@rudderjs/passport 2.0.1 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/grants/authorization-code.d.ts +25 -1
- package/dist/grants/authorization-code.d.ts.map +1 -1
- package/dist/grants/authorization-code.js +54 -24
- package/dist/grants/authorization-code.js.map +1 -1
- package/dist/grants/device-code.d.ts.map +1 -1
- package/dist/grants/device-code.js +21 -9
- package/dist/grants/device-code.js.map +1 -1
- package/dist/grants/index.d.ts +1 -1
- package/dist/grants/index.d.ts.map +1 -1
- package/dist/grants/index.js +1 -1
- package/dist/grants/index.js.map +1 -1
- package/dist/grants/refresh-token.d.ts +12 -0
- package/dist/grants/refresh-token.d.ts.map +1 -1
- package/dist/grants/refresh-token.js +13 -7
- package/dist/grants/refresh-token.js.map +1 -1
- package/dist/routes/authorize.d.ts.map +1 -1
- package/dist/routes/authorize.js +11 -7
- package/dist/routes/authorize.js.map +1 -1
- package/dist/routes/revoke.d.ts.map +1 -1
- package/dist/routes/revoke.js +14 -0
- package/dist/routes/revoke.js.map +1 -1
- package/package.json +5 -5
|
@@ -17,6 +17,25 @@ export interface ValidatedAuthRequest {
|
|
|
17
17
|
codeChallenge?: string;
|
|
18
18
|
codeChallengeMethod?: string;
|
|
19
19
|
}
|
|
20
|
+
/**
|
|
21
|
+
* Enforce the client-policy invariants that must hold at BOTH the GET (advisory
|
|
22
|
+
* consent render) and POST (actual code issuance) stages of /oauth/authorize:
|
|
23
|
+
*
|
|
24
|
+
* 1. the client must hold the `authorization_code` grant, and
|
|
25
|
+
* 2. PKCE policy — a public client MUST use PKCE, and MUST use S256 (never
|
|
26
|
+
* `plain`, which makes verifier == challenge so a stolen code alone mints
|
|
27
|
+
* tokens — RFC 7636 §4.4.1 / OAuth 2.0 BCP).
|
|
28
|
+
*
|
|
29
|
+
* The POST body is attacker-controlled and the GET result is never load-bearing,
|
|
30
|
+
* so these have to be re-checked at issuance. Validating only on GET let a public
|
|
31
|
+
* client obtain a code with NO code_challenge (or method=plain) — fully defeating
|
|
32
|
+
* PKCE — and let a client lacking the grant mint codes anyway. (#1082 closed the
|
|
33
|
+
* same GET-validates/POST-issues gap for scopes; this closes it for PKCE + grant.)
|
|
34
|
+
*/
|
|
35
|
+
export declare function enforceAuthCodePolicy(client: OAuthClient, pkce: {
|
|
36
|
+
codeChallenge?: string | undefined;
|
|
37
|
+
codeChallengeMethod?: string | undefined;
|
|
38
|
+
}): void;
|
|
20
39
|
/**
|
|
21
40
|
* Validate an authorization request (GET /oauth/authorize).
|
|
22
41
|
* Returns the validated request or throws with an error message.
|
|
@@ -66,7 +85,12 @@ export declare function exchangeAuthCode(params: TokenExchangeRequest): Promise<
|
|
|
66
85
|
* token already has its own narrowing logic (can only narrow vs. the original
|
|
67
86
|
* issuance, never widen) and skips this helper.
|
|
68
87
|
*
|
|
69
|
-
* The `*` wildcard is
|
|
88
|
+
* The `*` wildcard is exempt from the GLOBAL registry gate (it's a meta-scope,
|
|
89
|
+
* never an entry in `tokensCan(...)`), but it is NOT exempt from the PER-CLIENT
|
|
90
|
+
* allow-list: a client the operator restricted to a specific set must not be
|
|
91
|
+
* able to escalate to an all-scope token simply by asking for `*`. A client may
|
|
92
|
+
* only be granted `*` when its allow-list is empty (no restriction) or actually
|
|
93
|
+
* contains `*`.
|
|
70
94
|
*/
|
|
71
95
|
export declare function validateScopes(client: OAuthClient, requested: string[]): void;
|
|
72
96
|
export declare class OAuthError extends Error {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorization-code.d.ts","sourceRoot":"","sources":["../../src/grants/authorization-code.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAK3D,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAMlE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAO,MAAM,CAAA;IACrB,WAAW,EAAI,MAAM,CAAA;IACrB,YAAY,EAAG,MAAM,CAAA;IACrB,KAAK,EAAU,MAAM,CAAA;IACrB,KAAK,CAAC,EAAS,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAS,WAAW,CAAA;IAC1B,WAAW,EAAI,MAAM,CAAA;IACrB,MAAM,EAAS,MAAM,EAAE,CAAA;IACvB,KAAK,CAAC,EAAS,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED;;;GAGG;AACH,wBAAsB,4BAA4B,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,
|
|
1
|
+
{"version":3,"file":"authorization-code.d.ts","sourceRoot":"","sources":["../../src/grants/authorization-code.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAK3D,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAMlE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAO,MAAM,CAAA;IACrB,WAAW,EAAI,MAAM,CAAA;IACrB,YAAY,EAAG,MAAM,CAAA;IACrB,KAAK,EAAU,MAAM,CAAA;IACrB,KAAK,CAAC,EAAS,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAS,WAAW,CAAA;IAC1B,WAAW,EAAI,MAAM,CAAA;IACrB,MAAM,EAAS,MAAM,EAAE,CAAA;IACvB,KAAK,CAAC,EAAS,MAAM,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE;IAAE,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CAAE,GACrF,IAAI,CAgBN;AAED;;;GAGG;AACH,wBAAsB,4BAA4B,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAoC9G;AAID;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,MAAM,EAAK,MAAM,CAAA;IACjB,QAAQ,EAAG,MAAM,CAAA;IACjB,MAAM,EAAK,MAAM,EAAE,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B,GAAG,OAAO,CAAC,MAAM,CAAC,CAwBlB;AAID,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAK,MAAM,CAAA;IACpB,IAAI,EAAU,MAAM,CAAA;IACpB,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,WAAW,EAAG,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,CAmH1F;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,CA6B7E;AAID,qBAAa,UAAW,SAAQ,KAAK;aAEjB,KAAK,EAAE,MAAM;aACb,gBAAgB,EAAE,MAAM;aACxB,UAAU,EAAE,MAAM;gBAFlB,KAAK,EAAE,MAAM,EACb,gBAAgB,EAAE,MAAM,EACxB,UAAU,GAAE,MAAY;IAM1C,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAMjC"}
|
|
@@ -5,6 +5,38 @@ import { hashOpaqueToken, newOpaqueToken } from '../opaque-token.js';
|
|
|
5
5
|
import { issueTokens } from './issue-tokens.js';
|
|
6
6
|
import { parseScopes } from './parse-scopes.js';
|
|
7
7
|
import { verifyConfidentialCredentials } from './verify-client.js';
|
|
8
|
+
/**
|
|
9
|
+
* Enforce the client-policy invariants that must hold at BOTH the GET (advisory
|
|
10
|
+
* consent render) and POST (actual code issuance) stages of /oauth/authorize:
|
|
11
|
+
*
|
|
12
|
+
* 1. the client must hold the `authorization_code` grant, and
|
|
13
|
+
* 2. PKCE policy — a public client MUST use PKCE, and MUST use S256 (never
|
|
14
|
+
* `plain`, which makes verifier == challenge so a stolen code alone mints
|
|
15
|
+
* tokens — RFC 7636 §4.4.1 / OAuth 2.0 BCP).
