@redocly/realm 0.129.0-next.5 → 0.129.0

package/dist/server/providers/database/databases/catalog-sqlite/migrations/meta/0004_snapshot.json

@@ -0,0 +1,392 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "a1b2c3d4-e5f6-4789-a012-3456789abcde",
+  "prevId": "81397c74-6950-4f46-a595-b92bf6bded70",
+  "tables": {
+    "entities_relations": {
+      "name": "entities_relations",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "project_id": {
+          "name": "project_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "source_key": {
+          "name": "source_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "source_version": {
+          "name": "source_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "''"
+        },
+        "source_revision": {
+          "name": "source_revision",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "''"
+        },
+        "source_to_target_relation": {
+          "name": "source_to_target_relation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "target_key": {
+          "name": "target_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "target_version": {
+          "name": "target_version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "''"
+        },
+        "target_revision": {
+          "name": "target_revision",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "''"
+        },
+        "target_to_source_relation": {
+          "name": "target_to_source_relation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "source_file": {
+          "name": "source_file",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "file_hash": {
+          "name": "file_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_deleted": {
+          "name": "is_deleted",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "idx_entities_relations_source_key": {
+          "name": "idx_entities_relations_source_key",
+          "columns": ["source_key", "is_deleted"],
+          "isUnique": false
+        },
+        "idx_entities_relations_target_key": {
+          "name": "idx_entities_relations_target_key",
+          "columns": ["target_key", "is_deleted"],
+          "isUnique": false
+        },
+        "idx_entities_relations_source_target": {
+          "name": "idx_entities_relations_source_target",
+          "columns": ["source_to_target_relation"],
+          "isUnique": false
+        },
+        "idx_entities_relations_target_source": {
+          "name": "idx_entities_relations_target_source",
+          "columns": ["target_to_source_relation"],
+          "isUnique": false
+        },
+        "idx_entities_relations_unique": {
+          "name": "idx_entities_relations_unique",
+          "columns": [
+            "source_key",
+            "target_key",
+            "source_version",
+            "target_version",
+            "source_revision",
+            "target_revision"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "entities": {
+      "name": "entities",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "project_id": {
+          "name": "project_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "summary": {
+          "name": "summary",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "tags": {
+          "name": "tags",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "git": {
+          "name": "git",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "contact": {
+          "name": "contact",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "links": {
+          "name": "links",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "source": {
+          "name": "source",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'file'"
+        },
+        "source_file": {
+          "name": "source_file",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "file_hash": {
+          "name": "file_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "version": {
+          "name": "version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'not_specified_version'"
+        },
+        "revision": {
+          "name": "revision",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "hash": {
+          "name": "hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_current": {
+          "name": "is_current",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": true
+        },
+        "is_default_version": {
+          "name": "is_default_version",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "is_deleted": {
+          "name": "is_deleted",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": false
+        },
+        "scorecards_status": {
+          "name": "scorecards_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "idx_entities_type": {
+          "name": "idx_entities_type",
+          "columns": ["type"],
+          "isUnique": false
+        },
+        "idx_entities_hash": {
+          "name": "idx_entities_hash",
+          "columns": ["hash"],
+          "isUnique": false
+        },
+        "idx_entities_key_source_created_at": {
+          "name": "idx_entities_key_source_created_at",
+          "columns": ["key", "created_at"],
+          "isUnique": false
+        },
+        "idx_entities_key_source_is_current": {
+          "name": "idx_entities_key_source_is_current",
+          "columns": ["key", "is_current", "is_deleted"],
+          "isUnique": false
+        },
+        "idx_entities_key_source_is_default": {
+          "name": "idx_entities_key_source_is_default",
+          "columns": ["key", "is_default_version"],
+          "isUnique": false
+        },
+        "idx_entities_key_source": {
+          "name": "idx_entities_key_source",
+          "columns": ["key", "source", "revision", "version"],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}

package/dist/server/providers/database/databases/catalog-sqlite/migrations/meta/_journal.json

