@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +43 -36
- package/dist/bin.js +5765 -4880
- package/dist/browser/index.d.ts +30 -0
- package/dist/browser/index.js +93 -0
- package/dist/browser/locks.js +11 -0
- package/dist/browser/navigation.js +14 -0
- package/dist/{factors → browser}/passkey.js +23 -32
- package/dist/browser/runtime.js +92 -0
- package/dist/client/core/types.d.ts +452 -5
- package/dist/client/core/types.js +17 -0
- package/dist/client/errors.js +19 -0
- package/dist/client/factors/device.js +94 -0
- package/dist/{factors → client/factors}/totp.js +12 -4
- package/dist/client/index.d.ts +47 -1
- package/dist/client/index.js +269 -232
- package/dist/client/runtime/mutex.js +24 -0
- package/dist/client/runtime/proxy.js +30 -0
- package/dist/client/runtime/storage.js +45 -0
- package/dist/client/services/adapters.js +7 -0
- package/dist/client/services/http.js +6 -0
- package/dist/client/services/resolve.js +13 -0
- package/dist/client/services/runtime.js +6 -0
- package/dist/component/_generated/component.d.ts +1355 -1399
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/index.d.ts +4 -26
- package/dist/component/index.js +1 -1
- package/dist/component/model.d.ts +26 -112
- package/dist/component/model.js +76 -54
- package/dist/component/modules.js +38 -0
- package/dist/component/public/factors/devices.js +1 -1
- package/dist/component/public/factors/passkeys.js +1 -1
- package/dist/component/public/factors/totp.js +1 -1
- package/dist/component/public/groups/core.js +2 -2
- package/dist/component/public/groups/invites.js +1 -1
- package/dist/component/public/groups/members.js +1 -1
- package/dist/component/public/identity/accounts.js +1 -1
- package/dist/component/public/identity/codes.js +1 -1
- package/dist/component/public/identity/sessions.js +39 -2
- package/dist/component/public/identity/tokens.js +82 -4
- package/dist/component/public/identity/users.js +1 -1
- package/dist/component/public/identity/verifiers.js +10 -4
- package/dist/component/public/security/keys.js +1 -1
- package/dist/component/public/security/limits.js +1 -1
- package/dist/component/public/{enterprise → sso}/audit.js +26 -26
- package/dist/component/public/sso/core.js +263 -0
- package/dist/component/public/sso/domains.js +280 -0
- package/dist/component/public/{enterprise → sso}/scim.js +87 -87
- package/dist/component/public/sso/secrets.js +125 -0
- package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
- package/dist/component/public.js +9 -9
- package/dist/component/schema.d.ts +472 -393
- package/dist/component/schema.js +36 -35
- package/dist/core/index.d.ts +380 -0
- package/dist/core/index.js +83 -0
- package/dist/otel.d.ts +69 -0
- package/dist/otel.js +82 -0
- package/dist/providers/anonymous.d.ts +15 -34
- package/dist/providers/anonymous.js +27 -35
- package/dist/providers/apple.d.ts +59 -0
- package/dist/providers/apple.js +58 -0
- package/dist/providers/credentials.d.ts +18 -34
- package/dist/providers/credentials.js +16 -27
- package/dist/providers/custom.d.ts +94 -0
- package/dist/providers/custom.js +119 -0
- package/dist/providers/device.d.ts +15 -49
- package/dist/providers/device.js +17 -34
- package/dist/providers/email.d.ts +21 -38
- package/dist/providers/email.js +36 -55
- package/dist/providers/github.d.ts +54 -0
- package/dist/providers/github.js +75 -0
- package/dist/providers/google.d.ts +54 -0
- package/dist/providers/google.js +61 -0
- package/dist/providers/index.d.ts +16 -12
- package/dist/providers/index.js +15 -11
- package/dist/providers/microsoft.d.ts +57 -0
- package/dist/providers/microsoft.js +101 -0
- package/dist/providers/passkey.d.ts +19 -35
- package/dist/providers/passkey.js +20 -30
- package/dist/providers/password.d.ts +17 -18
- package/dist/providers/password.js +121 -143
- package/dist/providers/phone.d.ts +13 -28
- package/dist/providers/phone.js +21 -46
- package/dist/providers/sso.d.ts +16 -36
- package/dist/providers/sso.js +21 -22
- package/dist/providers/totp.d.ts +13 -29
- package/dist/providers/totp.js +17 -27
- package/dist/server/auth-context.d.ts +204 -0
- package/dist/server/auth-context.js +76 -0
- package/dist/server/auth.d.ts +99 -244
- package/dist/server/auth.js +56 -152
- package/dist/server/componentContext.d.ts +12 -0
- package/dist/server/componentContext.js +1 -0
- package/dist/server/config.js +6 -67
- package/dist/server/constants.js +6 -0
- package/dist/server/contract.d.ts +105 -0
- package/dist/server/contract.js +43 -0
- package/dist/server/cookies.js +3 -2
- package/dist/server/core.js +31 -36
- package/dist/server/crypto.js +34 -44
- package/dist/server/db.js +6 -1
- package/dist/server/device.js +96 -130
- package/dist/server/env.js +48 -0
- package/dist/server/errors.js +20 -0
- package/dist/server/http.d.ts +15 -59
- package/dist/server/http.js +136 -120
- package/dist/server/identity.js +2 -2
- package/dist/server/index.d.ts +5 -4
- package/dist/server/index.js +3 -3
- package/dist/server/keys.js +10 -1
- package/dist/server/limits.js +26 -26
- package/dist/server/log.js +28 -0
- package/dist/server/mounts.d.ts +1107 -296
- package/dist/server/mounts.js +315 -196
- package/dist/server/mutations/account.js +11 -14
- package/dist/server/mutations/code.js +6 -5
- package/dist/server/mutations/invalidate.js +9 -11
- package/dist/server/mutations/oauth.js +112 -73
- package/dist/server/mutations/refresh.js +47 -97
- package/dist/server/mutations/register.js +37 -35
- package/dist/server/mutations/retrieve.js +16 -16
- package/dist/server/mutations/signature.js +15 -18
- package/dist/server/mutations/signin.js +10 -5
- package/dist/server/mutations/signout.js +11 -14
- package/dist/server/mutations/store.js +25 -18
- package/dist/server/mutations/verifier.js +11 -8
- package/dist/server/mutations/verify.js +53 -41
- package/dist/server/oauth/factory.js +44 -0
- package/dist/server/oauth/index.js +12 -0
- package/dist/server/oauth/runtime.js +248 -0
- package/dist/server/passkey.js +331 -365
- package/dist/server/payloads.d.ts +16 -0
- package/dist/server/payloads.js +30 -0
- package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
- package/dist/server/prefetch.js +635 -0
- package/dist/server/random.js +19 -0
- package/dist/server/redirects.js +10 -5
- package/dist/server/refresh.js +14 -86
- package/dist/server/runtime.d.ts +531 -31
- package/dist/server/runtime.js +106 -267
- package/dist/server/secret.js +44 -0
- package/dist/server/services/config.js +10 -0
- package/dist/server/services/group.js +211 -0
- package/dist/server/services/logger.js +8 -0
- package/dist/server/services/providers.js +22 -0
- package/dist/server/services/refresh.js +8 -0
- package/dist/server/services/resolve.js +27 -0
- package/dist/server/services/signin.js +8 -0
- package/dist/server/sessions.js +35 -34
- package/dist/server/signin.js +229 -140
- package/dist/server/{enterprise → sso}/config.js +10 -3
- package/dist/server/sso/domain.d.ts +614 -0
- package/dist/server/sso/domain.js +1175 -0
- package/dist/server/sso/http.js +1060 -0
- package/dist/server/sso/oidc.js +324 -0
- package/dist/server/sso/policies.js +59 -0
- package/dist/server/sso/policy.js +139 -0
- package/dist/server/sso/profile.js +22 -0
- package/dist/server/sso/provision.js +179 -0
- package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
- package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
- package/dist/server/sso/shared.js +74 -0
- package/dist/server/sso/validators.js +88 -0
- package/dist/server/sso/webhook.js +94 -0
- package/dist/server/tokens.js +16 -4
- package/dist/server/totp.js +155 -164
- package/dist/server/types.d.ts +306 -296
- package/dist/server/types.js +1 -30
- package/dist/server/url.js +32 -0
- package/dist/server/users.js +74 -40
- package/dist/server/utils/cache.js +51 -0
- package/dist/server/utils/dispatch.js +36 -0
- package/dist/server/utils/retry.js +24 -0
- package/dist/server/utils/span.js +32 -0
- package/dist/shared/errors.js +19 -0
- package/dist/shared/log.js +45 -0
- package/{src/test.ts → dist/test.d.ts} +21 -22
- package/dist/test.js +51 -0
- package/package.json +70 -42
- package/dist/authorization/index.d.ts.map +0 -1
- package/dist/authorization/index.js.map +0 -1
- package/dist/client/core/types.d.ts.map +0 -1
- package/dist/client/index.d.ts.map +0 -1
- package/dist/client/index.js.map +0 -1
- package/dist/component/_generated/api.d.ts +0 -75
- package/dist/component/_generated/api.d.ts.map +0 -1
- package/dist/component/_generated/api.js.map +0 -1
- package/dist/component/_generated/component.d.ts.map +0 -1
- package/dist/component/_generated/dataModel.d.ts +0 -42
- package/dist/component/_generated/dataModel.d.ts.map +0 -1
- package/dist/component/_generated/server.d.ts +0 -117
- package/dist/component/_generated/server.d.ts.map +0 -1
- package/dist/component/_generated/server.js.map +0 -1
- package/dist/component/_virtual/rolldown_runtime.js +0 -18
- package/dist/component/client/core/types.d.ts +0 -2
- package/dist/component/client/index.d.ts +0 -1
- package/dist/component/convex.config.d.ts.map +0 -1
- package/dist/component/convex.config.js.map +0 -1
- package/dist/component/functions.d.ts +0 -25
- package/dist/component/functions.d.ts.map +0 -1
- package/dist/component/functions.js.map +0 -1
- package/dist/component/index.d.ts.map +0 -1
- package/dist/component/model.d.ts.map +0 -1
- package/dist/component/model.js.map +0 -1
- package/dist/component/providers/anonymous.d.ts +0 -54
- package/dist/component/providers/anonymous.d.ts.map +0 -1
- package/dist/component/providers/credentials.d.ts +0 -38
- package/dist/component/providers/credentials.d.ts.map +0 -1
- package/dist/component/providers/device.d.ts +0 -67
- package/dist/component/providers/device.d.ts.map +0 -1
- package/dist/component/providers/email.d.ts +0 -62
- package/dist/component/providers/email.d.ts.map +0 -1
- package/dist/component/providers/oauth.d.ts +0 -25
- package/dist/component/providers/oauth.d.ts.map +0 -1
- package/dist/component/providers/oauth.js +0 -13
- package/dist/component/providers/oauth.js.map +0 -1
- package/dist/component/providers/passkey.d.ts +0 -57
- package/dist/component/providers/passkey.d.ts.map +0 -1
- package/dist/component/providers/password.d.ts +0 -88
- package/dist/component/providers/password.d.ts.map +0 -1
- package/dist/component/providers/phone.d.ts +0 -48
- package/dist/component/providers/phone.d.ts.map +0 -1
- package/dist/component/providers/sso.d.ts +0 -50
- package/dist/component/providers/sso.d.ts.map +0 -1
- package/dist/component/providers/totp.d.ts +0 -45
- package/dist/component/providers/totp.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.d.ts +0 -73
- package/dist/component/public/enterprise/audit.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.js.map +0 -1
- package/dist/component/public/enterprise/core.d.ts +0 -176
- package/dist/component/public/enterprise/core.d.ts.map +0 -1
- package/dist/component/public/enterprise/core.js +0 -292
- package/dist/component/public/enterprise/core.js.map +0 -1
- package/dist/component/public/enterprise/domains.d.ts +0 -174
- package/dist/component/public/enterprise/domains.d.ts.map +0 -1
- package/dist/component/public/enterprise/domains.js +0 -271
- package/dist/component/public/enterprise/domains.js.map +0 -1
- package/dist/component/public/enterprise/scim.d.ts +0 -245
- package/dist/component/public/enterprise/scim.d.ts.map +0 -1
- package/dist/component/public/enterprise/scim.js.map +0 -1
- package/dist/component/public/enterprise/secrets.d.ts +0 -78
- package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
- package/dist/component/public/enterprise/secrets.js +0 -118
- package/dist/component/public/enterprise/secrets.js.map +0 -1
- package/dist/component/public/enterprise/webhooks.d.ts +0 -211
- package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
- package/dist/component/public/enterprise/webhooks.js.map +0 -1
- package/dist/component/public/factors/devices.d.ts +0 -157
