@steedos/accounts 2.2.52-beta.36 → 2.2.52-beta.39
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/core/index.js +2 -2
- package/lib/core/index.js.map +1 -1
- package/lib/database-mongo/mongo.js +12 -12
- package/lib/database-mongo/mongo.js.map +1 -1
- package/lib/index.js +2 -19
- package/lib/index.js.map +1 -1
- package/package.json +12 -16
- package/src/core/index.ts +2 -2
- package/src/database-mongo/mongo.ts +26 -26
- package/src/index.ts +2 -16
- package/lib/oauth2/client.js +0 -1
- package/lib/oauth2/client.js.map +0 -1
- package/lib/oauth2/config.js +0 -14
- package/lib/oauth2/config.js.map +0 -1
- package/lib/oauth2/consent.js +0 -192
- package/lib/oauth2/consent.js.map +0 -1
- package/lib/oauth2/login.js +0 -166
- package/lib/oauth2/login.js.map +0 -1
- package/lib/oauth2/logout.js +0 -60
- package/lib/oauth2/logout.js.map +0 -1
- package/lib/oauth2/stub/oidc-cert.js +0 -67
- package/lib/oauth2/stub/oidc-cert.js.map +0 -1
- package/lib/saml-idp/config.js +0 -82
- package/lib/saml-idp/config.js.map +0 -1
- package/lib/saml-idp/connectedApps.js +0 -20
- package/lib/saml-idp/connectedApps.js.map +0 -1
- package/lib/saml-idp/express-middleware.js +0 -684
- package/lib/saml-idp/express-middleware.js.map +0 -1
- package/lib/saml-idp/index.js +0 -13
- package/lib/saml-idp/index.js.map +0 -1
- package/lib/saml-idp/simpleProfileMapper.js +0 -75
- package/lib/saml-idp/simpleProfileMapper.js.map +0 -1
- package/src/oauth2/client.ts +0 -0
- package/src/oauth2/config.ts +0 -15
- package/src/oauth2/consent.ts +0 -208
- package/src/oauth2/login.ts +0 -179
- package/src/oauth2/logout.ts +0 -66
- package/src/oauth2/stub/oidc-cert.ts +0 -86
- package/src/saml-idp/config.js +0 -85
- package/src/saml-idp/connectedApps.ts +0 -16
- package/src/saml-idp/express-middleware.js +0 -811
- package/src/saml-idp/index.ts +0 -14
- package/src/saml-idp/simpleProfileMapper.js +0 -82
- package/src/saml-idp/views/error.hbs +0 -11
- package/src/saml-idp/views/layout.hbs +0 -72
- package/src/saml-idp/views/samlresponse.hbs +0 -20
- package/src/saml-idp/views/settings.hbs +0 -175
- package/src/saml-idp/views/user.hbs +0 -261
- package/views/oauth2/consent.pug +0 -141
|
@@ -7,7 +7,7 @@ import {
|
|
|
7
7
|
User,
|
|
8
8
|
} from '../types';
|
|
9
9
|
import { get, merge, trim, map } from 'lodash';
|
|
10
|
-
import { Collection, Db,
|
|
10
|
+
import { Collection, Db, ObjectId } from 'mongodb';
|
|
11
11
|
|
|
12
12
|
import { AccountsMongoOptions, MongoUser } from './types';
|
|
13
13
|
import { getSessionByUserId, hashStampedToken } from '@steedos/auth';
|
|
@@ -17,9 +17,9 @@ import { getDataSource } from '@steedos/objectql';
|
|
|
17
17
|
|
|
18
18
|
const moment = require("moment");
|
|
19
19
|
|
|
20
|
-
const toMongoID = (objectId: string |
|
|
20
|
+
const toMongoID = (objectId: string | ObjectId) => {
|
|
21
21
|
if (typeof objectId === "string") {
|
|
22
|
-
return new
|
|
22
|
+
return new ObjectId(objectId);
|
|
23
23
|
}
|
|
24
24
|
return objectId;
|
|
25
25
|
};
|
|
@@ -164,15 +164,15 @@ export class Mongo implements DatabaseInterface {
|
|
|
164
164
|
}
|
|
165
165
|
|
|
166
166
|
user.steedos_id = user._id;
|
|
167
|
-
const ret = await this.collection.insertOne(user);
|
|
168
|
-
return
|
|
167
|
+
const ret = await this.collection.insertOne(user as any);
|
|
168
|
+
return user._id as string;
|
|
169
169
|
}
|
|
170
170
|
|
|
171
171
|
public async findUserById(userId: string): Promise<User | null> {
|
|
172
172
|
const id = this.options.convertUserIdToMongoObjectId
|
|
173
173
|
? toMongoID(userId)
|
|
174
174
|
: userId;
|
|
175
|
-
const user = await this.collection.findOne({ _id: id });
|
|
175
|
+
const user:any = await this.collection.findOne({ _id: id });
|
|
176
176
|
if (user) {
|
|
177
177
|
user.id = user._id.toString();
|
|
178
178
|
}
|
|
@@ -180,7 +180,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
180
180
|
}
|
|
181
181
|
|
|
182
182
|
public async findUserByEmail(email: string): Promise<User | null> {
|
|
183
|
-
const user = await this.collection.findOne({
|
|
183
|
+
const user:any = await this.collection.findOne({
|
|
184
184
|
email: email.toLowerCase(),
|
|
185
185
|
});
|
|
186
186
|
if (user) {
|
|
@@ -197,7 +197,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
197
197
|
if (encryptedMobile) {
|
|
198
198
|
selector.mobile = encryptedMobile;
|
|
199
199
|
}
|
|
200
|
-
const user = await this.collection.findOne(selector);
|
|
200
|
+
const user:any = await this.collection.findOne(selector);
|
|
201
201
|
if (user) {
|
|
202
202
|
user.id = user._id.toString();
|
|
203
203
|
}
|
|
@@ -210,7 +210,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
210
210
|
: {
|
|
211
211
|
$where: `obj.username && (obj.username.toLowerCase() === "${username.toLowerCase()}")`,
|
|
212
212
|
};
|
|
213
|
-
const user = await this.collection.findOne(filter);
|
|
213
|
+
const user:any = await this.collection.findOne(filter);
|
|
214
214
|
if (user) {
|
|
215
215
|
user.id = user._id.toString();
|
|
216
216
|
}
|
|
@@ -228,7 +228,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
228
228
|
public async findUserByEmailVerificationToken(
|
|
229
229
|
token: string
|
|
230
230
|
): Promise<User | null> {
|
|
231
|
-
const user = await this.collection.findOne({
|
|
231
|
+
const user:any = await this.collection.findOne({
|
|
232
232
|
"services.email.verificationTokens.token": token,
|
|
233
233
|
});
|
|
234
234
|
if (user) {
|
|
@@ -240,7 +240,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
240
240
|
public async findUserByResetPasswordToken(
|
|
241
241
|
token: string
|
|
242
242
|
): Promise<User | null> {
|
|
243
|
-
const user = await this.collection.findOne({
|
|
243
|
+
const user:any = await this.collection.findOne({
|
|
244
244
|
"services.password.reset.token": token,
|
|
245
245
|
});
|
|
246
246
|
if (user) {
|
|
@@ -253,7 +253,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
253
253
|
serviceName: string,
|
|
254
254
|
serviceId: string
|
|
255
255
|
): Promise<User | null> {
|
|
256
|
-
const user = await this.collection.findOne({
|
|
256
|
+
const user:any = await this.collection.findOne({
|
|
257
257
|
[`services.${serviceName}.id`]: serviceId,
|
|
258
258
|
});
|
|
259
259
|
if (user) {
|
|
@@ -299,7 +299,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
299
299
|
},
|
|
300
300
|
}
|
|
301
301
|
);
|
|
302
|
-
if (ret.
