@crossauth/sveltekit 0.0.36 → 0.0.37
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +60 -59
- package/dist/sveltekitsession.d.ts +14 -2
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { minimatch as I } from "minimatch";
|
|
2
|
-
import { ApiKeyManager as K, KeyStorage as $, toCookieSerializeOptions as R, Crypto as F, OAuthAuthorizationServer as Z, setParameter as y, ParamType as
|
|
3
|
-
import { CrossauthError as n, ErrorCode as u, CrossauthLogger as l, j as f, OAuthFlows as
|
|
2
|
+
import { ApiKeyManager as K, KeyStorage as $, toCookieSerializeOptions as R, Crypto as F, OAuthAuthorizationServer as Z, setParameter as y, ParamType as _, DoubleSubmitCsrfToken as ee, OAuthClientManager as B, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
|
|
3
|
+
import { CrossauthError as n, ErrorCode as u, CrossauthLogger as l, j as f, OAuthFlows as E, UserState as N, httpStatus as q } from "@crossauth/common";
|
|
4
4
|
import { json as v, redirect as Q, error as Y } from "@sveltejs/kit";
|
|
5
5
|
import "cookie";
|
|
6
6
|
import { jwtDecode as M } from "jwt-decode";
|
|
@@ -189,7 +189,7 @@ class ce {
|
|
|
189
189
|
}, this.authorizeEndpoint = {
|
|
190
190
|
load: async (i) => {
|
|
191
191
|
var w, S;
|
|
192
|
-
if (!(this.authServer.validFlows.includes(
|
|
192
|
+
if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode)))
|
|
193
193
|
throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
|
|
194
194
|
if (!i.locals.user) return this.redirect(
|
|
195
195
|
302,
|
|
@@ -329,7 +329,7 @@ class ce {
|
|
|
329
329
|
post: async (i) => {
|
|
330
330
|
let c;
|
|
331
331
|
try {
|
|
332
|
-
if (!(this.authServer.validFlows.includes(
|
|
332
|
+
if (!(this.authServer.validFlows.includes(E.AuthorizationCode) || this.authServer.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(E.OidcAuthorizationCode) || this.authServer.validFlows.includes(E.ClientCredentials) || this.authServer.validFlows.includes(E.RefreshToken) || this.authServer.validFlows.includes(E.Password) || this.authServer.validFlows.includes(E.PasswordMfa || this.authServer.validFlows.includes(E.DeviceCode))))
|
|
333
333
|
return v({
|
|
334
334
|
ok: !1,
|
|
335
335
|
error: "invalid_request",
|
|
@@ -439,7 +439,7 @@ class ce {
|
|
|
439
439
|
post: async (i) => {
|
|
440
440
|
let c;
|
|
441
441
|
try {
|
|
442
|
-
if (!this.authServer.validFlows.includes(
|
|
442
|
+
if (!this.authServer.validFlows.includes(E.DeviceCode))
|
|
443
443
|
return v({
|
|
444
444
|
ok: !1,
|
|
445
445
|
error: "invalid_request",
|
|
@@ -475,7 +475,7 @@ class ce {
|
|
|
475
475
|
}
|
|
476
476
|
}, this.deviceEndpoint = {
|
|
477
477
|
load: async (i) => {
|
|
478
|
-
if (!this.authServer.validFlows.includes(
|
|
478
|
+
if (!this.authServer.validFlows.includes(E.DeviceCode))
|
|
479
479
|
throw this.error(401, "device cannot be called because the device code flow is not supported");
|
|
480
480
|
if (!i.locals.user) return this.redirect(
|
|
481
481
|
302,
|
|
@@ -563,7 +563,7 @@ class ce {
|
|
|
563
563
|
s,
|
|
564
564
|
e,
|
|
565
565
|
t
|
|
566
|
-
), y("loginUrl",
|
|
566
|
+
), y("loginUrl", _.String, this, t, "LOGIN_URL"), y("refreshTokenType", _.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", _.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", _.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", _.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", _.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", _.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", _.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((a = this.svelteKitServer.sessionServer) == null ? void 0 : a.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(t.doubleSubmitCookieOptions));
|
|
567
567
|
}
|
|
568
568
|
/**
|
|
569
569
|