|
|
16
|
+
*
|
|
17
|
+
* The POST body is attacker-controlled and the GET result is never load-bearing,
|
|
18
|
+
* so these have to be re-checked at issuance. Validating only on GET let a public
|
|
19
|
+
* client obtain a code with NO code_challenge (or method=plain) — fully defeating
|
|
20
|
+
* PKCE — and let a client lacking the grant mint codes anyway. (#1082 closed the
|
|
21
|
+
* same GET-validates/POST-issues gap for scopes; this closes it for PKCE + grant.)
|
|
22
|
+
*/
|
|
23
|
+
export function enforceAuthCodePolicy(client, pkce) {
|
|
24
|
+
if (!clientHelpers.hasGrantType(client, 'authorization_code')) {
|
|
25
|
+
throw new OAuthError('unauthorized_client', 'Client is not authorized for authorization_code grant.');
|
|
26
|
+
}
|
|
27
|
+
if (pkce.codeChallenge) {
|
|
28
|
+
const method = pkce.codeChallengeMethod ?? 'S256';
|
|
29
|
+
if (method !== 'S256' && method !== 'plain') {
|
|
30
|
+
throw new OAuthError('invalid_request', 'Unsupported code_challenge_method. Use S256 or plain.');
|
|
31
|
+
}
|
|
32
|
+
if (method === 'plain' && clientHelpers.isPublic(client)) {
|
|
33
|
+
throw new OAuthError('invalid_request', 'Public clients must use code_challenge_method=S256.');
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
else if (clientHelpers.isPublic(client)) {
|
|
37
|
+
throw new OAuthError('invalid_request', 'Public clients must use PKCE (code_challenge required).');
|
|
38
|
+
}
|
|
39
|
+
}
|
|
8
40
|
/**
|
|
9
41
|
* Validate an authorization request (GET /oauth/authorize).
|
|
10
42
|
* Returns the validated request or throws with an error message.
|
|
@@ -18,31 +50,15 @@ export async function validateAuthorizationRequest(params) {
|
|
|
18
50
|
if (!client || client.revoked) {
|
|
19
51
|
throw new OAuthError('invalid_client', 'Client not found.');
|
|
20
52
|
}
|
|
21
|
-
if (!clientHelpers.hasGrantType(client, 'authorization_code')) {
|
|
22
|
-
throw new OAuthError('unauthorized_client', 'Client is not authorized for authorization_code grant.');
|
|
23
|
-
}
|
|
24
53
|
if (!clientHelpers.hasRedirectUri(client, params.redirectUri)) {
|
|
25
54
|
throw new OAuthError('invalid_request', 'Invalid redirect_uri.');
|
|
26
55
|
}
|
|
27
|
-
// PKCE
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
// Public clients must use S256. RFC 7636 §4.4.1 + OAuth 2.0 BCP recommend
|
|
34
|
-
// S256 over `plain` because `plain` makes verifier == challenge — a stolen
|
|
35
|
-
// authorization code is already enough to mint tokens, defeating PKCE's
|
|
36
|
-
// entire purpose. Confidential clients keep the `plain` option for
|
|
37
|
-
// backward-compat with non-RFC-7636-compliant integrations.
|
|
38
|
-
if (method === 'plain' && clientHelpers.isPublic(client)) {
|
|
39
|
-
throw new OAuthError('invalid_request', 'Public clients must use code_challenge_method=S256.');
|
|
40
|
-
}
|
|
41
|
-
}
|
|
42
|
-
else if (clientHelpers.isPublic(client)) {
|
|
43
|
-
// Public clients MUST use PKCE
|
|
44
|
-
throw new OAuthError('invalid_request', 'Public clients must use PKCE (code_challenge required).');
|
|
45
|
-
}
|
|
56
|
+
// Grant-type + PKCE policy — re-run on the issuance path too (see
|
|
57
|
+
// enforceAuthCodePolicy). The GET handler's result is advisory.
|
|
58
|
+
enforceAuthCodePolicy(client, {
|
|
59
|
+
codeChallenge: params.codeChallenge,
|
|
60
|
+
codeChallengeMethod: params.codeChallengeMethod,
|
|
61
|
+
});
|
|
46
62
|
const scopes = parseScopes(params.scope);
|
|
47
63
|
validateScopes(client, scopes);
|
|
48
64
|
const result = {
|
|
@@ -104,6 +120,12 @@ export async function exchangeAuthCode(params) {
|
|
|
104
120
|
if (!client || client.revoked) {
|
|
105
121
|
throw new OAuthError('invalid_client', 'Client not found.', 401);
|
|
106
122
|
}
|
|
123
|
+
// Defense-in-depth: a code should only have been minted for an
|
|
124
|
+
// authorization_code-grant client (enforced at issuance), but re-check here
|
|
125
|
+
// so a client that lost the grant after a code was issued can't still redeem.
|
|
126
|
+
if (!clientHelpers.hasGrantType(client, 'authorization_code')) {
|
|
127
|
+
throw new OAuthError('unauthorized_client', 'Client is not authorized for authorization_code grant.');
|
|
128
|
+
}
|
|
107
129
|
await verifyConfidentialCredentials(client, params.clientSecret);
|
|
108
130
|
// Validate auth code by hashed plaintext (M5/P6) — the row's `id` is no
|
|
109
131
|
// longer the bearer secret. Pre-migration codes won't match because their
|
|
@@ -209,7 +231,12 @@ export async function exchangeAuthCode(params) {
|
|
|
209
231
|
* token already has its own narrowing logic (can only narrow vs. the original
|
|
210
232
|
* issuance, never widen) and skips this helper.
|
|
211
233
|
*
|
|
212
|
-
* The `*` wildcard is
|
|
234
|
+
* The `*` wildcard is exempt from the GLOBAL registry gate (it's a meta-scope,
|
|
235
|
+
* never an entry in `tokensCan(...)`), but it is NOT exempt from the PER-CLIENT
|
|
236
|
+
* allow-list: a client the operator restricted to a specific set must not be
|
|
237
|
+
* able to escalate to an all-scope token simply by asking for `*`. A client may
|
|
238
|
+
* only be granted `*` when its allow-list is empty (no restriction) or actually
|
|
239
|
+
* contains `*`.
|
|
213
240
|
*/
|
|
214
241
|
export function validateScopes(client, requested) {
|
|
215
242
|
if (requested.length === 0)
|
|
@@ -225,7 +252,10 @@ export function validateScopes(client, requested) {
|
|
|
225
252
|
const clientScopes = clientHelpers.getScopes(client);
|
|
226
253
|
if (clientScopes.length > 0) {
|
|
227
254
|
const allow = new Set(clientScopes);
|
|
228
|
-
|
|
255
|
+
// No `*` exemption here: `*` must be explicitly in the client's allow-list
|
|
256
|
+
// to be grantable. Otherwise a restricted client could bypass its own
|
|
257
|
+
// allow-list by requesting the wildcard.
