@rudderjs/passport 1.1.7 → 1.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
-
{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAG,MAAM,CAAA;IACnB,gFAAgF;IAChF,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAA;IAC1D;;;;;;;;OAQG;IACH,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAA;CAClC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,YAAY,CAAC,IAAI,GAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,
1
+
{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAG,MAAM,CAAA;IACnB,gFAAgF;IAChF,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAA;IAC1D;;;;;;;;OAQG;IACH,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAA;CAClC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,YAAY,CAAC,IAAI,GAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAO,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA0D9F"}
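--- a/package/dist/commands/keys.js
+++ b/package/dist/commands/keys.js
@@ -14,44 +14,73 @@ import { Passport } from '../Passport.js';
 export async function generateKeys(opts = {}) {
 const { generateKeyPairSync } = await import('node:crypto');
 const { writeFile, mkdir, rename, copyFile } = await import('node:fs/promises');
-const { existsSync } = await import('node:fs');
 const { join } = await import('node:path');
+const isENOENT = (err) => err.code === 'ENOENT';
 const keyDir = join(process.cwd(), Passport.keyPath());
 const privatePath = join(keyDir, 'oauth-private.key');
 const publicPath = join(keyDir, 'oauth-public.key');
 const previousPublicPath = join(keyDir, 'oauth-previous-public.key');
-const privateExists = existsSync(privatePath);
-const publicExists = existsSync(publicPath);
-if (!opts.force && privateExists) {
-throw new Error(`Keys already exist at ${privatePath}. Use --force to overwrite.`);
-}
 await mkdir(keyDir, { recursive: true });
 let backup = null;
 let previousPublicWritten = null;
-if (opts.force
+if (opts.force) {
+// Rotate any existing keys out of the way. We don't pre-check existence
+// (a check-then-write race) — instead we attempt the copy/rename and treat
+// ENOENT as "nothing there to rotate" (first generation under --force).
 const stamp = new Date().toISOString().replace(/[:.]/g, '-');
 const privateBackup = `${privatePath}.bak.${stamp}`;
 const publicBackup = `${publicPath}.bak.${stamp}`;
 // Copy the public key to the rolling "previous" slot BEFORE renaming —
 // the verifier loads from `oauth-previous-public.key` so JWTs signed by
 // the about-to-rotate key keep verifying during their natural lifetime.
-
+try {
 await copyFile(publicPath, previousPublicPath);
 previousPublicWritten = previousPublicPath;
 }
-
+catch (err) {
+if (!isENOENT(err))
+throw err;
+}
+let rotated = false;
+try {
 await rename(privatePath, privateBackup);
-
+rotated = true;
+}
+catch (err) {
+if (!isENOENT(err))
+throw err;
+}
+try {
 await rename(publicPath, publicBackup);
-
+rotated = true;
+}
+catch (err) {
+if (!isENOENT(err))
+throw err;
+}
+if (rotated)
+backup = { privatePath: privateBackup, publicPath: publicBackup };
 }
 const { privateKey, publicKey } = generateKeyPairSync('rsa', {
 modulusLength: 4096,
 publicKeyEncoding: { type: 'spki', format: 'pem' },
 privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
 });
-
-
+// `wx` = create exclusively. This is both the security boundary (the write
+// fails rather than following a pre-planted file/symlink at the key path)
+// AND the existence guard: without --force, an existing key makes the write
+// fail with EEXIST, which we surface as the "use --force" message. No
+// separate existsSync check — so there's no check-then-write window at all.
+try {
+await writeFile(privatePath, privateKey, { mode: 0o600, flag: 'wx' });
+await writeFile(publicPath, publicKey, { mode: 0o644, flag: 'wx' });
+}
+catch (err) {
+if (err.code === 'EEXIST') {
+throw new Error(`Keys already exist in ${keyDir}. Use --force to overwrite.`, { cause: err });
+}
+throw err;
+}
 return { privatePath, publicPath, backup, previousPublicPath: previousPublicWritten };
 }
 //# sourceMappingURL=keys.js.map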
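Review bot: The EEXIST branch at the end of the hunk (new lines 79–81) emits the same `Use --force to overwrite.` message even when `opts.force` was set, and by that point the original keys have already been renamed to the `.bak.<stamp>` files and the previous-public slot overwritten by `copyFile`, so a caller who hits it under --force is left with nothing at `privatePath` and a hint that asks for the flag they already passed. That state is reachable precisely through the gap between the rename and the exclusive write that the `wx` comment describes (another process, or a file placed in the key directory), so the error should say where the rotated keys went rather than suggesting a retry that will rotate them again. I'd branch on `opts.force` and `backup` in the catch and put the backup paths in the message; a follow-up could also consider restoring the backups on this path, but that needs its own error handling. generateKeys is fully within the hunk.
```javascript
catch (err) {
    if (err.code === 'EEXIST') {
        // Under --force the old keys were already rotated away above; tell the
        // caller where they went instead of asking for a flag they passed.
        const hint = !opts.force
            ? 'Use --force to overwrite.'
            : backup
                ? `The previous keys were rotated to ${backup.privatePath} and ${backup.publicPath}; nothing was overwritten.`
                : 'A file appeared at the key path after rotation; nothing was overwritten.';
        throw new Error(`Keys already exist in ${keyDir}. ${hint}`, { cause: err });
    }
    throw err;
}
```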
@@ -1 +1 @@
1
-
{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAmBzC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAA4B,EAAE;IAC/D,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IAC3D,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAA;IAC/E,MAAM,EAAE,
1
+
{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAmBzC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAA4B,EAAE;IAC/D,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IAC3D,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAA;IAC/E,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAA;IAE1C,MAAM,QAAQ,GAAG,CAAC,GAAY,EAAW,EAAE,CAAE,GAA6B,CAAC,IAAI,KAAK,QAAQ,CAAA;IAE5F,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAA;IACtD,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAA;IACrD,MAAM,UAAU,GAAI,IAAI,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;IACpD,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAA;IAEpE,MAAM,KAAK,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAExC,IAAI,MAAM,GAAiC,IAAI,CAAA;IAC/C,IAAI,qBAAqB,GAAkB,IAAI,CAAA;IAC/C,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,wEAAwE;QACxE,2EAA2E;QAC3E,wEAAwE;QACxE,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC5D,MAAM,aAAa,GAAG,GAAG,WAAW,QAAQ,KAAK,EAAE,CAAA;QACnD,MAAM,YAAY,GAAI,GAAG,UAAU,QAAQ,KAAK,EAAE,CAAA;QAClD,uEAAuE;QACvE,wEAAwE;QACxE,wEAAwE;QACxE,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAA;YAC9C,qBAAqB,GAAG,kBAAkB,CAAA;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,MAAM,GAAG,CAAA;QAAC,CAAC;QAC/C,IAAI,OAAO,GAAG,KAAK,CAAA;QACnB,IAAI,CAAC;YAAC,MAAM,MAAM,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAA;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,MAAM,GAAG,CAAA;QAAC,CAAC;QAC9G,IAAI,CAAC;YAAC,MAAM,MAAM,CAAC,UAAU,EAAG,YAAY,CAAC,CAAC;YAAE,OAAO,GAAG,IAAI,CAAA;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,MAAM,GAAG,CAAA;QAAC,CAAC;QAC9G,IAAI,OAAO;YAAE,MAAM,GAAG,EAAE,WAAW,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,CAAA;IAChF,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa,EAAE,IAAI;QACnB,iBAAi
B,EAAG,EAAE,IAAI,EAAE,MAAM,EAAG,MAAM,EAAE,KAAK,EAAE;QACpD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAA;IAEF,2EAA2E;IAC3E,0EAA0E;IAC1E,4EAA4E;IAC5E,sEAAsE;IACtE,4EAA4E;IAC5E,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;QACrE,MAAM,SAAS,CAAC,UAAU,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IACrE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,yBAAyB,MAAM,6BAA6B,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;QAC/F,CAAC;QACD,MAAM,GAAG,CAAA;IACX,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,CAAA;AACvF,CAAC"}
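--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@rudderjs/passport",
-"version": "1.1.
+"version": "1.1.8",
 "rudderjs": {
 "provider": "PassportProvider",
 "stage": "infrastructure",
@@ -49,7 +49,7 @@
 "@types/node": "^20.0.0",
 "typescript": "^5.4.0",
 "tsx": "^4.0.0",
-"@rudderjs/console": "^1.
+"@rudderjs/console": "^1.3.0"
 },
 "author": "Suleiman Shahbari",
 "scripts": {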