@crowi/api 2.0.0-alpha.0

package/dist/util/githubAuth.js

@@ -0,0 +1,82 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const debug_1 = __importDefault(require("debug"));
+const auth_1 = __importDefault(require("./auth"));
+const passport_1 = __importDefault(require("passport"));
+const passport_github_1 = require("passport-github");
+const url_1 = require("./url");
+// import Octokit from '@octokit/rest'
+const debug = (0, debug_1.default)('crowi:lib:githubAuth');
+exports.default = (config) => {
+    const lib = {};
+    lib.PROVIDER = 'github';
+    function useGitHubStrategy(config, callbackQuery = '') {
+        passport_1.default.use(new passport_github_1.Strategy({
+            clientID: config.crowi['github:clientId'],
+            clientSecret: config.crowi['github:clientSecret'],
+            callbackURL: `${config.crowi['app:url']}/github/callback${callbackQuery}`,
+            scope: ['user:email', 'read:org'],
+        }, async (accessToken, refreshToken, profile, callback) => {
+            debug('profile', profile);
+            // 一時的に組織情報を取得する機能を無効化
+            // const octokit = new Octokit({ auth: accessToken })
+            // const { data: orgs } = await octokit.orgs.listForAuthenticatedUser()
+            // const orgNames = orgs.map((org) => org.login)
+            const orgNames = [];
+            debug(orgNames);
+            callback(null, {
+                token: accessToken,
+                user_id: profile.id,
+                email: profile.emails.filter((v) => v.primary)[0].value,
+                name: profile.displayName || '',
+                picture: profile.photos[0].value,
+                organizations: orgNames,
+            });
+        }));
+    }
+    lib.authenticate = function (req, res, next) {
+        const continueUrl = (0, url_1.getContinueUrl)(req);
+        const query = continueUrl === '/' ? '' : `?continue=${continueUrl}`;
+        useGitHubStrategy(config, query);
+        passport_1.default.authenticate('github')(req, res, next);
+    };
+    lib.getOrganization = () => { };
+    lib.reauth = async function (id, { accessToken }) {
+        try {
+            // 一時的に再認証機能を簡略化
+            // const octokit = new Octokit({ auth: accessToken })
+            // const {
+            //   data: { id: userId },
+            // } = await octokit.users.getAuthenticated()
+            // const { data: orgs } = await octokit.orgs.listForAuthenticatedUser()
+            // const orgNames = orgs.map((org) => org.login)
+            // const organization = config.crowi['github:organization']
+            // const success = id === String(userId) && (!organization || orgNames.includes(organization))
+            // 常に成功を返す一時的な実装
+            const success = true;
+            const tokens = { accessToken };
+            return { success, tokens };
+        }
+        catch (err) {
+            debug('Error on reauthenticating', err);
+            return { success: false };
+        }
+    };
+    lib.handleCallback = function (req, res, next) {
+        return function (callback) {
+            useGitHubStrategy(config);
+            passport_1.default.authenticate('github', function (err, user, info) {
+                if (err) {
+                    return callback(err, null);
+                }
+                auth_1.default.saveTokenToSession(req, lib.PROVIDER, { accessToken: user.token, refreshToken: null, expiryDate: null });
+                return callback(err, user);
+            })(req, res, next);
+        };
+    };
+    return lib;
+};
+//# sourceMappingURL=githubAuth.js.map