|
|
258
|
+
const denied = requested.filter(s => !allow.has(s));
|
|
229
259
|
if (denied.length > 0) {
|
|
230
260
|
throw new OAuthError('invalid_scope', `The requested scope is not authorized for this client: ${denied.join(' ')}.`);
|
|
231
261
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorization-code.js","sourceRoot":"","sources":["../../src/grants/authorization-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACpE,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAA;AAuBlE
|
|
1
|
+
{"version":3,"file":"authorization-code.js","sourceRoot":"","sources":["../../src/grants/authorization-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACpE,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAA;AAuBlE;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,qBAAqB,CACnC,MAAmB,EACnB,IAAsF;IAEtF,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,EAAE,oBAAoB,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,wDAAwD,CAAC,CAAA;IACvG,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,mBAAmB,IAAI,MAAM,CAAA;QACjD,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YAC5C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,uDAAuD,CAAC,CAAA;QAClG,CAAC;QACD,IAAI,MAAM,KAAK,OAAO,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,qDAAqD,CAAC,CAAA;QAChG,CAAC;IACH,CAAC;SAAM,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,yDAAyD,CAAC,CAAA;IACpG,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAAC,MAA4B;IAC7E,IAAI,MAAM,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;QACnC,MAAM,IAAI,UAAU,CAAC,2BAA2B,EAAE,uCAAuC,CAAC,CAAA;IAC5F,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IACzF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAA;IAClE,CAAC;IAED,kEAAkE;IAClE,gEAAgE;IAChE,qBAAqB,CAAC,MAAM,EAAE;QAC5B,aAAa,EAAQ,MAAM,CAAC,aAAa;QACzC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;KAChD,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IACxC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAE9B,MAAM,MAAM,GAAyB;QACnC,MAAM;QACN,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,MAAM;KACP,CAAA;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAA;IAC3D,IAAI,MAAM,CAAC,aAAa,KAAK,SAAS;QAAE,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAA;IACnF,MAAM,MAAM,GAAG,MAAM,CAAC,mBAAmB,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IACxF,IAAI,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,mBAAmB,GAAG,MAAM,CAAA;IAE7D,OAAO,MAAM,CAAA;AACf,CAAC;AAED,6DAA6D;AAE7D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAOnC;IACC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA,CAAC,aAAa;IAErE,yEAAyE;IACzE,yEAAyE;IACzE,yEAAyE;IACzE,qEAAqE;IACrE,MAAM,aAAa,GAAG,MAAM,cAAc,EAAE,CAAA;IAC5C,MAAM,QAAQ,GAAQ,MAAM,eAAe,CAAC,aAAa,CAAC,CAAA;IAE1D,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAA;IAClD,MAAM,WAAW,CAAC,MAAM,CAAC;QACvB,MAAM,EAAe,IAAI,CAAC,MAAM;QAChC,QAAQ,EAAa,IAAI,CAAC,QAAQ;QAClC,SAAS,EAAY,QAAQ;QAC7B,MAAM,EAAe,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,OAAO,EAAc,KAAK;QAC1B,SAAS;QACT,WAAW,EAAU,IAAI,CAAC,WAAW;QACrC,aAAa,EAAQ,IAAI,CAAC,aAAa,IAAI,IAAI;QAC/C,mBAAmB,EAAE,IAAI,CAAC,mBAAmB,IAAI,IAAI;KAC3B,CAAC,CAAA;IAE7B,OAAO,aAAa,CAAA;AACtB,CAAC;AAaD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAA4B;IACjE,IAAI,MAAM,CAAC,SAAS,KAAK,oBAAoB,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,yCAAyC,CAAC,CAAA;IAC3F,CAAC;IAED,MAAM,SAAS,GAAK,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAChD,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAA;IAElD,qEAAqE;IACrE,oEAAoE;IACpE,gEAAgE;IAChE,sEAAsE;IACtE,4CAA4C;IAC5C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IACzF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAA;IAClE,CAAC;IAED,+DAA+D;IAC/D,4EAA4E;IAC5E,8EAA8E;IAC9E,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,EAAE,oBAAoB,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,wDAAwD,CAAC,CAAA;IACvG,CAAC;IAED,MAAM,6BAA6B,CAAC,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEhE,wEAAwE;IACxE,0EAA0E;IAC1E,0EAA0E;IAC1E,wEAAwE;IACxE,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IACnD,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,KAAK,EAAqB,CAAA;IAC1F,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,+BAA+B,CAAC,CAAA;IACxE,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,sCAAsC,CAAC,CAAA;IAC/E,CAAC;IACD,IAAI,eAAe,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iCAAiC,CAAC,CAAA;IAC1E,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,mDAAmD,CAAC,CAAA;IAC5F,CAAC;IAED,0EAA0E;IAC1E,sEAAsE;IACtE,wEAAwE;IACxE,2EAA2E;IAC3E,yEAAyE;IACzE,+DAA+D;IAC/D,IAAI,QAAQ,CAAC,WAAW,KAAK,IAAI,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACxE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,uDAAuD,CAAC,CAAA;QAChG,CAAC;QACD,IAAI,QAAQ,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,EAAE,CAAC;YAChD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,mEAAmE,CAAC,CAAA;QAC5G,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,8BAA8B,CAAC,CAAA;QACvE,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QAClD,IAAI,QAAgB,CAAA;QAEpB,IAAI,QAAQ,CAAC,mBAAmB,KAAK,MAAM,EAAE,CAAC;YAC5C,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC;iBAC5B,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;iBAC3B,MAAM,CAAC,WAAW,CAAC,CAAA;QACxB,CAAC;aAAM,CAAC;YACN,QAAQ;YACR,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAA;QAChC,CAAC;QAED,uEAAuE;QACvE,sEAAsE;QACtE,oEAAoE;QACpE,iCAAiC;QACjC,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,QAAQ,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,oCAAoC,CAAC,CAAA;QAC7E,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,iEAAiE;IACjE,sEAAsE;IACtE,kEAAkE;IAClE,wEAAwE;IACxE,kEAAkE;IAClE,oEAAoE;IACpE,wEAAwE;IACxE,wEAAwE;IACxE,mEAAmE;IACnE,qEAAqE;IACrE,mEAAmE;IACnE,MAAM,QAAQ,GAAG,MAAM,WAAW;SAC/B,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;SACxB,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC;SACvB,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;IAC1D,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,2CAA2C,CAAC,CAAA;IACpF,CAAC;IAED,eAAe;IACf,OAAO,WAAW,CAAC;QACjB,MAAM,EAAI,QAAQ,CAAC,MAAM;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAI,eAAe,CAAC,SAAS,CAAC,QAAQ,CAAC;QAC7C,cAAc,EAAE,IAAI;KACrB,CAAC,CAAA;AACJ,CAAC;AAED,6DAA6D;AAE7D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,cAAc,CAAC,MAAmB,EAAE,SAAmB;IACrE,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM;IAElC,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAA;IACpC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QACnD,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QACpE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,UAAU,CAClB,eAAe,EACf,0DAA0D,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAC/E,CAAA;QACH,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACpD,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAA;QACnC,2EAA2E;QAC3E,sEAAsE;QACtE,yCAAyC;QACzC,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QACnD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,UAAU,CAClB,eAAe,EACf,0DAA0D,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAC9E,CAAA;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,6DAA6D;AAE7D,MAAM,OAAO,UAAW,SAAQ,KAAK;IAEjB;IACA;IACA;IAHlB,YACkB,KAAa,EACb,gBAAwB,EACxB,aAAqB,GAAG;QAExC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QAJP,UAAK,GAAL,KAAK,CAAQ;QACb,qBAAgB,GAAhB,gBAAgB,CAAQ;QACxB,eAAU,GAAV,UAAU,CAAc;QAGxC,IAAI,CAAC,IAAI,GAAG,YAAY,CAAA;IAC1B,CAAC;IAED,MAAM;QACJ,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,iBAAiB,EAAE,IAAI,CAAC,gBAAgB;SACzC,CAAA;IACH,CAAC;CACF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../src/grants/device-code.ts"],"names":[],"mappings":"AAKA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAgBlE,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAiB,MAAM,CAAA;IAClC,SAAS,EAAmB,MAAM,CAAA;IAClC,gBAAgB,EAAY,MAAM,CAAA;IAClC,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,UAAU,EAAkB,MAAM,CAAA;IAClC,QAAQ,EAAoB,MAAM,CAAA;CACnC;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAI,MAAM,CAAA;IAChB,eAAe,EAAE,MAAM,CAAA;CACxB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAiDvC;AAID;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAqB1G;AAID,MAAM,MAAM,gBAAgB,GACxB;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,GAC9C;IAAE,MAAM,EAAE,uBAAuB,CAAA;CAAE;AACrC;;;;;;GAMG;GACD;IAAE,MAAM,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACzC;IAAE,MAAM,EAAE,eAAe,CAAA;CAAE,GAC3B;IAAE,MAAM,EAAE,eAAe,CAAA;CAAE,CAAA;AAE/B;;GAEG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE;IAC3C,SAAS,EAAG,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAI,MAAM,CAAA;CACnB,GAAG,OAAO,CAAC,gBAAgB,CAAC,