- package/dist/component/public/factors/devices.d.ts.map +0 -1
- package/dist/component/public/factors/devices.js.map +0 -1
- package/dist/component/public/factors/passkeys.d.ts +0 -175
- package/dist/component/public/factors/passkeys.d.ts.map +0 -1
- package/dist/component/public/factors/passkeys.js.map +0 -1
- package/dist/component/public/factors/totp.d.ts +0 -189
- package/dist/component/public/factors/totp.d.ts.map +0 -1
- package/dist/component/public/factors/totp.js.map +0 -1
- package/dist/component/public/groups/core.d.ts +0 -137
- package/dist/component/public/groups/core.d.ts.map +0 -1
- package/dist/component/public/groups/core.js.map +0 -1
- package/dist/component/public/groups/invites.d.ts +0 -217
- package/dist/component/public/groups/invites.d.ts.map +0 -1
- package/dist/component/public/groups/invites.js.map +0 -1
- package/dist/component/public/groups/members.d.ts +0 -204
- package/dist/component/public/groups/members.d.ts.map +0 -1
- package/dist/component/public/groups/members.js.map +0 -1
- package/dist/component/public/identity/accounts.d.ts +0 -147
- package/dist/component/public/identity/accounts.d.ts.map +0 -1
- package/dist/component/public/identity/accounts.js.map +0 -1
- package/dist/component/public/identity/codes.d.ts +0 -104
- package/dist/component/public/identity/codes.d.ts.map +0 -1
- package/dist/component/public/identity/codes.js.map +0 -1
- package/dist/component/public/identity/sessions.d.ts +0 -128
- package/dist/component/public/identity/sessions.d.ts.map +0 -1
- package/dist/component/public/identity/sessions.js.map +0 -1
- package/dist/component/public/identity/tokens.d.ts +0 -169
- package/dist/component/public/identity/tokens.d.ts.map +0 -1
- package/dist/component/public/identity/tokens.js.map +0 -1
- package/dist/component/public/identity/users.d.ts +0 -212
- package/dist/component/public/identity/users.d.ts.map +0 -1
- package/dist/component/public/identity/users.js.map +0 -1
- package/dist/component/public/identity/verifiers.d.ts +0 -116
- package/dist/component/public/identity/verifiers.d.ts.map +0 -1
- package/dist/component/public/identity/verifiers.js.map +0 -1
- package/dist/component/public/security/keys.d.ts +0 -209
- package/dist/component/public/security/keys.d.ts.map +0 -1
- package/dist/component/public/security/keys.js.map +0 -1
- package/dist/component/public/security/limits.d.ts +0 -114
- package/dist/component/public/security/limits.d.ts.map +0 -1
- package/dist/component/public/security/limits.js.map +0 -1
- package/dist/component/public.d.ts +0 -28
- package/dist/component/public.d.ts.map +0 -1
- package/dist/component/schema.d.ts.map +0 -1
- package/dist/component/schema.js.map +0 -1
- package/dist/component/server/auth.d.ts +0 -447
- package/dist/component/server/auth.d.ts.map +0 -1
- package/dist/component/server/auth.js +0 -254
- package/dist/component/server/auth.js.map +0 -1
- package/dist/component/server/config.js +0 -121
- package/dist/component/server/config.js.map +0 -1
- package/dist/component/server/context.js +0 -53
- package/dist/component/server/context.js.map +0 -1
- package/dist/component/server/cookies.js +0 -47
- package/dist/component/server/cookies.js.map +0 -1
- package/dist/component/server/core.js +0 -576
- package/dist/component/server/core.js.map +0 -1
- package/dist/component/server/crypto.js +0 -56
- package/dist/component/server/crypto.js.map +0 -1
- package/dist/component/server/db.js +0 -87
- package/dist/component/server/db.js.map +0 -1
- package/dist/component/server/device.js +0 -152
- package/dist/component/server/device.js.map +0 -1
- package/dist/component/server/enterprise/config.js +0 -46
- package/dist/component/server/enterprise/config.js.map +0 -1
- package/dist/component/server/enterprise/domain.js +0 -974
- package/dist/component/server/enterprise/domain.js.map +0 -1
- package/dist/component/server/enterprise/http.js +0 -787
- package/dist/component/server/enterprise/http.js.map +0 -1
- package/dist/component/server/enterprise/oidc.js +0 -248
- package/dist/component/server/enterprise/oidc.js.map +0 -1
- package/dist/component/server/enterprise/policy.js +0 -85
- package/dist/component/server/enterprise/policy.js.map +0 -1
- package/dist/component/server/enterprise/saml.js.map +0 -1
- package/dist/component/server/enterprise/scim.js.map +0 -1
- package/dist/component/server/enterprise/shared.js +0 -51
- package/dist/component/server/enterprise/shared.js.map +0 -1
- package/dist/component/server/http.d.ts +0 -85
- package/dist/component/server/http.d.ts.map +0 -1
- package/dist/component/server/http.js +0 -351
- package/dist/component/server/http.js.map +0 -1
- package/dist/component/server/identity.js +0 -16
- package/dist/component/server/identity.js.map +0 -1
- package/dist/component/server/keys.js +0 -96
- package/dist/component/server/keys.js.map +0 -1
- package/dist/component/server/limits.js +0 -52
- package/dist/component/server/limits.js.map +0 -1
- package/dist/component/server/mutations/account.js +0 -46
- package/dist/component/server/mutations/account.js.map +0 -1
- package/dist/component/server/mutations/code.js +0 -68
- package/dist/component/server/mutations/code.js.map +0 -1
- package/dist/component/server/mutations/invalidate.js +0 -32
- package/dist/component/server/mutations/invalidate.js.map +0 -1
- package/dist/component/server/mutations/oauth.js +0 -116
- package/dist/component/server/mutations/oauth.js.map +0 -1
- package/dist/component/server/mutations/refresh.js +0 -119
- package/dist/component/server/mutations/refresh.js.map +0 -1
- package/dist/component/server/mutations/register.js +0 -87
- package/dist/component/server/mutations/register.js.map +0 -1
- package/dist/component/server/mutations/retrieve.js +0 -61
- package/dist/component/server/mutations/retrieve.js.map +0 -1
- package/dist/component/server/mutations/signature.js +0 -38
- package/dist/component/server/mutations/signature.js.map +0 -1
- package/dist/component/server/mutations/signin.js +0 -27
- package/dist/component/server/mutations/signin.js.map +0 -1
- package/dist/component/server/mutations/signout.js +0 -27
- package/dist/component/server/mutations/signout.js.map +0 -1
- package/dist/component/server/mutations/store/refs.js +0 -15
- package/dist/component/server/mutations/store/refs.js.map +0 -1
- package/dist/component/server/mutations/store.js +0 -70
- package/dist/component/server/mutations/store.js.map +0 -1
- package/dist/component/server/mutations/verifier.js +0 -18
- package/dist/component/server/mutations/verifier.js.map +0 -1
- package/dist/component/server/mutations/verify.js +0 -98
- package/dist/component/server/mutations/verify.js.map +0 -1
- package/dist/component/server/oauth.js +0 -242
- package/dist/component/server/oauth.js.map +0 -1
- package/dist/component/server/passkey.js +0 -415
- package/dist/component/server/passkey.js.map +0 -1
- package/dist/component/server/redirects.js +0 -40
- package/dist/component/server/redirects.js.map +0 -1
- package/dist/component/server/refresh.js +0 -99
- package/dist/component/server/refresh.js.map +0 -1
- package/dist/component/server/runtime.d.ts +0 -136
- package/dist/component/server/runtime.d.ts.map +0 -1
- package/dist/component/server/runtime.js +0 -456
- package/dist/component/server/runtime.js.map +0 -1
- package/dist/component/server/sessions.js +0 -71
- package/dist/component/server/sessions.js.map +0 -1
- package/dist/component/server/signin.js +0 -225
- package/dist/component/server/signin.js.map +0 -1
- package/dist/component/server/tokens.js +0 -17
- package/dist/component/server/tokens.js.map +0 -1
- package/dist/component/server/totp.js +0 -208
- package/dist/component/server/totp.js.map +0 -1
- package/dist/component/server/types.d.ts +0 -949
- package/dist/component/server/types.d.ts.map +0 -1
- package/dist/component/server/types.js +0 -79
- package/dist/component/server/types.js.map +0 -1
- package/dist/component/server/users.js +0 -123
- package/dist/component/server/users.js.map +0 -1
- package/dist/component/server/utils.js +0 -140
- package/dist/component/server/utils.js.map +0 -1
- package/dist/core/types.d.ts +0 -361
- package/dist/core/types.d.ts.map +0 -1
- package/dist/factors/device.js +0 -104
- package/dist/factors/device.js.map +0 -1
- package/dist/factors/passkey.js.map +0 -1
- package/dist/factors/totp.js.map +0 -1
- package/dist/providers/anonymous.d.ts.map +0 -1
- package/dist/providers/anonymous.js.map +0 -1
- package/dist/providers/credentials.d.ts.map +0 -1
- package/dist/providers/credentials.js.map +0 -1
- package/dist/providers/device.d.ts.map +0 -1
- package/dist/providers/device.js.map +0 -1
- package/dist/providers/email.d.ts.map +0 -1
- package/dist/providers/email.js.map +0 -1
- package/dist/providers/oauth.d.ts +0 -69
- package/dist/providers/oauth.d.ts.map +0 -1
- package/dist/providers/oauth.js +0 -43
- package/dist/providers/oauth.js.map +0 -1
- package/dist/providers/passkey.d.ts.map +0 -1
- package/dist/providers/passkey.js.map +0 -1
- package/dist/providers/password.d.ts.map +0 -1
- package/dist/providers/password.js.map +0 -1
- package/dist/providers/phone.d.ts.map +0 -1
- package/dist/providers/phone.js.map +0 -1
- package/dist/providers/sso.d.ts.map +0 -1
- package/dist/providers/sso.js.map +0 -1
- package/dist/providers/totp.d.ts.map +0 -1
- package/dist/providers/totp.js.map +0 -1
- package/dist/runtime/browser.js +0 -68
- package/dist/runtime/browser.js.map +0 -1
- package/dist/runtime/invite.js.map +0 -1
- package/dist/runtime/proxy.js +0 -70
- package/dist/runtime/proxy.js.map +0 -1
- package/dist/runtime/storage.js +0 -37
- package/dist/runtime/storage.js.map +0 -1
- package/dist/server/auth.d.ts.map +0 -1
- package/dist/server/auth.js.map +0 -1
- package/dist/server/config.d.ts +0 -1
- package/dist/server/config.js.map +0 -1
- package/dist/server/context.d.ts +0 -1
- package/dist/server/context.js.map +0 -1
- package/dist/server/cookies.d.ts +0 -1
- package/dist/server/cookies.js.map +0 -1
- package/dist/server/core.d.ts +0 -1315
- package/dist/server/core.d.ts.map +0 -1
- package/dist/server/core.js.map +0 -1
- package/dist/server/crypto.d.ts +0 -8
- package/dist/server/crypto.d.ts.map +0 -1
- package/dist/server/crypto.js.map +0 -1
- package/dist/server/db.d.ts +0 -1
- package/dist/server/db.js.map +0 -1
- package/dist/server/device.d.ts +0 -1
- package/dist/server/device.js.map +0 -1
- package/dist/server/enterprise/config.d.ts +0 -1
- package/dist/server/enterprise/config.js.map +0 -1
- package/dist/server/enterprise/domain.d.ts +0 -401
- package/dist/server/enterprise/domain.d.ts.map +0 -1
- package/dist/server/enterprise/domain.js +0 -974
- package/dist/server/enterprise/domain.js.map +0 -1
- package/dist/server/enterprise/http.d.ts +0 -26
- package/dist/server/enterprise/http.d.ts.map +0 -1
- package/dist/server/enterprise/http.js +0 -787
- package/dist/server/enterprise/http.js.map +0 -1
- package/dist/server/enterprise/oidc.d.ts +0 -1
- package/dist/server/enterprise/oidc.js +0 -248
- package/dist/server/enterprise/oidc.js.map +0 -1
- package/dist/server/enterprise/policy.d.ts +0 -1
- package/dist/server/enterprise/policy.js +0 -85
- package/dist/server/enterprise/policy.js.map +0 -1
- package/dist/server/enterprise/saml.d.ts +0 -1
- package/dist/server/enterprise/saml.js +0 -338
- package/dist/server/enterprise/saml.js.map +0 -1
- package/dist/server/enterprise/scim.d.ts +0 -1
- package/dist/server/enterprise/scim.js +0 -97
- package/dist/server/enterprise/scim.js.map +0 -1
- package/dist/server/enterprise/shared.d.ts +0 -5
- package/dist/server/enterprise/shared.d.ts.map +0 -1
- package/dist/server/enterprise/shared.js +0 -51
- package/dist/server/enterprise/shared.js.map +0 -1
- package/dist/server/enterprise/validators.d.ts +0 -1
- package/dist/server/enterprise/validators.js +0 -60
- package/dist/server/enterprise/validators.js.map +0 -1
- package/dist/server/http.d.ts.map +0 -1
