@rudderjs/passport 1.1.1 → 1.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +96 -15
- package/dist/grants/authorization-code.d.ts.map +1 -1
- package/dist/grants/authorization-code.js +4 -17
- package/dist/grants/authorization-code.js.map +1 -1
- package/dist/grants/client-credentials.d.ts.map +1 -1
- package/dist/grants/client-credentials.js +4 -17
- package/dist/grants/client-credentials.js.map +1 -1
- package/dist/grants/device-code.d.ts.map +1 -1
- package/dist/grants/device-code.js +2 -1
- package/dist/grants/device-code.js.map +1 -1
- package/dist/grants/parse-scopes.d.ts +15 -0
- package/dist/grants/parse-scopes.d.ts.map +1 -0
- package/dist/grants/parse-scopes.js +17 -0
- package/dist/grants/parse-scopes.js.map +1 -0
- package/dist/grants/refresh-token.d.ts.map +1 -1
- package/dist/grants/refresh-token.js +5 -18
- package/dist/grants/refresh-token.js.map +1 -1
- package/dist/grants/verify-client.d.ts +29 -0
- package/dist/grants/verify-client.d.ts.map +1 -0
- package/dist/grants/verify-client.js +43 -0
- package/dist/grants/verify-client.js.map +1 -0
- package/dist/middleware/bearer.d.ts.map +1 -1
- package/dist/middleware/bearer.js +98 -103
- package/dist/middleware/bearer.js.map +1 -1
- package/dist/models/AccessToken.d.ts +3 -3
- package/dist/models/AuthCode.d.ts +3 -3
- package/dist/models/DeviceCode.d.ts +3 -3
- package/dist/models/RefreshToken.d.ts +3 -3
- package/dist/models/helpers.d.ts +27 -9
- package/dist/models/helpers.d.ts.map +1 -1
- package/dist/models/helpers.js +12 -6
- package/dist/models/helpers.js.map +1 -1
- package/dist/personal-access-tokens.d.ts.map +1 -1
- package/dist/personal-access-tokens.js.map +1 -1
- package/dist/routes/authorize.d.ts +17 -0
- package/dist/routes/authorize.d.ts.map +1 -0
- package/dist/routes/authorize.js +107 -0
- package/dist/routes/authorize.js.map +1 -0
- package/dist/routes/device.d.ts +23 -0
- package/dist/routes/device.d.ts.map +1 -0
- package/dist/routes/device.js +69 -0
- package/dist/routes/device.js.map +1 -0
- package/dist/routes/helpers.d.ts +64 -0
- package/dist/routes/helpers.d.ts.map +1 -0
- package/dist/routes/helpers.js +154 -0
- package/dist/routes/helpers.js.map +1 -0
- package/dist/routes/revoke.d.ts +16 -0
- package/dist/routes/revoke.d.ts.map +1 -0
- package/dist/routes/revoke.js +33 -0
- package/dist/routes/revoke.js.map +1 -0
- package/dist/routes/scopes.d.ts +9 -0
- package/dist/routes/scopes.d.ts.map +1 -0
- package/dist/routes/scopes.js +13 -0
- package/dist/routes/scopes.js.map +1 -0
- package/dist/routes/token.d.ts +24 -0
- package/dist/routes/token.d.ts.map +1 -0
- package/dist/routes/token.js +121 -0
- package/dist/routes/token.js.map +1 -0
- package/dist/routes/types.d.ts +132 -0
- package/dist/routes/types.d.ts.map +1 -0
- package/dist/routes/types.js +2 -0
- package/dist/routes/types.js.map +1 -0
- package/dist/routes.d.ts +2 -120
- package/dist/routes.d.ts.map +1 -1
- package/dist/routes.js +16 -411
- package/dist/routes.js.map +1 -1
- package/package.json +8 -5
|
@@ -17,66 +17,99 @@ function extractBearer(authHeader) {
|
|
|
17
17
|
return authHeader.slice(7).trim() || null;
|
|
18
18
|
}
|
|
19
19
|
/**
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
20
|
+
* Verify the JWT, look up the row by `jti`, and — on success — stamp
|
|
21
|
+
* `__passport_token` / `__passport_scopes` / `__passport_user_id` onto
|
|
22
|
+
* `req.raw`. If the JWT also carries a `sub`, resolve the user via the
|
|
23
|
+
* auth manager and copy a plain (function-stripped, password-stripped)
|
|
24
|
+
* snapshot onto `req.raw.__rjs_user` plus best-effort onto `req.user`.
|
|
25
|
+
*
|
|
26
|
+
* Returns the discriminated outcome so the two middleware exports can
|
|
27
|
+
* share the verification path without duplicating it. See `BearerMiddleware`
|
|
28
|
+
* and `RequireBearer` below for the failure-handling branches.
|
|
23
29
|
*/
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
+
async function authenticateBearer(req) {
|
|
31
|
+
const authHeader = req.headers['authorization'];
|
|
32
|
+
const jwt = extractBearer(authHeader);
|
|
33
|
+
if (!jwt)
|
|
34
|
+
return { kind: 'no-bearer' };
|
|
35
|
+
let payload;
|
|
36
|
+
try {
|
|
37
|
+
// Pass expectedIssuer when configured so verifyToken rejects
|
|
38
|
+
// tokens minted by an unrelated issuer sharing the same keypair
|
|
39
|
+
// (multi-tenant / staging+prod). Tokens with no `iss` claim are
|
|
40
|
+
// legacy and exempt — see verifyToken jsdoc.
|
|
41
|
+
const issuer = Passport.issuer();
|
|
42
|
+
payload = await verifyToken(jwt, issuer ? { expectedIssuer: issuer } : undefined);
|
|
43
|
+
}
|
|
44
|
+
catch {
|
|
45
|
+
return { kind: 'invalid' };
|
|
46
|
+
}
|
|
47
|
+
// Revocation lookup — JWT signature is necessary but not sufficient.
|
|
48
|
+
const AccessTokenCls = await Passport.tokenModel();
|
|
49
|
+
const token = await AccessTokenCls.query()
|
|
50
|
+
.where('id', payload.jti)
|
|
51
|
+
.first();
|
|
52
|
+
if (!token || token.revoked)
|
|
53
|
+
return { kind: 'revoked' };
|
|
54
|
+
const raw = req.raw;
|
|
55
|
+
raw.__passport_token = token;
|
|
56
|
+
raw.__passport_scopes = payload.scopes;
|
|
57
|
+
raw.__passport_user_id = payload.sub;
|
|
58
|
+
if (payload.sub) {
|
|
59
|
+
await resolveAndStampUser(req, raw, payload.sub, token);
|
|
60
|
+
}
|
|
61
|
+
return { kind: 'authenticated' };
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Resolve the user via `auth.manager` and stamp `__passport_token` onto
|
|
65
|
+
* the resolved instance + a plain copy onto `raw.__rjs_user` and `req.user`.
