@rudderjs/passport 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/routes/authorize.d.ts.map +1 -1
  2. package/dist/routes/authorize.js +11 -3
  3. package/dist/routes/authorize.js.map +1 -1
  4. package/package.json +5 -5
package/dist/routes/authorize.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CA+FrG"}
1
+ {"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAwGrG"}
package/dist/routes/authorize.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import { Passport } from '../Passport.js';
2
- import { validateAuthorizationRequest, issueAuthCode } from '../grants/index.js';
2
+ import { validateAuthorizationRequest, issueAuthCode, validateScopes } from '../grants/index.js';
3
3
  import { authErrorResponse, requesterIdFrom, validateClientRedirect } from './helpers.js';
4
4
  /**
5
5
  * Register `GET/POST/DELETE /oauth/authorize` — the consent flow.
@@ -68,11 +68,19 @@ export function registerAuthorizeRoutes(router, prefix, mw) {
68
68
  res.status(401).json({ error: 'unauthenticated', error_description: 'User must be signed in.', ...stateEcho });
69
69
  return;
70
70
  }
71
- await validateClientRedirect(body['client_id'], body['redirect_uri']);
71
+ const client = await validateClientRedirect(body['client_id'], body['redirect_uri']);
72
+ // The POST body is attacker-controlled, so re-validate the requested
73
+ // scopes against the global registry and the client's allow-list — the
74
+ // GET handler's `validateAuthorizationRequest` check is only advisory
75
+ // (its result is echoed to the consent UI, never enforced here).
76
+ // Without this, a client could mint a code for scopes it isn't
77
+ // authorized for simply by POSTing them.
78
+ const requestedScopes = Array.isArray(body['scopes']) ? body['scopes'] : [];
79
+ validateScopes(client, requestedScopes);
72
80
  const code = await issueAuthCode({
73
81
  userId,
74
82
  clientId: body['client_id'],
75
- scopes: body['scopes'] ?? [],
83
+ scopes: requestedScopes,
76
84
  redirectUri: body['redirect_uri'],
77
85
  codeChallenge: body['code_challenge'],
78
86
  codeChallengeMethod: body['code_challenge_method'],
package/dist/routes/authorize.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAEhF,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEzF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IAC7F,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,EAAE,CAAA;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC;gBACnD,QAAQ,EAAa,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;gBAC7C,WAAW,EAAU,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE;gBAChD,YAAY,EAAS,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE;gBACjD,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;gBACzC,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC;gBACnC,aAAa,EAAQ,KAAK,CAAC,gBAAgB,CAAC;gBAC5C,mBAAmB,EAAE,KAAK,CAAC,uBAAuB,CAAC;aACpD,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG;gBACV,MAAM,EAAE;oBACN,EAAE,EAAI,SAAS,CAAC,MAAM,CAAC,EAAE;oBACzB,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI;iBAC5B;gBACD,MAAM,EAAO,SAAS,CAAC,MAAM;gBAC7B,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,GAAG,CAAC,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5F,GAAG,CAAC,SAAS,CAAC,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9G,OAAO,EAAE,GAAG;aACb,CAAA;YAED,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,EAAE,CAAA;YAC7C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;YAC1B,CAAC;YAED,+DAA+D;YAC/D,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,KAAK,EAAQ,GAAG,CAAC,KAAK;gBACtB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,gEAAgE;gBAChE,mEAAmE;gBACnE,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;gBACpG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;gBAC9G,OAAM;YACR,CAAC;YAED,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;gBAC/B,MAAM;gBACN,QAAQ,EAAa,IAAI,CAAC,WAAW,CAAC;gBACtC,MAAM,EAAe,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE;gBACzC,WAAW,EAAU,IAAI,CAAC,cAAc,CAAC;gBACzC,aAAa,EAAQ,IAAI,CAAC,gBAAgB,CAAC;gBAC3C,mBAAmB,EAAE,IAAI,CAAC,uBAAuB,CAAC;aACnD,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;YACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,8BAA8B,CAAC,CAAA;YACjF,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}
1
+ {"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAEhG,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEzF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IAC7F,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,EAAE,CAAA;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC;gBACnD,QAAQ,EAAa,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;gBAC7C,WAAW,EAAU,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE;gBAChD,YAAY,EAAS,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE;gBACjD,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;gBACzC,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC;gBACnC,aAAa,EAAQ,KAAK,CAAC,gBAAgB,CAAC;gBAC5C,mBAAmB,EAAE,KAAK,CAAC,uBAAuB,CAAC;aACpD,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG;gBACV,MAAM,EAAE;oBACN,EAAE,EAAI,SAAS,CAAC,MAAM,CAAC,EAAE;oBACzB,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI;iBAC5B;gBACD,MAAM,EAAO,SAAS,CAAC,MAAM;gBAC7B,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,GAAG,CAAC,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5F,GAAG,CAAC,SAAS,CAAC,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9G,OAAO,EAAE,GAAG;aACb,CAAA;YAED,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,EAAE,CAAA;YAC7C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;YAC1B,CAAC;YAED,+DAA+D;YAC/D,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,KAAK,EAAQ,GAAG,CAAC,KAAK;gBACtB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,gEAAgE;gBAChE,mEAAmE;gBACnE,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;gBACpG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;gBAC9G,OAAM;YACR,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAEpF,qEAAqE;YACrE,uEAAuE;YACvE,sEAAsE;YACtE,iEAAiE;YACjE,+DAA+D;YAC/D,yCAAyC;YACzC,MAAM,eAAe,GAAa,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACrF,cAAc,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;YAEvC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;gBAC/B,MAAM;gBACN,QAAQ,EAAa,IAAI,CAAC,WAAW,CAAC;gBACtC,MAAM,EAAe,eAAe;gBACpC,WAAW,EAAU,IAAI,CAAC,cAAc,CAAC;gBACzC,aAAa,EAAQ,IAAI,CAAC,gBAAgB,CAAC;gBAC3C,mBAAmB,EAAE,IAAI,CAAC,uBAAuB,CAAC;aACnD,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;YACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,8BAA8B,CAAC,CAAA;YACjF,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@rudderjs/passport",
3
- "version": "2.0.0",
3
+ "version": "2.0.1",
4
4
  "rudderjs": {
5
5
  "provider": "PassportProvider",
6
6
  "stage": "infrastructure",
@@ -41,9 +41,9 @@
41
41
  }
42
42
  },
43
43
  "dependencies": {
44
- "@rudderjs/core": "^1.11.0",
45
- "@rudderjs/contracts": "^1.15.0",
46
- "@rudderjs/orm": "^1.20.0"
44
+ "@rudderjs/core": "^1.12.4",
45
+ "@rudderjs/contracts": "^1.17.1",
46
+ "@rudderjs/orm": "^1.21.2"
47
47
  },
48
48
  "devDependencies": {
49
49
  "@types/node": "^20.0.0",
@@ -58,6 +58,6 @@
58
58
  "typecheck": "tsc --noEmit",
59
59
  "lint": "eslint src",
60
60
  "clean": "rm -rf dist",
61
- "test": "tsc -p tsconfig.test.json && node --test dist-test/index.test.js"
61
+ "test": "tsc -p tsconfig.test.json && node --test \"dist-test/**/*.test.js\""
62
62
  }
63
63
  }