@crossauth/sveltekit 0.0.35 → 0.0.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +640 -639
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -26,11 +26,11 @@ class b {
|
|
|
26
26
|
this.clone = r;
|
|
27
27
|
}
|
|
28
28
|
async loadData(r) {
|
|
29
|
-
var s, e, t,
|
|
29
|
+
var s, e, t, a;
|
|
30
30
|
if (!((s = r.request) != null && s.body))
|
|
31
31
|
return;
|
|
32
32
|
const o = r.request.headers.get("content-type");
|
|
33
|
-
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((
|
|
33
|
+
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((a = r.request) == null ? void 0 : a.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
|
|
34
34
|
}
|
|
35
35
|
get(r) {
|
|
36
36
|
if (this.jsonData) return this.jsonData[r];
|
|
@@ -92,29 +92,29 @@ class ne {
|
|
|
92
92
|
l.logger.debug(f({
|
|
93
93
|
msg: "Received authorization header"
|
|
94
94
|
}));
|
|
95
|
-
const
|
|
95
|
+
const a = await this.apiKeyManager.validateToken(
|
|
96
96
|
t
|
|
97
97
|
);
|
|
98
98
|
l.logger.debug(f({
|
|
99
99
|
msg: "Valid API key",
|
|
100
|
-
hahedApiKey: K.hashSignedApiKeyValue(
|
|
100
|
+
hahedApiKey: K.hashSignedApiKeyValue(a.value)
|
|
101
101
|
}));
|
|
102
|
-
const
|
|
103
|
-
if (e.locals.apiKey = { ...
|
|
102
|
+
const i = $.decodeData(a.data);
|
|
103
|
+
if (e.locals.apiKey = { ...a, ...i }, "scope" in i && Array.isArray(i.scope)) {
|
|
104
104
|
let c = [];
|
|
105
|
-
for (let d of
|
|
105
|
+
for (let d of i.scope)
|
|
106
106
|
typeof d == "string" && c.push(d);
|
|
107
107
|
e.locals.scope = c;
|
|
108
108
|
}
|
|
109
|
-
if (
|
|
109
|
+
if (a.userid)
|
|
110
110
|
try {
|
|
111
|
-
const { user: c } = await this.userStorage.getUserById(
|
|
112
|
-
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: K.hashSignedApiKeyValue(
|
|
111
|
+
const { user: c } = await this.userStorage.getUserById(a.userid);
|
|
112
|
+
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: K.hashSignedApiKeyValue(a.value) }));
|
|
113
113
|
} catch (c) {
|
|
114
|
-
l.logger.error(f({ msg: "API key has invalid user", userid:
|
|
114
|
+
l.logger.error(f({ msg: "API key has invalid user", userid: a.userid, hashedApiKey: K.hashSignedApiKeyValue(a.value) })), l.logger.debug(f({ err: c }));
|
|
115
115
|
}
|
|
116
|
-
} catch (
|
|
117
|
-
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err:
|
|
116
|
+
} catch (a) {
|
|
117
|
+
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err: a }));
|
|
118
118
|
}
|
|
119
119
|
};
|
|
120
120
|
}
|
|
@@ -130,9 +130,9 @@ class ce {
|
|
|
130
130
|
* @param options see {@link SvelteKitAuthorizationServerOptions}
|
|
131
131
|
*/
|
|
132
132
|
constructor(r, o, s, e, t = {}) {
|
|
133
|
-
var
|
|
133
|
+
var a;
|
|
134
134
|
this.loginUrl = "/login", this.refreshTokenType = "json", this.refreshTokenCookieName = "CROSSAUTH_REFRESH_TOKEN", this.refreshTokenCookieDomain = void 0, this.refreshTokenCookieHttpOnly = !1, this.refreshTokenCookiePath = "/", this.refreshTokenCookieSecure = !0, this.refreshTokenCookieSameSite = "strict", this.authorizeEndpointUrl = "/oauth/authorize", this.tokenEndpointUrl = "/oauth/token", this.jwksEndpointUrl = "/oauth/jwks", this.oidcConfigurationEndpoint = {
|
|
135
|
-
get: async (
|
|
135
|
+
get: async (i) => v(this.authServer.oidcConfiguration(
|
|
136
136
|
{
|
|
137
137
|
authorizeEndpoint: this.authorizeEndpointUrl,
|
|
138
138
|
tokenEndpoint: this.tokenEndpointUrl,
|
|
@@ -141,7 +141,7 @@ class ce {
|
|
|
141
141
|
}
|
|
142
142
|
))
|
|
143
143
|
}, this.jwksGetEndpoint = {
|
|
144
|
-
get: async (
|
|
144
|
+
get: async (i) => {
|
|
145
145
|
try {
|
|
146
146
|
return v(this.authServer.jwks());
|
|
147
147
|
} catch (c) {
|
|
@@ -153,7 +153,7 @@ class ce {
|
|
|
153
153
|
}
|
|
154
154
|
}
|
|
155
155
|
}, this.getCsrfTokenEndpoint = {
|
|
156
|
-
get: async (
|
|
156
|
+
get: async (i) => {
|
|
157
157
|
var d;
|
|
158
158
|
if (!this.csrfTokens) return v({
|
|
159
159
|
ok: !1,
|
|
@@ -166,7 +166,7 @@ class ce {
|
|
|
166
166
|
csrfCookie: h,
|
|
167
167
|
csrfFormOrHeaderValue: g
|
|
168
168
|
} = await this.createCsrfToken();
|
|
169
|
-
return c = h.value,
|
|
169
|
+
return c = h.value, i.cookies.set(
|
|
170
170
|
h.name,
|
|
171
171
|
h.value,
|
|
172
172
|
R(h.options)
|
|
@@ -175,7 +175,7 @@ class ce {
|
|
|
175
175
|
const g = n.asCrossauthError(h);
|
|
176
176
|
return l.logger.error(f({
|
|
177
177
|
msg: "getcsrftoken failure",
|
|
178
|
-
user: (d =
|
|
178
|
+
user: (d = i.locals.user) == null ? void 0 : d.username,
|
|
179
179
|
hashedCsrfCookie: F.hash(c.split(".")[0]),
|
|
180
180
|
error: g.code,
|
|
181
181
|
errorCodeName: g.codeName
|
|
@@ -187,15 +187,15 @@ class ce {
|
|
|
187
187
|
}
|
|
188
188
|
}
|
|
189
189
|
}, this.authorizeEndpoint = {
|
|
190
|
-
load: async (
|
|
190
|
+
load: async (i) => {
|
|
191
191
|
var w, S;
|
|
192
192
|
if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode)))
|
|
193
193
|
throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
|
|
194
|
-
if (!
|
|
194
|
+
if (!i.locals.user) return this.redirect(
|
|
195
195
|
302,
|
|
196
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
196
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
197
197
|
);
|
|
198
|
-
let c = this.getAuthorizeQuery(
|
|
198
|
+
let c = this.getAuthorizeQuery(i);
|
|
199
199
|
if (!c.query) return c.error;
|
|
200
200
|
let d = c.query;
|
|
201
201
|
l.logger.debug(f({ msg: "validating authorize parameters" }));
|
|
@@ -203,10 +203,10 @@ class ce {
|
|
|
203
203
|
if (h ? (g = new n(u.BadRequest, h), l.logger.error(f({
|
|
204
204
|
msg: "authorize parameter invalid",
|
|
205
205
|
cerr: g,
|
|
206
|
-
user: (w =
|
|
206
|
+
user: (w = i.locals.user) == null ? void 0 : w.username
|
|
207
207
|
}))) : l.logger.error(f({
|
|
208
208
|
msg: "authorize parameter valid",
|
|
209
|
-
user: (S =
|
|
209
|
+
user: (S = i.locals.user) == null ? void 0 : S.username
|
|
210
210
|
})), g)
|
|
211
211
|
return {
|
|
212
212
|
ok: !1,
|
|
@@ -219,18 +219,18 @@ class ce {
|
|
|
219
219
|
scope: d.scope
|
|
220
220
|
})), d.scope ? p = await this.authServer.hasAllScopes(
|
|
221
221
|
d.client_id,
|
|
222
|
-
|
|
222
|
+
i.locals.user,
|
|
223
223
|
d.scope.split(" ")
|
|
224
224
|
) : p = await this.authServer.hasAllScopes(
|
|
225
225
|
d.client_id,
|
|
226
|
-
|
|
226
|
+
i.locals.user,
|
|
227
227
|
[null]
|
|
228
228
|
), p) {
|
|
229
229
|
l.logger.debug(f({
|
|
230
230
|
msg: "All scopes authorized",
|
|
231
231
|
scope: d.scope
|
|
232
232
|
}));
|
|
233
|
-
const C = await this.authorize(
|
|
233
|
+
const C = await this.authorize(i, !0, {
|
|
234
234
|
responseType: d.response_type,
|
|
235
235
|
client_id: d.client_id,
|
|
236
236
|
redirect_uri: d.redirect_uri,
|
|
@@ -254,7 +254,7 @@ class ce {
|
|
|
254
254
|
return {
|
|
255
255
|
ok: !0,
|
|
256
256
|
authorizationNeeded: {
|
|
257
|
-
user:
|
|
257
|
+
user: i.locals.user,
|
|
258
258
|
response_type: d.response_type,
|
|
259
259
|
client_id: d.client_id,
|
|
260
260
|
client_name: C.client_name,
|
|
@@ -264,7 +264,7 @@ class ce {
|
|
|
264
264
|
state: d.state,
|
|
265
265
|
code_challenge: d.code_challenge,
|
|
266
266
|
code_challenge_method: d.code_challenge_method,
|
|
267
|
-
csrfToken:
|
|
267
|
+
csrfToken: i.locals.csrfToken
|
|
268
268
|
},
|
|
269
269
|
...this.baseEndpoint
|
|
270
270
|
};
|
|
@@ -280,12 +280,12 @@ class ce {
|
|
|
280
280
|
},
|
|
281
281
|
// load
|
|
282
282
|
actions: {
|
|
283
|
-
default: async (
|
|
283
|
+
default: async (i) => {
|
|
284
284
|
var h;
|
|
285
285
|
let c;
|
|
286
286
|
try {
|
|
287
287
|
var d = new b();
|
|
288
|
-
await d.loadData(
|
|
288
|
+
await d.loadData(i), c = d.toObject();
|
|
289
289
|
const g = d.getAsBoolean("authorized"), p = c.response_type, w = c.client_id, S = c.redirect_uri, C = c.scope, T = c.state, P = c.code_challenge, U = c.code_challenge_method;
|
|
290
290
|
let A;
|
|
291
291
|
if (g == null && (A = "authorized"), p ? w ? S ? T || (A = "state") : A = "redirect_uri" : A = "client_id" : A = "response_type", A)
|
|
@@ -294,12 +294,12 @@ class ce {
|
|
|
294
294
|
error: "invalid_request",
|
|
295
295
|
error_description: "Invalid form: does not contain " + A + " parameter"
|
|
296
296
|
};
|
|
297
|
-
if (!
|
|
297
|
+
if (!i.locals.user) return this.redirect(
|
|
298
298
|
302,
|
|
299
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
299
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
300
300
|
);
|
|
301
|
-
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !
|
|
302
|
-
const z = await this.authorize(
|
|
301
|
+
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !i.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
302
|
+
const z = await this.authorize(i, g ?? !1, {
|
|
303
303
|
responseType: p,
|
|
304
304
|
client_id: w,
|
|
305
305
|
redirect_uri: S,
|
|
@@ -326,7 +326,7 @@ class ce {
|
|
|
326
326
|
}
|
|
327
327
|
}
|
|
328
328
|
}, this.tokenEndpoint = {
|
|
329
|
-
post: async (
|
|
329
|
+
post: async (i) => {
|
|
330
330
|
let c;
|
|
331
331
|
try {
|
|
332
332
|
if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode) || this.authServer.validFlows.includes(_.ClientCredentials) || this.authServer.validFlows.includes(_.RefreshToken) || this.authServer.validFlows.includes(_.Password) || this.authServer.validFlows.includes(_.PasswordMfa || this.authServer.validFlows.includes(_.DeviceCode))))
|
|
@@ -336,12 +336,12 @@ class ce {
|
|
|
336
336
|
error_description: "Token endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
337
337
|
}, { status: 500 });
|
|
338
338
|
var d = new b();
|
|
339
|
-
await d.loadData(
|
|
340
|
-
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c,
|
|
341
|
-
let p = c.refresh_token, w =
|
|
339
|
+
await d.loadData(i), c = d.toObject();
|
|
340
|
+
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c, i);
|
|
341
|
+
let p = c.refresh_token, w = i.cookies.get(this.refreshTokenCookieName);
|
|
342
342
|
if ((this.refreshTokenType == "cookie" && w || this.refreshTokenType == "both" && w && p == null) && this.csrfTokens) {
|
|
343
|
-
const C =
|
|
344
|
-
let T =
|
|
343
|
+
const C = i.cookies.get(this.csrfTokens.cookieName);
|
|
344
|
+
let T = i.request.headers.get(this.csrfTokens.headerName.toLowerCase());
|
|
345
345
|
if (Array.isArray(T) && (T = T[0]), !C || !T)
|
|
346
346
|
return v({
|
|
347
347
|
ok: !1,
|
|
@@ -375,7 +375,7 @@ class ce {
|
|
|
375
375
|
refreshToken: p,
|
|
376
376
|
deviceCode: c.device_code
|
|
377
377
|
});
|
|
378
|
-
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(
|
|
378
|
+
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(i, S.refresh_token, S.expires_in), S.error == "authorization_pending")
|
|
379
379
|
return v(S);
|
|
380
380
|
if (S.error || !S.access_token) {
|
|
381
381
|
let C = "server_error", T = "Neither code nor error received when requestoing authorization";
|
|
@@ -393,10 +393,10 @@ class ce {
|
|
|
393
393
|
}
|
|
394
394
|
}
|
|
395
395
|
}, this.mfaAuthenticatorsEndpoint = {
|
|
396
|
-
get: async (
|
|
396
|
+
get: async (i) => {
|
|
397
397
|
try {
|
|
398
398
|
var c = new b();
|
|
399
|
-
return await c.loadData(
|
|
399
|
+
return await c.loadData(i), v(await this.mfaAuthenticators(i));
|
|
400
400
|
} catch (d) {
|
|
401
401
|
const h = n.asCrossauthError(d);
|
|
402
402
|
return l.logger.debug({ err: d }), l.logger.error({ cerr: d }), v({
|
|
@@ -405,11 +405,11 @@ class ce {
|
|
|
405
405
|
});
|
|
406
406
|
}
|
|
407
407
|
},
|
|
408
|
-
post: async (
|
|
408
|
+
post: async (i) => {
|
|
409
409
|
try {
|
|
410
410
|
var c = new b();
|
|
411
|
-
await c.loadData(
|
|
412
|
-
let d = await this.mfaAuthenticators(
|
|
411
|
+
await c.loadData(i);
|
|
412
|
+
let d = await this.mfaAuthenticators(i), h = 200;
|
|
413
413
|
return !Array.isArray(d) && d.error == "access_denied" ? h = 401 : !Array.isArray(d) && d.error && (h = 500), v(d, { status: h });
|
|
414
414
|
} catch (d) {
|
|
415
415
|
const h = n.asCrossauthError(d);
|
|
@@ -420,11 +420,11 @@ class ce {
|
|
|
420
420
|
}
|
|
421
421
|
}
|
|
422
422
|
}, this.mfaChallengeEndpoint = {
|
|
423
|
-
post: async (
|
|
423
|
+
post: async (i) => {
|
|
424
424
|
try {
|
|
425
425
|
var c = new b();
|
|
426
|
-
await c.loadData(
|
|
427
|
-
const d = await this.mfaChallenge(
|
|
426
|
+
await c.loadData(i);
|
|
427
|
+
const d = await this.mfaChallenge(i);
|
|
428
428
|
let h = 200;
|
|
429
429
|
return d.error == "access_denied" ? h = 401 : d.error && (h = 500), v(d, { status: h });
|
|
430
430
|
} catch (d) {
|
|
@@ -436,7 +436,7 @@ class ce {
|
|
|
436
436
|
}
|
|
437
437
|
}
|
|
438
438
|
}, this.deviceAuthorizationEndpoint = {
|
|
439
|
-
post: async (
|
|
439
|
+
post: async (i) => {
|
|
440
440
|
let c;
|
|
441
441
|
try {
|
|
442
442
|
if (!this.authServer.validFlows.includes(_.DeviceCode))
|
|
@@ -446,8 +446,8 @@ class ce {
|
|
|
446
446
|
error_description: "Device authorization endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
447
447
|
});
|
|
448
448
|
var d = new b();
|
|
449
|
-
await d.loadData(
|
|
450
|
-
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c,
|
|
449
|
+
await d.loadData(i), c = d.toObject();
|
|
450
|
+
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c, i), p = await this.authServer.deviceAuthorizationEndpoint({
|
|
451
451
|
client_id: h,
|
|
452
452
|
client_secret: g,
|
|
453
453
|
scope: c.scope
|
|
@@ -474,31 +474,31 @@ class ce {
|
|
|
474
474
|
}
|
|
475
475
|
}
|
|
476
476
|
}, this.deviceEndpoint = {
|
|
477
|
-
load: async (
|
|
477
|
+
load: async (i) => {
|
|
478
478
|
if (!this.authServer.validFlows.includes(_.DeviceCode))
|
|
479
479
|
throw this.error(401, "device cannot be called because the device code flow is not supported");
|
|
480
|
-
if (!
|
|
480
|
+
if (!i.locals.user) return this.redirect(
|
|
481
481
|
302,
|
|
482
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
482
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
483
483
|
);
|
|
484
|
-
let c =
|
|
485
|
-
return c ? await this.applyUserCode(c,
|
|
484
|
+
let c = i.url.searchParams.get("user_code");
|
|
485
|
+
return c ? await this.applyUserCode(c, i, i.locals.user) : {
|
|
486
486
|
ok: !0,
|
|
487
487
|
completed: !1,
|
|
488
488
|
retryAllowed: !0,
|
|
489
|
-
user:
|
|
490
|
-
csrfToken:
|
|
489
|
+
user: i.locals.user,
|
|
490
|
+
csrfToken: i.locals.csrfToken
|
|
491
491
|
};
|
|
492
492
|
},
|
|
493
493
|
// load
|
|
494
494
|
actions: {
|
|
495
|
-
userCode: async (
|
|
496
|
-
if (!
|
|
495
|
+
userCode: async (i) => {
|
|
496
|
+
if (!i.locals.user) throw this.error(401, "Access Denied");
|
|
497
497
|
try {
|
|
498
498
|
var c = new b();
|
|
499
|
-
await c.loadData(
|
|
499
|
+
await c.loadData(i);
|
|
500
500
|
const d = c.get("user_code");
|
|
501
|
-
return d ? await this.applyUserCode(d,
|
|
501
|
+
return d ? await this.applyUserCode(d, i, i.locals.user) : {
|
|
502
502
|
ok: !1,
|
|
503
503
|
completed: !1,
|
|
504
504
|
retryAllowed: !0,
|
|
@@ -517,12 +517,12 @@ class ce {
|
|
|
517
517
|
};
|
|
518
518
|
}
|
|
519
519
|
},
|
|
520
|
-
authorize: async (
|
|
520
|
+
authorize: async (i) => {
|
|
521
521
|
var h;
|
|
522
522
|
let c;
|
|
523
523
|
try {
|
|
524
524
|
var d = new b();
|
|
525
|
-
await d.loadData(
|
|
525
|
+
await d.loadData(i), c = d.toObject();
|
|
526
526
|
const g = d.getAsBoolean("authorized"), p = c.scope, w = c.client_id, S = c.user_code;
|
|
527
527
|
let C;
|
|
528
528
|
if (g == null && (C = "authorized"), w == null && (C = "client_id"), S == null && (C = "user_code"), C)
|
|
@@ -533,18 +533,18 @@ class ce {
|
|
|
533
533
|
error: "invalid_request",
|
|
534
534
|
error_description: "Invalid form: does not contain " + C + " parameter"
|
|
535
535
|
};
|
|
536
|
-
if (!
