@crossauth/sveltekit 0.0.35 → 0.0.37
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +689 -687
- package/dist/sveltekitsession.d.ts +14 -2
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { minimatch as I } from "minimatch";
|
|
2
|
-
import { ApiKeyManager as K, KeyStorage as $, toCookieSerializeOptions as R, Crypto as F, OAuthAuthorizationServer as Z, setParameter as y, ParamType as
|
|
3
|
-
import { CrossauthError as n, ErrorCode as u, CrossauthLogger as l, j as f, OAuthFlows as
|
|
2
|
+
import { ApiKeyManager as K, KeyStorage as $, toCookieSerializeOptions as R, Crypto as F, OAuthAuthorizationServer as Z, setParameter as y, ParamType as _, DoubleSubmitCsrfToken as ee, OAuthClientManager as B, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
|
|
3
|
+
import { CrossauthError as n, ErrorCode as u, CrossauthLogger as l, j as f, OAuthFlows as E, UserState as N, httpStatus as q } from "@crossauth/common";
|
|
4
4
|
import { json as v, redirect as Q, error as Y } from "@sveltejs/kit";
|
|
5
5
|
import "cookie";
|
|
6
6
|
import { jwtDecode as M } from "jwt-decode";
|
|
@@ -26,11 +26,11 @@ class b {
|
|
|
26
26
|
this.clone = r;
|
|
27
27
|
}
|
|
28
28
|
async loadData(r) {
|
|
29
|
-
var s, e, t,
|
|
29
|
+
var s, e, t, a;
|
|
30
30
|
if (!((s = r.request) != null && s.body))
|
|
31
31
|
return;
|
|
32
32
|
const o = r.request.headers.get("content-type");
|
|
33
|
-
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((
|
|
33
|
+
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((a = r.request) == null ? void 0 : a.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
|
|
34
34
|
}
|
|
35
35
|
get(r) {
|
|
36
36
|
if (this.jsonData) return this.jsonData[r];
|
|
@@ -92,29 +92,29 @@ class ne {
|
|
|
92
92
|
l.logger.debug(f({
|
|
93
93
|
msg: "Received authorization header"
|
|
94
94
|
}));
|
|
95
|
-
const
|
|
95
|
+
const a = await this.apiKeyManager.validateToken(
|
|
96
96
|
t
|
|
97
97
|
);
|
|
98
98
|
l.logger.debug(f({
|
|
99
99
|
msg: "Valid API key",
|
|
100
|
-
hahedApiKey: K.hashSignedApiKeyValue(
|
|
100
|
+
hahedApiKey: K.hashSignedApiKeyValue(a.value)
|
|
101
101
|
}));
|
|
102
|
-
const
|
|
103
|
-
if (e.locals.apiKey = { ...
|
|
102
|
+
const i = $.decodeData(a.data);
|
|
103
|
+
if (e.locals.apiKey = { ...a, ...i }, "scope" in i && Array.isArray(i.scope)) {
|
|
104
104
|
let c = [];
|
|
105
|
-
for (let d of
|
|
105
|
+
for (let d of i.scope)
|
|
106
106
|
typeof d == "string" && c.push(d);
|
|
107
107
|
e.locals.scope = c;
|
|
108
108
|
}
|
|
109
|
-
if (
|
|
109
|
+
if (a.userid)
|
|
110
110
|
try {
|
|
111
|
-
const { user: c } = await this.userStorage.getUserById(
|
|
112
|
-
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: K.hashSignedApiKeyValue(
|
|
111
|
+
const { user: c } = await this.userStorage.getUserById(a.userid);
|
|
112
|
+
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: K.hashSignedApiKeyValue(a.value) }));
|
|
113
113
|
} catch (c) {
|
|
114
|
-
l.logger.error(f({ msg: "API key has invalid user", userid:
|
|
114
|
+
l.logger.error(f({ msg: "API key has invalid user", userid: a.userid, hashedApiKey: K.hashSignedApiKeyValue(a.value) })), l.logger.debug(f({ err: c }));
|
|
115
115
|
}
|
|
116
|
-
} catch (
|
|
117
|
-
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err:
|
|
116
|
+
} catch (a) {
|
|
117
|
+
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err: a }));
|
|
118
118
|
}
|
|
119
119
|
};
|
|
120
120
|
}
|
|
@@ -130,9 +130,9 @@ class ce {
|
|
|
130
130
|
* @param options see {@link SvelteKitAuthorizationServerOptions}
|
|
131
131
|
*/
|
|
132
132
|
constructor(r, o, s, e, t = {}) {
|
|
133
|
-
var
|
|
133
|
+
var a;
|
|
134
134
|
this.loginUrl = "/login", this.refreshTokenType = "json", this.refreshTokenCookieName = "CROSSAUTH_REFRESH_TOKEN", this.refreshTokenCookieDomain = void 0, this.refreshTokenCookieHttpOnly = !1, this.refreshTokenCookiePath = "/", this.refreshTokenCookieSecure = !0, this.refreshTokenCookieSameSite = "strict", this.authorizeEndpointUrl = "/oauth/authorize", this.tokenEndpointUrl = "/oauth/token", this.jwksEndpointUrl = "/oauth/jwks", this.oidcConfigurationEndpoint = {
|
|
135
|
-
get: async (
|
|
135
|
+
get: async (i) => v(this.authServer.oidcConfiguration(
|
|
136
136
|
{
|
|
137
137
|
authorizeEndpoint: this.authorizeEndpointUrl,
|
|
138
138
|
tokenEndpoint: this.tokenEndpointUrl,
|
|
@@ -141,7 +141,7 @@ class ce {
|
|
|
141
141
|
}
|
|
142
142
|
))
|
|
143
143
|
}, this.jwksGetEndpoint = {
|
|
144
|
-
get: async (
|
|
144
|
+
get: async (i) => {
|
|
145
145
|
try {
|
|
146
146
|
return v(this.authServer.jwks());
|
|
147
147
|
} catch (c) {
|
|
@@ -153,7 +153,7 @@ class ce {
|
|
|
153
153
|
}
|
|
154
154
|
}
|
|
155
155
|
}, this.getCsrfTokenEndpoint = {
|
|
156
|
-
get: async (
|
|
156
|
+
get: async (i) => {
|
|
157
157
|
var d;
|
|
158
158
|
if (!this.csrfTokens) return v({
|
|
159
159
|
ok: !1,
|
|
@@ -166,7 +166,7 @@ class ce {
|
|
|
166
166
|
csrfCookie: h,
|
|
167
167
|
csrfFormOrHeaderValue: g
|
|
168
168
|
} = await this.createCsrfToken();
|
|
169
|
-
return c = h.value,
|
|
169
|
+
return c = h.value, i.cookies.set(
|
|
170
170
|
h.name,
|
|
171
171
|
h.value,
|
|
172
172
|
R(h.options)
|
|
@@ -175,7 +175,7 @@ class ce {
|
|
|
175
175
|
const g = n.asCrossauthError(h);
|
|
176
176
|
return l.logger.error(f({
|
|
177
177
|
msg: "getcsrftoken failure",
|
|
178
|
-
user: (d =
|
|
178
|
+
user: (d = i.locals.user) == null ? void 0 : d.username,
|
|
179
179
|
hashedCsrfCookie: F.hash(c.split(".")[0]),
|
|
180
180
|
error: g.code,
|
|
181
181
|
errorCodeName: g.codeName
|
|
@@ -187,15 +187,15 @@ class ce {
|
|
|
187
187
|
}
|
|
188
188
|
}
|
|
189
189
|
}, this.authorizeEndpoint = {
|
|
190
|
-
load: async (
|
|
190
|
+
load: async (i) => {
|
|
191
191
|
var w, S;
|
|
192
|
-
if (!(this.authServer.validFlows.includes(
|
|
192
|
+
if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode)))
|
|
193
193
|
throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
|
|
194
|
-
if (!
|
|
194
|
+
if (!i.locals.user) return this.redirect(
|
|
195
195
|
302,
|
|
196
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
196
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
197
197
|
);
|
|
198
|
-
let c = this.getAuthorizeQuery(
|
|
198
|
+
let c = this.getAuthorizeQuery(i);
|
|
199
199
|
if (!c.query) return c.error;
|
|
200
200
|
let d = c.query;
|
|
201
201
|
l.logger.debug(f({ msg: "validating authorize parameters" }));
|
|
@@ -203,10 +203,10 @@ class ce {
|
|
|
203
203
|
if (h ? (g = new n(u.BadRequest, h), l.logger.error(f({
|
|
204
204
|
msg: "authorize parameter invalid",
|
|
205
205
|
cerr: g,
|
|
206
|
-
user: (w =
|
|
206
|
+
user: (w = i.locals.user) == null ? void 0 : w.username
|
|
207
207
|
}))) : l.logger.error(f({
|
|
208
208
|
msg: "authorize parameter valid",
|
|
209
|
-
user: (S =
|
|
209
|
+
user: (S = i.locals.user) == null ? void 0 : S.username
|
|
210
210
|
})), g)
|
|
211
211
|
return {
|
|
212
212
|
ok: !1,
|
|
@@ -219,18 +219,18 @@ class ce {
|
|
|
219
219
|
scope: d.scope
|
|
220
220
|
})), d.scope ? p = await this.authServer.hasAllScopes(
|
|
221
221
|
d.client_id,
|
|
222
|
-
|
|
222
|
+
i.locals.user,
|
|
223
223
|
d.scope.split(" ")
|
|
224
224
|
) : p = await this.authServer.hasAllScopes(
|
|
225
225
|
d.client_id,
|
|
226
|
-
|
|
226
|
+
i.locals.user,
|
|
227
227
|
[null]
|
|
228
228
|
), p) {
|
|
229
229
|
l.logger.debug(f({
|
|
230
230
|
msg: "All scopes authorized",
|
|
231
231
|
scope: d.scope
|
|
232
232
|
}));
|
|
233
|
-
const C = await this.authorize(
|
|
233
|
+
const C = await this.authorize(i, !0, {
|
|
234
234
|
responseType: d.response_type,
|
|
235
235
|
client_id: d.client_id,
|
|
236
236
|
redirect_uri: d.redirect_uri,
|
|
@@ -254,7 +254,7 @@ class ce {
|
|
|
254
254
|
return {
|
|
255
255
|
ok: !0,
|
|
256
256
|
authorizationNeeded: {
|
|
257
|
-
user:
|
|
257
|
+
user: i.locals.user,
|
|
258
258
|
response_type: d.response_type,
|
|
259
259
|
client_id: d.client_id,
|
|
260
260
|
client_name: C.client_name,
|
|
@@ -264,7 +264,7 @@ class ce {
|
|
|
264
264
|
state: d.state,
|
|
265
265
|
code_challenge: d.code_challenge,
|
|
266
266
|
code_challenge_method: d.code_challenge_method,
|
|
267
|
-
csrfToken:
|
|
267
|
+
csrfToken: i.locals.csrfToken
|
|
268
268
|
},
|
|
269
269
|
...this.baseEndpoint
|
|
270
270
|
};
|
|
@@ -280,12 +280,12 @@ class ce {
|
|
|
280
280
|
},
|
|
281
281
|
// load
|
|
282
282
|
actions: {
|
|
283
|
-
default: async (
|
|
283
|
+
default: async (i) => {
|
|
284
284
|
var h;
|
|
285
285
|
let c;
|
|
286
286
|
try {
|
|
287
287
|
var d = new b();
|
|
288
|
-
await d.loadData(
|
|
288
|
+
await d.loadData(i), c = d.toObject();
|
|
289
289
|
const g = d.getAsBoolean("authorized"), p = c.response_type, w = c.client_id, S = c.redirect_uri, C = c.scope, T = c.state, P = c.code_challenge, U = c.code_challenge_method;
|
|
290
290
|
let A;
|
|
291
291
|
if (g == null && (A = "authorized"), p ? w ? S ? T || (A = "state") : A = "redirect_uri" : A = "client_id" : A = "response_type", A)
|
|
@@ -294,12 +294,12 @@ class ce {
|
|
|
294
294
|
error: "invalid_request",
|
|
295
295
|
error_description: "Invalid form: does not contain " + A + " parameter"
|
|
296
296
|
};
|
|
297
|
-
if (!
|
|
297
|
+
if (!i.locals.user) return this.redirect(
|
|
298
298
|
302,
|
|
299
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
299
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
300
300
|
);
|
|
301
|
-
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !
|
|
302
|
-
const z = await this.authorize(
|
|
301
|
+
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !i.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
302
|
+
const z = await this.authorize(i, g ?? !1, {
|
|
303
303
|
responseType: p,
|
|
304
304
|
client_id: w,
|
|
305
305
|
redirect_uri: S,
|
|
@@ -326,22 +326,22 @@ class ce {
|
|
|
326
326
|
}
|
|
327
327
|
}
|
|
328
328
|
}, this.tokenEndpoint = {
|
|
329
|
-
post: async (
|
|
329
|
+
post: async (i) => {
|
|
330
330
|
let c;
|
|
331
331
|
try {
|
|
332
|
-
if (!(this.authServer.validFlows.includes(
|
|
332
|
+
if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode) || this.authServer.validFlows.includes(E.ClientCredentials) || this.authServer.validFlows.includes(E.RefreshToken) || this.authServer.validFlows.includes(E.Password) || this.authServer.validFlows.includes(E.PasswordMfa || this.authServer.validFlows.includes(E.DeviceCode))))
|
|
333
333
|
return v({
|
|
334
334
|
ok: !1,
|
|
335
335
|
error: "invalid_request",
|
|
336
336
|
error_description: "Token endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
337
337
|
}, { status: 500 });
|
|
338
338
|
var d = new b();
|
|
339
|
-
await d.loadData(
|
|
340
|
-
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c,
|
|
341
|
-
let p = c.refresh_token, w =
|
|
339
|
+
await d.loadData(i), c = d.toObject();
|
|
340
|
+
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c, i);
|
|
341
|
+
let p = c.refresh_token, w = i.cookies.get(this.refreshTokenCookieName);
|
|
342
342
|
if ((this.refreshTokenType == "cookie" && w || this.refreshTokenType == "both" && w && p == null) && this.csrfTokens) {
|
|
343
|
-
const C =
|
|
344
|
-
let T =
|
|
343
|
+
const C = i.cookies.get(this.csrfTokens.cookieName);
|
|
344
|
+
let T = i.request.headers.get(this.csrfTokens.headerName.toLowerCase());
|
|
345
345
|
if (Array.isArray(T) && (T = T[0]), !C || !T)
|
|
346
346
|
return v({
|
|
347
347
|
ok: !1,
|
|
@@ -375,7 +375,7 @@ class ce {
|
|
|
375
375
|
refreshToken: p,
|
|
376
376
|
deviceCode: c.device_code
|
|
377
377
|
});
|
|
378
|
-
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(
|
|
378
|
+
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(i, S.refresh_token, S.expires_in), S.error == "authorization_pending")
|
|
379
379
|
return v(S);
|
|
380
380
|
if (S.error || !S.access_token) {
|
|
381
381
|
let C = "server_error", T = "Neither code nor error received when requestoing authorization";
|
|
@@ -393,10 +393,10 @@ class ce {
|
|
|
393
393
|
}
|
|
394
394
|
}
|
|
395
395
|
}, this.mfaAuthenticatorsEndpoint = {
|
|
396
|
-
get: async (
|
|
396
|
+
get: async (i) => {
|
|
397
397
|
try {
|
|
398
398
|
var c = new b();
|
|
399
|
-
return await c.loadData(
|
|
399
|
+
return await c.loadData(i), v(await this.mfaAuthenticators(i));
|
|
400
400
|
} catch (d) {
|
|
401
401
|
const h = n.asCrossauthError(d);
|
|
402
402
|
return l.logger.debug({ err: d }), l.logger.error({ cerr: d }), v({
|
|
@@ -405,11 +405,11 @@ class ce {
|
|
|
405
405
|
});
|
|
406
406
|
}
|
|
407
407
|
},
|
|
408
|
-
post: async (
|
|
408
|
+
post: async (i) => {
|
|
409
409
|
try {
|
|
410
410
|
var c = new b();
|
|
411
|
-
await c.loadData(
|
|
412
|
-
let d = await this.mfaAuthenticators(
|
|
411
|
+
await c.loadData(i);
|
|
412
|
+
let d = await this.mfaAuthenticators(i), h = 200;
|
|
413
413
|
return !Array.isArray(d) && d.error == "access_denied" ? h = 401 : !Array.isArray(d) && d.error && (h = 500), v(d, { status: h });
|
|
414
414
|
} catch (d) {
|
|
415
415
|
const h = n.asCrossauthError(d);
|
|
@@ -420,11 +420,11 @@ class ce {
|
|
|
420
420
|
}
|
|
421
421
|
}
|
|
422
422
|
}, this.mfaChallengeEndpoint = {
|
|
423
|
-
post: async (
|
|
423
|
+
post: async (i) => {
|
|
424
424
|
try {
|
|
425
425
|
var c = new b();
|
|
426
|
-
await c.loadData(
|
|
427
|
-
const d = await this.mfaChallenge(
|
|
426
|
+
await c.loadData(i);
|
|
427
|
+
const d = await this.mfaChallenge(i);
|
|
428
428
|
let h = 200;
|
|
429
429
|
return d.error == "access_denied" ? h = 401 : d.error && (h = 500), v(d, { status: h });
|
|
430
430
|
} catch (d) {
|
|
@@ -436,18 +436,18 @@ class ce {
|
|
|
436
436
|
}
|
|
437
437
|
}
|
|
438
438
|
}, this.deviceAuthorizationEndpoint = {
|
|
439
|
-
post: async (
|
|
439
|
+
post: async (i) => {
|
|
440
440
|
let c;
|
|
441
441
|
try {
|
|
442
|
-
if (!this.authServer.validFlows.includes(
|
|
442
|
+
if (!this.authServer.validFlows.includes(E.DeviceCode))
|
|
443
443
|
return v({
|
|
444
444
|
ok: !1,
|
|
445
445
|
error: "invalid_request",
|
|
446
446
|
error_description: "Device authorization endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
447
447
|
});
|
|
448
448
|
var d = new b();
|
|
449
|
-
await d.loadData(
|
|
450
|
-
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c,
|
|
449
|
+
await d.loadData(i), c = d.toObject();
|
|
450
|
+
const { client_id: h, client_secret: g } = this.getClientIdAndSecret(c, i), p = await this.authServer.deviceAuthorizationEndpoint({
|
|
451
451
|
client_id: h,
|
|
452
452
|
client_secret: g,
|
|
453
453
|
scope: c.scope
|
|
@@ -474,31 +474,31 @@ class ce {
|
|
|
474
474
|
}
|
|
475
475
|
}
|
|
476
476
|
}, this.deviceEndpoint = {
|
|
477
|
-
load: async (
|
|
478
|
-
if (!this.authServer.validFlows.includes(
|
|
477
|
+
load: async (i) => {
|
|
478
|
+
if (!this.authServer.validFlows.includes(E.DeviceCode))
|
|
479
479
|
throw this.error(401, "device cannot be called because the device code flow is not supported");
|
|
480
|
-
if (!
|
|
480
|
+
if (!i.locals.user) return this.redirect(
|
|
481
481
|
302,
|
|
482
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
482
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
483
483
|
);
|
|
484
|
-
let c =
|
|
485
|
-
return c ? await this.applyUserCode(c,
|
|
484
|
+
let c = i.url.searchParams.get("user_code");
|
|
485
|
+
return c ? await this.applyUserCode(c, i, i.locals.user) : {
|
|
486
486
|
ok: !0,
|
|
487
487
|
completed: !1,
|
|
488
488
|
retryAllowed: !0,
|
|
489
|
-
user:
|
|
490
|
-
csrfToken:
|
|
489
|
+
user: i.locals.user,
|
|
490
|
+
csrfToken: i.locals.csrfToken
|
|
491
491
|
};
|
|
492
492
|
},
|
|
493
493
|
// load
|
|
494
494
|
actions: {
|
|
495
|
-
userCode: async (
|
|
496
|
-
if (!
|
|
495
|
+
userCode: async (i) => {
|
|
496
|
+
if (!i.locals.user) throw this.error(401, "Access Denied");
|
|
497
497
|
try {
|
|
498
498
|
var c = new b();
|
|
499
|
-
await c.loadData(
|
|
499
|
+
await c.loadData(i);
|
|
500
500
|
const d = c.get("user_code");
|
|
501
|
-
return d ? await this.applyUserCode(d,
|
|
501
|
+
return d ? await this.applyUserCode(d, i, i.locals.user) : {
|
|
502
502
|
ok: !1,
|
|
503
503
|
completed: !1,
|
|
504
504
|
retryAllowed: !0,
|
|
@@ -517,12 +517,12 @@ class ce {
|
|
|
517
517
|
};
|
|
518
518
|
}
|
|
519
519
|
},
|
|
520
|
-
authorize: async (
|
|
520
|
+
authorize: async (i) => {
|
|
521
521
|
var h;
|
|
522
522
|
let c;
|
|
523
523
|
try {
|
|
524
524
|
var d = new b();
|
|
525
|
-
await d.loadData(
|
|
525
|
+
await d.loadData(i), c = d.toObject();
|
|
526
526
|
const g = d.getAsBoolean("authorized"), p = c.scope, w = c.client_id, S = c.user_code;
|
|
527
527
|
let C;
|
|
528
528
|
if (g == null && (C = "authorized"), w == null && (C = "client_id"), S == null && (C = "user_code"), C)
|
|
@@ -533,18 +533,18 @@ class ce {
|
|
|
533
533
|
error: "invalid_request",
|
|
534
534
|
error_description: "Invalid form: does not contain " + C + " parameter"
|
|
535
535
|
};
|
|
536
|
-
if (!
|
|
536
|
+
if (!i.locals.user) return this.redirect(
|
|
537
537
|
302,
|
|
538
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
538
|
+
this.loginUrl + "?next=" + encodeURIComponent(i.request.url)
|
|
539
539
|
);
|
|
540
|
-
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !
|
|
541
|
-
return (await this.authServer.validateAndPersistScope(w, p,
|
|
540
|
+
if ((h = this.svelteKitServer.sessionServer) != null && h.enableCsrfProtection && !i.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
541
|
+
return (await this.authServer.validateAndPersistScope(w, p, i.locals.user)).error ? {
|
|
542
542
|
ok: !1,
|
|
543
543
|
completed: !1,
|
|
544
544
|
retryAllowed: !1,
|
|
545
545
|
error: "unauthorized_client",
|
|
546
546
|
error_description: "You did not authorize access to your account"
|
|
547
|
-
} : await this.applyUserCode(S,
|
|
547
|
+
} : await this.applyUserCode(S, i, i.locals.user);
|
|
548
548
|
} catch (g) {
|
|
549
549
|
if (m.isSvelteKitError(g) || m.isSvelteKitRedirect(g)) throw g;
|
|
550
550
|
let p = n.asCrossauthError(g, "Couldn't process authorization code");
|
|
@@ -563,7 +563,7 @@ class ce {
|
|
|
563
563
|
s,
|
|
564
564
|
e,
|
|
565
565
|
t
|
|
566
|
-
), y("loginUrl",
|
|
566
|
+
), y("loginUrl", _.String, this, t, "LOGIN_URL"), y("refreshTokenType", _.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", _.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", _.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", _.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", _.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", _.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((a = this.svelteKitServer.sessionServer) == null ? void 0 : a.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(t.doubleSubmitCookieOptions));
|
|
567
567
|
}
|
|
568
568
|
/**
|
|
569
569
|
* Returns this server's OIDC configuration. Just wraps
|
|
@@ -585,8 +585,8 @@ class ce {
|
|
|
585
585
|
responseType: s,
|
|
586
586
|
client_id: e,
|
|
587
587
|
redirect_uri: t,
|
|
588
|
-
scope:
|
|
589
|
-
state:
|
|
588
|
+
scope: a,
|
|
589
|
+
state: i,
|
|
590
590
|
codeChallenge: c,
|
|
591
591
|
codeChallengeMethod: d
|
|
592
592
|
}) {
|
|
@@ -596,8 +596,8 @@ class ce {
|
|
|
596
596
|
responseType: s,
|
|
597
597
|
client_id: e,
|
|
598
598
|
redirect_uri: t,
|
|
599
|
-
scope:
|
|
600
|
-
state:
|
|
599
|
+
scope: a,
|
|
600
|
+
state: i,
|
|
601
601
|
codeChallenge: c,
|
|
602
602
|
codeChallengeMethod: d,
|
|
603
603
|
user: r.locals.user
|
|
@@ -616,7 +616,7 @@ class ce {
|
|
|
616
616
|
throw this.redirect(302, this.authServer.redirect_uri(
|
|
617
617
|
t,
|
|
618
618
|
p,
|
|
619
|
-
|
|
619
|
+
i
|
|
620
620
|
));
|
|
621
621
|
} else {
|
|
622
622
|
const w = new n(
|
|
@@ -690,13 +690,13 @@ class ce {
|
|
|
690
690
|
if (o = this.requireGetParam(r, "client_id"), o) return { error: o };
|
|
691
691
|
if (o = this.requireGetParam(r, "redirect_uri"), o) return { error: o };
|
|
692
692
|
if (o = this.requireGetParam(r, "state"), o) return { error: o };
|
|
693
|
-
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "",
|
|
693
|
+
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "", a = r.url.searchParams.get("scope") ?? void 0, i = r.url.searchParams.get("state") ?? "", c = r.url.searchParams.get("code_challenge") ?? void 0, d = r.url.searchParams.get("code_challenge_method") ?? void 0;
|
|
694
694
|
return { query: {
|
|
695
695
|
response_type: s,
|
|
696
696
|
client_id: e,
|
|
697
697
|
redirect_uri: t,
|
|
698
|
-
scope:
|
|
699
|
-
state:
|
|
698
|
+
scope: a,
|
|
699
|
+
state: i,
|
|
700
700
|
code_challenge: c,
|
|
701
701
|
code_challenge_method: d
|
|
702
702
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
@@ -710,18 +710,18 @@ class ce {
|
|
|
710
710
|
if (e = this.requireBodyParam(s, "challenge_type"), e) return { error: e };
|
|
711
711
|
if (e = this.requireBodyParam(s, "mfa_token"), e) return { error: e };
|
|
712
712
|
if (e = this.requireBodyParam(s, "authenticator_id"), e) return { error: e };
|
|
713
|
-
const t = s.client_id ?? "",
|
|
713
|
+
const t = s.client_id ?? "", a = s.challenge_type ?? "", i = s.mfa_token ?? "", c = s.authenticator_id ?? "", d = s.client_secret ?? void 0;
|
|
714
714
|
return { query: {
|
|
715
715
|
client_id: t,
|
|
716
716
|
client_secret: d,
|
|
717
|
-
challenge_type:
|
|
718
|
-
mfa_token:
|
|
717
|
+
challenge_type: a,
|
|
718
|
+
mfa_token: i,
|
|
719
719
|
authenticator_id: c
|
|
720
720
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
721
721
|
}
|
|
722
722
|
async mfaAuthenticators(r) {
|
|
723
|
-
var
|
|
724
|
-
const o = (
|
|
723
|
+
var a;
|
|
724
|
+
const o = (a = r.request.headers.get("authorization")) == null ? void 0 : a.split(" ");
|
|
725
725
|
if (!o || o.length != 2)
|
|
726
726
|
return {
|
|
727
727
|
error: "access_denied",
|
|
@@ -752,31 +752,31 @@ class ce {
|
|
|
752
752
|
let s = r.client_id, e = r.client_secret;
|
|
753
753
|
const t = o.request.headers.get("authorization");
|
|
754
754
|
if (t) {
|
|
755
|
-
let
|
|
755
|
+
let a, i;
|
|
756
756
|
const c = t.split(" ");
|
|
757
757
|
if (c.length == 2 && c[0].toLocaleLowerCase() == "basic") {
|
|
758
758
|
const h = F.base64Decode(c[1]).split(":", 2);
|
|
759
|
-
h.length == 2 && (
|
|
759
|
+
h.length == 2 && (a = h[0], i = h[1]);
|
|
760
760
|
}
|
|
761
|
-
|
|
761
|
+
a == null || i == null ? l.logger.warn(f({
|
|
762
762
|
msg: "Ignoring malform authenization header " + t
|
|
763
|
-
})) : (s =
|
|
763
|
+
})) : (s = a, e = i);
|
|
764
764
|
}
|
|
765
765
|
return { client_id: s, client_secret: e };
|
|
766
766
|
}
|
|
767
767
|
async applyUserCode(r, o, s) {
|
|
768
|
-
var e, t,
|
|
768
|
+
var e, t, a;
|
|
769
769
|
try {
|
|
770
|
-
const
|
|
771
|
-
if (
|
|
770
|
+
const i = await this.authServer.deviceEndpoint({ userCode: r, user: s });
|
|
771
|
+
if (i.error)
|
|
772
772
|
return {
|
|
773
773
|
ok: !1,
|
|
774
774
|
completed: !1,
|
|
775
775
|
retryAllowed: !1,
|
|
776
|
-
error:
|
|
777
|
-
error_description:
|
|
776
|
+
error: i.error,
|
|
777
|
+
error_description: i.error_description
|
|
778
778
|
};
|
|
779
|
-
if (!
|
|
779
|
+
if (!i.client_id)
|
|
780
780
|
return l.logger.error(f({ msg: "No client id found for user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
|
|
781
781
|
ok: !1,
|
|
782
782
|
completed: !1,
|
|
@@ -784,33 +784,33 @@ class ce {
|
|
|
784
784
|
error: "server_error",
|
|
785
785
|
error_description: "No client id found for user code"
|
|
786
786
|
};
|
|
787
|
-
if (
|
|
787
|
+
if (i.error == "access_denied")
|
|
788
788
|
return l.logger.error(f({ msg: "Incorrect user code given", userCodeHash: F.hash(r), ip: o.request.referrer, username: (t = o.locals.user) == null ? void 0 : t.username })), this.authServer.userCodeThrottle > 0 && await ((h) => new Promise((g) => setTimeout(g, h)))(this.authServer.userCodeThrottle), {
|
|
789
789
|
ok: !1,
|
|
790
790
|
completed: !1,
|
|
791
791
|
retryAllowed: !0,
|
|
792
|
-
error:
|
|
793
|
-
error_description:
|
|
792
|
+
error: i.error,
|
|
793
|
+
error_description: i.error_description
|
|
794
794
|
};
|
|
795
|
-
if (
|
|
796
|
-
return l.logger.error(f({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (
|
|
795
|
+
if (i.error == "expired_token")
|
|
796
|
+
return l.logger.error(f({ msg: "Expired user code", userCodeHash: F.hash(r), ip: o.request.referrer, username: (a = o.locals.user) == null ? void 0 : a.username })), {
|
|
797
797
|
ok: !1,
|
|
798
798
|
completed: !1,
|
|
799
799
|
retryAllowed: !1,
|
|
800
|
-
error:
|
|
801
|
-
error_description:
|
|
800
|
+
error: i.error,
|
|
801
|
+
error_description: i.error_description
|
|
802
802
|
};
|
|
803
|
-
const c = await this.clientStorage.getClientById(
|
|
804
|
-
return
|
|
803
|
+
const c = await this.clientStorage.getClientById(i.client_id);
|
|
804
|
+
return i.scopeAuthorizationNeeded ? {
|
|
805
805
|
ok: !0,
|
|
806
806
|
completed: !1,
|
|
807
807
|
retryAllowed: !0,
|
|
808
808
|
authorizationNeeded: {
|
|
809
809
|
user: s,
|
|
810
|
-
client_id:
|
|
810
|
+
client_id: i.client_id,
|
|
811
811
|
client_name: c.client_name,
|
|
812
|
-
scope:
|
|
813
|
-
scopes:
|
|
812
|
+
scope: i.scope,
|
|
813
|
+
scopes: i.scope ? i.scope.split(" ") : [],
|
|
814
814
|
csrfToken: o.locals.csrfToken
|
|
815
815
|
},
|
|
816
816
|
user: o.locals.user,
|
|
@@ -823,8 +823,8 @@ class ce {
|
|
|
823
823
|
user: o.locals.user,
|
|
824
824
|
csrfToken: o.locals.csrfToken
|
|
825
825
|
};
|
|
826
|
-
} catch (
|
|
827
|
-
const c = n.asCrossauthError(
|
|
826
|
+
} catch (i) {
|
|
827
|
+
const c = n.asCrossauthError(i);
|
|
828
828
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ msg: c.message, cerr: c })), {
|
|
829
829
|
ok: !1,
|
|
830
830
|
completed: !1,
|
|
@@ -931,8 +931,8 @@ async function j(k, r, o) {
|
|
|
931
931
|
);
|
|
932
932
|
let s = k.expires_in;
|
|
933
933
|
if (!s && k.access_token && r.jwtTokens.includes("access")) {
|
|
934
|
-
const
|
|
935
|
-
|
|
934
|
+
const a = M(k.access_token);
|
|
935
|
+
a.exp && (s = a.exp);
|
|
936
936
|
}
|
|
937
937
|
if (!s)
|
|
938
938
|
throw new n(
|
|
@@ -942,8 +942,8 @@ async function j(k, r, o) {
|
|
|
942
942
|
const e = Date.now() + s * 1e3;
|
|
943
943
|
let t = { ...k, expires_at: e };
|
|
944
944
|
if ("id_token" in k) {
|
|
945
|
-
let
|
|
946
|
-
|
|
945
|
+
let a = k.id_payload ?? O(k.id_token);
|
|
946
|
+
a && (t.id_payload = a);
|
|
947
947
|
}
|
|
948
948
|
await r.storeSessionData(o, t);
|
|
949
949
|
}
|
|
@@ -965,8 +965,8 @@ async function de(k, r, o, s, e) {
|
|
|
965
965
|
if (!s) return r.redirect(302, r.authorizedUrl);
|
|
966
966
|
} catch (t) {
|
|
967
967
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
968
|
-
const
|
|
969
|
-
return l.logger.debug(f({ err:
|
|
968
|
+
const a = n.asCrossauthError(t);
|
|
969
|
+
return l.logger.debug(f({ err: a })), l.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), r.errorFn(r.server, o, a);
|
|
970
970
|
}
|
|
971
971
|
}
|
|
972
972
|
async function he(k, r, o, s, e) {
|
|
@@ -987,8 +987,8 @@ async function he(k, r, o, s, e) {
|
|
|
987
987
|
return v({ ok: !0, ...k });
|
|
988
988
|
} catch (t) {
|
|
989
989
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
990
|
-
const
|
|
991
|
-
return l.logger.debug(f({ err:
|
|
990
|
+
const a = n.asCrossauthError(t);
|
|
991
|
+
return l.logger.debug(f({ err: a })), l.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), r.errorFn(r.server, o, a);
|
|
992
992
|
}
|
|
993
993
|
}
|
|
994
994
|
async function ue(k, r, o, s, e) {
|
|
@@ -1008,11 +1008,11 @@ async function ue(k, r, o, s, e) {
|
|
|
1008
1008
|
return r.jwtTokens.includes("id") && (t.id_payload = k.id_payload ?? O(k.id_token)), t.id_payload && await e(o, t.id_payload), t;
|
|
1009
1009
|
} catch (t) {
|
|
1010
1010
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
1011
|
-
const
|
|
1012
|
-
return l.logger.debug(f({ err:
|
|
1011
|
+
const a = n.asCrossauthError(t);
|
|
1012
|
+
return l.logger.debug(f({ err: a })), l.logger.debug(f({ cerr: a, msg: "Error receiving tokens" })), {
|
|
1013
1013
|
ok: !1,
|
|
1014
|
-
error:
|
|
1015
|
-
error_description:
|
|
1014
|
+
error: a.oauthErrorCode,
|
|
1015
|
+
error_description: a.message
|
|
1016
1016
|
};
|
|
1017
1017
|
}
|
|
1018
1018
|
}
|
|
@@ -1048,14 +1048,14 @@ class G extends re {
|
|
|
1048
1048
|
* @param options See {@link SvelteKitOAuthClientOptions}
|
|
1049
1049
|
*/
|
|
1050
1050
|
constructor(r, o, s) {
|
|
1051
|
-
if (super(o, s), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [
|
|
1051
|
+
if (super(o, s), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [E.All], this.authorizedUrl = "", this.autoRefreshActive = {}, this.loginProtectedFlows = [], this.tokenResponseType = "sendJson", this.errorResponseType = "sendJson", this.bffEndpoints = [], this.bffEndpointName = "bff", this.tokenEndpoints = [], this.bffMaxTries = 1, this.bffSleepMilliseconds = 500, this.jwtTokens = ["access", "id", "refresh"], this.testMiddleware = !1, this.testEvent = void 0, this.authorizationCodeFlowEndpoint = {
|
|
1052
1052
|
get: async (e) => {
|
|
1053
1053
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1054
1054
|
const t = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1055
1055
|
return this.errorFn(this.server, e, t);
|
|
1056
1056
|
}
|
|
1057
1057
|
try {
|
|
1058
|
-
if (!this.validFlows.includes(
|
|
1058
|
+
if (!this.validFlows.includes(E.AuthorizationCode)) {
|
|
1059
1059
|
const g = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1060
1060
|
return this.errorFn(this.server, e, g);
|
|
1061
1061
|
}
|
|
@@ -1063,9 +1063,9 @@ class G extends re {
|
|
|
1063
1063
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1064
1064
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1065
1065
|
t == "" && (t = void 0);
|
|
1066
|
-
const
|
|
1067
|
-
await this.storeSessionData(e,
|
|
1068
|
-
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(
|
|
1066
|
+
const a = this.randomValue(this.stateLength), i = { scope: t, state: a };
|
|
1067
|
+
await this.storeSessionData(e, i);
|
|
1068
|
+
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(a, t);
|
|
1069
1069
|
if (d || !c) {
|
|
1070
1070
|
const g = n.fromOAuthError(
|
|
1071
1071
|
d ?? "server_error",
|
|
@@ -1078,8 +1078,8 @@ class G extends re {
|
|
|
1078
1078
|
})), this.redirect(302, c);
|
|
1079
1079
|
} catch (t) {
|
|
1080
1080
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1081
|
-
const
|
|
1082
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e,
|
|
1081
|
+
const a = n.asCrossauthError(t);
|
|
1082
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e, a);
|
|
1083
1083
|
}
|
|
1084
1084
|
},
|
|
1085
1085
|
load: async (e) => {
|
|
@@ -1095,7 +1095,7 @@ class G extends re {
|
|
|
1095
1095
|
};
|
|
1096
1096
|
}
|
|
1097
1097
|
try {
|
|
1098
|
-
if (!this.validFlows.includes(
|
|
1098
|
+
if (!this.validFlows.includes(E.AuthorizationCode)) {
|
|
1099
1099
|
const g = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1100
1100
|
return {
|
|
1101
1101
|
ok: !1,
|
|
@@ -1107,9 +1107,9 @@ class G extends re {
|
|
|
1107
1107
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1108
1108
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1109
1109
|
t == "" && (t = void 0);
|
|
1110
|
-
const
|
|
1111
|
-
await this.storeSessionData(e,
|
|
1112
|
-
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(
|
|
1110
|
+
const a = this.randomValue(this.stateLength), i = { scope: t, state: a };
|
|
1111
|
+
await this.storeSessionData(e, i);
|
|
1112
|
+
const { url: c, error: d, error_description: h } = await this.startAuthorizationCodeFlow(a, t);
|
|
1113
1113
|
if (d || !c) {
|
|
1114
1114
|
const g = n.fromOAuthError(
|
|
1115
1115
|
d ?? "server_error",
|
|
@@ -1126,11 +1126,11 @@ class G extends re {
|
|
|
1126
1126
|
})), this.redirect(302, c);
|
|
1127
1127
|
} catch (t) {
|
|
1128
1128
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1129
|
-
const
|
|
1129
|
+
const a = n.asCrossauthError(t);
|
|
1130
1130
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1131
1131
|
ok: !1,
|
|
1132
|
-
error:
|
|
1133
|
-
error_description:
|
|
1132
|
+
error: a.oauthErrorCode,
|
|
1133
|
+
error_description: a.message
|
|
1134
1134
|
};
|
|
1135
1135
|
}
|
|
1136
1136
|
}
|
|
@@ -1141,7 +1141,7 @@ class G extends re {
|
|
|
1141
1141
|
return this.errorFn(this.server, e, t);
|
|
1142
1142
|
}
|
|
1143
1143
|
try {
|
|
1144
|
-
if (!this.validFlows.includes(
|
|
1144
|
+
if (!this.validFlows.includes(E.AuthorizationCodeWithPKCE)) {
|
|
1145
1145
|
const w = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1146
1146
|
return this.errorFn(this.server, e, w);
|
|
1147
1147
|
}
|
|
@@ -1149,9 +1149,9 @@ class G extends re {
|
|
|
1149
1149
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1150
1150
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1151
1151
|
t == "" && (t = void 0);
|
|
1152
|
-
const
|
|
1152
|
+
const a = this.randomValue(this.stateLength), { codeChallenge: i, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: a, codeChallenge: i, codeVerifier: c };
|
|
1153
1153
|
await this.storeSessionData(e, d);
|
|
1154
|
-
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(
|
|
1154
|
+
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(a, t, i, !0);
|
|
1155
1155
|
if (g || !h) {
|
|
1156
1156
|
const w = n.fromOAuthError(
|
|
1157
1157
|
g ?? "server_error",
|
|
@@ -1164,11 +1164,11 @@ class G extends re {
|
|
|
1164
1164
|
})), this.redirect(302, h);
|
|
1165
1165
|
} catch (t) {
|
|
1166
1166
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1167
|
-
const
|
|
1167
|
+
const a = n.asCrossauthError(t);
|
|
1168
1168
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), v({
|
|
1169
|
-
error:
|
|
1170
|
-
error_description:
|
|
1171
|
-
}, { status:
|
|
1169
|
+
error: a.oauthErrorCode,
|
|
1170
|
+
error_description: a.message
|
|
1171
|
+
}, { status: a.httpStatus });
|
|
1172
1172
|
}
|
|
1173
1173
|
},
|
|
1174
1174
|
load: async (e) => {
|
|
@@ -1184,7 +1184,7 @@ class G extends re {
|
|
|
1184
1184
|
};
|
|
1185
1185
|
}
|
|
1186
1186
|
try {
|
|
1187
|
-
if (!this.validFlows.includes(
|
|
1187
|
+
if (!this.validFlows.includes(E.AuthorizationCodeWithPKCE)) {
|
|
1188
1188
|
const w = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1189
1189
|
return {
|
|
1190
1190
|
ok: !1,
|
|
@@ -1196,9 +1196,9 @@ class G extends re {
|
|
|
1196
1196
|
throw new n(u.Configuration, "Need session server or adapter for authorization code flow");
|
|
1197
1197
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1198
1198
|
t == "" && (t = void 0);
|
|
1199
|
-
const
|
|
1199
|
+
const a = this.randomValue(this.stateLength), { codeChallenge: i, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: a, codeChallenge: i, codeVerifier: c };
|
|
1200
1200
|
await this.storeSessionData(e, d);
|
|
1201
|
-
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(
|
|
1201
|
+
const { url: h, error: g, error_description: p } = await this.startAuthorizationCodeFlow(a, t, i, !0);
|
|
1202
1202
|
if (g || !h) {
|
|
1203
1203
|
const w = n.fromOAuthError(
|
|
1204
1204
|
g ?? "server_error",
|
|
@@ -1215,11 +1215,11 @@ class G extends re {
|
|
|
1215
1215
|
})), this.redirect(302, h);
|
|
1216
1216
|
} catch (t) {
|
|
1217
1217
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1218
|
-
const
|
|
1218
|
+
const a = n.asCrossauthError(t);
|
|
1219
1219
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1220
1220
|
ok: !1,
|
|
1221
|
-
error:
|
|
1222
|
-
error_description:
|
|
1221
|
+
error: a.oauthErrorCode,
|
|
1222
|
+
error_description: a.message
|
|
1223
1223
|
};
|
|
1224
1224
|
}
|
|
1225
1225
|
}
|
|
@@ -1227,20 +1227,20 @@ class G extends re {
|
|
|
1227
1227
|
get: async (e) => {
|
|
1228
1228
|
var t;
|
|
1229
1229
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1230
|
-
const
|
|
1231
|
-
return this.errorFn(this.server, e,
|
|
1230
|
+
const a = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1231
|
+
return this.errorFn(this.server, e, a);
|
|
1232
1232
|
}
|
|
1233
1233
|
try {
|
|
1234
|
-
if (!(this.validFlows.includes(
|
|
1234
|
+