* Returns this server's OIDC configuration. Just wraps
|
|
@@ -1048,14 +1048,14 @@ class G extends re {
|
|
|
1048
1048
|
* @param options See {@link SvelteKitOAuthClientOptions}
|
|
1049
1049
|
*/
|
|
1050
1050
|
constructor(r, o, s) {
|
|
1051
|
-
if (super(o, s), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [
|
|
1051
|
+
if (super(o, s), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [E.All], this.authorizedUrl = "", this.autoRefreshActive = {}, this.loginProtectedFlows = [], this.tokenResponseType = "sendJson", this.errorResponseType = "sendJson", this.bffEndpoints = [], this.bffEndpointName = "bff", this.tokenEndpoints = [], this.bffMaxTries = 1, this.bffSleepMilliseconds = 500, this.jwtTokens = ["access", "id", "refresh"], this.testMiddleware = !1, this.testEvent = void 0, this.authorizationCodeFlowEndpoint = {
|
|
1052
1052
|
get: async (e) => {
|
|
1053
1053
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1054
1054
|
const t = new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1055
1055
|
return this.errorFn(this.server, e, t);
|
|
1056
1056
|
}
|
|
1057
1057
|
try {
|
|
1058
|
-
if (!this.validFlows.includes(
|
|
1058
|
+
if (!this.validFlows.includes(E.AuthorizationCode)) {
|
|
1059
1059
|
const g = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1060
1060
|
return this.errorFn(this.server, e, g);
|
|
1061
1061
|
}
|
|
@@ -1095,7 +1095,7 @@ class G extends re {
|
|
|
1095
1095
|
};
|
|
1096
1096
|
}
|
|
1097
1097
|
try {
|
|
1098
|
-
if (!this.validFlows.includes(
|
|
1098
|
+
if (!this.validFlows.includes(E.AuthorizationCode)) {
|
|
1099
1099
|
const g = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1100
1100
|
return {
|
|
1101
1101
|
ok: !1,
|
|
@@ -1141,7 +1141,7 @@ class G extends re {
|
|
|
1141
1141
|
return this.errorFn(this.server, e, t);
|
|
1142
1142
|
}
|
|
1143
1143
|
try {
|
|
1144
|
-
if (!this.validFlows.includes(
|
|
1144
|
+
if (!this.validFlows.includes(E.AuthorizationCodeWithPKCE)) {
|
|
1145
1145
|
const w = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1146
1146
|
return this.errorFn(this.server, e, w);
|
|
1147
1147
|
}
|
|
@@ -1184,7 +1184,7 @@ class G extends re {
|
|
|
1184
1184
|
};
|
|
1185
1185
|
}
|
|
1186
1186
|
try {
|
|
1187
|
-
if (!this.validFlows.includes(
|
|
1187
|
+
if (!this.validFlows.includes(E.AuthorizationCodeWithPKCE)) {
|
|
1188
1188
|
const w = new n(u.Unauthorized, "Authorization flow is not supported");
|
|
1189
1189
|
return {
|
|
1190
1190
|
ok: !1,
|
|
@@ -1231,7 +1231,7 @@ class G extends re {
|
|
|
1231
1231
|
return this.errorFn(this.server, e, a);
|
|
1232
1232
|
}
|
|
1233
1233
|
try {
|
|
1234
|
-
if (!(this.validFlows.includes(
|
|
1234
|
+
if (!(this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode))) {
|
|
1235
1235
|
const p = new n(u.Unauthorized, "Authorization flows are not supported");
|
|
1236
1236
|
return this.errorFn(this.server, e, p);
|
|
1237
1237
|
}
|
|
@@ -1285,7 +1285,7 @@ class G extends re {
|
|
|
1285
1285
|
};
|
|
1286
1286
|
}
|
|
1287
1287
|
try {
|
|
1288
|
-
if (!(this.validFlows.includes(
|
|
1288
|
+
if (!(this.validFlows.includes(E.AuthorizationCode) || this.validFlows.includes(E.AuthorizationCodeWithPKCE) || this.validFlows.includes(E.OidcAuthorizationCode))) {
|
|
1289
1289
|
const w = new n(u.Unauthorized, "Authorization flows are not supported");
|
|
1290
1290
|
return {
|
|
1291
1291
|
ok: !1,
|
|
@@ -1359,7 +1359,7 @@ class G extends re {
|
|
|
1359
1359
|
}
|
|
1360
1360
|
let t;
|
|
1361
1361
|
try {
|
|
1362
|
-
if (!this.validFlows.includes(
|
|
1362
|
+
if (!this.validFlows.includes(E.ClientCredentials)) {
|
|
1363
1363
|
const d = new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1364
1364
|
return this.errorFn(this.server, e, d);
|
|
1365
1365
|
}
|
|