|
|
302
|
+
if (ret.matchedCount === 0) {
|
|
303
303
|
throw new Error("User not found");
|
|
304
304
|
}
|
|
305
305
|
}
|
|
@@ -317,7 +317,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
317
317
|
},
|
|
318
318
|
}
|
|
319
319
|
);
|
|
320
|
-
if (ret.
|
|
320
|
+
if (ret.matchedCount === 0) {
|
|
321
321
|
throw new Error("User not found");
|
|
322
322
|
}
|
|
323
323
|
}
|
|
@@ -348,7 +348,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
348
348
|
},
|
|
349
349
|
}
|
|
350
350
|
);
|
|
351
|
-
if (ret.
|
|
351
|
+
if (ret.matchedCount === 0) {
|
|
352
352
|
throw new Error("User not found");
|
|
353
353
|
}
|
|
354
354
|
}
|
|
@@ -393,7 +393,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
393
393
|
},
|
|
394
394
|
}
|
|
395
395
|
);
|
|
396
|
-
if (ret.
|
|
396
|
+
if (ret.matchedCount === 0) {
|
|
397
397
|
throw new Error("User not found");
|
|
398
398
|
}
|
|
399
399
|
}
|
|
@@ -409,9 +409,9 @@ export class Mongo implements DatabaseInterface {
|
|
|
409
409
|
if (existed > 0) {
|
|
410
410
|
throw new Error("该手机号已被其他用户注册");
|
|
411
411
|
}
|
|
412
|
-
let user = await this.collection.findOne(
|
|
412
|
+
let user:any = await this.collection.findOne(
|
|
413
413
|
{ _id: id },
|
|
414
|
-
{
|
|
414
|
+
{ projection: { mobile: 1 } }
|
|
415
415
|
);
|
|
416
416
|
if (user && user.mobile != newMobile) {
|
|
417
417
|
const ret = await this.collection.updateOne(
|
|
@@ -454,7 +454,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
454
454
|
}
|
|
455
455
|
let user = await this.collection.findOne(
|
|
456
456
|
{ _id: id },
|
|
457
|
-
{
|
|
457
|
+
{ projection: { email: 1 } }
|
|
458
458
|
);
|
|
459
459
|
if (user && user.email != newEmail) {
|
|
460
460
|
const ret = await this.collection.updateOne(
|
|
@@ -498,7 +498,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
498
498
|
},
|
|
499
499
|
}
|
|
500
500
|
);
|
|
501
|
-
if (ret.
|
|
501
|
+
if (ret.matchedCount === 0) {
|
|
502
502
|
throw new Error("User not found");
|
|
503
503
|
}
|
|
504
504
|
}
|
|
@@ -522,7 +522,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
522
522
|
},
|
|
523
523
|
}
|
|
524
524
|
);
|
|
525
|
-
if (ret.
|
|
525
|
+
if (ret.matchedCount === 0) {
|
|
526
526
|
throw new Error("User not found");
|
|
527
527
|
}
|
|
528
528
|
}
|
|
@@ -651,7 +651,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
651
651
|
|
|
652
652
|
const ret = await this.sessionCollection.insertOne(session);
|
|
653
653
|
await this.updateMeteorSession(userId, token, infos);
|
|
654
|
-
return ret.