|
|
66
|
+
*
|
|
67
|
+
* The plain copy strips functions + the `password` field so consumers reading
|
|
68
|
+
* `req.user` over an API can't accidentally leak the password hash. The
|
|
69
|
+
* `req.user` write is wrapped in try/catch because some adapters expose
|
|
70
|
+
* `req` as a frozen / read-only object (universal-middleware bridge); the
|
|
71
|
+
* raw-bag stamp is always reachable, the `req.user` write is best-effort.
|
|
72
|
+
*
|
|
73
|
+
* Failures inside this helper are swallowed — `@rudderjs/auth` is an
|
|
74
|
+
* optional peer, so a missing `auth.manager` binding is expected in apps
|
|
75
|
+
* that use bearer-only flows. The token bag on `req.raw` is already set
|
|
76
|
+
* by the caller; only the resolved-user convenience is missing.
|
|
77
|
+
*/
|
|
78
|
+
async function resolveAndStampUser(req, raw, userId, token) {
|
|
79
|
+
try {
|
|
80
|
+
const { app } = await import('@rudderjs/core');
|
|
81
|
+
const manager = app().make('auth.manager');
|
|
82
|
+
const user = await manager.guard().provider.retrieveById(userId);
|
|
83
|
+
if (!user)
|
|
30
84
|
return;
|
|
85
|
+
user['__passport_token'] = token;
|
|
86
|
+
const plain = {};
|
|
87
|
+
for (const [k, v] of Object.entries(user)) {
|
|
88
|
+
if (typeof v !== 'function' && k !== 'password')
|
|
89
|
+
plain[k] = v;
|
|
31
90
|
}
|
|
91
|
+
raw.__rjs_user = plain;
|
|
32
92
|
try {
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
// (multi-tenant / staging+prod). Tokens with no `iss` claim are
|
|
36
|
-
// legacy and exempt — see verifyToken jsdoc.
|
|
37
|
-
const issuer = Passport.issuer();
|
|
38
|
-
const payload = await verifyToken(jwt, issuer ? { expectedIssuer: issuer } : undefined);
|
|
39
|
-
// Check revocation in DB
|
|
40
|
-
const AccessTokenCls = await Passport.tokenModel();
|
|
41
|
-
const token = await AccessTokenCls.query()
|
|
42
|
-
.where('id', payload.jti)
|
|
43
|
-
.first();
|
|
44
|
-
if (!token || token.revoked) {
|
|
45
|
-
await next();
|
|
46
|
-
return;
|
|
47
|
-
}
|
|
48
|
-
// Attach token info to the raw request
|
|
49
|
-
const raw = req.raw;
|
|
50
|
-
raw['__passport_token'] = token;
|
|
51
|
-
raw['__passport_scopes'] = payload.scopes;
|
|
52
|
-
raw['__passport_user_id'] = payload.sub;
|
|
53
|
-
// Resolve user if we have a userId
|
|
54
|
-
if (payload.sub) {
|
|
55
|
-
try {
|
|
56
|
-
const { app } = await import('@rudderjs/core');
|
|
57
|
-
const manager = app().make('auth.manager');
|
|
58
|
-
const user = await manager.guard().provider.retrieveById(payload.sub);
|
|
59
|
-
if (user) {
|
|
60
|
-
;
|
|
61
|
-
user['__passport_token'] = token;
|
|
62
|
-
const plain = {};
|
|
63
|
-
for (const [k, v] of Object.entries(user)) {
|
|
64
|
-
if (typeof v !== 'function' && k !== 'password')
|
|
65
|
-
plain[k] = v;
|
|
66
|
-
}
|
|
67
|
-
raw['__rjs_user'] = plain;
|
|
68
|
-
try {
|
|
69
|
-
req['user'] = plain;
|
|
70
|
-
}
|
|
71
|
-
catch { /* read-only */ }
|
|
72
|
-
}
|
|
73
|
-
}
|
|
74
|
-
catch { /* auth not available */ }
|
|
75
|
-
}
|
|
93
|
+
;
|
|
94
|
+
req['user'] = plain;
|
|
76
95
|
}
|
|
77
96
|
catch {
|
|
78
|
-
//
|
|
97
|
+
// Some adapters expose `req` as read-only — the raw-bag stamp above
|
|
98
|
+
// is the authoritative read path; this is the convenience copy.
|
|
79
99
|
}
|
|
100
|
+
}
|
|
101
|
+
catch {
|
|
102
|
+
// auth.manager not bound — bearer-only flows are fine without it.
|
|
103
|
+
}
|
|
104
|
+
}
|
|
105
|
+
/**
|
|
106
|
+
* Middleware that authenticates via Bearer token (JWT).
|
|
107
|
+
* Validates the JWT signature, checks expiration, checks revocation in DB.
|
|
108
|
+
* Attaches user to the request if valid. Does not block unauthenticated requests.
|
|
109
|
+
*/
|
|
110
|
+
export function BearerMiddleware() {
|
|
111
|
+
return async function BearerMiddleware(req, _res, next) {
|
|
112
|
+
await authenticateBearer(req);
|
|
80
113
|
await next();
|
|
81
114
|
};
|
|
82
115
|
}
|
|
@@ -85,58 +118,20 @@ export function BearerMiddleware() {
|
|
|
85
118
|
*/
|
|
86
119
|
export function RequireBearer() {
|
|
87
120
|
return async function RequireBearer(req, res, next) {
|
|
88
|
-
const
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
// (multi-tenant / staging+prod). Tokens with no `iss` claim are
|
|
98
|
-
// legacy and exempt — see verifyToken jsdoc.