|
|
536
|
+
if (!i.locals.user) return this.redirect(
|
|
537
537
|
302,
|
|
538
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
538
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
539
539
|
);
|
|
540
|
-
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !
|
|
541
|
-
return (await this.authServer.validateAndPersistScope(w, p,
|
|
540
|
+
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !i.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
541
|
+
return (await this.authServer.validateAndPersistScope(w, p, i.locals.user)).error ? {
|
|
542
542
|
ok: !1,
|
|
543
543
|
completed: !1,
|
|
544
544
|
retryAllowed: !1,
|
|
545
545
|
error: "unauthorized_client",
|
|
546
546
|
error_description: "You did not authorize access to your account"
|
|
547
|
-
} : await this.applyUserCode(S,
|
|
547
|
+
} : await this.applyUserCode(S, i, i.locals.user);
|
|
548
548
|
} catch (g) {
|
|
549
549
|
if (m.isSvelteKitError(g) || m.isSvelteKitRedirect(g)) throw g;
|
|
550
550
|
let p = n.asCrossauthError(g, "Couldn't process authorization code");
|
|
@@ -563,7 +563,7 @@ class ce {
|
|
|
563
563
|
s,
|
|
564
564
|
e,
|
|
565
565
|
t
|
|
566
|
-
), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("refreshTokenType", E.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((
|
|
566
|
+
), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("refreshTokenType", E.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((a = this.svelteKitServer.sessionServer) == null ? void 0 : a.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(t.doubleSubmitCookieOptions));
|
|
567
567
|
}
|
|
568
568
|
/**
|
|
569
569
|
* Returns this server's OIDC configuration. Just wraps
|
|
@@ -585,8 +585,8 @@ class ce {
|
|
|
585
585
|
responseType: s,
|
|
586
586
|
client_id: e,
|
|
587
587
|
redirect_uri: t,
|
|
588
|
-
scope:
|
|
589
|
-
state:
|
|
588
|
+
scope: a,
|
|
589
|
+
state: i,
|
|
590
590
|
codeChallenge: c,
|
|
591
591
|
codeChallengeMethod: d
|
|
592
592
|
}) {
|
|
@@ -596,8 +596,8 @@ class ce {
|
|
|
596
596
|
responseType: s,
|
|
597
597
|
client_id: e,
|
|
598
598
|
redirect_uri: t,
|
|
599
|
-
scope:
|
|
600
|
-
state:
|
|
599
|
+
scope: a,
|
|
600
|
+
state: i,
|
|
601
601
|
codeChallenge: c,
|
|
602
602
|
codeChallengeMethod: d,
|
|
603
603
|
user: r.locals.user
|
|
@@ -616,7 +616,7 @@ class ce {
|
|
|
616
616
|
throw this.redirect(302, this.authServer.redirect_uri(
|
|
617
617
|
t,
|
|
618
618
|
p,
|
|
619
|
-
|
|
619
|
+
i
|
|
620
620
|
));
|
|
621
621
|
} else {
|
|
622
622
|
const w = new n(
|
|
@@ -690,13 +690,13 @@ class ce {
|
|
|
690
690
|
if (o = this.requireGetParam(r, "client_id"), o) return { error: o };
|
|
691
691
|
if (o = this.requireGetParam(r, "redirect_uri"), o) return { error: o };
|
|
692
692
|
if (o = this.requireGetParam(r, "state"), o) return { error: o };
|
|
693
|
-
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "",
|
|
693
|
+
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "", a = r.url.searchParams.get("scope") ?? void 0, i = r.url.searchParams.get("state") ?? "", c = r.url.searchParams.get("code_challenge") ?? void 0, d = r.url.searchParams.get("code_challenge_method") ?? void 0;
|
|
694
694
|
return { query: {
|
|
695
695
|
response_type: s,
|
|
696
696
|
client_id: e,
|
|
697
697
|
redirect_uri: t,
|
|
698
|
-
scope:
|
|
699
|
-
state:
|
|
698
|
+
scope: a,
|
|
699
|
+
state: i,
|
|
700
700
|
code_challenge: c,
|
|
701
701
|
code_challenge_method: d
|
|
702
702
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
@@ -710,18 +710,18 @@ class ce {
|
|
|
710
710
|
if (e = this.requireBodyParam(s, "challenge_type"), e) return { error: e };
|
|
711
711
|
if (e = this.requireBodyParam(s, "mfa_token"), e) return { error: e };
|
|
712
712
|
if (e = this.requireBodyParam(s, "authenticator_id"), e) return { error: e };
|
|
713
|
-
const t = s.client_id ?? "",
|
|
713
|
+
const t = s.client_id ?? "", a = s.challenge_type ?? "", i = s.mfa_token ?? "", c = s.authenticator_id ?? "", d = s.client_secret ?? void 0;
|
|
714
714
|
return { query: {
|
|
715
715
|
client_id: t,
|
|
716
716
|
client_secret: d,
|
|
717
|
-
challenge_type:
|
|
718
|
-
mfa_token:
|
|
717
|
+
challenge_type: a,
|
|
718
|
+
mfa_token: i,
|
|
719
719
|
authenticator_id: c
|
|
720
720
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
721
721
|
}
|
|
722
722
|
async mfaAuthenticators(r) {
|
|
723
|
-
var
|
|
724
|
-
const o = (
|
|
723
|
+
var a;
|
|
724
|
+
const o = (a = r.request.headers.get("authorization")) == null ? void 0 : a.split(" ");
|
|
725
725
|
if (!o || o.length != 2)
|
|
726
726
|
return {
|
|
727
727
|
error: "access_denied",
|
|
@@ -752,31 +752,31 @@ class ce {
|
|
|
752
752
|
let s = r.client_id, e = r.client_secret;
|
|
753
753
|
const t = o.request.headers.get("authorization");
|
|
754
754
|
if (t) {
|
|
755
|
-
let
|
|
755
|
+
let a, i;
|
|
756
756
|
const c = t.split(" ");
|
|
757
757
|
if (c.length == 2 && c[0].toLocaleLowerCase() == "basic") {
|
|
758
758
|
const h = F.base64Decode(c[1]).split(":", 2);
|
|
759
|
-
h.length == 2 && (
|
|
759
|
+
h.length == 2 && (a = h[0], i = h[1]);
|
|
760
760
|
}
|
|
761
|
-
|
|
761
|
+
a == null || i == null ? l.logger.warn(f({
|
|
762
762
|
msg: "Ignoring malform authenization header " + t
|
|
763
|
-
})) : (s =
|
|
763
|
+
})) : (s = a, e = i);
|
|
764
764
|
}
|
|
765
765
|
return { client_id: s, client_secret: e };
|
|
766
766
|
}
|
|
767
767
|
async applyUserCode(r, o, s) {
|
|
768
|
-
var e, t,
|
|
768
|
+
var e, t, a;
|
|
769
769
|
try {
|
|
770
|
-
const
|
|
771
|
-
if (
|
|
770
|
+
const i = await this.authServer.deviceEndpoint({ userCode: r, user: s });
|
|
771
|
+
if (i.error)
|
|
772
772
|
return {
|
|
773
773
|
ok: !1,
|
|
774
774
|
completed: !1,
|
|
775
775
|
retryAllowed: !1,
|
|
776
|
-
error:
|
|
777
|
-
error_description:
|
|
776
|
+
error: i.error,
|
|
777
|
+
error_description: i.error_description
|
|
778
778
|
};
|
|
779
|
-
if (!
|
|
779
|
+
if (!i.client_id)
|
|
780
780
|
return l.logger.error(f({ msg: "No client id found for user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
|
|
781
781
|
ok: !1,
|
|
782
782
|
completed: !1,
|
|
@@ -784,33 +784,33 @@ class ce {
|
|
|
784
784
|
error: "server_error",
|
|
785
785
|
error_description: "No client id found for user code"
|
|
786
786
|
};
|
|
787
|
-
if (
|
|
787
|
+
if (i.error == "access_denied")
|
|
788
788
|
return l.logger.error(f({ msg: "Incorrect user code given", userCodeHash: F.hash(r), ip: o.request.referrer, username: (t = o.locals.user) == null ? void 0 : t.username })), this.authServer.userCodeThrottle > 0 && await ((h) => new Promise((g) => setTimeout(g, h)))(this.authServer.userCodeThrottle), {
|
|
789
789
|
ok: !1,
|
|
790
790
|
completed: !1,
|
|
791
791
|
retryAllowed: !0,
|
|
792
|
-
error:
|
|
793
|
-
error_description:
|
|
792
|
+
error: i.error,
|
|
793
|
+
error_description: i.error_description
|
|
794
794
|
};
|
|
795
|
-
if (
|
|
796
|
-
return l.logger.error(f({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (
|
|
795
|
+
if (i.error == "expired_token")
|
|
796
|
+
return l.logger.error(f({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (a = o.locals.user) == null ? void 0 : a.username })), {
|
|
797
797
|
ok: !1,
|
|
798
798
|
completed: !1,
|
|
799
799
|
retryAllowed: !1,
|
|
800
|
-
error:
|
|
801
|
-
error_description:
|
|
800
|
+
error: i.error,
|
|
801
|
+
error_description: i.error_description
|
|
802
802
|
};
|
|
803
|
-
const c = await this.clientStorage.getClientById(
|
|
804
|
-
return
|
|
803
|
+
const c = await this.clientStorage.getClientById(i.client_id);
|
|
804
|
+
return i.scopeAuthorizationNeeded ? {
|
|
805
805
|
ok: !0,
|
|
806
806
|
completed: !1,
|
|
807
807
|
retryAllowed: !0,
|
|
808
808
|
authorizationNeeded: {
|
|
809
809
|
user: s,
|
|
810
|
-
client_id:
|
|
810
|
+
client_id: i.client_id,
|
|
811
811
|
client_name: c.client_name,
|
|
812
|
-
scope:
|
|
813
|
-
scopes:
|
|
812
|
+
scope: i.scope,
|
|
813
|
+
scopes: i.scope ? i.scope.split(" ") : [],
|
|
814
814
|
csrfToken: o.locals.csrfToken
|
|
815
815
|
},
|
|
816
816
|
user: o.locals.user,
|
|
@@ -823,8 +823,8 @@ class ce {
|
|
|
823
823
|
user: o.locals.user,
|
|
824
824
|
csrfToken: o.locals.csrfToken
|
|
825
825
|
};
|
|
826
|
-
} catch (
|
|
827
|
-
const c = n.asCrossauthError(
|
|
826
|
+
} catch (i) {
|
|
827
|
+
const c = n.asCrossauthError(i);
|
|
828
828
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ msg: c.message, cerr: c })), {
|
|
829
829
|
ok: !1,
|
|
830
830
|
completed: !1,
|
|
@@ -931,8 +931,8 @@ async function j(k, r, o) {
|
|
|
931
931
|
);
|
|
932
932
|
let s = k.expires_in;
|
|
933
933
|
if (!s && k.access_token && r.jwtTokens.includes("access")) {
|
|
934
|
-
const
|
|
935
|
-
|
|
934
|
+
const a = M(k.access_token);
|
|
935
|
+
a.exp && (s = a.exp);
|
|
936
936
|
}
|
|
937
937
|
if (!s)
|
|
938
938
|
throw new n(
|
|
@@ -942,8 +942,8 @@ async function j(k, r, o) {
|
|
|
942
942
|
const e = Date.now() + s * 1e3;
|
|
943
943
|
let t = { ...k, expires_at: e };
|
|
944
944
|
if ("id_token" in k) {
|
|
945
|
-
let
|
|
946
|
-
|
|
945
|
+
let a = k.id_payload ?? O(k.id_token);
|
|
946
|
+
a && (t.id_payload = a);
|
|
947
947
|
}
|
|
948
948
|
await r.storeSessionData(o, t);
|
|
949
949
|
}
|
|
@@ -965,8 +965,8 @@ async function de(k, r, o, s, e) {
|
|
|
965
965
|
if (!s) return r.redirect(302, r.authorizedUrl);
|
|
966
966
|
} catch (t) {
|
|
967
967
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
968
|
-
const
|
|
969
|
-
return l.logger.debug(f({ err:
|
|
968
|
+
const a = n.asCrossauthError(t);
|
|
969
|
+
return l.logger.debug(f({ err: a })), l.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), r.errorFn(r.server, o, a);
|
|
970
970
|
}
|
|
971
971
|
}
|
|
972
972
|
async function he(k, r, o, s, e) {
|
|
@@ -987,8 +987,8 @@ async function he(k, r, o, s, e) {
|
|
|
987
987
|
return v({ ok: !0, ...k });
|
|
988
988
|
} catch (t) {
|
|
989
989
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
990
|
-
const
|
|
991
|
-
return l.logger.debug(f({ err:
|
|
990
|
+
const a = n.asCrossauthError(t);
|
|
991
|
+
return l.logger.debug(f({ err: a })), l.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), r.errorFn(r.server, o, a);
|
|
992
992
|
}
|
|
993
993
|
}
|
|
994
994
|
async function ue(k, r, o, s, e) {
|
|
@@ -1008,11 +1008,11 @@ async function ue(k, r, o, s, e) {
|
|
|
1008
1008
|
return r.jwtTokens.includes("id") && (t.id_payload = k.id_payload ?? O(k.id_token)), t.id_payload && await e(o, t.id_payload), t;
|
|
1009
1009
|
} catch (t) {
|
|
1010
1010
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
1011
|
-
const
|
|
1012
|
-
return l.logger.debug(f({ err:
|
|
1011
|
+
const a = n.asCrossauthError(t);
|
|
1012
|
+
return l.logger.debug(f({ err: a })), l.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), {
|
|
1013
1013
|
ok: !1,
|
|
1014
|
-
error:
|
|
1015
|
-
error_description:
|
|
1014
|
+
error: a.oauthErrorCode,
|
|
1015
|
+
error_description: a.message
|
|
1016
1016
|
};
|
|
1017
1017
|
}
|
|
1018
1018
|
}
|
|
@@ -1063,9 +1063,9 @@ class G extends re {
|
|
|
1063
1063
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1064
1064
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1065
1065
|
t == "" && (t = void 0);
|
|
1066
|
-
const
|
|
1067
|
-
await this.storeSessionData(e,
|
|
1068
|
-
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(
|
|
1066
|
+
const a = this.randomValue(this.stateLength), i = { scope: t, state: a };
|
|
1067
|
+
await this.storeSessionData(e, i);
|
|
1068
|
+
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(a, t);
|
|
1069
1069
|
if (d || !c) {
|
|
1070
1070
|
const g = n.fromOAuthError(
|
|
1071
1071
|
d ?? "server_error",
|
|
@@ -1078,8 +1078,8 @@ class G extends re {
|
|
|
1078
1078
|
})), this.redirect(302, c);
|
|
1079
1079
|
} catch (t) {
|
|
1080
1080
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1081
|
-
const
|
|
1082
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e,
|
|
1081
|
+
const a = n.asCrossauthError(t);
|
|
1082
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e, a);
|
|
1083
1083
|
}
|
|
1084
1084
|
},
|
|
1085
1085
|
load: async (e) => {
|
|
@@ -1107,9 +1107,9 @@ class G extends re {
|
|
|
1107
1107
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1108
1108
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1109
1109
|
t == "" && (t = void 0);
|
|
1110
|
-
const
|
|
1111
|
-
await this.storeSessionData(e,
|
|
1112
|
-
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(
|
|
1110
|
+
const a = this.randomValue(this.stateLength), i = { scope: t, state: a };
|
|
1111
|
+
await this.storeSessionData(e, i);
|
|
1112
|
+
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(a, t);
|
|
1113
1113
|
if (d || !c) {
|
|
1114
1114
|
const g = n.fromOAuthError(
|
|
1115
1115
|
d ?? "server_error",
|
|
@@ -1126,11 +1126,11 @@ class G extends re {
|
|
|
1126
1126
|
})), this.redirect(302, c);
|
|
1127
1127
|
} catch (t) {
|
|
1128
1128
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1129
|
-
const
|
|
1129
|
+
const a = n.asCrossauthError(t);
|
|
1130
1130
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1131
1131
|
ok: !1,
|
|
1132
|
-
error:
|
|
1133
|
-
error_description:
|
|
1132
|
+
error: a.oauthErrorCode,
|
|
1133
|
+
error_description: a.message
|
|
1134
1134
|
};
|
|
1135
1135
|
}
|
|
1136
1136
|
}
|
|
@@ -1149,9 +1149,9 @@ class G extends re {
|
|
|
1149
1149
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1150
1150
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1151
1151
|
t == "" && (t = void 0);
|
|
1152
|
-
const
|
|
1152
|
+
const a = this.randomValue(this.stateLength), { codeChallenge: i, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: a, codeChallenge: i, codeVerifier: c };
|
|
1153
1153
|
await this.storeSessionData(e, d);
|
|
1154
|
-
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(
|
|
1154
|
+
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(a, t, i, !0);
|
|
1155
1155
|
if (g || !h) {
|
|
1156
1156
|
const w = n.fromOAuthError(
|
|
1157
1157
|
g ?? "server_error",
|
|
@@ -1164,11 +1164,11 @@ class G extends re {
|
|
|
1164
1164
|
})), this.redirect(302, h);
|
|
1165
1165
|
} catch (t) {
|
|
1166
1166
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1167
|
-
const
|
|
1167
|
+
const a = n.asCrossauthError(t);
|
|
1168
1168
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), v({
|
|
1169
|
-
error:
|
|
1170
|
-
error_description:
|
|
1171
|
-
}, { status:
|
|
1169
|
+
error: a.oauthErrorCode,
|
|
1170
|
+
error_description: a.message
|
|
1171
|
+
}, { status: a.httpStatus });
|
|
1172
1172
|
}
|
|
1173
1173
|
},
|
|
1174
1174
|
load: async (e) => {
|
|
@@ -1196,9 +1196,9 @@ class G extends re {
|
|
|
1196
1196
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1197
1197
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1198
1198
|
t == "" && (t = void 0);
|
|
1199
|
-
const
|
|
1199
|
+
const a = this.randomValue(this.stateLength), { codeChallenge: i, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: a, codeChallenge: i, codeVerifier: c };
|
|
1200
1200
|
await this.storeSessionData(e, d);
|
|
1201
|
-
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(
|
|
1201
|
+
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(a, t, i, !0);
|
|
1202
1202
|
if (g || !h) {
|
|
1203
1203
|
const w = n.fromOAuthError(
|
|
1204
1204
|
g ?? "server_error",
|
|
@@ -1215,11 +1215,11 @@ class G extends re {
|
|
|
1215
1215
|
})), this.redirect(302, h);
|
|
1216
1216
|
} catch (t) {
|
|
1217
1217
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1218
|
-
const
|
|
1218
|
+
const a = n.asCrossauthError(t);
|
|
1219
1219
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1220
1220
|
ok: !1,
|
|
1221
|
-
error:
|
|
1222
|
-
error_description:
|
|
1221
|
+
error: a.oauthErrorCode,
|
|
1222
|
+
error_description: a.message
|
|
1223
1223
|
};
|
|
1224
1224
|
}
|
|
1225
1225
|
}
|
|
@@ -1227,8 +1227,8 @@ class G extends re {
|
|
|
1227
1227
|
get: async (e) => {
|
|
1228
1228
|
var t;
|
|
1229
1229
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1230
|
-
const
|
|
1231
|
-
return this.errorFn(this.server, e,
|
|
1230
|
+
const a = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1231
|
+
return this.errorFn(this.server, e, a);
|
|
1232
1232
|
}
|
|
1233
1233
|
try {
|
|
1234
1234
|
if (!(this.validFlows.includes(_.AuthorizationCode) || this.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.validFlows.includes(_.OidcAuthorizationCode))) {
|
|
@@ -1236,11 +1236,11 @@ class G extends re {
|
|
|
1236
1236
|
return this.errorFn(this.server, e, p);
|
|
1237
1237
|
}
|
|
1238
1238
|
l.logger.debug(f({ msg: "redirectUriEndpoint, token response type " + this.tokenResponseType }));
|
|
1239
|
-
const
|
|
1240
|
-
if ((h == null ? void 0 : h.state) !=
|
|
1239
|
+
const a = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, h = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1240
|
+
if ((h == null ? void 0 : h.state) != i)
|
|
1241
1241
|
throw new n(u.Unauthorized, "State does not match");
|
|
1242
1242
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1243
|
-
|
|
1243
|
+
a,
|
|
1244
1244
|
h == null ? void 0 : h.scope,
|
|
1245
1245
|
h == null ? void 0 : h.codeVerifier,
|
|
1246
1246
|
c,
|
|
@@ -1265,10 +1265,10 @@ class G extends re {
|
|
|
1265
1265
|
!1,
|
|
1266
1266
|
this.setEventLocalsUser
|
|
1267
1267
|
);
|
|
1268
|
-
} catch (
|
|
1269
|
-
if (m.isSvelteKitRedirect(
|
|
1270
|
-
const
|
|
1271
|
-
return l.logger.debug({ err:
|
|
1268
|
+
} catch (a) {
|
|
1269
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1270
|
+
const i = n.asCrossauthError(a);
|
|
1271
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), this.errorFn(this.server, e, i);