@@ -1400,7 +1400,7 @@ class G extends re {
|
|
|
1400
1400
|
throw new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1401
1401
|
let t;
|
|
1402
1402
|
try {
|
|
1403
|
-
if (!this.validFlows.includes(
|
|
1403
|
+
if (!this.validFlows.includes(E.ClientCredentials))
|
|
1404
1404
|
throw new n(u.Unauthorized, "Client credentials flow is not supported");
|
|
1405
1405
|
var a = new b();
|
|
1406
1406
|
await a.loadData(e), t = a.toObject();
|
|
@@ -1436,7 +1436,7 @@ class G extends re {
|
|
|
1436
1436
|
}
|
|
1437
1437
|
let t;
|
|
1438
1438
|
try {
|
|
1439
|
-
if (!this.validFlows.includes(
|
|
1439
|
+
if (!this.validFlows.includes(E.RefreshToken)) {
|
|
1440
1440
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1441
1441
|
return this.errorFn(this.server, e, h);
|
|
1442
1442
|
}
|
|
@@ -1493,7 +1493,7 @@ class G extends re {
|
|
|
1493
1493
|
throw new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1494
1494
|
let t;
|
|
1495
1495
|
try {
|
|
1496
|
-
if (!this.validFlows.includes(
|
|
1496
|
+
if (!this.validFlows.includes(E.RefreshToken)) {
|
|
1497
1497
|
const h = new n(u.Unauthorized, "Refresh token flow is not supported");
|
|
1498
1498
|
return this.errorFn(this.server, e, h);
|
|
1499
1499
|
}
|
|
@@ -1720,9 +1720,9 @@ class G extends re {
|
|
|
1720
1720
|
actions: {
|
|
1721
1721
|
default: async (e) => await this.tokens(e, this.tokenEndpoints)
|
|
1722
1722
|
}
|
|
1723
|
-
}, this.server = r, y("sessionDataName",
|
|
1724
|
-
this.validFlows =
|
|
1725
|
-
else if (!
|
|
1723
|
+
}, this.server = r, y("sessionDataName", _.String, this, s, "OAUTH_SESSION_DATA_NAME"), y("tokenResponseType", _.String, this, s, "OAUTH_TOKEN_RESPONSE_TYPE"), y("errorResponseType", _.String, this, s, "OAUTH_ERROR_RESPONSE_TYPE"), y("loginUrl", _.String, this, s, "LOGIN_URL"), y("bffEndpointName", _.String, this, s, "OAUTH_BFF_ENDPOINT_NAME"), y("bffBaseUrl", _.String, this, s, "OAUTH_BFF_BASEURL"), y("redirect_uri", _.String, this, s, "OAUTH_REDIRECTURI", !0), y("authorizedUrl", _.String, this, s, "AUTHORIZED_URL", !1), y("validFlows", _.JsonArray, this, s, "OAUTH_validFlows"), y("bffMaxTries", _.Number, this, s, "OAUTH_BFF_MAX_RETRIES"), y("bffSleepMilliseconds", _.Number, this, s, "OAUTH_BFF_SLEEP_MILLISECONDS"), y("jwtTokens", _.JsonArray, this, s, "OAUTH_JWT_TOKENS"), this.bffEndpointName && !this.bffEndpointName.startsWith("/") && (this.bffEndpointName = "/" + this.bffEndpointName), this.bffEndpointName && this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), this.bffBaseUrl && this.bffBaseUrl.endsWith("/") && (this.bffBaseUrl = this.bffBaseUrl.substring(0, this.bffBaseUrl.length - 1)), s.redirect && (this.redirect = s.redirect), s.error && (this.error = s.error), this.validFlows.length == 1 && this.validFlows[0] == E.All)
|
|
1724
|
+
this.validFlows = E.allFlows();
|
|
1725
|
+
else if (!E.areAllValidFlows(this.validFlows))
|
|
1726
1726
|
throw new n(u.Configuration, "Invalid flows specificied in " + this.validFlows.join(","));
|
|
1727
1727
|
try {
|
|
1728
1728
|
new URL(this.redirect_uri ?? "");
|
|
@@ -1732,9 +1732,9 @@ class G extends re {
|
|
|
1732
1732
|
if (s.tokenEndpoints && (this.tokenEndpoints = s.tokenEndpoints), this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), s.bffEndpoints && (this.bffEndpoints = s.bffEndpoints.map((e) => ({ ...e, methodsString: e.methods.map((t) => t) }))), this.bffEndpoints)
|
|
1733
1733
|
for (let e of this.bffEndpoints)
|
|
1734
1734
|
e.url.startsWith("/") || (e.url = "/" + e.url);
|
|
1735
|
-
if (this.loginProtectedFlows.length == 1 && this.loginProtectedFlows[0] ==
|
|
1735
|
+
if (this.loginProtectedFlows.length == 1 && this.loginProtectedFlows[0] == E.All)
|
|
1736
1736
|
this.loginProtectedFlows = this.validFlows;
|
|
1737
|
-
else if (!