|
|
99
|
-
const issuer = Passport.issuer();
|
|
100
|
-
const payload = await verifyToken(jwt, issuer ? { expectedIssuer: issuer } : undefined);
|
|
101
|
-
// Check revocation
|
|
102
|
-
const AccessTokenCls = await Passport.tokenModel();
|
|
103
|
-
const token = await AccessTokenCls.query()
|
|
104
|
-
.where('id', payload.jti)
|
|
105
|
-
.first();
|
|
106
|
-
if (!token || token.revoked) {
|
|
121
|
+
const outcome = await authenticateBearer(req);
|
|
122
|
+
switch (outcome.kind) {
|
|
123
|
+
case 'authenticated':
|
|
124
|
+
await next();
|
|
125
|
+
return;
|
|
126
|
+
case 'no-bearer':
|
|
127
|
+
res.status(401).json({ error: 'unauthenticated', message: 'Bearer token required.' });
|
|
128
|
+
return;
|
|
129
|
+
case 'revoked':
|
|
107
130
|
res.status(401).json({ error: 'unauthenticated', message: 'Token has been revoked.' });
|
|
108
131
|
return;
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
raw['__passport_scopes'] = payload.scopes;
|
|
113
|
-
raw['__passport_user_id'] = payload.sub;
|
|
114
|
-
if (payload.sub) {
|
|
115
|
-
try {
|
|
116
|
-
const { app } = await import('@rudderjs/core');
|
|
117
|
-
const manager = app().make('auth.manager');
|
|
118
|
-
const user = await manager.guard().provider.retrieveById(payload.sub);
|
|
119
|
-
if (user) {
|
|
120
|
-
;
|
|
121
|
-
user['__passport_token'] = token;
|
|
122
|
-
const plain = {};
|
|
123
|
-
for (const [k, v] of Object.entries(user)) {
|
|
124
|
-
if (typeof v !== 'function' && k !== 'password')
|
|
125
|
-
plain[k] = v;
|
|
126
|
-
}
|
|
127
|
-
raw['__rjs_user'] = plain;
|
|
128
|
-
try {
|
|
129
|
-
req['user'] = plain;
|
|
130
|
-
}
|
|
131
|
-
catch { /* read-only */ }
|
|
132
|
-
}
|
|
133
|
-
}
|
|
134
|
-
catch { /* auth not available */ }
|
|
135
|
-
}
|
|
136
|
-
await next();
|
|
137
|
-
}
|
|
138
|
-
catch {
|
|
139
|
-
res.status(401).json({ error: 'unauthenticated', message: 'Invalid or expired token.' });
|
|
132
|
+
case 'invalid':
|
|
133
|
+
res.status(401).json({ error: 'unauthenticated', message: 'Invalid or expired token.' });
|
|
134
|
+
return;
|
|
140
135
|
}
|
|
141
136
|
};
|
|
142
137
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bearer.js","sourceRoot":"","sources":["../../src/middleware/bearer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,UAA8B;IACnD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAC5B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACtC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,IAAI,CAAA;IACnE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;AAC3C,CAAC;
|
|
1
|
+
{"version":3,"file":"bearer.js","sourceRoot":"","sources":["../../src/middleware/bearer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,UAA8B;IACnD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAC5B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACtC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,IAAI,CAAA;IACnE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAA;AAC3C,CAAC;AAaD;;;;;;;;;;GAUG;AACH,KAAK,UAAU,kBAAkB,CAAC,GAAe;IAC/C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAuB,CAAA;IACrE,MAAM,GAAG,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAA;IAEtC,IAAI,OAAgD,CAAA;IACpD,IAAI,CAAC;QACH,6DAA6D;QAC7D,gEAAgE;QAChE,gEAAgE;QAChE,6CAA6C;QAC7C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAA;QAChC,OAAO,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;IAC5B,CAAC;IAED,qEAAqE;IACrE,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;IAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE;SACvC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;SACxB,KAAK,EAAwB,CAAA;IAEhC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;IAEvD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAiB,CAAA;IACjC,GAAG,CAAC,gBAAgB,GAAG,KAAK,CAAA;IAC5B,GAAG,CAAC,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAA;IACtC,GAAG,CAAC,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAA;IAEpC,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACzD,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,CAAA;AAClC,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,KAAK,UAAU,mBAAmB,CAChC,GAAe,EACf,GAAe,EACf,MAAc,EACd,KAAkB;IAElB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAA;QAC9C,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,CAA4E,cAAc,CAAC,CAAA;QACrH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;QAChE,IAAI,CAAC,IAAI;YAAE,OAEV;QAAC,IAAgC,CAAC,kBAAkB,CAAC,GAAG,KAAK,CAAA;QAC9D,MAAM,KAAK,GAA4B,EAAE,CAAA;QACzC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;YACrE,IAAI,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,UAAU;gBAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;QAC/D,CAAC;QACD,GAAG,CAAC,UAAU,GAAG,KAAK,CAAA;QACtB,IAAI,CAAC;YACH,CAAC;YAAC,GAA0C,CAAC,MAAM,CAAC,GAAG,KAAK,CAAA;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;YACpE,gEAAgE;QAClE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kEAAkE;IACpE,CAAC;AACH,CAAC;AAcD;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,KAAK,UAAU,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI;QACpD,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAC7B,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,KAAK,UAAU,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI;QAChD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAC7C,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACrB,KAAK,eAAe;gBAClB,MAAM,IAAI,EAAE,CAAA;gBACZ,OAAM;YACR,KAAK,WAAW;gBACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAA;gBACrF,OAAM;YACR,KAAK,SAAS;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAA;gBACtF,OAAM;YACR,KAAK,SAAS;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAA;gBACxF,OAAM;QACV,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}
|
|
@@ -29,9 +29,9 @@ export declare class AccessToken extends Model {
|
|
|
29
29
|
/** `MassPrunable` — bulk `deleteAll()` per chunk; mirrors `passport:purge`. */
|
|
30
30
|
static pruneMode: "mass";
|
|
31
31
|
/** Rows safe to remove: expired OR revoked. Same predicate as `passport:purge`. */
|
|
32
|
-
static prunable(): import("@rudderjs/
|
|
33
|
-
scope(name: string, ...args: unknown[]): import("@rudderjs/
|
|
34
|
-
withoutGlobalScope(name: string): import("@rudderjs/
|
|
32
|
+
static prunable(): import("@rudderjs/orm").HydratingQueryBuilder<AccessToken> & {
|
|
33
|
+
scope(name: string, ...args: unknown[]): import("@rudderjs/orm").HydratingQueryBuilder<AccessToken>;
|
|
34
|
+
withoutGlobalScope(name: string): import("@rudderjs/orm").HydratingQueryBuilder<AccessToken>;
|
|
35
35
|
};
|
|
36
36
|
id: string;
|
|
37
37
|
userId: string | null;
|
|
@@ -10,9 +10,9 @@ export declare class AuthCode extends Model {
|
|
|
10
10
|
* replay-detection diagnostics; we wait for the natural 10-minute TTL
|
|
11
11
|
* before reaping. Mirrors the `passport:purge` predicate.