|
|
1272
1272
|
}
|
|
1273
1273
|
},
|
|
1274
1274
|
load: async (e) => {
|
|
@@ -1277,11 +1277,11 @@ class G extends re {
|
|
|
1277
1277
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1278
1278
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1279
1279
|
) {
|
|
1280
|
-
const
|
|
1280
|
+
const a = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use get not load");
|
|
1281
1281
|
return {
|
|
1282
1282
|
ok: !1,
|
|
1283
|
-
error:
|
|
1284
|
-
error_description:
|
|
1283
|
+
error: a.oauthErrorCode,
|
|
1284
|
+
error_description: a.message
|
|
1285
1285
|
};
|
|
1286
1286
|
}
|
|
1287
1287
|
try {
|
|
@@ -1293,11 +1293,11 @@ class G extends re {
|
|
|
1293
1293
|
error_description: w.message
|
|
1294
1294
|
};
|
|
1295
1295
|
}
|
|
1296
|
-
const
|
|
1297
|
-
if ((h == null ? void 0 : h.state) !=
|
|
1296
|
+
const a = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, h = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1297
|
+
if ((h == null ? void 0 : h.state) != i)
|
|
1298
1298
|
throw new n(u.Unauthorized, "State does not match");
|
|
1299
1299
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1300
|
-
|
|
1300
|
+
a,
|
|
1301
1301
|
h == null ? void 0 : h.scope,
|
|
1302
1302
|
h == null ? void 0 : h.codeVerifier,
|
|
1303
1303
|
c,
|
|
@@ -1341,21 +1341,21 @@ class G extends re {
|
|
|
1341
1341
|
} : {
|
|
1342
1342
|
...p
|
|
1343
1343
|
};
|
|
1344
|
-
} catch (
|
|
1345
|
-
if (m.isSvelteKitRedirect(
|
|
1346
|
-
const
|
|
1347
|
-
return l.logger.debug({ err:
|
|
1344
|
+
} catch (a) {
|
|
1345
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1346
|
+
const i = n.asCrossauthError(a);
|
|
1347
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), {
|
|
1348
1348
|
ok: !1,
|
|
1349
|
-
error:
|
|
1350
|
-
error_description:
|
|
1349
|
+
error: i.oauthErrorCode,
|
|
1350
|
+
error_description: i.message
|
|
1351
1351
|
};
|
|
1352
1352
|
}
|
|
1353
1353
|
}
|
|
1354
1354
|
}, this.clientCredentialsFlowEndpoint = {
|
|
1355
1355
|
post: async (e) => {
|
|
1356
1356
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1357
|
-
const
|
|
1358
|
-
return this.errorFn(this.server, e,
|
|
1357
|
+
const i = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1358
|
+
return this.errorFn(this.server, e, i);
|
|
1359
1359
|
}
|
|
1360
1360
|
let t;
|
|
1361
1361
|
try {
|
|
@@ -1363,13 +1363,13 @@ class G extends re {
|
|
|
1363
1363
|
const d = new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1364
1364
|
return this.errorFn(this.server, e, d);
|
|
1365
1365
|
}
|
|
1366
|
-
var
|
|
1367
|
-
await
|
|
1368
|
-
const
|
|
1369
|
-
if (
|
|
1366
|
+
var a = new b();
|
|
1367
|
+
await a.loadData(e), t = a.toObject();
|
|
1368
|
+
const i = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1369
|
+
if (i.error) {
|
|
1370
1370
|
const d = n.fromOAuthError(
|
|
1371
|
-
|
|
1372
|
-
|
|
1371
|
+
i.error,
|
|
1372
|
+
i.error_description
|
|
1373
1373
|
);
|
|
1374
1374
|
return await this.errorFn(
|
|
1375
1375
|
this.server,
|
|
@@ -1378,17 +1378,17 @@ class G extends re {
|
|
|
1378
1378
|
);
|
|
1379
1379
|
}
|
|
1380
1380
|
const c = await this.receiveTokenFn(
|
|
1381
|
-
|
|
1381
|
+
i,
|
|
1382
1382
|
this,
|
|
1383
1383
|
e,
|
|
1384
1384
|
!1,
|
|
1385
1385
|
this.setEventLocalsUser
|
|
1386
1386
|
);
|
|
1387
1387
|
return c instanceof Response ? c : this.pack(c);
|
|
1388
|
-
} catch (
|
|
1389
|
-
if (m.isSvelteKitRedirect(
|
|
1390
|
-
const c = n.asCrossauthError(
|
|
1391
|
-
return l.logger.debug({ err:
|
|
1388
|
+
} catch (i) {
|
|
1389
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1390
|
+
const c = n.asCrossauthError(i);
|
|
1391
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), this.errorFn(this.server, e, c);
|
|
1392
1392
|
}
|
|
1393
1393
|
},
|
|
1394
1394
|
actions: {
|
|
@@ -1402,25 +1402,25 @@ class G extends re {
|
|
|
1402
1402
|
try {
|
|
1403
1403
|
if (!this.validFlows.includes(_.ClientCredentials))
|
|
1404
1404
|
throw new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1405
|
-
var
|
|
1406
|
-
await
|
|
1407
|
-
const
|
|
1408
|
-
if (
|
|
1405
|
+
var a = new b();
|
|
1406
|
+
await a.loadData(e), t = a.toObject();
|
|
1407
|
+
const i = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1408
|
+
if (i.error)
|
|
1409
1409
|
throw n.fromOAuthError(
|
|
1410
|
-
|
|
1411
|
-
|
|
1410
|
+
i.error,
|
|
1411
|
+
i.error_description
|
|
1412
1412
|
);
|
|
1413
1413
|
return await this.receiveTokenFn(
|
|
1414
|
-
|
|
1414
|
+
i,
|
|
1415
1415
|
this,
|
|
1416
1416
|
e,
|
|
1417
1417
|
!1,
|
|
1418
1418
|
this.setEventLocalsUser
|
|
1419
1419
|
) ?? {};
|
|
1420
|
-
} catch (
|
|
1421
|
-
if (m.isSvelteKitRedirect(
|
|
1422
|
-
const c = n.asCrossauthError(
|
|
1423
|
-
return l.logger.debug({ err:
|
|
1420
|
+
} catch (i) {
|
|
1421
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1422
|
+
const c = n.asCrossauthError(i);
|
|
1423
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), {
|
|
1424
1424
|
ok: !1,
|
|
1425
1425
|
error: c.oauthErrorCode,
|
|
1426
1426
|
error_description: c.message
|
|
@@ -1431,8 +1431,8 @@ class G extends re {
|
|
|
1431
1431
|
}, this.refreshTokenFlowEndpoint = {
|
|
1432
1432
|
post: async (e) => {
|
|
1433
1433
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1434
|
-
const
|
|
1435
|
-
return this.errorFn(this.server, e,
|
|
1434
|
+
const i = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1435
|
+
return this.errorFn(this.server, e, i);
|
|
1436
1436
|
}
|
|
1437
1437
|
let t;
|
|
1438
1438
|
try {
|
|
@@ -1440,8 +1440,8 @@ class G extends re {
|
|
|
1440
1440
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1441
1441
|
return this.errorFn(this.server, e, h);
|
|
1442
1442
|
}
|
|
1443
|
-
var
|
|
1444
|
-
if (await
|
|
1443
|
+
var a = new b();
|
|
1444
|
+
if (await a.loadData(e), t = a.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1445
1445
|
try {
|
|
1446
1446
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1447
1447
|
throw new n(u.InvalidCsrf);
|
|
@@ -1450,8 +1450,8 @@ class G extends re {
|
|
|
1450
1450
|
const g = new n(u.Unauthorized, "CSRF token not present");
|
|
1451
1451
|
return this.errorFn(this.server, e, g);
|
|
1452
1452
|
}
|
|
1453
|
-
let
|
|
1454
|
-
if (!
|
|
1453
|
+
let i = t.refresh_token;
|
|
1454
|
+
if (!i && this.server.sessionAdapter) {
|
|
1455
1455
|
const h = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1456
1456
|
if (!(h != null && h.refresh_token)) {
|
|
1457
1457
|
const g = new n(
|
|
@@ -1460,16 +1460,16 @@ class G extends re {
|
|
|
1460
1460
|
);
|
|
1461
1461
|
return this.errorFn(this.server, e, g);
|
|
1462
1462
|
}
|
|
1463
|
-
|
|
1463
|
+
i = h.refresh_token;
|
|
1464
1464
|
}
|
|
1465
|
-
if (!
|
|
1465
|
+
if (!i) {
|
|
1466
1466
|
const h = new n(
|
|
1467
1467
|
u.BadRequest,
|
|
1468
1468
|
"No refresh token supplied"
|
|
1469
1469
|
);
|
|
1470
1470
|
return this.errorFn(this.server, e, h);
|
|
1471
1471
|
}
|
|
1472
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1472
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), d = await this.receiveTokenFn(
|
|
1473
1473
|
c,
|
|
1474
1474
|
this,
|
|
1475
1475
|
e,
|
|
@@ -1478,10 +1478,10 @@ class G extends re {
|
|
|
1478
1478
|
);
|
|
1479
1479
|
if (c && d instanceof Response) return d;
|
|
1480
1480
|
throw new n(u.UnknownError, "Receive token function did not return a Response");
|
|
1481
|
-
} catch (
|
|
1482
|
-
if (m.isSvelteKitRedirect(
|
|
1483
|
-
const c = n.asCrossauthError(
|
|
1484
|
-
return l.logger.debug({ err:
|
|
1481
|
+
} catch (i) {
|
|
1482
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1483
|
+
const c = n.asCrossauthError(i);
|
|
1484
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), this.errorFn(this.server, e, c);
|
|
1485
1485
|
}
|
|
1486
1486
|
},
|
|
1487
1487
|
actions: {
|
|
@@ -1497,30 +1497,30 @@ class G extends re {
|
|
|
1497
1497
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1498
1498
|
return this.errorFn(this.server, e, h);
|
|
1499
1499
|
}
|
|
1500
|
-
var
|
|
1501
|
-
if (await
|
|
1500
|
+
var a = new b();
|
|
1501
|
+
if (await a.loadData(e), t = a.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1502
1502
|
try {
|
|
1503
1503
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1504
1504
|
throw new n(u.InvalidCsrf);
|
|
1505
1505
|
} catch (h) {
|
|
1506
1506
|
throw m.isSvelteKitError(h) || m.isSvelteKitRedirect(h) ? h : new n(u.Unauthorized, "CSRF token not present");
|
|
1507
1507
|
}
|
|
1508
|
-
let
|
|
1509
|
-
if (!
|
|
1508
|
+
let i = t.refresh_token;
|
|
1509
|
+
if (!i && this.server.sessionAdapter) {
|
|
1510
1510
|
const h = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1511
1511
|
if (!(h != null && h.refresh_token))
|
|
1512
1512
|
throw new n(
|
|
1513
1513
|
u.BadRequest,
|
|
1514
1514
|
"No refresh token in session or in parameters"
|
|
1515
1515
|
);
|
|
1516
|
-
|
|
1516
|
+
i = h.refresh_token;
|
|
1517
1517
|
}
|
|
1518
|
-
if (!
|
|
1518
|
+
if (!i)
|
|
1519
1519
|
throw new n(
|
|
1520
1520
|
u.BadRequest,
|
|
1521
1521
|
"No refresh token supplied"
|
|
1522
1522
|
);
|
|
1523
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1523
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), d = await this.receiveTokenFn(
|
|
1524
1524
|
c,
|
|
1525
1525
|
this,
|
|
1526
1526
|
e,
|
|
@@ -1529,10 +1529,10 @@ class G extends re {
|
|
|
1529
1529
|
) ?? {};
|
|
1530
1530
|
if (d instanceof Response) throw new n(u.Configuration, "Refresh token flow should return an object not Response");
|
|
1531
1531
|
return d;
|
|
1532
|
-
} catch (
|
|
1533
|
-
if (m.isSvelteKitRedirect(
|
|
1534
|
-
const c = n.asCrossauthError(
|
|
1535
|
-
return l.logger.debug({ err:
|
|
1532
|
+
} catch (i) {
|
|
1533
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1534
|
+
const c = n.asCrossauthError(i);
|
|
1535
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), {
|
|
1536
1536
|
ok: !1,
|
|
1537
1537
|
error: c.oauthErrorCode,
|
|
1538
1538
|
error_description: c.message
|
|
@@ -1581,8 +1581,8 @@ class G extends re {
|
|
|
1581
1581
|
post: async (e) => {
|
|
1582
1582
|
const t = await this.startDeviceCodeFlow_internal(e);
|
|
1583
1583
|
if (t.error) {
|
|
1584
|
-
const
|
|
1585
|
-
return v(t, { status:
|
|
1584
|
+
const a = n.fromOAuthError(t.error, t.error_description);
|
|
1585
|
+
return v(t, { status: a.httpStatus });
|
|
1586
1586
|
}
|
|
1587
1587
|
return v(t);
|
|
1588
1588
|
}
|
|
@@ -1598,40 +1598,40 @@ class G extends re {
|
|
|
1598
1598
|
if (t instanceof Response) return t;
|
|
1599
1599
|
if (t == null) return new Response(null, { status: 204 });
|
|
1600
1600
|
if (t.error) {
|
|
1601
|
-
const
|
|
1602
|
-
return v(t, { status:
|
|
1601
|
+
const a = n.fromOAuthError(t.error, t.error_description);
|
|
1602
|
+
return v(t, { status: a.httpStatus });
|
|
1603
1603
|
}
|
|
1604
1604
|
return v(t);
|
|
1605
1605
|
}
|
|
1606
1606
|
}, this.passwordFlowEndpoint = {
|
|
1607
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1607
|
+
post: async (e) => await this.passwordFlow_post(e, (t, a) => this.passwordPost(t, a)),
|
|
1608
1608
|
actions: {
|
|
1609
|
-
password: async (e) => await this.passwordFlow_action(e, (t,
|
|
1610
|
-
passwordOtp: async (e) => await this.passwordFlow_action(e, (t,
|
|
1611
|
-
passwordOob: async (e) => await this.passwordFlow_action(e, (t,
|
|
1609
|
+
password: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordPost(t, a)),
|
|
1610
|
+
passwordOtp: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOtp(t, a)),
|
|
1611
|
+
passwordOob: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOob(t, a))
|
|
1612
1612
|
}
|
|
1613
1613
|
}, this.passwordOtpEndpoint = {
|
|
1614
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1614
|
+
post: async (e) => await this.passwordFlow_post(e, (t, a) => this.passwordOtp(t, a)),
|
|
1615
1615
|
actions: {
|
|
1616
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1616
|
+
default: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOtp(t, a))
|
|
1617
1617
|
}
|
|
1618
1618
|
}, this.passwordOobEndpoint = {
|
|
1619
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1619
|
+
post: async (e) => await this.passwordFlow_post(e, (t, a) => this.passwordOob(t, a)),
|
|
1620
1620
|
actions: {
|
|
1621
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1621
|
+
default: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOob(t, a))
|
|
1622
1622
|
}
|
|
1623
1623
|
}, this.deleteTokensEndpoint = {
|
|
1624
1624
|
post: async (e) => {
|
|
1625
|
-
var t,
|
|
1625
|
+
var t, a;
|
|
1626
1626
|
try {
|
|
1627
1627
|
return await this.deleteSessionData(e), v({ ok: !0 });
|
|
1628
|
-
} catch (
|
|
1629
|
-
if (m.isSvelteKitRedirect(
|
|
1630
|
-
const c = n.asCrossauthError(
|
|
1628
|
+
} catch (i) {
|
|
1629
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1630
|
+
const c = n.asCrossauthError(i);
|
|
1631
1631
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), v({
|
|
1632
1632
|
ok: !1,
|
|
1633
1633
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1634
|
-
csrfToken: (
|
|
1634
|
+
csrfToken: (a = this.server.sessionAdapter) == null ? void 0 : a.getCsrfToken(e),
|
|
1635
1635
|
errorCode: c.code,
|
|
1636
1636
|
errorCodeName: c.codeName,
|
|
1637
1637
|
errorMessage: c.message
|
|
@@ -1640,16 +1640,16 @@ class G extends re {
|
|
|
1640
1640
|
},
|
|
1641
1641
|
actions: {
|
|
1642
1642
|
default: async (e) => {
|
|
1643
|
-
var t,
|
|
1643
|
+
var t, a;
|
|
1644
1644
|
try {
|
|
1645
1645
|
return await this.deleteSessionData(e), { ok: !0 };
|
|
1646
|
-
} catch (
|
|
1647
|
-
if (m.isSvelteKitRedirect(
|
|
1648
|
-
const c = n.asCrossauthError(
|
|
1646
|
+
} catch (i) {
|
|
1647
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1648
|
+
const c = n.asCrossauthError(i);
|
|
1649
1649
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1650
1650
|
ok: !1,
|
|
1651
1651
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1652
|
-
csrfToken: (
|
|
1652
|
+
csrfToken: (a = this.server.sessionAdapter) == null ? void 0 : a.getCsrfToken(e),
|
|
1653
1653
|
errorCode: c.code,
|
|
1654
1654
|
errorCodeName: c.codeName,
|
|
1655
1655
|
errorMessage: c.message
|
|
@@ -1764,8 +1764,8 @@ class G extends re {
|
|
|
1764
1764
|
if (e.locals.user || !r.sessionAdapter) return;
|
|
1765
1765
|
let t = await r.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1766
1766
|
if (t && t.id_payload) {
|
|
1767
|
-
let
|
|
1768
|
-
|
|
1767
|
+
let a = t.expires_at;
|
|
1768
|
+
a && a > Date.now() && t.id_payload.sub && await this.setEventLocalsUser(e, t.id_payload);
|
|
1769
1769
|
}
|
|
1770
1770
|
this.testMiddleware && (this.testEvent = e);
|
|
1771
1771
|
};
|
|
@@ -1800,10 +1800,10 @@ class G extends re {
|
|
|
1800
1800
|
);
|
|
1801
1801
|
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(_.PasswordMfa)) {
|
|
1802
1802
|
const t = e.mfa_token;
|
|
1803
|
-
let
|
|
1804
|
-
if (
|
|
1803
|
+
let a = o.scope;
|
|
1804
|
+
if (a == "" && (a = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
|
|
1805
1805
|
t,
|
|
1806
|
-
|
|
1806
|
+
a,
|
|
1807
1807
|
r
|
|
1808
1808
|
)), e.error)
|
|
1809
1809
|
throw n.fromOAuthError(
|
|
@@ -1839,11 +1839,11 @@ class G extends re {
|
|
|
1839
1839
|
};
|
|
1840
1840
|
const t = e.authenticators[0];
|
|
1841
1841
|
if (t.authenticator_type == "otp") {
|
|
1842
|
-
const
|
|
1843
|
-
if (
|
|
1842
|
+
const i = await this.mfaOtpRequest(r, t.id);
|
|
1843
|
+
if (i.error || i.challenge_type != "otp") {
|
|
1844
1844
|
const c = n.fromOAuthError(
|
|
1845
|
-
|
|
1846
|
-
|
|
1845
|
+
i.error ?? "server_error",
|
|
1846
|
+
i.error_description ?? "Invalid response from MFA OTP challenge"
|
|
1847
1847
|
);
|
|
1848
1848
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1849
1849
|
error: c.oauthErrorCode,
|
|
@@ -1853,14 +1853,14 @@ class G extends re {
|
|
|
1853
1853
|
return {
|
|
1854
1854
|
scope: o,
|
|
1855
1855
|
mfa_token: r,
|
|
1856
|
-
challenge_type:
|
|
1856
|
+
challenge_type: i.challenge_type
|
|
1857
1857
|
};
|
|
1858
1858
|
} else if (t.authenticator_type == "oob") {
|
|
1859
|
-
const
|
|
1860
|
-
if (
|
|
1859
|
+
const i = await this.mfaOobRequest(r, t.id);
|
|
1860
|
+
if (i.error || i.challenge_type != "oob" || !i.oob_code || i.binding_method != "prompt") {
|
|
1861
1861
|
const c = n.fromOAuthError(
|
|
1862
|
-
|
|
1863
|
-
|
|
1862
|
+
i.error ?? "server_error",
|
|
1863
|
+
i.error_description ?? "Invalid response from MFA OOB challenge"
|
|
1864
1864
|
);
|
|
1865
1865
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1866
1866
|
error: c.oauthErrorCode,
|
|
@@ -1871,19 +1871,19 @@ class G extends re {
|
|
|
1871
1871
|
scope: o,
|
|
1872
1872
|
mfa_token: r,
|
|
1873
1873
|
oob_channel: t.oob_channel,
|
|
1874
|
-
challenge_type:
|
|
1875
|
-
binding_method:
|
|
1876
|
-
oob_code:
|
|
1874
|
+
challenge_type: i.challenge_type,
|
|
1875
|
+
binding_method: i.binding_method,
|
|
1876
|
+
oob_code: i.oob_code,
|
|
1877
1877
|
name: t.name
|
|
1878
1878
|
};
|
|
1879
1879
|
}
|
|
1880
|
-
const
|
|
1880
|
+
const a = new n(
|
|
1881
1881
|
u.UnknownError,
|
|
1882
1882
|
"Unsupported MFA type " + t.authenticator_type + " returned"
|
|
1883
1883
|
);
|
|
1884
1884
|
return {
|
|
1885
|
-
error:
|
|
1886
|
-
error_description:
|
|
1885
|
+
error: a.oauthErrorCode,
|
|
1886
|
+
error_description: a.message
|
|
1887
1887
|
};
|
|
1888
1888
|
}
|
|
1889
1889
|
async passwordOtp(r, o) {
|
|
@@ -1938,10 +1938,10 @@ class G extends re {
|
|
|
1938
1938
|
if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
|
|
1939
1939
|
try {
|
|
1940
1940
|
o.locals.sessionId && (this.autoRefreshActive[o.locals.sessionId] = !0);
|
|
1941
|
-
const
|
|
1942
|
-
if (!