|
|
1
|
+
{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../src/grants/device-code.ts"],"names":[],"mappings":"AAKA,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAgBlE,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAiB,MAAM,CAAA;IAClC,SAAS,EAAmB,MAAM,CAAA;IAClC,gBAAgB,EAAY,MAAM,CAAA;IAClC,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,UAAU,EAAkB,MAAM,CAAA;IAClC,QAAQ,EAAoB,MAAM,CAAA;CACnC;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAI,MAAM,CAAA;IAChB,eAAe,EAAE,MAAM,CAAA;CACxB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAiDvC;AAID;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAqB1G;AAID,MAAM,MAAM,gBAAgB,GACxB;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,MAAM,EAAE,YAAY,CAAA;CAAE,GAC9C;IAAE,MAAM,EAAE,uBAAuB,CAAA;CAAE;AACrC;;;;;;GAMG;GACD;IAAE,MAAM,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACzC;IAAE,MAAM,EAAE,eAAe,CAAA;CAAE,GAC3B;IAAE,MAAM,EAAE,eAAe,CAAA;CAAE,CAAA;AAE/B;;GAEG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE;IAC3C,SAAS,EAAG,MAAM,CAAA;IAClB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAI,MAAM,CAAA;CACnB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAiF5B"}
|
|
@@ -106,11 +106,27 @@ export async function pollDeviceCode(params) {
|
|
|
106
106
|
return { status: 'expired_token' };
|
|
107
107
|
}
|
|
108
108
|
// Rate limiting (RFC 8628 §3.5). Enforce against the per-row `interval`
|
|
109
|
-
// (defaults to 5s, escalates by 5s per slow_down, capped at 60s).
|
|
110
|
-
//
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
109
|
+
// (defaults to 5s, escalates by 5s per slow_down, capped at 60s).
|
|
110
|
+
//
|
|
111
|
+
// The check + the `lastPolledAt` bump are a SINGLE conditional UPDATE so that:
|
|
112
|
+
// (a) two concurrent polls can't both read a stale `lastPolledAt` and both
|
|
113
|
+
// slip past the gate — exactly one matches (count 1) and proceeds, the
|
|
114
|
+
// rest match 0 and are told to slow down; and
|
|
115
|
+
// (b) the back-off clock anchors to the last ALLOWED poll — a throttled poll
|
|
116
|
+
// does NOT advance `lastPolledAt` (the row didn't match), so a client
|
|
117
|
+
// hammering the endpoint can't keep pushing the window forward.
|
|
118
|
+
// The first poll (lastPolledAt null) is never throttled, per RFC 8628.
|
|
119
|
+
const now = new Date();
|
|
120
|
+
if (device.lastPolledAt === null || device.lastPolledAt === undefined) {
|
|
121
|
+
await DeviceCodeCls.update(device.id, { lastPolledAt: now });
|
|
122
|
+
}
|
|
123
|
+
else {
|
|
124
|
+
const threshold = new Date(now.getTime() - device.interval * 1000);
|
|
125
|
+
const allowed = await DeviceCodeCls.query()
|
|
126
|
+
.where('id', device.id)
|
|
127
|
+
.where('lastPolledAt', '<=', threshold)
|
|
128
|
+
.updateAll({ lastPolledAt: now });
|
|
129
|
+
if (allowed === 0) {
|
|
114
130
|
const nextInterval = Math.min(device.interval + 5, Passport.deviceMaxIntervalSeconds());
|
|
115
131
|
if (nextInterval !== device.interval) {
|
|
116
132
|
await DeviceCodeCls.update(device.id, { interval: nextInterval });
|
|
@@ -118,10 +134,6 @@ export async function pollDeviceCode(params) {
|
|
|
118
134
|
return { status: 'slow_down', interval: nextInterval };
|
|
119
135
|
}
|
|
120
136
|
}
|
|
121
|
-
// Update last polled time
|
|
122
|
-
await DeviceCodeCls.update(device.id, {
|
|
123
|
-
lastPolledAt: new Date(),
|
|
124
|
-
});
|
|
125
137
|
if (deviceCodeHelpers.isPending(device)) {
|
|
126
138
|
return { status: 'authorization_pending' };
|
|
127
139
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"device-code.js","sourceRoot":"","sources":["../../src/grants/device-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAE/C;;;;;;;GAOG;AACH,MAAM,wBAAwB,GAAG,CAAC,CAAA;AAalC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAIvC;IACC,MAAM,SAAS,GAAO,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAClD,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAA;IAEtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IACzF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,EAAE,8CAA8C,CAAC,EAAE,CAAC;QACxF,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,0DAA0D,CAAC,CAAA;IACzG,CAAC;IAED,MAAM,MAAM,GAAO,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC5C,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAE9B,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IACnD,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAClD,MAAM,QAAQ,GAAK,MAAM,gBAAgB,EAAE,CAAA;IAC3C,MAAM,SAAS,GAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA,CAAC,aAAa;IAEtE,uEAAuE;IACvE,wEAAwE;IACxE,uBAAuB;IACvB,MAAM,CAAC,cAAc,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACvD,gBAAgB,CAAC,UAAU,CAAC;QAC5B,gBAAgB,CAAC,QAAQ,CAAC;KAC3B,CAAC,CAAA;IAEF,MAAM,aAAa,CAAC,MAAM,CAAC;QACzB,QAAQ,EAAQ,MAAM,CAAC,QAAQ;QAC/B,cAAc;QACd,YAAY;QACZ,MAAM,EAAU,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;QACtC,MAAM,EAAU,IAAI;QACpB,QAAQ,EAAQ,IAAI;QACpB,QAAQ,EAAQ,wBAAwB;QACxC,SAAS;QACT,YAAY,EAAI,IAAI;KACM,CAAC,CAAA;IAE7B,OAAO;QACL,WAAW,EAAO,UAAU;QAC5B,SAAS,EAAS,QAAQ;QAC1B,gBAAgB,EAAE,MAAM,CAAC,eAAe;QACxC,yBAAyB,EAAE,GAAG,MAAM,CAAC,eAAe,cAAc,QAAQ,EAAE;QAC5E,UAAU,EAAQ,EAAE,GAAG,EAAE,EAAE,wBAAwB;QACnD,QAAQ,EAAU,wBAAwB;KAC3C,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAc,EAAE,QAAiB;IACzF,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAA;IACtD,sEAAsE;IACtE,uEAAuE;IACvE,4CAA4C;IAC5C,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAA;IACrD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC,KAAK,EAAuB,CAAA;IACnG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,0BAA0B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,oCAAoC,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE;QACpC,MAAM;QACN,QAAQ;KACkB,CAAC,CAAA;AAC/B,CAAC;AAkBD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAIpC;IACC,IAAI,MAAM,CAAC,SAAS,KAAK,8CAA8C,EAAE,CAAC;QACxE,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,mEAAmE,CAAC,CAAA;IACrH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAA;IACtD,wDAAwD;IACxD,MAAM,cAAc,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IAChE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC,KAAK,EAAuB,CAAA;IACvG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,wBAAwB,CAAC,CAAA;IACjE,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,4CAA4C,CAAC,CAAA;IACrF,CAAC;IACD,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACpC,CAAC;IAED,wEAAwE;IACxE,
|
|
1
|
+
