@dereekb/firebase-server 13.6.16 → 13.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.cjs.js +2615 -951
- package/index.esm.js +2598 -932
- package/mailgun/package.json +9 -9
- package/model/package.json +9 -9
- package/model/src/lib/storagefile/storagefile.action.server.d.ts +4 -13
- package/oidc/index.cjs.js +245 -180
- package/oidc/index.esm.js +242 -178
- package/oidc/package.json +10 -10
- package/oidc/src/lib/middleware/oauth-auth.module.d.ts +18 -25
- package/package.json +11 -10
- package/src/lib/function/error.d.ts +11 -28
- package/src/lib/nest/app.d.ts +4 -45
- package/src/lib/nest/app.module.d.ts +4 -2
- package/src/lib/nest/auth/auth.util.d.ts +71 -5
- package/src/lib/nest/controller/index.d.ts +1 -0
- package/src/lib/nest/controller/model/index.d.ts +4 -0
- package/src/lib/nest/controller/model/model.api.controller.d.ts +93 -0
- package/src/lib/nest/controller/model/model.api.dispatch.d.ts +73 -0
- package/src/lib/nest/controller/model/model.api.get.service.d.ts +73 -0
- package/src/lib/nest/controller/model/model.api.module.d.ts +32 -0
- package/src/lib/nest/model/analytics.handler.d.ts +2 -0
- package/src/lib/nest/model/api.details.d.ts +53 -1
- package/src/lib/nest/model/call.model.function.d.ts +8 -5
- package/src/lib/nest/model/create.model.function.d.ts +1 -1
- package/src/lib/nest/model/crud.assert.function.d.ts +1 -1
- package/src/lib/nest/model/delete.model.function.d.ts +1 -1
- package/src/lib/nest/model/index.d.ts +1 -0
- package/src/lib/nest/model/query.model.function.d.ts +207 -0
- package/src/lib/nest/model/read.model.function.d.ts +1 -1
- package/src/lib/nest/model/update.model.function.d.ts +1 -1
- package/src/lib/nest/nest.provider.d.ts +19 -0
- package/test/index.cjs.js +1358 -398
- package/test/index.esm.js +1355 -400
- package/test/package.json +13 -11
- package/test/src/lib/firebase/firebase.test.d.ts +1 -1
- package/test/src/lib/index.d.ts +1 -0
- package/test/src/lib/oidc/index.d.ts +2 -0
- package/test/src/lib/oidc/oidc.test.fixture.d.ts +126 -0
- package/test/src/lib/oidc/oidc.test.flow.d.ts +43 -0
- package/zoho/package.json +9 -9
package/oidc/index.esm.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { createParamDecorator, Injectable, Inject, Optional, Logger, UnauthorizedException,
|
|
2
|
-
import { generateKeyPairSync, randomBytes } from 'crypto';
|
|
1
|
+
import { createParamDecorator, Injectable, Inject, Optional, Logger, UnauthorizedException, Get, Param, Req, Res, Post, HttpCode, HttpStatus, Body, Controller, HttpException, All } from '@nestjs/common';
|
|
2
|
+
import { generateKeyPairSync, randomBytes } from 'node:crypto';
|
|
3
3
|
import { resolveEncryptionKey, encryptValue, decryptValue, createAesStringEncryptionProvider, isValidAES256GCMEncryptionSecret } from '@dereekb/nestjs';
|
|
4
4
|
import { where, iterateFirestoreDocumentSnapshotPairs, firestoreModelIdentity, snapshotConverterFunctions, optionalFirestoreDate, firestoreDate, firestoreEnum, firestorePassThroughField, AbstractFirestoreDocument, createOidcClientParamsType, deleteOidcClientParamsType, rotateOidcClientSecretParamsType, updateOidcClientParamsType, firestoreModelKey, oidcEntryIdentity, OIDC_ENTRY_CLIENT_TYPE, oidcEntriesByUserCodeQuery, oidcEntriesByUidQuery, oidcEntriesByGrantIdQuery, oidcEntryFirestoreCollection } from '@dereekb/firebase';
|
|
5
5
|
import { cachedGetter, unixDateTimeSecondsNumberToDate, unixDateTimeSecondsNumberForNow, selectiveFieldEncryptor, filterUndefinedValues, websiteUrlFromPaths, firstValue, hasHttpPrefix } from '@dereekb/util';
|
|
@@ -50,7 +50,7 @@ function _class_call_check$g(instance, Constructor) {
|
|
|
50
50
|
throw new TypeError("Cannot call a class as a function");
|
|
51
51
|
}
|
|
52
52
|
}
|
|
53
|
-
function _defineProperties$
|
|
53
|
+
function _defineProperties$d(target, props) {
|
|
54
54
|
for(var i = 0; i < props.length; i++){
|
|
55
55
|
var descriptor = props[i];
|
|
56
56
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -59,8 +59,8 @@ function _defineProperties$e(target, props) {
|
|
|
59
59
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
60
60
|
}
|
|
61
61
|
}
|
|
62
|
-
function _create_class$
|
|
63
|
-
if (staticProps) _defineProperties$
|
|
62
|
+
function _create_class$d(Constructor, protoProps, staticProps) {
|
|
63
|
+
if (staticProps) _defineProperties$d(Constructor, staticProps);
|
|
64
64
|
return Constructor;
|
|
65
65
|
}
|
|
66
66
|
function _define_property$f(obj, key, value) {
|
|
@@ -167,7 +167,7 @@ function _define_property$f(obj, key, value) {
|
|
|
167
167
|
* Defaults to `false`.