|
|
1941
|
+
const a = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
|
|
1942
|
+
if (!a.error && !a.access_token && (a.error = "server_error", a.error_description = "Unexpectedly did not receive error or access token"), !a.error) {
|
|
1943
1943
|
const d = await this.receiveTokenFn(
|
|
1944
|
-
|
|
1944
|
+
a,
|
|
1945
1945
|
this,
|
|
1946
1946
|
o,
|
|
1947
1947
|
r == "silent",
|
|
@@ -1951,43 +1951,43 @@ class G extends re {
|
|
|
1951
1951
|
}
|
|
1952
1952
|
if (r != "silent") {
|
|
1953
1953
|
const d = n.fromOAuthError(
|
|
1954
|
-
|
|
1955
|
-
|
|
1954
|
+
a.error ?? "server_error",
|
|
1955
|
+
a.error_description
|
|
1956
1956
|
);
|
|
1957
1957
|
return r == "page" ? this.errorFn(this.server, o, d) : {
|
|
1958
1958
|
error: d.oauthErrorCode,
|
|
1959
1959
|
error_description: d.message
|
|
1960
1960
|
};
|
|
1961
1961
|
}
|
|
1962
|
-
let
|
|
1963
|
-
if (!
|
|
1964
|
-
const d = M(
|
|
1965
|
-
d.exp && (
|
|
1962
|
+
let i = a.expires_in;
|
|
1963
|
+
if (!i && a.access_token) {
|
|
1964
|
+
const d = M(a.access_token);
|
|
1965
|
+
d.exp && (i = d.exp);
|
|
1966
1966
|
}
|
|
1967
|
-
if (!
|
|
1967
|
+
if (!i)
|
|
1968
1968
|
throw new n(
|
|
1969
1969
|
u.BadRequest,
|
|
1970
1970
|
"OAuth server did not return an expiry for the access token"
|
|
1971
1971
|
);
|
|
1972
|
-
const c = (/* @__PURE__ */ new Date()).getTime() +
|
|
1972
|
+
const c = (/* @__PURE__ */ new Date()).getTime() + i * 1e3;
|
|
1973
1973
|
return {
|
|
1974
|
-
access_token:
|
|
1975
|
-
refresh_token:
|
|
1976
|
-
expires_in:
|
|
1974
|
+
access_token: a.access_token,
|
|
1975
|
+
refresh_token: a.refresh_token,
|
|
1976
|
+
expires_in: a.expires_in,
|
|
1977
1977
|
expires_at: c,
|
|
1978
|
-
error:
|
|
1979
|
-
error_description:
|
|
1978
|
+
error: a.error,
|
|
1979
|
+
error_description: a.error_description
|
|
1980
1980
|
};
|
|
1981
|
-
} catch (
|
|
1982
|
-
if (m.isSvelteKitRedirect(
|
|
1983
|
-
if (l.logger.debug(f({ err:
|
|
1984
|
-
cerr:
|
|
1981
|
+
} catch (a) {
|
|
1982
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1983
|
+
if (l.logger.debug(f({ err: a })), l.logger.error(f({
|
|
1984
|
+
cerr: a,
|
|
1985
1985
|
msg: "Failed refreshing access token"
|
|
1986
1986
|
})), r != "silent") {
|
|
1987
|
-
const
|
|
1988
|
-
return r == "page" ? this.errorFn(this.server, o,
|
|
1989
|
-
error:
|
|
1990
|
-
error_description:
|
|
1987
|
+
const i = n.asCrossauthError(a);
|
|
1988
|
+
return r == "page" ? this.errorFn(this.server, o, i) : {
|
|
1989
|
+
error: i.oauthErrorCode,
|
|
1990
|
+
error_description: i.message
|
|
1991
1991
|
};
|
|
1992
1992
|
}
|
|
1993
1993
|
return {
|
|
@@ -2064,16 +2064,16 @@ class G extends re {
|
|
|
2064
2064
|
let s;
|
|
2065
2065
|
try {
|
|
2066
2066
|
if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
|
|
2067
|
-
const
|
|
2068
|
-
return this.errorFn(this.server, r,
|
|
2067
|
+
const i = new n(u.Unauthorized, "Password flow is not supported");
|
|
2068
|
+
return this.errorFn(this.server, r, i);
|
|
2069
2069
|
}
|
|
2070
2070
|
var e = new b();
|
|
2071
2071
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2072
2072
|
try {
|
|
2073
2073
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2074
2074
|
throw new n(u.InvalidCsrf);
|
|
2075
|
-
} catch (
|
|
2076
|
-
if (m.isSvelteKitError(
|
|
2075
|
+
} catch (i) {
|
|
2076
|
+
if (m.isSvelteKitError(i) || m.isSvelteKitRedirect(i)) throw i;
|
|
2077
2077
|
const c = new n(u.Unauthorized, "CSRF token not present");
|
|
2078
2078
|
return this.errorFn(this.server, r, c);
|
|
2079
2079
|
}
|
|
@@ -2083,19 +2083,19 @@ class G extends re {
|
|
|
2083
2083
|
ok: !1,
|
|
2084
2084
|
...t
|
|
2085
2085
|
};
|
|
2086
|
-
const
|
|
2086
|
+
const a = await this.receiveTokenFn(
|
|
2087
2087
|
t,
|
|
2088
2088
|
this,
|
|
2089
2089
|
r,
|
|
2090
2090
|
!1,
|
|
2091
2091
|
this.setEventLocalsUser
|
|
2092
2092
|
);
|
|
2093
|
-
if (t &&
|
|
2093
|
+
if (t && a instanceof Response) return a;
|
|
2094
2094
|
throw new n(u.UnknownError, "Receive token function did not return a Response");
|
|
2095
2095
|
} catch (t) {
|
|
2096
2096
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2097
|
-
const
|
|
2098
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r,
|
|
2097
|
+
const a = n.asCrossauthError(t);
|
|
2098
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r, a);
|
|
2099
2099
|
}
|
|
2100
2100
|
}
|
|
2101
2101
|
async passwordFlow_action(r, o) {
|
|
@@ -2107,16 +2107,16 @@ class G extends re {
|
|
|
2107
2107
|
let s;
|
|
2108
2108
|
try {
|
|
2109
2109
|
if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
|
|
2110
|
-
const
|
|
2111
|
-
return this.errorFn(this.server, r,
|
|
2110
|
+
const i = new n(u.Unauthorized, "Password and Password MFA flows are not supported");
|
|
2111
|
+
return this.errorFn(this.server, r, i);
|
|
2112
2112
|
}
|
|
2113
2113
|
var e = new b();
|
|
2114
2114
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2115
2115
|
try {
|
|
2116
2116
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2117
2117
|
throw new n(u.InvalidCsrf);
|
|
2118
|
-
} catch (
|
|
2119
|
-
throw m.isSvelteKitError(
|
|
2118
|
+
} catch (i) {
|
|
2119
|
+
throw m.isSvelteKitError(i) || m.isSvelteKitRedirect(i) ? i : new n(u.Unauthorized, "CSRF token not present");
|
|
2120
2120
|
}
|
|
2121
2121
|
const t = await o(r, s);
|
|
2122
2122
|
if (!t) throw new n(u.UnknownError, "Password flow returned no data");
|
|
@@ -2127,27 +2127,27 @@ class G extends re {
|
|
|
2127
2127
|
};
|
|
2128
2128
|
if (t.challenge_type) {
|
|
2129
2129
|
if (!this.validFlows.includes(_.PasswordMfa)) {
|
|
2130
|
-
const
|
|
2131
|
-
return this.errorFn(this.server, r,
|
|
2130
|
+
const i = new n(u.Unauthorized, "Password MFA flow is not supported");
|
|
2131
|
+
return this.errorFn(this.server, r, i);
|
|
2132
2132
|
}
|
|
2133
2133
|
return t;
|
|
2134
2134
|
}
|
|
2135
|
-
const
|
|
2135
|
+
const a = await this.receiveTokenFn(
|
|
2136
2136
|
t,
|
|
2137
2137
|
this,
|
|
2138
2138
|
r,
|
|
2139
2139
|
!1,
|
|
2140
2140
|
this.setEventLocalsUser
|
|
2141
2141
|
) ?? {};
|
|
2142
|
-
if (
|
|
2143
|
-
return
|
|
2142
|
+
if (a instanceof Response) throw new n(u.Configuration, "Refresh token flow should return an object not Response");
|
|
2143
|
+
return a;
|
|
2144
2144
|
} catch (t) {
|
|
2145
2145
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2146
|
-
const
|
|
2146
|
+
const a = n.asCrossauthError(t);
|
|
2147
2147
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
2148
2148
|
ok: !1,
|
|
2149
|
-
error:
|
|
2150
|
-
error_description:
|
|
2149
|
+
error: a.oauthErrorCode,
|
|
2150
|
+
error_description: a.message
|
|
2151
2151
|
};
|
|
2152
2152
|
}
|
|
2153
2153
|
}
|
|
@@ -2173,30 +2173,30 @@ class G extends re {
|
|
|
2173
2173
|
let t = o.url;
|
|
2174
2174
|
if (!t) {
|
|
2175
2175
|
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(u.Unauthorized, "Attempt to call BFF url with the wrong prefix");
|
|
2176
|
-
const
|
|
2177
|
-
let
|
|
2178
|
-
|
|
2176
|
+
const a = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2177
|
+
let i = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
|
|
2178
|
+
i && i != "" && (i = "?" + i), t = new URL(this.bffBaseUrl + a + i);
|
|
2179
2179
|
}
|
|
2180
2180
|
o.headers || (o.headers = new Headers());
|
|
2181
|
-
for (let
|
|
2182
|
-
|
|
2183
|
-
const
|
|
2181
|
+
for (let a = 0; a < this.bffMaxTries; ++a) {
|
|
2182
|
+
a > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
|
|
2183
|
+
const i = await this.server.sessionAdapter.getSessionData(
|
|
2184
2184
|
r,
|
|
2185
2185
|
this.sessionDataName
|
|
2186
2186
|
);
|
|
2187
|
-
if (!
|
|
2188
|
-
if (
|
|
2187
|
+
if (!i) {
|
|
2188
|
+
if (a == this.bffMaxTries)
|
|
2189
2189
|
throw new n(u.Unauthorized, "No access token found");
|
|
2190
2190
|
continue;
|
|
2191
2191
|
}
|
|
2192
|
-
let c =
|
|
2193
|
-
if (
|
|
2192
|
+
let c = i.access_token;
|
|
2193
|
+
if (i && i.access_token) {
|
|
2194
2194
|
const g = await this.refresh(
|
|
2195
2195
|
"silent",
|
|
2196
2196
|
r,
|
|
2197
2197
|
!0,
|
|
2198
|
-
|
|
2199
|
-
|
|
2198
|
+
i.refresh_token,
|
|
2199
|
+
i.expires_at
|
|
2200
2200
|
);
|
|
2201
2201
|
if (g instanceof Response) throw new n(u.Configuration, "Expected object when refreshing tokens, not Response");
|
|
2202
2202
|
if (g != null && g.access_token)
|
|
@@ -2218,7 +2218,7 @@ class G extends re {
|
|
|
2218
2218
|
headers: o.headers,
|
|
2219
2219
|
method: o.method ?? r.request.method
|
|
2220
2220
|
}), d.status == 401) {
|
|
2221
|
-
if (
|
|
2221
|
+
if (a < this.bffMaxTries - 1)
|
|
2222
2222
|
continue;
|
|
2223
2223
|
return d;
|
|
2224
2224
|
} else
|
|
@@ -2227,11 +2227,11 @@ class G extends re {
|
|
|
2227
2227
|
return new Response(null, { status: 401 });
|
|
2228
2228
|
} catch (t) {
|
|
2229
2229
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
2230
|
-
const
|
|
2231
|
-
return l.logger.debug({ err:
|
|
2232
|
-
error:
|
|
2233
|
-
error_description:
|
|
2234
|
-
}, { status:
|
|
2230
|
+
const a = n.asCrossauthError(t);
|
|
2231
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), v({
|
|
2232
|
+
error: a.oauthErrorCode,
|
|
2233
|
+
error_description: a.message
|
|
2234
|
+
}, { status: a.httpStatus });
|
|
2235
2235
|
}
|
|
2236
2236
|
}
|
|
2237
2237
|
async unpack(r) {
|
|
@@ -2269,16 +2269,16 @@ class G extends re {
|
|
|
2269
2269
|
const s = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2270
2270
|
let e;
|
|
2271
2271
|
for (let t = 0; t < this.bffEndpoints.length; ++t) {
|
|
2272
|
-
let
|
|
2273
|
-
if (
|
|
2274
|
-
let
|
|
2275
|
-
if (c.endsWith("/") || (c += "/"),
|
|
2272
|
+
let a = this.bffEndpoints[t];
|
|
2273
|
+
if (a.matchSubUrls) {
|
|
2274
|
+
let i = a.url, c = a.url;
|
|
2275
|
+
if (c.endsWith("/") || (c += "/"), a.methodsString.includes(r.request.method) && (s.startsWith(c) || s == i)) {
|
|
2276
2276
|
e = t;
|
|
2277
2277
|
break;
|
|
2278
2278
|
}
|
|
2279
2279
|
} else {
|
|
2280
|
-
let
|
|
2281
|
-
if (
|
|
2280
|
+
let i = a.url;
|
|
2281
|
+
if (a.methodsString.includes(r.request.method) && s == i) {
|
|
2282
2282
|
e = t;
|
|
2283
2283
|
break;
|
|
2284
2284
|
}
|
|
@@ -2308,23 +2308,23 @@ class G extends re {
|
|
|
2308
2308
|
if (!this.tokenEndpoints || this.tokenEndpoints.length == 0)
|
|
2309
2309
|
throw new n(u.Unauthorized, "No tokens have been made available");
|
|
2310
2310
|
let t = Array.isArray(o) ? o : [o];
|
|
2311
|
-
const
|
|
2311
|
+
const a = await this.server.sessionAdapter.getSessionData(
|
|
2312
2312
|
r,
|
|
2313
2313
|
this.sessionDataName
|
|
2314
2314
|
);
|
|
2315
|
-
if (!
|
|
2315
|
+
if (!a)
|
|
2316
2316
|
throw new n(u.Unauthorized, "No access token found");
|
|
2317
|
-
let
|
|
2317
|
+
let i = {}, c, d = !1;
|
|
2318
2318
|
for (let h of t) {
|
|
2319
2319
|
if (!this.tokenEndpoints.includes(h)) throw new n(u.Unauthorized, "Token type " + h + " may not be returned");
|
|
2320
2320
|
d = !1;
|
|
2321
2321
|
let g = h;
|
|
2322
2322
|
h.startsWith("have_") && (g = h.replace("have_", ""), d = !0);
|
|
2323
2323
|
const p = g.replace("_token", ""), w = e && this.jwtTokens.includes(p);
|
|
2324
|
-
let S = this.tokenPayload(g,
|
|
2325
|
-
d ?