|
|
12
12
|
*/
|
|
13
|
-
static prunable(): import("@rudderjs/
|
|
14
|
-
scope(name: string, ...args: unknown[]): import("@rudderjs/
|
|
15
|
-
withoutGlobalScope(name: string): import("@rudderjs/
|
|
13
|
+
static prunable(): import("@rudderjs/orm").HydratingQueryBuilder<AuthCode> & {
|
|
14
|
+
scope(name: string, ...args: unknown[]): import("@rudderjs/orm").HydratingQueryBuilder<AuthCode>;
|
|
15
|
+
withoutGlobalScope(name: string): import("@rudderjs/orm").HydratingQueryBuilder<AuthCode>;
|
|
16
16
|
};
|
|
17
17
|
id: string;
|
|
18
18
|
/** SHA-256 hex of the plaintext authorization code. See `opaque-token.ts`. */
|
|
@@ -5,9 +5,9 @@ export declare class DeviceCode extends Model {
|
|
|
5
5
|
/** `MassPrunable` — bulk `deleteAll()` per chunk; mirrors `passport:purge`. */
|
|
6
6
|
static pruneMode: "mass";
|
|
7
7
|
/** Rows safe to remove: expired only. Mirrors the `passport:purge` predicate. */
|
|
8
|
-
static prunable(): import("@rudderjs/
|
|
9
|
-
scope(name: string, ...args: unknown[]): import("@rudderjs/
|
|
10
|
-
withoutGlobalScope(name: string): import("@rudderjs/
|
|
8
|
+
static prunable(): import("@rudderjs/orm").HydratingQueryBuilder<DeviceCode> & {
|
|
9
|
+
scope(name: string, ...args: unknown[]): import("@rudderjs/orm").HydratingQueryBuilder<DeviceCode>;
|
|
10
|
+
withoutGlobalScope(name: string): import("@rudderjs/orm").HydratingQueryBuilder<DeviceCode>;
|
|
11
11
|
};
|
|
12
12
|
id: string;
|
|
13
13
|
clientId: string;
|
|
@@ -5,9 +5,9 @@ export declare class RefreshToken extends Model {
|
|
|
5
5
|
/** `MassPrunable` — bulk `deleteAll()` per chunk; mirrors `passport:purge`. */
|
|
6
6
|
static pruneMode: "mass";
|
|
7
7
|
/** Rows safe to remove: expired OR revoked. Same predicate as `passport:purge`. */
|
|
8
|
-
static prunable(): import("@rudderjs/
|
|
9
|
-
scope(name: string, ...args: unknown[]): import("@rudderjs/
|
|
10
|
-
withoutGlobalScope(name: string): import("@rudderjs/
|
|
8
|
+
static prunable(): import("@rudderjs/orm").HydratingQueryBuilder<RefreshToken> & {
|
|
9
|
+
scope(name: string, ...args: unknown[]): import("@rudderjs/orm").HydratingQueryBuilder<RefreshToken>;
|
|
10
|
+
withoutGlobalScope(name: string): import("@rudderjs/orm").HydratingQueryBuilder<RefreshToken>;
|
|
11
11
|
};
|
|
12
12
|
id: string;
|
|
13
13
|
accessTokenId: string;
|
package/dist/models/helpers.d.ts
CHANGED
|
@@ -2,9 +2,12 @@ export interface OAuthClientRecord {
|
|
|
2
2
|
id: string;
|
|
3
3
|
name: string;
|
|
4
4
|
secret: string | null;
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
5
|
+
/** JSON-encoded array on the wire; `string[]` after `@Cast('json')` hydration. */
|
|
6
|
+
redirectUris: unknown;
|
|
7
|
+
/** JSON-encoded array on the wire; `string[]` after `@Cast('json')` hydration. */
|
|
8
|
+
grantTypes: unknown;
|
|
9
|
+
/** JSON-encoded array on the wire; `string[]` after `@Cast('json')` hydration. */
|
|
10
|
+
scopes: unknown;
|
|
8
11
|
confidential: boolean;
|
|
9
12
|
revoked: boolean;
|
|
10
13
|
}
|
|
@@ -13,10 +16,17 @@ export interface AccessTokenRecord {
|
|
|
13
16
|
userId: string | null;
|
|
14
17
|
clientId: string;
|
|
15
18
|
name: string | null;
|
|
16
|
-
|
|
19
|
+
/**
|
|
20
|
+
* JSON-encoded array on the wire; `string[]` if a future `@Cast('json')`
|
|
21
|
+
* hydrates it. Optional in the type because `AccessToken` doesn't `declare`
|
|
22
|
+
* it (the Model carries it as an untyped DB-only column today); the runtime
|
|
23
|
+
* parser fail-closes to `[]` if missing.
|
|
24
|
+
*/
|
|
25
|
+
scopes?: unknown;
|
|
17
26
|
revoked: boolean;
|
|
18
27
|
expiresAt: Date;
|
|
19
|
-
|
|
28
|
+
/** Populated by the ORM; not declared on the Model. */
|
|
29
|
+
createdAt?: Date;
|
|
20
30
|
}
|
|
21
31
|
export interface RefreshTokenRecord {
|
|
22
32
|
id: string;
|
|
@@ -33,7 +43,12 @@ export interface AuthCodeRecord {
|
|
|
33
43
|
tokenHash: string;
|
|
34
44
|
userId: string;
|
|
35
45
|
clientId: string;
|
|
36
|
-
|
|
46
|
+
/**
|
|
47
|
+
* JSON-encoded array on the wire; `string[]` if a future `@Cast('json')`
|
|
48
|
+
* hydrates it. Optional because `AuthCode` doesn't `declare` it; the
|
|
49
|
+
* runtime parser fail-closes to `[]` if missing.
|
|
50
|
+
*/
|
|
51
|
+
scopes?: unknown;
|
|
37
52
|
revoked: boolean;
|
|
38
53
|
expiresAt: Date;
|
|
39
54
|
redirectUri: string | null;
|
|
@@ -43,9 +58,12 @@ export interface AuthCodeRecord {
|
|
|
43
58
|
export interface DeviceCodeRecord {
|
|
44
59
|
id: string;
|
|
45
60
|
clientId: string;
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
61
|
+
/**
|
|
62
|
+
* JSON-encoded array on the wire; `string[]` if a future `@Cast('json')`
|
|
63
|
+
* hydrates it. Optional because `DeviceCode` doesn't `declare` it; the
|
|
64
|
+
* runtime parser fail-closes to `[]` if missing.