{"version":3,"file":"device-code.js","sourceRoot":"","sources":["../../src/grants/device-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AACvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAE/C;;;;;;;GAOG;AACH,MAAM,wBAAwB,GAAG,CAAC,CAAA;AAalC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAIvC;IACC,MAAM,SAAS,GAAO,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAClD,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAA;IAEtD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IACzF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,EAAE,8CAA8C,CAAC,EAAE,CAAC;QACxF,MAAM,IAAI,UAAU,CAAC,qBAAqB,EAAE,0DAA0D,CAAC,CAAA;IACzG,CAAC;IAED,MAAM,MAAM,GAAO,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC5C,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAE9B,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IACnD,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAClD,MAAM,QAAQ,GAAK,MAAM,gBAAgB,EAAE,CAAA;IAC3C,MAAM,SAAS,GAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA,CAAC,aAAa;IAEtE,uEAAuE;IACvE,wEAAwE;IACxE,uBAAuB;IACvB,MAAM,CAAC,cAAc,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACvD,gBAAgB,CAAC,UAAU,CAAC;QAC5B,gBAAgB,CAAC,QAAQ,CAAC;KAC3B,CAAC,CAAA;IAEF,MAAM,aAAa,CAAC,MAAM,CAAC;QACzB,QAAQ,EAAQ,MAAM,CAAC,QAAQ;QAC/B,cAAc;QACd,YAAY;QACZ,MAAM,EAAU,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;QACtC,MAAM,EAAU,IAAI;QACpB,QAAQ,EAAQ,IAAI;QACpB,QAAQ,EAAQ,wBAAwB;QACxC,SAAS;QACT,YAAY,EAAI,IAAI;KACM,CAAC,CAAA;IAE7B,OAAO;QACL,WAAW,EAAO,UAAU;QAC5B,SAAS,EAAS,QAAQ;QAC1B,gBAAgB,EAAE,MAAM,CAAC,eAAe;QACxC,yBAAyB,EAAE,GAAG,MAAM,CAAC,eAAe,cAAc,QAAQ,EAAE;QAC5E,UAAU,EAAQ,EAAE,GAAG,EAAE,EAAE,wBAAwB;QACnD,QAAQ,EAAU,wBAAwB;KAC3C,CAAA;AACH,CAAC;AAED,6DAA6D;AAE7D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAc,EAAE,QAAiB;IACzF,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAA;IACtD,sEAAsE;IACtE,uEAAuE;IACvE,4CAA4C;IAC5C,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC,CAAA;IACrD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC,KAAK,EAAuB,CAAA;IACnG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,0BAA0B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,oCAAoC,CAAC,CAAA;IAC/E,CAAC;IAED,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE;QACpC,MAAM;QACN,QAAQ;KACkB,CAAC,CAAA;AAC/B,CAAC;AAkBD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAIpC;IACC,IAAI,MAAM,CAAC,SAAS,KAAK,8CAA8C,EAAE,CAAC;QACxE,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,mEAAmE,CAAC,CAAA;IACrH,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAA;IACtD,wDAAwD;IACxD,MAAM,cAAc,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IAChE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC,KAAK,EAAuB,CAAA;IACvG,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,wBAAwB,CAAC,CAAA;IACjE,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,4CAA4C,CAAC,CAAA;IACrF,CAAC;IACD,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACpC,CAAC;IAED,wEAAwE;IACxE,kEAAkE;IAClE,EAAE;IACF,+EAA+E;IAC/E,6EAA6E;IAC7E,6EAA6E;IAC7E,oDAAoD;IACpD,+EAA+E;IAC/E,4EAA4E;IAC5E,sEAAsE;IACtE,uEAAuE;IACvE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IACtB,IAAI,MAAM,CAAC,YAAY,KAAK,IAAI,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACtE,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,GAAG,EAA6B,CAAC,CAAA;IACzF,CAAC;SAAM,CAAC;QACN,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;QAClE,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE;aACxC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;aACtB,KAAK,CAAC,cAAc,EAAE,IAAI,EAAE,SAAS,CAAC;aACtC,SAAS,CAAC,EAAE,YAAY,EAAE,GAAG,EAA6B,CAAC,CAAA;QAC9D,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YAClB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,QAAQ,CAAC,wBAAwB,EAAE,CAAC,CAAA;YACvF,IAAI,YAAY,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACrC,MAAM,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,YAAY,EAA6B,CAAC,CAAA;YAC9F,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;QACxD,CAAC;IACH,CAAC;IAED,IAAI,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,OAAO,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAA;IAC5C,CAAC;IAED,IAAI,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACpC,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,4EAA4E;IAC5E,wEAAwE;IACxE,0EAA0E;IAC1E,qEAAqE;IACrE,MAAM,OAAO,GAAG,MAAM,aAAa;SAChC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC;SACtB,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC;SACvB,SAAS,EAAE,CAAA;IACd,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QAClB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,oCAAoC,CAAC,CAAA;IAC7E,CAAC;IAED,yEAAyE;IACzE,0EAA0E;IAC1E,yDAAyD;IACzD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC;QAC/B,MAAM,EAAI,MAAM,CAAC,MAAM;QACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAI,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC;QAC7C,cAAc,EAAE,IAAI;KACrB,CAAC,CAAA;IAEF,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,CAAA;AACzC,CAAC;AAED,6DAA6D;AAE7D,oFAAoF;AACpF,KAAK,UAAU,gBAAgB;IAC7B,MAAM,KAAK,GAAG,kCAAkC,CAAA,CAAC,gBAAgB;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;IACjD,IAAI,IAAI,GAAG,EAAE,CAAA;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC;YAAE,IAAI,IAAI,GAAG,CAAA,CAAC,mBAAmB;QAC5C,IAAI,IAAI,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;IACxC,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}
|
package/dist/grants/index.d.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
export { issueTokens } from './issue-tokens.js';
|
|
2
2
|
export type { IssuedTokens } from './issue-tokens.js';
|
|
3
|
-
export { validateAuthorizationRequest, issueAuthCode, exchangeAuthCode, validateScopes, OAuthError, } from './authorization-code.js';
|
|
3
|
+
export { validateAuthorizationRequest, enforceAuthCodePolicy, issueAuthCode, exchangeAuthCode, validateScopes, OAuthError, } from './authorization-code.js';
|
|
4
4
|
export type { AuthorizationRequest, ValidatedAuthRequest, TokenExchangeRequest, } from './authorization-code.js';
|
|
5
5
|
export { clientCredentialsGrant } from './client-credentials.js';
|
|
6
6
|
export type { ClientCredentialsRequest } from './client-credentials.js';
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/grants/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAErD,OAAO,EACL,4BAA4B,EAC5B,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,UAAU,GACX,MAAM,yBAAyB,CAAA;AAChC,YAAY,EACV,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA;AAChE,YAAY,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAA;AAEvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACtD,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AAE7D,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,kBAAkB,CAAA;AACzB,YAAY,EACV,2BAA2B,EAC3B,gBAAgB,GACjB,MAAM,kBAAkB,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/grants/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAErD,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,UAAU,GACX,MAAM,yBAAyB,CAAA;AAChC,YAAY,EACV,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA;AAChE,YAAY,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAA;AAEvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACtD,YAAY,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AAE7D,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,kBAAkB,CAAA;AACzB,YAAY,EACV,2BAA2B,EAC3B,gBAAgB,GACjB,MAAM,kBAAkB,CAAA"}
|
package/dist/grants/index.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
export { issueTokens } from './issue-tokens.js';
|
|
2
|
-
export { validateAuthorizationRequest, issueAuthCode, exchangeAuthCode, validateScopes, OAuthError, } from './authorization-code.js';
|
|
2
|
+
export { validateAuthorizationRequest, enforceAuthCodePolicy, issueAuthCode, exchangeAuthCode, validateScopes, OAuthError, } from './authorization-code.js';
|
|
3
3
|
export { clientCredentialsGrant } from './client-credentials.js';
|
|
4
4
|
export { refreshTokenGrant } from './refresh-token.js';
|
|
5
5
|
export { requestDeviceCode, approveDeviceCode, pollDeviceCode, } from './device-code.js';
|
package/dist/grants/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/grants/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG/C,OAAO,EACL,4BAA4B,EAC5B,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,UAAU,GACX,MAAM,yBAAyB,CAAA;AAOhC,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA;AAGhE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAGtD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,kBAAkB,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/grants/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAG/C,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,UAAU,GACX,MAAM,yBAAyB,CAAA;AAOhC,OAAO,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAA;AAGhE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAGtD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,GACf,MAAM,kBAAkB,CAAA"}
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import type { AccessToken } from '../models/AccessToken.js';
|
|
2
|
+
import type { RefreshToken } from '../models/RefreshToken.js';
|
|
1
3
|
import { type IssuedTokens } from './issue-tokens.js';
|
|
2
4
|
export interface RefreshTokenRequest {
|
|
3
5
|
grantType: string;
|
|
@@ -11,4 +13,14 @@ export interface RefreshTokenRequest {
|
|
|
11
13
|
* The old refresh token is revoked.