if (!(this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode))) {
|
|
1235
1235
|
const p = new n(u.Unauthorized, "Authorization flows are not supported");
|
|
1236
1236
|
return this.errorFn(this.server, e, p);
|
|
1237
1237
|
}
|
|
1238
1238
|
l.logger.debug(f({ msg: "redirectUriEndpoint, token response type " + this.tokenResponseType }));
|
|
1239
|
-
const
|
|
1240
|
-
if ((h == null ? void 0 : h.state) !=
|
|
1239
|
+
const a = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, h = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1240
|
+
if ((h == null ? void 0 : h.state) != i)
|
|
1241
1241
|
throw new n(u.Unauthorized, "State does not match");
|
|
1242
1242
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1243
|
-
|
|
1243
|
+
a,
|
|
1244
1244
|
h == null ? void 0 : h.scope,
|
|
1245
1245
|
h == null ? void 0 : h.codeVerifier,
|
|
1246
1246
|
c,
|
|
@@ -1265,10 +1265,10 @@ class G extends re {
|
|
|
1265
1265
|
!1,
|
|
1266
1266
|
this.setEventLocalsUser
|
|
1267
1267
|
);
|
|
1268
|
-
} catch (
|
|
1269
|
-
if (m.isSvelteKitRedirect(
|
|
1270
|
-
const
|
|
1271
|
-
return l.logger.debug({ err:
|
|
1268
|
+
} catch (a) {
|
|
1269
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1270
|
+
const i = n.asCrossauthError(a);
|
|
1271
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), this.errorFn(this.server, e, i);
|
|
1272
1272
|
}
|
|
1273
1273
|
},
|
|
1274
1274
|
load: async (e) => {
|
|
@@ -1277,15 +1277,15 @@ class G extends re {
|
|
|
1277
1277
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1278
1278
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1279
1279
|
) {
|
|
1280
|
-
const
|
|
1280
|
+
const a = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use get not load");
|
|
1281
1281
|
return {
|
|
1282
1282
|
ok: !1,
|
|
1283
|
-
error:
|
|
1284
|
-
error_description:
|
|
1283
|
+
error: a.oauthErrorCode,
|
|
1284
|
+
error_description: a.message
|
|
1285
1285
|
};
|
|
1286
1286
|
}
|
|
1287
1287
|
try {
|
|
1288
|
-
if (!(this.validFlows.includes(
|
|
1288
|
+
if (!(this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode))) {
|
|
1289
1289
|
const w = new n(u.Unauthorized, "Authorization flows are not supported");
|
|
1290
1290
|
return {
|
|
1291
1291
|
ok: !1,
|
|
@@ -1293,11 +1293,11 @@ class G extends re {
|
|
|
1293
1293
|
error_description: w.message
|
|
1294
1294
|
};
|
|
1295
1295
|
}
|
|
1296
|
-
const
|
|
1297
|
-
if ((h == null ? void 0 : h.state) !=
|
|
1296
|
+
const a = e.url.searchParams.get("code") ?? "", i = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, h = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1297
|
+
if ((h == null ? void 0 : h.state) != i)
|
|
1298
1298
|
throw new n(u.Unauthorized, "State does not match");
|
|
1299
1299
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1300
|
-
|
|
1300
|
+
a,
|
|
1301
1301
|
h == null ? void 0 : h.scope,
|
|
1302
1302
|
h == null ? void 0 : h.codeVerifier,
|
|
1303
1303
|
c,
|
|
@@ -1341,35 +1341,35 @@ class G extends re {
|
|
|
1341
1341
|
} : {
|
|
1342
1342
|
...p
|
|
1343
1343
|
};
|
|
1344
|
-
} catch (
|
|
1345
|
-
if (m.isSvelteKitRedirect(
|
|
1346
|
-
const
|
|
1347
|
-
return l.logger.debug({ err:
|
|
1344
|
+
} catch (a) {
|
|
1345
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1346
|
+
const i = n.asCrossauthError(a);
|
|
1347
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), {
|
|
1348
1348
|
ok: !1,
|
|
1349
|
-
error:
|
|
1350
|
-
error_description:
|
|
1349
|
+
error: i.oauthErrorCode,
|
|
1350
|
+
error_description: i.message
|
|
1351
1351
|
};
|
|
1352
1352
|
}
|
|
1353
1353
|
}
|
|
1354
1354
|
}, this.clientCredentialsFlowEndpoint = {
|
|
1355
1355
|
post: async (e) => {
|
|
1356
1356
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1357
|
-
const
|
|
1358
|
-
return this.errorFn(this.server, e,
|
|
1357
|
+
const i = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1358
|
+
return this.errorFn(this.server, e, i);
|
|
1359
1359
|
}
|
|
1360
1360
|
let t;
|
|
1361
1361
|
try {
|
|
1362
|
-
if (!this.validFlows.includes(
|
|
1362
|
+
if (!this.validFlows.includes(E.ClientCredentials)) {
|
|
1363
1363
|
const d = new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1364
1364
|
return this.errorFn(this.server, e, d);
|
|
1365
1365
|
}
|
|
1366
|
-
var
|
|
1367
|
-
await
|
|
1368
|
-
const
|
|
1369
|
-
if (
|
|
1366
|
+
var a = new b();
|
|
1367
|
+
await a.loadData(e), t = a.toObject();
|
|
1368
|
+
const i = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1369
|
+
if (i.error) {
|
|
1370
1370
|
const d = n.fromOAuthError(
|
|
1371
|
-
|
|
1372
|
-
|
|
1371
|
+
i.error,
|
|
1372
|
+
i.error_description
|
|
1373
1373
|
);
|
|
1374
1374
|
return await this.errorFn(
|
|
1375
1375
|
this.server,
|
|
@@ -1378,17 +1378,17 @@ class G extends re {
|
|
|
1378
1378
|
);
|
|
1379
1379
|
}
|
|
1380
1380
|
const c = await this.receiveTokenFn(
|
|
1381
|
-
|
|
1381
|
+
i,
|
|
1382
1382
|
this,
|
|
1383
1383
|
e,
|
|
1384
1384
|
!1,
|
|
1385
1385
|
this.setEventLocalsUser
|
|
1386
1386
|
);
|
|
1387
1387
|
return c instanceof Response ? c : this.pack(c);
|
|
1388
|
-
} catch (
|
|
1389
|
-
if (m.isSvelteKitRedirect(
|
|
1390
|
-
const c = n.asCrossauthError(
|
|
1391
|
-
return l.logger.debug({ err:
|
|
1388
|
+
} catch (i) {
|
|
1389
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1390
|
+
const c = n.asCrossauthError(i);
|
|
1391
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), this.errorFn(this.server, e, c);
|
|
1392
1392
|
}
|
|
1393
1393
|
},
|
|
1394
1394
|
actions: {
|
|
@@ -1400,27 +1400,27 @@ class G extends re {
|
|
|
1400
1400
|
throw new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1401
1401
|
let t;
|
|
1402
1402
|
try {
|
|
1403
|
-
if (!this.validFlows.includes(
|
|
1403
|
+
if (!this.validFlows.includes(E.ClientCredentials))
|
|
1404
1404
|
throw new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1405
|
-
var
|
|
1406
|
-
await
|
|
1407
|
-
const
|
|
1408
|
-
if (
|
|
1405
|
+
var a = new b();
|
|
1406
|
+
await a.loadData(e), t = a.toObject();
|
|
1407
|
+
const i = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1408
|
+
if (i.error)
|
|
1409
1409
|
throw n.fromOAuthError(
|
|
1410
|
-
|
|
1411
|
-
|
|
1410
|
+
i.error,
|
|
1411
|
+
i.error_description
|
|
1412
1412
|
);
|
|
1413
1413
|
return await this.receiveTokenFn(
|
|
1414
|
-
|
|
1414
|
+
i,
|
|
1415
1415
|
this,
|
|
1416
1416
|
e,
|
|
1417
1417
|
!1,
|
|
1418
1418
|
this.setEventLocalsUser
|
|
1419
1419
|
) ?? {};
|
|
1420
|
-
} catch (
|
|
1421
|
-
if (m.isSvelteKitRedirect(
|
|
1422
|
-
const c = n.asCrossauthError(
|
|
1423
|
-
return l.logger.debug({ err:
|
|
1420
|
+
} catch (i) {
|
|
1421
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1422
|
+
const c = n.asCrossauthError(i);
|
|
1423
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), {
|
|
1424
1424
|
ok: !1,
|
|
1425
1425
|
error: c.oauthErrorCode,
|
|
1426
1426
|
error_description: c.message
|
|
@@ -1431,17 +1431,17 @@ class G extends re {
|
|
|
1431
1431
|
}, this.refreshTokenFlowEndpoint = {
|
|
1432
1432
|
post: async (e) => {
|
|
1433
1433
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1434
|
-
const
|
|
1435
|
-
return this.errorFn(this.server, e,
|
|
1434
|
+
const i = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1435
|
+
return this.errorFn(this.server, e, i);
|
|
1436
1436
|
}
|
|
1437
1437
|
let t;
|
|
1438
1438
|
try {
|
|
1439
|
-
if (!this.validFlows.includes(
|
|
1439
|
+
if (!this.validFlows.includes(E.RefreshToken)) {
|
|
1440
1440
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1441
1441
|
return this.errorFn(this.server, e, h);
|
|
1442
1442
|
}
|
|
1443
|
-
var
|
|
1444
|
-
if (await
|
|
1443
|
+
var a = new b();
|
|
1444
|
+
if (await a.loadData(e), t = a.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1445
1445
|
try {
|
|
1446
1446
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1447
1447
|
throw new n(u.InvalidCsrf);
|
|
@@ -1450,8 +1450,8 @@ class G extends re {
|
|
|
1450
1450
|
const g = new n(u.Unauthorized, "CSRF token not present");
|
|
1451
1451
|
return this.errorFn(this.server, e, g);
|
|
1452
1452
|
}
|
|
1453
|
-
let
|
|
1454
|
-
if (!
|
|
1453
|
+
let i = t.refresh_token;
|
|
1454
|
+
if (!i && this.server.sessionAdapter) {
|
|
1455
1455
|
const h = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1456
1456
|
if (!(h != null && h.refresh_token)) {
|
|
1457
1457
|
const g = new n(
|
|
@@ -1460,16 +1460,16 @@ class G extends re {
|
|
|
1460
1460
|
);
|
|
1461
1461
|
return this.errorFn(this.server, e, g);
|
|
1462
1462
|
}
|
|
1463
|
-
|
|
1463
|
+
i = h.refresh_token;
|
|
1464
1464
|
}
|
|
1465
|
-
if (!
|
|
1465
|
+
if (!i) {
|
|
1466
1466
|
const h = new n(
|
|
1467
1467
|
u.BadRequest,
|
|
1468
1468
|
"No refresh token supplied"
|
|
1469
1469
|
);
|
|
1470
1470
|
return this.errorFn(this.server, e, h);
|
|
1471
1471
|
}
|
|
1472
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1472
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), d = await this.receiveTokenFn(
|
|
1473
1473
|
c,
|
|
1474
1474
|
this,
|
|
1475
1475
|
e,
|
|
@@ -1478,10 +1478,10 @@ class G extends re {
|
|
|
1478
1478
|
);
|
|
1479
1479
|
if (c && d instanceof Response) return d;
|
|
1480
1480
|
throw new n(u.UnknownError, "Receive token function did not return a Response");
|
|
1481
|
-
} catch (
|
|
1482
|
-
if (m.isSvelteKitRedirect(
|
|
1483
|
-
const c = n.asCrossauthError(
|
|
1484
|
-
return l.logger.debug({ err:
|
|
1481
|
+
} catch (i) {
|
|
1482
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1483
|
+
const c = n.asCrossauthError(i);
|
|
1484
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), this.errorFn(this.server, e, c);
|
|
1485
1485
|
}
|
|
1486
1486
|
},
|
|
1487
1487
|
actions: {
|
|
@@ -1493,34 +1493,34 @@ class G extends re {
|
|
|
1493
1493
|
throw new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1494
1494
|
let t;
|
|
1495
1495
|
try {
|
|
1496
|
-
if (!this.validFlows.includes(
|
|
1496
|
+
if (!this.validFlows.includes(E.RefreshToken)) {
|
|
1497
1497
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1498
1498
|
return this.errorFn(this.server, e, h);
|
|
1499
1499
|
}
|
|
1500
|
-
var
|
|
1501
|
-
if (await
|
|
1500
|
+
var a = new b();
|
|
1501
|
+
if (await a.loadData(e), t = a.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1502
1502
|
try {
|
|
1503
1503
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1504
1504
|
throw new n(u.InvalidCsrf);
|
|
1505
1505
|
} catch (h) {
|
|
1506
1506
|
throw m.isSvelteKitError(h) || m.isSvelteKitRedirect(h) ? h : new n(u.Unauthorized, "CSRF token not present");
|
|
1507
1507
|
}
|
|
1508
|
-
let
|
|
1509
|
-
if (!
|
|
1508
|
+
let i = t.refresh_token;
|
|
1509
|
+
if (!i && this.server.sessionAdapter) {
|
|
1510
1510
|
const h = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1511
1511
|
if (!(h != null && h.refresh_token))
|
|
1512
1512
|
throw new n(
|
|
1513
1513
|
u.BadRequest,
|
|
1514
1514
|
"No refresh token in session or in parameters"
|
|
1515
1515
|
);
|
|
1516
|
-
|
|
1516
|
+
i = h.refresh_token;
|
|
1517
1517
|
}
|
|
1518
|
-
if (!
|
|
1518
|
+
if (!i)
|
|
1519
1519
|
throw new n(
|
|
1520
1520
|
u.BadRequest,
|
|
1521
1521
|
"No refresh token supplied"
|
|
1522
1522
|
);
|
|
1523
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1523
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(i)), d = await this.receiveTokenFn(
|
|
1524
1524
|
c,
|
|
1525
1525
|
this,
|
|
1526
1526
|
e,
|
|
@@ -1529,10 +1529,10 @@ class G extends re {
|
|
|
1529
1529
|
) ?? {};
|
|
1530
1530
|
if (d instanceof Response) throw new n(u.Configuration, "Refresh token flow should return an object not Response");
|
|
1531
1531
|
return d;
|
|
1532
|
-
} catch (
|
|
1533
|
-
if (m.isSvelteKitRedirect(
|
|
1534
|
-
const c = n.asCrossauthError(
|
|
1535
|
-
return l.logger.debug({ err:
|
|
1532
|
+
} catch (i) {
|
|
1533
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1534
|
+
const c = n.asCrossauthError(i);
|
|
1535
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), {
|
|
1536
1536
|
ok: !1,
|
|
1537
1537
|
error: c.oauthErrorCode,
|
|
1538
1538
|
error_description: c.message
|
|
@@ -1581,8 +1581,8 @@ class G extends re {
|
|
|
1581
1581
|
post: async (e) => {
|
|
1582
1582
|
const t = await this.startDeviceCodeFlow_internal(e);
|
|
1583
1583
|
if (t.error) {
|
|
1584
|
-
const
|
|
1585
|
-
return v(t, { status:
|
|
1584
|
+
const a = n.fromOAuthError(t.error, t.error_description);
|
|
1585
|
+
return v(t, { status: a.httpStatus });
|
|
1586
1586
|
}
|
|
1587
1587
|
return v(t);
|
|
1588
1588
|
}
|
|
@@ -1598,40 +1598,40 @@ class G extends re {
|
|
|
1598
1598
|
if (t instanceof Response) return t;
|
|
1599
1599
|
if (t == null) return new Response(null, { status: 204 });
|
|
1600
1600
|
if (t.error) {
|
|
1601
|
-
const
|
|
1602
|
-
return v(t, { status:
|
|
1601
|
+
const a = n.fromOAuthError(t.error, t.error_description);
|
|
1602
|
+
return v(t, { status: a.httpStatus });
|
|
1603
1603
|
}
|
|
1604
1604
|
return v(t);
|
|
1605
1605
|
}
|
|
1606
1606
|
}, this.passwordFlowEndpoint = {
|
|
1607
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1607
|
+
post: async (e) => await this.passwordFlow_post(e, (t, a) => this.passwordPost(t, a)),
|
|
1608
1608
|
actions: {
|
|
1609
|
-
password: async (e) => await this.passwordFlow_action(e, (t,
|
|
1610
|
-
passwordOtp: async (e) => await this.passwordFlow_action(e, (t,
|
|
1611
|
-
passwordOob: async (e) => await this.passwordFlow_action(e, (t,
|
|
1609
|
+
password: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordPost(t, a)),
|
|
1610
|
+
passwordOtp: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOtp(t, a)),
|
|
1611
|
+
passwordOob: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOob(t, a))
|
|
1612
1612
|
}
|
|
1613
1613
|
}, this.passwordOtpEndpoint = {
|
|
1614
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1614
|
+
post: async (e) => await this.passwordFlow_post(e, (t, a) => this.passwordOtp(t, a)),
|
|
1615
1615
|
actions: {
|
|
1616
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1616
|
+
default: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOtp(t, a))
|
|
1617
1617
|
}
|
|
1618
1618
|
}, this.passwordOobEndpoint = {
|
|
1619
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1619
|
+
post: async (e) => await this.passwordFlow_post(e, (t, a) => this.passwordOob(t, a)),
|
|
1620
1620
|
actions: {
|
|
1621
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1621
|
+
default: async (e) => await this.passwordFlow_action(e, (t, a) => this.passwordOob(t, a))
|
|
1622
1622
|
}
|
|
1623
1623
|
}, this.deleteTokensEndpoint = {
|
|
1624
1624
|
post: async (e) => {
|
|
1625
|
-
var t,
|
|
1625
|
+
var t, a;
|
|
1626
1626
|
try {
|
|
1627
1627
|
return await this.deleteSessionData(e), v({ ok: !0 });
|
|
1628
|
-
} catch (
|
|
1629
|
-
if (m.isSvelteKitRedirect(
|
|
1630
|
-
const c = n.asCrossauthError(
|
|
1628
|
+
} catch (i) {
|
|
1629
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1630
|
+
const c = n.asCrossauthError(i);
|
|
1631
1631
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), v({
|
|
1632
1632
|
ok: !1,
|
|
1633
1633
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1634
|
-
csrfToken: (
|
|
1634
|
+
csrfToken: (a = this.server.sessionAdapter) == null ? void 0 : a.getCsrfToken(e),
|
|
1635
1635
|
errorCode: c.code,
|
|
1636
1636
|
errorCodeName: c.codeName,
|
|
1637
1637
|
errorMessage: c.message
|
|
@@ -1640,16 +1640,16 @@ class G extends re {
|
|
|
1640
1640
|
},
|
|
1641
1641
|
actions: {
|
|
1642
1642
|
default: async (e) => {
|
|
1643
|
-
var t,
|
|
1643
|
+
var t, a;
|
|
1644
1644
|
try {
|
|
1645
1645
|
return await this.deleteSessionData(e), { ok: !0 };
|
|
1646
|
-
} catch (
|
|
1647
|
-
if (m.isSvelteKitRedirect(
|
|
1648
|
-
const c = n.asCrossauthError(
|
|
1646
|
+
} catch (i) {
|
|
1647
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1648
|
+
const c = n.asCrossauthError(i);
|
|
1649
1649
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1650
1650
|
ok: !1,
|
|
1651
1651
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1652
|
-
csrfToken: (
|
|
1652
|
+
csrfToken: (a = this.server.sessionAdapter) == null ? void 0 : a.getCsrfToken(e),
|
|
1653
1653
|
errorCode: c.code,
|
|
1654
1654
|
errorCodeName: c.codeName,
|
|
1655
1655
|
errorMessage: c.message
|
|
@@ -1720,9 +1720,9 @@ class G extends re {
|
|
|
1720
1720
|
actions: {
|
|
1721
1721
|
default: async (e) => await this.tokens(e, this.tokenEndpoints)
|
|
1722
1722
|
}
|
|
1723
|
-
}, this.server = r, y("sessionDataName",
|
|
1724
|
-
this.validFlows =
|
|
1725
|
-
else if (!
|
|
1723
|
+
}, this.server = r, y("sessionDataName", _.String, this, s, "OAUTH_SESSION_DATA_NAME"), y("tokenResponseType", _.String, this, s, "OAUTH_TOKEN_RESPONSE_TYPE"), y("errorResponseType", _.String, this, s, "OAUTH_ERROR_RESPONSE_TYPE"), y("loginUrl", _.String, this, s, "LOGIN_URL"), y("bffEndpointName", _.String, this, s, "OAUTH_BFF_ENDPOINT_NAME"), y("bffBaseUrl", _.String, this, s, "OAUTH_BFF_BASEURL"), y("redirect_uri", _.String, this, s, "OAUTH_REDIRECTURI", !0), y("authorizedUrl", _.String, this, s, "AUTHORIZED_URL", !1), y("validFlows", _.JsonArray, this, s, "OAUTH_validFlows"), y("bffMaxTries", _.Number, this, s, "OAUTH_BFF_MAX_RETRIES"), y("bffSleepMilliseconds", _.Number, this, s, "OAUTH_BFF_SLEEP_MILLISECONDS"), y("jwtTokens", _.JsonArray, this, s, "OAUTH_JWT_TOKENS"), this.bffEndpointName && !this.bffEndpointName.startsWith("/") && (this.bffEndpointName = "/" + this.bffEndpointName), this.bffEndpointName && this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), this.bffBaseUrl && this.bffBaseUrl.endsWith("/") && (this.bffBaseUrl = this.bffBaseUrl.substring(0, this.bffBaseUrl.length - 1)), s.redirect && (this.redirect = s.redirect), s.error && (this.error = s.error), this.validFlows.length == 1 && this.validFlows[0] == E.All)
|
|
1724
|
+
this.validFlows = E.allFlows();
|
|
1725
|
+
else if (!E.areAllValidFlows(this.validFlows))
|
|
1726
1726
|
throw new n(u.Configuration, "Invalid flows specificied in " + this.validFlows.join(","));
|
|
1727
1727
|
try {
|
|
1728
1728
|
new URL(this.redirect_uri ?? "");
|
|
@@ -1732,9 +1732,9 @@ class G extends re {
|
|
|
1732
1732
|
if (s.tokenEndpoints && (this.tokenEndpoints = s.tokenEndpoints), this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), s.bffEndpoints && (this.bffEndpoints = s.bffEndpoints.map((e) => ({ ...e, methodsString: e.methods.map((t) => t) }))), this.bffEndpoints)
|
|
1733
1733
|
for (let e of this.bffEndpoints)
|
|
1734
1734
|
e.url.startsWith("/") || (e.url = "/" + e.url);
|
|
1735
|
-
if (this.loginProtectedFlows.length == 1 && this.loginProtectedFlows[0] ==
|
|
1735
|
+
if (this.loginProtectedFlows.length == 1 && this.loginProtectedFlows[0] == E.All)
|
|
1736
1736
|
this.loginProtectedFlows = this.validFlows;
|
|
1737
|
-
else if (!