|
|
65
|
+
*/
|
|
66
|
+
scopes?: unknown;
|
|
49
67
|
userId: string | null;
|
|
50
68
|
approved: boolean | null;
|
|
51
69
|
expiresAt: Date;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/models/helpers.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/models/helpers.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAY,MAAM,CAAA;IACpB,IAAI,EAAU,MAAM,CAAA;IACpB,MAAM,EAAQ,MAAM,GAAG,IAAI,CAAA;IAC3B,kFAAkF;IAClF,YAAY,EAAE,OAAO,CAAA;IACrB,kFAAkF;IAClF,UAAU,EAAI,OAAO,CAAA;IACrB,kFAAkF;IAClF,MAAM,EAAQ,OAAO,CAAA;IACrB,YAAY,EAAE,OAAO,CAAA;IACrB,OAAO,EAAO,OAAO,CAAA;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAS,MAAM,CAAA;IACjB,MAAM,EAAK,MAAM,GAAG,IAAI,CAAA;IACxB,QAAQ,EAAG,MAAM,CAAA;IACjB,IAAI,EAAO,MAAM,GAAG,IAAI,CAAA;IACxB;;;;;OAKG;IACH,MAAM,CAAC,EAAI,OAAO,CAAA;IAClB,OAAO,EAAI,OAAO,CAAA;IAClB,SAAS,EAAE,IAAI,CAAA;IACf,uDAAuD;IACvD,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAa,MAAM,CAAA;IACrB,kDAAkD;IAClD,SAAS,EAAM,MAAM,CAAA;IACrB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAO,MAAM,GAAG,IAAI,CAAA;IAC5B,OAAO,EAAQ,OAAO,CAAA;IACtB,SAAS,EAAM,IAAI,CAAA;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAmB,MAAM,CAAA;IAC3B,uDAAuD;IACvD,SAAS,EAAY,MAAM,CAAA;IAC3B,MAAM,EAAe,MAAM,CAAA;IAC3B,QAAQ,EAAa,MAAM,CAAA;IAC3B;;;;OAIG;IACH,MAAM,CAAC,EAAc,OAAO,CAAA;IAC5B,OAAO,EAAc,OAAO,CAAA;IAC5B,SAAS,EAAY,IAAI,CAAA;IACzB,WAAW,EAAU,MAAM,GAAG,IAAI,CAAA;IAClC,aAAa,EAAQ,MAAM,GAAG,IAAI,CAAA;IAClC,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAA;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAY,MAAM,CAAA;IACpB,QAAQ,EAAM,MAAM,CAAA;IACpB;;;;OAIG;IACH,MAAM,CAAC,EAAO,OAAO,CAAA;IACrB,MAAM,EAAQ,MAAM,GAAG,IAAI,CAAA;IAC3B,QAAQ,EAAM,OAAO,GAAG,IAAI,CAAA;IAC5B,SAAS,EAAK,IAAI,CAAA;IAClB,YAAY,EAAE,IAAI,GAAG,IAAI,CAAA;CAC1B;AA0BD,eAAO,MAAM,aAAa;yBACH,iBAAiB,KAAG,MAAM,EAAE;uBAC5B,iBAAiB,KAAG,MAAM,EAAE;mBAC5B,iBAAiB,KAAG,MAAM,EAAE;sBAE9B,iBAAiB,QAAQ,MAAM,KAAG,OAAO;wBACxC,iBAAiB,OAAO,MAAM,KAAG,OAAO;kBAE9C,iBAAiB,KAAG,OAAO;CAC1C,CAAA;AAID,eAAO,MAAM,kBAAkB;mBACd,iBAAiB,KAAG,MAAM,EAAE;aAElC,iBAAiB,SAAS,MAAM,KAAG,OAAO;mBAKpC,iBAAiB,KAAG,OAAO;iBAC3B,iBAAiB,KAAG,OAAO;CAC3C,CAAA;AAID,eAAO,MAAM,mBAAmB;mBACf,kBAAkB,KAAG,OAAO;CAC5C,CAAA;AAID,eAAO,MAAM,eAAe;mBACX,cAAc,KAAG,MAAM,EAAE;mBACzB,cAAc,KAAG,OAAO;gBACxB,cAAc,KAAG,OAAO;CACxC,CAAA;AAID,eAAO,MAAM,iBAAiB;mBACZ,gBAAgB,KAAG,MAAM,EAAE;mBAC3B,gBAAgB,KAAG,OAAO;oBAC1B,gBAAgB,KAAG,OAAO;kBAC1B,gBAAgB,KAAG,OAAO;mBAC1B,gBAAgB,KAAG,OAAO;CAC3C,CAAA"}
|
package/dist/models/helpers.js
CHANGED
|
@@ -1,10 +1,16 @@
|
|
|
1
|
-
// Helper functions that operate on
|
|
1
|
+
// Helper functions that operate on OAuth records — both Model instances
|
|
2
2
|
// (returned from the ORM read paths since PR #111 on 2026-04-30) and raw rows
|
|
3
|
-
// (cached JSON, fixtures, adapter-level snapshots).
|
|
4
|
-
//
|
|
5
|
-
//
|
|
6
|
-
//
|
|
7
|
-
// the
|
|
3
|
+
// (cached JSON, fixtures, adapter-level snapshots). JSON-encoded columns are
|
|
4
|
+
// typed as `unknown` here because the runtime parser (`parseJsonArray`)
|
|
5
|
+
// already accepts both the wire shape (`string` JSON) and the hydrated shape
|
|
6
|
+
// (`string[]` from `@Cast('json')` on the Models). Same helper, same return
|
|
7
|
+
// type, no `as any` at the call site needed to bridge between the two.
|
|
8
|
+
//
|
|
9
|
+
// The Model classes also expose equivalent instance methods
|
|
10
|
+
// (`OAuthClient.hasGrantType()`, `AccessToken.can()`, `DeviceCode.isExpired()`)
|
|
11
|
+
// — those are the more direct API once you already hold a Model instance.
|
|
12
|
+
// These helpers stay for callers that genuinely have raw records (cached
|
|
13
|
+
// JSON, fixtures, the corrupt-JSON fail-closed test path).