|
|
1737
|
+
else if (!E.areAllValidFlows(this.loginProtectedFlows))
|
|
1738
1738
|
throw new n(
|
|
1739
1739
|
u.Configuration,
|
|
1740
1740
|
"Invalid flows specificied in " + this.loginProtectedFlows.join(",")
|
|
@@ -1798,7 +1798,7 @@ class G extends re {
|
|
|
1798
1798
|
o.password,
|
|
1799
1799
|
o.scope
|
|
1800
1800
|
);
|
|
1801
|
-
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(
|
|
1801
|
+
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(E.PasswordMfa)) {
|
|
1802
1802
|
const t = e.mfa_token;
|
|
1803
1803
|
let a = o.scope;
|
|
1804
1804
|
if (a == "" && (a = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
|
|
@@ -2063,7 +2063,7 @@ class G extends re {
|
|
|
2063
2063
|
}
|
|
2064
2064
|
let s;
|
|
2065
2065
|
try {
|
|
2066
|
-
if (!(this.validFlows.includes(
|
|
2066
|
+
if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
|
|
2067
2067
|
const i = new n(u.Unauthorized, "Password flow is not supported");
|
|
2068
2068
|
return this.errorFn(this.server, r, i);
|
|
2069
2069
|
}
|
|
@@ -2106,7 +2106,7 @@ class G extends re {
|
|
|
2106
2106
|
throw new n(u.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
2107
2107
|
let s;
|
|
2108
2108
|
try {
|
|
2109
|
-
if (!(this.validFlows.includes(
|
|
2109
|
+
if (!(this.validFlows.includes(E.Password) || this.validFlows.includes(E.PasswordMfa))) {
|
|
2110
2110
|
const i = new n(u.Unauthorized, "Password and Password MFA flows are not supported");
|
|
2111
2111
|
return this.errorFn(this.server, r, i);
|
|
2112
2112
|
}
|
|
@@ -2126,7 +2126,7 @@ class G extends re {
|
|
|
2126
2126
|
...t
|
|
2127
2127
|
};
|
|
2128
2128
|
if (t.challenge_type) {
|
|
2129
|
-
if (!this.validFlows.includes(
|
|
2129
|
+
if (!this.validFlows.includes(E.PasswordMfa)) {
|
|
2130
2130
|
const i = new n(u.Unauthorized, "Password MFA flow is not supported");
|
|
2131
2131
|
return this.errorFn(this.server, r, i);
|
|
2132
2132
|
}
|
|
@@ -2341,7 +2341,7 @@ class G extends re {
|
|
|
2341
2341
|
async startDeviceCodeFlow_internal(r) {
|
|
2342
2342
|
let o;
|
|
2343
2343
|
try {
|
|
2344
|
-
if (!this.validFlows.includes(
|
|
2344
|
+
if (!this.validFlows.includes(E.DeviceCode))
|
|
2345
2345
|
throw new n(u.Unauthorized, "Device code flow is not supported");
|
|
2346
2346
|
var s = new b();
|
|
2347
2347
|
if (await s.loadData(r), o = s.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
@@ -2374,7 +2374,7 @@ class G extends re {
|
|
|
2374
2374
|
async pollDeviceCodeFlow_internal(r) {
|
|
2375
2375
|
let o;
|
|
2376
2376
|
try {
|
|
2377
|
-
if (!this.validFlows.includes(
|
|
2377
|
+
if (!this.validFlows.includes(E.DeviceCode))
|
|
2378
2378
|
throw new n(u.Unauthorized, "Device code flow is not supported");
|
|
2379
2379
|
var s = new b();
|
|
2380
2380
|
if (await s.loadData(r), o = s.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
@@ -2455,7 +2455,7 @@ class ge extends se {
|
|
|
2455
2455
|
* @param options See {@link SvelteKitOAuthResourceServerOptions}
|
|
2456
2456
|
*/
|
|
2457
2457
|
constructor(r, o = {}) {
|
|
2458
|
-
if (super(r, o), this.errorBody = {}, this.protectedEndpoints = {}, this.protectedEndpointPrefixes = [], this.sessionDataName = "oauth", this.tokenLocations = ["header"], y("errorBody",
|
|
2458
|
+