|
|
654
|
+
return ret.insertedId.toString();
|
|
655
655
|
}
|
|
656
656
|
|
|
657
657
|
public async updateSession(
|
|
@@ -711,7 +711,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
711
711
|
}
|
|
712
712
|
|
|
713
713
|
public async findSessionByToken(token: string): Promise<Session | null> {
|
|
714
|
-
const session = await this.sessionCollection.findOne({ token });
|
|
714
|
+
const session:any = await this.sessionCollection.findOne({ token });
|
|
715
715
|
if (session) {
|
|
716
716
|
session.id = session._id.toString();
|
|
717
717
|
}
|
|
@@ -722,7 +722,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
722
722
|
const _id = this.options.convertSessionIdToMongoObjectId
|
|
723
723
|
? toMongoID(sessionId)
|
|
724
724
|
: sessionId;
|
|
725
|
-
const session = await this.sessionCollection.findOne({ _id });
|
|
725
|
+
const session:any = await this.sessionCollection.findOne({ _id });
|
|
726
726
|
if (session) {
|
|
727
727
|
session.id = session._id.toString();
|
|
728
728
|
}
|
|
@@ -799,7 +799,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
799
799
|
if (owner) {
|
|
800
800
|
query.owner = owner;
|
|
801
801
|
}
|
|
802
|
-
let record = await this.codeCollection.findOne(query);
|
|
802
|
+
let record:any = await this.codeCollection.findOne(query);
|
|
803
803
|
if (record) {
|
|
804
804
|
// if(record.failureCount >= MAX_FAILURE_COUNT){
|
|
805
805
|
// throw new Error('accounts.tooManyFailures');
|
|
@@ -818,7 +818,7 @@ export class Mongo implements DatabaseInterface {
|
|
|
818
818
|
}
|
|
819
819
|
|
|
820
820
|
let result = await this.codeCollection.insertOne(doc);
|
|
821
|
-
record = result
|
|
821
|
+
record = result;
|
|
822
822
|
}
|
|
823
823
|
return record;
|
|
824
824
|
}
|
package/src/index.ts
CHANGED
|
@@ -15,11 +15,7 @@ import { URL } from 'url';
|
|
|
15
15
|
import * as bodyParser from 'body-parser';
|
|
16
16
|
import { sendMail, sendSMS } from './core';
|
|
17
17
|
|
|
18
|
-
import oauth2Consent from './oauth2/consent';
|
|
19
|
-
import oauth2Login from './oauth2/login';
|
|
20
|
-
import oauth2Logout from './oauth2/logout';
|
|
21
18
|
import initServer from './rest-express/endpoints/initServer';
|
|
22
|
-
export { hydraAdmin } from './oauth2/config';
|
|
23
19
|
export { setAuthCookies, clearAuthCookies } from './rest-express/utils/steedos-auth';
|
|
24
20
|
export { getMergedTenant } from './core';
|
|
25
21
|
|
|
@@ -39,17 +35,15 @@ function getAccountsServer() {
|
|
|
39
35
|
const { keyVaultNamespace, getKMSProviders } = getMongoFieldEncryptionConsts();
|
|
40
36
|
const kmsProvider = getKMSProviders();
|
|
41
37
|
mongoose.connect(mongoUrl, {
|
|
42
|
-
useNewUrlParser: true,
|
|
43
|
-
useUnifiedTopology: true,
|
|
44
38
|
monitorCommands: true,
|
|
45
39
|
autoEncryption: {
|
|
46
40
|
keyVaultNamespace: keyVaultNamespace,
|
|
47
41
|
kmsProviders: kmsProvider,
|
|
48
42
|
bypassAutoEncryption: true,
|
|
49
43
|
}
|
|
50
|
-
});
|
|
44
|
+
} as any);
|
|
51
45
|
} else {
|
|
52
|
-
mongoose.connect(mongoUrl
|
|
46
|
+
mongoose.connect(mongoUrl);
|
|
53
47
|
}
|
|
54
48
|
const connection = mongoose.connection;
|
|
55
49
|
|
|
@@ -178,13 +172,5 @@ export function init(context) {
|
|
|
178
172
|
|
|
179
173
|
context.app.use("/initServer", initServer);
|
|
180
174
|
|
|
181
|
-
context.app.use("/oauth2/consent", userLoader(accountsServer), oauth2Consent);
|
|
182
|
-
context.app.use("/oauth2/login", userLoader(accountsServer), oauth2Login);
|
|
183
|
-
context.app.use("/oauth2/logout", oauth2Logout);
|
|
184
|
-
// if (typeof WebApp !== 'undefined'){
|
|
185
|
-
// const app = express();
|
|
186
|
-
// app.use("/accounts", bodyParser.urlencoded({ extended: false }), bodyParser.json(), accountsRouter)
|
|
187
|
-
// WebApp.rawConnectHandlers.use(app)
|
|
188
|
-
// }
|
|
189
175
|
})
|
|
190
176
|
}
|
package/lib/oauth2/client.js
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
//# sourceMappingURL=client.js.map
|
package/lib/oauth2/client.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/oauth2/client.ts"],"names":[],"mappings":""}
|
package/lib/oauth2/config.js
DELETED
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.hydraAdmin = void 0;
|
|
4
|
-
var hydra_client_1 = require("@oryd/hydra-client");
|
|
5
|
-
var baseOptions = {};
|
|
6
|
-
if (process.env.STEEDOS_MOCK_TLS_TERMINATION) {
|
|
7
|
-
baseOptions.headers = { 'X-Forwarded-Proto': 'https' };
|
|
8
|
-
}
|
|
9
|
-
var hydraAdmin = new hydra_client_1.AdminApi(new hydra_client_1.Configuration({
|
|
10
|
-
basePath: process.env.STEEDOS_HYDRA_ADMIN_URL,
|
|
11
|
-
baseOptions: baseOptions
|
|
12
|
-
}));
|
|
13
|
-
exports.hydraAdmin = hydraAdmin;
|
|
14
|
-
//# sourceMappingURL=config.js.map
|
package/lib/oauth2/config.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/oauth2/config.ts"],"names":[],"mappings":";;;AAAA,mDAA4D;AAC5D,IAAM,WAAW,GAAQ,EAAE,CAAA;AAE3B,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE;IAC5C,WAAW,CAAC,OAAO,GAAG,EAAE,mBAAmB,EAAE,OAAO,EAAE,CAAA;CACvD;AAED,IAAM,UAAU,GAAG,IAAI,uBAAQ,CAC7B,IAAI,4BAAa,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB;IAC7C,WAAW,aAAA;CACZ,CAAC,CACH,CAAA;AAEQ,gCAAU"}
|
package/lib/oauth2/consent.js
DELETED
|
@@ -1,192 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
var express = require("express");
|
|
4
|
-
var url = require("url");
|
|
5
|
-
var config_1 = require("./config");
|
|
6
|
-
var oidc_cert_1 = require("./stub/oidc-cert");
|
|
7
|
-
var _ = require('lodash');
|
|
8
|
-
var csrf = require('csurf');
|
|
9
|
-
var urljoin = require('url-join');
|
|
10
|
-
var pug = require('pug');
|
|
11
|
-
var path = require('path');
|
|
12
|
-
// Sets up csrf protection
|
|
13
|
-
var csrfProtection = csrf({ cookie: true });
|
|
14
|
-
var router = express.Router();
|
|
15
|
-
var getOAuthSession = function (user, grantScope) {
|
|
16
|
-
// The session allows us to set session data for id and access tokens
|
|
17
|
-
var session = {
|
|
18
|
-
// This data will be available when introspecting the token. Try to avoid sensitive information here,
|
|
19
|
-
// unless you limit who can introspect tokens.