|
|
168
168
|
*/ _define_property$f(this, "registrationEnabled", void 0);
|
|
169
169
|
}
|
|
170
|
-
_create_class$
|
|
170
|
+
_create_class$d(OidcModuleConfig, null, [
|
|
171
171
|
{
|
|
172
172
|
key: "assertValidConfig",
|
|
173
173
|
value: /**
|
|
@@ -290,7 +290,7 @@ function _class_call_check$e(instance, Constructor) {
|
|
|
290
290
|
throw new TypeError("Cannot call a class as a function");
|
|
291
291
|
}
|
|
292
292
|
}
|
|
293
|
-
function _defineProperties$
|
|
293
|
+
function _defineProperties$c(target, props) {
|
|
294
294
|
for(var i = 0; i < props.length; i++){
|
|
295
295
|
var descriptor = props[i];
|
|
296
296
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -299,8 +299,8 @@ function _defineProperties$d(target, props) {
|
|
|
299
299
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
300
300
|
}
|
|
301
301
|
}
|
|
302
|
-
function _create_class$
|
|
303
|
-
if (protoProps) _defineProperties$
|
|
302
|
+
function _create_class$c(Constructor, protoProps, staticProps) {
|
|
303
|
+
if (protoProps) _defineProperties$c(Constructor.prototype, protoProps);
|
|
304
304
|
return Constructor;
|
|
305
305
|
}
|
|
306
306
|
function _define_property$e(obj, key, value) {
|
|
@@ -532,7 +532,7 @@ var JwksService = /*#__PURE__*/ function() {
|
|
|
532
532
|
this.saveJwksToStorage = (_config_enableSaveJwksToStorage = config.enableSaveJwksToStorage) !== null && _config_enableSaveJwksToStorage !== void 0 ? _config_enableSaveJwksToStorage : hasStorageFile;
|
|
533
533
|
this.serveJwksFromStorage = (_config_serveJwksFromStorage = config.serveJwksFromStorage) !== null && _config_serveJwksFromStorage !== void 0 ? _config_serveJwksFromStorage : this.saveJwksToStorage;
|
|
534
534
|
}
|
|
535
|
-
_create_class$
|
|
535
|
+
_create_class$c(JwksService, [
|
|
536
536
|
{
|
|
537
537
|
key: "jwksKeyCollection",
|
|
538
538
|
get: function get() {
|
|
@@ -996,7 +996,7 @@ function _class_call_check$d(instance, Constructor) {
|
|
|
996
996
|
throw new TypeError("Cannot call a class as a function");
|
|
997
997
|
}
|
|
998
998
|
}
|
|
999
|
-
function _defineProperties$
|
|
999
|
+
function _defineProperties$b(target, props) {
|
|
1000
1000
|
for(var i = 0; i < props.length; i++){
|
|
1001
1001
|
var descriptor = props[i];
|
|
1002
1002
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -1005,8 +1005,8 @@ function _defineProperties$c(target, props) {
|
|
|
1005
1005
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
1006
1006
|
}
|
|
1007
1007
|
}
|
|
1008
|
-
function _create_class$
|
|
1009
|
-
if (protoProps) _defineProperties$
|
|
1008
|
+
function _create_class$b(Constructor, protoProps, staticProps) {
|
|
1009
|
+
if (protoProps) _defineProperties$b(Constructor.prototype, protoProps);
|
|
1010
1010
|
return Constructor;
|
|
1011
1011
|
}
|
|
1012
1012
|
function _define_property$d(obj, key, value) {
|
|
@@ -1181,7 +1181,7 @@ function _ts_generator$9(thisArg, body) {
|
|
|
1181
1181
|
this._uid = _uid;
|
|
1182
1182
|
this.authUserContext = this._service.authService.userContext(this._uid);
|
|
1183
1183
|
}
|
|
1184
|
-
_create_class$
|
|
1184
|
+
_create_class$b(OidcAccountServiceUserContext, [
|
|
1185
1185
|
{
|
|
1186
1186
|
key: "uid",
|
|
1187
1187
|
get: function get() {
|
|
@@ -1265,7 +1265,7 @@ function _ts_generator$9(thisArg, body) {
|
|
|
1265
1265
|
this.authService = authService;
|
|
1266
1266
|
this.delegate = delegate;
|
|
1267
1267
|
}
|
|
1268
|
-
_create_class$
|
|
1268
|
+
_create_class$b(OidcAccountService, [
|
|
1269
1269
|
{
|
|
1270
1270
|
key: "providerConfig",
|
|
1271
1271
|
get: /**
|
|
@@ -1307,7 +1307,7 @@ function _class_call_check$c(instance, Constructor) {
|
|
|
1307
1307
|
throw new TypeError("Cannot call a class as a function");
|
|
1308
1308
|
}
|
|
1309
1309
|
}
|
|
1310
|
-
function _defineProperties$
|
|
1310
|
+
function _defineProperties$a(target, props) {
|
|
1311
1311
|
for(var i = 0; i < props.length; i++){
|
|
1312
1312
|
var descriptor = props[i];
|
|
1313
1313
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -1316,8 +1316,8 @@ function _defineProperties$b(target, props) {
|
|
|
1316
1316
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
1317
1317
|
}
|
|
1318
1318
|
}
|
|
1319
|
-
function _create_class$
|
|
1320
|
-
if (protoProps) _defineProperties$
|
|
1319
|
+
function _create_class$a(Constructor, protoProps, staticProps) {
|
|
1320
|
+
if (protoProps) _defineProperties$a(Constructor.prototype, protoProps);
|
|
1321
1321
|
return Constructor;
|
|
1322
1322
|
}
|
|
1323
1323
|
function _get_prototype_of(o) {
|
|
@@ -1386,7 +1386,7 @@ function _is_native_reflect_construct() {
|
|
|
1386
1386
|
_class_call_check$c(this, JwksKeyDocument);
|
|
1387
1387
|
return _call_super(this, JwksKeyDocument, arguments);
|
|
1388
1388
|
}
|
|
1389
|
-
_create_class$
|
|
1389
|
+
_create_class$a(JwksKeyDocument, [
|
|
1390
1390
|
{
|
|
1391
1391
|
key: "modelIdentity",
|
|
1392
1392
|
get: function get() {
|
|
@@ -1781,7 +1781,7 @@ function _class_call_check$a(instance, Constructor) {
|
|
|
1781
1781
|
throw new TypeError("Cannot call a class as a function");
|
|
1782
1782
|
}
|
|
1783
1783
|
}
|
|
1784
|
-
function _defineProperties$
|
|
1784
|
+
function _defineProperties$9(target, props) {
|
|
1785
1785
|
for(var i = 0; i < props.length; i++){
|
|
1786
1786
|
var descriptor = props[i];
|
|
1787
1787
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -1790,8 +1790,8 @@ function _defineProperties$a(target, props) {
|
|
|
1790
1790
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
1791
1791
|
}
|
|
1792
1792
|
}
|
|
1793
|
-
function _create_class$
|
|
1794
|
-
if (protoProps) _defineProperties$
|
|
1793
|
+
function _create_class$9(Constructor, protoProps, staticProps) {
|
|
1794
|
+
if (protoProps) _defineProperties$9(Constructor.prototype, protoProps);
|
|
1795
1795
|
return Constructor;
|
|
1796
1796
|
}
|
|
1797
1797
|
function _define_property$c(obj, key, value) {
|
|
@@ -1952,7 +1952,7 @@ function _ts_generator$7(thisArg, body) {
|
|
|
1952
1952
|
_define_property$c(this, "oidcService", void 0);
|
|
1953
1953
|
this.oidcService = oidcService;
|
|
1954
1954
|
}
|
|
1955
|
-
_create_class$
|
|
1955
|
+