|
|
8
14
|
// ─── Parsing helpers ──────────────────────────────────────
|
|
9
15
|
function parseJsonArray(raw) {
|
|
10
16
|
if (Array.isArray(raw))
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/models/helpers.ts"],"names":[],"mappings":"AAAA,
|
|
1
|
+
{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/models/helpers.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,8EAA8E;AAC9E,6EAA6E;AAC7E,wEAAwE;AACxE,6EAA6E;AAC7E,4EAA4E;AAC5E,uEAAuE;AACvE,EAAE;AACF,4DAA4D;AAC5D,gFAAgF;AAChF,0EAA0E;AAC1E,yEAAyE;AACzE,2DAA2D;AA8E3D,6DAA6D;AAE7D,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAe,CAAA;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;QAAC,CAAC;QAC1C,OAAO,GAAG,EAAE,CAAC;YACX,uEAAuE;YACvE,wEAAwE;YACxE,wEAAwE;YACxE,uEAAuE;YACvE,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAA;YAC9D,OAAO,CAAC,IAAI,CACV,4EAA4E;gBAC5E,0CAA0C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,YAAa,GAAa,CAAC,OAAO,EAAE,CACtG,CAAA;YACD,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAA;AACX,CAAC;AAED,6DAA6D;AAE7D,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,eAAe,EAAE,CAAC,CAAoB,EAAY,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC;IACnF,aAAa,EAAI,CAAC,CAAoB,EAAY,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAAC;IACjF,SAAS,EAAQ,CAAC,CAAoB,EAAY,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;IAE7E,YAAY,EAAG,CAAC,CAAoB,EAAE,IAAY,EAAW,EAAE,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC7G,cAAc,EAAE,CAAC,CAAoB,EAAE,GAAW,EAAW,EAAE,CAAC,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;IAE9G,QAAQ,EAAE,CAAC,CAAoB,EAAW,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY;CAC7D,CAAA;AAED,6DAA6D;AAE7D,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,SAAS,EAAE,CAAC,CAAoB,EAAY,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;IAEvE,GAAG,EAAE,CAAC,CAAoB,EAAE,KAAa,EAAW,EAAE;QACpD,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA;QAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACvD,CAAC;IAED,SAAS,EAAE,CAAC,CAAoB,EAAW,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE;IAC3F,OAAO,EAAI,CAAC,CAAoB,EAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC;CAC7F,CAAA;AAED,6DAA6D;AAE7D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,SAAS,EAAE,CAAC,CAAqB,EAAW,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE;CAC7F,CAAA;AAED,6DAA6D;AAE7D,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,SAAS,EAAE,CAAC,CAAiB,EAAY,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;IACpE,SAAS,EAAE,CAAC,CAAiB,EAAW,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE;IACxF,MAAM,EAAK,CAAC,CAAiB,EAAW,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,IAAI;CACpE,CAAA;AAED,6DAA6D;AAE7D,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,SAAS,EAAG,CAAC,CAAmB,EAAY,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;IACvE,SAAS,EAAG,CAAC,CAAmB,EAAW,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE;IAC3F,UAAU,EAAE,CAAC,CAAmB,EAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI;IACjE,QAAQ,EAAI,CAAC,CAAmB,EAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK;IAClE,SAAS,EAAG,CAAC,CAAmB,EAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI;CAClE,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"personal-access-tokens.d.ts","sourceRoot":"","sources":["../src/personal-access-tokens.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAO1D,MAAM,WAAW,sBAAsB;IACrC,kCAAkC;IAClC,KAAK,EAAE,WAAW,CAAA;IAClB,qDAAqD;IACrD,cAAc,EAAE,MAAM,CAAA;CACvB;AAID;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,oBAAoB;IACnC,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAA;IACnG,MAAM,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,CAAA;IAChC,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IAClC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAA;CACjC;
|
|
1
|
+
{"version":3,"file":"personal-access-tokens.d.ts","sourceRoot":"","sources":["../src/personal-access-tokens.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAO1D,MAAM,WAAW,sBAAsB;IACrC,kCAAkC;IAClC,KAAK,EAAE,WAAW,CAAA;IAClB,qDAAqD;IACrD,cAAc,EAAE,MAAM,CAAA;CACvB;AAID;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,oBAAoB;IACnC,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAA;IACnG,MAAM,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,CAAA;IAChC,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAAA;IAClC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAA;CACjC;AAiBD,wBAAgB,YAAY,CAAC,CAAC,SAAS,QAAQ,MAAM,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,EACzE,IAAI,EAAE,CAAC,GACN,CAAC,GAAG,CAAC,KAAK,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,oBAAoB,CAAC,CAwGpD;AAoCD,wDAAwD;AACxD,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"personal-access-tokens.js","sourceRoot":"","sources":["../src/personal-access-tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAGxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;
|
|
1
|
+
{"version":3,"file":"personal-access-tokens.js","sourceRoot":"","sources":["../src/personal-access-tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAGxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAgDxC,MAAM,UAAU,YAAY,CAC1B,IAAO;IAEP,MAAe,aAAc,SAAQ,IAAI;QACvC;;;WAGG;QACH,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,SAAmB,CAAC,GAAG,CAAC,EAAE,WAAoB;YAC5E,MAAM,MAAM,GAAI,IAAoC,CAAC,EAAE,CAAA;YACvD,MAAM,QAAQ,GAAG,WAAW,IAAI,QAAQ,CAAC,qBAAqB,EAAE,CAAA;YAChE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,CAAA;YAEjD,mDAAmD;YACnD,MAAM,QAAQ,GAAG,MAAM,yBAAyB,EAAE,CAAA;YAElD,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC;gBAC9C,MAAM;gBACN,QAAQ;gBACR,IAAI;gBACJ,MAAM,EAAK,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;gBACjC,OAAO,EAAI,KAAK;gBAChB,SAAS;aACiB,CAAgB,CAAA;YAE5C,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAA;YAE9B,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC;gBAC5B,OAAO;gBACP,MAAM;gBACN,QAAQ;gBACR,MAAM;gBACN,SAAS;aACV,CAAC,CAAA;YAEF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,GAAG,EAAE,CAAA;QACpD,CAAC;QAED;;;;;;;;;;;;;;;;;;;;WAoBG;QACH,KAAK,CAAC,MAAM;YACV,MAAM,MAAM,GAAI,IAAoC,CAAC,EAAE,CAAA;YACvD,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,gBAAgB,GAAG,MAAM,yBAAyB,EAAE,CAAA;YAC1D,OAAO,cAAc;iBAClB,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC;iBACvB,KAAK,CAAC,UAAU,EAAE,gBAAgB,CAAC;iBACnC,GAAG,EAA4B,CAAA;QACpC,CAAC;QAED;;;;;;;WAOG;QACH,KAAK,CAAC,eAAe;YACnB,kEAAkE;YAClE,gEAAgE;YAChE,iDAAiD;YACjD,MAAM,MAAM,GAAI,IAAoC,CAAC,EAAE,CAAA;YACvD,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;YAClD,MAAM,gBAAgB,GAAG,MAAM,yBAAyB,EAAE,CAAA;YAC1D,OAAO,cAAc;iBAClB,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC;iBACvB,KAAK,CAAC,UAAU,EAAE,gBAAgB,CAAC;iBACnC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC;iBACvB,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;QAC5D,CAAC;QAED;;;;;WAKG;QACH,QAAQ,CAAC,KAAa;YACpB,MAAM,KAAK,GAAI,IAAoC,CAAC,gBAAgB,CAAA;YACpE,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAA;YACxB,OAAO,kBAAkB,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;QAC7C,CAAC;KACF;IAED,OAAO,aAA8E,CAAA;AACvF,CAAC;AAED,6DAA6D;AAE7D,IAAI,iBAAiB,GAAkB,IAAI,CAAA;AAE3C;;;GAGG;AACH,KAAK,UAAU,yBAAyB;IACtC,IAAI,iBAAiB;QAAE,OAAO,iBAAiB,CAAA;IAE/C,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAE9C,2CAA2C;IAC3C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,KAAK,EAAwB,CAAA;IACnG,IAAI,QAAQ,EAAE,CAAC;QACb,iBAAiB,GAAG,QAAQ,CAAC,EAAE,CAAA;QAC/B,OAAO,iBAAiB,CAAA;IAC1B,CAAC;IAED,aAAa;IACb,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC;QACpC,IAAI,EAAU,qBAAqB;QACnC,MAAM,EAAQ,IAAI;QAClB,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,UAAU,EAAI,IAAI,CAAC,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACjD,MAAM,EAAQ,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,YAAY,EAAE,KAAK;KACO,CAAgB,CAAA;IAE5C,iBAAiB,GAAG,MAAM,CAAC,EAAE,CAAA;IAC7B,OAAO,iBAAiB,CAAA;AAC1B,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,yBAAyB;IACvC,iBAAiB,GAAG,IAAI,CAAA;AAC1B,CAAC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import type { MiddlewareHandler } from '@rudderjs/contracts';
|
|
2
|
+
import type { Router } from './types.js';
|
|
3
|
+
/**
|
|
4
|
+
* Register `GET/POST/DELETE /oauth/authorize` — the consent flow.