if (super(r, o), this.errorBody = {}, this.protectedEndpoints = {}, this.protectedEndpointPrefixes = [], this.sessionDataName = "oauth", this.tokenLocations = ["header"], y("errorBody", _.Json, this, o, "OAUTH_RESSERVER_ACCESS_DENIED_BODY"), y("tokenLocations", _.JsonArray, this, o, "OAUTH_TOKEN_LOCATIONS"), y("sessionDataName", _.String, this, o, "OAUTH_SESSION_DATA_NAME"), this.userStorage = o.userStorage, this.sessionAdapter = o.sessionAdapter, o.protectedEndpoints) {
|
|
2459
2459
|
const s = /^[!#\$%&'\(\)\*\+,\.\/a-zA-Z\[\]\^_`-]+/;
|
|
2460
2460
|
for (const [e, t] of Object.entries(o.protectedEndpoints)) {
|
|
2461
2461
|
if (!e.startsWith("/"))
|
|
@@ -2676,7 +2676,7 @@ const D = class D {
|
|
|
2676
2676
|
oAuthResServer: i,
|
|
2677
2677
|
options: c
|
|
2678
2678
|
}) {
|
|
2679
|
-
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl",
|
|
2679
|
+
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (h) => ({}), this.dummyActions = {}, this.dummyBff = async (h) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl", _.String, this, c, "LOGIN_URL", !1), c.isAdminFn && (D.isAdminFn = c.isAdminFn);
|
|
2680
2680
|
let d = {};
|
|
2681
2681
|
if (c.authenticators && (d = c.authenticators), this.userStorage = c.userStorage, r) {
|
|
2682
2682
|
if (!d)
|
|
@@ -2721,7 +2721,7 @@ const D = class D {
|
|
|
2721
2721
|
)
|
|
2722
2722
|
);
|
|
2723
2723
|
}
|
|
2724
|
-
i && (y("audience",
|
|
2724
|
+
i && (y("audience", _.String, this, c, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2725
2725
|
[new te(this.audience, c)],
|
|
2726
2726
|
{ sessionAdapter: this.sessionAdapter, ...i.options, ...c }
|
|
2727
2727
|
)), this.hooks = async ({ event: h, resolve: g }) => {
|
|
@@ -2956,7 +2956,7 @@ class we {
|
|
|
2956
2956
|
...e
|
|
2957
2957
|
};
|
|
2958
2958
|
}
|
|
2959
|
-
}, this.sessionServer = r, y("changePasswordUrl",
|
|
2959
|
+
}, this.sessionServer = r, y("changePasswordUrl", _.String, this, o, "CHANGE_PASSWORD_URL"), y("requestPasswordResetUrl", _.String, this, o, "REQUEST_PASSWORD_RESET_URL"), y("changeFactor2Url", _.String, this, o, "CHANGE_FACTOR2_URL"), y("loginRedirectUrl", _.JsonArray, this, o, "LOGIN_REDIRECT_URL"), y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.addToSession && (this.addToSession = o.addToSession);
|
|
2960
2960
|
}
|
|
2961
2961
|
/** Returns whether there is a user logged in with a cookie-based session
|
|
2962
2962
|
*/
|
|
@@ -3205,7 +3205,7 @@ class we {
|
|
|
3205
3205
|
u.Forbidden,
|
|
3206
3206
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3207
3207
|
);
|
|
3208
|
-
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
|
|
3208
|
+
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields, this.sessionServer.userAllowedFactor1);
|
|
3209
3209
|
let a = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
3210
3210
|
const i = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
3211
3211
|
let c = {};
|
|
@@ -4427,7 +4427,8 @@ class ke {
|
|
|
4427
4427
|
{
|
|
4428
4428
|
...this.sessionServer.userStorage.userEditableFields,
|
|
4429
4429
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4430
|
-
}
|
|
4430
|
+
},
|
|
4431
|
+
this.sessionServer.adminAllowedFactor1
|
|
4431
4432
|
);
|
|
4432
4433
|
const a = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
4433
4434
|
let i = !0;
|
|
@@ -4552,7 +4553,7 @@ class X {
|
|
|
4552
4553
|
* @param options See {@link SvelteKitSessionServerOptions}
|
|
4553
4554
|
*/
|
|
4554
4555
|
constructor(r, o) {
|
|
4555
|
-
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl",
|
|
4556
|
+