|
|
12
14
|
*/
|
|
13
15
|
export declare function refreshTokenGrant(params: RefreshTokenRequest): Promise<IssuedTokens>;
|
|
16
|
+
/**
|
|
17
|
+
* Revoke every access + refresh token in a rotation family. Called on
|
|
18
|
+
* detected reuse of an already-revoked refresh token (and from the revoke
|
|
19
|
+
* endpoint, to kill a whole session). Best-effort: ORM errors are not
|
|
20
|
+
* propagated to the caller because the outer flow is already going to throw
|
|
21
|
+
* `invalid_grant` / return 204. But the failure IS reported — family
|
|
22
|
+
* revocation is the security-critical anti-replay action, so a silent no-op
|
|
23
|
+
* (e.g. a transient DB error mid-attack) must not pass unnoticed.
|
|
24
|
+
*/
|
|
25
|
+
export declare function revokeFamily(RefreshTokenCls: typeof RefreshToken, AccessTokenCls: typeof AccessToken, familyId: string): Promise<void>;
|
|
14
26
|
//# sourceMappingURL=refresh-token.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh-token.d.ts","sourceRoot":"","sources":["../../src/grants/refresh-token.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"refresh-token.d.ts","sourceRoot":"","sources":["../../src/grants/refresh-token.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAO,0BAA0B,CAAA;AAC5D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AAG7D,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAKlE,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAK,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,KAAK,CAAC,EAAQ,MAAM,CAAA;CACrB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,CA8F1F;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,eAAe,EAAE,OAAO,YAAY,EACpC,cAAc,EAAG,OAAO,WAAW,EACnC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CA0Bf"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { report } from '@rudderjs/core';
|
|
1
2
|
import { Passport } from '../Passport.js';
|
|
2
3
|
import { accessTokenHelpers, refreshTokenHelpers } from '../models/helpers.js';
|
|
3
4
|
import { hashOpaqueToken } from '../opaque-token.js';
|
|
@@ -97,12 +98,14 @@ export async function refreshTokenGrant(params) {
|
|
|
97
98
|
}
|
|
98
99
|
/**
|
|
99
100
|
* Revoke every access + refresh token in a rotation family. Called on
|
|
100
|
-
* detected reuse of an already-revoked refresh token
|
|
101
|
-
*
|
|
102
|
-
*
|
|
103
|
-
*
|
|
101
|
+
* detected reuse of an already-revoked refresh token (and from the revoke
|
|
102
|
+
* endpoint, to kill a whole session). Best-effort: ORM errors are not
|
|
103
|
+
* propagated to the caller because the outer flow is already going to throw
|
|
104
|
+
* `invalid_grant` / return 204. But the failure IS reported — family
|
|
105
|
+
* revocation is the security-critical anti-replay action, so a silent no-op
|
|
106
|
+
* (e.g. a transient DB error mid-attack) must not pass unnoticed.
|
|
104
107
|
*/
|
|
105
|
-
async function revokeFamily(RefreshTokenCls, AccessTokenCls, familyId) {
|
|
108
|
+
export async function revokeFamily(RefreshTokenCls, AccessTokenCls, familyId) {
|
|
106
109
|
try {
|
|
107
110
|
// Two bulk QueryBuilder.updateAll() calls — one per table — replace
|
|
108
111
|
// the prior read-then-N+1-update loop. Each is idempotent: refresh
|
|
@@ -122,8 +125,11 @@ async function revokeFamily(RefreshTokenCls, AccessTokenCls, familyId) {
|
|
|
122
125
|
await AccessTokenCls.query().where('id', 'IN', accessTokenIds)
|
|
123
126
|
.updateAll({ revoked: true });
|
|
124
127
|
}
|
|
125
|
-
catch {
|
|
126
|
-
//
|
|
128
|
+
catch (e) {
|
|
129
|
+
// Don't propagate (the outer handler already throws invalid_grant / 204),
|
|
130
|
+
// but DO report: a failed family revocation during a detected-reuse event
|
|
131
|
+
// is exactly the signal operators need to see.