package/dist/util/githubAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"githubAuth.js","sourceRoot":"","sources":["../../src/util/githubAuth.ts"],"names":[],"mappings":";;;;;AACA,kDAA0B;AAC1B,kDAA0B;AAC1B,wDAAgC;AAChC,qDAA6D;AAC7D,+BAAuC;AACvC,sCAAsC;AAEtC,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,sBAAsB,CAAC,CAAC;AAE5C,kBAAe,CAAC,MAAM,EAAE,EAAE;IACxB,MAAM,GAAG,GAAQ,EAAE,CAAC;IAEpB,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAExB,SAAS,iBAAiB,CAAC,MAAM,EAAE,aAAa,GAAG,EAAE;QACnD,kBAAQ,CAAC,GAAG,CACV,IAAI,0BAAc,CAChB;YACE,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC;YACzC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC;YACjD,WAAW,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,mBAAmB,aAAa,EAAE;YACzE,KAAK,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC;SAClC,EACD,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE;YACrD,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAC1B,sBAAsB;YACtB,qDAAqD;YACrD,uEAAuE;YACvE,gDAAgD;YAChD,MAAM,QAAQ,GAAG,EAAE,CAAC;YAEpB,KAAK,CAAC,QAAQ,CAAC,CAAC;YAEhB,QAAQ,CAAC,IAAI,EAAE;gBACb,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,OAAO,CAAC,EAAE;gBACnB,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK;gBACvD,IAAI,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;gBAC/B,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK;gBAChC,aAAa,EAAE,QAAQ;aACxB,CAAC,CAAC;QACL,CAAC,CACF,CACF,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,YAAY,GAAG,UAAU,GAAY,EAAE,GAAa,EAAE,IAAI;QAC5D,MAAM,WAAW,GAAG,IAAA,oBAAc,EAAC,GAAG,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,WAAW,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,WAAW,EAAE,CAAC;QACpE,iBAAiB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QACjC,kBAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAClD,CAAC,CAAC;IAEF,GAAG,CAAC,eAAe,GAAG,GAAG,EAAE,GAAE,CAAC,CAAC;IAE/B,GAAG,CAAC,MAAM,GAAG,KAAK,WAAW,EAAE,EAAE,EAAE,WAAW,EAAE;QAC9C,IAAI,CAAC;YACH,gBAAgB;YAChB,qDAAqD;YACrD,UAAU;YACV,0BAA0B;YAC1B,6CAA6C;YAC7C,uEAAuE;YACvE,gDAAgD;YAChD,2DAA2D;YAC3D,8FAA8F;YAE9F,gBAAgB;YAChB,MAAM,OAAO,GAAG,IAAI,CAAC;YACrB,MAAM,MAAM,GAAG,EAAE,WAAW,EAAE,CAAC;YAC/B,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;YACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC;IAEF,GAAG,CAAC,cAAc,GAAG,UAAU,GAAY,EAAE,GAAa,EAAE,IAAI;QAC9D,OAAO,UAAU,QAAQ;YACvB,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC1B,kBAAQ,CAAC,YAAY,CAAC,QAAQ,EAAE,UAAU,GAAG,EAAE,IAAI,EAAE,IAAI;gBACvD,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC7B,CAAC;gBAED,cAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC9G,OAAO,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC7B,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACrB,CAAC,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,GAAG,CAAC;AACb,CAAC,CAAC"}

package/dist/util/googleAuth.d.ts

@@ -0,0 +1,2 @@
+declare const _default: (config: any) => any;
+export default _default;

package/dist/util/googleAuth.js

@@ -0,0 +1,85 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const debug_1 = __importDefault(require("debug"));
+const auth_1 = __importDefault(require("./auth"));
+const googleapis_1 = require("googleapis");
+const debug = (0, debug_1.default)('crowi:lib:googleAuth');
+exports.default = (config) => {
+    const lib = {};
+    lib.PROVIDER = 'google';
+    function createOauth2Client() {
+        const clientId = config.crowi['google:clientId'];
+        const clientSecret = config.crowi['google:clientSecret'];
+        const callbackUrl = config.crowi['app:url'] + '/google/callback';
+        return new googleapis_1.google.auth.OAuth2(clientId, clientSecret, callbackUrl);
+    }
+    lib.createAuthUrl = function (req, callback) {
+        const oauth2Client = createOauth2Client();
+        googleapis_1.google.options({ auth: oauth2Client });
+        const redirectUrl = oauth2Client.generateAuthUrl({
+            access_type: 'offline',
+            scope: ['profile', 'email'],
+            state: req.query.continue,
+            prompt: 'consent',
+        });
+        callback(null, redirectUrl);
+    };
+    lib.refreshAccessToken = async (tokens) => {
+        const oauth2Client = createOauth2Client();
+        googleapis_1.google.options({ auth: oauth2Client });
+        oauth2Client.setCredentials({ access_token: tokens.accessToken, refresh_token: tokens.refreshToken });
+        const { res: { data: { access_token: accessToken, refresh_token: refreshToken, expiry_date: expiryDate }, }, } = (await oauth2Client.refreshAccessToken());
+        return { accessToken, refreshToken, expiryDate };
+    };
+    lib.reauth = async (id, { accessToken, refreshToken }) => {
+        try {
+            const tokens = await lib.refreshAccessToken({ accessToken, refreshToken });
+            const oauth2Client = createOauth2Client();
+            googleapis_1.google.options({ auth: oauth2Client });
+            oauth2Client.setCredentials({ access_token: tokens.accessToken, refresh_token: tokens.refreshToken });
+            const { data: { user_id: userId }, } = await googleapis_1.google.oauth2('v2').tokeninfo({ access_token: tokens.accessToken });
+            const success = id === userId;
+            return { success, tokens };
+        }
+        catch (err) {
+            debug('Error on reauthenticating', err);
+            return { success: false };
+        }
+    };
+    lib.handleCallback = function (req, callback) {
+        const oauth2Client = createOauth2Client();
+        googleapis_1.google.options({ auth: oauth2Client });
+        const { google = {} } = req.session;
+        const { authCode: code } = google;
+        if (!code) {
+            return callback(new Error('No code exists.'), null);
+        }
+        debug('Request googleToken by auth code', code);
+        oauth2Client.getToken(code, function (err, tokens) {
+            debug('Result of google.getToken()', err, tokens);
+            if (err) {
+                return callback(new Error('[googleAuth.handleCallback] Error to get token.'), null);
+            }
+            oauth2Client.setCredentials({
+                access_token: tokens.access_token,
+            });
+            const oauth2 = googleapis_1.google.oauth2('v2');
+            oauth2.userinfo.get({}, function (err, response) {
+                debug('Response of oauth2.userinfo.get', err, response && response.data);
+                if (err) {
+                    return callback(new Error('[googleAuth.handleCallback] Error while proceccing userinfo.get.'), null);
+                }
+                const { access_token: accessToken, refresh_token: refreshToken, expiry_date: expiryDate } = tokens;
+                auth_1.default.saveTokenToSession(req, lib.PROVIDER, { accessToken, refreshToken, expiryDate });
+                const { data } = response;
+                data.user_id = data.id; // This is for B.C. (tokeninfo をつかっている前提のコードに対してのもの)
+                return callback(null, data);
+            });
+        });
+    };
+    return lib;
+};
+//# sourceMappingURL=googleAuth.js.map