@@ -29,6 +29,13 @@
       "when": 1765198112079,
       "tag": "0003_catalog_versions_and_revisions_relations",
       "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "6",
+      "when": 1734624000000,
+      "tag": "0004_normalize_relation_types",
+      "breakpoints": true
     }
   ]
 }

package/dist/server/providers/database/databases/sqld-sqlite/migrations/0006_catalog-versions-and-revisions-relations.sql

@@ -9,9 +9,21 @@ DROP INDEX IF EXISTS `idx_entities_key_source_created_at`;--> statement-breakpoi
 DROP INDEX IF EXISTS `idx_entities_key_source_is_current`;--> statement-breakpoint
 DROP INDEX IF EXISTS `idx_entities_key_source_is_default`;--> statement-breakpoint
 DROP INDEX IF EXISTS `idx_entities_key_source`;--> statement-breakpoint
+-- Update all NULL values to '' first before creating unique index
 UPDATE `entities_relations` SET "source_version" = '' WHERE "source_version" IS NULL;--> statement-breakpoint
+UPDATE `entities_relations` SET "source_revision" = '' WHERE "source_revision" IS NULL;--> statement-breakpoint
+UPDATE `entities_relations` SET "target_version" = '' WHERE "target_version" IS NULL;--> statement-breakpoint
+UPDATE `entities_relations` SET "target_revision" = '' WHERE "target_revision" IS NULL;--> statement-breakpoint
+-- Delete duplicate relations keeping only the most recent one (by id)
+DELETE FROM `entities_relations` WHERE `id` NOT IN (
+  SELECT MAX(`id`) FROM `entities_relations`
+  GROUP BY `source_key`, `target_key`, `source_version`, `target_version`, `source_revision`, `target_revision`
+);--> statement-breakpoint
 -- We need to set default value to '', because NULL is not unique in sqlite
 ALTER TABLE `entities_relations` ALTER COLUMN "source_version" TO "source_version" text NOT NULL DEFAULT '';--> statement-breakpoint
+ALTER TABLE `entities_relations` ALTER COLUMN "source_revision" TO "source_revision" text NOT NULL DEFAULT '';--> statement-breakpoint
+ALTER TABLE `entities_relations` ALTER COLUMN "target_version" TO "target_version" text NOT NULL DEFAULT '';--> statement-breakpoint
+ALTER TABLE `entities_relations` ALTER COLUMN "target_revision" TO "target_revision" text NOT NULL DEFAULT '';--> statement-breakpoint
 ALTER TABLE `entities_relations` ADD `is_deleted` integer DEFAULT false;--> statement-breakpoint
 CREATE INDEX `idx_entities_relations_source_key` ON `entities_relations` (`source_key`,`is_deleted`);--> statement-breakpoint
 CREATE INDEX `idx_entities_relations_target_key` ON `entities_relations` (`target_key`,`is_deleted`);--> statement-breakpoint
@@ -25,12 +37,6 @@ ALTER TABLE `entities` ADD `is_deleted` integer DEFAULT false;--> statement-brea
 CREATE INDEX `idx_entities_key_source_is_current` ON `entities` (`key`,`is_current`,`is_deleted`);--> statement-breakpoint
 CREATE INDEX `idx_entities_key_source_is_default` ON `entities` (`key`,`is_default_version`);--> statement-breakpoint
 CREATE UNIQUE INDEX `idx_entities_key_source` ON `entities` (`key`,`source`,`revision`,`version`);--> statement-breakpoint
-UPDATE `entities_relations` SET "source_revision" = '' WHERE "source_revision" IS NULL;--> statement-breakpoint
-ALTER TABLE `entities_relations` ALTER COLUMN "source_revision" TO "source_revision" text NOT NULL DEFAULT '';--> statement-breakpoint
-UPDATE `entities_relations` SET "target_version" = '' WHERE "target_version" IS NULL;--> statement-breakpoint
-ALTER TABLE `entities_relations` ALTER COLUMN "target_version" TO "target_version" text NOT NULL DEFAULT '';--> statement-breakpoint
-UPDATE `entities_relations` SET "target_revision" = '' WHERE "target_revision" IS NULL;--> statement-breakpoint
-ALTER TABLE `entities_relations` ALTER COLUMN "target_revision" TO "target_revision" text NOT NULL DEFAULT '';--> statement-breakpoint
 ALTER TABLE `entities_relations` DROP COLUMN `source_id`;--> statement-breakpoint
 ALTER TABLE `entities_relations` DROP COLUMN `target_id`;--> statement-breakpoint
 DROP INDEX IF EXISTS `idx_entities_key_source_is_current`;--> statement-breakpoint

package/dist/server/providers/database/pagination/filter.d.ts

@@ -7,6 +7,7 @@ export declare function applyFilter<T extends SQLiteSelect | SQLiteDelete>(sqlBu
 };
 export declare function convertFilterToWhereCondition(filter?: Filter): SQL | undefined;
 export declare function getFirstFilterFieldValue(filter: Filter | undefined, fieldName: string): FilterClause['value'] | undefined;
+export declare function getAllFilterFieldValues(filter: Filter | undefined, fieldName: string): string[];
 export declare function parseFilterQuery(query?: string, availableFields?: string[], fieldsTransformations?: Record<string, string>): Filter | undefined;
 export declare function excludeFieldsFromFilter(filter: Filter | undefined, fieldsToExclude: string[]): Filter | undefined;
 //# sourceMappingURL=filter.d.ts.map

package/dist/server/providers/database/pagination/filter.js

@@ -1 +1 @@
-import{and as O,between as R,eq as T,inArray as C,isNotNull as L,isNull as I,like as v,ne as k,notBetween as y,notInArray as W,notLike as b,or as d,sql as a}from"drizzle-orm";import{isFilterCondition as F}from"./types.js";import{transformToSnakeCase as q}from"./utils/transform-to-snake-case.js";import{isFieldAllowed as D}from"./utils/field-pattern-matcher.js";import{OPERATORS as h}from"./constants.js";const U=["domains","owners"],P=["tags"];function z(t,e){const o=J(e);return o?{sqlBuilder:t,whereCondition:o}:{sqlBuilder:t,whereCondition:null}}function J(t){if(t)return F(t)?j(t):x(t)}const j=t=>{const{op:e,conditions:o}=t,n=[];for(const l of o){if(F(l)){const r=j(l);r&&n.push(r);continue}const i=x(l);i&&n.push(i)}return e===h.AND?O(...n):d(...n)},H=(t,e)=>e.length>1?`$.${e.slice(1).join(".")}.${t}`:`$.