|
|
20
|
-
access_token: {
|
|
21
|
-
// foo: 'bar'
|
|
22
|
-
},
|
|
23
|
-
// This data will be available in the ID token.
|
|
24
|
-
id_token: {
|
|
25
|
-
// baz: 'bar'
|
|
26
|
-
}
|
|
27
|
-
};
|
|
28
|
-
var _grantScope = grantScope;
|
|
29
|
-
if (!_.isArray(_grantScope)) {
|
|
30
|
-
_grantScope = [_grantScope];
|
|
31
|
-
}
|
|
32
|
-
_.each(_grantScope, function (scope) {
|
|
33
|
-
if (scope === 'profile') {
|
|
34
|
-
session.id_token.steedos_id = user.steedos_id;
|
|
35
|
-
session.id_token.name = user.name;
|
|
36
|
-
session.id_token.username = user.username;
|
|
37
|
-
session.id_token.mobile = user.mobile;
|
|
38
|
-
session.id_token.email = user.email;
|
|
39
|
-
// (session.id_token as any).job_number = user.job_number;
|
|
40
|
-
session.id_token.locale = user.locale;
|
|
41
|
-
session.id_token.space = user.spaces && user.spaces.length > 0 ? user.spaces[0] : null;
|
|
42
|
-
// (session.id_token as any).profile = user.profile;
|
|
43
|
-
session.id_token.userId = user.userId;
|
|
44
|
-
session.id_token.mobile_verified = user.mobile_verified;
|
|
45
|
-
session.id_token.email_verified = user.email_verified;
|
|
46
|
-
session.id_token.utcOffset = user.utcOffset;
|
|
47
|
-
}
|
|
48
|
-
});
|
|
49
|
-
return session;
|
|
50
|
-
};
|
|
51
|
-
router.get('/', csrfProtection, function (req, res, next) {
|
|
52
|
-
// Parses the URL query
|
|
53
|
-
var query = url.parse(req.url, true).query;
|
|
54
|
-
// The challenge is used to fetch information about the consent request from ORY hydraAdmin.
|
|
55
|
-
var challenge = String(query.consent_challenge);
|
|
56
|
-
if (!challenge) {
|
|
57
|
-
next(new Error('Expected a consent challenge to be set but received none.'));
|
|
58
|
-
return;
|
|
59
|
-
}
|
|
60
|
-
var user = req.user;
|
|
61
|
-
if (!user) {
|
|
62
|
-
return res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/consent?consent_challenge=".concat(challenge))));
|
|
63
|
-
}
|
|
64
|
-
// This section processes consent requests and either shows the consent UI or
|
|
65
|
-
// accepts the consent request right away if the user has given consent to this
|
|
66
|
-
// app before
|
|
67
|
-
config_1.hydraAdmin
|
|
68
|
-
.getConsentRequest(challenge)
|
|
69
|
-
// This will be called if the HTTP request was successful
|
|
70
|
-
.then(function (_a) {
|
|
71
|
-
var body = _a.data;
|
|
72
|
-
// If a user has granted this application the requested scope, hydra will tell us to not show the UI.
|
|
73
|
-
if (body.skip) {
|
|
74
|
-
// You can apply logic here, for example grant another scope, or do whatever...
|
|
75
|
-
// ...
|
|
76
|
-
// Now it's time to grant the consent request. You could also deny the request if something went terribly wrong
|
|
77
|
-
return config_1.hydraAdmin
|
|
78
|
-
.acceptConsentRequest(challenge, {
|
|
79
|
-
// We can grant all scopes that have been requested - hydra already checked for us that no additional scopes
|
|
80
|
-
// are requested accidentally.
|
|
81
|
-
grant_scope: body.requested_scope,
|
|
82
|
-
// ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
|
|
83
|
-
grant_access_token_audience: body.requested_access_token_audience,
|
|
84
|
-
// The session allows us to set session data for id and access tokens
|
|
85
|
-
session: getOAuthSession(user, body.requested_scope)
|
|
86
|
-
})
|
|
87
|
-
.then(function (_a) {
|
|
88
|
-
var body = _a.data;
|
|
89
|
-
// All we need to do now is to redirect the user back to hydra!
|
|
90
|
-
res.redirect(String(body.redirect_to));
|
|
91
|
-
});
|
|
92
|
-
}
|
|
93
|
-
// If consent can't be skipped we MUST show the consent UI.
|
|
94
|
-
// return res.status(200).send({
|
|
95
|
-
// csrfToken: (req as any).csrfToken(),
|
|
96
|
-
// challenge: challenge,
|
|
97
|
-
// // We have a bunch of data available from the response, check out the API docs to find what these values mean
|
|
98
|
-
// // and what additional data you have available.
|
|
99
|
-
// requested_scope: body.requested_scope,
|
|
100
|
-
// user: body.subject,
|
|
101
|
-
// client: body.client,
|
|
102
|
-
// action: urljoin(process.env.BASE_URL || '', '/consent')
|
|
103
|
-
// })
|
|
104
|
-
var fn = pug.compileFile(path.join(__dirname, '..', '..', './views/oauth2/consent.pug'), {});
|
|
105
|
-
return res.status(200).send(fn({
|
|
106
|
-
csrfToken: req.csrfToken(),
|
|
107
|
-
challenge: challenge,
|
|
108
|
-
// We have a bunch of data available from the response, check out the API docs to find what these values mean
|
|
109
|
-
// and what additional data you have available.
|
|
110
|
-
requested_scope: body.requested_scope,
|
|
111
|
-
user: body.subject,
|
|
112
|
-
userInfo: user,
|
|
113
|
-
client: body.client,
|
|
114
|
-
action: Meteor.absoluteUrl("/oauth2/consent")
|
|
115
|
-
}));
|
|
116
|
-
})
|
|
117
|
-
// This will handle any error that happens when making HTTP calls to hydra
|
|
118
|
-
.catch(next);
|
|
119
|
-
// The consent request has now either been accepted automatically or rendered.