package/dist/util/googleAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"googleAuth.js","sourceRoot":"","sources":["../../src/util/googleAuth.ts"],"names":[],"mappings":";;;;;AAAA,kDAA0B;AAC1B,kDAA0B;AAC1B,2CAAkD;AAElD,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,sBAAsB,CAAC,CAAC;AAE5C,kBAAe,CAAC,MAAM,EAAE,EAAE;IACxB,MAAM,GAAG,GAAQ,EAAE,CAAC;IAEpB,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAExB,SAAS,kBAAkB;QACzB,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACjD,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzD,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,kBAAkB,CAAC;QACjE,OAAO,IAAI,mBAAU,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IACzE,CAAC;IAED,GAAG,CAAC,aAAa,GAAG,UAAU,GAAG,EAAE,QAAQ;QACzC,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;QAC1C,mBAAU,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;QAE3C,MAAM,WAAW,GAAG,YAAY,CAAC,eAAe,CAAC;YAC/C,WAAW,EAAE,SAAS;YACtB,KAAK,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC;YAC3B,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ;YACzB,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QAEH,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IAC9B,CAAC,CAAC;IAEF,GAAG,CAAC,kBAAkB,GAAG,KAAK,EAAE,MAAM,EAAE,EAAE;QACxC,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;QAC1C,mBAAU,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;QAC3C,YAAY,CAAC,cAAc,CAAC,EAAE,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;QACtG,MAAM,EACJ,GAAG,EAAE,EACH,IAAI,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,GAC1F,GACF,GAAG,CAAC,MAAM,YAAY,CAAC,kBAAkB,EAAE,CAAQ,CAAC;QACrD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;IACnD,CAAC,CAAC;IAEF,GAAG,CAAC,MAAM,GAAG,KAAK,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE,YAAY,EAAE,EAAE,EAAE;QACvD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,kBAAkB,CAAC,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC,CAAC;YAC3E,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;YAC1C,mBAAU,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;YAC3C,YAAY,CAAC,cAAc,CAAC,EAAE,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;YACtG,MAAM,EACJ,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAC1B,GAAG,MAAM,mBAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;YAClF,MAAM,OAAO,GAAG,EAAE,KAAK,MAAM,CAAC;YAE9B,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAC;YAExC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC,CAAC;IAEF,GAAG,CAAC,cAAc,GAAG,UAAU,GAAG,EAAE,QAAQ;QAC1C,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;QAC1C,mBAAU,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;QAC3C,MAAM,EAAE,MAAM,GAAG,EAAE,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC;QACpC,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;QAElC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,QAAQ,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,EAAE,IAAI,CAAC,CAAC;QACtD,CAAC;QAED,KAAK,CAAC,kCAAkC,EAAE,IAAI,CAAC,CAAC;QAChD,YAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,EAAE,MAAM;YAC/C,KAAK,CAAC,6BAA6B,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;YAClD,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,QAAQ,CAAC,IAAI,KAAK,CAAC,iDAAiD,CAAC,EAAE,IAAI,CAAC,CAAC;YACtF,CAAC;YAED,YAAY,CAAC,cAAc,CAAC;gBAC1B,YAAY,EAAG,MAAc,CAAC,YAAY;aAC3C,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,mBAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,GAAG,EAAE,QAAQ;gBAC7C,KAAK,CAAC,iCAAiC,EAAE,GAAG,EAAE,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACzE,IAAI,GAAG,EAAE,CAAC;oBACR,OAAO,QAAQ,CAAC,IAAI,KAAK,CAAC,kEAAkE,CAAC,EAAE,IAAI,CAAC,CAAC;gBACvG,CAAC;gBACD,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,MAAa,CAAC;gBAC1G,cAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;gBACtF,MAAM,EAAE,IAAI,EAAE,GAAG,QAAe,CAAC;gBACjC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,oDAAoD;gBAC5E,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC9B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO,GAAG,CAAC;AACb,CAAC,CAAC"}