${t}`,m=({operator:t,value:e,field:o,parentFields:n,negation:l})=>{const i=a.identifier(n[0]),r=H(o,n);switch(t){case"equal":return l?a`(json_extract(${i}, ${r}) != ${e} OR json_extract(${i}, ${r}) IS NULL)`:a`json_extract(${i}, ${r}) == ${e}`;case"equalNull":return l?a`json_extract(${i}, ${r}) IS NOT NULL`:a`json_extract(${i}, ${r}) IS NULL`;case"contains":return l?a`(json_extract(${i}, ${r}) NOT LIKE ${e} OR json_extract(${i}, ${r}) IS NULL)`:a`json_extract(${i}, ${r}) LIKE ${e}`;case"in":if(Array.isArray(e)){const s=e.map(c=>a`json_extract(${i}, ${r}) == ${c}`);return l?a`(NOT (${d(...s)}) OR json_extract(${i}, ${r}) IS NULL)`:d(...s)}break;case"between":if(Array.isArray(e)&&e.length===2)return l?a`(NOT (json_extract(${i}, ${r}) BETWEEN ${e[0]} AND ${e[1]}) OR json_extract(${i}, ${r}) IS NULL)`:a`json_extract(${i}, ${r}) BETWEEN ${e[0]} AND ${e[1]}`;break;default:throw new Error(`Unsupported operator: ${t} for json path`)}};function G(t,e){if(!t)return;const o=l=>{if(F(l)){for(const i of l.conditions){const r=o(i);if(r!==void 0)return r}return}if(l.field===e)return l.value},n=o(t);return typeof n=="string"?n.trim()===""?null:n.trim():n??null}const M=t=>{const{field:e,operator:o,value:n,modifier:l,parentFields:i}=t,r=l==="not";if(!i||i.length<1)throw new Error("convertNestedFilterClauseToSql called without parentFields");switch(o){case"equal":return m(n===null?{operator:"equalNull",value:n,field:e,parentFields:i,negation:r}:{operator:o,value:n,field:e,parentFields:i,negation:r});case"contains":if(typeof n=="string"){const s=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return m({operator:o,value:s,field:e,parentFields:i,negation:r})}break;case"in":if(Array.isArray(n))return m({operator:o,value:n,field:e,parentFields:i,negation:r});break;case"between":if(Array.isArray(n)&&n.length===2)return m({operator:o,value:n,field:e,parentFields:i,negation:r});break;default:throw new Error(`Unsupported filter operator: ${o}`)}},x=t=>{const{field:e,operator:o,value:n,modifier:l,parentFields:i}=t;if(i&&i.length>=1)return M(t);const r=l==="not",s=a.identifier(e),c=P.includes(e),f=U.includes(e);switch(o){case"equal":return n===null?r?L(s):I(s):f?r?a`NOT EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_extract(json_each.value, '$.key') = ${n})`:a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_extract(json_each.value, '$.key') = ${n})`:c?r?a`NOT EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_each.value = ${n})`:a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_each.value = ${n})`:r?k(s,n):T(s,n);case"contains":if(typeof n=="string"){const u=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return r?b(s,u):v(s,u)}break;case"in":if(Array.isArray(n)){if(f){const u=n.map(p=>a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_extract(json_each.value, '$.key') = ${p})`);return r?a`NOT (${d(...u)})`:d(...u)}else if(c){const u=n.map(p=>a`EXISTS (SELECT 1 FROM json_each(${s}) WHERE json_each.value = ${p})`);return r?a`NOT (${d(...u)})`:d(...u)}return r?W(s,n):C(s,n)}break;case"between":if(Array.isArray(n)&&n.length===2)return r?y(s,n[0],n[1]):R(s,n[0],n[1]);break;default:throw new Error(`Unsupported filter operator: ${o}`)}},A=["'",'"'];function Z(t="",e=[],o={}){if(!t||!t.trim())return;const n=g(t);return w(n,e,o)}function S(t){const e=X(t);if(e.operator===":"){const o=N(e.value,",");if(o.length>1)return{operator:"in",field:e.field,parentFields:e.parentFields,value:o.map(E),modifier:e.modifier};const n=N(e.value,"..");return n.length===2?{operator:"between",field:e.field,parentFields:e.parentFields,value:[E(n[0]),E(n[1])],modifier:e.modifier}:{operator:"equal",field:e.field,parentFields:e.parentFields,value:e.value==="null"?null:E(e.value),modifier:e.modifier}}else if(e.operator==="~")return{operator:"contains",field:e.field,parentFields:e.parentFields,value:E(e.value),modifier:e.modifier};throw new Error(`Unsupported filter clause: ${t}`)}function X(t){const e="^(?<modifier>^-?)",o="(?<field>[a-z][\\w.]*)",n="(?<operator>:|~)",l="(?<value>.+)",i=new RegExp(`^${e}${o}${n}${l}$`,"i"),r=t.match(i);if(!r||!r.groups)throw new Error(`Invalid filter clause: ${t}`);const{operator:s,value:c,modifier:f}=r.groups,u=r.groups.field.split(".");return{field:u.pop(),parentFields:u,operator:s,value:c,modifier:f==="-"?"not":void 0}}function N(t,e){const o=[];let n="",l=!1,i=0;for(let r=0;r<t.length;r++){const s=t[r-1],c=t[r];if(i>0){i--;continue}s!=="\\"&&A.includes(c)&&(l=!l),!l&&t.slice(r,r+e.length)===e?(o.push(n),n="",i=e.length-1):n+=c}return n&&o.push(n),o}function E(t){for(const e of A)if(t.startsWith(e)&&t.endsWith(e))return t.slice(1,-1);return t}function g(t){let e="",o=0,n=!1,l="";const i=[];for(let s=0;s<t.length;s++){const c=t[s],f=t[s+1];if(['"',"'"].includes(c)&&(s===0||t[s-1]!=="\\")){if(!n){n=!0,l=c,e+=c;continue}if(c===l){n=!1,l="",e+=c;continue}}if(n){e+=c;continue}if(o===0){const u=f==="A"&&t.slice(s+1,s+5)===`${h.AND} `;if(c===" "&&u){const $=e.trim();$&&(i.push(S($)),e="");const _=g(t.slice(s+5));return{op:h.AND,conditions:[...i,_]}}const p=f==="O"&&t.slice(s+1,s+4)===`${h.OR} `;if(c===" "&&p){const $=e.trim();$&&(i.push(S($)),e="");const _=g(t.slice(s+4));return{op:h.OR,conditions:[...i,_]}}}if(c==="("){const u=e.trim();o===0&&u&&(i.push(S(u)),e=""),o++,e+=c;continue}if(c===")"){if(o--,e+=c,o===0){const u=e.slice(1,-1);i.push(g(u)),e=""}continue}e+=c}const r=e.trim();return r&&i.push(S(r)),i.length===1?i[0]:{op:h.AND,conditions:i}}function w(t,e,o){if("field"in t){const n=t.parentFields?.length?`${t.parentFields.join(".")}.${t.field}`:t.field;if(!D(n,e))throw new Error(`Invalid filter field: ${n}`);const l=t.parentFields?.length?t.field:o[t.field]||q(t.field);return{...t,field:l}}else return{...t,conditions:t.conditions.map(n=>w(n,e,o))}}function ee(t,e){if(!t)return;const o=i=>e.includes(i),n=i=>{if(F(i)){const r=i.conditions.map(n).filter(s=>s!==null);return r.length===0?null:r.length===1?r[0]:{...i,conditions:r}}else return o(i.field)?null:i};return n(t)||void 0}export{z as applyFilter,J as convertFilterToWhereCondition,ee as excludeFieldsFromFilter,G as getFirstFilterFieldValue,Z as parseFilterQuery};