this.loginUrl = "/login", this.clientSearchFn = Se, this.validFlows = ["all"], this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect ?? Q, this.error = o.error ?? Y, y("validFlows", _.JsonArray, this, o, "OAUTH_validFlows"), this.validFlows.length == 1 && this.validFlows[0] == E.All && (this.validFlows = E.allFlows()), this.valid_flowNames = E.flowNames(this.validFlows), o.clientStorage && (this.clientManager = new B(o)), this.clientStorage = o.clientStorage;
|
|
4556
4557
|
}
|
|
4557
4558
|
///////////////////////////////////////////////////////////////////
|
|
4558
4559
|
// Functions callable from apps
|
|
@@ -5018,7 +5019,7 @@ class Ce extends X {
|
|
|
5018
5019
|
actions: {
|
|
5019
5020
|
default: async (s) => await this.deleteClient(s)
|
|
5020
5021
|
}
|
|
5021
|
-
}, this.sessionServer = r, y("loginUrl",
|
|
5022
|
+
}, this.sessionServer = r, y("loginUrl", _.JsonArray, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
|
|
5022
5023
|
}
|
|
5023
5024
|
///////////////////////////////////////////////////////////////////
|
|
5024
5025
|
// Functions callable from apps
|
|
@@ -5200,7 +5201,7 @@ class ye extends X {
|
|
|
5200
5201
|
actions: {
|
|
5201
5202
|
default: async (s) => await this.deleteClient(s)
|
|
5202
5203
|
}
|
|
5203
|
-
}, this.sessionServer = r, y("loginUrl",
|
|
5204
|
+
}, this.sessionServer = r, y("loginUrl", _.String, this, o, "LOGIN_URL"), o.clientSearchFn && (this.clientSearchFn = o.clientSearchFn), this.redirect = o.redirect, this.error = o.error;
|
|
5204
5205
|
}
|
|
5205
5206
|
///////////////////////////////////////////////////////////////////
|
|
5206
5207
|
// Functions callable from apps
|
|
@@ -5262,33 +5263,33 @@ class ye extends X {
|
|
|
5262
5263
|
}
|
|
5263
5264
|
}
|
|
5264
5265
|
const x = "X-CROSSAUTH-CSRF";
|
|
5265
|
-
function
|
|
5266
|
+
function _e(k) {
|
|
5266
5267
|
let r = [];
|
|
5267
5268
|
return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
|
|
5268
5269
|
}
|
|
5269
|
-
function
|
|
5270
|
-
var
|
|
5271
|
-
let
|
|
5270
|
+
function Ee(k, r, o, s = ["localpassword"]) {
|
|
5271
|
+
var i;
|
|
5272
|
+
let t = {
|
|
5272
5273
|
username: r.username ?? "",
|
|
5273
5274
|
state: "active"
|
|
5274
5275
|
};
|
|
5275
|
-
const
|
|
5276
|
-
for (let
|
|
5277
|
-
let
|
|
5278
|
-
if (
|
|
5279
|
-
if ("type_" +
|
|
5280
|
-
if (r["type_" +
|
|
5281
|
-
|
|
5282
|
-
else if (r["type_" +
|
|
5283
|
-
|
|
5284
|
-
else if (r["type_" +
|
|
5285
|
-
const
|
|
5286
|
-
|
|
5276
|
+
const a = k.locals.user && m.isAdminFn(k.locals.user);
|
|
5277
|
+
for (let c in r) {
|
|
5278
|
+
let d = c.replace(/^user_/, "");
|
|
5279
|
+
if (c.startsWith("user_") && (a || o.includes(d)))
|
|
5280
|
+
if ("type_" + d in r) {
|
|
5281
|
+
if (r["type_" + d] == "string")
|
|
5282
|
+
t[d] = r[c];
|
|
5283
|
+
else if (r["type_" + d] == "number" || r["type_" + d] == "integer" || r["type_" + d] == "float")
|
|
5284
|
+
t[d] = Number(r[c]);
|
|
5285
|
+
else if (r["type_" + d] == "boolean") {
|
|
5286
|
+
const h = (i = r[c]) == null ? void 0 : i.toLocaleLowerCase();
|
|
5287
|
+
t[d] = h == "1" || h == "y" || h == "t" || h == "yes" || h == "true";
|
|
5287
5288
|
}
|
|
5288
5289
|
} else
|
|
5289
|
-
|
|
5290
|
+
t[d] = r[c];
|
|
5290
5291
|
}
|
|
5291
|
-
return
|
|
5292
|
+
return t.factor1 = "localpassword", r.factor1 && s.includes(r.factor1) && (t.factor1 = r.factor1), t.factor2 = r.factor2, t;
|
|
5292
5293
|
}
|
|
5293
5294
|
function ve(k, r, o, s) {
|
|
5294
5295
|
var t;
|
|
@@ -5319,9 +5320,9 @@ class H {