|
|
1737
|
+
else if (!E.areAllValidFlows(this.loginProtectedFlows))
|
|
1738
1738
|
throw new n(
|
|
1739
1739
|
u.Configuration,
|
|
1740
1740
|
"Invalid flows specificied in " + this.loginProtectedFlows.join(",")
|
|
@@ -1764,8 +1764,8 @@ class G extends re {
|
|
|
1764
1764
|
if (e.locals.user || !r.sessionAdapter) return;
|
|
1765
1765
|
let t = await r.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1766
1766
|
if (t && t.id_payload) {
|
|
1767
|
-
let
|
|
1768
|
-
|
|
1767
|
+
let a = t.expires_at;
|
|
1768
|
+
a && a > Date.now() && t.id_payload.sub && await this.setEventLocalsUser(e, t.id_payload);
|
|
1769
1769
|
}
|
|
1770
1770
|
this.testMiddleware && (this.testEvent = e);
|
|
1771
1771
|
};
|
|
@@ -1798,12 +1798,12 @@ class G extends re {
|
|
|
1798
1798
|
o.password,
|
|
1799
1799
|
o.scope
|
|
1800
1800
|
);
|
|
1801
|
-
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(
|
|
1801
|
+
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(E.PasswordMfa)) {
|
|
1802
1802
|
const t = e.mfa_token;
|
|
1803
|
-
let
|
|
1804
|
-
if (
|
|
1803
|
+
let a = o.scope;
|
|
1804
|
+
if (a == "" && (a = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
|
|
1805
1805
|
t,
|
|
1806
|
-
|
|
1806
|
+
a,
|
|
1807
1807
|
r
|
|
1808
1808
|
)), e.error)
|
|
1809
1809
|
throw n.fromOAuthError(
|
|
@@ -1839,11 +1839,11 @@ class G extends re {
|
|
|
1839
1839
|
};
|
|
1840
1840
|
const t = e.authenticators[0];
|
|
1841
1841
|
if (t.authenticator_type == "otp") {
|
|
1842
|
-
const
|
|
1843
|
-
if (
|
|
1842
|
+
const i = await this.mfaOtpRequest(r, t.id);
|
|
1843
|
+
if (i.error || i.challenge_type != "otp") {
|
|
1844
1844
|
const c = n.fromOAuthError(
|
|
1845
|
-
|
|
1846
|
-
|
|
1845
|
+
i.error ?? "server_error",
|
|
1846
|
+
i.error_description ?? "Invalid response from MFA OTP challenge"
|
|
1847
1847
|
);
|
|
1848
1848
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1849
1849
|
error: c.oauthErrorCode,
|
|
@@ -1853,14 +1853,14 @@ class G extends re {
|
|
|
1853
1853
|
return {
|
|
1854
1854
|
scope: o,
|
|
1855
1855
|
mfa_token: r,
|
|
1856
|
-
challenge_type:
|
|
1856
|
+
challenge_type: i.challenge_type
|
|
1857
1857
|
};
|
|
1858
1858
|
} else if (t.authenticator_type == "oob") {
|
|
1859
|
-
const
|
|
1860
|
-
if (
|
|
1859
|
+
const i = await this.mfaOobRequest(r, t.id);
|
|
1860
|
+
if (i.error || i.challenge_type != "oob" || !i.oob_code || i.binding_method != "prompt") {
|
|
1861
1861
|
const c = n.fromOAuthError(
|
|
1862
|
-
|
|
1863
|
-
|
|
1862
|
+
i.error ?? "server_error",
|
|
1863
|
+
i.error_description ?? "Invalid response from MFA OOB challenge"
|
|
1864
1864
|
);
|
|
1865
1865
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1866
1866
|
error: c.oauthErrorCode,
|
|
@@ -1871,19 +1871,19 @@ class G extends re {
|
|
|
1871
1871
|
scope: o,
|
|
1872
1872
|
mfa_token: r,
|
|
1873
1873
|
oob_channel: t.oob_channel,
|
|
1874
|
-
challenge_type:
|
|
1875
|
-
binding_method:
|
|
1876
|
-
oob_code:
|
|
1874
|
+
challenge_type: i.challenge_type,
|
|
1875
|
+
binding_method: i.binding_method,
|
|
1876
|
+
oob_code: i.oob_code,
|
|
1877
1877
|
name: t.name
|
|
1878
1878
|
};
|
|
1879
1879
|
}
|
|
1880
|
-
const
|
|
1880
|
+
const a = new n(
|
|
1881
1881
|
u.UnknownError,
|
|
1882
1882
|
"Unsupported MFA type " + t.authenticator_type + " returned"
|
|
1883
1883
|
);
|
|
1884
1884
|
return {
|
|
1885
|
-
error:
|
|
1886
|
-
error_description:
|
|
1885
|
+
error: a.oauthErrorCode,
|
|
1886
|
+
error_description: a.message
|
|
1887
1887
|
};
|
|
1888
1888
|
}
|
|
1889
1889
|
async passwordOtp(r, o) {
|
|
@@ -1938,10 +1938,10 @@ class G extends re {
|
|
|
1938
1938
|
if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
|
|
1939
1939
|
try {
|
|
1940
1940
|
o.locals.sessionId && (this.autoRefreshActive[o.locals.sessionId] = !0);
|
|
1941
|
-
const
|
|
1942
|
-
if (!
|
|
1941
|
+
const a = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
|
|
1942
|
+
if (!a.error && !a.access_token && (a.error = "server_error", a.error_description = "Unexpectedly did not receive error or access token"), !a.error) {
|
|
1943
1943
|
const d = await this.receiveTokenFn(
|
|
1944
|
-
|
|
1944
|
+
a,
|
|
1945
1945
|
this,
|
|
1946
1946
|
o,
|
|
1947
1947
|
r == "silent",
|
|
@@ -1951,43 +1951,43 @@ class G extends re {
|
|
|
1951
1951
|
}
|
|
1952
1952
|
if (r != "silent") {
|
|
1953
1953
|
const d = n.fromOAuthError(
|
|
1954
|
-
|
|
1955
|
-
|
|
1954
|
+
a.error ?? "server_error",
|
|
1955
|
+
a.error_description
|
|
1956
1956
|
);
|
|
1957
1957
|
return r == "page" ? this.errorFn(this.server, o, d) : {
|
|
1958
1958
|
error: d.oauthErrorCode,
|
|
1959
1959
|
error_description: d.message
|
|
1960
1960
|
};
|
|
1961
1961
|
}
|
|
1962
|
-
let
|
|
1963
|
-
if (!
|
|
1964
|
-
const d = M(
|
|
1965
|
-
d.exp && (
|
|
1962
|
+
let i = a.expires_in;
|
|
1963
|
+
if (!i && a.access_token) {
|
|
1964
|
+
const d = M(a.access_token);
|
|
1965
|
+
d.exp && (i = d.exp);
|
|
1966
1966
|
}
|
|
1967
|
-
if (!
|
|
1967
|
+
if (!i)
|
|
1968
1968
|
throw new n(
|
|
1969
1969
|
u.BadRequest,
|
|
1970
1970
|
"OAuth server did not return an expiry for the access token"
|
|
1971
1971
|
);
|
|
1972
|
-
const c = (/* @__PURE__ */ new Date()).getTime() +
|
|
1972
|
+
const c = (/* @__PURE__ */ new Date()).getTime() + i * 1e3;
|
|
1973
1973
|
return {
|
|
1974
|
-
access_token:
|
|
1975
|
-
refresh_token:
|
|
1976
|
-
expires_in:
|
|
1974
|
+
access_token: a.access_token,
|
|
1975
|
+
refresh_token: a.refresh_token,
|
|
1976
|
+
expires_in: a.expires_in,
|
|
1977
1977
|
expires_at: c,
|
|
1978
|
-
error:
|
|
1979
|
-
error_description:
|
|
1978
|
+
error: a.error,
|
|
1979
|
+
error_description: a.error_description
|
|
1980
1980
|
};
|
|
1981
|
-
} catch (
|
|
1982
|
-
if (m.isSvelteKitRedirect(
|
|
1983
|
-
if (l.logger.debug(f({ err:
|
|
1984
|
-
cerr:
|
|
1981
|
+
} catch (a) {
|
|
1982
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1983
|
+
if (l.logger.debug(f({ err: a })), l.logger.error(f({
|
|
1984
|
+
cerr: a,
|
|
1985
1985
|
msg: "Failed refreshing access token"
|
|
1986
1986
|
})), r != "silent") {
|
|
1987
|
-
const
|
|
1988
|
-
return r == "page" ? this.errorFn(this.server, o,
|
|
1989
|
-
error:
|
|
1990
|
-
error_description:
|
|
1987
|
+
const i = n.asCrossauthError(a);
|
|
1988
|
+
return r == "page" ? this.errorFn(this.server, o, i) : {
|
|
1989
|
+
error: i.oauthErrorCode,
|
|
1990
|
+
error_description: i.message
|
|
1991
1991
|
};
|
|
1992
1992
|
}
|
|
1993
1993
|
return {
|
|
@@ -2063,17 +2063,17 @@ class G extends re {
|
|
|
2063
2063
|
}
|
|
2064
2064
|
let s;
|
|
2065
2065
|
try {
|
|
2066
|
-
if (!(this.validFlows.includes(
|
|
2067
|
-
const
|
|
2068
|
-
return this.errorFn(this.server, r,
|
|
2066
|
+
if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
|
|
2067
|
+
const i = new n(u.Unauthorized, "Password flow is not supported");
|
|
2068
|
+
return this.errorFn(this.server, r, i);
|
|
2069
2069
|
}
|
|
2070
2070
|
var e = new b();
|
|
2071
2071
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2072
2072
|
try {
|
|
2073
2073
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2074
2074
|
throw new n(u.InvalidCsrf);
|
|
2075
|
-
} catch (
|
|
2076
|
-
if (m.isSvelteKitError(
|
|
2075
|
+
} catch (i) {
|
|
2076
|
+
if (m.isSvelteKitError(i) || m.isSvelteKitRedirect(i)) throw i;
|
|
2077
2077
|
const c = new n(u.Unauthorized, "CSRF token not present");
|
|
2078
2078
|
return this.errorFn(this.server, r, c);
|
|
2079
2079
|
}
|
|
@@ -2083,19 +2083,19 @@ class G extends re {
|
|
|
2083
2083
|
ok: !1,
|
|
2084
2084
|
...t
|
|
2085
2085
|
};
|
|
2086
|
-
const
|
|
2086
|
+
const a = await this.receiveTokenFn(
|
|
2087
2087
|
t,
|
|
2088
2088
|
this,
|
|
2089
2089
|
r,
|
|
2090
2090
|
!1,
|
|
2091
2091
|
this.setEventLocalsUser
|
|
2092
2092
|
);
|
|
2093
|
-
if (t &&
|
|
2093
|
+
if (t && a instanceof Response) return a;
|
|
2094
2094
|
throw new n(u.UnknownError, "Receive token function did not return a Response");
|
|
2095
2095
|
} catch (t) {
|
|
2096
2096
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2097
|
-
const
|
|
2098
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r,
|
|
2097
|
+
const a = n.asCrossauthError(t);
|
|
2098
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r, a);
|
|
2099
2099
|
}
|
|
2100
2100
|
}
|
|
2101
2101
|
async passwordFlow_action(r, o) {
|
|
@@ -2106,17 +2106,17 @@ class G extends re {
|
|
|
2106
2106
|
throw new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
2107
2107
|
let s;
|
|
2108
2108
|
try {
|
|
2109
|
-
if (!(this.validFlows.includes(
|
|
2110
|
-
const
|
|
2111
|
-
return this.errorFn(this.server, r,
|
|
2109
|
+
if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
|
|
2110
|
+
const i = new n(u.Unauthorized, "Password and Password MFA flows are not supported");
|
|
2111
|
+
return this.errorFn(this.server, r, i);
|
|
2112
2112
|
}
|
|
2113
2113
|
var e = new b();
|
|
2114
2114
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2115
2115
|
try {
|
|
2116
2116
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2117
2117
|
throw new n(u.InvalidCsrf);
|
|
2118
|
-
} catch (
|
|
2119
|
-
throw m.isSvelteKitError(
|
|
2118
|
+
} catch (i) {
|
|
2119
|
+
throw m.isSvelteKitError(i) || m.isSvelteKitRedirect(i) ? i : new n(u.Unauthorized, "CSRF token not present");
|
|
2120
2120
|
}
|
|
2121
2121
|
const t = await o(r, s);
|
|
2122
2122
|
if (!t) throw new n(u.UnknownError, "Password flow returned no data");
|
|
@@ -2126,28 +2126,28 @@ class G extends re {
|
|
|
2126
2126
|
...t
|
|
2127
2127
|
};
|
|
2128
2128
|
if (t.challenge_type) {
|
|
2129
|
-
if (!this.validFlows.includes(
|
|
2130
|
-
const
|
|
2131
|
-
return this.errorFn(this.server, r,
|
|
2129
|
+
if (!this.validFlows.includes(E.PasswordMfa)) {
|
|
2130
|
+
const i = new n(u.Unauthorized, "Password MFA flow is not supported");
|
|
2131
|
+
return this.errorFn(this.server, r, i);
|
|
2132
2132
|
}
|
|
2133
2133
|
return t;
|
|
2134
2134
|
}
|
|
2135
|
-
const
|
|
2135
|
+
const a = await this.receiveTokenFn(
|
|
2136
2136
|
t,
|
|
2137
2137
|
this,
|
|
2138
2138
|
r,
|
|
2139
2139
|
!1,
|
|
2140
2140
|
this.setEventLocalsUser
|
|
2141
2141
|
) ?? {};
|
|
2142
|
-
if (
|
|
2143
|
-
return
|
|
2142
|
+
if (a instanceof Response) throw new n(u.Configuration, "Refresh token flow should return an object not Response");
|
|
2143
|
+
return a;
|
|
2144
2144
|
} catch (t) {
|
|
2145
2145
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2146
|
-
const
|
|
2146
|
+
const a = n.asCrossauthError(t);
|
|
2147
2147
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
2148
2148
|
ok: !1,
|
|
2149
|
-
error:
|
|
2150
|
-
error_description:
|
|
2149
|
+
error: a.oauthErrorCode,
|
|
2150
|
+
error_description: a.message
|
|
2151
2151
|
};
|
|
2152
2152
|
}
|
|
2153
2153
|
}
|
|
@@ -2173,30 +2173,30 @@ class G extends re {
|
|
|
2173
2173
|
let t = o.url;
|
|
2174
2174
|
if (!t) {
|
|
2175
2175
|
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(u.Unauthorized, "Attempt to call BFF url with the wrong prefix");
|
|
2176
|
-
const
|
|
2177
|
-
let
|
|
2178
|
-
|
|
2176
|
+
const a = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2177
|
+
let i = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
|
|
2178
|
+
i && i != "" && (i = "?" + i), t = new URL(this.bffBaseUrl + a + i);
|
|
2179
2179
|
}
|
|
2180
2180
|
o.headers || (o.headers = new Headers());
|
|
2181
|
-
for (let
|
|
2182
|
-
|
|
2183
|
-
const
|
|
2181
|
+
for (let a = 0; a < this.bffMaxTries; ++a) {
|
|
2182
|
+
a > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
|
|
2183
|
+
const i = await this.server.sessionAdapter.getSessionData(
|
|
2184
2184
|
r,
|
|
2185
2185
|
this.sessionDataName
|
|
2186
2186
|
);
|
|
2187
|
-
if (!
|
|
2188
|
-
if (
|
|
2187
|
+
if (!i) {
|
|
2188
|
+
if (a == this.bffMaxTries)
|
|
2189
2189
|
throw new n(u.Unauthorized, "No access token found");
|
|
2190
2190
|
continue;
|
|
2191
2191
|
}
|
|
2192
|
-
let c =
|
|
2193
|
-
if (
|
|
2192
|
+
let c = i.access_token;
|
|
2193
|
+
if (i && i.access_token) {
|
|
2194
2194
|
const g = await this.refresh(
|
|
2195
2195
|
"silent",
|
|
2196
2196
|
r,
|
|
2197
2197
|
!0,
|
|
2198
|
-
|
|
2199
|
-
|
|
2198
|
+
i.refresh_token,
|
|
2199
|
+
i.expires_at
|
|
2200
2200
|
);
|
|
2201
2201
|
if (g instanceof Response) throw new n(u.Configuration, "Expected object when refreshing tokens, not Response");
|
|
2202
2202
|
if (g != null && g.access_token)
|
|
@@ -2218,7 +2218,7 @@ class G extends re {
|
|
|
2218
2218
|
headers: o.headers,
|
|
2219
2219
|
method: o.method ?? r.request.method
|
|
2220
2220
|
}), d.status == 401) {
|
|
2221
|
-
if (
|
|
2221
|
+
if (a < this.bffMaxTries - 1)
|
|
2222
2222
|
continue;
|
|
2223
2223
|
return d;
|
|
2224
2224
|
} else
|
|
@@ -2227,11 +2227,11 @@ class G extends re {
|
|
|
2227
2227
|
return new Response(null, { status: 401 });
|
|
2228
2228
|
} catch (t) {
|
|
2229
2229
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
2230
|
-
const
|
|
2231
|
-
return l.logger.debug({ err:
|
|
2232
|
-
error:
|
|
2233
|
-
error_description:
|
|
2234
|
-
}, { status:
|
|
2230
|
+
const a = n.asCrossauthError(t);
|
|
2231
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), v({
|
|
2232
|
+
error: a.oauthErrorCode,
|
|
2233
|
+
error_description: a.message
|
|
2234
|
+
}, { status: a.httpStatus });
|
|
2235
2235
|
}
|
|
2236
2236
|
}
|
|
2237
2237
|
async unpack(r) {
|
|
@@ -2269,16 +2269,16 @@ class G extends re {
|
|
|
2269
2269
|
const s = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2270
2270
|
let e;
|
|
2271
2271
|
for (let t = 0; t < this.bffEndpoints.length; ++t) {
|
|
2272
|
-
let
|
|
2273
|
-
if (
|
|
2274
|
-
let
|
|
2275
|
-
if (c.endsWith("/") || (c += "/"),
|
|
2272
|
+
let a = this.bffEndpoints[t];
|
|
2273
|
+
if (a.matchSubUrls) {
|
|
2274
|
+
let i = a.url, c = a.url;
|
|
2275
|
+
if (c.endsWith("/") || (c += "/"), a.methodsString.includes(r.request.method) && (s.startsWith(c) || s == i)) {
|
|
2276
2276
|
e = t;
|
|
2277
2277
|
break;
|
|
2278
2278
|
}
|
|
2279
2279
|
} else {
|
|
2280
|
-
let
|
|
2281
|
-
if (
|
|
2280
|
+
let i = a.url;
|
|
2281
|
+
if (a.methodsString.includes(r.request.method) && s == i) {
|
|
2282
2282
|
e = t;
|
|
2283
2283
|
break;
|
|
2284
2284
|
}
|
|
@@ -2308,23 +2308,23 @@ class G extends re {
|
|
|
2308
2308
|
if (!this.tokenEndpoints || this.tokenEndpoints.length == 0)
|
|
2309
2309
|
throw new n(u.Unauthorized, "No tokens have been made available");
|
|
2310
2310
|
let t = Array.isArray(o) ? o : [o];
|
|
2311
|
-
const
|
|
2311
|
+
const a = await this.server.sessionAdapter.getSessionData(
|
|
2312
2312
|
r,
|
|
2313
2313
|
this.sessionDataName
|
|
2314
2314
|
);
|
|
2315
|
-
if (!
|
|
2315
|
+
if (!a)
|
|
2316
2316
|
throw new n(u.Unauthorized, "No access token found");
|
|
2317
|
-
let
|
|
2317
|
+
let i = {}, c, d = !1;
|
|
2318
2318
|
for (let h of t) {
|
|
2319
2319
|
if (!this.tokenEndpoints.includes(h)) throw new n(u.Unauthorized, "Token type " + h + " may not be returned");
|
|
2320
2320
|
d = !1;
|
|
2321
2321
|
let g = h;
|
|
2322
2322
|
h.startsWith("have_") && (g = h.replace("have_", ""), d = !0);
|
|
2323
2323
|
const p = g.replace("_token", ""), w = e && this.jwtTokens.includes(p);
|
|
2324
|
-
let S = this.tokenPayload(g,
|
|
2325
|
-
d ?