- package/dist/server/http.js.map +0 -1
- package/dist/server/identity.d.ts +0 -1
- package/dist/server/identity.js.map +0 -1
- package/dist/server/keys.d.ts +0 -1
- package/dist/server/keys.js.map +0 -1
- package/dist/server/limits.d.ts +0 -1
- package/dist/server/limits.js.map +0 -1
- package/dist/server/mounts.d.ts.map +0 -1
- package/dist/server/mounts.js.map +0 -1
- package/dist/server/mutations/account.d.ts +0 -29
- package/dist/server/mutations/account.d.ts.map +0 -1
- package/dist/server/mutations/account.js.map +0 -1
- package/dist/server/mutations/code.d.ts +0 -30
- package/dist/server/mutations/code.d.ts.map +0 -1
- package/dist/server/mutations/code.js.map +0 -1
- package/dist/server/mutations/index.d.ts +0 -14
- package/dist/server/mutations/invalidate.d.ts +0 -20
- package/dist/server/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/mutations/invalidate.js.map +0 -1
- package/dist/server/mutations/oauth.d.ts +0 -30
- package/dist/server/mutations/oauth.d.ts.map +0 -1
- package/dist/server/mutations/oauth.js.map +0 -1
- package/dist/server/mutations/refresh.d.ts +0 -21
- package/dist/server/mutations/refresh.d.ts.map +0 -1
- package/dist/server/mutations/refresh.js.map +0 -1
- package/dist/server/mutations/register.d.ts +0 -38
- package/dist/server/mutations/register.d.ts.map +0 -1
- package/dist/server/mutations/register.js.map +0 -1
- package/dist/server/mutations/retrieve.d.ts +0 -33
- package/dist/server/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/mutations/retrieve.js.map +0 -1
- package/dist/server/mutations/signature.d.ts +0 -21
- package/dist/server/mutations/signature.d.ts.map +0 -1
- package/dist/server/mutations/signature.js.map +0 -1
- package/dist/server/mutations/signin.d.ts +0 -22
- package/dist/server/mutations/signin.d.ts.map +0 -1
- package/dist/server/mutations/signin.js.map +0 -1
- package/dist/server/mutations/signout.d.ts +0 -16
- package/dist/server/mutations/signout.d.ts.map +0 -1
- package/dist/server/mutations/signout.js.map +0 -1
- package/dist/server/mutations/store/refs.d.ts +0 -12
- package/dist/server/mutations/store/refs.d.ts.map +0 -1
- package/dist/server/mutations/store/refs.js.map +0 -1
- package/dist/server/mutations/store.d.ts +0 -306
- package/dist/server/mutations/store.d.ts.map +0 -1
- package/dist/server/mutations/store.js.map +0 -1
- package/dist/server/mutations/verifier.d.ts +0 -13
- package/dist/server/mutations/verifier.d.ts.map +0 -1
- package/dist/server/mutations/verifier.js.map +0 -1
- package/dist/server/mutations/verify.d.ts +0 -26
- package/dist/server/mutations/verify.d.ts.map +0 -1
- package/dist/server/mutations/verify.js.map +0 -1
- package/dist/server/oauth.d.ts +0 -1
- package/dist/server/oauth.js +0 -242
- package/dist/server/oauth.js.map +0 -1
- package/dist/server/passkey.d.ts +0 -27
- package/dist/server/passkey.d.ts.map +0 -1
- package/dist/server/passkey.js.map +0 -1
- package/dist/server/redirects.d.ts +0 -1
- package/dist/server/redirects.js.map +0 -1
- package/dist/server/refresh.d.ts +0 -1
- package/dist/server/refresh.js.map +0 -1
- package/dist/server/runtime.d.ts.map +0 -1
- package/dist/server/runtime.js.map +0 -1
- package/dist/server/sessions.d.ts +0 -1
- package/dist/server/sessions.js.map +0 -1
- package/dist/server/signin.d.ts +0 -1
- package/dist/server/signin.js.map +0 -1
- package/dist/server/ssr.d.ts.map +0 -1
- package/dist/server/ssr.js +0 -777
- package/dist/server/ssr.js.map +0 -1
- package/dist/server/templates.d.ts +0 -1
- package/dist/server/templates.js.map +0 -1
- package/dist/server/tokens.d.ts +0 -1
- package/dist/server/tokens.js.map +0 -1
- package/dist/server/totp.d.ts +0 -1
- package/dist/server/totp.js.map +0 -1
- package/dist/server/types.d.ts.map +0 -1
- package/dist/server/types.js.map +0 -1
- package/dist/server/users.d.ts +0 -1
- package/dist/server/users.js.map +0 -1
- package/dist/server/utils.d.ts +0 -1
- package/dist/server/utils.js +0 -140
- package/dist/server/utils.js.map +0 -1
- package/src/authorization/index.ts +0 -83
- package/src/cli/bin.ts +0 -5
- package/src/cli/command.ts +0 -70
- package/src/cli/index.ts +0 -1112
- package/src/cli/keys.ts +0 -23
- package/src/client/core/types.ts +0 -437
- package/src/client/factors/device.ts +0 -158
- package/src/client/factors/passkey.ts +0 -279
- package/src/client/factors/totp.ts +0 -150
- package/src/client/index.ts +0 -1124
- package/src/client/runtime/browser.ts +0 -112
- package/src/client/runtime/invite.ts +0 -63
- package/src/client/runtime/proxy.ts +0 -111
- package/src/client/runtime/storage.ts +0 -79
- package/src/component/_generated/api.ts +0 -96
- package/src/component/_generated/component.ts +0 -3774
- package/src/component/_generated/dataModel.ts +0 -60
- package/src/component/_generated/server.ts +0 -156
- package/src/component/convex.config.ts +0 -5
- package/src/component/functions.ts +0 -104
- package/src/component/index.ts +0 -42
- package/src/component/model.ts +0 -449
- package/src/component/public/enterprise/audit.ts +0 -125
- package/src/component/public/enterprise/core.ts +0 -355
- package/src/component/public/enterprise/domains.ts +0 -327
- package/src/component/public/enterprise/scim.ts +0 -397
- package/src/component/public/enterprise/secrets.ts +0 -133
- package/src/component/public/enterprise/webhooks.ts +0 -307
- package/src/component/public/factors/devices.ts +0 -224
- package/src/component/public/factors/passkeys.ts +0 -243
- package/src/component/public/factors/totp.ts +0 -259
- package/src/component/public/groups/core.ts +0 -481
- package/src/component/public/groups/invites.ts +0 -608
- package/src/component/public/groups/members.ts +0 -410
- package/src/component/public/identity/accounts.ts +0 -207
- package/src/component/public/identity/codes.ts +0 -149
- package/src/component/public/identity/sessions.ts +0 -210
- package/src/component/public/identity/tokens.ts +0 -251
- package/src/component/public/identity/users.ts +0 -355
- package/src/component/public/identity/verifiers.ts +0 -158
- package/src/component/public/security/keys.ts +0 -366
- package/src/component/public/security/limits.ts +0 -174
- package/src/component/public.ts +0 -27
- package/src/component/schema.ts +0 -505
- package/src/providers/anonymous.ts +0 -99
- package/src/providers/credentials.ts +0 -102
- package/src/providers/device.ts +0 -87
- package/src/providers/email.ts +0 -99
- package/src/providers/index.ts +0 -31
- package/src/providers/oauth.ts +0 -117
- package/src/providers/passkey.ts +0 -77
- package/src/providers/password.ts +0 -441
- package/src/providers/phone.ts +0 -93
- package/src/providers/sso.ts +0 -54
- package/src/providers/totp.ts +0 -62
- package/src/samlify.d.ts +0 -53
- package/src/server/auth.ts +0 -949
- package/src/server/config.ts +0 -200
- package/src/server/context.ts +0 -90
- package/src/server/cookies.ts +0 -49
- package/src/server/core.ts +0 -2004
- package/src/server/crypto.ts +0 -90
- package/src/server/db.ts +0 -203
- package/src/server/device.ts +0 -254
- package/src/server/enterprise/config.ts +0 -51
- package/src/server/enterprise/domain.ts +0 -1739
- package/src/server/enterprise/http.ts +0 -1331
- package/src/server/enterprise/oidc.ts +0 -500
- package/src/server/enterprise/policy.ts +0 -128
- package/src/server/enterprise/saml.ts +0 -578
- package/src/server/enterprise/scim.ts +0 -135
- package/src/server/enterprise/shared.ts +0 -134
- package/src/server/enterprise/validators.ts +0 -93
- package/src/server/http.ts +0 -790
- package/src/server/identity.ts +0 -18
- package/src/server/index.ts +0 -40
- package/src/server/keys.ts +0 -158
- package/src/server/limits.ts +0 -107
- package/src/server/mounts.ts +0 -924
- package/src/server/mutations/account.ts +0 -62
- package/src/server/mutations/code.ts +0 -119
- package/src/server/mutations/index.ts +0 -13
- package/src/server/mutations/invalidate.ts +0 -50
- package/src/server/mutations/oauth.ts +0 -243
- package/src/server/mutations/refresh.ts +0 -299
- package/src/server/mutations/register.ts +0 -155
- package/src/server/mutations/retrieve.ts +0 -109
- package/src/server/mutations/signature.ts +0 -57
- package/src/server/mutations/signin.ts +0 -54
- package/src/server/mutations/signout.ts +0 -43
- package/src/server/mutations/store/refs.ts +0 -10
- package/src/server/mutations/store.ts +0 -123
- package/src/server/mutations/verifier.ts +0 -34
- package/src/server/mutations/verify.ts +0 -200
- package/src/server/oauth.ts +0 -418
- package/src/server/passkey.ts +0 -838
- package/src/server/redirects.ts +0 -59
- package/src/server/refresh.ts +0 -218
- package/src/server/runtime.ts +0 -918
- package/src/server/sessions.ts +0 -132
- package/src/server/signin.ts +0 -445
- package/src/server/ssr.ts +0 -1747
- package/src/server/templates.ts +0 -82
- package/src/server/tokens.ts +0 -35
- package/src/server/totp.ts +0 -399
- package/src/server/types.ts +0 -1942
- package/src/server/users.ts +0 -291
- package/src/server/utils.ts +0 -220
- /package/dist/{runtime → client/runtime}/invite.js +0 -0
|
@@ -1,338 +0,0 @@
|
|
|
1
|
-
import { asRecord, getEnterpriseSamlUrls } from "./shared.js";
|
|
2
|
-
import { getSamlConfig } from "./config.js";
|
|
3
|
-
import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
|
|
4
|
-
import { Constants, IdentityProvider, ServiceProvider, setSchemaValidator } from "@robelest/samlify";
|
|
5
|
-
|
|
6
|
-
//#region src/server/enterprise/saml.ts
|
|
7
|
-
const _samlifyPermissiveValidator = { validate: (_xml) => Promise.resolve("OK") };
|
|
8
|
-
function ensureSamlifyValidator() {
|
|
9
|
-
setSchemaValidator(_samlifyPermissiveValidator);
|
|
10
|
-
}
|
|
11
|
-
/** @internal */
|
|
12
|
-
function createSamlPostBindingResponse(opts) {
|
|
13
|
-
const fields = [`<input type="hidden" name="${opts.parameter}" value="${opts.value.replace(/"/g, """)}" />`, opts.relayState ? `<input type="hidden" name="RelayState" value="${opts.relayState.replace(/"/g, """)}" />` : ""].join("");
|
|
14
|
-
return new Response(`<!doctype html><html><body><form method="POST" action="${opts.endpoint}">${fields}</form><script>document.forms[0].submit();<\/script></body></html>`, {
|
|
15
|
-
status: 200,
|
|
16
|
-
headers: { "Content-Type": "text/html; charset=utf-8" }
|
|
17
|
-
});
|
|
18
|
-
}
|
|
19
|
-
/** @internal */
|
|
20
|
-
function decodeRelayState(value) {
|
|
21
|
-
if (!value) return {};
|
|
22
|
-
try {
|
|
23
|
-
return JSON.parse(new TextDecoder().decode(decodeBase64urlIgnorePadding(value)));
|
|
24
|
-
} catch {
|
|
25
|
-
return {};
|
|
26
|
-
}
|
|
27
|
-
}
|
|
28
|
-
/** @internal */
|
|
29
|
-
function encodeEnterpriseSamlRelayState(value) {
|
|
30
|
-
return encodeBase64urlNoPadding(new TextEncoder().encode(JSON.stringify({
|
|
31
|
-
source: `${value.source.kind}:${value.source.id}`,
|
|
32
|
-
signature: value.signature,
|
|
33
|
-
requestId: value.requestId,
|
|
34
|
-
state: value.state,
|
|
35
|
-
redirectTo: value.redirectTo
|
|
36
|
-
})));
|
|
37
|
-
}
|
|
38
|
-
/** @internal */
|
|
39
|
-
function decodeEnterpriseSamlRelayStateOrThrow(value) {
|
|
40
|
-
if (!value) throw new Error("Missing SAML RelayState.");
|
|
41
|
-
const decoded = decodeRelayState(value);
|
|
42
|
-
if (typeof decoded.source !== "string" || typeof decoded.signature !== "string" || typeof decoded.requestId !== "string" || typeof decoded.state !== "string") throw new Error("Invalid SAML RelayState.");
|
|
43
|
-
const [kind, ...rest] = decoded.source.split(":");
|
|
44
|
-
const id = rest.join(":");
|
|
45
|
-
if (kind !== "enterprise" || id.length === 0) throw new Error("Invalid enterprise SAML source.");
|
|
46
|
-
return {
|
|
47
|
-
source: {
|
|
48
|
-
kind,
|
|
49
|
-
id
|
|
50
|
-
},
|
|
51
|
-
signature: decoded.signature,
|
|
52
|
-
requestId: decoded.requestId,
|
|
53
|
-
state: decoded.state,
|
|
54
|
-
redirectTo: typeof decoded.redirectTo === "string" ? decoded.redirectTo : void 0
|
|
55
|
-
};
|
|
56
|
-
}
|
|
57
|
-
/** @internal */
|
|
58
|
-
async function readRequestBody(request) {