|
|
132
|
+
report(e);
|
|
127
133
|
}
|
|
128
134
|
}
|
|
129
135
|
//# sourceMappingURL=refresh-token.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh-token.js","sourceRoot":"","sources":["../../src/grants/refresh-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAIzC,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAA;AAUlE;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAA2B;IACjE,IAAI,MAAM,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QACzC,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,oCAAoC,CAAC,CAAA;IACtF,CAAC;IAED,MAAM,SAAS,GAAS,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IACpD,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAA;IAC1D,MAAM,cAAc,GAAI,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;IAEnD,kBAAkB;IAClB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IACzF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAA;IAClE,CAAC;IAED,MAAM,6BAA6B,CAAC,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEhE,wEAAwE;IACxE,2EAA2E;IAC3E,sEAAsE;IACtE,0EAA0E;IAC1E,sEAAsE;IACtE,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACnE,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,KAAK,EAAyB,CAAA;IAC9G,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,0BAA0B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACzB,sEAAsE;QACtE,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,gEAAgE;QAChE,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,YAAY,CAAC,eAAe,EAAE,cAAc,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;QAC5E,CAAC;QACD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iCAAiC,CAAC,CAAA;IAC1E,CAAC;IACD,IAAI,mBAAmB,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,4BAA4B,CAAC,CAAA;IACrE,CAAC;IAED,sDAAsD;IACtD,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC,aAAa,CAAC,CAAC,KAAK,EAAwB,CAAA;IAC9G,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,oCAAoC,CAAC,CAAA;IAC7E,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,8CAA8C,CAAC,CAAA;IACvF,CAAC;IAED,gDAAgD;IAChD,MAAM,cAAc,GAAG,kBAAkB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAA;IAChE,IAAI,MAAM,GAAG,cAAc,CAAA;IAC3B,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC3C,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;QACnG,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,gDAAgD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC7G,CAAC;QACD,MAAM,GAAG,SAAS,CAAA;IACpB,CAAC;IAED,2EAA2E;IAC3E,2EAA2E;IAC3E,0EAA0E;IAC1E,2EAA2E;IAC3E,wEAAwE;IACxE,4DAA4D;IAC5D,MAAM,OAAO,GAAG,MAAM,eAAe;SAClC,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;SAC5B,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC;SACvB,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;IAC1D,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QAClB,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,YAAY,CAAC,eAAe,EAAE,cAAc,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;QAC5E,CAAC;QACD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iCAAiC,CAAC,CAAA;IAC1E,CAAC;IAED,2EAA2E;IAC3E,wEAAwE;IACxE,sDAAsD;IACtD,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;IAExG,yEAAyE;IACzE,2EAA2E;IAC3E,OAAO,WAAW,CAAC;QACjB,MAAM,EAAU,WAAW,CAAC,MAAM;QAClC,QAAQ,EAAQ,MAAM,CAAC,QAAQ;QAC/B,MAAM;QACN,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAQ,YAAY,CAAC,QAAQ,IAAI,IAAI;KAC9C,CAAC,CAAA;AACJ,CAAC;AAED
|
|
1
|
+
{"version":3,"file":"refresh-token.js","sourceRoot":"","sources":["../../src/grants/refresh-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AACvC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAIzC,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAA;AAC9E,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAqB,MAAM,mBAAmB,CAAA;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,6BAA6B,EAAE,MAAM,oBAAoB,CAAA;AAUlE;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAA2B;IACjE,IAAI,MAAM,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QACzC,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,oCAAoC,CAAC,CAAA;IACtF,CAAC;IAED,MAAM,SAAS,GAAS,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IACpD,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAA;IAC1D,MAAM,cAAc,GAAI,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;IAEnD,kBAAkB;IAClB,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IACzF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAA;IAClE,CAAC;IAED,MAAM,6BAA6B,CAAC,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,CAAA;IAEhE,wEAAwE;IACxE,2EAA2E;IAC3E,sEAAsE;IACtE,0EAA0E;IAC1E,sEAAsE;IACtE,MAAM,gBAAgB,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IACnE,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,KAAK,EAAyB,CAAA;IAC9G,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,0BAA0B,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACzB,sEAAsE;QACtE,oEAAoE;QACpE,qEAAqE;QACrE,kEAAkE;QAClE,gEAAgE;QAChE,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,YAAY,CAAC,eAAe,EAAE,cAAc,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;QAC5E,CAAC;QACD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iCAAiC,CAAC,CAAA;IAC1E,CAAC;IACD,IAAI,mBAAmB,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,4BAA4B,CAAC,CAAA;IACrE,CAAC;IAED,sDAAsD;IACtD,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC,aAAa,CAAC,CAAC,KAAK,EAAwB,CAAA;IAC9G,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,oCAAoC,CAAC,CAAA;IAC7E,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,8CAA8C,CAAC,CAAA;IACvF,CAAC;IAED,gDAAgD;IAChD,MAAM,cAAc,GAAG,kBAAkB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAA;IAChE,IAAI,MAAM,GAAG,cAAc,CAAA;IAC3B,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC3C,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;QACnG,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,gDAAgD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC7G,CAAC;QACD,MAAM,GAAG,SAAS,CAAA;IACpB,CAAC;IAED,2EAA2E;IAC3E,2EAA2E;IAC3E,0EAA0E;IAC1E,2EAA2E;IAC3E,wEAAwE;IACxE,4DAA4D;IAC5D,MAAM,OAAO,GAAG,MAAM,eAAe;SAClC,KAAK,CAAC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;SAC5B,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC;SACvB,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;IAC1D,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QAClB,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,YAAY,CAAC,eAAe,EAAE,cAAc,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;QAC5E,CAAC;QACD,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iCAAiC,CAAC,CAAA;IAC1E,CAAC;IAED,2EAA2E;IAC3E,wEAAwE;IACxE,sDAAsD;IACtD,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;IAExG,yEAAyE;IACzE,2EAA2E;IAC3E,OAAO,WAAW,CAAC;QACjB,MAAM,EAAU,WAAW,CAAC,MAAM;QAClC,QAAQ,EAAQ,MAAM,CAAC,QAAQ;QAC/B,MAAM;QACN,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAQ,YAAY,CAAC,QAAQ,IAAI,IAAI;KAC9C,CAAC,CAAA;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,eAAoC,EACpC,cAAmC,EACnC,QAAgB;IAEhB,IAAI,CAAC;QACH,oEAAoE;QACpE,mEAAmE;QACnE,qEAAqE;QACrE,+DAA+D;QAC/D,qEAAqE;QACrE,6CAA6C;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,GAAG,EAAoB,CAAA;QACxF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAM;QAE/B,MAAM,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC;aAC9C,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC;aACvB,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;QAE1D,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,aAAa,CAAC,CAAA;QACzD,wEAAwE;QACxE,mEAAmE;QACnE,MAAM,cAAc,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;aAC3D,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;IAC5D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,0EAA0E;QAC1E,0EAA0E;QAC1E,+CAA+C;QAC/C,MAAM,CAAC,CAAC,CAAC,CAAA;IACX,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,
|
|
1
|
+
{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CA4GrG"}
|
package/dist/routes/authorize.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { Passport } from '../Passport.js';
|
|
2
|
-
import { validateAuthorizationRequest, issueAuthCode, validateScopes } from '../grants/index.js';
|
|
2
|
+
import { validateAuthorizationRequest, issueAuthCode, validateScopes, enforceAuthCodePolicy } from '../grants/index.js';
|
|
3
3
|
import { authErrorResponse, requesterIdFrom, validateClientRedirect } from './helpers.js';
|
|
4
4
|
/**
|
|
5
5
|
* Register `GET/POST/DELETE /oauth/authorize` — the consent flow.
|
|
@@ -69,12 +69,16 @@ export function registerAuthorizeRoutes(router, prefix, mw) {
|
|
|
69
69
|
return;
|
|
70
70
|
}
|
|
71
71
|
const client = await validateClientRedirect(body['client_id'], body['redirect_uri']);
|
|
72
|
-
// The POST body is attacker-controlled
|
|
73
|
-
//
|
|
74
|
-
//
|
|
75
|
-
//
|
|
76
|
-
//
|
|
77
|
-
//
|
|
72
|
+
// The POST body is attacker-controlled and the GET validation is only
|
|
73
|
+
// advisory (echoed to the consent UI, never enforced here), so re-enforce
|
|
74
|
+
// the client policy on issuance: grant-type + PKCE (a public client MUST
|
|
75
|
+
// send a code_challenge and MUST use S256 — otherwise PKCE is defeated)
|
|
76
|
+
// and the requested scopes (global registry + per-client allow-list).
|
|
77
|
+
// #1082 closed the scope half; the PKCE/grant half was still open.