|
|
2324
|
+
let S = this.tokenPayload(g, a, d, w);
|
|
2325
|
+
d ? i[h] = S.ok : S && (i[h] = S), c = i[h];
|
|
2326
2326
|
}
|
|
2327
|
-
return Array.isArray(o) ? { status: 200, body:
|
|
2327
|
+
return Array.isArray(o) ? { status: 200, body: i } : c ? d ? { status: 200, body: typeof c == "boolean" ? { ok: c } : c } : { status: 200, body: c } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
|
|
2328
2328
|
} catch (s) {
|
|
2329
2329
|
if (m.isSvelteKitError(s) || m.isSvelteKitRedirect(s)) throw s;
|
|
2330
2330
|
const e = n.asCrossauthError(s);
|
|
@@ -2341,7 +2341,7 @@ class G extends re {
|
|
|
2341
2341
|
async startDeviceCodeFlow_internal(r) {
|
|
2342
2342
|
let o;
|
|
2343
2343
|
try {
|
|
2344
|
-
if (!this.validFlows.includes(
|
|
2344
|
+
if (!this.validFlows.includes(E.DeviceCode))
|
|
2345
2345
|
throw new n(u.Unauthorized, "Device code flow is not supported");
|
|
2346
2346
|
var s = new b();
|
|
2347
2347
|
if (await s.loadData(r), o = s.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
@@ -2355,13 +2355,13 @@ class G extends re {
|
|
|
2355
2355
|
e == "" && (e = void 0);
|
|
2356
2356
|
let t = this.authServerBaseUrl;
|
|
2357
2357
|
t.endsWith("/") || (t += "/"), t += this.deviceAuthorizationUrl;
|
|
2358
|
-
const
|
|
2359
|
-
let
|
|
2360
|
-
return
|
|
2361
|
-
|
|
2358
|
+
const a = await this.startDeviceCodeFlow(t, e);
|
|
2359
|
+
let i;
|
|
2360
|
+
return a.verification_uri_complete && await ae.toDataURL(a.verification_uri_complete).then((c) => {
|
|
2361
|
+
i = c;
|
|
2362
2362
|
}).catch((c) => {
|
|
2363
2363
|
l.logger.debug(f({ err: c })), l.logger.warn(f({ msg: "Couldn't generate verification URL QR Code" }));
|
|
2364
|
-
}),
|
|
2364
|
+
}), i ? { verification_uri_qrdata: i, ...a } : a;
|
|
2365
2365
|
} catch (e) {
|
|
2366
2366
|
if (m.isSvelteKitRedirect(e) || m.isSvelteKitError(e)) throw e;
|
|
2367
2367
|
const t = n.asCrossauthError(e);
|
|
@@ -2374,15 +2374,15 @@ class G extends re {
|
|
|
2374
2374
|
async pollDeviceCodeFlow_internal(r) {
|
|
2375
2375
|
let o;
|
|
2376
2376
|
try {
|
|
2377
|
-
if (!this.validFlows.includes(
|
|
2377
|
+
if (!this.validFlows.includes(E.DeviceCode))
|
|
2378
2378
|
throw new n(u.Unauthorized, "Device code flow is not supported");
|
|
2379
2379
|
var s = new b();
|
|
2380
2380
|
if (await s.loadData(r), o = s.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2381
2381
|
try {
|
|
2382
2382
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2383
2383
|
throw new n(u.InvalidCsrf);
|
|
2384
|
-
} catch (
|
|
2385
|
-
throw m.isSvelteKitError(
|
|
2384
|
+
} catch (a) {
|
|
2385
|
+
throw m.isSvelteKitError(a) || m.isSvelteKitRedirect(a) ? a : new n(u.Unauthorized, "CSRF token not present");
|
|
2386
2386
|
}
|
|
2387
2387
|
let e = o.device_code;
|
|
2388
2388
|
if (!e) throw new n(u.BadRequest, "No device code given when polling for user authorization");
|
|
@@ -2397,8 +2397,8 @@ class G extends re {
|
|
|
2397
2397
|
);
|
|
2398
2398
|
{
|
|
2399
2399
|
if (t.error == "authorization_pending") return { ok: !0, ...t };
|
|
2400
|
-
let
|
|
2401
|
-
const c = n.fromOAuthError(
|
|
2400
|
+
let a = t.error ?? "server_error", i = t.error_description ?? "Didn't receive an access token";
|
|
2401
|
+
const c = n.fromOAuthError(a, i);
|
|
2402
2402
|
return this.errorFn(this.server, r, c);
|
|
2403
2403
|
}
|
|
2404
2404
|
} catch (e) {
|
|
@@ -2424,19 +2424,19 @@ class G extends re {
|
|
|
2424
2424
|
));
|
|
2425
2425
|
}
|
|
2426
2426
|
async storeSessionData(r, o) {
|
|
2427
|
-
var s, e, t,
|
|
2427
|
+
var s, e, t, a;
|
|
2428
2428
|
if (this.server.sessionServer) {
|
|
2429
|
-
let
|
|
2430
|
-
|
|
2429
|
+
let i = (s = this.server.sessionServer) == null ? void 0 : s.getSessionCookieValue(r);
|
|
2430
|
+
i ? await ((t = this.server.sessionAdapter) == null ? void 0 : t.updateSessionData(
|
|
2431
2431
|
r,
|
|
2432
2432
|
this.sessionDataName,
|
|
2433
2433
|
o
|
|
2434
|
-
)) :
|
|
2434
|
+
)) : i = await ((e = this.server.sessionServer) == null ? void 0 : e.createAnonymousSession(
|
|
2435
2435
|
r,
|
|
2436
2436
|
{ [this.sessionDataName]: o }
|
|
2437
2437
|
));
|
|
2438
2438
|
} else
|
|
2439
|
-
await ((
|
|
2439
|
+
await ((a = this.server.sessionAdapter) == null ? void 0 : a.updateSessionData(
|
|
2440
2440
|
r,
|
|
2441
2441
|
this.sessionDataName,
|
|
2442
2442
|
o
|
|
@@ -2455,13 +2455,13 @@ class ge extends se {
|
|
|
2455
2455
|
* @param options See {@link SvelteKitOAuthResourceServerOptions}
|
|
2456
2456
|
*/
|
|
2457
2457
|
constructor(r, o = {}) {
|
|
2458
|
-
if (super(r, o), this.errorBody = {}, this.protectedEndpoints = {}, this.protectedEndpointPrefixes = [], this.sessionDataName = "oauth", this.tokenLocations = ["header"], y("errorBody",
|
|
2458
|
+
if (super(r, o), this.errorBody = {}, this.protectedEndpoints = {}, this.protectedEndpointPrefixes = [], this.sessionDataName = "oauth", this.tokenLocations = ["header"], y("errorBody", _.Json, this, o, "OAUTH_RESSERVER_ACCESS_DENIED_BODY"), y("tokenLocations", _.JsonArray, this, o, "OAUTH_TOKEN_LOCATIONS"), y("sessionDataName", _.String, this, o, "OAUTH_SESSION_DATA_NAME"), this.userStorage = o.userStorage, this.sessionAdapter = o.sessionAdapter, o.protectedEndpoints) {
|
|
2459
2459
|
const s = /^[!#\$%&'\(\)\*\+,\.\/a-zA-Z\[\]\^_`-]+/;
|
|
2460
2460
|
for (const [e, t] of Object.entries(o.protectedEndpoints)) {
|
|
2461
2461
|
if (!e.startsWith("/"))
|
|
2462
2462
|
throw new n(u.Configuration, "protected endpoints must be absolute paths without the protocol and hostname");
|
|
2463
|
-
t.scope && t.scope.forEach((
|
|
2464
|
-
if (!s.test(
|
|
2463
|
+
t.scope && t.scope.forEach((a) => {
|
|
2464
|
+
if (!s.test(a)) throw new n(u.Configuration, "Illegal characters in scope " + a);
|
|
2465
2465
|
});
|
|
2466
2466
|
}
|
|
2467
2467
|
this.protectedEndpoints = { ...o.protectedEndpoints };
|
|
@@ -2473,16 +2473,16 @@ class ge extends se {
|
|
|
2473
2473
|
o.protectedEndpoints && (this.hook = async ({ event: s }) => {
|
|
2474
2474
|
var c, d;
|
|
2475
2475
|
const e = s.url.pathname;
|
|
2476
|
-
let t = !1,
|
|
2476
|
+
let t = !1, a = "";
|
|
2477
2477
|
if (e in this.protectedEndpoints)
|
|
2478
|
-
t = !0,
|
|
2478
|
+
t = !0, a = e;
|
|
2479
2479
|
else
|
|
2480
2480
|
for (let h of this.protectedEndpointPrefixes)
|
|
2481
|
-
e.startsWith(h) && (t = !0),
|
|
2481
|
+
e.startsWith(h) && (t = !0), a = h;
|
|
2482
2482
|
if (!t) return;
|
|
2483
|
-
const
|
|
2484
|
-
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[
|
|
2485
|
-
if (!
|
|
2483
|
+
const i = await this.authorized(s);
|
|
2484
|
+
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[a].acceptSessionAuthorization != !0)) {
|
|
2485
|
+
if (!i) {
|
|
2486
2486
|
s.locals.authError = "access_denied", s.locals.authErrorDescription = "No access token";
|
|
2487
2487
|
const h = this.authenticateHeader(s);
|
|
2488
2488
|
return new Response(JSON.stringify(this.errorBody), {
|
|
@@ -2493,7 +2493,7 @@ class ge extends se {
|
|
|
2493
2493
|
status: 401
|
|
2494
2494
|
});
|
|
2495
2495
|
}
|
|
2496
|
-
if (!
|
|
2496
|
+
if (!i.authorized) {
|
|
2497
2497
|
const h = this.authenticateHeader(s);
|
|
2498
2498
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2499
2499
|
headers: {
|
|
@@ -2504,17 +2504,17 @@ class ge extends se {
|
|
|
2504
2504
|
});
|
|
2505
2505
|
}
|
|
2506
2506
|
}
|
|
2507
|
-
if (
|
|
2508
|
-
if (s.locals.accessTokenPayload =
|
|
2509
|
-
if (Array.isArray(
|
|
2507
|
+
if (i) {
|
|
2508
|
+
if (s.locals.accessTokenPayload = i.tokenPayload, s.locals.user = i.user, (c = i.tokenPayload) != null && c.scope)
|
|
2509
|
+
if (Array.isArray(i.tokenPayload.scope)) {
|
|
2510
2510
|
let h = [];
|
|
2511
|
-
for (let g of
|
|
2511
|
+
for (let g of i.tokenPayload.scope)
|
|
2512
2512
|
typeof g == "string" && h.push(g);
|
|
2513
2513
|
s.locals.scope = h;
|
|
2514
|
-
} else typeof
|
|
2515
|
-
if (this.protectedEndpoints[
|
|
2516
|
-
for (let h of this.protectedEndpoints[
|
|
2517
|
-
if (!s.locals.scope || !s.locals.scope.includes(h) && this.protectedEndpoints[
|
|
2514
|
+
} else typeof i.tokenPayload.scope == "string" && (s.locals.scope = i.tokenPayload.scope.split(" "));
|
|
2515
|
+
if (this.protectedEndpoints[a].scope) {
|
|
2516
|
+
for (let h of this.protectedEndpoints[a].scope ?? [])
|
|
2517
|
+
if (!s.locals.scope || !s.locals.scope.includes(h) && this.protectedEndpoints[a].acceptSessionAuthorization != !0) {
|
|
2518
2518
|
l.logger.warn(f({
|
|
2519
2519
|
msg: "Access token does not have sufficient scope",
|
|
2520
2520
|
username: (d = s.locals.user) == null ? void 0 : d.username,
|
|
@@ -2530,7 +2530,7 @@ class ge extends se {
|
|
|
2530
2530
|
});
|
|
2531
2531
|
}
|
|
2532
2532
|
}
|
|
2533
|
-
if (s.locals.authType = "oauth", s.locals.authError =
|
|
2533
|
+
if (s.locals.authType = "oauth", s.locals.authError = i == null ? void 0 : i.error, (i == null ? void 0 : i.error) == "access_denied") {
|
|
2534
2534
|
const h = this.authenticateHeader(s);
|
|
2535
2535
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2536
2536
|
headers: {
|
|
@@ -2539,14 +2539,14 @@ class ge extends se {
|
|
|
2539
2539
|
},
|
|
2540
2540
|
status: 401
|
|
2541
2541
|
});
|
|
2542
|
-
} else if (
|
|
2542
|
+
} else if (i != null && i.error)
|
|
2543
2543
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2544
2544
|
headers: {
|
|
2545
2545
|
"content-type": "application/json"
|
|
2546
2546
|
},
|
|
2547
2547
|
status: 500
|
|
2548
2548
|
});
|
|
2549
|
-
s.locals.authErrorDescription =
|
|
2549
|
+
s.locals.authErrorDescription = i == null ? void 0 : i.error_description, l.logger.debug(f({ msg: "Resource server url", url: s.request.url, authorized: s.locals.accessTokenPayload != null }));
|
|
2550
2550
|
}
|
|
2551
2551
|
});
|
|
2552
2552
|
}
|
|
@@ -2672,11 +2672,11 @@ const D = class D {
|
|
|
2672
2672
|
apiKey: s,
|
|
2673
2673
|
oAuthAuthServer: e,
|
|
2674
2674
|
oAuthClient: t,
|
|
2675
|
-
oAuthClients:
|
|
2676
|
-
oAuthResServer:
|
|
2675
|
+
oAuthClients: a,
|
|
2676
|
+
oAuthResServer: i,
|
|
2677
2677
|
options: c
|
|
2678
2678
|
}) {
|
|
2679
|
-
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl",
|
|
2679
|
+
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl", _.String, this, c, "LOGIN_URL", !1), c.isAdminFn && (D.isAdminFn = c.isAdminFn);
|
|
2680
2680
|
let d = {};
|
|
2681
2681
|
if (c.authenticators && (d = c.authenticators), this.userStorage = c.userStorage, r) {
|
|
2682
2682
|
if (!d)
|
|
@@ -2704,15 +2704,15 @@ const D = class D {
|
|
|
2704
2704
|
{ ...h, ...c, ...e.options }
|
|
2705
2705
|
);
|
|
2706
2706
|
}
|
|
2707
|
-
if (t &&
|
|
2707
|
+
if (t && a)
|
|
2708
2708
|
throw new n(u.Configuration, "Cannot specify both oAuthClient and oAuthClients");
|
|
2709
2709
|
if (t && (this.oAuthClient = new G(
|
|
2710
2710
|
this,
|
|
2711
2711
|
t.authServerBaseUrl,
|
|
2712
2712
|
{ ...c, ...t.options }
|
|
2713
|
-
)),
|
|
2713
|
+
)), a) {
|
|
2714
2714
|
this.oAuthClients = [];
|
|
2715
|
-
for (let h of
|
|
2715
|
+
for (let h of a)
|
|
2716
2716
|
this.oAuthClients.push(
|
|
2717
2717
|
new G(
|
|
2718
2718
|
this,
|
|
@@ -2721,9 +2721,9 @@ const D = class D {
|
|
|
2721
2721
|
)
|
|
2722
2722
|
);
|
|
2723
2723
|
}
|
|
2724
|
-
|
|
2724
|
+
i && (y("audience", _.String, this, c, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2725
2725
|
[new te(this.audience, c)],
|
|
2726
|
-
{ sessionAdapter: this.sessionAdapter, ...
|
|
2726
|
+
{ sessionAdapter: this.sessionAdapter, ...i.options, ...c }
|
|
2727
2727
|
)), this.hooks = async ({ event: h, resolve: g }) => {
|
|
2728
2728
|
const p = await this.unresolvedHooks(h);
|
|
2729
2729
|
return p instanceof Response ? p : await g(p);
|
|
@@ -2834,12 +2834,12 @@ class we {
|
|
|
2834
2834
|
const g = await this.sessionServer.getSessionData(s, "factor2change");
|
|
2835
2835
|
g != null && g.username || this.isSessionUser(s) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), e = g == null ? void 0 : g.username;
|
|
2836
2836
|
}
|
|
2837
|
-
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }],
|
|
2838
|
-
|
|
2837
|
+
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], a = {}, i = s.url.searchParams.get("required"), c;
|
|
2838
|
+
i && (i = i.toLowerCase(), c = i == "true" || i == "1", c == !0 && (a.required = !0));
|
|
2839
2839
|
let d = s.url.searchParams.get("next");
|
|
2840
|
-
return d && (
|
|
2840
|
+
return d && (a.next = d), {
|
|
2841
2841
|
allowedFactor2: t,
|
|
2842
|
-
...
|
|
2842
|
+
...a,
|
|
2843
2843
|
username: e,
|
|
2844
2844
|
...this.baseEndpoint(s)
|
|
2845
2845
|
};
|
|
@@ -2849,12 +2849,12 @@ class we {
|
|
|
2849
2849
|
default: async (s) => await this.changePassword(s)
|
|
2850
2850
|
},
|
|
2851
2851
|
load: async (s) => {
|
|
2852
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2853
|
-
if (!
|
|
2852
|
+
let e = {}, t = s.url.searchParams.get("required"), a, i = s.locals.user != null;
|
|
2853
|
+
if (!i) {
|
|
2854
2854
|
const d = await this.sessionServer.getSessionData(s, "passwordchange");
|
|
2855
|
-
d != null && d.username && (
|
|
2855
|
+
d != null && d.username && (i = !0);
|
|
2856
2856
|
}
|
|
2857
|
-
|
|
2857
|
+
i || this.sessionServer.redirect(302, this.loginUrl), t && (t = t.toLowerCase(), a = t == "true" || t == "1", a == !0 && (e.required = !0));
|
|
2858
2858
|
let c = s.url.searchParams.get("next");
|
|
2859
2859
|
return c && (e.next = c), {
|
|
2860
2860
|
...e,
|
|
@@ -2880,8 +2880,8 @@ class we {
|
|
|
2880
2880
|
default: async (s) => await this.requestPasswordReset(s)
|
|
2881
2881
|
},
|
|
2882
2882
|
load: async (s) => {
|
|
2883
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2884
|
-
return t && (t = t.toLowerCase(),
|
|
2883
|
+
let e = {}, t = s.url.searchParams.get("required"), a;
|
|
2884
|
+
return t && (t = t.toLowerCase(), a = t == "true" || t == "1", a == !0 && (e.required = !0)), {
|
|
2885
2885
|
...e,
|
|
2886
2886
|
...this.baseEndpoint(s)
|
|
2887
2887
|
};
|
|
@@ -2901,14 +2901,14 @@ class we {
|
|
|
2901
2901
|
try {
|
|
2902
2902
|
return e = await this.resetPassword(s), e;
|
|
2903
2903
|
} catch (t) {
|
|
2904
|
-
const
|
|
2904
|
+
const a = n.asCrossauthError(t);
|
|
2905
2905
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2906
|
-
return l.logger.debug(f({ err:
|
|
2906
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
2907
2907
|
ok: !1,
|
|
2908
2908
|
tokenValidated: !1,
|
|
2909
2909
|
error: e == null ? void 0 : e.error,
|
|
2910
|
-
errorCode:
|
|
2911
|
-
errorCodeName:
|
|
2910
|
+
errorCode: a.code,
|
|
2911
|
+
errorCodeName: a.codeName,
|
|
2912
2912
|
...this.baseEndpoint(s)
|
|
2913
2913
|
};
|
|
2914
2914
|
}
|
|
@@ -2956,7 +2956,7 @@ class we {
|
|
|
2956
2956
|
...e
|
|
2957
2957
|
};
|
|
2958
2958
|
}
|
|
2959
|
-
}, this.sessionServer = r, y("changePasswordUrl",
|
|
2959
|
+
}, this.sessionServer = r, y("changePasswordUrl", _.String, this, o, "CHANGE_PASSWORD_URL"), y("requestPasswordResetUrl", _.String, this, o, "REQUEST_PASSWORD_RESET_URL"), y("changeFactor2Url", _.String, this, o, "CHANGE_FACTOR2_URL"), y("loginRedirectUrl", _.JsonArray, this, o, "LOGIN_REDIRECT_URL"), y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.addToSession && (this.addToSession = o.addToSession);
|
|
2960
2960
|
}
|
|
2961
2961
|
/** Returns whether there is a user logged in with a cookie-based session
|
|
2962
2962
|
*/
|
|
@@ -3009,12 +3009,13 @@ class we {
|
|
|
3009
3009
|
var s = new b();
|
|
3010
3010
|
await s.loadData(r), o = s.toObject();
|
|
3011
3011
|
const e = s.get("username") ?? "", t = s.getAsBoolean("persist") ?? !1;
|
|
3012
|
-
|
|
3013
|
-
|
|
3014
|
-
|
|
3012
|
+
o.next.includes("/__data.json") && (o.next = o.next.substring(0, o.next.indexOf("/__data.json")));
|
|
3013
|
+
let a = o.next ?? this.loginRedirectUrl;
|
|
3014
|
+
if (e == "") throw new n(u.InvalidUsername, "Username field may not be empty");
|
|
3015
|
+
let i = this.addToSession ? this.addToSession(r, o) : {};
|
|
3015
3016
|
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
3016
3017
|
const c = this.sessionServer.getSessionCookieValue(r);
|
|
3017
|
-
let { sessionCookie: d, csrfCookie: h, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(),
|
|
3018
|
+
let { sessionCookie: d, csrfCookie: h, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(), i, t);
|
|
3018
3019
|
if (l.logger.debug(f({
|
|
3019
3020
|
msg: "Login: set session cookie " + d.name + " opts " + JSON.stringify(d.options),
|
|
3020
3021
|
user: e
|
|
@@ -3039,19 +3040,19 @@ class we {
|
|
|
3039
3040
|
})), l.logger.debug(f({ err: p }));
|
|
3040
3041
|
}
|
|
3041
3042
|
if (g.state == N.passwordChangeNeeded)
|
|
3042
|
-
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3043
|
+
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + a));
|
|
3043
3044
|
else {
|
|
3044
3045
|
if (g.state == N.passwordResetNeeded)
|
|
3045
3046
|
throw new n(u.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3046
3047
|
if (g.state == N.passwordAndFactor2ResetNeeded)
|
|
3047
3048
|
throw new n(u.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3048
|
-
this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" +
|
|
3049
|
+
this.sessionServer.allowedFactor2.length > 0 && g.state == N.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none") ? this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + a)) : (!g.factor2 || g.factor2 == "") && (r.locals.user = g);
|
|
3049
3050
|
}
|
|
3050
3051
|
return {
|
|
3051
3052
|
user: g,
|
|
3052
3053
|
formData: o,
|
|
3053
3054
|
factor2Required: g.factor2 && g.factor2 != "",
|
|
3054
|
-
next:
|
|
3055
|
+
next: a,
|
|
3055
3056
|
ok: !0
|
|
3056
3057
|
};
|
|
3057
3058
|
} catch (e) {
|
|
@@ -3072,22 +3073,22 @@ class we {
|
|
|
3072
3073
|
async loginWithUser(r, o, s) {
|
|
3073
3074
|
const e = s.locals.sessionId, t = new b();
|
|
3074
3075
|
await t.loadData(s);
|
|
3075
|
-
let
|
|
3076
|
+
let a = this.addToSession ? this.addToSession(s, t.toObject()) : {}, { sessionCookie: i, csrfCookie: c, csrfFormOrHeaderValue: d } = await this.sessionServer.sessionManager.login("", {}, a, void 0, r, o);
|
|
3076
3077
|
if (l.logger.debug(f({
|
|
3077
|
-
msg: "Login: set session cookie " +
|
|
3078
|
+
msg: "Login: set session cookie " + i.name + " opts " + JSON.stringify(i.options),
|
|
3078
3079
|
user: r.username
|
|
3079
3080
|
})), s.cookies.set(
|
|
3080
|
-
|
|
3081
|
-
|
|
3082
|
-
R(
|
|
3081
|
+
i.name,
|
|
3082
|
+
i.value,
|
|
3083
|
+
R(i.options)
|
|
3083
3084
|
), l.logger.debug(f({
|
|
3084
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3085
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(i.options),
|
|
3085
3086
|
user: r.username
|
|
3086
3087
|
})), this.sessionServer.enableCsrfProtection && s.cookies.set(
|
|
3087
3088
|
c.name,
|
|
3088
3089
|
c.value,
|
|
3089
3090
|
R(c.options)
|
|
3090
|
-
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(
|
|
3091
|
+
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(i.value), e)
|
|
3091
3092
|
try {
|
|
3092
3093
|
await this.sessionServer.sessionManager.deleteSession(e);
|
|
3093
3094
|
} catch (h) {
|
|
@@ -3204,17 +3205,17 @@ class we {
|
|
|
3204
3205
|
u.Forbidden,
|
|
3205
3206
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3206
3207
|
);
|
|
3207
|
-
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
|
|
3208
|
-
let
|
|
3209
|
-
const
|
|
3208
|
+
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields, this.sessionServer.userAllowedFactor1);
|
|
3209
|
+
let a = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
3210
|
+
const i = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
3210
3211
|
let c = {};
|
|
3211
3212
|
for (let p in o)
|
|
3212
3213
|
if (p.startsWith("repeat_")) {
|
|
3213
3214
|
const w = p.replace(/^repeat_/, "");
|
|
3214
|
-
|
|
3215
|
+
i.includes(w) && (c[w] = o[p]);
|
|
3215
3216
|
}
|
|
3216
3217
|
Object.keys(c).length === 0 && (c = void 0), t.state = "active", o.factor2 && o.factor2 != "none" ? t.state = "awaitingtwofactor" : this.sessionServer.enableEmailVerification && (t.state = "awaitingemailverification");
|
|
3217
|
-
let h = [...this.sessionServer.validateUserFn(t), ...