|
|
59
|
-
const contentType = request.headers.get("Content-Type") ?? "";
|
|
60
|
-
if (contentType.includes("application/x-www-form-urlencoded") || contentType.includes("multipart/form-data")) {
|
|
61
|
-
const form = await request.formData();
|
|
62
|
-
const body = {};
|
|
63
|
-
form.forEach((value, key) => {
|
|
64
|
-
body[key] = typeof value === "string" ? value : value.name;
|
|
65
|
-
});
|
|
66
|
-
return body;
|
|
67
|
-
}
|
|
68
|
-
return {};
|
|
69
|
-
}
|
|
70
|
-
/** @internal */
|
|
71
|
-
async function readEnterpriseSamlHttpRequest(request) {
|
|
72
|
-
const url = new URL(request.url);
|
|
73
|
-
const body = await readRequestBody(request);
|
|
74
|
-
return {
|
|
75
|
-
url,
|
|
76
|
-
body,
|
|
77
|
-
query: Object.fromEntries(url.searchParams),
|
|
78
|
-
binding: request.method === "GET" ? "redirect" : body.SAMLResponse || body.SAMLRequest ? "post" : "redirect",
|
|
79
|
-
relayState: body.RelayState ?? url.searchParams.get("RelayState") ?? void 0,
|
|
80
|
-
hasSamlRequest: Boolean(body.SAMLRequest ?? url.searchParams.get("SAMLRequest")),
|
|
81
|
-
hasSamlResponse: Boolean(body.SAMLResponse ?? url.searchParams.get("SAMLResponse"))
|
|
82
|
-
};
|
|
83
|
-
}
|
|
84
|
-
/** @internal */
|
|
85
|
-
function parseSamlIdpMetadata(metadata) {
|
|
86
|
-
const entityMeta = IdentityProvider({ metadata }).entityMeta;
|
|
87
|
-
const normalizeService = (value) => {
|
|
88
|
-
return typeof value === "string" && value.length > 0 ? value : void 0;
|
|
89
|
-
};
|
|
90
|
-
return {
|
|
91
|
-
issuer: entityMeta.getEntityID(),
|
|
92
|
-
sso: {
|
|
93
|
-
redirect: normalizeService(entityMeta.getSingleSignOnService("redirect")),
|
|
94
|
-
post: normalizeService(entityMeta.getSingleSignOnService("post"))
|
|
95
|
-
},
|
|
96
|
-
slo: {
|
|
97
|
-
redirect: normalizeService(entityMeta.getSingleLogoutService("redirect")),
|
|
98
|
-
post: normalizeService(entityMeta.getSingleLogoutService("post"))
|
|
99
|
-
},
|
|
100
|
-
signingCert: entityMeta.getX509Certificate("signing"),
|
|
101
|
-
encryptionCert: entityMeta.getX509Certificate("encrypt"),
|
|
102
|
-
nameIdFormats: (() => {
|
|
103
|
-
const nameIdFormat = entityMeta.getNameIDFormat();
|
|
104
|
-
return Array.isArray(nameIdFormat) ? nameIdFormat : [];
|
|
105
|
-
})(),
|
|
106
|
-
wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned()
|
|
107
|
-
};
|
|
108
|
-
}
|
|
109
|
-
/** @internal */
|
|
110
|
-
function createServiceProviderMetadata(opts) {
|
|
111
|
-
const binding = Constants.namespace.binding;
|
|
112
|
-
return ServiceProvider({
|
|
113
|
-
entityID: opts.entityId,
|
|
114
|
-
authnRequestsSigned: opts.authnRequestsSigned ?? false,
|
|
115
|
-
privateKey: opts.privateKey,
|
|
116
|
-
privateKeyPass: opts.privateKeyPass,
|
|
117
|
-
signingCert: opts.signingCert,
|
|
118
|
-
encryptCert: opts.encryptCert,
|
|
119
|
-
encPrivateKey: opts.encPrivateKey,
|
|
120
|
-
encPrivateKeyPass: opts.encPrivateKeyPass,
|
|
121
|
-
assertionConsumerService: [{
|
|
122
|
-
Binding: binding.post,
|
|
123
|
-
Location: opts.acsUrl
|
|
124
|
-
}],
|
|
125
|
-
singleLogoutService: opts.sloUrl ? [{
|
|
126
|
-
Binding: binding.redirect,
|
|
127
|
-
Location: opts.sloUrl
|
|
128
|
-
}, {
|
|
129
|
-
Binding: binding.post,
|
|
130
|
-
Location: opts.sloUrl
|
|
131
|
-
}] : void 0
|
|
132
|
-
}).getMetadata();
|
|
133
|
-
}
|
|
134
|
-
/** @internal */
|
|
135
|
-
function createEnterpriseSamlMetadataXml(opts) {
|
|
136
|
-
return createServiceProviderMetadata(getSamlServiceProviderOptions({
|
|
137
|
-
rootUrl: opts.rootUrl,
|
|
138
|
-
source: opts.source,
|
|
139
|
-
config: opts.config
|
|
140
|
-
}));
|
|
141
|
-
}
|
|
142
|
-
/** @internal */
|
|
143
|
-
function getSamlServiceProviderOptions(opts) {
|
|
144
|
-
const saml = getSamlConfig(opts.config);
|
|
145
|
-
const sp = asRecord(saml.sp) ?? {};
|
|
146
|
-
const urls = getEnterpriseSamlUrls({
|
|
147
|
-
rootUrl: opts.rootUrl,
|
|
148
|
-
source: opts.source
|
|
149
|
-
});
|
|
150
|
-
return {
|
|
151
|
-
entityId: opts.overrides?.entityId ?? sp.entityId ?? urls.metadataUrl,
|
|
152
|
-
acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,
|
|
153
|
-
sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,
|
|
154
|
-
relayState: opts.relayState,
|
|
155
|
-
authnRequestsSigned: saml.signAuthnRequests,
|
|
156
|
-
signingCert: sp.signingCert,
|
|
157
|
-
encryptCert: sp.encryptCert,
|
|
158
|
-
privateKey: sp.privateKey,
|
|
159
|
-
privateKeyPass: sp.privateKeyPass,
|
|
160
|
-
encPrivateKey: sp.encPrivateKey,
|
|
161
|
-
encPrivateKeyPass: sp.encPrivateKeyPass
|
|
162
|
-
};
|
|
163
|
-
}
|
|
164
|
-
/** @internal */
|
|
165
|
-
function createSamlServiceProvider(opts) {
|
|
166
|
-
const binding = Constants.namespace.binding;
|
|
167
|
-
return ServiceProvider({
|
|
168
|
-
entityID: opts.entityId,
|
|
169
|
-
relayState: opts.relayState ?? "",
|
|
170
|
-
authnRequestsSigned: opts.authnRequestsSigned ?? false,
|
|
171
|
-
privateKey: opts.privateKey,
|
|
172
|
-
privateKeyPass: opts.privateKeyPass,
|
|
173
|
-
signingCert: opts.signingCert,
|
|
174
|
-
encryptCert: opts.encryptCert,
|
|
175
|
-
encPrivateKey: opts.encPrivateKey,
|
|
176
|
-
encPrivateKeyPass: opts.encPrivateKeyPass,
|
|
177
|
-
assertionConsumerService: [{
|
|
178
|
-
Binding: binding.post,
|
|
179
|
-
Location: opts.acsUrl
|
|
180
|
-
}],
|
|
181
|
-
singleLogoutService: opts.sloUrl ? [{
|
|
182
|
-
Binding: binding.redirect,
|
|
183
|
-
Location: opts.sloUrl
|
|
184
|
-
}, {
|
|
185
|
-
Binding: binding.post,
|
|
186
|
-
Location: opts.sloUrl
|
|
187
|
-
}] : void 0
|
|
188
|
-
});
|
|
189
|
-
}
|
|
190
|
-
/** @internal */
|
|
191
|
-
function createEnterpriseSamlRuntime(opts) {
|
|
192
|
-
const saml = getSamlConfig(opts.config);
|
|
193
|
-
const spOptions = getSamlServiceProviderOptions({
|
|
194
|
-
rootUrl: opts.rootUrl,
|
|
195
|
-
source: opts.source,
|
|
196
|
-
config: opts.config,
|
|
197
|
-
relayState: opts.relayState,
|
|
198
|
-
overrides: opts.overrides
|
|
199
|
-
});
|
|
200
|
-
if (typeof saml.idp?.metadataXml !== "string") throw new Error("SAML IdP metadata is missing.");
|
|
201
|
-
return {
|
|
202
|
-
saml,
|
|
203
|
-
sp: createSamlServiceProvider(spOptions),
|
|
204
|
-
idp: IdentityProvider({ metadata: saml.idp.metadataXml }),
|
|
205
|
-
urls: getEnterpriseSamlUrls({
|
|
206
|
-
rootUrl: opts.rootUrl,
|
|
207
|
-
source: opts.source
|
|
208
|
-
})
|
|
209
|
-
};
|
|
210
|
-
}
|
|
211
|
-
/** @internal */
|
|
212
|
-
function createEnterpriseSamlSignInRequest(opts) {
|
|
213
|
-
const runtime = createEnterpriseSamlRuntime({
|
|
214
|
-
rootUrl: opts.rootUrl,
|
|
215
|
-
source: opts.source,
|
|
216
|
-
config: opts.config
|
|
217
|
-
});
|
|
218
|
-
const binding = runtime.saml.idp.sso?.redirect ? "redirect" : "post";
|
|
219
|
-
const loginRequest = runtime.sp.createLoginRequest(runtime.idp, binding);
|
|
220
|
-
const relayState = encodeEnterpriseSamlRelayState({
|
|
221
|
-
source: opts.source,
|
|
222
|
-
signature: opts.signature,
|
|
223
|
-
requestId: loginRequest.id,
|
|
224
|
-
state: opts.state,
|
|
225
|
-
redirectTo: opts.redirectTo
|
|
226
|
-
});
|
|
227
|
-
return {
|
|
228
|
-
requestId: loginRequest.id,
|
|
229
|
-
binding,
|
|
230
|
-
relayState,
|
|
231
|
-
redirectUrl: binding === "redirect" ? (() => {
|
|
232
|
-
const redirectUrl = new URL(loginRequest.context);
|
|
233
|
-
redirectUrl.searchParams.set("RelayState", relayState);
|
|
234
|
-
return redirectUrl.toString();
|
|
235
|
-
})() : void 0,
|
|
236
|
-
post: binding === "post" ? {
|
|
237
|
-
endpoint: loginRequest.entityEndpoint,
|
|
238
|
-
value: loginRequest.context
|
|
239
|
-
} : void 0
|
|
240
|
-
};
|
|
241
|
-
}
|
|
242
|
-
/** @internal */
|
|
243
|
-
async function parseEnterpriseSamlLoginResponse(opts) {
|
|
244
|
-
ensureSamlifyValidator();
|
|
245
|
-
const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
|
|
246
|
-
const runtime = createEnterpriseSamlRuntime({
|
|
247
|
-
rootUrl: opts.rootUrl,
|
|
248
|
-
source: opts.source,
|
|
249
|
-
config: opts.config
|
|
250
|
-
});
|
|
251
|
-
const parsed = await runtime.sp.parseLoginResponse(runtime.idp, httpRequest.binding, {
|
|
252
|
-
query: httpRequest.query,
|
|
253
|
-
body: httpRequest.body
|
|
254
|
-
});
|
|
255
|
-
warnWeakSamlAlgorithms(parsed);
|
|
256
|
-
return {
|
|
257
|
-
...httpRequest,
|
|
258
|
-
runtime,
|
|
259
|
-
parsed,
|
|
260
|
-
relayState: decodeEnterpriseSamlRelayStateOrThrow(httpRequest.relayState ?? null)
|
|
261
|
-
};
|
|
262
|
-
}
|
|
263
|
-
const WEAK_SAML_ALGORITHMS = new Set([
|
|
264
|
-
"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
|
|
265
|
-
"http://www.w3.org/2000/09/xmldsig#dsa-sha1",
|
|
266
|
-
"http://www.w3.org/2000/09/xmldsig#sha1",
|
|
267
|
-
"http://www.w3.org/2001/04/xmlenc#rsa-1_5",
|
|
268
|
-
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
|
|
269
|
-
]);
|
|
270
|
-
/**
|
|
271
|
-
* Warn when the SAML response uses weak cryptographic algorithms
|
|
272
|
-
* such as SHA-1, RSA 1.5, or 3DES.
|
|
273
|
-
*/
|
|
274
|
-
function warnWeakSamlAlgorithms(parsed) {
|
|
275
|
-
try {
|
|
276
|
-
const sigAlg = parsed?.extract?.signature?.signatureAlgorithm ?? parsed?.extract?.response?.signatureAlgorithm;
|
|
277
|
-
const digestAlg = parsed?.extract?.signature?.digestAlgorithm;
|
|
278
|
-
if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) console.warn(`[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. Consider upgrading your IdP to use RSA-SHA256 or stronger.`);
|
|
279
|
-
if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) console.warn(`[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. Consider upgrading your IdP to use SHA-256 or stronger.`);
|
|
280
|
-
} catch {}
|
|
281
|
-
}
|
|
282
|
-
/** @internal */
|
|
283
|
-
function validateEnterpriseSamlLoginRelayState(opts) {
|
|
284
|
-
if (opts.relayState.source.kind !== opts.source.kind || opts.relayState.source.id !== opts.source.id || opts.relayState.requestId !== opts.inResponseTo) throw new Error("SAML RelayState did not match the pending login request.");
|
|
285
|
-
}
|
|
286
|
-
/** @internal */
|
|
287
|
-
async function parseEnterpriseSamlLogoutMessage(opts) {
|
|
288
|
-
ensureSamlifyValidator();
|
|
289
|
-
const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
|
|
290
|
-
const runtime = createEnterpriseSamlRuntime({
|
|
291
|
-
rootUrl: opts.rootUrl,
|
|
292
|
-
source: opts.source,
|
|
293
|
-
config: opts.config,
|
|
294
|
-
relayState: httpRequest.relayState
|
|
295
|
-
});
|
|
296
|
-
const parsedRequest = httpRequest.hasSamlRequest ? await runtime.sp.parseLogoutRequest(runtime.idp, httpRequest.binding, {
|
|
297
|
-
query: httpRequest.query,
|
|
298
|
-
body: httpRequest.body
|
|
299
|
-
}) : void 0;
|
|
300
|
-
return {
|
|
301
|
-
...httpRequest,
|
|
302
|
-
runtime,
|
|
303
|
-
parsedRequest
|
|
304
|
-
};
|
|
305
|
-
}
|
|
306
|
-
/** @internal */
|
|
307
|
-
function profileFromSamlExtract(extract, mapping) {
|
|
308
|
-
const attributes = typeof extract?.attributes === "object" && extract.attributes !== null ? extract.attributes : {};
|
|
309
|
-
const resolveFirst = (...keys) => {
|
|
310
|
-
for (const key of keys) {
|
|
311
|
-
if (!key) continue;
|
|
312
|
-
const attribute = attributes[key];
|
|
313
|
-
const value = Array.isArray(attribute) ? attribute[0] : attribute;
|
|
314
|
-
if (value !== void 0) return value;
|
|
315
|
-
}
|
|
316
|
-
};
|
|
317
|
-
const fieldResolvers = {
|
|
318
|
-
email: () => resolveFirst(mapping?.email),
|
|
319
|
-
name: () => resolveFirst(mapping?.name) ?? ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)].filter(Boolean).join(" ") || void 0),
|
|
320
|
-
subject: () => resolveFirst(mapping?.subject) ?? extract?.nameID
|
|
321
|
-
};
|
|
322
|
-
const subject = fieldResolvers.subject();
|
|
323
|
-
if (subject === void 0) throw new Error("SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.");
|
|
324
|
-
const email = fieldResolvers.email();
|
|
325