|
|
2324
|
+
let S = this.tokenPayload(g, a, d, w);
|
|
2325
|
+
d ? i[h] = S.ok : S && (i[h] = S), c = i[h];
|
|
2326
2326
|
}
|
|
2327
|
-
return Array.isArray(o) ? { status: 200, body:
|
|
2327
|
+
return Array.isArray(o) ? { status: 200, body: i } : c ? d ? { status: 200, body: typeof c == "boolean" ? { ok: c } : c } : { status: 200, body: c } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
|
|
2328
2328
|
} catch (s) {
|
|
2329
2329
|
if (m.isSvelteKitError(s) || m.isSvelteKitRedirect(s)) throw s;
|
|
2330
2330
|
const e = n.asCrossauthError(s);
|
|
@@ -2355,13 +2355,13 @@ class G extends re {
|
|
|
2355
2355
|
e == "" && (e = void 0);
|
|
2356
2356
|
let t = this.authServerBaseUrl;
|
|
2357
2357
|
t.endsWith("/") || (t += "/"), t += this.deviceAuthorizationUrl;
|
|
2358
|
-
const
|
|
2359
|
-
let
|
|
2360
|
-
return
|
|
2361
|
-
|
|
2358
|
+
const a = await this.startDeviceCodeFlow(t, e);
|
|
2359
|
+
let i;
|
|
2360
|
+
return a.verification_uri_complete && await ae.toDataURL(a.verification_uri_complete).then((c) => {
|
|
2361
|
+
i = c;
|
|
2362
2362
|
}).catch((c) => {
|
|
2363
2363
|
l.logger.debug(f({ err: c })), l.logger.warn(f({ msg: "Couldn't generate verification URL QR Code" }));
|
|
2364
|
-
}),
|
|
2364
|
+
}), i ? { verification_uri_qrdata: i, ...a } : a;
|
|
2365
2365
|
} catch (e) {
|
|
2366
2366
|
if (m.isSvelteKitRedirect(e) || m.isSvelteKitError(e)) throw e;
|
|
2367
2367
|
const t = n.asCrossauthError(e);
|
|
@@ -2381,8 +2381,8 @@ class G extends re {
|
|
|
2381
2381
|
try {
|
|
2382
2382
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2383
2383
|
throw new n(u.InvalidCsrf);
|
|
2384
|
-
} catch (
|
|
2385
|
-
throw m.isSvelteKitError(
|
|
2384
|
+
} catch (a) {
|
|
2385
|
+
throw m.isSvelteKitError(a) || m.isSvelteKitRedirect(a) ? a : new n(u.Unauthorized, "CSRF token not present");
|
|
2386
2386
|
}
|
|
2387
2387
|
let e = o.device_code;
|
|
2388
2388
|
if (!e) throw new n(u.BadRequest, "No device code given when polling for user authorization");
|
|
@@ -2397,8 +2397,8 @@ class G extends re {
|
|
|
2397
2397
|
);
|
|
2398
2398
|
{
|
|
2399
2399
|
if (t.error == "authorization_pending") return { ok: !0, ...t };
|
|
2400
|
-
let
|
|
2401
|
-
const c = n.fromOAuthError(
|
|
2400
|
+
let a = t.error ?? "server_error", i = t.error_description ?? "Didn't receive an access token";
|
|
2401
|
+
const c = n.fromOAuthError(a, i);
|
|
2402
2402
|
return this.errorFn(this.server, r, c);
|
|
2403
2403
|
}
|
|
2404
2404
|
} catch (e) {
|
|
@@ -2424,19 +2424,19 @@ class G extends re {
|
|
|
2424
2424
|
));
|
|
2425
2425
|
}
|
|
2426
2426
|
async storeSessionData(r, o) {
|
|
2427
|
-
var s, e, t,
|
|
2427
|
+
var s, e, t, a;
|
|
2428
2428
|
if (this.server.sessionServer) {
|
|
2429
|
-
let
|
|
2430
|
-
|
|
2429
|
+
let i = (s = this.server.sessionServer) == null ? void 0 : s.getSessionCookieValue(r);
|
|
2430
|
+
i ? await ((t = this.server.sessionAdapter) == null ? void 0 : t.updateSessionData(
|
|
2431
2431
|
r,
|
|
2432
2432
|
this.sessionDataName,
|
|
2433
2433
|
o
|
|
2434
|
-
)) :
|
|
2434
|
+
)) : i = await ((e = this.server.sessionServer) == null ? void 0 : e.createAnonymousSession(
|
|
2435
2435
|
r,
|
|
2436
2436
|
{ [this.sessionDataName]: o }
|
|
2437
2437
|
));
|
|
2438
2438
|
} else
|
|
2439
|
-
await ((
|
|
2439
|
+
await ((a = this.server.sessionAdapter) == null ? void 0 : a.updateSessionData(
|
|
2440
2440
|
r,
|
|
2441
2441
|
this.sessionDataName,
|
|
2442
2442
|
o
|
|
@@ -2460,8 +2460,8 @@ class ge extends se {
|
|
|
2460
2460
|
for (const [e, t] of Object.entries(o.protectedEndpoints)) {
|
|
2461
2461
|
if (!e.startsWith("/"))
|
|
2462
2462
|
throw new n(u.Configuration, "protected endpoints must be absolute paths without the protocol and hostname");
|
|
2463
|
-
t.scope && t.scope.forEach((
|
|
2464
|
-
if (!s.test(
|
|
2463
|
+
t.scope && t.scope.forEach((a) => {
|
|
2464
|
+
if (!s.test(a)) throw new n(u.Configuration, "Illegal characters in scope " + a);
|
|
2465
2465
|
});
|
|
2466
2466
|
}
|
|
2467
2467
|
this.protectedEndpoints = { ...o.protectedEndpoints };
|
|
@@ -2473,16 +2473,16 @@ class ge extends se {
|
|
|
2473
2473
|
o.protectedEndpoints && (this.hook = async ({ event: s }) => {
|
|
2474
2474
|
var c, d;
|
|
2475
2475
|
const e = s.url.pathname;
|
|
2476
|
-
let t = !1,
|
|
2476
|
+
let t = !1, a = "";
|
|
2477
2477
|
if (e in this.protectedEndpoints)
|
|
2478
|
-
t = !0,
|
|
2478
|
+
t = !0, a = e;
|
|
2479
2479
|
else
|
|
2480
2480
|
for (let h of this.protectedEndpointPrefixes)
|
|
2481
|
-
e.startsWith(h) && (t = !0),
|
|
2481
|
+
e.startsWith(h) && (t = !0), a = h;
|
|
2482
2482
|
if (!t) return;
|
|
2483
|
-
const
|
|
2484
|
-
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[
|
|
2485
|
-
if (!
|
|
2483
|
+
const i = await this.authorized(s);
|
|
2484
|
+
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[a].acceptSessionAuthorization != !0)) {
|
|
2485
|
+
if (!i) {
|
|
2486
2486
|
s.locals.authError = "access_denied", s.locals.authErrorDescription = "No access token";
|
|
2487
2487
|
const h = this.authenticateHeader(s);
|
|
2488
2488
|
return new Response(JSON.stringify(this.errorBody), {
|
|
@@ -2493,7 +2493,7 @@ class ge extends se {
|
|
|
2493
2493
|
status: 401
|
|
2494
2494
|
});
|
|
2495
2495
|
}
|
|
2496
|
-
if (!
|
|
2496
|
+
if (!i.authorized) {
|
|
2497
2497
|
const h = this.authenticateHeader(s);
|
|
2498
2498
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2499
2499
|
headers: {
|
|
@@ -2504,17 +2504,17 @@ class ge extends se {
|
|
|
2504
2504
|
});
|
|
2505
2505
|
}
|
|
2506
2506
|
}
|
|
2507
|
-
if (
|
|
2508
|
-
if (s.locals.accessTokenPayload =
|
|
2509
|
-
if (Array.isArray(
|
|
2507
|
+
if (i) {
|
|
2508
|
+
if (s.locals.accessTokenPayload = i.tokenPayload, s.locals.user = i.user, (c = i.tokenPayload) != null && c.scope)
|
|
2509
|
+
if (Array.isArray(i.tokenPayload.scope)) {
|
|
2510
2510
|
let h = [];
|
|
2511
|
-
for (let g of
|
|
2511
|
+
for (let g of i.tokenPayload.scope)
|
|
2512
2512
|
typeof g == "string" && h.push(g);
|
|
2513
2513
|
s.locals.scope = h;
|
|
2514
|
-
} else typeof
|
|
2515
|
-
if (this.protectedEndpoints[
|
|
2516
|
-
for (let h of this.protectedEndpoints[
|
|
2517
|
-
if (!s.locals.scope || !s.locals.scope.includes(h) && this.protectedEndpoints[
|
|
2514
|
+
} else typeof i.tokenPayload.scope == "string" && (s.locals.scope = i.tokenPayload.scope.split(" "));
|
|
2515
|
+
if (this.protectedEndpoints[a].scope) {
|
|
2516
|
+
for (let h of this.protectedEndpoints[a].scope ?? [])
|
|
2517
|
+
if (!s.locals.scope || !s.locals.scope.includes(h) && this.protectedEndpoints[a].acceptSessionAuthorization != !0) {
|
|
2518
2518
|
l.logger.warn(f({
|
|
2519
2519
|
msg: "Access token does not have sufficient scope",
|
|
2520
2520
|
username: (d = s.locals.user) == null ? void 0 : d.username,
|
|
@@ -2530,7 +2530,7 @@ class ge extends se {
|
|
|
2530
2530
|
});
|
|
2531
2531
|
}
|
|
2532
2532
|
}
|
|
2533
|
-
if (s.locals.authType = "oauth", s.locals.authError =
|
|
2533
|
+
if (s.locals.authType = "oauth", s.locals.authError = i == null ? void 0 : i.error, (i == null ? void 0 : i.error) == "access_denied") {
|
|
2534
2534
|
const h = this.authenticateHeader(s);
|
|
2535
2535
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2536
2536
|
headers: {
|
|
@@ -2539,14 +2539,14 @@ class ge extends se {
|
|
|
2539
2539
|
},
|
|
2540
2540
|
status: 401
|
|
2541
2541
|
});
|
|
2542
|
-
} else if (
|
|
2542
|
+
} else if (i != null && i.error)
|
|
2543
2543
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2544
2544
|
headers: {
|
|
2545
2545
|
"content-type": "application/json"
|
|
2546
2546
|
},
|
|
2547
2547
|
status: 500
|
|
2548
2548
|
});
|
|
2549
|
-
s.locals.authErrorDescription =
|
|
2549
|
+
s.locals.authErrorDescription = i == null ? void 0 : i.error_description, l.logger.debug(f({ msg: "Resource server url", url: s.request.url, authorized: s.locals.accessTokenPayload != null }));
|
|
2550
2550
|
}
|
|
2551
2551
|
});
|
|
2552
2552
|
}
|
|
@@ -2672,8 +2672,8 @@ const D = class D {
|
|
|
2672
2672
|
apiKey: s,
|
|
2673
2673
|
oAuthAuthServer: e,
|
|
2674
2674
|
oAuthClient: t,
|
|
2675
|
-
oAuthClients:
|
|
2676
|
-
oAuthResServer:
|
|
2675
|
+
oAuthClients: a,
|
|
2676
|
+
oAuthResServer: i,
|
|
2677
2677
|
options: c
|
|
2678
2678
|
}) {
|
|
2679
2679
|
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl", E.String, this, c, "LOGIN_URL", !1), c.isAdminFn && (D.isAdminFn = c.isAdminFn);
|
|
@@ -2704,15 +2704,15 @@ const D = class D {
|
|
|
2704
2704
|
{ ...h, ...c, ...e.options }
|
|
2705
2705
|
);
|
|
2706
2706
|
}
|
|
2707
|
-
if (t &&
|
|
2707
|
+
if (t && a)
|
|
2708
2708
|
throw new n(u.Configuration, "Cannot specify both oAuthClient and oAuthClients");
|
|
2709
2709
|
if (t && (this.oAuthClient = new G(
|
|
2710
2710
|
this,
|
|
2711
2711
|
t.authServerBaseUrl,
|
|
2712
2712
|
{ ...c, ...t.options }
|
|
2713
|
-
)),
|
|
2713
|
+
)), a) {
|
|
2714
2714
|
this.oAuthClients = [];
|
|
2715
|
-
for (let h of
|
|
2715
|
+
for (let h of a)
|
|
2716
2716
|
this.oAuthClients.push(
|
|
2717
2717
|
new G(
|
|
2718
2718
|
this,
|
|
@@ -2721,9 +2721,9 @@ const D = class D {
|
|
|
2721
2721
|
)
|
|
2722
2722
|
);
|
|
2723
2723
|
}
|
|
2724
|
-
|
|
2724
|
+
i && (y("audience", E.String, this, c, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2725
2725
|
[new te(this.audience, c)],
|
|
2726
|
-
{ sessionAdapter: this.sessionAdapter, ...
|
|
2726
|
+
{ sessionAdapter: this.sessionAdapter, ...i.options, ...c }
|
|
2727
2727
|
)), this.hooks = async ({ event: h, resolve: g }) => {
|
|
2728
2728
|
const p = await this.unresolvedHooks(h);
|
|
2729
2729
|
return p instanceof Response ? p : await g(p);
|
|
@@ -2834,12 +2834,12 @@ class we {
|
|
|
2834
2834
|
const g = await this.sessionServer.getSessionData(s, "factor2change");
|
|
2835
2835
|
g != null && g.username || this.isSessionUser(s) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), e = g == null ? void 0 : g.username;
|
|
2836
2836
|
}
|
|
2837
|
-
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }],
|
|
2838
|
-
|
|
2837
|
+
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], a = {}, i = s.url.searchParams.get("required"), c;
|
|
2838
|
+
i && (i = i.toLowerCase(), c = i == "true" || i == "1", c == !0 && (a.required = !0));
|
|
2839
2839
|
let d = s.url.searchParams.get("next");
|
|
2840
|
-
return d && (
|
|
2840
|
+
return d && (a.next = d), {
|
|
2841
2841
|
allowedFactor2: t,
|
|
2842
|
-
...
|
|
2842
|
+
...a,
|
|
2843
2843
|
username: e,
|
|
2844
2844
|
...this.baseEndpoint(s)
|
|
2845
2845
|
};
|
|
@@ -2849,12 +2849,12 @@ class we {
|
|
|
2849
2849
|
default: async (s) => await this.changePassword(s)
|
|
2850
2850
|
},
|
|
2851
2851
|
load: async (s) => {
|
|
2852
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2853
|
-
if (!
|
|
2852
|
+
let e = {}, t = s.url.searchParams.get("required"), a, i = s.locals.user != null;
|
|
2853
|
+
if (!i) {
|
|
2854
2854
|
const d = await this.sessionServer.getSessionData(s, "passwordchange");
|
|
2855
|
-
d != null && d.username && (
|
|
2855
|
+
d != null && d.username && (i = !0);
|
|
2856
2856
|
}
|
|
2857
|
-
|
|
2857
|
+
i || this.sessionServer.redirect(302, this.loginUrl), t && (t = t.toLowerCase(), a = t == "true" || t == "1", a == !0 && (e.required = !0));
|
|
2858
2858
|
let c = s.url.searchParams.get("next");
|
|
2859
2859
|
return c && (e.next = c), {
|
|
2860
2860
|
...e,
|
|
@@ -2880,8 +2880,8 @@ class we {
|
|
|
2880
2880
|
default: async (s) => await this.requestPasswordReset(s)
|
|
2881
2881
|
},
|
|
2882
2882
|
load: async (s) => {
|
|
2883
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2884
|
-
return t && (t = t.toLowerCase(),
|
|
2883
|
+
let e = {}, t = s.url.searchParams.get("required"), a;
|
|
2884
|
+
return t && (t = t.toLowerCase(), a = t == "true" || t == "1", a == !0 && (e.required = !0)), {
|
|
2885
2885
|
...e,
|
|
2886
2886
|
...this.baseEndpoint(s)
|
|
2887
2887
|
};
|
|
@@ -2901,14 +2901,14 @@ class we {
|
|
|
2901
2901
|
try {
|
|
2902
2902
|
return e = await this.resetPassword(s), e;
|
|
2903
2903
|
} catch (t) {
|
|
2904
|
-
const
|
|
2904
|
+
const a = n.asCrossauthError(t);
|
|
2905
2905
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2906
|
-
return l.logger.debug(f({ err:
|
|
2906
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
2907
2907
|
ok: !1,
|
|
2908
2908
|
tokenValidated: !1,
|
|
2909
2909
|
error: e == null ? void 0 : e.error,
|
|
2910
|
-
errorCode:
|
|
2911
|
-
errorCodeName:
|
|
2910
|
+
errorCode: a.code,
|
|
2911
|
+
errorCodeName: a.codeName,
|
|
2912
2912
|
...this.baseEndpoint(s)
|
|
2913
2913
|
};
|
|
2914
2914
|
}
|
|
@@ -3009,12 +3009,13 @@ class we {
|
|
|
3009
3009
|
var s = new b();
|
|
3010
3010
|
await s.loadData(r), o = s.toObject();
|
|
3011
3011
|
const e = s.get("username") ?? "", t = s.getAsBoolean("persist") ?? !1;
|
|
3012
|
-
|
|
3013
|
-
|
|
3014
|
-
|
|
3012
|
+
o.next.includes("/__data.json") && (o.next = o.next.substring(0, o.next.indexOf("/__data.json")));
|
|
3013
|
+
let a = o.next ?? this.loginRedirectUrl;
|
|
3014
|
+
if (e == "") throw new n(u.InvalidUsername, "Username field may not be empty");
|
|
3015
|
+
let i = this.addToSession ? this.addToSession(r, o) : {};
|
|
3015
3016
|
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
3016
3017
|
const c = this.sessionServer.getSessionCookieValue(r);
|
|
3017
|
-
let { sessionCookie: d, csrfCookie: h, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(),
|
|
3018
|
+
let { sessionCookie: d, csrfCookie: h, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(), i, t);
|
|
3018
3019
|
if (l.logger.debug(f({
|
|
3019
3020
|
msg: "Login: set session cookie " + d.name + " opts " + JSON.stringify(d.options),
|
|
3020
3021
|
user: e
|
|
@@ -3039,19 +3040,19 @@ class we {
|
|
|
3039
3040
|
})), l.logger.debug(f({ err: p }));
|
|
3040
3041
|
}
|
|
3041
3042
|
if (g.state == N.passwordChangeNeeded)
|
|
3042
|
-
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3043
|
+
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + a));
|
|
3043
3044
|
else {
|
|
3044
3045
|
if (g.state == N.passwordResetNeeded)
|
|
3045
3046
|
throw new n(u.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3046
3047
|
if (g.state == N.passwordAndFactor2ResetNeeded)
|
|
3047
3048
|
throw new n(u.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3048
|
-
this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3049
|
+
this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + a)) : (!g.factor2 || g.factor2 == "") && (r.locals.user = g);
|
|
3049
3050
|
}
|
|
3050
3051
|
return {
|
|
3051
3052
|
user: g,
|
|
3052
3053
|
formData: o,
|
|
3053
3054
|
factor2Required: g.factor2 && g.factor2 != "",
|
|
3054
|
-
next:
|
|
3055
|
+
next: a,
|
|
3055
3056
|
ok: !0
|
|
3056
3057
|
};
|
|
3057
3058
|
} catch (e) {
|
|
@@ -3072,22 +3073,22 @@ class we {
|
|
|
3072
3073
|
async loginWithUser(r, o, s) {
|
|
3073
3074
|
const e = s.locals.sessionId, t = new b();
|
|
3074
3075
|
await t.loadData(s);
|
|
3075
|
-
let
|
|
3076
|
+
let a = this.addToSession ? this.addToSession(s, t.toObject()) : {}, { sessionCookie: i, csrfCookie: c, csrfFormOrHeaderValue: d } = await this.sessionServer.sessionManager.login("", {}, a, void 0, r, o);
|
|
3076
3077
|
if (l.logger.debug(f({
|
|
3077
|
-
msg: "Login: set session cookie " +
|
|
3078
|
+
msg: "Login: set session cookie " + i.name + " opts " + JSON.stringify(i.options),
|
|
3078
3079
|
user: r.username
|
|
3079
3080
|
})), s.cookies.set(
|
|
3080
|
-
|
|
3081
|
-
|
|
3082
|
-
R(
|
|
3081
|
+
i.name,
|
|
3082
|
+
i.value,
|
|
3083
|
+
R(i.options)
|
|
3083
3084
|
), l.logger.debug(f({
|
|
3084
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3085
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(i.options),
|
|
3085
3086
|
user: r.username
|
|
3086
3087
|
})), this.sessionServer.enableCsrfProtection && s.cookies.set(
|
|
3087
3088
|
c.name,
|
|
3088
3089
|
c.value,
|
|
3089
3090
|
R(c.options)
|
|
3090
|
-
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(
|
|
3091
|
+
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(i.value), e)
|
|
3091
3092
|
try {
|
|
3092
3093
|
await this.sessionServer.sessionManager.deleteSession(e);
|
|
3093
3094
|
} catch (h) {
|
|
@@ -3205,16 +3206,16 @@ class we {
|
|
|
3205
3206
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3206
3207
|
);
|
|
3207
3208
|
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
|
|
3208
|
-
let
|
|
3209
|
-
const
|
|
3209
|
+
let a = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
3210
|
+
const i = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
3210
3211
|
let c = {};
|
|
3211
3212
|
for (let p in o)
|
|
3212
3213
|
if (p.startsWith("repeat_")) {
|
|
3213
3214
|
const w = p.replace(/^repeat_/, "");
|
|
3214
|
-
|
|
3215
|
+
i.includes(w) && (c[w] = o[p]);
|
|
3215
3216
|
}
|
|
3216
3217
|
Object.keys(c).length === 0 && (c = void 0), t.state = "active", o.factor2 && o.factor2 != "none" ? t.state = "awaitingtwofactor" : this.sessionServer.enableEmailVerification && (t.state = "awaitingemailverification");
|
|
3217
|
-
let h = [...this.sessionServer.validateUserFn(t), ...