_create_class$9(OidcClientService, [
|
|
1956
1956
|
{
|
|
1957
1957
|
key: "createClient",
|
|
1958
1958
|
value: /**
|
|
@@ -2346,7 +2346,7 @@ function _class_call_check$9(instance, Constructor) {
|
|
|
2346
2346
|
throw new TypeError("Cannot call a class as a function");
|
|
2347
2347
|
}
|
|
2348
2348
|
}
|
|
2349
|
-
function _defineProperties$
|
|
2349
|
+
function _defineProperties$8(target, props) {
|
|
2350
2350
|
for(var i = 0; i < props.length; i++){
|
|
2351
2351
|
var descriptor = props[i];
|
|
2352
2352
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -2355,8 +2355,8 @@ function _defineProperties$9(target, props) {
|
|
|
2355
2355
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
2356
2356
|
}
|
|
2357
2357
|
}
|
|
2358
|
-
function _create_class$
|
|
2359
|
-
if (protoProps) _defineProperties$
|
|
2358
|
+
function _create_class$8(Constructor, protoProps, staticProps) {
|
|
2359
|
+
if (protoProps) _defineProperties$8(Constructor.prototype, protoProps);
|
|
2360
2360
|
return Constructor;
|
|
2361
2361
|
}
|
|
2362
2362
|
function _define_property$a(obj, key, value) {
|
|
@@ -2528,7 +2528,7 @@ function _ts_generator$6(thisArg, body) {
|
|
|
2528
2528
|
this.name = name;
|
|
2529
2529
|
this.collection = collections.oidcEntryCollection;
|
|
2530
2530
|
}
|
|
2531
|
-
_create_class$
|
|
2531
|
+
_create_class$8(FirestoreAdapter, [
|
|
2532
2532
|
{
|
|
2533
2533
|
key: "upsert",
|
|
2534
2534
|
value: function upsert(id, payload, expiresIn) {
|
|
@@ -2768,20 +2768,20 @@ function _ts_generator$6(thisArg, body) {
|
|
|
2768
2768
|
return FirestoreAdapter;
|
|
2769
2769
|
}
|
|
2770
2770
|
|
|
2771
|
-
function _array_like_to_array$
|
|
2771
|
+
function _array_like_to_array$4(arr, len) {
|
|
2772
2772
|
if (len == null || len > arr.length) len = arr.length;
|
|
2773
2773
|
for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
|
|
2774
2774
|
return arr2;
|
|
2775
2775
|
}
|
|
2776
|
-
function _array_without_holes$
|
|
2777
|
-
if (Array.isArray(arr)) return _array_like_to_array$
|
|
2776
|
+
function _array_without_holes$3(arr) {
|
|
2777
|
+
if (Array.isArray(arr)) return _array_like_to_array$4(arr);
|
|
2778
2778
|
}
|
|
2779
2779
|
function _class_call_check$8(instance, Constructor) {
|
|
2780
2780
|
if (!(instance instanceof Constructor)) {
|
|
2781
2781
|
throw new TypeError("Cannot call a class as a function");
|
|
2782
2782
|
}
|
|
2783
2783
|
}
|
|
2784
|
-
function _defineProperties$
|
|
2784
|
+
function _defineProperties$7(target, props) {
|
|
2785
2785
|
for(var i = 0; i < props.length; i++){
|
|
2786
2786
|
var descriptor = props[i];
|
|
2787
2787
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -2790,8 +2790,8 @@ function _defineProperties$8(target, props) {
|
|
|
2790
2790
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
2791
2791
|
}
|
|
2792
2792
|
}
|
|
2793
|
-
function _create_class$
|
|
2794
|
-
if (protoProps) _defineProperties$
|
|
2793
|
+
function _create_class$7(Constructor, protoProps, staticProps) {
|
|
2794
|
+
if (protoProps) _defineProperties$7(Constructor.prototype, protoProps);
|
|
2795
2795
|
return Constructor;
|
|
2796
2796
|
}
|
|
2797
2797
|
function _define_property$9(obj, key, value) {
|
|
@@ -2807,22 +2807,22 @@ function _define_property$9(obj, key, value) {
|
|
|
2807
2807
|
}
|
|
2808
2808
|
return obj;
|
|
2809
2809
|
}
|
|
2810
|
-
function _iterable_to_array$
|
|
2810
|
+
function _iterable_to_array$3(iter) {
|
|
2811
2811
|
if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
|
|
2812
2812
|
}
|
|
2813
|
-
function _non_iterable_spread$
|
|
2813
|
+
function _non_iterable_spread$3() {
|
|
2814
2814
|
throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
|
|
2815
2815
|
}
|
|
2816
|
-
function _to_consumable_array$
|
|
2817
|
-
return _array_without_holes$
|
|
2816
|
+
function _to_consumable_array$3(arr) {
|
|
2817
|
+
return _array_without_holes$3(arr) || _iterable_to_array$3(arr) || _unsupported_iterable_to_array$4(arr) || _non_iterable_spread$3();
|
|
2818
2818
|
}
|
|
2819
|
-
function _unsupported_iterable_to_array$
|
|
2819
|
+
function _unsupported_iterable_to_array$4(o, minLen) {
|
|
2820
2820
|
if (!o) return;
|
|
2821
|
-
if (typeof o === "string") return _array_like_to_array$
|
|
2821
|
+
if (typeof o === "string") return _array_like_to_array$4(o, minLen);
|
|
2822
2822
|
var n = Object.prototype.toString.call(o).slice(8, -1);
|
|
2823
2823
|
if (n === "Object" && o.constructor) n = o.constructor.name;
|
|
2824
2824
|
if (n === "Map" || n === "Set") return Array.from(n);
|
|
2825
|
-
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$
|
|
2825
|
+
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$4(o, minLen);
|
|
2826
2826
|
}
|
|
2827
2827
|
// MARK: Encrypted Fields
|
|
2828
2828
|
/**
|
|
@@ -2850,10 +2850,10 @@ function _unsupported_iterable_to_array$5(o, minLen) {
|
|
|
2850
2850
|
this.provider = createAesStringEncryptionProvider(config.jwksKeyConverterConfig.encryptionSecret);
|
|
2851
2851
|
this.adapterPayloadEncryptor = selectiveFieldEncryptor({
|
|
2852
2852
|
provider: this.provider,
|
|
2853
|
-
fields: _to_consumable_array$
|
|
2853
|
+
fields: _to_consumable_array$3(OIDC_ENCRYPTED_PAYLOAD_FIELDS)
|
|
2854
2854
|
});
|
|
2855
2855
|
}
|
|
2856
|
-
_create_class$
|
|
2856
|
+
_create_class$7(OidcEncryptionService, [
|
|
2857
2857
|
{
|
|
2858
2858
|
/**
|
|
2859
2859
|
* Encrypts sensitive fields in an adapter payload and returns it as a {@link JsonSerializableObject}
|
|
@@ -2886,20 +2886,20 @@ OidcEncryptionService = __decorate([
|
|
|
2886
2886
|
__param(0, Inject(OidcModuleConfig))
|
|
2887
2887
|
], OidcEncryptionService);
|
|
2888
2888
|
|
|
2889
|
-
function _array_like_to_array$
|
|
2889
|
+
function _array_like_to_array$3(arr, len) {
|
|
2890
2890
|
if (len == null || len > arr.length) len = arr.length;
|
|
2891
2891
|
for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
|
|
2892
2892
|
return arr2;
|
|
2893
2893
|
}
|
|
2894
|
-
function _array_without_holes$
|
|
2895
|
-
if (Array.isArray(arr)) return _array_like_to_array$
|
|
2894
|
+
function _array_without_holes$2(arr) {
|
|
2895
|
+
if (Array.isArray(arr)) return _array_like_to_array$3(arr);