package/dist/util/jwt.d.ts

@@ -0,0 +1,50 @@
+import Crowi from '../crowi';
+/**
+ * Web session tokens (`access` / `refresh`) carry no scope claim and are
+ * treated as "all scopes" by the auth middleware. OAuth access tokens
+ * (RFC-0010) add a space-delimited `scope` claim (RFC 6749 §3.3) and the
+ * issuing `client_id`. Modelled as a discriminated union on `type` so
+ * only `oauth_access` payloads expose `scope` / `client_id` — web-session
+ * callers can never accidentally read a scope off a session token.
+ */
+export type TokenPayload = {
+    userId: string;
+    email: string;
+    type: 'access' | 'refresh';
+} | {
+    userId: string;
+    email: string;
+    type: 'oauth_access';
+    /** space-delimited scope claim (RFC 6749 §3.3) */
+    scope: string;
+    client_id: string;
+};
+/** Token types a Bearer credential may carry through `verifyToken`. */
+export type VerifiableTokenType = TokenPayload['type'];
+export declare function createJwtUtil(crowi: Crowi): {
+    generateTokens: (user: any) => {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    signOauthAccessToken: (params: {
+        user: {
+            _id: {
+                toString(): string;
+            };
+            email: string;
+        };
+        scopes: readonly string[];
+        clientId: string;
+        expiresInSec?: number;
+    }) => string;
+    verifyToken: <T extends VerifiableTokenType>(token: string, type: T | readonly T[]) => (TokenPayload & {
+        type: T;
+    }) | null;
+    extractTokenFromHeader: (authHeader: string | undefined) => string | null;
+    refreshAccessToken: (refreshToken: string) => Promise<{
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    } | null>;
+};

package/dist/util/jwt.js

@@ -0,0 +1,127 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createJwtUtil = createJwtUtil;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const debug_1 = __importDefault(require("debug"));
+const debug = (0, debug_1.default)('crowi:util:jwt');
+/**
+ * Access / refresh token lifetimes in seconds. Env-overridable; the
+ * 1h default for access tokens is long enough that brief idle periods
+ * don't churn the refresh endpoint and short enough that a leaked
+ * token stays useful for at most an hour. The client's 401 interceptor
+ * (see `packages/web/src/lib/api-client.ts`) trades the refresh token
+ * for a fresh access token whenever a request lands a 401.
+ */
+const ACCESS_TOKEN_TTL_SEC = Number(process.env.JWT_ACCESS_TOKEN_TTL_SECONDS) || 60 * 60; // 1 hour
+const REFRESH_TOKEN_TTL_SEC = Number(process.env.JWT_REFRESH_TOKEN_TTL_SECONDS) || 30 * 24 * 60 * 60; // 30 days
+function createJwtUtil(crowi) {
+    const config = crowi.getConfig();
+    const secret = config.crowi['app:secret'] || config.crowi['SECRET_TOKEN'] || 'your-secret-key';
+    /**
+     * Generate access and refresh tokens for a user
+     */
+    function generateTokens(user) {
+        const payload = {
+            userId: user._id.toString(),
+            email: user.email,
+        };
+        const accessToken = jsonwebtoken_1.default.sign({ ...payload, type: 'access' }, secret, {
+            expiresIn: ACCESS_TOKEN_TTL_SEC,
+            issuer: 'crowi',
+        });
+        const refreshToken = jsonwebtoken_1.default.sign({ ...payload, type: 'refresh' }, secret, {
+            expiresIn: REFRESH_TOKEN_TTL_SEC,
+            issuer: 'crowi',
+        });
+        return {
+            accessToken,
+            refreshToken,
+            expiresIn: ACCESS_TOKEN_TTL_SEC,
+        };
+    }
+    /**
+     * Sign a scope-bearing OAuth access token (RFC-0010). The real issuing
+     * path (`POST /oauth/token`) lands in Phase 3; this helper exists so
+     * Phase 1's scope-aware middleware can be exercised end-to-end in tests
+     * (mint a token with a known scope, assert `requireScope` accepts /
+     * rejects it). `scopes` is space-joined into the `scope` claim per
+     * RFC 6749 §3.3. The web-session `generateTokens` path is untouched.
+     */
+    function signOauthAccessToken(params) {
+        const { user, scopes, clientId, expiresInSec } = params;
+        return jsonwebtoken_1.default.sign({
+            userId: user._id.toString(),
+            email: user.email,
+            type: 'oauth_access',
+            scope: scopes.join(' '),
+            client_id: clientId,
+        }, secret, {
+            expiresIn: expiresInSec ?? ACCESS_TOKEN_TTL_SEC,
+            issuer: 'crowi',
+        });
+    }
+    /**
+     * Verify and decode a token. `type` may be a single accepted type or a
+     * list — passing `['access', 'oauth_access']` lets the unified Bearer
+     * middleware accept both web-session and OAuth access tokens in one
+     * call while still rejecting refresh tokens presented as access. The
+     * decoded payload is the `TokenPayload` discriminated union, so callers
+     * narrow on `payload.type` to read `scope` / `client_id`.
+     */
+    function verifyToken(token, type) {
+        const accepted = Array.isArray(type) ? type : [type];
+        try {
+            const decoded = jsonwebtoken_1.default.verify(token, secret, {
+                issuer: 'crowi',
+            });
+            if (!accepted.includes(decoded.type)) {
+                debug(`Invalid token type. Expected ${accepted.join('|')}, got ${decoded.type}`);
+                return null;
+            }
+            return decoded;
+        }
+        catch (error) {
+            debug('Token verification failed:', error);
+            return null;
+        }
+    }
+    /**
+     * Extract token from Authorization header
+     */
+    function extractTokenFromHeader(authHeader) {
+        if (!authHeader) {
+            return null;
+        }
+        const parts = authHeader.split(' ');
+        if (parts.length !== 2 || parts[0] !== 'Bearer') {
+            return null;
+        }
+        return parts[1];
+    }
+    /**
+     * Generate a new access token from a refresh token
+     */
+    async function refreshAccessToken(refreshToken) {
+        const payload = verifyToken(refreshToken, 'refresh');
+        if (!payload) {
+            return null;
+        }
+        const User = crowi.model('User');
+        const user = await User.findById(payload.userId);
+        if (!user || user.status !== User.STATUS_ACTIVE) {
+            return null;
+        }
+        return generateTokens(user);
+    }
+    return {
+        generateTokens,
+        signOauthAccessToken,
+        verifyToken,
+        extractTokenFromHeader,
+        refreshAccessToken,
+    };
+}
+//# sourceMappingURL=jwt.js.map