|
|
120
|
-
});
|
|
121
|
-
router.post('/', csrfProtection, function (req, res, next) {
|
|
122
|
-
var user = req.user;
|
|
123
|
-
// The challenge is now a hidden input field, so let's take it from the request body instead
|
|
124
|
-
var challenge = req.body.challenge;
|
|
125
|
-
if (!challenge) {
|
|
126
|
-
next(new Error('Expected a consent challenge to be set but received none.'));
|
|
127
|
-
return;
|
|
128
|
-
}
|
|
129
|
-
if (!user) {
|
|
130
|
-
return res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/consent?consent_challenge=".concat(challenge))));
|
|
131
|
-
}
|
|
132
|
-
// Let's see if the user decided to accept or reject the consent request..
|
|
133
|
-
if (req.body.submit === 'Deny access') {
|
|
134
|
-
// Looks like the consent request was denied by the user
|
|
135
|
-
return (config_1.hydraAdmin
|
|
136
|
-
.rejectConsentRequest(challenge, {
|
|
137
|
-
error: 'access_denied',
|
|
138
|
-
error_description: 'The resource owner denied the request'
|
|
139
|
-
})
|
|
140
|
-
.then(function (_a) {
|
|
141
|
-
var body = _a.data;
|
|
142
|
-
// All we need to do now is to redirect the browser back to hydra!
|
|
143
|
-
res.redirect(String(body.redirect_to));
|
|
144
|
-
})
|
|
145
|
-
// This will handle any error that happens when making HTTP calls to hydra
|
|
146
|
-
.catch(next));
|
|
147
|
-
}
|
|
148
|
-
// label:consent-deny-end
|
|
149
|
-
var grantScope = req.body.grant_scope;
|
|
150
|
-
if (!Array.isArray(grantScope)) {
|
|
151
|
-
grantScope = [grantScope];
|
|
152
|
-
}
|
|
153
|
-
// The session allows us to set session data for id and access tokens
|
|
154
|
-
var session = getOAuthSession(user, grantScope);
|
|
155
|
-
// Let's fetch the consent request again to be able to set `grantAccessTokenAudience` properly.
|
|
156
|
-
config_1.hydraAdmin
|
|
157
|
-
.getConsentRequest(challenge)
|
|
158
|
-
// This will be called if the HTTP request was successful
|
|
159
|
-
.then(function (_a) {
|
|
160
|
-
var body = _a.data;
|
|
161
|
-
return config_1.hydraAdmin
|
|
162
|
-
.acceptConsentRequest(challenge, {
|
|
163
|
-
// We can grant all scopes that have been requested - hydra already checked for us that no additional scopes
|
|
164
|
-
// are requested accidentally.
|
|
165
|
-
grant_scope: grantScope,
|
|
166
|
-
// If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
|
|
167
|
-
// the app is built for the automated OpenID Connect Conformity Test Suite. You
|
|
168
|
-
// can peak inside the code for some ideas, but be aware that all data is fake
|
|
169
|
-
// and this only exists to fake a login system which works in accordance to OpenID Connect.
|
|
170
|
-
//
|
|
171
|
-
// If that variable is not set, the session will be used as-is.
|
|
172
|
-
session: (0, oidc_cert_1.oidcConformityMaybeFakeSession)(grantScope, body, session),
|
|
173
|
-
// ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
|
|
174
|
-
grant_access_token_audience: body.requested_access_token_audience,
|
|
175
|
-
// This tells hydra to remember this consent request and allow the same client to request the same
|
|
176
|
-
// scopes from the same user, without showing the UI, in the future.
|
|
177
|
-
remember: Boolean(req.body.remember),
|
|
178
|
-
// When this "remember" sesion expires, in seconds. Set this to 0 so it will never expire.
|
|
179
|
-
remember_for: 3600
|
|
180
|
-
})
|
|
181
|
-
.then(function (_a) {
|
|
182
|
-
var body = _a.data;
|
|
183
|
-
// All we need to do now is to redirect the user back to hydra!
|
|
184
|
-
res.redirect(String(body.redirect_to));
|
|
185
|
-
});
|
|
186
|
-
})
|
|
187
|
-
// This will handle any error that happens when making HTTP calls to hydra
|
|
188
|
-
.catch(next);
|
|
189
|
-
// label:docs-accept-consent
|
|
190
|
-
});
|
|
191
|
-
exports.default = router;
|
|
192
|
-
//# sourceMappingURL=consent.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"consent.js","sourceRoot":"","sources":["../../src/oauth2/consent.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,8CAAiE;AAEjE,IAAM,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC5B,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,IAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;AAC3B,IAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;AAC7B,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAG/B,IAAM,eAAe,GAAG,UAAC,IAAI,EAAE,UAAU;IACvC,qEAAqE;IACrE,IAAI,OAAO,GAA0B;QACnC,qGAAqG;QACrG,8CAA8C;QAC9C,YAAY,EAAE;QACZ,aAAa;SACd;QAED,+CAA+C;QAC/C,QAAQ,EAAE;QACR,aAAa;SACd;KACF,CAAA;IACD,IAAI,WAAW,GAAG,UAAU,CAAA;IAC5B,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE;QAC3B,WAAW,GAAG,CAAC,WAAW,CAAC,CAAC;KAC7B;IACD,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,UAAC,KAAK;QACxB,IAAI,KAAK,KAAK,SAAS,EAAE;YACtB,OAAO,CAAC,QAAgB,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACtD,OAAO,CAAC,QAAgB,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAC1C,OAAO,CAAC,QAAgB,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAClD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC7C,0DAA0D;YACzD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAChG,oDAAoD;YACnD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;YAChE,OAAO,CAAC,QAAgB,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;YAC9D,OAAO,CAAC,QAAgB,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;SACtD;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC,CAAA;AAED,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC7C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