|
|
2896
2896
|
}
|
|
2897
2897
|
function _class_call_check$7(instance, Constructor) {
|
|
2898
2898
|
if (!(instance instanceof Constructor)) {
|
|
2899
2899
|
throw new TypeError("Cannot call a class as a function");
|
|
2900
2900
|
}
|
|
2901
2901
|
}
|
|
2902
|
-
function _defineProperties$
|
|
2902
|
+
function _defineProperties$6(target, props) {
|
|
2903
2903
|
for(var i = 0; i < props.length; i++){
|
|
2904
2904
|
var descriptor = props[i];
|
|
2905
2905
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -2908,8 +2908,8 @@ function _defineProperties$7(target, props) {
|
|
|
2908
2908
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
2909
2909
|
}
|
|
2910
2910
|
}
|
|
2911
|
-
function _create_class$
|
|
2912
|
-
if (protoProps) _defineProperties$
|
|
2911
|
+
function _create_class$6(Constructor, protoProps, staticProps) {
|
|
2912
|
+
if (protoProps) _defineProperties$6(Constructor.prototype, protoProps);
|
|
2913
2913
|
return Constructor;
|
|
2914
2914
|
}
|
|
2915
2915
|
function _define_property$8(obj, key, value) {
|
|
@@ -2925,22 +2925,22 @@ function _define_property$8(obj, key, value) {
|
|
|
2925
2925
|
}
|
|
2926
2926
|
return obj;
|
|
2927
2927
|
}
|
|
2928
|
-
function _iterable_to_array$
|
|
2928
|
+
function _iterable_to_array$2(iter) {
|
|
2929
2929
|
if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
|
|
2930
2930
|
}
|
|
2931
|
-
function _non_iterable_spread$
|
|
2931
|
+
function _non_iterable_spread$2() {
|
|
2932
2932
|
throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
|
|
2933
2933
|
}
|
|
2934
|
-
function _to_consumable_array$
|
|
2935
|
-
return _array_without_holes$
|
|
2934
|
+
function _to_consumable_array$2(arr) {
|
|
2935
|
+
return _array_without_holes$2(arr) || _iterable_to_array$2(arr) || _unsupported_iterable_to_array$3(arr) || _non_iterable_spread$2();
|
|
2936
2936
|
}
|
|
2937
|
-
function _unsupported_iterable_to_array$
|
|
2937
|
+
function _unsupported_iterable_to_array$3(o, minLen) {
|
|
2938
2938
|
if (!o) return;
|
|
2939
|
-
if (typeof o === "string") return _array_like_to_array$
|
|
2939
|
+
if (typeof o === "string") return _array_like_to_array$3(o, minLen);
|
|
2940
2940
|
var n = Object.prototype.toString.call(o).slice(8, -1);
|
|
2941
2941
|
if (n === "Object" && o.constructor) n = o.constructor.name;
|
|
2942
2942
|
if (n === "Map" || n === "Set") return Array.from(n);
|
|
2943
|
-
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$
|
|
2943
|
+
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$3(o, minLen);
|
|
2944
2944
|
}
|
|
2945
2945
|
// MARK: Routes
|
|
2946
2946
|
/**
|
|
@@ -3017,7 +3017,7 @@ var DEFAULT_OIDC_CODE_CHALLENGE_METHODS = [
|
|
|
3017
3017
|
this.providerConfig = accountService.providerConfig;
|
|
3018
3018
|
this.scopesSupported = Object.keys(this.providerConfig.claims);
|
|
3019
3019
|
this.claimsSupported = Array.from(new Set(Object.values(this.providerConfig.claims).flat()));
|
|
3020
|
-
this.tokenEndpointAuthMethodsSupported = (_this_config_tokenEndpointAuthMethods = this.config.tokenEndpointAuthMethods) !== null && _this_config_tokenEndpointAuthMethods !== void 0 ? _this_config_tokenEndpointAuthMethods : _to_consumable_array$
|
|
3020
|
+
this.tokenEndpointAuthMethodsSupported = (_this_config_tokenEndpointAuthMethods = this.config.tokenEndpointAuthMethods) !== null && _this_config_tokenEndpointAuthMethods !== void 0 ? _this_config_tokenEndpointAuthMethods : _to_consumable_array$2(DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS);
|
|
3021
3021
|
var appUrl = envService.appUrl;
|
|
3022
3022
|
this.appLoginUrl = websiteUrlFromPaths(appUrl, [
|
|
3023
3023
|
this.config.appOAuthInteractionPath,
|
|
@@ -3029,7 +3029,7 @@ var DEFAULT_OIDC_CODE_CHALLENGE_METHODS = [
|
|
|
3029
3029
|
]);
|
|
3030
3030
|
this.oidcRegistrationRouteEnabled = config.registrationEnabled === true;
|
|
3031
3031
|
}
|
|
3032
|
-
_create_class$
|
|
3032
|
+
_create_class$6(OidcProviderConfigService, [
|
|
3033
3033
|
{
|
|
3034
3034
|
/**
|
|
3035
3035
|
* Builds the OpenID Connect Discovery metadata document.
|
|
@@ -3050,16 +3050,16 @@ var DEFAULT_OIDC_CODE_CHALLENGE_METHODS = [
|
|
|
3050
3050
|
jwks_uri: jwksUri !== null && jwksUri !== void 0 ? jwksUri : "".concat(issuer).concat(routes.jwks),
|
|
3051
3051
|
registration_endpoint: this.oidcRegistrationRouteEnabled ? "".concat(issuer).concat(routes.registration) : undefined,
|
|
3052
3052
|
scopes_supported: this.scopesSupported,
|
|
3053
|
-
response_types_supported: _to_consumable_array$
|
|
3053
|
+
response_types_supported: _to_consumable_array$2(providerConfig.responseTypes),
|
|
3054
3054
|
response_modes_supported: [
|
|
3055
3055
|
'query'
|
|
3056
3056
|
],
|
|
3057
|
-
grant_types_supported: _to_consumable_array$
|
|
3058
|
-
subject_types_supported: _to_consumable_array$
|
|
3059
|
-
id_token_signing_alg_values_supported: _to_consumable_array$
|
|
3060
|
-
token_endpoint_auth_methods_supported: _to_consumable_array$
|
|
3057
|
+
grant_types_supported: _to_consumable_array$2(providerConfig.grantTypes),
|
|
3058
|
+
subject_types_supported: _to_consumable_array$2(DEFAULT_OIDC_SUBJECT_TYPES),
|
|
3059
|
+
id_token_signing_alg_values_supported: _to_consumable_array$2(DEFAULT_OIDC_ID_TOKEN_SIGNING_ALG_VALUES),
|
|
3060
|
+
token_endpoint_auth_methods_supported: _to_consumable_array$2(this.tokenEndpointAuthMethodsSupported),
|
|
3061
3061
|
claims_supported: this.claimsSupported,
|
|
3062
|
-
code_challenge_methods_supported: _to_consumable_array$
|
|
3062
|
+
code_challenge_methods_supported: _to_consumable_array$2(DEFAULT_OIDC_CODE_CHALLENGE_METHODS)
|
|
3063
3063
|
};
|
|
3064
3064
|
}
|
|
3065
3065
|
}
|
|
@@ -3073,13 +3073,13 @@ OidcProviderConfigService = __decorate([
|
|
|
3073
3073
|
__param(2, Inject(FirebaseServerEnvService))
|
|
3074
3074
|
], OidcProviderConfigService);
|
|
3075
3075
|
|
|
3076
|
-
function _array_like_to_array$
|
|
3076
|
+
function _array_like_to_array$2(arr, len) {
|
|
3077
3077
|
if (len == null || len > arr.length) len = arr.length;
|
|
3078
3078
|
for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
|
|
3079
3079
|
return arr2;
|
|
3080
3080
|
}
|
|
3081
|
-