|
|
5
|
+
*
|
|
6
|
+
* - `GET` validates the authorization request and renders the consent screen
|
|
7
|
+
* (custom via `Passport.authorizationView()` or JSON by default).
|
|
8
|
+
* - `POST` requires a signed-in user and issues an authorization code on
|
|
9
|
+
* approval, redirecting back to `redirect_uri` with `code` + `state`.
|
|
10
|
+
* - `DELETE` issues an `access_denied` redirect on rejection.
|
|
11
|
+
*
|
|
12
|
+
* The redirect_uri on POST/DELETE bodies is attacker-controlled and is
|
|
13
|
+
* re-validated against the client's registered list (see
|
|
14
|
+
* `validateClientRedirect` in `helpers.ts`).
|
|
15
|
+
*/
|
|
16
|
+
export declare function registerAuthorizeRoutes(router: Router, prefix: string, mw: MiddlewareHandler[]): void;
|
|
17
|
+
//# sourceMappingURL=authorize.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CA+FrG"}
|
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
import { Passport } from '../Passport.js';
|
|
2
|
+
import { validateAuthorizationRequest, issueAuthCode } from '../grants/index.js';
|
|
3
|
+
import { authErrorResponse, requesterIdFrom, validateClientRedirect } from './helpers.js';
|
|
4
|
+
/**
|
|
5
|
+
* Register `GET/POST/DELETE /oauth/authorize` — the consent flow.
|
|
6
|
+
*
|
|
7
|
+
* - `GET` validates the authorization request and renders the consent screen
|
|
8
|
+
* (custom via `Passport.authorizationView()` or JSON by default).
|
|
9
|
+
* - `POST` requires a signed-in user and issues an authorization code on
|
|
10
|
+
* approval, redirecting back to `redirect_uri` with `code` + `state`.
|
|
11
|
+
* - `DELETE` issues an `access_denied` redirect on rejection.
|
|
12
|
+
*
|
|
13
|
+
* The redirect_uri on POST/DELETE bodies is attacker-controlled and is
|
|
14
|
+
* re-validated against the client's registered list (see
|
|
15
|
+
* `validateClientRedirect` in `helpers.ts`).
|
|
16
|
+
*/
|
|
17
|
+
export function registerAuthorizeRoutes(router, prefix, mw) {
|
|
18
|
+
// GET /oauth/authorize — show consent (returns JSON or renders custom view)
|
|
19
|
+
router.get(`${prefix}/authorize`, async (req, res) => {
|
|
20
|
+
const query = req.query ?? {};
|
|
21
|
+
try {
|
|
22
|
+
const validated = await validateAuthorizationRequest({
|
|
23
|
+
clientId: query['client_id'] ?? '',
|
|
24
|
+
redirectUri: query['redirect_uri'] ?? '',
|
|
25
|
+
responseType: query['response_type'] ?? '',
|
|
26
|
+
scope: query['scope'] ?? '',
|
|
27
|
+
state: query['state'],
|
|
28
|
+
codeChallenge: query['code_challenge'],
|
|
29
|
+
codeChallengeMethod: query['code_challenge_method'],
|
|
30
|
+
});
|
|
31
|
+
const ctx = {
|
|
32
|
+
client: {
|
|
33
|
+
id: validated.client.id,
|
|
34
|
+
name: validated.client.name,
|
|
35
|
+
},
|
|
36
|
+
scopes: validated.scopes,
|
|
37
|
+
redirectUri: validated.redirectUri,
|
|
38
|
+
...(validated.state !== undefined ? { state: validated.state } : {}),
|
|
39
|
+
...(validated.codeChallenge !== undefined ? { codeChallenge: validated.codeChallenge } : {}),
|
|
40
|
+
...(validated.codeChallengeMethod !== undefined ? { codeChallengeMethod: validated.codeChallengeMethod } : {}),
|
|
41
|
+
request: req,
|
|
42
|
+
};
|
|
43
|
+
const viewFn = Passport.authorizationViewFn();
|
|
44
|
+
if (viewFn) {
|
|
45
|
+
return await viewFn(ctx);
|
|
46
|
+
}
|
|
47
|
+
// Default: JSON response — the app's consent screen reads this
|
|
48
|
+
res.json({
|
|
49
|
+
client: ctx.client,
|
|
50
|
+
scopes: ctx.scopes,
|
|
51
|
+
state: ctx.state,
|
|
52
|
+
redirectUri: ctx.redirectUri,
|
|
53
|
+
});
|
|
54
|
+
}
|
|
55
|
+
catch (e) {
|
|
56
|
+
authErrorResponse(res, e, query['state']);
|
|
57
|
+
}
|
|
58
|
+
}, mw);
|
|
59
|
+
// POST /oauth/authorize — user approves
|
|
60
|
+
router.post(`${prefix}/authorize`, async (req, res) => {
|
|
61
|
+
const body = req.body ?? {};
|
|
62
|
+
try {
|
|
63
|
+
const userId = requesterIdFrom(req);
|
|
64
|
+
if (!userId) {
|
|
65
|
+
// Echo state on the unauthenticated branch too — the consent UI
|
|
66
|
+
// round-trips the same payload regardless of the auth gate result.