,4FAA4F;IAC5F,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;IACjD,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAA;QAC5E,OAAM;KACP;IACD,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;IAC9B,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,4CAAqC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;KACpJ;IACD,6EAA6E;IAC7E,+EAA+E;IAC/E,aAAa;IACZ,mBAAU;SACR,iBAAiB,CAAC,SAAS,CAAS;QACrC,yDAAyD;SACxD,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,qGAAqG;QACrG,IAAI,IAAI,CAAC,IAAI,EAAE;YACb,+EAA+E;YAC/E,MAAM;YAEN,+GAA+G;YAC/G,OAAO,mBAAU;iBACd,oBAAoB,CAAC,SAAS,EAAE;gBAC/B,4GAA4G;gBAC5G,8BAA8B;gBAC9B,WAAW,EAAE,IAAI,CAAC,eAAe;gBAEjC,iGAAiG;gBACjG,2BAA2B,EAAE,IAAI,CAAC,+BAA+B;gBAEjE,qEAAqE;gBACrE,OAAO,EAAE,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,eAAe,CAAC;aACrD,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACjB,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YACxC,CAAC,CAAC,CAAA;SACL;QAED,2DAA2D;QAC3D,gCAAgC;QAChC,yCAAyC;QACzC,0BAA0B;QAC1B,kHAAkH;QAClH,oDAAoD;QACpD,2CAA2C;QAC3C,wBAAwB;QACxB,yBAAyB;QACzB,4DAA4D;QAC5D,KAAK;QACL,IAAI,EAAE,GAAG,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,4BAA4B,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7F,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,SAAS,EAAG,GAAW,CAAC,SAAS,EAAE;YACnC,SAAS,EAAE,SAAS;YACpB,6GAA6G;YAC7G,+CAA+C;YAC/C,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,IAAI,EAAE,IAAI,CAAC,OAAO;YAClB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC;SAC9C,CAAC,CAAC,CAAC;IACN,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;IACd,8EAA8E;AAChF,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC9C,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;IAE9B,4FAA4F;IAC5F,IAAM,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAA;IACpC,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAA;QAC5E,OAAM;KACP;IACD,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,4CAAqC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;KACpJ;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,aAAa,EAAE;QACrC,wDAAwD;QACxD,OAAO,CACL,mBAAU;aACP,oBAAoB,CAAC,SAAS,EAAE;YAC/B,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,uCAAuC;SAC3D,CAAC;aACD,IAAI,CAAC,UAAC,EAAc;gBAAN,IAAI,UAAA;YACjB,kEAAkE;YAClE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;QACxC,CAAC,CAAC;YACF,0EAA0E;aACzE,KAAK,CAAC,IAAI,CAAC,CACf,CAAA;KACF;IACD,yBAAyB;IAEzB,IAAI,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,CAAA;IACrC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;QAC9B,UAAU,GAAG,CAAC,UAAU,CAAC,CAAA;KAC1B;IAED,qEAAqE;IACrE,IAAI,OAAO,GAA0B,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IAEtE,+FAA+F;IAC/F,mBAAU;SACP,iBAAiB,CAAC,SAAS,CAAC;QAC7B,yDAAyD;SACxD,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,OAAO,mBAAU;aACd,oBAAoB,CAAC,SAAS,EAAE;YAC/B,4GAA4G;YAC5G,8BAA8B;YAC9B,WAAW,EAAE,UAAU;YAEvB,iFAAiF;YACjF,+EAA+E;YAC/E,8EAA8E;YAC9E,2FAA2F;YAC3F,EAAE;YACF,+DAA+D;YAC/D,OAAO,EAAE,IAAA,0CAA8B,EAAC,UAAU,EAAE,IAAI,EAAE,OAAO,CAAC;YAElE,iGAAiG;YACjG,2BAA2B,EAAE,IAAI,CAAC,+BAA+B;YAEjE,kGAAkG;YAClG,oEAAoE;YACpE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;YAEpC,0FAA0F;YAC1F,YAAY,EAAE,IAAI;SACnB,CAAC;aACD,IAAI,CAAC,UAAC,EAAc;gBAAN,IAAI,UAAA;YACjB,+DAA+D;YAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;QACxC,CAAC,CAAC,CAAA;IACN,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;IACd,4BAA4B;AAC9B,CAAC,CAAC,CAAA;AAEF,kBAAe,MAAM,CAAA"}
|
package/lib/oauth2/login.js
DELETED
|
@@ -1,166 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
var express = require("express");
|
|
4
|
-
var url = require("url");
|
|
5
|
-
var config_1 = require("./config");
|
|
6
|
-
var oidc_cert_1 = require("./stub/oidc-cert");
|
|
7
|
-
var csrf = require('csurf');
|
|
8
|
-
var urljoin = require('url-join');
|
|
9
|
-
// Sets up csrf protection
|
|
10
|
-
var csrfProtection = csrf({ cookie: true });
|
|
11
|
-
var router = express.Router();
|
|
12
|
-
router.get('/', csrfProtection, function (req, res, next) {
|
|
13
|
-
// Parses the URL query
|
|
14
|
-
var query = url.parse(req.url, true).query;
|
|
15
|
-
// The challenge is used to fetch information about the login request from ORY Hydra.
|
|
16
|
-
var challenge = String(query.login_challenge);
|
|
17
|
-
if (!challenge) {
|
|
18
|
-
next(new Error('Expected a login challenge to be set but received none.'));
|
|
19
|
-
return;
|
|
20
|
-
}
|
|
21
|
-
config_1.hydraAdmin.getLoginRequest(challenge)
|
|
22
|
-
.then(function (_a) {
|
|
23
|
-
var body = _a.data;
|
|
24
|
-
// If hydra was already able to authenticate the user, skip will be true and we do not need to re-authenticate
|
|
25
|
-
// the user.
|
|
26
|
-
if (body.skip) {
|
|
27
|
-
// You can apply logic here, for example update the number of times the user logged in.
|
|
28
|
-
// ...
|
|
29
|
-
// Now it's time to grant the login request. You could also deny the request if something went terribly wrong
|
|
30
|
-
// (e.g. your arch-enemy logging in...)
|
|
31
|
-
return config_1.hydraAdmin
|
|
32
|
-
.acceptLoginRequest(challenge, {
|
|
33
|
-
// All we need to do is to confirm that we indeed want to log in the user.
|
|
34
|
-
subject: String(body.subject)
|
|
35
|
-
})
|
|
36
|
-
.then(function (_a) {
|
|
37
|
-
var body = _a.data;
|
|
38
|
-
// All we need to do now is to redirect the user back to hydra!
|
|
39
|
-
res.redirect(String(body.redirect_to));
|
|
40
|
-
});
|
|
41
|
-
}
|
|
42
|
-
// If authentication can't be skipped we MUST show the login UI.