|
-
const name = fieldResolvers.name();
|
|
326
|
-
return {
|
|
327
|
-
id: subject,
|
|
328
|
-
email,
|
|
329
|
-
emailVerified: typeof email === "string" ? true : void 0,
|
|
330
|
-
name,
|
|
331
|
-
samlAttributes: attributes,
|
|
332
|
-
samlSessionIndex: extract?.sessionIndex?.SessionIndex
|
|
333
|
-
};
|
|
334
|
-
}
|
|
335
|
-
|
|
336
|
-
//#endregion
|
|
337
|
-
export { createEnterpriseSamlMetadataXml, createEnterpriseSamlRuntime, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createSamlServiceProvider, createServiceProviderMetadata, decodeEnterpriseSamlRelayStateOrThrow, decodeRelayState, encodeEnterpriseSamlRelayState, getSamlServiceProviderOptions, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, profileFromSamlExtract, readEnterpriseSamlHttpRequest, readRequestBody, validateEnterpriseSamlLoginRelayState };
|
|
338
|
-
//# sourceMappingURL=saml.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"saml.js","names":[],"sources":["../../../src/server/enterprise/saml.ts"],"sourcesContent":["import {\n decodeBase64urlIgnorePadding,\n encodeBase64urlNoPadding,\n} from \"@oslojs/encoding\";\nimport {\n Constants,\n IdentityProvider,\n ServiceProvider,\n setSchemaValidator,\n} from \"@robelest/samlify\";\n\nimport type { SAMLAttributeMapping } from \"../types\";\nimport { getSamlConfig } from \"./config\";\nimport type {\n EnterpriseSamlHttpRequest,\n EnterpriseSamlRelayState,\n EnterpriseSamlSource,\n ParsedSamlMetadata,\n} from \"./shared\";\nimport { asRecord, getEnterpriseSamlUrls } from \"./shared\";\n\n// Samlify requires a schema validator to be registered before parsing any SAML\n// response. We use a permissive validator that always resolves because Convex's\n// edge runtime has no file-system access for XML schema files, and structural\n// correctness is already ensured by the XML parser. This is called directly\n// before each parse operation since Convex can restart the V8 isolate between\n// requests, resetting module-level state.\nconst _samlifyPermissiveValidator = {\n validate: (_xml: string) => Promise.resolve(\"OK\"),\n};\nfunction ensureSamlifyValidator() {\n setSchemaValidator(_samlifyPermissiveValidator);\n}\n\n/** @internal */\nexport function createSamlPostBindingResponse(opts: {\n endpoint: string;\n parameter: \"SAMLRequest\" | \"SAMLResponse\";\n value: string;\n relayState?: string;\n}) {\n const fields = [\n `<input type=\"hidden\" name=\"${opts.parameter}\" value=\"${opts.value.replace(/\"/g, \""\")}\" />`,\n opts.relayState\n ? `<input type=\"hidden\" name=\"RelayState\" value=\"${opts.relayState.replace(/\"/g, \""\")}\" />`\n : \"\",\n ].join(\"\");\n return new Response(\n `<!doctype html><html><body><form method=\"POST\" action=\"${opts.endpoint}\">${fields}</form><script>document.forms[0].submit();</script></body></html>`,\n { status: 200, headers: { \"Content-Type\": \"text/html; charset=utf-8\" } },\n );\n}\n\n/** @internal */\nexport function decodeRelayState(\n value: string | null,\n): Record<string, unknown> {\n if (!value) {\n return {};\n }\n try {\n return JSON.parse(\n new TextDecoder().decode(decodeBase64urlIgnorePadding(value)),\n );\n } catch {\n return {};\n }\n}\n\n/** @internal */\nexport function encodeEnterpriseSamlRelayState(\n value: EnterpriseSamlRelayState,\n) {\n return encodeBase64urlNoPadding(\n new TextEncoder().encode(\n JSON.stringify({\n source: `${value.source.kind}:${value.source.id}`,\n signature: value.signature,\n requestId: value.requestId,\n state: value.state,\n redirectTo: value.redirectTo,\n }),\n ),\n );\n}\n\n/** @internal */\nexport function decodeEnterpriseSamlRelayStateOrThrow(\n value: string | null,\n): EnterpriseSamlRelayState {\n if (!value) {\n throw new Error(\"Missing SAML RelayState.\");\n }\n const decoded = decodeRelayState(value);\n if (\n typeof decoded.source !== \"string\" ||\n typeof decoded.signature !== \"string\" ||\n typeof decoded.requestId !== \"string\" ||\n typeof decoded.state !== \"string\"\n ) {\n throw new Error(\"Invalid SAML RelayState.\");\n }\n const [kind, ...rest] = decoded.source.split(\":\");\n const id = rest.join(\":\");\n if (kind !== \"enterprise\" || id.length === 0) {\n throw new Error(\"Invalid enterprise SAML source.\");\n }\n return {\n source: { kind, id } as EnterpriseSamlSource,\n signature: decoded.signature,\n requestId: decoded.requestId,\n state: decoded.state,\n redirectTo:\n typeof decoded.redirectTo === \"string\" ? decoded.redirectTo : undefined,\n };\n}\n\n/** @internal */\nexport async function readRequestBody(\n request: Request,\n): Promise<Record<string, string>> {\n const contentType = request.headers.get(\"Content-Type\") ?? \"\";\n if (\n contentType.includes(\"application/x-www-form-urlencoded\") ||\n contentType.includes(\"multipart/form-data\")\n ) {\n const form = await request.formData();\n const body: Record<string, string> = {};\n form.forEach((value, key) => {\n body[key] = typeof value === \"string\" ? value : value.name;\n });\n return body;\n }\n return {};\n}\n\n/** @internal */\nexport async function readEnterpriseSamlHttpRequest(\n request: Request,\n): Promise<EnterpriseSamlHttpRequest> {\n const url = new URL(request.url);\n const body = await readRequestBody(request);\n const query = Object.fromEntries(url.searchParams);\n const binding =\n request.method === \"GET\"\n ? \"redirect\"\n : body.SAMLResponse || body.SAMLRequest\n ? \"post\"\n : \"redirect\";\n return {\n url,\n body,\n query,\n binding,\n relayState:\n body.RelayState ?? url.searchParams.get(\"RelayState\") ?? undefined,\n hasSamlRequest: Boolean(\n body.SAMLRequest ?? url.searchParams.get(\"SAMLRequest\"),\n ),\n hasSamlResponse: Boolean(\n body.SAMLResponse ?? url.searchParams.get(\"SAMLResponse\"),\n ),\n };\n}\n\n/** @internal */\nexport function parseSamlIdpMetadata(metadata: string): ParsedSamlMetadata {\n const idp = IdentityProvider({ metadata });\n const entityMeta = idp.entityMeta;\n\n const normalizeService = (value: unknown): string | undefined => {\n return typeof value === \"string\" && value.length > 0 ? value : undefined;\n };\n\n return {\n issuer: entityMeta.getEntityID(),\n sso: {\n redirect: normalizeService(entityMeta.getSingleSignOnService(\"redirect\")),\n post: normalizeService(entityMeta.getSingleSignOnService(\"post\")),\n },\n slo: {\n redirect: normalizeService(entityMeta.getSingleLogoutService(\"redirect\")),\n post: normalizeService(entityMeta.getSingleLogoutService(\"post\")),\n },\n signingCert: entityMeta.getX509Certificate(\"signing\"),\n encryptionCert: entityMeta.getX509Certificate(\"encrypt\"),\n nameIdFormats: (() => {\n const nameIdFormat = entityMeta.getNameIDFormat();\n return Array.isArray(nameIdFormat) ? nameIdFormat : [];\n })(),\n wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned(),\n };\n}\n\n/** @internal */\nexport function createServiceProviderMetadata(opts: {\n entityId: string;\n acsUrl: string;\n sloUrl?: string;\n authnRequestsSigned?: boolean;\n signingCert?: string | string[];\n encryptCert?: string | string[];\n privateKey?: string;\n privateKeyPass?: string;\n encPrivateKey?: string;\n encPrivateKeyPass?: string;\n}) {\n const binding = Constants.namespace.binding;\n const sp = ServiceProvider({\n entityID: opts.entityId,\n authnRequestsSigned: opts.authnRequestsSigned ?? false,\n privateKey: opts.privateKey,\n privateKeyPass: opts.privateKeyPass,\n signingCert: opts.signingCert,\n encryptCert: opts.encryptCert,\n encPrivateKey: opts.encPrivateKey,\n encPrivateKeyPass: opts.encPrivateKeyPass,\n assertionConsumerService: [\n {\n Binding: binding.post,\n Location: opts.acsUrl,\n },\n ],\n singleLogoutService: opts.sloUrl\n ? [\n {\n Binding: binding.redirect,\n Location: opts.sloUrl,\n },\n {\n Binding: binding.post,\n Location: opts.sloUrl,\n },\n ]\n : undefined,\n });\n return sp.getMetadata();\n}\n\n/** @internal */\nexport function createEnterpriseSamlMetadataXml(opts: {\n rootUrl: string;\n source: EnterpriseSamlSource;\n config: unknown;\n}) {\n return createServiceProviderMetadata(\n getSamlServiceProviderOptions({\n rootUrl: opts.rootUrl,\n source: opts.source,\n config: opts.config,\n }),\n );\n}\n\n/** @internal */\nexport function getSamlServiceProviderOptions(opts: {\n rootUrl: string;\n source: EnterpriseSamlSource;\n config: unknown;\n overrides?: {\n entityId?: string;\n acsUrl?: string;\n sloUrl?: string;\n };\n relayState?: string;\n}) {\n const saml = getSamlConfig(opts.config);\n const sp = asRecord(saml.sp) ?? {};\n const urls = getEnterpriseSamlUrls({\n rootUrl: opts.rootUrl,\n source: opts.source,\n });\n return {\n entityId: opts.overrides?.entityId ?? sp.entityId ?? urls.metadataUrl,\n acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,\n sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,\n relayState: opts.relayState,\n authnRequestsSigned: saml.signAuthnRequests,\n signingCert: sp.signingCert,\n encryptCert: sp.encryptCert,\n privateKey: sp.privateKey,\n privateKeyPass: sp.privateKeyPass,\n encPrivateKey: sp.encPrivateKey,\n encPrivateKeyPass: sp.encPrivateKeyPass,\n };\n}\n\n/** @internal */\nexport function createSamlServiceProvider(opts: {\n entityId: string;\n acsUrl: string;\n sloUrl?: string;\n relayState?: string;\n authnRequestsSigned?: boolean;\n signingCert?: string | string[];\n encryptCert?: string | string[];\n privateKey?: string;\n privateKeyPass?: string;\n encPrivateKey?: string;\n encPrivateKeyPass?: string;\n}) {\n const binding = Constants.namespace.binding;\n return ServiceProvider({\n entityID: opts.entityId,\n relayState: opts.relayState ?? \"\",\n authnRequestsSigned: opts.authnRequestsSigned ?? false,\n privateKey: opts.privateKey,\n privateKeyPass: opts.privateKeyPass,\n signingCert: opts.signingCert,\n encryptCert: opts.encryptCert,\n encPrivateKey: opts.encPrivateKey,\n encPrivateKeyPass: opts.encPrivateKeyPass,\n assertionConsumerService: [\n {\n Binding: binding.post,\n Location: opts.acsUrl,\n },\n ],\n singleLogoutService: opts.sloUrl\n ? [\n { Binding: binding.redirect, Location: opts.sloUrl },\n { Binding: binding.post, Location: opts.sloUrl },\n ]\n : undefined,\n });\n}\n\n/** @internal */\nexport function createEnterpriseSamlRuntime(opts: {\n rootUrl: string;\n source: EnterpriseSamlSource;\n config: unknown;\n relayState?: string;\n overrides?: {\n entityId?: string;\n acsUrl?: string;\n sloUrl?: string;\n };\n}) {\n const saml = getSamlConfig(opts.config);\n const spOptions = getSamlServiceProviderOptions({\n rootUrl: opts.rootUrl,\n source: opts.source,\n config: opts.config,\n relayState: opts.relayState,\n overrides: opts.overrides,\n });\n if (typeof saml.idp?.metadataXml !== \"string\") {\n throw new Error(\"SAML IdP metadata is missing.\");\n }\n return {\n saml,\n sp: createSamlServiceProvider(spOptions),\n idp: IdentityProvider({ metadata: saml.idp.metadataXml }),\n urls: getEnterpriseSamlUrls({ rootUrl: opts.rootUrl, source: opts.source }),\n };\n}\n\n/** @internal */\nexport function createEnterpriseSamlSignInRequest(opts: {\n rootUrl: string;\n source: EnterpriseSamlSource;\n config: unknown;\n state: string;\n signature: string;\n redirectTo?: string;\n}) {\n const runtime = createEnterpriseSamlRuntime({\n rootUrl: opts.rootUrl,\n source: opts.source,\n config: opts.config,\n });\n const binding = runtime.saml.idp.sso?.redirect ? \"redirect\" : \"post\";\n const loginRequest = runtime.sp.createLoginRequest(\n runtime.idp,\n binding as any,\n ) as any;\n const relayState = encodeEnterpriseSamlRelayState({\n source: opts.source,\n signature: opts.signature,\n requestId: loginRequest.id,\n state: opts.state,\n redirectTo: opts.redirectTo,\n });\n return {\n requestId: loginRequest.id as string,\n binding,\n relayState,\n redirectUrl:\n binding === \"redirect\"\n ? (() => {\n const redirectUrl = new URL(loginRequest.context);\n redirectUrl.searchParams.set(\"RelayState\", relayState);\n return redirectUrl.toString();\n })()\n : undefined,\n post:\n binding === \"post\"\n ? {\n endpoint: loginRequest.entityEndpoint as string,\n value: loginRequest.context as string,\n }\n : undefined,\n };\n}\n\n/** @internal */\nexport async function parseEnterpriseSamlLoginResponse(opts: {\n request: Request;\n rootUrl: string;\n source: EnterpriseSamlSource;\n config: unknown;\n}) {\n ensureSamlifyValidator();\n const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);\n const runtime = createEnterpriseSamlRuntime({\n rootUrl: opts.rootUrl,\n source: opts.source,\n config: opts.config,\n });\n const parsed = (await runtime.sp.parseLoginResponse(\n runtime.idp as any,\n httpRequest.binding as any,\n {\n query: httpRequest.query,\n body: httpRequest.body,\n },\n )) as any;\n // Check for weak SAML algorithms and warn.