|
|
3218
|
+
let h = [...this.sessionServer.validateUserFn(t), ...a];
|
|
3218
3219
|
if (h.length > 0)
|
|
3219
3220
|
throw new n(u.FormEntry, h);
|
|
3220
3221
|
let g = !1;
|
|
@@ -3348,8 +3349,8 @@ class we {
|
|
|
3348
3349
|
try {
|
|
3349
3350
|
var t = new b();
|
|
3350
3351
|
await t.loadData(r), o = t.toObject();
|
|
3351
|
-
const
|
|
3352
|
-
if (
|
|
3352
|
+
const a = await this.sessionServer.getSessionData(r, "2fa");
|
|
3353
|
+
if (a != null && a.factor2) e = a == null ? void 0 : a.factor2;
|
|
3353
3354
|
else throw new n(u.BadRequest, "Two factor authentication was not started");
|
|
3354
3355
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3355
3356
|
throw new n(u.InvalidCsrf);
|
|
@@ -3357,17 +3358,17 @@ class we {
|
|
|
3357
3358
|
u.Unauthorized,
|
|
3358
3359
|
"No session active while enabling 2FA. Please enable cookies"
|
|
3359
3360
|
);
|
|
3360
|
-
let
|
|
3361
|
+
let i = await this.sessionServer.sessionManager.completeTwoFactorSetup(
|
|
3361
3362
|
o,
|
|
3362
3363
|
r.locals.sessionId
|
|
3363
3364
|
);
|
|
3364
|
-
return this.sessionServer.enableEmailVerification || await this.loginWithUser(
|
|
3365
|
+
return this.sessionServer.enableEmailVerification || await this.loginWithUser(i, !0, r), r.locals.user ? {
|
|
3365
3366
|
ok: !0,
|
|
3366
|
-
user:
|
|
3367
|
+
user: i,
|
|
3367
3368
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
3368
|
-
} : await this.loginWithUser(
|
|
3369
|
-
} catch (
|
|
3370
|
-
const
|
|
3369
|
+
} : await this.loginWithUser(i, !0, r);
|
|
3370
|
+
} catch (a) {
|
|
3371
|
+
const i = n.asCrossauthError(a);
|
|
3371
3372
|
let c;
|
|
3372
3373
|
try {
|
|
3373
3374
|
c = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId ?? "")).userData;
|
|
@@ -3378,11 +3379,11 @@ class we {
|
|
|
3378
3379
|
csrfToken: r.locals.csrfToken,
|
|
3379
3380
|
username: c.username ?? "",
|
|
3380
3381
|
factor2: e
|
|
3381
|
-
}), l.logger.debug(f({ err:
|
|
3382
|
+
}), l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
3382
3383
|
ok: !1,
|
|
3383
|
-
error:
|
|
3384
|
-
errorCode:
|
|
3385
|
-
errorCodeName:
|
|
3384
|
+
error: i.message,
|
|
3385
|
+
errorCode: i.code,
|
|
3386
|
+
errorCodeName: i.codeName,
|
|
3386
3387
|
formData: o,
|
|
3387
3388
|
factor2Data: s,
|
|
3388
3389
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
@@ -3418,22 +3419,22 @@ class we {
|
|
|
3418
3419
|
if (!t) throw new n(u.Unauthorized);
|
|
3419
3420
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3420
3421
|
throw new n(u.InvalidCsrf);
|
|
3421
|
-
let
|
|
3422
|
-
const { sessionCookie:
|
|
3422
|
+
let a = this.addToSession ? this.addToSession(r, o) : {};
|
|
3423
|
+
const { sessionCookie: i, csrfCookie: c, user: d } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
|
|
3423
3424
|
o,
|
|
3424
3425
|
t,
|
|
3425
|
-
|
|
3426
|
+
a,
|
|
3426
3427
|
e
|
|
3427
3428
|
);
|
|
3428
3429
|
return l.logger.debug(f({
|
|
3429
|
-
msg: "Login: set session cookie " +
|
|
3430
|
+
msg: "Login: set session cookie " + i.name + " opts " + JSON.stringify(i.options),
|
|
3430
3431
|
user: d == null ? void 0 : d.username
|
|
3431
3432
|
})), r.cookies.set(
|
|
3432
|
-
|
|
3433
|
-
|
|
3434
|
-
R(
|
|
3433
|
+
i.name,
|
|
3434
|
+
i.value,
|
|
3435
|
+
R(i.options)
|
|
3435
3436
|
), l.logger.debug(f({
|
|
3436
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3437
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(i.options),
|
|
3437
3438
|
user: d == null ? void 0 : d.username
|
|
3438
3439
|
})), r.cookies.set(
|
|
3439
3440
|
c.name,
|
|
@@ -3552,17 +3553,17 @@ class we {
|
|
|
3552
3553
|
);
|
|
3553
3554
|
const e = r.params.token ?? "";
|
|
3554
3555
|
if (e == "") throw new n(u.InvalidUsername, "No token provided");
|
|
3555
|
-
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e),
|
|
3556
|
+
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e), a = this.sessionServer.authenticators[t.factor1], i = a.secretNames();
|
|
3556
3557
|
let c = {}, d = {};
|
|
3557
3558
|
for (let p in o)
|
|
3558
3559
|
if (p.startsWith("new_")) {
|
|
3559
3560
|
const w = p.replace(/^new_/, "");
|
|
3560
|
-
|
|
3561
|
+
i.includes(w) && (c[w] = o[p]);
|
|
3561
3562
|
} else if (p.startsWith("repeat_")) {
|
|
3562
3563
|
const w = p.replace(/^repeat_/, "");
|
|
3563
|
-
|
|
3564
|
+
i.includes(w) && (d[w] = o[p]);
|
|
3564
3565
|
}
|
|
3565
|
-
if (Object.keys(d).length === 0 && (d = void 0),
|
|
3566
|
+
if (Object.keys(d).length === 0 && (d = void 0), a.validateSecrets(c).length > 0)
|
|
3566
3567
|
throw new n(u.PasswordFormat);
|
|
3567
3568
|
const g = await this.sessionServer.sessionManager.resetSecret(e, 1, c, d);
|
|
3568
3569
|
if (g.state == N.active)
|
|
@@ -3677,20 +3678,20 @@ class we {
|
|
|
3677
3678
|
e = r.locals.user;
|
|
3678
3679
|
} else
|
|
3679
3680
|
throw new n(u.InsufficientPriviledges);
|
|
3680
|
-
const
|
|
3681
|
+
const a = this.sessionServer.authenticators[e.factor1], i = a.secretNames();
|
|
3681
3682
|
let c = {}, d = {}, h = {};
|
|
3682
3683
|
for (let w in o)
|
|
3683
3684
|
if (w.startsWith("new_")) {
|
|
3684
3685
|
const S = w.replace(/^new_/, "");
|
|
3685
|
-
|
|
3686
|
+
i.includes(S) && (d[S] = o[w]);
|
|
3686
3687
|
} else if (w.startsWith("old_")) {
|
|
3687
3688
|
const S = w.replace(/^old_/, "");
|
|
3688
|
-
|
|
3689
|
+
i.includes(S) && (c[S] = o[w]);
|
|
3689
3690
|
} else if (w.startsWith("repeat_")) {
|
|
3690
3691
|
const S = w.replace(/^repeat_/, "");
|
|
3691
|
-
|
|
3692
|
+
i.includes(S) && (h[S] = o[w]);
|
|
3692
3693
|
}
|
|
3693
|
-
if (Object.keys(h).length === 0 && (h = void 0),
|
|
3694
|
+
if (Object.keys(h).length === 0 && (h = void 0), a.validateSecrets(d).length > 0)
|
|
3694
3695
|
throw new n(u.PasswordFormat);
|
|
3695
3696
|
const p = e.state;
|
|
3696
3697
|
try {
|
|
@@ -3808,15 +3809,15 @@ class we {
|
|
|
3808
3809
|
let t = this.sessionServer.validateUserFn(e);
|
|
3809
3810
|
if (t.length > 0)
|
|
3810
3811
|
throw new n(u.FormEntry, t);
|
|
3811
|
-
let { emailVerificationTokenSent:
|
|
3812
|
-
if (!
|
|
3813
|
-
const
|
|
3814
|
-
r.locals.user =
|
|
3812
|
+
let { emailVerificationTokenSent: a } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
|
|
3813
|
+
if (!a) {
|
|
3814
|
+
const i = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
|
|
3815
|
+
r.locals.user = i.user;
|
|
3815
3816
|
}
|
|
3816
3817
|
return {
|
|
3817
3818
|
ok: !0,
|
|
3818
3819
|
formData: o,
|
|
3819
|
-
emailVerificationNeeded:
|
|
3820
|
+
emailVerificationNeeded: a
|
|
3820
3821
|
};
|
|
3821
3822
|
} catch (e) {
|
|
3822
3823
|
let t = n.asCrossauthError(e, "Couldn't update account");
|
|
@@ -3864,32 +3865,32 @@ class we {
|
|
|
3864
3865
|
const d = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3865
3866
|
d != null && d.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = d == null ? void 0 : d.username;
|
|
3866
3867
|
}
|
|
3867
|
-
let
|
|
3868
|
-
if (!
|
|
3868
|
+
let a = r.locals.user;
|
|
3869
|
+
if (!a && t && (a = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3869
3870
|
t,
|
|
3870
3871
|
{
|
|
3871
3872
|
skipActiveCheck: !0,
|
|
3872
3873
|
skipEmailVerifiedCheck: !0
|
|
3873
3874
|
}
|
|
3874
|
-
)).user), !
|
|
3875
|
+
)).user), !a)
|
|
3875
3876
|
throw new n(u.InsufficientPriviledges);
|
|
3876
3877
|
if (!r.locals.sessionId)
|
|
3877
3878
|
throw new n(u.Unauthorized);
|
|
3878
|
-
let
|
|
3879
|
+
let i = o.factor2;
|
|
3879
3880
|
if (o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2))
|
|
3880
3881
|
throw new n(
|
|
3881
3882
|
u.Forbidden,
|
|
3882
3883
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3883
3884
|
);
|
|
3884
|
-
if ((o.factor2 == "none" || o.factor2 == "") && (
|
|
3885
|
-
return await this.loginWithUser(
|
|
3886
|
-
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3887
|
-
return
|
|
3885
|
+
if ((o.factor2 == "none" || o.factor2 == "") && (i = void 0, !r.locals.user))
|
|
3886
|
+
return await this.loginWithUser(a, !0, r);
|
|
3887
|
+
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(a, i, r.locals.sessionId);
|
|
3888
|
+
return i ? {
|
|
3888
3889
|
ok: !0,
|
|
3889
3890
|
formData: o,
|
|
3890
3891
|
factor2Data: {
|
|
3891
|
-
username:
|
|
3892
|
-
factor2:
|
|
3892
|
+
username: a.username,
|
|
3893
|
+
factor2: i ?? "",
|
|
3893
3894
|
userData: c,
|
|
3894
3895
|
csrfToken: r.locals.csrfToken
|
|
3895
3896
|
}
|
|
@@ -3898,11 +3899,11 @@ class we {
|
|
|
3898
3899
|
formData: o
|
|
3899
3900
|
};
|
|
3900
3901
|
} catch (t) {
|
|
3901
|
-
let
|
|
3902
|
-
return l.logger.debug(f({ err:
|
|
3903
|
-
error:
|
|
3904
|
-
errorCode:
|
|
3905
|
-
errorCodeName:
|
|
3902
|
+
let a = n.asCrossauthError(t, "Couldn't update account");
|
|
3903
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
3904
|
+
error: a.message,
|
|
3905
|
+
errorCode: a.code,
|
|
3906
|
+
errorCodeName: a.codeName,
|
|
3906
3907
|
ok: !1,
|
|
3907
3908
|
formData: o
|
|
3908
3909
|
};
|
|
@@ -3940,47 +3941,47 @@ class we {
|
|
|
3940
3941
|
const h = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3941
3942
|
h != null && h.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = h == null ? void 0 : h.username;
|
|
3942
3943
|
}
|
|
3943
|
-
let
|
|
3944
|
-
if (!
|
|
3944
|
+
let a = r.locals.user;
|
|
3945
|
+
if (!a && t && (a = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3945
3946
|
t,
|
|
3946
3947
|
{
|
|
3947
3948
|
skipActiveCheck: !0,
|
|
3948
3949
|
skipEmailVerifiedCheck: !0
|
|
3949
3950
|
}
|
|
3950
|
-
)).user), !
|
|
3951
|
+
)).user), !a)
|
|
3951
3952
|
throw new n(u.InsufficientPriviledges);
|
|
3952
3953
|
if (!r.locals.sessionId)
|
|
3953
3954
|
throw new n(u.Unauthorized);
|
|
3954
3955
|
if (!r.locals.sessionId)
|
|
3955
3956
|
throw new n(u.Unauthorized);
|
|
3956
|
-
let
|
|
3957
|
-
const c = this.sessionServer.authenticators[
|
|
3957
|
+
let i = a.factor2;
|
|
3958
|
+
const c = this.sessionServer.authenticators[i];
|
|
3958
3959
|
if (!c || c.secretNames().length == 0)
|
|
3959
3960
|
throw new n(
|
|
3960
3961
|
u.BadRequest,
|
|
3961
3962
|
"Selected second factor does not have configuration"
|
|
3962
3963
|
);
|
|
3963
3964
|
const d = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3964
|
-
i,
|
|
3965
3965
|
a,
|
|
3966
|
+
i,
|
|
3966
3967
|
r.locals.sessionId
|
|
3967
3968
|
);
|
|
3968
3969
|
return {
|
|
3969
3970
|
ok: !0,
|
|
3970
3971
|
formData: o,
|
|
3971
3972
|
factor2Data: {
|
|
3972
|
-
username:
|
|
3973
|
-
factor2:
|
|
3973
|
+
username: a.username,
|
|
3974
|
+
factor2: a.factor2 ?? "",
|
|
3974
3975
|
userData: d,
|
|
3975
3976
|
csrfToken: r.locals.csrfToken
|
|
3976
3977
|
}
|
|
3977
3978
|
};
|
|
3978
3979
|
} catch (t) {
|
|
3979
|
-
let
|
|
3980
|
-
return l.logger.debug(f({ err:
|
|
3981
|
-
error:
|
|
3982
|
-
errorCode:
|
|
3983
|
-
errorCodeName:
|
|
3980
|
+
let a = n.asCrossauthError(t, "Couldn't update account");
|
|
3981
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
3982
|
+
error: a.message,
|
|
3983
|
+
errorCode: a.code,
|
|
3984
|
+
errorCodeName: a.codeName,
|
|
3984
3985
|
ok: !1,
|
|
3985
3986
|
formData: o
|
|
3986
3987
|
};
|
|
@@ -4002,16 +4003,16 @@ async function me(k, r, o = 0, s = 10) {
|
|
|
4002
4003
|
const { user: t } = await r.getUserByUsername(k);
|
|
4003
4004
|
e.push(t);
|
|
4004
4005
|
} catch (t) {
|
|
4005
|
-
const
|
|
4006
|
-
if (
|
|
4007
|
-
throw l.logger.debug(f({ err:
|
|
4006
|
+
const a = n.asCrossauthError(t);
|
|
4007
|
+
if (a.code != u.UserNotExist)
|
|
4008
|
+
throw l.logger.debug(f({ err: a })), a;
|
|
4008
4009
|
try {
|
|
4009
|
-
const { user:
|
|
4010
|
-
e.push(
|
|
4011
|
-
} catch (
|
|
4012
|
-
const c = n.asCrossauthError(
|
|
4010
|
+
const { user: i } = await r.getUserByEmail(k);
|
|
4011
|
+
e.push(i);
|
|
4012
|
+
} catch (i) {
|
|
4013
|
+
const c = n.asCrossauthError(i);
|
|
4013
4014
|
if (c.code != u.UserNotExist)
|
|
4014
|
-
throw l.logger.debug(f({ err: c })),
|
|
4015
|
+
throw l.logger.debug(f({ err: c })), a;
|
|
4015
4016
|
}
|
|
4016
4017
|
}
|
|
4017
4018
|
return e;
|
|
@@ -4030,12 +4031,12 @@ class ke {
|
|
|
4030
4031
|
}, this.updateUserEndpoint = {
|
|
4031
4032
|
actions: {
|
|
4032
4033
|
default: async (s) => {
|
|
4033
|
-
var
|
|
4034
|
+
var a, i, c;
|
|
4034
4035
|
const e = await this.getUserFromParam(s);
|
|
4035
4036
|
return e.exception || !e.user ? {
|
|
4036
4037
|
ok: !1,
|
|
4037
|
-
error: ((
|
|
4038
|
-
errorCode: (
|
|
4038
|
+
error: ((a = e.exception) == null ? void 0 : a.message) ?? "Couldn't get user",
|
|
4039
|
+
errorCode: (i = e.exception) == null ? void 0 : i.code,
|
|
4039
4040
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4040
4041
|
} : await this.updateUser(e.user, s);
|
|
4041
4042
|
}
|
|
@@ -4057,12 +4058,12 @@ class ke {
|
|
|
4057
4058
|
}, this.changePasswordEndpoint = {
|
|
4058
4059
|
actions: {
|
|
4059
4060
|
default: async (s) => {
|
|
4060
|
-
var
|
|
4061
|
+
var a, i, c;
|
|
4061
4062
|
const e = await this.getUserFromParam(s);
|
|
4062
4063
|
return e.exception || !e.user ? {
|
|
4063
4064
|
ok: !1,
|
|
4064
|
-
error: ((
|
|
4065
|
-
errorCode: (
|
|
4065
|
+
error: ((a = e.exception) == null ? void 0 : a.message) ?? "Couldn't get user",
|
|
4066
|
+
errorCode: (i = e.exception) == null ? void 0 : i.code,
|
|
4066
4067
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4067
4068
|
} : await this.changePassword(e.user, s);
|
|
4068
4069
|
}
|
|
@@ -4075,8 +4076,8 @@ class ke {
|
|
|
4075
4076
|
editUser: e.user,
|
|
4076
4077
|
...this.baseEndpoint(s)
|
|
4077
4078
|
};
|
|
4078
|
-
let t = {},
|
|
4079
|
-
return
|
|
4079
|
+
let t = {}, a = s.url.searchParams.get("next");
|
|
4080
|
+
return a && (t.next = a), {
|
|
4080
4081
|
...t,
|
|
4081
4082
|
editUser: e.user,
|
|
4082
4083
|
...this.baseEndpoint(s)
|
|
@@ -4098,15 +4099,15 @@ class ke {
|
|
|
4098
4099
|
default: async (s) => await this.deleteUser(s)
|
|
4099
4100
|
},
|
|
4100
4101
|
load: async (s) => {
|
|
4101
|
-
var t,
|
|
4102
|
+
var t, a, i;
|
|
4102
4103
|
const e = await this.getUserFromParam(s);
|
|
4103
4104
|
return e.exception || !e.user ? {
|
|
4104
4105
|
error: "User doesn't exist",
|
|
4105
4106
|
errorCode: (t = e.exception) == null ? void 0 : t.code,
|
|
4106
|
-
errorCodeName: (
|
|
4107
|
+
errorCodeName: (a = e.exception) == null ? void 0 : a.codeName,
|
|
4107
4108
|
...this.baseEndpoint(s)
|
|
4108
4109
|
} : {
|
|
4109
|
-
username: (
|
|
4110
|
+
username: (i = e.user) == null ? void 0 : i.username,
|
|
4110
4111
|
...this.baseEndpoint(s)
|
|
4111
4112
|
};
|
|
4112
4113
|
}
|
|
@@ -4157,7 +4158,7 @@ class ke {
|
|
|
4157
4158
|
try {
|
|
4158
4159
|
if (!this.sessionServer.userStorage) throw new n(u.Configuration, "Must provide user storage to use this function");
|
|
4159
4160
|
(!r.locals.user || !m.isAdminFn(r.locals.user)) && this.sessionServer.error(401);
|
|
4160
|
-
let t = [],
|
|
4161
|
+
let t = [], a = [], i = [];
|
|
4161
4162
|
if (!s)
|
|
4162
4163
|
try {
|
|
4163
4164
|
const d = r.url.searchParams.get("skip");
|
|
@@ -4179,7 +4180,7 @@ class ke {
|
|
|
4179
4180
|
this.sessionServer.userStorage,
|
|
4180
4181
|
s,
|
|
4181
4182
|
e
|
|
4182
|
-
), s > 0 && (
|
|
4183
|
+