+import{and as O,between as R,eq as T,inArray as C,isNotNull as v,isNull as L,like as I,ne as y,notBetween as k,notInArray as W,notLike as b,or as d,sql as u}from"drizzle-orm";import{isFilterCondition as m}from"./types.js";import{transformToSnakeCase as q}from"./utils/transform-to-snake-case.js";import{isFieldAllowed as D}from"./utils/field-pattern-matcher.js";import{OPERATORS as h}from"./constants.js";const U=["domains","owners"],P=["tags"];function z(t,e){const o=J(e);return o?{sqlBuilder:t,whereCondition:o}:{sqlBuilder:t,whereCondition:null}}function J(t){if(t)return m(t)?A(t):j(t)}const A=t=>{const{op:e,conditions:o}=t,n=[];for(const s of o){if(m(s)){const i=A(s);i&&n.push(i);continue}const r=j(s);r&&n.push(r)}return e===h.AND?O(...n):d(...n)},H=(t,e)=>e.length>1?`$.${e.slice(1).join(".")}.${t}`:`$.${t}`,E=({operator:t,value:e,field:o,parentFields:n,negation:s})=>{const r=u.identifier(n[0]),i=H(o,n);switch(t){case"equal":return s?u`(json_extract(${r}, ${i}) != ${e} OR json_extract(${r}, ${i}) IS NULL)`:u`json_extract(${r}, ${i}) == ${e}`;case"equalNull":return s?u`json_extract(${r}, ${i}) IS NOT NULL`:u`json_extract(${r}, ${i}) IS NULL`;case"contains":return s?u`(json_extract(${r}, ${i}) NOT LIKE ${e} OR json_extract(${r}, ${i}) IS NULL)`:u`json_extract(${r}, ${i}) LIKE ${e}`;case"in":if(Array.isArray(e)){const l=e.map(c=>u`json_extract(${r}, ${i}) == ${c}`);return s?u`(NOT (${d(...l)}) OR json_extract(${r}, ${i}) IS NULL)`:d(...l)}break;case"between":if(Array.isArray(e)&&e.length===2)return s?u`(NOT (json_extract(${r}, ${i}) BETWEEN ${e[0]} AND ${e[1]}) OR json_extract(${r}, ${i}) IS NULL)`:u`json_extract(${r}, ${i}) BETWEEN ${e[0]} AND ${e[1]}`;break;default:throw new Error(`Unsupported operator: ${t} for json path`)}};function G(t,e){if(!t)return;const o=s=>{if(m(s)){for(const r of s.conditions){const i=o(r);if(i!==void 0)return i}return}if(s.field===e)return s.value},n=o(t);return typeof n=="string"?n.trim()===""?null:n.trim():n??null}function Z(t,e){if(!t)return[];const o=[],n=s=>{if(m(s)){for(const r of s.conditions)n(r);return}if(s.field===e){if(Array.isArray(s.value))o.push(...s.value.map(r=>String(r).trim()).filter(r=>r!==""));else if(s.value!==null&&s.value!==void 0){const r=String(s.value).trim();r!==""&&o.push(r)}}};return n(t),o}const M=t=>{const{field:e,operator:o,value:n,modifier:s,parentFields:r}=t,i=s==="not";if(!r||r.length<1)throw new Error("convertNestedFilterClauseToSql called without parentFields");switch(o){case"equal":return E(n===null?{operator:"equalNull",value:n,field:e,parentFields:r,negation:i}:{operator:o,value:n,field:e,parentFields:r,negation:i});case"contains":if(typeof n=="string"){const l=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return E({operator:o,value:l,field:e,parentFields:r,negation:i})}break;case"in":if(Array.isArray(n))return E({operator:o,value:n,field:e,parentFields:r,negation:i});break;case"between":if(Array.isArray(n)&&n.length===2)return E({operator:o,value:n,field:e,parentFields:r,negation:i});break;default:throw new Error(`Unsupported filter operator: ${o}`)}},j=t=>{const{field:e,operator:o,value:n,modifier:s,parentFields:r}=t;if(r&&r.length>=1)return M(t);const i=s==="not",l=u.identifier(e),c=P.includes(e),f=U.includes(e);switch(o){case"equal":return n===null?i?v(l):L(l):f?i?u`NOT EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_extract(json_each.value, '$.key') = ${n})`:u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_extract(json_each.value, '$.key') = ${n})`:c?i?u`NOT EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_each.value = ${n})`:u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_each.value = ${n})`:i?y(l,n):T(l,n);case"contains":if(typeof n=="string"){const a=n.startsWith("%")||n.endsWith("%")?n:`%${n}%`;return i?b(l,a):I(l,a)}break;case"in":if(Array.isArray(n)){if(f){const a=n.map(p=>u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_extract(json_each.value, '$.key') = ${p})`);return i?u`NOT (${d(...a)})`:d(...a)}else if(c){const a=n.map(p=>u`EXISTS (SELECT 1 FROM json_each(${l}) WHERE json_each.value = ${p})`);return i?u`NOT (${d(...a)})`:d(...a)}return i?W(l,n):C(l,n)}break;case"between":if(Array.isArray(n)&&n.length===2)return i?k(l,n[0],n[1]):R(l,n[0],n[1]);break;default:throw new Error(`Unsupported filter operator: ${o}`)}},x=["'",'"'];function ee(t="",e=[],o={}){if(!t||!t.trim())return;const n=g(t);return w(n,e,o)}function S(t){const e=X(t);if(e.operator===":"){const o=N(e.value,",");if(o.length>1)return{operator:"in",field:e.field,parentFields:e.parentFields,value:o.map(F),modifier:e.modifier};const n=N(e.value,"..");return n.length===2?{operator:"between",field:e.field,parentFields:e.parentFields,value:[F(n[0]),F(n[1])],modifier:e.modifier}:{operator:"equal",field:e.field,parentFields:e.parentFields,value:e.value==="null"?null:F(e.value),modifier:e.modifier}}else if(e.operator==="~")return{operator:"contains",field:e.field,parentFields:e.parentFields,value:F(e.value),modifier:e.modifier};throw new Error(`Unsupported filter clause: ${t}`)}function X(t){const e="^(?<modifier>^-?)",o="(?<field>[a-z][\\w.]*)",n="(?<operator>:|~)",s="(?<value>.+)",r=new RegExp(`^${e}${o}${n}${s}$`,"i"),i=t.match(r);if(!i||!i.groups)throw new Error(`Invalid filter clause: ${t}`);const{operator:l,value:c,modifier:f}=i.groups,a=i.groups.field.split(".");return{field:a.pop(),parentFields:a,operator:l,value:c,modifier:f==="-"?"not":void 0}}function N(t,e){const o=[];let n="",s=!1,r=0;for(let i=0;i<t.length;i++){const l=t[i-1],c=t[i];if(r>0){r--;continue}l!=="\\"&&x.includes(c)&&(s=!s),!s&&t.slice(i,i+e.length)===e?