function _array_without_holes$
|
|
3082
|
-
if (Array.isArray(arr)) return _array_like_to_array$
|
|
3081
|
+
function _array_without_holes$1(arr) {
|
|
3082
|
+
if (Array.isArray(arr)) return _array_like_to_array$2(arr);
|
|
3083
3083
|
}
|
|
3084
3084
|
function asyncGeneratorStep$5(gen, resolve, reject, _next, _throw, key, arg) {
|
|
3085
3085
|
try {
|
|
@@ -3115,7 +3115,7 @@ function _class_call_check$6(instance, Constructor) {
|
|
|
3115
3115
|
throw new TypeError("Cannot call a class as a function");
|
|
3116
3116
|
}
|
|
3117
3117
|
}
|
|
3118
|
-
function _defineProperties$
|
|
3118
|
+
function _defineProperties$5(target, props) {
|
|
3119
3119
|
for(var i = 0; i < props.length; i++){
|
|
3120
3120
|
var descriptor = props[i];
|
|
3121
3121
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -3124,8 +3124,8 @@ function _defineProperties$6(target, props) {
|
|
|
3124
3124
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
3125
3125
|
}
|
|
3126
3126
|
}
|
|
3127
|
-
function _create_class$
|
|
3128
|
-
if (protoProps) _defineProperties$
|
|
3127
|
+
function _create_class$5(Constructor, protoProps, staticProps) {
|
|
3128
|
+
if (protoProps) _defineProperties$5(Constructor.prototype, protoProps);
|
|
3129
3129
|
return Constructor;
|
|
3130
3130
|
}
|
|
3131
3131
|
function _define_property$7(obj, key, value) {
|
|
@@ -3141,10 +3141,10 @@ function _define_property$7(obj, key, value) {
|
|
|
3141
3141
|
}
|
|
3142
3142
|
return obj;
|
|
3143
3143
|
}
|
|
3144
|
-
function _iterable_to_array$
|
|
3144
|
+
function _iterable_to_array$1(iter) {
|
|
3145
3145
|
if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
|
|
3146
3146
|
}
|
|
3147
|
-
function _non_iterable_spread$
|
|
3147
|
+
function _non_iterable_spread$1() {
|
|
3148
3148
|
throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
|
|
3149
3149
|
}
|
|
3150
3150
|
function _object_spread$2(target) {
|
|
@@ -3181,16 +3181,52 @@ function _object_spread_props(target, source) {
|
|
|
3181
3181
|
}
|
|
3182
3182
|
return target;
|
|
3183
3183
|
}
|
|
3184
|
-
function
|
|
3185
|
-
|
|
3184
|
+
function _object_without_properties(source, excluded) {
|
|
3185
|
+
if (source == null) return {};
|
|
3186
|
+
var target = {}, sourceKeys, key, i;
|
|
3187
|
+
if (typeof Reflect !== "undefined" && Reflect.ownKeys) {
|
|
3188
|
+
sourceKeys = Reflect.ownKeys(Object(source));
|
|
3189
|
+
for(i = 0; i < sourceKeys.length; i++){
|
|
3190
|
+
key = sourceKeys[i];
|
|
3191
|
+
if (excluded.indexOf(key) >= 0) continue;
|
|
3192
|
+
if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue;
|
|
3193
|
+
target[key] = source[key];
|
|
3194
|
+
}
|
|
3195
|
+
return target;
|
|
3196
|
+
}
|
|
3197
|
+
target = _object_without_properties_loose(source, excluded);
|
|
3198
|
+
if (Object.getOwnPropertySymbols) {
|
|
3199
|
+
sourceKeys = Object.getOwnPropertySymbols(source);
|
|
3200
|
+
for(i = 0; i < sourceKeys.length; i++){
|
|
3201
|
+
key = sourceKeys[i];
|
|
3202
|
+
if (excluded.indexOf(key) >= 0) continue;
|
|
3203
|
+
if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue;
|
|
3204
|
+
target[key] = source[key];
|
|
3205
|
+
}
|
|
3206
|
+
}
|
|
3207
|
+
return target;
|
|
3186
3208
|
}
|
|
3187
|
-
function
|
|
3209
|
+
function _object_without_properties_loose(source, excluded) {
|
|
3210
|
+
if (source == null) return {};
|
|
3211
|
+
var target = {}, sourceKeys = Object.getOwnPropertyNames(source), key, i;
|
|
3212
|
+
for(i = 0; i < sourceKeys.length; i++){
|
|
3213
|
+
key = sourceKeys[i];
|
|
3214
|
+
if (excluded.indexOf(key) >= 0) continue;
|
|
3215
|
+
if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue;
|
|
3216
|
+
target[key] = source[key];
|
|
3217
|
+
}
|
|
3218
|
+
return target;
|
|
3219
|
+
}
|
|
3220
|
+
function _to_consumable_array$1(arr) {
|
|
3221
|
+
return _array_without_holes$1(arr) || _iterable_to_array$1(arr) || _unsupported_iterable_to_array$2(arr) || _non_iterable_spread$1();
|
|
3222
|
+
}
|
|
3223
|
+
function _unsupported_iterable_to_array$2(o, minLen) {
|
|
3188
3224
|
if (!o) return;
|
|
3189
|
-
if (typeof o === "string") return _array_like_to_array$
|
|
3225
|
+
if (typeof o === "string") return _array_like_to_array$2(o, minLen);
|
|
3190
3226
|
var n = Object.prototype.toString.call(o).slice(8, -1);
|
|
3191
3227
|
if (n === "Object" && o.constructor) n = o.constructor.name;
|
|
3192
3228
|
if (n === "Map" || n === "Set") return Array.from(n);
|
|
3193
|
-
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$
|
|
3229
|
+
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$2(o, minLen);
|
|
3194
3230
|
}
|
|
3195
3231
|
function _ts_generator$5(thisArg, body) {
|
|
3196
3232
|
var f, y, t, _ = {
|
|
@@ -3315,7 +3351,7 @@ function _ts_generator$5(thisArg, body) {
|
|
|
3315
3351
|
this.collections = collections;
|
|
3316
3352
|
this.encryptionService = encryptionService;
|
|
3317
3353
|
}
|
|
3318
|
-
_create_class$
|
|
3354
|
+
_create_class$5(OidcService, [
|
|
3319
3355
|
{
|
|
3320
3356
|
/**
|
|
3321
3357
|
* Returns the oidc-provider instance, initializing it on first access.
|
|
@@ -3339,7 +3375,7 @@ function _ts_generator$5(thisArg, body) {
|
|
|
3339
3375
|
* @returns The auth context, or `undefined` if the token is invalid or expired.
|
|
3340
3376
|
*/ function verifyAccessToken(rawToken) {
|
|
3341
3377
|
return _async_to_generator$5(function() {
|
|
3342
|
-
var _accessToken_exp, provider, accessToken, token;
|
|
3378
|
+
var _accessToken_extra, _accessToken_exp, provider, accessToken, accountClaims, token;
|
|
3343
3379
|
return _ts_generator$5(this, function(_state) {
|
|
3344
3380
|
switch(_state.label){
|
|
3345
3381
|
case 0:
|
|
@@ -3361,7 +3397,12 @@ function _ts_generator$5(thisArg, body) {
|
|
|
3361
3397
|
undefined
|
|
3362
3398
|
];
|
|
3363
3399
|
}
|
|
3364
|
-
token
|
|
3400
|
+
// Extract account claims baked into the access token at issuance time.
|
|
3401
|
+
// These are the claims built by OidcAccountServiceDelegate.buildClaimsForUser()
|
|
3402
|
+
// (e.g., `a` for admin, `o` for onboarded) based on the granted scopes.
|
|
3403
|
+
// Read the account claims baked into the token at issuance time via extraAccessTokenClaims.