|
|
43
|
-
// return res.json({
|
|
44
|
-
// csrfToken: (req as any).csrfToken(),
|
|
45
|
-
// challenge: challenge,
|
|
46
|
-
// action: urljoin(process.env.BASE_URL || '', '/login'),
|
|
47
|
-
// hint: body.oidc_context?.login_hint || ''
|
|
48
|
-
// })
|
|
49
|
-
var user = req.user;
|
|
50
|
-
if (user) {
|
|
51
|
-
config_1.hydraAdmin
|
|
52
|
-
.acceptLoginRequest(challenge, {
|
|
53
|
-
// Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
|
|
54
|
-
subject: user.userId,
|
|
55
|
-
// This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
|
|
56
|
-
// set the "skip" parameter in the other route to true on subsequent requests!
|
|
57
|
-
remember: Boolean(req.body.remember),
|
|
58
|
-
// When the session expires, in seconds. Set this to 0 so it will never expire.
|
|
59
|
-
remember_for: 3600,
|
|
60
|
-
// Sets which "level" (e.g. 2-factor authentication) of authentication the user has. The value is really arbitrary
|
|
61
|
-
// and optional. In the context of OpenID Connect, a value of 0 indicates the lowest authorization level.
|
|
62
|
-
// acr: '0',
|
|
63
|
-
//
|
|
64
|
-
// If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
|
|
65
|
-
// the app is built for the automated OpenID Connect Conformity Test Suite. You
|
|
66
|
-
// can peak inside the code for some ideas, but be aware that all data is fake
|
|
67
|
-
// and this only exists to fake a login system which works in accordance to OpenID Connect.
|
|
68
|
-
//
|
|
69
|
-
// If that variable is not set, the ACR value will be set to the default passed here ('0')
|
|
70
|
-
acr: (0, oidc_cert_1.oidcConformityMaybeFakeAcr)(body, '0')
|
|
71
|
-
})
|
|
72
|
-
.then(function (_a) {
|
|
73
|
-
var body = _a.data;
|
|
74
|
-
// All we need to do now is to redirect the user back to hydra!
|
|
75
|
-
res.redirect(String(body.redirect_to));
|
|
76
|
-
}).catch(function (error) {
|
|
77
|
-
console.log("oauth2 login acceptLoginRequest error", error.message);
|
|
78
|
-
next();
|
|
79
|
-
});
|
|
80
|
-
}
|
|
81
|
-
else {
|
|
82
|
-
res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/login?login_challenge=".concat(challenge))));
|
|
83
|
-
}
|
|
84
|
-
})
|
|
85
|
-
// This will handle any error that happens when making HTTP calls to hydra
|
|
86
|
-
.catch(function (error) {
|
|
87
|
-
console.log("oauth2 login error", error.message);
|
|
88
|
-
next();
|
|
89
|
-
});
|
|
90
|
-
});
|
|
91
|
-
// router.post('/', csrfProtection, (req, res, next) => {
|
|
92
|
-
// // The challenge is now a hidden input field, so let's take it from the request body instead
|
|
93
|
-
// const challenge = req.body.challenge
|
|
94
|
-
// // Let's see if the user decided to accept or reject the consent request..
|
|
95
|
-
// if (req.body.submit === 'Deny access') {
|
|
96
|
-
// // Looks like the consent request was denied by the user
|
|
97
|
-
// return (
|
|
98
|
-
// hydraAdmin
|
|
99
|
-
// .rejectLoginRequest(challenge, {
|
|
100
|
-
// error: 'access_denied',
|
|
101
|
-
// error_description: 'The resource owner denied the request'
|
|
102
|
-
// })
|
|
103
|
-
// .then(({ data: body }) => {
|
|
104
|
-
// // All we need to do now is to redirect the browser back to hydra!
|
|
105
|
-
// res.redirect(String(body.redirect_to))
|
|
106
|
-
// })
|
|
107
|
-
// // This will handle any error that happens when making HTTP calls to hydra
|
|
108
|
-
// .catch(next)
|
|
109
|
-
// )
|
|
110
|
-
// }
|
|
111
|
-
// // Let's check if the user provided valid credentials. Of course, you'd use a database or some third-party service
|
|
112
|
-
// // for this!
|
|
113
|
-
// if (!(req.body.email === 'foo@bar.com' && req.body.password === 'foobar')) {
|
|
114
|
-
// // Looks like the user provided invalid credentials, let's show the ui again...
|
|
115
|
-
// return res.json({
|
|
116
|
-
// csrfToken: (req as any).csrfToken(),
|
|
117
|
-
// challenge: challenge,
|
|
118
|
-
// error: 'The username / password combination is not correct'
|
|
119
|
-
// });
|
|
120
|
-
// }
|
|
121
|
-
// // Seems like the user authenticated! Let's tell hydra...
|
|
122
|
-
// hydraAdmin
|
|
123
|
-
// .getLoginRequest(challenge)
|
|
124
|
-
// .then(({ data: loginRequest }) =>
|
|
125
|
-
// hydraAdmin
|
|
126
|
-
// .acceptLoginRequest(challenge, {
|
|
127
|
-
// // Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
|
|
128
|
-
// subject: 'foo@bar.com',
|
|
129
|
-
// // This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
|
|
130
|
-
// // set the "skip" parameter in the other route to true on subsequent requests!
|
|
131
|
-
// remember: Boolean(req.body.remember),
|
|
132
|
-
// // When the session expires, in seconds. Set this to 0 so it will never expire.
|
|
133
|
-
// remember_for: 3600,
|
|
134
|
-
// // Sets which "level" (e.g. 2-factor authentication) of authentication the user has. The value is really arbitrary
|
|
135
|
-
// // and optional. In the context of OpenID Connect, a value of 0 indicates the lowest authorization level.
|
|
136
|
-
// // acr: '0',
|
|
137
|
-
// //
|
|
138
|
-
// // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
|
|
139
|
-
// // the app is built for the automated OpenID Connect Conformity Test Suite. You
|
|
140
|
-
// // can peak inside the code for some ideas, but be aware that all data is fake
|
|
141
|
-
// // and this only exists to fake a login system which works in accordance to OpenID Connect.