(o.push(n),n="",r=e.length-1):n+=c}return n&&o.push(n),o}function F(t){for(const e of x)if(t.startsWith(e)&&t.endsWith(e))return t.slice(1,-1);return t}function g(t){let e="",o=0,n=!1,s="";const r=[];for(let l=0;l<t.length;l++){const c=t[l],f=t[l+1];if(['"',"'"].includes(c)&&(l===0||t[l-1]!=="\\")){if(!n){n=!0,s=c,e+=c;continue}if(c===s){n=!1,s="",e+=c;continue}}if(n){e+=c;continue}if(o===0){const a=f==="A"&&t.slice(l+1,l+5)===`${h.AND} `;if(c===" "&&a){const $=e.trim();$&&(r.push(S($)),e="");const _=g(t.slice(l+5));return{op:h.AND,conditions:[...r,_]}}const p=f==="O"&&t.slice(l+1,l+4)===`${h.OR} `;if(c===" "&&p){const $=e.trim();$&&(r.push(S($)),e="");const _=g(t.slice(l+4));return{op:h.OR,conditions:[...r,_]}}}if(c==="("){const a=e.trim();o===0&&a&&(r.push(S(a)),e=""),o++,e+=c;continue}if(c===")"){if(o--,e+=c,o===0){const a=e.slice(1,-1);r.push(g(a)),e=""}continue}e+=c}const i=e.trim();return i&&r.push(S(i)),r.length===1?r[0]:{op:h.AND,conditions:r}}function w(t,e,o){if("field"in t){const n=t.parentFields?.length?`${t.parentFields.join(".")}.${t.field}`:t.field;if(!D(n,e))throw new Error(`Invalid filter field: ${n}`);const s=t.parentFields?.length?t.field:o[t.field]||q(t.field);return{...t,field:s}}else return{...t,conditions:t.conditions.map(n=>w(n,e,o))}}function ne(t,e){if(!t)return;const o=r=>e.includes(r),n=r=>{if(m(r)){const i=r.conditions.map(n).filter(l=>l!==null);return i.length===0?null:i.length===1?i[0]:{...r,conditions:i}}else return o(r.field)?null:r};return n(t)||void 0}export{z as applyFilter,J as convertFilterToWhereCondition,ne as excludeFieldsFromFilter,Z as getAllFilterFieldValues,G as getFirstFilterFieldValue,ee as parseFilterQuery};

package/dist/server/web-server/auth.js

@@ -1,4 +1,4 @@
-import"../node-crypto-polyfill.js";import{DOMParser as U}from"@xmldom/xmldom";import{SignedXml as B}from"xml-crypto";import F from"xpath";import{deflateSync as J,inflateSync as q}from"fflate";import{createHash as H}from"crypto";import{ulid as W}from"ulid";import{AuthProviderType as d,DEFAULT_TEAM_CLAIM_NAME as K}from"@redocly/config";import{AUTH_URL as Q,JWT_SECRET_KEY as _}from"../constants/common.js";import{getPathPrefix as X,withPathPrefix as Y}from"@redocly/theme/core/utils";import{DEFAULT_AUTHENTICATED_TEAM as G,REQUIRED_OIDC_SCOPES as D,ServerRoutes as P}from"../../constants/common.js";import{appendQueryParams as Z}from"../../utils/url/append-query-params.js";import{logger as ee}from"../tools/notifiers/logger.js";import{randomString as te}from"../utils/crypto/random-string.js";import{randomUUID as R}from"../utils/crypto/random-uuid.js";import{AlgorithmTypes as I,JwtTokenExpired as ne}from"./jwt/types.js";import*as p from"./jwt/jwt.js";import{parseTeamClaimToArray as re}from"../utils/index.js";import{arrayBufferToBase64 as oe,decodeBase64 as j,encodeBase64URL as ae,urlSafeBase64 as v}from"./jwt/encode.js";import{formatSamlCertificate as se}from"./utils/format-saml-certificate.js";function E(e){return e?.type===d.OIDC}function ie(e){return e?.type===d.SAML2}async function ze(e,t){if(E(t))return ce(e,t);if(ie(t))return ue(e,t)}async function ce(e,t){const n=await V(e,t),r=new Set((t.scopes||[]).concat(D)),o=t.authorizationRequestCustomParams||{};return{type:d.OIDC,idpId:e,name:"OAuth provider",authorizationEndpoint:n.authorization_endpoint,clientId:t.clientId,responseType:"code",scope:Array.from(r).join(" "),extraParams:o,pkce:t.pkce}}function ue(e,t){return{type:d.SAML2,idpId:e,name:"SAML2 provider",ssoUrl:t.ssoUrl,issuerId:t.issuerId,entityId:t.entityId||t.issuerId}}async function Be(e,t,n,r,o={}){const a=new Set((r.scopes||[]).concat(D));return await fetch(e,{method:"POST",body:new URLSearchParams({client_id:r.clientId,scope:Array.from(a).join(" "),code:t,redirect_uri:N(n),grant_type:"authorization_code",...r.clientSecret?{client_secret:r.clientSecret}:{},...o}).toString(),headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"}}).then(s=>s.json())}function de(e,{authorizationEndpoint:t,clientId:n,responseType:r,scope:o,extraParams:a,idpId:s,pkce:i},l,A,w){if(!t||!n||!r||!o)return{loginUrl:void 0};const u=new URL(t),f=w?.redirectUriOverride??`${e}${Y(P.OIDC_CALLBACK)}`,S={state:R(),idpId:s,redirectUri:f,redirectTo:l,branch:w?.branchOverride??me(e),inviteCode:A,source:w?.sourceOverride??"portal"},h={};if(i){const m=v(te(50)),g=v(H("sha256").update(m).digest("base64")),x="S256";u.searchParams.append("code_challenge",g),u.searchParams.append("code_challenge_method",x),h.code_verifier={value:m,options:{secure:!0,httpOnly:!0,expires:new Date(Date.now()+1e3*60*10),path:X()||"/"}}}u.searchParams.append("client_id",n),u.searchParams.append("scope",o),u.searchParams.append("response_type",r),u.searchParams.append("redirect_uri",N(f)),u.searchParams.append("state",ae(JSON.stringify(S)));for(const m in a)a[m]!==void 0&&u.searchParams.append(m,a[m]);return{loginUrl:u.toString(),cookies:h}}function Fe(e,t,n,r){const o=new URL(e);return o.searchParams.append("post_logout_redirect_uri",t),r&&o.searchParams.append("state",r),o.searchParams.append("id_token_hint",n),o.toString()}async function Je(e){const t=Math.floor(Date.now()/1e3),n=t+(e.ttlSec??600);return p.sign({type:"mcp_auth_code",client_id:e.clientId,redirect_uri:e.redirectUri,id_token:e.idToken,iat:t,exp:n},_)}async function qe(e){const{header:t,payload:n}=p.decode(e),o=Object.values(I).includes(t.alg)?t.alg:I.HS256;if(await p.verify(e,_,o),!n||typeof n!="object")throw new Error("Malformed authorization code");const a=n;if((a.typ??a.type)!=="mcp_auth_code")throw new Error("Invalid authorization code type");const i=n;if(!i.client_id||!i.redirect_uri)throw new Error("Authorization code missing required claims");if(i.exp&&Date.now()>=i.exp*1e3)throw new Error("Authorization code expired");return i}function He(e){const t=e||W(),n=t.startsWith("mcp_")?t:`mcp_${t}`;return{id:n,object:"mcp_session",uri:`urn:redocly:realm:mcp:session:${n}`}}function N(e){return e.match(/^https:\/\/preview-[^\.]+--/)?"https://previewauth--"+e.split("--")[1]:e.match(/^(https:\/\/[^\.]