|
|
3404
|
+
accountClaims = (_accessToken_extra = accessToken.extra) !== null && _accessToken_extra !== void 0 ? _accessToken_extra : {};
|
|
3405
|
+
token = _object_spread_props(_object_spread$2({}, accountClaims), {
|
|
3365
3406
|
// Standard JWT claims — sourced from the access token
|
|
3366
3407
|
aud: firstValue(accessToken.aud),
|
|
3367
3408
|
iss: this.config.issuer,
|
|
@@ -3379,18 +3420,18 @@ function _ts_generator$5(thisArg, body) {
|
|
|
3379
3420
|
identities: {},
|
|
3380
3421
|
sign_in_provider: 'dbx_oidc'
|
|
3381
3422
|
}
|
|
3382
|
-
};
|
|
3423
|
+
});
|
|
3383
3424
|
return [
|
|
3384
3425
|
2,
|
|
3385
3426
|
{
|
|
3386
3427
|
uid: accessToken.accountId,
|
|
3387
3428
|
token: token,
|
|
3388
3429
|
rawToken: rawToken,
|
|
3389
|
-
oidcValidatedToken: {
|
|
3430
|
+
oidcValidatedToken: _object_spread$2({
|
|
3390
3431
|
sub: accessToken.accountId,
|
|
3391
3432
|
scope: accessToken.scope,
|
|
3392
3433
|
client_id: accessToken.clientId
|
|
3393
|
-
}
|
|
3434
|
+
}, accountClaims)
|
|
3394
3435
|
}
|
|
3395
3436
|
];
|
|
3396
3437
|
}
|
|
@@ -3461,10 +3502,10 @@ function _ts_generator$5(thisArg, body) {
|
|
|
3461
3502
|
var _this = this;
|
|
3462
3503
|
var config = this.config;
|
|
3463
3504
|
var providerConfig = this.providerConfigService.providerConfig;
|
|
3464
|
-
return _object_spread$2({
|
|
3505
|
+
return _object_spread_props(_object_spread$2({
|
|
3465
3506
|
routes: _object_spread$2({}, this.providerConfigService.routes),
|
|
3466
3507
|
claims: _object_spread$2({}, providerConfig.claims),
|
|
3467
|
-
responseTypes: _to_consumable_array$
|
|
3508
|
+
responseTypes: _to_consumable_array$1(providerConfig.responseTypes),
|
|
3468
3509
|
pkce: {
|
|
3469
3510
|
required: function required() {
|
|
3470
3511
|
return true;
|
|
@@ -3550,7 +3591,55 @@ function _ts_generator$5(thisArg, body) {
|
|
|
3550
3591
|
}
|
|
3551
3592
|
}, config.renderError ? {
|
|
3552
3593
|
renderError: config.renderError
|
|
3553
|
-
} : {})
|
|
3594
|
+
} : {}), {
|
|
3595
|
+
// Bake account claims into the access token at issuance time so they're
|
|
3596
|
+
// available via `accessToken.extra` during verification without an extra DB call.
|
|
3597
|
+
extraTokenClaims: function extraTokenClaims(_ctx, token) {
|
|
3598
|
+
return _async_to_generator$5(function() {
|
|
3599
|
+
var accountId, scope, account, claims, extraClaims;
|
|
3600
|
+
return _ts_generator$5(this, function(_state) {
|
|
3601
|
+
switch(_state.label){
|
|
3602
|
+
case 0:
|
|
3603
|
+
accountId = token.accountId;
|
|
3604
|
+
scope = token.scope;
|
|
3605
|
+
if (!(accountId && scope)) return [
|
|
3606
|
+
3,
|
|
3607
|
+
3
|
|
3608
|
+
];
|
|
3609
|
+
return [
|
|
3610
|
+
4,
|
|
3611
|
+
this.accountService.userContext(accountId).findAccount()
|
|
3612
|
+
];
|
|
3613
|
+
case 1:
|
|
3614
|
+
account = _state.sent();
|
|
3615
|
+
if (!account) return [
|
|
3616
|
+
3,
|
|
3617
|
+
3
|
|
3618
|
+
];
|
|
3619
|
+
return [
|
|
3620
|
+
4,
|
|
3621
|
+
account.claims('access_token', scope)
|
|
3622
|
+
];
|
|
3623
|
+
case 2:
|
|
3624
|
+
claims = _state.sent();
|
|
3625
|
+
claims.sub, extraClaims = _object_without_properties(claims, [
|
|
3626
|
+
"sub"
|
|
3627
|
+
]);
|
|
3628
|
+
// Filter out undefined values — the Firestore adapter cannot serialize them.
|
|
3629
|
+
return [
|
|
3630
|
+
2,
|
|
3631
|
+
filterUndefinedValues(extraClaims)
|
|
3632
|
+
];
|
|
3633
|
+
case 3:
|
|
3634
|
+
return [
|
|
3635
|
+
2,
|
|
3636
|
+
{}
|
|
3637
|
+
];
|
|
3638
|
+
}
|
|
3639
|
+
});
|
|
3640
|
+
}).call(_this);
|
|
3641
|
+
}
|
|
3642
|
+
});
|
|
3554
3643
|
}
|
|
3555
3644
|
},
|
|
3556
3645
|
{
|
|
@@ -3666,7 +3755,7 @@ function _class_call_check$5(instance, Constructor) {
|
|
|
3666
3755
|
throw new TypeError("Cannot call a class as a function");
|
|
3667
3756
|
}
|
|
3668
3757
|
}
|
|
3669
|
-
function _defineProperties$
|
|
3758
|
+
function _defineProperties$4(target, props) {
|
|
3670
3759
|
for(var i = 0; i < props.length; i++){
|
|
3671
3760
|
var descriptor = props[i];
|
|
3672
3761
|
descriptor.enumerable = descriptor.enumerable || false;
|
|
@@ -3675,8 +3764,8 @@ function _defineProperties$5(target, props) {
|
|
|
3675
3764
|
Object.defineProperty(target, descriptor.key, descriptor);
|
|
3676
3765
|
}
|
|
3677
3766
|
}
|
|
3678
|
-
function _create_class$
|
|
3679
|
-
if (protoProps) _defineProperties$
|
|
3767
|
+
function _create_class$4(Constructor, protoProps, staticProps) {
|
|
3768
|
+
if (protoProps) _defineProperties$4(Constructor.prototype, protoProps);
|
|
3680
3769
|
return Constructor;
|
|
3681
3770
|
}
|
|
3682
3771
|
function _define_property$6(obj, key, value) {
|
|
@@ -3816,7 +3905,7 @@ function _ts_generator$4(thisArg, body) {
|
|
|
3816
3905
|
_define_property$6(this, "logger", new Logger('OidcAuthBearerTokenMiddleware'));
|
|
3817
3906
|
this.oidcService = oidcService;
|
|
3818
3907
|
}
|
|
3819
|
-
_create_class$
|