\n warnWeakSamlAlgorithms(parsed);\n\n return {\n ...httpRequest,\n runtime,\n parsed,\n relayState: decodeEnterpriseSamlRelayStateOrThrow(\n httpRequest.relayState ?? null,\n ),\n };\n}\n\nconst WEAK_SAML_ALGORITHMS = new Set([\n // Signature algorithms\n \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\",\n \"http://www.w3.org/2000/09/xmldsig#dsa-sha1\",\n // Digest algorithms\n \"http://www.w3.org/2000/09/xmldsig#sha1\",\n // Key encryption\n \"http://www.w3.org/2001/04/xmlenc#rsa-1_5\",\n // Data encryption\n \"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\",\n]);\n\n/**\n * Warn when the SAML response uses weak cryptographic algorithms\n * such as SHA-1, RSA 1.5, or 3DES.\n */\nfunction warnWeakSamlAlgorithms(parsed: any) {\n try {\n const sigAlg =\n parsed?.extract?.signature?.signatureAlgorithm ??\n parsed?.extract?.response?.signatureAlgorithm;\n const digestAlg = parsed?.extract?.signature?.digestAlgorithm;\n\n if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) {\n console.warn(\n `[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. ` +\n `Consider upgrading your IdP to use RSA-SHA256 or stronger.`,\n );\n }\n if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) {\n console.warn(\n `[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. ` +\n `Consider upgrading your IdP to use SHA-256 or stronger.`,\n );\n }\n } catch {\n // Non-critical — don't break auth flow for algorithm check failures\n }\n}\n\n/** @internal */\nexport function validateEnterpriseSamlLoginRelayState(opts: {\n relayState: EnterpriseSamlRelayState;\n source: EnterpriseSamlSource;\n inResponseTo?: string;\n}) {\n if (\n opts.relayState.source.kind !== opts.source.kind ||\n opts.relayState.source.id !== opts.source.id ||\n opts.relayState.requestId !== opts.inResponseTo\n ) {\n throw new Error(\"SAML RelayState did not match the pending login request.\");\n }\n}\n\n/** @internal */\nexport async function parseEnterpriseSamlLogoutMessage(opts: {\n request: Request;\n rootUrl: string;\n source: EnterpriseSamlSource;\n config: unknown;\n}) {\n ensureSamlifyValidator();\n const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);\n const runtime = createEnterpriseSamlRuntime({\n rootUrl: opts.rootUrl,\n source: opts.source,\n config: opts.config,\n relayState: httpRequest.relayState,\n });\n const parsedRequest = httpRequest.hasSamlRequest\n ? ((await runtime.sp.parseLogoutRequest(\n runtime.idp as any,\n httpRequest.binding as any,\n {\n query: httpRequest.query,\n body: httpRequest.body,\n },\n )) as any)\n : undefined;\n return {\n ...httpRequest,\n runtime,\n parsedRequest,\n };\n}\n\n/** @internal */\nexport function profileFromSamlExtract(\n extract: any,\n mapping?: SAMLAttributeMapping,\n) {\n const attributes =\n typeof extract?.attributes === \"object\" && extract.attributes !== null\n ? (extract.attributes as Record<string, unknown>)\n : {};\n const resolveFirst = (...keys: Array<string | undefined>) => {\n for (const key of keys) {\n if (!key) {\n continue;\n }\n const attribute = attributes[key];\n const value = Array.isArray(attribute) ? attribute[0] : attribute;\n if (value !== undefined) {\n return value;\n }\n }\n return undefined;\n };\n const fieldResolvers = {\n email: () => resolveFirst(mapping?.email),\n name: () =>\n resolveFirst(mapping?.name) ??\n ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)]\n .filter(Boolean)\n .join(\" \") ||\n undefined),\n subject: () =>\n resolveFirst(mapping?.subject) ?? (extract?.nameID as string | undefined),\n } as const;\n const subject = fieldResolvers.subject() as string | undefined;\n if (subject === undefined) {\n throw new Error(\n \"SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.\",\n );\n }\n const email = fieldResolvers.email() as string | undefined;\n const name = fieldResolvers.name() as string | undefined;\n return {\n id: subject,\n email,\n emailVerified: typeof email === \"string\" ? true : undefined,\n name,\n samlAttributes: attributes,\n samlSessionIndex: extract?.sessionIndex?.SessionIndex as string | undefined,\n };\n}\n"],"mappings":";;;;;;AA2BA,MAAM,8BAA8B,EAClC,WAAW,SAAiB,QAAQ,QAAQ,KAAK,EAClD;AACD,SAAS,yBAAyB;AAChC,oBAAmB,4BAA4B;;;AAIjD,SAAgB,8BAA8B,MAK3C;CACD,MAAM,SAAS,CACb,8BAA8B,KAAK,UAAU,WAAW,KAAK,MAAM,QAAQ,MAAM,SAAS,CAAC,OAC3F,KAAK,aACD,iDAAiD,KAAK,WAAW,QAAQ,MAAM,SAAS,CAAC,QACzF,GACL,CAAC,KAAK,GAAG;AACV,QAAO,IAAI,SACT,0DAA0D,KAAK,SAAS,IAAI,OAAO,qEACnF;EAAE,QAAQ;EAAK,SAAS,EAAE,gBAAgB,4BAA4B;EAAE,CACzE;;;AAIH,SAAgB,iBACd,OACyB;AACzB,KAAI,CAAC,MACH,QAAO,EAAE;AAEX,KAAI;AACF,SAAO,KAAK,MACV,IAAI,aAAa,CAAC,OAAO,6BAA6B,MAAM,CAAC,CAC9D;SACK;AACN,SAAO,EAAE;;;;AAKb,SAAgB,+BACd,OACA;AACA,QAAO,yBACL,IAAI,aAAa,CAAC,OAChB,KAAK,UAAU;EACb,QAAQ,GAAG,MAAM,OAAO,KAAK,GAAG,MAAM,OAAO;EAC7C,WAAW,MAAM;EACjB,WAAW,MAAM;EACjB,OAAO,MAAM;EACb,YAAY,MAAM;EACnB,CAAC,CACH,CACF;;;AAIH,SAAgB,sCACd,OAC0B;AAC1B,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,2BAA2B;CAE7C,MAAM,UAAU,iBAAiB,MAAM;AACvC,KACE,OAAO,QAAQ,WAAW,YAC1B,OAAO,QAAQ,cAAc,YAC7B,OAAO,QAAQ,cAAc,YAC7B,OAAO,QAAQ,UAAU,SAEzB,OAAM,IAAI,MAAM,2BAA2B;CAE7C,MAAM,CAAC,MAAM,GAAG,QAAQ,QAAQ,OAAO,MAAM,IAAI;CACjD,MAAM,KAAK,KAAK,KAAK,IAAI;AACzB,KAAI,SAAS,gBAAgB,GAAG,WAAW,EACzC,OAAM,IAAI,MAAM,kCAAkC;AAEpD,QAAO;EACL,QAAQ;GAAE;GAAM;GAAI;EACpB,WAAW,QAAQ;EACnB,WAAW,QAAQ;EACnB,OAAO,QAAQ;EACf,YACE,OAAO,QAAQ,eAAe,WAAW,QAAQ,aAAa;EACjE;;;AAIH,eAAsB,gBACpB,SACiC;CACjC,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,IAAI;AAC3D,KACE,YAAY,SAAS,oCAAoC,IACzD,YAAY,SAAS,sBAAsB,EAC3C;EACA,MAAM,OAAO,MAAM,QAAQ,UAAU;EACrC,MAAM,OAA+B,EAAE;AACvC,OAAK,SAAS,OAAO,QAAQ;AAC3B,QAAK,OAAO,OAAO,UAAU,WAAW,QAAQ,MAAM;IACtD;AACF,SAAO;;AAET,QAAO,EAAE;;;AAIX,eAAsB,8BACpB,SACoC;CACpC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAChC,MAAM,OAAO,MAAM,gBAAgB,QAAQ;AAQ3C,QAAO;EACL;EACA;EACA,OAVY,OAAO,YAAY,IAAI,aAAa;EAWhD,SATA,QAAQ,WAAW,QACf,aACA,KAAK,gBAAgB,KAAK,cACxB,SACA;EAMN,YACE,KAAK,cAAc,IAAI,aAAa,IAAI,aAAa,IAAI;EAC3D,gBAAgB,QACd,KAAK,eAAe,IAAI,aAAa,IAAI,cAAc,CACxD;EACD,iBAAiB,QACf,KAAK,gBAAgB,IAAI,aAAa,IAAI,eAAe,CAC1D;EACF;;;AAIH,SAAgB,qBAAqB,UAAsC;CAEzE,MAAM,aADM,iBAAiB,EAAE,UAAU,CAAC,CACnB;CAEvB,MAAM,oBAAoB,UAAuC;AAC/D,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;;AAGjE,QAAO;EACL,QAAQ,WAAW,aAAa;EAChC,KAAK;GACH,UAAU,iBAAiB,WAAW,uBAAuB,WAAW,CAAC;GACzE,MAAM,iBAAiB,WAAW,uBAAuB,OAAO,CAAC;GAClE;EACD,KAAK;GACH,UAAU,iBAAiB,WAAW,uBAAuB,WAAW,CAAC;GACzE,MAAM,iBAAiB,WAAW,uBAAuB,OAAO,CAAC;GAClE;EACD,aAAa,WAAW,mBAAmB,UAAU;EACrD,gBAAgB,WAAW,mBAAmB,UAAU;EACxD,sBAAsB;GACpB,MAAM,eAAe,WAAW,iBAAiB;AACjD,UAAO,MAAM,QAAQ,aAAa,GAAG,eAAe,EAAE;MACpD;EACJ,0BAA0B,WAAW,2BAA2B;EACjE;;;AAIH,SAAgB,8BAA8B,MAW3C;CACD,MAAM,UAAU,UAAU,UAAU;AA6BpC,QA5BW,gBAAgB;EACzB,UAAU,KAAK;EACf,qBAAqB,KAAK,uBAAuB;EACjD,YAAY,KAAK;EACjB,gBAAgB,KAAK;EACrB,aAAa,KAAK;EAClB,aAAa,KAAK;EAClB,eAAe,KAAK;EACpB,mBAAmB,KAAK;EACxB,0BAA0B,CACxB;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,CACF;EACD,qBAAqB,KAAK,SACtB,CACE;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,EACD;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,CACF,GACD;EACL,CAAC,CACQ,aAAa;;;AAIzB,SAAgB,gCAAgC,MAI7C;AACD,QAAO,8BACL,8BAA8B;EAC5B,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACd,CAAC,CACH;;;AAIH,SAAgB,8BAA8B,MAU3C;CACD,MAAM,OAAO,cAAc,KAAK,OAAO;CACvC,MAAM,KAAK,SAAS,KAAK,GAAG,IAAI,EAAE;CAClC,MAAM,OAAO,sBAAsB;EACjC,SAAS,KAAK;EACd,QAAQ,KAAK;EACd,CAAC;AACF,QAAO;EACL,UAAU,KAAK,WAAW,YAAY,GAAG,YAAY,KAAK;EAC1D,QAAQ,KAAK,WAAW,UAAU,GAAG,UAAU,KAAK;EACpD,QAAQ,KAAK,WAAW,UAAU,GAAG,UAAU,KAAK;EACpD,YAAY,KAAK;EACjB,qBAAqB,KAAK;EAC1B,aAAa,GAAG;EAChB,aAAa,GAAG;EAChB,YAAY,GAAG;EACf,gBAAgB,GAAG;EACnB,eAAe,GAAG;EAClB,mBAAmB,GAAG;EACvB;;;AAIH,SAAgB,0BAA0B,MAYvC;CACD,MAAM,UAAU,UAAU,UAAU;AACpC,QAAO,gBAAgB;EACrB,UAAU,KAAK;EACf,YAAY,KAAK,cAAc;EAC/B,qBAAqB,KAAK,uBAAuB;EACjD,YAAY,KAAK;EACjB,gBAAgB,KAAK;EACrB,aAAa,KAAK;EAClB,aAAa,KAAK;EAClB,eAAe,KAAK;EACpB,mBAAmB,KAAK;EACxB,0BAA0B,CACxB;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,CACF;EACD,qBAAqB,KAAK,SACtB,CACE;GAAE,SAAS,QAAQ;GAAU,UAAU,KAAK;GAAQ,EACpD;GAAE,SAAS,QAAQ;GAAM,UAAU,KAAK;GAAQ,CACjD,GACD;EACL,CAAC;;;AAIJ,SAAgB,4BAA4B,MAUzC;CACD,MAAM,OAAO,cAAc,KAAK,OAAO;CACvC,MAAM,YAAY,8BAA8B;EAC9C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACb,YAAY,KAAK;EACjB,WAAW,KAAK;EACjB,CAAC;AACF,KAAI,OAAO,KAAK,KAAK,gBAAgB,SACnC,OAAM,IAAI,MAAM,gCAAgC;AAElD,QAAO;EACL;EACA,IAAI,0BAA0B,UAAU;EACxC,KAAK,iBAAiB,EAAE,UAAU,KAAK,IAAI,aAAa,CAAC;EACzD,MAAM,sBAAsB;GAAE,SAAS,KAAK;GAAS,QAAQ,KAAK;GAAQ,CAAC;EAC5E;;;AAIH,SAAgB,kCAAkC,MAO/C;CACD,MAAM,UAAU,4BAA4B;EAC1C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACd,CAAC;CACF,MAAM,UAAU,QAAQ,KAAK,IAAI,KAAK,WAAW,aAAa;CAC9D,MAAM,eAAe,QAAQ,GAAG,mBAC9B,QAAQ,KACR,QACD;CACD,MAAM,aAAa,+BAA+B;EAChD,QAAQ,KAAK;EACb,WAAW,KAAK;EAChB,WAAW,aAAa;EACxB,OAAO,KAAK;EACZ,YAAY,KAAK;EAClB,CAAC;AACF,QAAO;EACL,WAAW,aAAa;EACxB;EACA;EACA,aACE,YAAY,oBACD;GACL,MAAM,cAAc,IAAI,IAAI,aAAa,QAAQ;AACjD,eAAY,aAAa,IAAI,cAAc,WAAW;AACtD,UAAO,YAAY,UAAU;MAC3B,GACJ;EACN,MACE,YAAY,SACR;GACE,UAAU,aAAa;GACvB,OAAO,aAAa;GACrB,GACD;EACP;;;AAIH,eAAsB,iCAAiC,MAKpD;AACD,yBAAwB;CACxB,MAAM,cAAc,MAAM,8BAA8B,KAAK,QAAQ;CACrE,MAAM,UAAU,4BAA4B;EAC1C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACd,CAAC;CACF,MAAM,SAAU,MAAM,QAAQ,GAAG,mBAC/B,QAAQ,KACR,YAAY,SACZ;EACE,OAAO,YAAY;EACnB,MAAM,YAAY;EACnB,CACF;AAED,wBAAuB,OAAO;AAE9B,QAAO;EACL,GAAG;EACH;EACA;EACA,YAAY,sCACV,YAAY,cAAc,KAC3B;EACF;;AAGH,MAAM,uBAAuB,IAAI,IAAI;CAEnC;CACA;CAEA;CAEA;CAEA;CACD,CAAC;;;;;AAMF,SAAS,uBAAuB,QAAa;AAC3C,KAAI;EACF,MAAM,SACJ,QAAQ,SAAS,WAAW,sBAC5B,QAAQ,SAAS,UAAU;EAC7B,MAAM,YAAY,QAAQ,SAAS,WAAW;AAE9C,MAAI,UAAU,qBAAqB,IAAI,OAAO,CAC5C,SAAQ,KACN,8DAA8D,OAAO,8DAEtE;AAEH,MAAI,aAAa,qBAAqB,IAAI,UAAU,CAClD,SAAQ,KACN,2DAA2D,UAAU,2DAEtE;SAEG;;;AAMV,SAAgB,sCAAsC,MAInD;AACD,KACE,KAAK,WAAW,OAAO,SAAS,KAAK,OAAO,QAC5C,KAAK,WAAW,OAAO,OAAO,KAAK,OAAO,MAC1C,KAAK,WAAW,cAAc,KAAK,aAEnC,OAAM,IAAI,MAAM,2DAA2D;;;AAK/E,eAAsB,iCAAiC,MAKpD;AACD,yBAAwB;CACxB,MAAM,cAAc,MAAM,8BAA8B,KAAK,QAAQ;CACrE,MAAM,UAAU,4BAA4B;EAC1C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACb,YAAY,YAAY;EACzB,CAAC;CACF,MAAM,gBAAgB,YAAY,iBAC5B,MAAM,QAAQ,GAAG,mBACjB,QAAQ,KACR,YAAY,SACZ;EACE,OAAO,YAAY;EACnB,MAAM,YAAY;EACnB,CACF,GACD;AACJ,QAAO;EACL,GAAG;EACH;EACA;EACD;;;AAIH,SAAgB,uBACd,SACA,SACA;CACA,MAAM,aACJ,OAAO,SAAS,eAAe,YAAY,QAAQ,eAAe,OAC7D,QAAQ,aACT,EAAE;CACR,MAAM,gBAAgB,GAAG,SAAoC;AAC3D,OAAK,MAAM,OAAO,MAAM;AACtB,OAAI,CAAC,IACH;GAEF,MAAM,YAAY,WAAW;GAC7B,MAAM,QAAQ,MAAM,QAAQ,UAAU,GAAG,UAAU,KAAK;AACxD,OAAI,UAAU,OACZ,QAAO;;;CAKb,MAAM,iBAAiB;EACrB,aAAa,aAAa,SAAS,MAAM;EACzC,YACE,aAAa,SAAS,KAAK,KAC1B,CAAC,aAAa,SAAS,UAAU,EAAE,aAAa,SAAS,SAAS,CAAC,CACjE,OAAO,QAAQ,CACf,KAAK,IAAI,IACV;EACJ,eACE,aAAa,SAAS,QAAQ,IAAK,SAAS;EAC/C;CACD,MAAM,UAAU,eAAe,SAAS;AACxC,KAAI,YAAY,OACd,OAAM,IAAI,MACR,qHACD;CAEH,MAAM,QAAQ,eAAe,OAAO;CACpC,MAAM,OAAO,eAAe,MAAM;AAClC,QAAO;EACL,IAAI;EACJ;EACA,eAAe,OAAO,UAAU,WAAW,OAAO;EAClD;EACA,gBAAgB;EAChB,kBAAkB,SAAS,cAAc;EAC1C"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|
|
@@ -1,97 +0,0 @@
|
|
|
1
|
-
import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from "./shared.js";
|
|
2
|
-
|
|
3
|
-
//#region src/server/enterprise/scim.ts
|
|
4
|
-
/** @internal */
|
|
5
|
-
function parseScimPath(pathname) {
|
|
6
|
-
const [api, auth, sso, enterpriseId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
|
|
7
|
-