+)--[^\.]+\.preview\./)?e.replace(/^(https:\/\/[^\.]+?)--[^\.]+\.preview\./,"$1.previewauth."):e}function me(e){return e.match(/^(https:\/\/[^\.]+)--([^\.]+)\.preview\./)?.[2]||void 0}function le(e){return e.type===d.OIDC}function pe(e){return e.type===d.SAML2}function We(e,t,n,r){return le(e)?de(t,e,n,r):pe(e)?fe(t,e,n,r):{}}function fe(e,t,n,r){const a=`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+import"../node-crypto-polyfill.js";import{DOMParser as U}from"@xmldom/xmldom";import{SignedXml as B}from"xml-crypto";import F from"xpath";import{deflateSync as J,inflateSync as q}from"fflate";import{createHash as H}from"crypto";import{ulid as W}from"ulid";import{AuthProviderType as u,DEFAULT_TEAM_CLAIM_NAME as K}from"@redocly/config";import{AUTH_URL as Q,JWT_SECRET_KEY as _}from"../constants/common.js";import{getPathPrefix as X,withPathPrefix as Y}from"@redocly/theme/core/utils";import{DEFAULT_AUTHENTICATED_TEAM as G,REQUIRED_OIDC_SCOPES as D,ServerRoutes as P}from"../../constants/common.js";import{appendQueryParams as Z}from"../../utils/url/append-query-params.js";import{logger as ee}from"../tools/notifiers/logger.js";import{randomString as te}from"../utils/crypto/random-string.js";import{randomUUID as R}from"../utils/crypto/random-uuid.js";import{AlgorithmTypes as I,JwtTokenExpired as ne}from"./jwt/types.js";import*as p from"./jwt/jwt.js";import{parseTeamClaimToArray as re}from"../utils/index.js";import{arrayBufferToBase64 as ae,decodeBase64 as v,encodeBase64URL as oe,urlSafeBase64 as j}from"./jwt/encode.js";import{formatSamlCertificate as se}from"./utils/format-saml-certificate.js";function N(e){return e?.type===u.OIDC}function ie(e){return e?.type===u.SAML2}async function ze(e,t){if(N(t))return ce(e,t);if(ie(t))return ue(e,t)}async function ce(e,t){const n=await V(e,t),r=new Set((t.scopes||[]).concat(D)),a=t.authorizationRequestCustomParams||{};return{type:u.OIDC,idpId:e,name:"OAuth provider",authorizationEndpoint:n.authorization_endpoint,clientId:t.clientId,responseType:"code",scope:Array.from(r).join(" "),extraParams:a,pkce:t.pkce}}function ue(e,t){return{type:u.SAML2,idpId:e,name:"SAML2 provider",ssoUrl:t.ssoUrl,issuerId:t.issuerId,entityId:t.entityId||t.issuerId}}async function Be(e,t,n,r,a={}){const o=new Set((r.scopes||[]).concat(D));return await fetch(e,{method:"POST",body:new URLSearchParams({client_id:r.clientId,scope:Array.from(o).join(" "),code:t,redirect_uri:E(n),grant_type:"authorization_code",...r.clientSecret?{client_secret:r.clientSecret}:{},...a}).toString(),headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"}}).then(s=>s.json())}function de(e,{authorizationEndpoint:t,clientId:n,responseType:r,scope:a,extraParams:o,idpId:s,pkce:l},m,A,w){if(!t||!n||!r||!a)return{loginUrl:void 0};const c=new URL(t),f=w?.redirectUriOverride??`${e}${Y(P.OIDC_CALLBACK)}`,S={state:R(),idpId:s,redirectUri:f,redirectTo:m,branch:w?.branchOverride??me(e),inviteCode:A,source:w?.sourceOverride??"portal"},h={};if(l){const d=j(te(50)),g=j(H("sha256").update(d).digest("base64")),x="S256";c.searchParams.append("code_challenge",g),c.searchParams.append("code_challenge_method",x),h.code_verifier={value:d,options:{secure:!0,httpOnly:!0,expires:new Date(Date.now()+1e3*60*10),path:X()||"/"}}}c.searchParams.append("client_id",n),c.searchParams.append("scope",a),c.searchParams.append("response_type",r),c.searchParams.append("redirect_uri",E(f)),c.searchParams.append("state",oe(JSON.stringify(S)));for(const d in o)o[d]!==void 0&&c.searchParams.append(d,o[d]);return{loginUrl:c.toString(),cookies:h}}function Fe(e,t,n,r){const a=new URL(e);return a.searchParams.append("post_logout_redirect_uri",t),r&&a.searchParams.append("state",r),a.searchParams.append("id_token_hint",n),a.toString()}async function Je(e){const t=Math.floor(Date.now()/1e3),n=t+(e.ttlSec??600);return p.sign({type:"mcp_auth_code",client_id:e.clientId,redirect_uri:e.redirectUri,id_token:e.idToken,iat:t,exp:n},_)}async function qe(e){const{header:t,payload:n}=p.decode(e),a=Object.values(I).includes(t.alg)?t.alg:I.HS256;if(await p.verify(e,_,a),n.type!=="mcp_auth_code")throw new Error("Invalid authorization code type");if(!n.client_id||!n.redirect_uri)throw new Error("Authorization code missing required claims");if(typeof n.exp=="number"&&Date.now()>=n.exp*1e3)throw new Error("Authorization code expired");return n}function He(e){const t=e||W(),n=t.startsWith("mcp_")?t:`mcp_${t}`;return{id:n,object:"mcp_session",uri:`urn:redocly:realm:mcp:session:${n}`}}function E(e){return e.match(/^https:\/\/preview-[^\.]+--/)?"https://previewauth--"+e.split("--")[1]:e.match(/^(https:\/\/[^\.]+)--[^\.]+\.preview\./)?e.replace(/^(https:\/\/[^\.]+?)--[^\.]+\.preview\./,"$1.previewauth."):e}function me(e){return e.match(/^(https:\/\/[^\.]+)--([^\.]+)\.preview\./)?.[2]||void 0}function le(e){return e.type===u.OIDC}function pe(e){return e.type===u.SAML2}function We(e,t,n,r){return le(e)?de(t,e,n,r):pe(e)?fe(t,e,n,r):{}}function fe(e,t,n,r){const o=`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     Version="2.0"
     ID="_${R()}"
@@ -9,4 +9,4 @@ import"../node-crypto-polyfill.js";import{DOMParser as U}from"@xmldom/xmldom";im
     <samlp:NameIDPolicy
       AllowCreate="true"
       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