|
|
3218
|
+
let h = [...this.sessionServer.validateUserFn(t), ...a];
|
|
3218
3219
|
if (h.length > 0)
|
|
3219
3220
|
throw new n(u.FormEntry, h);
|
|
3220
3221
|
let g = !1;
|
|
@@ -3348,8 +3349,8 @@ class we {
|
|
|
3348
3349
|
try {
|
|
3349
3350
|
var t = new b();
|
|
3350
3351
|
await t.loadData(r), o = t.toObject();
|
|
3351
|
-
const
|
|
3352
|
-
if (
|
|
3352
|
+
const a = await this.sessionServer.getSessionData(r, "2fa");
|
|
3353
|
+
if (a != null && a.factor2) e = a == null ? void 0 : a.factor2;
|
|
3353
3354
|
else throw new n(u.BadRequest, "Two factor authentication was not started");
|
|
3354
3355
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3355
3356
|
throw new n(u.InvalidCsrf);
|
|
@@ -3357,17 +3358,17 @@ class we {
|
|
|
3357
3358
|
u.Unauthorized,
|
|
3358
3359
|
"No session active while enabling 2FA. Please enable cookies"
|
|
3359
3360
|
);
|
|
3360
|
-
let
|
|
3361
|
+
let i = await this.sessionServer.sessionManager.completeTwoFactorSetup(
|
|
3361
3362
|
o,
|
|
3362
3363
|
r.locals.sessionId
|
|
3363
3364
|
);
|
|
3364
|
-
return this.sessionServer.enableEmailVerification || await this.loginWithUser(
|
|
3365
|
+
return this.sessionServer.enableEmailVerification || await this.loginWithUser(i, !0, r), r.locals.user ? {
|
|
3365
3366
|
ok: !0,
|
|
3366
|
-
user:
|
|
3367
|
+
user: i,
|
|
3367
3368
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
3368
|
-
} : await this.loginWithUser(
|
|
3369
|
-
} catch (
|
|
3370
|
-
const
|
|
3369
|
+
} : await this.loginWithUser(i, !0, r);
|
|
3370
|
+
} catch (a) {
|
|
3371
|
+
const i = n.asCrossauthError(a);
|
|
3371
3372
|
let c;
|
|
3372
3373
|
try {
|
|
3373
3374
|
c = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId ?? "")).userData;
|
|
@@ -3378,11 +3379,11 @@ class we {
|
|
|
3378
3379
|
csrfToken: r.locals.csrfToken,
|
|
3379
3380
|
username: c.username ?? "",
|
|
3380
3381
|
factor2: e
|
|
3381
|
-
}), l.logger.debug(f({ err:
|
|
3382
|
+
}), l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
3382
3383
|
ok: !1,
|
|
3383
|
-
error:
|
|
3384
|
-
errorCode:
|
|
3385
|
-
errorCodeName:
|
|
3384
|
+
error: i.message,
|
|
3385
|
+
errorCode: i.code,
|
|
3386
|
+
errorCodeName: i.codeName,
|
|
3386
3387
|
formData: o,
|
|
3387
3388
|
factor2Data: s,
|
|
3388
3389
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
@@ -3418,22 +3419,22 @@ class we {
|
|
|
3418
3419
|
if (!t) throw new n(u.Unauthorized);
|
|
3419
3420
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3420
3421
|
throw new n(u.InvalidCsrf);
|
|
3421
|
-
let
|
|
3422
|
-
const { sessionCookie:
|
|
3422
|
+
let a = this.addToSession ? this.addToSession(r, o) : {};
|
|
3423
|
+
const { sessionCookie: i, csrfCookie: c, user: d } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
|
|
3423
3424
|
o,
|
|
3424
3425
|
t,
|
|
3425
|
-
|
|
3426
|
+
a,
|
|
3426
3427
|
e
|
|
3427
3428
|
);
|
|
3428
3429
|
return l.logger.debug(f({
|
|
3429
|
-
msg: "Login: set session cookie " +
|
|
3430
|
+
msg: "Login: set session cookie " + i.name + " opts " + JSON.stringify(i.options),
|
|
3430
3431
|
user: d == null ? void 0 : d.username
|
|
3431
3432
|
})), r.cookies.set(
|
|
3432
|
-
|
|
3433
|
-
|
|
3434
|
-
R(
|
|
3433
|
+
i.name,
|
|
3434
|
+
i.value,
|
|
3435
|
+
R(i.options)
|
|
3435
3436
|
), l.logger.debug(f({
|
|
3436
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3437
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(i.options),
|
|
3437
3438
|
user: d == null ? void 0 : d.username
|
|
3438
3439
|
})), r.cookies.set(
|
|
3439
3440
|
c.name,
|
|
@@ -3552,17 +3553,17 @@ class we {
|
|
|
3552
3553
|
);
|
|
3553
3554
|
const e = r.params.token ?? "";
|
|
3554
3555
|
if (e == "") throw new n(u.InvalidUsername, "No token provided");
|
|
3555
|
-
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e),
|
|
3556
|
+
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e), a = this.sessionServer.authenticators[t.factor1], i = a.secretNames();
|
|
3556
3557
|
let c = {}, d = {};
|
|
3557
3558
|
for (let p in o)
|
|
3558
3559
|
if (p.startsWith("new_")) {
|
|
3559
3560
|
const w = p.replace(/^new_/, "");
|
|
3560
|
-
|
|
3561
|
+
i.includes(w) && (c[w] = o[p]);
|
|
3561
3562
|
} else if (p.startsWith("repeat_")) {
|
|
3562
3563
|
const w = p.replace(/^repeat_/, "");
|
|
3563
|
-
|
|
3564
|
+
i.includes(w) && (d[w] = o[p]);
|
|
3564
3565
|
}
|
|
3565
|
-
if (Object.keys(d).length === 0 && (d = void 0),
|
|
3566
|
+
if (Object.keys(d).length === 0 && (d = void 0), a.validateSecrets(c).length > 0)
|
|
3566
3567
|
throw new n(u.PasswordFormat);
|
|
3567
3568
|
const g = await this.sessionServer.sessionManager.resetSecret(e, 1, c, d);
|
|
3568
3569
|
if (g.state == N.active)
|
|
@@ -3677,20 +3678,20 @@ class we {
|
|
|
3677
3678
|
e = r.locals.user;
|
|
3678
3679
|
} else
|
|
3679
3680
|
throw new n(u.InsufficientPriviledges);
|
|
3680
|
-
const
|
|
3681
|
+
const a = this.sessionServer.authenticators[e.factor1], i = a.secretNames();
|
|
3681
3682
|
let c = {}, d = {}, h = {};
|
|
3682
3683
|
for (let w in o)
|
|
3683
3684
|
if (w.startsWith("new_")) {
|
|
3684
3685
|
const S = w.replace(/^new_/, "");
|
|
3685
|
-
|
|
3686
|
+
i.includes(S) && (d[S] = o[w]);
|
|
3686
3687
|
} else if (w.startsWith("old_")) {
|
|
3687
3688
|
const S = w.replace(/^old_/, "");
|
|
3688
|
-
|
|
3689
|
+
i.includes(S) && (c[S] = o[w]);
|
|
3689
3690
|
} else if (w.startsWith("repeat_")) {
|
|
3690
3691
|
const S = w.replace(/^repeat_/, "");
|
|
3691
|
-
|
|
3692
|
+
i.includes(S) && (h[S] = o[w]);
|
|
3692
3693
|
}
|
|
3693
|
-
if (Object.keys(h).length === 0 && (h = void 0),
|
|
3694
|
+
if (Object.keys(h).length === 0 && (h = void 0), a.validateSecrets(d).length > 0)
|
|
3694
3695
|
throw new n(u.PasswordFormat);
|
|
3695
3696
|
const p = e.state;
|
|
3696
3697
|
try {
|
|
@@ -3808,15 +3809,15 @@ class we {
|
|
|
3808
3809
|
let t = this.sessionServer.validateUserFn(e);
|
|
3809
3810
|
if (t.length > 0)
|
|
3810
3811
|
throw new n(u.FormEntry, t);
|
|
3811
|
-
let { emailVerificationTokenSent:
|
|
3812
|
-
if (!
|
|
3813
|
-
const
|
|
3814
|
-
r.locals.user =
|
|
3812
|
+
let { emailVerificationTokenSent: a } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
|
|
3813
|
+
if (!a) {
|
|
3814
|
+
const i = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
|
|
3815
|
+
r.locals.user = i.user;
|
|
3815
3816
|
}
|
|
3816
3817
|
return {
|
|
3817
3818
|
ok: !0,
|
|
3818
3819
|
formData: o,
|
|
3819
|
-
emailVerificationNeeded:
|
|
3820
|
+
emailVerificationNeeded: a
|
|
3820
3821
|
};
|
|
3821
3822
|
} catch (e) {
|
|
3822
3823
|
let t = n.asCrossauthError(e, "Couldn't update account");
|
|
@@ -3864,32 +3865,32 @@ class we {
|
|
|
3864
3865
|
const d = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3865
3866
|
d != null && d.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = d == null ? void 0 : d.username;
|
|
3866
3867
|
}
|
|
3867
|
-
let
|
|
3868
|
-
if (!
|
|
3868
|
+
let a = r.locals.user;
|
|
3869
|
+
if (!a && t && (a = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3869
3870
|
t,
|
|
3870
3871
|
{
|
|
3871
3872
|
skipActiveCheck: !0,
|
|
3872
3873
|
skipEmailVerifiedCheck: !0
|
|
3873
3874
|
}
|
|
3874
|
-
)).user), !
|
|
3875
|
+
)).user), !a)
|
|
3875
3876
|
throw new n(u.InsufficientPriviledges);
|
|
3876
3877
|
if (!r.locals.sessionId)
|
|
3877
3878
|
throw new n(u.Unauthorized);
|
|
3878
|
-
let
|
|
3879
|
+
let i = o.factor2;
|
|
3879
3880
|
if (o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2))
|
|
3880
3881
|
throw new n(
|
|
3881
3882
|
u.Forbidden,
|
|
3882
3883
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3883
3884
|
);
|
|
3884
|
-
if ((o.factor2 == "none" || o.factor2 == "") && (
|
|
3885
|
-
return await this.loginWithUser(
|
|
3886
|
-
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3887
|
-
return
|
|
3885
|
+
if ((o.factor2 == "none" || o.factor2 == "") && (i = void 0, !r.locals.user))
|
|
3886
|
+
return await this.loginWithUser(a, !0, r);
|
|
3887
|
+
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(a, i, r.locals.sessionId);
|
|
3888
|
+
return i ? {
|
|
3888
3889
|
ok: !0,
|
|
3889
3890
|
formData: o,
|
|
3890
3891
|
factor2Data: {
|
|
3891
|
-
username:
|
|
3892
|
-
factor2:
|
|
3892
|
+
username: a.username,
|
|
3893
|
+
factor2: i ?? "",
|
|
3893
3894
|
userData: c,
|
|
3894
3895
|
csrfToken: r.locals.csrfToken
|
|
3895
3896
|
}
|
|
@@ -3898,11 +3899,11 @@ class we {
|
|
|
3898
3899
|
formData: o
|
|
3899
3900
|
};
|
|
3900
3901
|
} catch (t) {
|
|
3901
|
-
let
|
|
3902
|
-
return l.logger.debug(f({ err:
|
|
3903
|
-
error:
|
|
3904
|
-
errorCode:
|
|
3905
|
-
errorCodeName:
|
|
3902
|
+
let a = n.asCrossauthError(t, "Couldn't update account");
|
|
3903
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
3904
|
+
error: a.message,
|
|
3905
|
+
errorCode: a.code,
|
|
3906
|
+
errorCodeName: a.codeName,
|
|
3906
3907
|
ok: !1,
|
|
3907
3908
|
formData: o
|
|
3908
3909
|
};
|
|
@@ -3940,47 +3941,47 @@ class we {
|
|
|
3940
3941
|
const h = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3941
3942
|
h != null && h.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = h == null ? void 0 : h.username;
|
|
3942
3943
|
}
|
|
3943
|
-
let
|
|
3944
|
-
if (!
|
|
3944
|
+
let a = r.locals.user;
|
|
3945
|
+
if (!a && t && (a = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3945
3946
|
t,
|
|
3946
3947
|
{
|
|
3947
3948
|
skipActiveCheck: !0,
|
|
3948
3949
|
skipEmailVerifiedCheck: !0
|
|
3949
3950
|
}
|
|
3950
|
-
)).user), !
|
|
3951
|
+
)).user), !a)
|
|
3951
3952
|
throw new n(u.InsufficientPriviledges);
|
|
3952
3953
|
if (!r.locals.sessionId)
|
|
3953
3954
|
throw new n(u.Unauthorized);
|
|
3954
3955
|
if (!r.locals.sessionId)
|
|
3955
3956
|
throw new n(u.Unauthorized);
|
|
3956
|
-
let
|
|
3957
|
-
const c = this.sessionServer.authenticators[
|
|
3957
|
+
let i = a.factor2;
|
|
3958
|
+
const c = this.sessionServer.authenticators[i];
|
|
3958
3959
|
if (!c || c.secretNames().length == 0)
|
|
3959
3960
|
throw new n(
|
|
3960
3961
|
u.BadRequest,
|
|
3961
3962
|
"Selected second factor does not have configuration"
|
|
3962
3963
|
);
|
|
3963
3964
|
const d = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3964
|
-
i,
|
|
3965
3965
|
a,
|
|
3966
|
+
i,
|
|
3966
3967
|
r.locals.sessionId
|
|
3967
3968
|
);
|
|
3968
3969
|
return {
|
|
3969
3970
|
ok: !0,
|
|
3970
3971
|
formData: o,
|
|
3971
3972
|
factor2Data: {
|
|
3972
|
-
username:
|
|
3973
|
-
factor2:
|
|
3973
|
+
username: a.username,
|
|
3974
|
+
factor2: a.factor2 ?? "",
|
|
3974
3975
|
userData: d,
|
|
3975
3976
|
csrfToken: r.locals.csrfToken
|
|
3976
3977
|
}
|
|
3977
3978
|
};
|
|
3978
3979
|
} catch (t) {
|
|
3979
|
-
let
|
|
3980
|
-
return l.logger.debug(f({ err:
|
|
3981
|
-
error:
|
|
3982
|
-
errorCode:
|
|
3983
|
-
errorCodeName:
|
|
3980
|
+
let a = n.asCrossauthError(t, "Couldn't update account");
|
|
3981
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
3982
|
+
error: a.message,
|
|
3983
|
+
errorCode: a.code,
|
|
3984
|
+
errorCodeName: a.codeName,
|
|
3984
3985
|
ok: !1,
|
|
3985
3986
|
formData: o
|
|
3986
3987
|
};
|
|
@@ -4002,16 +4003,16 @@ async function me(k, r, o = 0, s = 10) {
|
|
|
4002
4003
|
const { user: t } = await r.getUserByUsername(k);
|
|
4003
4004
|
e.push(t);
|
|
4004
4005
|
} catch (t) {
|
|
4005
|
-
const
|
|
4006
|
-
if (
|
|
4007
|
-
throw l.logger.debug(f({ err:
|
|
4006
|
+
const a = n.asCrossauthError(t);
|
|
4007
|
+
if (a.code != u.UserNotExist)
|
|
4008
|
+
throw l.logger.debug(f({ err: a })), a;
|
|
4008
4009
|
try {
|
|
4009
|
-
const { user:
|
|
4010
|
-
e.push(
|
|
4011
|
-
} catch (
|
|
4012
|
-
const c = n.asCrossauthError(
|
|
4010
|
+
const { user: i } = await r.getUserByEmail(k);
|
|
4011
|
+
e.push(i);
|
|
4012
|
+
} catch (i) {
|
|
4013
|
+
const c = n.asCrossauthError(i);
|
|
4013
4014
|
if (c.code != u.UserNotExist)
|
|
4014
|
-
throw l.logger.debug(f({ err: c })),
|
|
4015
|
+
throw l.logger.debug(f({ err: c })), a;
|
|
4015
4016
|
}
|
|
4016
4017
|
}
|
|
4017
4018
|
return e;
|
|
@@ -4030,12 +4031,12 @@ class ke {
|
|
|
4030
4031
|
}, this.updateUserEndpoint = {
|
|
4031
4032
|
actions: {
|
|
4032
4033
|
default: async (s) => {
|
|
4033
|
-
var
|
|
4034
|
+
var a, i, c;
|
|
4034
4035
|
const e = await this.getUserFromParam(s);
|
|
4035
4036
|
return e.exception || !e.user ? {
|
|
4036
4037
|
ok: !1,
|
|
4037
|
-
error: ((
|
|
4038
|
-
errorCode: (
|
|
4038
|
+
error: ((a = e.exception) == null ? void 0 : a.message) ?? "Couldn't get user",
|
|
4039
|
+
errorCode: (i = e.exception) == null ? void 0 : i.code,
|
|
4039
4040
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4040
4041
|
} : await this.updateUser(e.user, s);
|
|
4041
4042
|
}
|
|
@@ -4057,12 +4058,12 @@ class ke {
|
|
|
4057
4058
|
}, this.changePasswordEndpoint = {
|
|
4058
4059
|
actions: {
|
|
4059
4060
|
default: async (s) => {
|
|
4060
|
-
var
|
|
4061
|
+
var a, i, c;
|
|
4061
4062
|
const e = await this.getUserFromParam(s);
|
|
4062
4063
|
return e.exception || !e.user ? {
|
|
4063
4064
|
ok: !1,
|
|
4064
|
-
error: ((
|
|
4065
|
-
errorCode: (
|
|
4065
|
+
error: ((a = e.exception) == null ? void 0 : a.message) ?? "Couldn't get user",
|
|
4066
|
+
errorCode: (i = e.exception) == null ? void 0 : i.code,
|
|
4066
4067
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4067
4068
|
} : await this.changePassword(e.user, s);
|
|
4068
4069
|
}
|
|
@@ -4075,8 +4076,8 @@ class ke {
|
|
|
4075
4076
|
editUser: e.user,
|
|
4076
4077
|
...this.baseEndpoint(s)
|
|
4077
4078
|
};
|
|
4078
|
-
let t = {},
|
|
4079
|
-
return
|
|
4079
|
+
let t = {}, a = s.url.searchParams.get("next");
|
|
4080
|
+
return a && (t.next = a), {
|
|
4080
4081
|
...t,
|
|
4081
4082
|
editUser: e.user,
|
|
4082
4083
|
...this.baseEndpoint(s)
|
|
@@ -4098,15 +4099,15 @@ class ke {
|
|
|
4098
4099
|
default: async (s) => await this.deleteUser(s)
|
|
4099
4100
|
},
|
|
4100
4101
|
load: async (s) => {
|
|
4101
|
-
var t,
|
|
4102
|
+
var t, a, i;
|
|
4102
4103
|
const e = await this.getUserFromParam(s);
|
|
4103
4104
|
return e.exception || !e.user ? {
|
|
4104
4105
|
error: "User doesn't exist",
|
|
4105
4106
|
errorCode: (t = e.exception) == null ? void 0 : t.code,
|
|
4106
|
-
errorCodeName: (
|
|
4107
|
+
errorCodeName: (a = e.exception) == null ? void 0 : a.codeName,
|
|
4107
4108
|
...this.baseEndpoint(s)
|
|
4108
4109
|
} : {
|
|
4109
|
-
username: (
|
|
4110
|
+
username: (i = e.user) == null ? void 0 : i.username,
|
|
4110
4111
|
...this.baseEndpoint(s)
|
|
4111
4112
|
};
|
|
4112
4113
|
}
|
|
@@ -4157,7 +4158,7 @@ class ke {
|
|
|
4157
4158
|
try {
|
|
4158
4159
|
if (!this.sessionServer.userStorage) throw new n(u.Configuration, "Must provide user storage to use this function");
|
|
4159
4160
|
