@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28
- package/README.md +43 -36
- package/dist/bin.js +5765 -4880
- package/dist/browser/index.d.ts +30 -0
- package/dist/browser/index.js +93 -0
- package/dist/browser/locks.js +11 -0
- package/dist/browser/navigation.js +14 -0
- package/dist/{factors → browser}/passkey.js +23 -32
- package/dist/browser/runtime.js +92 -0
- package/dist/client/core/types.d.ts +452 -5
- package/dist/client/core/types.js +17 -0
- package/dist/client/errors.js +19 -0
- package/dist/client/factors/device.js +94 -0
- package/dist/{factors → client/factors}/totp.js +12 -4
- package/dist/client/index.d.ts +47 -1
- package/dist/client/index.js +269 -232
- package/dist/client/runtime/mutex.js +24 -0
- package/dist/client/runtime/proxy.js +30 -0
- package/dist/client/runtime/storage.js +45 -0
- package/dist/client/services/adapters.js +7 -0
- package/dist/client/services/http.js +6 -0
- package/dist/client/services/resolve.js +13 -0
- package/dist/client/services/runtime.js +6 -0
- package/dist/component/_generated/component.d.ts +1355 -1399
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/index.d.ts +4 -26
- package/dist/component/index.js +1 -1
- package/dist/component/model.d.ts +26 -112
- package/dist/component/model.js +76 -54
- package/dist/component/modules.js +38 -0
- package/dist/component/public/factors/devices.js +1 -1
- package/dist/component/public/factors/passkeys.js +1 -1
- package/dist/component/public/factors/totp.js +1 -1
- package/dist/component/public/groups/core.js +2 -2
- package/dist/component/public/groups/invites.js +1 -1
- package/dist/component/public/groups/members.js +1 -1
- package/dist/component/public/identity/accounts.js +1 -1
- package/dist/component/public/identity/codes.js +1 -1
- package/dist/component/public/identity/sessions.js +39 -2
- package/dist/component/public/identity/tokens.js +82 -4
- package/dist/component/public/identity/users.js +1 -1
- package/dist/component/public/identity/verifiers.js +10 -4
- package/dist/component/public/security/keys.js +1 -1
- package/dist/component/public/security/limits.js +1 -1
- package/dist/component/public/{enterprise → sso}/audit.js +26 -26
- package/dist/component/public/sso/core.js +263 -0
- package/dist/component/public/sso/domains.js +280 -0
- package/dist/component/public/{enterprise → sso}/scim.js +87 -87
- package/dist/component/public/sso/secrets.js +125 -0
- package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
- package/dist/component/public.js +9 -9
- package/dist/component/schema.d.ts +472 -393
- package/dist/component/schema.js +36 -35
- package/dist/core/index.d.ts +380 -0
- package/dist/core/index.js +83 -0
- package/dist/otel.d.ts +69 -0
- package/dist/otel.js +82 -0
- package/dist/providers/anonymous.d.ts +15 -34
- package/dist/providers/anonymous.js +27 -35
- package/dist/providers/apple.d.ts +59 -0
- package/dist/providers/apple.js +58 -0
- package/dist/providers/credentials.d.ts +18 -34
- package/dist/providers/credentials.js +16 -27
- package/dist/providers/custom.d.ts +94 -0
- package/dist/providers/custom.js +119 -0
- package/dist/providers/device.d.ts +15 -49
- package/dist/providers/device.js +17 -34
- package/dist/providers/email.d.ts +21 -38
- package/dist/providers/email.js +36 -55
- package/dist/providers/github.d.ts +54 -0
- package/dist/providers/github.js +75 -0
- package/dist/providers/google.d.ts +54 -0
- package/dist/providers/google.js +61 -0
- package/dist/providers/index.d.ts +16 -12
- package/dist/providers/index.js +15 -11
- package/dist/providers/microsoft.d.ts +57 -0
- package/dist/providers/microsoft.js +101 -0
- package/dist/providers/passkey.d.ts +19 -35
- package/dist/providers/passkey.js +20 -30
- package/dist/providers/password.d.ts +17 -18
- package/dist/providers/password.js +121 -143
- package/dist/providers/phone.d.ts +13 -28
- package/dist/providers/phone.js +21 -46
- package/dist/providers/sso.d.ts +16 -36
- package/dist/providers/sso.js +21 -22
- package/dist/providers/totp.d.ts +13 -29
- package/dist/providers/totp.js +17 -27
- package/dist/server/auth-context.d.ts +204 -0
- package/dist/server/auth-context.js +76 -0
- package/dist/server/auth.d.ts +99 -244
- package/dist/server/auth.js +56 -152
- package/dist/server/componentContext.d.ts +12 -0
- package/dist/server/componentContext.js +1 -0
- package/dist/server/config.js +6 -67
- package/dist/server/constants.js +6 -0
- package/dist/server/contract.d.ts +105 -0
- package/dist/server/contract.js +43 -0
- package/dist/server/cookies.js +3 -2
- package/dist/server/core.js +31 -36
- package/dist/server/crypto.js +34 -44
- package/dist/server/db.js +6 -1
- package/dist/server/device.js +96 -130
- package/dist/server/env.js +48 -0
- package/dist/server/errors.js +20 -0
- package/dist/server/http.d.ts +15 -59
- package/dist/server/http.js +136 -120
- package/dist/server/identity.js +2 -2
- package/dist/server/index.d.ts +5 -4
- package/dist/server/index.js +3 -3
- package/dist/server/keys.js +10 -1
- package/dist/server/limits.js +26 -26
- package/dist/server/log.js +28 -0
- package/dist/server/mounts.d.ts +1107 -296
- package/dist/server/mounts.js +315 -196
- package/dist/server/mutations/account.js +11 -14
- package/dist/server/mutations/code.js +6 -5
- package/dist/server/mutations/invalidate.js +9 -11
- package/dist/server/mutations/oauth.js +112 -73
- package/dist/server/mutations/refresh.js +47 -97
- package/dist/server/mutations/register.js +37 -35
- package/dist/server/mutations/retrieve.js +16 -16
- package/dist/server/mutations/signature.js +15 -18
- package/dist/server/mutations/signin.js +10 -5
- package/dist/server/mutations/signout.js +11 -14
- package/dist/server/mutations/store.js +25 -18
- package/dist/server/mutations/verifier.js +11 -8
- package/dist/server/mutations/verify.js +53 -41
- package/dist/server/oauth/factory.js +44 -0
- package/dist/server/oauth/index.js +12 -0
- package/dist/server/oauth/runtime.js +248 -0
- package/dist/server/passkey.js +331 -365
- package/dist/server/payloads.d.ts +16 -0
- package/dist/server/payloads.js +30 -0
- package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
- package/dist/server/prefetch.js +635 -0
- package/dist/server/random.js +19 -0
- package/dist/server/redirects.js +10 -5
- package/dist/server/refresh.js +14 -86
- package/dist/server/runtime.d.ts +531 -31
- package/dist/server/runtime.js +106 -267
- package/dist/server/secret.js +44 -0
- package/dist/server/services/config.js +10 -0
- package/dist/server/services/group.js +211 -0
- package/dist/server/services/logger.js +8 -0
- package/dist/server/services/providers.js +22 -0
- package/dist/server/services/refresh.js +8 -0
- package/dist/server/services/resolve.js +27 -0
- package/dist/server/services/signin.js +8 -0
- package/dist/server/sessions.js +35 -34
- package/dist/server/signin.js +229 -140
- package/dist/server/{enterprise → sso}/config.js +10 -3
- package/dist/server/sso/domain.d.ts +614 -0
- package/dist/server/sso/domain.js +1175 -0
- package/dist/server/sso/http.js +1060 -0
- package/dist/server/sso/oidc.js +324 -0
- package/dist/server/sso/policies.js +59 -0
- package/dist/server/sso/policy.js +139 -0
- package/dist/server/sso/profile.js +22 -0
- package/dist/server/sso/provision.js +179 -0
- package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
- package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
- package/dist/server/sso/shared.js +74 -0
- package/dist/server/sso/validators.js +88 -0
- package/dist/server/sso/webhook.js +94 -0
- package/dist/server/tokens.js +16 -4
- package/dist/server/totp.js +155 -164
- package/dist/server/types.d.ts +306 -296
- package/dist/server/types.js +1 -30
- package/dist/server/url.js +32 -0
- package/dist/server/users.js +74 -40
- package/dist/server/utils/cache.js +51 -0
- package/dist/server/utils/dispatch.js +36 -0
- package/dist/server/utils/retry.js +24 -0
- package/dist/server/utils/span.js +32 -0
- package/dist/shared/errors.js +19 -0
- package/dist/shared/log.js +45 -0
- package/{src/test.ts → dist/test.d.ts} +21 -22
- package/dist/test.js +51 -0
- package/package.json +70 -42
- package/dist/authorization/index.d.ts.map +0 -1
- package/dist/authorization/index.js.map +0 -1
- package/dist/client/core/types.d.ts.map +0 -1
- package/dist/client/index.d.ts.map +0 -1
- package/dist/client/index.js.map +0 -1
- package/dist/component/_generated/api.d.ts +0 -75
- package/dist/component/_generated/api.d.ts.map +0 -1
- package/dist/component/_generated/api.js.map +0 -1
- package/dist/component/_generated/component.d.ts.map +0 -1
- package/dist/component/_generated/dataModel.d.ts +0 -42
- package/dist/component/_generated/dataModel.d.ts.map +0 -1
- package/dist/component/_generated/server.d.ts +0 -117
- package/dist/component/_generated/server.d.ts.map +0 -1
- package/dist/component/_generated/server.js.map +0 -1
- package/dist/component/_virtual/rolldown_runtime.js +0 -18
- package/dist/component/client/core/types.d.ts +0 -2
- package/dist/component/client/index.d.ts +0 -1
- package/dist/component/convex.config.d.ts.map +0 -1
- package/dist/component/convex.config.js.map +0 -1
- package/dist/component/functions.d.ts +0 -25
- package/dist/component/functions.d.ts.map +0 -1
- package/dist/component/functions.js.map +0 -1
- package/dist/component/index.d.ts.map +0 -1
- package/dist/component/model.d.ts.map +0 -1
- package/dist/component/model.js.map +0 -1
- package/dist/component/providers/anonymous.d.ts +0 -54
- package/dist/component/providers/anonymous.d.ts.map +0 -1
- package/dist/component/providers/credentials.d.ts +0 -38
- package/dist/component/providers/credentials.d.ts.map +0 -1
- package/dist/component/providers/device.d.ts +0 -67
- package/dist/component/providers/device.d.ts.map +0 -1
- package/dist/component/providers/email.d.ts +0 -62
- package/dist/component/providers/email.d.ts.map +0 -1
- package/dist/component/providers/oauth.d.ts +0 -25
- package/dist/component/providers/oauth.d.ts.map +0 -1
- package/dist/component/providers/oauth.js +0 -13
- package/dist/component/providers/oauth.js.map +0 -1
- package/dist/component/providers/passkey.d.ts +0 -57
- package/dist/component/providers/passkey.d.ts.map +0 -1
- package/dist/component/providers/password.d.ts +0 -88
- package/dist/component/providers/password.d.ts.map +0 -1
- package/dist/component/providers/phone.d.ts +0 -48
- package/dist/component/providers/phone.d.ts.map +0 -1
- package/dist/component/providers/sso.d.ts +0 -50
- package/dist/component/providers/sso.d.ts.map +0 -1
- package/dist/component/providers/totp.d.ts +0 -45
- package/dist/component/providers/totp.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.d.ts +0 -73
- package/dist/component/public/enterprise/audit.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.js.map +0 -1
- package/dist/component/public/enterprise/core.d.ts +0 -176
- package/dist/component/public/enterprise/core.d.ts.map +0 -1
- package/dist/component/public/enterprise/core.js +0 -292
- package/dist/component/public/enterprise/core.js.map +0 -1
- package/dist/component/public/enterprise/domains.d.ts +0 -174
- package/dist/component/public/enterprise/domains.d.ts.map +0 -1
- package/dist/component/public/enterprise/domains.js +0 -271
- package/dist/component/public/enterprise/domains.js.map +0 -1
- package/dist/component/public/enterprise/scim.d.ts +0 -245
- package/dist/component/public/enterprise/scim.d.ts.map +0 -1
- package/dist/component/public/enterprise/scim.js.map +0 -1
- package/dist/component/public/enterprise/secrets.d.ts +0 -78
- package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
- package/dist/component/public/enterprise/secrets.js +0 -118
- package/dist/component/public/enterprise/secrets.js.map +0 -1
- package/dist/component/public/enterprise/webhooks.d.ts +0 -211
- package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
- package/dist/component/public/enterprise/webhooks.js.map +0 -1
- package/dist/component/public/factors/devices.d.ts +0 -157
- package/dist/component/public/factors/devices.d.ts.map +0 -1
- package/dist/component/public/factors/devices.js.map +0 -1
- package/dist/component/public/factors/passkeys.d.ts +0 -175
- package/dist/component/public/factors/passkeys.d.ts.map +0 -1
- package/dist/component/public/factors/passkeys.js.map +0 -1
- package/dist/component/public/factors/totp.d.ts +0 -189
- package/dist/component/public/factors/totp.d.ts.map +0 -1
- package/dist/component/public/factors/totp.js.map +0 -1
- package/dist/component/public/groups/core.d.ts +0 -137
- package/dist/component/public/groups/core.d.ts.map +0 -1
- package/dist/component/public/groups/core.js.map +0 -1
- package/dist/component/public/groups/invites.d.ts +0 -217
- package/dist/component/public/groups/invites.d.ts.map +0 -1
- package/dist/component/public/groups/invites.js.map +0 -1
- package/dist/component/public/groups/members.d.ts +0 -204
- package/dist/component/public/groups/members.d.ts.map +0 -1
- package/dist/component/public/groups/members.js.map +0 -1
- package/dist/component/public/identity/accounts.d.ts +0 -147
- package/dist/component/public/identity/accounts.d.ts.map +0 -1
- package/dist/component/public/identity/accounts.js.map +0 -1
- package/dist/component/public/identity/codes.d.ts +0 -104
- package/dist/component/public/identity/codes.d.ts.map +0 -1
- package/dist/component/public/identity/codes.js.map +0 -1
- package/dist/component/public/identity/sessions.d.ts +0 -128
- package/dist/component/public/identity/sessions.d.ts.map +0 -1
- package/dist/component/public/identity/sessions.js.map +0 -1
- package/dist/component/public/identity/tokens.d.ts +0 -169
- package/dist/component/public/identity/tokens.d.ts.map +0 -1
- package/dist/component/public/identity/tokens.js.map +0 -1
- package/dist/component/public/identity/users.d.ts +0 -212
- package/dist/component/public/identity/users.d.ts.map +0 -1
- package/dist/component/public/identity/users.js.map +0 -1
- package/dist/component/public/identity/verifiers.d.ts +0 -116
- package/dist/component/public/identity/verifiers.d.ts.map +0 -1
- package/dist/component/public/identity/verifiers.js.map +0 -1
- package/dist/component/public/security/keys.d.ts +0 -209
- package/dist/component/public/security/keys.d.ts.map +0 -1
- package/dist/component/public/security/keys.js.map +0 -1
- package/dist/component/public/security/limits.d.ts +0 -114
- package/dist/component/public/security/limits.d.ts.map +0 -1
- package/dist/component/public/security/limits.js.map +0 -1
- package/dist/component/public.d.ts +0 -28
- package/dist/component/public.d.ts.map +0 -1
- package/dist/component/schema.d.ts.map +0 -1
- package/dist/component/schema.js.map +0 -1
- package/dist/component/server/auth.d.ts +0 -447
- package/dist/component/server/auth.d.ts.map +0 -1
- package/dist/component/server/auth.js +0 -254
- package/dist/component/server/auth.js.map +0 -1
- package/dist/component/server/config.js +0 -121
- package/dist/component/server/config.js.map +0 -1
- package/dist/component/server/context.js +0 -53
- package/dist/component/server/context.js.map +0 -1
- package/dist/component/server/cookies.js +0 -47
- package/dist/component/server/cookies.js.map +0 -1
- package/dist/component/server/core.js +0 -576
- package/dist/component/server/core.js.map +0 -1
- package/dist/component/server/crypto.js +0 -56
- package/dist/component/server/crypto.js.map +0 -1
- package/dist/component/server/db.js +0 -87
- package/dist/component/server/db.js.map +0 -1
- package/dist/component/server/device.js +0 -152
- package/dist/component/server/device.js.map +0 -1
- package/dist/component/server/enterprise/config.js +0 -46
- package/dist/component/server/enterprise/config.js.map +0 -1
- package/dist/component/server/enterprise/domain.js +0 -974
- package/dist/component/server/enterprise/domain.js.map +0 -1
- package/dist/component/server/enterprise/http.js +0 -787
- package/dist/component/server/enterprise/http.js.map +0 -1
- package/dist/component/server/enterprise/oidc.js +0 -248
- package/dist/component/server/enterprise/oidc.js.map +0 -1
- package/dist/component/server/enterprise/policy.js +0 -85
- package/dist/component/server/enterprise/policy.js.map +0 -1
- package/dist/component/server/enterprise/saml.js.map +0 -1
- package/dist/component/server/enterprise/scim.js.map +0 -1
- package/dist/component/server/enterprise/shared.js +0 -51
- package/dist/component/server/enterprise/shared.js.map +0 -1
- package/dist/component/server/http.d.ts +0 -85
- package/dist/component/server/http.d.ts.map +0 -1
- package/dist/component/server/http.js +0 -351
- package/dist/component/server/http.js.map +0 -1
- package/dist/component/server/identity.js +0 -16
- package/dist/component/server/identity.js.map +0 -1
- package/dist/component/server/keys.js +0 -96
- package/dist/component/server/keys.js.map +0 -1
- package/dist/component/server/limits.js +0 -52
- package/dist/component/server/limits.js.map +0 -1
- package/dist/component/server/mutations/account.js +0 -46
- package/dist/component/server/mutations/account.js.map +0 -1
- package/dist/component/server/mutations/code.js +0 -68
- package/dist/component/server/mutations/code.js.map +0 -1
- package/dist/component/server/mutations/invalidate.js +0 -32
- package/dist/component/server/mutations/invalidate.js.map +0 -1
- package/dist/component/server/mutations/oauth.js +0 -116
- package/dist/component/server/mutations/oauth.js.map +0 -1
- package/dist/component/server/mutations/refresh.js +0 -119
- package/dist/component/server/mutations/refresh.js.map +0 -1
- package/dist/component/server/mutations/register.js +0 -87
- package/dist/component/server/mutations/register.js.map +0 -1
- package/dist/component/server/mutations/retrieve.js +0 -61
- package/dist/component/server/mutations/retrieve.js.map +0 -1
- package/dist/component/server/mutations/signature.js +0 -38
- package/dist/component/server/mutations/signature.js.map +0 -1
- package/dist/component/server/mutations/signin.js +0 -27
- package/dist/component/server/mutations/signin.js.map +0 -1
- package/dist/component/server/mutations/signout.js +0 -27
- package/dist/component/server/mutations/signout.js.map +0 -1
- package/dist/component/server/mutations/store/refs.js +0 -15
- package/dist/component/server/mutations/store/refs.js.map +0 -1
- package/dist/component/server/mutations/store.js +0 -70
- package/dist/component/server/mutations/store.js.map +0 -1
- package/dist/component/server/mutations/verifier.js +0 -18
- package/dist/component/server/mutations/verifier.js.map +0 -1
- package/dist/component/server/mutations/verify.js +0 -98
- package/dist/component/server/mutations/verify.js.map +0 -1
- package/dist/component/server/oauth.js +0 -242
- package/dist/component/server/oauth.js.map +0 -1
- package/dist/component/server/passkey.js +0 -415
- package/dist/component/server/passkey.js.map +0 -1
- package/dist/component/server/redirects.js +0 -40
- package/dist/component/server/redirects.js.map +0 -1
- package/dist/component/server/refresh.js +0 -99
- package/dist/component/server/refresh.js.map +0 -1
- package/dist/component/server/runtime.d.ts +0 -136
- package/dist/component/server/runtime.d.ts.map +0 -1
- package/dist/component/server/runtime.js +0 -456
- package/dist/component/server/runtime.js.map +0 -1
- package/dist/component/server/sessions.js +0 -71
- package/dist/component/server/sessions.js.map +0 -1
- package/dist/component/server/signin.js +0 -225
- package/dist/component/server/signin.js.map +0 -1
- package/dist/component/server/tokens.js +0 -17
- package/dist/component/server/tokens.js.map +0 -1
- package/dist/component/server/totp.js +0 -208
- package/dist/component/server/totp.js.map +0 -1
- package/dist/component/server/types.d.ts +0 -949
- package/dist/component/server/types.d.ts.map +0 -1
- package/dist/component/server/types.js +0 -79
- package/dist/component/server/types.js.map +0 -1
- package/dist/component/server/users.js +0 -123
- package/dist/component/server/users.js.map +0 -1
- package/dist/component/server/utils.js +0 -140
- package/dist/component/server/utils.js.map +0 -1
- package/dist/core/types.d.ts +0 -361
- package/dist/core/types.d.ts.map +0 -1
- package/dist/factors/device.js +0 -104
- package/dist/factors/device.js.map +0 -1
- package/dist/factors/passkey.js.map +0 -1
- package/dist/factors/totp.js.map +0 -1
- package/dist/providers/anonymous.d.ts.map +0 -1
- package/dist/providers/anonymous.js.map +0 -1
- package/dist/providers/credentials.d.ts.map +0 -1
- package/dist/providers/credentials.js.map +0 -1
- package/dist/providers/device.d.ts.map +0 -1
- package/dist/providers/device.js.map +0 -1
- package/dist/providers/email.d.ts.map +0 -1
- package/dist/providers/email.js.map +0 -1
- package/dist/providers/oauth.d.ts +0 -69
- package/dist/providers/oauth.d.ts.map +0 -1
- package/dist/providers/oauth.js +0 -43
- package/dist/providers/oauth.js.map +0 -1
- package/dist/providers/passkey.d.ts.map +0 -1
- package/dist/providers/passkey.js.map +0 -1
- package/dist/providers/password.d.ts.map +0 -1
- package/dist/providers/password.js.map +0 -1
- package/dist/providers/phone.d.ts.map +0 -1
- package/dist/providers/phone.js.map +0 -1
- package/dist/providers/sso.d.ts.map +0 -1
- package/dist/providers/sso.js.map +0 -1
- package/dist/providers/totp.d.ts.map +0 -1
- package/dist/providers/totp.js.map +0 -1
- package/dist/runtime/browser.js +0 -68
- package/dist/runtime/browser.js.map +0 -1
- package/dist/runtime/invite.js.map +0 -1
- package/dist/runtime/proxy.js +0 -70
- package/dist/runtime/proxy.js.map +0 -1
- package/dist/runtime/storage.js +0 -37
- package/dist/runtime/storage.js.map +0 -1
- package/dist/server/auth.d.ts.map +0 -1
- package/dist/server/auth.js.map +0 -1
- package/dist/server/config.d.ts +0 -1
- package/dist/server/config.js.map +0 -1
- package/dist/server/context.d.ts +0 -1
- package/dist/server/context.js.map +0 -1
- package/dist/server/cookies.d.ts +0 -1
- package/dist/server/cookies.js.map +0 -1
- package/dist/server/core.d.ts +0 -1315
- package/dist/server/core.d.ts.map +0 -1
- package/dist/server/core.js.map +0 -1
- package/dist/server/crypto.d.ts +0 -8
- package/dist/server/crypto.d.ts.map +0 -1
- package/dist/server/crypto.js.map +0 -1
- package/dist/server/db.d.ts +0 -1
- package/dist/server/db.js.map +0 -1
- package/dist/server/device.d.ts +0 -1
- package/dist/server/device.js.map +0 -1
- package/dist/server/enterprise/config.d.ts +0 -1
- package/dist/server/enterprise/config.js.map +0 -1
- package/dist/server/enterprise/domain.d.ts +0 -401
- package/dist/server/enterprise/domain.d.ts.map +0 -1
- package/dist/server/enterprise/domain.js +0 -974
- package/dist/server/enterprise/domain.js.map +0 -1
- package/dist/server/enterprise/http.d.ts +0 -26
- package/dist/server/enterprise/http.d.ts.map +0 -1
- package/dist/server/enterprise/http.js +0 -787
- package/dist/server/enterprise/http.js.map +0 -1
- package/dist/server/enterprise/oidc.d.ts +0 -1
- package/dist/server/enterprise/oidc.js +0 -248
- package/dist/server/enterprise/oidc.js.map +0 -1
- package/dist/server/enterprise/policy.d.ts +0 -1
- package/dist/server/enterprise/policy.js +0 -85
- package/dist/server/enterprise/policy.js.map +0 -1
- package/dist/server/enterprise/saml.d.ts +0 -1
- package/dist/server/enterprise/saml.js +0 -338
- package/dist/server/enterprise/saml.js.map +0 -1
- package/dist/server/enterprise/scim.d.ts +0 -1
- package/dist/server/enterprise/scim.js +0 -97
- package/dist/server/enterprise/scim.js.map +0 -1
- package/dist/server/enterprise/shared.d.ts +0 -5
- package/dist/server/enterprise/shared.d.ts.map +0 -1
- package/dist/server/enterprise/shared.js +0 -51
- package/dist/server/enterprise/shared.js.map +0 -1
- package/dist/server/enterprise/validators.d.ts +0 -1
- package/dist/server/enterprise/validators.js +0 -60
- package/dist/server/enterprise/validators.js.map +0 -1
- package/dist/server/http.d.ts.map +0 -1
- package/dist/server/http.js.map +0 -1
- package/dist/server/identity.d.ts +0 -1
- package/dist/server/identity.js.map +0 -1
- package/dist/server/keys.d.ts +0 -1
- package/dist/server/keys.js.map +0 -1
- package/dist/server/limits.d.ts +0 -1
- package/dist/server/limits.js.map +0 -1
- package/dist/server/mounts.d.ts.map +0 -1
- package/dist/server/mounts.js.map +0 -1
- package/dist/server/mutations/account.d.ts +0 -29
- package/dist/server/mutations/account.d.ts.map +0 -1
- package/dist/server/mutations/account.js.map +0 -1
- package/dist/server/mutations/code.d.ts +0 -30
- package/dist/server/mutations/code.d.ts.map +0 -1
- package/dist/server/mutations/code.js.map +0 -1
- package/dist/server/mutations/index.d.ts +0 -14
- package/dist/server/mutations/invalidate.d.ts +0 -20
- package/dist/server/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/mutations/invalidate.js.map +0 -1
- package/dist/server/mutations/oauth.d.ts +0 -30
- package/dist/server/mutations/oauth.d.ts.map +0 -1
- package/dist/server/mutations/oauth.js.map +0 -1
- package/dist/server/mutations/refresh.d.ts +0 -21
- package/dist/server/mutations/refresh.d.ts.map +0 -1
- package/dist/server/mutations/refresh.js.map +0 -1
- package/dist/server/mutations/register.d.ts +0 -38
- package/dist/server/mutations/register.d.ts.map +0 -1
- package/dist/server/mutations/register.js.map +0 -1
- package/dist/server/mutations/retrieve.d.ts +0 -33
- package/dist/server/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/mutations/retrieve.js.map +0 -1
- package/dist/server/mutations/signature.d.ts +0 -21
- package/dist/server/mutations/signature.d.ts.map +0 -1
- package/dist/server/mutations/signature.js.map +0 -1
- package/dist/server/mutations/signin.d.ts +0 -22
- package/dist/server/mutations/signin.d.ts.map +0 -1
- package/dist/server/mutations/signin.js.map +0 -1
- package/dist/server/mutations/signout.d.ts +0 -16
- package/dist/server/mutations/signout.d.ts.map +0 -1
- package/dist/server/mutations/signout.js.map +0 -1
- package/dist/server/mutations/store/refs.d.ts +0 -12
- package/dist/server/mutations/store/refs.d.ts.map +0 -1
- package/dist/server/mutations/store/refs.js.map +0 -1
- package/dist/server/mutations/store.d.ts +0 -306
- package/dist/server/mutations/store.d.ts.map +0 -1
- package/dist/server/mutations/store.js.map +0 -1
- package/dist/server/mutations/verifier.d.ts +0 -13
- package/dist/server/mutations/verifier.d.ts.map +0 -1
- package/dist/server/mutations/verifier.js.map +0 -1
- package/dist/server/mutations/verify.d.ts +0 -26
- package/dist/server/mutations/verify.d.ts.map +0 -1
- package/dist/server/mutations/verify.js.map +0 -1
- package/dist/server/oauth.d.ts +0 -1
- package/dist/server/oauth.js +0 -242
- package/dist/server/oauth.js.map +0 -1
- package/dist/server/passkey.d.ts +0 -27
- package/dist/server/passkey.d.ts.map +0 -1
- package/dist/server/passkey.js.map +0 -1
- package/dist/server/redirects.d.ts +0 -1
- package/dist/server/redirects.js.map +0 -1
- package/dist/server/refresh.d.ts +0 -1
- package/dist/server/refresh.js.map +0 -1
- package/dist/server/runtime.d.ts.map +0 -1
- package/dist/server/runtime.js.map +0 -1
- package/dist/server/sessions.d.ts +0 -1
- package/dist/server/sessions.js.map +0 -1
- package/dist/server/signin.d.ts +0 -1
- package/dist/server/signin.js.map +0 -1
- package/dist/server/ssr.d.ts.map +0 -1
- package/dist/server/ssr.js +0 -777
- package/dist/server/ssr.js.map +0 -1
- package/dist/server/templates.d.ts +0 -1
- package/dist/server/templates.js.map +0 -1
- package/dist/server/tokens.d.ts +0 -1
- package/dist/server/tokens.js.map +0 -1
- package/dist/server/totp.d.ts +0 -1
- package/dist/server/totp.js.map +0 -1
- package/dist/server/types.d.ts.map +0 -1
- package/dist/server/types.js.map +0 -1
- package/dist/server/users.d.ts +0 -1
- package/dist/server/users.js.map +0 -1
- package/dist/server/utils.d.ts +0 -1
- package/dist/server/utils.js +0 -140
- package/dist/server/utils.js.map +0 -1
- package/src/authorization/index.ts +0 -83
- package/src/cli/bin.ts +0 -5
- package/src/cli/command.ts +0 -70
- package/src/cli/index.ts +0 -1112
- package/src/cli/keys.ts +0 -23
- package/src/client/core/types.ts +0 -437
- package/src/client/factors/device.ts +0 -158
- package/src/client/factors/passkey.ts +0 -279
- package/src/client/factors/totp.ts +0 -150
- package/src/client/index.ts +0 -1124
- package/src/client/runtime/browser.ts +0 -112
- package/src/client/runtime/invite.ts +0 -63
- package/src/client/runtime/proxy.ts +0 -111
- package/src/client/runtime/storage.ts +0 -79
- package/src/component/_generated/api.ts +0 -96
- package/src/component/_generated/component.ts +0 -3774
- package/src/component/_generated/dataModel.ts +0 -60
- package/src/component/_generated/server.ts +0 -156
- package/src/component/convex.config.ts +0 -5
- package/src/component/functions.ts +0 -104
- package/src/component/index.ts +0 -42
- package/src/component/model.ts +0 -449
- package/src/component/public/enterprise/audit.ts +0 -125
- package/src/component/public/enterprise/core.ts +0 -355
- package/src/component/public/enterprise/domains.ts +0 -327
- package/src/component/public/enterprise/scim.ts +0 -397
- package/src/component/public/enterprise/secrets.ts +0 -133
- package/src/component/public/enterprise/webhooks.ts +0 -307
- package/src/component/public/factors/devices.ts +0 -224
- package/src/component/public/factors/passkeys.ts +0 -243
- package/src/component/public/factors/totp.ts +0 -259
- package/src/component/public/groups/core.ts +0 -481
- package/src/component/public/groups/invites.ts +0 -608
- package/src/component/public/groups/members.ts +0 -410
- package/src/component/public/identity/accounts.ts +0 -207
- package/src/component/public/identity/codes.ts +0 -149
- package/src/component/public/identity/sessions.ts +0 -210
- package/src/component/public/identity/tokens.ts +0 -251
- package/src/component/public/identity/users.ts +0 -355
- package/src/component/public/identity/verifiers.ts +0 -158
- package/src/component/public/security/keys.ts +0 -366
- package/src/component/public/security/limits.ts +0 -174
- package/src/component/public.ts +0 -27
- package/src/component/schema.ts +0 -505
- package/src/providers/anonymous.ts +0 -99
- package/src/providers/credentials.ts +0 -102
- package/src/providers/device.ts +0 -87
- package/src/providers/email.ts +0 -99
- package/src/providers/index.ts +0 -31
- package/src/providers/oauth.ts +0 -117
- package/src/providers/passkey.ts +0 -77
- package/src/providers/password.ts +0 -441
- package/src/providers/phone.ts +0 -93
- package/src/providers/sso.ts +0 -54
- package/src/providers/totp.ts +0 -62
- package/src/samlify.d.ts +0 -53
- package/src/server/auth.ts +0 -949
- package/src/server/config.ts +0 -200
- package/src/server/context.ts +0 -90
- package/src/server/cookies.ts +0 -49
- package/src/server/core.ts +0 -2004
- package/src/server/crypto.ts +0 -90
- package/src/server/db.ts +0 -203
- package/src/server/device.ts +0 -254
- package/src/server/enterprise/config.ts +0 -51
- package/src/server/enterprise/domain.ts +0 -1739
- package/src/server/enterprise/http.ts +0 -1331
- package/src/server/enterprise/oidc.ts +0 -500
- package/src/server/enterprise/policy.ts +0 -128
- package/src/server/enterprise/saml.ts +0 -578
- package/src/server/enterprise/scim.ts +0 -135
- package/src/server/enterprise/shared.ts +0 -134
- package/src/server/enterprise/validators.ts +0 -93
- package/src/server/http.ts +0 -790
- package/src/server/identity.ts +0 -18
- package/src/server/index.ts +0 -40
- package/src/server/keys.ts +0 -158
- package/src/server/limits.ts +0 -107
- package/src/server/mounts.ts +0 -924
- package/src/server/mutations/account.ts +0 -62
- package/src/server/mutations/code.ts +0 -119
- package/src/server/mutations/index.ts +0 -13
- package/src/server/mutations/invalidate.ts +0 -50
- package/src/server/mutations/oauth.ts +0 -243
- package/src/server/mutations/refresh.ts +0 -299
- package/src/server/mutations/register.ts +0 -155
- package/src/server/mutations/retrieve.ts +0 -109
- package/src/server/mutations/signature.ts +0 -57
- package/src/server/mutations/signin.ts +0 -54
- package/src/server/mutations/signout.ts +0 -43
- package/src/server/mutations/store/refs.ts +0 -10
- package/src/server/mutations/store.ts +0 -123
- package/src/server/mutations/verifier.ts +0 -34
- package/src/server/mutations/verify.ts +0 -200
- package/src/server/oauth.ts +0 -418
- package/src/server/passkey.ts +0 -838
- package/src/server/redirects.ts +0 -59
- package/src/server/refresh.ts +0 -218
- package/src/server/runtime.ts +0 -918
- package/src/server/sessions.ts +0 -132
- package/src/server/signin.ts +0 -445
- package/src/server/ssr.ts +0 -1747
- package/src/server/templates.ts +0 -82
- package/src/server/tokens.ts +0 -35
- package/src/server/totp.ts +0 -399
- package/src/server/types.ts +0 -1942
- package/src/server/users.ts +0 -291
- package/src/server/utils.ts +0 -220
- /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -0,0 +1,179 @@
|
|
|
1
|
+
import { getGroupConnection, getScimConfigByConnection, getScimConfigByTokenHash, getScimIdentity, upsertScimConfig, upsertScimIdentity } from "../contract.js";
|
|
2
|
+
import { ConvexError } from "convex/values";
|
|
3
|
+
|
|
4
|
+
//#region src/server/sso/provision.ts
|
|
5
|
+
function getScimConfigShape(scimConfig) {
|
|
6
|
+
return typeof scimConfig?.extend === "object" && scimConfig.extend !== null ? scimConfig.extend : {};
|
|
7
|
+
}
|
|
8
|
+
const convexError = (data) => new ConvexError(data);
|
|
9
|
+
function createGroupScimDomain(deps) {
|
|
10
|
+
const { config, requireEnv, generateRandomString, INVITE_TOKEN_ALPHABET, sha256, loadGroupPolicyOrThrow, recordGroupAuditEvent, emitGroupWebhookDeliveries } = deps;
|
|
11
|
+
const getScimBasePath = (connectionId) => `${requireEnv("CONVEX_SITE_URL")}/api/auth/connections/${connectionId}/scim/v2`;
|
|
12
|
+
const validateScim = async (ctx, connectionId) => {
|
|
13
|
+
const checks = [];
|
|
14
|
+
const connection = await getGroupConnection(ctx, config.component.public, connectionId);
|
|
15
|
+
if (!connection) return {
|
|
16
|
+
ok: false,
|
|
17
|
+
connectionId,
|
|
18
|
+
checks: [{
|
|
19
|
+
name: "group_connection_exists",
|
|
20
|
+
ok: false,
|
|
21
|
+
message: "Connection not found."
|
|
22
|
+
}]
|
|
23
|
+
};
|
|
24
|
+
const policy = await loadGroupPolicyOrThrow(ctx, connection.groupId);
|
|
25
|
+
const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
|
|
26
|
+
const hasConfig = scimConfig !== null && scimConfig !== void 0;
|
|
27
|
+
checks.push({
|
|
28
|
+
name: "scim_config_exists",
|
|
29
|
+
ok: hasConfig,
|
|
30
|
+
message: hasConfig ? void 0 : "SCIM has not been configured."
|
|
31
|
+
});
|
|
32
|
+
const isActive = scimConfig?.status === "active";
|
|
33
|
+
checks.push({
|
|
34
|
+
name: "scim_config_active",
|
|
35
|
+
ok: isActive,
|
|
36
|
+
message: isActive ? void 0 : `SCIM config status is ${hasConfig ? scimConfig?.status : "unknown"}.`
|
|
37
|
+
});
|
|
38
|
+
const hasToken = typeof scimConfig?.tokenHash === "string" && scimConfig.tokenHash.length > 0;
|
|
39
|
+
checks.push({
|
|
40
|
+
name: "token_hash_set",
|
|
41
|
+
ok: hasToken,
|
|
42
|
+
message: hasToken ? void 0 : "SCIM bearer token has not been set."
|
|
43
|
+
});
|
|
44
|
+
const hasBasePath = typeof scimConfig?.basePath === "string" && scimConfig.basePath === getScimBasePath(connection._id);
|
|
45
|
+
checks.push({
|
|
46
|
+
name: "base_path_matches_route",
|
|
47
|
+
ok: hasBasePath,
|
|
48
|
+
message: hasBasePath ? void 0 : "SCIM basePath does not match the derived route."
|
|
49
|
+
});
|
|
50
|
+
const supportsIdempotentExternalId = policy.provisioning.scimReuse.user === "externalId";
|
|
51
|
+
checks.push({
|
|
52
|
+
name: "user_external_id_reuse_enabled",
|
|
53
|
+
ok: supportsIdempotentExternalId,
|
|
54
|
+
message: supportsIdempotentExternalId ? void 0 : "SCIM user retry-safe provisioning works best with scimReuse.user = externalId."
|
|
55
|
+
});
|
|
56
|
+
checks.push({
|
|
57
|
+
name: "filter_subset_supported",
|
|
58
|
+
ok: true,
|
|
59
|
+
message: "Supported filters: eq, co, sw, ew, pr on common user/group fields."
|
|
60
|
+
});
|
|
61
|
+
checks.push({
|
|
62
|
+
name: "protocol_capabilities_declared",
|
|
63
|
+
ok: true
|
|
64
|
+
});
|
|
65
|
+
return {
|
|
66
|
+
ok: checks.every((c) => c.ok),
|
|
67
|
+
connectionId: connection._id,
|
|
68
|
+
basePath: getScimBasePath(connection._id),
|
|
69
|
+
deprovisionMode: policy.provisioning.deprovision.mode,
|
|
70
|
+
capabilities: {
|
|
71
|
+
users: true,
|
|
72
|
+
groups: true,
|
|
73
|
+
patch: true,
|
|
74
|
+
put: true,
|
|
75
|
+
filters: [
|
|
76
|
+
"eq",
|
|
77
|
+
"co",
|
|
78
|
+
"sw",
|
|
79
|
+
"ew",
|
|
80
|
+
"pr"
|
|
81
|
+
],
|
|
82
|
+
bulk: false,
|
|
83
|
+
etag: false
|
|
84
|
+
},
|
|
85
|
+
checks
|
|
86
|
+
};
|
|
87
|
+
};
|
|
88
|
+
return {
|
|
89
|
+
configure: async (ctx, data) => {
|
|
90
|
+
const connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
|
|
91
|
+
if (connection === null) throw convexError({
|
|
92
|
+
code: "INVALID_PARAMETERS",
|
|
93
|
+
message: "Connection not found."
|
|
94
|
+
});
|
|
95
|
+
const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
|
|
96
|
+
const tokenHash = await sha256(rawToken);
|
|
97
|
+
const basePath = getScimBasePath(connection._id);
|
|
98
|
+
const configId = await upsertScimConfig(ctx, config.component.public, {
|
|
99
|
+
connectionId: connection._id,
|
|
100
|
+
groupId: connection.groupId,
|
|
101
|
+
status: data.status ?? "active",
|
|
102
|
+
basePath,
|
|
103
|
+
tokenHash,
|
|
104
|
+
lastRotatedAt: Date.now(),
|
|
105
|
+
extend: {
|
|
106
|
+
security: data.security,
|
|
107
|
+
profile: data.profile
|
|
108
|
+
}
|
|
109
|
+
});
|
|
110
|
+
const auditEventId = await recordGroupAuditEvent(ctx, {
|
|
111
|
+
connectionId: connection._id,
|
|
112
|
+
groupId: connection.groupId,
|
|
113
|
+
eventType: "group.sso.scim.configured",
|
|
114
|
+
actorType: "system",
|
|
115
|
+
subjectType: "group_connection_scim",
|
|
116
|
+
subjectId: configId,
|
|
117
|
+
ok: true
|
|
118
|
+
});
|
|
119
|
+
await emitGroupWebhookDeliveries(ctx, {
|
|
120
|
+
connectionId: connection._id,
|
|
121
|
+
eventType: "group.sso.scim.configured",
|
|
122
|
+
auditEventId,
|
|
123
|
+
payload: {
|
|
124
|
+
connectionId: connection._id,
|
|
125
|
+
scimConfigId: configId
|
|
126
|
+
}
|
|
127
|
+
});
|
|
128
|
+
return {
|
|
129
|
+
connectionId: connection._id,
|
|
130
|
+
configId,
|
|
131
|
+
basePath,
|
|
132
|
+
token: rawToken
|
|
133
|
+
};
|
|
134
|
+
},
|
|
135
|
+
get: async (ctx, connectionId) => {
|
|
136
|
+
const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
|
|
137
|
+
if (!scimConfig) return null;
|
|
138
|
+
const shape = getScimConfigShape(scimConfig);
|
|
139
|
+
return {
|
|
140
|
+
...scimConfig,
|
|
141
|
+
security: shape.security,
|
|
142
|
+
profile: shape.profile
|
|
143
|
+
};
|
|
144
|
+
},
|
|
145
|
+
status: async (ctx, connectionId) => {
|
|
146
|
+
const currentConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
|
|
147
|
+
const result = await validateScim(ctx, connectionId);
|
|
148
|
+
return {
|
|
149
|
+
connectionId,
|
|
150
|
+
configured: currentConfig?.status !== void 0,
|
|
151
|
+
ready: result.ok,
|
|
152
|
+
config: currentConfig,
|
|
153
|
+
checks: result.checks,
|
|
154
|
+
capabilities: "capabilities" in result ? result.capabilities : void 0
|
|
155
|
+
};
|
|
156
|
+
},
|
|
157
|
+
getConfigByToken: async (ctx, token) => {
|
|
158
|
+
return await getScimConfigByTokenHash(ctx, config.component.public, await sha256(token));
|
|
159
|
+
},
|
|
160
|
+
validate: async (ctx, connectionId) => {
|
|
161
|
+
return await validateScim(ctx, connectionId);
|
|
162
|
+
},
|
|
163
|
+
identity: {
|
|
164
|
+
get: async (ctx, data) => {
|
|
165
|
+
return await getScimIdentity(ctx, config.component.public, data);
|
|
166
|
+
},
|
|
167
|
+
upsert: async (ctx, data) => {
|
|
168
|
+
return await upsertScimIdentity(ctx, config.component.public, {
|
|
169
|
+
...data,
|
|
170
|
+
lastProvisionedAt: Date.now()
|
|
171
|
+
});
|
|
172
|
+
}
|
|
173
|
+
}
|
|
174
|
+
};
|
|
175
|
+
}
|
|
176
|
+
|
|
177
|
+
//#endregion
|
|
178
|
+
export { createGroupScimDomain };
|
|
179
|
+
//# sourceMappingURL=provision.js.map
|
|
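Review bot: `getConfigByToken` (new-file lines 157–159) returns whatever config matches the token hash without looking at `status`, so a config that has been set to a non-active status still resolves for bearer-token lookups unless every caller re-checks it; `validateScim` in the same hunk already treats anything other than `"active"` as not ready, so the lookup should agree with it: `const scimConfig = await getScimConfigByTokenHash(ctx, config.component.public, await sha256(token));` followed by `return scimConfig?.status === "active" ? scimConfig : null;`. Also worth documenting on `configure` (new-file lines 89–134): every call generates a fresh token and overwrites `tokenHash` and `lastRotatedAt`, so re-running it just to change `security` or `profile` silently invalidates the previously issued bearer token — a comment such as `// Always rotates the bearer token; the raw value is returned once and only its SHA-256 is persisted.` would make that contract explicit to callers.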
@@ -1,9 +1,11 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { log } from "../log.js";
|
|
2
|
+
import { finalizeNormalizedProfile, normalizeStringArray } from "./profile.js";
|
|
3
|
+
import { asRecord, getGroupSamlUrls } from "./shared.js";
|
|
2
4
|
import { getSamlConfig } from "./config.js";
|
|
3
5
|
import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
|
|
4
6
|
import { Constants, IdentityProvider, ServiceProvider, setSchemaValidator } from "@robelest/samlify";
|
|
5
7
|
|
|
6
|
-
//#region src/server/
|
|
8
|
+
//#region src/server/sso/saml.ts
|
|
7
9
|
const _samlifyPermissiveValidator = { validate: (_xml) => Promise.resolve("OK") };
|
|
8
10
|
function ensureSamlifyValidator() {
|
|
9
11
|
setSchemaValidator(_samlifyPermissiveValidator);
|
|
@@ -26,7 +28,7 @@ function decodeRelayState(value) {
|
|
|
26
28
|
}
|
|
27
29
|
}
|
|
28
30
|
/** @internal */
|
|
29
|
-
function
|
|
31
|
+
function encodeGroupSamlRelayState(value) {
|
|
30
32
|
return encodeBase64urlNoPadding(new TextEncoder().encode(JSON.stringify({
|
|
31
33
|
source: `${value.source.kind}:${value.source.id}`,
|
|
32
34
|
signature: value.signature,
|
|
@@ -36,13 +38,13 @@ function encodeEnterpriseSamlRelayState(value) {
|
|
|
36
38
|
})));
|
|
37
39
|
}
|
|
38
40
|
/** @internal */
|
|
39
|
-
function
|
|
41
|
+
function decodeGroupSamlRelayStateOrThrow(value) {
|
|
40
42
|
if (!value) throw new Error("Missing SAML RelayState.");
|
|
41
43
|
const decoded = decodeRelayState(value);
|
|
42
44
|
if (typeof decoded.source !== "string" || typeof decoded.signature !== "string" || typeof decoded.requestId !== "string" || typeof decoded.state !== "string") throw new Error("Invalid SAML RelayState.");
|
|
43
45
|
const [kind, ...rest] = decoded.source.split(":");
|
|
44
46
|
const id = rest.join(":");
|
|
45
|
-
if (kind !== "
|
|
47
|
+
if (kind !== "connection" || id.length === 0) throw new Error("Invalid group connection SAML source.");
|
|
46
48
|
return {
|
|
47
49
|
source: {
|
|
48
50
|
kind,
|
|
@@ -68,7 +70,7 @@ async function readRequestBody(request) {
|
|
|
68
70
|
return {};
|
|
69
71
|
}
|
|
70
72
|
/** @internal */
|
|
71
|
-
async function
|
|
73
|
+
async function readGroupConnectionSamlHttpRequest(request) {
|
|
72
74
|
const url = new URL(request.url);
|
|
73
75
|
const body = await readRequestBody(request);
|
|
74
76
|
return {
|
|
@@ -81,32 +83,76 @@ async function readEnterpriseSamlHttpRequest(request) {
|
|
|
81
83
|
hasSamlResponse: Boolean(body.SAMLResponse ?? url.searchParams.get("SAMLResponse"))
|
|
82
84
|
};
|
|
83
85
|
}
|
|
86
|
+
function getSamlSecurityConfig(config) {
|
|
87
|
+
return asRecord(getSamlConfig(config).security) ?? {};
|
|
88
|
+
}
|
|
84
89
|
/** @internal */
|
|
85
90
|
function parseSamlIdpMetadata(metadata) {
|
|
86
|
-
const
|
|
87
|
-
const
|
|
88
|
-
|
|
91
|
+
const source = typeof metadata === "string" ? metadata : String(metadata);
|
|
92
|
+
const entityId = source.match(/<[^>]*EntityDescriptor\b[^>]*\bentityID="([^"]+)"/i)?.[1] ?? null;
|
|
93
|
+
if (!entityId) throw new Error("SAML metadata is missing EntityDescriptor@entityID.");
|
|
94
|
+
const parseAttributes = (source$1) => {
|
|
95
|
+
const attributes = {};
|
|
96
|
+
for (const match of source$1.matchAll(/([A-Za-z_:][\w:.-]*)="([^"]*)"/g)) attributes[match[1]] = match[2];
|
|
97
|
+
return attributes;
|
|
98
|
+
};
|
|
99
|
+
const readServiceBindings = (tagName) => {
|
|
100
|
+
const bindings = {};
|
|
101
|
+
const pattern = new RegExp(`<(?:[A-Za-z0-9_.-]+:)?${tagName}\\b([^>]*)\\/?>(?:<\\/(?:[A-Za-z0-9_.-]+:)?${tagName}>)?`, "gi");
|
|
102
|
+
for (const match of source.matchAll(pattern)) {
|
|
103
|
+
const attrs = parseAttributes(match[1] ?? "");
|
|
104
|
+
const binding = attrs.Binding ?? attrs.binding;
|
|
105
|
+
const location = attrs.Location ?? attrs.location;
|
|
106
|
+
if (!binding || !location) continue;
|
|
107
|
+
if (binding.includes("HTTP-Redirect")) bindings.redirect = location;
|
|
108
|
+
if (binding.includes("HTTP-POST")) bindings.post = location;
|
|
109
|
+
}
|
|
110
|
+
return bindings;
|
|
111
|
+
};
|
|
112
|
+
const readCertificates = (use) => {
|
|
113
|
+
const certs = [];
|
|
114
|
+
const blockPattern = new RegExp(`<(?:[A-Za-z0-9_.-]+:)?KeyDescriptor\\b([^>]*)>([\\s\\S]*?)<\\/(?:[A-Za-z0-9_.-]+:)?KeyDescriptor>`, "gi");
|
|
115
|
+
for (const match of source.matchAll(blockPattern)) {
|
|
116
|
+
const attrs = parseAttributes(match[1] ?? "");
|
|
117
|
+
if ((attrs.use ?? attrs.Use ?? "signing").toLowerCase() !== use) continue;
|
|
118
|
+
for (const certMatch of (match[2] ?? "").matchAll(/<(?:[A-Za-z0-9_.-]+:)?X509Certificate>([\s\S]*?)<\/(?:[A-Za-z0-9_.-]+:)?X509Certificate>/gi)) {
|
|
119
|
+
const certificate = certMatch[1]?.replace(/\s+/g, "").trim();
|
|
120
|
+
if (certificate) certs.push(certificate);
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
if (certs.length === 0) return null;
|
|
124
|
+
return certs.length === 1 ? certs[0] : certs;
|
|
89
125
|
};
|
|
126
|
+
const nameIdFormats = [...source.matchAll(/<(?:[A-Za-z0-9_.-]+:)?NameIDFormat>([\s\S]*?)<\/(?:[A-Za-z0-9_.-]+:)?NameIDFormat>/gi)].map((match) => match[1]?.trim()).filter((value) => Boolean(value));
|
|
90
127
|
return {
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
},
|
|
100
|
-
signingCert: entityMeta.getX509Certificate("signing"),
|
|
101
|
-
encryptionCert: entityMeta.getX509Certificate("encrypt"),
|
|
102
|
-
nameIdFormats: (() => {
|
|
103
|
-
const nameIdFormat = entityMeta.getNameIDFormat();
|
|
104
|
-
return Array.isArray(nameIdFormat) ? nameIdFormat : [];
|
|
105
|
-
})(),
|
|
106
|
-
wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned()
|
|
128
|
+
entityId,
|
|
129
|
+
issuer: entityId,
|
|
130
|
+
sso: readServiceBindings("SingleSignOnService"),
|
|
131
|
+
slo: readServiceBindings("SingleLogoutService"),
|
|
132
|
+
signingCert: readCertificates("signing"),
|
|
133
|
+
encryptionCert: readCertificates("encryption"),
|
|
134
|
+
nameIdFormats,
|
|
135
|
+
wantsSignedAuthnRequests: /WantAuthnRequestsSigned="true"/i.test(source)
|
|
107
136
|
};
|
|
108
137
|
}
|
|
109
138
|
/** @internal */
|
|
139
|
+
function enforceSamlMetadataSize(opts) {
|
|
140
|
+
const maxMetadataSize = getSamlSecurityConfig(opts.config).maxMetadataSize;
|
|
141
|
+
if (typeof maxMetadataSize === "number" && maxMetadataSize > 0 && opts.metadataXml.length > maxMetadataSize) throw new Error("SAML metadata exceeds the configured size limit.");
|
|
142
|
+
}
|
|
143
|
+
/** @internal */
|
|
144
|
+
function parseSamlIdpMetadataChecked(opts) {
|
|
145
|
+
enforceSamlMetadataSize(opts);
|
|
146
|
+
return parseSamlIdpMetadata(opts.metadataXml);
|
|
147
|
+
}
|
|
148
|
+
/** @internal */
|
|
149
|
+
function enforceSamlResponseSize(opts) {
|
|
150
|
+
const maxResponseSize = getSamlSecurityConfig(opts.config).maxResponseSize;
|
|
151
|
+
if (typeof maxResponseSize !== "number" || maxResponseSize <= 0) return;
|
|
152
|
+
const encoded = opts.request.body.SAMLResponse ?? opts.request.query.SAMLResponse;
|
|
153
|
+
if (typeof encoded === "string" && encoded.length > maxResponseSize) throw new Error("SAML response exceeds the configured size limit.");
|
|
154
|
+
}
|
|
155
|
+
/** @internal */
|
|
110
156
|
function createServiceProviderMetadata(opts) {
|
|
111
157
|
const binding = Constants.namespace.binding;
|
|
112
158
|
return ServiceProvider({
|
|
@@ -132,7 +178,7 @@ function createServiceProviderMetadata(opts) {
|
|
|
132
178
|
}).getMetadata();
|
|
133
179
|
}
|
|
134
180
|
/** @internal */
|
|
135
|
-
function
|
|
181
|
+
function createGroupConnectionSamlMetadataXml(opts) {
|
|
136
182
|
return createServiceProviderMetadata(getSamlServiceProviderOptions({
|
|
137
183
|
rootUrl: opts.rootUrl,
|
|
138
184
|
source: opts.source,
|
|
@@ -142,8 +188,8 @@ function createEnterpriseSamlMetadataXml(opts) {
|
|
|
142
188
|
/** @internal */
|
|
143
189
|
function getSamlServiceProviderOptions(opts) {
|
|
144
190
|
const saml = getSamlConfig(opts.config);
|
|
145
|
-
const sp = asRecord(saml.
|
|
146
|
-
const urls =
|
|
191
|
+
const sp = asRecord(saml.serviceProvider) ?? {};
|
|
192
|
+
const urls = getGroupSamlUrls({
|
|
147
193
|
rootUrl: opts.rootUrl,
|
|
148
194
|
source: opts.source
|
|
149
195
|
});
|
|
@@ -152,7 +198,7 @@ function getSamlServiceProviderOptions(opts) {
|
|
|
152
198
|
acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,
|
|
153
199
|
sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,
|
|
154
200
|
relayState: opts.relayState,
|
|
155
|
-
authnRequestsSigned: saml.signAuthnRequests,
|
|
201
|
+
authnRequestsSigned: saml.request?.signAuthnRequests,
|
|
156
202
|
signingCert: sp.signingCert,
|
|
157
203
|
encryptCert: sp.encryptCert,
|
|
158
204
|
privateKey: sp.privateKey,
|
|
@@ -188,7 +234,7 @@ function createSamlServiceProvider(opts) {
|
|
|
188
234
|
});
|
|
189
235
|
}
|
|
190
236
|
/** @internal */
|
|
191
|
-
function
|
|
237
|
+
function createGroupConnectionSamlRuntime(opts) {
|
|
192
238
|
const saml = getSamlConfig(opts.config);
|
|
193
239
|
const spOptions = getSamlServiceProviderOptions({
|
|
194
240
|
rootUrl: opts.rootUrl,
|
|
@@ -202,22 +248,51 @@ function createEnterpriseSamlRuntime(opts) {
|
|
|
202
248
|
saml,
|
|
203
249
|
sp: createSamlServiceProvider(spOptions),
|
|
204
250
|
idp: IdentityProvider({ metadata: saml.idp.metadataXml }),
|
|
205
|
-
urls:
|
|
251
|
+
urls: getGroupSamlUrls({
|
|
206
252
|
rootUrl: opts.rootUrl,
|
|
207
253
|
source: opts.source
|
|
208
254
|
})
|
|
209
255
|
};
|
|
210
256
|
}
|
|
257
|
+
function verifySamlTimeWindow(notBefore, notOnOrAfter, clockSkewSeconds) {
|
|
258
|
+
const now = Date.now();
|
|
259
|
+
const drift = clockSkewSeconds * 1e3;
|
|
260
|
+
if (notBefore) {
|
|
261
|
+
const notBeforeTime = new Date(notBefore).getTime();
|
|
262
|
+
if (Number.isFinite(notBeforeTime) && now < notBeforeTime - drift) throw new Error("SAML assertion is not yet valid.");
|
|
263
|
+
}
|
|
264
|
+
if (notOnOrAfter) {
|
|
265
|
+
const notOnOrAfterTime = new Date(notOnOrAfter).getTime();
|
|
266
|
+
if (Number.isFinite(notOnOrAfterTime) && now >= notOnOrAfterTime + drift) throw new Error("SAML assertion has expired.");
|
|
267
|
+
}
|
|
268
|
+
}
|
|
269
|
+
/** @internal */
|
|
270
|
+
function enforceGroupConnectionSamlSecurity(opts) {
|
|
271
|
+
enforceSamlAlgorithmPolicy(opts);
|
|
272
|
+
const security = asRecord(getSamlConfig(opts.config).security) ?? {};
|
|
273
|
+
const conditions = opts.extract?.conditions;
|
|
274
|
+
if (security.requireSignedAssertions === true && typeof opts.extract?.signature?.signatureAlgorithm !== "string") throw new Error("SAML assertion must be signed.");
|
|
275
|
+
if (security.requireTimestamps === true) {
|
|
276
|
+
if (!conditions?.notBefore && !conditions?.notOnOrAfter) throw new Error("SAML assertion missing required timestamp conditions.");
|
|
277
|
+
}
|
|
278
|
+
if (conditions?.notBefore || conditions?.notOnOrAfter) verifySamlTimeWindow(conditions.notBefore, conditions.notOnOrAfter, security.clockSkewSeconds ?? 300);
|
|
279
|
+
}
|
|
280
|
+
function toSamlHttpRequest(request) {
|
|
281
|
+
return {
|
|
282
|
+
query: request.query,
|
|
283
|
+
body: request.body
|
|
284
|
+
};
|
|
285
|
+
}
|
|
211
286
|
/** @internal */
|
|
212
|
-
function
|
|
213
|
-
const runtime =
|
|
287
|
+
function createGroupConnectionSamlSignInRequest(opts) {
|
|
288
|
+
const runtime = createGroupConnectionSamlRuntime({
|
|
214
289
|
rootUrl: opts.rootUrl,
|
|
215
290
|
source: opts.source,
|
|
216
291
|
config: opts.config
|
|
217
292
|
});
|
|
218
|
-
const binding = runtime.saml.idp
|
|
293
|
+
const binding = runtime.saml.idp?.sso?.redirect ? "redirect" : "post";
|
|
219
294
|
const loginRequest = runtime.sp.createLoginRequest(runtime.idp, binding);
|
|
220
|
-
const relayState =
|
|
295
|
+
const relayState = encodeGroupSamlRelayState({
|
|
221
296
|
source: opts.source,
|
|
222
297
|
signature: opts.signature,
|
|
223
298
|
requestId: loginRequest.id,
|
|
@@ -240,24 +315,25 @@ function createEnterpriseSamlSignInRequest(opts) {
|
|
|
240
315
|
};
|
|
241
316
|
}
|
|
242
317
|
/** @internal */
|
|
243
|
-
async function
|
|
318
|
+
async function parseGroupConnectionSamlLoginResponse(opts) {
|
|
244
319
|
ensureSamlifyValidator();
|
|
245
|
-
const httpRequest = await
|
|
246
|
-
|
|
320
|
+
const httpRequest = await readGroupConnectionSamlHttpRequest(opts.request);
|
|
321
|
+
enforceSamlResponseSize({
|
|
322
|
+
request: httpRequest,
|
|
323
|
+
config: opts.config
|
|
324
|
+
});
|
|
325
|
+
const runtime = createGroupConnectionSamlRuntime({
|
|
247
326
|
rootUrl: opts.rootUrl,
|
|
248
327
|
source: opts.source,
|
|
249
328
|
config: opts.config
|
|
250
329
|
});
|
|
251
|
-
const parsed = await runtime.sp.parseLoginResponse(runtime.idp, httpRequest.binding,
|
|
252
|
-
query: httpRequest.query,
|
|
253
|
-
body: httpRequest.body
|
|
254
|
-
});
|
|
330
|
+
const parsed = await runtime.sp.parseLoginResponse(runtime.idp, httpRequest.binding, toSamlHttpRequest(httpRequest));
|
|
255
331
|
warnWeakSamlAlgorithms(parsed);
|
|
256
332
|
return {
|
|
257
333
|
...httpRequest,
|
|
258
334
|
runtime,
|
|
259
335
|
parsed,
|
|
260
|
-
relayState:
|
|
336
|
+
relayState: decodeGroupSamlRelayStateOrThrow(httpRequest.relayState ?? null)
|
|
261
337
|
};
|
|
262
338
|
}
|
|
263
339
|
const WEAK_SAML_ALGORITHMS = new Set([
|
|
@@ -275,28 +351,32 @@ function warnWeakSamlAlgorithms(parsed) {
|
|
|
275
351
|
try {
|
|
276
352
|
const sigAlg = parsed?.extract?.signature?.signatureAlgorithm ?? parsed?.extract?.response?.signatureAlgorithm;
|
|
277
353
|
const digestAlg = parsed?.extract?.signature?.digestAlgorithm;
|
|
278
|
-
if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg))
|
|
279
|
-
if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg))
|
|
354
|
+
if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) log("WARN", `[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. Consider upgrading your IdP to use RSA-SHA256 or stronger.`);
|
|
355
|
+
if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) log("WARN", `[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. Consider upgrading your IdP to use SHA-256 or stronger.`);
|
|
280
356
|
} catch {}
|
|
281
357
|
}
|
|
282
358
|
/** @internal */
|
|
283
|
-
function
|
|
359
|
+
function enforceSamlAlgorithmPolicy(opts) {
|
|
360
|
+
if (getSamlSecurityConfig(opts.config).weakAlgorithmHandling !== "reject") return;
|
|
361
|
+
const sigAlg = opts.extract?.signature?.signatureAlgorithm ?? opts.extract?.response?.signatureAlgorithm;
|
|
362
|
+
const digestAlg = opts.extract?.signature?.digestAlgorithm;
|
|
363
|
+
if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg) || digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) throw new Error("SAML response uses a rejected weak cryptographic algorithm.");
|
|
364
|
+
}
|
|
365
|
+
/** @internal */
|
|
366
|
+
function validateGroupConnectionSamlLoginRelayState(opts) {
|
|
284
367
|
if (opts.relayState.source.kind !== opts.source.kind || opts.relayState.source.id !== opts.source.id || opts.relayState.requestId !== opts.inResponseTo) throw new Error("SAML RelayState did not match the pending login request.");
|
|
285
368
|
}
|
|
286
369
|
/** @internal */
|
|
287
|
-
async function
|
|
370
|
+
async function parseGroupConnectionSamlLogoutMessage(opts) {
|
|
288
371
|
ensureSamlifyValidator();
|
|
289
|
-
const httpRequest = await
|
|
290
|
-
const runtime =
|
|
372
|
+
const httpRequest = await readGroupConnectionSamlHttpRequest(opts.request);
|
|
373
|
+
const runtime = createGroupConnectionSamlRuntime({
|
|
291
374
|
rootUrl: opts.rootUrl,
|
|
292
375
|
source: opts.source,
|
|
293
376
|
config: opts.config,
|
|
294
377
|
relayState: httpRequest.relayState
|
|
295
378
|
});
|
|
296
|
-
const parsedRequest = httpRequest.hasSamlRequest ? await runtime.sp.parseLogoutRequest(runtime.idp, httpRequest.binding,
|
|
297
|
-
query: httpRequest.query,
|
|
298
|
-
body: httpRequest.body
|
|
299
|
-
}) : void 0;
|
|
379
|
+
const parsedRequest = httpRequest.hasSamlRequest ? await runtime.sp.parseLogoutRequest(runtime.idp, httpRequest.binding, toSamlHttpRequest(httpRequest)) : void 0;
|
|
300
380
|
return {
|
|
301
381
|
...httpRequest,
|
|
302
382
|
runtime,
|
|
@@ -316,23 +396,29 @@ function profileFromSamlExtract(extract, mapping) {
|
|
|
316
396
|
};
|
|
317
397
|
const fieldResolvers = {
|
|
318
398
|
email: () => resolveFirst(mapping?.email),
|
|
399
|
+
groups: () => normalizeStringArray(resolveFirst(mapping?.groups)),
|
|
319
400
|
name: () => resolveFirst(mapping?.name) ?? ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)].filter(Boolean).join(" ") || void 0),
|
|
401
|
+
roles: () => normalizeStringArray(resolveFirst(mapping?.roles)),
|
|
320
402
|
subject: () => resolveFirst(mapping?.subject) ?? extract?.nameID
|
|
321
403
|
};
|
|
322
404
|
const subject = fieldResolvers.subject();
|
|
323
405
|
if (subject === void 0) throw new Error("SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.");
|
|
324
406
|
const email = fieldResolvers.email();
|
|
407
|
+
const groups = fieldResolvers.groups();
|
|
325
408
|
const name = fieldResolvers.name();
|
|
326
|
-
|
|
409
|
+
const roles = fieldResolvers.roles();
|
|
410
|
+
return finalizeNormalizedProfile({
|
|
327
411
|
id: subject,
|
|
328
412
|
email,
|
|
329
413
|
emailVerified: typeof email === "string" ? true : void 0,
|
|
414
|
+
groups,
|
|
330
415
|
name,
|
|
416
|
+
roles,
|
|
331
417
|
samlAttributes: attributes,
|
|
332
418
|
samlSessionIndex: extract?.sessionIndex?.SessionIndex
|
|
333
|
-
};
|
|
419
|
+
});
|
|
334
420
|
}
|
|
335
421
|
|
|
336
422
|
//#endregion
|
|
337
|
-
export {
|
|
423
|
+
export { createGroupConnectionSamlMetadataXml, createGroupConnectionSamlSignInRequest, createSamlPostBindingResponse, createServiceProviderMetadata, encodeGroupSamlRelayState, enforceGroupConnectionSamlSecurity, getSamlServiceProviderOptions, parseGroupConnectionSamlLoginResponse, parseGroupConnectionSamlLogoutMessage, parseSamlIdpMetadataChecked, profileFromSamlExtract, validateGroupConnectionSamlLoginRelayState };
|
|
338
424
|
//# sourceMappingURL=saml.js.map
|
|
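Review bot: In `verifySamlTimeWindow` (hunk `@@ -202,22 +248,51 @@`) the `Number.isFinite(...)` guards turn an unparseable `NotBefore`/`NotOnOrAfter` into a skipped check, and `enforceGroupConnectionSamlSecurity` only tests that the condition strings are present, so with `requireTimestamps: true` a malformed timestamp satisfies the requirement but is never enforced; failing closed is safer: `if (!Number.isFinite(notBeforeTime)) throw new Error("SAML assertion NotBefore is not a valid timestamp.");` and the same for `notOnOrAfterTime`. In `readCertificates` (hunk `@@ -81,32 +83,76 @@`) a `KeyDescriptor` with no `use` attribute is treated as signing-only, whereas the SAML 2.0 metadata spec defines an omitted `use` as valid for both signing and encryption, so `readCertificates("encryption")` yields null for IdPs that publish a single unqualified key; `const keyUse = (attrs.use ?? attrs.Use)?.toLowerCase(); if (keyUse !== void 0 && keyUse !== use) continue;` keeps those keys. The regex-based parser in that hunk also recognises only double-quoted attributes, which for `entityID` fails closed but for `WantAuthnRequestsSigned` silently yields `false` (and the test is not scoped to the IdP descriptor) — a comment stating that the parser assumes double-quoted attributes and a single IdP descriptor would help maintainers judge when to fall back to a real XML parser.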
@@ -1,16 +1,16 @@
|
|
|
1
1
|
import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from "./shared.js";
|
|
2
2
|
|
|
3
|
-
//#region src/server/
|
|
3
|
+
//#region src/server/sso/scim.ts
|
|
4
4
|
/** @internal */
|
|
5
5
|
function parseScimPath(pathname) {
|
|
6
|
-
const [api, auth,
|
|
7
|
-
if (api !== "api" || auth !== "auth" ||
|
|
8
|
-
|
|
6
|
+
const [api, auth, connections, connectionId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
|
|
7
|
+
if (api !== "api" || auth !== "auth" || connections !== "connections" || !connectionId || connectionId === "setup" || protocol !== "scim" || version !== "v2") return {
|
|
8
|
+
connectionId: "",
|
|
9
9
|
resource: "",
|
|
10
10
|
resourceId: void 0
|
|
11
11
|
};
|
|
12
12
|
return {
|
|
13
|
-
|
|
13
|
+
connectionId,
|
|
14
14
|
resource: rest[0] ?? "",
|
|
15
15
|
resourceId: rest[1]
|
|
16
16
|
};
|
|
@@ -24,11 +24,17 @@ function parseScimListRequest(url) {
|
|
|
24
24
|
startIndex,
|
|
25
25
|
count,
|
|
26
26
|
filter: filterParam ? (() => {
|
|
27
|
-
const
|
|
27
|
+
const presentMatch = filterParam.match(/^([A-Za-z0-9_.]+)\s+pr$/);
|
|
28
|
+
if (presentMatch) return {
|
|
29
|
+
attribute: presentMatch[1],
|
|
30
|
+
operator: "pr"
|
|
31
|
+
};
|
|
32
|
+
const match = filterParam.match(/^([A-Za-z0-9_.]+(?:\[value eq "[^"]+"\])?)\s+(eq|co|sw|ew)\s+"([^"]+)"$/);
|
|
28
33
|
if (!match) throw new Error("Unsupported SCIM filter.");
|
|
29
34
|
return {
|
|
30
35
|
attribute: match[1],
|
|
31
|
-
|
|
36
|
+
operator: match[2],
|
|
37
|
+
value: match[3]
|
|
32
38
|
};
|
|
33
39
|
})() : void 0
|
|
34
40
|
};
|
|
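Review bot: The filter regexes in `parseScimListRequest` (hunk `@@ -24,11 +24,17 @@`; the function starts outside the hunk) require lowercase operators, but RFC 7644 §3.4.2.2 makes filter attribute names and operators case-insensitive, so a client sending `userName Eq "x"` or `userName PR` gets "Unsupported SCIM filter."; add the `i` flag to both patterns and normalise the operator, e.g. `const match = filterParam.match(/^([A-Za-z0-9_.]+(?:\[value eq "[^"]+"\])?)\s+(eq|co|sw|ew)\s+"([^"]+)"$/i);` with `operator: match[2].toLowerCase()` (and `/^([A-Za-z0-9_.]+)\s+pr$/i` for the presence form). Whether the thrown `Error` is mapped to a SCIM `400` response with `scimType: "invalidFilter"` is decided outside this file, so a short comment here naming that expectation would help whoever wires the HTTP layer.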
@@ -0,0 +1,74 @@
|
|
|
1
|
+
//#region src/server/sso/shared.ts
|
|
2
|
+
/** @internal */
|
|
3
|
+
const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
|
|
4
|
+
/** @internal */
|
|
5
|
+
const SCIM_GROUP_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:Group";
|
|
6
|
+
/** @internal */
|
|
7
|
+
const GROUP_OIDC_PROVIDER_PREFIX = "group:oidc:";
|
|
8
|
+
/** @internal */
|
|
9
|
+
const GROUP_SAML_PROVIDER_PREFIX = "group:saml:";
|
|
10
|
+
/** @internal */
|
|
11
|
+
function normalizeDomain(domain) {
|
|
12
|
+
return domain.trim().toLowerCase().replace(/^@+/, "");
|
|
13
|
+
}
|
|
14
|
+
/** @internal */
|
|
15
|
+
function groupOidcProviderId(connectionId) {
|
|
16
|
+
return `${GROUP_OIDC_PROVIDER_PREFIX}${connectionId}`;
|
|
17
|
+
}
|
|
18
|
+
/** @internal */
|
|
19
|
+
function groupSamlProviderId(connectionId) {
|
|
20
|
+
return `${GROUP_SAML_PROVIDER_PREFIX}${connectionId}`;
|
|
21
|
+
}
|
|
22
|
+
/** @internal */
|
|
23
|
+
function getGroupSamlUrls(opts) {
|
|
24
|
+
const root = opts.rootUrl.replace(/\/$/, "");
|
|
25
|
+
return {
|
|
26
|
+
metadataUrl: `${root}/api/auth/connections/${opts.source.id}/saml/metadata`,
|
|
27
|
+
acsUrl: `${root}/api/auth/connections/${opts.source.id}/saml/acs`,
|
|
28
|
+
sloUrl: `${root}/api/auth/connections/${opts.source.id}/saml/slo`
|
|
29
|
+
};
|
|
30
|
+
}
|
|
31
|
+
/** @internal */
|
|
32
|
+
function getGroupOidcUrls(opts) {
|
|
33
|
+
const root = opts.rootUrl.replace(/\/$/, "");
|
|
34
|
+
const callbackUrl = (() => {
|
|
35
|
+
if (typeof opts.sharedRedirectURI !== "string") return `${root}/api/auth/connections/${opts.connectionId}/oidc/callback`;
|
|
36
|
+
if (/^https?:\/\//.test(opts.sharedRedirectURI)) return opts.sharedRedirectURI;
|
|
37
|
+
return `${root}${opts.sharedRedirectURI.startsWith("/") ? "" : "/"}${opts.sharedRedirectURI}`;
|
|
38
|
+
})();
|
|
39
|
+
return {
|
|
40
|
+
signInUrl: `${root}/api/auth/connections/${opts.connectionId}/oidc/signin`,
|
|
41
|
+
callbackUrl
|
|
42
|
+
};
|
|
43
|
+
}
|
|
44
|
+
/** @internal */
|
|
45
|
+
function encodeGroupOidcState(opts) {
|
|
46
|
+
const json = JSON.stringify(opts);
|
|
47
|
+
return (typeof btoa === "function" ? btoa(json) : Buffer.from(json, "utf8").toString("base64")).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
|
|
48
|
+
}
|
|
49
|
+
/** @internal */
|
|
50
|
+
function decodeGroupOidcState(value) {
|
|
51
|
+
if (!value) throw new Error("Missing OIDC state.");
|
|
52
|
+
const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
|
|
53
|
+
const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
|
|
54
|
+
const decoded = typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("utf8");
|
|
55
|
+
const parsed = JSON.parse(decoded);
|
|
56
|
+
if (typeof parsed.connectionId !== "string" || typeof parsed.state !== "string") throw new Error("Invalid OIDC state.");
|
|
57
|
+
return {
|
|
58
|
+
connectionId: parsed.connectionId,
|
|
59
|
+
state: parsed.state
|
|
60
|
+
};
|
|
61
|
+
}
|
|
62
|
+
/** @internal */
|
|
63
|
+
function isGroupSamlSourceActive(source) {
|
|
64
|
+
return source.status === "active";
|
|
65
|
+
}
|
|
66
|
+
/** @internal */
|
|
67
|
+
function isGroupProviderId(providerId) {
|
|
68
|
+
return providerId.startsWith(GROUP_OIDC_PROVIDER_PREFIX) || providerId.startsWith(GROUP_SAML_PROVIDER_PREFIX);
|
|
69
|
+
}
|
|
70
|
+
const asRecord = (value) => typeof value === "object" && value !== null ? value : null;
|
|
71
|
+
|
|
72
|
+
//#endregion
|
|
73
|
+
export { GROUP_OIDC_PROVIDER_PREFIX, GROUP_SAML_PROVIDER_PREFIX, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, asRecord, decodeGroupOidcState, encodeGroupOidcState, getGroupOidcUrls, getGroupSamlUrls, groupOidcProviderId, groupSamlProviderId, isGroupProviderId, isGroupSamlSourceActive, normalizeDomain };
|
|
74
|
+
//# sourceMappingURL=shared.js.map
|
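Review bot: `decodeGroupOidcState` dereferences `parsed.connectionId` before checking that `parsed` is an object, so a state that decodes to `null` (or any JSON primitive) throws a `TypeError` instead of the intended `"Invalid OIDC state."`; widen the guard: `if (parsed === null || typeof parsed !== "object" || typeof parsed.connectionId !== "string" || typeof parsed.state !== "string") throw new Error("Invalid OIDC state.");`. The encode/decode pair is also runtime-dependent for non-ASCII input: `btoa` throws on characters outside Latin-1 and `atob` returns a byte string that is never UTF-8 decoded, while the `Buffer` branch handles UTF-8 correctly — if `state` may contain such characters, encode the JSON to UTF-8 bytes (e.g. via `TextEncoder`) before base64 in both branches. Since the state is unsigned base64url JSON, a comment on `decodeGroupOidcState` stating that the decoded `connectionId` and `state` are untrusted callback input that the caller must match against its server-side pending login record would make the trust boundary explicit.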