-  </samlp:AuthnRequest>`,s=he(a);return{loginUrl:Z(t.ssoUrl,{SAMLRequest:s,RelayState:JSON.stringify({idpId:t.idpId,redirectTo:n,inviteCode:r,source:"portal"})})}}function he(e){return oe(J(new TextEncoder().encode(e)).buffer)}function Ke(e){const t=j(e);if(t.startsWith("<samlp:Response")||t.indexOf("<saml2p:Response")>-1)return t;const n=q(new Uint8Array(atob(e).split("").map(r=>r.charCodeAt(0))));return new TextDecoder().decode(n)}function Qe(e){try{return JSON.parse(j(e||""))}catch{throw new Error("Invalid OAuth2 state")}}function Xe(e){const t=new U().parseFromString(e,"application/xml"),r=c(t,"//*[local-name(.)='StatusCode']/@Value")[0]?.nodeValue?.endsWith("Success")||!1,a=c(t,"//*[local-name(.)='Response']/@Destination")[0]?.nodeValue||"",s=c(t,"//*[local-name(.)='Assertion']//*[local-name(.)='Issuer']/text()")[0],i=s&&s.nodeValue||void 0,l=c(t,"//*[local-name(.)='Audience']/text()")[0],A=l&&l.nodeValue||void 0,u=c(t,"//*[local-name(.)='Assertion']//*[local-name(.)='X509Certificate']/text()")[0]?.nodeValue||"",f=c(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/text()")[0],S=f&&f.nodeValue||"",h=c(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/@Format")[0],m=h&&h.nodeValue||"",g=c(t,"//*[local-name(.)='Conditions']/@NotOnOrAfter")[0],x=ye(g),T={},k=c(t,"//*[local-name(.)='AttributeStatement']//*[local-name(.)='Attribute']");if(k.length)for(const C of k){const O=c(C,"./@Name")[0];if(O.nodeValue){const b=c(C,"./*[local-name(.)='AttributeValue']/text()")[0];b?.nodeValue&&(T[O.nodeValue]=b.nodeValue)}}return{uid:S,success:r,expiresAt:x,issuerId:i,entityId:A,attrs:T,cert:u,nameFormat:m,destination:a}}function ye(e){const t=typeof e?.nodeValue=="string"&&L(Date.parse(e.nodeValue)),n=L(Date.now()),r=L(Date.now()+720*60*1e3);return t?t>n&&t<r?r:t:n}function L(e){return Math.floor(e/1e3)}const M={},y={jwks:{}};async function V(e,t){return M[e]||(M[e]=t.configurationUrl?await $(t.configurationUrl):t.configuration),M[e]}async function we(e){for(const t of Object.keys(e)){const n=e[t];if(!E(n))continue;const r=await V(t,n);if(r.jwks_uri){const o=await $(r.jwks_uri);for(const a of o.keys)y.jwks[a.kid]={...a,idpId:t}}}}async function $(e){return fetch(e,{headers:{Accept:"application/json"}}).then(t=>t.json())}async function Ye(e){return fetch(`${Q}/oidc/userinfo`,{headers:{Accept:"application/json",Authorization:`Bearer ${e}`}}).then(t=>t.status===200?t.json():void 0).catch(()=>{})}function Ge(e){if(!e.configurationUrl)return!1;const t=new URL(e.configurationUrl);return["localhost","127.0.0.1","blueharvest.cloud","bhstage.cloud","cloud.redocly.com","beta.redocly.com","cloud.eu.redocly.com","beta.eu.redocly.com","cba.au.redocly.com"].some(r=>Ae(t.hostname,r))}function Ae(e,t){return e===t||e.endsWith(`.${t}`)}async function Ze(e,t){const n=new U().parseFromString(e),r=c(n,"//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];if(!r)throw new Error("Cannot find Signature in the SAML response");const o=se(t),a=new B({publicCert:o});a.loadSignature(r);try{return a.checkSignature(e)}catch{return!1}}function et(e,t,n,r){t==="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"&&(e=n["http://schemas.microsoft.com/identity/claims/objectidentifier"]);let o;(t==="urn:oasis:names:tc:SAML:2.0:nameid-format:email"||t==="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")&&(o=e),t==="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&&e?.match(/.+@.+/)&&(o=e);const a=n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],s=a?.match(/.+@.+/);return o=o||n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]||(s?a:void 0),o=o?.toLowerCase(),{sub:e,given_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],family_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],name:n["http://schemas.microsoft.com/identity/claims/displayname"]||a,email:o,email_verified:!0,teams:r?re(n[r]):[]}}function z(e,t={}){return e.map(n=>t[n]||n)}async function tt(e,t){if(!t)return{};const n=t.authorization;if(!n)return{};try{const r=p.decode(n);if(r.header.alg===I.RS256){y.jwks[r.header.kid]===void 0&&await we(e);const l=y.jwks[r.header.kid];if(!l)return y.jwks[r.header.kid]=null,{};await p.verify(n,l,r.header.alg)}else await p.verify(n,_,r.header.alg);const o=r.payload.idpId||y.jwks[r.header.kid]?.idpId,a=e[o]||{},s=xe(a),i=ge(a);return{...r.payload,email:r.payload.email?.toLowerCase(),idpId:o,teams:Array.from(new Set([...z(r.payload.teams||[],i),..."defaultTeams"in a&&a.defaultTeams||[],...z("teamsClaimName"in a&&r.payload[s||""]||[],i),G])),name:Se(r.payload),isAuthenticated:!0,idpAccessToken:t.idp_access_token,federatedAccessToken:t.federated_access_token,federatedIdToken:t.federated_id_token,authCookie:n}}catch(r){r instanceof ne||ee.error("Malformed JWT token: %s",r.message)}return{}}function Se(e){return e.name||e.given_name||e.email}function ge(e){switch(e.type){case d.SAML2:return e.teamsAttributeMap;case d.OIDC:return e.teamsClaimMap;default:return}}function xe(e){switch(e.type){case d.SAML2:return e.teamsAttributeName;case d.OIDC:return e.teamsClaimName;default:return K}}function c(e,t){return F.select(t,e)||[]}export{We as buildLoginUrl,de as buildOidcLoginUrl,Fe as buildOidcLogoutUrl,fe as buildSAML2LoginUrl,Je as createMcpAuthorizationCode,He as createMcpSessionResource,Ke as decodeSamlResponse,he as encodeSAML2,et as extractUserClaims,ze as getAuthProviderLoginParams,ce as getOidcLoginParams,V as getOidcMetadata,Ye as getRedoclyTokenPayload,ue as getSaml2LoginParams,tt as getUserParamsFromCookies,Se as getUsernameFromPayload,E as isOidcProviderConfig,Ge as isRedoclySso,ie as isSaml2ProviderConfig,Be as oidcExchangeCodeForToken,Qe as parseOidcState,me as parsePreviewBranch,Xe as parseSamlResponse,N as rewritePreviewAuthRedirectUri,qe as verifyMcpAuthorizationCode,Ze as verifySAMLResponse};