package/dist/util/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/util/jwt.ts"],"names":[],"mappings":";;;;;AA2CA,sCAkIC;AA7KD,gEAA+B;AAE/B,kDAA0B;AAE1B,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,gBAAgB,CAAC,CAAC;AA4BtC;;;;;;;GAOG;AACH,MAAM,oBAAoB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,SAAS;AACnG,MAAM,qBAAqB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAEhH,SAAgB,aAAa,CAAC,KAAY;IACxC,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,iBAAiB,CAAC;IAE/F;;OAEG;IACH,SAAS,cAAc,CAAC,IAAS;QAC/B,MAAM,OAAO,GAAG;YACd,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE;YAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QAEF,MAAM,WAAW,GAAG,sBAAG,CAAC,IAAI,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE;YACnE,SAAS,EAAE,oBAAoB;YAC/B,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,sBAAG,CAAC,IAAI,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,MAAM,EAAE;YACrE,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QAEH,OAAO;YACL,WAAW;YACX,YAAY;YACZ,SAAS,EAAE,oBAAoB;SAChC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,SAAS,oBAAoB,CAAC,MAK7B;QACC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;QACxD,OAAO,sBAAG,CAAC,IAAI,CACb;YACE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE;YAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,SAAS,EAAE,QAAQ;SACpB,EACD,MAAM,EACN;YACE,SAAS,EAAE,YAAY,IAAI,oBAAoB;YAC/C,MAAM,EAAE,OAAO;SAChB,CACF,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,SAAS,WAAW,CAAgC,KAAa,EAAE,IAAsB;QACvF,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAS,CAAC,CAAC;QAC1D,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE;gBACxC,MAAM,EAAE,OAAO;aAChB,CAAiB,CAAC;YAEnB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAS,CAAC,EAAE,CAAC;gBAC1C,KAAK,CAAC,gCAAgC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,OAAqC,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS,sBAAsB,CAAC,UAA8B;QAC5D,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,kBAAkB,CAAC,YAAoB;QACpD,MAAM,OAAO,GAAG,WAAW,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAEjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO;QACL,cAAc;QACd,oBAAoB;QACpB,WAAW;QACX,sBAAsB;QACtB,kBAAkB;KACnB,CAAC;AACJ,CAAC"}

package/dist/util/linkDetector.d.ts

@@ -0,0 +1,3 @@
+import Crowi from '../crowi';
+declare const _default: (crowi: Crowi) => any;
+export default _default;