(!r.locals.user || !m.isAdminFn(r.locals.user)) && this.sessionServer.error(401);
|
|
4160
|
-
let t = [],
|
|
4161
|
+
let t = [], a = [], i = [];
|
|
4161
4162
|
if (!s)
|
|
4162
4163
|
try {
|
|
4163
4164
|
const d = r.url.searchParams.get("skip");
|
|
@@ -4179,7 +4180,7 @@ class ke {
|
|
|
4179
4180
|
this.sessionServer.userStorage,
|
|
4180
4181
|
s,
|
|
4181
4182
|
e
|
|
4182
|
-
), s > 0 && (
|
|
4183
|
+
), s > 0 && (a = await this.userSearchFn(
|
|
4183
4184
|
o,
|
|
4184
4185
|
this.sessionServer.userStorage,
|
|
4185
4186
|
s - 1,
|
|
@@ -4187,7 +4188,7 @@ class ke {
|
|
|
4187
4188
|
))) : (t = await this.sessionServer.userStorage.getUsers(
|
|
4188
4189
|
s,
|
|
4189
4190
|
e
|
|
4190
|
-
), t.length == e && (
|
|
4191
|
+
), t.length == e && (i = await this.sessionServer.userStorage.getUsers(
|
|
4191
4192
|
s + e,
|
|
4192
4193
|
1
|
|
4193
4194
|
))), {
|
|
@@ -4195,17 +4196,17 @@ class ke {
|
|
|
4195
4196
|
users: t,
|
|
4196
4197
|
skip: s,
|
|
4197
4198
|
take: e,
|
|
4198
|
-
hasPrevious:
|
|
4199
|
-
hasNext:
|
|
4199
|
+
hasPrevious: a.length > 0,
|
|
4200
|
+
hasNext: i.length > 0,
|
|
4200
4201
|
search: o
|
|
4201
4202
|
};
|
|
4202
4203
|
} catch (t) {
|
|
4203
|
-
const
|
|
4204
|
-
return l.logger.debug(f({ err:
|
|
4204
|
+
const a = n.asCrossauthError(t);
|
|
4205
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4205
4206
|
ok: !1,
|
|
4206
|
-
error:
|
|
4207
|
-
errorCode:
|
|
4208
|
-
errorCodeName:
|
|
4207
|
+
error: a.message,
|
|
4208
|
+
errorCode: a.code,
|
|
4209
|
+
errorCodeName: a.codeName,
|
|
4209
4210
|
hasPrevious: !1,
|
|
4210
4211
|
hasNext: !1,
|
|
4211
4212
|
skip: s ?? 0,
|
|
@@ -4251,7 +4252,7 @@ class ke {
|
|
|
4251
4252
|
if (!this.sessionServer.userStorage) throw new n(u.Configuration, "Must provide user storage to use this function");
|
|
4252
4253
|
var e = new b();
|
|
4253
4254
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
4254
|
-
const t = r.factor2,
|
|
4255
|
+
const t = r.factor2, a = r.state;
|
|
4255
4256
|
r.state = s.state ?? "active", r = this.sessionServer.updateUserFn(
|
|
4256
4257
|
r,
|
|
4257
4258
|
o,
|
|
@@ -4261,10 +4262,10 @@ class ke {
|
|
|
4261
4262
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4262
4263
|
}
|
|
4263
4264
|
);
|
|
4264
|
-
const
|
|
4265
|
-
if (
|
|
4265
|
+
const i = r.factor2 && r.factor2 != "none" && r.factor2 != t;
|
|
4266
|
+
if (i && !(r.state == a || r.state == "factor2ResetNeeded"))
|
|
4266
4267
|
throw new n(u.BadRequest, "Cannot change both factor2 and state at the same time");
|
|
4267
|
-
|
|
4268
|
+
i && (r.state = N.factor2ResetNeeded, l.logger.warn(f({
|
|
4268
4269
|
msg: `Setting state for user to ${N.factor2ResetNeeded}`,
|
|
4269
4270
|
username: r.username
|
|
4270
4271
|
})));
|
|
@@ -4280,11 +4281,11 @@ class ke {
|
|
|
4280
4281
|
};
|
|
4281
4282
|
} catch (t) {
|
|
4282
4283
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4283
|
-
let
|
|
4284
|
-
return l.logger.debug(f({ err:
|
|
4285
|
-
error:
|
|
4286
|
-
errorCode:
|
|
4287
|
-
errorCodeName:
|
|
4284
|
+
let a = n.asCrossauthError(t, "Couldn't log in");
|
|
4285
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4286
|
+
error: a.message,
|
|
4287
|
+
errorCode: a.code,
|
|
4288
|
+
errorCodeName: a.codeName,
|
|
4288
4289
|
ok: !1,
|
|
4289
4290
|
formData: s
|
|
4290
4291
|
};
|
|
@@ -4316,20 +4317,20 @@ class ke {
|
|
|
4316
4317
|
var e = new b();
|
|
4317
4318
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken)
|
|
4318
4319
|
throw new n(u.InvalidCsrf);
|
|
4319
|
-
const t = this.sessionServer.authenticators[r.factor1],
|
|
4320
|
-
let
|
|
4320
|
+
const t = this.sessionServer.authenticators[r.factor1], a = t.secretNames();
|
|
4321
|
+
let i = {}, c = {}, d = {};
|
|
4321
4322
|
for (let g in s)
|
|
4322
4323
|
if (g.startsWith("new_")) {
|
|
4323
4324
|
const p = g.replace(/^new_/, "");
|
|
4324
|
-
|
|
4325
|
+
a.includes(p) && (c[p] = s[g]);
|
|
4325
4326
|
} else if (g.startsWith("old_")) {
|
|
4326
4327
|
const p = g.replace(/^old_/, "");
|
|
4327
|
-
|
|
4328
|
+
a.includes(p) && (i[p] = s[g]);
|
|
4328
4329
|
} else if (g.startsWith("repeat_")) {
|
|
4329
4330
|
const p = g.replace(/^repeat_/, "");
|
|
4330
|
-
|
|
4331
|
+
a.includes(p) && (d[p] = s[g]);
|
|
4331
4332
|
}
|
|
4332
|
-
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(
|
|
4333
|
+
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(i).length === 0 && (i = void 0), t.validateSecrets(c).length > 0)
|
|
4333
4334
|
throw new n(u.PasswordFormat);
|
|
4334
4335
|
try {
|
|
4335
4336
|
await this.sessionServer.sessionManager.changeSecrets(
|
|
@@ -4337,7 +4338,7 @@ class ke {
|
|
|
4337
4338
|
1,
|
|
4338
4339
|
c,
|
|
4339
4340
|
d,
|
|
4340
|
-
|
|
4341
|
+
i
|
|
4341
4342
|
);
|
|
4342
4343
|
} catch (g) {
|
|
4343
4344
|
const p = n.asCrossauthError(g);
|
|
@@ -4349,11 +4350,11 @@ class ke {
|
|
|
4349
4350
|
};
|
|
4350
4351
|
} catch (t) {
|
|
4351
4352
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4352
|
-
let
|
|
4353
|
-
return l.logger.debug(f({ err:
|
|
4354
|
-
error:
|
|
4355
|
-
errorCode:
|
|
4356
|
-
errorCodeName:
|
|
4353
|
+
let a = n.asCrossauthError(t, "Couldn't change password");
|
|
4354
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4355
|
+
error: a.message,
|
|
4356
|
+
errorCode: a.code,
|
|
4357
|
+
errorCodeName: a.codeName,
|
|
4357
4358
|
ok: !1,
|
|
4358
4359
|
formData: s
|
|
4359
4360
|
};
|
|
@@ -4428,21 +4429,21 @@ class ke {
|
|
|
4428
4429
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4429
4430
|
}
|
|
4430
4431
|
);
|
|
4431
|
-
const
|
|
4432
|
-
let
|
|
4433
|
-
for (let w of
|
|
4434
|
-
!o[w] && !o["repeat_" + w] && (
|
|
4432
|
+
const a = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
4433
|
+
let i = !0;
|
|
4434
|
+
for (let w of a)
|
|
4435
|
+
!o[w] && !o["repeat_" + w] && (i = !1);
|
|
4435
4436
|
let c = [], d = {};
|
|
4436
|
-
if (
|
|
4437
|
+
if (i) {
|
|
4437
4438
|
c = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
4438
4439
|
for (let w in o)
|
|
4439
4440
|
if (w.startsWith("repeat_")) {
|
|
4440
4441
|
const S = w.replace(/^repeat_/, "");
|
|
4441
|
-
|
|
4442
|
+
a.includes(S) && (d[S] = o[w]);
|
|
4442
4443
|
}
|
|
4443
4444
|
Object.keys(d).length === 0 && (d = void 0);
|
|
4444
4445
|
}
|
|
4445
|
-
|
|
4446
|
+
i ? o.factor2 != null && (t.state = N.factor2ResetNeeded) : o.factor2 == null ? t.state = N.passwordResetNeeded : t.state = N.passwordAndFactor2ResetNeeded;
|
|
4446
4447
|
let g = [...this.sessionServer.validateUserFn(t), ...c];
|
|
4447
4448
|
if (g.length > 0)
|
|
4448
4449
|
throw new n(u.FormEntry, g);
|
|
@@ -4451,9 +4452,9 @@ class ke {
|
|
|
4451
4452
|
o,
|
|
4452
4453
|
d,
|
|
4453
4454
|
!0,
|
|
4454
|
-
!
|
|
4455
|
+
!i
|
|
4455
4456
|
);
|
|
4456
|
-
if (!
|
|
4457
|
+
if (!i) {
|
|
4457
4458
|
let w = o.username;
|
|
4458
4459
|
if ("user_email" in o && (w = o.user_email), oe.validateEmail(w), !w) throw new n(u.FormEntry, "No password given but no email address found either");
|
|
4459
4460
|
await this.sessionServer.sessionManager.requestPasswordReset(w);
|
|
@@ -4527,18 +4528,18 @@ async function Se(k, r, o, s, e) {
|
|
|
4527
4528
|
let t = [];
|
|
4528
4529
|
if (o > 0) return [];
|
|
4529
4530
|
try {
|
|
4530
|
-
const
|
|
4531
|
-
t.push(
|
|
4532
|
-
} catch (
|
|
4533
|
-
const
|
|
4534
|
-
if (
|
|
4535
|
-
throw l.logger.debug(f({ err:
|
|
4531
|
+
const a = await r.getClientById(k);
|
|
4532
|
+
t.push(a);
|
|
4533
|
+
} catch (a) {
|
|
4534
|
+
const i = n.asCrossauthError(a);
|
|
4535
|
+
if (i.code != u.UserNotExist)
|
|
4536
|
+
throw l.logger.debug(f({ err: i })), i;
|
|
4536
4537
|
try {
|
|
4537
4538
|
t = await r.getClientByName(k, e);
|
|
4538
4539
|
} catch (c) {
|
|
4539
4540
|
const d = n.asCrossauthError(c);
|
|
4540
4541
|
if (d.code != u.UserNotExist)
|
|
4541
|
-
throw l.logger.debug(f({ err: d })),
|
|
4542
|
+
throw l.logger.debug(f({ err: d })), i;
|
|
4542
4543
|
}
|
|
4543
4544
|
}
|
|
4544
4545
|
return t;
|
|
@@ -4597,7 +4598,7 @@ class X {
|
|
|
4597
4598
|
if (!this.sessionServer.clientStorage) throw new n(u.Configuration, "Must provide client storage to use this function");
|
|
4598
4599
|
if (!r.locals.user)
|
|
4599
4600
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
4600
|
-
let
|
|
4601
|
+
let a = [], i = [], c = [];
|
|
4601
4602
|
if (!s)
|
|
4602
4603
|
try {
|
|
4603
4604
|
const h = r.url.searchParams.get("skip");
|
|
@@ -4614,44 +4615,44 @@ class X {
|
|
|
4614
4615
|
}
|
|
4615
4616
|
e || (e = 10);
|
|
4616
4617
|
const d = r.url.searchParams.get("search");
|
|
4617
|
-
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (
|
|
4618
|
+
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (a = await this.clientSearchFn(
|
|
4618
4619
|
o,
|
|
4619
4620
|
this.sessionServer.clientStorage,
|
|
4620
4621
|
s,
|
|
4621
4622
|
e
|
|
4622
|
-
), s > 0 && (
|
|
4623
|
+
), s > 0 && (i = await this.clientSearchFn(
|
|
4623
4624
|
o,
|
|
4624
4625
|
this.sessionServer.clientStorage,
|
|
4625
4626
|
s - 1,
|
|
4626
4627
|
1,
|
|
4627
4628
|
t
|
|
4628
|
-
))) : (
|
|
4629
|
+
))) : (a = await this.sessionServer.clientStorage.getClients(
|
|
4629
4630
|
s,
|
|
4630
4631
|
e,
|
|
4631
4632
|
t
|
|
4632
|
-
),
|
|
4633
|
+
), a.length == e && (c = await this.sessionServer.clientStorage.getClients(
|
|
4633
4634
|
s + e,
|
|
4634
4635
|
1,
|
|
4635
4636
|
t
|
|
4636
4637
|
))), {
|
|
4637
4638
|
ok: !0,
|
|
4638
|
-
clients:
|
|
4639
|
+
clients: a,
|
|
4639
4640
|
skip: s,
|
|
4640
4641
|
take: e,
|
|
4641
|
-
hasPrevious:
|
|
4642
|
+
hasPrevious: i.length > 0,
|
|
4642
4643
|
hasNext: c.length > 0,
|
|
4643
4644
|
search: o,
|
|
4644
4645
|
clientUserId: t
|
|
4645
4646
|
};
|
|
4646
|
-
} catch (
|
|
4647
|
-
if (m.isSvelteKitRedirect(
|
|
4648
|
-
throw
|
|
4649
|
-
const
|
|
4650
|
-
return l.logger.debug(f({ err:
|
|
4647
|
+
} catch (a) {
|
|
4648
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitRedirect(a))
|
|
4649
|
+
throw a;
|
|
4650
|
+
const i = n.asCrossauthError(a);
|
|
4651
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4651
4652
|
ok: !1,
|
|
4652
|
-
error:
|
|
4653
|
-
errorCode:
|
|
4654
|
-
errorCodeName:
|
|
4653
|
+
error: i.message,
|
|
4654
|
+
errorCode: i.code,
|
|
4655
|
+
errorCodeName: i.codeName,
|
|
4655
4656
|
hasPrevious: !1,
|
|
4656
4657
|
hasNext: !1,
|
|
4657
4658
|
skip: s ?? 0,
|
|
@@ -4674,21 +4675,21 @@ class X {
|
|
|
4674
4675
|
try {
|
|
4675
4676
|
if (!o) throw new n(u.BadRequest, "No client ID specified");
|
|
4676
4677
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4677
|
-
const
|
|
4678
|
+
const a = await this.clientStorage.getClientById(o), i = a.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(a.userid)), c = (t = i == null ? void 0 : i.user) == null ? void 0 : t.username;
|
|
4678
4679
|
return {
|
|
4679
4680
|
ok: !0,
|
|
4680
|
-
client:
|
|
4681
|
+
client: a,
|
|
4681
4682
|
validFlows: this.validFlows,
|
|
4682
4683
|
valid_flowNames: this.valid_flowNames,
|
|
4683
4684
|
client_id: o,
|
|
4684
4685
|
clientUsername: c
|
|
4685
4686
|
};
|
|
4686
|
-
} catch (
|
|
4687
|
-
let
|
|
4688
|
-
return l.logger.debug(f({ err:
|
|
4689
|
-
error:
|
|
4690
|
-
errorCode:
|
|
4691
|
-
errorCodeName:
|
|
4687
|
+
} catch (a) {
|
|
4688
|
+
let i = n.asCrossauthError(a, "Couldn't load client");
|
|
4689
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4690
|
+
error: i.message,
|
|
4691
|
+
errorCode: i.code,
|
|
4692
|
+
errorCodeName: i.codeName,
|
|
4692
4693
|
ok: !1,
|
|
4693
4694
|
validFlows: this.validFlows,
|
|
4694
4695
|
valid_flowNames: this.valid_flowNames,
|
|
@@ -4709,11 +4710,11 @@ class X {
|
|
|
4709
4710
|
* @returns {@link UpdateClientFormData}. If a new secret was created, it will be placed as plaintext in the client that is returned.
|
|
4710
4711
|
*/
|
|
4711
4712
|
async updateClient_internal(r, o) {
|
|
4712
|
-
var t,
|
|
4713
|
+
var t, a;
|
|
4713
4714
|
let s;
|
|
4714
4715
|
try {
|
|
4715
|
-
const
|
|
4716
|
-
if (!
|
|
4716
|
+
const i = r.params.client_id;
|
|
4717
|
+
if (!i) throw new n(u.BadRequest, "No client ID given");
|
|
4717
4718
|
var e = new b();
|
|
4718
4719
|
if (await e.loadData(r), s = e.toObject(), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4719
4720
|
throw new n(u.InvalidCsrf);
|
|
@@ -4737,7 +4738,7 @@ class X {
|
|
|
4737
4738
|
if (g.client_name = s.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow = h, g.redirect_uri = c, o) {
|
|
4738
4739
|
let C = s.userid ?? void 0;
|
|
4739
4740
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4740
|
-
const { user: T } = await ((
|
|
4741
|
+
const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4741
4742
|
C = T.id;
|
|
4742
4743
|
}
|
|
4743
4744
|
g.userid = s.userid ? Number(s.userid) : null;
|
|
@@ -4745,7 +4746,7 @@ class X {
|
|
|
4745
4746
|
const p = e.getAsBoolean("resetSecret");
|
|
4746
4747
|
if (!this.clientManager) throw new n(u.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
|
|
4747
4748
|
const { client: w, newSecret: S } = await this.clientManager.updateClient(
|
|
4748
|
-
|
|
4749
|
+
i,
|
|
4749
4750
|
g,
|
|
4750
4751
|
p
|
|
4751
4752
|
);
|
|
@@ -4756,9 +4757,9 @@ class X {
|
|
|
4756
4757
|
//plaintextSecret: resetSecret ? formData.client_secret : undefined,
|
|
4757
4758
|
plaintextSecret: S && w.client_secret ? w.client_secret : void 0
|
|
4758
4759
|
};
|
|
4759
|
-
} catch (
|
|
4760
|
-
if (m.isSvelteKitRedirect(
|
|
4761
|
-
let c = n.asCrossauthError(
|
|
4760
|
+
} catch (i) {
|
|
4761
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
4762
|
+
let c = n.asCrossauthError(i, "Couldn't update client");
|
|
4762
4763
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ cerr: c })), {
|
|
4763
4764
|
error: c.message,
|
|
4764
4765
|
errorCode: c.code,
|
|
@@ -4777,7 +4778,7 @@ class X {
|
|
|
4777
4778
|
* @returns {@link CreateClientPageData}.
|
|
4778
4779
|
*/
|
|
4779
4780
|
async emptyClient_internal(r, o) {
|
|
4780
|
-
var e, t,
|
|
4781
|
+
var e, t, a, i, c, d, h;
|
|
4781
4782
|
try {
|
|
4782
4783
|
var s = new b();
|
|
4783
4784
|
await s.loadData(r);
|
|
@@ -4789,8 +4790,8 @@ class X {
|
|
|
4789
4790
|
g = T.id;
|
|
4790
4791
|
}
|
|
4791
4792
|
const C = s.get("userid");
|
|
4792
|
-
if (C && ((
|
|
4793
|
-
const { user: T } = await ((
|
|
4793
|
+
if (C && ((a = this.sessionServer) != null && a.userStorage)) {
|
|
4794
|
+
const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4794
4795
|
g = T.id;
|
|
4795
4796
|
}
|
|
4796
4797
|
} else {
|
|
@@ -4830,7 +4831,7 @@ class X {
|
|
|
4830
4831
|
* @returns {@link UpdateClientFormData}. If a secret was created, it will be placed as plaintext in the client that is returned. A random `client_id` is created.
