@crossauth/sveltekit 0.0.36 → 0.0.38
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +1 -1
- package/dist/index.js +1261 -1220
- package/dist/sveltekitsession.d.ts +32 -6
- package/dist/sveltekituserendpoints.d.ts +4 -2
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { minimatch as
|
|
2
|
-
import { ApiKeyManager as
|
|
3
|
-
import { CrossauthError as n, ErrorCode as
|
|
1
|
+
import { minimatch as N } from "minimatch";
|
|
2
|
+
import { ApiKeyManager as q, KeyStorage as $, toCookieSerializeOptions as P, Crypto as A, OAuthAuthorizationServer as Z, setParameter as y, ParamType as E, DoubleSubmitCsrfToken as ee, OAuthClientManager as B, OAuthClientBackend as re, OAuthResourceServer as se, OAuthTokenConsumer as te, TokenEmailer as oe, SessionManager as ie } from "@crossauth/backend";
|
|
3
|
+
import { CrossauthError as n, ErrorCode as h, CrossauthLogger as l, j as f, OAuthFlows as _, UserState as I, httpStatus as K } from "@crossauth/common";
|
|
4
4
|
import { json as v, redirect as Q, error as Y } from "@sveltejs/kit";
|
|
5
5
|
import "cookie";
|
|
6
6
|
import { jwtDecode as M } from "jwt-decode";
|
|
@@ -26,11 +26,11 @@ class b {
|
|
|
26
26
|
this.clone = r;
|
|
27
27
|
}
|
|
28
28
|
async loadData(r) {
|
|
29
|
-
var s, e, t,
|
|
29
|
+
var s, e, t, i;
|
|
30
30
|
if (!((s = r.request) != null && s.body))
|
|
31
31
|
return;
|
|
32
32
|
const o = r.request.headers.get("content-type");
|
|
33
|
-
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((
|
|
33
|
+
o == "application/json" ? this.jsonData = this.clone ? await ((t = (e = r.request) == null ? void 0 : e.clone()) == null ? void 0 : t.json()) : await ((i = r.request) == null ? void 0 : i.json()) : (o == "application/x-www-form-urlencoded" || o != null && o.startsWith("multipart/form-data")) && (this.formData = this.clone ? await r.request.clone().formData() : await r.request.formData());
|
|
34
34
|
}
|
|
35
35
|
get(r) {
|
|
36
36
|
if (this.jsonData) return this.jsonData[r];
|
|
@@ -54,7 +54,7 @@ class b {
|
|
|
54
54
|
try {
|
|
55
55
|
return Number(o);
|
|
56
56
|
} catch {
|
|
57
|
-
throw new n(
|
|
57
|
+
throw new n(h.FormEntry, "Value for " + r + " is not a number");
|
|
58
58
|
}
|
|
59
59
|
}
|
|
60
60
|
has(r) {
|
|
@@ -84,7 +84,7 @@ class ne {
|
|
|
84
84
|
* @param options See {@link SvelteKitApiKeyServerOptions}
|
|
85
85
|
*/
|
|
86
86
|
constructor(r, o, s = {}) {
|
|
87
|
-
this.userStorage = r, this.apiKeyManager = new
|
|
87
|
+
this.userStorage = r, this.apiKeyManager = new q(o, s), this.hook = async ({ event: e }) => {
|
|
88
88
|
l.logger.debug("APIKey hook");
|
|
89
89
|
const t = e.request.headers.get("authorization");
|
|
90
90
|
if (t)
|
|
@@ -92,29 +92,29 @@ class ne {
|
|
|
92
92
|
l.logger.debug(f({
|
|
93
93
|
msg: "Received authorization header"
|
|
94
94
|
}));
|
|
95
|
-
const
|
|
95
|
+
const i = await this.apiKeyManager.validateToken(
|
|
96
96
|
t
|
|
97
97
|
);
|
|
98
98
|
l.logger.debug(f({
|
|
99
99
|
msg: "Valid API key",
|
|
100
|
-
hahedApiKey:
|
|
100
|
+
hahedApiKey: q.hashSignedApiKeyValue(i.value)
|
|
101
101
|
}));
|
|
102
|
-
const
|
|
103
|
-
if (e.locals.apiKey = { ...
|
|
102
|
+
const a = $.decodeData(i.data);
|
|
103
|
+
if (e.locals.apiKey = { ...i, ...a }, "scope" in a && Array.isArray(a.scope)) {
|
|
104
104
|
let c = [];
|
|
105
|
-
for (let d of
|
|
105
|
+
for (let d of a.scope)
|
|
106
106
|
typeof d == "string" && c.push(d);
|
|
107
107
|
e.locals.scope = c;
|
|
108
108
|
}
|
|
109
|
-
if (
|
|
109
|
+
if (i.userid)
|
|
110
110
|
try {
|
|
111
|
-
const { user: c } = await this.userStorage.getUserById(
|
|
112
|
-
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey:
|
|
111
|
+
const { user: c } = await this.userStorage.getUserById(i.userid);
|
|
112
|
+
e.locals.user = c, e.locals.authType = "apiKey", l.logger.debug(f({ msg: "API key is for user", userid: c.id, user: c.username, hahedApiKey: q.hashSignedApiKeyValue(i.value) }));
|
|
113
113
|
} catch (c) {
|
|
114
|
-
l.logger.error(f({ msg: "API key has invalid user", userid:
|
|
114
|
+
l.logger.error(f({ msg: "API key has invalid user", userid: i.userid, hashedApiKey: q.hashSignedApiKeyValue(i.value) })), l.logger.debug(f({ err: c }));
|
|
115
115
|
}
|
|
116
|
-
} catch (
|
|
117
|
-
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err:
|
|
116
|
+
} catch (i) {
|
|
117
|
+
l.logger.error(f({ msg: "Invalid authorization header received", header: t })), l.logger.debug(f({ err: i }));
|
|
118
118
|
}
|
|
119
119
|
};
|
|
120
120
|
}
|
|
@@ -130,9 +130,9 @@ class ce {
|
|
|
130
130
|
* @param options see {@link SvelteKitAuthorizationServerOptions}
|
|
131
131
|
*/
|
|
132
132
|
constructor(r, o, s, e, t = {}) {
|
|
133
|
-
var
|
|
133
|
+
var i;
|
|
134
134
|
this.loginUrl = "/login", this.refreshTokenType = "json", this.refreshTokenCookieName = "CROSSAUTH_REFRESH_TOKEN", this.refreshTokenCookieDomain = void 0, this.refreshTokenCookieHttpOnly = !1, this.refreshTokenCookiePath = "/", this.refreshTokenCookieSecure = !0, this.refreshTokenCookieSameSite = "strict", this.authorizeEndpointUrl = "/oauth/authorize", this.tokenEndpointUrl = "/oauth/token", this.jwksEndpointUrl = "/oauth/jwks", this.oidcConfigurationEndpoint = {
|
|
135
|
-
get: async (
|
|
135
|
+
get: async (a) => v(this.authServer.oidcConfiguration(
|
|
136
136
|
{
|
|
137
137
|
authorizeEndpoint: this.authorizeEndpointUrl,
|
|
138
138
|
tokenEndpoint: this.tokenEndpointUrl,
|
|
@@ -141,7 +141,7 @@ class ce {
|
|
|
141
141
|
}
|
|
142
142
|
))
|
|
143
143
|
}, this.jwksGetEndpoint = {
|
|
144
|
-
get: async (
|
|
144
|
+
get: async (a) => {
|
|
145
145
|
try {
|
|
146
146
|
return v(this.authServer.jwks());
|
|
147
147
|
} catch (c) {
|
|
@@ -153,7 +153,7 @@ class ce {
|
|
|
153
153
|
}
|
|
154
154
|
}
|
|
155
155
|
}, this.getCsrfTokenEndpoint = {
|
|
156
|
-
get: async (
|
|
156
|
+
get: async (a) => {
|
|
157
157
|
var d;
|
|
158
158
|
if (!this.csrfTokens) return v({
|
|
159
159
|
ok: !1,
|
|
@@ -163,23 +163,23 @@ class ce {
|
|
|
163
163
|
let c = "";
|
|
164
164
|
try {
|
|
165
165
|
const {
|
|
166
|
-
csrfCookie:
|
|
166
|
+
csrfCookie: u,
|
|
167
167
|
csrfFormOrHeaderValue: g
|
|
168
168
|
} = await this.createCsrfToken();
|
|
169
|
-
return c =
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
169
|
+
return c = u.value, a.cookies.set(
|
|
170
|
+
u.name,
|
|
171
|
+
u.value,
|
|
172
|
+
P(u.options)
|
|
173
173
|
), v({ ok: !0, csrfToken: g });
|
|
174
|
-
} catch (
|
|
175
|
-
const g = n.asCrossauthError(
|
|
174
|
+
} catch (u) {
|
|
175
|
+
const g = n.asCrossauthError(u);
|
|
176
176
|
return l.logger.error(f({
|
|
177
177
|
msg: "getcsrftoken failure",
|
|
178
|
-
user: (d =
|
|
179
|
-
hashedCsrfCookie:
|
|
178
|
+
user: (d = a.locals.user) == null ? void 0 : d.username,
|
|
179
|
+
hashedCsrfCookie: A.hash(c.split(".")[0]),
|
|
180
180
|
error: g.code,
|
|
181
181
|
errorCodeName: g.codeName
|
|
182
|
-
})), l.logger.debug(f({ err:
|
|
182
|
+
})), l.logger.debug(f({ err: u })), l.logger.error({ cerr: u }), v({
|
|
183
183
|
ok: !1,
|
|
184
184
|
error: g.oauthErrorCode,
|
|
185
185
|
error_description: g.message
|
|
@@ -187,50 +187,50 @@ class ce {
|
|
|
187
187
|
}
|
|
188
188
|
}
|
|
189
189
|
}, this.authorizeEndpoint = {
|
|
190
|
-
load: async (
|
|
191
|
-
var
|
|
190
|
+
load: async (a) => {
|
|
191
|
+
var p, S;
|
|
192
192
|
if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode)))
|
|
193
193
|
throw this.error(401, "authorize cannot be called because the authorization code flows are not supported");
|
|
194
|
-
if (!
|
|
194
|
+
if (!a.locals.user) return this.redirect(
|
|
195
195
|
302,
|
|
196
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
196
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
197
197
|
);
|
|
198
|
-
let c = this.getAuthorizeQuery(
|
|
198
|
+
let c = this.getAuthorizeQuery(a);
|
|
199
199
|
if (!c.query) return c.error;
|
|
200
200
|
let d = c.query;
|
|
201
201
|
l.logger.debug(f({ msg: "validating authorize parameters" }));
|
|
202
|
-
let { error_description:
|
|
203
|
-
if (
|
|
202
|
+
let { error_description: u } = this.authServer.validateAuthorizeParameters(d), g;
|
|
203
|
+
if (u ? (g = new n(h.BadRequest, u), l.logger.error(f({
|
|
204
204
|
msg: "authorize parameter invalid",
|
|
205
205
|
cerr: g,
|
|
206
|
-
user: (
|
|
206
|
+
user: (p = a.locals.user) == null ? void 0 : p.username
|
|
207
207
|
}))) : l.logger.error(f({
|
|
208
208
|
msg: "authorize parameter valid",
|
|
209
|
-
user: (S =
|
|
209
|
+
user: (S = a.locals.user) == null ? void 0 : S.username
|
|
210
210
|
})), g)
|
|
211
211
|
return {
|
|
212
212
|
ok: !1,
|
|
213
213
|
error: g.oauthErrorCode,
|
|
214
214
|
error_description: g.message
|
|
215
215
|
};
|
|
216
|
-
let
|
|
216
|
+
let w = !1;
|
|
217
217
|
if (l.logger.debug(f({
|
|
218
218
|
msg: "Checking scopes have been authorized",
|
|
219
219
|
scope: d.scope
|
|
220
|
-
})), d.scope ?
|
|
220
|
+
})), d.scope ? w = await this.authServer.hasAllScopes(
|
|
221
221
|
d.client_id,
|
|
222
|
-
|
|
222
|
+
a.locals.user,
|
|
223
223
|
d.scope.split(" ")
|
|
224
|
-
) :
|
|
224
|
+
) : w = await this.authServer.hasAllScopes(
|
|
225
225
|
d.client_id,
|
|
226
|
-
|
|
226
|
+
a.locals.user,
|
|
227
227
|
[null]
|
|
228
|
-
),
|
|
228
|
+
), w) {
|
|
229
229
|
l.logger.debug(f({
|
|
230
230
|
msg: "All scopes authorized",
|
|
231
231
|
scope: d.scope
|
|
232
232
|
}));
|
|
233
|
-
const C = await this.authorize(
|
|
233
|
+
const C = await this.authorize(a, !0, {
|
|
234
234
|
responseType: d.response_type,
|
|
235
235
|
client_id: d.client_id,
|
|
236
236
|
redirect_uri: d.redirect_uri,
|
|
@@ -254,7 +254,7 @@ class ce {
|
|
|
254
254
|
return {
|
|
255
255
|
ok: !0,
|
|
256
256
|
authorizationNeeded: {
|
|
257
|
-
user:
|
|
257
|
+
user: a.locals.user,
|
|
258
258
|
response_type: d.response_type,
|
|
259
259
|
client_id: d.client_id,
|
|
260
260
|
client_name: C.client_name,
|
|
@@ -264,13 +264,13 @@ class ce {
|
|
|
264
264
|
state: d.state,
|
|
265
265
|
code_challenge: d.code_challenge,
|
|
266
266
|
code_challenge_method: d.code_challenge_method,
|
|
267
|
-
csrfToken:
|
|
267
|
+
csrfToken: a.locals.csrfToken
|
|
268
268
|
},
|
|
269
269
|
...this.baseEndpoint
|
|
270
270
|
};
|
|
271
271
|
} catch (C) {
|
|
272
|
-
const
|
|
273
|
-
return l.logger.debug(f({ err:
|
|
272
|
+
const U = C;
|
|
273
|
+
return l.logger.debug(f({ err: U })), {
|
|
274
274
|
ok: !1,
|
|
275
275
|
error: "unauthorized_client",
|
|
276
276
|
error_description: "Not a valid client"
|
|
@@ -280,33 +280,33 @@ class ce {
|
|
|
280
280
|
},
|
|
281
281
|
// load
|
|
282
282
|
actions: {
|
|
283
|
-
default: async (
|
|
284
|
-
var
|
|
283
|
+
default: async (a) => {
|
|
284
|
+
var u;
|
|
285
285
|
let c;
|
|
286
286
|
try {
|
|
287
287
|
var d = new b();
|
|
288
|
-
await d.loadData(
|
|
289
|
-
const g = d.getAsBoolean("authorized"),
|
|
290
|
-
let
|
|
291
|
-
if (g == null && (
|
|
288
|
+
await d.loadData(a), c = d.toObject();
|
|
289
|
+
const g = d.getAsBoolean("authorized"), w = c.response_type, p = c.client_id, S = c.redirect_uri, C = c.scope, U = c.state, R = c.code_challenge, F = c.code_challenge_method;
|
|
290
|
+
let T;
|
|
291
|
+
if (g == null && (T = "authorized"), w ? p ? S ? U || (T = "state") : T = "redirect_uri" : T = "client_id" : T = "response_type", T)
|
|
292
292
|
return {
|
|
293
293
|
ok: !1,
|
|
294
294
|
error: "invalid_request",
|
|
295
|
-
error_description: "Invalid form: does not contain " +
|
|
295
|
+
error_description: "Invalid form: does not contain " + T + " parameter"
|
|
296
296
|
};
|
|
297
|
-
if (!
|
|
297
|
+
if (!a.locals.user) return this.redirect(
|
|
298
298
|
302,
|
|
299
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
299
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
300
300
|
);
|
|
301
|
-
if ((
|
|
302
|
-
const z = await this.authorize(
|
|
303
|
-
responseType:
|
|
304
|
-
client_id:
|
|
301
|
+
if ((u = this.svelteKitServer.sessionServer) != null && u.enableCsrfProtection && !a.locals.csrfToken) throw new n(h.InvalidCsrf);
|
|
302
|
+
const z = await this.authorize(a, g ?? !1, {
|
|
303
|
+
responseType: w,
|
|
304
|
+
client_id: p,
|
|
305
305
|
redirect_uri: S,
|
|
306
306
|
scope: C,
|
|
307
|
-
state:
|
|
308
|
-
codeChallenge:
|
|
309
|
-
codeChallengeMethod:
|
|
307
|
+
state: U,
|
|
308
|
+
codeChallenge: R,
|
|
309
|
+
codeChallengeMethod: F
|
|
310
310
|
});
|
|
311
311
|
return {
|
|
312
312
|
ok: !1,
|
|
@@ -315,10 +315,10 @@ class ce {
|
|
|
315
315
|
};
|
|
316
316
|
} catch (g) {
|
|
317
317
|
if (m.isSvelteKitError(g) || m.isSvelteKitRedirect(g)) throw g;
|
|
318
|
-
let
|
|
318
|
+
let w = n.asCrossauthError(g, "Couldn't process authorization code");
|
|
319
319
|
return {
|
|
320
|
-
error:
|
|
321
|
-
error_description:
|
|
320
|
+
error: w.oauthErrorCode,
|
|
321
|
+
error_description: w.message,
|
|
322
322
|
ok: !1,
|
|
323
323
|
formData: c
|
|
324
324
|
};
|
|
@@ -326,7 +326,7 @@ class ce {
|
|
|
326
326
|
}
|
|
327
327
|
}
|
|
328
328
|
}, this.tokenEndpoint = {
|
|
329
|
-
post: async (
|
|
329
|
+
post: async (a) => {
|
|
330
330
|
let c;
|
|
331
331
|
try {
|
|
332
332
|
if (!(this.authServer.validFlows.includes(_.AuthorizationCode) || this.authServer.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.authServer.validFlows.includes(_.OidcAuthorizationCode) || this.authServer.validFlows.includes(_.ClientCredentials) || this.authServer.validFlows.includes(_.RefreshToken) || this.authServer.validFlows.includes(_.Password) || this.authServer.validFlows.includes(_.PasswordMfa || this.authServer.validFlows.includes(_.DeviceCode))))
|
|
@@ -336,32 +336,32 @@ class ce {
|
|
|
336
336
|
error_description: "Token endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
337
337
|
}, { status: 500 });
|
|
338
338
|
var d = new b();
|
|
339
|
-
await d.loadData(
|
|
340
|
-
const { client_id:
|
|
341
|
-
let
|
|
342
|
-
if ((this.refreshTokenType == "cookie" &&
|
|
343
|
-
const C =
|
|
344
|
-
let
|
|
345
|
-
if (Array.isArray(
|
|
339
|
+
await d.loadData(a), c = d.toObject();
|
|
340
|
+
const { client_id: u, client_secret: g } = this.getClientIdAndSecret(c, a);
|
|
341
|
+
let w = c.refresh_token, p = a.cookies.get(this.refreshTokenCookieName);
|
|
342
|
+
if ((this.refreshTokenType == "cookie" && p || this.refreshTokenType == "both" && p && w == null) && this.csrfTokens) {
|
|
343
|
+
const C = a.cookies.get(this.csrfTokens.cookieName);
|
|
344
|
+
let U = a.request.headers.get(this.csrfTokens.headerName.toLowerCase());
|
|
345
|
+
if (Array.isArray(U) && (U = U[0]), !C || !U)
|
|
346
346
|
return v({
|
|
347
347
|
ok: !1,
|
|
348
348
|
error: "access_denied",
|
|
349
349
|
error_description: "Invalid csrf token"
|
|
350
350
|
}, { status: 401 });
|
|
351
351
|
try {
|
|
352
|
-
this.csrfTokens.validateDoubleSubmitCsrfToken(C,
|
|
353
|
-
} catch (
|
|
354
|
-
return l.logger.debug(f({ err:
|
|
352
|
+
this.csrfTokens.validateDoubleSubmitCsrfToken(C, U);
|
|
353
|
+
} catch (R) {
|
|
354
|
+
return l.logger.debug(f({ err: R })), l.logger.warn(f({ cerr: R, msg: "Invalid csrf token", client_id: c.client_id })), v({
|
|
355
355
|
ok: !1,
|
|
356
356
|
error: "access_denied",
|
|
357
357
|
error_description: "Invalid csrf token"
|
|
358
358
|
}, { status: 401 });
|
|
359
359
|
}
|
|
360
|
-
|
|
360
|
+
w = p;
|
|
361
361
|
}
|
|
362
362
|
const S = await this.authServer.tokenEndpoint({
|
|
363
363
|
grantType: c.grant_type,
|
|
364
|
-
client_id:
|
|
364
|
+
client_id: u,
|
|
365
365
|
client_secret: g,
|
|
366
366
|
scope: c.scope,
|
|
367
367
|
codeVerifier: c.code_verifier,
|
|
@@ -372,71 +372,71 @@ class ce {
|
|
|
372
372
|
oobCode: c.oob_code,
|
|
373
373
|
bindingCode: c.binding_code,
|
|
374
374
|
otp: c.otp,
|
|
375
|
-
refreshToken:
|
|
375
|
+
refreshToken: w,
|
|
376
376
|
deviceCode: c.device_code
|
|
377
377
|
});
|
|
378
|
-
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(
|
|
378
|
+
if (S.refresh_token && this.refreshTokenType != "json" && this.setRefreshTokenCookie(a, S.refresh_token, S.expires_in), S.error == "authorization_pending")
|
|
379
379
|
return v(S);
|
|
380
380
|
if (S.error || !S.access_token) {
|
|
381
|
-
let C = "server_error",
|
|
382
|
-
S.error && (C = S.error), S.error_description && (
|
|
383
|
-
const
|
|
384
|
-
return l.logger.error(f({ cerr:
|
|
381
|
+
let C = "server_error", U = "Neither code nor error received when requestoing authorization";
|
|
382
|
+
S.error && (C = S.error), S.error_description && (U = S.error_description);
|
|
383
|
+
const R = n.fromOAuthError(C, U);
|
|
384
|
+
return l.logger.error(f({ cerr: R })), v(S, { status: R.httpStatus });
|
|
385
385
|
}
|
|
386
386
|
return v(S);
|
|
387
|
-
} catch (
|
|
388
|
-
const g = n.asCrossauthError(
|
|
389
|
-
return l.logger.debug({ err:
|
|
387
|
+
} catch (u) {
|
|
388
|
+
const g = n.asCrossauthError(u);
|
|
389
|
+
return l.logger.debug({ err: u }), l.logger.error({ cerr: u }), v({
|
|
390
390
|
error: g.oauthErrorCode,
|
|
391
391
|
error_description: g.message
|
|
392
392
|
}, { status: g.httpStatus });
|
|
393
393
|
}
|
|
394
394
|
}
|
|
395
395
|
}, this.mfaAuthenticatorsEndpoint = {
|
|
396
|
-
get: async (
|
|
396
|
+
get: async (a) => {
|
|
397
397
|
try {
|
|
398
398
|
var c = new b();
|
|
399
|
-
return await c.loadData(
|
|
399
|
+
return await c.loadData(a), v(await this.mfaAuthenticators(a));
|
|
400
400
|
} catch (d) {
|
|
401
|
-
const
|
|
401
|
+
const u = n.asCrossauthError(d);
|
|
402
402
|
return l.logger.debug({ err: d }), l.logger.error({ cerr: d }), v({
|
|
403
|
-
error:
|
|
404
|
-
error_description:
|
|
403
|
+
error: u.oauthErrorCode,
|
|
404
|
+
error_description: u.message
|
|
405
405
|
});
|
|
406
406
|
}
|
|
407
407
|
},
|
|
408
|
-
post: async (
|
|
408
|
+
post: async (a) => {
|
|
409
409
|
try {
|
|
410
410
|
var c = new b();
|
|
411
|
-
await c.loadData(
|
|
412
|
-
let d = await this.mfaAuthenticators(
|
|
413
|
-
return !Array.isArray(d) && d.error == "access_denied" ?
|
|
411
|
+
await c.loadData(a);
|
|
412
|
+
let d = await this.mfaAuthenticators(a), u = 200;
|
|
413
|
+
return !Array.isArray(d) && d.error == "access_denied" ? u = 401 : !Array.isArray(d) && d.error && (u = 500), v(d, { status: u });
|
|
414
414
|
} catch (d) {
|
|
415
|
-
const
|
|
415
|
+
const u = n.asCrossauthError(d);
|
|
416
416
|
return l.logger.debug({ err: d }), l.logger.error({ cerr: d }), v({
|
|
417
|
-
error:
|
|
418
|
-
error_description:
|
|
419
|
-
}, { status:
|
|
417
|
+
error: u.oauthErrorCode,
|
|
418
|
+
error_description: u.message
|
|
419
|
+
}, { status: u.httpStatus });
|
|
420
420
|
}
|
|
421
421
|
}
|
|
422
422
|
}, this.mfaChallengeEndpoint = {
|
|
423
|
-
post: async (
|
|
423
|
+
post: async (a) => {
|
|
424
424
|
try {
|
|
425
425
|
var c = new b();
|
|
426
|
-
await c.loadData(
|
|
427
|
-
const d = await this.mfaChallenge(
|
|
428
|
-
let
|
|
429
|
-
return d.error == "access_denied" ?
|
|
426
|
+
await c.loadData(a);
|
|
427
|
+
const d = await this.mfaChallenge(a);
|
|
428
|
+
let u = 200;
|
|
429
|
+
return d.error == "access_denied" ? u = 401 : d.error && (u = 500), v(d, { status: u });
|
|
430
430
|
} catch (d) {
|
|
431
|
-
const
|
|
431
|
+
const u = n.asCrossauthError(d);
|
|
432
432
|
return l.logger.debug({ err: d }), l.logger.error({ cerr: d }), v({
|
|
433
|
-
error:
|
|
434
|
-
error_description:
|
|
433
|
+
error: u.oauthErrorCode,
|
|
434
|
+
error_description: u.message
|
|
435
435
|
}, { status: 500 });
|
|
436
436
|
}
|
|
437
437
|
}
|
|
438
438
|
}, this.deviceAuthorizationEndpoint = {
|
|
439
|
-
post: async (
|
|
439
|
+
post: async (a) => {
|
|
440
440
|
let c;
|
|
441
441
|
try {
|
|
442
442
|
if (!this.authServer.validFlows.includes(_.DeviceCode))
|
|
@@ -446,59 +446,59 @@ class ce {
|
|
|
446
446
|
error_description: "Device authorization endpoint cannot be called as the supported OAuth flow types don't require it"
|
|
447
447
|
});
|
|
448
448
|
var d = new b();
|
|
449
|
-
await d.loadData(
|
|
450
|
-
const { client_id:
|
|
451
|
-
client_id:
|
|
449
|
+
await d.loadData(a), c = d.toObject();
|
|
450
|
+
const { client_id: u, client_secret: g } = this.getClientIdAndSecret(c, a), w = await this.authServer.deviceAuthorizationEndpoint({
|
|
451
|
+
client_id: u,
|
|
452
452
|
client_secret: g,
|
|
453
453
|
scope: c.scope
|
|
454
454
|
});
|
|
455
|
-
if (
|
|
456
|
-
const
|
|
457
|
-
return l.logger.error(f({ cerr:
|
|
455
|
+
if (w.error) {
|
|
456
|
+
const p = n.fromOAuthError(w.error, w.error_description);
|
|
457
|
+
return l.logger.error(f({ cerr: p })), v(w, { status: 500 });
|
|
458
458
|
}
|
|
459
|
-
if (!
|
|
460
|
-
let
|
|
461
|
-
const C = new n(
|
|
459
|
+
if (!w.device_code || !w.user_code || !w.verification_uri || !w.verification_uri_complete || !w.expires_in) {
|
|
460
|
+
let p = "server_error", S = "Device authorization result has missing data";
|
|
461
|
+
const C = new n(h.UnknownError, S);
|
|
462
462
|
return l.logger.error(f({ cerr: C })), v({
|
|
463
|
-
error:
|
|
463
|
+
error: p,
|
|
464
464
|
error_description: S
|
|
465
465
|
}, { status: 500 });
|
|
466
466
|
}
|
|
467
|
-
return v(
|
|
468
|
-
} catch (
|
|
469
|
-
const g = n.asCrossauthError(
|
|
470
|
-
return l.logger.debug({ err:
|
|
467
|
+
return v(w);
|
|
468
|
+
} catch (u) {
|
|
469
|
+
const g = n.asCrossauthError(u);
|
|
470
|
+
return l.logger.debug({ err: u }), l.logger.error({ cerr: u }), v({
|
|
471
471
|
error: g.oauthErrorCode,
|
|
472
472
|
error_description: g.message
|
|
473
473
|
}, { status: 500 });
|
|
474
474
|
}
|
|
475
475
|
}
|
|
476
476
|
}, this.deviceEndpoint = {
|
|
477
|
-
load: async (
|
|
477
|
+
load: async (a) => {
|
|
478
478
|
if (!this.authServer.validFlows.includes(_.DeviceCode))
|
|
479
479
|
throw this.error(401, "device cannot be called because the device code flow is not supported");
|
|
480
|
-
if (!
|
|
480
|
+
if (!a.locals.user) return this.redirect(
|
|
481
481
|
302,
|
|
482
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
482
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
483
483
|
);
|
|
484
|
-
let c =
|
|
485
|
-
return c ? await this.applyUserCode(c,
|
|
484
|
+
let c = a.url.searchParams.get("user_code");
|
|
485
|
+
return c ? await this.applyUserCode(c, a, a.locals.user) : {
|
|
486
486
|
ok: !0,
|
|
487
487
|
completed: !1,
|
|
488
488
|
retryAllowed: !0,
|
|
489
|
-
user:
|
|
490
|
-
csrfToken:
|
|
489
|
+
user: a.locals.user,
|
|
490
|
+
csrfToken: a.locals.csrfToken
|
|
491
491
|
};
|
|
492
492
|
},
|
|
493
493
|
// load
|
|
494
494
|
actions: {
|
|
495
|
-
userCode: async (
|
|
496
|
-
if (!
|
|
495
|
+
userCode: async (a) => {
|
|
496
|
+
if (!a.locals.user) throw this.error(401, "Access Denied");
|
|
497
497
|
try {
|
|
498
498
|
var c = new b();
|
|
499
|
-
await c.loadData(
|
|
499
|
+
await c.loadData(a);
|
|
500
500
|
const d = c.get("user_code");
|
|
501
|
-
return d ? await this.applyUserCode(d,
|
|
501
|
+
return d ? await this.applyUserCode(d, a, a.locals.user) : {
|
|
502
502
|
ok: !1,
|
|
503
503
|
completed: !1,
|
|
504
504
|
retryAllowed: !0,
|
|
@@ -507,25 +507,25 @@ class ce {
|
|
|
507
507
|
};
|
|
508
508
|
} catch (d) {
|
|
509
509
|
if (m.isSvelteKitError(d) || m.isSvelteKitRedirect(d)) throw d;
|
|
510
|
-
let
|
|
510
|
+
let u = n.asCrossauthError(d, "Couldn't validate user code");
|
|
511
511
|
return {
|
|
512
512
|
ok: !1,
|
|
513
513
|
completed: !1,
|
|
514
514
|
retryAllowed: !0,
|
|
515
|
-
error:
|
|
516
|
-
error_description:
|
|
515
|
+
error: u.oauthErrorCode,
|
|
516
|
+
error_description: u.message
|
|
517
517
|
};
|
|
518
518
|
}
|
|
519
519
|
},
|
|
520
|
-
authorize: async (
|
|
521
|
-
var
|
|
520
|
+
authorize: async (a) => {
|
|
521
|
+
var u;
|
|
522
522
|
let c;
|
|
523
523
|
try {
|
|
524
524
|
var d = new b();
|
|
525
|
-
await d.loadData(
|
|
526
|
-
const g = d.getAsBoolean("authorized"),
|
|
525
|
+
await d.loadData(a), c = d.toObject();
|
|
526
|
+
const g = d.getAsBoolean("authorized"), w = c.scope, p = c.client_id, S = c.user_code;
|
|
527
527
|
let C;
|
|
528
|
-
if (g == null && (C = "authorized"),
|
|
528
|
+
if (g == null && (C = "authorized"), p == null && (C = "client_id"), S == null && (C = "user_code"), C)
|
|
529
529
|
return {
|
|
530
530
|
ok: !1,
|
|
531
531
|
completed: !1,
|
|
@@ -533,24 +533,24 @@ class ce {
|
|
|
533
533
|
error: "invalid_request",
|
|
534
534
|
error_description: "Invalid form: does not contain " + C + " parameter"
|
|
535
535
|
};
|
|
536
|
-
if (!
|
|
536
|
+
if (!a.locals.user) return this.redirect(
|
|
537
537
|
302,
|
|
538
|
-
this.loginUrl + "?next=" + encodeURIComponent(
|
|
538
|
+
this.loginUrl + "?next=" + encodeURIComponent(a.request.url)
|
|
539
539
|
);
|
|
540
|
-
if ((
|
|
541
|
-
return (await this.authServer.validateAndPersistScope(
|
|
540
|
+
if ((u = this.svelteKitServer.sessionServer) != null && u.enableCsrfProtection && !a.locals.csrfToken) throw new n(h.InvalidCsrf);
|
|
541
|
+
return (await this.authServer.validateAndPersistScope(p, w, a.locals.user)).error ? {
|
|
542
542
|
ok: !1,
|
|
543
543
|
completed: !1,
|
|
544
544
|
retryAllowed: !1,
|
|
545
545
|
error: "unauthorized_client",
|
|
546
546
|
error_description: "You did not authorize access to your account"
|
|
547
|
-
} : await this.applyUserCode(S,
|
|
547
|
+
} : await this.applyUserCode(S, a, a.locals.user);
|
|
548
548
|
} catch (g) {
|
|
549
549
|
if (m.isSvelteKitError(g) || m.isSvelteKitRedirect(g)) throw g;
|
|
550
|
-
let
|
|
550
|
+
let w = n.asCrossauthError(g, "Couldn't process authorization code");
|
|
551
551
|
return {
|
|
552
|
-
error:
|
|
553
|
-
error_description:
|
|
552
|
+
error: w.oauthErrorCode,
|
|
553
|
+
error_description: w.message,
|
|
554
554
|
ok: !1,
|
|
555
555
|
completed: !1,
|
|
556
556
|
retryAllowed: !1
|
|
@@ -563,7 +563,7 @@ class ce {
|
|
|
563
563
|
s,
|
|
564
564
|
e,
|
|
565
565
|
t
|
|
566
|
-
), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("refreshTokenType", E.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((
|
|
566
|
+
), y("loginUrl", E.String, this, t, "LOGIN_URL"), y("refreshTokenType", E.String, this, t, "OAUTH_REFRESH_TOKEN_TYPE"), y("refreshTokenCookieName", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_NAME"), y("refreshTokenCookieDomain", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_DOMAIN"), y("refreshTokenCookieHttpOnly", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_HTTPONLY"), y("refreshTokenCookiePath", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_PATH"), y("refreshTokenCookieSecure", E.Boolean, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SECURE"), y("refreshTokenCookieSameSite", E.String, this, t, "OAUTH_REFRESH_TOKEN_COOKIE_SAMESITE"), y("authorizeEndpointUrl", E.String, this, t, "OAUTH_AUTHORIZE_ENDPOINT"), y("tokenEndpointUrl", E.String, this, t, "OAUTH_TOKEN_ENDPOINT"), y("jwksEndpointUrl", E.String, this, t, "OAUTH_JWKS_ENDPOINT"), this.refreshTokenType != "json" && (((i = this.svelteKitServer.sessionServer) == null ? void 0 : i.enableCsrfProtection) == !0 ? this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens : this.csrfTokens = new ee(t.doubleSubmitCookieOptions));
|
|
567
567
|
}
|
|
568
568
|
/**
|
|
569
569
|
* Returns this server's OIDC configuration. Just wraps
|
|
@@ -585,55 +585,55 @@ class ce {
|
|
|
585
585
|
responseType: s,
|
|
586
586
|
client_id: e,
|
|
587
587
|
redirect_uri: t,
|
|
588
|
-
scope:
|
|
589
|
-
state:
|
|
588
|
+
scope: i,
|
|
589
|
+
state: a,
|
|
590
590
|
codeChallenge: c,
|
|
591
591
|
codeChallengeMethod: d
|
|
592
592
|
}) {
|
|
593
|
-
let
|
|
593
|
+
let u, g, w;
|
|
594
594
|
if (o) {
|
|
595
|
-
const
|
|
595
|
+
const p = await this.authServer.authorizeGetEndpoint({
|
|
596
596
|
responseType: s,
|
|
597
597
|
client_id: e,
|
|
598
598
|
redirect_uri: t,
|
|
599
|
-
scope:
|
|
600
|
-
state:
|
|
599
|
+
scope: i,
|
|
600
|
+
state: a,
|
|
601
601
|
codeChallenge: c,
|
|
602
602
|
codeChallengeMethod: d,
|
|
603
603
|
user: r.locals.user
|
|
604
604
|
});
|
|
605
|
-
if (
|
|
605
|
+
if (w = p.code, u = p.error, g = p.error_description, u || !w) {
|
|
606
606
|
const S = n.fromOAuthError(
|
|
607
|
-
|
|
607
|
+
u ?? "server_error",
|
|
608
608
|
g ?? "Neither code nor error received"
|
|
609
609
|
);
|
|
610
610
|
return l.logger.error(f({ cerr: S })), {
|
|
611
611
|
ok: !1,
|
|
612
|
-
error:
|
|
612
|
+
error: u,
|
|
613
613
|
error_description: g
|
|
614
614
|
};
|
|
615
615
|
}
|
|
616
616
|
throw this.redirect(302, this.authServer.redirect_uri(
|
|
617
617
|
t,
|
|
618
|
-
|
|
619
|
-
|
|
618
|
+
w,
|
|
619
|
+
a
|
|
620
620
|
));
|
|
621
621
|
} else {
|
|
622
|
-
const
|
|
623
|
-
|
|
622
|
+
const p = new n(
|
|
623
|
+
h.Unauthorized,
|
|
624
624
|
"You have not granted access"
|
|
625
625
|
);
|
|
626
|
-
l.logger.debug(f({ err:
|
|
626
|
+
l.logger.debug(f({ err: p })), l.logger.error(f({ cerr: p })), l.logger.error(f({
|
|
627
627
|
msg: g,
|
|
628
|
-
errorCode:
|
|
629
|
-
errorCodeName:
|
|
628
|
+
errorCode: p.code,
|
|
629
|
+
errorCodeName: p.codeName
|
|
630
630
|
}));
|
|
631
631
|
try {
|
|
632
632
|
throw B.validateUri(t), this.redirect(302, t + "?error=access_denied&error_description=" + encodeURIComponent("Access was not granted"));
|
|
633
633
|
} catch (S) {
|
|
634
634
|
if (m.isSvelteKitError(S) || m.isSvelteKitRedirect(S)) throw S;
|
|
635
635
|
return l.logger.error(f({
|
|
636
|
-
msg: `Couldn't send error message ${
|
|
636
|
+
msg: `Couldn't send error message ${p.codeName} to ${t}}`
|
|
637
637
|
})), {
|
|
638
638
|
ok: !1,
|
|
639
639
|
error: "server_error",
|
|
@@ -651,7 +651,7 @@ class ce {
|
|
|
651
651
|
* @returns a CSRF cookie and value to put in the form or CSRF header
|
|
652
652
|
*/
|
|
653
653
|
async createCsrfToken() {
|
|
654
|
-
if (!this.csrfTokens) throw new n(
|
|
654
|
+
if (!this.csrfTokens) throw new n(h.Configuration, "CSRF tokens not enabled");
|
|
655
655
|
this.csrfTokens.makeCsrfCookie(this.csrfTokens.createCsrfToken());
|
|
656
656
|
const r = this.csrfTokens.createCsrfToken(), o = this.csrfTokens.makeCsrfFormOrHeaderToken(r);
|
|
657
657
|
return {
|
|
@@ -690,13 +690,13 @@ class ce {
|
|
|
690
690
|
if (o = this.requireGetParam(r, "client_id"), o) return { error: o };
|
|
691
691
|
if (o = this.requireGetParam(r, "redirect_uri"), o) return { error: o };
|
|
692
692
|
if (o = this.requireGetParam(r, "state"), o) return { error: o };
|
|
693
|
-
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "",
|
|
693
|
+
const s = r.url.searchParams.get("response_type") ?? "", e = r.url.searchParams.get("client_id") ?? "", t = r.url.searchParams.get("redirect_uri") ?? "", i = r.url.searchParams.get("scope") ?? void 0, a = r.url.searchParams.get("state") ?? "", c = r.url.searchParams.get("code_challenge") ?? void 0, d = r.url.searchParams.get("code_challenge_method") ?? void 0;
|
|
694
694
|
return { query: {
|
|
695
695
|
response_type: s,
|
|
696
696
|
client_id: e,
|
|
697
697
|
redirect_uri: t,
|
|
698
|
-
scope:
|
|
699
|
-
state:
|
|
698
|
+
scope: i,
|
|
699
|
+
state: a,
|
|
700
700
|
code_challenge: c,
|
|
701
701
|
code_challenge_method: d
|
|
702
702
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
@@ -710,18 +710,18 @@ class ce {
|
|
|
710
710
|
if (e = this.requireBodyParam(s, "challenge_type"), e) return { error: e };
|
|
711
711
|
if (e = this.requireBodyParam(s, "mfa_token"), e) return { error: e };
|
|
712
712
|
if (e = this.requireBodyParam(s, "authenticator_id"), e) return { error: e };
|
|
713
|
-
const t = s.client_id ?? "",
|
|
713
|
+
const t = s.client_id ?? "", i = s.challenge_type ?? "", a = s.mfa_token ?? "", c = s.authenticator_id ?? "", d = s.client_secret ?? void 0;
|
|
714
714
|
return { query: {
|
|
715
715
|
client_id: t,
|
|
716
716
|
client_secret: d,
|
|
717
|
-
challenge_type:
|
|
718
|
-
mfa_token:
|
|
717
|
+
challenge_type: i,
|
|
718
|
+
mfa_token: a,
|
|
719
719
|
authenticator_id: c
|
|
720
720
|
}, error: { error: "Unknown error", error_description: "Unknown error", ok: !0 } };
|
|
721
721
|
}
|
|
722
722
|
async mfaAuthenticators(r) {
|
|
723
|
-
var
|
|
724
|
-
const o = (
|
|
723
|
+
var i;
|
|
724
|
+
const o = (i = r.request.headers.get("authorization")) == null ? void 0 : i.split(" ");
|
|
725
725
|
if (!o || o.length != 2)
|
|
726
726
|
return {
|
|
727
727
|
error: "access_denied",
|
|
@@ -752,65 +752,65 @@ class ce {
|
|
|
752
752
|
let s = r.client_id, e = r.client_secret;
|
|
753
753
|
const t = o.request.headers.get("authorization");
|
|
754
754
|
if (t) {
|
|
755
|
-
let
|
|
755
|
+
let i, a;
|
|
756
756
|
const c = t.split(" ");
|
|
757
757
|
if (c.length == 2 && c[0].toLocaleLowerCase() == "basic") {
|
|
758
|
-
const
|
|
759
|
-
|
|
758
|
+
const u = A.base64Decode(c[1]).split(":", 2);
|
|
759
|
+
u.length == 2 && (i = u[0], a = u[1]);
|
|
760
760
|
}
|
|
761
|
-
|
|
761
|
+
i == null || a == null ? l.logger.warn(f({
|
|
762
762
|
msg: "Ignoring malform authenization header " + t
|
|
763
|
-
})) : (s =
|
|
763
|
+
})) : (s = i, e = a);
|
|
764
764
|
}
|
|
765
765
|
return { client_id: s, client_secret: e };
|
|
766
766
|
}
|
|
767
767
|
async applyUserCode(r, o, s) {
|
|
768
|
-
var e, t,
|
|
768
|
+
var e, t, i;
|
|
769
769
|
try {
|
|
770
|
-
const
|
|
771
|
-
if (
|
|
770
|
+
const a = await this.authServer.deviceEndpoint({ userCode: r, user: s });
|
|
771
|
+
if (a.error)
|
|
772
772
|
return {
|
|
773
773
|
ok: !1,
|
|
774
774
|
completed: !1,
|
|
775
775
|
retryAllowed: !1,
|
|
776
|
-
error:
|
|
777
|
-
error_description:
|
|
776
|
+
error: a.error,
|
|
777
|
+
error_description: a.error_description
|
|
778
778
|
};
|
|
779
|
-
if (!
|
|
780
|
-
return l.logger.error(f({ msg: "No client id found for user code", userCodeHash:
|
|
779
|
+
if (!a.client_id)
|
|
780
|
+
return l.logger.error(f({ msg: "No client id found for user code", userCodeHash: A.hash(r), ip: o.request.referrer, username: (e = o.locals.user) == null ? void 0 : e.username })), {
|
|
781
781
|
ok: !1,
|
|
782
782
|
completed: !1,
|
|
783
783
|
retryAllowed: !1,
|
|
784
784
|
error: "server_error",
|
|
785
785
|
error_description: "No client id found for user code"
|
|
786
786
|
};
|
|
787
|
-
if (
|
|
788
|
-
return l.logger.error(f({ msg: "Incorrect user code given", userCodeHash:
|
|
787
|
+
if (a.error == "access_denied")
|
|
788
|
+
return l.logger.error(f({ msg: "Incorrect user code given", userCodeHash: A.hash(r), ip: o.request.referrer, username: (t = o.locals.user) == null ? void 0 : t.username })), this.authServer.userCodeThrottle > 0 && await ((u) => new Promise((g) => setTimeout(g, u)))(this.authServer.userCodeThrottle), {
|
|
789
789
|
ok: !1,
|
|
790
790
|
completed: !1,
|
|
791
791
|
retryAllowed: !0,
|
|
792
|
-
error:
|
|
793
|
-
error_description:
|
|
792
|
+
error: a.error,
|
|
793
|
+
error_description: a.error_description
|
|
794
794
|
};
|
|
795
|
-
if (
|
|
796
|
-
return l.logger.error(f({ msg: "Expired user code", userCodeHash:
|
|
795
|
+
if (a.error == "expired_token")
|
|
796
|
+
return l.logger.error(f({ msg: "Expired user code", userCodeHash: A.hash(r), ip: o.request.referrer, username: (i = o.locals.user) == null ? void 0 : i.username })), {
|
|
797
797
|
ok: !1,
|
|
798
798
|
completed: !1,
|
|
799
799
|
retryAllowed: !1,
|
|
800
|
-
error:
|
|
801
|
-
error_description:
|
|
800
|
+
error: a.error,
|
|
801
|
+
error_description: a.error_description
|
|
802
802
|
};
|
|
803
|
-
const c = await this.clientStorage.getClientById(
|
|
804
|
-
return
|
|
803
|
+
const c = await this.clientStorage.getClientById(a.client_id);
|
|
804
|
+
return a.scopeAuthorizationNeeded ? {
|
|
805
805
|
ok: !0,
|
|
806
806
|
completed: !1,
|
|
807
807
|
retryAllowed: !0,
|
|
808
808
|
authorizationNeeded: {
|
|
809
809
|
user: s,
|
|
810
|
-
client_id:
|
|
810
|
+
client_id: a.client_id,
|
|
811
811
|
client_name: c.client_name,
|
|
812
|
-
scope:
|
|
813
|
-
scopes:
|
|
812
|
+
scope: a.scope,
|
|
813
|
+
scopes: a.scope ? a.scope.split(" ") : [],
|
|
814
814
|
csrfToken: o.locals.csrfToken
|
|
815
815
|
},
|
|
816
816
|
user: o.locals.user,
|
|
@@ -823,8 +823,8 @@ class ce {
|
|
|
823
823
|
user: o.locals.user,
|
|
824
824
|
csrfToken: o.locals.csrfToken
|
|
825
825
|
};
|
|
826
|
-
} catch (
|
|
827
|
-
const c = n.asCrossauthError(
|
|
826
|
+
} catch (a) {
|
|
827
|
+
const c = n.asCrossauthError(a);
|
|
828
828
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ msg: c.message, cerr: c })), {
|
|
829
829
|
ok: !1,
|
|
830
830
|
completed: !1,
|
|
@@ -870,7 +870,7 @@ function O(k) {
|
|
|
870
870
|
let r;
|
|
871
871
|
if (k)
|
|
872
872
|
try {
|
|
873
|
-
r = JSON.parse(
|
|
873
|
+
r = JSON.parse(A.base64Decode(k.split(".")[1]));
|
|
874
874
|
} catch (o) {
|
|
875
875
|
const s = n.asCrossauthError(o);
|
|
876
876
|
l.logger.debug(f({ err: s })), l.logger.error(f({ msg: "Couldn't decode token", cerr: s }));
|
|
@@ -886,7 +886,7 @@ function L(k, r) {
|
|
|
886
886
|
if (k.access_token)
|
|
887
887
|
try {
|
|
888
888
|
if (k.access_token && r.includes("access")) {
|
|
889
|
-
const s = M(k.access_token), e = s.jti ? s.jti : s.sid ? s.sid : "", t = e ?
|
|
889
|
+
const s = M(k.access_token), e = s.jti ? s.jti : s.sid ? s.sid : "", t = e ? A.hash(e) : void 0;
|
|
890
890
|
l.logger.debug(f({
|
|
891
891
|
msg: "Got access token",
|
|
892
892
|
accessTokenHash: t
|
|
@@ -900,7 +900,7 @@ function L(k, r) {
|
|
|
900
900
|
if (k.id_token && r.includes("id")) {
|
|
901
901
|
const s = k.id_payload ?? M(k.id_token);
|
|
902
902
|
if (s) {
|
|
903
|
-
const e = s.jti ? s.jti : s.sid ? s.sid : "", t = e ?
|
|
903
|
+
const e = s.jti ? s.jti : s.sid ? s.sid : "", t = e ? A.hash(e) : void 0;
|
|
904
904
|
l.logger.debug(f({
|
|
905
905
|
msg: "Got id token",
|
|
906
906
|
idTokenHash: t
|
|
@@ -913,7 +913,7 @@ function L(k, r) {
|
|
|
913
913
|
if (k.refresh_token && r.includes("refresh"))
|
|
914
914
|
try {
|
|
915
915
|
if (k.refresh_token) {
|
|
916
|
-
const s = (o = M(k.refresh_token)) == null ? void 0 : o.jti, e = s ?
|
|
916
|
+
const s = (o = M(k.refresh_token)) == null ? void 0 : o.jti, e = s ? A.hash(s) : void 0;
|
|
917
917
|
l.logger.debug(f({
|
|
918
918
|
msg: "Got refresh token",
|
|
919
919
|
refreshTokenHash: e
|
|
@@ -926,24 +926,24 @@ function L(k, r) {
|
|
|
926
926
|
async function j(k, r, o) {
|
|
927
927
|
if (!r.server.sessionAdapter)
|
|
928
928
|
throw new n(
|
|
929
|
-
|
|
929
|
+
h.Configuration,
|
|
930
930
|
"Cannot update session data if not using sessions"
|
|
931
931
|
);
|
|
932
932
|
let s = k.expires_in;
|
|
933
933
|
if (!s && k.access_token && r.jwtTokens.includes("access")) {
|
|
934
|
-
const
|
|
935
|
-
|
|
934
|
+
const i = M(k.access_token);
|
|
935
|
+
i.exp && (s = i.exp);
|
|
936
936
|
}
|
|
937
937
|
if (!s)
|
|
938
938
|
throw new n(
|
|
939
|
-
|
|
939
|
+
h.BadRequest,
|
|
940
940
|
"OAuth server did not return an expiry for the access token"
|
|
941
941
|
);
|
|
942
942
|
const e = Date.now() + s * 1e3;
|
|
943
943
|
let t = { ...k, expires_at: e };
|
|
944
944
|
if ("id_token" in k) {
|
|
945
|
-
let
|
|
946
|
-
|
|
945
|
+
let i = k.id_payload ?? O(k.id_token);
|
|
946
|
+
i && (t.id_payload = i);
|
|
947
947
|
}
|
|
948
948
|
await r.storeSessionData(o, t);
|
|
949
949
|
}
|
|
@@ -965,8 +965,8 @@ async function de(k, r, o, s, e) {
|
|
|
965
965
|
if (!s) return r.redirect(302, r.authorizedUrl);
|
|
966
966
|
} catch (t) {
|
|
967
967
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
968
|
-
const
|
|
969
|
-
return l.logger.debug(f({ err:
|
|
968
|
+
const i = n.asCrossauthError(t);
|
|
969
|
+
return l.logger.debug(f({ err: i })), l.logger.debug(f({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
|
|
970
970
|
}
|
|
971
971
|
}
|
|
972
972
|
async function he(k, r, o, s, e) {
|
|
@@ -987,8 +987,8 @@ async function he(k, r, o, s, e) {
|
|
|
987
987
|
return v({ ok: !0, ...k });
|
|
988
988
|
} catch (t) {
|
|
989
989
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
990
|
-
const
|
|
991
|
-
return l.logger.debug(f({ err:
|
|
990
|
+
const i = n.asCrossauthError(t);
|
|
991
|
+
return l.logger.debug(f({ err: i })), l.logger.debug(f({ cerr: i, msg: "Error receiving tokens" })), r.errorFn(r.server, o, i);
|
|
992
992
|
}
|
|
993
993
|
}
|
|
994
994
|
async function ue(k, r, o, s, e) {
|
|
@@ -1008,11 +1008,11 @@ async function ue(k, r, o, s, e) {
|
|
|
1008
1008
|
return r.jwtTokens.includes("id") && (t.id_payload = k.id_payload ?? O(k.id_token)), t.id_payload && await e(o, t.id_payload), t;
|
|
1009
1009
|
} catch (t) {
|
|
1010
1010
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
1011
|
-
const
|
|
1012
|
-
return l.logger.debug(f({ err:
|
|
1011
|
+
const i = n.asCrossauthError(t);
|
|
1012
|
+
return l.logger.debug(f({ err: i })), l.logger.debug(f({ cerr: i, msg: "Error receiving tokens" })), {
|
|
1013
1013
|
ok: !1,
|
|
1014
|
-
error:
|
|
1015
|
-
error_description:
|
|
1014
|
+
error: i.oauthErrorCode,
|
|
1015
|
+
error_description: i.message
|
|
1016
1016
|
};
|
|
1017
1017
|
}
|
|
1018
1018
|
}
|
|
@@ -1051,25 +1051,25 @@ class G extends re {
|
|
|
1051
1051
|
if (super(o, s), this.sessionDataName = "oauth", this.receiveTokenFn = J, this.errorFn = W, this.loginUrl = "/login", this.validFlows = [_.All], this.authorizedUrl = "", this.autoRefreshActive = {}, this.loginProtectedFlows = [], this.tokenResponseType = "sendJson", this.errorResponseType = "sendJson", this.bffEndpoints = [], this.bffEndpointName = "bff", this.tokenEndpoints = [], this.bffMaxTries = 1, this.bffSleepMilliseconds = 500, this.jwtTokens = ["access", "id", "refresh"], this.testMiddleware = !1, this.testEvent = void 0, this.authorizationCodeFlowEndpoint = {
|
|
1052
1052
|
get: async (e) => {
|
|
1053
1053
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1054
|
-
const t = new n(
|
|
1054
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1055
1055
|
return this.errorFn(this.server, e, t);
|
|
1056
1056
|
}
|
|
1057
1057
|
try {
|
|
1058
1058
|
if (!this.validFlows.includes(_.AuthorizationCode)) {
|
|
1059
|
-
const g = new n(
|
|
1059
|
+
const g = new n(h.Unauthorized, "Authorization flow is not supported");
|
|
1060
1060
|
return this.errorFn(this.server, e, g);
|
|
1061
1061
|
}
|
|
1062
1062
|
if (!this.server.sessionAdapter)
|
|
1063
|
-
throw new n(
|
|
1063
|
+
throw new n(h.Configuration, "Need session server or adapter for authorization code flow");
|
|
1064
1064
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1065
1065
|
t == "" && (t = void 0);
|
|
1066
|
-
const
|
|
1067
|
-
await this.storeSessionData(e,
|
|
1068
|
-
const { url: c, error: d, error_description:
|
|
1066
|
+
const i = this.randomValue(this.stateLength), a = { scope: t, state: i };
|
|
1067
|
+
await this.storeSessionData(e, a);
|
|
1068
|
+
const { url: c, error: d, error_description: u } = await this.startAuthorizationCodeFlow(i, t);
|
|
1069
1069
|
if (d || !c) {
|
|
1070
1070
|
const g = n.fromOAuthError(
|
|
1071
1071
|
d ?? "server_error",
|
|
1072
|
-
|
|
1072
|
+
u
|
|
1073
1073
|
);
|
|
1074
1074
|
return await this.errorFn(this.server, e, g);
|
|
1075
1075
|
}
|
|
@@ -1078,8 +1078,8 @@ class G extends re {
|
|
|
1078
1078
|
})), this.redirect(302, c);
|
|
1079
1079
|
} catch (t) {
|
|
1080
1080
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1081
|
-
const
|
|
1082
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e,
|
|
1081
|
+
const i = n.asCrossauthError(t);
|
|
1082
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, e, i);
|
|
1083
1083
|
}
|
|
1084
1084
|
},
|
|
1085
1085
|
load: async (e) => {
|
|
@@ -1087,7 +1087,7 @@ class G extends re {
|
|
|
1087
1087
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1088
1088
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1089
1089
|
) {
|
|
1090
|
-
const t = new n(
|
|
1090
|
+
const t = new n(h.Unauthorized, "Authorization flow is not supported");
|
|
1091
1091
|
return {
|
|
1092
1092
|
ok: !1,
|
|
1093
1093
|
error: t.oauthErrorCode,
|
|
@@ -1096,7 +1096,7 @@ class G extends re {
|
|
|
1096
1096
|
}
|
|
1097
1097
|
try {
|
|
1098
1098
|
if (!this.validFlows.includes(_.AuthorizationCode)) {
|
|
1099
|
-
const g = new n(
|
|
1099
|
+
const g = new n(h.Unauthorized, "Authorization flow is not supported");
|
|
1100
1100
|
return {
|
|
1101
1101
|
ok: !1,
|
|
1102
1102
|
error: g.oauthErrorCode,
|
|
@@ -1104,16 +1104,16 @@ class G extends re {
|
|
|
1104
1104
|
};
|
|
1105
1105
|
}
|
|
1106
1106
|
if (!this.server.sessionAdapter)
|
|
1107
|
-
throw new n(
|
|
1107
|
+
throw new n(h.Configuration, "Need session server or adapter for authorization code flow");
|
|
1108
1108
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1109
1109
|
t == "" && (t = void 0);
|
|
1110
|
-
const
|
|
1111
|
-
await this.storeSessionData(e,
|
|
1112
|
-
const { url: c, error: d, error_description:
|
|
1110
|
+
const i = this.randomValue(this.stateLength), a = { scope: t, state: i };
|
|
1111
|
+
await this.storeSessionData(e, a);
|
|
1112
|
+
const { url: c, error: d, error_description: u } = await this.startAuthorizationCodeFlow(i, t);
|
|
1113
1113
|
if (d || !c) {
|
|
1114
1114
|
const g = n.fromOAuthError(
|
|
1115
1115
|
d ?? "server_error",
|
|
1116
|
-
|
|
1116
|
+
u
|
|
1117
1117
|
);
|
|
1118
1118
|
return {
|
|
1119
1119
|
ok: !1,
|
|
@@ -1126,49 +1126,49 @@ class G extends re {
|
|
|
1126
1126
|
})), this.redirect(302, c);
|
|
1127
1127
|
} catch (t) {
|
|
1128
1128
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1129
|
-
const
|
|
1129
|
+
const i = n.asCrossauthError(t);
|
|
1130
1130
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1131
1131
|
ok: !1,
|
|
1132
|
-
error:
|
|
1133
|
-
error_description:
|
|
1132
|
+
error: i.oauthErrorCode,
|
|
1133
|
+
error_description: i.message
|
|
1134
1134
|
};
|
|
1135
1135
|
}
|
|
1136
1136
|
}
|
|
1137
1137
|
}, this.authorizationCodeFlowWithPKCEEndpoint = {
|
|
1138
1138
|
get: async (e) => {
|
|
1139
1139
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1140
|
-
const t = new n(
|
|
1140
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1141
1141
|
return this.errorFn(this.server, e, t);
|
|
1142
1142
|
}
|
|
1143
1143
|
try {
|
|
1144
1144
|
if (!this.validFlows.includes(_.AuthorizationCodeWithPKCE)) {
|
|
1145
|
-
const
|
|
1146
|
-
return this.errorFn(this.server, e,
|
|
1145
|
+
const p = new n(h.Unauthorized, "Authorization flow is not supported");
|
|
1146
|
+
return this.errorFn(this.server, e, p);
|
|
1147
1147
|
}
|
|
1148
1148
|
if (!this.server.sessionAdapter)
|
|
1149
|
-
throw new n(
|
|
1149
|
+
throw new n(h.Configuration, "Need session server or adapter for authorization code flow");
|
|
1150
1150
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1151
1151
|
t == "" && (t = void 0);
|
|
1152
|
-
const
|
|
1152
|
+
const i = this.randomValue(this.stateLength), { codeChallenge: a, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: i, codeChallenge: a, codeVerifier: c };
|
|
1153
1153
|
await this.storeSessionData(e, d);
|
|
1154
|
-
const { url:
|
|
1155
|
-
if (g || !
|
|
1156
|
-
const
|
|
1154
|
+
const { url: u, error: g, error_description: w } = await this.startAuthorizationCodeFlow(i, t, a, !0);
|
|
1155
|
+
if (g || !u) {
|
|
1156
|
+
const p = n.fromOAuthError(
|
|
1157
1157
|
g ?? "server_error",
|
|
1158
|
-
|
|
1158
|
+
w
|
|
1159
1159
|
);
|
|
1160
|
-
return await this.errorFn(this.server, e,
|
|
1160
|
+
return await this.errorFn(this.server, e, p);
|
|
1161
1161
|
}
|
|
1162
|
-
throw this.oauthLogFetch ? l.logger.debug(f({ msg: "OAuth redirect", url:
|
|
1162
|
+
throw this.oauthLogFetch ? l.logger.debug(f({ msg: "OAuth redirect", url: u })) : l.logger.debug(f({
|
|
1163
1163
|
msg: "OAuth redirect"
|
|
1164
|
-
})), this.redirect(302,
|
|
1164
|
+
})), this.redirect(302, u);
|
|
1165
1165
|
} catch (t) {
|
|
1166
1166
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1167
|
-
const
|
|
1167
|
+
const i = n.asCrossauthError(t);
|
|
1168
1168
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), v({
|
|
1169
|
-
error:
|
|
1170
|
-
error_description:
|
|
1171
|
-
}, { status:
|
|
1169
|
+
error: i.oauthErrorCode,
|
|
1170
|
+
error_description: i.message
|
|
1171
|
+
}, { status: i.httpStatus });
|
|
1172
1172
|
}
|
|
1173
1173
|
},
|
|
1174
1174
|
load: async (e) => {
|
|
@@ -1176,7 +1176,7 @@ class G extends re {
|
|
|
1176
1176
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1177
1177
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1178
1178
|
) {
|
|
1179
|
-
const t = new n(
|
|
1179
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use get not load");
|
|
1180
1180
|
return {
|
|
1181
1181
|
ok: !1,
|
|
1182
1182
|
error: t.oauthErrorCode,
|
|
@@ -1185,41 +1185,41 @@ class G extends re {
|
|
|
1185
1185
|
}
|
|
1186
1186
|
try {
|
|
1187
1187
|
if (!this.validFlows.includes(_.AuthorizationCodeWithPKCE)) {
|
|
1188
|
-
const
|
|
1188
|
+
const p = new n(h.Unauthorized, "Authorization flow is not supported");
|
|
1189
1189
|
return {
|
|
1190
1190
|
ok: !1,
|
|
1191
|
-
error:
|
|
1192
|
-
error_description:
|
|
1191
|
+
error: p.oauthErrorCode,
|
|
1192
|
+
error_description: p.message
|
|
1193
1193
|
};
|
|
1194
1194
|
}
|
|
1195
1195
|
if (!this.server.sessionAdapter)
|
|
1196
|
-
throw new n(
|
|
1196
|
+
throw new n(h.Configuration, "Need session server or adapter for authorization code flow");
|
|
1197
1197
|
let t = e.url.searchParams.get("scope") ?? void 0;
|
|
1198
1198
|
t == "" && (t = void 0);
|
|
1199
|
-
const
|
|
1199
|
+
const i = this.randomValue(this.stateLength), { codeChallenge: a, codeVerifier: c } = await this.codeChallengeAndVerifier(), d = { scope: t, state: i, codeChallenge: a, codeVerifier: c };
|
|
1200
1200
|
await this.storeSessionData(e, d);
|
|
1201
|
-
const { url:
|
|
1202
|
-
if (g || !
|
|
1203
|
-
const
|
|
1201
|
+
const { url: u, error: g, error_description: w } = await this.startAuthorizationCodeFlow(i, t, a, !0);
|
|
1202
|
+
if (g || !u) {
|
|
1203
|
+
const p = n.fromOAuthError(
|
|
1204
1204
|
g ?? "server_error",
|
|
1205
|
-
|
|
1205
|
+
w
|
|
1206
1206
|
);
|
|
1207
1207
|
return {
|
|
1208
1208
|
ok: !1,
|
|
1209
|
-
error:
|
|
1210
|
-
error_description:
|
|
1209
|
+
error: p.oauthErrorCode,
|
|
1210
|
+
error_description: p.message
|
|
1211
1211
|
};
|
|
1212
1212
|
}
|
|
1213
|
-
throw this.oauthLogFetch ? l.logger.debug(f({ msg: "OAuth redirect", url:
|
|
1213
|
+
throw this.oauthLogFetch ? l.logger.debug(f({ msg: "OAuth redirect", url: u })) : l.logger.debug(f({
|
|
1214
1214
|
msg: "OAuth redirect"
|
|
1215
|
-
})), this.redirect(302,
|
|
1215
|
+
})), this.redirect(302, u);
|
|
1216
1216
|
} catch (t) {
|
|
1217
1217
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
1218
|
-
const
|
|
1218
|
+
const i = n.asCrossauthError(t);
|
|
1219
1219
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
1220
1220
|
ok: !1,
|
|
1221
|
-
error:
|
|
1222
|
-
error_description:
|
|
1221
|
+
error: i.oauthErrorCode,
|
|
1222
|
+
error_description: i.message
|
|
1223
1223
|
};
|
|
1224
1224
|
}
|
|
1225
1225
|
}
|
|
@@ -1227,35 +1227,35 @@ class G extends re {
|
|
|
1227
1227
|
get: async (e) => {
|
|
1228
1228
|
var t;
|
|
1229
1229
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1230
|
-
const
|
|
1231
|
-
return this.errorFn(this.server, e,
|
|
1230
|
+
const i = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use load not get");
|
|
1231
|
+
return this.errorFn(this.server, e, i);
|
|
1232
1232
|
}
|
|
1233
1233
|
try {
|
|
1234
1234
|
if (!(this.validFlows.includes(_.AuthorizationCode) || this.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.validFlows.includes(_.OidcAuthorizationCode))) {
|
|
1235
|
-
const
|
|
1236
|
-
return this.errorFn(this.server, e,
|
|
1235
|
+
const w = new n(h.Unauthorized, "Authorization flows are not supported");
|
|
1236
|
+
return this.errorFn(this.server, e, w);
|
|
1237
1237
|
}
|
|
1238
1238
|
l.logger.debug(f({ msg: "redirectUriEndpoint, token response type " + this.tokenResponseType }));
|
|
1239
|
-
const
|
|
1240
|
-
if ((
|
|
1241
|
-
throw new n(
|
|
1239
|
+
const i = e.url.searchParams.get("code") ?? "", a = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, u = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1240
|
+
if ((u == null ? void 0 : u.state) != a)
|
|
1241
|
+
throw new n(h.Unauthorized, "State does not match");
|
|
1242
1242
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1243
|
-
|
|
1244
|
-
|
|
1245
|
-
|
|
1243
|
+
i,
|
|
1244
|
+
u == null ? void 0 : u.scope,
|
|
1245
|
+
u == null ? void 0 : u.codeVerifier,
|
|
1246
1246
|
c,
|
|
1247
1247
|
d
|
|
1248
1248
|
));
|
|
1249
1249
|
if (g.error) return this.errorFn(this.server, e, n.fromOAuthError(g.error, g.error_description));
|
|
1250
1250
|
if (g.error) {
|
|
1251
|
-
const
|
|
1251
|
+
const w = n.fromOAuthError(
|
|
1252
1252
|
g.error,
|
|
1253
1253
|
g.error_description
|
|
1254
1254
|
);
|
|
1255
1255
|
return await this.errorFn(
|
|
1256
1256
|
this.server,
|
|
1257
1257
|
e,
|
|
1258
|
-
|
|
1258
|
+
w
|
|
1259
1259
|
);
|
|
1260
1260
|
}
|
|
1261
1261
|
return await this.receiveTokenFn(
|
|
@@ -1265,10 +1265,10 @@ class G extends re {
|
|
|
1265
1265
|
!1,
|
|
1266
1266
|
this.setEventLocalsUser
|
|
1267
1267
|
);
|
|
1268
|
-
} catch (
|
|
1269
|
-
if (m.isSvelteKitRedirect(
|
|
1270
|
-
const
|
|
1271
|
-
return l.logger.debug({ err:
|
|
1268
|
+
} catch (i) {
|
|
1269
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1270
|
+
const a = n.asCrossauthError(i);
|
|
1271
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), this.errorFn(this.server, e, a);
|
|
1272
1272
|
}
|
|
1273
1273
|
},
|
|
1274
1274
|
load: async (e) => {
|
|
@@ -1277,29 +1277,29 @@ class G extends re {
|
|
|
1277
1277
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1278
1278
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1279
1279
|
) {
|
|
1280
|
-
const
|
|
1280
|
+
const i = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use get not load");
|
|
1281
1281
|
return {
|
|
1282
1282
|
ok: !1,
|
|
1283
|
-
error:
|
|
1284
|
-
error_description:
|
|
1283
|
+
error: i.oauthErrorCode,
|
|
1284
|
+
error_description: i.message
|
|
1285
1285
|
};
|
|
1286
1286
|
}
|
|
1287
1287
|
try {
|
|
1288
1288
|
if (!(this.validFlows.includes(_.AuthorizationCode) || this.validFlows.includes(_.AuthorizationCodeWithPKCE) || this.validFlows.includes(_.OidcAuthorizationCode))) {
|
|
1289
|
-
const
|
|
1289
|
+
const p = new n(h.Unauthorized, "Authorization flows are not supported");
|
|
1290
1290
|
return {
|
|
1291
1291
|
ok: !1,
|
|
1292
|
-
error:
|
|
1293
|
-
error_description:
|
|
1292
|
+
error: p.oauthErrorCode,
|
|
1293
|
+
error_description: p.message
|
|
1294
1294
|
};
|
|
1295
1295
|
}
|
|
1296
|
-
const
|
|
1297
|
-
if ((
|
|
1298
|
-
throw new n(
|
|
1296
|
+
const i = e.url.searchParams.get("code") ?? "", a = e.url.searchParams.get("state") ?? void 0, c = e.url.searchParams.get("error") ?? void 0, d = e.url.searchParams.get("error") ?? void 0, u = await ((t = this.server.sessionAdapter) == null ? void 0 : t.getSessionData(e, this.sessionDataName));
|
|
1297
|
+
if ((u == null ? void 0 : u.state) != a)
|
|
1298
|
+
throw new n(h.Unauthorized, "State does not match");
|
|
1299
1299
|
const g = this.errorIfIdTokenInvalid(await this.redirectEndpoint(
|
|
1300
|
-
|
|
1301
|
-
|
|
1302
|
-
|
|
1300
|
+
i,
|
|
1301
|
+
u == null ? void 0 : u.scope,
|
|
1302
|
+
u == null ? void 0 : u.codeVerifier,
|
|
1303
1303
|
c,
|
|
1304
1304
|
d
|
|
1305
1305
|
));
|
|
@@ -1309,67 +1309,67 @@ class G extends re {
|
|
|
1309
1309
|
error_description: g.error_description
|
|
1310
1310
|
};
|
|
1311
1311
|
if (g.error) {
|
|
1312
|
-
const
|
|
1312
|
+
const p = n.fromOAuthError(
|
|
1313
1313
|
g.error,
|
|
1314
1314
|
g.error_description
|
|
1315
1315
|
);
|
|
1316
1316
|
return {
|
|
1317
1317
|
ok: !1,
|
|
1318
|
-
error:
|
|
1319
|
-
error_description:
|
|
1318
|
+
error: p.oauthErrorCode,
|
|
1319
|
+
error_description: p.message
|
|
1320
1320
|
};
|
|
1321
1321
|
}
|
|
1322
|
-
const
|
|
1322
|
+
const w = await this.receiveTokenFn(
|
|
1323
1323
|
g,
|
|
1324
1324
|
this,
|
|
1325
1325
|
e,
|
|
1326
1326
|
!1,
|
|
1327
1327
|
this.setEventLocalsUser
|
|
1328
1328
|
);
|
|
1329
|
-
return
|
|
1329
|
+
return w instanceof Response ? {
|
|
1330
1330
|
ok: !1,
|
|
1331
1331
|
error: "server_error",
|
|
1332
1332
|
error_description: "When using load, receiveTokenFn should return an object not a Response"
|
|
1333
|
-
} :
|
|
1333
|
+
} : w == null ? {
|
|
1334
1334
|
ok: !1,
|
|
1335
1335
|
error: "server_error",
|
|
1336
1336
|
error_description: "No response received from receiveTokenFn"
|
|
1337
|
-
} :
|
|
1337
|
+
} : w.error ? {
|
|
1338
1338
|
ok: !1,
|
|
1339
|
-
error:
|
|
1340
|
-
error_description:
|
|
1339
|
+
error: w.error,
|
|
1340
|
+
error_description: w.error_description
|
|
1341
1341
|
} : {
|
|
1342
|
-
...
|
|
1342
|
+
...w
|
|
1343
1343
|
};
|
|
1344
|
-
} catch (
|
|
1345
|
-
if (m.isSvelteKitRedirect(
|
|
1346
|
-
const
|
|
1347
|
-
return l.logger.debug({ err:
|
|
1344
|
+
} catch (i) {
|
|
1345
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1346
|
+
const a = n.asCrossauthError(i);
|
|
1347
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), {
|
|
1348
1348
|
ok: !1,
|
|
1349
|
-
error:
|
|
1350
|
-
error_description:
|
|
1349
|
+
error: a.oauthErrorCode,
|
|
1350
|
+
error_description: a.message
|
|
1351
1351
|
};
|
|
1352
1352
|
}
|
|
1353
1353
|
}
|
|
1354
1354
|
}, this.clientCredentialsFlowEndpoint = {
|
|
1355
1355
|
post: async (e) => {
|
|
1356
1356
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1357
|
-
const
|
|
1358
|
-
return this.errorFn(this.server, e,
|
|
1357
|
+
const a = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1358
|
+
return this.errorFn(this.server, e, a);
|
|
1359
1359
|
}
|
|
1360
1360
|
let t;
|
|
1361
1361
|
try {
|
|
1362
1362
|
if (!this.validFlows.includes(_.ClientCredentials)) {
|
|
1363
|
-
const d = new n(
|
|
1363
|
+
const d = new n(h.Unauthorized, "Client credentials flow is not supported");
|
|
1364
1364
|
return this.errorFn(this.server, e, d);
|
|
1365
1365
|
}
|
|
1366
|
-
var
|
|
1367
|
-
await
|
|
1368
|
-
const
|
|
1369
|
-
if (
|
|
1366
|
+
var i = new b();
|
|
1367
|
+
await i.loadData(e), t = i.toObject();
|
|
1368
|
+
const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1369
|
+
if (a.error) {
|
|
1370
1370
|
const d = n.fromOAuthError(
|
|
1371
|
-
|
|
1372
|
-
|
|
1371
|
+
a.error,
|
|
1372
|
+
a.error_description
|
|
1373
1373
|
);
|
|
1374
1374
|
return await this.errorFn(
|
|
1375
1375
|
this.server,
|
|
@@ -1378,17 +1378,17 @@ class G extends re {
|
|
|
1378
1378
|
);
|
|
1379
1379
|
}
|
|
1380
1380
|
const c = await this.receiveTokenFn(
|
|
1381
|
-
|
|
1381
|
+
a,
|
|
1382
1382
|
this,
|
|
1383
1383
|
e,
|
|
1384
1384
|
!1,
|
|
1385
1385
|
this.setEventLocalsUser
|
|
1386
1386
|
);
|
|
1387
1387
|
return c instanceof Response ? c : this.pack(c);
|
|
1388
|
-
} catch (
|
|
1389
|
-
if (m.isSvelteKitRedirect(
|
|
1390
|
-
const c = n.asCrossauthError(
|
|
1391
|
-
return l.logger.debug({ err:
|
|
1388
|
+
} catch (a) {
|
|
1389
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1390
|
+
const c = n.asCrossauthError(a);
|
|
1391
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), this.errorFn(this.server, e, c);
|
|
1392
1392
|
}
|
|
1393
1393
|
},
|
|
1394
1394
|
actions: {
|
|
@@ -1397,30 +1397,30 @@ class G extends re {
|
|
|
1397
1397
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1398
1398
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1399
1399
|
)
|
|
1400
|
-
throw new n(
|
|
1400
|
+
throw new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1401
1401
|
let t;
|
|
1402
1402
|
try {
|
|
1403
1403
|
if (!this.validFlows.includes(_.ClientCredentials))
|
|
1404
|
-
throw new n(
|
|
1405
|
-
var
|
|
1406
|
-
await
|
|
1407
|
-
const
|
|
1408
|
-
if (
|
|
1404
|
+
throw new n(h.Unauthorized, "Client credentials flow is not supported");
|
|
1405
|
+
var i = new b();
|
|
1406
|
+
await i.loadData(e), t = i.toObject();
|
|
1407
|
+
const a = this.errorIfIdTokenInvalid(await this.clientCredentialsFlow(t == null ? void 0 : t.scope));
|
|
1408
|
+
if (a.error)
|
|
1409
1409
|
throw n.fromOAuthError(
|
|
1410
|
-
|
|
1411
|
-
|
|
1410
|
+
a.error,
|
|
1411
|
+
a.error_description
|
|
1412
1412
|
);
|
|
1413
1413
|
return await this.receiveTokenFn(
|
|
1414
|
-
|
|
1414
|
+
a,
|
|
1415
1415
|
this,
|
|
1416
1416
|
e,
|
|
1417
1417
|
!1,
|
|
1418
1418
|
this.setEventLocalsUser
|
|
1419
1419
|
) ?? {};
|
|
1420
|
-
} catch (
|
|
1421
|
-
if (m.isSvelteKitRedirect(
|
|
1422
|
-
const c = n.asCrossauthError(
|
|
1423
|
-
return l.logger.debug({ err:
|
|
1420
|
+
} catch (a) {
|
|
1421
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1422
|
+
const c = n.asCrossauthError(a);
|
|
1423
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), {
|
|
1424
1424
|
ok: !1,
|
|
1425
1425
|
error: c.oauthErrorCode,
|
|
1426
1426
|
error_description: c.message
|
|
@@ -1431,45 +1431,45 @@ class G extends re {
|
|
|
1431
1431
|
}, this.refreshTokenFlowEndpoint = {
|
|
1432
1432
|
post: async (e) => {
|
|
1433
1433
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1434
|
-
const
|
|
1435
|
-
return this.errorFn(this.server, e,
|
|
1434
|
+
const a = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1435
|
+
return this.errorFn(this.server, e, a);
|
|
1436
1436
|
}
|
|
1437
1437
|
let t;
|
|
1438
1438
|
try {
|
|
1439
1439
|
if (!this.validFlows.includes(_.RefreshToken)) {
|
|
1440
|
-
const
|
|
1441
|
-
return this.errorFn(this.server, e,
|
|
1440
|
+
const u = new n(h.Unauthorized, "Refresh token flow is not supported");
|
|
1441
|
+
return this.errorFn(this.server, e, u);
|
|
1442
1442
|
}
|
|
1443
|
-
var
|
|
1444
|
-
if (await
|
|
1443
|
+
var i = new b();
|
|
1444
|
+
if (await i.loadData(e), t = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1445
1445
|
try {
|
|
1446
1446
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1447
|
-
throw new n(
|
|
1448
|
-
} catch (
|
|
1449
|
-
if (m.isSvelteKitError(
|
|
1450
|
-
const g = new n(
|
|
1447
|
+
throw new n(h.InvalidCsrf);
|
|
1448
|
+
} catch (u) {
|
|
1449
|
+
if (m.isSvelteKitError(u) || m.isSvelteKitRedirect(u)) throw u;
|
|
1450
|
+
const g = new n(h.Unauthorized, "CSRF token not present");
|
|
1451
1451
|
return this.errorFn(this.server, e, g);
|
|
1452
1452
|
}
|
|
1453
|
-
let
|
|
1454
|
-
if (!
|
|
1455
|
-
const
|
|
1456
|
-
if (!(
|
|
1453
|
+
let a = t.refresh_token;
|
|
1454
|
+
if (!a && this.server.sessionAdapter) {
|
|
1455
|
+
const u = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1456
|
+
if (!(u != null && u.refresh_token)) {
|
|
1457
1457
|
const g = new n(
|
|
1458
|
-
|
|
1458
|
+
h.BadRequest,
|
|
1459
1459
|
"No refresh token in session or in parameters"
|
|
1460
1460
|
);
|
|
1461
1461
|
return this.errorFn(this.server, e, g);
|
|
1462
1462
|
}
|
|
1463
|
-
|
|
1463
|
+
a = u.refresh_token;
|
|
1464
1464
|
}
|
|
1465
|
-
if (!
|
|
1466
|
-
const
|
|
1467
|
-
|
|
1465
|
+
if (!a) {
|
|
1466
|
+
const u = new n(
|
|
1467
|
+
h.BadRequest,
|
|
1468
1468
|
"No refresh token supplied"
|
|
1469
1469
|
);
|
|
1470
|
-
return this.errorFn(this.server, e,
|
|
1470
|
+
return this.errorFn(this.server, e, u);
|
|
1471
1471
|
}
|
|
1472
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1472
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), d = await this.receiveTokenFn(
|
|
1473
1473
|
c,
|
|
1474
1474
|
this,
|
|
1475
1475
|
e,
|
|
@@ -1477,11 +1477,11 @@ class G extends re {
|
|
|
1477
1477
|
this.setEventLocalsUser
|
|
1478
1478
|
);
|
|
1479
1479
|
if (c && d instanceof Response) return d;
|
|
1480
|
-
throw new n(
|
|
1481
|
-
} catch (
|
|
1482
|
-
if (m.isSvelteKitRedirect(
|
|
1483
|
-
const c = n.asCrossauthError(
|
|
1484
|
-
return l.logger.debug({ err:
|
|
1480
|
+
throw new n(h.UnknownError, "Receive token function did not return a Response");
|
|
1481
|
+
} catch (a) {
|
|
1482
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1483
|
+
const c = n.asCrossauthError(a);
|
|
1484
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), this.errorFn(this.server, e, c);
|
|
1485
1485
|
}
|
|
1486
1486
|
},
|
|
1487
1487
|
actions: {
|
|
@@ -1490,49 +1490,49 @@ class G extends re {
|
|
|
1490
1490
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1491
1491
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1492
1492
|
)
|
|
1493
|
-
throw new n(
|
|
1493
|
+
throw new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1494
1494
|
let t;
|
|
1495
1495
|
try {
|
|
1496
1496
|
if (!this.validFlows.includes(_.RefreshToken)) {
|
|
1497
|
-
const
|
|
1498
|
-
return this.errorFn(this.server, e,
|
|
1497
|
+
const u = new n(h.Unauthorized, "Refresh token flow is not supported");
|
|
1498
|
+
return this.errorFn(this.server, e, u);
|
|
1499
1499
|
}
|
|
1500
|
-
var
|
|
1501
|
-
if (await
|
|
1500
|
+
var i = new b();
|
|
1501
|
+
if (await i.loadData(e), t = i.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
1502
1502
|
try {
|
|
1503
1503
|
if (!this.server.sessionAdapter.getCsrfToken(e))
|
|
1504
|
-
throw new n(
|
|
1505
|
-
} catch (
|
|
1506
|
-
throw m.isSvelteKitError(
|
|
1504
|
+
throw new n(h.InvalidCsrf);
|
|
1505
|
+
} catch (u) {
|
|
1506
|
+
throw m.isSvelteKitError(u) || m.isSvelteKitRedirect(u) ? u : new n(h.Unauthorized, "CSRF token not present");
|
|
1507
1507
|
}
|
|
1508
|
-
let
|
|
1509
|
-
if (!
|
|
1510
|
-
const
|
|
1511
|
-
if (!(
|
|
1508
|
+
let a = t.refresh_token;
|
|
1509
|
+
if (!a && this.server.sessionAdapter) {
|
|
1510
|
+
const u = await this.server.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1511
|
+
if (!(u != null && u.refresh_token))
|
|
1512
1512
|
throw new n(
|
|
1513
|
-
|
|
1513
|
+
h.BadRequest,
|
|
1514
1514
|
"No refresh token in session or in parameters"
|
|
1515
1515
|
);
|
|
1516
|
-
|
|
1516
|
+
a = u.refresh_token;
|
|
1517
1517
|
}
|
|
1518
|
-
if (!
|
|
1518
|
+
if (!a)
|
|
1519
1519
|
throw new n(
|
|
1520
|
-
|
|
1520
|
+
h.BadRequest,
|
|
1521
1521
|
"No refresh token supplied"
|
|
1522
1522
|
);
|
|
1523
|
-
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(
|
|
1523
|
+
const c = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(a)), d = await this.receiveTokenFn(
|
|
1524
1524
|
c,
|
|
1525
1525
|
this,
|
|
1526
1526
|
e,
|
|
1527
1527
|
!1,
|
|
1528
1528
|
this.setEventLocalsUser
|
|
1529
1529
|
) ?? {};
|
|
1530
|
-
if (d instanceof Response) throw new n(
|
|
1530
|
+
if (d instanceof Response) throw new n(h.Configuration, "Refresh token flow should return an object not Response");
|
|
1531
1531
|
return d;
|
|
1532
|
-
} catch (
|
|
1533
|
-
if (m.isSvelteKitRedirect(
|
|
1534
|
-
const c = n.asCrossauthError(
|
|
1535
|
-
return l.logger.debug({ err:
|
|
1532
|
+
} catch (a) {
|
|
1533
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1534
|
+
const c = n.asCrossauthError(a);
|
|
1535
|
+
return l.logger.debug({ err: a }), l.logger.error({ cerr: a }), {
|
|
1536
1536
|
ok: !1,
|
|
1537
1537
|
error: c.oauthErrorCode,
|
|
1538
1538
|
error_description: c.message
|
|
@@ -1543,7 +1543,7 @@ class G extends re {
|
|
|
1543
1543
|
}, this.refreshTokensIfExpiredEndpoint = {
|
|
1544
1544
|
post: async (e) => {
|
|
1545
1545
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1546
|
-
const t = new n(
|
|
1546
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1547
1547
|
return this.errorFn(this.server, e, t);
|
|
1548
1548
|
}
|
|
1549
1549
|
return this.pack(await this.refreshTokens(e, "post", !0));
|
|
@@ -1554,14 +1554,14 @@ class G extends re {
|
|
|
1554
1554
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
1555
1555
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
1556
1556
|
)
|
|
1557
|
-
throw new n(
|
|
1557
|
+
throw new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
1558
1558
|
return this.refreshTokens(e, "page", !0);
|
|
1559
1559
|
}
|
|
1560
1560
|
}
|
|
1561
1561
|
}, this.autoRefreshTokensIfExpiredEndpoint = {
|
|
1562
1562
|
post: async (e) => {
|
|
1563
1563
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1564
|
-
const t = new n(
|
|
1564
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1565
1565
|
return this.errorFn(this.server, e, t);
|
|
1566
1566
|
}
|
|
1567
1567
|
return this.pack(await this.refreshTokens(e, "silent", !0));
|
|
@@ -1569,7 +1569,7 @@ class G extends re {
|
|
|
1569
1569
|
}, this.autoRefreshTokensEndpoint = {
|
|
1570
1570
|
post: async (e) => {
|
|
1571
1571
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
1572
|
-
const t = new n(
|
|
1572
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
1573
1573
|
return this.errorFn(this.server, e, t);
|
|
1574
1574
|
}
|
|
1575
1575
|
return this.pack(await this.refreshTokens(e, "silent", !1));
|
|
@@ -1581,8 +1581,8 @@ class G extends re {
|
|
|
1581
1581
|
post: async (e) => {
|
|
1582
1582
|
const t = await this.startDeviceCodeFlow_internal(e);
|
|
1583
1583
|
if (t.error) {
|
|
1584
|
-
const
|
|
1585
|
-
return v(t, { status:
|
|
1584
|
+
const i = n.fromOAuthError(t.error, t.error_description);
|
|
1585
|
+
return v(t, { status: i.httpStatus });
|
|
1586
1586
|
}
|
|
1587
1587
|
return v(t);
|
|
1588
1588
|
}
|
|
@@ -1598,40 +1598,40 @@ class G extends re {
|
|
|
1598
1598
|
if (t instanceof Response) return t;
|
|
1599
1599
|
if (t == null) return new Response(null, { status: 204 });
|
|
1600
1600
|
if (t.error) {
|
|
1601
|
-
const
|
|
1602
|
-
return v(t, { status:
|
|
1601
|
+
const i = n.fromOAuthError(t.error, t.error_description);
|
|
1602
|
+
return v(t, { status: i.httpStatus });
|
|
1603
1603
|
}
|
|
1604
1604
|
return v(t);
|
|
1605
1605
|
}
|
|
1606
1606
|
}, this.passwordFlowEndpoint = {
|
|
1607
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1607
|
+
post: async (e) => await this.passwordFlow_post(e, (t, i) => this.passwordPost(t, i)),
|
|
1608
1608
|
actions: {
|
|
1609
|
-
password: async (e) => await this.passwordFlow_action(e, (t,
|
|
1610
|
-
passwordOtp: async (e) => await this.passwordFlow_action(e, (t,
|
|
1611
|
-
passwordOob: async (e) => await this.passwordFlow_action(e, (t,
|
|
1609
|
+
password: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordPost(t, i)),
|
|
1610
|
+
passwordOtp: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOtp(t, i)),
|
|
1611
|
+
passwordOob: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOob(t, i))
|
|
1612
1612
|
}
|
|
1613
1613
|
}, this.passwordOtpEndpoint = {
|
|
1614
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1614
|
+
post: async (e) => await this.passwordFlow_post(e, (t, i) => this.passwordOtp(t, i)),
|
|
1615
1615
|
actions: {
|
|
1616
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1616
|
+
default: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOtp(t, i))
|
|
1617
1617
|
}
|
|
1618
1618
|
}, this.passwordOobEndpoint = {
|
|
1619
|
-
post: async (e) => await this.passwordFlow_post(e, (t,
|
|
1619
|
+
post: async (e) => await this.passwordFlow_post(e, (t, i) => this.passwordOob(t, i)),
|
|
1620
1620
|
actions: {
|
|
1621
|
-
default: async (e) => await this.passwordFlow_action(e, (t,
|
|
1621
|
+
default: async (e) => await this.passwordFlow_action(e, (t, i) => this.passwordOob(t, i))
|
|
1622
1622
|
}
|
|
1623
1623
|
}, this.deleteTokensEndpoint = {
|
|
1624
1624
|
post: async (e) => {
|
|
1625
|
-
var t,
|
|
1625
|
+
var t, i;
|
|
1626
1626
|
try {
|
|
1627
1627
|
return await this.deleteSessionData(e), v({ ok: !0 });
|
|
1628
|
-
} catch (
|
|
1629
|
-
if (m.isSvelteKitRedirect(
|
|
1630
|
-
const c = n.asCrossauthError(
|
|
1628
|
+
} catch (a) {
|
|
1629
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1630
|
+
const c = n.asCrossauthError(a);
|
|
1631
1631
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), v({
|
|
1632
1632
|
ok: !1,
|
|
1633
1633
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1634
|
-
csrfToken: (
|
|
1634
|
+
csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
|
|
1635
1635
|
errorCode: c.code,
|
|
1636
1636
|
errorCodeName: c.codeName,
|
|
1637
1637
|
errorMessage: c.message
|
|
@@ -1640,16 +1640,16 @@ class G extends re {
|
|
|
1640
1640
|
},
|
|
1641
1641
|
actions: {
|
|
1642
1642
|
default: async (e) => {
|
|
1643
|
-
var t,
|
|
1643
|
+
var t, i;
|
|
1644
1644
|
try {
|
|
1645
1645
|
return await this.deleteSessionData(e), { ok: !0 };
|
|
1646
|
-
} catch (
|
|
1647
|
-
if (m.isSvelteKitRedirect(
|
|
1648
|
-
const c = n.asCrossauthError(
|
|
1646
|
+
} catch (a) {
|
|
1647
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
1648
|
+
const c = n.asCrossauthError(a);
|
|
1649
1649
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1650
1650
|
ok: !1,
|
|
1651
1651
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(e),
|
|
1652
|
-
csrfToken: (
|
|
1652
|
+
csrfToken: (i = this.server.sessionAdapter) == null ? void 0 : i.getCsrfToken(e),
|
|
1653
1653
|
errorCode: c.code,
|
|
1654
1654
|
errorCodeName: c.codeName,
|
|
1655
1655
|
errorMessage: c.message
|
|
@@ -1723,11 +1723,11 @@ class G extends re {
|
|
|
1723
1723
|
}, this.server = r, y("sessionDataName", E.String, this, s, "OAUTH_SESSION_DATA_NAME"), y("tokenResponseType", E.String, this, s, "OAUTH_TOKEN_RESPONSE_TYPE"), y("errorResponseType", E.String, this, s, "OAUTH_ERROR_RESPONSE_TYPE"), y("loginUrl", E.String, this, s, "LOGIN_URL"), y("bffEndpointName", E.String, this, s, "OAUTH_BFF_ENDPOINT_NAME"), y("bffBaseUrl", E.String, this, s, "OAUTH_BFF_BASEURL"), y("redirect_uri", E.String, this, s, "OAUTH_REDIRECTURI", !0), y("authorizedUrl", E.String, this, s, "AUTHORIZED_URL", !1), y("validFlows", E.JsonArray, this, s, "OAUTH_validFlows"), y("bffMaxTries", E.Number, this, s, "OAUTH_BFF_MAX_RETRIES"), y("bffSleepMilliseconds", E.Number, this, s, "OAUTH_BFF_SLEEP_MILLISECONDS"), y("jwtTokens", E.JsonArray, this, s, "OAUTH_JWT_TOKENS"), this.bffEndpointName && !this.bffEndpointName.startsWith("/") && (this.bffEndpointName = "/" + this.bffEndpointName), this.bffEndpointName && this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), this.bffBaseUrl && this.bffBaseUrl.endsWith("/") && (this.bffBaseUrl = this.bffBaseUrl.substring(0, this.bffBaseUrl.length - 1)), s.redirect && (this.redirect = s.redirect), s.error && (this.error = s.error), this.validFlows.length == 1 && this.validFlows[0] == _.All)
|
|
1724
1724
|
this.validFlows = _.allFlows();
|
|
1725
1725
|
else if (!_.areAllValidFlows(this.validFlows))
|
|
1726
|
-
throw new n(
|
|
1726
|
+
throw new n(h.Configuration, "Invalid flows specificied in " + this.validFlows.join(","));
|
|
1727
1727
|
try {
|
|
1728
1728
|
new URL(this.redirect_uri ?? "");
|
|
1729
1729
|
} catch {
|
|
1730
|
-
throw new n(
|
|
1730
|
+
throw new n(h.Configuration, "Invalid redirect Uri " + this.redirect_uri);
|
|
1731
1731
|
}
|
|
1732
1732
|
if (s.tokenEndpoints && (this.tokenEndpoints = s.tokenEndpoints), this.bffEndpointName.endsWith("/") && (this.bffEndpointName = this.bffEndpointName.substring(0, this.bffEndpointName.length - 1)), s.bffEndpoints && (this.bffEndpoints = s.bffEndpoints.map((e) => ({ ...e, methodsString: e.methods.map((t) => t) }))), this.bffEndpoints)
|
|
1733
1733
|
for (let e of this.bffEndpoints)
|
|
@@ -1736,36 +1736,36 @@ class G extends re {
|
|
|
1736
1736
|
this.loginProtectedFlows = this.validFlows;
|
|
1737
1737
|
else if (!_.areAllValidFlows(this.loginProtectedFlows))
|
|
1738
1738
|
throw new n(
|
|
1739
|
-
|
|
1739
|
+
h.Configuration,
|
|
1740
1740
|
"Invalid flows specificied in " + this.loginProtectedFlows.join(",")
|
|
1741
1741
|
);
|
|
1742
1742
|
if (this.tokenResponseType == "custom" && !s.receiveTokenFn)
|
|
1743
1743
|
throw new n(
|
|
1744
|
-
|
|
1744
|
+
h.Configuration,
|
|
1745
1745
|
"Token response type of custom selected but receiveTokenFn not defined"
|
|
1746
1746
|
);
|
|
1747
1747
|
if (this.tokenResponseType == "custom" && s.receiveTokenFn ? this.receiveTokenFn = s.receiveTokenFn : this.tokenResponseType == "sendJson" ? this.receiveTokenFn = J : this.tokenResponseType == "sendInPage" ? this.receiveTokenFn = fe : this.tokenResponseType == "saveInSessionAndLoad" ? this.receiveTokenFn = ue : this.tokenResponseType == "saveInSessionAndRedirect" ? this.receiveTokenFn = de : this.tokenResponseType == "saveInSessionAndReturn" && (this.receiveTokenFn = he), (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "saveInSessionAndRedirect") && this.authorizedUrl == "")
|
|
1748
|
-
throw new n(
|
|
1748
|
+
throw new n(h.Configuration, "If tokenResponseType is" + this.tokenResponseType + ", must provide authorizedUrl");
|
|
1749
1749
|
if ((this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "saveInSessionAndRedirect") && this.server.sessionAdapter == null)
|
|
1750
|
-
throw new n(
|
|
1750
|
+
throw new n(h.Configuration, "If tokenResponseType is" + this.tokenResponseType + ", must activate the session server");
|
|
1751
1751
|
if (this.errorResponseType == "custom" && !s.errorFn)
|
|
1752
1752
|
throw new n(
|
|
1753
|
-
|
|
1753
|
+
h.Configuration,
|
|
1754
1754
|
"Error response type of custom selected but errorFn not defined"
|
|
1755
1755
|
);
|
|
1756
|
-
if (this.errorResponseType == "custom" && s.errorFn ? this.errorFn = s.errorFn : this.errorResponseType == "sendJson" ? this.errorFn = W : this.errorResponseType == "svelteKitError" && (this.errorFn = le), !s.redirect) throw new n(
|
|
1757
|
-
if (!s.error && this.errorResponseType == "svelteKitError") throw new n(
|
|
1756
|
+
if (this.errorResponseType == "custom" && s.errorFn ? this.errorFn = s.errorFn : this.errorResponseType == "sendJson" ? this.errorFn = W : this.errorResponseType == "svelteKitError" && (this.errorFn = le), !s.redirect) throw new n(h.Configuration, "Must provide the SvelteKit redirect function");
|
|
1757
|
+
if (!s.error && this.errorResponseType == "svelteKitError") throw new n(h.Configuration, "Must provide the SvelteKit error function");
|
|
1758
1758
|
if (this.loginProtectedFlows.length > 0 && this.loginUrl == "")
|
|
1759
1759
|
throw new n(
|
|
1760
|
-
|
|
1760
|
+
h.Configuration,
|
|
1761
1761
|
"loginUrl must be set if protecting oauth endpoints"
|
|
1762
1762
|
);
|
|
1763
1763
|
this.hook = async ({ event: e }) => {
|
|
1764
1764
|
if (e.locals.user || !r.sessionAdapter) return;
|
|
1765
1765
|
let t = await r.sessionAdapter.getSessionData(e, this.sessionDataName);
|
|
1766
1766
|
if (t && t.id_payload) {
|
|
1767
|
-
let
|
|
1768
|
-
|
|
1767
|
+
let i = t.expires_at;
|
|
1768
|
+
i && i > Date.now() && t.id_payload.sub && await this.setEventLocalsUser(e, t.id_payload);
|
|
1769
1769
|
}
|
|
1770
1770
|
this.testMiddleware && (this.testEvent = e);
|
|
1771
1771
|
};
|
|
@@ -1800,10 +1800,10 @@ class G extends re {
|
|
|
1800
1800
|
);
|
|
1801
1801
|
if (e.error == "mfa_required" && e.mfa_token && this.validFlows.includes(_.PasswordMfa)) {
|
|
1802
1802
|
const t = e.mfa_token;
|
|
1803
|
-
let
|
|
1804
|
-
if (
|
|
1803
|
+
let i = o.scope;
|
|
1804
|
+
if (i == "" && (i = void 0), e = this.errorIfIdTokenInvalid(await this.passwordMfa(
|
|
1805
1805
|
t,
|
|
1806
|
-
|
|
1806
|
+
i,
|
|
1807
1807
|
r
|
|
1808
1808
|
)), e.error)
|
|
1809
1809
|
throw n.fromOAuthError(
|
|
@@ -1839,11 +1839,11 @@ class G extends re {
|
|
|
1839
1839
|
};
|
|
1840
1840
|
const t = e.authenticators[0];
|
|
1841
1841
|
if (t.authenticator_type == "otp") {
|
|
1842
|
-
const
|
|
1843
|
-
if (
|
|
1842
|
+
const a = await this.mfaOtpRequest(r, t.id);
|
|
1843
|
+
if (a.error || a.challenge_type != "otp") {
|
|
1844
1844
|
const c = n.fromOAuthError(
|
|
1845
|
-
|
|
1846
|
-
|
|
1845
|
+
a.error ?? "server_error",
|
|
1846
|
+
a.error_description ?? "Invalid response from MFA OTP challenge"
|
|
1847
1847
|
);
|
|
1848
1848
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1849
1849
|
error: c.oauthErrorCode,
|
|
@@ -1853,14 +1853,14 @@ class G extends re {
|
|
|
1853
1853
|
return {
|
|
1854
1854
|
scope: o,
|
|
1855
1855
|
mfa_token: r,
|
|
1856
|
-
challenge_type:
|
|
1856
|
+
challenge_type: a.challenge_type
|
|
1857
1857
|
};
|
|
1858
1858
|
} else if (t.authenticator_type == "oob") {
|
|
1859
|
-
const
|
|
1860
|
-
if (
|
|
1859
|
+
const a = await this.mfaOobRequest(r, t.id);
|
|
1860
|
+
if (a.error || a.challenge_type != "oob" || !a.oob_code || a.binding_method != "prompt") {
|
|
1861
1861
|
const c = n.fromOAuthError(
|
|
1862
|
-
|
|
1863
|
-
|
|
1862
|
+
a.error ?? "server_error",
|
|
1863
|
+
a.error_description ?? "Invalid response from MFA OOB challenge"
|
|
1864
1864
|
);
|
|
1865
1865
|
return l.logger.debug({ err: c }), l.logger.error({ cerr: c }), {
|
|
1866
1866
|
error: c.oauthErrorCode,
|
|
@@ -1871,19 +1871,19 @@ class G extends re {
|
|
|
1871
1871
|
scope: o,
|
|
1872
1872
|
mfa_token: r,
|
|
1873
1873
|
oob_channel: t.oob_channel,
|
|
1874
|
-
challenge_type:
|
|
1875
|
-
binding_method:
|
|
1876
|
-
oob_code:
|
|
1874
|
+
challenge_type: a.challenge_type,
|
|
1875
|
+
binding_method: a.binding_method,
|
|
1876
|
+
oob_code: a.oob_code,
|
|
1877
1877
|
name: t.name
|
|
1878
1878
|
};
|
|
1879
1879
|
}
|
|
1880
|
-
const
|
|
1881
|
-
|
|
1880
|
+
const i = new n(
|
|
1881
|
+
h.UnknownError,
|
|
1882
1882
|
"Unsupported MFA type " + t.authenticator_type + " returned"
|
|
1883
1883
|
);
|
|
1884
1884
|
return {
|
|
1885
|
-
error:
|
|
1886
|
-
error_description:
|
|
1885
|
+
error: i.oauthErrorCode,
|
|
1886
|
+
error_description: i.message
|
|
1887
1887
|
};
|
|
1888
1888
|
}
|
|
1889
1889
|
async passwordOtp(r, o) {
|
|
@@ -1919,7 +1919,7 @@ class G extends re {
|
|
|
1919
1919
|
return e.error ? (l.logger.warn(f({
|
|
1920
1920
|
msg: "Error completing MFA",
|
|
1921
1921
|
user: (t = this.server.sessionAdapter) == null ? void 0 : t.getUser(r),
|
|
1922
|
-
hashedMfaToken: o.mfa_token ?
|
|
1922
|
+
hashedMfaToken: o.mfa_token ? A.hash(o.mfa_token) : void 0
|
|
1923
1923
|
})), {
|
|
1924
1924
|
error: e.error,
|
|
1925
1925
|
error_description: e.error_description
|
|
@@ -1938,10 +1938,10 @@ class G extends re {
|
|
|
1938
1938
|
if (o.locals.sessionId && this.autoRefreshActive[o.locals.sessionId]) return;
|
|
1939
1939
|
try {
|
|
1940
1940
|
o.locals.sessionId && (this.autoRefreshActive[o.locals.sessionId] = !0);
|
|
1941
|
-
const
|
|
1942
|
-
if (!
|
|
1941
|
+
const i = this.errorIfIdTokenInvalid(await this.refreshTokenFlow(e));
|
|
1942
|
+
if (!i.error && !i.access_token && (i.error = "server_error", i.error_description = "Unexpectedly did not receive error or access token"), !i.error) {
|
|
1943
1943
|
const d = await this.receiveTokenFn(
|
|
1944
|
-
|
|
1944
|
+
i,
|
|
1945
1945
|
this,
|
|
1946
1946
|
o,
|
|
1947
1947
|
r == "silent",
|
|
@@ -1951,43 +1951,43 @@ class G extends re {
|
|
|
1951
1951
|
}
|
|
1952
1952
|
if (r != "silent") {
|
|
1953
1953
|
const d = n.fromOAuthError(
|
|
1954
|
-
|
|
1955
|
-
|
|
1954
|
+
i.error ?? "server_error",
|
|
1955
|
+
i.error_description
|
|
1956
1956
|
);
|
|
1957
1957
|
return r == "page" ? this.errorFn(this.server, o, d) : {
|
|
1958
1958
|
error: d.oauthErrorCode,
|
|
1959
1959
|
error_description: d.message
|
|
1960
1960
|
};
|
|
1961
1961
|
}
|
|
1962
|
-
let
|
|
1963
|
-
if (!
|
|
1964
|
-
const d = M(
|
|
1965
|
-
d.exp && (
|
|
1962
|
+
let a = i.expires_in;
|
|
1963
|
+
if (!a && i.access_token) {
|
|
1964
|
+
const d = M(i.access_token);
|
|
1965
|
+
d.exp && (a = d.exp);
|
|
1966
1966
|
}
|
|
1967
|
-
if (!
|
|
1967
|
+
if (!a)
|
|
1968
1968
|
throw new n(
|
|
1969
|
-
|
|
1969
|
+
h.BadRequest,
|
|
1970
1970
|
"OAuth server did not return an expiry for the access token"
|
|
1971
1971
|
);
|
|
1972
|
-
const c = (/* @__PURE__ */ new Date()).getTime() +
|
|
1972
|
+
const c = (/* @__PURE__ */ new Date()).getTime() + a * 1e3;
|
|
1973
1973
|
return {
|
|
1974
|
-
access_token:
|
|
1975
|
-
refresh_token:
|
|
1976
|
-
expires_in:
|
|
1974
|
+
access_token: i.access_token,
|
|
1975
|
+
refresh_token: i.refresh_token,
|
|
1976
|
+
expires_in: i.expires_in,
|
|
1977
1977
|
expires_at: c,
|
|
1978
|
-
error:
|
|
1979
|
-
error_description:
|
|
1978
|
+
error: i.error,
|
|
1979
|
+
error_description: i.error_description
|
|
1980
1980
|
};
|
|
1981
|
-
} catch (
|
|
1982
|
-
if (m.isSvelteKitRedirect(
|
|
1983
|
-
if (l.logger.debug(f({ err:
|
|
1984
|
-
cerr:
|
|
1981
|
+
} catch (i) {
|
|
1982
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitError(i)) throw i;
|
|
1983
|
+
if (l.logger.debug(f({ err: i })), l.logger.error(f({
|
|
1984
|
+
cerr: i,
|
|
1985
1985
|
msg: "Failed refreshing access token"
|
|
1986
1986
|
})), r != "silent") {
|
|
1987
|
-
const
|
|
1988
|
-
return r == "page" ? this.errorFn(this.server, o,
|
|
1989
|
-
error:
|
|
1990
|
-
error_description:
|
|
1987
|
+
const a = n.asCrossauthError(i);
|
|
1988
|
+
return r == "page" ? this.errorFn(this.server, o, a) : {
|
|
1989
|
+
error: a.oauthErrorCode,
|
|
1990
|
+
error_description: a.message
|
|
1991
1991
|
};
|
|
1992
1992
|
}
|
|
1993
1993
|
return {
|
|
@@ -2018,7 +2018,7 @@ class G extends re {
|
|
|
2018
2018
|
if (o == "silent")
|
|
2019
2019
|
return new Response(null, { status: 204 });
|
|
2020
2020
|
throw new n(
|
|
2021
|
-
|
|
2021
|
+
h.InvalidSession,
|
|
2022
2022
|
"No tokens found in session"
|
|
2023
2023
|
);
|
|
2024
2024
|
}
|
|
@@ -2031,7 +2031,7 @@ class G extends re {
|
|
|
2031
2031
|
);
|
|
2032
2032
|
if (t && "id_token" in t && (t = this.errorIfIdTokenInvalid(t)), o == "silent") {
|
|
2033
2033
|
if (t instanceof Response)
|
|
2034
|
-
throw new n(
|
|
2034
|
+
throw new n(h.Configuration, "Unexpected error: refresh: mode is silent but didn't receive an object");
|
|
2035
2035
|
return { ok: !0, expires_at: t == null ? void 0 : t.expires_at };
|
|
2036
2036
|
} else if (o == "post") {
|
|
2037
2037
|
if (t == null) return this.receiveTokenFn(
|
|
@@ -2043,7 +2043,7 @@ class G extends re {
|
|
|
2043
2043
|
);
|
|
2044
2044
|
if (t != null) {
|
|
2045
2045
|
if (t instanceof Response) return t;
|
|
2046
|
-
throw new n(
|
|
2046
|
+
throw new n(h.Configuration, "refreshTokenFn for post should return Response not object");
|
|
2047
2047
|
}
|
|
2048
2048
|
}
|
|
2049
2049
|
} catch (e) {
|
|
@@ -2058,44 +2058,44 @@ class G extends re {
|
|
|
2058
2058
|
}
|
|
2059
2059
|
async passwordFlow_post(r, o) {
|
|
2060
2060
|
if (this.tokenResponseType == "saveInSessionAndLoad" || this.tokenResponseType == "sendInPage") {
|
|
2061
|
-
const t = new n(
|
|
2061
|
+
const t = new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use actions not post");
|
|
2062
2062
|
return this.errorFn(this.server, r, t);
|
|
2063
2063
|
}
|
|
2064
2064
|
let s;
|
|
2065
2065
|
try {
|
|
2066
2066
|
if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
|
|
2067
|
-
const
|
|
2068
|
-
return this.errorFn(this.server, r,
|
|
2067
|
+
const a = new n(h.Unauthorized, "Password flow is not supported");
|
|
2068
|
+
return this.errorFn(this.server, r, a);
|
|
2069
2069
|
}
|
|
2070
2070
|
var e = new b();
|
|
2071
2071
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2072
2072
|
try {
|
|
2073
2073
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2074
|
-
throw new n(
|
|
2075
|
-
} catch (
|
|
2076
|
-
if (m.isSvelteKitError(
|
|
2077
|
-
const c = new n(
|
|
2074
|
+
throw new n(h.InvalidCsrf);
|
|
2075
|
+
} catch (a) {
|
|
2076
|
+
if (m.isSvelteKitError(a) || m.isSvelteKitRedirect(a)) throw a;
|
|
2077
|
+
const c = new n(h.Unauthorized, "CSRF token not present");
|
|
2078
2078
|
return this.errorFn(this.server, r, c);
|
|
2079
2079
|
}
|
|
2080
2080
|
const t = this.errorIfIdTokenInvalid(await o(r, s));
|
|
2081
|
-
if (!t) throw new n(
|
|
2081
|
+
if (!t) throw new n(h.UnknownError, "Password flow returned no data");
|
|
2082
2082
|
if (t.error) return {
|
|
2083
2083
|
ok: !1,
|
|
2084
2084
|
...t
|
|
2085
2085
|
};
|
|
2086
|
-
const
|
|
2086
|
+
const i = await this.receiveTokenFn(
|
|
2087
2087
|
t,
|
|
2088
2088
|
this,
|
|
2089
2089
|
r,
|
|
2090
2090
|
!1,
|
|
2091
2091
|
this.setEventLocalsUser
|
|
2092
2092
|
);
|
|
2093
|
-
if (t &&
|
|
2094
|
-
throw new n(
|
|
2093
|
+
if (t && i instanceof Response) return i;
|
|
2094
|
+
throw new n(h.UnknownError, "Receive token function did not return a Response");
|
|
2095
2095
|
} catch (t) {
|
|
2096
2096
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2097
|
-
const
|
|
2098
|
-
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r,
|
|
2097
|
+
const i = n.asCrossauthError(t);
|
|
2098
|
+
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), this.errorFn(this.server, r, i);
|
|
2099
2099
|
}
|
|
2100
2100
|
}
|
|
2101
2101
|
async passwordFlow_action(r, o) {
|
|
@@ -2103,23 +2103,23 @@ class G extends re {
|
|
|
2103
2103
|
/*this.tokenResponseType == "saveInSessionAndRedirect" ||*/
|
|
2104
2104
|
this.tokenResponseType == "sendJson" || this.tokenResponseType == "saveInSessionAndLoad"
|
|
2105
2105
|
)
|
|
2106
|
-
throw new n(
|
|
2106
|
+
throw new n(h.Configuration, "If tokenResponseType is " + this.tokenResponseType + ", use post not load");
|
|
2107
2107
|
let s;
|
|
2108
2108
|
try {
|
|
2109
2109
|
if (!(this.validFlows.includes(_.Password) || this.validFlows.includes(_.PasswordMfa))) {
|
|
2110
|
-
const
|
|
2111
|
-
return this.errorFn(this.server, r,
|
|
2110
|
+
const a = new n(h.Unauthorized, "Password and Password MFA flows are not supported");
|
|
2111
|
+
return this.errorFn(this.server, r, a);
|
|
2112
2112
|
}
|
|
2113
2113
|
var e = new b();
|
|
2114
2114
|
if (await e.loadData(r), s = e.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2115
2115
|
try {
|
|
2116
2116
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2117
|
-
throw new n(
|
|
2118
|
-
} catch (
|
|
2119
|
-
throw m.isSvelteKitError(
|
|
2117
|
+
throw new n(h.InvalidCsrf);
|
|
2118
|
+
} catch (a) {
|
|
2119
|
+
throw m.isSvelteKitError(a) || m.isSvelteKitRedirect(a) ? a : new n(h.Unauthorized, "CSRF token not present");
|
|
2120
2120
|
}
|
|
2121
2121
|
const t = await o(r, s);
|
|
2122
|
-
if (!t) throw new n(
|
|
2122
|
+
if (!t) throw new n(h.UnknownError, "Password flow returned no data");
|
|
2123
2123
|
if (t.error)
|
|
2124
2124
|
return {
|
|
2125
2125
|
ok: !1,
|
|
@@ -2127,27 +2127,27 @@ class G extends re {
|
|
|
2127
2127
|
};
|
|
2128
2128
|
if (t.challenge_type) {
|
|
2129
2129
|
if (!this.validFlows.includes(_.PasswordMfa)) {
|
|
2130
|
-
const
|
|
2131
|
-
return this.errorFn(this.server, r,
|
|
2130
|
+
const a = new n(h.Unauthorized, "Password MFA flow is not supported");
|
|
2131
|
+
return this.errorFn(this.server, r, a);
|
|
2132
2132
|
}
|
|
2133
2133
|
return t;
|
|
2134
2134
|
}
|
|
2135
|
-
const
|
|
2135
|
+
const i = await this.receiveTokenFn(
|
|
2136
2136
|
t,
|
|
2137
2137
|
this,
|
|
2138
2138
|
r,
|
|
2139
2139
|
!1,
|
|
2140
2140
|
this.setEventLocalsUser
|
|
2141
2141
|
) ?? {};
|
|
2142
|
-
if (
|
|
2143
|
-
return
|
|
2142
|
+
if (i instanceof Response) throw new n(h.Configuration, "Refresh token flow should return an object not Response");
|
|
2143
|
+
return i;
|
|
2144
2144
|
} catch (t) {
|
|
2145
2145
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2146
|
-
const
|
|
2146
|
+
const i = n.asCrossauthError(t);
|
|
2147
2147
|
return l.logger.debug({ err: t }), l.logger.error({ cerr: t }), {
|
|
2148
2148
|
ok: !1,
|
|
2149
|
-
error:
|
|
2150
|
-
error_description:
|
|
2149
|
+
error: i.oauthErrorCode,
|
|
2150
|
+
error_description: i.message
|
|
2151
2151
|
};
|
|
2152
2152
|
}
|
|
2153
2153
|
}
|
|
@@ -2166,59 +2166,59 @@ class G extends re {
|
|
|
2166
2166
|
async bff(r, o = {}) {
|
|
2167
2167
|
var e;
|
|
2168
2168
|
try {
|
|
2169
|
-
if (!this.server.sessionAdapter) throw new n(
|
|
2170
|
-
if (!this.server.oAuthClient) throw new n(
|
|
2171
|
-
if (!this.bffBaseUrl) throw new n(
|
|
2172
|
-
if (!this.bffEndpointName) throw new n(
|
|
2169
|
+
if (!this.server.sessionAdapter) throw new n(h.Configuration, "Session server must be instantiated to use bff()");
|
|
2170
|
+
if (!this.server.oAuthClient) throw new n(h.Configuration, "OAuth Client not found");
|
|
2171
|
+
if (!this.bffBaseUrl) throw new n(h.Configuration, "Must set bffBaseUrl to use bff()");
|
|
2172
|
+
if (!this.bffEndpointName) throw new n(h.Configuration, "Must set bffEndpointName to use bff()");
|
|
2173
2173
|
let t = o.url;
|
|
2174
2174
|
if (!t) {
|
|
2175
|
-
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(
|
|
2176
|
-
const
|
|
2177
|
-
let
|
|
2178
|
-
|
|
2175
|
+
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(h.Unauthorized, "Attempt to call BFF url with the wrong prefix");
|
|
2176
|
+
const i = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2177
|
+
let a = ((e = r.url.searchParams) == null ? void 0 : e.toString()) ?? void 0;
|
|
2178
|
+
a && a != "" && (a = "?" + a), t = new URL(this.bffBaseUrl + i + a);
|
|
2179
2179
|
}
|
|
2180
2180
|
o.headers || (o.headers = new Headers());
|
|
2181
|
-
for (let
|
|
2182
|
-
|
|
2183
|
-
const
|
|
2181
|
+
for (let i = 0; i < this.bffMaxTries; ++i) {
|
|
2182
|
+
i > 0 && await new Promise((g) => setTimeout(g, this.bffSleepMilliseconds));
|
|
2183
|
+
const a = await this.server.sessionAdapter.getSessionData(
|
|
2184
2184
|
r,
|
|
2185
2185
|
this.sessionDataName
|
|
2186
2186
|
);
|
|
2187
|
-
if (!
|
|
2188
|
-
if (
|
|
2189
|
-
throw new n(
|
|
2187
|
+
if (!a) {
|
|
2188
|
+
if (i == this.bffMaxTries)
|
|
2189
|
+
throw new n(h.Unauthorized, "No access token found");
|
|
2190
2190
|
continue;
|
|
2191
2191
|
}
|
|
2192
|
-
let c =
|
|
2193
|
-
if (
|
|
2192
|
+
let c = a.access_token;
|
|
2193
|
+
if (a && a.access_token) {
|
|
2194
2194
|
const g = await this.refresh(
|
|
2195
2195
|
"silent",
|
|
2196
2196
|
r,
|
|
2197
2197
|
!0,
|
|
2198
|
-
|
|
2199
|
-
|
|
2198
|
+
a.refresh_token,
|
|
2199
|
+
a.expires_at
|
|
2200
2200
|
);
|
|
2201
|
-
if (g instanceof Response) throw new n(
|
|
2201
|
+
if (g instanceof Response) throw new n(h.Configuration, "Expected object when refreshing tokens, not Response");
|
|
2202
2202
|
if (g != null && g.access_token)
|
|
2203
2203
|
c = g.access_token;
|
|
2204
2204
|
else if (g != null && g.error)
|
|
2205
2205
|
continue;
|
|
2206
2206
|
}
|
|
2207
2207
|
o.headers.set("accept", "application/json"), o.headers.set("content-type", "application/json"), c && o.headers.set("authorization", "Bearer " + c);
|
|
2208
|
-
let d,
|
|
2208
|
+
let d, u;
|
|
2209
2209
|
if (r.request.body) {
|
|
2210
2210
|
var s = new b();
|
|
2211
|
-
await s.loadData(r),
|
|
2211
|
+
await s.loadData(r), u = s.toObject();
|
|
2212
2212
|
}
|
|
2213
|
-
if (l.logger.debug(f({ msg: "Calling BFF URL", url: t, method: r.request.method })),
|
|
2213
|
+
if (l.logger.debug(f({ msg: "Calling BFF URL", url: t, method: r.request.method })), u ? d = await fetch(t, {
|
|
2214
2214
|
headers: o.headers,
|
|
2215
2215
|
method: o.method ?? r.request.method,
|
|
2216
|
-
body: JSON.stringify(
|
|
2216
|
+
body: JSON.stringify(u ?? "{}")
|
|
2217
2217
|
}) : d = await fetch(t, {
|
|
2218
2218
|
headers: o.headers,
|
|
2219
2219
|
method: o.method ?? r.request.method
|
|
2220
2220
|
}), d.status == 401) {
|
|
2221
|
-
if (
|
|
2221
|
+
if (i < this.bffMaxTries - 1)
|
|
2222
2222
|
continue;
|
|
2223
2223
|
return d;
|
|
2224
2224
|
} else
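Review bot: The `if (i == this.bffMaxTries)` guard on line 2188 can never be true inside `for (let i = 0; i < this.bffMaxTries; ++i)`, so when no session data is found on any attempt the loop simply exits without raising "No access token found" and control falls through to whatever follows the loop (presumably the `return new Response(null, { status: 401 })` shown in the next hunk), which hides the real cause from the caller and from logs. The retry check later in the same loop uses `i < this.bffMaxTries - 1`; the same convention here would be `if (i == this.bffMaxTries - 1) throw new n(h.Unauthorized, "No access token found");`. The `a && a.access_token` test on line 2193 is also redundant right after the `if (!a)` guard. bff() continues past the end of this hunk.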
|
|
@@ -2227,11 +2227,11 @@ class G extends re {
|
|
|
2227
2227
|
return new Response(null, { status: 401 });
|
|
2228
2228
|
} catch (t) {
|
|
2229
2229
|
if (m.isSvelteKitError(t) || m.isSvelteKitRedirect(t)) throw t;
|
|
2230
|
-
const
|
|
2231
|
-
return l.logger.debug({ err:
|
|
2232
|
-
error:
|
|
2233
|
-
error_description:
|
|
2234
|
-
}, { status:
|
|
2230
|
+
const i = n.asCrossauthError(t);
|
|
2231
|
+
return l.logger.debug({ err: i }), l.logger.error({ cerr: i }), v({
|
|
2232
|
+
error: i.oauthErrorCode,
|
|
2233
|
+
error_description: i.message
|
|
2234
|
+
}, { status: i.httpStatus });
|
|
2235
2235
|
}
|
|
2236
2236
|
}
|
|
2237
2237
|
async unpack(r) {
|
|
@@ -2260,32 +2260,32 @@ class G extends re {
|
|
|
2260
2260
|
*/
|
|
2261
2261
|
async allBff(r, o = {}) {
|
|
2262
2262
|
try {
|
|
2263
|
-
if (l.logger.debug(f({ msg: "Called allBff", url: r.url.toString() })), !this.server.sessionAdapter) throw new n(
|
|
2264
|
-
if (!this.server.oAuthClient) throw new n(
|
|
2265
|
-
if (!this.bffBaseUrl) throw new n(
|
|
2266
|
-
if (!this.bffEndpointName) throw new n(
|
|
2267
|
-
if (!this.bffEndpoints || this.bffEndpoints.length == 0) throw new n(
|
|
2268
|
-
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(
|
|
2263
|
+
if (l.logger.debug(f({ msg: "Called allBff", url: r.url.toString() })), !this.server.sessionAdapter) throw new n(h.Configuration, "Session server must be instantiated to use bff()");
|
|
2264
|
+
if (!this.server.oAuthClient) throw new n(h.Configuration, "OAuth Client not found");
|
|
2265
|
+
if (!this.bffBaseUrl) throw new n(h.Configuration, "Must set bffBaseUrl to use bff()");
|
|
2266
|
+
if (!this.bffEndpointName) throw new n(h.Configuration, "Must set bffEndpointName to use bff()");
|
|
2267
|
+
if (!this.bffEndpoints || this.bffEndpoints.length == 0) throw new n(h.Unauthorized, "Invalid BFF endpoint");
|
|
2268
|
+
if (!r.url.pathname.startsWith(this.bffEndpointName)) throw new n(h.Unauthorized, "Attempt to call BFF url with the wrong prefix");
|
|
2269
2269
|
const s = r.url.pathname.substring(this.bffEndpointName.length);
|
|
2270
2270
|
let e;
|
|
2271
2271
|
for (let t = 0; t < this.bffEndpoints.length; ++t) {
|
|
2272
|
-
let
|
|
2273
|
-
if (
|
|
2274
|
-
let
|
|
2275
|
-
if (c.endsWith("/") || (c += "/"),
|
|
2272
|
+
let i = this.bffEndpoints[t];
|
|
2273
|
+
if (i.matchSubUrls) {
|
|
2274
|
+
let a = i.url, c = i.url;
|
|
2275
|
+
if (c.endsWith("/") || (c += "/"), i.methodsString.includes(r.request.method) && (s.startsWith(c) || s == a)) {
|
|
2276
2276
|
e = t;
|
|
2277
2277
|
break;
|
|
2278
2278
|
}
|
|
2279
2279
|
} else {
|
|
2280
|
-
let
|
|
2281
|
-
if (
|
|
2280
|
+
let a = i.url;
|
|
2281
|
+
if (i.methodsString.includes(r.request.method) && s == a) {
|
|
2282
2282
|
e = t;
|
|
2283
2283
|
break;
|
|
2284
2284
|
}
|
|
2285
2285
|
}
|
|
2286
2286
|
}
|
|
2287
2287
|
if (e != null) return await this.bff(r, o);
|
|
2288
|
-
throw new n(
|
|
2288
|
+
throw new n(h.Unauthorized, "Illegal BFF URL called " + r.url.toString());
|
|
2289
2289
|
} catch (s) {
|
|
2290
2290
|
if (m.isSvelteKitError(s) || m.isSvelteKitRedirect(s)) throw s;
|
|
2291
2291
|
const e = n.asCrossauthError(s);
|
|
@@ -2303,28 +2303,28 @@ class G extends re {
|
|
|
2303
2303
|
let s = new b(!0);
|
|
2304
2304
|
await s.loadData(r);
|
|
2305
2305
|
const e = s.getAsBoolean("decode") ?? !0;
|
|
2306
|
-
if (!this.server.sessionAdapter) throw new n(
|
|
2307
|
-
if (!this.server.oAuthClient) throw new n(
|
|
2306
|
+
if (!this.server.sessionAdapter) throw new n(h.Configuration, "Session server must be instantiated to use bff()");
|
|
2307
|
+
if (!this.server.oAuthClient) throw new n(h.Configuration, "OAuth Client not found");
|
|
2308
2308
|
if (!this.tokenEndpoints || this.tokenEndpoints.length == 0)
|
|
2309
|
-
throw new n(
|
|
2309
|
+
throw new n(h.Unauthorized, "No tokens have been made available");
|
|
2310
2310
|
let t = Array.isArray(o) ? o : [o];
|
|
2311
|
-
const
|
|
2311
|
+
const i = await this.server.sessionAdapter.getSessionData(
|
|
2312
2312
|
r,
|
|
2313
2313
|
this.sessionDataName
|
|
2314
2314
|
);
|
|
2315
|
-
if (!
|
|
2316
|
-
throw new n(
|
|
2317
|
-
let
|
|
2318
|
-
for (let
|
|
2319
|
-
if (!this.tokenEndpoints.includes(
|
|
2315
|
+
if (!i)
|
|
2316
|
+
throw new n(h.Unauthorized, "No access token found");
|
|
2317
|
+
let a = {}, c, d = !1;
|
|
2318
|
+
for (let u of t) {
|
|
2319
|
+
if (!this.tokenEndpoints.includes(u)) throw new n(h.Unauthorized, "Token type " + u + " may not be returned");
|
|
2320
2320
|
d = !1;
|
|
2321
|
-
let g =
|
|
2322
|
-
|
|
2323
|
-
const
|
|
2324
|
-
let S = this.tokenPayload(g,
|
|
2325
|
-
d ?
|
|
2321
|
+
let g = u;
|
|
2322
|
+
u.startsWith("have_") && (g = u.replace("have_", ""), d = !0);
|
|
2323
|
+
const w = g.replace("_token", ""), p = e && this.jwtTokens.includes(w);
|
|
2324
|
+
let S = this.tokenPayload(g, i, d, p);
|
|
2325
|
+
d ? a[u] = S.ok : S && (a[u] = S), c = a[u];
|
|
2326
2326
|
}
|
|
2327
|
-
return Array.isArray(o) ? { status: 200, body:
|
|
2327
|
+
return Array.isArray(o) ? { status: 200, body: a } : c ? d ? { status: 200, body: typeof c == "boolean" ? { ok: c } : c } : { status: 200, body: c } : o.startsWith("have_") ? { status: 200, body: { ok: !1 } } : { status: 204 };
|
|
2328
2328
|
} catch (s) {
|
|
2329
2329
|
if (m.isSvelteKitError(s) || m.isSvelteKitRedirect(s)) throw s;
|
|
2330
2330
|
const e = n.asCrossauthError(s);
|
|
@@ -2342,26 +2342,26 @@ class G extends re {
|
|
|
2342
2342
|
let o;
|
|
2343
2343
|
try {
|
|
2344
2344
|
if (!this.validFlows.includes(_.DeviceCode))
|
|
2345
|
-
throw new n(
|
|
2345
|
+
throw new n(h.Unauthorized, "Device code flow is not supported");
|
|
2346
2346
|
var s = new b();
|
|
2347
2347
|
if (await s.loadData(r), o = s.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2348
2348
|
try {
|
|
2349
2349
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2350
|
-
throw new n(
|
|
2350
|
+
throw new n(h.InvalidCsrf);
|
|
2351
2351
|
} catch (c) {
|
|
2352
|
-
throw m.isSvelteKitError(c) || m.isSvelteKitRedirect(c) ? c : new n(
|
|
2352
|
+
throw m.isSvelteKitError(c) || m.isSvelteKitRedirect(c) ? c : new n(h.Unauthorized, "CSRF token not present");
|
|
2353
2353
|
}
|
|
2354
2354
|
let e = o.scope;
|
|
2355
2355
|
e == "" && (e = void 0);
|
|
2356
2356
|
let t = this.authServerBaseUrl;
|
|
2357
2357
|
t.endsWith("/") || (t += "/"), t += this.deviceAuthorizationUrl;
|
|
2358
|
-
const
|
|
2359
|
-
let
|
|
2360
|
-
return
|
|
2361
|
-
|
|
2358
|
+
const i = await this.startDeviceCodeFlow(t, e);
|
|
2359
|
+
let a;
|
|
2360
|
+
return i.verification_uri_complete && await ae.toDataURL(i.verification_uri_complete).then((c) => {
|
|
2361
|
+
a = c;
|
|
2362
2362
|
}).catch((c) => {
|
|
2363
2363
|
l.logger.debug(f({ err: c })), l.logger.warn(f({ msg: "Couldn't generate verification URL QR Code" }));
|
|
2364
|
-
}),
|
|
2364
|
+
}), a ? { verification_uri_qrdata: a, ...i } : i;
|
|
2365
2365
|
} catch (e) {
|
|
2366
2366
|
if (m.isSvelteKitRedirect(e) || m.isSvelteKitError(e)) throw e;
|
|
2367
2367
|
const t = n.asCrossauthError(e);
|
|
@@ -2375,17 +2375,17 @@ class G extends re {
|
|
|
2375
2375
|
let o;
|
|
2376
2376
|
try {
|
|
2377
2377
|
if (!this.validFlows.includes(_.DeviceCode))
|
|
2378
|
-
throw new n(
|
|
2378
|
+
throw new n(h.Unauthorized, "Device code flow is not supported");
|
|
2379
2379
|
var s = new b();
|
|
2380
2380
|
if (await s.loadData(r), o = s.toObject(), this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2381
2381
|
try {
|
|
2382
2382
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2383
|
-
throw new n(
|
|
2384
|
-
} catch (
|
|
2385
|
-
throw m.isSvelteKitError(
|
|
2383
|
+
throw new n(h.InvalidCsrf);
|
|
2384
|
+
} catch (i) {
|
|
2385
|
+
throw m.isSvelteKitError(i) || m.isSvelteKitRedirect(i) ? i : new n(h.Unauthorized, "CSRF token not present");
|
|
2386
2386
|
}
|
|
2387
2387
|
let e = o.device_code;
|
|
2388
|
-
if (!e) throw new n(
|
|
2388
|
+
if (!e) throw new n(h.BadRequest, "No device code given when polling for user authorization");
|
|
2389
2389
|
const t = this.errorIfIdTokenInvalid(await this.pollDeviceCodeFlow(e));
|
|
2390
2390
|
if (t.access_token && !t.error)
|
|
2391
2391
|
return await this.receiveTokenFn(
|
|
@@ -2397,8 +2397,8 @@ class G extends re {
|
|
|
2397
2397
|
);
|
|
2398
2398
|
{
|
|
2399
2399
|
if (t.error == "authorization_pending") return { ok: !0, ...t };
|
|
2400
|
-
let
|
|
2401
|
-
const c = n.fromOAuthError(
|
|
2400
|
+
let i = t.error ?? "server_error", a = t.error_description ?? "Didn't receive an access token";
|
|
2401
|
+
const c = n.fromOAuthError(i, a);
|
|
2402
2402
|
return this.errorFn(this.server, r, c);
|
|
2403
2403
|
}
|
|
2404
2404
|
} catch (e) {
|
|
@@ -2412,10 +2412,10 @@ class G extends re {
|
|
|
2412
2412
|
if (this.server.sessionAdapter && this.server.sessionAdapter.csrfProtectionEnabled())
|
|
2413
2413
|
try {
|
|
2414
2414
|
if (!this.server.sessionAdapter.getCsrfToken(r))
|
|
2415
|
-
throw new n(
|
|
2415
|
+
throw new n(h.InvalidCsrf);
|
|
2416
2416
|
} catch (s) {
|
|
2417
2417
|
if (m.isSvelteKitError(s) || m.isSvelteKitRedirect(s)) throw s;
|
|
2418
|
-
const e = new n(
|
|
2418
|
+
const e = new n(h.Unauthorized, "CSRF token not present");
|
|
2419
2419
|
return this.errorFn(this.server, r, e);
|
|
2420
2420
|
}
|
|
2421
2421
|
await ((o = this.server.sessionAdapter) == null ? void 0 : o.deleteSessionData(
|
|
@@ -2424,19 +2424,19 @@ class G extends re {
|
|
|
2424
2424
|
));
|
|
2425
2425
|
}
|
|
2426
2426
|
async storeSessionData(r, o) {
|
|
2427
|
-
var s, e, t,
|
|
2427
|
+
var s, e, t, i;
|
|
2428
2428
|
if (this.server.sessionServer) {
|
|
2429
|
-
let
|
|
2430
|
-
|
|
2429
|
+
let a = (s = this.server.sessionServer) == null ? void 0 : s.getSessionCookieValue(r);
|
|
2430
|
+
a ? await ((t = this.server.sessionAdapter) == null ? void 0 : t.updateSessionData(
|
|
2431
2431
|
r,
|
|
2432
2432
|
this.sessionDataName,
|
|
2433
2433
|
o
|
|
2434
|
-
)) :
|
|
2434
|
+
)) : a = await ((e = this.server.sessionServer) == null ? void 0 : e.createAnonymousSession(
|
|
2435
2435
|
r,
|
|
2436
2436
|
{ [this.sessionDataName]: o }
|
|
2437
2437
|
));
|
|
2438
2438
|
} else
|
|
2439
|
-
await ((
|
|
2439
|
+
await ((i = this.server.sessionAdapter) == null ? void 0 : i.updateSessionData(
|
|
2440
2440
|
r,
|
|
2441
2441
|
this.sessionDataName,
|
|
2442
2442
|
o
|
|
@@ -2446,7 +2446,7 @@ class G extends re {
|
|
|
2446
2446
|
return r.id_token && this.jwtTokens.includes("id"), r;
|
|
2447
2447
|
}
|
|
2448
2448
|
}
|
|
2449
|
-
class
|
|
2449
|
+
class Re {
|
|
2450
2450
|
}
|
|
2451
2451
|
class ge extends se {
|
|
2452
2452
|
/**
|
|
@@ -2459,9 +2459,9 @@ class ge extends se {
|
|
|
2459
2459
|
const s = /^[!#\$%&'\(\)\*\+,\.\/a-zA-Z\[\]\^_`-]+/;
|
|
2460
2460
|
for (const [e, t] of Object.entries(o.protectedEndpoints)) {
|
|
2461
2461
|
if (!e.startsWith("/"))
|
|
2462
|
-
throw new n(
|
|
2463
|
-
t.scope && t.scope.forEach((
|
|
2464
|
-
if (!s.test(
|
|
2462
|
+
throw new n(h.Configuration, "protected endpoints must be absolute paths without the protocol and hostname");
|
|
2463
|
+
t.scope && t.scope.forEach((i) => {
|
|
2464
|
+
if (!s.test(i)) throw new n(h.Configuration, "Illegal characters in scope " + i);
|
|
2465
2465
|
});
|
|
2466
2466
|
}
|
|
2467
2467
|
this.protectedEndpoints = { ...o.protectedEndpoints };
|
|
@@ -2473,48 +2473,48 @@ class ge extends se {
|
|
|
2473
2473
|
o.protectedEndpoints && (this.hook = async ({ event: s }) => {
|
|
2474
2474
|
var c, d;
|
|
2475
2475
|
const e = s.url.pathname;
|
|
2476
|
-
let t = !1,
|
|
2476
|
+
let t = !1, i = "";
|
|
2477
2477
|
if (e in this.protectedEndpoints)
|
|
2478
|
-
t = !0,
|
|
2478
|
+
t = !0, i = e;
|
|
2479
2479
|
else
|
|
2480
|
-
for (let
|
|
2481
|
-
e.startsWith(
|
|
2480
|
+
for (let u of this.protectedEndpointPrefixes)
|
|
2481
|
+
e.startsWith(u) && (t = !0), i = u;
|
|
2482
2482
|
if (!t) return;
|
|
2483
|
-
const
|
|
2484
|
-
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[
|
|
2485
|
-
if (!
|
|
2483
|
+
const a = await this.authorized(s);
|
|
2484
|
+
if (!(s.locals.user && s.locals.authType == "cookie" && this.protectedEndpoints[i].acceptSessionAuthorization != !0)) {
|
|
2485
|
+
if (!a) {
|
|
2486
2486
|
s.locals.authError = "access_denied", s.locals.authErrorDescription = "No access token";
|
|
2487
|
-
const
|
|
2487
|
+
const u = this.authenticateHeader(s);
|
|
2488
2488
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2489
2489
|
headers: {
|
|
2490
2490
|
"content-type": "application/json",
|
|
2491
|
-
"WWW-Authenticate":
|
|
2491
|
+
"WWW-Authenticate": u
|
|
2492
2492
|
},
|
|
2493
2493
|
status: 401
|
|
2494
2494
|
});
|
|
2495
2495
|
}
|
|
2496
|
-
if (!
|
|
2497
|
-
const
|
|
2496
|
+
if (!a.authorized) {
|
|
2497
|
+
const u = this.authenticateHeader(s);
|
|
2498
2498
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2499
2499
|
headers: {
|
|
2500
2500
|
"content-type": "application/json",
|
|
2501
|
-
"WWW-Authenticate":
|
|
2501
|
+
"WWW-Authenticate": u
|
|
2502
2502
|
},
|
|
2503
2503
|
status: 401
|
|
2504
2504
|
});
|
|
2505
2505
|
}
|
|
2506
2506
|
}
|
|
2507
|
-
if (
|
|
2508
|
-
if (s.locals.accessTokenPayload =
|
|
2509
|
-
if (Array.isArray(
|
|
2510
|
-
let
|
|
2511
|
-
for (let g of
|
|
2512
|
-
typeof g == "string" &&
|
|
2513
|
-
s.locals.scope =
|
|
2514
|
-
} else typeof
|
|
2515
|
-
if (this.protectedEndpoints[
|
|
2516
|
-
for (let
|
|
2517
|
-
if (!s.locals.scope || !s.locals.scope.includes(
|
|
2507
|
+
if (a) {
|
|
2508
|
+
if (s.locals.accessTokenPayload = a.tokenPayload, s.locals.user = a.user, (c = a.tokenPayload) != null && c.scope)
|
|
2509
|
+
if (Array.isArray(a.tokenPayload.scope)) {
|
|
2510
|
+
let u = [];
|
|
2511
|
+
for (let g of a.tokenPayload.scope)
|
|
2512
|
+
typeof g == "string" && u.push(g);
|
|
2513
|
+
s.locals.scope = u;
|
|
2514
|
+
} else typeof a.tokenPayload.scope == "string" && (s.locals.scope = a.tokenPayload.scope.split(" "));
|
|
2515
|
+
if (this.protectedEndpoints[i].scope) {
|
|
2516
|
+
for (let u of this.protectedEndpoints[i].scope ?? [])
|
|
2517
|
+
if (!s.locals.scope || !s.locals.scope.includes(u) && this.protectedEndpoints[i].acceptSessionAuthorization != !0) {
|
|
2518
2518
|
l.logger.warn(f({
|
|
2519
2519
|
msg: "Access token does not have sufficient scope",
|
|
2520
2520
|
username: (d = s.locals.user) == null ? void 0 : d.username,
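Review bot: The prefix loop on lines 2480-2481 assigns `i = u` unconditionally because of the comma operator, so after the loop `i` is always the last entry of `protectedEndpointPrefixes`, not the prefix that matched the request path. Lines 2484, 2515 and 2516 then read `this.protectedEndpoints[i].acceptSessionAuthorization` and `.scope` for that wrong entry, which either throws a TypeError if it is not a key of `protectedEndpoints` or, worse, applies another endpoint's scope and session-authorization policy to this request. The intent is presumably `e.startsWith(u) && (t = !0, i = u);`, optionally breaking at the first match so the selected entry is deterministic when prefixes overlap. The hook closure continues past the end of this hunk.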
|
|
@@ -2530,23 +2530,23 @@ class ge extends se {
|
|
|
2530
2530
|
});
|
|
2531
2531
|
}
|
|
2532
2532
|
}
|
|
2533
|
-
if (s.locals.authType = "oauth", s.locals.authError =
|
|
2534
|
-
const
|
|
2533
|
+
if (s.locals.authType = "oauth", s.locals.authError = a == null ? void 0 : a.error, (a == null ? void 0 : a.error) == "access_denied") {
|
|
2534
|
+
const u = this.authenticateHeader(s);
|
|
2535
2535
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2536
2536
|
headers: {
|
|
2537
2537
|
"content-type": "application/json",
|
|
2538
|
-
"WWW-Authenticate":
|
|
2538
|
+
"WWW-Authenticate": u
|
|
2539
2539
|
},
|
|
2540
2540
|
status: 401
|
|
2541
2541
|
});
|
|
2542
|
-
} else if (
|
|
2542
|
+
} else if (a != null && a.error)
|
|
2543
2543
|
return new Response(JSON.stringify(this.errorBody), {
|
|
2544
2544
|
headers: {
|
|
2545
2545
|
"content-type": "application/json"
|
|
2546
2546
|
},
|
|
2547
2547
|
status: 500
|
|
2548
2548
|
});
|
|
2549
|
-
s.locals.authErrorDescription =
|
|
2549
|
+
s.locals.authErrorDescription = a == null ? void 0 : a.error_description, l.logger.debug(f({ msg: "Resource server url", url: s.request.url, authorized: s.locals.accessTokenPayload != null }));
|
|
2550
2550
|
}
|
|
2551
2551
|
});
|
|
2552
2552
|
}
|
|
@@ -2617,7 +2617,7 @@ class ge extends se {
|
|
|
2617
2617
|
}
|
|
2618
2618
|
async tokenFromSession(r) {
|
|
2619
2619
|
if (!this.sessionAdapter) throw new n(
|
|
2620
|
-
|
|
2620
|
+
h.Configuration,
|
|
2621
2621
|
"Cannot get session data if sessions not enabled"
|
|
2622
2622
|
);
|
|
2623
2623
|
const o = await this.sessionAdapter.getSessionData(r, this.sessionDataName);
|
|
@@ -2672,22 +2672,22 @@ const D = class D {
|
|
|
2672
2672
|
apiKey: s,
|
|
2673
2673
|
oAuthAuthServer: e,
|
|
2674
2674
|
oAuthClient: t,
|
|
2675
|
-
oAuthClients:
|
|
2676
|
-
oAuthResServer:
|
|
2675
|
+
oAuthClients: i,
|
|
2676
|
+
oAuthResServer: a,
|
|
2677
2677
|
options: c
|
|
2678
2678
|
}) {
|
|
2679
|
-
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (
|
|
2679
|
+
this.loginUrl = "/login", this.audience = "", this.dummyLoad = async (u) => ({}), this.dummyActions = {}, this.dummyBff = async (u) => ({ status: 500, body: { error: "Unimplemented" } }), c || (c = {}), y("loginUrl", E.String, this, c, "LOGIN_URL", !1), c.isAdminFn && (D.isAdminFn = c.isAdminFn);
|
|
2680
2680
|
let d = {};
|
|
2681
2681
|
if (c.authenticators && (d = c.authenticators), this.userStorage = c.userStorage, r) {
|
|
2682
2682
|
if (!d)
|
|
2683
2683
|
throw new n(
|
|
2684
|
-
|
|
2684
|
+
h.Configuration,
|
|
2685
2685
|
"If using session management, must supply authenticators"
|
|
2686
2686
|
);
|
|
2687
2687
|
this.sessionServer = new H(r.keyStorage, d, { ...r.options, ...c }), this.sessionAdapter = this.sessionServer;
|
|
2688
2688
|
} else o && (this.sessionAdapter = o);
|
|
2689
2689
|
if (s) {
|
|
2690
|
-
if (!this.userStorage) throw new n(
|
|
2690
|
+
if (!this.userStorage) throw new n(h.Configuration, "Must define a user storage if using API keys");
|
|
2691
2691
|
this.apiKeyServer = new ne(
|
|
2692
2692
|
this.userStorage,
|
|
2693
2693
|
s.keyStorage,
|
|
@@ -2695,61 +2695,67 @@ const D = class D {
|
|
|
2695
2695
|
);
|
|
2696
2696
|
}
|
|
2697
2697
|
if (e) {
|
|
2698
|
-
let
|
|
2699
|
-
this.loginUrl && (
|
|
2698
|
+
let u = {};
|
|
2699
|
+
this.loginUrl && (u.loginUrl = this.loginUrl), this.oAuthAuthServer = new ce(
|
|
2700
2700
|
this,
|
|
2701
2701
|
e.clientStorage,
|
|
2702
2702
|
e.keyStorage,
|
|
2703
2703
|
d,
|
|
2704
|
-
{ ...
|
|
2704
|
+
{ ...u, ...c, ...e.options }
|
|
2705
2705
|
);
|
|
2706
2706
|
}
|
|
2707
|
-
if (t &&
|
|
2708
|
-
throw new n(
|
|
2707
|
+
if (t && i)
|
|
2708
|
+
throw new n(h.Configuration, "Cannot specify both oAuthClient and oAuthClients");
|
|
2709
2709
|
if (t && (this.oAuthClient = new G(
|
|
2710
2710
|
this,
|
|
2711
2711
|
t.authServerBaseUrl,
|
|
2712
2712
|
{ ...c, ...t.options }
|
|
2713
|
-
)),
|
|
2713
|
+
)), i) {
|
|
2714
2714
|
this.oAuthClients = [];
|
|
2715
|
-
for (let
|
|
2715
|
+
for (let u of i)
|
|
2716
2716
|
this.oAuthClients.push(
|
|
2717
2717
|
new G(
|
|
2718
2718
|
this,
|
|
2719
|
-
|
|
2720
|
-
{ ...c, ...
|
|
2719
|
+
u.authServerBaseUrl,
|
|
2720
|
+
{ ...c, ...u.options }
|
|
2721
2721
|
)
|
|
2722
2722
|
);
|
|
2723
2723
|
}
|
|
2724
|
-
|
|
2724
|
+
a && (y("audience", E.String, this, c, "OAUTH_AUDIENCE", !0), this.oAuthResServer = new ge(
|
|
2725
2725
|
[new te(this.audience, c)],
|
|
2726
|
-
{ sessionAdapter: this.sessionAdapter, ...
|
|
2727
|
-
)), this.hooks = async ({ event:
|
|
2728
|
-
const
|
|
2729
|
-
return
|
|
2726
|
+
{ sessionAdapter: this.sessionAdapter, ...a.options, ...c }
|
|
2727
|
+
)), this.hooks = async ({ event: u, resolve: g }) => {
|
|
2728
|
+
const w = await this.unresolvedHooks(u);
|
|
2729
|
+
return w instanceof Response ? w : await g(w);
|
|
2730
2730
|
};
|
|
2731
2731
|
}
|
|
2732
2732
|
async unresolvedHooks(r) {
|
|
2733
2733
|
var o;
|
|
2734
2734
|
if (r.locals.user = void 0, r.locals.sessionId = void 0, r.locals.csrfToken = void 0, r.locals.authType = void 0, r.locals.scope = void 0, this.sessionServer) {
|
|
2735
|
-
await this.sessionServer.sessionHook({ event: r });
|
|
2736
|
-
|
|
2737
|
-
|
|
2735
|
+
let s = await this.sessionServer.sessionHook({ event: r });
|
|
2736
|
+
if (s.status == 302) {
|
|
2737
|
+
let t;
|
|
2738
|
+
for (let i of s.headers)
|
|
2739
|
+
i.name == "location" && (t = i.value);
|
|
2740
|
+
t && await this.sessionServer.redirect(302, t);
|
|
2741
|
+
}
|
|
2742
|
+
const e = this.userStorage ? await this.sessionServer.twoFAHook({ event: r }) : void 0;
|
|
2743
|
+
if (!(e && e.twofa) && !r.locals.user) {
|
|
2738
2744
|
if (this.sessionServer.isLoginPageProtected(r)) {
|
|
2739
2745
|
if (this.loginUrl) {
|
|
2740
|
-
let
|
|
2741
|
-
return new Response(null, { status: 302, headers: { location: this.loginUrl + "?next=" +
|
|
2746
|
+
let t = encodeURIComponent(r.request.url);
|
|
2747
|
+
return new Response(null, { status: 302, headers: { location: this.loginUrl + "?next=" + t } });
|
|
2742
2748
|
}
|
|
2743
2749
|
return this.sessionServer.error(401, "Unauthorized");
|
|
2744
2750
|
}
|
|
2745
2751
|
if (this.sessionServer.isLoginApiProtected(r))
|
|
2746
2752
|
return this.sessionServer.error(401, "Unauthorized");
|
|
2747
2753
|
}
|
|
2748
|
-
if (!(
|
|
2754
|
+
if (!(e && e.twofa) && this.sessionServer.isAdminPageEndpoint(r) && (!r.locals.user || !D.isAdminFn(r.locals.user)))
|
|
2749
2755
|
return this.sessionServer.unauthorizedUrl ? new Response(null, { status: 302, headers: { location: this.sessionServer.unauthorizedUrl } }) : this.sessionServer.error(401, "Unauthorized");
|
|
2750
|
-
if (!(
|
|
2756
|
+
if (!(e && e.twofa) && this.sessionServer.isAdminApiEndpoint(r) && (!r.locals.user || !D.isAdminFn(r.locals.user)))
|
|
2751
2757
|
return this.sessionServer.error(401, "Unauthorized");
|
|
2752
|
-
if (
|
|
2758
|
+
if (e != null && e.response) return e.response;
|
|
2753
2759
|
}
|
|
2754
2760
|
if (this.apiKeyServer && await this.apiKeyServer.hook({ event: r }), this.oAuthClient && await this.oAuthClient.hook({ event: r }), (o = this.oAuthResServer) != null && o.hook) {
|
|
2755
2761
|
const s = await this.oAuthResServer.hook({ event: r });
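Review bot: In the new 2FA gating on lines 2743-2758, the `!(e && e.twofa)` exemption skips both the login-page/API protection and the admin-endpoint checks whenever twoFAHook reports a pending second factor, and the only thing that then stops the request is `if (e != null && e.response) return e.response;` on line 2758, which runs after those skipped checks. If twoFAHook can ever set `twofa` without also supplying a `response`, such a request would reach the API-key, OAuth-client and resource-server hooks below without having passed the login or admin gates; returning `e.response` immediately after the twoFAHook call, or leaving the admin checks unconditional, removes that dependency. Separately, the `for (let i of s.headers) i.name == "location" && (t = i.value);` loop on lines 2738-2739 only works if sessionHook returns its own `{ name, value }` header records; a standard `Headers` object iterates as `[name, value]` pairs and `t` would never be set, so this is worth confirming against sessionHook's declared return type. unresolvedHooks continues past the end of this hunk.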
|
|
@@ -2782,7 +2788,7 @@ D.isAdminFn = pe;
|
|
|
2782
2788
|
let m = D;
|
|
2783
2789
|
class we {
|
|
2784
2790
|
constructor(r, o) {
|
|
2785
|
-
this.changePasswordUrl =
|
|
2791
|
+
if (this.changePasswordUrl = void 0, this.changeFactor2Url = void 0, this.configureFactor2Url = void 0, this.requestPasswordResetUrl = void 0, this.loginRedirectUrl = "/", this.loginUrl = "/login", this.signupEndpoint = {
|
|
2786
2792
|
load: async (s) => {
|
|
2787
2793
|
var t;
|
|
2788
2794
|
return {
|
|
@@ -2802,7 +2808,7 @@ class we {
|
|
|
2802
2808
|
login: async (s) => {
|
|
2803
2809
|
var t;
|
|
2804
2810
|
const e = await this.login(s);
|
|
2805
|
-
return (e == null ? void 0 : e.ok) == !0 && !(e != null && e.factor2Required) && this.sessionServer.redirect(302, ((t = e.formData) == null ? void 0 : t.next) ?? this.loginRedirectUrl), e && ((e == null ? void 0 : e.errorCode) ==
|
|
2811
|
+
return (e == null ? void 0 : e.ok) == !0 && !(e != null && e.factor2Required) && this.sessionServer.redirect(302, ((t = e.formData) == null ? void 0 : t.next) ?? this.loginRedirectUrl), e && ((e == null ? void 0 : e.errorCode) == h.UserNotExist || (e == null ? void 0 : e.errorCode) == h.PasswordInvalid) && (e.error = "Username or password is invalid"), e;
|
|
2806
2812
|
},
|
|
2807
2813
|
factor2: async (s) => {
|
|
2808
2814
|
var t;
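Review bot: The redirect on line 2811 sends the browser to `e.formData.next` whenever login succeeds, and `next` comes straight from the submitted form; nothing visible here checks that it is a relative path or a same-origin URL, so unless `login()` or `sessionServer.redirect` validates it elsewhere this is an open redirect that a crafted login link can exploit after a successful sign-in. Because unresolvedHooks fills `next` with the full `encodeURIComponent(r.request.url)` on line 2746, the check should accept `next` only when it begins with a single `/` (not `//`) or parses, relative to `s.url`, to a URL whose origin equals `s.url.origin`, and otherwise fall back to `this.loginRedirectUrl`; the same guard belongs wherever the other `next` values in this file are redirected to. The `we` constructor that contains this action starts and ends outside this hunk.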
|
|
@@ -2828,18 +2834,18 @@ class we {
|
|
|
2828
2834
|
reconfigure: async (s) => await this.reconfigureFactor2(s)
|
|
2829
2835
|
},
|
|
2830
2836
|
load: async (s) => {
|
|
2831
|
-
var
|
|
2832
|
-
let e = (
|
|
2837
|
+
var u;
|
|
2838
|
+
let e = (u = s.locals.user) == null ? void 0 : u.username;
|
|
2833
2839
|
if (!this.isSessionUser(s) || !s.locals.user) {
|
|
2834
2840
|
const g = await this.sessionServer.getSessionData(s, "factor2change");
|
|
2835
2841
|
g != null && g.username || this.isSessionUser(s) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), e = g == null ? void 0 : g.username;
|
|
2836
2842
|
}
|
|
2837
|
-
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }],
|
|
2838
|
-
|
|
2843
|
+
let t = this.sessionServer.allowedFactor2 ?? [{ name: "none", friendlyName: "None", configurable: !1 }], i = {}, a = s.url.searchParams.get("required"), c;
|
|
2844
|
+
a && (a = a.toLowerCase(), c = a == "true" || a == "1", c == !0 && (i.required = !0));
|
|
2839
2845
|
let d = s.url.searchParams.get("next");
|
|
2840
|
-
return d && (
|
|
2846
|
+
return d && (i.next = d), {
|
|
2841
2847
|
allowedFactor2: t,
|
|
2842
|
-
...
|
|
2848
|
+
...i,
|
|
2843
2849
|
username: e,
|
|
2844
2850
|
...this.baseEndpoint(s)
|
|
2845
2851
|
};
|
|
@@ -2849,12 +2855,12 @@ class we {
|
|
|
2849
2855
|
default: async (s) => await this.changePassword(s)
|
|
2850
2856
|
},
|
|
2851
2857
|
load: async (s) => {
|
|
2852
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2853
|
-
if (!
|
|
2858
|
+
let e = {}, t = s.url.searchParams.get("required"), i, a = s.locals.user != null;
|
|
2859
|
+
if (!a) {
|
|
2854
2860
|
const d = await this.sessionServer.getSessionData(s, "passwordchange");
|
|
2855
|
-
d != null && d.username && (
|
|
2861
|
+
d != null && d.username && (a = !0);
|
|
2856
2862
|
}
|
|
2857
|
-
|
|
2863
|
+
a || this.sessionServer.redirect(302, this.loginUrl), t && (t = t.toLowerCase(), i = t == "true" || t == "1", i == !0 && (e.required = !0));
|
|
2858
2864
|
let c = s.url.searchParams.get("next");
|
|
2859
2865
|
return c && (e.next = c), {
|
|
2860
2866
|
...e,
|
|
@@ -2880,8 +2886,8 @@ class we {
|
|
|
2880
2886
|
default: async (s) => await this.requestPasswordReset(s)
|
|
2881
2887
|
},
|
|
2882
2888
|
load: async (s) => {
|
|
2883
|
-
let e = {}, t = s.url.searchParams.get("required"),
|
|
2884
|
-
return t && (t = t.toLowerCase(),
|
|
2889
|
+
let e = {}, t = s.url.searchParams.get("required"), i;
|
|
2890
|
+
return t && (t = t.toLowerCase(), i = t == "true" || t == "1", i == !0 && (e.required = !0)), {
|
|
2885
2891
|
...e,
|
|
2886
2892
|
...this.baseEndpoint(s)
|
|
2887
2893
|
};
|
|
@@ -2890,7 +2896,7 @@ class we {
|
|
|
2890
2896
|
actions: {
|
|
2891
2897
|
default: async (s) => {
|
|
2892
2898
|
let e = await this.validatePasswordResetToken(s);
|
|
2893
|
-
if (!(e != null && e.user)) throw new n(
|
|
2899
|
+
if (!(e != null && e.user)) throw new n(h.InvalidToken, "The password reset token is invalid");
|
|
2894
2900
|
if (e.user.factor2 != "" && !s.locals.sessionId && await this.sessionServer.createAnonymousSession(s, { user: { username: e.user.username } }), e != null && e.error)
|
|
2895
2901
|
return {
|
|
2896
2902
|
ok: !1,
|
|
@@ -2901,14 +2907,14 @@ class we {
|
|
|
2901
2907
|
try {
|
|
2902
2908
|
return e = await this.resetPassword(s), e;
|
|
2903
2909
|
} catch (t) {
|
|
2904
|
-
const
|
|
2910
|
+
const i = n.asCrossauthError(t);
|
|
2905
2911
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
2906
|
-
return l.logger.debug(f({ err:
|
|
2912
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
2907
2913
|
ok: !1,
|
|
2908
2914
|
tokenValidated: !1,
|
|
2909
2915
|
error: e == null ? void 0 : e.error,
|
|
2910
|
-
errorCode:
|
|
2911
|
-
errorCodeName:
|
|
2916
|
+
errorCode: i.code,
|
|
2917
|
+
errorCodeName: i.codeName,
|
|
2912
2918
|
...this.baseEndpoint(s)
|
|
2913
2919
|
};
|
|
2914
2920
|
}
|
|
@@ -2918,7 +2924,7 @@ class we {
|
|
|
2918
2924
|
try {
|
|
2919
2925
|
if (s.request.method != "POST") {
|
|
2920
2926
|
const e = await this.validatePasswordResetToken(s);
|
|
2921
|
-
if (!(e != null && e.user)) throw new n(
|
|
2927
|
+
if (!(e != null && e.user)) throw new n(h.InvalidToken, "The password reset token is invalid");
|
|
2922
2928
|
return e.user.factor2 != "" && !s.locals.sessionId && await this.sessionServer.createAnonymousSession(s, { user: { username: e.user.username } }), {
|
|
2923
2929
|
tokenValidated: (e == null ? void 0 : e.ok) ?? !1,
|
|
2924
2930
|
error: e == null ? void 0 : e.error,
|
|
@@ -2956,7 +2962,16 @@ class we {
|
|
|
2956
2962
|
...e
|
|
2957
2963
|
};
|
|
2958
2964
|
}
|
|
2959
|
-
}, this.sessionServer = r, y("changePasswordUrl", E.String, this, o, "CHANGE_PASSWORD_URL"), y("requestPasswordResetUrl", E.String, this, o, "REQUEST_PASSWORD_RESET_URL"), y("changeFactor2Url", E.String, this, o, "CHANGE_FACTOR2_URL"), y("loginRedirectUrl", E.JsonArray, this, o, "LOGIN_REDIRECT_URL"), y("loginUrl", E.JsonArray, this, o, "LOGIN_URL"), o.addToSession && (this.addToSession = o.addToSession)
|
|
2965
|
+
}, this.sessionServer = r, y("changePasswordUrl", E.String, this, o, "CHANGE_PASSWORD_URL"), y("requestPasswordResetUrl", E.String, this, o, "REQUEST_PASSWORD_RESET_URL"), y("changeFactor2Url", E.String, this, o, "CHANGE_FACTOR2_URL"), y("configureFactor2Url", E.String, this, o, "CONFIGURE_FACTOR2_URL"), y("loginRedirectUrl", E.JsonArray, this, o, "LOGIN_REDIRECT_URL"), y("loginUrl", E.JsonArray, this, o, "LOGIN_URL"), o.addToSession && (this.addToSession = o.addToSession), this.changePasswordUrl && !this.changePasswordUrl.startsWith("/"))
|
|
2966
|
+
throw new n(h.Configuration, "changePasswordUrl must be an absolute path");
|
|
2967
|
+
if (this.requestPasswordResetUrl && !this.requestPasswordResetUrl.startsWith("/"))
|
|
2968
|
+
throw new n(h.Configuration, "requestPasswordResetUrl must be an absolute path");
|
|
2969
|
+
if (this.changeFactor2Url && !this.changeFactor2Url.startsWith("/"))
|
|
2970
|
+
throw new n(h.Configuration, "changeFactor2Url must be an absolute path");
|
|
2971
|
+
if (this.configureFactor2Url && !this.configureFactor2Url.startsWith("/"))
|
|
2972
|
+
throw new n(h.Configuration, "configureFactor2Url must be an absolute path");
|
|
2973
|
+
if (!this.loginUrl.startsWith("/"))
|
|
2974
|
+
throw new n(h.Configuration, "loginUrl must be an absolute path");
|
|
2960
2975
|
}
|
|
2961
2976
|
/** Returns whether there is a user logged in with a cookie-based session
|
|
2962
2977
|
*/
|
|
@@ -3010,49 +3025,56 @@ class we {
|
|
|
3010
3025
|
await s.loadData(r), o = s.toObject();
|
|
3011
3026
|
const e = s.get("username") ?? "", t = s.getAsBoolean("persist") ?? !1;
|
|
3012
3027
|
o.next.includes("/__data.json") && (o.next = o.next.substring(0, o.next.indexOf("/__data.json")));
|
|
3013
|
-
let
|
|
3014
|
-
if (e == "") throw new n(
|
|
3015
|
-
let
|
|
3016
|
-
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new n(
|
|
3028
|
+
let i = o.next ?? this.loginRedirectUrl;
|
|
3029
|
+
if (e == "") throw new n(h.InvalidUsername, "Username field may not be empty");
|
|
3030
|
+
let a = this.addToSession ? this.addToSession(r, o) : {};
|
|
3031
|
+
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken) throw new n(h.InvalidCsrf);
|
|
3017
3032
|
const c = this.sessionServer.getSessionCookieValue(r);
|
|
3018
|
-
let { sessionCookie: d, csrfCookie:
|
|
3033
|
+
let { sessionCookie: d, csrfCookie: u, user: g } = await this.sessionServer.sessionManager.login(e, s.toObject(), a, t);
|
|
3019
3034
|
if (l.logger.debug(f({
|
|
3020
3035
|
msg: "Login: set session cookie " + d.name + " opts " + JSON.stringify(d.options),
|
|
3021
3036
|
user: e
|
|
3022
3037
|
})), r.cookies.set(
|
|
3023
3038
|
d.name,
|
|
3024
3039
|
d.value,
|
|
3025
|
-
|
|
3040
|
+
P(d.options)
|
|
3026
3041
|
), l.logger.debug(f({
|
|
3027
|
-
msg: "Login: set csrf cookie " +
|
|
3042
|
+
msg: "Login: set csrf cookie " + u.name + " opts " + JSON.stringify(d.options),
|
|
3028
3043
|
user: e
|
|
3029
3044
|
})), this.sessionServer.enableCsrfProtection && (r.cookies.set(
|
|
3030
|
-
|
|
3031
|
-
|
|
3032
|
-
|
|
3033
|
-
), r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(
|
|
3045
|
+
u.name,
|
|
3046
|
+
u.value,
|
|
3047
|
+
P(u.options)
|
|
3048
|
+
), r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(u.value)), c)
|
|
3034
3049
|
try {
|
|
3035
3050
|
await this.sessionServer.sessionManager.deleteSession(c);
|
|
3036
|
-
} catch (
|
|
3051
|
+
} catch (w) {
|
|
3037
3052
|
l.logger.warn(f({
|
|
3038
3053
|
msg: "Couldn't delete session ID from database",
|
|
3039
3054
|
hashOfSessionId: this.sessionServer.getHashOfSessionId(r)
|
|
3040
|
-
})), l.logger.debug(f({ err:
|
|
3055
|
+
})), l.logger.debug(f({ err: w }));
|
|
3041
3056
|
}
|
|
3042
|
-
if (g.state ==
|
|
3043
|
-
|
|
3044
|
-
|
|
3045
|
-
|
|
3046
|
-
|
|
3047
|
-
if (g.state ==
|
|
3048
|
-
throw new n(
|
|
3049
|
-
|
|
3057
|
+
if (g.state == I.passwordChangeNeeded) {
|
|
3058
|
+
if (!this.changePasswordUrl)
|
|
3059
|
+
throw new n(h.Configuration, "Must set changePasswordUrl in session server");
|
|
3060
|
+
this.sessionServer.redirect(302, this.changePasswordUrl + "?required=true&next=" + encodeURIComponent("login?next=" + i));
|
|
3061
|
+
} else {
|
|
3062
|
+
if (g.state == I.passwordResetNeeded)
|
|
3063
|
+
throw new n(h.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3064
|
+
if (g.state == I.passwordAndFactor2ResetNeeded)
|
|
3065
|
+
throw new n(h.PasswordResetNeeded, "Please click on the link we sent you to reset your password");
|
|
3066
|
+
if (this.sessionServer.allowedFactor2.length > 0 && g.state == I.factor2ResetNeeded || !this.sessionServer.allowedFactor2Names.includes(g.factor2 ? g.factor2 : "none")) {
|
|
3067
|
+
if (!this.changeFactor2Url)
|
|
3068
|
+
throw new n(h.Configuration, "Must set changeFactor2Url in session server");
|
|
3069
|
+
this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + i));
|
|
3070
|
+
} else
|
|
3071
|
+
(!g.factor2 || g.factor2 == "") && (r.locals.user = g);
|
|
3050
3072
|
}
|
|
3051
3073
|
return {
|
|
3052
3074
|
user: g,
|
|
3053
3075
|
formData: o,
|
|
3054
3076
|
factor2Required: g.factor2 && g.factor2 != "",
|
|
3055
|
-
next:
|
|
3077
|
+
next: i,
|
|
3056
3078
|
ok: !0
|
|
3057
3079
|
};
|
|
3058
3080
|
} catch (e) {
|
|
@@ -3073,29 +3095,29 @@ class we {
|
|
|
3073
3095
|
async loginWithUser(r, o, s) {
|
|
3074
3096
|
const e = s.locals.sessionId, t = new b();
|
|
3075
3097
|
await t.loadData(s);
|
|
3076
|
-
let
|
|
3098
|
+
let i = this.addToSession ? this.addToSession(s, t.toObject()) : {}, { sessionCookie: a, csrfCookie: c, csrfFormOrHeaderValue: d } = await this.sessionServer.sessionManager.login("", {}, i, void 0, r, o);
|
|
3077
3099
|
if (l.logger.debug(f({
|
|
3078
|
-
msg: "Login: set session cookie " +
|
|
3100
|
+
msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
|
|
3079
3101
|
user: r.username
|
|
3080
3102
|
})), s.cookies.set(
|
|
3081
|
-
|
|
3082
|
-
|
|
3083
|
-
|
|
3103
|
+
a.name,
|
|
3104
|
+
a.value,
|
|
3105
|
+
P(a.options)
|
|
3084
3106
|
), l.logger.debug(f({
|
|
3085
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3107
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(a.options),
|
|
3086
3108
|
user: r.username
|
|
3087
3109
|
})), this.sessionServer.enableCsrfProtection && s.cookies.set(
|
|
3088
3110
|
c.name,
|
|
3089
3111
|
c.value,
|
|
3090
|
-
|
|
3091
|
-
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(
|
|
3112
|
+
P(c.options)
|
|
3113
|
+
), s.locals.user = r, s.locals.csrfToken = d, s.locals.sessionId = this.sessionServer.sessionManager.getSessionId(a.value), e)
|
|
3092
3114
|
try {
|
|
3093
3115
|
await this.sessionServer.sessionManager.deleteSession(e);
|
|
3094
|
-
} catch (
|
|
3116
|
+
} catch (u) {
|
|
3095
3117
|
l.logger.warn(f({
|
|
3096
3118
|
msg: "Couldn't delete session ID from database",
|
|
3097
3119
|
hashOfSessionId: this.sessionServer.getHashOfSessionId(s)
|
|
3098
|
-
})), l.logger.debug(f({ err:
|
|
3120
|
+
})), l.logger.debug(f({ err: u }));
|
|
3099
3121
|
}
|
|
3100
3122
|
return {
|
|
3101
3123
|
user: r,
|
|
@@ -3192,38 +3214,38 @@ class we {
|
|
|
3192
3214
|
async signup(r) {
|
|
3193
3215
|
let o;
|
|
3194
3216
|
try {
|
|
3195
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3217
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3196
3218
|
var s = new b();
|
|
3197
3219
|
await s.loadData(r), o = s.toObject();
|
|
3198
3220
|
const e = s.get("username") ?? "";
|
|
3199
3221
|
let t;
|
|
3200
3222
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3201
|
-
throw new n(
|
|
3202
|
-
if (e == "") throw new n(
|
|
3223
|
+
throw new n(h.InvalidCsrf);
|
|
3224
|
+
if (e == "") throw new n(h.InvalidUsername, "Username field may not be empty");
|
|
3203
3225
|
if (o.factor2 || (o.factor2 = this.sessionServer.allowedFactor2Names[0]), o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2 ?? "none"))
|
|
3204
3226
|
throw new n(
|
|
3205
|
-
|
|
3227
|
+
h.Forbidden,
|
|
3206
3228
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3207
3229
|
);
|
|
3208
|
-
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields);
|
|
3209
|
-
let
|
|
3210
|
-
const
|
|
3230
|
+
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(r, o, this.sessionServer.userStorage.userEditableFields, this.sessionServer.userAllowedFactor1);
|
|
3231
|
+
let i = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
3232
|
+
const a = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
3211
3233
|
let c = {};
|
|
3212
|
-
for (let
|
|
3213
|
-
if (
|
|
3214
|
-
const
|
|
3215
|
-
|
|
3234
|
+
for (let w in o)
|
|
3235
|
+
if (w.startsWith("repeat_")) {
|
|
3236
|
+
const p = w.replace(/^repeat_/, "");
|
|
3237
|
+
a.includes(p) && (c[p] = o[w]);
|
|
3216
3238
|
}
|
|
3217
3239
|
Object.keys(c).length === 0 && (c = void 0), t.state = "active", o.factor2 && o.factor2 != "none" ? t.state = "awaitingtwofactor" : this.sessionServer.enableEmailVerification && (t.state = "awaitingemailverification");
|
|
3218
|
-
let
|
|
3219
|
-
if (
|
|
3220
|
-
throw new n(
|
|
3240
|
+
let u = [...this.sessionServer.validateUserFn(t), ...i];
|
|
3241
|
+
if (u.length > 0)
|
|
3242
|
+
throw new n(h.FormEntry, u);
|
|
3221
3243
|
let g = !1;
|
|
3222
3244
|
try {
|
|
3223
|
-
const { user:
|
|
3224
|
-
await this.sessionServer.sessionManager.authenticators[t.factor1].authenticateUser(
|
|
3225
|
-
} catch (
|
|
3226
|
-
n.asCrossauthError(
|
|
3245
|
+
const { user: w, secrets: p } = await this.sessionServer.userStorage.getUserByUsername(e);
|
|
3246
|
+
await this.sessionServer.sessionManager.authenticators[t.factor1].authenticateUser(w, p, o);
|
|
3247
|
+
} catch (w) {
|
|
3248
|
+
n.asCrossauthError(w).code == h.TwoFactorIncomplete && (g = !0);
|
|
3227
3249
|
}
|
|
3228
3250
|
if (!o.factor2 && !g)
|
|
3229
3251
|
return await this.sessionServer.sessionManager.createUser(
|
|
@@ -3232,13 +3254,13 @@ class we {
|
|
|
3232
3254
|
c
|
|
3233
3255
|
), this.sessionServer.enableEmailVerification ? { emailVerificationRequired: !0, user: t, ok: !0, formData: o } : { ...await this.login(r), formData: o };
|
|
3234
3256
|
{
|
|
3235
|
-
let
|
|
3257
|
+
let w;
|
|
3236
3258
|
if (g) {
|
|
3237
|
-
if (!r.locals.sessionId) throw new n(
|
|
3238
|
-
|
|
3259
|
+
if (!r.locals.sessionId) throw new n(h.Unauthorized);
|
|
3260
|
+
w = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId)).userData;
|
|
3239
3261
|
} else {
|
|
3240
|
-
const
|
|
3241
|
-
|
|
3262
|
+
const p = await this.sessionServer.createAnonymousSession(r), S = this.sessionServer.sessionManager.getSessionId(p);
|
|
3263
|
+
w = (await this.sessionServer.sessionManager.initiateTwoFactorSignup(
|
|
3242
3264
|
t,
|
|
3243
3265
|
o,
|
|
3244
3266
|
S,
|
|
@@ -3246,14 +3268,14 @@ class we {
|
|
|
3246
3268
|
)).userData;
|
|
3247
3269
|
}
|
|
3248
3270
|
try {
|
|
3249
|
-
let
|
|
3250
|
-
userData:
|
|
3271
|
+
let p = {
|
|
3272
|
+
userData: w,
|
|
3251
3273
|
username: e,
|
|
3252
3274
|
factor2: o.factor2 ?? "none"
|
|
3253
3275
|
};
|
|
3254
|
-
return this.sessionServer.enableCsrfProtection && (
|
|
3255
|
-
} catch (
|
|
3256
|
-
l.logger.error(f({ err:
|
|
3276
|
+
return this.sessionServer.enableCsrfProtection && (p.csrfToken = r.locals.csrfToken), { factor2Data: p, ok: !0, factor2Required: !0, formData: o };
|
|
3277
|
+
} catch (p) {
|
|
3278
|
+
l.logger.error(f({ err: p }));
|
|
3257
3279
|
try {
|
|
3258
3280
|
this.sessionServer.sessionManager.deleteUserByUsername(e);
|
|
3259
3281
|
} catch (S) {
|
|
@@ -3301,9 +3323,9 @@ class we {
|
|
|
3301
3323
|
async verifyEmail(r) {
|
|
3302
3324
|
var o;
|
|
3303
3325
|
try {
|
|
3304
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3326
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3305
3327
|
const s = r.params.token;
|
|
3306
|
-
if (!s) throw new n(
|
|
3328
|
+
if (!s) throw new n(h.InvalidToken, "Invalid email verification token");
|
|
3307
3329
|
const e = await this.sessionServer.sessionManager.applyEmailVerificationToken(s);
|
|
3308
3330
|
if (await this.loginWithUser(e, !0, r), r.locals.user) {
|
|
3309
3331
|
const t = await this.sessionServer.userStorage.getUserById((o = r.locals.user) == null ? void 0 : o.id);
|
|
@@ -3349,41 +3371,46 @@ class we {
|
|
|
3349
3371
|
try {
|
|
3350
3372
|
var t = new b();
|
|
3351
3373
|
await t.loadData(r), o = t.toObject();
|
|
3352
|
-
const
|
|
3353
|
-
if (
|
|
3354
|
-
else throw new n(
|
|
3374
|
+
const i = await this.sessionServer.getSessionData(r, "2fa");
|
|
3375
|
+
if (i != null && i.factor2) e = i == null ? void 0 : i.factor2;
|
|
3376
|
+
else throw new n(h.BadRequest, "Two factor authentication was not started");
|
|
3355
3377
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3356
|
-
throw new n(
|
|
3378
|
+
throw new n(h.InvalidCsrf);
|
|
3357
3379
|
if (!r.locals.sessionId) throw new n(
|
|
3358
|
-
|
|
3380
|
+
h.Unauthorized,
|
|
3359
3381
|
"No session active while enabling 2FA. Please enable cookies"
|
|
3360
3382
|
);
|
|
3361
|
-
let
|
|
3383
|
+
let a = await this.sessionServer.sessionManager.completeTwoFactorSetup(
|
|
3362
3384
|
o,
|
|
3363
3385
|
r.locals.sessionId
|
|
3364
3386
|
);
|
|
3365
|
-
return this.sessionServer.enableEmailVerification || await this.loginWithUser(
|
|
3387
|
+
return this.sessionServer.enableEmailVerification || await this.loginWithUser(a, !0, r), r.locals.user ? {
|
|
3366
3388
|
ok: !0,
|
|
3367
|
-
user:
|
|
3389
|
+
user: a,
|
|
3368
3390
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
3369
|
-
} : await this.loginWithUser(
|
|
3370
|
-
} catch (
|
|
3371
|
-
const
|
|
3391
|
+
} : await this.loginWithUser(a, !0, r);
|
|
3392
|
+
} catch (i) {
|
|
3393
|
+
const a = n.asCrossauthError(i);
|
|
3372
3394
|
let c;
|
|
3373
3395
|
try {
|
|
3374
3396
|
c = (await this.sessionServer.sessionManager.repeatTwoFactorSignup(r.locals.sessionId ?? "")).userData;
|
|
3375
3397
|
} catch {
|
|
3376
3398
|
}
|
|
3377
|
-
return c
|
|
3399
|
+
return c ? s = {
|
|
3378
3400
|
userData: c,
|
|
3379
3401
|
csrfToken: r.locals.csrfToken,
|
|
3380
3402
|
username: c.username ?? "",
|
|
3381
3403
|
factor2: e
|
|
3382
|
-
}
|
|
3404
|
+
} : s = {
|
|
3405
|
+
userData: {},
|
|
3406
|
+
csrfToken: r.locals.csrfToken,
|
|
3407
|
+
username: "",
|
|
3408
|
+
factor2: e
|
|
3409
|
+
}, l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
3383
3410
|
ok: !1,
|
|
3384
|
-
error:
|
|
3385
|
-
errorCode:
|
|
3386
|
-
errorCodeName:
|
|
3411
|
+
error: a.message,
|
|
3412
|
+
errorCode: a.code,
|
|
3413
|
+
errorCodeName: a.codeName,
|
|
3387
3414
|
formData: o,
|
|
3388
3415
|
factor2Data: s,
|
|
3389
3416
|
emailVerificationRequired: this.sessionServer.enableEmailVerification
|
|
@@ -3416,30 +3443,30 @@ class we {
|
|
|
3416
3443
|
var s = new b();
|
|
3417
3444
|
await s.loadData(r), o = s.toObject();
|
|
3418
3445
|
const e = s.getAsBoolean("persist") ?? !1, t = r.locals.sessionId;
|
|
3419
|
-
if (!t) throw new n(
|
|
3446
|
+
if (!t) throw new n(h.Unauthorized);
|
|
3420
3447
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3421
|
-
throw new n(
|
|
3422
|
-
let
|
|
3423
|
-
const { sessionCookie:
|
|
3448
|
+
throw new n(h.InvalidCsrf);
|
|
3449
|
+
let i = this.addToSession ? this.addToSession(r, o) : {};
|
|
3450
|
+
const { sessionCookie: a, csrfCookie: c, user: d } = await this.sessionServer.sessionManager.completeTwoFactorLogin(
|
|
3424
3451
|
o,
|
|
3425
3452
|
t,
|
|
3426
|
-
|
|
3453
|
+
i,
|
|
3427
3454
|
e
|
|
3428
3455
|
);
|
|
3429
3456
|
return l.logger.debug(f({
|
|
3430
|
-
msg: "Login: set session cookie " +
|
|
3457
|
+
msg: "Login: set session cookie " + a.name + " opts " + JSON.stringify(a.options),
|
|
3431
3458
|
user: d == null ? void 0 : d.username
|
|
3432
3459
|
})), r.cookies.set(
|
|
3433
|
-
|
|
3434
|
-
|
|
3435
|
-
|
|
3460
|
+
a.name,
|
|
3461
|
+
a.value,
|
|
3462
|
+
P(a.options)
|
|
3436
3463
|
), l.logger.debug(f({
|
|
3437
|
-
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(
|
|
3464
|
+
msg: "Login: set csrf cookie " + c.name + " opts " + JSON.stringify(a.options),
|
|
3438
3465
|
user: d == null ? void 0 : d.username
|
|
3439
3466
|
})), r.cookies.set(
|
|
3440
3467
|
c.name,
|
|
3441
3468
|
c.value,
|
|
3442
|
-
|
|
3469
|
+
P(c.options)
|
|
3443
3470
|
), this.sessionServer.enableCsrfProtection && (r.locals.csrfToken = await this.sessionServer.sessionManager.createCsrfFormOrHeaderValue(c.value)), r.locals.user = d, {
|
|
3444
3471
|
user: d,
|
|
3445
3472
|
ok: !0,
|
|
@@ -3462,12 +3489,12 @@ class we {
|
|
|
3462
3489
|
var s = new b();
|
|
3463
3490
|
await s.loadData(r), o = s.toObject();
|
|
3464
3491
|
const e = s.get("email") ?? "";
|
|
3465
|
-
if (e == "") throw new n(
|
|
3492
|
+
if (e == "") throw new n(h.InvalidUsername, "Email field may not be empty");
|
|
3466
3493
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3467
|
-
throw new n(
|
|
3494
|
+
throw new n(h.InvalidCsrf);
|
|
3468
3495
|
if (!this.sessionServer.enablePasswordReset)
|
|
3469
3496
|
throw new n(
|
|
3470
|
-
|
|
3497
|
+
h.Configuration,
|
|
3471
3498
|
"Password reset not enabled"
|
|
3472
3499
|
);
|
|
3473
3500
|
return await this.sessionServer.sessionManager.requestPasswordReset(e), { formData: o, ok: !0 };
|
|
@@ -3504,7 +3531,7 @@ class we {
|
|
|
3504
3531
|
l.logger.debug(f({ msg: "validatePasswordResetToken " + r.request.method }));
|
|
3505
3532
|
try {
|
|
3506
3533
|
const o = r.params.token;
|
|
3507
|
-
if (!o) throw new n(
|
|
3534
|
+
if (!o) throw new n(h.InvalidToken, "Invalid email verification token");
|
|
3508
3535
|
return {
|
|
3509
3536
|
ok: !0,
|
|
3510
3537
|
user: await this.sessionServer.sessionManager.userForPasswordResetToken(o),
|
|
@@ -3545,32 +3572,34 @@ class we {
|
|
|
3545
3572
|
try {
|
|
3546
3573
|
var s = new b();
|
|
3547
3574
|
if (await s.loadData(r), o = s.toObject(), this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3548
|
-
throw new n(
|
|
3575
|
+
throw new n(h.InvalidCsrf);
|
|
3549
3576
|
if (!this.sessionServer.enablePasswordReset)
|
|
3550
3577
|
throw new n(
|
|
3551
|
-
|
|
3578
|
+
h.Configuration,
|
|
3552
3579
|
"Password reset not enabled"
|
|
3553
3580
|
);
|
|
3554
3581
|
const e = r.params.token ?? "";
|
|
3555
|
-
if (e == "") throw new n(
|
|
3556
|
-
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e),
|
|
3582
|
+
if (e == "") throw new n(h.InvalidUsername, "No token provided");
|
|
3583
|
+
const t = await this.sessionServer.sessionManager.userForPasswordResetToken(e), i = this.sessionServer.authenticators[t.factor1], a = i.secretNames();
|
|
3557
3584
|
let c = {}, d = {};
|
|
3558
|
-
for (let
|
|
3559
|
-
if (
|
|
3560
|
-
const
|
|
3561
|
-
|
|
3562
|
-
} else if (
|
|
3563
|
-
const
|
|
3564
|
-
|
|
3585
|
+
for (let w in o)
|
|
3586
|
+
if (w.startsWith("new_")) {
|
|
3587
|
+
const p = w.replace(/^new_/, "");
|
|
3588
|
+
a.includes(p) && (c[p] = o[w]);
|
|
3589
|
+
} else if (w.startsWith("repeat_")) {
|
|
3590
|
+
const p = w.replace(/^repeat_/, "");
|
|
3591
|
+
a.includes(p) && (d[p] = o[w]);
|
|
3565
3592
|
}
|
|
3566
|
-
if (Object.keys(d).length === 0 && (d = void 0),
|
|
3567
|
-
throw new n(
|
|
3593
|
+
if (Object.keys(d).length === 0 && (d = void 0), i.validateSecrets(c).length > 0)
|
|
3594
|
+
throw new n(h.PasswordFormat);
|
|
3568
3595
|
const g = await this.sessionServer.sessionManager.resetSecret(e, 1, c, d);
|
|
3569
|
-
if (g.state ==
|
|
3596
|
+
if (g.state == I.active)
|
|
3570
3597
|
return await this.loginWithUser(g, !0, r);
|
|
3571
3598
|
{
|
|
3572
|
-
|
|
3573
|
-
|
|
3599
|
+
if (!this.changeFactor2Url)
|
|
3600
|
+
throw new n(h.Configuration, "Must set changeFactor2Url in session server");
|
|
3601
|
+
const w = this.sessionServer.getSessionCookieValue(r), p = this.sessionServer.sessionManager.getSessionId(w ?? "");
|
|
3602
|
+
throw await this.sessionServer.sessionManager.updateSessionData(p, "factor2change", { username: t.username }), this.sessionServer.redirect(302, this.changeFactor2Url + "?required=true");
|
|
3574
3603
|
}
|
|
3575
3604
|
} catch (e) {
|
|
3576
3605
|
if (m.isSvelteKitRedirect(e)) throw e;
|
|
@@ -3609,12 +3638,12 @@ class we {
|
|
|
3609
3638
|
async requestFactor2(r) {
|
|
3610
3639
|
try {
|
|
3611
3640
|
if (!r.locals.sessionId) throw new n(
|
|
3612
|
-
|
|
3641
|
+
h.Unauthorized,
|
|
3613
3642
|
"No session cookie present"
|
|
3614
3643
|
);
|
|
3615
3644
|
const o = this.sessionServer.getSessionCookieValue(r), s = this.sessionServer.sessionManager.getSessionId(o ?? ""), e = await this.sessionServer.sessionManager.dataForSessionId(s);
|
|
3616
3645
|
if (!(e != null && e.pre2fa)) throw new n(
|
|
3617
|
-
|
|
3646
|
+
h.Unauthorized,
|
|
3618
3647
|
"2FA not initiated"
|
|
3619
3648
|
);
|
|
3620
3649
|
return {
|
|
@@ -3655,58 +3684,58 @@ class we {
|
|
|
3655
3684
|
l.logger.debug(f({ msg: "changePassword" }));
|
|
3656
3685
|
let o;
|
|
3657
3686
|
try {
|
|
3658
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3687
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3659
3688
|
var s = new b();
|
|
3660
3689
|
await s.loadData(r), o = s.toObject();
|
|
3661
3690
|
let e, t = !1;
|
|
3662
3691
|
if (!this.isSessionUser(r) || !r.locals.user) {
|
|
3663
|
-
const
|
|
3664
|
-
if (
|
|
3692
|
+
const p = await this.sessionServer.getSessionData(r, "passwordchange");
|
|
3693
|
+
if (p != null && p.username) {
|
|
3665
3694
|
if (e = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3666
|
-
|
|
3695
|
+
p == null ? void 0 : p.username,
|
|
3667
3696
|
{
|
|
3668
3697
|
skipActiveCheck: !0,
|
|
3669
3698
|
skipEmailVerifiedCheck: !0
|
|
3670
3699
|
}
|
|
3671
3700
|
)).user, t = !0, this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3672
|
-
throw new n(
|
|
3701
|
+
throw new n(h.InvalidCsrf);
|
|
3673
3702
|
} else
|
|
3674
|
-
throw new n(
|
|
3703
|
+
throw new n(h.Unauthorized);
|
|
3675
3704
|
} else if (this.canEditUser(r)) {
|
|
3676
3705
|
if (this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3677
|
-
throw new n(
|
|
3706
|
+
throw new n(h.InvalidCsrf);
|
|
3678
3707
|
e = r.locals.user;
|
|
3679
3708
|
} else
|
|
3680
|
-
throw new n(
|
|
3681
|
-
const
|
|
3682
|
-
let c = {}, d = {},
|
|
3683
|
-
for (let
|
|
3684
|
-
if (
|
|
3685
|
-
const S =
|
|
3686
|
-
|
|
3687
|
-
} else if (
|
|
3688
|
-
const S =
|
|
3689
|
-
|
|
3690
|
-
} else if (
|
|
3691
|
-
const S =
|
|
3692
|
-
|
|
3709
|
+
throw new n(h.InsufficientPriviledges);
|
|
3710
|
+
const i = this.sessionServer.authenticators[e.factor1], a = i.secretNames();
|
|
3711
|
+
let c = {}, d = {}, u = {};
|
|
3712
|
+
for (let p in o)
|
|
3713
|
+
if (p.startsWith("new_")) {
|
|
3714
|
+
const S = p.replace(/^new_/, "");
|
|
3715
|
+
a.includes(S) && (d[S] = o[p]);
|
|
3716
|
+
} else if (p.startsWith("old_")) {
|
|
3717
|
+
const S = p.replace(/^old_/, "");
|
|
3718
|
+
a.includes(S) && (c[S] = o[p]);
|
|
3719
|
+
} else if (p.startsWith("repeat_")) {
|
|
3720
|
+
const S = p.replace(/^repeat_/, "");
|
|
3721
|
+
a.includes(S) && (u[S] = o[p]);
|
|
3693
3722
|
}
|
|
3694
|
-
if (Object.keys(
|
|
3695
|
-
throw new n(
|
|
3696
|
-
const
|
|
3723
|
+
if (Object.keys(u).length === 0 && (u = void 0), i.validateSecrets(d).length > 0)
|
|
3724
|
+
throw new n(h.PasswordFormat);
|
|
3725
|
+
const w = e.state;
|
|
3697
3726
|
try {
|
|
3698
3727
|
t && (e.state = "active", await this.sessionServer.userStorage.updateUser({ id: e.id, state: e.state })), await this.sessionServer.sessionManager.changeSecrets(
|
|
3699
3728
|
e.username,
|
|
3700
3729
|
1,
|
|
3701
3730
|
d,
|
|
3702
|
-
|
|
3731
|
+
u,
|
|
3703
3732
|
c
|
|
3704
3733
|
);
|
|
3705
|
-
} catch (
|
|
3706
|
-
const S = n.asCrossauthError(
|
|
3707
|
-
if (l.logger.debug(f({ err:
|
|
3734
|
+
} catch (p) {
|
|
3735
|
+
const S = n.asCrossauthError(p);
|
|
3736
|
+
if (l.logger.debug(f({ err: p })), t)
|
|
3708
3737
|
try {
|
|
3709
|
-
await this.sessionServer.userStorage.updateUser({ id: e.id, state:
|
|
3738
|
+
await this.sessionServer.userStorage.updateUser({ id: e.id, state: w });
|
|
3710
3739
|
} catch (C) {
|
|
3711
3740
|
l.logger.debug(f({ err: C }));
|
|
3712
3741
|
}
|
|
@@ -3743,11 +3772,11 @@ class we {
|
|
|
3743
3772
|
async deleteUser(r) {
|
|
3744
3773
|
l.logger.debug(f({ msg: "deleteUser" }));
|
|
3745
3774
|
try {
|
|
3746
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3775
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3747
3776
|
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3748
|
-
throw new n(
|
|
3777
|
+
throw new n(h.InvalidCsrf);
|
|
3749
3778
|
if (!r.locals.user)
|
|
3750
|
-
throw new n(
|
|
3779
|
+
throw new n(h.InsufficientPriviledges);
|
|
3751
3780
|
return await this.sessionServer.userStorage.deleteUserById(r.locals.user.id), r.cookies.delete(this.sessionServer.sessionManager.sessionCookieName, { path: "/" }), r.locals.sessionId = void 0, r.locals.user = void 0, {
|
|
3752
3781
|
ok: !0
|
|
3753
3782
|
};
|
|
@@ -3789,12 +3818,12 @@ class we {
|
|
|
3789
3818
|
l.logger.debug(f({ msg: "updateUser" }));
|
|
3790
3819
|
let o;
|
|
3791
3820
|
try {
|
|
3792
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3821
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3793
3822
|
var s = new b();
|
|
3794
3823
|
if (await s.loadData(r), o = s.toObject(), this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3795
|
-
throw new n(
|
|
3824
|
+
throw new n(h.InvalidCsrf);
|
|
3796
3825
|
if (!r.locals.user)
|
|
3797
|
-
throw new n(
|
|
3826
|
+
throw new n(h.InsufficientPriviledges);
|
|
3798
3827
|
let e = {
|
|
3799
3828
|
id: r.locals.user.id,
|
|
3800
3829
|
username: r.locals.user.username,
|
|
@@ -3808,16 +3837,16 @@ class we {
|
|
|
3808
3837
|
);
|
|
3809
3838
|
let t = this.sessionServer.validateUserFn(e);
|
|
3810
3839
|
if (t.length > 0)
|
|
3811
|
-
throw new n(
|
|
3812
|
-
let { emailVerificationTokenSent:
|
|
3813
|
-
if (!
|
|
3814
|
-
const
|
|
3815
|
-
r.locals.user =
|
|
3840
|
+
throw new n(h.FormEntry, t);
|
|
3841
|
+
let { emailVerificationTokenSent: i } = await this.sessionServer.sessionManager.updateUser(r.locals.user, e);
|
|
3842
|
+
if (!i) {
|
|
3843
|
+
const a = await this.sessionServer.userStorage.getUserById(r.locals.user.id);
|
|
3844
|
+
r.locals.user = a.user;
|
|
3816
3845
|
}
|
|
3817
3846
|
return {
|
|
3818
3847
|
ok: !0,
|
|
3819
3848
|
formData: o,
|
|
3820
|
-
emailVerificationNeeded:
|
|
3849
|
+
emailVerificationNeeded: i
|
|
3821
3850
|
};
|
|
3822
3851
|
} catch (e) {
|
|
3823
3852
|
let t = n.asCrossauthError(e, "Couldn't update account");
|
|
@@ -3856,41 +3885,41 @@ class we {
|
|
|
3856
3885
|
l.logger.debug(f({ msg: "updateUser" }));
|
|
3857
3886
|
let o;
|
|
3858
3887
|
try {
|
|
3859
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3888
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3860
3889
|
var s = new b();
|
|
3861
3890
|
if (await s.loadData(r), o = s.toObject(), this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3862
|
-
throw new n(
|
|
3891
|
+
throw new n(h.InvalidCsrf);
|
|
3863
3892
|
let t = (e = r.locals.user) == null ? void 0 : e.username;
|
|
3864
3893
|
if (!this.isSessionUser(r) || !r.locals.user) {
|
|
3865
3894
|
const d = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3866
3895
|
d != null && d.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = d == null ? void 0 : d.username;
|
|
3867
3896
|
}
|
|
3868
|
-
let
|
|
3869
|
-
if (!
|
|
3897
|
+
let i = r.locals.user;
|
|
3898
|
+
if (!i && t && (i = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3870
3899
|
t,
|
|
3871
3900
|
{
|
|
3872
3901
|
skipActiveCheck: !0,
|
|
3873
3902
|
skipEmailVerifiedCheck: !0
|
|
3874
3903
|
}
|
|
3875
|
-
)).user), !
|
|
3876
|
-
throw new n(
|
|
3904
|
+
)).user), !i)
|
|
3905
|
+
throw new n(h.InsufficientPriviledges);
|
|
3877
3906
|
if (!r.locals.sessionId)
|
|
3878
|
-
throw new n(
|
|
3879
|
-
let
|
|
3907
|
+
throw new n(h.Unauthorized);
|
|
3908
|
+
let a = o.factor2;
|
|
3880
3909
|
if (o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2))
|
|
3881
3910
|
throw new n(
|
|
3882
|
-
|
|
3911
|
+
h.Forbidden,
|
|
3883
3912
|
"Illegal second factor " + o.factor2 + " requested"
|
|
3884
3913
|
);
|
|
3885
|
-
if ((o.factor2 == "none" || o.factor2 == "") && (
|
|
3886
|
-
return await this.loginWithUser(
|
|
3887
|
-
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3888
|
-
return
|
|
3914
|
+
if ((o.factor2 == "none" || o.factor2 == "") && (a = void 0, !r.locals.user))
|
|
3915
|
+
return await this.loginWithUser(i, !0, r);
|
|
3916
|
+
const c = await this.sessionServer.sessionManager.initiateTwoFactorSetup(i, a, r.locals.sessionId);
|
|
3917
|
+
return a ? {
|
|
3889
3918
|
ok: !0,
|
|
3890
3919
|
formData: o,
|
|
3891
3920
|
factor2Data: {
|
|
3892
|
-
username:
|
|
3893
|
-
factor2:
|
|
3921
|
+
username: i.username,
|
|
3922
|
+
factor2: a ?? "",
|
|
3894
3923
|
userData: c,
|
|
3895
3924
|
csrfToken: r.locals.csrfToken
|
|
3896
3925
|
}
|
|
@@ -3899,11 +3928,11 @@ class we {
|
|
|
3899
3928
|
formData: o
|
|
3900
3929
|
};
|
|
3901
3930
|
} catch (t) {
|
|
3902
|
-
let
|
|
3903
|
-
return l.logger.debug(f({ err:
|
|
3904
|
-
error:
|
|
3905
|
-
errorCode:
|
|
3906
|
-
errorCodeName:
|
|
3931
|
+
let i = n.asCrossauthError(t, "Couldn't update account");
|
|
3932
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
3933
|
+
error: i.message,
|
|
3934
|
+
errorCode: i.code,
|
|
3935
|
+
errorCodeName: i.codeName,
|
|
3907
3936
|
ok: !1,
|
|
3908
3937
|
formData: o
|
|
3909
3938
|
};
|
|
@@ -3932,56 +3961,56 @@ class we {
|
|
|
3932
3961
|
l.logger.debug(f({ msg: "updateUser" }));
|
|
3933
3962
|
let o;
|
|
3934
3963
|
try {
|
|
3935
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
3964
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
3936
3965
|
var s = new b();
|
|
3937
3966
|
if (await s.loadData(r), o = s.toObject(), this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
3938
|
-
throw new n(
|
|
3967
|
+
throw new n(h.InvalidCsrf);
|
|
3939
3968
|
let t = (e = r.locals.user) == null ? void 0 : e.username;
|
|
3940
3969
|
if (!this.isSessionUser(r) || !r.locals.user) {
|
|
3941
|
-
const
|
|
3942
|
-
|
|
3970
|
+
const u = await this.sessionServer.getSessionData(r, "factor2change");
|
|
3971
|
+
u != null && u.username || this.isSessionUser(r) || (this.sessionServer.unauthorizedUrl && this.sessionServer.redirect(302, this.sessionServer.unauthorizedUrl), this.sessionServer.error(401, "Unauthorized")), t = u == null ? void 0 : u.username;
|
|
3943
3972
|
}
|
|
3944
|
-
let
|
|
3945
|
-
if (!
|
|
3973
|
+
let i = r.locals.user;
|
|
3974
|
+
if (!i && t && (i = (await this.sessionServer.userStorage.getUserByUsername(
|
|
3946
3975
|
t,
|
|
3947
3976
|
{
|
|
3948
3977
|
skipActiveCheck: !0,
|
|
3949
3978
|
skipEmailVerifiedCheck: !0
|
|
3950
3979
|
}
|
|
3951
|
-
)).user), !
|
|
3952
|
-
throw new n(
|
|
3980
|
+
)).user), !i)
|
|
3981
|
+
throw new n(h.InsufficientPriviledges);
|
|
3953
3982
|
if (!r.locals.sessionId)
|
|
3954
|
-
throw new n(
|
|
3983
|
+
throw new n(h.Unauthorized);
|
|
3955
3984
|
if (!r.locals.sessionId)
|
|
3956
|
-
throw new n(
|
|
3957
|
-
let
|
|
3958
|
-
const c = this.sessionServer.authenticators[
|
|
3985
|
+
throw new n(h.Unauthorized);
|
|
3986
|
+
let a = i.factor2;
|
|
3987
|
+
const c = this.sessionServer.authenticators[a];
|
|
3959
3988
|
if (!c || c.secretNames().length == 0)
|
|
3960
3989
|
throw new n(
|
|
3961
|
-
|
|
3990
|
+
h.BadRequest,
|
|
3962
3991
|
"Selected second factor does not have configuration"
|
|
3963
3992
|
);
|
|
3964
3993
|
const d = await this.sessionServer.sessionManager.initiateTwoFactorSetup(
|
|
3965
|
-
a,
|
|
3966
3994
|
i,
|
|
3995
|
+
a,
|
|
3967
3996
|
r.locals.sessionId
|
|
3968
3997
|
);
|
|
3969
3998
|
return {
|
|
3970
3999
|
ok: !0,
|
|
3971
4000
|
formData: o,
|
|
3972
4001
|
factor2Data: {
|
|
3973
|
-
username:
|
|
3974
|
-
factor2:
|
|
4002
|
+
username: i.username,
|
|
4003
|
+
factor2: i.factor2 ?? "",
|
|
3975
4004
|
userData: d,
|
|
3976
4005
|
csrfToken: r.locals.csrfToken
|
|
3977
4006
|
}
|
|
3978
4007
|
};
|
|
3979
4008
|
} catch (t) {
|
|
3980
|
-
let
|
|
3981
|
-
return l.logger.debug(f({ err:
|
|
3982
|
-
error:
|
|
3983
|
-
errorCode:
|
|
3984
|
-
errorCodeName:
|
|
4009
|
+
let i = n.asCrossauthError(t, "Couldn't update account");
|
|
4010
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4011
|
+
error: i.message,
|
|
4012
|
+
errorCode: i.code,
|
|
4013
|
+
errorCodeName: i.codeName,
|
|
3985
4014
|
ok: !1,
|
|
3986
4015
|
formData: o
|
|
3987
4016
|
};
|
|
@@ -4003,16 +4032,16 @@ async function me(k, r, o = 0, s = 10) {
|
|
|
4003
4032
|
const { user: t } = await r.getUserByUsername(k);
|
|
4004
4033
|
e.push(t);
|
|
4005
4034
|
} catch (t) {
|
|
4006
|
-
const
|
|
4007
|
-
if (
|
|
4008
|
-
throw l.logger.debug(f({ err:
|
|
4035
|
+
const i = n.asCrossauthError(t);
|
|
4036
|
+
if (i.code != h.UserNotExist)
|
|
4037
|
+
throw l.logger.debug(f({ err: i })), i;
|
|
4009
4038
|
try {
|
|
4010
|
-
const { user:
|
|
4011
|
-
e.push(
|
|
4012
|
-
} catch (
|
|
4013
|
-
const c = n.asCrossauthError(
|
|
4014
|
-
if (c.code !=
|
|
4015
|
-
throw l.logger.debug(f({ err: c })),
|
|
4039
|
+
const { user: a } = await r.getUserByEmail(k);
|
|
4040
|
+
e.push(a);
|
|
4041
|
+
} catch (a) {
|
|
4042
|
+
const c = n.asCrossauthError(a);
|
|
4043
|
+
if (c.code != h.UserNotExist)
|
|
4044
|
+
throw l.logger.debug(f({ err: c })), i;
|
|
4016
4045
|
}
|
|
4017
4046
|
}
|
|
4018
4047
|
return e;
|
|
@@ -4031,12 +4060,12 @@ class ke {
|
|
|
4031
4060
|
}, this.updateUserEndpoint = {
|
|
4032
4061
|
actions: {
|
|
4033
4062
|
default: async (s) => {
|
|
4034
|
-
var
|
|
4063
|
+
var i, a, c;
|
|
4035
4064
|
const e = await this.getUserFromParam(s);
|
|
4036
4065
|
return e.exception || !e.user ? {
|
|
4037
4066
|
ok: !1,
|
|
4038
|
-
error: ((
|
|
4039
|
-
errorCode: (
|
|
4067
|
+
error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
|
|
4068
|
+
errorCode: (a = e.exception) == null ? void 0 : a.code,
|
|
4040
4069
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4041
4070
|
} : await this.updateUser(e.user, s);
|
|
4042
4071
|
}
|
|
@@ -4058,12 +4087,12 @@ class ke {
|
|
|
4058
4087
|
}, this.changePasswordEndpoint = {
|
|
4059
4088
|
actions: {
|
|
4060
4089
|
default: async (s) => {
|
|
4061
|
-
var
|
|
4090
|
+
var i, a, c;
|
|
4062
4091
|
const e = await this.getUserFromParam(s);
|
|
4063
4092
|
return e.exception || !e.user ? {
|
|
4064
4093
|
ok: !1,
|
|
4065
|
-
error: ((
|
|
4066
|
-
errorCode: (
|
|
4094
|
+
error: ((i = e.exception) == null ? void 0 : i.message) ?? "Couldn't get user",
|
|
4095
|
+
errorCode: (a = e.exception) == null ? void 0 : a.code,
|
|
4067
4096
|
errorCodeName: (c = e.exception) == null ? void 0 : c.codeName
|
|
4068
4097
|
} : await this.changePassword(e.user, s);
|
|
4069
4098
|
}
|
|
@@ -4076,8 +4105,8 @@ class ke {
|
|
|
4076
4105
|
editUser: e.user,
|
|
4077
4106
|
...this.baseEndpoint(s)
|
|
4078
4107
|
};
|
|
4079
|
-
let t = {},
|
|
4080
|
-
return
|
|
4108
|
+
let t = {}, i = s.url.searchParams.get("next");
|
|
4109
|
+
return i && (t.next = i), {
|
|
4081
4110
|
...t,
|
|
4082
4111
|
editUser: e.user,
|
|
4083
4112
|
...this.baseEndpoint(s)
|
|
@@ -4099,15 +4128,15 @@ class ke {
|
|
|
4099
4128
|
default: async (s) => await this.deleteUser(s)
|
|
4100
4129
|
},
|
|
4101
4130
|
load: async (s) => {
|
|
4102
|
-
var t,
|
|
4131
|
+
var t, i, a;
|
|
4103
4132
|
const e = await this.getUserFromParam(s);
|
|
4104
4133
|
return e.exception || !e.user ? {
|
|
4105
4134
|
error: "User doesn't exist",
|
|
4106
4135
|
errorCode: (t = e.exception) == null ? void 0 : t.code,
|
|
4107
|
-
errorCodeName: (
|
|
4136
|
+
errorCodeName: (i = e.exception) == null ? void 0 : i.codeName,
|
|
4108
4137
|
...this.baseEndpoint(s)
|
|
4109
4138
|
} : {
|
|
4110
|
-
username: (
|
|
4139
|
+
username: (a = e.user) == null ? void 0 : a.username,
|
|
4111
4140
|
...this.baseEndpoint(s)
|
|
4112
4141
|
};
|
|
4113
4142
|
}
|
|
@@ -4156,9 +4185,9 @@ class ke {
|
|
|
4156
4185
|
*/
|
|
4157
4186
|
async searchUsers(r, o, s, e) {
|
|
4158
4187
|
try {
|
|
4159
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
4188
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
4160
4189
|
(!r.locals.user || !m.isAdminFn(r.locals.user)) && this.sessionServer.error(401);
|
|
4161
|
-
let t = [],
|
|
4190
|
+
let t = [], i = [], a = [];
|
|
4162
4191
|
if (!s)
|
|
4163
4192
|
try {
|
|
4164
4193
|
const d = r.url.searchParams.get("skip");
|
|
@@ -4180,7 +4209,7 @@ class ke {
|
|
|
4180
4209
|
this.sessionServer.userStorage,
|
|
4181
4210
|
s,
|
|
4182
4211
|
e
|
|
4183
|
-
), s > 0 && (
|
|
4212
|
+
), s > 0 && (i = await this.userSearchFn(
|
|
4184
4213
|
o,
|
|
4185
4214
|
this.sessionServer.userStorage,
|
|
4186
4215
|
s - 1,
|
|
@@ -4188,7 +4217,7 @@ class ke {
|
|
|
4188
4217
|
))) : (t = await this.sessionServer.userStorage.getUsers(
|
|
4189
4218
|
s,
|
|
4190
4219
|
e
|
|
4191
|
-
), t.length == e && (
|
|
4220
|
+
), t.length == e && (a = await this.sessionServer.userStorage.getUsers(
|
|
4192
4221
|
s + e,
|
|
4193
4222
|
1
|
|
4194
4223
|
))), {
|
|
@@ -4196,17 +4225,17 @@ class ke {
|
|
|
4196
4225
|
users: t,
|
|
4197
4226
|
skip: s,
|
|
4198
4227
|
take: e,
|
|
4199
|
-
hasPrevious:
|
|
4200
|
-
hasNext:
|
|
4228
|
+
hasPrevious: i.length > 0,
|
|
4229
|
+
hasNext: a.length > 0,
|
|
4201
4230
|
search: o
|
|
4202
4231
|
};
|
|
4203
4232
|
} catch (t) {
|
|
4204
|
-
const
|
|
4205
|
-
return l.logger.debug(f({ err:
|
|
4233
|
+
const i = n.asCrossauthError(t);
|
|
4234
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4206
4235
|
ok: !1,
|
|
4207
|
-
error:
|
|
4208
|
-
errorCode:
|
|
4209
|
-
errorCodeName:
|
|
4236
|
+
error: i.message,
|
|
4237
|
+
errorCode: i.code,
|
|
4238
|
+
errorCodeName: i.codeName,
|
|
4210
4239
|
hasPrevious: !1,
|
|
4211
4240
|
hasNext: !1,
|
|
4212
4241
|
skip: s ?? 0,
|
|
@@ -4249,10 +4278,10 @@ class ke {
|
|
|
4249
4278
|
async updateUser(r, o) {
|
|
4250
4279
|
let s;
|
|
4251
4280
|
try {
|
|
4252
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
4281
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
4253
4282
|
var e = new b();
|
|
4254
|
-
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new n(
|
|
4255
|
-
const t = r.factor2,
|
|
4283
|
+
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken) throw new n(h.InvalidCsrf);
|
|
4284
|
+
const t = r.factor2, i = r.state;
|
|
4256
4285
|
r.state = s.state ?? "active", r = this.sessionServer.updateUserFn(
|
|
4257
4286
|
r,
|
|
4258
4287
|
o,
|
|
@@ -4262,30 +4291,30 @@ class ke {
|
|
|
4262
4291
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4263
4292
|
}
|
|
4264
4293
|
);
|
|
4265
|
-
const
|
|
4266
|
-
if (
|
|
4267
|
-
throw new n(
|
|
4268
|
-
|
|
4269
|
-
msg: `Setting state for user to ${
|
|
4294
|
+
const a = r.factor2 && r.factor2 != "none" && r.factor2 != t;
|
|
4295
|
+
if (a && !(r.state == i || r.state == "factor2ResetNeeded"))
|
|
4296
|
+
throw new n(h.BadRequest, "Cannot change both factor2 and state at the same time");
|
|
4297
|
+
a && (r.state = I.factor2ResetNeeded, l.logger.warn(f({
|
|
4298
|
+
msg: `Setting state for user to ${I.factor2ResetNeeded}`,
|
|
4270
4299
|
username: r.username
|
|
4271
4300
|
})));
|
|
4272
4301
|
let c = this.sessionServer.validateUserFn(r);
|
|
4273
4302
|
if (c.length > 0)
|
|
4274
|
-
throw new n(
|
|
4303
|
+
throw new n(h.FormEntry, c);
|
|
4275
4304
|
const d = await this.sessionServer.sessionManager.updateUser(r, r, !0, !0);
|
|
4276
|
-
let
|
|
4277
|
-
return d.emailVerificationTokenSent ?
|
|
4305
|
+
let u;
|
|
4306
|
+
return d.emailVerificationTokenSent ? u = "An email verification token has been sent to the user" : d.passwordResetTokenSent && (u = "A password reset token has been sent to the user"), {
|
|
4278
4307
|
ok: !0,
|
|
4279
4308
|
formData: s,
|
|
4280
|
-
info:
|
|
4309
|
+
info: u
|
|
4281
4310
|
};
|
|
4282
4311
|
} catch (t) {
|
|
4283
4312
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4284
|
-
let
|
|
4285
|
-
return l.logger.debug(f({ err:
|
|
4286
|
-
error:
|
|
4287
|
-
errorCode:
|
|
4288
|
-
errorCodeName:
|
|
4313
|
+
let i = n.asCrossauthError(t, "Couldn't log in");
|
|
4314
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4315
|
+
error: i.message,
|
|
4316
|
+
errorCode: i.code,
|
|
4317
|
+
errorCodeName: i.codeName,
|
|
4289
4318
|
ok: !1,
|
|
4290
4319
|
formData: s
|
|
4291
4320
|
};
|
|
@@ -4316,33 +4345,33 @@ class ke {
|
|
|
4316
4345
|
try {
|
|
4317
4346
|
var e = new b();
|
|
4318
4347
|
if (await e.loadData(o), s = e.toObject(), (!o.locals.user || !m.isAdminFn(o.locals.user)) && this.sessionServer.error(401), this.isSessionUser(o) && this.sessionServer.enableCsrfProtection && !o.locals.csrfToken)
|
|
4319
|
-
throw new n(
|
|
4320
|
-
const t = this.sessionServer.authenticators[r.factor1],
|
|
4321
|
-
let
|
|
4348
|
+
throw new n(h.InvalidCsrf);
|
|
4349
|
+
const t = this.sessionServer.authenticators[r.factor1], i = t.secretNames();
|
|
4350
|
+
let a = {}, c = {}, d = {};
|
|
4322
4351
|
for (let g in s)
|
|
4323
4352
|
if (g.startsWith("new_")) {
|
|
4324
|
-
const
|
|
4325
|
-
|
|
4353
|
+
const w = g.replace(/^new_/, "");
|
|
4354
|
+
i.includes(w) && (c[w] = s[g]);
|
|
4326
4355
|
} else if (g.startsWith("old_")) {
|
|
4327
|
-
const
|
|
4328
|
-
|
|
4356
|
+
const w = g.replace(/^old_/, "");
|
|
4357
|
+
i.includes(w) && (a[w] = s[g]);
|
|
4329
4358
|
} else if (g.startsWith("repeat_")) {
|
|
4330
|
-
const
|
|
4331
|
-
|
|
4359
|
+
const w = g.replace(/^repeat_/, "");
|
|
4360
|
+
i.includes(w) && (d[w] = s[g]);
|
|
4332
4361
|
}
|
|
4333
|
-
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(
|
|
4334
|
-
throw new n(
|
|
4362
|
+
if (Object.keys(d).length === 0 && (d = void 0), Object.keys(a).length === 0 && (a = void 0), t.validateSecrets(c).length > 0)
|
|
4363
|
+
throw new n(h.PasswordFormat);
|
|
4335
4364
|
try {
|
|
4336
4365
|
await this.sessionServer.sessionManager.changeSecrets(
|
|
4337
4366
|
r.username,
|
|
4338
4367
|
1,
|
|
4339
4368
|
c,
|
|
4340
4369
|
d,
|
|
4341
|
-
|
|
4370
|
+
a
|
|
4342
4371
|
);
|
|
4343
4372
|
} catch (g) {
|
|
4344
|
-
const
|
|
4345
|
-
throw l.logger.debug(f({ err: g })),
|
|
4373
|
+
const w = n.asCrossauthError(g);
|
|
4374
|
+
throw l.logger.debug(f({ err: g })), w;
|
|
4346
4375
|
}
|
|
4347
4376
|
return {
|
|
4348
4377
|
ok: !0,
|
|
@@ -4350,11 +4379,11 @@ class ke {
|
|
|
4350
4379
|
};
|
|
4351
4380
|
} catch (t) {
|
|
4352
4381
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t, 401)) throw t;
|
|
4353
|
-
let
|
|
4354
|
-
return l.logger.debug(f({ err:
|
|
4355
|
-
error:
|
|
4356
|
-
errorCode:
|
|
4357
|
-
errorCodeName:
|
|
4382
|
+
let i = n.asCrossauthError(t, "Couldn't change password");
|
|
4383
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4384
|
+
error: i.message,
|
|
4385
|
+
errorCode: i.code,
|
|
4386
|
+
errorCodeName: i.codeName,
|
|
4358
4387
|
ok: !1,
|
|
4359
4388
|
formData: s
|
|
4360
4389
|
};
|
|
@@ -4408,17 +4437,17 @@ class ke {
|
|
|
4408
4437
|
async createUser(r) {
|
|
4409
4438
|
let o;
|
|
4410
4439
|
try {
|
|
4411
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
4440
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
4412
4441
|
var s = new b();
|
|
4413
4442
|
await s.loadData(r), o = s.toObject();
|
|
4414
4443
|
const e = s.get("username") ?? "";
|
|
4415
4444
|
let t;
|
|
4416
4445
|
if ((!r.locals.user || !m.isAdminFn(r.locals.user)) && this.sessionServer.error(401), this.isSessionUser(r) && this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
4417
|
-
throw new n(
|
|
4418
|
-
if (e == "") throw new n(
|
|
4446
|
+
throw new n(h.InvalidCsrf);
|
|
4447
|
+
if (e == "") throw new n(h.InvalidUsername, "Username field may not be empty");
|
|
4419
4448
|
if (o.factor2 || (o.factor2 = this.sessionServer.allowedFactor2Names[0]), o.factor2 && !this.sessionServer.allowedFactor2Names.includes(o.factor2 ?? "none"))
|
|
4420
4449
|
throw new n(
|
|
4421
|
-
|
|
4450
|
+
h.Forbidden,
|
|
4422
4451
|
"Illegal second factor " + o.factor2 + " requested"
|
|
4423
4452
|
);
|
|
4424
4453
|
(o.factor2 == "none" || o.factor2 == "") && (o.factor2 = void 0), t = this.sessionServer.createUserFn(
|
|
@@ -4427,39 +4456,40 @@ class ke {
|
|
|
4427
4456
|
{
|
|
4428
4457
|
...this.sessionServer.userStorage.userEditableFields,
|
|
4429
4458
|
...this.sessionServer.userStorage.adminEditableFields
|
|
4430
|
-
}
|
|
4459
|
+
},
|
|
4460
|
+
this.sessionServer.adminAllowedFactor1
|
|
4431
4461
|
);
|
|
4432
|
-
const
|
|
4433
|
-
let
|
|
4434
|
-
for (let
|
|
4435
|
-
!o[
|
|
4462
|
+
const i = this.sessionServer.authenticators[t.factor1].secretNames();
|
|
4463
|
+
let a = !0;
|
|
4464
|
+
for (let p of i)
|
|
4465
|
+
!o[p] && !o["repeat_" + p] && (a = !1);
|
|
4436
4466
|
let c = [], d = {};
|
|
4437
|
-
if (
|
|
4467
|
+
if (a) {
|
|
4438
4468
|
c = this.sessionServer.authenticators[t.factor1].validateSecrets(o);
|
|
4439
|
-
for (let
|
|
4440
|
-
if (
|
|
4441
|
-
const S =
|
|
4442
|
-
|
|
4469
|
+
for (let p in o)
|
|
4470
|
+
if (p.startsWith("repeat_")) {
|
|
4471
|
+
const S = p.replace(/^repeat_/, "");
|
|
4472
|
+
i.includes(S) && (d[S] = o[p]);
|
|
4443
4473
|
}
|
|
4444
4474
|
Object.keys(d).length === 0 && (d = void 0);
|
|
4445
4475
|
}
|
|
4446
|
-
|
|
4476
|
+
a ? o.factor2 != null && (t.state = I.factor2ResetNeeded) : o.factor2 == null ? t.state = I.passwordResetNeeded : t.state = I.passwordAndFactor2ResetNeeded;
|
|
4447
4477
|
let g = [...this.sessionServer.validateUserFn(t), ...c];
|
|
4448
4478
|
if (g.length > 0)
|
|
4449
|
-
throw new n(
|
|
4450
|
-
const
|
|
4479
|
+
throw new n(h.FormEntry, g);
|
|
4480
|
+
const w = await this.sessionServer.sessionManager.createUser(
|
|
4451
4481
|
t,
|
|
4452
4482
|
o,
|
|
4453
4483
|
d,
|
|
4454
4484
|
!0,
|
|
4455
|
-
!
|
|
4485
|
+
!a
|
|
4456
4486
|
);
|
|
4457
|
-
if (!
|
|
4458
|
-
let
|
|
4459
|
-
if ("user_email" in o && (
|
|
4460
|
-
await this.sessionServer.sessionManager.requestPasswordReset(
|
|
4487
|
+
if (!a) {
|
|
4488
|
+
let p = o.username;
|
|
4489
|
+
if ("user_email" in o && (p = o.user_email), oe.validateEmail(p), !p) throw new n(h.FormEntry, "No password given but no email address found either");
|
|
4490
|
+
await this.sessionServer.sessionManager.requestPasswordReset(p);
|
|
4461
4491
|
}
|
|
4462
|
-
return { ok: !0, user:
|
|
4492
|
+
return { ok: !0, user: w, formData: o };
|
|
4463
4493
|
} catch (e) {
|
|
4464
4494
|
let t = n.asCrossauthError(e, "Couldn't create user");
|
|
4465
4495
|
return l.logger.debug(f({ err: t })), l.logger.error(f({ cerr: t })), {
|
|
@@ -4485,12 +4515,12 @@ class ke {
|
|
|
4485
4515
|
* exception was raised
|
|
4486
4516
|
*/
|
|
4487
4517
|
async deleteUser(r) {
|
|
4488
|
-
if (l.logger.debug(f({ msg: "deleteUser" })), !this.sessionServer.userStorage) throw new n(
|
|
4518
|
+
if (l.logger.debug(f({ msg: "deleteUser" })), !this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
4489
4519
|
try {
|
|
4490
4520
|
const o = r.params.id;
|
|
4491
|
-
if (!o) throw new n(
|
|
4521
|
+
if (!o) throw new n(h.BadRequest, "User ID is undefined");
|
|
4492
4522
|
if (this.sessionServer.enableCsrfProtection && !r.locals.csrfToken)
|
|
4493
|
-
throw new n(
|
|
4523
|
+
throw new n(h.InvalidCsrf);
|
|
4494
4524
|
return (!r.locals.user || !m.isAdminFn(r.locals.user)) && this.sessionServer.error(401), await this.sessionServer.userStorage.deleteUserById(o), {
|
|
4495
4525
|
ok: !0
|
|
4496
4526
|
};
|
|
@@ -4515,9 +4545,9 @@ class ke {
|
|
|
4515
4545
|
async getUserFromParam(r, o = "id") {
|
|
4516
4546
|
let s = r.params[o];
|
|
4517
4547
|
if (!s)
|
|
4518
|
-
return { exception: new n(
|
|
4548
|
+
return { exception: new n(h.BadRequest, "Must give user id") };
|
|
4519
4549
|
try {
|
|
4520
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
4550
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
4521
4551
|
return { user: (await this.sessionServer.userStorage.getUserById(s, { skipEmailVerifiedCheck: !0, skipActiveCheck: !0 })).user };
|
|
4522
4552
|
} catch (e) {
|
|
4523
4553
|
return { exception: n.asCrossauthError(e) };
|
|
@@ -4528,18 +4558,18 @@ async function Se(k, r, o, s, e) {
|
|
|
4528
4558
|
let t = [];
|
|
4529
4559
|
if (o > 0) return [];
|
|
4530
4560
|
try {
|
|
4531
|
-
const
|
|
4532
|
-
t.push(
|
|
4533
|
-
} catch (
|
|
4534
|
-
const
|
|
4535
|
-
if (
|
|
4536
|
-
throw l.logger.debug(f({ err:
|
|
4561
|
+
const i = await r.getClientById(k);
|
|
4562
|
+
t.push(i);
|
|
4563
|
+
} catch (i) {
|
|
4564
|
+
const a = n.asCrossauthError(i);
|
|
4565
|
+
if (a.code != h.UserNotExist)
|
|
4566
|
+
throw l.logger.debug(f({ err: a })), a;
|
|
4537
4567
|
try {
|
|
4538
4568
|
t = await r.getClientByName(k, e);
|
|
4539
4569
|
} catch (c) {
|
|
4540
4570
|
const d = n.asCrossauthError(c);
|
|
4541
|
-
if (d.code !=
|
|
4542
|
-
throw l.logger.debug(f({ err: d })),
|
|
4571
|
+
if (d.code != h.UserNotExist)
|
|
4572
|
+
throw l.logger.debug(f({ err: d })), a;
|
|
4543
4573
|
}
|
|
4544
4574
|
}
|
|
4545
4575
|
return t;
|
|
@@ -4594,65 +4624,65 @@ class X {
|
|
|
4594
4624
|
*/
|
|
4595
4625
|
async searchClients_internal(r, o, s, e, t) {
|
|
4596
4626
|
try {
|
|
4597
|
-
if (!this.sessionServer.userStorage) throw new n(
|
|
4598
|
-
if (!this.sessionServer.clientStorage) throw new n(
|
|
4627
|
+
if (!this.sessionServer.userStorage) throw new n(h.Configuration, "Must provide user storage to use this function");
|
|
4628
|
+
if (!this.sessionServer.clientStorage) throw new n(h.Configuration, "Must provide client storage to use this function");
|
|
4599
4629
|
if (!r.locals.user)
|
|
4600
4630
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
4601
|
-
let
|
|
4631
|
+
let i = [], a = [], c = [];
|
|
4602
4632
|
if (!s)
|
|
4603
4633
|
try {
|
|
4604
|
-
const
|
|
4605
|
-
|
|
4606
|
-
} catch (
|
|
4607
|
-
l.logger.warn(f({ cerr:
|
|
4634
|
+
const u = r.url.searchParams.get("skip");
|
|
4635
|
+
u && (s = parseInt(u));
|
|
4636
|
+
} catch (u) {
|
|
4637
|
+
l.logger.warn(f({ cerr: u, msg: "skip parameter is not an integer" }));
|
|
4608
4638
|
}
|
|
4609
4639
|
if (s || (s = 0), !e)
|
|
4610
4640
|
try {
|
|
4611
|
-
const
|
|
4612
|
-
|
|
4613
|
-
} catch (
|
|
4614
|
-
l.logger.warn(f({ cerr:
|
|
4641
|
+
const u = r.url.searchParams.get("take");
|
|
4642
|
+
u && (e = parseInt(u));
|
|
4643
|
+
} catch (u) {
|
|
4644
|
+
l.logger.warn(f({ cerr: u, msg: "take parameter is not an integer" }));
|
|
4615
4645
|
}
|
|
4616
4646
|
e || (e = 10);
|
|
4617
4647
|
const d = r.url.searchParams.get("search");
|
|
4618
|
-
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (
|
|
4648
|
+
return !o && d != null && d != "" && (o = d), o || (o = ""), o.length == 0 && (o = void 0), o ? (i = await this.clientSearchFn(
|
|
4619
4649
|
o,
|
|
4620
4650
|
this.sessionServer.clientStorage,
|
|
4621
4651
|
s,
|
|
4622
4652
|
e
|
|
4623
|
-
), s > 0 && (
|
|
4653
|
+
), s > 0 && (a = await this.clientSearchFn(
|
|
4624
4654
|
o,
|
|
4625
4655
|
this.sessionServer.clientStorage,
|
|
4626
4656
|
s - 1,
|
|
4627
4657
|
1,
|
|
4628
4658
|
t
|
|
4629
|
-
))) : (
|
|
4659
|
+
))) : (i = await this.sessionServer.clientStorage.getClients(
|
|
4630
4660
|
s,
|
|
4631
4661
|
e,
|
|
4632
4662
|
t
|
|
4633
|
-
),
|
|
4663
|
+
), i.length == e && (c = await this.sessionServer.clientStorage.getClients(
|
|
4634
4664
|
s + e,
|
|
4635
4665
|
1,
|
|
4636
4666
|
t
|
|
4637
4667
|
))), {
|
|
4638
4668
|
ok: !0,
|
|
4639
|
-
clients:
|
|
4669
|
+
clients: i,
|
|
4640
4670
|
skip: s,
|
|
4641
4671
|
take: e,
|
|
4642
|
-
hasPrevious:
|
|
4672
|
+
hasPrevious: a.length > 0,
|
|
4643
4673
|
hasNext: c.length > 0,
|
|
4644
4674
|
search: o,
|
|
4645
4675
|
clientUserId: t
|
|
4646
4676
|
};
|
|
4647
|
-
} catch (
|
|
4648
|
-
if (m.isSvelteKitRedirect(
|
|
4649
|
-
throw
|
|
4650
|
-
const
|
|
4651
|
-
return l.logger.debug(f({ err:
|
|
4677
|
+
} catch (i) {
|
|
4678
|
+
if (m.isSvelteKitRedirect(i) || m.isSvelteKitRedirect(i))
|
|
4679
|
+
throw i;
|
|
4680
|
+
const a = n.asCrossauthError(i);
|
|
4681
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4652
4682
|
ok: !1,
|
|
4653
|
-
error:
|
|
4654
|
-
errorCode:
|
|
4655
|
-
errorCodeName:
|
|
4683
|
+
error: a.message,
|
|
4684
|
+
errorCode: a.code,
|
|
4685
|
+
errorCodeName: a.codeName,
|
|
4656
4686
|
hasPrevious: !1,
|
|
4657
4687
|
hasNext: !1,
|
|
4658
4688
|
skip: s ?? 0,
|
|
@@ -4673,23 +4703,23 @@ class X {
|
|
|
4673
4703
|
var s, e, t;
|
|
4674
4704
|
const o = r.params.client_id;
|
|
4675
4705
|
try {
|
|
4676
|
-
if (!o) throw new n(
|
|
4677
|
-
if (!this.clientStorage) throw new n(
|
|
4678
|
-
const
|
|
4706
|
+
if (!o) throw new n(h.BadRequest, "No client ID specified");
|
|
4707
|
+
if (!this.clientStorage) throw new n(h.Configuration, "No client storage specified");
|
|
4708
|
+
const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(i.userid)), c = (t = a == null ? void 0 : a.user) == null ? void 0 : t.username;
|
|
4679
4709
|
return {
|
|
4680
4710
|
ok: !0,
|
|
4681
|
-
client:
|
|
4711
|
+
client: i,
|
|
4682
4712
|
validFlows: this.validFlows,
|
|
4683
4713
|
valid_flowNames: this.valid_flowNames,
|
|
4684
4714
|
client_id: o,
|
|
4685
4715
|
clientUsername: c
|
|
4686
4716
|
};
|
|
4687
|
-
} catch (
|
|
4688
|
-
let
|
|
4689
|
-
return l.logger.debug(f({ err:
|
|
4690
|
-
error:
|
|
4691
|
-
errorCode:
|
|
4692
|
-
errorCodeName:
|
|
4717
|
+
} catch (i) {
|
|
4718
|
+
let a = n.asCrossauthError(i, "Couldn't load client");
|
|
4719
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4720
|
+
error: a.message,
|
|
4721
|
+
errorCode: a.code,
|
|
4722
|
+
errorCodeName: a.codeName,
|
|
4693
4723
|
ok: !1,
|
|
4694
4724
|
validFlows: this.validFlows,
|
|
4695
4725
|
valid_flowNames: this.valid_flowNames,
|
|
@@ -4710,56 +4740,56 @@ class X {
|
|
|
4710
4740
|
* @returns {@link UpdateClientFormData}. If a new secret was created, it will be placed as plaintext in the client that is returned.
|
|
4711
4741
|
*/
|
|
4712
4742
|
async updateClient_internal(r, o) {
|
|
4713
|
-
var t,
|
|
4743
|
+
var t, i;
|
|
4714
4744
|
let s;
|
|
4715
4745
|
try {
|
|
4716
|
-
const
|
|
4717
|
-
if (!
|
|
4746
|
+
const a = r.params.client_id;
|
|
4747
|
+
if (!a) throw new n(h.BadRequest, "No client ID given");
|
|
4718
4748
|
var e = new b();
|
|
4719
4749
|
if (await e.loadData(r), s = e.toObject(), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4720
|
-
throw new n(
|
|
4750
|
+
throw new n(h.InvalidCsrf);
|
|
4721
4751
|
const c = !s.redirect_uri || s.redirect_uri.trim().length == 0 ? [] : s.redirect_uri.trim().split(/[, ][ \t\n]*/);
|
|
4722
4752
|
let d = [];
|
|
4723
4753
|
for (let C of c)
|
|
4724
4754
|
try {
|
|
4725
4755
|
B.validateUri(C);
|
|
4726
|
-
} catch (
|
|
4727
|
-
l.logger.error(f({ err:
|
|
4756
|
+
} catch (U) {
|
|
4757
|
+
l.logger.error(f({ err: U })), d.push("[" + C + "]");
|
|
4728
4758
|
}
|
|
4729
4759
|
if (d.length > 0)
|
|
4730
4760
|
throw new n(
|
|
4731
|
-
|
|
4761
|
+
h.BadRequest,
|
|
4732
4762
|
"The following redirect URIs are invalid: " + d.join(" ")
|
|
4733
4763
|
);
|
|
4734
|
-
let
|
|
4764
|
+
let u = [];
|
|
4735
4765
|
for (let C of this.validFlows)
|
|
4736
|
-
C in s &&
|
|
4766
|
+
C in s && u.push(C);
|
|
4737
4767
|
const g = {};
|
|
4738
|
-
if (g.client_name = s.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow =
|
|
4768
|
+
if (g.client_name = s.client_name, g.confidential = e.getAsBoolean("confidential") ?? !1, g.valid_flow = u, g.redirect_uri = c, o) {
|
|
4739
4769
|
let C = s.userid ?? void 0;
|
|
4740
4770
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4741
|
-
const { user:
|
|
4742
|
-
C =
|
|
4771
|
+
const { user: U } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4772
|
+
C = U.id;
|
|
4743
4773
|
}
|
|
4744
4774
|
g.userid = s.userid ? Number(s.userid) : null;
|
|
4745
4775
|
}
|
|
4746
|
-
const
|
|
4747
|
-
if (!this.clientManager) throw new n(
|
|
4748
|
-
const { client:
|
|
4749
|
-
|
|
4776
|
+
const w = e.getAsBoolean("resetSecret");
|
|
4777
|
+
if (!this.clientManager) throw new n(h.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
|
|
4778
|
+
const { client: p, newSecret: S } = await this.clientManager.updateClient(
|
|
4779
|
+
a,
|
|
4750
4780
|
g,
|
|
4751
|
-
|
|
4781
|
+
w
|
|
4752
4782
|
);
|
|
4753
4783
|
return {
|
|
4754
4784
|
ok: !0,
|
|
4755
|
-
client:
|
|
4785
|
+
client: p,
|
|
4756
4786
|
formData: s,
|
|
4757
4787
|
//plaintextSecret: resetSecret ? formData.client_secret : undefined,
|
|
4758
|
-
plaintextSecret: S &&
|
|
4788
|
+
plaintextSecret: S && p.client_secret ? p.client_secret : void 0
|
|
4759
4789
|
};
|
|
4760
|
-
} catch (
|
|
4761
|
-
if (m.isSvelteKitRedirect(
|
|
4762
|
-
let c = n.asCrossauthError(
|
|
4790
|
+
} catch (a) {
|
|
4791
|
+
if (m.isSvelteKitRedirect(a) || m.isSvelteKitError(a)) throw a;
|
|
4792
|
+
let c = n.asCrossauthError(a, "Couldn't update client");
|
|
4763
4793
|
return l.logger.debug(f({ err: c })), l.logger.error(f({ cerr: c })), {
|
|
4764
4794
|
error: c.message,
|
|
4765
4795
|
errorCode: c.code,
|
|
@@ -4778,7 +4808,7 @@ class X {
|
|
|
4778
4808
|
* @returns {@link CreateClientPageData}.
|
|
4779
4809
|
*/
|
|
4780
4810
|
async emptyClient_internal(r, o) {
|
|
4781
|
-
var e, t,
|
|
4811
|
+
var e, t, i, a, c, d, u;
|
|
4782
4812
|
try {
|
|
4783
4813
|
var s = new b();
|
|
4784
4814
|
await s.loadData(r);
|
|
@@ -4786,33 +4816,33 @@ class X {
|
|
|
4786
4816
|
if (o) {
|
|
4787
4817
|
const S = r.url.searchParams.get("userid");
|
|
4788
4818
|
if (S && ((e = this.sessionServer) != null && e.userStorage)) {
|
|
4789
|
-
const { user:
|
|
4790
|
-
g =
|
|
4819
|
+
const { user: U } = await ((t = this.sessionServer) == null ? void 0 : t.userStorage.getUserById(S));
|
|
4820
|
+
g = U.id;
|
|
4791
4821
|
}
|
|
4792
4822
|
const C = s.get("userid");
|
|
4793
|
-
if (C && ((
|
|
4794
|
-
const { user:
|
|
4795
|
-
g =
|
|
4823
|
+
if (C && ((i = this.sessionServer) != null && i.userStorage)) {
|
|
4824
|
+
const { user: U } = await ((a = this.sessionServer) == null ? void 0 : a.userStorage.getUserById(C));
|
|
4825
|
+
g = U.id;
|
|
4796
4826
|
}
|
|
4797
4827
|
} else {
|
|
4798
|
-
if (!r.locals.user) throw new n(
|
|
4828
|
+
if (!r.locals.user) throw new n(h.Unauthorized);
|
|
4799
4829
|
g = r.locals.user.id;
|
|
4800
4830
|
}
|
|
4801
|
-
if (!this.clientStorage) throw new n(
|
|
4802
|
-
const
|
|
4831
|
+
if (!this.clientStorage) throw new n(h.Configuration, "No client storage specified");
|
|
4832
|
+
const w = g == null ? void 0 : await ((d = (c = this.sessionServer) == null ? void 0 : c.userStorage) == null ? void 0 : d.getUserById(g)), p = (u = w == null ? void 0 : w.user) == null ? void 0 : u.username;
|
|
4803
4833
|
return {
|
|
4804
4834
|
ok: !0,
|
|
4805
4835
|
validFlows: this.validFlows,
|
|
4806
4836
|
valid_flowNames: this.valid_flowNames,
|
|
4807
4837
|
clientUserId: g,
|
|
4808
|
-
clientUsername:
|
|
4838
|
+
clientUsername: p
|
|
4809
4839
|
};
|
|
4810
4840
|
} catch (g) {
|
|
4811
|
-
let
|
|
4812
|
-
return l.logger.debug(f({ err:
|
|
4813
|
-
error:
|
|
4814
|
-
errorCode:
|
|
4815
|
-
errorCodeName:
|
|
4841
|
+
let w = n.asCrossauthError(g, "Couldn't initialize new client");
|
|
4842
|
+
return l.logger.debug(f({ err: w })), l.logger.error(f({ cerr: w })), {
|
|
4843
|
+
error: w.message,
|
|
4844
|
+
errorCode: w.code,
|
|
4845
|
+
errorCodeName: w.codeName,
|
|
4816
4846
|
ok: !1,
|
|
4817
4847
|
validFlows: this.validFlows,
|
|
4818
4848
|
valid_flowNames: this.valid_flowNames
|
|
@@ -4831,7 +4861,7 @@ class X {
|
|
|
4831
4861
|
* @returns {@link UpdateClientFormData}. If a secret was created, it will be placed as plaintext in the client that is returned. A random `client_id` is created.
|
|
4832
4862
|
*/
|
|
4833
4863
|
async createClient_internal(r, o) {
|
|
4834
|
-
var t,
|
|
4864
|
+
var t, i, a, c;
|
|
4835
4865
|
let s;
|
|
4836
4866
|
try {
|
|
4837
4867
|
var e = new b();
|
|
@@ -4840,40 +4870,40 @@ class X {
|
|
|
4840
4870
|
if (o) {
|
|
4841
4871
|
const C = e.get("userid");
|
|
4842
4872
|
if (C && ((t = this.sessionServer) != null && t.userStorage)) {
|
|
4843
|
-
const { user:
|
|
4844
|
-
d =
|
|
4873
|
+
const { user: U } = await ((i = this.sessionServer) == null ? void 0 : i.userStorage.getUserById(C));
|
|
4874
|
+
d = U.id;
|
|
4845
4875
|
}
|
|
4846
4876
|
} else {
|
|
4847
|
-
if (!r.locals.user) throw new n(
|
|
4877
|
+
if (!r.locals.user) throw new n(h.Unauthorized);
|
|
4848
4878
|
d = r.locals.user.id;
|
|
4849
4879
|
}
|
|
4850
|
-
if (!this.clientStorage) throw new n(
|
|
4851
|
-
if (d && await ((c = (
|
|
4852
|
-
throw new n(
|
|
4853
|
-
const
|
|
4880
|
+
if (!this.clientStorage) throw new n(h.Configuration, "No client storage specified");
|
|
4881
|
+
if (d && await ((c = (a = this.sessionServer) == null ? void 0 : a.userStorage) == null ? void 0 : c.getUserById(d)), this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4882
|
+
throw new n(h.InvalidCsrf);
|
|
4883
|
+
const u = !s.redirect_uri || s.redirect_uri.trim().length == 0 ? [] : s.redirect_uri.trim().split(/[, ][ \t\n]*/);
|
|
4854
4884
|
let g = [];
|
|
4855
|
-
for (let C of
|
|
4885
|
+
for (let C of u)
|
|
4856
4886
|
try {
|
|
4857
4887
|
B.validateUri(C);
|
|
4858
|
-
} catch (
|
|
4859
|
-
l.logger.error(f({ err:
|
|
4888
|
+
} catch (U) {
|
|
4889
|
+
l.logger.error(f({ err: U })), g.push("[" + C + "]");
|
|
4860
4890
|
}
|
|
4861
4891
|
if (g.length > 0)
|
|
4862
4892
|
throw new n(
|
|
4863
|
-
|
|
4893
|
+
h.BadRequest,
|
|
4864
4894
|
"The following redirect URIs are invalid: " + g.join(" ")
|
|
4865
4895
|
);
|
|
4866
|
-
let
|
|
4896
|
+
let w = [];
|
|
4867
4897
|
for (let C of this.validFlows)
|
|
4868
|
-
C in s &&
|
|
4869
|
-
const
|
|
4870
|
-
if (
|
|
4898
|
+
C in s && w.push(C);
|
|
4899
|
+
const p = {};
|
|
4900
|
+
if (p.client_name = s.client_name, p.confidential = e.getAsBoolean("confidential"), p.valid_flow = w, p.redirect_uri = u, o && (p.userid = s.userid ? Number(s.userid) : null), !this.clientManager) throw new n(h.Configuration, "Cannot call this endpoint as you did not provide a clientStorage");
|
|
4871
4901
|
return {
|
|
4872
4902
|
ok: !0,
|
|
4873
4903
|
client: await this.clientManager.createClient(
|
|
4874
4904
|
s.client_name,
|
|
4875
|
-
|
|
4876
|
-
|
|
4905
|
+
u,
|
|
4906
|
+
w,
|
|
4877
4907
|
e.getAsBoolean("confidential") ?? !1,
|
|
4878
4908
|
d
|
|
4879
4909
|
),
|
|
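Review bot: The CSRF test on the new `if (d && await ((c = (a = this.sessionServer) ...).getUserById(d)), this.sessionServer.enableCsrfProtection && ...` line runs only after the form body has been parsed and the user store queried, and the comma operator hides that the lookup's result is discarded. Put the CSRF check first in the `try`, as `deleteClient` further down does, and make the lookup's purpose explicit on its own line: `if (d) await this.sessionServer?.userStorage?.getUserById(d); // presumably throws when the owner id is unknown — verify`. The `p` object assembled just before `this.clientManager.createClient(...)` is never passed anywhere and can be dropped, and `e.getAsBoolean("confidential")` is evaluated twice. `createClient_internal` begins in the previous hunk.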
@@ -4881,11 +4911,11 @@ class X {
|
|
|
4881
4911
|
};
|
|
4882
4912
|
} catch (d) {
|
|
4883
4913
|
if (m.isSvelteKitRedirect(d) || m.isSvelteKitError(d)) throw d;
|
|
4884
|
-
let
|
|
4885
|
-
return l.logger.debug(f({ err:
|
|
4886
|
-
error:
|
|
4887
|
-
errorCode:
|
|
4888
|
-
errorCodeName:
|
|
4914
|
+
let u = n.asCrossauthError(d, "Couldn't create client");
|
|
4915
|
+
return l.logger.debug(f({ err: u })), l.logger.error(f({ cerr: u })), {
|
|
4916
|
+
error: u.message,
|
|
4917
|
+
errorCode: u.code,
|
|
4918
|
+
errorCodeName: u.codeName,
|
|
4889
4919
|
ok: !1,
|
|
4890
4920
|
formData: s
|
|
4891
4921
|
};
|
|
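Review bot: `error: u.message` in the catch block after `let u = n.asCrossauthError(d, "Couldn't create client")` forwards whatever message the wrapped exception carried, so a storage-layer failure (driver error text, connection details) may reach the caller's form page; whether `asCrossauthError` replaces foreign messages with the fallback is not visible here. If it does not, return the fallback for non-Crossauth errors, e.g. `error: d instanceof n ? u.message : "Couldn't create client",`, and keep the detail in the `l.logger.error` call only. The same catch shape repeats in the `loadClient` and `deleteClient` blocks below. The enclosing `createClient_internal` starts in an earlier hunk.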
@@ -4902,21 +4932,21 @@ class X {
|
|
|
4902
4932
|
var s, e, t;
|
|
4903
4933
|
const o = r.params.client_id;
|
|
4904
4934
|
try {
|
|
4905
|
-
if (!o) throw new n(
|
|
4906
|
-
if (!this.clientStorage) throw new n(
|
|
4907
|
-
const
|
|
4935
|
+
if (!o) throw new n(h.BadRequest, "No client ID specified");
|
|
4936
|
+
if (!this.clientStorage) throw new n(h.Configuration, "No client storage specified");
|
|
4937
|
+
const i = await this.clientStorage.getClientById(o), a = i.userid == null ? void 0 : await ((e = (s = this.sessionServer) == null ? void 0 : s.userStorage) == null ? void 0 : e.getUserById(i.userid)), c = (t = a == null ? void 0 : a.user) == null ? void 0 : t.username;
|
|
4908
4938
|
return {
|
|
4909
4939
|
ok: !0,
|
|
4910
|
-
client:
|
|
4940
|
+
client: i,
|
|
4911
4941
|
client_id: o,
|
|
4912
4942
|
clientUsername: c
|
|
4913
4943
|
};
|
|
4914
|
-
} catch (
|
|
4915
|
-
let
|
|
4916
|
-
return l.logger.debug(f({ err:
|
|
4917
|
-
error:
|
|
4918
|
-
errorCode:
|
|
4919
|
-
errorCodeName:
|
|
4944
|
+
} catch (i) {
|
|
4945
|
+
let a = n.asCrossauthError(i, "Couldn't load client");
|
|
4946
|
+
return l.logger.debug(f({ err: a })), l.logger.error(f({ cerr: a })), {
|
|
4947
|
+
error: a.message,
|
|
4948
|
+
errorCode: a.code,
|
|
4949
|
+
errorCodeName: a.codeName,
|
|
4920
4950
|
ok: !1,
|
|
4921
4951
|
client_id: o
|
|
4922
4952
|
};
|
|
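Review bot: The row from `this.clientStorage.getClientById(o)` is returned as `client: i` without any check that `r.locals.user` owns it or is an admin; the user-facing wrapper later in the file does that comparison itself, so this method is only safe if every caller repeats it. A comment above the function would make the contract explicit: `// No ownership check here: callers must verify r.locals.user owns the client, or is an admin, before exposing the result.` Separately, `a = i.userid == null ? void 0 : await ...getUserById(i.userid)` turns a deleted owner into a whole-page "Couldn't load client" failure if `getUserById` throws for unknown ids (the creation path above appears to rely on exactly that), so a small `try` around that lookup that leaves `clientUsername` undefined would keep orphaned clients inspectable. The method's signature is above the hunk.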
@@ -4933,23 +4963,23 @@ class X {
|
|
|
4933
4963
|
var s, e;
|
|
4934
4964
|
try {
|
|
4935
4965
|
if (this.sessionServer.enableCsrfProtection && r.locals.authType == "cookie" && !r.locals.csrfToken)
|
|
4936
|
-
throw new n(
|
|
4966
|
+
throw new n(h.InvalidCsrf);
|
|
4937
4967
|
const t = r.params.client_id;
|
|
4938
|
-
if (!t) throw new n(
|
|
4939
|
-
if (!this.clientStorage) throw new n(
|
|
4940
|
-
const
|
|
4941
|
-
if (!o &&
|
|
4968
|
+
if (!t) throw new n(h.BadRequest, "No client ID given");
|
|
4969
|
+
if (!this.clientStorage) throw new n(h.Configuration, "No client storage specified");
|
|
4970
|
+
const i = await ((s = this.clientStorage) == null ? void 0 : s.getClientById(t));
|
|
4971
|
+
if (!o && i.userid != ((e = r.locals.user) == null ? void 0 : e.id))
|
|
4942
4972
|
throw this.error(401, "Unauthorized");
|
|
4943
4973
|
return await this.clientStorage.deleteClient(t), {
|
|
4944
4974
|
ok: !0
|
|
4945
4975
|
};
|
|
4946
4976
|
} catch (t) {
|
|
4947
4977
|
if (m.isSvelteKitRedirect(t) || m.isSvelteKitError(t)) throw t;
|
|
4948
|
-
let
|
|
4949
|
-
return l.logger.debug(f({ err:
|
|
4950
|
-
error:
|
|
4951
|
-
errorCode:
|
|
4952
|
-
errorCodeName:
|
|
4978
|
+
let i = n.asCrossauthError(t, "Couldn't delete client");
|
|
4979
|
+
return l.logger.debug(f({ err: i })), l.logger.error(f({ cerr: i })), {
|
|
4980
|
+
error: i.message,
|
|
4981
|
+
errorCode: i.code,
|
|
4982
|
+
errorCodeName: i.codeName,
|
|
4953
4983
|
ok: !1
|
|
4954
4984
|
};
|
|
4955
4985
|
}
|
|
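Review bot: The ownership test `if (!o && i.userid != ((e = r.locals.user) == null ? void 0 : e.id))` passes for a client with no owner when nobody is logged in, because `null != undefined` is false, so an anonymous request that reaches this method would delete such a client; the creation path above appears to allow owner-less clients (`d` is left unset when no `userid` is supplied on the admin branch). Require a user explicitly and compare strictly: `if (!o && (!r.locals.user || i.userid == null || i.userid !== r.locals.user.id)) throw this.error(401, "Unauthorized");` (strict equality assumes the client and user stores use the same id type — verify). Whether the route wrapper already rejects anonymous callers before this point is not visible in the hunk. The method's signature sits just above the hunk.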
@@ -5040,7 +5070,7 @@ class Ce extends X {
|
|
|
5040
5070
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
5041
5071
|
try {
|
|
5042
5072
|
const s = r.params.client_id;
|
|
5043
|
-
if (!s) throw new n(
|
|
5073
|
+
if (!s) throw new n(h.BadRequest, "No client ID given");
|
|
5044
5074
|
const e = await ((o = this.clientStorage) == null ? void 0 : o.getClientById(s));
|
|
5045
5075
|
if ((e == null ? void 0 : e.userid) != r.locals.user.id) return this.error(401, "Access denied");
|
|
5046
5076
|
} catch (s) {
|
|
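Review bot: `return this.error(401, "Access denied")` inside the `try` only aborts the request if the configured `error` callback throws; the file defaults it to SvelteKit's `error`, whose behaviour changed between major versions, and if it merely returns an `HttpError` the object becomes the load result and the `catch` below never sees it. `deleteClient` earlier in the file uses `throw this.error(401, ...)`; do the same here: `if ((e == null ? void 0 : e.userid) != r.locals.user.id) throw this.error(401, "Access denied");`. The identical line appears in the next three hunks. The enclosing method starts above this hunk.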
@@ -5066,7 +5096,7 @@ class Ce extends X {
|
|
|
5066
5096
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
5067
5097
|
try {
|
|
5068
5098
|
const s = r.params.client_id;
|
|
5069
|
-
if (!s) throw new n(
|
|
5099
|
+
if (!s) throw new n(h.BadRequest, "No client ID given");
|
|
5070
5100
|
const e = await ((o = this.clientStorage) == null ? void 0 : o.getClientById(s));
|
|
5071
5101
|
if ((e == null ? void 0 : e.userid) != r.locals.user.id) return this.error(401, "Access denied");
|
|
5072
5102
|
} catch (s) {
|
|
@@ -5090,7 +5120,7 @@ class Ce extends X {
|
|
|
5090
5120
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
5091
5121
|
try {
|
|
5092
5122
|
const s = r.params.client_id;
|
|
5093
|
-
if (!s) throw new n(
|
|
5123
|
+
if (!s) throw new n(h.BadRequest, "No client ID given");
|
|
5094
5124
|
const e = await ((o = this.clientStorage) == null ? void 0 : o.getClientById(s));
|
|
5095
5125
|
if ((e == null ? void 0 : e.userid) != r.locals.user.id) return this.error(401, "Access denied");
|
|
5096
5126
|
} catch (s) {
|
|
@@ -5114,7 +5144,7 @@ class Ce extends X {
|
|
|
5114
5144
|
throw this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(r.request.url));
|
|
5115
5145
|
try {
|
|
5116
5146
|
const s = r.params.client_id;
|
|
5117
|
-
if (!s) throw new n(
|
|
5147
|
+
if (!s) throw new n(h.BadRequest, "No client ID given");
|
|
5118
5148
|
const e = await ((o = this.clientStorage) == null ? void 0 : o.getClientById(s));
|
|
5119
5149
|
if ((e == null ? void 0 : e.userid) != r.locals.user.id) return this.error(401, "Access denied");
|
|
5120
5150
|
} catch (s) {
|
|
@@ -5266,47 +5296,47 @@ function Ee(k) {
|
|
|
5266
5296
|
let r = [];
|
|
5267
5297
|
return k.username == null ? r.push("Username must be given") : k.username.length < 2 ? r.push("Username must be at least 2 characters") : k.username.length > 254 && r.push("Username must be no longer than 254 characters"), r;
|
|
5268
5298
|
}
|
|
5269
|
-
function _e(k, r, o) {
|
|
5299
|
+
function _e(k, r, o, s = ["localpassword"]) {
|
|
5270
5300
|
var a;
|
|
5271
|
-
let
|
|
5301
|
+
let t = {
|
|
5272
5302
|
username: r.username ?? "",
|
|
5273
5303
|
state: "active"
|
|
5274
5304
|
};
|
|
5275
|
-
const
|
|
5276
|
-
for (let
|
|
5277
|
-
let
|
|
5278
|
-
if (
|
|
5279
|
-
if ("type_" +
|
|
5280
|
-
if (r["type_" +
|
|
5281
|
-
|
|
5282
|
-
else if (r["type_" +
|
|
5283
|
-
|
|
5284
|
-
else if (r["type_" +
|
|
5285
|
-
const
|
|
5286
|
-
|
|
5305
|
+
const i = k.locals.user && m.isAdminFn(k.locals.user);
|
|
5306
|
+
for (let c in r) {
|
|
5307
|
+
let d = c.replace(/^user_/, "");
|
|
5308
|
+
if (c.startsWith("user_") && (i || o.includes(d)))
|
|
5309
|
+
if ("type_" + d in r) {
|
|
5310
|
+
if (r["type_" + d] == "string")
|
|
5311
|
+
t[d] = r[c];
|
|
5312
|
+
else if (r["type_" + d] == "number" || r["type_" + d] == "integer" || r["type_" + d] == "float")
|
|
5313
|
+
t[d] = Number(r[c]);
|
|
5314
|
+
else if (r["type_" + d] == "boolean") {
|
|
5315
|
+
const u = (a = r[c]) == null ? void 0 : a.toLocaleLowerCase();
|
|
5316
|
+
t[d] = u == "1" || u == "y" || u == "t" || u == "yes" || u == "true";
|
|
5287
5317
|
}
|
|
5288
5318
|
} else
|
|
5289
|
-
|
|
5319
|
+
t[d] = r[c];
|
|
5290
5320
|
}
|
|
5291
|
-
return
|
|
5321
|
+
return t.factor1 = "localpassword", r.factor1 && s.includes(r.factor1) && (t.factor1 = r.factor1), t.factor2 = r.factor2, t;
|
|
5292
5322
|
}
|
|
5293
5323
|
function ve(k, r, o, s) {
|
|
5294
5324
|
var t;
|
|
5295
5325
|
const e = r.locals.user && m.isAdminFn(r.locals.user);
|
|
5296
|
-
for (let
|
|
5297
|
-
let
|
|
5298
|
-
if (
|
|
5299
|
-
if ("type_" +
|
|
5300
|
-
if (o["type_" +
|
|
5301
|
-
k[
|
|
5302
|
-
else if (o["type_" +
|
|
5303
|
-
k[
|
|
5304
|
-
else if (o["type_" +
|
|
5305
|
-
const c = (t = o[
|
|
5306
|
-
k[
|
|
5326
|
+
for (let i in o) {
|
|
5327
|
+
let a = i.replace(/^user_/, "");
|
|
5328
|
+
if (i.startsWith("user_") && (e || s.includes(a)))
|
|
5329
|
+
if ("type_" + a in o) {
|
|
5330
|
+
if (o["type_" + a] == "string")
|
|
5331
|
+
k[a] = o[i];
|
|
5332
|
+
else if (o["type_" + a] == "number" || o["type_" + a] == "integer" || o["type_" + a] == "float")
|
|
5333
|
+
k[a] = Number(o[i]);
|
|
5334
|
+
else if (o["type_" + a] == "boolean") {
|
|
5335
|
+
const c = (t = o[i]) == null ? void 0 : t.toLocaleLowerCase();
|
|
5336
|
+
k[a] = c == "1" || c == "y" || c == "t" || c == "yes" || c == "true";
|
|
5307
5337
|
}
|
|
5308
5338
|
} else
|
|
5309
|
-
k[
|
|
5339
|
+
k[a] = o[i];
|
|
5310
5340
|
}
|
|
5311
5341
|
return k;
|
|
5312
5342
|
}
|
|
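Review bot: `t.factor2 = r.factor2` at the end of `_e` copies the authenticator name straight from the form, while `factor1` is now restricted to the `s` allow-list, so a self-registering user can name any factor2 unless the caller checks it against the session server's `allowedFactor2Names` (not visible here). Either validate it the same way, with the allowed list passed in by the caller and a comment such as `// factor2 is only accepted if it is one of the deployment's allowedFactor2Names`, or state at the top of `_e` that factor2 validation is the caller's responsibility. Note also that an admin (`i` true) can override the default `state: "active"` through a `user_state` field because the loop excludes nothing — if that is intended, a one-line comment saying so would help.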
@@ -5319,7 +5349,7 @@ class H {
|
|
|
5319
5349
|
* @param options See {@link SvelteKitSessionServerOptions}.
|
|
5320
5350
|
*/
|
|
5321
5351
|
constructor(r, o, s = {}) {
|
|
5322
|
-
this.validateUserFn = Ee, this.createUserFn = _e, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.adminProtectedExceptionPageEndpoints = [], this.adminProtectedExceptionApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.keyStorage = r, this.userStorage = s.userStorage, this.clientStorage = s.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, s), this.redirect = s.redirect ?? Q, this.error = s.error ?? Y, y("factor2Url", E.String, this, s, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", E.JsonArray, this, s, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", E.JsonArray, this, s, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", E.JsonArray, this, s, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", E.JsonArray, this, s, "ADMIN_API_ENDPOINTS"), y("adminProtectedExceptionPageEndpoints", E.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("adminProtectedExceptionApiEndpoints", E.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("loginUrl", 
E.JsonArray, this, s, "LOGIN_URL"), y("unauthorizedUrl", E.JsonArray, this, s, "UNAUTHORIZED_PAGE");
|
|
5352
|
+
this.validateUserFn = Ee, this.createUserFn = _e, this.updateUserFn = ve, this.allowedFactor2 = [], this.allowedFactor2Names = [], this.factor2ProtectedPageEndpoints = [], this.factor2ProtectedApiEndpoints = [], this.loginProtectedPageEndpoints = [], this.loginProtectedApiEndpoints = [], this.loginProtectedExceptionPageEndpoints = [], this.loginProtectedExceptionApiEndpoints = [], this.adminPageEndpoints = [], this.adminApiEndpoints = [], this.adminProtectedExceptionPageEndpoints = [], this.adminProtectedExceptionApiEndpoints = [], this.unauthorizedUrl = void 0, this.enableCsrfProtection = !0, this.enableEmailVerification = !1, this.enablePasswordReset = !1, this.factor2Url = "/factor2", this.loginUrl = "/login", this.logoutUrl = "/logout", this.userAllowedFactor1 = ["localpassword"], this.adminAllowedFactor1 = ["localpassword"], this.keyStorage = r, this.userStorage = s.userStorage, this.clientStorage = s.clientStorage, this.authenticators = o, this.sessionManager = new ie(r, o, s), this.redirect = s.redirect ?? Q, this.error = s.error ?? 
Y, y("factor2Url", E.String, this, s, "FACTOR2_URL"), this.factor2Url.endsWith("/") || (this.factor2Url += "/"), y("factor2ProtectedPageEndpoints", E.JsonArray, this, s, "FACTOR2_PROTECTED_PAGE_ENDPOINTS"), y("factor2ProtectedApiEndpoints", E.JsonArray, this, s, "FACTOR2_PROTECTED_API_ENDPOINTS"), y("loginProtectedPageEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_PAGE_ENDPOINTS"), y("loginProtectedApiEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_API_ENDPOINTS"), y("loginProtectedExceptionPageEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("loginProtectedExceptionApiEndpoints", E.JsonArray, this, s, "LOGIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("adminPageEndpoints", E.JsonArray, this, s, "ADMIN_PAGE_ENDPOINTS"), y("adminApiEndpoints", E.JsonArray, this, s, "ADMIN_API_ENDPOINTS"), y("adminProtectedExceptionPageEndpoints", E.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_PAGE_ENDPOINTS"), y("adminProtectedExceptionApiEndpoints", E.JsonArray, this, s, "ADMIN_PROTECTED_EXCEPTION_API_ENDPOINTS"), y("loginUrl", E.JsonArray, this, s, "LOGIN_URL"), y("logoutUrl", E.JsonArray, this, s, "LOGOUT_URL"), y("unauthorizedUrl", E.JsonArray, this, s, "UNAUTHORIZED_PAGE"), y("userAllowedFactor1", E.JsonArray, this, s, "USER_ALLOWED_FACTOR1"), y("adminAllowedFactor1", E.JsonArray, this, s, "ADMIN_ALLOWED_FACTOR1");
|
|
5323
5353
|
let e = {};
|
|
5324
5354
|
if (y("allowedFactor2", E.JsonArray, e, s, "ALLOWED_FACTOR2"), this.allowedFactor2Names = s.allowedFactor2 ?? ["none"], e.allowedFactor2)
|
|
5325
5355
|
for (let t of e.allowedFactor2)
|
|
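Review bot: `y("logoutUrl", E.JsonArray, this, s, "LOGOUT_URL")` declares the new `logoutUrl` option as a JSON array although it is initialised to the string `"/logout"` and later compared to a pathname via `[...].includes(U)` in the session hook; if `setParameter` honours the declared type, a `LOGOUT_URL` environment value becomes an array that never matches, and the factor2-reset redirect would then also intercept the logout page. `factor2Url` a few tokens earlier uses `E.String`; use the same: `y("logoutUrl", E.String, this, s, "LOGOUT_URL")`. The pre-existing `loginUrl` and `unauthorizedUrl` lines carry the same declared type and deserve the same look. The constructor continues in the next hunk.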
@@ -5333,21 +5363,21 @@ class H {
|
|
|
5333
5363
|
configurable: !1
|
|
5334
5364
|
});
|
|
5335
5365
|
y("enableEmailVerification", E.Boolean, this, s, "ENABLE_EMAIL_VERIFICATION"), y("enablePasswordReset", E.Boolean, this, s, "ENABLE_PASSWORD_RESET"), y("enableCsrfProtection", E.Boolean, this, s, "ENABLE_CSRF_PROTECTION"), y("editUserScope", E.String, this, s, "EDIT_USER_SCOPE"), s.validateUserFn && (this.validateUserFn = s.validateUserFn), s.createUserFn && (this.createUserFn = s.createUserFn), s.updateUserFn && (this.updateUserFn = s.updateUserFn), s.addToSession && (this.addToSession = s.addToSession), s.validateSession && (this.validateSession = s.validateSession), this.userEndpoints = new we(this, s), this.adminEndpoints = new ke(this, s), this.userClientEndpoints = new Ce(this, s), this.adminClientEndpoints = new ye(this, s), this.sessionHook = async ({ event: t }) => {
|
|
5336
|
-
var
|
|
5366
|
+
var g, w;
|
|
5337
5367
|
l.logger.debug("Session hook");
|
|
5338
|
-
let
|
|
5339
|
-
const
|
|
5368
|
+
let i = [], a;
|
|
5369
|
+
const c = this.sessionManager.csrfCookieName, d = this.sessionManager.sessionCookieName;
|
|
5340
5370
|
if (this.enableCsrfProtection) {
|
|
5341
5371
|
l.logger.debug(f({ msg: "Getting csrf cookie" }));
|
|
5342
5372
|
let p;
|
|
5343
5373
|
try {
|
|
5344
5374
|
p = this.getCsrfCookieValue(t), p && this.sessionManager.validateCsrfCookie(p);
|
|
5345
|
-
} catch (
|
|
5346
|
-
l.logger.warn(f({ msg: "Invalid csrf cookie received", cerr:
|
|
5375
|
+
} catch (S) {
|
|
5376
|
+
l.logger.warn(f({ msg: "Invalid csrf cookie received", cerr: S, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5347
5377
|
try {
|
|
5348
|
-
this.clearCookie(
|
|
5349
|
-
} catch (
|
|
5350
|
-
l.logger.debug(f({ err:
|
|
5378
|
+
this.clearCookie(c, this.sessionManager.csrfCookiePath, t);
|
|
5379
|
+
} catch (C) {
|
|
5380
|
+
l.logger.debug(f({ err: C })), l.logger.error(f({ cerr: C, msg: "Couldn't delete CSRF cookie", ip: t.request.referrer, hashedCsrfCookie: this.getHashOfCsrfCookie(t) }));
|
|
5351
5381
|
}
|
|
5352
5382
|
p = void 0, t.locals.csrfToken = void 0;
|
|
5353
5383
|
}
|
|
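Review bot: The new `l.logger.error(f({ cerr: C, msg: "Couldn't delete CSRF cookie", ip: t.request.referrer, ... }))` logs the Referer (or `"about:client"`) under the key `ip`, so the field misleads anyone triaging CSRF-cookie problems. SvelteKit's `RequestEvent` exposes the peer address through `t.getClientAddress()` (adapter-dependent, and it can throw), so either use that, guarded, or rename the key: `referrer: t.request.referrer`. The `ip: r.request.referrerPolicy` in `csrfToken()` further down has the same problem. This `sessionHook` closure continues in the next hunk.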
@@ -5355,56 +5385,67 @@ class H {
|
|
|
5355
5385
|
try {
|
|
5356
5386
|
if (p) {
|
|
5357
5387
|
l.logger.debug(f({ msg: "Valid CSRF cookie - creating token" }));
|
|
5358
|
-
const
|
|
5359
|
-
t.locals.csrfToken =
|
|
5388
|
+
const S = await this.sessionManager.createCsrfFormOrHeaderValue(p);
|
|
5389
|
+
t.locals.csrfToken = S;
|
|
5360
5390
|
} else {
|
|
5361
5391
|
l.logger.debug(f({ msg: "Invalid CSRF cookie - recreating" }));
|
|
5362
|
-
const { csrfCookie:
|
|
5363
|
-
this.setCsrfCookie(
|
|
5392
|
+
const { csrfCookie: S, csrfFormOrHeaderValue: C } = await this.sessionManager.createCsrfToken();
|
|
5393
|
+
this.setCsrfCookie(S, t), t.locals.csrfToken = C;
|
|
5364
5394
|
}
|
|
5365
|
-
this.setHeader(x, t.locals.csrfToken,
|
|
5366
|
-
} catch (
|
|
5367
|
-
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr:
|
|
5395
|
+
this.setHeader(x, t.locals.csrfToken, i);
|
|
5396
|
+
} catch (S) {
|
|
5397
|
+
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: S, user: (g = t.locals.user) == null ? void 0 : g.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: S })), this.clearCookie(c, this.sessionManager.csrfCookiePath, t), t.locals.csrfToken = void 0;
|
|
5368
5398
|
}
|
|
5369
5399
|
else if (p)
|
|
5370
5400
|
try {
|
|
5371
|
-
await this.csrfToken(t,
|
|
5372
|
-
} catch (
|
|
5373
|
-
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr:
|
|
5401
|
+
await this.csrfToken(t, i);
|
|
5402
|
+
} catch (S) {
|
|
5403
|
+
l.logger.error(f({ msg: "Couldn't create CSRF token", cerr: S, user: (w = t.locals.user) == null ? void 0 : w.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: S }));
|
|
5374
5404
|
}
|
|
5375
5405
|
}
|
|
5376
5406
|
t.locals.user = void 0, t.locals.authType = void 0;
|
|
5377
|
-
const
|
|
5378
|
-
if (l.logger.debug(f({ msg: "Getting session cookie" })),
|
|
5407
|
+
const u = this.getSessionCookieValue(t);
|
|
5408
|
+
if (l.logger.debug(f({ msg: "Getting session cookie" })), u)
|
|
5379
5409
|
try {
|
|
5380
|
-
const p = this.sessionManager.getSessionId(
|
|
5381
|
-
let { key:
|
|
5382
|
-
this.validateSession && this.validateSession(
|
|
5410
|
+
const p = this.sessionManager.getSessionId(u);
|
|
5411
|
+
let { key: S, user: C } = await this.sessionManager.userForSessionId(p);
|
|
5412
|
+
this.validateSession && this.validateSession(S, C, t);
|
|
5413
|
+
const U = t.url.pathname;
|
|
5414
|
+
if (C && this.allowedFactor2.length > 0 && (C.state == I.factor2ResetNeeded || !this.allowedFactor2Names.includes(C.factor2 ? C.factor2 : "none"))) {
|
|
5415
|
+
if (!this.userEndpoints.configureFactor2Url)
|
|
5416
|
+
throw new n(h.Configuration, "Must set configureFactor2Url in session server");
|
|
5417
|
+
if (!this.userEndpoints.changeFactor2Url)
|
|
5418
|
+
throw new n(h.Configuration, "Must set changeFactor2Url in session server");
|
|
5419
|
+
if (!this.logoutUrl)
|
|
5420
|
+
throw new n(h.Configuration, "Must set logoutUrl in session server");
|
|
5421
|
+
[this.userEndpoints.changeFactor2Url, this.userEndpoints.configureFactor2Url, this.loginUrl, this.logoutUrl].includes(U) || (a = 302, i.push({ name: "location", value: this.userEndpoints.changeFactor2Url + "?required=true&next=" + encodeURIComponent("login?next=" + t.url) }));
|
|
5422
|
+
}
|
|
5423
|
+
t.locals.sessionId = p, t.locals.user = C, t.locals.authType = "cookie", l.logger.debug(f({ msg: "Valid session id", user: C == null ? void 0 : C.username }));
|
|
5383
5424
|
} catch {
|
|
5384
|
-
l.logger.warn(f({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(t) })), this.clearCookie(
|
|
5425
|
+
l.logger.warn(f({ msg: "Invalid session cookie received", hashedSessionCookie: this.getHashOfSessionCookie(t) })), this.clearCookie(d, this.sessionManager.sessionCookiePath, t);
|
|
5385
5426
|
}
|
|
5386
|
-
return { headers: a };
|
|
5427
|
+
return { headers: i, status: a };
|
|
5387
5428
|
}, this.twoFAHook = async ({ event: t }) => {
|
|
5388
|
-
var
|
|
5389
|
-
if (l.logger.debug(f({ msg: "twoFAHook", username: (
|
|
5390
|
-
const
|
|
5429
|
+
var u;
|
|
5430
|
+
if (l.logger.debug(f({ msg: "twoFAHook", username: (u = t.locals.user) == null ? void 0 : u.username })), !this.userStorage) throw this.error(500, "No user storage defined");
|
|
5431
|
+
const i = this.getSessionCookieValue(t), a = this.isFactor2PageProtected(t), c = this.isFactor2ApiProtected(t);
|
|
5391
5432
|
let d;
|
|
5392
|
-
if (
|
|
5433
|
+
if (i)
|
|
5393
5434
|
if (t.locals.user) d = t.locals.user;
|
|
5394
5435
|
else {
|
|
5395
5436
|
const g = await this.getSessionData(t, "user");
|
|
5396
5437
|
if (g) {
|
|
5397
|
-
const
|
|
5398
|
-
(
|
|
5438
|
+
const w = await this.userStorage.getUserByUsername(g.username, { skipActiveCheck: !0 });
|
|
5439
|
+
(w.user.status == I.active || w.user.state == I.factor2ResetNeeded) && (d = w.user);
|
|
5399
5440
|
}
|
|
5400
5441
|
}
|
|
5401
|
-
if (d &&
|
|
5442
|
+
if (d && i && d.factor2 != "" && (a || c))
|
|
5402
5443
|
if (l.logger.debug(f({ msg: "Factor2-protected endpoint visited" })), ["GET", "OPTIONS", "HEAD"].includes(t.request.method)) {
|
|
5403
5444
|
l.logger.debug(f({ msg: "Factor2-protected GET endpoint - cancelling 2FA" }));
|
|
5404
5445
|
const g = this.getSessionCookieValue(t);
|
|
5405
5446
|
if (g) {
|
|
5406
|
-
const
|
|
5407
|
-
if ("pre2fa" in await this.sessionManager.dataForSessionId(
|
|
5447
|
+
const w = this.sessionManager.getSessionId(g);
|
|
5448
|
+
if ("pre2fa" in await this.sessionManager.dataForSessionId(w)) {
|
|
5408
5449
|
l.logger.debug(f({ msg: "Cancelling 2FA" }));
|
|
5409
5450
|
try {
|
|
5410
5451
|
await this.sessionManager.cancelTwoFactorPageVisit(g);
|
|
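Review bot: `w.user.status == I.active` in `twoFAHook` (the `const w = await this.userStorage.getUserByUsername(...)` branch) reads a `status` property while every other line in view uses `state` (`C.state == I.factor2ResetNeeded` above, `state: "active"` in `_e`), so for an active user the left operand is `undefined`, the test fails, and `d` is only populated for users in `factor2ResetNeeded`; it should read `(w.user.state == I.active || w.user.state == I.factor2ResetNeeded) && (d = w.user);`. In the new factor2-reset redirect, the `location` value nests `t.url` unencoded inside `"login?next=" + t.url`, so any `&` in the original query truncates the inner `next`, the literal `login` bypasses `this.loginUrl`, and the absolute `t.url` (built from the Host header) is what a login page that forwards `next` unchecked would later redirect to; prefer `encodeURIComponent(this.loginUrl + "?next=" + encodeURIComponent(t.url.pathname + t.url.search))`. Whether the consumer of `{ headers: i, status: a }` short-circuits the request on status 302, or only merges the headers onto the normal response, is not visible here and decides whether this enforcement actually bites. Both `sessionHook` and `twoFAHook` extend beyond this hunk.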
@@ -5414,62 +5455,62 @@ class H {
|
|
|
5414
5455
|
}
|
|
5415
5456
|
}
|
|
5416
5457
|
} else {
|
|
5417
|
-
const g = this.sessionManager.getSessionId(
|
|
5418
|
-
if ("pre2fa" in
|
|
5458
|
+
const g = this.sessionManager.getSessionId(i), w = await this.sessionManager.dataForSessionId(g);
|
|
5459
|
+
if ("pre2fa" in w) {
|
|
5419
5460
|
l.logger.debug(f({ msg: "Completing 2FA" }));
|
|
5420
|
-
const
|
|
5461
|
+
const p = this.authenticators[w.pre2fa.factor2], S = [...p.secretNames(), ...p.transientSecretNames()];
|
|
5421
5462
|
let C = {};
|
|
5422
|
-
const
|
|
5423
|
-
await
|
|
5424
|
-
for (let
|
|
5425
|
-
S.includes(
|
|
5426
|
-
const
|
|
5427
|
-
if (!
|
|
5428
|
-
let
|
|
5463
|
+
const U = new b();
|
|
5464
|
+
await U.loadData(t);
|
|
5465
|
+
for (let T of U.keys())
|
|
5466
|
+
S.includes(T) && (C[T] = U.get(T) ?? "");
|
|
5467
|
+
const R = this.getSessionCookieValue(t);
|
|
5468
|
+
if (!R) throw new n(h.Unauthorized, "No session cookie found");
|
|
5469
|
+
let F;
|
|
5429
5470
|
try {
|
|
5430
5471
|
await this.sessionManager.completeTwoFactorPageVisit(C, t.locals.sessionId ?? "");
|
|
5431
|
-
} catch (
|
|
5432
|
-
|
|
5433
|
-
const z = n.asCrossauthError(
|
|
5434
|
-
l.logger.error(f({ msg:
|
|
5472
|
+
} catch (T) {
|
|
5473
|
+
F = n.asCrossauthError(T), l.logger.debug(f({ err: T }));
|
|
5474
|
+
const z = n.asCrossauthError(T);
|
|
5475
|
+
l.logger.error(f({ msg: F.message, cerr: T, user: U.get("username"), errorCode: z.code, errorCodeName: z.codeName }));
|
|
5435
5476
|
}
|
|
5436
|
-
if (
|
|
5437
|
-
if (
|
|
5477
|
+
if (F)
|
|
5478
|
+
if (F.code == h.Expired) {
|
|
5438
5479
|
l.logger.debug(f({ msg: "Error - cancelling 2FA" }));
|
|
5439
5480
|
try {
|
|
5440
|
-
await this.sessionManager.cancelTwoFactorPageVisit(
|
|
5441
|
-
} catch (
|
|
5442
|
-
l.logger.error(f({ msg: "Failed cancelling 2FA", cerr:
|
|
5481
|
+
await this.sessionManager.cancelTwoFactorPageVisit(R);
|
|
5482
|
+
} catch (T) {
|
|
5483
|
+
l.logger.error(f({ msg: "Failed cancelling 2FA", cerr: T, user: d.username, hashedSessionCookie: this.getHashOfSessionCookie(t) })), l.logger.debug(f({ err: T }));
|
|
5443
5484
|
}
|
|
5444
5485
|
return this.error(401, { message: "Sorry, your code has expired" }), { ok: !1, twofa: !0 };
|
|
5445
5486
|
} else
|
|
5446
|
-
return
|
|
5487
|
+
return a ? {
|
|
5447
5488
|
twofa: !0,
|
|
5448
5489
|
ok: !1,
|
|
5449
5490
|
response: new Response("", {
|
|
5450
5491
|
status: 302,
|
|
5451
|
-
statusText:
|
|
5452
|
-
headers: { Location: this.factor2Url + "?error=" +
|
|
5492
|
+
statusText: K(302),
|
|
5493
|
+
headers: { Location: this.factor2Url + "?error=" + h[F.code] }
|
|
5453
5494
|
})
|
|
5454
5495
|
} : {
|
|
5455
5496
|
twofa: !0,
|
|
5456
5497
|
ok: !1,
|
|
5457
5498
|
response: new Response(JSON.stringify({
|
|
5458
5499
|
ok: !1,
|
|
5459
|
-
errorMessage:
|
|
5460
|
-
errorMessages:
|
|
5461
|
-
errorCode:
|
|
5462
|
-
errorCodeName:
|
|
5500
|
+
errorMessage: F.message,
|
|
5501
|
+
errorMessages: F.messages,
|
|
5502
|
+
errorCode: F.code,
|
|
5503
|
+
errorCodeName: h[F.code]
|
|
5463
5504
|
}), {
|
|
5464
|
-
status:
|
|
5465
|
-
statusText:
|
|
5505
|
+
status: F.httpStatus,
|
|
5506
|
+
statusText: K(F.httpStatus),
|
|
5466
5507
|
headers: { "content-tyoe": "application/json" }
|
|
5467
5508
|
})
|
|
5468
5509
|
};
|
|
5469
|
-
return H.updateRequest(t,
|
|
5510
|
+
return H.updateRequest(t, w.pre2fa.body, w.pre2fa["content-type"]), { twofa: !0, ok: !0 };
|
|
5470
5511
|
} else {
|
|
5471
5512
|
if (l.logger.debug(f({ msg: "Starting 2FA", username: d.username })), this.enableCsrfProtection && !t.locals.csrfToken) {
|
|
5472
|
-
const C = new n(
|
|
5513
|
+
const C = new n(h.Forbidden, "CSRF token missing");
|
|
5473
5514
|
return {
|
|
5474
5515
|
twofa: !0,
|
|
5475
5516
|
ok: !1,
|
|
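Review bot: The JSON error response built in the `F` branch sends `headers: { "content-tyoe": "application/json" }`, a misspelt header name, so the body goes out with no Content-Type header at all; it should be `headers: { "content-type": "application/json" }` (the CSRF-missing response in the next hunk has the same typo). The `l.logger.error(f({ msg: F.message, cerr: T, user: U.get("username"), ... }))` line logs the `username` field of the submitted 2FA form rather than the authenticated user, letting the client write an arbitrary string into the `user` field; use `user: d.username`. `const R = this.getSessionCookieValue(t)` plus its `Unauthorized` throw is redundant, since `i` already holds that cookie value and the enclosing `if (d && i && ...)` guarantees it is set. The `twoFAHook` closure starts before and ends after this hunk.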
@@ -5478,25 +5519,25 @@ class H {
|
|
|
5478
5519
|
errorMessage: C.message,
|
|
5479
5520
|
errorMessages: C.messages,
|
|
5480
5521
|
errorCode: C.code,
|
|
5481
|
-
errorCodeName:
|
|
5522
|
+
errorCodeName: h[C.code]
|
|
5482
5523
|
}), {
|
|
5483
5524
|
status: C.httpStatus,
|
|
5484
|
-
statusText:
|
|
5525
|
+
statusText: K(C.httpStatus),
|
|
5485
5526
|
headers: {
|
|
5486
5527
|
"content-tyoe": "application/json"
|
|
5487
5528
|
}
|
|
5488
5529
|
})
|
|
5489
5530
|
};
|
|
5490
5531
|
}
|
|
5491
|
-
const
|
|
5492
|
-
await
|
|
5532
|
+
const p = new b();
|
|
5533
|
+
await p.loadData(t);
|
|
5493
5534
|
let S = t.request.headers.get("content-type");
|
|
5494
|
-
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "",
|
|
5535
|
+
return await this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", p.toObject(), t.request.url.replace(/\?.*$/, ""), S || void 0), a ? {
|
|
5495
5536
|
twofa: !0,
|
|
5496
5537
|
ok: !0,
|
|
5497
5538
|
response: new Response("", {
|
|
5498
5539
|
status: 302,
|
|
5499
|
-
statusText:
|
|
5540
|
+
statusText: K(302),
|
|
5500
5541
|
headers: { Location: this.factor2Url }
|
|
5501
5542
|
})
|
|
5502
5543
|
} : {
|
|
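Review bot: `this.sessionManager.initiateTwoFactorPageVisit(d, t.locals.sessionId ?? "", p.toObject(), ...)` persists the complete submitted body in the session record — it is replayed later from `w.pre2fa.body` — so for a factor2-protected form such as a password change the plaintext secret sits in session storage until the second factor completes or is cancelled; where that data lives and whether it is encrypted is not visible here. At minimum say so above the call: `// NOTE(review): the whole request body, including any secrets it carries, is kept in session data until 2FA completes — confirm the key store is acceptable for this.` The `"content-tyoe"` header on the CSRF-missing response a few lines earlier is misspelt and should be `"content-type"`. The closure continues beyond this hunk.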
@@ -5560,7 +5601,7 @@ class H {
|
|
|
5560
5601
|
* @param event the request event
|
|
5561
5602
|
*/
|
|
5562
5603
|
setCsrfCookie(r, o) {
|
|
5563
|
-
o.cookies.set(r.name, r.value,
|
|
5604
|
+
o.cookies.set(r.name, r.value, P(r.options));
|
|
5564
5605
|
}
|
|
5565
5606
|
setHeader(r, o, s) {
|
|
5566
5607
|
s.push({
|
|
@@ -5580,7 +5621,7 @@ class H {
|
|
|
5580
5621
|
const o = this.getSessionCookieValue(r);
|
|
5581
5622
|
if (!o) return "";
|
|
5582
5623
|
try {
|
|
5583
|
-
return
|
|
5624
|
+
return A.hash(o);
|
|
5584
5625
|
} catch {
|
|
5585
5626
|
}
|
|
5586
5627
|
return "";
|
|
@@ -5597,7 +5638,7 @@ class H {
|
|
|
5597
5638
|
const o = this.getCsrfCookieValue(r);
|
|
5598
5639
|
if (!o) return "";
|
|
5599
5640
|
try {
|
|
5600
|
-
return
|
|
5641
|
+
return A.hash(o);
|
|
5601
5642
|
} catch {
|
|
5602
5643
|
}
|
|
5603
5644
|
return "";
|
|
@@ -5614,21 +5655,21 @@ class H {
|
|
|
5614
5655
|
* @returns the string CSRF token for inclusion in forms
|
|
5615
5656
|
*/
|
|
5616
5657
|
async csrfToken(r, o) {
|
|
5617
|
-
var e, t,
|
|
5658
|
+
var e, t, i;
|
|
5618
5659
|
let s;
|
|
5619
5660
|
if (r.request.headers && r.request.headers.has(x.toLowerCase())) {
|
|
5620
|
-
const
|
|
5621
|
-
Array.isArray(
|
|
5661
|
+
const a = r.request.headers.get(x.toLowerCase());
|
|
5662
|
+
Array.isArray(a) ? s = a[0] : a && (s = a);
|
|
5622
5663
|
}
|
|
5623
5664
|
if (!s) {
|
|
5624
5665
|
if (!((e = r.request) != null && e.body)) {
|
|
5625
5666
|
l.logger.warn(f({ msg: "Received CSRF header but not token", ip: r.request.referrerPolicy, hashedCsrfCookie: this.getHashOfCsrfCookie(r) }));
|
|
5626
5667
|
return;
|
|
5627
5668
|
}
|
|
5628
|
-
const
|
|
5629
|
-
if (
|
|
5630
|
-
s = (await ((
|
|
5631
|
-
else if (
|
|
5669
|
+
const a = r.request.headers.get("content-type");
|
|
5670
|
+
if (a == "application/json")
|
|
5671
|
+
s = (await ((i = (t = r.request) == null ? void 0 : t.clone()) == null ? void 0 : i.json())).csrfToken;
|
|
5672
|
+
else if (a == "application/x-www-form-urlencoded" || a == "multipart/form-data") {
|
|
5632
5673
|
const d = (await r.request.clone().formData()).get("csrfToken");
|
|
5633
5674
|
d && typeof d == "string" && (s = d);
|
|
5634
5675
|
}
|
|
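Review bot: `else if (a == "application/x-www-form-urlencoded" || a == "multipart/form-data")` compares the raw header value, but a multipart request always carries `; boundary=...` and JSON clients often append `; charset=utf-8`, so neither the JSON branch above nor the multipart branch runs for such requests and the CSRF token in the body is silently never read, which presumably makes the request fail the later CSRF check. Normalise before comparing: `const a = (r.request.headers.get("content-type") ?? "").split(";")[0].trim().toLowerCase();`. The `ip: r.request.referrerPolicy` in the warning just above is not a client address. `csrfToken()` continues past this hunk.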
@@ -5661,8 +5702,8 @@ class H {
|
|
|
5661
5702
|
else {
|
|
5662
5703
|
e = "";
|
|
5663
5704
|
for (let t in o) {
|
|
5664
|
-
const
|
|
5665
|
-
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(
|
|
5705
|
+
const i = o[t];
|
|
5706
|
+
e.length > 0 && (e += "&"), e += encodeURIComponent(t) + "=" + encodeURIComponent(i);
|
|
5666
5707
|
}
|
|
5667
5708
|
}
|
|
5668
5709
|
return r.request = new Request(r.request.url, {
|
|
@@ -5680,7 +5721,7 @@ class H {
|
|
|
5680
5721
|
getHashOfSessionId(r) {
|
|
5681
5722
|
if (!r.locals.sessionId) return "";
|
|
5682
5723
|
try {
|
|
5683
|
-
return
|
|
5724
|
+
return A.hash(r.locals.sessionId);
|
|
5684
5725
|
} catch {
|
|
5685
5726
|
}
|
|
5686
5727
|
return "";
|
|
@@ -5716,10 +5757,10 @@ class H {
|
|
|
5716
5757
|
if (o.pathname == this.loginUrl) return !1;
|
|
5717
5758
|
let s = !1;
|
|
5718
5759
|
return s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5719
|
-
(t,
|
|
5760
|
+
(t, i) => t || N(o.pathname, i),
|
|
5720
5761
|
s
|
|
5721
5762
|
), s ? !1 : this.loginProtectedPageEndpoints.reduce(
|
|
5722
|
-
(t,
|
|
5763
|
+
(t, i) => t || N(o.pathname, i),
|
|
5723
5764
|
!1
|
|
5724
5765
|
);
|
|
5725
5766
|
}
|
|
@@ -5737,10 +5778,10 @@ class H {
|
|
|
5737
5778
|
if (o.pathname == this.loginUrl) return !1;
|
|
5738
5779
|
let s = !1;
|
|
5739
5780
|
return s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5740
|
-
(t,
|
|
5781
|
+
(t, i) => t || N(o.pathname, i),
|
|
5741
5782
|
s
|
|
5742
5783
|
), s ? !1 : this.loginProtectedApiEndpoints.reduce(
|
|
5743
|
-
(t,
|
|
5784
|
+
(t, i) => t || N(o.pathname, i),
|
|
5744
5785
|
!1
|
|
5745
5786
|
);
|
|
5746
5787
|
}
|
|
@@ -5756,7 +5797,7 @@ class H {
|
|
|
5756
5797
|
isFactor2PageProtected(r) {
|
|
5757
5798
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5758
5799
|
return this.factor2ProtectedPageEndpoints.reduce(
|
|
5759
|
-
(e, t) => e ||
|
|
5800
|
+
(e, t) => e || N(o.pathname, t),
|
|
5760
5801
|
!1
|
|
5761
5802
|
);
|
|
5762
5803
|
}
|
|
@@ -5772,7 +5813,7 @@ class H {
|
|
|
5772
5813
|
isFactor2ApiProtected(r) {
|
|
5773
5814
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5774
5815
|
return this.factor2ProtectedApiEndpoints.reduce(
|
|
5775
|
-
(e, t) => e ||
|
|
5816
|
+
(e, t) => e || N(o.pathname, t),
|
|
5776
5817
|
!1
|
|
5777
5818
|
);
|
|
5778
5819
|
}
|
|
@@ -5789,13 +5830,13 @@ class H {
|
|
|
5789
5830
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5790
5831
|
let s = !1;
|
|
5791
5832
|
return s = this.adminProtectedExceptionPageEndpoints.reduce(
|
|
5792
|
-
(t,
|
|
5833
|
+
(t, i) => t || N(o.pathname, i),
|
|
5793
5834
|
s
|
|
5794
5835
|
), s || (s = this.loginProtectedExceptionPageEndpoints.reduce(
|
|
5795
|
-
(t,
|
|
5836
|
+
(t, i) => t || N(o.pathname, i),
|
|
5796
5837
|
s
|
|
5797
5838
|
), s) ? !1 : this.adminPageEndpoints.reduce(
|
|
5798
|
-
(t,
|
|
5839
|
+
(t, i) => t || N(o.pathname, i),
|
|
5799
5840
|
!1
|
|
5800
5841
|
);
|
|
5801
5842
|
}
|
|
@@ -5812,13 +5853,13 @@ class H {
|
|
|
5812
5853
|
const o = new URL(typeof r == "string" ? r : r.request.url);
|
|
5813
5854
|
let s = !1;
|
|
5814
5855
|
return s = this.adminProtectedExceptionApiEndpoints.reduce(
|
|
5815
|
-
(t,
|
|
5856
|
+
(t, i) => t || N(o.pathname, i),
|
|
5816
5857
|
s
|
|
5817
5858
|
), s || (s = this.loginProtectedExceptionApiEndpoints.reduce(
|
|
5818
|
-
(t,
|
|
5859
|
+
(t, i) => t || N(o.pathname, i),
|
|
5819
5860
|
s
|
|
5820
5861
|
), s) ? !1 : this.adminApiEndpoints.reduce(
|
|
5821
|
-
(t,
|
|
5862
|
+
(t, i) => t || N(o.pathname, i),
|
|
5822
5863
|
!1
|
|
5823
5864
|
);
|
|
5824
5865
|
}
|
|
@@ -5840,15 +5881,15 @@ class H {
|
|
|
5840
5881
|
await s.loadData(r);
|
|
5841
5882
|
let e = this.addToSession ? this.addToSession(r, s.toObject()) : {};
|
|
5842
5883
|
o && (e.data = JSON.stringify(o));
|
|
5843
|
-
let { sessionCookie: t, csrfCookie:
|
|
5884
|
+
let { sessionCookie: t, csrfCookie: i, csrfFormOrHeaderValue: a } = await this.sessionManager.createAnonymousSession(e);
|
|
5844
5885
|
r.cookies.set(
|
|
5845
5886
|
t.name,
|
|
5846
5887
|
t.value,
|
|
5847
|
-
|
|
5848
|
-
), this.enableCsrfProtection && (r.locals.csrfToken =
|
|
5849
|
-
|
|
5850
|
-
|
|
5851
|
-
|
|
5888
|
+
P(t.options)
|
|
5889
|
+
), this.enableCsrfProtection && (r.locals.csrfToken = a, r.cookies.set(
|
|
5890
|
+
i.name,
|
|
5891
|
+
i.value,
|
|
5892
|
+
P(i.options)
|
|
5852
5893
|
)), r.locals.user = void 0;
|
|
5853
5894
|
const c = this.sessionManager.getSessionId(t.value);
|
|
5854
5895
|
return r.locals.sessionId = c, t.value;
|
|
@@ -5916,14 +5957,14 @@ class H {
|
|
|
5916
5957
|
*/
|
|
5917
5958
|
async updateSessionData(r, o, s) {
|
|
5918
5959
|
if (!r.locals.sessionId) throw new n(
|
|
5919
|
-
|
|
5960
|
+
h.Unauthorized,
|
|
5920
5961
|
"No session present"
|
|
5921
5962
|
);
|
|
5922
5963
|
await this.sessionManager.updateSessionData(r.locals.sessionId, o, s);
|
|
5923
5964
|
}
|
|
5924
5965
|
async updateManySessionData(r, o) {
|
|
5925
5966
|
if (!r.locals.sessionId) throw new n(
|
|
5926
|
-
|
|
5967
|
+
h.Unauthorized,
|
|
5927
5968
|
"No session present"
|
|
5928
5969
|
);
|
|
5929
5970
|
await this.sessionManager.updateManySessionData(r.locals.sessionId, o);
|
|
@@ -5949,7 +5990,7 @@ export {
|
|
|
5949
5990
|
G as SvelteKitOAuthClient,
|
|
5950
5991
|
ge as SvelteKitOAuthResourceServer,
|
|
5951
5992
|
m as SvelteKitServer,
|
|
5952
|
-
|
|
5993
|
+
Re as SvelteKitSessionAdapter,
|
|
5953
5994
|
H as SvelteKitSessionServer,
|
|
5954
5995
|
X as SvelteKitSharedClientEndpoints,
|
|
5955
5996
|
Ce as SvelteKitUserClientEndpoints,
|