package/dist/util/linkDetector.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = require("./path");
+const regex_1 = require("./regex");
+exports.default = (crowi) => {
+    // const debug = Debug('crowi:lib:url')
+    const linkDetector = {};
+    /**
+     * Origins that count as "this Crowi instance" when classifying an
+     * absolute-URL link as internal. Both are included because they can
+     * differ — `getBaseUrl()` is the api's `BASE_URL` / `app:url` config,
+     * while `CLIENT_URL` is the web app's public origin, and a user
+     * copies page URLs from the latter (e.g. `http://localhost:4302/...`).
+     * Trailing slashes are trimmed and duplicates dropped.
+     */
+    linkDetector.getAppOrigins = () => {
+        const raw = [crowi.getBaseUrl(), process.env.CLIENT_URL];
+        const origins = [];
+        const seen = new Set();
+        for (const candidate of raw) {
+            if (!candidate || typeof candidate !== 'string')
+                continue;
+            const normalized = candidate.replace(/\/+$/, '');
+            if (normalized && !seen.has(normalized)) {
+                seen.add(normalized);
+                origins.push(normalized);
+            }
+        }
+        return origins;
+    };
+    /**
+     * Loopback-origin pattern (`http(s)://localhost|127.0.0.1|[::1]` on any
+     * port). In development the web app and the api both run on localhost
+     * and `CLIENT_URL` is frequently left unset; without this a page URL
+     * pasted from the dev address bar (`http://localhost:4302/…`) would
+     * not register as a backlink. Restricted to non-production so a
+     * production instance only trusts its configured origins.
+     */
+    const LOOPBACK_ORIGIN = 'https?://(?:localhost|127\\.0\\.0\\.1|\\[::1\\])(?::\\d+)?';
+    linkDetector.getLinkRegexp = () => {
+        const alternatives = linkDetector.getAppOrigins().map(regex_1.escapeRegExp);
+        if (process.env.NODE_ENV !== 'production') {
+            alternatives.push(LOOPBACK_ORIGIN);
+        }
+        // No origin to match against — return a never-match regexp rather
+        // than building `RegExp('null(/…)?')` from a null base url (which
+        // would match the literal text "null" in page bodies).
+        if (alternatives.length === 0) {
+            return /(?!)/g;
+        }
+        return new RegExp('(?:' + alternatives.join('|') + ')(/[^\\s"?)#]*)?', 'g');
+    };
+    linkDetector.getObjectIdRegexp = () => new RegExp('/([0-9a-fA-F]{24})');
+    // [0] `<...>`: angle-bracket wiki link
+    // [1] `[/path]`: bare bracket form, only when NOT followed by `(` (= not a Markdown link)
+    // [2] `[label](/path)`: Markdown link whose target is a same-host relative path.
+    //     Markdown links pointing at full URLs (http://…) are handled by linkRegexp instead.
+    linkDetector.getPathRegexps = () => [new RegExp('<(/[^>]+)>', 'g'), /\[(\/[^\]]+)\](?!\()/g, /\[[^\]]+\]\((\/[^)\s#]+)\)/g];
+    linkDetector.search = function (text) {
+        const unique = function (array) {
+            return array.filter(function (x, i, self) {
+                return self.indexOf(x) === i;
+            });
+        };
+        const objectIds = [];
+        const paths = [];
+        const linkRegexp = linkDetector.getLinkRegexp();
+        const objectIdRegexp = linkDetector.getObjectIdRegexp();
+        while (linkRegexp.exec(text)) {
+            const path = (0, path_1.decodeSpace)(decodeURIComponent(RegExp.$1));
+            if (objectIdRegexp.test(path)) {
+                objectIds.push(RegExp.$1);
+            }
+            else {
+                paths.push(path);
+            }
+        }
+        const pathRegexps = linkDetector.getPathRegexps();
+        for (const pathRegexp of pathRegexps) {
+            while (pathRegexp.exec(text)) {
+                paths.push((0, path_1.decodeSpace)(decodeURIComponent(RegExp.$1)));
+            }
+        }
+        return {
+            objectIds: unique(objectIds),
+            paths: unique(paths),
+        };
+    };
+    return linkDetector;
+};
+//# sourceMappingURL=linkDetector.js.map

package/dist/util/linkDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"linkDetector.js","sourceRoot":"","sources":["../../src/util/linkDetector.ts"],"names":[],"mappings":";;AACA,iCAAqC;AACrC,mCAAuC;AAEvC,kBAAe,CAAC,KAAY,EAAE,EAAE;IAC9B,uCAAuC;IACvC,MAAM,YAAY,GAAQ,EAAE,CAAC;IAE7B;;;;;;;OAOG;IACH,YAAY,CAAC,aAAa,GAAG,GAAa,EAAE;QAC1C,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,SAAS,IAAI,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ;gBAAE,SAAS;YAC1D,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACjD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;gBACxC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC;IAEF;;;;;;;OAOG;IACH,MAAM,eAAe,GAAG,4DAA4D,CAAC;IAErF,YAAY,CAAC,aAAa,GAAG,GAAG,EAAE;QAChC,MAAM,YAAY,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC,GAAG,CAAC,oBAAY,CAAC,CAAC;QACpE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC1C,YAAY,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACrC,CAAC;QACD,kEAAkE;QAClE,kEAAkE;QAClE,uDAAuD;QACvD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,OAAO,IAAI,MAAM,CAAC,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,kBAAkB,EAAE,GAAG,CAAC,CAAC;IAC9E,CAAC,CAAC;IAEF,YAAY,CAAC,iBAAiB,GAAG,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAExE,uCAAuC;IACvC,0FAA0F;IAC1F,iFAAiF;IACjF,yFAAyF;IACzF,YAAY,CAAC,cAAc,GAAG,GAAG,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE,uBAAuB,EAAE,6BAA6B,CAAC,CAAC;IAE5H,YAAY,CAAC,MAAM,GAAG,UAAU,IAAI;QAClC,MAAM,MAAM,GAAG,UAAU,KAAK;YAC5B,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,IAAI;gBACtC,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,MAAM,SAAS,GAAQ,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAQ,EAAE,CAAC;QAEtB,MAAM,UAAU,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;QAChD,MAAM,cAAc,GAAG,YAAY,CAAC,iBAAiB,EAAE,CAAC;QAExD,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,IAAA,kBAAW,EAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;YACxD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,cAAc,EAAE,CAAC;QAClD,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;YACrC,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,KAAK,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QAED,OAAO;YACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;YAC5B,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,YAAY,CAAC;AACtB,CAAC,CAAC"}

