(o) ? { status: 200, body:
|
|
2327
|
+
return Array.isArray(o) ? { status: 200, body: a } : c ? d ? { status: 200, body: typeof c == "boolean" ? { ok: c } : c } : { status: 200, body: c } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
|
|
2328
2328
|
} catch (s) {
|
|
2329
2329
|
if (m.isSvelteKitError(s) || m.isSvelteKitRedirect(s)) throw s;
|
|
2330
2330
|
const e = n.asCrossauthError(s);
|
|
@@ -2355,13 +2355,13 @@ class G extends re {
|
|
|
2355
2355
|
e == "" && (e = void 0);
|
|
2356
2356
|
let t = this.authServerBaseUrl;
|
|
2357
2357
|
t.endsWith("/") || (t += "/"), t += this.deviceAuthorizationUrl;
|
|
2358
|
-
const
|
|
2359
|
-
let
|
|
2360
|
-
return
|
|
2361
|
-
|
|
2358
|
+
const i = await this.startDeviceCodeFlow(t, e);
|
|
2359
|
+
let a;
|
|
2360
|
+
return i.verification_uri_complete && await ae.toDataURL(i.verification_uri_complete).then((c) => {
|
|
2361
|
+
a = c;
|
|
2362
2362
|
}).catch((c) => {
|
|
2363
2363
|
l.logger.debug(f({ err: c })), l.logger.warn(f({ msg: "Couldn't generate verification URL QR Code" }));
|
|
2364
|
-
}),
|
|
2364
|
+
}), a ? { verification_uri_qrdata: a, ...i } : i;
|
|
2365
2365
|
} catch (e) {
|
|
2366
2366
|
if (m.isSvelteKitRedirect(e) || m.isSvelteKitError(e)) throw e;
|
|
2367
2367
|
const t = n.asCrossauthError(e);
|
|
@@ -2381,8 +2381,8 @@ class G extends re {
|
|
|
2381
2381
|
try {
|
|
2382
2382
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2383
2383
|
throw new n(u.InvalidCsrf);
|
|
2384
|
-
} catch (
|
|
2385
|
-
throw m.isSvelteKitError(
|
|
2384
|
+
} catch (i) {
|
|
2385
|
+
throw m.isSvelteKitError(i) || m.isSvelteKitRedirect(i) ? i : new n(u.Unauthorized, "CSRF token not present");
|
|
2386
2386
|
}
|
|
2387
2387
|
let e = o.device_code;
|
|
2388
2388
|
if (!e) throw new n(u.BadRequest, "No device code given when polling for user authorization");
|
|
@@ -2397,8 +2397,8 @@ class G extends re {
|
|
|
2397
2397
|
);
|
|
2398
2398
|
{
|
|
2399
2399
|
if (t.error == "authorization_pending") return { ok: !0, ...t };
|
|
2400
|
-
let
|
|
2401
|
-
const c = n.fromOAuthError(
|
|
2400
|
+
let i = t.error ?? "server_error", a = t.error_description ?? "Didn't receive an access token";
|
|
2401
|
+
const c = n.fromOAuthError(i, a);
|
|
2402
2402
|
return this.errorFn(this.server, r, c);
|
|
2403
2403
|
}
|
|
2404
2404
|
} catch (e) {
|
|
@@ -2424,19 +2424,19 @@ class G extends re {
|
|
|
2424
2424
|
));
|
|
2425
2425
|
}
|
|
2426
2426
|
async storeSessionData(r, o) {
|
|
2427
|
-
var s, e, t,
|
|
2427
|
+
var s, e, t, i;
|
|
2428
2428
|
if (this.server.sessionServer) {
|
|
2429
|
-
let
|
|
2430
|
-
|
|
2429
|
+
let a = (s = this.server.sessionServer) == null ? void 0 : s.getSessionCookieValue(r);
|
|
2430
|
+
a ? await ((t = this.server.sessionAdapter) == null ? void 0 : t.updateSessionData(
|
|
2431
2431
|
r,
|
|
2432
2432
|
this.sessionDataName,
|
|
2433
2433
|
o
|
|
2434
|
-
)) :
|
|
2434
|
+
)) : a = await ((e = this.server.sessionServer) == null ? void 0 : e.createAnonymousSession(
|
|
2435
2435
|
r,
|
|
2436
2436
|
{ [this.sessionDataName]: o }
|
|
2437
2437
|
));
|
|
2438
2438
|
} else
|
|
2439
|
-
await ((
|
|
2439
|
+
await ((i = this.server.sessionAdapter) == null ? void 0 : i.updateSessionData(
|
|
2440
2440
|
r,
|
|
2441
2441
|
this.sessionDataName,
|
|
2442
2442
|
o
|
|
@@ -2460,8 +2460,8 @@ class ge extends se {
|
|
|
2460
2460
|
for (const [e, t] of Object.entries(o.protectedEndpoints)) {
|
|
2461
2461
|
if (!e.startsWith("/"))
|
|
2462
2462
|
throw new n(u.Configuration, "protected endpoints must be absolute paths without the protocol and hostname");
|
|
2463
|
-
t.scope && t.scope.forEach((
|
|
2464
|
-
if (!s.test(
|
|
2463
|
+
t.scope && t.scope.forEach((i) => {
|
|
2464
|
+
if (!s.test(i)) throw new n(u.Configuration, "Illegal characters in scope " + i);
|
|
2465
2465
|
});
|
|
2466
2466
|
}
|
|
2467
2467
|
this.protectedEndpoints = { ...o.protectedEndpoints };
|
|
@@ -2473,16 +2473,16 @@ class ge extends se {
|
|
|
2473
2473
|
o.protectedEndpoints && (this.hook = async ({ event: s }) => {
|
|
2474
2474
|
var c, d;
|
|
2475
2475
|
const e = s.url.pathname;
|
|
2476
|
-
let t = !1,
|
|
2476
|
+
let t = !1, i = "";
|
|
2477
2477
|
if (e in this.protectedEndpoints)
|
|
2478
|
-
t = !0,
|
|
2478
|
+
t = !0, i = e;
|
|
2479
2479
|
else
|
|
2480
2480
|
for (let h of this.protectedEndpointPrefixes)
|
|
2481
|
-
e.startsWith(h) && (t = !0),
|
|
2481
|
+
e.startsWith(h) && (t = !0), i = h;
|
|
2482
2482
|
if (!t) return;
|
|
2483
|
-
const
|
|
2484
|
-
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[
|
|
2485
|
-
if (!
|
|
2483
|
+
const a = await this.authorized(s);
|
|
2484
|
+
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[i].acceptSessionAuthorization != !0)) {
|
|
2485
|
+
if (!a) {
|
|
2486
2486
|
s.locals.authError = "access_denied", s.locals.authErrorDescription = "No access token";
|
|
2487
2487
|
const h = this.authenticateHeader(s);
|
|
2488
2488
|
return new Response(JSON.stringify(this.errorBody), {
|
|
@@ -2493,7 +2493,7 @@ class ge extends se {
|
|
|
2493
2493
|
status: 401
|
|
2494
2494
|
});
|
|
2495
2495
|
}
|
|
2496
|
-
if (!
|
|
2496
|
+
if (!a.authorized) {
|
|
2497
2497
|
const h = this.authenticateHeader(s);
|
|
2498
2498
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2499
2499
|
headers: {
|
|
@@ -2504,17 +2504,17 @@ class ge extends se {
|
|
|
2504
2504
|
});
|
|
2505
2505
|
}
|
|
2506
2506
|
}
|
|
2507
|
-
if (
|
|
2508
|
-
if (s.locals.accessTokenPayload =
|
|
2509
|
-
if (Array.isArray(
|
|
2507
|
+
if (a) {
|
|
2508
|
+
if (s.locals.accessTokenPayload = a.tokenPayload, s.locals.user = a.user, (c = a.tokenPayload) != null && c.scope)
|
|
2509
|
+
if (Array.isArray(a.tokenPayload.scope)) {
|
|
2510
2510
|
let h = [];
|
|
2511
|
-
for (let g of
|
|
2511
|
+
for (let g of a.tokenPayload.scope)
|
|
2512
2512
|
typeof g == "string" && h.push(g);
|
|
2513
2513
|
s.locals.scope = h;
|
|
2514
|
-
} else typeof
|
|
2515
|
-
if (this.protectedEndpoints[
|
|
2516
|
-
for (let h of this.protectedEndpoints[
|
|
2517
|
-
if (!s.locals.scope || !s.locals.scope.includes(h) && this.protectedEndpoints[
|
|
2514
|
+
} else typeof a.tokenPayload.scope == "string" && (s.locals.scope = a.tokenPayload.scope.split(" "));
|
|
2515
|
+
if (this.protectedEndpoints[i].scope) {
|
|
2516
|
+
for (let h of this.protectedEndpoints[i].scope ?? [])
|
|
2517
|
+
if (!s.locals.scope || !s.locals.scope.includes(h) && this.protectedEndpoints[i].acceptSessionAuthorization != !0) {
|
|
2518
2518
|
l.logger.warn(f({
|
|
2519
2519
|
msg: "Access token does not have sufficient scope",
|
|
2520
2520
|
username: (d = s.locals.user) == null ? void 0 : d.username,
|
|
@@ -2530,7 +2530,7 @@ class ge extends se {
|
|
|
2530
2530
|
});
|
|
2531
2531
|
}
|
|
2532
2532
|
}
|
|
2533
|
-
if (s.locals.authType = "oauth", s.locals.authError =
|
|
2533
|
+
if (s.locals.authType = "oauth", s.locals.authError = a == null ? void 0 : a.error, (a == null ? void 0 : a.error) == "access_denied") {
|
|
2534
2534
|
const h = this.authenticateHeader(s);
|
|
2535
2535
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2536
2536
|
headers: {
|
|
@@ -2539,14 +2539,14 @@ class ge extends se {
|
|
|
2539
2539
|
},
|
|
2540
2540
|
status: 401
|
|
2541
2541
|
});
|
|
2542
|
-
} else if (
|
|
2542
|
+
} else if (a != null && a.error)
|
|
2543
2543
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2544
2544
|
headers: {
|
|
2545
2545
|
"content-type": "application/json"
|
|
2546
2546
|
},
|
|
2547
2547
|
status: 500
|
|
2548
2548
|
});
|
|
2549
|
-
s.locals.authErrorDescription =
|
|
2549
|
+
s.locals.authErrorDescription = a == null ? void 0 : a.error_description, l.logger.debug(f({ msg: "Resource server url", url: s.request.url, authorized: s.locals.accessTokenPayload != null }));
|
|
2550
2550
|
}
|
|
2551
2551
|
});
|
|
2552
2552
|
}
|
|
@@ -2672,8 +2672,8 @@ const D = class D {
|
|
|
2672
2672
|
apiKey: s,
|
|
2673
2673
|
oAuthAuthServer: e,
|
|
2674
2674
|
oAuthClient: t,
|
|
2675
|
-
oAuthClients:
|
|
2676
|
-
oAuthResServer:
|
|
2675
|
+
oAuthClients: i,
|
|
2676
|
+
oAuthResServer: a,
|
|
2677
2677
|
options: c
|
|
2678
2678
|
}) {
|
|
2679
2679
|
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl", E.String, this, c, "LOGIN_URL", !1), c.isAdminFn && (D.isAdminFn = c.isAdminFn);
|
|
@@ -2704,15 +2704,15 @@ const D = class D {
|
|
|
2704
2704
|
{ ...h, ...c, ...e.options }
|
|
2705
2705
|
);
|
|
2706
2706
|
}
|
|
2707
|
-
if (t &&
|
|
2707
|
+
if (t && i)
|
|
2708
2708
|
throw new n(u.Configuration, "Cannot specify both oAuthClient and oAuthClients");
|
|
2709
2709
|
if (t && (this.oAuthClient = new G(
|
|
2710
2710
|
this,
|
|
2711
2711
|
t.authServerBaseUrl,
|
|
2712
2712
|
{ ...c, ...t.options }
|
|
2713
|
-
)),
|
|
2713
|
+
)), i) {
|
|
2714
2714
|
this.oAuthClients = [];
|
|
2715
|
-
for (let h of
|
|
2715
|
+
for (let h of i)
|
|
2716
2716
|
this.oAuthClients.push(
|
|
2717
2717
|
new G(
|
|
2718
2718
|
this,
|
|
@@ -2721,9 +2721,9 @@ const D = class D {
|
|
|
2721
2721
|
)
|
|
2722
2722
|
);
|
|
2723
2723
|
}
|
|
2724
|
-
|
|
2724
|
+
a && (y("audience", E.String, this, c, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2725
2725
|
[new te(this.audience, c)],
|
|
2726
|
-
{ sessionAdapter: this.sessionAdapter, ...
|
|
2726
|
+
{ sessionAdapter: this.sessionAdapter, ...a.options, ...c }
|
|
2727
2727
|
)), this.hooks = async ({ event: h, resolve: g }) => {
|
|
2728
2728
|
const p = await this.unresolvedHooks(h);
|
|
2729
2729
|
return p instanceof Response ? p : await g(p);
|
|
@@ -2834,12 +2834,12 @@ class we {
|
|
|
2834
2834
|
const g = await this.sessionServer.getSessionData(s, "factor2change");
|
|
2835
2835
|
g != null && g.username || this.isSessionUser(s) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), e = g == null ? void 0 : g.username;
|
|
2836
2836
|
}
|
|
2837
|
-
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }],
|
|
2838
|
-
|
|
2837
|
+
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], i = {}, a = s.url.searchParams.get("required"), c;
|
|
2838
|
+
a && (a = a.toLowerCase(), c = a == "true" || a == "1", c == !0 && (i.required = !0));
|
|
2839
2839
|
let d = s.url.searchParams.get("next");
|
|
2840
|
-
return d && (
|
|
2840
|
+
return d && (i.next = d), {
|
|
2841
2841
|
allowedFactor2: t,
|
|
2842
|
-
...
|
|
2842
|
+
...i,
|
|
2843
2843
|
username: e,
|
|
2844
2844
|
...this.baseEndpoint(s)
|
|
2845
2845
|
};
|
|
@@ -2849,12 +2849,12 @@ class we {
|
|
|
2849
2849
|
default: async (s) => await this.changePassword(s)
|
|
2850
2850
|
},
|
|
2851
2851
|
load: async (s) => {
|
|
2852
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2853
|
-
if (!
|
|
2852
|
+
let e = {}, t = s.url.searchParams.get("required"), i, a = s.locals.user != null;
|
|
2853
|
+
if (!a) {
|
|
2854
2854
|
const d = await this.sessionServer.getSessionData(s, "passwordchange");
|
|
2855
|
-
d != null && d.username && (
|
|
2855
|
+
d != null && d.username && (a = !0);
|
|
2856
2856
|
}
|
|
2857
|
-
|
|
2857
|
+
a || this.sessionServer.redirect(302, this.loginUrl), t && (t = t.toLowerCase(), i = t == "true" || t == "1", i == !0 && (e.required = !0));
|
|
2858
2858
|
let c = s.url.searchParams.get("next");
|
|
2859
2859
|
return c && (e.next = c), {
|
|
2860
2860
|
...e,
|
|
@@ -2880,8 +2880,8 @@ class we {
|
|
|
2880
2880
|
default: async (s) => await this.requestPasswordReset(s)
|
|
2881
2881
|
},
|
|
2882
2882
|
load: async (s) => {
|
|
2883
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2884
|
-
return t && (t = t.toLowerCase(),
|
|
2883
|
+
let e = {}, t = s.url.searchParams.get("required"), i;
|
|
2884
|
+
return t && (t = t.toLowerCase(), i = t == "true" || t == "1", i == !0 && (e.required = !0)), {
|
|
2885
2885
|
...e,
|
|
2886
2886
|
...this.baseEndpoint(s)
|
|
2887
2887
|
};
|
|
@@ -2901,14 +2901,14 @@ class we {
|
|
|
2901
2901
|
try {
|
|
2902
2902
|
return e = await this.resetPassword(s), e;
|
|
2903
2903
|
} catch (t) {
|
|
2904
|
-
const
|
|
2904
|
+
const i = n.asCrossauthError(t);
|
|
2905
2905
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2906
|
-
return l.logger.debug(f({ err:
|
|
2906
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
2907
2907
|
ok: !1,
|
|
2908
2908
|
tokenValidated: !1,
|
|
2909
2909
|
error: e == null ? void 0 : e.error,
|
|
2910
|
-
errorCode:
|
|
2911
|
-
errorCodeName:
|
|
2910
|
+
errorCode: i.code,
|
|
2911
|
+
errorCodeName: i.codeName,
|
|
2912
2912
|
...this.baseEndpoint(s)
|
|
2913
2913
|
};
|
|
2914
2914
|
}
|
|
@@ -3008,12 +3008,13 @@ class we {
|
|
|
3008
3008
|
try {
|
|
3009
3009
|
var s = new b();
|
|
3010
3010
|
await s.loadData(r), o = s.toObject();
|
|
3011
|
-
const e = s.get("username") ?? "", t = s.getAsBoolean("persist") ?? !1
|
|
3012
|
-
|
|
3013
|
-
|
|
3011
|
+
const e = s.get("username") ?? "", t = s.getAsBoolean("persist") ?? !1;
|
|
3012
|
+
let i = o.next ?? this.loginRedirectUrl;
|
|
3013
|
+
if (i.includes("/__data.json") && (i = i.substring(0, i.indexOf("/__data.json"))), e == "") throw new n(u.InvalidUsername, "Username field may not be empty");
|
|
3014
|
+
let a = this.addToSession ? this.addToSession(r, o) : {};
|
|
3014
3015
|
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
3015
3016
|
const c = this.sessionServer.getSessionCookieValue(r);
|
|
3016
|
-
let { sessionCookie: d, csrfCookie: h, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(),
|
|
3017
|
+
let { sessionCookie: d, csrfCookie: h, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(), a, t);
|
|
3017
3018
|
if (l.logger.debug(f({
|
|
3018
3019
|
msg: "Login: set session cookie " + d.name + " opts " + JSON.stringify(d.options),
|
|
3019
3020
|
user: e
|
|
@@ -3038,19 +3039,19 @@ class we {
|
|
|
3038
3039
|
})), l.logger.debug(f({ err: p }));
|
|
3039
3040
|
}
|
|
3040
3041
|
if (g.state == N.passwordChangeNeeded)
|
|
3041
|
-
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3042
|
+
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + i));
|
|
3042
3043
|
else {
|
|
3043
3044
|
if (g.state == N.passwordResetNeeded)
|
|
3044
3045
|
throw new n(u.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3045
3046
|
if (g.state == N.passwordAndFactor2ResetNeeded)
|
|
3046
3047
|
throw new n(u.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3047
|
-
this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3048
|
+
this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + i)) : (!g.factor2 || g.factor2 == "") && (r.locals.user = g);
|
|
3048
3049
|
}
|
|
3049
3050
|
return {
|
|
3050
3051
|
user: g,
|
|
3051
3052
|
formData: o,
|
|
3052
3053
|
factor2Required: g.factor2 && g.factor2 != "",
|
|
3053
|
-
next:
|
|
3054
|
+
next: i,
|
|
3054
3055
|
ok: !0
|
|
3055
3056
|
};
|
|
3056
3057
|
} catch (e) {
|
|
@@ -3071,22 +3072,22 @@ class we {
|
|
|
3071
3072
|
async loginWithUser(r, o, s) {
|
|
3072
3073
|
const e = s.locals.sessionId, t = new b();
|
|
3073
3074
|
await t.loadData(s);
|
|
3074
|
-
let
|
|
3075
|
+
let i = this.addToSession ? this.addToSession(s, t.toObject()) : {}, { sessionCookie: a, csrfCookie: c, csrfFormOrHeaderValue: d } = await this.sessionServer.sessionManager.login("", {}, i, void 0, r, o);
|
|
3075
3076
|
if (l.logger.debug(f({
|
|
3076
|
-
msg: "Login: set session cookie " +
|
|
3077
|
+
msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
|
|
3077
3078
|
user: r.username
|
|
3078
3079
|
})), s.cookies.set(
|
|
3079
|
-
|
|
3080
|
-
|
|
3081
|
-
R(
|
|
3080
|
+
a.name,
|
|
3081
|
+
a.value,
|
|
3082
|
+
R(a.options)
|
|
3082
3083
|
), l.logger.debug(f({
|
|
3083
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3084
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(a.options),
|
|
3084
3085
|
user: r.username
|
|
3085
3086
|
})), this.sessionServer.enableCsrfProtection && s.cookies.set(
|
|
3086
3087
|
c.name,
|
|
3087
3088
|
c.value,
|
|
3088
3089
|
R(c.options)
|
|
3089
|
-
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(
|
|
3090
|
+
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(a.value), e)
|
|
3090
3091
|
try {
|
|
3091
3092
|
await this.sessionServer.sessionManager.deleteSession(e);
|
|
3092
3093
|
} catch (h) {
|
|
@@ -3204,16 +3205,16 @@ class we {
|
|
|
3204
3205
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3205
3206
|
);
|
|
3206
3207
|
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
|
|
3207
|
-
let
|
|
3208
|
-
const
|
|
3208
|
+
let i = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
3209
|
+
const a = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
3209
3210
|
let c = {};
|
|
3210
3211
|
for (let p in o)
|
|
3211
3212
|
if (p.startsWith("repeat_")) {
|
|
3212
3213
|
const w = p.replace(/^repeat_/, "");
|
|
3213
|
-
|
|
3214
|
+
a.includes(w) && (c[w] = o[p]);
|
|
3214
3215
|
}
|
|
3215
3216
|
Object.keys(c).length === 0 && (c = void 0), t.state = "active", o.factor2 && o.factor2 != "none" ? t.state = "awaitingtwofactor" : this.sessionServer.enableEmailVerification && (t.state = "awaitingemailverification");
|
|
3216
|
-
let h = [...this.sessionServer.validateUserFn(t), ...
|
|
3217
|
+
let h = [...this.sessionServer.validateUserFn(t), ...i];
|
|
3217
3218
|
if (h.length > 0)
|
|
3218
3219
|
throw new n(u.FormEntry, h);
|
|
3219
3220
|
let g = !1;
|
|
@@ -3347,8 +3348,8 @@ class we {
|
|
|
3347
3348
|
try {
|
|
3348
3349
|
var t = new b();
|
|
3349
3350
|
await t.loadData(r), o = t.toObject();
|
|
3350
|
-
const
|
|
3351
|
-
if (
|
|
3351
|
+
const i = await this.sessionServer.getSessionData(r, "2fa");
|
|
3352
|
+
if (i != null && i.factor2) e = i == null ? void 0 : i.factor2;
|
|
3352
3353
|
else throw new n(u.BadRequest, "Two factor authentication was not started");
|
|
3353
3354
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3354
3355
|
throw new n(u.InvalidCsrf);
|
|
@@ -3356,17 +3357,17 @@ class we {
|
|
|
3356
3357
|
u.Unauthorized,
|
|
3357
3358
|
"No session active while enabling 2FA. Please enable cookies"
|
|
3358
3359
|
);
|
|
3359
|
-
let
|
|
3360
|
+
let a = await this.sessionServer.sessionManager.completeTwoFactorSetup(
|
|
3360
3361
|
o,
|
|
3361
3362
|
r.locals.sessionId
|
|
3362
3363
|
);
|
|
3363
|
-
return this.sessionServer.enableEmailVerification || await this.loginWithUser(
|
|
3364
|
+
return this.sessionServer.enableEmailVerification || await this.loginWithUser(a, !0, r), r.locals.user ? {
|
|
3364
3365
|
ok: !0,
|
|
3365
|
-
user:
|
|
3366
|
+
user: a,
|
|
3366
3367
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
3367
|
-
} : await this.loginWithUser(
|
|
3368
|
-
} catch (
|
|
3369
|
-
const
|
|
3368
|
+
} : await this.loginWithUser(a, !0, r);
|
|
3369
|
+
} catch (i) {
|
|
3370
|
+
const a = n.asCrossauthError(i);
|
|
3370
3371
|
let c;
|
|
3371
3372
|
try {
|
|
3372
3373
|
c = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId ?? "")).userData;
|
|
@@ -3377,11 +3378,11 @@ class we {
|
|
|
3377
3378
|
csrfToken: r.locals.csrfToken,
|
|
3378
3379
|
username: c.username ?? "",
|
|
3379
3380
|
factor2: e
|
|
3380
|
-
}), l.logger.debug(f({ err:
|
|
3381
|
+
}), l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
3381
3382
|
ok: !1,
|
|
3382
|
-
error:
|
|
3383
|
-
errorCode:
|
|
3384
|
-
errorCodeName:
|
|
3383
|
+
error: a.message,
|
|
3384
|
+
errorCode: a.code,
|
|
3385
|
+
errorCodeName: a.codeName,
|
|
3385
3386
|
formData: o,
|
|
3386
3387
|
factor2Data: s,
|
|
3387
3388
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
@@ -3417,22 +3418,22 @@ class we {
|
|
|
3417
3418
|
if (!t) throw new n(u.Unauthorized);
|
|
3418
3419
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3419
3420
|
throw new n(u.InvalidCsrf);
|
|
3420
|
-
let
|
|
3421
|
-
const { sessionCookie:
|
|
3421
|
+
let i = this.addToSession ? this.addToSession(r, o) : {};
|
|
3422
|
+
const { sessionCookie: a, csrfCookie: c, user: d } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
|
|
3422
3423
|
o,
|
|
3423
3424
|
t,
|
|
3424
|
-
|
|
3425
|
+
i,
|
|
3425
3426
|
e
|
|
3426
3427
|
);
|
|
3427
3428
|
return l.logger.debug(f({
|
|
3428
|
-
msg: "Login: set session cookie " +
|
|
3429
|
+
msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
|
|
3429
3430
|
user: d == null ? void 0 : d.username
|
|
3430
3431
|
})), r.cookies.set(
|
|
3431
|
-
|
|
3432
|
-
|
|
3433
|
-
R(
|
|
3432
|
+
a.name,
|
|
3433
|
+
a.value,
|
|
3434
|
+
R(a.options)
|
|
3434
3435
|
), l.logger.debug(f({
|
|
3435
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3436
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(a.options),
|
|
3436
3437
|
user: d == null ? void 0 : d.username
|
|
3437
3438
|
})), r.cookies.set(
|
|
3438
3439
|
c.name,
|
|
@@ -3551,17 +3552,17 @@ class we {
|
|
|
3551
3552
|
);
|
|
3552
3553
|
const e = r.params.token ?? "";
|
|
3553
3554
|
if (e == "") throw new n(u.InvalidUsername, "No token provided");
|
|
3554
|
-
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e),
|
|
3555
|
+
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e), i = this.sessionServer.authenticators[t.factor1], a = i.secretNames();
|
|
3555
3556
|
let c = {}, d = {};
|
|
3556
3557
|
for (let p in o)
|
|
3557
3558
|
if (p.startsWith("new_")) {
|
|
3558
3559
|
const w = p.replace(/^new_/, "");
|
|
3559
|
-
|
|
3560
|
+
a.includes(w) && (c[w] = o[p]);
|
|
3560
3561
|
} else if (p.startsWith("repeat_")) {
|
|
3561
3562
|
const w = p.replace(/^repeat_/, "");
|
|
3562
|
-
|
|
3563
|
+
a.includes(w) && (d[w] = o[p]);
|
|
3563
3564
|
}
|
|
3564
|
-
if (Object.keys(d).length === 0 && (d = void 0),
|
|
3565
|
+
if (Object.keys(d).length === 0 && (d = void 0), i.validateSecrets(c).length > 0)
|
|
3565
3566
|
throw new n(u.PasswordFormat);
|
|
3566
3567
|
const g = await this.sessionServer.sessionManager.resetSecret(e, 1, c, d);
|
|
3567
3568
|
if (g.state == N.active)
|
|
@@ -3676,20 +3677,20 @@ class we {
|
|
|
3676
3677
|
e = r.locals.user;
|
|
3677
3678
|
} else
|
|
3678
3679
|
throw new n(u.InsufficientPriviledges);
|
|
3679
|
-
const
|
|
3680
|
+
const i = this.sessionServer.authenticators[e.factor1], a = i.secretNames();
|
|
3680
3681
|
let c = {}, d = {}, h = {};
|
|
3681
3682
|
for (let w in o)
|
|
3682
3683
|
if (w.startsWith("new_")) {
|
|
3683
3684
|
const S = w.replace(/^new_/, "");
|
|
3684
|
-
|
|
3685
|
+
a.includes(S) && (d[S] = o[w]);
|
|
3685
3686
|
} else if (w.startsWith("old_")) {
|
|
3686
3687
|
const S = w.replace(/^old_/, "");
|
|
3687
|
-
|
|
3688
|
+
a.includes(S) && (c[S] = o[w]);
|
|
3688
3689
|
} else if (w.startsWith("repeat_")) {
|
|
3689
3690
|
const S = w.replace(/^repeat_/, "");
|
|
3690
|
-
|
|
3691
|
+
a.includes(S) && (h[S] = o[w]);
|
|
3691
3692
|
}
|
|
3692
|
-
if (Object.keys(h).length === 0 && (h = void 0),
|
|
3693
|
+
if (Object.keys(h).length === 0 && (h = void 0), i.validateSecrets(d).length > 0)
|
|
3693
3694
|
throw new n(u.PasswordFormat);
|
|
3694
3695
|
const p = e.state;
|
|
3695
3696
|
try {
|
|
@@ -3807,15 +3808,15 @@ class we {
|
|
|
3807
3808
|
let t = this.sessionServer.validateUserFn(e);
|
|
3808
3809
|
if (t.length > 0)
|
|
3809
3810
|
throw new n(u.FormEntry, t);
|
|
3810
|
-
let { emailVerificationTokenSent:
|
|
3811
|
-
if (!
|
|
3812
|
-
const
|
|
3813
|
-
r.locals.user =
|
|
3811
|
+
let { emailVerificationTokenSent: i } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
|
|
3812
|
+
if (!i) {
|
|
3813
|
+
const a = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
|
|
3814
|
+
r.locals.user = a.user;
|
|
3814
3815
|
}
|
|
3815
3816
|
return {
|
|
3816
3817
|
ok: !0,
|
|
3817
3818
|
formData: o,
|
|
3818
|
-
emailVerificationNeeded:
|
|
3819
|
+
emailVerificationNeeded: i
|
|
3819
3820
|
};
|
|
3820
3821
|
} catch (e) {
|
|
3821
3822
|
let t = n.asCrossauthError(e, "Couldn't update account");
|
|
@@ -3863,32 +3864,32 @@ class we {
|
|
|
3863
3864
|
const d = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3864
3865
|
d != null && d.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = d == null ? void 0 : d.username;
|
|
3865
3866
|
}
|
|
3866
|
-
let
|
|
3867
|
-
if (!
|
|
3867
|
+
let i = r.locals.user;
|
|
3868
|
+
if (!i && t && (i = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3868
3869
|
t,
|
|
3869
3870
|
{
|
|
3870
3871
|
skipActiveCheck: !0,
|
|
3871
3872
|
skipEmailVerifiedCheck: !0
|
|
3872
3873
|
}
|
|
3873
|
-
)).user), !
|
|
3874
|
+
)).user), !i)
|
|
3874
3875
|
throw new n(u.InsufficientPriviledges);
|
|
3875
3876
|
if (!r.locals.sessionId)
|
|
3876
3877
|
throw new n(u.Unauthorized);
|
|
3877
|
-
let
|
|
3878
|
+
let a = o.factor2;
|
|
3878
3879
|
if (o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2))
|
|
3879
3880
|
throw new n(
|
|
3880
3881
|
u.Forbidden,
|
|
3881
3882
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3882
3883
|
);
|
|
3883
|
-
if ((o.factor2 == "none" || o.factor2 == "") && (
|
|
3884
|
-
return await this.loginWithUser(
|
|
3885
|
-
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3886
|
-
return
|
|
3884
|
+
if ((o.factor2 == "none" || o.factor2 == "") && (a = void 0, !r.locals.user))
|
|
3885
|
+
return await this.loginWithUser(i, !0, r);
|
|
3886
|
+
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(i, a, r.locals.sessionId);
|
|
3887
|
+
return a ? {
|
|
3887
3888
|
ok: !0,
|
|
3888
3889
|
formData: o,
|
|
3889
3890
|
factor2Data: {
|
|
3890
|
-
username:
|
|
3891
|
-
factor2:
|
|
3891
|
+
username: i.username,
|
|
3892
|
+
factor2: a ?? "",
|
|
3892
3893
|
userData: c,
|
|
3893
3894
|
csrfToken: r.locals.csrfToken
|
|
3894
3895
|
}
|
|
@@ -3897,11 +3898,11 @@ class we {
|
|
|
3897
3898
|
formData: o
|
|
3898
3899
|
};
|
|
3899
3900
|
} catch (t) {
|
|
3900
|
-
let
|
|
3901
|
-
return l.logger.debug(f({ err:
|
|
3902
|
-
error:
|
|
3903
|
-
errorCode:
|
|
3904
|
-
errorCodeName:
|
|
3901
|
+
let i = n.asCrossauthError(t, "Couldn't update account");
|
|
3902
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
3903
|
+
error: i.message,
|
|
3904
|
+
errorCode: i.code,
|
|
3905
|
+
errorCodeName: i.codeName,
|
|
3905
3906
|
ok: !1,
|
|
3906
3907
|
formData: o
|
|
3907
3908
|
};
|
|
@@ -3939,47 +3940,47 @@ class we {
|
|
|
3939
3940
|
const h = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3940
3941
|
h != null && h.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = h == null ? void 0 : h.username;
|
|
3941
3942
|
}
|
|
3942
|
-
let
|
|
3943
|
-
if (!
|
|
3943
|
+
let i = r.locals.user;
|
|
3944
|
+
if (!i && t && (i = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3944
3945
|
t,
|
|
3945
3946
|
{
|
|
3946
3947
|
skipActiveCheck: !0,
|
|
3947
3948
|
skipEmailVerifiedCheck: !0
|
|
3948
3949
|
}
|
|
3949
|
-
)).user), !
|
|
3950
|
+
)).user), !i)
|
|
3950
3951
|
throw new n(u.InsufficientPriviledges);
|
|
3951
3952
|
if (!r.locals.sessionId)
|
|
3952
3953
|
throw new n(u.Unauthorized);
|
|
3953
3954
|
if (!r.locals.sessionId)
|
|
3954
3955
|
throw new n(u.Unauthorized);
|
|
3955
|
-
let
|
|
3956
|
-
const c = this.sessionServer.authenticators[
|
|
3956
|
+
let a = i.factor2;
|
|
3957
|
+
const c = this.sessionServer.authenticators[a];
|
|
3957
3958
|
if (!c || c.secretNames().length == 0)
|
|
3958
3959
|
throw new n(
|
|
3959
3960
|
u.BadRequest,
|
|
3960
3961
|
"Selected second factor does not have configuration"
|
|
3961
3962
|
);
|
|
3962
3963
|
const d = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3963
|
-
a,
|
|
3964
3964
|
i,
|
|
3965
|
+
a,
|
|
3965
3966
|
r.locals.sessionId
|
|
3966
3967
|
);
|
|
3967
3968
|
return {
|
|
3968
3969
|
ok: !0,
|
|
3969
3970
|
formData: o,
|
|
3970
3971
|
factor2Data: {
|
|
3971
|
-
username:
|
|
3972
|
-
factor2:
|
|
3972
|
+
username: i.username,
|
|
3973
|
+
factor2: i.factor2 ?? "",
|
|
3973
3974
|
userData: d,
|
|
3974
3975
|
csrfToken: r.locals.csrfToken
|
|
3975
3976
|
}
|
|
3976
3977
|
};
|
|
3977
3978
|
} catch (t) {
|
|
3978
|
-
let
|
|
3979
|
-
return l.logger.debug(f({ err:
|
|
3980
|
-
error:
|
|
3981
|
-
errorCode:
|
|
3982
|
-
errorCodeName:
|
|
3979
|
+
let i = n.asCrossauthError(t, "Couldn't update account");
|
|
3980
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
3981
|
+
error: i.message,
|
|
3982
|
+
errorCode: i.code,
|
|
3983
|
+
errorCodeName: i.codeName,
|
|
3983
3984
|
ok: !1,
|
|
3984
3985
|
formData: o
|
|
3985
3986
|
};
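Review bot: The new side of this hunk repeats `if (!r.locals.sessionId) throw new n(u.Unauthorized);` twice in a row, so the second copy is unreachable and should be dropped. The catch in the same method then reports a failed two-factor setup as `"Couldn't update account"`, the message copied from the account-update handler earlier in the file, which makes the logged failure indistinguishable from that path; a message naming this operation, e.g. `"Couldn't set up second factor"`, would tell whoever reads the log which handler failed. Both points are on unchanged or renamed-only lines, so the commit neither introduces nor fixes them. The enclosing method starts before this hunk.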
|
|
@@ -4001,16 +4002,16 @@ async function me(k, r, o = 0, s = 10) {
|
|
|
4001
4002
|
const { user: t } = await r.getUserByUsername(k);
|
|
4002
4003
|
e.push(t);
|
|
4003
4004
|
} catch (t) {
|
|
4004
|
-
const
|
|
4005
|
-
if (
|
|
4006
|
-
throw l.logger.debug(f({ err:
|
|
4005
|
+
const i = n.asCrossauthError(t);
|
|
4006
|
+
if (i.code != u.UserNotExist)
|
|
4007
|
+
throw l.logger.debug(f({ err: i })), i;
|
|
4007
4008
|
try {
|
|
4008
|
-
const { user:
|
|
4009
|
-
e.push(
|
|
4010
|
-
} catch (
|
|
4011
|
-
const c = n.asCrossauthError(
|
|
4009
|
+
const { user: a } = await r.getUserByEmail(k);
|
|
4010
|
+
e.push(a);
|
|
4011
|
+
} catch (a) {
|
|
4012
|
+
const c = n.asCrossauthError(a);
|
|
4012
4013
|
if (c.code != u.UserNotExist)
|
|
4013
|
-
throw l.logger.debug(f({ err: c })),
|
|
4014
|
+
throw l.logger.debug(f({ err: c })), i;
|
|
4014
4015
|
}
|
|
4015
4016
|
}
|
|
4016
4017
|
return e;
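Review bot: In the inner catch of this hunk, `throw l.logger.debug(f({ err: c })), i;` logs the error from `getUserByEmail` (`c`) but rethrows the earlier `getUserByUsername` error (`i`), so the exception that propagates is not the one that was recorded; the line should read `throw l.logger.debug(f({ err: c })), c;`. The same mismatch appears in `Se` further down, whose `getClientByName` catch ends in `throw l.logger.debug(f({ err: d })), a;`, and there the not-found comparison is still against `u.UserNotExist` although both lookups are for clients, which is worth confirming against what the client storage actually raises. The old side of these lines is truncated in this rendering, so I cannot tell whether the commit introduced the swap or carried it over. `me`'s signature and outer try begin outside the hunk.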
|
|
@@ -4029,12 +4030,12 @@ class ke {
|
|
|
4029
4030
|
}, this.updateUserEndpoint = {
|
|
4030
4031
|
actions: {
|
|
4031
4032
|
default: async (s) => {
|
|
4032
|
-
var
|
|
4033
|
+
var i, a, c;
|
|
4033
4034
|
const e = await this.getUserFromParam(s);
|
|
4034
4035
|
return e.exception || !e.user ? {
|
|
4035
4036
|
ok: !1,
|
|
4036
|
-
error: ((
|
|
4037
|
-
errorCode: (
|
|
4037
|
+
error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
|
|
4038
|
+
errorCode: (a = e.exception) == null ? void 0 : a.code,
|
|
4038
4039
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4039
4040
|
} : await this.updateUser(e.user, s);
|
|
4040
4041
|
}
|
|
@@ -4056,12 +4057,12 @@ class ke {
|
|
|
4056
4057
|
}, this.changePasswordEndpoint = {
|
|
4057
4058
|
actions: {
|
|
4058
4059
|
default: async (s) => {
|
|
4059
|
-
var
|
|
4060
|
+
var i, a, c;
|
|
4060
4061
|
const e = await this.getUserFromParam(s);
|
|
4061
4062
|
return e.exception || !e.user ? {
|
|
4062
4063
|
ok: !1,
|
|
4063
|
-
error: ((
|
|
4064
|
-
errorCode: (
|
|
4064
|
+
error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
|
|
4065
|
+
errorCode: (a = e.exception) == null ? void 0 : a.code,
|
|
4065
4066
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4066
4067
|
} : await this.changePassword(e.user, s);
|
|
4067
4068
|
}
|
|
@@ -4074,8 +4075,8 @@ class ke {
|
|
|
4074
4075
|
editUser: e.user,
|
|
4075
4076
|
...this.baseEndpoint(s)
|
|
4076
4077
|
};
|
|
4077
|
-
let t = {},
|
|
4078
|
-
return
|
|
4078
|
+
let t = {}, i = s.url.searchParams.get("next");
|
|
4079
|
+
return i && (t.next = i), {
|
|
4079
4080
|
...t,
|
|
4080
4081
|
editUser: e.user,
|
|
4081
4082
|
...this.baseEndpoint(s)
|
|
@@ -4097,15 +4098,15 @@ class ke {
|
|
|
4097
4098
|
default: async (s) => await this.deleteUser(s)
|
|
4098
4099
|
},
|
|
4099
4100
|
load: async (s) => {
|
|
4100
|
-
var t,
|
|
4101
|
+
var t, i, a;
|
|
4101
4102
|
const e = await this.getUserFromParam(s);
|
|
4102
4103
|
return e.exception || !e.user ? {
|
|
4103
4104
|
error: "User doesn't exist",
|
|
4104
4105
|
errorCode: (t = e.exception) == null ? void 0 : t.code,
|
|
4105
|
-
errorCodeName: (
|
|
4106
|
+
errorCodeName: (i = e.exception) == null ? void 0 : i.codeName,
|
|
4106
4107
|
...this.baseEndpoint(s)
|
|
4107
4108
|
} : {
|
|
4108
|
-
username: (
|
|
4109
|
+
username: (a = e.user) == null ? void 0 : a.username,
|
|
4109
4110
|
...this.baseEndpoint(s)
|
|
4110
4111
|
};
|
|
4111
4112
|
}
|
|
@@ -4156,7 +4157,7 @@ class ke {
|
|
|
4156
4157
|
try {
|
|
4157
4158
|
if (!this.sessionServer.userStorage) throw new n(u.Configuration, "Must provide user storage to use this function");
|
|
4158
4159
|
(!r.locals.user || !m.isAdminFn(r.locals.user)) && this.sessionServer.error(401);
|
|
4159
|
-
let t = [],
|
|
4160
|
+
let t = [], i = [], a = [];
|
|
4160
4161
|
if (!s)
|
|
4161
4162
|
try {
|
|
4162
4163
|
const d = r.url.searchParams.get("skip");
|
|
@@ -4178,7 +4179,7 @@ class ke {
|
|
|
4178
4179
|
this.sessionServer.userStorage,
|
|
4179
4180
|
s,
|
|
4180
4181
|
e
|
|
4181
|
-
), s > 0 && (
|
|
4182
|
+
), s > 0 && (i = await this.userSearchFn(
|
|
4182
4183
|
o,
|
|
4183
4184
|
this.sessionServer.userStorage,
|
|
4184
4185
|
s - 1,
|
|
@@ -4186,7 +4187,7 @@ class ke {
|
|
|
4186
4187
|
))) : (t = await this.sessionServer.userStorage.getUsers(
|
|
4187
4188
|
s,
|
|
4188
4189
|
e
|
|
4189
|
-
), t.length == e && (
|
|
4190
|
+
), t.length == e && (a = await this.sessionServer.userStorage.getUsers(
|
|
4190
4191
|
s + e,
|
|
4191
4192
|
1
|
|
4192
4193
|
))), {
|
|
@@ -4194,17 +4195,17 @@ class ke {
|
|
|
4194
4195
|
users: t,
|
|
4195
4196
|
skip: s,
|
|
4196
4197
|
take: e,
|
|
4197
|
-
hasPrevious:
|
|
4198
|
-
hasNext:
|
|
4198
|
+
hasPrevious: i.length > 0,
|
|
4199
|
+
hasNext: a.length > 0,
|
|
4199
4200
|
search: o
|
|
4200
4201
|
};
|
|
4201
4202
|
} catch (t) {
|
|
4202
|
-
const
|
|
4203
|
-
return l.logger.debug(f({ err:
|
|
4203
|
+
const i = n.asCrossauthError(t);
|
|
4204
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4204
4205
|
ok: !1,
|
|
4205
|
-
error:
|
|
4206
|
-
errorCode:
|
|
4207
|
-
errorCodeName:
|
|
4206
|
+
error: i.message,
|
|
4207
|
+
errorCode: i.code,
|
|
4208
|
+
errorCodeName: i.codeName,
|
|
4208
4209
|
hasPrevious: !1,
|
|
4209
4210
|
hasNext: !1,
|
|
4210
4211
|
skip: s ?? 0,
|
|
@@ -4250,7 +4251,7 @@ class ke {
|
|
|
4250
4251
|
if (!this.sessionServer.userStorage) throw new n(u.Configuration, "Must provide user storage to use this function");
|
|
4251
4252
|
var e = new b();
|
|
4252
4253
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
4253
|
-
const t = r.factor2,
|
|
4254
|
+
const t = r.factor2, i = r.state;
|
|
4254
4255
|
r.state = s.state ?? "active", r = this.sessionServer.updateUserFn(
|
|
4255
4256
|
r,
|
|
4256
4257
|
o,
|
|
@@ -4260,10 +4261,10 @@ class ke {
|
|
|
4260
4261
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4261
4262
|
}
|
|
4262
4263
|
);
|
|
4263
|
-
const
|
|
4264
|
-
if (
|
|
4264
|
+
const a = r.factor2 && r.factor2 != "none" && r.factor2 != t;
|
|
4265
|
+
if (a && !(r.state == i || r.state == "factor2ResetNeeded"))
|
|
4265
4266
|
throw new n(u.BadRequest, "Cannot change both factor2 and state at the same time");
|
|
4266
|
-
|
|
4267
|
+
a && (r.state = N.factor2ResetNeeded, l.logger.warn(f({
|
|
4267
4268
|
msg: `Setting state for user to ${N.factor2ResetNeeded}`,
|
|
4268
4269
|
username: r.username
|
|
4269
4270
|
})));
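Review bot: `if (a && !(r.state == i || r.state == "factor2ResetNeeded"))` compares the state against a string literal while the assignment on the next line uses the enum member `N.factor2ResetNeeded`; if the enum's value ever differs from that literal, an admin submission that already carries the reset state would be rejected with the "Cannot change both factor2 and state at the same time" error. Use the same symbol in both places: `if (a && !(r.state == i || r.state == N.factor2ResetNeeded))`. The commit only renames locals on these lines, so the inconsistency predates it. The enclosing updateUser try block starts before this hunk and ends after it.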
|
|
@@ -4279,11 +4280,11 @@ class ke {
|
|
|
4279
4280
|
};
|
|
4280
4281
|
} catch (t) {
|
|
4281
4282
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4282
|
-
let
|
|
4283
|
-
return l.logger.debug(f({ err:
|
|
4284
|
-
error:
|
|
4285
|
-
errorCode:
|
|
4286
|
-
errorCodeName:
|
|
4283
|
+
let i = n.asCrossauthError(t, "Couldn't log in");
|
|
4284
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4285
|
+
error: i.message,
|
|
4286
|
+
errorCode: i.code,
|
|
4287
|
+
errorCodeName: i.codeName,
|
|
4287
4288
|
ok: !1,
|
|
4288
4289
|
formData: s
|
|
4289
4290
|
};
|
|
@@ -4315,20 +4316,20 @@ class ke {
|
|
|
4315
4316
|
var e = new b();
|
|
4316
4317
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken)
|
|
4317
4318
|
throw new n(u.InvalidCsrf);
|
|
4318
|
-
const t = this.sessionServer.authenticators[r.factor1],
|
|
4319
|
-
let
|
|
4319
|
+
const t = this.sessionServer.authenticators[r.factor1], i = t.secretNames();
|
|
4320
|
+
let a = {}, c = {}, d = {};
|
|
4320
4321
|
for (let g in s)
|
|
4321
4322
|
if (g.startsWith("new_")) {
|
|
4322
4323
|
const p = g.replace(/^new_/, "");
|
|
4323
|
-
|
|
4324
|
+
i.includes(p) && (c[p] = s[g]);
|
|
4324
4325
|
} else if (g.startsWith("old_")) {
|
|
4325
4326
|
const p = g.replace(/^old_/, "");
|
|
4326
|
-
|
|
4327
|
+
i.includes(p) && (a[p] = s[g]);
|
|
4327
4328
|
} else if (g.startsWith("repeat_")) {
|
|
4328
4329
|
const p = g.replace(/^repeat_/, "");
|
|
4329
|
-
|
|
4330
|
+
i.includes(p) && (d[p] = s[g]);
|
|
4330
4331
|
}
|
|
4331
|
-
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(
|
|
4332
|
+
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(a).length === 0 && (a = void 0), t.validateSecrets(c).length > 0)
|
|
4332
4333
|
throw new n(u.PasswordFormat);
|
|
4333
4334
|
try {
|
|
4334
4335
|
await this.sessionServer.sessionManager.changeSecrets(
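Review bot: `const t = this.sessionServer.authenticators[r.factor1], i = t.secretNames();` calls `secretNames()` on `t` without checking that an authenticator is registered for the user's `factor1`, so a user record whose factor1 has no configured authenticator raises a TypeError that the generic catch then reports as "Couldn't change password". The factor2 path earlier in this file guards the equivalent lookup with `if (!c || c.secretNames().length == 0)`; the same shape here would be `if (!t) throw new n(u.Configuration, "No authenticator configured for factor1");` placed before `secretNames()` is called. The old side declared `t` the same way, so the commit does not address this. The enclosing method starts and ends outside this hunk.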
|
|
@@ -4336,7 +4337,7 @@ class ke {
|
|
|
4336
4337
|
1,
|
|
4337
4338
|
c,
|
|
4338
4339
|
d,
|
|
4339
|
-
|
|
4340
|
+
a
|
|
4340
4341
|
);
|
|
4341
4342
|
} catch (g) {
|
|
4342
4343
|
const p = n.asCrossauthError(g);
|
|
@@ -4348,11 +4349,11 @@ class ke {
|
|
|
4348
4349
|
};
|
|
4349
4350
|
} catch (t) {
|
|
4350
4351
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4351
|
-
let
|
|
4352
|
-
return l.logger.debug(f({ err:
|
|
4353
|
-
error:
|
|
4354
|
-
errorCode:
|
|
4355
|
-
errorCodeName:
|
|
4352
|
+
let i = n.asCrossauthError(t, "Couldn't change password");
|
|
4353
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4354
|
+
error: i.message,
|
|
4355
|
+
errorCode: i.code,
|
|
4356
|
+
errorCodeName: i.codeName,
|
|
4356
4357
|
ok: !1,
|
|
4357
4358
|
formData: s
|
|
4358
4359
|
};
|
|
@@ -4427,21 +4428,21 @@ class ke {
|
|
|
4427
4428
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4428
4429
|
}
|
|
4429
4430
|
);
|
|
4430
|
-
const
|
|
4431
|
-
let
|
|
4432
|
-
for (let w of
|
|
4433
|
-
!o[w] && !o["repeat_" + w] && (
|
|
4431
|
+
const i = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
4432
|
+
let a = !0;
|
|
4433
|
+
for (let w of i)
|
|
4434
|
+
!o[w] && !o["repeat_" + w] && (a = !1);
|
|
4434
4435
|
let c = [], d = {};
|
|
4435
|
-
if (
|
|
4436
|
+
if (a) {
|
|
4436
4437
|
c = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
4437
4438
|
for (let w in o)
|
|
4438
4439
|
if (w.startsWith("repeat_")) {
|
|
4439
4440
|
const S = w.replace(/^repeat_/, "");
|
|
4440
|
-
|
|
4441
|
+
i.includes(S) && (d[S] = o[w]);
|
|
4441
4442
|
}
|
|
4442
4443
|
Object.keys(d).length === 0 && (d = void 0);
|
|
4443
4444
|
}
|
|
4444
|
-
|
|
4445
|
+
a ? o.factor2 != null && (t.state = N.factor2ResetNeeded) : o.factor2 == null ? t.state = N.passwordResetNeeded : t.state = N.passwordAndFactor2ResetNeeded;
|
|
4445
4446
|
let g = [...this.sessionServer.validateUserFn(t), ...c];
|
|
4446
4447
|
if (g.length > 0)
|
|
4447
4448
|
throw new n(u.FormEntry, g);
|
|
@@ -4450,9 +4451,9 @@ class ke {
|
|
|
4450
4451
|
o,
|
|
4451
4452
|
d,
|
|
4452
4453
|
!0,
|
|
4453
|
-
!
|
|
4454
|
+
!a
|
|
4454
4455
|
);
|
|
4455
|
-
if (!
|
|
4456
|
+
if (!a) {
|
|
4456
4457
|
let w = o.username;
|
|
4457
4458
|
if ("user_email" in o && (w = o.user_email), oe.validateEmail(w), !w) throw new n(u.FormEntry, "No password given but no email address found either");
|
|
4458
4459
|
await this.sessionServer.sessionManager.requestPasswordReset(w);
|
|
@@ -4526,18 +4527,18 @@ async function Se(k, r, o, s, e) {
|
|
|
4526
4527
|
let t = [];
|
|
4527
4528
|
if (o > 0) return [];
|
|
4528
4529
|
try {
|
|
4529
|
-
const
|
|
4530
|
-
t.push(
|
|
4531
|
-
} catch (
|
|
4532
|
-
const
|
|
4533
|
-
if (
|
|
4534
|
-
throw l.logger.debug(f({ err:
|
|
4530
|
+
const i = await r.getClientById(k);
|
|
4531
|
+
t.push(i);
|
|
4532
|
+
} catch (i) {
|
|
4533
|
+
const a = n.asCrossauthError(i);
|
|
4534
|
+
if (a.code != u.UserNotExist)
|
|
4535
|
+
throw l.logger.debug(f({ err: a })), a;
|
|
4535
4536
|
try {
|
|
4536
4537
|
t = await r.getClientByName(k, e);
|
|
4537
4538
|
} catch (c) {
|
|
4538
4539
|
const d = n.asCrossauthError(c);
|
|
4539
4540
|
if (d.code != u.UserNotExist)
|
|
4540
|
-
throw l.logger.debug(f({ err: d })),
|
|
4541
|
+
throw l.logger.debug(f({ err: d })), a;
|
|
4541
4542
|
}
|
|
4542
4543
|
}
|
|
4543
4544
|
return t;
|
|
@@ -4596,7 +4597,7 @@ class X {
|
|
|
4596
4597
|
if (!this.sessionServer.clientStorage) throw new n(u.Configuration, "Must provide client storage to use this function");
|
|
4597
4598
|
if (!r.locals.user)
|
|
4598
4599
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
4599
|
-
let
|
|
4600
|
+
let i = [], a = [], c = [];
|
|
4600
4601
|
if (!s)
|
|
4601
4602
|
try {
|
|
4602
4603
|
const h = r.url.searchParams.get("skip");
|
|
@@ -4613,44 +4614,44 @@ class X {
|
|
|
4613
4614
|
}
|
|
4614
4615
|
e || (e = 10);
|
|
4615
4616
|
const d = r.url.searchParams.get("search");
|
|
4616
|
-
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (
|
|
4617
|
+
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (i = await this.clientSearchFn(
|
|
4617
4618
|
o,
|
|
4618
4619
|
this.sessionServer.clientStorage,
|
|
4619
4620
|
s,
|
|
4620
4621
|
e
|
|
4621
|
-
), s > 0 && (
|
|
4622
|
+
), s > 0 && (a = await this.clientSearchFn(
|
|
4622
4623
|
o,
|
|
4623
4624
|
this.sessionServer.clientStorage,
|
|
4624
4625
|
s - 1,
|
|
4625
4626
|
1,
|
|
4626
4627
|
t
|
|
4627
|
-
))) : (
|
|
4628
|
+
))) : (i = await this.sessionServer.clientStorage.getClients(
|
|
4628
4629
|
s,
|
|
4629
4630
|
e,
|
|
4630
4631
|
t
|
|
4631
|
-
),
|
|
4632
|
+
), i.length == e && (c = await this.sessionServer.clientStorage.getClients(
|
|
4632
4633
|
s + e,
|
|
4633
4634
|
1,
|
|
4634
4635
|
t
|
|
4635
4636
|
))), {
|
|
4636
4637
|
ok: !0,
|
|
4637
|
-
clients:
|
|
4638
|
+
clients: i,
|
|
4638
4639
|
skip: s,
|
|
4639
4640
|
take: e,
|
|
4640
|
-
hasPrevious:
|
|
4641
|
+
hasPrevious: a.length > 0,
|
|
4641
4642
|
hasNext: c.length > 0,
|
|
4642
4643
|
search: o,
|
|
4643
4644
|
clientUserId: t
|
|
4644
4645
|
};
|
|
4645
|
-
} catch (
|
|
4646
|
-
if (m.isSvelteKitRedirect(
|
|
4647
|
-
throw
|
|
4648
|
-
const
|
|
4649
|
-
return l.logger.debug(f({ err:
|
|
4646
|
+
} catch (i) {
|
|
4647
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitRedirect(i))
|
|
4648
|
+
throw i;
|
|
4649
|
+
const a = n.asCrossauthError(i);
|
|
4650
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4650
4651
|
ok: !1,
|
|
4651
|
-
error:
|
|
4652
|
-
errorCode:
|
|
4653
|
-
errorCodeName:
|
|
4652
|
+
error: a.message,
|
|
4653
|
+
errorCode: a.code,
|
|
4654
|
+
errorCodeName: a.codeName,
|
|
4654
4655
|
hasPrevious: !1,
|
|
4655
4656
|
hasNext: !1,
|
|
4656
4657
|
skip: s ?? 0,
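Review bot: `if (m.isSvelteKitRedirect(i) || m.isSvelteKitRedirect(i))` tests the same predicate twice, so a SvelteKit error thrown inside the try is not rethrown but converted into an `ok: !1` payload with its message copied into `error`. The other catch blocks in this diff pair the redirect check with the error check, e.g. `if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;`, and this one should read `if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;`. The old side of the line is truncated in this rendering, so whether the duplication is new is not visible here. The enclosing method starts before this hunk and its error payload continues past it.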
|
|
@@ -4673,21 +4674,21 @@ class X {
|
|
|
4673
4674
|
try {
|
|
4674
4675
|
if (!o) throw new n(u.BadRequest, "No client ID specified");
|
|
4675
4676
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4676
|
-
const
|
|
4677
|
+
const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(i.userid)), c = (t = a == null ? void 0 : a.user) == null ? void 0 : t.username;
|
|
4677
4678
|
return {
|
|
4678
4679
|
ok: !0,
|
|
4679
|
-
client:
|
|
4680
|
+
client: i,
|
|
4680
4681
|
validFlows: this.validFlows,
|
|
4681
4682
|
valid_flowNames: this.valid_flowNames,
|
|
4682
4683
|
client_id: o,
|
|
4683
4684
|
clientUsername: c
|
|
4684
4685
|
};
|
|
4685
|
-
} catch (
|
|
4686
|
-
let
|
|
4687
|
-
return l.logger.debug(f({ err:
|
|
4688
|
-
error:
|
|
4689
|
-
errorCode:
|
|
4690
|
-
errorCodeName:
|
|
4686
|
+
} catch (i) {
|
|
4687
|
+
let a = n.asCrossauthError(i, "Couldn't load client");
|
|
4688
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4689
|
+
error: a.message,
|
|
4690
|
+
errorCode: a.code,
|
|
4691
|
+
errorCodeName: a.codeName,
|
|
4691
4692
|
ok: !1,
|
|
4692
4693
|
validFlows: this.validFlows,
|
|
4693
4694
|
valid_flowNames: this.valid_flowNames,
|
|
@@ -4708,11 +4709,11 @@ class X {
|
|
|
4708
4709
|
* @returns {@link UpdateClientFormData}. If a new secret was created, it will be placed as plaintext in the client that is returned.
|
|
4709
4710
|
*/
|
|
4710
4711
|
async updateClient_internal(r, o) {
|
|
4711
|
-
var t,
|
|
4712
|
+
var t, i;
|
|
4712
4713
|
let s;
|
|
4713
4714
|
try {
|
|
4714
|
-
const
|
|
4715
|
-
if (!
|
|
4715
|
+
const a = r.params.client_id;
|
|
4716
|
+
if (!a) throw new n(u.BadRequest, "No client ID given");
|
|
4716
4717
|
var e = new b();
|
|
4717
4718
|
if (await e.loadData(r), s = e.toObject(), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4718
4719
|
throw new n(u.InvalidCsrf);
|
|
@@ -4736,7 +4737,7 @@ class X {
|
|
|
4736
4737
|
if (g.client_name = s.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow = h, g.redirect_uri = c, o) {
|
|
4737
4738
|
let C = s.userid ?? void 0;
|
|
4738
4739
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4739
|
-
const { user: T } = await ((
|
|
4740
|
+
const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4740
4741
|
C = T.id;
|
|
4741
4742
|
}
|
|
4742
4743
|
g.userid = s.userid ? Number(s.userid) : null;
|
|
@@ -4744,7 +4745,7 @@ class X {
|
|
|
4744
4745
|
const p = e.getAsBoolean("resetSecret");
|
|
4745
4746
|
if (!this.clientManager) throw new n(u.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
|
|
4746
4747
|
const { client: w, newSecret: S } = await this.clientManager.updateClient(
|
|
4747
|
-
|
|
4748
|
+
a,
|
|
4748
4749
|
g,
|
|
4749
4750
|
p
|
|
4750
4751
|
);
|
|
@@ -4755,9 +4756,9 @@ class X {
|
|
|
4755
4756
|
//plaintextSecret: resetSecret ? formData.client_secret : undefined,
|
|
4756
4757
|
plaintextSecret: S && w.client_secret ? w.client_secret : void 0
|
|
4757
4758
|
};
|
|
4758
|
-
} catch (
|
|
4759
|
-
if (m.isSvelteKitRedirect(
|
|
4760
|
-
let c = n.asCrossauthError(
|
|
4759
|
+
} catch (a) {
|
|
4760
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
4761
|
+
let c = n.asCrossauthError(a, "Couldn't update client");
|
|
4761
4762
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ cerr: c })), {
|
|
4762
4763
|
error: c.message,
|
|
4763
4764
|
errorCode: c.code,
|
|
@@ -4776,7 +4777,7 @@ class X {
|
|
|
4776
4777
|
* @returns {@link CreateClientPageData}.
|
|
4777
4778
|
*/
|
|
4778
4779
|
async emptyClient_internal(r, o) {
|
|
4779
|
-
var e, t,
|
|
4780
|
+
var e, t, i, a, c, d, h;
|
|
4780
4781
|
try {
|
|
4781
4782
|
var s = new b();
|
|
4782
4783
|
await s.loadData(r);
|
|
@@ -4788,8 +4789,8 @@ class X {
|
|
|
4788
4789
|
g = T.id;
|
|
4789
4790
|
}
|
|
4790
4791
|
const C = s.get("userid");
|
|
4791
|
-
if (C && ((
|
|
4792
|
-
const { user: T } = await ((
|
|
4792
|
+
if (C && ((i = this.sessionServer) != null && i.userStorage)) {
|
|
4793
|
+
const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4793
4794
|
g = T.id;
|
|
4794
4795
|
}
|
|
4795
4796
|
} else {
|
|
@@ -4829,7 +4830,7 @@ class X {
|
|
|
4829
4830
|
* @returns {@link UpdateClientFormData}. If a secret was created, it will be placed as plaintext in the client that is returned. A random `client_id` is created.
|
|
4830
4831
|
*/
|
|
4831
4832
|
async createClient_internal(r, o) {
|
|
4832
|
-
var t,
|
|
4833
|
+
var t, i, a, c;
|
|
4833
4834
|
let s;
|
|
4834
4835
|
try {
|
|
4835
4836
|
var e = new b();
|
|
@@ -4838,7 +4839,7 @@ class X {
|
|
|
4838
4839
|
if (o) {
|
|
4839
4840
|
const C = e.get("userid");
|
|
4840
4841
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4841
|
-
const { user: T } = await ((
|
|
4842
|
+
const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4842
4843
|
d = T.id;
|
|
4843
4844
|
}
|
|
4844
4845
|
} else {
|
|
@@ -4846,7 +4847,7 @@ class X {
|
|
|
4846
4847
|
d = r.locals.user.id;
|
|
4847
4848
|
}
|
|
4848
4849
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4849
|
-
if (d && await ((c = (
|
|
4850
|
+
if (d && await ((c = (a = this.sessionServer) == null ? void 0 : a.userStorage) == null ? void 0 : c.getUserById(d)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4850
4851
|
throw new n(u.InvalidCsrf);
|
|
4851
4852
|
const h = !s.redirect_uri || s.redirect_uri.trim().length == 0 ? [] : s.redirect_uri.trim().split(/[, ][ \t\n]*/);
|
|
4852
4853
|
let g = [];
|
|
@@ -4902,19 +4903,19 @@ class X {
|
|
|
4902
4903
|
try {
|
|
4903
4904
|
if (!o) throw new n(u.BadRequest, "No client ID specified");
|
|
4904
4905
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4905
|
-
const
|
|
4906
|
+
const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(i.userid)), c = (t = a == null ? void 0 : a.user) == null ? void 0 : t.username;
|
|
4906
4907
|
return {
|
|
4907
4908
|
ok: !0,
|
|
4908
|
-
client:
|
|
4909
|
+
client: i,
|
|
4909
4910
|
client_id: o,
|
|
4910
4911
|
clientUsername: c
|
|
4911
4912
|
};
|
|
4912
|
-
} catch (
|
|
4913
|
-
let
|
|
4914
|
-
return l.logger.debug(f({ err:
|
|
4915
|
-
error:
|
|
4916
|
-
errorCode:
|
|
4917
|
-
errorCodeName:
|
|
4913
|
+
} catch (i) {
|
|
4914
|
+
let a = n.asCrossauthError(i, "Couldn't load client");
|
|
4915
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4916
|
+
error: a.message,
|
|
4917
|
+
errorCode: a.code,
|
|
4918
|
+
errorCodeName: a.codeName,
|
|
4918
4919
|
ok: !1,
|
|
4919
4920
|
client_id: o
|
|
4920
4921
|
};
|
|
@@ -4935,19 +4936,19 @@ class X {
|
|
|
4935
4936
|
const t = r.params.client_id;
|
|
4936
4937
|
if (!t) throw new n(u.BadRequest, "No client ID given");
|
|
4937
4938
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4938
|
-
const
|
|
4939
|
-
if (!o &&
|
|
4939
|
+
const i = await ((s = this.clientStorage) == null ? void 0 : s.getClientById(t));
|
|
4940
|
+
if (!o && i.userid != ((e = r.locals.user) == null ? void 0 : e.id))
|
|
4940
4941
|
throw this.error(401, "Unauthorized");
|
|
4941
4942
|
return await this.clientStorage.deleteClient(t), {
|
|
4942
4943
|
ok: !0
|
|
4943
4944
|
};
|
|
4944
4945
|
} catch (t) {
|
|
4945
4946
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
4946
|
-
let
|
|
4947
|
-
return l.logger.debug(f({ err:
|
|
4948
|
-
error:
|
|
4949
|
-
errorCode:
|
|
4950
|
-
errorCodeName:
|
|
4947
|
+
let i = n.asCrossauthError(t, "Couldn't delete client");
|
|
4948
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4949
|
+
error: i.message,
|
|
4950
|
+
errorCode: i.code,
|
|
4951
|
+
errorCodeName: i.codeName,
|
|
4951
4952
|
ok: !1
|
|
4952
4953
|
};
|
|
4953
4954
|
}
|
|
@@ -5265,46 +5266,46 @@ function Ee(k) {
|
|
|
5265
5266
|
return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
|
|
5266
5267
|
}
|
|
5267
5268
|
function _e(k, r, o) {
|
|
5268
|
-
var
|
|
5269
|
+
var i;
|
|
5269
5270
|
let e = {
|
|
5270
5271
|
username: r.username ?? "",
|
|
5271
5272
|
state: "active"
|
|
5272
5273
|
};
|
|
5273
5274
|
const t = k.locals.user && m.isAdminFn(k.locals.user);
|
|
5274
|
-
for (let
|
|
5275
|
-
let c =
|
|
5276
|
-
if (
|
|
5275
|
+
for (let a in r) {
|
|
5276
|
+
let c = a.replace(/^user_/, "");
|
|
5277
|
+
if (a.startsWith("user_") && (t || o.includes(c)))
|
|
5277
5278
|
if ("type_" + c in r) {
|
|
5278
5279
|
if (r["type_" + c] == "string")
|
|
5279
|
-
e[c] = r[
|
|
5280
|
+
e[c] = r[a];
|
|
5280
5281
|
else if (r["type_" + c] == "number" || r["type_" + c] == "integer" || r["type_" + c] == "float")
|
|
5281
|
-
e[c] = Number(r[
|
|
5282
|
+
e[c] = Number(r[a]);
|
|
5282
5283
|
else if (r["type_" + c] == "boolean") {
|
|
5283
|
-
const d = (
|
|
5284
|
+
const d = (i = r[a]) == null ? void 0 : i.toLocaleLowerCase();
|
|
5284
5285
|
e[c] = d == "1" || d == "y" || d == "t" || d == "yes" || d == "true";
|
|
5285
5286
|
}
|
|
5286
5287
|
} else
|
|
5287
|
-
e[c] = r[
|
|
5288
|
+
e[c] = r[a];
|
|
5288
5289
|
}
|
|
5289
5290
|
return e.factor1 = "localpassword", e.factor2 = r.factor2, e;
|
|
5290
5291
|
}
|
|
5291
5292
|
function ve(k, r, o, s) {
|
|
5292
5293
|
var t;
|
|
5293
5294
|
const e = r.locals.user && m.isAdminFn(r.locals.user);
|
|
5294
|
-
for (let
|
|
5295
|
-
let
|
|
5296
|
-
if (
|
|
5297
|
-
if ("type_" +
|
|
5298
|
-
if (o["type_" +
|
|
5299
|
-
k[
|
|
5300
|
-
else if (o["type_" +
|
|
5301
|
-
k[
|
|
5302
|
-
else if (o["type_" +
|
|
5303
|
-
const c = (t = o[
|
|
5304
|
-
k[
|
|
5295
|
+
for (let i in o) {
|
|
5296
|
+
let a = i.replace(/^user_/, "");
|
|
5297
|
+
if (i.startsWith("user_") && (e || s.includes(a)))
|
|
5298
|
+
if ("type_" + a in o) {
|
|
5299
|
+
if (o["type_" + a] == "string")
|
|
5300
|
+
k[a] = o[i];
|
|
5301
|
+
else if (o["type_" + a] == "number" || o["type_" + a] == "integer" || o["type_" + a] == "float")
|
|
5302
|
+
k[a] = Number(o[i]);
|
|
5303
|
+
else if (o["type_" + a] == "boolean") {
|
|
5304
|
+
const c = (t = o[i]) == null ? void 0 : t.toLocaleLowerCase();
|
|
5305
|
+
k[a] = c == "1" || c == "y" || c == "t" || c == "yes" || c == "true";
|
|
5305
5306
|
}
|
|
5306
5307
|
} else
|
|
5307
|
-
k[
|
|
5308
|
+
k[a] = o[i];
|
|
5308
5309
|
}
|
|
5309
5310
|
return k;
|
|
5310
5311
|
}
|
|
@@ -5333,8 +5334,8 @@ class H {
|
|
|
5333
5334
|
y("enableEmailVerification", E.Boolean, this, s, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", E.Boolean, this, s, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", E.Boolean, this, s, "ENABLE_CSRF_PROTECTION"), y("editUserScope", E.String, this, s, "EDIT_USER_SCOPE"), s.validateUserFn && (this.validateUserFn = s.validateUserFn), s.createUserFn && (this.createUserFn = s.createUserFn), s.updateUserFn && (this.updateUserFn = s.updateUserFn), s.addToSession && (this.addToSession = s.addToSession), s.validateSession && (this.validateSession = s.validateSession), this.userEndpoints = new we(this, s), this.adminEndpoints = new ke(this, s), this.userClientEndpoints = new Ce(this, s), this.adminClientEndpoints = new ye(this, s), this.sessionHook = async ({ event: t }) => {
|
|
5334
5335
|
var h, g;
|
|
5335
5336
|
l.logger.debug("Session hook");
|
|
5336
|
-
let
|
|
5337
|
-
const
|
|
5337
|
+
let i = [];
|
|
5338
|
+
const a = this.sessionManager.csrfCookieName, c = this.sessionManager.sessionCookieName;
|
|
5338
5339
|
if (this.enableCsrfProtection) {
|
|
5339
5340
|
l.logger.debug(f({ msg: "Getting csrf cookie" }));
|
|
5340
5341
|
let p;
|
|
@@ -5343,7 +5344,7 @@ class H {
|
|
|
5343
5344
|
} catch (w) {
|
|
5344
5345
|
l.logger.warn(f({ msg: "Invalid csrf cookie received", cerr: w, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5345
5346
|
try {
|
|
5346
|
-
this.clearCookie(
|
|
5347
|
+
this.clearCookie(a, this.sessionManager.csrfCookiePath, t);
|
|
5347
5348
|
} catch (S) {
|
|
5348
5349
|
l.logger.debug(f({ err: S })), l.logger.error(f({ cerr: S, msg: "Couldn't delete CSRF cookie", ip: t.request.referrer, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5349
5350
|
}
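Review bot: The error log emitted when the CSRF cookie cannot be cleared records `ip: t.request.referrer`, which stores the Referer header under a field named `ip`; anyone correlating these events by client address will get a URL, or nothing, instead. Either label the field for what it holds, `referrer: t.request.referrer`, or, if the client address is what the log is meant to carry, use the address SvelteKit exposes on the event via `getClientAddress()`. This is an unchanged context line in the session hook the commit otherwise only re-letters, so it is not something the commit introduced. The hook starts before this hunk and continues after it.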
|
|
@@ -5360,13 +5361,13 @@ class H {
|
|
|
5360
5361
|
const { csrfCookie: w, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
|
|
5361
5362
|
this.setCsrfCookie(w, t), t.locals.csrfToken = S;
|
|
5362
5363
|
}
|
|
5363
|
-
this.setHeader(x, t.locals.csrfToken,
|
|
5364
|
+
this.setHeader(x, t.locals.csrfToken, i);
|
|
5364
5365
|
} catch (w) {
|
|
5365
|
-
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (h = t.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w })), this.clearCookie(
|
|
5366
|
+
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (h = t.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w })), this.clearCookie(a, this.sessionManager.csrfCookiePath, t), t.locals.csrfToken = void 0;
|
|
5366
5367
|
}
|
|
5367
5368
|
else if (p)
|
|
5368
5369
|
try {
|
|
5369
|
-
await this.csrfToken(t,
|
|
5370
|
+
await this.csrfToken(t, i);
|
|
5370
5371
|
} catch (w) {
|
|
5371
5372
|
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (g = t.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w }));
|
|
5372
5373
|
}
|
|
@@ -5381,13 +5382,13 @@ class H {
|
|
|
5381
5382
|
} catch {
|
|
5382
5383
|
l.logger.warn(f({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(t) })), this.clearCookie(c, this.sessionManager.sessionCookiePath, t);
|
|
5383
5384
|
}
|
|
5384
|
-
return { headers:
|
|
5385
|
+
return { headers: i };
|
|
5385
5386
|
}, this.twoFAHook = async ({ event: t }) => {
|
|
5386
5387
|
var h;
|
|
5387
5388
|
if (l.logger.debug(f({ msg: "twoFAHook", username: (h = t.locals.user) == null ? void 0 : h.username })), !this.userStorage) throw this.error(500, "No user storage defined");
|
|
5388
|
-
const
|
|
5389
|
+
const i = this.getSessionCookieValue(t), a = this.isFactor2PageProtected(t), c = this.isFactor2ApiProtected(t);
|
|
5389
5390
|
let d;
|
|
5390
|
-
if (
|
|
5391
|
+
if (i)
|
|
5391
5392
|
if (t.locals.user) d = t.locals.user;
|
|
5392
5393
|
else {
|
|
5393
5394
|
const g = await this.getSessionData(t, "user");
|
|
@@ -5396,7 +5397,7 @@ class H {
|
|
|
5396
5397
|
(p.user.status == N.active || p.user.state == N.factor2ResetNeeded) && (d = p.user);
|
|
5397
5398
|
}
|
|
5398
5399
|
}
|
|
5399
|
-
if (d &&
|
|
5400
|
+
if (d && i && d.factor2 != "" && (a || c))
|
|
5400
5401
|
if (l.logger.debug(f({ msg: "Factor2-protected endpoint visited" })), ["GET", "OPTIONS", "HEAD"].includes(t.request.method)) {
|
|
5401
5402
|
l.logger.debug(f({ msg: "Factor2-protected GET endpoint - cancelling 2FA" }));
|
|
5402
5403
|
const g = this.getSessionCookieValue(t);
|
|
@@ -5412,7 +5413,7 @@ class H {
|
|
|
5412
5413
|
}
|
|
5413
5414
|
}
|
|
5414
5415
|
} else {
|
|
5415
|
-
const g = this.sessionManager.getSessionId(
|
|
5416
|
+
const g = this.sessionManager.getSessionId(i), p = await this.sessionManager.dataForSessionId(g);
|
|
5416
5417
|
if ("pre2fa" in p) {
|
|
5417
5418
|
l.logger.debug(f({ msg: "Completing 2FA" }));
|
|
5418
5419
|
const w = this.authenticators[p.pre2fa.factor2], S = [...w.secretNames(), ...w.transientSecretNames()];
|
|
@@ -5441,7 +5442,7 @@ class H {
|
|
|
5441
5442
|
}
|
|
5442
5443
|
return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
|
|
5443
5444
|
} else
|
|
5444
|
-
return
|
|
5445
|
+
return a ? {
|
|
5445
5446
|
twofa: !0,
|
|
5446
5447
|
ok: !1,
|
|
5447
5448
|
response: new Response("", {
|
|
@@ -5489,7 +5490,7 @@ class H {
|
|
|
5489
5490
|
const w = new b();
|
|
5490
5491
|
await w.loadData(t);
|
|
5491
5492
|
let S = t.request.headers.get("content-type");
|
|
5492
|
-
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", w.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0),
|
|
5493
|
+
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", w.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0), a ? {
|
|
5493
5494
|
twofa: !0,
|
|
5494
5495
|
ok: !0,
|
|
5495
5496
|
response: new Response("", {
|
|
@@ -5612,21 +5613,21 @@ class H {
|
|
|
5612
5613
|
* @returns the string CSRF token for inclusion in forms
|
|
5613
5614
|
*/
|
|
5614
5615
|
async csrfToken(r, o) {
|
|
5615
|
-
var e, t,
|
|
5616
|
+
var e, t, i;
|
|
5616
5617
|
let s;
|
|
5617
5618
|
if (r.request.headers && r.request.headers.has(x.toLowerCase())) {
|
|
5618
|
-
const
|
|
5619
|
-
Array.isArray(
|
|
5619
|
+
const a = r.request.headers.get(x.toLowerCase());
|
|
5620
|
+
Array.isArray(a) ? s = a[0] : a && (s = a);
|
|
5620
5621
|
}
|
|
5621
5622
|
if (!s) {
|
|
5622
5623
|
if (!((e = r.request) != null && e.body)) {
|
|
5623
5624
|
l.logger.warn(f({ msg: "Received CSRF header but not token", ip: r.request.referrerPolicy, hashedCsrfCookie: this.getHashOfCsrfCookie(r) }));
|
|
5624
5625
|
return;
|
|
5625
5626
|
}
|
|
5626
|
-
const
|
|
5627
|
-
if (
|
|
5628
|
-
s = (await ((
|
|
5629
|
-
else if (
|
|
5627
|
+
const a = r.request.headers.get("content-type");
|
|
5628
|
+
if (a == "application/json")
|
|
5629
|
+
s = (await ((i = (t = r.request) == null ? void 0 : t.clone()) == null ? void 0 : i.json())).csrfToken;
|
|
5630
|
+
else if (a == "application/x-www-form-urlencoded" || a == "multipart/form-data") {
|
|
5630
5631
|
const d = (await r.request.clone().formData()).get("csrfToken");
|
|
5631
5632
|
d && typeof d == "string" && (s = d);
|
|
5632
5633
|
}
|
|
@@ -5659,8 +5660,8 @@ class H {
|
|
|
5659
5660
|
else {
|
|
5660
5661
|
e = "";
|
|
5661
5662
|
for (let t in o) {
|
|
5662
|
-
const
|
|
5663
|
-
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(
|
|
5663
|
+
const i = o[t];
|
|
5664
|
+
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(i);
|
|
5664
5665
|
}
|
|
5665
5666
|
}
|
|
5666
5667
|
return r.request = new Request(r.request.url, {
|
|
@@ -5714,10 +5715,10 @@ class H {
|
|
|
5714
5715
|
if (o.pathname == this.loginUrl) return !1;
|
|
5715
5716
|
let s = !1;
|
|
5716
5717
|
return s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5717
|
-
(t,
|
|
5718
|
+
(t, i) => t || I(o.pathname, i),
|
|
5718
5719
|
s
|
|
5719
5720
|
), s ? !1 : this.loginProtectedPageEndpoints.reduce(
|
|
5720
|
-
(t,
|
|
5721
|
+
(t, i) => t || I(o.pathname, i),
|
|
5721
5722
|
!1
|
|
5722
5723
|
);
|
|
5723
5724
|
}
|
|
@@ -5735,10 +5736,10 @@ class H {
|
|
|
5735
5736
|
if (o.pathname == this.loginUrl) return !1;
|
|
5736
5737
|
let s = !1;
|
|
5737
5738
|
return s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5738
|
-
(t,
|
|
5739
|
+
(t, i) => t || I(o.pathname, i),
|
|
5739
5740
|
s
|
|
5740
5741
|
), s ? !1 : this.loginProtectedApiEndpoints.reduce(
|
|
5741
|
-
(t,
|
|
5742
|
+
(t, i) => t || I(o.pathname, i),
|
|
5742
5743
|
!1
|
|
5743
5744
|
);
|
|
5744
5745
|
}
|
|
@@ -5787,13 +5788,13 @@ class H {
|
|
|
5787
5788
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5788
5789
|
let s = !1;
|
|
5789
5790
|
return s = this.adminProtectedExceptionPageEndpoints.reduce(
|
|
5790
|
-
(t,
|
|
5791
|
+
(t, i) => t || I(o.pathname, i),
|
|
5791
5792
|
s
|
|
5792
5793
|
), s || (s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5793
|
-
(t,
|
|
5794
|
+
(t, i) => t || I(o.pathname, i),
|
|
5794
5795
|
s
|
|
5795
5796
|
), s) ? !1 : this.adminPageEndpoints.reduce(
|
|
5796
|
-
(t,
|
|
5797
|
+
(t, i) => t || I(o.pathname, i),
|
|
5797
5798
|
!1
|
|
5798
5799
|
);
|
|
5799
5800
|
}
|
|
@@ -5810,13 +5811,13 @@ class H {
|
|
|
5810
5811
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5811
5812
|
let s = !1;
|
|
5812
5813
|
return s = this.adminProtectedExceptionApiEndpoints.reduce(
|
|
5813
|
-
(t,
|
|
5814
|
+
(t, i) => t || I(o.pathname, i),
|
|
5814
5815
|
s
|
|
5815
5816
|
), s || (s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5816
|
-
(t,
|
|
5817
|
+
(t, i) => t || I(o.pathname, i),
|
|
5817
5818
|
s
|
|
5818
5819
|
), s) ? !1 : this.adminApiEndpoints.reduce(
|
|
5819
|
-
(t,
|
|
5820
|
+
(t, i) => t || I(o.pathname, i),
|
|
5820
5821
|
!1
|
|
5821
5822
|
);
|
|
5822
5823
|
}
|
|
@@ -5838,15 +5839,15 @@ class H {
|
|
|
5838
5839
|
await s.loadData(r);
|
|
5839
5840
|
let e = this.addToSession ? this.addToSession(r, s.toObject()) : {};
|
|
5840
5841
|
o && (e.data = JSON.stringify(o));
|
|
5841
|
-
let { sessionCookie: t, csrfCookie:
|
|
5842
|
+
let { sessionCookie: t, csrfCookie: i, csrfFormOrHeaderValue: a } = await this.sessionManager.createAnonymousSession(e);
|
|
5842
5843
|
r.cookies.set(
|
|
5843
5844
|
t.name,
|
|
5844
5845
|
t.value,
|
|
5845
5846
|
R(t.options)
|
|
5846
|
-
), this.enableCsrfProtection && (r.locals.csrfToken =
|
|
5847
|
-
|
|
5848
|
-
|
|
5849
|
-
R(
|
|
5847
|
+
), this.enableCsrfProtection && (r.locals.csrfToken = a, r.cookies.set(
|
|
5848
|
+
i.name,
|
|
5849
|
+
i.value,
|
|
5850
|
+
R(i.options)
|
|
5850
5851
|
)), r.locals.user = void 0;
|
|
5851
5852
|
const c = this.sessionManager.getSessionId(t.value);
|
|
5852
5853
|
return r.locals.sessionId = c, t.value;
|