|
3908
|
+
_create_class$4(OidcAuthBearerTokenMiddleware, [
|
|
3820
3909
|
{
|
|
3821
3910
|
key: "use",
|
|
3822
3911
|
value: function use(req, _res, next) {
|
|
@@ -3877,32 +3966,11 @@ OidcAuthBearerTokenMiddleware = __decorate([
|
|
|
3877
3966
|
__param(0, Inject(OidcService))
|
|
3878
3967
|
], OidcAuthBearerTokenMiddleware);
|
|
3879
3968
|
|
|
3880
|
-
function _array_like_to_array$2(arr, len) {
|
|
3881
|
-
if (len == null || len > arr.length) len = arr.length;
|
|
3882
|
-
for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
|
|
3883
|
-
return arr2;
|
|
3884
|
-
}
|
|
3885
|
-
function _array_without_holes$1(arr) {
|
|
3886
|
-
if (Array.isArray(arr)) return _array_like_to_array$2(arr);
|
|
3887
|
-
}
|
|
3888
3969
|
function _class_call_check$4(instance, Constructor) {
|
|
3889
3970
|
if (!(instance instanceof Constructor)) {
|
|
3890
3971
|
throw new TypeError("Cannot call a class as a function");
|
|
3891
3972
|
}
|
|
3892
3973
|
}
|
|
3893
|
-
function _defineProperties$4(target, props) {
|
|
3894
|
-
for(var i = 0; i < props.length; i++){
|
|
3895
|
-
var descriptor = props[i];
|
|
3896
|
-
descriptor.enumerable = descriptor.enumerable || false;
|
|
3897
|
-
descriptor.configurable = true;
|
|
3898
|
-
if ("value" in descriptor) descriptor.writable = true;
|
|
3899
|
-
Object.defineProperty(target, descriptor.key, descriptor);
|
|
3900
|
-
}
|
|
3901
|
-
}
|
|
3902
|
-
function _create_class$4(Constructor, protoProps, staticProps) {
|
|
3903
|
-
if (protoProps) _defineProperties$4(Constructor.prototype, protoProps);
|
|
3904
|
-
return Constructor;
|
|
3905
|
-
}
|
|
3906
3974
|
function _define_property$5(obj, key, value) {
|
|
3907
3975
|
if (key in obj) {
|
|
3908
3976
|
Object.defineProperty(obj, key, {
|
|
@@ -3916,23 +3984,6 @@ function _define_property$5(obj, key, value) {
|
|
|
3916
3984
|
}
|
|
3917
3985
|
return obj;
|
|
3918
3986
|
}
|
|
3919
|
-
function _iterable_to_array$1(iter) {
|
|
3920
|
-
if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
|
|
3921
|
-
}
|
|
3922
|
-
function _non_iterable_spread$1() {
|
|
3923
|
-
throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
|
|
3924
|
-
}
|
|
3925
|
-
function _to_consumable_array$1(arr) {
|
|
3926
|
-
return _array_without_holes$1(arr) || _iterable_to_array$1(arr) || _unsupported_iterable_to_array$2(arr) || _non_iterable_spread$1();
|
|
3927
|
-
}
|
|
3928
|
-
function _unsupported_iterable_to_array$2(o, minLen) {
|
|
3929
|
-
if (!o) return;
|
|
3930
|
-
if (typeof o === "string") return _array_like_to_array$2(o, minLen);
|
|
3931
|
-
var n = Object.prototype.toString.call(o).slice(8, -1);
|
|
3932
|
-
if (n === "Object" && o.constructor) n = o.constructor.name;
|
|
3933
|
-
if (n === "Map" || n === "Set") return Array.from(n);
|
|
3934
|
-
if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array$2(o, minLen);
|
|
3935
|
-
}
|
|
3936
3987
|
// MARK: Config
|
|
3937
3988
|
/**
|
|
3938
3989
|
* Configuration for `OidcAuthBearerTokenMiddleware` route protection.
|
|
@@ -3940,12 +3991,6 @@ function _unsupported_iterable_to_array$2(o, minLen) {
|
|
|
3940
3991
|
* Works in reverse of `FirebaseAppCheckMiddlewareConfig`: instead of protecting
|
|
3941
3992
|
* all routes and ignoring some, this only protects explicitly specified paths.
|
|
3942
3993
|
* Routes under the global API prefix (protected by AppCheck) are excluded.
|
|
3943
|
-
*
|
|
3944
|
-
* @example
|
|
3945
|
-
* ```ts
|
|
3946
|
-
* // Provide in your module:
|
|
3947
|
-
* { provide: OidcAuthMiddlewareConfig, useValue: { protectedPaths: ['/mcp'] } }
|
|
3948
|
-
* ```
|
|
3949
3994
|
*/ var OidcAuthMiddlewareConfig = function OidcAuthMiddlewareConfig() {
|
|
3950
3995
|
_class_call_check$4(this, OidcAuthMiddlewareConfig);
|
|
3951
3996
|
/**
|
|
@@ -3957,56 +4002,75 @@ function _unsupported_iterable_to_array$2(o, minLen) {
|
|
|
3957
4002
|
*/ _define_property$5(this, "protectedPaths", void 0);
|
|
3958
4003
|
};
|
|
3959
4004
|
// MARK: Module
|
|
4005
|
+
var _logger = new Logger('applyOidcAuthMiddleware');
|
|
4006
|
+
// MARK: Express-Level Helper
|
|
3960
4007
|
/**
|
|
3961
|
-
*
|
|
3962
|
-
*
|
|
4008
|
+
* Applies OAuth bearer token verification as global Express middleware on
|
|
4009
|
+
* the given NestJS application.
|
|
3963
4010
|
*
|
|
3964
|
-
*
|
|
3965
|
-
*
|
|
3966
|
-
*
|
|
4011
|
+
* Resolves `OidcService` and `OidcAuthMiddlewareConfig` from the app's DI container,
|
|
4012
|
+
* then registers an Express middleware that verifies bearer tokens for the configured
|
|
4013
|
+
* protected paths and attaches auth data to `req.auth`.
|
|
4014
|
+
*
|
|
4015
|
+
* This is an alternative to {@link ConfigureOidcAuthMiddlewareModule} for cases where
|
|
4016
|
+
* NestJS module scoping makes the module approach impractical.
|
|
4017
|
+
*
|
|
4018
|
+
* @param nestApp - The NestJS application instance used to resolve dependencies and register the middleware.