package/dist/util/mail-token.d.ts

@@ -0,0 +1,24 @@
+import { type MailTokenPayload, type MailTokenPurpose } from '@crowi/api-contract';
+/** Claims the caller supplies; `iat` / `exp` are added by `signMailToken`. */
+export interface MailTokenClaims {
+    purpose: MailTokenPurpose;
+    userId: string;
+    email: string;
+    /** email-change only: the account's email at issue time (single-use binding). */
+    fromEmail?: string;
+}
+export interface SignMailTokenResult {
+    /** Compact JWT to embed in the email link's `?token=` query. */
+    token: string;
+    /** Absolute expiry; mirrors `exp * 1000`. */
+    expiresAt: Date;
+}
+declare function buildMailTokenUtil(): {
+    signMailToken: (claims: MailTokenClaims) => SignMailTokenResult;
+    verifyMailToken: (token: string, expectedPurpose: MailTokenPurpose) => MailTokenPayload | null;
+    issuer: string;
+    ttlSeconds: Record<"invite" | "activate" | "reset" | "email-change", number>;
+};
+export type MailTokenUtil = ReturnType<typeof buildMailTokenUtil>;
+export declare function createMailTokenUtil(): MailTokenUtil;
+export {};

package/dist/util/mail-token.js

@@ -0,0 +1,117 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMailTokenUtil = createMailTokenUtil;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const api_contract_1 = require("@crowi/api-contract");
+const debug_1 = __importDefault(require("debug"));
+const debug = (0, debug_1.default)('crowi:util:mail-token');
+/**
+ * Issuer claim for tokens embedded in transactional email links.
+ *
+ * Distinct from the WebSocket issuers (`crowi-collab` / `crowi-presence`
+ * / `crowi-notifications`, see `util/ws-token.ts` et al.) and the HTTP
+ * access/refresh issuer (`crowi`). All of these share the same
+ * `WS_TOKEN_SECRET` key material but verify against different `iss`
+ * claims, so a token minted for one channel is never replayable against
+ * another. A single mail-token issuer is reused across invite /
+ * activate / reset; the `purpose` claim (verified per endpoint) scopes
+ * each token to one flow, so an invite link cannot be replayed against
+ * the password-reset endpoint.
+ */
+const MAIL_TOKEN_ISSUER = 'crowi-mail-token';
+/**
+ * Per-purpose token lifetimes (seconds). Invite links are long-lived (a
+ * person may not check email immediately); reset links are short to
+ * limit the blast radius of a leaked inbox.
+ */
+const MAIL_TOKEN_TTL_SECONDS = {
+    invite: 7 * 24 * 60 * 60, // 7 days
+    activate: 24 * 60 * 60, // 1 day
+    reset: 60 * 60, // 1 hour
+    'email-change': 24 * 60 * 60, // 1 day
+};
+/**
+ * Process-wide random fallback secret, generated at most once. Must NOT
+ * be per-call: a mail token is signed in one request (e.g. the invite
+ * email) and verified in a later, separate request (the accept link) —
+ * often by a different `createMailTokenUtil()` instance. If each call
+ * minted its own random secret, every cross-handler token would fail
+ * verification whenever WS_TOKEN_SECRET is unset.
+ */
+let fallbackSecret = null;
+/**
+ * Resolve the signing secret. Reads WS_TOKEN_SECRET per call so a test
+ * mutating the env between imports still picks up the latest value; the
+ * random fallback is memoized process-wide.
+ *
+ * The "secret missing" warning is emitted here (lazily, on first
+ * resolution) rather than at module-load time: this module is imported
+ * transitively before `app.ts` runs `dotenv.config()`, so a load-time
+ * `process.env` read fires a false warning even when `.env` defines
+ * `WS_TOKEN_SECRET`. The memoized `fallbackSecret` makes the warn fire
+ * exactly once per process. Silenced under tests.
+ */
+const resolveMailTokenSecret = () => {
+    const fromEnv = process.env.WS_TOKEN_SECRET;
+    if (fromEnv && fromEnv.length > 0) {
+        return fromEnv;
+    }
+    if (!fallbackSecret) {
+        fallbackSecret = node_crypto_1.default.randomBytes(32).toString('base64');
+        if (process.env.NODE_ENV !== 'test') {
+            console.warn('[crowi] WS_TOKEN_SECRET is not set — mail tokens (invite / activate / reset links) will be signed ' +
+                'with a random in-memory secret. Process restarts will invalidate outstanding links, and multi-instance ' +
+                'deployments will not be able to cross-verify them. Set WS_TOKEN_SECRET to a stable base64-encoded ' +
+                '32-byte value (`openssl rand -base64 32`) in production.');
+        }
+    }
+    return fallbackSecret;
+};
+function buildMailTokenUtil() {
+    const secret = resolveMailTokenSecret();
+    function signMailToken(claims) {
+        const iat = Math.floor(Date.now() / 1000);
+        const exp = iat + MAIL_TOKEN_TTL_SECONDS[claims.purpose];
+        const token = jsonwebtoken_1.default.sign({ ...claims, iat, exp }, secret, {
+            issuer: MAIL_TOKEN_ISSUER,
+            algorithm: 'HS256',
+        });
+        return { token, expiresAt: new Date(exp * 1000) };
+    }
+    /**
+     * Verify a mail token and require its `purpose` to match. Returns the
+     * validated payload, or `null` for any failure (expired, bad
+     * signature, wrong issuer, malformed claims, purpose mismatch).
+     */
+    function verifyMailToken(token, expectedPurpose) {
+        try {
+            const decoded = jsonwebtoken_1.default.verify(token, secret, {
+                issuer: MAIL_TOKEN_ISSUER,
+                algorithms: ['HS256'],
+            });
+            const parsed = api_contract_1.MailTokenPayloadSchema.safeParse(decoded);
+            if (!parsed.success) {
+                debug('mail token payload failed schema validation:', parsed.error.issues);
+                return null;
+            }
+            if (parsed.data.purpose !== expectedPurpose) {
+                debug('mail token purpose mismatch: expected %s, got %s', expectedPurpose, parsed.data.purpose);
+                return null;
+            }
+            return parsed.data;
+        }
+        catch (err) {
+            debug('mail token verification failed:', err.message);
+            return null;
+        }
+    }
+    return { signMailToken, verifyMailToken, issuer: MAIL_TOKEN_ISSUER, ttlSeconds: MAIL_TOKEN_TTL_SECONDS };
+}
+function createMailTokenUtil() {
+    return buildMailTokenUtil();
+}
+//# sourceMappingURL=mail-token.js.map