|
|
|
5319
5320
|
* @param options See {@link SvelteKitSessionServerOptions}.
|
|
5320
5321
|
*/
|
|
5321
5322
|
constructor(r, o, s = {}) {
|
|
5322
|
-
this.validateUserFn =
|
|
5323
|
+
this.validateUserFn = _e, this.createUserFn = Ee, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.adminProtectedExceptionPageEndpoints = [], this.adminProtectedExceptionApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.userAllowedFactor1 = ["localpassword"], this.adminAllowedFactor1 = ["localpassword"], this.keyStorage = r, this.userStorage = s.userStorage, this.clientStorage = s.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, s), this.redirect = s.redirect ?? Q, this.error = s.error ?? Y, y("factor2Url", _.String, this, s, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", _.JsonArray, this, s, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", _.JsonArray, this, s, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", _.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", _.JsonArray, this, s, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", _.JsonArray, this, s, "ADMIN_API_ENDPOINTS"), y("adminProtectedExceptionPageEndpoints", _.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("adminProtectedExceptionApiEndpoints", _.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("loginUrl", _.JsonArray, this, s, "LOGIN_URL"), y("unauthorizedUrl", _.JsonArray, this, s, "UNAUTHORIZED_PAGE"), y("userAllowedFactor1", _.JsonArray, this, s, "USER_ALLOWED_FACTOR1"), y("adminAllowedFactor1", _.JsonArray, this, s, "ADMIN_ALLOWED_FACTOR1");
|
|
5323
5324
|
let e = {};
|
|
5324
|
-
if (y("allowedFactor2",
|
|
5325
|
+
if (y("allowedFactor2", _.JsonArray, e, s, "ALLOWED_FACTOR2"), this.allowedFactor2Names = s.allowedFactor2 ?? ["none"], e.allowedFactor2)
|
|
5325
5326
|
for (let t of e.allowedFactor2)
|
|
5326
5327
|
t in this.authenticators ? this.allowedFactor2.push({
|
|
5327
5328
|
name: t,
|
|
@@ -5332,7 +5333,7 @@ class H {
|
|
|
5332
5333
|
friendlyName: "None",
|
|
5333
5334
|
configurable: !1
|
|
5334
5335
|
});
|
|
5335
|
-
y("enableEmailVerification",
|
|
5336
|
+
y("enableEmailVerification", _.Boolean, this, s, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", _.Boolean, this, s, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", _.Boolean, this, s, "ENABLE_CSRF_PROTECTION"), y("editUserScope", _.String, this, s, "EDIT_USER_SCOPE"), s.validateUserFn && (this.validateUserFn = s.validateUserFn), s.createUserFn && (this.createUserFn = s.createUserFn), s.updateUserFn && (this.updateUserFn = s.updateUserFn), s.addToSession && (this.addToSession = s.addToSession), s.validateSession && (this.validateSession = s.validateSession), this.userEndpoints = new we(this, s), this.adminEndpoints = new ke(this, s), this.userClientEndpoints = new Ce(this, s), this.adminClientEndpoints = new ye(this, s), this.sessionHook = async ({ event: t }) => {
|
|
5336
5337
|
var h, g;
|
|
5337
5338
|
l.logger.debug("Session hook");
|
|
5338
5339
|
let a = [];
|
|
@@ -88,7 +88,7 @@ export interface SvelteKitSessionServerOptions extends SessionManagerOptions {
|
|
|
88
88
|
*/
|
|
89
89
|
createUserFn?: (event: RequestEvent, data: {
|
|
90
90
|
[key: string]: string | undefined;
|
|
91
|
-
}, userEditableFields: string[]) => UserInputFields;
|
|
91
|
+
}, userEditableFields: string[], allowableFactor1: string[]) => UserInputFields;
|
|
92
92
|
/** Function that updates a user from form fields.