+  </samlp:AuthnRequest>`,s=he(o);return{loginUrl:Z(t.ssoUrl,{SAMLRequest:s,RelayState:JSON.stringify({idpId:t.idpId,redirectTo:n,inviteCode:r,source:"portal"})})}}function he(e){return ae(J(new TextEncoder().encode(e)).buffer)}function Ke(e){const t=v(e);if(t.startsWith("<samlp:Response")||t.indexOf("<saml2p:Response")>-1)return t;const n=q(new Uint8Array(atob(e).split("").map(r=>r.charCodeAt(0))));return new TextDecoder().decode(n)}function Qe(e){try{return JSON.parse(v(e||""))}catch{throw new Error("Invalid OAuth2 state")}}function Xe(e){const t=new U().parseFromString(e,"application/xml"),r=i(t,"//*[local-name(.)='StatusCode']/@Value")[0]?.nodeValue?.endsWith("Success")||!1,o=i(t,"//*[local-name(.)='Response']/@Destination")[0]?.nodeValue||"",s=i(t,"//*[local-name(.)='Assertion']//*[local-name(.)='Issuer']/text()")[0],l=s&&s.nodeValue||void 0,m=i(t,"//*[local-name(.)='Audience']/text()")[0],A=m&&m.nodeValue||void 0,c=i(t,"//*[local-name(.)='Assertion']//*[local-name(.)='X509Certificate']/text()")[0]?.nodeValue||"",f=i(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/text()")[0],S=f&&f.nodeValue||"",h=i(t,"//*[local-name(.)='Subject']//*[local-name(.)='NameID']/@Format")[0],d=h&&h.nodeValue||"",g=i(t,"//*[local-name(.)='Conditions']/@NotOnOrAfter")[0],x=ye(g),k={},T=i(t,"//*[local-name(.)='AttributeStatement']//*[local-name(.)='Attribute']");if(T.length)for(const C of T){const O=i(C,"./@Name")[0];if(O.nodeValue){const b=i(C,"./*[local-name(.)='AttributeValue']/text()")[0];b?.nodeValue&&(k[O.nodeValue]=b.nodeValue)}}return{uid:S,success:r,expiresAt:x,issuerId:l,entityId:A,attrs:k,cert:c,nameFormat:d,destination:o}}function ye(e){const t=typeof e?.nodeValue=="string"&&L(Date.parse(e.nodeValue)),n=L(Date.now()),r=L(Date.now()+720*60*1e3);return t?t>n&&t<r?r:t:n}function L(e){return Math.floor(e/1e3)}const M={},y={jwks:{}};async function V(e,t){return M[e]||(M[e]=t.configurationUrl?await $(t.configurationUrl):t.configuration),M[e]}async function we(e){for(const t of Object.keys(e)){const n=e[t];if(!N(n))continue;const r=await V(t,n);if(r.jwks_uri){const a=await $(r.jwks_uri);for(const o of a.keys)y.jwks[o.kid]={...o,idpId:t}}}}async function $(e){return fetch(e,{headers:{Accept:"application/json"}}).then(t=>t.json())}async function Ye(e){return fetch(`${Q}/oidc/userinfo`,{headers:{Accept:"application/json",Authorization:`Bearer ${e}`}}).then(t=>t.status===200?t.json():void 0).catch(()=>{})}function Ge(e){if(!e.configurationUrl)return!1;const t=new URL(e.configurationUrl);return["localhost","127.0.0.1","blueharvest.cloud","bhstage.cloud","cloud.redocly.com","beta.redocly.com","cloud.eu.redocly.com","beta.eu.redocly.com","cba.au.redocly.com"].some(r=>Ae(t.hostname,r))}function Ae(e,t){return e===t||e.endsWith(`.${t}`)}async function Ze(e,t){const n=new U().parseFromString(e),r=i(n,"//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']")[0];if(!r)throw new Error("Cannot find Signature in the SAML response");const a=se(t),o=new B({publicCert:a});o.loadSignature(r);try{return o.checkSignature(e)}catch{return!1}}function et(e,t,n,r){t==="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"&&(e=n["http://schemas.microsoft.com/identity/claims/objectidentifier"]);let a;(t==="urn:oasis:names:tc:SAML:2.0:nameid-format:email"||t==="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")&&(a=e),t==="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"&&e?.match(/.+@.+/)&&(a=e);const o=n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],s=o?.match(/.+@.+/);return a=a||n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]||(s?o:void 0),a=a?.toLowerCase(),{sub:e,given_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],family_name:n["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],name:n["http://schemas.microsoft.com/identity/claims/displayname"]||o,email:a,email_verified:!0,teams:r?re(n[r]):[]}}function z(e,t={}){return e.map(n=>t[n]||n)}async function tt(e,t){if(!t)return{};const n=t.authorization;if(!n)return{};try{const r=p.decode(n);if(r.header.alg===I.RS256){y.jwks[r.header.kid]===void 0&&await we(e);const m=y.jwks[r.header.kid];if(!m)return y.jwks[r.header.kid]=null,{};await p.verify(n,m,r.header.alg)}else await p.verify(n,_,r.header.alg);const a=r.payload.idpId||y.jwks[r.header.kid]?.idpId,o=e[a]||{},s=xe(o),l=ge(o);return{...r.payload,email:r.payload.email?.toLowerCase(),idpId:a,teams:Array.from(new Set([...z(r.payload.teams||[],l),..."defaultTeams"in o&&o.defaultTeams||[],...z("teamsClaimName"in o&&r.payload[s||""]||[],l),G])),name:Se(r.payload),isAuthenticated:!0,idpAccessToken:t.idp_access_token,federatedAccessToken:t.federated_access_token,federatedIdToken:t.federated_id_token,authCookie:n}}catch(r){r instanceof ne||ee.error("Malformed JWT token: %s",r.message)}return{}}function Se(e){return e.name||e.given_name||e.email}function ge(e){switch(e.type){case u.SAML2:return e.teamsAttributeMap;case u.OIDC:return e.teamsClaimMap;default:return}}function xe(e){switch(e.type){case u.SAML2:return e.teamsAttributeName;case u.OIDC:return e.teamsClaimName;default:return K}}function i(e,t){return F.select(t,e)||[]}export{We as buildLoginUrl,de as buildOidcLoginUrl,Fe as buildOidcLogoutUrl,fe as buildSAML2LoginUrl,Je as createMcpAuthorizationCode,He as createMcpSessionResource,Ke as decodeSamlResponse,he as encodeSAML2,et as extractUserClaims,ze as getAuthProviderLoginParams,ce as getOidcLoginParams,V as getOidcMetadata,Ye as getRedoclyTokenPayload,ue as getSaml2LoginParams,tt as getUserParamsFromCookies,Se as getUsernameFromPayload,N as isOidcProviderConfig,Ge as isRedoclySso,ie as isSaml2ProviderConfig,Be as oidcExchangeCodeForToken,Qe as parseOidcState,me as parsePreviewBranch,Xe as parseSamlResponse,E as rewritePreviewAuthRedirectUri,qe as verifyMcpAuthorizationCode,Ze as verifySAMLResponse};

package/dist/server/web-server/routes/auth.d.ts

@@ -4,6 +4,7 @@ export declare function authorizeHandler(ctx: Context): Promise<Response>;
 export declare function redoclyLoginCallbackHandler(): Handler;
 export declare function oidcCallbackHandler(store: Store): Handler;
 export declare function logoutHandler(store: Store): (ctx: Context) => Promise<Response>;
+export declare function postLogoutHandler(store: Store): (ctx: Context) => Promise<Response>;
 export declare function inviteHandler(store: Store): (ctx: Context) => Promise<Response>;
 export declare function idpLoginHandler(store: Store): (ctx: Context) => Promise<Response>;
 export declare function samlCallbackHandler(store: Store): Handler;