@okta/okta-auth-js 7.6.0 → 7.7.1
- package/CHANGELOG.md +15 -0
- package/README.md +142 -0
- package/cjs/base/types.js.map +1 -1
- package/cjs/errors/OAuthError.js +9 -1
- package/cjs/errors/OAuthError.js.map +1 -1
- package/cjs/errors/WWWAuthError.js +98 -0
- package/cjs/errors/WWWAuthError.js.map +1 -0
- package/cjs/errors/index.js +14 -1
- package/cjs/errors/index.js.map +1 -1
- package/cjs/features.js +10 -1
- package/cjs/features.js.map +1 -1
- package/cjs/http/OktaUserAgent.js +2 -2
- package/cjs/http/request.js +24 -25
- package/cjs/http/request.js.map +1 -1
- package/cjs/idx/IdxTransactionManager.js +5 -0
- package/cjs/idx/IdxTransactionManager.js.map +1 -1
- package/cjs/idx/run.js +6 -3
- package/cjs/idx/run.js.map +1 -1
- package/cjs/idx/types/options.js.map +1 -1
- package/cjs/oidc/dpop.js +231 -0
- package/cjs/oidc/dpop.js.map +1 -0
- package/cjs/oidc/endpoints/token.js +82 -28
- package/cjs/oidc/endpoints/token.js.map +1 -1
- package/cjs/oidc/exchangeCodeForTokens.js +53 -28
- package/cjs/oidc/exchangeCodeForTokens.js.map +1 -1
- package/cjs/oidc/getUserInfo.js +32 -17
- package/cjs/oidc/getUserInfo.js.map +1 -1
- package/cjs/oidc/handleOAuthResponse.js +21 -0
- package/cjs/oidc/handleOAuthResponse.js.map +1 -1
- package/cjs/oidc/mixin/index.js +63 -2
- package/cjs/oidc/mixin/index.js.map +1 -1
- package/cjs/oidc/options/OAuthOptionsConstructor.js +2 -0
- package/cjs/oidc/options/OAuthOptionsConstructor.js.map +1 -1
- package/cjs/oidc/renewToken.js +6 -2
- package/cjs/oidc/renewToken.js.map +1 -1
- package/cjs/oidc/renewTokens.js +5 -1
- package/cjs/oidc/renewTokens.js.map +1 -1
- package/cjs/oidc/renewTokensWithRefresh.js +17 -2
- package/cjs/oidc/renewTokensWithRefresh.js.map +1 -1
- package/cjs/oidc/types/Token.js.map +1 -1
- package/cjs/oidc/types/api.js.map +1 -1
- package/cjs/oidc/types/meta.js.map +1 -1
- package/cjs/oidc/types/options.js.map +1 -1
- package/cjs/oidc/util/defaultTokenParams.js +4 -2
- package/cjs/oidc/util/defaultTokenParams.js.map +1 -1
- package/cjs/oidc/util/oauthMeta.js +2 -1
- package/cjs/oidc/util/oauthMeta.js.map +1 -1
- package/cjs/oidc/util/prepareTokenParams.js +3 -0
- package/cjs/oidc/util/prepareTokenParams.js.map +1 -1
- package/dist/okta-auth-js.authn.min.analyzer.html +2 -2
- package/dist/okta-auth-js.authn.min.js +1 -1
- package/dist/okta-auth-js.authn.min.js.map +1 -1
- package/dist/okta-auth-js.core.min.analyzer.html +2 -2
- package/dist/okta-auth-js.core.min.js +1 -1
- package/dist/okta-auth-js.core.min.js.map +1 -1
- package/dist/okta-auth-js.idx.min.analyzer.html +2 -2
- package/dist/okta-auth-js.idx.min.js +1 -1
- package/dist/okta-auth-js.idx.min.js.map +1 -1
- package/dist/okta-auth-js.min.analyzer.html +2 -2
- package/dist/okta-auth-js.min.js +1 -1
- package/dist/okta-auth-js.min.js.map +1 -1
- package/dist/okta-auth-js.myaccount.min.analyzer.html +2 -2
- package/dist/okta-auth-js.myaccount.min.js +1 -1
- package/dist/okta-auth-js.myaccount.min.js.map +1 -1
- package/esm/browser/authn/api.js +1 -0
- package/esm/browser/authn/api.js.map +1 -1
- package/esm/browser/authn/util/link2fn.js +1 -0
- package/esm/browser/authn/util/link2fn.js.map +1 -1
- package/esm/browser/authn/util/poll.js +1 -0
- package/esm/browser/authn/util/poll.js.map +1 -1
- package/esm/browser/browser/fingerprint.js +1 -0
- package/esm/browser/browser/fingerprint.js.map +1 -1
- package/esm/browser/core/AuthStateManager.js +1 -0
- package/esm/browser/core/AuthStateManager.js.map +1 -1
- package/esm/browser/core/options.js +1 -0
- package/esm/browser/core/options.js.map +1 -1
- package/esm/browser/crypto/base64.js +1 -0
- package/esm/browser/crypto/base64.js.map +1 -1
- package/esm/browser/errors/OAuthError.js +5 -1
- package/esm/browser/errors/OAuthError.js.map +1 -1
- package/esm/browser/errors/WWWAuthError.js +61 -0
- package/esm/browser/errors/WWWAuthError.js.map +1 -0
- package/esm/browser/errors/index.js +6 -1
- package/esm/browser/errors/index.js.map +1 -1
- package/esm/browser/exports/exports/authn.js +2 -1
- package/esm/browser/exports/exports/authn.js.map +1 -1
- package/esm/browser/exports/exports/core.js +2 -1
- package/esm/browser/exports/exports/core.js.map +1 -1
- package/esm/browser/exports/exports/default.js +2 -1
- package/esm/browser/exports/exports/default.js.map +1 -1
- package/esm/browser/exports/exports/idx.js +2 -1
- package/esm/browser/exports/exports/idx.js.map +1 -1
- package/esm/browser/exports/exports/myaccount.js +2 -1
- package/esm/browser/exports/exports/myaccount.js.map +1 -1
- package/esm/browser/features.js +12 -2
- package/esm/browser/features.js.map +1 -1
- package/esm/browser/http/OktaUserAgent.js +2 -2
- package/esm/browser/http/options.js +1 -0
- package/esm/browser/http/options.js.map +1 -1
- package/esm/browser/http/request.js +14 -25
- package/esm/browser/http/request.js.map +1 -1
- package/esm/browser/idx/IdxTransactionManager.js +4 -1
- package/esm/browser/idx/IdxTransactionManager.js.map +1 -1
- package/esm/browser/idx/cancel.js +1 -0
- package/esm/browser/idx/cancel.js.map +1 -1
- package/esm/browser/idx/factory/api.js +1 -0
- package/esm/browser/idx/factory/api.js.map +1 -1
- package/esm/browser/idx/flow/AccountUnlockFlow.js +1 -0
- package/esm/browser/idx/flow/AccountUnlockFlow.js.map +1 -1
- package/esm/browser/idx/flow/AuthenticationFlow.js +1 -0
- package/esm/browser/idx/flow/AuthenticationFlow.js.map +1 -1
- package/esm/browser/idx/flow/PasswordRecoveryFlow.js +1 -0
- package/esm/browser/idx/flow/PasswordRecoveryFlow.js.map +1 -1
- package/esm/browser/idx/flow/RegistrationFlow.js +1 -0
- package/esm/browser/idx/flow/RegistrationFlow.js.map +1 -1
- package/esm/browser/idx/handleInteractionCodeRedirect.js +1 -0
- package/esm/browser/idx/handleInteractionCodeRedirect.js.map +1 -1
- package/esm/browser/idx/idxState/v1/generateIdxAction.js +1 -0
- package/esm/browser/idx/idxState/v1/generateIdxAction.js.map +1 -1
- package/esm/browser/idx/idxState/v1/idxResponseParser.js +1 -0
- package/esm/browser/idx/idxState/v1/idxResponseParser.js.map +1 -1
- package/esm/browser/idx/interact.js +1 -0
- package/esm/browser/idx/interact.js.map +1 -1
- package/esm/browser/idx/proceed.js +1 -0
- package/esm/browser/idx/proceed.js.map +1 -1
- package/esm/browser/idx/recoverPassword.js +1 -0
- package/esm/browser/idx/recoverPassword.js.map +1 -1
- package/esm/browser/idx/register.js +1 -0
- package/esm/browser/idx/register.js.map +1 -1
- package/esm/browser/idx/remediate.js +1 -0
- package/esm/browser/idx/remediate.js.map +1 -1
- package/esm/browser/idx/remediators/GenericRemediator/util.js +2 -0
- package/esm/browser/idx/remediators/GenericRemediator/util.js.map +1 -1
- package/esm/browser/idx/run.js +3 -3
- package/esm/browser/idx/run.js.map +1 -1
- package/esm/browser/idx/transactionMeta.js +1 -0
- package/esm/browser/idx/transactionMeta.js.map +1 -1
- package/esm/browser/idx/unlockAccount.js +1 -0
- package/esm/browser/idx/unlockAccount.js.map +1 -1
- package/esm/browser/myaccount/request.js +1 -0
- package/esm/browser/myaccount/request.js.map +1 -1
- package/esm/browser/oidc/TokenManager.js +1 -0
- package/esm/browser/oidc/TokenManager.js.map +1 -1
- package/esm/browser/oidc/decodeToken.js +1 -0
- package/esm/browser/oidc/decodeToken.js.map +1 -1
- package/esm/browser/oidc/dpop.js +160 -0
- package/esm/browser/oidc/dpop.js.map +1 -0
- package/esm/browser/oidc/endpoints/authorize.js +1 -0
- package/esm/browser/oidc/endpoints/authorize.js.map +1 -1
- package/esm/browser/oidc/endpoints/token.js +62 -25
- package/esm/browser/oidc/endpoints/token.js.map +1 -1
- package/esm/browser/oidc/endpoints/well-known.js +1 -0
- package/esm/browser/oidc/endpoints/well-known.js.map +1 -1
- package/esm/browser/oidc/enrollAuthenticator.js +1 -0
- package/esm/browser/oidc/enrollAuthenticator.js.map +1 -1
- package/esm/browser/oidc/exchangeCodeForTokens.js +41 -25
- package/esm/browser/oidc/exchangeCodeForTokens.js.map +1 -1
- package/esm/browser/oidc/factory/api.js +1 -0
- package/esm/browser/oidc/factory/api.js.map +1 -1
- package/esm/browser/oidc/factory/baseApi.js +1 -0
- package/esm/browser/oidc/factory/baseApi.js.map +1 -1
- package/esm/browser/oidc/getToken.js +1 -0
- package/esm/browser/oidc/getToken.js.map +1 -1
- package/esm/browser/oidc/getUserInfo.js +22 -18
- package/esm/browser/oidc/getUserInfo.js.map +1 -1
- package/esm/browser/oidc/getWithPopup.js +1 -0
- package/esm/browser/oidc/getWithPopup.js.map +1 -1
- package/esm/browser/oidc/getWithRedirect.js +1 -0
- package/esm/browser/oidc/getWithRedirect.js.map +1 -1
- package/esm/browser/oidc/getWithoutPrompt.js +1 -0
- package/esm/browser/oidc/getWithoutPrompt.js.map +1 -1
- package/esm/browser/oidc/handleOAuthResponse.js +19 -0
- package/esm/browser/oidc/handleOAuthResponse.js.map +1 -1
- package/esm/browser/oidc/introspect.js +1 -0
- package/esm/browser/oidc/introspect.js.map +1 -1
- package/esm/browser/oidc/mixin/index.js +62 -2
- package/esm/browser/oidc/mixin/index.js.map +1 -1
- package/esm/browser/oidc/mixin/minimal.js +1 -0
- package/esm/browser/oidc/mixin/minimal.js.map +1 -1
- package/esm/browser/oidc/options/OAuthOptionsConstructor.js +1 -0
- package/esm/browser/oidc/options/OAuthOptionsConstructor.js.map +1 -1
- package/esm/browser/oidc/parseFromUrl.js +1 -0
- package/esm/browser/oidc/parseFromUrl.js.map +1 -1
- package/esm/browser/oidc/renewToken.js +5 -2
- package/esm/browser/oidc/renewToken.js.map +1 -1
- package/esm/browser/oidc/renewTokens.js +6 -1
- package/esm/browser/oidc/renewTokens.js.map +1 -1
- package/esm/browser/oidc/renewTokensWithRefresh.js +15 -5
- package/esm/browser/oidc/renewTokensWithRefresh.js.map +1 -1
- package/esm/browser/oidc/revokeToken.js +1 -0
- package/esm/browser/oidc/revokeToken.js.map +1 -1
- package/esm/browser/oidc/storage.js +1 -0
- package/esm/browser/oidc/storage.js.map +1 -1
- package/esm/browser/oidc/types/Token.js.map +1 -1
- package/esm/browser/oidc/util/browser.js +1 -0
- package/esm/browser/oidc/util/browser.js.map +1 -1
- package/esm/browser/oidc/util/defaultTokenParams.js +3 -2
- package/esm/browser/oidc/util/defaultTokenParams.js.map +1 -1
- package/esm/browser/oidc/util/oauthMeta.js +1 -0
- package/esm/browser/oidc/util/oauthMeta.js.map +1 -1
- package/esm/browser/oidc/util/prepareEnrollAuthenticatorParams.js +1 -0
- package/esm/browser/oidc/util/prepareEnrollAuthenticatorParams.js.map +1 -1
- package/esm/browser/oidc/util/prepareTokenParams.js +4 -0
- package/esm/browser/oidc/util/prepareTokenParams.js.map +1 -1
- package/esm/browser/oidc/util/validateToken.js +1 -0
- package/esm/browser/oidc/util/validateToken.js.map +1 -1
- package/esm/browser/oidc/verifyToken.js +1 -0
- package/esm/browser/oidc/verifyToken.js.map +1 -1
- package/esm/browser/package.json +1 -1
- package/esm/browser/services/AutoRenewService.js +1 -0
- package/esm/browser/services/AutoRenewService.js.map +1 -1
- package/esm/browser/services/SyncStorageService.js +1 -0
- package/esm/browser/services/SyncStorageService.js.map +1 -1
- package/esm/browser/session/api.js +1 -0
- package/esm/browser/session/api.js.map +1 -1
- package/esm/node/authn/api.js +1 -0
- package/esm/node/authn/api.js.map +1 -1
- package/esm/node/authn/util/link2fn.js +1 -0
- package/esm/node/authn/util/link2fn.js.map +1 -1
- package/esm/node/authn/util/poll.js +1 -0
- package/esm/node/authn/util/poll.js.map +1 -1
- package/esm/node/browser/fingerprint.js +1 -0
- package/esm/node/browser/fingerprint.js.map +1 -1
- package/esm/node/core/AuthStateManager.js +1 -0
- package/esm/node/core/AuthStateManager.js.map +1 -1
- package/esm/node/core/options.js +1 -0
- package/esm/node/core/options.js.map +1 -1
- package/esm/node/crypto/base64.js +1 -0
- package/esm/node/crypto/base64.js.map +1 -1
- package/esm/node/errors/OAuthError.js +5 -1
- package/esm/node/errors/OAuthError.js.map +1 -1
- package/esm/node/errors/WWWAuthError.js +61 -0
- package/esm/node/errors/WWWAuthError.js.map +1 -0
- package/esm/node/errors/index.js +6 -1
- package/esm/node/errors/index.js.map +1 -1
- package/esm/node/exports/exports/authn.js +2 -1
- package/esm/node/exports/exports/authn.js.map +1 -1
- package/esm/node/exports/exports/core.js +2 -1
- package/esm/node/exports/exports/core.js.map +1 -1
- package/esm/node/exports/exports/default.js +2 -1
- package/esm/node/exports/exports/default.js.map +1 -1
- package/esm/node/exports/exports/idx.js +2 -1
- package/esm/node/exports/exports/idx.js.map +1 -1
- package/esm/node/exports/exports/myaccount.js +2 -1
- package/esm/node/exports/exports/myaccount.js.map +1 -1
- package/esm/node/features.js +12 -2
- package/esm/node/features.js.map +1 -1
- package/esm/node/http/OktaUserAgent.js +2 -2
- package/esm/node/http/options.js +1 -0
- package/esm/node/http/options.js.map +1 -1
- package/esm/node/http/request.js +14 -25
- package/esm/node/http/request.js.map +1 -1
- package/esm/node/idx/IdxTransactionManager.js +4 -1
- package/esm/node/idx/IdxTransactionManager.js.map +1 -1
- package/esm/node/idx/cancel.js +1 -0
- package/esm/node/idx/cancel.js.map +1 -1
- package/esm/node/idx/factory/api.js +1 -0
- package/esm/node/idx/factory/api.js.map +1 -1
- package/esm/node/idx/flow/AccountUnlockFlow.js +1 -0
- package/esm/node/idx/flow/AccountUnlockFlow.js.map +1 -1
- package/esm/node/idx/flow/AuthenticationFlow.js +1 -0
- package/esm/node/idx/flow/AuthenticationFlow.js.map +1 -1
- package/esm/node/idx/flow/PasswordRecoveryFlow.js +1 -0
- package/esm/node/idx/flow/PasswordRecoveryFlow.js.map +1 -1
- package/esm/node/idx/flow/RegistrationFlow.js +1 -0
- package/esm/node/idx/flow/RegistrationFlow.js.map +1 -1
- package/esm/node/idx/handleInteractionCodeRedirect.js +1 -0
- package/esm/node/idx/handleInteractionCodeRedirect.js.map +1 -1
- package/esm/node/idx/idxState/v1/generateIdxAction.js +1 -0
- package/esm/node/idx/idxState/v1/generateIdxAction.js.map +1 -1
- package/esm/node/idx/idxState/v1/idxResponseParser.js +1 -0
- package/esm/node/idx/idxState/v1/idxResponseParser.js.map +1 -1
- package/esm/node/idx/interact.js +1 -0
- package/esm/node/idx/interact.js.map +1 -1
- package/esm/node/idx/proceed.js +1 -0
- package/esm/node/idx/proceed.js.map +1 -1
- package/esm/node/idx/recoverPassword.js +1 -0
- package/esm/node/idx/recoverPassword.js.map +1 -1
- package/esm/node/idx/register.js +1 -0
- package/esm/node/idx/register.js.map +1 -1
- package/esm/node/idx/remediate.js +1 -0
- package/esm/node/idx/remediate.js.map +1 -1
- package/esm/node/idx/remediators/GenericRemediator/util.js +2 -0
- package/esm/node/idx/remediators/GenericRemediator/util.js.map +1 -1
- package/esm/node/idx/run.js +3 -3
- package/esm/node/idx/run.js.map +1 -1
- package/esm/node/idx/transactionMeta.js +1 -0
- package/esm/node/idx/transactionMeta.js.map +1 -1
- package/esm/node/idx/unlockAccount.js +1 -0
- package/esm/node/idx/unlockAccount.js.map +1 -1
- package/esm/node/myaccount/request.js +1 -0
- package/esm/node/myaccount/request.js.map +1 -1
- package/esm/node/oidc/TokenManager.js +1 -0
- package/esm/node/oidc/TokenManager.js.map +1 -1
- package/esm/node/oidc/decodeToken.js +1 -0
- package/esm/node/oidc/decodeToken.js.map +1 -1
- package/esm/node/oidc/dpop.js +160 -0
- package/esm/node/oidc/dpop.js.map +1 -0
- package/esm/node/oidc/endpoints/authorize.js +1 -0
- package/esm/node/oidc/endpoints/authorize.js.map +1 -1
- package/esm/node/oidc/endpoints/token.js +62 -25
- package/esm/node/oidc/endpoints/token.js.map +1 -1
- package/esm/node/oidc/endpoints/well-known.js +1 -0
- package/esm/node/oidc/endpoints/well-known.js.map +1 -1
- package/esm/node/oidc/enrollAuthenticator.js +1 -0
- package/esm/node/oidc/enrollAuthenticator.js.map +1 -1
- package/esm/node/oidc/exchangeCodeForTokens.js +41 -25
- package/esm/node/oidc/exchangeCodeForTokens.js.map +1 -1
- package/esm/node/oidc/factory/api.js +1 -0
- package/esm/node/oidc/factory/api.js.map +1 -1
- package/esm/node/oidc/factory/baseApi.js +1 -0
- package/esm/node/oidc/factory/baseApi.js.map +1 -1
- package/esm/node/oidc/getToken.js +1 -0
- package/esm/node/oidc/getToken.js.map +1 -1
- package/esm/node/oidc/getUserInfo.js +22 -18
- package/esm/node/oidc/getUserInfo.js.map +1 -1
- package/esm/node/oidc/getWithPopup.js +1 -0
- package/esm/node/oidc/getWithPopup.js.map +1 -1
- package/esm/node/oidc/getWithRedirect.js +1 -0
- package/esm/node/oidc/getWithRedirect.js.map +1 -1
- package/esm/node/oidc/getWithoutPrompt.js +1 -0
- package/esm/node/oidc/getWithoutPrompt.js.map +1 -1
- package/esm/node/oidc/handleOAuthResponse.js +19 -0
- package/esm/node/oidc/handleOAuthResponse.js.map +1 -1
- package/esm/node/oidc/introspect.js +1 -0
- package/esm/node/oidc/introspect.js.map +1 -1
- package/esm/node/oidc/mixin/index.js +62 -2
- package/esm/node/oidc/mixin/index.js.map +1 -1
- package/esm/node/oidc/mixin/minimal.js +1 -0
- package/esm/node/oidc/mixin/minimal.js.map +1 -1
- package/esm/node/oidc/options/OAuthOptionsConstructor.js +1 -0
- package/esm/node/oidc/options/OAuthOptionsConstructor.js.map +1 -1
- package/esm/node/oidc/parseFromUrl.js +1 -0
- package/esm/node/oidc/parseFromUrl.js.map +1 -1
- package/esm/node/oidc/renewToken.js +5 -2
- package/esm/node/oidc/renewToken.js.map +1 -1
- package/esm/node/oidc/renewTokens.js +6 -1
- package/esm/node/oidc/renewTokens.js.map +1 -1
- package/esm/node/oidc/renewTokensWithRefresh.js +15 -5
- package/esm/node/oidc/renewTokensWithRefresh.js.map +1 -1
- package/esm/node/oidc/revokeToken.js +1 -0
- package/esm/node/oidc/revokeToken.js.map +1 -1
- package/esm/node/oidc/storage.js +1 -0
- package/esm/node/oidc/storage.js.map +1 -1
- package/esm/node/oidc/types/Token.js.map +1 -1
- package/esm/node/oidc/util/browser.js +1 -0
- package/esm/node/oidc/util/browser.js.map +1 -1
- package/esm/node/oidc/util/defaultTokenParams.js +3 -2
- package/esm/node/oidc/util/defaultTokenParams.js.map +1 -1
- package/esm/node/oidc/util/oauthMeta.js +1 -0
- package/esm/node/oidc/util/oauthMeta.js.map +1 -1
- package/esm/node/oidc/util/prepareEnrollAuthenticatorParams.js +1 -0
- package/esm/node/oidc/util/prepareEnrollAuthenticatorParams.js.map +1 -1
- package/esm/node/oidc/util/prepareTokenParams.js +4 -0
- package/esm/node/oidc/util/prepareTokenParams.js.map +1 -1
- package/esm/node/oidc/util/validateToken.js +1 -0
- package/esm/node/oidc/util/validateToken.js.map +1 -1
- package/esm/node/oidc/verifyToken.js +1 -0
- package/esm/node/oidc/verifyToken.js.map +1 -1
- package/esm/node/package.json +1 -1
- package/esm/node/server/serverStorage.js +1 -0
- package/esm/node/server/serverStorage.js.map +1 -1
- package/esm/node/session/api.js +1 -0
- package/esm/node/session/api.js.map +1 -1
- package/esm/node/storage/options/StorageOptionsConstructor.js +1 -0
- package/esm/node/storage/options/StorageOptionsConstructor.js.map +1 -1
- package/package.json +4 -3
- package/types/lib/base/types.d.ts +1 -0
- package/types/lib/core/options.d.ts +1 -0
- package/types/lib/errors/OAuthError.d.ts +3 -1
- package/types/lib/errors/WWWAuthError.d.ts +29 -0
- package/types/lib/errors/index.d.ts +3 -1
- package/types/lib/features.d.ts +1 -0
- package/types/lib/idx/options.d.ts +1 -0
- package/types/lib/idx/types/options.d.ts +1 -0
- package/types/lib/oidc/dpop.d.ts +35 -0
- package/types/lib/oidc/endpoints/token.d.ts +5 -2
- package/types/lib/oidc/options/OAuthOptionsConstructor.d.ts +1 -0
- package/types/lib/oidc/types/Token.d.ts +3 -0
- package/types/lib/oidc/types/api.d.ts +13 -0
- package/types/lib/oidc/types/meta.d.ts +1 -1
- package/types/lib/oidc/types/options.d.ts +3 -0
- package/umd/authn.js +1 -1
- package/umd/authn.js.map +1 -1
- package/umd/core.js +1 -1
- package/umd/core.js.map +1 -1
- package/umd/default.js +1 -1
- package/umd/default.js.map +1 -1
- package/umd/idx.js +1 -1
- package/umd/idx.js.map +1 -1
- package/umd/myaccount.js +1 -1
- package/umd/myaccount.js.map +1 -1
|
@@ -5,6 +5,7 @@ exports.postToTokenEndpoint = postToTokenEndpoint;
|
|
|
5
5
|
var _errors = require("../../errors");
|
|
6
6
|
var _util = require("../../util");
|
|
7
7
|
var _http = require("../../http");
|
|
8
|
+
var _dpop = require("../dpop");
|
|
8
9
|
/*!
|
|
9
10
|
* Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
|
|
10
11
|
* The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
|
|
@@ -56,38 +57,91 @@ function getPostData(sdk, options) {
|
|
|
56
57
|
return (0, _util.toQueryString)(params).slice(1);
|
|
57
58
|
}
|
|
58
59
|
|
|
59
|
-
|
|
60
|
-
function
|
|
61
|
-
|
|
62
|
-
|
|
60
|
+
/* eslint complexity: [2, 10] */
|
|
61
|
+
async function makeTokenRequest(sdk, {
|
|
62
|
+
url,
|
|
63
|
+
data,
|
|
64
|
+
nonce,
|
|
65
|
+
dpopKeyPair
|
|
66
|
+
}) {
|
|
67
|
+
const method = 'POST';
|
|
63
68
|
const headers = {
|
|
64
69
|
'Content-Type': 'application/x-www-form-urlencoded'
|
|
65
70
|
};
|
|
66
|
-
|
|
71
|
+
if (sdk.options.dpop) {
|
|
72
|
+
if (!dpopKeyPair) {
|
|
73
|
+
throw new _errors.AuthSdkError('DPoP is configured but no key pair was provided');
|
|
74
|
+
}
|
|
75
|
+
const proof = await (0, _dpop.generateDPoPForTokenRequest)({
|
|
76
|
+
url,
|
|
77
|
+
method,
|
|
78
|
+
nonce,
|
|
79
|
+
keyPair: dpopKeyPair
|
|
80
|
+
});
|
|
81
|
+
headers.DPoP = proof;
|
|
82
|
+
}
|
|
83
|
+
try {
|
|
84
|
+
const resp = await (0, _http.httpRequest)(sdk, {
|
|
85
|
+
url,
|
|
86
|
+
method,
|
|
87
|
+
args: data,
|
|
88
|
+
headers
|
|
89
|
+
});
|
|
90
|
+
return resp;
|
|
91
|
+
} catch (err) {
|
|
92
|
+
if ((0, _dpop.isDPoPNonceError)(err) && !nonce) {
|
|
93
|
+
const dpopNonce = err.resp?.headers['dpop-nonce'];
|
|
94
|
+
if (!dpopNonce) {
|
|
95
|
+
// throws error is dpop-nonce header cannot be found, prevents infinite loop
|
|
96
|
+
throw new _errors.AuthApiError({
|
|
97
|
+
errorSummary: 'No `dpop-nonce` header found when required'
|
|
98
|
+
}, err.resp ?? undefined // yay ts
|
|
99
|
+
);
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
return makeTokenRequest(sdk, {
|
|
103
|
+
url,
|
|
104
|
+
data,
|
|
105
|
+
dpopKeyPair,
|
|
106
|
+
nonce: dpopNonce
|
|
107
|
+
});
|
|
108
|
+
}
|
|
109
|
+
throw err;
|
|
110
|
+
}
|
|
111
|
+
}
|
|
112
|
+
|
|
113
|
+
// exchange authorization code for an access token
|
|
114
|
+
async function postToTokenEndpoint(sdk, options, urls) {
|
|
115
|
+
validateOptions(options);
|
|
116
|
+
var data = getPostData(sdk, options);
|
|
117
|
+
const params = {
|
|
67
118
|
url: urls.tokenUrl,
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
119
|
+
data,
|
|
120
|
+
dpopKeyPair: options?.dpopKeyPair
|
|
121
|
+
};
|
|
122
|
+
return makeTokenRequest(sdk, params);
|
|
72
123
|
}
|
|
73
|
-
function postRefreshToken(sdk, options, refreshToken) {
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
124
|
+
async function postRefreshToken(sdk, options, refreshToken) {
|
|
125
|
+
const data = Object.entries({
|
|
126
|
+
client_id: options.clientId,
|
|
127
|
+
// eslint-disable-line camelcase
|
|
128
|
+
grant_type: 'refresh_token',
|
|
129
|
+
// eslint-disable-line camelcase
|
|
130
|
+
scope: refreshToken.scopes.join(' '),
|
|
131
|
+
refresh_token: refreshToken.refreshToken // eslint-disable-line camelcase
|
|
132
|
+
}).map(function ([name, value]) {
|
|
133
|
+
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
|
|
134
|
+
return name + '=' + encodeURIComponent(value);
|
|
135
|
+
}).join('&');
|
|
136
|
+
let url = refreshToken.tokenUrl;
|
|
137
|
+
if (options.extraParams && Object.keys(options.extraParams).length >= 1) {
|
|
138
|
+
url += (0, _util.toQueryString)(options.extraParams);
|
|
139
|
+
}
|
|
140
|
+
const params = {
|
|
141
|
+
url,
|
|
142
|
+
data,
|
|
143
|
+
dpopKeyPair: options?.dpopKeyPair
|
|
144
|
+
};
|
|
145
|
+
return makeTokenRequest(sdk, params);
|
|
92
146
|
}
|
|
93
147
|
//# sourceMappingURL=token.js.map
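Review bot: In the `catch` branch of `makeTokenRequest`, `err.resp?.headers['dpop-nonce']` guards only `resp`, so unless `isDPoPNonceError` (not visible here) already guarantees a `headers` object, a response without one raises a TypeError that hides the original token-endpoint error. Writing it as `const dpopNonce = err.resp?.headers?.['dpop-nonce'];` keeps the failure on the intended `AuthApiError` path. The single retry is correctly bounded by the `!nonce` check. Separately, `postRefreshToken` appends `extraParams` to `url` and passes that same string to `generateDPoPForTokenRequest`; confirm the helper drops the query string before setting the proof's `htu` claim, which RFC 9449 defines without query and fragment, otherwise a strict server may reject the refresh.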
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token.js","names":["validateOptions","options","clientId","AuthSdkError","redirectUri","authorizationCode","interactionCode","codeVerifier","getPostData","sdk","params","removeNils","code","clientSecret","toQueryString","slice","
|
|
1
|
+
{"version":3,"file":"token.js","names":["validateOptions","options","clientId","AuthSdkError","redirectUri","authorizationCode","interactionCode","codeVerifier","getPostData","sdk","params","removeNils","code","clientSecret","toQueryString","slice","makeTokenRequest","url","data","nonce","dpopKeyPair","method","headers","dpop","proof","generateDPoPForTokenRequest","keyPair","DPoP","resp","httpRequest","args","err","isDPoPNonceError","dpopNonce","AuthApiError","errorSummary","undefined","postToTokenEndpoint","urls","tokenUrl","postRefreshToken","refreshToken","Object","entries","client_id","grant_type","scope","scopes","join","refresh_token","map","name","value","encodeURIComponent","extraParams","keys","length"],"sources":["../../../../lib/oidc/endpoints/token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport { AuthSdkError, AuthApiError } from '../../errors';\nimport { CustomUrls, OAuthParams, OAuthResponse, RefreshToken, TokenParams } from '../types';\nimport { removeNils, toQueryString } from '../../util';\nimport { httpRequest, OktaAuthHttpInterface } from '../../http';\nimport { generateDPoPForTokenRequest, isDPoPNonceError } from '../dpop';\n\nexport interface TokenEndpointParams extends TokenParams {\n dpopKeyPair?: CryptoKeyPair;\n}\n\ninterface TokenRequestParams {\n url: string;\n data: any;\n dpopKeyPair?: CryptoKeyPair;\n nonce?: 
string;\n}\n\nfunction validateOptions(options: TokenEndpointParams) {\n // Quick validation\n if (!options.clientId) {\n throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token');\n }\n\n if (!options.redirectUri) {\n throw new AuthSdkError('The redirectUri passed to /authorize must also be passed to /token');\n }\n\n if (!options.authorizationCode && !options.interactionCode) {\n throw new AuthSdkError('An authorization code (returned from /authorize) must be passed to /token');\n }\n\n if (!options.codeVerifier) {\n throw new AuthSdkError('The \"codeVerifier\" (generated and saved by your app) must be passed to /token');\n }\n}\n\nfunction getPostData(sdk, options: TokenParams): string {\n // Convert Token params to OAuth params, sent to the /token endpoint\n var params: OAuthParams = removeNils({\n 'client_id': options.clientId,\n 'redirect_uri': options.redirectUri,\n 'grant_type': options.interactionCode ? 'interaction_code' : 'authorization_code',\n 'code_verifier': options.codeVerifier\n });\n\n if (options.interactionCode) {\n params['interaction_code'] = options.interactionCode;\n } else if (options.authorizationCode) {\n params.code = options.authorizationCode;\n }\n\n const { clientSecret } = sdk.options;\n if (clientSecret) {\n params['client_secret'] = clientSecret;\n }\n\n // Encode as URL string\n return toQueryString(params).slice(1);\n}\n\n/* eslint complexity: [2, 10] */\nasync function makeTokenRequest (sdk, { url, data, nonce, dpopKeyPair }: TokenRequestParams): Promise<OAuthResponse> {\n const method = 'POST';\n const headers: any = {\n 'Content-Type': 'application/x-www-form-urlencoded',\n };\n\n if (sdk.options.dpop) {\n if (!dpopKeyPair) {\n throw new AuthSdkError('DPoP is configured but no key pair was provided');\n }\n\n const proof = await generateDPoPForTokenRequest({ url, method, nonce, keyPair: dpopKeyPair });\n headers.DPoP = proof;\n }\n\n try {\n const resp = await httpRequest(sdk, {\n url,\n 
method,\n args: data,\n headers\n });\n return resp;\n }\n catch (err) {\n if (isDPoPNonceError(err) && !nonce) {\n const dpopNonce = err.resp?.headers['dpop-nonce'];\n if (!dpopNonce) {\n // throws error is dpop-nonce header cannot be found, prevents infinite loop\n throw new AuthApiError(\n {errorSummary: 'No `dpop-nonce` header found when required'},\n err.resp ?? undefined // yay ts\n );\n }\n return makeTokenRequest(sdk, { url, data, dpopKeyPair, nonce: dpopNonce });\n }\n throw err;\n }\n}\n\n// exchange authorization code for an access token\nexport async function postToTokenEndpoint(sdk, options: TokenEndpointParams, urls: CustomUrls): Promise<OAuthResponse> {\n validateOptions(options);\n var data = getPostData(sdk, options);\n\n const params: TokenRequestParams = {\n url: urls.tokenUrl!,\n data,\n dpopKeyPair: options?.dpopKeyPair\n };\n\n return makeTokenRequest(sdk, params);\n}\n\nexport async function postRefreshToken(\n sdk: OktaAuthHttpInterface,\n options: TokenEndpointParams,\n refreshToken: RefreshToken\n): Promise<OAuthResponse> {\n const data = Object.entries({\n client_id: options.clientId, // eslint-disable-line camelcase\n grant_type: 'refresh_token', // eslint-disable-line camelcase\n scope: refreshToken.scopes.join(' '),\n refresh_token: refreshToken.refreshToken, // eslint-disable-line camelcase\n }).map(function ([name, value]) {\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return name + '=' + encodeURIComponent(value!);\n }).join('&');\n\n let url = refreshToken.tokenUrl;\n if (options.extraParams && Object.keys(options.extraParams).length >= 1) {\n url += toQueryString(options.extraParams);\n }\n\n const params: TokenRequestParams = {\n url,\n data,\n dpopKeyPair: options?.dpopKeyPair\n };\n\n return makeTokenRequest(sdk, 
params);\n}\n"],"mappings":";;;;AAaA;AAEA;AACA;AACA;AAjBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoBA,SAASA,eAAe,CAACC,OAA4B,EAAE;EACrD;EACA,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;IACrB,MAAM,IAAIC,oBAAY,CAAC,yEAAyE,CAAC;EACnG;EAEA,IAAI,CAACF,OAAO,CAACG,WAAW,EAAE;IACxB,MAAM,IAAID,oBAAY,CAAC,oEAAoE,CAAC;EAC9F;EAEA,IAAI,CAACF,OAAO,CAACI,iBAAiB,IAAI,CAACJ,OAAO,CAACK,eAAe,EAAE;IAC1D,MAAM,IAAIH,oBAAY,CAAC,2EAA2E,CAAC;EACrG;EAEA,IAAI,CAACF,OAAO,CAACM,YAAY,EAAE;IACzB,MAAM,IAAIJ,oBAAY,CAAC,+EAA+E,CAAC;EACzG;AACF;AAEA,SAASK,WAAW,CAACC,GAAG,EAAER,OAAoB,EAAU;EACtD;EACA,IAAIS,MAAmB,GAAG,IAAAC,gBAAU,EAAC;IACnC,WAAW,EAAEV,OAAO,CAACC,QAAQ;IAC7B,cAAc,EAAED,OAAO,CAACG,WAAW;IACnC,YAAY,EAAEH,OAAO,CAACK,eAAe,GAAG,kBAAkB,GAAG,oBAAoB;IACjF,eAAe,EAAEL,OAAO,CAACM;EAC3B,CAAC,CAAC;EAEF,IAAIN,OAAO,CAACK,eAAe,EAAE;IAC3BI,MAAM,CAAC,kBAAkB,CAAC,GAAGT,OAAO,CAACK,eAAe;EACtD,CAAC,MAAM,IAAIL,OAAO,CAACI,iBAAiB,EAAE;IACpCK,MAAM,CAACE,IAAI,GAAGX,OAAO,CAACI,iBAAiB;EACzC;EAEA,MAAM;IAAEQ;EAAa,CAAC,GAAGJ,GAAG,CAACR,OAAO;EACpC,IAAIY,YAAY,EAAE;IAChBH,MAAM,CAAC,eAAe,CAAC,GAAGG,YAAY;EACxC;;EAEA;EACA,OAAO,IAAAC,mBAAa,EAACJ,MAAM,CAAC,CAACK,KAAK,CAAC,CAAC,CAAC;AACvC;;AAEA;AACA,eAAeC,gBAAgB,CAAEP,GAAG,EAAE;EAAEQ,GAAG;EAAEC,IAAI;EAAEC,KAAK;EAAEC;AAAgC,CAAC,EAA0B;EACnH,MAAMC,MAAM,GAAG,MAAM;EACrB,MAAMC,OAAY,GAAG;IACnB,cAAc,EAAE;EAClB,CAAC;EAED,IAAIb,GAAG,CAACR,OAAO,CAACsB,IAAI,EAAE;IACpB,IAAI,CAACH,WAAW,EAAE;MAChB,MAAM,IAAIjB,oBAAY,CAAC,iDAAiD,CAAC;IAC3E;IAEA,MAAMqB,KAAK,GAAG,MAAM,IAAAC,iCAA2B,EAAC;MAAER,GAAG;MAAEI,MAAM;MAAEF,KAAK;MAAEO,OAAO,EAAEN;IAAY,CAAC,CAAC;IAC7FE,OAAO,CAACK,IAAI,GAAGH,KAAK;EACtB;EAEA,IAAI;IACF,MAAMI,IAAI,GAAG,MAAM,IAAAC,iBAAW,EAACpB,GAAG,EAAE;MAClCQ,GAAG;MACHI,MAAM;MACNS,IAAI,EAAEZ,IAAI;MACVI;IACF,CAAC,CAAC;IACF,OAAOM,IAAI;EACb,CAAC,CACD,OAAOG,GAAG,EAAE;IACV,IAAI,IAAAC,sBAAgB,EAACD,GAAG,CAAC,IAAI,CAACZ,KAAK,EAAE;MACnC,MAAMc,SAAS,GAAGF,GAAG,CAACH,IAAI,EAAEN,OAAO,CAAC,YAAY,CAAC;MACjD,IAAI,CAACW,SAAS,EAAE;QACd;QACA,MAAM,IAAIC,oBAAY,CACpB;UAACC,YAAY,EAAE;QAA4C,CAAC,EAC5DJ,GAAG,CAACH,IAAI,IAAIQ
,SAAS,CAAI;QAAA,CAC1B;MACH;;MACA,OAAOpB,gBAAgB,CAACP,GAAG,EAAE;QAAEQ,GAAG;QAAEC,IAAI;QAAEE,WAAW;QAAED,KAAK,EAAEc;MAAU,CAAC,CAAC;IAC5E;IACA,MAAMF,GAAG;EACX;AACF;;AAEA;AACO,eAAeM,mBAAmB,CAAC5B,GAAG,EAAER,OAA4B,EAAEqC,IAAgB,EAA0B;EACrHtC,eAAe,CAACC,OAAO,CAAC;EACxB,IAAIiB,IAAI,GAAGV,WAAW,CAACC,GAAG,EAAER,OAAO,CAAC;EAEpC,MAAMS,MAA0B,GAAG;IACjCO,GAAG,EAAEqB,IAAI,CAACC,QAAS;IACnBrB,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC;AAEO,eAAe8B,gBAAgB,CACpC/B,GAA0B,EAC1BR,OAA4B,EAC5BwC,YAA0B,EACF;EACxB,MAAMvB,IAAI,GAAGwB,MAAM,CAACC,OAAO,CAAC;IAC1BC,SAAS,EAAE3C,OAAO,CAACC,QAAQ;IAAE;IAC7B2C,UAAU,EAAE,eAAe;IAAE;IAC7BC,KAAK,EAAEL,YAAY,CAACM,MAAM,CAACC,IAAI,CAAC,GAAG,CAAC;IACpCC,aAAa,EAAER,YAAY,CAACA,YAAY,CAAE;EAC5C,CAAC,CAAC,CAACS,GAAG,CAAC,UAAU,CAACC,IAAI,EAAEC,KAAK,CAAC,EAAE;IAC9B;IACA,OAAOD,IAAI,GAAG,GAAG,GAAGE,kBAAkB,CAACD,KAAK,CAAE;EAChD,CAAC,CAAC,CAACJ,IAAI,CAAC,GAAG,CAAC;EAEZ,IAAI/B,GAAG,GAAGwB,YAAY,CAACF,QAAQ;EAC/B,IAAItC,OAAO,CAACqD,WAAW,IAAIZ,MAAM,CAACa,IAAI,CAACtD,OAAO,CAACqD,WAAW,CAAC,CAACE,MAAM,IAAI,CAAC,EAAE;IACvEvC,GAAG,IAAI,IAAAH,mBAAa,EAACb,OAAO,CAACqD,WAAW,CAAC;EAC3C;EAEA,MAAM5C,MAA0B,GAAG;IACjCO,GAAG;IACHC,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC"}
|
|
@@ -5,6 +5,7 @@ var _util = require("./util");
|
|
|
5
5
|
var _util2 = require("../util");
|
|
6
6
|
var _token = require("./endpoints/token");
|
|
7
7
|
var _handleOAuthResponse = require("./handleOAuthResponse");
|
|
8
|
+
var _dpop = require("./dpop");
|
|
8
9
|
/* eslint-disable @typescript-eslint/no-non-null-assertion */
|
|
9
10
|
/* eslint-disable max-len */
|
|
10
11
|
/*!
|
|
@@ -21,7 +22,7 @@ var _handleOAuthResponse = require("./handleOAuthResponse");
|
|
|
21
22
|
*/
|
|
22
23
|
|
|
23
24
|
// codeVerifier is required. May pass either an authorizationCode or interactionCode
|
|
24
|
-
function exchangeCodeForTokens(sdk, tokenParams, urls) {
|
|
25
|
+
async function exchangeCodeForTokens(sdk, tokenParams, urls) {
|
|
25
26
|
urls = urls || (0, _util.getOAuthUrls)(sdk, tokenParams);
|
|
26
27
|
// build params using defaults + options
|
|
27
28
|
tokenParams = Object.assign({}, (0, _util.getDefaultTokenParams)(sdk), (0, _util2.clone)(tokenParams));
|
|
@@ -34,40 +35,64 @@ function exchangeCodeForTokens(sdk, tokenParams, urls) {
|
|
|
34
35
|
scopes,
|
|
35
36
|
ignoreSignature,
|
|
36
37
|
state,
|
|
37
|
-
acrValues
|
|
38
|
+
acrValues,
|
|
39
|
+
dpop,
|
|
40
|
+
dpopPairId,
|
|
41
|
+
extraParams
|
|
38
42
|
} = tokenParams;
|
|
39
|
-
|
|
43
|
+
|
|
44
|
+
// postToTokenEndpoint() params
|
|
45
|
+
const getTokenOptions = {
|
|
40
46
|
clientId,
|
|
41
47
|
redirectUri,
|
|
42
48
|
authorizationCode,
|
|
43
49
|
interactionCode,
|
|
44
|
-
codeVerifier
|
|
50
|
+
codeVerifier,
|
|
51
|
+
dpop
|
|
45
52
|
};
|
|
46
|
-
return (0, _token.postToTokenEndpoint)(sdk, getTokenOptions, urls).then(response => {
|
|
47
|
-
// `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints
|
|
48
|
-
// Here we modify the response from `/token` so that it more closely matches a response from `/authorize`
|
|
49
|
-
// `responseType` is used to validate that the expected tokens were returned
|
|
50
|
-
const responseType = ['token']; // an accessToken will always be returned
|
|
51
|
-
if (scopes.indexOf('openid') !== -1) {
|
|
52
|
-
responseType.push('id_token'); // an idToken will be returned if "openid" is in the scopes
|
|
53
|
-
}
|
|
54
53
|
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
54
|
+
// `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints
|
|
55
|
+
// Here we modify the response from `/token` so that it more closely matches a response from `/authorize`
|
|
56
|
+
// `responseType` is used to validate that the expected tokens were returned
|
|
57
|
+
const responseType = ['token']; // an accessToken will always be returned
|
|
58
|
+
if (scopes.indexOf('openid') !== -1) {
|
|
59
|
+
responseType.push('id_token'); // an idToken will be returned if "openid" is in the scopes
|
|
60
|
+
}
|
|
61
|
+
// handleOAuthResponse() params
|
|
62
|
+
const handleResponseOptions = {
|
|
63
|
+
clientId,
|
|
64
|
+
redirectUri,
|
|
65
|
+
scopes,
|
|
66
|
+
responseType,
|
|
67
|
+
ignoreSignature,
|
|
68
|
+
acrValues,
|
|
69
|
+
extraParams
|
|
70
|
+
};
|
|
71
|
+
try {
|
|
72
|
+
if (dpop) {
|
|
73
|
+
// token refresh, KP should already exist
|
|
74
|
+
if (dpopPairId) {
|
|
75
|
+
const keyPair = await (0, _dpop.findKeyPair)(dpopPairId);
|
|
76
|
+
getTokenOptions.dpopKeyPair = keyPair;
|
|
77
|
+
handleResponseOptions.dpop = dpop;
|
|
78
|
+
handleResponseOptions.dpopPairId = dpopPairId;
|
|
79
|
+
} else {
|
|
80
|
+
const {
|
|
81
|
+
keyPair,
|
|
82
|
+
keyPairId
|
|
83
|
+
} = await (0, _dpop.createDPoPKeyPair)();
|
|
84
|
+
getTokenOptions.dpopKeyPair = keyPair;
|
|
85
|
+
handleResponseOptions.dpop = dpop;
|
|
86
|
+
handleResponseOptions.dpopPairId = keyPairId;
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
const oauthResponse = await (0, _token.postToTokenEndpoint)(sdk, getTokenOptions, urls);
|
|
90
|
+
const tokenResponse = await (0, _handleOAuthResponse.handleOAuthResponse)(sdk, handleResponseOptions, oauthResponse, urls);
|
|
91
|
+
tokenResponse.code = authorizationCode;
|
|
92
|
+
tokenResponse.state = state;
|
|
93
|
+
return tokenResponse;
|
|
94
|
+
} finally {
|
|
70
95
|
sdk.transactionManager.clear();
|
|
71
|
-
}
|
|
96
|
+
}
|
|
72
97
|
}
|
|
73
98
|
//# sourceMappingURL=exchangeCodeForTokens.js.map
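Review bot: In the `if (dpopPairId)` branch of the new `try` block, the result of `findKeyPair(dpopPairId)` is assigned to `getTokenOptions.dpopKeyPair` without a check, although the comment above it only says the key pair "should already exist". `findKeyPair` is defined in `./dpop`, outside this section, so whether it rejects on a miss cannot be confirmed here. If it can resolve to nothing, the token request is built with `dpop` set and no key to sign the proof. A guard such as `if (!keyPair) { throw new AuthSdkError('DPoP key pair not found for dpopPairId'); }` would fail before any network call; it needs `require("../errors")`, which this file does not import yet. If the helper already throws, a comment saying so next to the call is enough.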
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exchangeCodeForTokens.js","names":["exchangeCodeForTokens","sdk","tokenParams","urls","getOAuthUrls","Object","assign","getDefaultTokenParams","clone","authorizationCode","interactionCode","codeVerifier","clientId","redirectUri","scopes","ignoreSignature","state","acrValues","
|
|
1
|
+
{"version":3,"file":"exchangeCodeForTokens.js","names":["exchangeCodeForTokens","sdk","tokenParams","urls","getOAuthUrls","Object","assign","getDefaultTokenParams","clone","authorizationCode","interactionCode","codeVerifier","clientId","redirectUri","scopes","ignoreSignature","state","acrValues","dpop","dpopPairId","extraParams","getTokenOptions","responseType","indexOf","push","handleResponseOptions","keyPair","findKeyPair","dpopKeyPair","keyPairId","createDPoPKeyPair","oauthResponse","postToTokenEndpoint","tokenResponse","handleOAuthResponse","code","transactionManager","clear"],"sources":["../../../lib/oidc/exchangeCodeForTokens.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/* eslint-disable max-len */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { CustomUrls, OAuthResponse, OAuthResponseType, OktaAuthOAuthInterface, TokenParams, TokenResponse } from './types';\nimport { getOAuthUrls, getDefaultTokenParams } from './util';\nimport { clone } from '../util';\nimport { postToTokenEndpoint, TokenEndpointParams } from './endpoints/token';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { createDPoPKeyPair, findKeyPair } from './dpop';\n\n// codeVerifier is required. 
May pass either an authorizationCode or interactionCode\nexport async function exchangeCodeForTokens(sdk: OktaAuthOAuthInterface, tokenParams: TokenParams, urls?: CustomUrls): Promise<TokenResponse> {\n urls = urls || getOAuthUrls(sdk, tokenParams);\n // build params using defaults + options\n tokenParams = Object.assign({}, getDefaultTokenParams(sdk), clone(tokenParams));\n\n const {\n authorizationCode,\n interactionCode,\n codeVerifier,\n clientId,\n redirectUri,\n scopes,\n ignoreSignature,\n state,\n acrValues,\n dpop,\n dpopPairId,\n extraParams\n } = tokenParams;\n\n // postToTokenEndpoint() params\n const getTokenOptions: TokenEndpointParams = {\n clientId,\n redirectUri,\n authorizationCode,\n interactionCode,\n codeVerifier,\n dpop,\n };\n\n // `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints\n // Here we modify the response from `/token` so that it more closely matches a response from `/authorize`\n // `responseType` is used to validate that the expected tokens were returned\n const responseType: OAuthResponseType[] = ['token']; // an accessToken will always be returned\n if (scopes!.indexOf('openid') !== -1) {\n responseType.push('id_token'); // an idToken will be returned if \"openid\" is in the scopes\n }\n // handleOAuthResponse() params\n const handleResponseOptions: TokenParams = {\n clientId,\n redirectUri,\n scopes,\n responseType,\n ignoreSignature,\n acrValues,\n extraParams\n };\n\n try {\n if (dpop) {\n // token refresh, KP should already exist\n if (dpopPairId) {\n const keyPair = await findKeyPair(dpopPairId);\n getTokenOptions.dpopKeyPair = keyPair;\n handleResponseOptions.dpop = dpop;\n handleResponseOptions.dpopPairId = dpopPairId;\n }\n else {\n const { keyPair, keyPairId } = await createDPoPKeyPair();\n getTokenOptions.dpopKeyPair = keyPair;\n handleResponseOptions.dpop = dpop;\n handleResponseOptions.dpopPairId = keyPairId;\n }\n }\n\n const oauthResponse: OAuthResponse = await 
postToTokenEndpoint(sdk, getTokenOptions, urls);\n\n const tokenResponse: TokenResponse = await handleOAuthResponse(sdk, handleResponseOptions, oauthResponse, urls!);\n tokenResponse.code = authorizationCode;\n tokenResponse.state = state!;\n return tokenResponse;\n }\n finally {\n sdk.transactionManager.clear();\n }\n}\n"],"mappings":";;;AAeA;AACA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA;AACO,eAAeA,qBAAqB,CAACC,GAA2B,EAAEC,WAAwB,EAAEC,IAAiB,EAA0B;EAC5IA,IAAI,GAAGA,IAAI,IAAI,IAAAC,kBAAY,EAACH,GAAG,EAAEC,WAAW,CAAC;EAC7C;EACAA,WAAW,GAAGG,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAAC,2BAAqB,EAACN,GAAG,CAAC,EAAE,IAAAO,YAAK,EAACN,WAAW,CAAC,CAAC;EAE/E,MAAM;IACJO,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZC,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNC,eAAe;IACfC,KAAK;IACLC,SAAS;IACTC,IAAI;IACJC,UAAU;IACVC;EACF,CAAC,GAAGlB,WAAW;;EAEf;EACA,MAAMmB,eAAoC,GAAG;IAC3CT,QAAQ;IACRC,WAAW;IACXJ,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZO;EACF,CAAC;;EAED;EACA;EACA;EACA,MAAMI,YAAiC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;EACrD,IAAIR,MAAM,CAAES,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;IACpCD,YAAY,CAACE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;EACjC;EACA;EACA,MAAMC,qBAAkC,GAAG;IACzCb,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNQ,YAAY;IACZP,eAAe;IACfE,SAAS;IACTG;EACF,CAAC;EAED,IAAI;IACF,IAAIF,IAAI,EAAE;MACR;MACA,IAAIC,UAAU,EAAE;QACd,MAAMO,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACR,UAAU,CAAC;QAC7CE,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACP,IAAI,GAAGA,IAAI;QACjCO,qBAAqB,CAACN,UAAU,GAAGA,UAAU;MAC/C,CAAC,MACI;QACH,MAAM;UAAEO,OAAO;UAAEG;QAAU,CAAC,GAAG,MAAM,IAAAC,uBAAiB,GAAE;QACxDT,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACP,IAAI,GAAGA,IAAI;QACjCO,qBAAqB,CAACN,UAAU,GAAGU,SAAS;MAC9C;IACF;IAEA,MAAME,aAA4B,GAAG,MAAM,IAAAC,0BAAmB,EAAC/B,GAAG,EAAEoB,eAAe,EAAElB,IAAI,CAAC;IAE1F,MAAM8B,aAA4B,GAAG,MAAM,IAAAC,wCAAmB,EAACjC,GAAG,EAAEwB,qBAAqB,EAAEM,aAAa,EAAE5B,IAAI,CAAE;IAChH8B,aAAa,CAACE,IAAI,GAAG1B,iBAAiB;IACtCwB,aAAa,CAACjB,KAAK,GAAGA,KAAM;IAC5B,OAAOiB,aAAa;EACtB,CAAC,SACO;IACNhC,GAAG,CAACmC,kBAAkB,CAACC,KAAK,EAAE;EAChC
;AACF"}
|
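--- a/package/cjs/oidc/getUserInfo.js
+++ b/package/cjs/oidc/getUserInfo.js
@@ -1,7 +1,6 @@
 "use strict";
 
 exports.getUserInfo = getUserInfo;
-var _util = require("../util");
 var _errors = require("../errors");
 var _http = require("../http");
 var _types = require("./types");
@@ -33,32 +32,48 @@ async function getUserInfo(sdk, accessTokenObject, idTokenObject) {
 if (!idTokenObject || !(0, _types.isIDToken)(idTokenObject)) {
 return Promise.reject(new _errors.AuthSdkError('getUserInfo requires an ID token object'));
 }
-
+const options = {
 url: accessTokenObject.userinfoUrl,
 method: 'GET',
 accessToken: accessTokenObject.accessToken
-}
+};
+if (sdk.options.dpop) {
+const headers = await sdk.getDPoPAuthorizationHeaders({
+...options,
+accessToken: accessTokenObject
+});
+options.headers = headers;
+delete options.accessToken; // unset to prevent overriding Auth header with Bearer Token
+}
+
+return (0, _http.httpRequest)(sdk, options).then(userInfo => {
 // Only return the userinfo response if subjects match to mitigate token substitution attacks
 if (userInfo.sub === idTokenObject.claims.sub) {
 return userInfo;
 }
 return Promise.reject(new _errors.AuthSdkError('getUserInfo request was rejected due to token mismatch'));
 }).catch(function (err) {
-
-
-
-
-
-
+// throw OAuthError to avoid breaking change (when dpop is not being used)
+if (err instanceof _errors.WWWAuthError && !sdk.options.dpop) {
+const {
+error,
+errorDescription
+} = err;
+throw new _errors.OAuthError(error, errorDescription);
+}
+
+// throw OAuthError to avoid breaking change (when dpop is not being used)
+if (!sdk.options.dpop) {
+let e = err;
+if (err instanceof _errors.AuthApiError && err?.meta?.wwwAuthHeader) {
+e = _errors.WWWAuthError.parseHeader(err.meta.wwwAuthHeader);
 }
-if (
-
-
-
-
-
-err = new _errors.OAuthError(error, errorDescription);
-}
+if (e instanceof _errors.WWWAuthError) {
+const {
+error,
+errorDescription
+} = e;
+throw new _errors.OAuthError(error, errorDescription);
 }
 }
 throw err;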
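Review bot: The first block in the new `.catch` handler, `if (err instanceof _errors.WWWAuthError && !sdk.options.dpop)`, is already covered by the `if (!sdk.options.dpop)` block that follows it. That second block starts from `let e = err` and rethrows any `WWWAuthError` as `OAuthError`. Dropping the first block and its duplicated comment leaves a single error-conversion path to read and test. With `sdk.options.dpop` set the original error is rethrown unchanged, so a comment above the handler such as `// with dpop enabled the original error propagates as-is; OAuthError is only thrown when dpop is off` would make the two error contracts explicit. The opening lines of `getUserInfo` are outside the hunk.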
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"getUserInfo.js","names":["getUserInfo","sdk","accessTokenObject","idTokenObject","tokenManager","getTokens","accessToken","idToken","isAccessToken","Promise","reject","AuthSdkError","isIDToken","
|
|
1
|
+
{"version":3,"file":"getUserInfo.js","names":["getUserInfo","sdk","accessTokenObject","idTokenObject","tokenManager","getTokens","accessToken","idToken","isAccessToken","Promise","reject","AuthSdkError","isIDToken","options","url","userinfoUrl","method","dpop","headers","getDPoPAuthorizationHeaders","httpRequest","then","userInfo","sub","claims","catch","err","WWWAuthError","error","errorDescription","OAuthError","e","AuthApiError","meta","wwwAuthHeader","parseHeader"],"sources":["../../../lib/oidc/getUserInfo.ts"],"sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError, OAuthError, WWWAuthError, AuthApiError } from '../errors';\nimport { httpRequest } from '../http';\nimport { AccessToken, IDToken, UserClaims, isAccessToken, isIDToken, CustomUserClaims } from './types';\n\nexport async function getUserInfo<T extends CustomUserClaims = CustomUserClaims>(\n sdk, accessTokenObject: AccessToken,\n idTokenObject: IDToken\n): Promise<UserClaims<T>> {\n // If token objects were not passed, attempt to read from the TokenManager\n if (!accessTokenObject) {\n accessTokenObject = (await sdk.tokenManager.getTokens()).accessToken as AccessToken;\n }\n if (!idTokenObject) {\n idTokenObject = (await sdk.tokenManager.getTokens()).idToken as IDToken;\n }\n\n if (!accessTokenObject || !isAccessToken(accessTokenObject)) {\n return 
Promise.reject(new AuthSdkError('getUserInfo requires an access token object'));\n }\n\n if (!idTokenObject || !isIDToken(idTokenObject)) {\n return Promise.reject(new AuthSdkError('getUserInfo requires an ID token object'));\n }\n\n const options: any = {\n url: accessTokenObject.userinfoUrl,\n method: 'GET',\n accessToken: accessTokenObject.accessToken\n };\n\n if (sdk.options.dpop) {\n const headers = await sdk.getDPoPAuthorizationHeaders({...options, accessToken: accessTokenObject });\n options.headers = headers;\n delete options.accessToken; // unset to prevent overriding Auth header with Bearer Token\n }\n\n return httpRequest(sdk, options)\n .then(userInfo => {\n // Only return the userinfo response if subjects match to mitigate token substitution attacks\n if (userInfo.sub === idTokenObject.claims.sub) {\n return userInfo;\n }\n return Promise.reject(new AuthSdkError('getUserInfo request was rejected due to token mismatch'));\n })\n .catch(function (err) {\n // throw OAuthError to avoid breaking change (when dpop is not being used)\n if (err instanceof WWWAuthError && !sdk.options.dpop) {\n const { error, errorDescription } = err;\n throw new OAuthError(error, errorDescription);\n }\n\n // throw OAuthError to avoid breaking change (when dpop is not being used)\n if (!sdk.options.dpop) {\n let e = err;\n if (err instanceof AuthApiError && err?.meta?.wwwAuthHeader) {\n e = WWWAuthError.parseHeader(err.meta.wwwAuthHeader as string);\n }\n\n if (e instanceof WWWAuthError) {\n const { error, errorDescription } = e;\n throw new OAuthError(error, errorDescription);\n }\n }\n\n throw err;\n 
});\n}\n"],"mappings":";;;AAaA;AACA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKO,eAAeA,WAAW,CAC/BC,GAAG,EAAEC,iBAA8B,EACnCC,aAAsB,EACE;EACxB;EACA,IAAI,CAACD,iBAAiB,EAAE;IACtBA,iBAAiB,GAAG,CAAC,MAAMD,GAAG,CAACG,YAAY,CAACC,SAAS,EAAE,EAAEC,WAA0B;EACrF;EACA,IAAI,CAACH,aAAa,EAAE;IAClBA,aAAa,GAAG,CAAC,MAAMF,GAAG,CAACG,YAAY,CAACC,SAAS,EAAE,EAAEE,OAAkB;EACzE;EAEA,IAAI,CAACL,iBAAiB,IAAI,CAAC,IAAAM,oBAAa,EAACN,iBAAiB,CAAC,EAAE;IAC3D,OAAOO,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,6CAA6C,CAAC,CAAC;EACxF;EAEA,IAAI,CAACR,aAAa,IAAI,CAAC,IAAAS,gBAAS,EAACT,aAAa,CAAC,EAAE;IAC/C,OAAOM,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,yCAAyC,CAAC,CAAC;EACpF;EAEA,MAAME,OAAY,GAAG;IACnBC,GAAG,EAAEZ,iBAAiB,CAACa,WAAW;IAClCC,MAAM,EAAE,KAAK;IACbV,WAAW,EAAEJ,iBAAiB,CAACI;EACjC,CAAC;EAED,IAAIL,GAAG,CAACY,OAAO,CAACI,IAAI,EAAE;IACpB,MAAMC,OAAO,GAAG,MAAMjB,GAAG,CAACkB,2BAA2B,CAAC;MAAC,GAAGN,OAAO;MAAEP,WAAW,EAAEJ;IAAkB,CAAC,CAAC;IACpGW,OAAO,CAACK,OAAO,GAAGA,OAAO;IACzB,OAAOL,OAAO,CAACP,WAAW,CAAC,CAAM;EACnC;;EAEA,OAAO,IAAAc,iBAAW,EAACnB,GAAG,EAAEY,OAAO,CAAC,CAC7BQ,IAAI,CAACC,QAAQ,IAAI;IAChB;IACA,IAAIA,QAAQ,CAACC,GAAG,KAAKpB,aAAa,CAACqB,MAAM,CAACD,GAAG,EAAE;MAC7C,OAAOD,QAAQ;IACjB;IACA,OAAOb,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,wDAAwD,CAAC,CAAC;EACnG,CAAC,CAAC,CACDc,KAAK,CAAC,UAAUC,GAAG,EAAE;IACpB;IACA,IAAIA,GAAG,YAAYC,oBAAY,IAAI,CAAC1B,GAAG,CAACY,OAAO,CAACI,IAAI,EAAE;MACpD,MAAM;QAAEW,KAAK;QAAEC;MAAiB,CAAC,GAAGH,GAAG;MACvC,MAAM,IAAII,kBAAU,CAACF,KAAK,EAAEC,gBAAgB,CAAC;IAC/C;;IAEA;IACA,IAAI,CAAC5B,GAAG,CAACY,OAAO,CAACI,IAAI,EAAE;MACrB,IAAIc,CAAC,GAAGL,GAAG;MACX,IAAIA,GAAG,YAAYM,oBAAY,IAAIN,GAAG,EAAEO,IAAI,EAAEC,aAAa,EAAE;QAC3DH,CAAC,GAAGJ,oBAAY,CAACQ,WAAW,CAACT,GAAG,CAACO,IAAI,CAACC,aAAa,CAAW;MAChE;MAEA,IAAIH,CAAC,YAAYJ,oBAAY,EAAE;QAC7B,MAAM;UAAEC,KAAK;UAAEC;QAAiB,CAAC,GAAGE,CAAC;QACrC,MAAM,IAAID,kBAAU,CAACF,KAAK,EAAEC,gBAAgB,CAAC;MAC/C;IACF;IAEA,MAAMH,GAAG;EACX,CAAC,CAAC;AACN"}
|
|
@@ -29,6 +29,12 @@ function validateResponse(res, oauthParams) {
|
|
|
29
29
|
if (res.state !== oauthParams.state) {
|
|
30
30
|
throw new _errors.AuthSdkError('OAuth flow response state doesn\'t match request state');
|
|
31
31
|
}
|
|
32
|
+
|
|
33
|
+
// https://datatracker.ietf.org/doc/html/rfc9449#token-response
|
|
34
|
+
// "A token_type of DPoP MUST be included in the access token response to signal to the client"
|
|
35
|
+
if (oauthParams.dpop && res.token_type !== 'DPoP') {
|
|
36
|
+
throw new _errors.AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
|
|
37
|
+
}
|
|
32
38
|
}
|
|
33
39
|
async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
34
40
|
const pkce = sdk.options.pkce !== false;
|
|
@@ -75,6 +81,12 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
|
75
81
|
authorizeUrl: urls.authorizeUrl,
|
|
76
82
|
userinfoUrl: urls.userinfoUrl
|
|
77
83
|
};
|
|
84
|
+
if (tokenParams.dpopPairId) {
|
|
85
|
+
tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;
|
|
86
|
+
}
|
|
87
|
+
if (tokenParams.extraParams) {
|
|
88
|
+
tokenDict.accessToken.extraParams = tokenParams.extraParams;
|
|
89
|
+
}
|
|
78
90
|
}
|
|
79
91
|
if (refreshToken) {
|
|
80
92
|
tokenDict.refreshToken = {
|
|
@@ -87,6 +99,12 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
|
87
99
|
authorizeUrl: urls.authorizeUrl,
|
|
88
100
|
issuer: urls.issuer
|
|
89
101
|
};
|
|
102
|
+
if (tokenParams.dpopPairId) {
|
|
103
|
+
tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;
|
|
104
|
+
}
|
|
105
|
+
if (tokenParams.extraParams) {
|
|
106
|
+
tokenDict.refreshToken.extraParams = tokenParams.extraParams;
|
|
107
|
+
}
|
|
90
108
|
}
|
|
91
109
|
if (idToken) {
|
|
92
110
|
const idJwt = sdk.token.decode(idToken);
|
|
@@ -100,6 +118,9 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
|
100
118
|
issuer: urls.issuer,
|
|
101
119
|
clientId: clientId
|
|
102
120
|
};
|
|
121
|
+
if (tokenParams.extraParams) {
|
|
122
|
+
idTokenObj.extraParams = tokenParams.extraParams;
|
|
123
|
+
}
|
|
103
124
|
const validationParams = {
|
|
104
125
|
clientId: clientId,
|
|
105
126
|
issuer: urls.issuer,
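Review bot: The new DPoP check in `validateResponse` compares `res.token_type !== 'DPoP'` case-sensitively, while RFC 6749 section 5.1 defines the `token_type` value as case-insensitive. The check fails closed, so this is an interoperability problem and not a weakening of the check: a server answering `dpop` would be rejected even though the token is bound. Normalising first, `if (oauthParams.dpop && String(res.token_type).toLowerCase() !== 'dpop') {`, still rejects a Bearer response when DPoP was configured. `validateResponse` begins above the hunk.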
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","token_type","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOAuthInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOAuthInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n const pkce = sdk.options.pkce !== false;\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || 
getOAuthUrls(sdk, tokenParams);\n\n let responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType) && responseType !== 'none') {\n responseType = [responseType];\n }\n\n let scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n const clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n const tokenDict = {} as Tokens;\n const expiresIn = res.expires_in;\n const tokenType = res.token_type;\n const accessToken = res.access_token;\n const idToken = res.id_token;\n const refreshToken = res.refresh_token;\n const now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n const accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n }\n\n if (idToken) {\n const idJwt = sdk.token.decode(idToken);\n const idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! 
+ now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n const validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken,\n acrValues: tokenParams.acrValues\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code,\n responseType\n };\n 
\n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;AACF;AAEO,eAAeC,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBP,GAAkB,EAClBQ,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKT,GAAG,CAACW,IAAI,IAAIX,GAAG,CAACY,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEjB,GAAG,CAACW,IAAI;MAC3BO,eAAe,EAAElB,GAAG,CAACY;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAIxB,GAAG,CAACyB,KAAK,EAAE;IACbD,MAAM,GAAGxB,GAAG,CAACyB,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA7B,gBAAgB,CAACC,GAAG,EAAEO,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAG9B,GAAG,CAAC+B,UAAU;EAChC,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,WAAW,GAAGlC,GAAG,CAACmC,YAAY;EACpC,MAAMC,OAAO,GAAGpC,GAAG,CAACqC,QAAQ;EAC5B,MAAMC,YAAY,GAAGtC,GAAG,CAACuC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGtC,GAAG,CAACO,KAAK,CAACgC,MAAM,CAACX,WAAW,CAAC;IAC/CL,SAAS,CAACK,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAACnB,SAAS,CAAC,GAAGU,GAAG;MAClCR,SAAS,EAAE
A,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACd0B,YAAY,EAAE1C,IAAI,CAAC0C,YAAa;MAChCC,WAAW,EAAE3C,IAAI,CAAC2C;IACpB,CAAC;EACH;EAEA,IAAIb,YAAY,EAAE;IAChBT,SAAS,CAACS,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAACnB,SAAS,CAAC,GAAGU,GAAG;MAClChB,MAAM,EAAEA,MAAM;MACd4B,QAAQ,EAAE5C,IAAI,CAAC4C,QAAS;MACxBF,YAAY,EAAE1C,IAAI,CAAC0C,YAAa;MAChCG,MAAM,EAAE7C,IAAI,CAAC6C;IACf,CAAC;EACH;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMkB,KAAK,GAAGhD,GAAG,CAACO,KAAK,CAACgC,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMmB,UAAmB,GAAG;MAC1BnB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEQ,KAAK,CAACP,OAAO;MACrBC,SAAS,EAAEM,KAAK,CAACP,OAAO,CAACS,GAAG,GAAIF,KAAK,CAACP,OAAO,CAACU,GAAI,GAAGjB,GAAG;MAAE;MAC1DhB,MAAM,EAAEA,MAAM;MACd0B,YAAY,EAAE1C,IAAI,CAAC0C,YAAa;MAChCG,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBzB,QAAQ,EAAEA;IACZ,CAAC;IAED,MAAM8B,gBAAmC,GAAG;MAC1C9B,QAAQ,EAAEA,QAAS;MACnByB,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBM,KAAK,EAAEpD,WAAW,CAACoD,KAAK;MACxBzB,WAAW,EAAEA,WAAW;MACxB0B,SAAS,EAAErD,WAAW,CAACqD;IACzB,CAAC;IAED,IAAIrD,WAAW,CAACsD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGtD,WAAW,CAACsD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAACzD,GAAG,EAAEiD,UAAU,EAAEG,gBAAgB,CAAC;IACpD7B,SAAS,CAACO,OAAO,GAAGmB,UAAU;EAChC;;EAEA;EACA,IAAIlC,YAAY,CAAC2C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACK,WAAW,EAAE;IAClE;IACA,MAAM,IAAI9B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAIiB,YAAY,CAAC2C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACO,OAAO,EAAE;IACjE;IACA,MAAM,IAAIhC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACL6D,MAAM,EAAEpC,SAAS;IACjB1B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBQ,IAAI,EAAEX,GAAG,CAACW,IAAI;IACdU;EACF,CAAC;AAEH"}
|
|
1
|
+
{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","dpop","token_type","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","extraParams","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOAuthInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n\n // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n if (oauthParams.dpop && res.token_type !== 'DPoP') {\n throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOAuthInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n const pkce = sdk.options.pkce !== false;\n\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call 
`handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || getOAuthUrls(sdk, tokenParams);\n\n let responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType) && responseType !== 'none') {\n responseType = [responseType];\n }\n\n let scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n const clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n const tokenDict = {} as Tokens;\n const expiresIn = res.expires_in;\n const tokenType = res.token_type;\n const accessToken = res.access_token;\n const idToken = res.id_token;\n const refreshToken = res.refresh_token;\n const now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n const accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n\n if (tokenParams.dpopPairId) {\n tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n }\n\n if (tokenParams.extraParams) {\n tokenDict.accessToken.extraParams = tokenParams.extraParams;\n }\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n\n if 
(tokenParams.dpopPairId) {\n tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n }\n\n if (tokenParams.extraParams) {\n tokenDict.refreshToken.extraParams = tokenParams.extraParams;\n }\n }\n\n if (idToken) {\n const idJwt = sdk.token.decode(idToken);\n const idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n if (tokenParams.extraParams) {\n idTokenObj.extraParams = tokenParams.extraParams;\n }\n\n const validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken,\n acrValues: tokenParams.acrValues\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code,\n responseType\n };\n 
\n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;;EAEA;EACA;EACA,IAAIH,WAAW,CAACI,IAAI,IAAIL,GAAG,CAACM,UAAU,KAAK,MAAM,EAAE;IACjD,MAAM,IAAIF,oBAAY,CAAC,wFAAwF,CAAC;EAClH;AACF;AAEO,eAAeG,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBT,GAAkB,EAClBU,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAGvC;EACA;EACA,IAAIA,IAAI,KAAKX,GAAG,CAACa,IAAI,IAAIb,GAAG,CAACc,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEnB,GAAG,CAACa,IAAI;MAC3BO,eAAe,EAAEpB,GAAG,CAACc;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAI1B,GAAG,CAAC2B,KAAK,EAAE;IACbD,MAAM,GAAG1B,GAAG,CAAC2B,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA/B,gBAAgB,CAACC,GAAG,EAAES,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,SAAS,GAAGlC,GAAG,CAACM,UAAU;EAChC,MAAM6B,WAAW,GAAGnC,GAAG,CAACoC,YAAY;EACpC,MAAMC,OAAO,GAAGrC,GAAG,CAACsC,QAAQ;EAC5B,MAAMC,YAAY,GAAGvC,GAAG,CAACwC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGrC,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MAC
tBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCC,WAAW,EAAE1C,IAAI,CAAC0C;IACpB,CAAC;IAED,IAAI3C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC3D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACI,WAAW,CAACmB,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC7D;EACF;EAEA,IAAIf,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCf,MAAM,EAAEA,MAAM;MACd6B,QAAQ,EAAE7C,IAAI,CAAC6C,QAAS;MACxBJ,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C;IACf,CAAC;IAED,IAAI/C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC5D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACQ,YAAY,CAACe,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC9D;EACF;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMoB,KAAK,GAAGjD,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMqB,UAAmB,GAAG;MAC1BrB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEU,KAAK,CAACT,OAAO;MACrBC,SAAS,EAAEQ,KAAK,CAACT,OAAO,CAACW,GAAG,GAAIF,KAAK,CAACT,OAAO,CAACY,GAAI,GAAGnB,GAAG;MAAE;MAC1Df,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpB1B,QAAQ,EAAEA;IACZ,CAAC;IAED,IAAIrB,WAAW,CAAC6C,WAAW,EAAE;MAC3BI,UAAU,CAACJ,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAClD;IAEA,MAAMO,gBAAmC,GAAG;MAC1C/B,QAAQ,EAAEA,QAAS;MACnB0B,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpBM,KAAK,EAAErD,WAAW,CAACqD,KAAK;MACxB3B,WAAW,EAAEA,WAAW;MACxB4B,SAAS,EAAEtD,WAAW,CAACsD;IACzB,CAAC;IAED,IAAItD,WAAW,CAACuD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGvD,WAAW,CAACuD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAAC1D,GAAG,EAAEkD,UAAU,EAAEG,gBAAgB,CAAC;IACpD9B,SAAS,CAACM,OAAO,GAAGqB,UAAU;EAChC;;EAEA;EACA,IAAInC,YAAY,CAAC4C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAI/B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAImB,YAAY,CAAC4C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SA
AS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAIjC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACLgE,MAAM,EAAErC,SAAS;IACjB5B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBU,IAAI,EAAEb,GAAG,CAACa,IAAI;IACdU;EACF,CAAC;AAEH"}
|