|
|
93
93
|
* Default one takes fields that begin with `user_`, removing the `user_`
|
|
94
94
|
* prefix and filtering out anything not in the userEditableFields list in
|
|
@@ -264,6 +264,16 @@ export interface SvelteKitSessionServerOptions extends SessionManagerOptions {
|
|
|
264
264
|
redirect?: any;
|
|
265
265
|
/** Pass the Sveltekit error function */
|
|
266
266
|
error?: any;
|
|
267
|
+
/**
|
|
268
|
+
* When signing up themselves, users may choose any of these.
|
|
269
|
+
* Default: ["localpassword"]
|
|
270
|
+
*/
|
|
271
|
+
userAllowedFactor1?: string[];
|
|
272
|
+
/**
|
|
273
|
+
* When admins create a user, they may choose any of these.
|
|
274
|
+
* Default: ["localpassword"]
|
|
275
|
+
*/
|
|
276
|
+
adminAllowedFactor1?: string[];
|
|
267
277
|
}
|
|
268
278
|
/**
|
|
269
279
|
* The Sveltekit session server.
|
|
@@ -331,7 +341,7 @@ export declare class SvelteKitSessionServer implements SvelteKitSessionAdapter {
|
|
|
331
341
|
*/
|
|
332
342
|
createUserFn: (event: RequestEvent, data: {
|
|
333
343
|
[key: string]: string | undefined;
|
|
334
|
-
}, userEditableFields: string[]) => UserInputFields;
|
|
344
|
+
}, userEditableFields: string[], allowableFactor1: string[]) => UserInputFields;
|
|
335
345
|
/**
|
|
336
346
|
* Funtion to update a user record from form fields. Taken from the options during
|
|
337
347
|
* construction or the default value.
|
|
@@ -444,6 +454,8 @@ export declare class SvelteKitSessionServer implements SvelteKitSessionAdapter {
|
|
|
444
454
|
* See {@link SvelteKitServerOptions}.
|
|
445
455
|
*/
|
|
446
456
|
readonly editUserScope?: string;
|
|
457
|
+
readonly userAllowedFactor1: string[];
|
|
458
|
+
readonly adminAllowedFactor1: string[];
|
|
447
459
|
/**
|
|
448
460
|
* Constructor
|
|
449
461
|
* @param keyStorage where session IDs, email verification and reset tokens are stored
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@crossauth/sveltekit",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.37",
|
|
4
4
|
"license": "Apache-2.0",
|
|
5
5
|
"private": false,
|
|
6
6
|
"type": "module",
|
|
@@ -46,8 +46,8 @@
|
|
|
46
46
|
"minimatch": "^10.0.1",
|
|
47
47
|
"qrcode": "^1.5.4",
|
|
48
48
|
"vite-plugin-dts": "^3.6.4",
|
|
49
|
-
"@crossauth/backend": "^0.0.
|
|
50
|
-
"@crossauth/common": "^0.0.
|
|
49
|
+
"@crossauth/backend": "^0.0.37",
|
|
50
|
+
"@crossauth/common": "^0.0.37"
|
|
51
51
|
},
|
|
52
52
|
"scripts": {
|
|
53
53
|
"preparex": "svelte-kit sync",
|