if (api !== "api" || auth !== "auth" || sso !== "sso" || !enterpriseId || enterpriseId === "setup" || protocol !== "scim" || version !== "v2") return {
|
|
8
|
-
enterpriseId: "",
|
|
9
|
-
resource: "",
|
|
10
|
-
resourceId: void 0
|
|
11
|
-
};
|
|
12
|
-
return {
|
|
13
|
-
enterpriseId,
|
|
14
|
-
resource: rest[0] ?? "",
|
|
15
|
-
resourceId: rest[1]
|
|
16
|
-
};
|
|
17
|
-
}
|
|
18
|
-
/** @internal */
|
|
19
|
-
function parseScimListRequest(url) {
|
|
20
|
-
const startIndex = Math.max(1, Number(url.searchParams.get("startIndex") ?? "1"));
|
|
21
|
-
const count = Math.min(100, Math.max(1, Number(url.searchParams.get("count") ?? "100")));
|
|
22
|
-
const filterParam = url.searchParams.get("filter");
|
|
23
|
-
return {
|
|
24
|
-
startIndex,
|
|
25
|
-
count,
|
|
26
|
-
filter: filterParam ? (() => {
|
|
27
|
-
const match = filterParam.match(/^([A-Za-z0-9_.]+)\s+eq\s+"([^"]+)"$/);
|
|
28
|
-
if (!match) throw new Error("Unsupported SCIM filter.");
|
|
29
|
-
return {
|
|
30
|
-
attribute: match[1],
|
|
31
|
-
value: match[2]
|
|
32
|
-
};
|
|
33
|
-
})() : void 0
|
|
34
|
-
};
|
|
35
|
-
}
|
|
36
|
-
/** @internal */
|
|
37
|
-
function scimJson(data, status = 200, headers) {
|
|
38
|
-
const responseHeaders = new Headers({ "Content-Type": "application/scim+json" });
|
|
39
|
-
if (headers) new Headers(headers).forEach((value, key) => {
|
|
40
|
-
responseHeaders.set(key, value);
|
|
41
|
-
});
|
|
42
|
-
return new Response(JSON.stringify(data), {
|
|
43
|
-
status,
|
|
44
|
-
headers: responseHeaders
|
|
45
|
-
});
|
|
46
|
-
}
|
|
47
|
-
/** @internal */
|
|
48
|
-
function scimError(status, scimType, detail) {
|
|
49
|
-
return scimJson({
|
|
50
|
-
schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
|
|
51
|
-
status: String(status),
|
|
52
|
-
scimType,
|
|
53
|
-
detail
|
|
54
|
-
}, status);
|
|
55
|
-
}
|
|
56
|
-
/** @internal */
|
|
57
|
-
function serializeScimUser(args) {
|
|
58
|
-
return {
|
|
59
|
-
schemas: [SCIM_USER_SCHEMA_ID],
|
|
60
|
-
id: args.id,
|
|
61
|
-
externalId: args.externalId,
|
|
62
|
-
meta: {
|
|
63
|
-
resourceType: "User",
|
|
64
|
-
location: args.location
|
|
65
|
-
},
|
|
66
|
-
userName: args.user.email ?? args.user.phone ?? args.user.name ?? args.id,
|
|
67
|
-
active: args.active ?? true,
|
|
68
|
-
name: args.user.name !== void 0 ? { formatted: args.user.name } : void 0,
|
|
69
|
-
emails: typeof args.user.email === "string" ? [{
|
|
70
|
-
value: args.user.email,
|
|
71
|
-
primary: true
|
|
72
|
-
}] : void 0,
|
|
73
|
-
phoneNumbers: typeof args.user.phone === "string" ? [{
|
|
74
|
-
value: args.user.phone,
|
|
75
|
-
primary: true
|
|
76
|
-
}] : void 0,
|
|
77
|
-
displayName: args.user.name
|
|
78
|
-
};
|
|
79
|
-
}
|
|
80
|
-
/** @internal */
|
|
81
|
-
function serializeScimGroup(args) {
|
|
82
|
-
return {
|
|
83
|
-
schemas: [SCIM_GROUP_SCHEMA_ID],
|
|
84
|
-
id: args.id,
|
|
85
|
-
externalId: args.externalId,
|
|
86
|
-
meta: {
|
|
87
|
-
resourceType: "Group",
|
|
88
|
-
location: args.location
|
|
89
|
-
},
|
|
90
|
-
displayName: args.group.name ?? args.id,
|
|
91
|
-
members: args.members ?? []
|
|
92
|
-
};
|
|
93
|
-
}
|
|
94
|
-
|
|
95
|
-
//#endregion
|
|
96
|
-
export { parseScimListRequest, parseScimPath, scimError, scimJson, serializeScimGroup, serializeScimUser };
|
|
97
|
-
//# sourceMappingURL=scim.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"scim.js","names":[],"sources":["../../../src/server/enterprise/scim.ts"],"sourcesContent":["import type { ScimListRequest } from \"./shared\";\nimport { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from \"./shared\";\n\n/** @internal */\nexport function parseScimPath(pathname: string) {\n const parts = pathname.split(\"/\").filter(Boolean);\n const [api, auth, sso, enterpriseId, protocol, version, ...rest] = parts;\n\n if (\n api !== \"api\" ||\n auth !== \"auth\" ||\n sso !== \"sso\" ||\n !enterpriseId ||\n enterpriseId === \"setup\" ||\n protocol !== \"scim\" ||\n version !== \"v2\"\n ) {\n return {\n enterpriseId: \"\",\n resource: \"\",\n resourceId: undefined,\n };\n }\n\n return {\n enterpriseId,\n resource: rest[0] ?? \"\",\n resourceId: rest[1],\n };\n}\n\n/** @internal */\nexport function parseScimListRequest(url: URL): ScimListRequest {\n const startIndex = Math.max(\n 1,\n Number(url.searchParams.get(\"startIndex\") ?? \"1\"),\n );\n const count = Math.min(\n 100,\n Math.max(1, Number(url.searchParams.get(\"count\") ?? \"100\")),\n );\n const filterParam = url.searchParams.get(\"filter\");\n const filter = filterParam\n ? (() => {\n const match = filterParam.match(/^([A-Za-z0-9_.]+)\\s+eq\\s+\"([^\"]+)\"$/);\n if (!match) {\n throw new Error(\"Unsupported SCIM filter.\");\n }\n return { attribute: match[1]!, value: match[2]! };\n })()\n : undefined;\n return { startIndex, count, filter };\n}\n\n/** @internal */\nexport function scimJson(data: unknown, status = 200, headers?: HeadersInit) {\n const responseHeaders = new Headers({\n \"Content-Type\": \"application/scim+json\",\n });\n if (headers) {\n new Headers(headers).forEach((value, key) => {\n responseHeaders.set(key, value);\n });\n }\n return new Response(JSON.stringify(data), {\n status,\n headers: responseHeaders,\n });\n}\n\n/** @internal */\nexport function scimError(status: number, scimType: string, detail: string) {\n return scimJson(\n {\n schemas: [\"urn:ietf:params:scim:api:messages:2.0:Error\"],\n status: String(status),\n scimType,\n detail,\n },\n status,\n );\n}\n\n/** @internal */\nexport function serializeScimUser(args: {\n id: string;\n user: Record<string, any>;\n externalId?: string;\n active?: boolean;\n location?: string;\n}) {\n return {\n schemas: [SCIM_USER_SCHEMA_ID],\n id: args.id,\n externalId: args.externalId,\n meta: {\n resourceType: \"User\",\n location: args.location,\n },\n userName: args.user.email ?? args.user.phone ?? args.user.name ?? args.id,\n active: args.active ?? true,\n name:\n args.user.name !== undefined ? { formatted: args.user.name } : undefined,\n emails:\n typeof args.user.email === \"string\"\n ? [{ value: args.user.email, primary: true }]\n : undefined,\n phoneNumbers:\n typeof args.user.phone === \"string\"\n ? [{ value: args.user.phone, primary: true }]\n : undefined,\n displayName: args.user.name,\n };\n}\n\n/** @internal */\nexport function serializeScimGroup(args: {\n id: string;\n group: Record<string, any>;\n externalId?: string;\n members?: Array<{ value: string; display?: string }>;\n location?: string;\n}) {\n return {\n schemas: [SCIM_GROUP_SCHEMA_ID],\n id: args.id,\n externalId: args.externalId,\n meta: {\n resourceType: \"Group\",\n location: args.location,\n },\n displayName: args.group.name ?? args.id,\n members: args.members ?? [],\n };\n}\n"],"mappings":";;;;AAIA,SAAgB,cAAc,UAAkB;CAE9C,MAAM,CAAC,KAAK,MAAM,KAAK,cAAc,UAAU,SAAS,GAAG,QAD7C,SAAS,MAAM,IAAI,CAAC,OAAO,QAAQ;AAGjD,KACE,QAAQ,SACR,SAAS,UACT,QAAQ,SACR,CAAC,gBACD,iBAAiB,WACjB,aAAa,UACb,YAAY,KAEZ,QAAO;EACL,cAAc;EACd,UAAU;EACV,YAAY;EACb;AAGH,QAAO;EACL;EACA,UAAU,KAAK,MAAM;EACrB,YAAY,KAAK;EAClB;;;AAIH,SAAgB,qBAAqB,KAA2B;CAC9D,MAAM,aAAa,KAAK,IACtB,GACA,OAAO,IAAI,aAAa,IAAI,aAAa,IAAI,IAAI,CAClD;CACD,MAAM,QAAQ,KAAK,IACjB,KACA,KAAK,IAAI,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,IAAI,MAAM,CAAC,CAC5D;CACD,MAAM,cAAc,IAAI,aAAa,IAAI,SAAS;AAUlD,QAAO;EAAE;EAAY;EAAO,QATb,qBACJ;GACL,MAAM,QAAQ,YAAY,MAAM,sCAAsC;AACtE,OAAI,CAAC,MACH,OAAM,IAAI,MAAM,2BAA2B;AAE7C,UAAO;IAAE,WAAW,MAAM;IAAK,OAAO,MAAM;IAAK;MAC/C,GACJ;EACgC;;;AAItC,SAAgB,SAAS,MAAe,SAAS,KAAK,SAAuB;CAC3E,MAAM,kBAAkB,IAAI,QAAQ,EAClC,gBAAgB,yBACjB,CAAC;AACF,KAAI,QACF,KAAI,QAAQ,QAAQ,CAAC,SAAS,OAAO,QAAQ;AAC3C,kBAAgB,IAAI,KAAK,MAAM;GAC/B;AAEJ,QAAO,IAAI,SAAS,KAAK,UAAU,KAAK,EAAE;EACxC;EACA,SAAS;EACV,CAAC;;;AAIJ,SAAgB,UAAU,QAAgB,UAAkB,QAAgB;AAC1E,QAAO,SACL;EACE,SAAS,CAAC,8CAA8C;EACxD,QAAQ,OAAO,OAAO;EACtB;EACA;EACD,EACD,OACD;;;AAIH,SAAgB,kBAAkB,MAM/B;AACD,QAAO;EACL,SAAS,CAAC,oBAAoB;EAC9B,IAAI,KAAK;EACT,YAAY,KAAK;EACjB,MAAM;GACJ,cAAc;GACd,UAAU,KAAK;GAChB;EACD,UAAU,KAAK,KAAK,SAAS,KAAK,KAAK,SAAS,KAAK,KAAK,QAAQ,KAAK;EACvE,QAAQ,KAAK,UAAU;EACvB,MACE,KAAK,KAAK,SAAS,SAAY,EAAE,WAAW,KAAK,KAAK,MAAM,GAAG;EACjE,QACE,OAAO,KAAK,KAAK,UAAU,WACvB,CAAC;GAAE,OAAO,KAAK,KAAK;GAAO,SAAS;GAAM,CAAC,GAC3C;EACN,cACE,OAAO,KAAK,KAAK,UAAU,WACvB,CAAC;GAAE,OAAO,KAAK,KAAK;GAAO,SAAS;GAAM,CAAC,GAC3C;EACN,aAAa,KAAK,KAAK;EACxB;;;AAIH,SAAgB,mBAAmB,MAMhC;AACD,QAAO;EACL,SAAS,CAAC,qBAAqB;EAC/B,IAAI,KAAK;EACT,YAAY,KAAK;EACjB,MAAM;GACJ,cAAc;GACd,UAAU,KAAK;GAChB;EACD,aAAa,KAAK,MAAM,QAAQ,KAAK;EACrC,SAAS,KAAK,WAAW,EAAE;EAC5B"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"shared.d.ts","names":[],"sources":["../../../src/server/enterprise/shared.ts"],"mappings":";cAkIa,QAAA,GAAY,KAAA,cAAc,MAAA"}
|
|
@@ -1,51 +0,0 @@
|
|
|
1
|
-
//#region src/server/enterprise/shared.ts
|
|
2
|
-
/** @internal */
|
|
3
|
-
const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
|
|
4
|
-
/** @internal */
|
|
5
|
-
const SCIM_GROUP_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:Group";
|
|
6
|
-
/** @internal */
|
|
7
|
-
const ENTERPRISE_OIDC_PROVIDER_PREFIX = "enterprise:oidc:";
|
|
8
|
-
/** @internal */
|
|
9
|
-
const ENTERPRISE_SAML_PROVIDER_PREFIX = "enterprise:saml:";
|
|
10
|
-
/** @internal */
|
|
11
|
-
function normalizeDomain(domain) {
|
|
12
|
-
return domain.trim().toLowerCase().replace(/^@+/, "");
|
|
13
|
-
}
|
|
14
|
-
/** @internal */
|
|
15
|
-
function enterpriseOidcProviderId(enterpriseId) {
|
|
16
|
-
return `${ENTERPRISE_OIDC_PROVIDER_PREFIX}${enterpriseId}`;
|
|
17
|
-
}
|
|
18
|
-
/** @internal */
|
|
19
|
-
function enterpriseSamlProviderId(enterpriseId) {
|
|
20
|
-
return `${ENTERPRISE_SAML_PROVIDER_PREFIX}${enterpriseId}`;
|
|
21
|
-
}
|
|
22
|
-
/** @internal */
|
|
23
|
-
function getEnterpriseSamlUrls(opts) {
|
|
24
|
-
const root = opts.rootUrl.replace(/\/$/, "");
|
|
25
|
-
return {
|
|
26
|
-
metadataUrl: `${root}/api/auth/sso/${opts.source.id}/saml/metadata`,
|
|
27
|
-
acsUrl: `${root}/api/auth/sso/${opts.source.id}/saml/acs`,
|
|
28
|
-
sloUrl: `${root}/api/auth/sso/${opts.source.id}/saml/slo`
|
|
29
|
-
};
|
|
30
|
-
}
|
|
31
|
-
/** @internal */
|
|
32
|
-
function getEnterpriseOidcUrls(opts) {
|
|
33
|
-
const root = opts.rootUrl.replace(/\/$/, "");
|
|
34
|
-
return {
|
|
35
|
-
signInUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/signin`,
|
|
36
|
-
callbackUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/callback`
|
|
37
|
-
};
|
|
38
|
-
}
|
|
39
|
-
/** @internal */
|
|
40
|
-
function isEnterpriseSamlSourceActive(source) {
|
|
41
|
-
return source.status === "active";
|
|
42
|
-
}
|
|
43
|
-
/** @internal */
|
|
44
|
-
function isEnterpriseProviderId(providerId) {
|
|
45
|
-
return providerId.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) || providerId.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX);
|
|
46
|
-
}
|
|
47
|
-
const asRecord = (value) => typeof value === "object" && value !== null ? value : null;
|
|
48
|
-
|
|
49
|
-
//#endregion
|
|
50
|
-
export { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, asRecord, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getEnterpriseSamlUrls, isEnterpriseProviderId, isEnterpriseSamlSourceActive, normalizeDomain };
|
|
51
|
-