), s > 0 && (a = await this.userSearchFn(
|
|
4183
4184
|
o,
|
|
4184
4185
|
this.sessionServer.userStorage,
|
|
4185
4186
|
s - 1,
|
|
@@ -4187,7 +4188,7 @@ class ke {
|
|
|
4187
4188
|
))) : (t = await this.sessionServer.userStorage.getUsers(
|
|
4188
4189
|
s,
|
|
4189
4190
|
e
|
|
4190
|
-
), t.length == e && (
|
|
4191
|
+
), t.length == e && (i = await this.sessionServer.userStorage.getUsers(
|
|
4191
4192
|
s + e,
|
|
4192
4193
|
1
|
|
4193
4194
|
))), {
|
|
@@ -4195,17 +4196,17 @@ class ke {
|
|
|
4195
4196
|
users: t,
|
|
4196
4197
|
skip: s,
|
|
4197
4198
|
take: e,
|
|
4198
|
-
hasPrevious:
|
|
4199
|
-
hasNext:
|
|
4199
|
+
hasPrevious: a.length > 0,
|
|
4200
|
+
hasNext: i.length > 0,
|
|
4200
4201
|
search: o
|
|
4201
4202
|
};
|
|
4202
4203
|
} catch (t) {
|
|
4203
|
-
const
|
|
4204
|
-
return l.logger.debug(f({ err:
|
|
4204
|
+
const a = n.asCrossauthError(t);
|
|
4205
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4205
4206
|
ok: !1,
|
|
4206
|
-
error:
|
|
4207
|
-
errorCode:
|
|
4208
|
-
errorCodeName:
|
|
4207
|
+
error: a.message,
|
|
4208
|
+
errorCode: a.code,
|
|
4209
|
+
errorCodeName: a.codeName,
|
|
4209
4210
|
hasPrevious: !1,
|
|
4210
4211
|
hasNext: !1,
|
|
4211
4212
|
skip: s ?? 0,
|
|
@@ -4251,7 +4252,7 @@ class ke {
|
|
|
4251
4252
|
if (!this.sessionServer.userStorage) throw new n(u.Configuration, "Must provide user storage to use this function");
|
|
4252
4253
|
var e = new b();
|
|
4253
4254
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new n(u.InvalidCsrf);
|
|
4254
|
-
const t = r.factor2,
|
|
4255
|
+
const t = r.factor2, a = r.state;
|
|
4255
4256
|
r.state = s.state ?? "active", r = this.sessionServer.updateUserFn(
|
|
4256
4257
|
r,
|
|
4257
4258
|
o,
|
|
@@ -4261,10 +4262,10 @@ class ke {
|
|
|
4261
4262
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4262
4263
|
}
|
|
4263
4264
|
);
|
|
4264
|
-
const
|
|
4265
|
-
if (
|
|
4265
|
+
const i = r.factor2 && r.factor2 != "none" && r.factor2 != t;
|
|
4266
|
+
if (i && !(r.state == a || r.state == "factor2ResetNeeded"))
|
|
4266
4267
|
throw new n(u.BadRequest, "Cannot change both factor2 and state at the same time");
|
|
4267
|
-
|
|
4268
|
+
i && (r.state = N.factor2ResetNeeded, l.logger.warn(f({
|
|
4268
4269
|
msg: `Setting state for user to ${N.factor2ResetNeeded}`,
|
|
4269
4270
|
username: r.username
|
|
4270
4271
|
})));
|
|
@@ -4280,11 +4281,11 @@ class ke {
|
|
|
4280
4281
|
};
|
|
4281
4282
|
} catch (t) {
|
|
4282
4283
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4283
|
-
let
|
|
4284
|
-
return l.logger.debug(f({ err:
|
|
4285
|
-
error:
|
|
4286
|
-
errorCode:
|
|
4287
|
-
errorCodeName:
|
|
4284
|
+
let a = n.asCrossauthError(t, "Couldn't log in");
|
|
4285
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4286
|
+
error: a.message,
|
|
4287
|
+
errorCode: a.code,
|
|
4288
|
+
errorCodeName: a.codeName,
|
|
4288
4289
|
ok: !1,
|
|
4289
4290
|
formData: s
|
|
4290
4291
|
};
|
|
@@ -4316,20 +4317,20 @@ class ke {
|
|
|
4316
4317
|
var e = new b();
|
|
4317
4318
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken)
|
|
4318
4319
|
throw new n(u.InvalidCsrf);
|
|
4319
|
-
const t = this.sessionServer.authenticators[r.factor1],
|
|
4320
|
-
let
|
|
4320
|
+
const t = this.sessionServer.authenticators[r.factor1], a = t.secretNames();
|
|
4321
|
+
let i = {}, c = {}, d = {};
|
|
4321
4322
|
for (let g in s)
|
|
4322
4323
|
if (g.startsWith("new_")) {
|
|
4323
4324
|
const p = g.replace(/^new_/, "");
|
|
4324
|
-
|
|
4325
|
+
a.includes(p) && (c[p] = s[g]);
|
|
4325
4326
|
} else if (g.startsWith("old_")) {
|
|
4326
4327
|
const p = g.replace(/^old_/, "");
|
|
4327
|
-
|
|
4328
|
+
a.includes(p) && (i[p] = s[g]);
|
|
4328
4329
|
} else if (g.startsWith("repeat_")) {
|
|
4329
4330
|
const p = g.replace(/^repeat_/, "");
|
|
4330
|
-
|
|
4331
|
+
a.includes(p) && (d[p] = s[g]);
|
|
4331
4332
|
}
|
|
4332
|
-
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(
|
|
4333
|
+
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(i).length === 0 && (i = void 0), t.validateSecrets(c).length > 0)
|
|
4333
4334
|
throw new n(u.PasswordFormat);
|
|
4334
4335
|
try {
|
|
4335
4336
|
await this.sessionServer.sessionManager.changeSecrets(
|
|
@@ -4337,7 +4338,7 @@ class ke {
|
|
|
4337
4338
|
1,
|
|
4338
4339
|
c,
|
|
4339
4340
|
d,
|
|
4340
|
-
|
|
4341
|
+
i
|
|
4341
4342
|
);
|
|
4342
4343
|
} catch (g) {
|
|
4343
4344
|
const p = n.asCrossauthError(g);
|
|
@@ -4349,11 +4350,11 @@ class ke {
|
|
|
4349
4350
|
};
|
|
4350
4351
|
} catch (t) {
|
|
4351
4352
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4352
|
-
let
|
|
4353
|
-
return l.logger.debug(f({ err:
|
|
4354
|
-
error:
|
|
4355
|
-
errorCode:
|
|
4356
|
-
errorCodeName:
|
|
4353
|
+
let a = n.asCrossauthError(t, "Couldn't change password");
|
|
4354
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4355
|
+
error: a.message,
|
|
4356
|
+
errorCode: a.code,
|
|
4357
|
+
errorCodeName: a.codeName,
|
|
4357
4358
|
ok: !1,
|
|
4358
4359
|
formData: s
|
|
4359
4360
|
};
|
|
@@ -4426,23 +4427,24 @@ class ke {
|
|
|
4426
4427
|
{
|
|
4427
4428
|
...this.sessionServer.userStorage.userEditableFields,
|
|
4428
4429
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4429
|
-
}
|
|
4430
|
+
},
|
|
4431
|
+
this.sessionServer.adminAllowedFactor1
|
|
4430
4432
|
);
|
|
4431
|
-
const
|
|
4432
|
-
let
|
|
4433
|
-
for (let w of
|
|
4434
|
-
!o[w] && !o["repeat_" + w] && (
|
|
4433
|
+
const a = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
4434
|
+
let i = !0;
|
|
4435
|
+
for (let w of a)
|
|
4436
|
+
!o[w] && !o["repeat_" + w] && (i = !1);
|
|
4435
4437
|
let c = [], d = {};
|
|
4436
|
-
if (
|
|
4438
|
+
if (i) {
|
|
4437
4439
|
c = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
4438
4440
|
for (let w in o)
|
|
4439
4441
|
if (w.startsWith("repeat_")) {
|
|
4440
4442
|
const S = w.replace(/^repeat_/, "");
|
|
4441
|
-
|
|
4443
|
+
a.includes(S) && (d[S] = o[w]);
|
|
4442
4444
|
}
|
|
4443
4445
|
Object.keys(d).length === 0 && (d = void 0);
|
|
4444
4446
|
}
|
|
4445
|
-
|
|
4447
|
+
i ? o.factor2 != null && (t.state = N.factor2ResetNeeded) : o.factor2 == null ? t.state = N.passwordResetNeeded : t.state = N.passwordAndFactor2ResetNeeded;
|
|
4446
4448
|
let g = [...this.sessionServer.validateUserFn(t), ...c];
|
|
4447
4449
|
if (g.length > 0)
|
|
4448
4450
|
throw new n(u.FormEntry, g);
|
|
@@ -4451,9 +4453,9 @@ class ke {
|
|
|
4451
4453
|
o,
|
|
4452
4454
|
d,
|
|
4453
4455
|
!0,
|
|
4454
|
-
!
|
|
4456
|
+
!i
|
|
4455
4457
|
);
|
|
4456
|
-
if (!
|
|
4458
|
+
if (!i) {
|
|
4457
4459
|
let w = o.username;
|
|
4458
4460
|
if ("user_email" in o && (w = o.user_email), oe.validateEmail(w), !w) throw new n(u.FormEntry, "No password given but no email address found either");
|
|
4459
4461
|
await this.sessionServer.sessionManager.requestPasswordReset(w);
|
|
@@ -4527,18 +4529,18 @@ async function Se(k, r, o, s, e) {
|
|
|
4527
4529
|
let t = [];
|
|
4528
4530
|
if (o > 0) return [];
|
|
4529
4531
|
try {
|
|
4530
|
-
const
|
|
4531
|
-
t.push(
|
|
4532
|
-
} catch (
|
|
4533
|
-
const
|
|
4534
|
-
if (
|
|
4535
|
-
throw l.logger.debug(f({ err:
|
|
4532
|
+
const a = await r.getClientById(k);
|
|
4533
|
+
t.push(a);
|
|
4534
|
+
} catch (a) {
|
|
4535
|
+
const i = n.asCrossauthError(a);
|
|
4536
|
+
if (i.code != u.UserNotExist)
|
|
4537
|
+
throw l.logger.debug(f({ err: i })), i;
|
|
4536
4538
|
try {
|
|
4537
4539
|
t = await r.getClientByName(k, e);
|
|
4538
4540
|
} catch (c) {
|
|
4539
4541
|
const d = n.asCrossauthError(c);
|
|
4540
4542
|
if (d.code != u.UserNotExist)
|
|
4541
|
-
throw l.logger.debug(f({ err: d })),
|
|
4543
|
+
throw l.logger.debug(f({ err: d })), i;
|
|
4542
4544
|
}
|
|
4543
4545
|
}
|
|
4544
4546
|
return t;
|
|
@@ -4551,7 +4553,7 @@ class X {
|
|
|
4551
4553
|
* @param options See {@link SvelteKitSessionServerOptions}
|
|
4552
4554
|
*/
|
|
4553
4555
|
constructor(r, o) {
|
|
4554
|
-
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl",
|
|
4556
|
+
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", _.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), this.valid_flowNames = E.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new B(o)), this.clientStorage = o.clientStorage;
|
|
4555
4557
|
}
|
|
4556
4558
|
///////////////////////////////////////////////////////////////////
|
|
4557
4559
|
// Functions callable from apps
|
|
@@ -4597,7 +4599,7 @@ class X {
|
|
|
4597
4599
|
if (!this.sessionServer.clientStorage) throw new n(u.Configuration, "Must provide client storage to use this function");
|
|
4598
4600
|
if (!r.locals.user)
|
|
4599
4601
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
4600
|
-
let
|
|
4602
|
+
let a = [], i = [], c = [];
|
|
4601
4603
|
if (!s)
|
|
4602
4604
|
try {
|
|
4603
4605
|
const h = r.url.searchParams.get("skip");
|
|
@@ -4614,44 +4616,44 @@ class X {
|
|
|
4614
4616
|
}
|
|
4615
4617
|
e || (e = 10);
|
|
4616
4618
|
const d = r.url.searchParams.get("search");
|
|
4617
|
-
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (
|
|
4619
|
+
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (a = await this.clientSearchFn(
|
|
4618
4620
|
o,
|
|
4619
4621
|
this.sessionServer.clientStorage,
|
|
4620
4622
|
s,
|
|
4621
4623
|
e
|
|
4622
|
-
), s > 0 && (
|
|
4624
|
+
), s > 0 && (i = await this.clientSearchFn(
|
|
4623
4625
|
o,
|
|
4624
4626
|
this.sessionServer.clientStorage,
|
|
4625
4627
|
s - 1,
|
|
4626
4628
|
1,
|
|
4627
4629
|
t
|
|
4628
|
-
))) : (
|
|
4630
|
+
))) : (a = await this.sessionServer.clientStorage.getClients(
|
|
4629
4631
|
s,
|
|
4630
4632
|
e,
|
|
4631
4633
|
t
|
|
4632
|
-
),
|
|
4634
|
+
), a.length == e && (c = await this.sessionServer.clientStorage.getClients(
|
|
4633
4635
|
s + e,
|
|
4634
4636
|
1,
|
|
4635
4637
|
t
|
|
4636
4638
|
))), {
|
|
4637
4639
|
ok: !0,
|
|
4638
|
-
clients:
|
|
4640
|
+
clients: a,
|
|
4639
4641
|
skip: s,
|
|
4640
4642
|
take: e,
|
|
4641
|
-
hasPrevious:
|
|
4643
|
+
hasPrevious: i.length > 0,
|
|
4642
4644
|
hasNext: c.length > 0,
|
|
4643
4645
|
search: o,
|
|
4644
4646
|
clientUserId: t
|
|
4645
4647
|
};
|
|
4646
|
-
} catch (
|
|
4647
|
-
if (m.isSvelteKitRedirect(
|
|
4648
|
-
throw
|
|
4649
|
-
const
|
|
4650
|
-
return l.logger.debug(f({ err:
|
|
4648
|
+
} catch (a) {
|
|
4649
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitRedirect(a))
|
|
4650
|
+
throw a;
|
|
4651
|
+
const i = n.asCrossauthError(a);
|
|
4652
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4651
4653
|
ok: !1,
|
|
4652
|
-
error:
|
|
4653
|
-
errorCode:
|
|
4654
|
-
errorCodeName:
|
|
4654
|
+
error: i.message,
|
|
4655
|
+
errorCode: i.code,
|
|
4656
|
+
errorCodeName: i.codeName,
|
|
4655
4657
|
hasPrevious: !1,
|
|
4656
4658
|
hasNext: !1,
|
|
4657
4659
|
skip: s ?? 0,
|
|
@@ -4674,21 +4676,21 @@ class X {
|
|
|
4674
4676
|
try {
|
|
4675
4677
|
if (!o) throw new n(u.BadRequest, "No client ID specified");
|
|
4676
4678
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4677
|
-
const
|
|
4679
|
+
const a = await this.clientStorage.getClientById(o), i = a.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(a.userid)), c = (t = i == null ? void 0 : i.user) == null ? void 0 : t.username;
|
|
4678
4680
|
return {
|
|
4679
4681
|
ok: !0,
|
|
4680
|
-
client:
|
|
4682
|
+
client: a,
|
|
4681
4683
|
validFlows: this.validFlows,
|
|
4682
4684
|
valid_flowNames: this.valid_flowNames,
|
|
4683
4685
|
client_id: o,
|
|
4684
4686
|
clientUsername: c
|
|
4685
4687
|
};
|
|
4686
|
-
} catch (
|
|
4687
|
-
let
|
|
4688
|
-
return l.logger.debug(f({ err:
|
|
4689
|
-
error:
|
|
4690
|
-
errorCode:
|
|
4691
|
-
errorCodeName:
|
|
4688
|
+
} catch (a) {
|
|
4689
|
+
let i = n.asCrossauthError(a, "Couldn't load client");
|
|
4690
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4691
|
+
error: i.message,
|
|
4692
|
+
errorCode: i.code,
|
|
4693
|
+
errorCodeName: i.codeName,
|
|
4692
4694
|
ok: !1,
|
|
4693
4695
|
validFlows: this.validFlows,
|
|
4694
4696
|
valid_flowNames: this.valid_flowNames,
|
|
@@ -4709,11 +4711,11 @@ class X {
|
|
|
4709
4711
|
* @returns {@link UpdateClientFormData}. If a new secret was created, it will be placed as plaintext in the client that is returned.
|
|
4710
4712
|
*/
|
|
4711
4713
|
async updateClient_internal(r, o) {
|
|
4712
|
-
var t,
|
|
4714
|
+
var t, a;
|
|
4713
4715
|
let s;
|
|
4714
4716
|
try {
|
|
4715
|
-
const
|
|
4716
|
-
if (!
|
|
4717
|
+
const i = r.params.client_id;
|
|
4718
|
+
if (!i) throw new n(u.BadRequest, "No client ID given");
|
|
4717
4719
|
var e = new b();
|
|
4718
4720
|
if (await e.loadData(r), s = e.toObject(), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4719
4721
|
throw new n(u.InvalidCsrf);
|
|
@@ -4737,7 +4739,7 @@ class X {
|
|
|
4737
4739
|
if (g.client_name = s.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow = h, g.redirect_uri = c, o) {
|
|
4738
4740
|
let C = s.userid ?? void 0;
|
|
4739
4741
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4740
|
-
const { user: T } = await ((
|
|
4742
|
+
const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4741
4743
|
C = T.id;
|
|
4742
4744
|
}
|
|
4743
4745
|
g.userid = s.userid ? Number(s.userid) : null;
|
|
@@ -4745,7 +4747,7 @@ class X {
|
|
|
4745
4747
|
const p = e.getAsBoolean("resetSecret");
|
|
4746
4748
|
if (!this.clientManager) throw new n(u.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
|
|
4747
4749
|
const { client: w, newSecret: S } = await this.clientManager.updateClient(
|
|
4748
|
-
|
|
4750
|
+
i,
|
|
4749
4751
|
g,
|
|
4750
4752
|
p
|
|
4751
4753
|
);
|
|
@@ -4756,9 +4758,9 @@ class X {
|
|
|
4756
4758
|
//plaintextSecret: resetSecret ? formData.client_secret : undefined,
|
|
4757
4759
|
plaintextSecret: S && w.client_secret ? w.client_secret : void 0
|
|
4758
4760
|
};
|
|
4759
|
-
} catch (
|
|
4760
|
-
if (m.isSvelteKitRedirect(
|
|
4761
|
-
let c = n.asCrossauthError(
|
|
4761
|
+
} catch (i) {
|
|
4762
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
4763
|
+
let c = n.asCrossauthError(i, "Couldn't update client");
|
|
4762
4764
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ cerr: c })), {
|
|
4763
4765
|
error: c.message,
|
|
4764
4766
|
errorCode: c.code,
|
|
@@ -4777,7 +4779,7 @@ class X {
|
|
|
4777
4779
|
* @returns {@link CreateClientPageData}.
|
|
4778
4780
|
*/
|
|
4779
4781
|
async emptyClient_internal(r, o) {
|
|
4780
|
-
var e, t,
|
|
4782
|
+
var e, t, a, i, c, d, h;
|
|
4781
4783
|
try {
|
|
4782
4784
|
var s = new b();
|
|
4783
4785
|
await s.loadData(r);
|
|
@@ -4789,8 +4791,8 @@ class X {
|
|
|
4789
4791
|
g = T.id;
|
|
4790
4792
|
}
|
|
4791
4793
|
const C = s.get("userid");
|
|
4792
|
-
if (C && ((
|
|
4793
|
-
const { user: T } = await ((
|
|
4794
|
+
if (C && ((a = this.sessionServer) != null && a.userStorage)) {
|
|
4795
|
+
const { user: T } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4794
4796
|
g = T.id;
|
|
4795
4797
|
}
|
|
4796
4798
|
} else {
|
|
@@ -4830,7 +4832,7 @@ class X {
|
|
|
4830
4832
|
* @returns {@link UpdateClientFormData}. If a secret was created, it will be placed as plaintext in the client that is returned. A random `client_id` is created.