|
|
67
|
+
const stateEcho = typeof body['state'] === 'string' && body['state'] ? { state: body['state'] } : {};
|
|
68
|
+
res.status(401).json({ error: 'unauthenticated', error_description: 'User must be signed in.', ...stateEcho });
|
|
69
|
+
return;
|
|
70
|
+
}
|
|
71
|
+
await validateClientRedirect(body['client_id'], body['redirect_uri']);
|
|
72
|
+
const code = await issueAuthCode({
|
|
73
|
+
userId,
|
|
74
|
+
clientId: body['client_id'],
|
|
75
|
+
scopes: body['scopes'] ?? [],
|
|
76
|
+
redirectUri: body['redirect_uri'],
|
|
77
|
+
codeChallenge: body['code_challenge'],
|
|
78
|
+
codeChallengeMethod: body['code_challenge_method'],
|
|
79
|
+
});
|
|
80
|
+
const redirectUri = new URL(body['redirect_uri']);
|
|
81
|
+
redirectUri.searchParams.set('code', code);
|
|
82
|
+
if (body['state'])
|
|
83
|
+
redirectUri.searchParams.set('state', body['state']);
|
|
84
|
+
res.json({ redirect_uri: redirectUri.toString() });
|
|
85
|
+
}
|
|
86
|
+
catch (e) {
|
|
87
|
+
authErrorResponse(res, e, body['state']);
|
|
88
|
+
}
|
|
89
|
+
}, mw);
|
|
90
|
+
// DELETE /oauth/authorize — user denies
|
|
91
|
+
router.delete(`${prefix}/authorize`, async (req, res) => {
|
|
92
|
+
const body = req.body ?? {};
|
|
93
|
+
try {
|
|
94
|
+
await validateClientRedirect(body['client_id'], body['redirect_uri']);
|
|
95
|
+
const redirectUri = new URL(body['redirect_uri']);
|
|
96
|
+
redirectUri.searchParams.set('error', 'access_denied');
|
|
97
|
+
redirectUri.searchParams.set('error_description', 'The user denied the request.');
|
|
98
|
+
if (body['state'])
|
|
99
|
+
redirectUri.searchParams.set('state', body['state']);
|
|
100
|
+
res.json({ redirect_uri: redirectUri.toString() });
|
|
101
|
+
}
|
|
102
|
+
catch (e) {
|
|
103
|
+
authErrorResponse(res, e, body['state']);
|
|
104
|
+
}
|
|
105
|
+
}, mw);
|
|
106
|
+
}
|
|
107
|
+
//# sourceMappingURL=authorize.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAEhF,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEzF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IAC7F,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,EAAE,CAAA;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC;gBACnD,QAAQ,EAAa,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;gBAC7C,WAAW,EAAU,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE;gBAChD,YAAY,EAAS,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE;gBACjD,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;gBACzC,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC;gBACnC,aAAa,EAAQ,KAAK,CAAC,gBAAgB,CAAC;gBAC5C,mBAAmB,EAAE,KAAK,CAAC,uBAAuB,CAAC;aACpD,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG;gBACV,MAAM,EAAE;oBACN,EAAE,EAAI,SAAS,CAAC,MAAM,CAAC,EAAE;oBACzB,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI;iBAC5B;gBACD,MAAM,EAAO,SAAS,CAAC,MAAM;gBAC7B,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,GAAG,CAAC,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5F,GAAG,CAAC,SAAS,CAAC,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9G,OAAO,EAAE,GAAG;aACb,CAAA;YAED,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,EAAE,CAAA;YAC7C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;YAC1B,CAAC;YAED,+DAA+D;YAC/D,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,KAAK,EAAQ,GAAG,CAAC,KAAK;gBACtB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,gEAAgE;gBAChE,mEAAmE;gBACnE,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;gBACpG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;gBAC9G,OAAM;YACR,CAAC;YAED,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;gBAC/B,MAAM;gBACN,QAAQ,EAAa,IAAI,CAAC,WAAW,CAAC;gBACtC,MAAM,EAAe,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE;gBACzC,WAAW,EAAU,IAAI,CAAC,cAAc,CAAC;gBACzC,aAAa,EAAQ,IAAI,CAAC,gBAAgB,CAAC;gBAC3C,mBAAmB,EAAE,IAAI,CAAC,uBAAuB,CAAC;aACnD,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;YACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,8BAA8B,CAAC,CAAA;YACjF,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import type { MiddlewareHandler } from '@rudderjs/contracts';
|
|
2
|
+
import type { PassportRouteOptions, Router } from './types.js';
|
|
3
|
+
/**
|
|
4
|
+
* Register `POST /oauth/device/code` + `POST /oauth/device/approve` — the
|
|
5
|
+
* RFC 8628 device authorization flow.
|
|
6
|
+
*
|
|
7
|
+
* - `POST /oauth/device/code` is stateless: a device requests a `device_code`
|
|
8
|
+
* + `user_code` pair, plus the `verification_uri` for the user to visit.
|
|
9
|
+
* - `POST /oauth/device/approve` is session-backed: the signed-in user
|
|
10
|
+
* approves or denies the device after typing the user_code.
|
|
11
|
+
*
|
|
12
|
+
* `mw` runs ahead of both handlers. The RFC 8628 §5.2 brute-force concern
|
|
13
|
+
* on user_code is already covered by a typical 60/min api-group rate
|
|
14
|
+
* limiter; pass a tighter per-route limiter via `deviceMiddleware` if your
|
|
15
|
+
* threat model warrants it.
|
|
16
|
+
*
|
|
17
|
+
* `verification_uri` resolution priority: explicit `opts.verificationUri`
|
|
18
|
+
* > `config('app.url')` > `req.protocol + req.hostname` (last resort with
|
|
19
|
+
* a one-shot warning, since `Host` is attacker-controlled behind a
|
|
20
|
+
* reverse proxy without trust-proxy).
|
|
21
|
+
*/
|
|
22
|
+
export declare function registerDeviceRoutes(router: Router, opts: PassportRouteOptions, prefix: string, mw: MiddlewareHandler[]): void;
|
|
23
|
+
//# sourceMappingURL=device.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"device.d.ts","sourceRoot":"","sources":["../../src/routes/device.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAG9D;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,iBAAiB,EAAE,GACtB,IAAI,CA0CN"}
|