//# sourceMappingURL=shared.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"shared.js","names":[],"sources":["../../../src/server/enterprise/shared.ts"],"sourcesContent":["/** @internal */\nexport type ParsedSamlMetadata = {\n issuer: string;\n sso: {\n redirect?: string;\n post?: string;\n };\n slo: {\n redirect?: string;\n post?: string;\n };\n signingCert: string | string[] | null;\n encryptionCert: string | string[] | null;\n nameIdFormats: string[];\n wantsSignedAuthnRequests: boolean;\n};\n\n/** @internal */\nexport type EnterpriseSamlSource = { kind: \"enterprise\"; id: string };\n\n/** @internal */\nexport type EnterpriseSamlRelayState = {\n source: EnterpriseSamlSource;\n signature: string;\n requestId: string;\n state: string;\n redirectTo?: string;\n};\n\n/** @internal */\nexport type EnterpriseSamlUrls = {\n metadataUrl: string;\n acsUrl: string;\n sloUrl?: string;\n};\n\n/** @internal */\nexport type EnterpriseSamlLoadedSource = {\n source: EnterpriseSamlSource;\n config: unknown;\n status?: string;\n};\n\n/** @internal */\nexport type EnterpriseSamlHttpRequest = {\n url: URL;\n body: Record<string, string>;\n query: Record<string, string>;\n binding: \"redirect\" | \"post\";\n relayState?: string;\n hasSamlRequest: boolean;\n hasSamlResponse: boolean;\n};\n\n/** @internal */\nexport type ScimListRequest = {\n startIndex: number;\n count: number;\n filter?: { attribute: string; value: string };\n};\n\n/** @internal */\nexport const SCIM_USER_SCHEMA_ID = \"urn:ietf:params:scim:schemas:core:2.0:User\";\n/** @internal */\nexport const SCIM_GROUP_SCHEMA_ID =\n \"urn:ietf:params:scim:schemas:core:2.0:Group\";\n\n/** @internal */\nexport const ENTERPRISE_OIDC_PROVIDER_PREFIX = \"enterprise:oidc:\";\n/** @internal */\nexport const ENTERPRISE_SAML_PROVIDER_PREFIX = \"enterprise:saml:\";\n\n/** @internal */\nexport function normalizeDomain(domain: string): string {\n return domain.trim().toLowerCase().replace(/^@+/, \"\");\n}\n\n/** @internal */\nexport function enterpriseOidcProviderId(enterpriseId: string): string {\n return `${ENTERPRISE_OIDC_PROVIDER_PREFIX}${enterpriseId}`;\n}\n\n/** @internal */\nexport function enterpriseSamlProviderId(enterpriseId: string): string {\n return `${ENTERPRISE_SAML_PROVIDER_PREFIX}${enterpriseId}`;\n}\n\n/** @internal */\nexport function getEnterpriseSamlUrls(opts: {\n rootUrl: string;\n source: EnterpriseSamlSource;\n}): EnterpriseSamlUrls {\n const root = opts.rootUrl.replace(/\\/$/, \"\");\n const metadataBase = `${root}/api/auth/sso/${opts.source.id}/saml/metadata`;\n const acsBase = `${root}/api/auth/sso/${opts.source.id}/saml/acs`;\n const sloBase = `${root}/api/auth/sso/${opts.source.id}/saml/slo`;\n return {\n metadataUrl: metadataBase,\n acsUrl: acsBase,\n sloUrl: sloBase,\n };\n}\n\n/** @internal */\nexport function getEnterpriseOidcUrls(opts: {\n rootUrl: string;\n enterpriseId: string;\n}) {\n const root = opts.rootUrl.replace(/\\/$/, \"\");\n return {\n signInUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/signin`,\n callbackUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/callback`,\n };\n}\n\n/** @internal */\nexport function isEnterpriseSamlSourceActive(\n source: EnterpriseSamlLoadedSource,\n) {\n return source.status === \"active\";\n}\n\n/** @internal */\nexport function isEnterpriseProviderId(providerId: string): boolean {\n return (\n providerId.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ||\n providerId.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n );\n}\n\nexport const asRecord = (value: unknown) =>\n typeof value === \"object\" && value !== null\n ? (value as Record<string, any>)\n : null;\n"],"mappings":";;AA8DA,MAAa,sBAAsB;;AAEnC,MAAa,uBACX;;AAGF,MAAa,kCAAkC;;AAE/C,MAAa,kCAAkC;;AAG/C,SAAgB,gBAAgB,QAAwB;AACtD,QAAO,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,OAAO,GAAG;;;AAIvD,SAAgB,yBAAyB,cAA8B;AACrE,QAAO,GAAG,kCAAkC;;;AAI9C,SAAgB,yBAAyB,cAA8B;AACrE,QAAO,GAAG,kCAAkC;;;AAI9C,SAAgB,sBAAsB,MAGf;CACrB,MAAM,OAAO,KAAK,QAAQ,QAAQ,OAAO,GAAG;AAI5C,QAAO;EACL,aAJmB,GAAG,KAAK,gBAAgB,KAAK,OAAO,GAAG;EAK1D,QAJc,GAAG,KAAK,gBAAgB,KAAK,OAAO,GAAG;EAKrD,QAJc,GAAG,KAAK,gBAAgB,KAAK,OAAO,GAAG;EAKtD;;;AAIH,SAAgB,sBAAsB,MAGnC;CACD,MAAM,OAAO,KAAK,QAAQ,QAAQ,OAAO,GAAG;AAC5C,QAAO;EACL,WAAW,GAAG,KAAK,gBAAgB,KAAK,aAAa;EACrD,aAAa,GAAG,KAAK,gBAAgB,KAAK,aAAa;EACxD;;;AAIH,SAAgB,6BACd,QACA;AACA,QAAO,OAAO,WAAW;;;AAI3B,SAAgB,uBAAuB,YAA6B;AAClE,QACE,WAAW,WAAW,gCAAgC,IACtD,WAAW,WAAW,gCAAgC;;AAI1D,MAAa,YAAY,UACvB,OAAO,UAAU,YAAY,UAAU,OAClC,QACD"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export { };
|
|
@@ -1,60 +0,0 @@
|
|
|
1
|
-
import { v } from "convex/values";
|
|
2
|
-
|
|
3
|
-
//#region src/server/enterprise/validators.ts
|
|
4
|
-
/** @internal Shared validator for mounted enterprise connection status fields. */
|
|
5
|
-
const enterpriseStatusValidator = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
|
|
6
|
-
/** @internal Structured validator for mounted enterprise policy patch payloads. */
|
|
7
|
-
const enterprisePolicyPatchValidator = v.object({
|
|
8
|
-
identity: v.optional(v.object({ accountLinking: v.optional(v.object({
|
|
9
|
-
oidc: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none"))),
|
|
10
|
-
saml: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none")))
|
|
11
|
-
})) })),
|
|
12
|
-
provisioning: v.optional(v.object({
|
|
13
|
-
scimReuse: v.optional(v.object({ user: v.optional(v.union(v.literal("externalId"), v.literal("none"))) })),
|
|
14
|
-
jit: v.optional(v.object({
|
|
15
|
-
mode: v.optional(v.union(v.literal("off"), v.literal("createUser"), v.literal("createUserAndMembership"))),
|
|
16
|
-
defaultRoleIds: v.optional(v.array(v.string()))
|
|
17
|
-
})),
|
|
18
|
-
deprovision: v.optional(v.object({ mode: v.optional(v.union(v.literal("soft"), v.literal("hard"))) }))
|
|
19
|
-
}))
|
|
20
|
-
});
|
|
21
|
-
/** @internal Filter validator for mounted enterprise connection list queries. */
|
|
22
|
-
const enterpriseConnectionWhereValidator = v.object({
|
|
23
|
-
groupId: v.optional(v.string()),
|
|
24
|
-
slug: v.optional(v.string()),
|
|
25
|
-
status: v.optional(enterpriseStatusValidator)
|
|
26
|
-
});
|
|
27
|
-
/** @internal Domain replacement input validator for mounted enterprise APIs. */
|
|
28
|
-
const enterpriseDomainInputValidator = v.object({
|
|
29
|
-
domain: v.string(),
|
|
30
|
-
isPrimary: v.optional(v.boolean())
|
|
31
|
-
});
|
|
32
|
-
/** @internal Input validator for enterprise domain verification actions. */
|
|
33
|
-
const enterpriseDomainVerificationInputValidator = v.object({
|
|
34
|
-
enterpriseId: v.string(),
|
|
35
|
-
domain: v.string()
|
|
36
|
-
});
|
|
37
|
-
/** @internal SAML attribute mapping validator for mounted SSO admin APIs. */
|
|
38
|
-
const enterpriseSamlAttributeMappingValidator = v.object({
|
|
39
|
-
subject: v.optional(v.string()),
|
|
40
|
-
email: v.optional(v.string()),
|
|
41
|
-
name: v.optional(v.string()),
|
|
42
|
-
firstName: v.optional(v.string()),
|
|
43
|
-
lastName: v.optional(v.string())
|
|
44
|
-
});
|
|
45
|
-
/** @internal SAML service-provider override validator for mounted admin APIs. */
|
|
46
|
-
const enterpriseSamlSpValidator = v.object({
|
|
47
|
-
entityId: v.optional(v.string()),
|
|
48
|
-
acsUrl: v.optional(v.string()),
|
|
49
|
-
sloUrl: v.optional(v.string()),
|
|
50
|
-
signingCert: v.optional(v.union(v.string(), v.array(v.string()))),
|
|
51
|
-
encryptCert: v.optional(v.union(v.string(), v.array(v.string()))),
|
|
52
|
-
privateKey: v.optional(v.string()),
|
|
53
|
-
privateKeyPass: v.optional(v.string()),
|
|
54
|
-
encPrivateKey: v.optional(v.string()),
|
|
55
|
-
encPrivateKeyPass: v.optional(v.string())
|
|
56
|
-
});
|
|
57
|
-
|
|
58
|
-
//#endregion
|
|
59
|
-
export { enterpriseConnectionWhereValidator, enterpriseDomainInputValidator, enterpriseDomainVerificationInputValidator, enterprisePolicyPatchValidator, enterpriseSamlAttributeMappingValidator, enterpriseSamlSpValidator, enterpriseStatusValidator };
|
|
60
|
-
//# sourceMappingURL=validators.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"validators.js","names":[],"sources":["../../../src/server/enterprise/validators.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\n/** @internal Shared validator for mounted enterprise connection status fields. */\nexport const enterpriseStatusValidator = v.union(\n v.literal(\"draft\"),\n v.literal(\"active\"),\n v.literal(\"disabled\"),\n);\n\n/** @internal Structured validator for mounted enterprise policy patch payloads. */\nexport const enterprisePolicyPatchValidator = v.object({\n identity: v.optional(\n v.object({\n accountLinking: v.optional(\n v.object({\n oidc: v.optional(\n v.union(v.literal(\"verifiedEmail\"), v.literal(\"none\")),\n ),\n saml: v.optional(\n v.union(v.literal(\"verifiedEmail\"), v.literal(\"none\")),\n ),\n }),\n ),\n }),\n ),\n provisioning: v.optional(\n v.object({\n scimReuse: v.optional(\n v.object({\n user: v.optional(v.union(v.literal(\"externalId\"), v.literal(\"none\"))),\n }),\n ),\n jit: v.optional(\n v.object({\n mode: v.optional(\n v.union(\n v.literal(\"off\"),\n v.literal(\"createUser\"),\n v.literal(\"createUserAndMembership\"),\n ),\n ),\n defaultRoleIds: v.optional(v.array(v.string())),\n }),\n ),\n deprovision: v.optional(\n v.object({\n mode: v.optional(v.union(v.literal(\"soft\"), v.literal(\"hard\"))),\n }),\n ),\n }),\n ),\n});\n\n/** @internal Filter validator for mounted enterprise connection list queries. */\nexport const enterpriseConnectionWhereValidator = v.object({\n groupId: v.optional(v.string()),\n slug: v.optional(v.string()),\n status: v.optional(enterpriseStatusValidator),\n});\n\n/** @internal Domain replacement input validator for mounted enterprise APIs. */\nexport const enterpriseDomainInputValidator = v.object({\n domain: v.string(),\n isPrimary: v.optional(v.boolean()),\n});\n\n/** @internal Input validator for enterprise domain verification actions. */\nexport const enterpriseDomainVerificationInputValidator = v.object({\n enterpriseId: v.string(),\n domain: v.string(),\n});\n\n/** @internal SAML attribute mapping validator for mounted SSO admin APIs. */\nexport const enterpriseSamlAttributeMappingValidator = v.object({\n subject: v.optional(v.string()),\n email: v.optional(v.string()),\n name: v.optional(v.string()),\n firstName: v.optional(v.string()),\n lastName: v.optional(v.string()),\n});\n\n/** @internal SAML service-provider override validator for mounted admin APIs. */\nexport const enterpriseSamlSpValidator = v.object({\n entityId: v.optional(v.string()),\n acsUrl: v.optional(v.string()),\n sloUrl: v.optional(v.string()),\n signingCert: v.optional(v.union(v.string(), v.array(v.string()))),\n encryptCert: v.optional(v.union(v.string(), v.array(v.string()))),\n privateKey: v.optional(v.string()),\n privateKeyPass: v.optional(v.string()),\n encPrivateKey: v.optional(v.string()),\n encPrivateKeyPass: v.optional(v.string()),\n});\n"],"mappings":";;;;AAGA,MAAa,4BAA4B,EAAE,MACzC,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;;AAGD,MAAa,iCAAiC,EAAE,OAAO;CACrD,UAAU,EAAE,SACV,EAAE,OAAO,EACP,gBAAgB,EAAE,SAChB,EAAE,OAAO;EACP,MAAM,EAAE,SACN,EAAE,MAAM,EAAE,QAAQ,gBAAgB,EAAE,EAAE,QAAQ,OAAO,CAAC,CACvD;EACD,MAAM,EAAE,SACN,EAAE,MAAM,EAAE,QAAQ,gBAAgB,EAAE,EAAE,QAAQ,OAAO,CAAC,CACvD;EACF,CAAC,CACH,EACF,CAAC,CACH;CACD,cAAc,EAAE,SACd,EAAE,OAAO;EACP,WAAW,EAAE,SACX,EAAE,OAAO,EACP,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,aAAa,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC,EACtE,CAAC,CACH;EACD,KAAK,EAAE,SACL,EAAE,OAAO;GACP,MAAM,EAAE,SACN,EAAE,MACA,EAAE,QAAQ,MAAM,EAChB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,0BAA0B,CACrC,CACF;GACD,gBAAgB,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;GAChD,CAAC,CACH;EACD,aAAa,EAAE,SACb,EAAE,OAAO,EACP,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC,EAChE,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;AAGF,MAAa,qCAAqC,EAAE,OAAO;CACzD,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC/B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,QAAQ,EAAE,SAAS,0BAA0B;CAC9C,CAAC;;AAGF,MAAa,iCAAiC,EAAE,OAAO;CACrD,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC;CACnC,CAAC;;AAGF,MAAa,6CAA6C,EAAE,OAAO;CACjE,cAAc,EAAE,QAAQ;CACxB,QAAQ,EAAE,QAAQ;CACnB,CAAC;;AAGF,MAAa,0CAA0C,EAAE,OAAO;CAC9D,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC/B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,CAAC;;AAGF,MAAa,4BAA4B,EAAE,OAAO;CAChD,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;CACjE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;CACjE,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CAClC,gBAAgB,EAAE,SAAS,EAAE,QAAQ,CAAC;CACtC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,mBAAmB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC1C,CAAC"}
|