|
|
4831
4833
|
*/
|
|
4832
4834
|
async createClient_internal(r, o) {
|
|
4833
|
-
var t,
|
|
4835
|
+
var t, a, i, c;
|
|
4834
4836
|
let s;
|
|
4835
4837
|
try {
|
|
4836
4838
|
var e = new b();
|
|
@@ -4839,7 +4841,7 @@ class X {
|
|
|
4839
4841
|
if (o) {
|
|
4840
4842
|
const C = e.get("userid");
|
|
4841
4843
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4842
|
-
const { user: T } = await ((
|
|
4844
|
+
const { user: T } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4843
4845
|
d = T.id;
|
|
4844
4846
|
}
|
|
4845
4847
|
} else {
|
|
@@ -4847,7 +4849,7 @@ class X {
|
|
|
4847
4849
|
d = r.locals.user.id;
|
|
4848
4850
|
}
|
|
4849
4851
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4850
|
-
if (d && await ((c = (
|
|
4852
|
+
if (d && await ((c = (i = this.sessionServer) == null ? void 0 : i.userStorage) == null ? void 0 : c.getUserById(d)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4851
4853
|
throw new n(u.InvalidCsrf);
|
|
4852
4854
|
const h = !s.redirect_uri || s.redirect_uri.trim().length == 0 ? [] : s.redirect_uri.trim().split(/[, ][ \t\n]*/);
|
|
4853
4855
|
let g = [];
|
|
@@ -4903,19 +4905,19 @@ class X {
|
|
|
4903
4905
|
try {
|
|
4904
4906
|
if (!o) throw new n(u.BadRequest, "No client ID specified");
|
|
4905
4907
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4906
|
-
const
|
|
4908
|
+
const a = await this.clientStorage.getClientById(o), i = a.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(a.userid)), c = (t = i == null ? void 0 : i.user) == null ? void 0 : t.username;
|
|
4907
4909
|
return {
|
|
4908
4910
|
ok: !0,
|
|
4909
|
-
client:
|
|
4911
|
+
client: a,
|
|
4910
4912
|
client_id: o,
|
|
4911
4913
|
clientUsername: c
|
|
4912
4914
|
};
|
|
4913
|
-
} catch (
|
|
4914
|
-
let
|
|
4915
|
-
return l.logger.debug(f({ err:
|
|
4916
|
-
error:
|
|
4917
|
-
errorCode:
|
|
4918
|
-
errorCodeName:
|
|
4915
|
+
} catch (a) {
|
|
4916
|
+
let i = n.asCrossauthError(a, "Couldn't load client");
|
|
4917
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4918
|
+
error: i.message,
|
|
4919
|
+
errorCode: i.code,
|
|
4920
|
+
errorCodeName: i.codeName,
|
|
4919
4921
|
ok: !1,
|
|
4920
4922
|
client_id: o
|
|
4921
4923
|
};
|
|
@@ -4936,19 +4938,19 @@ class X {
|
|
|
4936
4938
|
const t = r.params.client_id;
|
|
4937
4939
|
if (!t) throw new n(u.BadRequest, "No client ID given");
|
|
4938
4940
|
if (!this.clientStorage) throw new n(u.Configuration, "No client storage specified");
|
|
4939
|
-
const
|
|
4940
|
-
if (!o &&
|
|
4941
|
+
const a = await ((s = this.clientStorage) == null ? void 0 : s.getClientById(t));
|
|
4942
|
+
if (!o && a.userid != ((e = r.locals.user) == null ? void 0 : e.id))
|
|
4941
4943
|
throw this.error(401, "Unauthorized");
|
|
4942
4944
|
return await this.clientStorage.deleteClient(t), {
|
|
4943
4945
|
ok: !0
|
|
4944
4946
|
};
|
|
4945
4947
|
} catch (t) {
|
|
4946
4948
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
4947
|
-
let
|
|
4948
|
-
return l.logger.debug(f({ err:
|
|
4949
|
-
error:
|
|
4950
|
-
errorCode:
|
|
4951
|
-
errorCodeName:
|
|
4949
|
+
let a = n.asCrossauthError(t, "Couldn't delete client");
|
|
4950
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4951
|
+
error: a.message,
|
|
4952
|
+
errorCode: a.code,
|
|
4953
|
+
errorCodeName: a.codeName,
|
|
4952
4954
|
ok: !1
|
|
4953
4955
|
};
|
|
4954
4956
|
}
|
|
@@ -5017,7 +5019,7 @@ class Ce extends X {
|
|
|
5017
5019
|
actions: {
|
|
5018
5020
|
default: async (s) => await this.deleteClient(s)
|
|
5019
5021
|
}
|
|
5020
|
-
}, this.sessionServer = r, y("loginUrl",
|
|
5022
|
+
}, this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
|
|
5021
5023
|
}
|
|
5022
5024
|
///////////////////////////////////////////////////////////////////
|
|
5023
5025
|
// Functions callable from apps
|
|
@@ -5199,7 +5201,7 @@ class ye extends X {
|
|
|
5199
5201
|
actions: {
|
|
5200
5202
|
default: async (s) => await this.deleteClient(s)
|
|
5201
5203
|
}
|
|
5202
|
-
}, this.sessionServer = r, y("loginUrl",
|
|
5204
|
+
}, this.sessionServer = r, y("loginUrl", _.String, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
|
|
5203
5205
|
}
|
|
5204
5206
|
///////////////////////////////////////////////////////////////////
|
|
5205
5207
|
// Functions callable from apps
|
|
@@ -5261,51 +5263,51 @@ class ye extends X {
|
|
|
5261
5263
|
}
|
|
5262
5264
|
}
|
|
5263
5265
|
const x = "X-CROSSAUTH-CSRF";
|
|
5264
|
-
function
|
|
5266
|
+
function _e(k) {
|
|
5265
5267
|
let r = [];
|
|
5266
5268
|
return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
|
|
5267
5269
|
}
|
|
5268
|
-
function
|
|
5270
|
+
function Ee(k, r, o, s = ["localpassword"]) {
|
|
5269
5271
|
var i;
|
|
5270
|
-
let
|
|
5272
|
+
let t = {
|
|
5271
5273
|
username: r.username ?? "",
|
|
5272
5274
|
state: "active"
|
|
5273
5275
|
};
|
|
5274
|
-
const
|
|
5275
|
-
for (let
|
|
5276
|
-
let
|
|
5277
|
-
if (
|
|
5278
|
-
if ("type_" +
|
|
5279
|
-
if (r["type_" +
|
|
5280
|
-
|
|
5281
|
-
else if (r["type_" +
|
|
5282
|
-
|
|
5283
|
-
else if (r["type_" +
|
|
5284
|
-
const
|
|
5285
|
-
|
|
5276
|
+
const a = k.locals.user && m.isAdminFn(k.locals.user);
|
|
5277
|
+
for (let c in r) {
|
|
5278
|
+
let d = c.replace(/^user_/, "");
|
|
5279
|
+
if (c.startsWith("user_") && (a || o.includes(d)))
|
|
5280
|
+
if ("type_" + d in r) {
|
|
5281
|
+
if (r["type_" + d] == "string")
|
|
5282
|
+
t[d] = r[c];
|
|
5283
|
+
else if (r["type_" + d] == "number" || r["type_" + d] == "integer" || r["type_" + d] == "float")
|
|
5284
|
+
t[d] = Number(r[c]);
|
|
5285
|
+
else if (r["type_" + d] == "boolean") {
|
|
5286
|
+
const h = (i = r[c]) == null ? void 0 : i.toLocaleLowerCase();
|
|
5287
|
+
t[d] = h == "1" || h == "y" || h == "t" || h == "yes" || h == "true";
|
|
5286
5288
|
}
|
|
5287
5289
|
} else
|
|
5288
|
-
|
|
5290
|
+
t[d] = r[c];
|
|
5289
5291
|
}
|
|
5290
|
-
return
|
|
5292
|
+
return t.factor1 = "localpassword", r.factor1 && s.includes(r.factor1) && (t.factor1 = r.factor1), t.factor2 = r.factor2, t;
|
|
5291
5293
|
}
|
|
5292
5294
|
function ve(k, r, o, s) {
|
|
5293
5295
|
var t;
|
|
5294
5296
|
const e = r.locals.user && m.isAdminFn(r.locals.user);
|
|
5295
|
-
for (let
|
|
5296
|
-
let
|
|
5297
|
-
if (
|
|
5298
|
-
if ("type_" +
|
|
5299
|
-
if (o["type_" +
|
|
5300
|
-
k[
|
|
5301
|
-
else if (o["type_" +
|
|
5302
|
-
k[
|
|
5303
|
-
else if (o["type_" +
|
|
5304
|
-
const c = (t = o[
|
|
5305
|
-
k[
|
|
5297
|
+
for (let a in o) {
|
|
5298
|
+
let i = a.replace(/^user_/, "");
|
|
5299
|
+
if (a.startsWith("user_") && (e || s.includes(i)))
|
|
5300
|
+
if ("type_" + i in o) {
|
|
5301
|
+
if (o["type_" + i] == "string")
|
|
5302
|
+
k[i] = o[a];
|
|
5303
|
+
else if (o["type_" + i] == "number" || o["type_" + i] == "integer" || o["type_" + i] == "float")
|
|
5304
|
+
k[i] = Number(o[a]);
|
|
5305
|
+
else if (o["type_" + i] == "boolean") {
|
|
5306
|
+
const c = (t = o[a]) == null ? void 0 : t.toLocaleLowerCase();
|
|
5307
|
+
k[i] = c == "1" || c == "y" || c == "t" || c == "yes" || c == "true";
|
|
5306
5308
|
}
|
|
5307
5309
|
} else
|
|
5308
|
-
k[
|
|
5310
|
+
k[i] = o[a];
|
|
5309
5311
|
}
|
|
5310
5312
|
return k;
|
|
5311
5313
|
}
|
|
@@ -5318,9 +5320,9 @@ class H {
|
|
|
5318
5320
|
* @param options See {@link SvelteKitSessionServerOptions}.
|
|
5319
5321
|
*/
|
|
5320
5322
|
constructor(r, o, s = {}) {
|
|
5321
|
-
this.validateUserFn =
|
|
5323
|
+
this.validateUserFn = _e, this.createUserFn = Ee, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.adminProtectedExceptionPageEndpoints = [], this.adminProtectedExceptionApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.userAllowedFactor1 = ["localpassword"], this.adminAllowedFactor1 = ["localpassword"], this.keyStorage = r, this.userStorage = s.userStorage, this.clientStorage = s.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, s), this.redirect = s.redirect ?? Q, this.error = s.error ?? Y, y("factor2Url", _.String, this, s, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", _.JsonArray, this, s, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", _.JsonArray, this, s, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", _.JsonArray, this, s, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", _.JsonArray, this, s, "ADMIN_API_ENDPOINTS"), y("adminProtectedExceptionPageEndpoints", _.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("adminProtectedExceptionApiEndpoints", _.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("loginUrl", _.JsonArray, this, s, "LOGIN_URL"), y("unauthorizedUrl", _.JsonArray, this, s, "UNAUTHORIZED_PAGE"), y("userAllowedFactor1", _.JsonArray, this, s, "USER_ALLOWED_FACTOR1"), y("adminAllowedFactor1", _.JsonArray, this, s, "ADMIN_ALLOWED_FACTOR1");
|
|
5322
5324
|
let e = {};
|
|
5323
|
-
if (y("allowedFactor2",
|
|
5325
|
+
if (y("allowedFactor2", _.JsonArray, e, s, "ALLOWED_FACTOR2"), this.allowedFactor2Names = s.allowedFactor2 ?? ["none"], e.allowedFactor2)
|
|
5324
5326
|
for (let t of e.allowedFactor2)
|
|
5325
5327
|
t in this.authenticators ? this.allowedFactor2.push({
|
|
5326
5328
|
name: t,
|
|
@@ -5331,11 +5333,11 @@ class H {
|
|
|
5331
5333
|
friendlyName: "None",
|
|
5332
5334
|
configurable: !1
|
|
5333
5335
|
});
|
|
5334
|
-
y("enableEmailVerification",
|
|
5336
|
+
y("enableEmailVerification", _.Boolean, this, s, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", _.Boolean, this, s, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", _.Boolean, this, s, "ENABLE_CSRF_PROTECTION"), y("editUserScope", _.String, this, s, "EDIT_USER_SCOPE"), s.validateUserFn && (this.validateUserFn = s.validateUserFn), s.createUserFn && (this.createUserFn = s.createUserFn), s.updateUserFn && (this.updateUserFn = s.updateUserFn), s.addToSession && (this.addToSession = s.addToSession), s.validateSession && (this.validateSession = s.validateSession), this.userEndpoints = new we(this, s), this.adminEndpoints = new ke(this, s), this.userClientEndpoints = new Ce(this, s), this.adminClientEndpoints = new ye(this, s), this.sessionHook = async ({ event: t }) => {
|
|
5335
5337
|
var h, g;
|
|
5336
5338
|
l.logger.debug("Session hook");
|
|
5337
|
-
let
|
|
5338
|
-
const
|
|
5339
|
+
let a = [];
|
|
5340
|
+
const i = this.sessionManager.csrfCookieName, c = this.sessionManager.sessionCookieName;
|
|
5339
5341
|
if (this.enableCsrfProtection) {
|
|
5340
5342
|
l.logger.debug(f({ msg: "Getting csrf cookie" }));
|
|
5341
5343
|
let p;
|
|
@@ -5344,7 +5346,7 @@ class H {
|
|
|
5344
5346
|
} catch (w) {
|
|
5345
5347
|
l.logger.warn(f({ msg: "Invalid csrf cookie received", cerr: w, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5346
5348
|
try {
|
|
5347
|
-
this.clearCookie(
|
|
5349
|
+
this.clearCookie(i, this.sessionManager.csrfCookiePath, t);
|
|
5348
5350
|
} catch (S) {
|
|
5349
5351
|
l.logger.debug(f({ err: S })), l.logger.error(f({ cerr: S, msg: "Couldn't delete CSRF cookie", ip: t.request.referrer, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5350
5352
|
}
|
|
@@ -5361,13 +5363,13 @@ class H {
|
|
|
5361
5363
|
const { csrfCookie: w, csrfFormOrHeaderValue: S } = await this.sessionManager.createCsrfToken();
|
|
5362
5364
|
this.setCsrfCookie(w, t), t.locals.csrfToken = S;
|
|
5363
5365
|
}
|
|
5364
|
-
this.setHeader(x, t.locals.csrfToken,
|
|
5366
|
+
this.setHeader(x, t.locals.csrfToken, a);
|
|
5365
5367
|
} catch (w) {
|
|
5366
|
-
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (h = t.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w })), this.clearCookie(
|
|
5368
|
+
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (h = t.locals.user) == null ? void 0 : h.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w })), this.clearCookie(i, this.sessionManager.csrfCookiePath, t), t.locals.csrfToken = void 0;
|
|
5367
5369
|
}
|
|
5368
5370
|
else if (p)
|
|
5369
5371
|
try {
|
|
5370
|
-
await this.csrfToken(t,
|
|
5372
|
+
await this.csrfToken(t, a);
|
|
5371
5373
|
} catch (w) {
|
|
5372
5374
|
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: w, user: (g = t.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: w }));
|
|
5373
5375
|
}
|
|
@@ -5382,13 +5384,13 @@ class H {
|
|
|
5382
5384
|
} catch {
|
|
5383
5385
|
l.logger.warn(f({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(t) })), this.clearCookie(c, this.sessionManager.sessionCookiePath, t);
|
|
5384
5386
|
}
|
|
5385
|
-
return { headers:
|
|
5387
|
+
return { headers: a };
|
|
5386
5388
|
}, this.twoFAHook = async ({ event: t }) => {
|
|
5387
5389
|
var h;
|
|
5388
5390
|
if (l.logger.debug(f({ msg: "twoFAHook", username: (h = t.locals.user) == null ? void 0 : h.username })), !this.userStorage) throw this.error(500, "No user storage defined");
|
|
5389
|
-
const
|
|
5391
|
+
const a = this.getSessionCookieValue(t), i = this.isFactor2PageProtected(t), c = this.isFactor2ApiProtected(t);
|
|
5390
5392
|
let d;
|
|
5391
|
-
if (
|
|
5393
|
+
if (a)
|
|
5392
5394
|
if (t.locals.user) d = t.locals.user;
|
|
5393
5395
|
else {
|
|
5394
5396
|
const g = await this.getSessionData(t, "user");
|
|
@@ -5397,7 +5399,7 @@ class H {
|
|
|
5397
5399
|
(p.user.status == N.active || p.user.state == N.factor2ResetNeeded) && (d = p.user);
|
|
5398
5400
|
}
|
|
5399
5401
|
}
|
|
5400
|
-
if (d &&
|
|
5402
|
+
if (d && a && d.factor2 != "" && (i || c))
|
|
5401
5403
|
if (l.logger.debug(f({ msg: "Factor2-protected endpoint visited" })), ["GET", "OPTIONS", "HEAD"].includes(t.request.method)) {
|
|
5402
5404
|
l.logger.debug(f({ msg: "Factor2-protected GET endpoint - cancelling 2FA" }));
|
|
5403
5405
|
const g = this.getSessionCookieValue(t);
|
|
@@ -5413,7 +5415,7 @@ class H {
|
|
|
5413
5415
|
}
|
|
5414
5416
|
}
|
|
5415
5417
|
} else {
|
|
5416
|
-
const g = this.sessionManager.getSessionId(
|
|
5418
|
+
const g = this.sessionManager.getSessionId(a), p = await this.sessionManager.dataForSessionId(g);
|
|
5417
5419
|
if ("pre2fa" in p) {
|
|
5418
5420
|
l.logger.debug(f({ msg: "Completing 2FA" }));
|
|
5419
5421
|
const w = this.authenticators[p.pre2fa.factor2], S = [...w.secretNames(), ...w.transientSecretNames()];
|
|
@@ -5442,7 +5444,7 @@ class H {
|
|
|
5442
5444
|
}
|
|
5443
5445
|
return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
|
|
5444
5446
|
} else
|
|
5445
|
-
return
|
|
5447
|
+
return i ? {
|
|
5446
5448
|
twofa: !0,
|
|
5447
5449
|
ok: !1,
|
|
5448
5450
|
response: new Response("", {
|
|
@@ -5490,7 +5492,7 @@ class H {
|
|
|
5490
5492
|
const w = new b();
|
|
5491
5493
|
await w.loadData(t);
|
|
5492
5494
|
let S = t.request.headers.get("content-type");
|
|
5493
|
-
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", w.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0),
|
|
5495
|
+
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", w.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0), i ? {
|
|
5494
5496
|
twofa: !0,
|
|
5495
5497
|
ok: !0,
|
|
5496
5498
|
response: new Response("", {
|
|
@@ -5613,21 +5615,21 @@ class H {
|
|
|
5613
5615
|
* @returns the string CSRF token for inclusion in forms
|
|
5614
5616
|
*/
|
|
5615
5617
|
async csrfToken(r, o) {
|
|
5616
|
-
var e, t,
|
|
5618
|
+
var e, t, a;
|
|
5617
5619
|
let s;
|
|
5618
5620
|
if (r.request.headers && r.request.headers.has(x.toLowerCase())) {
|
|
5619
|
-
const
|
|
5620
|
-
Array.isArray(
|
|
5621
|
+
const i = r.request.headers.get(x.toLowerCase());
|
|
5622
|
+
Array.isArray(i) ? s = i[0] : i && (s = i);
|
|
5621
5623
|
}
|
|
5622
5624
|
if (!s) {
|
|
5623
5625
|
if (!((e = r.request) != null && e.body)) {
|
|
5624
5626
|
l.logger.warn(f({ msg: "Received CSRF header but not token", ip: r.request.referrerPolicy, hashedCsrfCookie: this.getHashOfCsrfCookie(r) }));
|
|
5625
5627
|
return;
|
|
5626
5628
|
}
|
|
5627
|
-
const
|
|
5628
|
-
if (
|
|
5629
|
-
s = (await ((
|
|
5630
|
-
else if (
|
|
5629
|
+
const i = r.request.headers.get("content-type");
|
|
5630
|
+
if (i == "application/json")
|
|
5631
|
+
s = (await ((a = (t = r.request) == null ? void 0 : t.clone()) == null ? void 0 : a.json())).csrfToken;
|
|
5632
|
+
else if (i == "application/x-www-form-urlencoded" || i == "multipart/form-data") {
|
|
5631
5633
|
const d = (await r.request.clone().formData()).get("csrfToken");
|
|
5632
5634
|
d && typeof d == "string" && (s = d);
|
|
5633
5635
|
}
|
|
@@ -5660,8 +5662,8 @@ class H {
|
|
|
5660
5662
|
else {
|
|
5661
5663
|
e = "";
|
|
5662
5664
|
for (let t in o) {
|
|
5663
|
-
const
|
|
5664
|
-
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(
|
|
5665
|
+
const a = o[t];
|
|
5666
|
+
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(a);
|
|
5665
5667
|
}
|
|
5666
5668
|
}
|
|
5667
5669
|
return r.request = new Request(r.request.url, {
|
|
@@ -5715,10 +5717,10 @@ class H {
|
|
|
5715
5717
|
if (o.pathname == this.loginUrl) return !1;
|
|
5716
5718
|
let s = !1;
|
|
5717
5719
|
return s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5718
|
-
(t,
|
|
5720
|
+
(t, a) => t || I(o.pathname, a),
|
|
5719
5721
|
s
|
|
5720
5722
|
), s ? !1 : this.loginProtectedPageEndpoints.reduce(
|
|
5721
|
-
(t,
|
|
5723
|
+
(t, a) => t || I(o.pathname, a),
|
|
5722
5724
|
!1
|
|
5723
5725
|
);
|
|
5724
5726
|
}
|
|
@@ -5736,10 +5738,10 @@ class H {
|
|
|
5736
5738
|
if (o.pathname == this.loginUrl) return !1;
|
|
5737
5739
|
let s = !1;
|
|
5738
5740
|
return s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5739
|
-
(t,
|
|
5741
|
+
(t, a) => t || I(o.pathname, a),
|
|
5740
5742
|
s
|
|
5741
5743
|
), s ? !1 : this.loginProtectedApiEndpoints.reduce(
|
|
5742
|
-
(t,
|
|
5744
|
+
(t, a) => t || I(o.pathname, a),
|
|
5743
5745
|
!1
|
|
5744
5746
|
);
|
|
5745
5747
|
}
|
|
@@ -5788,13 +5790,13 @@ class H {
|
|
|
5788
5790
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5789
5791
|
let s = !1;
|
|
5790
5792
|
return s = this.adminProtectedExceptionPageEndpoints.reduce(
|
|
5791
|
-
(t,
|
|
5793
|
+
(t, a) => t || I(o.pathname, a),
|
|
5792
5794
|
s
|
|
5793
5795
|
), s || (s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5794
|
-
(t,
|
|
5796
|
+
(t, a) => t || I(o.pathname, a),
|
|
5795
5797
|
s
|
|
5796
5798
|
), s) ? !1 : this.adminPageEndpoints.reduce(
|
|
5797
|
-
(t,
|
|
5799
|
+
(t, a) => t || I(o.pathname, a),
|
|
5798
5800
|
!1
|
|
5799
5801
|
);
|
|
5800
5802
|
}
|
|
@@ -5811,13 +5813,13 @@ class H {
|
|
|
5811
5813
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5812
5814
|
let s = !1;
|
|
5813
5815
|
return s = this.adminProtectedExceptionApiEndpoints.reduce(
|
|
5814
|
-
(t,
|
|
5816
|
+
(t, a) => t || I(o.pathname, a),
|
|
5815
5817
|
s
|
|
5816
5818
|
), s || (s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5817
|
-
(t,
|
|
5819
|
+
(t, a) => t || I(o.pathname, a),
|
|
5818
5820
|
s
|
|
5819
5821
|
), s) ? !1 : this.adminApiEndpoints.reduce(
|
|
5820
|
-
(t,
|
|
5822
|
+
(t, a) => t || I(o.pathname, a),
|
|
5821
5823
|
!1
|
|
5822
5824
|
);
|
|
5823
5825
|
}
|
|
@@ -5839,15 +5841,15 @@ class H {
|
|
|
5839
5841
|
await s.loadData(r);
|
|
5840
5842
|
let e = this.addToSession ? this.addToSession(r, s.toObject()) : {};
|
|
5841
5843
|
o && (e.data = JSON.stringify(o));
|
|
5842
|
-
let { sessionCookie: t, csrfCookie:
|
|
5844
|
+
let { sessionCookie: t, csrfCookie: a, csrfFormOrHeaderValue: i } = await this.sessionManager.createAnonymousSession(e);
|
|
5843
5845
|
r.cookies.set(
|
|
5844
5846
|
t.name,
|
|
5845
5847
|
t.value,
|
|
5846
5848
|
R(t.options)
|
|
5847
|
-
), this.enableCsrfProtection && (r.locals.csrfToken =
|
|
5848
|
-
|
|
5849
|
-
|
|
5850
|
-
R(
|
|
5849
|
+
), this.enableCsrfProtection && (r.locals.csrfToken = i, r.cookies.set(
|
|
5850
|
+
a.name,
|
|
5851
|
+
a.value,
|
|
5852
|
+
R(a.options)
|
|
5851
5853
|
)), r.locals.user = void 0;
|
|
5852
5854
|
const c = this.sessionManager.getSessionId(t.value);
|
|
5853
5855
|
return r.locals.sessionId = c, t.value;
|