|
|
3967
4019
|
*
|
|
3968
4020
|
* @example
|
|
3969
4021
|
* ```ts
|
|
3970
|
-
*
|
|
3971
|
-
*
|
|
3972
|
-
*
|
|
3973
|
-
*
|
|
3974
|
-
*
|
|
3975
|
-
* }
|
|
3976
|
-
* export class AppModule {}
|
|
4022
|
+
* export const APP_NEST_SERVER_CONFIG: NestServerInstanceConfig<AppModule> = {
|
|
4023
|
+
* moduleClass: AppModule,
|
|
4024
|
+
* configureNestServerInstance: (nestApp) => {
|
|
4025
|
+
* applyOidcAuthMiddleware(nestApp);
|
|
4026
|
+
* }
|
|
4027
|
+
* };
|
|
3977
4028
|
* ```
|
|
3978
|
-
*/
|
|
3979
|
-
|
|
3980
|
-
|
|
3981
|
-
|
|
3982
|
-
|
|
3983
|
-
|
|
4029
|
+
*/ function applyOidcAuthMiddleware(nestApp) {
|
|
4030
|
+
var _ref;
|
|
4031
|
+
var oidcService = nestApp.get(OidcService);
|
|
4032
|
+
var config = nestApp.get(OidcAuthMiddlewareConfig);
|
|
4033
|
+
var protectedPaths = (_ref = config === null || config === void 0 ? void 0 : config.protectedPaths) !== null && _ref !== void 0 ? _ref : [];
|
|
4034
|
+
if (protectedPaths.length === 0) {
|
|
4035
|
+
return;
|
|
3984
4036
|
}
|
|
3985
|
-
|
|
3986
|
-
|
|
3987
|
-
|
|
3988
|
-
|
|
3989
|
-
|
|
3990
|
-
|
|
3991
|
-
|
|
3992
|
-
if (protectedPaths.length > 0) {
|
|
3993
|
-
var _consumer_apply;
|
|
3994
|
-
var routes = protectedPaths.map(function(path) {
|
|
3995
|
-
return "".concat(path, "/*path");
|
|
3996
|
-
});
|
|
3997
|
-
(_consumer_apply = consumer.apply(OidcAuthBearerTokenMiddleware)).forRoutes.apply(_consumer_apply, _to_consumable_array$1(routes));
|
|
3998
|
-
this.logger.debug("Configured OAuth bearer token middleware for routes: ".concat(protectedPaths.join(', ')));
|
|
3999
|
-
}
|
|
4000
|
-
}
|
|
4037
|
+
var logger = new Logger('OidcAuthMiddleware');
|
|
4038
|
+
nestApp.use(function(req, res, next) {
|
|
4039
|
+
var isProtected = protectedPaths.some(function(prefix) {
|
|
4040
|
+
return req.path.startsWith(prefix);
|
|
4041
|
+
});
|
|
4042
|
+
if (!isProtected) {
|
|
4043
|
+
return next();
|
|
4001
4044
|
}
|
|
4002
|
-
|
|
4003
|
-
|
|
4004
|
-
|
|
4005
|
-
|
|
4006
|
-
|
|
4007
|
-
|
|
4008
|
-
|
|
4009
|
-
|
|
4045
|
+
var authHeader = req.headers.authorization;
|
|
4046
|
+
if (!(authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith('Bearer '))) {
|
|
4047
|
+
res.status(401).json({
|
|
4048
|
+
statusCode: 401,
|
|
4049
|
+
message: 'Missing or invalid Authorization header'
|
|
4050
|
+
});
|
|
4051
|
+
return;
|
|
4052
|
+
}
|
|
4053
|
+
var token = authHeader.slice(7);
|
|
4054
|
+
oidcService.verifyAccessToken(token).then(function(oauthAuth) {
|
|
4055
|
+
if (!oauthAuth) {
|
|
4056
|
+
res.status(401).json({
|
|
4057
|
+
statusCode: 401,
|
|
4058
|
+
message: 'Invalid or expired access token'
|
|
4059
|
+
});
|
|
4060
|
+
return;
|
|
4061
|
+
}
|
|
4062
|
+
req.auth = oauthAuth;
|
|
4063
|
+
next();
|
|
4064
|
+
}).catch(function(err) {
|
|
4065
|
+
logger.error('Bearer token verification failed', err);
|
|
4066
|
+
res.status(401).json({
|
|
4067
|
+
statusCode: 401,
|
|
4068
|
+
message: 'Token verification failed'
|
|
4069
|
+
});
|
|
4070
|
+
});
|
|
4071
|
+
});
|
|
4072
|
+
_logger.debug("Applied OAuth bearer token middleware for paths: ".concat(protectedPaths.join(', ')));
|
|
4073
|
+
}
|
|
4010
4074
|
|
|
4011
4075
|
function asyncGeneratorStep$3(gen, resolve, reject, _next, _throw, key, arg) {
|
|
4012
4076
|
try {
|
|
@@ -5591,8 +5655,7 @@ function _unsupported_iterable_to_array(o, minLen) {
|
|
|
5591
5655
|
return {
|
|
5592
5656
|
imports: [
|
|
5593
5657
|
ConfigModule,
|
|
5594
|
-
FirebaseServerFirestoreContextModule
|
|
5595
|
-
ConfigureOidcAuthMiddlewareModule
|
|
5658
|
+
FirebaseServerFirestoreContextModule
|
|
5596
5659
|
].concat(_to_consumable_array(dependencyModuleImport), _to_consumable_array(imports !== null && imports !== void 0 ? imports : [])),
|
|
5597
5660
|
controllers: [
|
|
5598
5661
|
OidcWellKnownController,
|
|
@@ -5602,6 +5665,7 @@ function _unsupported_iterable_to_array(o, minLen) {
|
|
|
5602
5665
|
exports: [
|
|
5603
5666
|
OidcClientService,
|
|
5604
5667
|
OidcModuleConfig,
|
|
5668
|
+
OidcAuthMiddlewareConfig,
|
|
5605
5669
|
OidcServerFirestoreCollections
|
|
5606
5670
|
].concat(_to_consumable_array(exports$1 !== null && exports$1 !== void 0 ? exports$1 : [])),
|
|
5607
5671
|
providers: [
|
|
@@ -5667,4 +5731,4 @@ function _unsupported_iterable_to_array(o, minLen) {
|
|
|
5667
5731
|
};
|
|
5668
5732
|
}
|
|
5669
5733
|
|
|
5670
|
-
export {
|
|
5734
|
+
export { DEFAULT_APP_OAUTH_CONSENT_PATH_PART, DEFAULT_APP_OAUTH_INTERACTION_PATH, DEFAULT_APP_OAUTH_LOGIN_PATH_PART, DEFAULT_OIDC_CODE_CHALLENGE_METHODS, DEFAULT_OIDC_ID_TOKEN_SIGNING_ALG_VALUES, DEFAULT_OIDC_ISSUER_PATH, DEFAULT_OIDC_ROUTES, DEFAULT_OIDC_SUBJECT_TYPES, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DEFAULT_OIDC_TOKEN_LIFETIMES, DEFAULT_ROTATED_KEY_MAX_AGE, FIREBASE_SERVER_OIDC_ROUTES_FOR_GLOBAL_ROUTE_EXCLUDE, JwksFirestoreCollections, JwksKeyDocument, JwksService, JwksServiceConfig, JwksServiceStorageConfig, OIDC_ENCRYPTED_PAYLOAD_FIELDS, OIDC_JWKS_ENCRYPTION_SECRET_ENV_KEY, OidcAccountService, OidcAccountServiceDelegate, OidcAccountServiceUserContext, OidcAuth, OidcAuthBearerTokenMiddleware, OidcAuthMiddlewareConfig, OidcClientService, OidcEncryptionService, OidcInteractionController, OidcInteractionService, OidcModelServerActions, OidcModuleConfig, OidcProviderConfigService, OidcProviderController, OidcServerFirestoreCollections, OidcService, OidcWellKnownController, activeJwksKeysQuery, appOidcModelModuleMetadata, applyOidcAuthMiddleware, createAdapterFactory, createOidcClientFactory, deleteOidcClientFactory, jwksKeyCollectionReference, jwksKeyConverter, jwksKeyFirestoreCollection, jwksKeyIdentity, jwksKeysWithStatusQuery, nonRetiredJwksKeysQuery, oidcFirestoreCollectionsFactory, oidcModelServerActions, oidcModelServerActionsFactory, oidcModuleConfigFactory, oidcModuleMetadata, rotateOidcClientSecretFactory, rotatedJwksKeysQuery, updateOidcClientFactory };
|