|
|
78
|
+
enforceAuthCodePolicy(client, {
|
|
79
|
+
codeChallenge: body['code_challenge'],
|
|
80
|
+
codeChallengeMethod: body['code_challenge_method'],
|
|
81
|
+
});
|
|
78
82
|
const requestedScopes = Array.isArray(body['scopes']) ? body['scopes'] : [];
|
|
79
83
|
validateScopes(client, requestedScopes);
|
|
80
84
|
const code = await issueAuthCode({
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;
|
|
1
|
+
{"version":3,"file":"authorize.js","sourceRoot":"","sources":["../../src/routes/authorize.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AACzC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA;AAEvH,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEzF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IAC7F,4EAA4E;IAC5E,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,EAAE,CAAA;QAC7B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC;gBACnD,QAAQ,EAAa,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE;gBAC7C,WAAW,EAAU,KAAK,CAAC,cAAc,CAAC,IAAI,EAAE;gBAChD,YAAY,EAAS,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE;gBACjD,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;gBACzC,KAAK,EAAgB,KAAK,CAAC,OAAO,CAAC;gBACnC,aAAa,EAAQ,KAAK,CAAC,gBAAgB,CAAC;gBAC5C,mBAAmB,EAAE,KAAK,CAAC,uBAAuB,CAAC;aACpD,CAAC,CAAA;YAEF,MAAM,GAAG,GAAG;gBACV,MAAM,EAAE;oBACN,EAAE,EAAI,SAAS,CAAC,MAAM,CAAC,EAAE;oBACzB,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI;iBAC5B;gBACD,MAAM,EAAO,SAAS,CAAC,MAAM;gBAC7B,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,GAAG,CAAC,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5F,GAAG,CAAC,SAAS,CAAC,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9G,OAAO,EAAE,GAAG;aACb,CAAA;YAED,MAAM,MAAM,GAAG,QAAQ,CAAC,mBAAmB,EAAE,CAAA;YAC7C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;YAC1B,CAAC;YAED,+DAA+D;YAC/D,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,MAAM,EAAO,GAAG,CAAC,MAAM;gBACvB,KAAK,EAAQ,GAAG,CAAC,KAAK;gBACtB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC9D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,gEAAgE;gBAChE,mEAAmE;gBACnE,MAAM,SAAS,GAAG,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;gBACpG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;gBAC9G,OAAM;YACR,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAEpF,sEAAsE;YACtE,0EAA0E;YAC1E,yEAAyE;YACzE,wEAAwE;YACxE,sEAAsE;YACtE,mEAAmE;YACnE,qBAAqB,CAAC,MAAM,EAAE;gBAC5B,aAAa,EAAQ,IAAI,CAAC,gBAAgB,CAAC;gBAC3C,mBAAmB,EAAE,IAAI,CAAC,uBAAuB,CAAC;aACnD,CAAC,CAAA;YACF,MAAM,eAAe,GAAa,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACrF,cAAc,CAAC,MAAM,EAAE,eAAe,CAAC,CAAA;YAEvC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;gBAC/B,MAAM;gBACN,QAAQ,EAAa,IAAI,CAAC,WAAW,CAAC;gBACtC,MAAM,EAAe,eAAe;gBACpC,WAAW,EAAU,IAAI,CAAC,cAAc,CAAC;gBACzC,aAAa,EAAQ,IAAI,CAAC,gBAAgB,CAAC;gBAC3C,mBAAmB,EAAE,IAAI,CAAC,uBAAuB,CAAC;aACnD,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;YAC1C,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,wCAAwC;IACxC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,YAAY,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,IAAI,CAAC;YACH,MAAM,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YAErE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAA;YACjD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAA;YACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,8BAA8B,CAAC,CAAA;YACjF,IAAI,IAAI,CAAC,OAAO,CAAC;gBAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;YAEvE,GAAG,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,iBAAiB,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC1C,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;
|
|
1
|
+
{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAM5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAiCjG"}
|
package/dist/routes/revoke.js
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { Passport } from '../Passport.js';
|
|
2
2
|
import { RequireBearer } from '../middleware/bearer.js';
|
|
3
|
+
import { revokeFamily } from '../grants/refresh-token.js';
|
|
3
4
|
import { requesterIdFrom } from './helpers.js';
|
|
4
5
|
/**
|
|
5
6
|
* Register `DELETE /oauth/tokens/:id` — revoke a specific access token.
|
|
@@ -27,6 +28,19 @@ export function registerRevokeRoute(router, prefix, mw) {
|
|
|
27
28
|
// `revoked` is no longer in `AccessToken.fillable`.
|
|
28
29
|
await AccessTokenCls.where('id', token.id)
|
|
29
30
|
.updateAll({ revoked: true });
|
|
31
|
+
// RFC 7009 §2.1: revoking an access token MUST also invalidate the refresh
|
|
32
|
+
// token issued with it — otherwise the holder of the refresh token just
|
|
33
|
+
// mints a fresh pair and the revocation is moot. Revoke the directly-paired
|
|
34
|
+
// refresh token(s), and if any belong to a rotation family, kill the whole
|
|
35
|
+
// chain so an earlier-rotated refresh token can't resurrect the session.
|
|
36
|
+
const RefreshTokenCls = await Passport.refreshTokenModel();
|
|
37
|
+
const paired = await RefreshTokenCls.where('accessTokenId', token.id).get();
|
|
38
|
+
await RefreshTokenCls.where('accessTokenId', token.id)
|
|
39
|
+
.updateAll({ revoked: true });
|
|
40
|
+
const familyIds = [...new Set(paired.map(rt => rt.familyId).filter((f) => !!f))];
|
|
41
|
+
for (const familyId of familyIds) {
|
|
42
|
+
await revokeFamily(RefreshTokenCls, AccessTokenCls, familyId);
|
|
43
|
+
}
|
|
30
44
|
res.status(204).send();
|
|
31
45
|
}, [RequireBearer(), ...mw]);
|
|
32
46
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAA;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAA;AAEzD,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAE9C;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IACzF,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,aAAa,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QACjE,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;QACxC,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;QAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,EAAwB,CAAA;QAErF,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,CAAC,CAAA;YACnF,OAAM;QACR,CAAC;QAED,gEAAgE;QAChE,oDAAoD;QACpD,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;aACvC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;QAE1D,2EAA2E;QAC3E,wEAAwE;QACxE,4EAA4E;QAC5E,2EAA2E;QAC3E,yEAAyE;QACzE,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,CAAA;QAC1D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,GAAG,EAAoB,CAAA;QAC7F,MAAM,eAAe,CAAC,KAAK,CAAC,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC;aACnD,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;QAC1D,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAC7F,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,YAAY,CAAC,eAAe,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAA;QAC/D,CAAC;QAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACxB,CAAC,EAAE,CAAC,aAAa,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAA;AAC9B,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@rudderjs/passport",
|
|
3
|
-
"version": "2.0.
|
|
3
|
+
"version": "2.0.2",
|
|
4
4
|
"rudderjs": {
|
|
5
5
|
"provider": "PassportProvider",
|
|
6
6
|
"stage": "infrastructure",
|
|
@@ -41,15 +41,15 @@
|
|
|
41
41
|
}
|
|
42
42
|
},
|
|
43
43
|
"dependencies": {
|
|
44
|
-
"@rudderjs/
|
|
45
|
-
"@rudderjs/
|
|
46
|
-
"@rudderjs/
|
|
44
|
+
"@rudderjs/orm": "^1.21.2",
|
|
45
|
+
"@rudderjs/core": "^1.13.0",
|
|
46
|
+
"@rudderjs/contracts": "^1.17.1"
|
|
47
47
|
},
|
|
48
48
|
"devDependencies": {
|
|
49
49
|
"@types/node": "^20.0.0",
|
|
50
50
|
"typescript": "^5.4.0",
|
|
51
51
|
"tsx": "^4.0.0",
|
|
52
|
-
"@rudderjs/console": "^1.4.
|
|
52
|
+
"@rudderjs/console": "^1.4.2"
|
|
53
53
|
},
|
|
54
54
|
"author": "Suleiman Shahbari",
|
|
55
55
|
"scripts": {
|