|
|
4831
4832
|
*/
|
|
4832
4833
|
async createClient_internal(r, o) {
|
|
4833
|
-
var t,
|
|
4834
|
+
var t, a, i, c;
|
|
4834
4835
|
let s;
|
|
4835
4836
|
try {
|
|
4836
4837
|
var e = new b();
|
|
@@ -4839,7 +4840,7 @@ class X {
|
|
|
4839
4840
|
if (o) {
|
|
4840
4841
|
const C = e.get("userid");
|
|
4841
4842
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4842
|
-
const { user: T } = await ((
|
|
4843
|
+
const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4843
4844
|
d = T.id;
|
|
4844
4845
|
}
|
|
4845
4846
|
} else {
|
|
@@ -4847,7 +4848,7 @@ class X {
|
|
|
4847
4848
|
d = r.locals.user.id;
|
|
4848
4849
|
}
|
|
4849
4850
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4850
|
-
if (d && await ((c = (
|
|
4851
|
+
if (d && await ((c = (i = this.sessionServer) == null ? void 0 : i.userStorage) == null ? void 0 : c.getUserById(d)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4851
4852
|
throw new n(u.InvalidCsrf);
|
|
4852
4853
|
const h = !s.redirect_uri || s.redirect_uri.trim().length == 0 ? [] : s.redirect_uri.trim().split(/[, ][ \t\n]*/);
|
|
4853
4854
|
let g = [];
|
|
@@ -4903,19 +4904,19 @@ class X {
|
|
|
4903
4904
|
try {
|
|
4904
4905
|
if (!o) throw new n(u.BadRequest, "No client ID specified");
|
|
4905
4906
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4906
|
-
const
|
|
4907
|
+
const a = await this.clientStorage.getClientById(o), i = a.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(a.userid)), c = (t = i == null ? void 0 : i.user) == null ? void 0 : t.username;
|
|
4907
4908
|
return {
|
|
4908
4909
|
ok: !0,
|
|
4909
|
-
client:
|
|
4910
|
+
client: a,
|
|
4910
4911
|
client_id: o,
|
|
4911
4912
|
clientUsername: c
|
|
4912
4913
|
};
|
|
4913
|
-
} catch (
|
|
4914
|
-
let
|
|
4915
|
-
return l.logger.debug(f({ err:
|
|
4916
|
-
error:
|
|
4917
|
-
errorCode:
|
|
4918
|
-
errorCodeName:
|
|
4914
|
+
} catch (a) {
|
|
4915
|
+
let i = n.asCrossauthError(a, "Couldn't load client");
|
|
4916
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4917
|
+
error: i.message,
|
|
4918
|
+
errorCode: i.code,
|
|
4919
|
+
errorCodeName: i.codeName,
|
|
4919
4920
|
ok: !1,
|
|
4920
4921
|
client_id: o
|
|
4921
4922
|
};
|
|
@@ -4936,19 +4937,19 @@ class X {
|
|
|
4936
4937
|
const t = r.params.client_id;
|
|
4937
4938
|
if (!t) throw new n(u.BadRequest, "No client ID given");
|
|
4938
4939
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4939
|
-
const
|
|
4940
|
-
if (!o &&
|
|
4940
|
+
const a = await ((s = this.clientStorage) == null ? void 0 : s.getClientById(t));
|
|
4941
|
+
if (!o && a.userid != ((e = r.locals.user) == null ? void 0 : e.id))
|
|
4941
4942
|
throw this.error(401, "Unauthorized");
|
|
4942
4943
|
return await this.clientStorage.deleteClient(t), {
|
|
4943
4944
|
ok: !0
|
|
4944
4945
|
};
|
|
4945
4946
|
} catch (t) {
|
|
4946
4947
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
4947
|
-
let
|
|
4948
|
-
return l.logger.debug(f({ err:
|
|
4949
|
-
error:
|
|
4950
|
-
errorCode:
|
|
4951
|
-
errorCodeName:
|
|
4948
|
+
let a = n.asCrossauthError(t, "Couldn't delete client");
|
|
4949
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4950
|
+
error: a.message,
|
|
4951
|
+
errorCode: a.code,
|
|
4952
|
+
errorCodeName: a.codeName,
|
|
4952
4953
|
ok: !1
|
|
4953
4954
|
};
|
|
4954
4955
|
}
|
|
@@ -5266,46 +5267,46 @@ function Ee(k) {
|
|
|
5266
5267
|
return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
|
|
5267
5268
|
}
|
|
5268
5269
|
function _e(k, r, o) {
|
|
5269
|
-
var
|
|
5270
|
+
var a;
|
|
5270
5271
|
let e = {
|
|
5271
5272
|
username: r.username ?? "",
|
|
5272
5273
|
state: "active"
|
|
5273
5274
|
};
|
|
5274
5275
|
const t = k.locals.user && m.isAdminFn(k.locals.user);
|
|
5275
|
-
for (let
|
|
5276
|
-
let c =
|
|
5277
|
-
if (
|
|
5276
|
+
for (let i in r) {
|
|
5277
|
+
let c = i.replace(/^user_/, "");
|
|
5278
|
+
if (i.startsWith("user_") && (t || o.includes(c)))
|
|
5278
5279
|
if ("type_" + c in r) {
|
|
5279
5280
|
if (r["type_" + c] == "string")
|
|
5280
|
-
e[c] = r[
|
|
5281
|
+
e[c] = r[i];
|
|
5281
5282
|
else if (r["type_" + c] == "number" || r["type_" + c] == "integer" || r["type_" + c] == "float")
|
|
5282
|
-
e[c] = Number(r[
|
|
5283
|
+
e[c] = Number(r[i]);
|
|
5283
5284
|
else if (r["type_" + c] == "boolean") {
|
|
5284
|
-
const d = (
|
|
5285
|
+
const d = (a = r[i]) == null ? void 0 : a.toLocaleLowerCase();
|
|
5285
5286
|
e[c] = d == "1" || d == "y" || d == "t" || d == "yes" || d == "true";
|
|
5286
5287
|
}
|
|
5287
5288
|
} else
|
|
5288
|
-
e[c] = r[
|
|
5289
|
+
e[c] = r[i];
|
|
5289
5290
|
}
|
|
5290
5291
|
return e.factor1 = "localpassword", e.factor2 = r.factor2, e;
|
|
5291
5292
|
}
|
|
5292
5293
|
function ve(k, r, o, s) {
|
|
5293
5294
|
var t;
|
|
5294
5295
|
const e = r.locals.user && m.isAdminFn(r.locals.user);
|
|
5295
|
-
for (let
|
|
5296
|
-
let
|
|
5297
|
-
if (
|
|
5298
|
-
if ("type_" +
|
|
5299
|
-
if (o["type_" +
|
|
5300
|
-
k[
|
|
5301
|
-
else if (o["type_" +
|
|
5302
|
-
k[
|
|
5303
|
-
else if (o["type_" +
|
|
5304
|
-
const c = (t = o[
|
|
5305
|
-
k[
|
|
5296
|
+
for (let a in o) {
|
|
5297
|
+
let i = a.replace(/^user_/, "");
|
|
5298
|
+
if (a.startsWith("user_") && (e || s.includes(i)))
|
|
5299
|
+
if ("type_" + i in o) {
|
|
5300
|
+
if (o["type_" + i] == "string")
|
|
5301
|
+
k[i] = o[a];
|
|
5302
|
+
else if (o["type_" + i] == "number" || o["type_" + i] == "integer" || o["type_" + i] == "float")
|
|
5303
|
+
k[i] = Number(o[a]);
|
|
5304
|
+
else if (o["type_" + i] == "boolean") {
|
|
5305
|
+
const c = (t = o[a]) == null ? void 0 : t.toLocaleLowerCase();
|
|
5306
|
+
k[i] = c == "1" || c == "y" || c == "t" || c == "yes" || c == "true";
|
|
5306
5307
|
}
|
|
5307
5308
|
} else
|
|
5308
|
-
k[
|
|
5309
|
+
k[i] = o[a];
|
|
5309
5310
|
}
|
|
5310
5311
|
return k;
|
|
5311
5312
|
}
|
|
@@ -5334,8 +5335,8 @@ class H {
|
|
|
5334
5335
|
y("enableEmailVerification", E.Boolean, this, s, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", E.Boolean, this, s, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", E.Boolean, this, s, "ENABLE_CSRF_PROTECTION"), y("editUserScope", E.String, this, s, "EDIT_USER_SCOPE"), s.validateUserFn && (this.validateUserFn = s.validateUserFn), s.createUserFn && (this.createUserFn = s.createUserFn), s.updateUserFn && (this.updateUserFn = s.updateUserFn), s.addToSession && (this.addToSession = s.addToSession), s.validateSession && (this.validateSession = s.validateSession), this.userEndpoints = new we(this, s), this.adminEndpoints = new ke(this, s), this.userClientEndpoints = new Ce(this, s), this.adminClientEndpoints = new ye(this, s), this.sessionHook = async ({ event: t }) => {
|
|
5335
5336
|
var h, g;
|
|
5336
5337
|
l.logger.debug("Session hook");
|
|
5337
|
-
let
|
|
5338
|
-
const
|
|
5338
|
+
let a = [];
|
|
5339
|
+
const i = this.sessionManager.csrfCookieName, c = this.sessionManager.sessionCookieName;
|
|
5339
5340
|
if (this.enableCsrfProtection) {
|
|
5340
5341
|
l.logger.debug(f({ msg: "Getting csrf cookie" }));
|
|
5341
5342
|
let p;
|
|
@@ -5344,7 +5345,7 @@ class H {
|
|
|
5344
5345
|
} catch (w) {
|
|
5345
5346
|
l.logger.warn(f({ msg: "Invalid csrf cookie received", cerr: w, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5346
5347
|
try {
|
|
5347
|
-
this.clearCookie(
|
|
5348
|
+
this.clearCookie(i, this.sessionManager.csrfCookiePath, t);
|
|
5348
5349
|
} catch (S) {
|
|
5349
5350
|
l.logger.debug(f({ err: S })), l.logger.error(f({ cerr: S, msg: "Couldn't delete CSRF cookie", ip: t.request.referrer, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5350
5351
|
}
|
|
@@ -5361,13 +5362,13 @@ class H {
|
|
|
5361
5362
|
const { csrfCookie: w, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
|
|
5362
5363
|
this.setCsrfCookie(w, t), t.locals.csrfToken = S;
|
|
5363
5364
|
}
|
|
5364
|
-
this.setHeader(x, t.locals.csrfToken,
|
|
5365
|
+
this.setHeader(x, t.locals.csrfToken, a);
|
|
5365
5366
|
} catch (w) {
|
|
5366
|
-
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (h = t.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w })), this.clearCookie(
|
|
5367
|
+
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (h = t.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w })), this.clearCookie(i, this.sessionManager.csrfCookiePath, t), t.locals.csrfToken = void 0;
|
|
5367
5368
|
}
|
|
5368
5369
|
else if (p)
|
|
5369
5370
|
try {
|
|
5370
|
-
await this.csrfToken(t,
|
|
5371
|
+
await this.csrfToken(t, a);
|
|
5371
5372
|
} catch (w) {
|
|
5372
5373
|
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (g = t.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w }));
|
|
5373
5374
|
}
|
|
@@ -5382,13 +5383,13 @@ class H {
|
|
|
5382
5383
|
} catch {
|
|
5383
5384
|
l.logger.warn(f({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(t) })), this.clearCookie(c, this.sessionManager.sessionCookiePath, t);
|
|
5384
5385
|
}
|
|
5385
|
-
return { headers:
|
|
5386
|
+
return { headers: a };
|
|
5386
5387
|
}, this.twoFAHook = async ({ event: t }) => {
|
|
5387
5388
|
var h;
|
|
5388
5389
|
if (l.logger.debug(f({ msg: "twoFAHook", username: (h = t.locals.user) == null ? void 0 : h.username })), !this.userStorage) throw this.error(500, "No user storage defined");
|
|
5389
|
-
const
|
|
5390
|
+
const a = this.getSessionCookieValue(t), i = this.isFactor2PageProtected(t), c = this.isFactor2ApiProtected(t);
|
|
5390
5391
|
let d;
|
|
5391
|
-
if (
|
|
5392
|
+
if (a)
|
|
5392
5393
|
if (t.locals.user) d = t.locals.user;
|
|
5393
5394
|
else {
|
|
5394
5395
|
const g = await this.getSessionData(t, "user");
|
|
@@ -5397,7 +5398,7 @@ class H {
|
|
|
5397
5398
|
(p.user.status == N.active || p.user.state == N.factor2ResetNeeded) && (d = p.user);
|
|
5398
5399
|
}
|
|
5399
5400
|
}
|
|
5400
|
-
if (d &&
|
|
5401
|
+
if (d && a && d.factor2 != "" && (i || c))
|
|
5401
5402
|
if (l.logger.debug(f({ msg: "Factor2-protected endpoint visited" })), ["GET", "OPTIONS", "HEAD"].includes(t.request.method)) {
|
|
5402
5403
|
l.logger.debug(f({ msg: "Factor2-protected GET endpoint - cancelling 2FA" }));
|
|
5403
5404
|
const g = this.getSessionCookieValue(t);
|
|
@@ -5413,7 +5414,7 @@ class H {
|
|
|
5413
5414
|
}
|
|
5414
5415
|
}
|
|
5415
5416
|
} else {
|
|
5416
|
-
const g = this.sessionManager.getSessionId(
|
|
5417
|
+
const g = this.sessionManager.getSessionId(a), p = await this.sessionManager.dataForSessionId(g);
|
|
5417
5418
|
if ("pre2fa" in p) {
|
|
5418
5419
|
l.logger.debug(f({ msg: "Completing 2FA" }));
|
|
5419
5420
|
const w = this.authenticators[p.pre2fa.factor2], S = [...w.secretNames(), ...w.transientSecretNames()];
|
|
@@ -5442,7 +5443,7 @@ class H {
|
|
|
5442
5443
|
}
|
|
5443
5444
|
return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
|
|
5444
5445
|
} else
|
|
5445
|
-
return
|
|
5446
|
+
return i ? {
|
|
5446
5447
|
twofa: !0,
|
|
5447
5448
|
ok: !1,
|
|
5448
5449
|
response: new Response("", {
|
|
@@ -5490,7 +5491,7 @@ class H {
|
|
|
5490
5491
|
const w = new b();
|
|
5491
5492
|
await w.loadData(t);
|
|
5492
5493
|
let S = t.request.headers.get("content-type");
|
|
5493
|
-
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", w.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0),
|
|
5494
|
+
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", w.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0), i ? {
|
|
5494
5495
|
twofa: !0,
|
|
5495
5496
|
ok: !0,
|
|
5496
5497
|
response: new Response("", {
|
|
@@ -5613,21 +5614,21 @@ class H {
|
|
|
5613
5614
|
* @returns the string CSRF token for inclusion in forms
|
|
5614
5615
|
*/
|
|
5615
5616
|
async csrfToken(r, o) {
|
|
5616
|
-
var e, t,
|
|
5617
|
+
var e, t, a;
|
|
5617
5618
|
let s;
|
|
5618
5619
|
if (r.request.headers && r.request.headers.has(x.toLowerCase())) {
|
|
5619
|
-
const
|
|
5620
|
-
Array.isArray(
|
|
5620
|
+
const i = r.request.headers.get(x.toLowerCase());
|
|
5621
|
+
Array.isArray(i) ? s = i[0] : i && (s = i);
|
|
5621
5622
|
}
|
|
5622
5623
|
if (!s) {
|
|
5623
5624
|
if (!((e = r.request) != null && e.body)) {
|
|
5624
5625
|
l.logger.warn(f({ msg: "Received CSRF header but not token", ip: r.request.referrerPolicy, hashedCsrfCookie: this.getHashOfCsrfCookie(r) }));
|
|
5625
5626
|
return;
|
|
5626
5627
|
}
|
|
5627
|
-
const
|
|
5628
|
-
if (
|
|
5629
|
-
s = (await ((
|
|
5630
|
-
else if (
|
|
5628
|
+
const i = r.request.headers.get("content-type");
|
|
5629
|
+
if (i == "application/json")
|
|
5630
|
+
s = (await ((a = (t = r.request) == null ? void 0 : t.clone()) == null ? void 0 : a.json())).csrfToken;
|
|
5631
|
+
else if (i == "application/x-www-form-urlencoded" || i == "multipart/form-data") {
|
|
5631
5632
|
const d = (await r.request.clone().formData()).get("csrfToken");
|
|
5632
5633
|
d && typeof d == "string" && (s = d);
|
|
5633
5634
|
}
|
|
@@ -5660,8 +5661,8 @@ class H {
|
|
|
5660
5661
|
else {
|
|
5661
5662
|
e = "";
|
|
5662
5663
|
for (let t in o) {
|
|
5663
|
-
const
|
|
5664
|
-
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(
|
|
5664
|
+
const a = o[t];
|
|
5665
|
+
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(a);
|
|
5665
5666
|
}
|
|
5666
5667
|
}
|
|
5667
5668
|
return r.request = new Request(r.request.url, {
|
|
@@ -5715,10 +5716,10 @@ class H {
|
|
|
5715
5716
|
if (o.pathname == this.loginUrl) return !1;
|
|
5716
5717
|
let s = !1;
|
|
5717
5718
|
return s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5718
|
-
(t,
|
|
5719
|
+
(t, a) => t || I(o.pathname, a),
|
|
5719
5720
|
s
|
|
5720
5721
|
), s ? !1 : this.loginProtectedPageEndpoints.reduce(
|
|
5721
|
-
(t,
|
|
5722
|
+
(t, a) => t || I(o.pathname, a),
|
|
5722
5723
|
!1
|
|
5723
5724
|
);
|
|
5724
5725
|
}
|
|
@@ -5736,10 +5737,10 @@ class H {
|
|
|
5736
5737
|
if (o.pathname == this.loginUrl) return !1;
|
|
5737
5738
|
let s = !1;
|
|
5738
5739
|
return s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5739
|
-
(t,
|
|
5740
|
+
(t, a) => t || I(o.pathname, a),
|
|
5740
5741
|
s
|
|
5741
5742
|
), s ? !1 : this.loginProtectedApiEndpoints.reduce(
|
|
5742
|
-
(t,
|
|
5743
|
+
(t, a) => t || I(o.pathname, a),
|
|
5743
5744
|
!1
|
|
5744
5745
|
);
|
|
5745
5746
|
}
|
|
@@ -5788,13 +5789,13 @@ class H {
|
|
|
5788
5789
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5789
5790
|
let s = !1;
|
|
5790
5791
|
return s = this.adminProtectedExceptionPageEndpoints.reduce(
|
|
5791
|
-
(t,
|
|
5792
|
+
(t, a) => t || I(o.pathname, a),
|
|
5792
5793
|
s
|
|
5793
5794
|
), s || (s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5794
|
-
(t,
|
|
5795
|
+
(t, a) => t || I(o.pathname, a),
|
|
5795
5796
|
s
|
|
5796
5797
|
), s) ? !1 : this.adminPageEndpoints.reduce(
|
|
5797
|
-
(t,
|
|
5798
|
+
(t, a) => t || I(o.pathname, a),
|
|
5798
5799
|
!1
|
|
5799
5800
|
);
|
|
5800
5801
|
}
|
|
@@ -5811,13 +5812,13 @@ class H {
|
|
|
5811
5812
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5812
5813
|
let s = !1;
|
|
5813
5814
|
return s = this.adminProtectedExceptionApiEndpoints.reduce(
|
|
5814
|
-
(t,
|
|
5815
|
+
(t, a) => t || I(o.pathname, a),
|
|
5815
5816
|
s
|
|
5816
5817
|
), s || (s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5817
|
-
(t,
|
|
5818
|
+
(t, a) => t || I(o.pathname, a),
|
|
5818
5819
|
s
|
|
5819
5820
|
), s) ? !1 : this.adminApiEndpoints.reduce(
|
|
5820
|
-
(t,
|
|
5821
|
+
(t, a) => t || I(o.pathname, a),
|
|
5821
5822
|
!1
|
|
5822
5823
|
);
|
|
5823
5824
|
}
|
|
@@ -5839,15 +5840,15 @@ class H {
|
|
|
5839
5840
|
await s.loadData(r);
|
|
5840
5841
|
let e = this.addToSession ? this.addToSession(r, s.toObject()) : {};
|
|
5841
5842
|
o && (e.data = JSON.stringify(o));
|
|
5842
|
-
let { sessionCookie: t, csrfCookie:
|
|
5843
|
+
let { sessionCookie: t, csrfCookie: a, csrfFormOrHeaderValue: i } = await this.sessionManager.createAnonymousSession(e);
|
|
5843
5844
|
r.cookies.set(
|
|
5844
5845
|
t.name,
|
|
5845
5846
|
t.value,
|
|
5846
5847
|
R(t.options)
|
|
5847
|
-
), this.enableCsrfProtection && (r.locals.csrfToken =
|
|
5848
|
-
|
|
5849
|
-
|
|
5850
|
-
R(
|
|
5848
|
+
), this.enableCsrfProtection && (r.locals.csrfToken = i, r.cookies.set(
|
|
5849
|
+
a.name,
|
|
5850
|
+
a.value,
|
|
5851
|
+
R(a.options)
|
|
5851
5852
|
)), r.locals.user = void 0;
|
|
5852
5853
|
const c = this.sessionManager.getSessionId(t.value);
|
|
5853
5854
|
return r.locals.sessionId = c, t.value;
|