|
|
142
|
-
// //
|
|
143
|
-
// // If that variable is not set, the ACR value will be set to the default passed here ('0')
|
|
144
|
-
// acr: oidcConformityMaybeFakeAcr(loginRequest, '0')
|
|
145
|
-
// })
|
|
146
|
-
// .then(({ data: body }) => {
|
|
147
|
-
// // All we need to do now is to redirect the user back to hydra!
|
|
148
|
-
// res.redirect(String(body.redirect_to))
|
|
149
|
-
// })
|
|
150
|
-
// )
|
|
151
|
-
// // This will handle any error that happens when making HTTP calls to hydra
|
|
152
|
-
// .catch(next)
|
|
153
|
-
// // You could also deny the login request which tells hydra that no one authenticated!
|
|
154
|
-
// // hydra.rejectLoginRequest(challenge, {
|
|
155
|
-
// // error: 'invalid_request',
|
|
156
|
-
// // errorDescription: 'The user did something stupid...'
|
|
157
|
-
// // })
|
|
158
|
-
// // .then(({body}) => {
|
|
159
|
-
// // // All we need to do now is to redirect the browser back to hydra!
|
|
160
|
-
// // res.redirect(String(body.redirectTo));
|
|
161
|
-
// // })
|
|
162
|
-
// // // This will handle any error that happens when making HTTP calls to hydra
|
|
163
|
-
// // .catch(next);
|
|
164
|
-
// })
|
|
165
|
-
exports.default = router;
|
|
166
|
-
//# sourceMappingURL=login.js.map
|
package/lib/oauth2/login.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/oauth2/login.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,8CAA6D;AAC7D,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAI/B,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC3C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,qFAAqF;IACrF,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;IAC/C,IAAI,CAAC,SAAS,EAAE;QACZ,IAAI,CAAC,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC,CAAA;QAC1E,OAAM;KACT;IACA,mBAAU,CAAC,eAAe,CAAC,SAAS,CAAS;SACzC,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACf,8GAA8G;QAC9G,YAAY;QACZ,IAAI,IAAI,CAAC,IAAI,EAAE;YACX,uFAAuF;YACvF,MAAM;YAEN,6GAA6G;YAC7G,uCAAuC;YACvC,OAAO,mBAAU;iBACZ,kBAAkB,CAAC,SAAS,EAAE;gBAC3B,0EAA0E;gBAC1E,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;aAChC,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACf,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAC1C,CAAC,CAAC,CAAA;SACT;QAED,gEAAgE;QAChE,oBAAoB;QACpB,2CAA2C;QAC3C,4BAA4B;QAC5B,6DAA6D;QAC7D,gDAAgD;QAChD,KAAK;QACL,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;QAC9B,IAAI,IAAI,EAAE;YACN,mBAAU;iBACL,kBAAkB,CAAC,SAAS,EAAE;gBAC3B,oGAAoG;gBACpG,OAAO,EAAE,IAAI,CAAC,MAAM;gBAEpB,iHAAiH;gBACjH,8EAA8E;gBAC9E,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAEpC,+EAA+E;gBAC/E,YAAY,EAAE,IAAI;gBAElB,kHAAkH;gBAClH,yGAAyG;gBACzG,YAAY;gBACZ,EAAE;gBACF,iFAAiF;gBACjF,+EAA+E;gBAC/E,8EAA8E;gBAC9E,2FAA2F;gBAC3F,EAAE;gBACF,0FAA0F;gBAC1F,GAAG,EAAE,IAAA,sCAA0B,EAAC,IAAI,EAAE,GAAG,CAAC;aAC7C,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACf,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAC1C,CAAC,CAAC,CAAC,KAAK,CAAC,UAAC,KAAK;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;gBACpE,IAAI,EAAE,CAAA;YACV,CAAC,CAAC,CAAA;SACT;aAAM;YACH,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,wCAAiC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;SAC3I;IACL,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,UAAC,KAAK;QACT,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,EAAE,CAAA;IACV,CAAC,CAAC,CAAA;AACV,CAAC,CAAC,CAAA;AAEF,yDAAyD;AACzD,mGAAmG;AACnG,2CAA2C;AAE3C,iFAAiF;AACjF,+CAA+C;AAC/C,mEAAmE;AACnE,mBAAmB;AACnB,yBAAyB;AACzB,mDAAmD;AACnD,8CAA8C;AAC9C,iFAAiF;AACjF,qBAAqB;AACrB,8CAA8C;AAC9C,yFAAyF;AACzF,6DAA6D;AAC7D,qBAAqB;AACrB,6FAA6F;AAC7F,+BAA+B;AAC/B,YAAY;AACZ,QAAQ;AAER,yHAAyH;AACzH,mBAAmB;AACnB,mFAAmF;AACnF,0FAA0F;AAE1F,4BAA4B;AAC5B,mDAAmD;AACnD,oCAAoC;AACpC,0EAA0E;AAC1E,cAAc;AACd,QAAQ;AAER,gEAAgE;AAEhE,iBAAiB;AACjB,sCAAsC;AACtC,4CAA4C;AAC5C,yBAAyB;AACzB,mDAAmD;AACnD,2HAA2H;AAC3H,8CAA8C;AAE9C,wIAAwI;AACxI,qGAAqG;AACrG,4DAA4D;AAE5D,sGAAsG;AACtG,0CAA0C;AAE1C,yIAAyI;AACzI,gIAAgI;AAChI,mCAAmC;AACnC,yBAAyB;AACzB,wGAAwG;AACxG,sGAAsG;AACtG,qGAAqG;AACrG,kHAAkH;AAClH,yBAAyB;AACzB,iHAAiH;AACjH,yEAAyE;AACzE,qBAAqB;AACrB,8CAA8C;AAC9C,sFAAsF;AACtF,6DAA6D;AAC7D,qBAAqB;AACrB,YAAY;AACZ,qFAAqF;AACrF,uBAAuB;AAEvB,4FAA4F;AAC5F,+CAA+C;AAC/C,qCAAqC;AACrC,gEAAgE;AAChE,YAAY;AACZ,+BAA+B;AAC/B,gFAAgF;AAChF,oDAAoD;AACpD,cAAc;AACd,sFAAsF;AACtF,yBAAyB;AACzB,KAAK;AAEL,kBAAe,MAAM,CAAA"}
|