package/dist/util/mail-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mail-token.js","sourceRoot":"","sources":["../../src/util/mail-token.ts"],"names":[],"mappings":";;;;;AAwIA,kDAEC;AA1ID,8DAAiC;AACjC,gEAA+B;AAC/B,sDAA2G;AAC3G,kDAA0B;AAE1B,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,uBAAuB,CAAC,CAAC;AAE7C;;;;;;;;;;;;GAYG;AACH,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAE7C;;;;GAIG;AACH,MAAM,sBAAsB,GAAqC;IAC/D,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,SAAS;IACnC,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ;IAChC,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,SAAS;IACzB,cAAc,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ;CACvC,CAAC;AAkBF;;;;;;;GAOG;AACH,IAAI,cAAc,GAAkB,IAAI,CAAC;AAEzC;;;;;;;;;;;GAWG;AACH,MAAM,sBAAsB,GAAG,GAAW,EAAE;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC5C,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CACV,oGAAoG;gBAClG,yGAAyG;gBACzG,oGAAoG;gBACpG,0DAA0D,CAC7D,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC,CAAC;AAEF,SAAS,kBAAkB;IACzB,MAAM,MAAM,GAAG,sBAAsB,EAAE,CAAC;IAExC,SAAS,aAAa,CAAC,MAAuB;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,sBAAsB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,KAAK,GAAG,sBAAG,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE;YACtD,MAAM,EAAE,iBAAiB;YACzB,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC;IACpD,CAAC;IAED;;;;OAIG;IACH,SAAS,eAAe,CAAC,KAAa,EAAE,eAAiC;QACvE,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE;gBACxC,MAAM,EAAE,iBAAiB;gBACzB,UAAU,EAAE,CAAC,OAAO,CAAC;aACtB,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,qCAAsB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YACzD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,KAAK,CAAC,8CAA8C,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC3E,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;gBAC5C,KAAK,CAAC,kDAAkD,EAAE,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAChG,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,iCAAiC,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,EAAE,iBAAiB,EAAE,UAAU,EAAE,sBAAsB,EAAE,CAAC;AAC3G,CAAC;AAID,SAAgB,mBAAmB;IACjC,OAAO,kBAAkB,EAAE,CAAC;AAC9B,CAAC"}

package/dist/util/mailer.d.ts

@@ -0,0 +1,7 @@
+declare const _default: (crowi: any) => {
+    createSMTPClient: (option?: any) => any;
+    createSESClient: (option?: any) => any;
+    mailer: any;
+    send: (config: any, callback: any) => any;
+};
+export default _default;