@steedos/accounts 2.5.1 → 2.5.3-beta.1

package/lib/oauth2/client.js

@@ -0,0 +1 @@
+//# sourceMappingURL=client.js.map

package/lib/oauth2/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/oauth2/client.ts"],"names":[],"mappings":""}

package/lib/oauth2/config.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hydraAdmin = void 0;
+var hydra_client_1 = require("@oryd/hydra-client");
+var baseOptions = {};
+if (process.env.STEEDOS_MOCK_TLS_TERMINATION) {
+    baseOptions.headers = { 'X-Forwarded-Proto': 'https' };
+}
+var hydraAdmin = new hydra_client_1.AdminApi(new hydra_client_1.Configuration({
+    basePath: process.env.STEEDOS_HYDRA_ADMIN_URL,
+    baseOptions: baseOptions
+}));
+exports.hydraAdmin = hydraAdmin;
+//# sourceMappingURL=config.js.map

package/lib/oauth2/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/oauth2/config.ts"],"names":[],"mappings":";;;AAAA,mDAA4D;AAC5D,IAAM,WAAW,GAAQ,EAAE,CAAA;AAE3B,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE;IAC5C,WAAW,CAAC,OAAO,GAAG,EAAE,mBAAmB,EAAE,OAAO,EAAE,CAAA;CACvD;AAED,IAAM,UAAU,GAAG,IAAI,uBAAQ,CAC7B,IAAI,4BAAa,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB;IAC7C,WAAW,aAAA;CACZ,CAAC,CACH,CAAA;AAEQ,gCAAU"}

package/lib/oauth2/consent.js

@@ -0,0 +1,192 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+var express = require("express");
+var url = require("url");
+var config_1 = require("./config");
+var oidc_cert_1 = require("./stub/oidc-cert");
+var _ = require('lodash');
+var csrf = require('csurf');
+var urljoin = require('url-join');
+var pug = require('pug');
+var path = require('path');
+// Sets up csrf protection
+var csrfProtection = csrf({ cookie: true });
+var router = express.Router();
+var getOAuthSession = function (user, grantScope) {
+    // The session allows us to set session data for id and access tokens
+    var session = {
+        // This data will be available when introspecting the token. Try to avoid sensitive information here,
+        // unless you limit who can introspect tokens.
+        access_token: {
+        // foo: 'bar'
+        },
+        // This data will be available in the ID token.
+        id_token: {
+        // baz: 'bar'
+        }
+    };
+    var _grantScope = grantScope;
+    if (!_.isArray(_grantScope)) {
+        _grantScope = [_grantScope];
+    }
+    _.each(_grantScope, function (scope) {
+        if (scope === 'profile') {
+            session.id_token.steedos_id = user.steedos_id;
+            session.id_token.name = user.name;
+            session.id_token.username = user.username;
+            session.id_token.mobile = user.mobile;
+            session.id_token.email = user.email;
+            // (session.id_token as any).job_number = user.job_number;
+            session.id_token.locale = user.locale;
+            session.id_token.space = user.spaces && user.spaces.length > 0 ? user.spaces[0] : null;
+            // (session.id_token as any).profile = user.profile;
+            session.id_token.userId = user.userId;
+            session.id_token.mobile_verified = user.mobile_verified;
+            session.id_token.email_verified = user.email_verified;
+            session.id_token.utcOffset = user.utcOffset;
+        }
+    });
+    return session;
+};
+router.get('/', csrfProtection, function (req, res, next) {
+    // Parses the URL query
+    var query = url.parse(req.url, true).query;
+    // The challenge is used to fetch information about the consent request from ORY hydraAdmin.
+    var challenge = String(query.consent_challenge);
+    if (!challenge) {
+        next(new Error('Expected a consent challenge to be set but received none.'));
+        return;
+    }
+    var user = req.user;
+    if (!user) {
+        return res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/consent?consent_challenge=".concat(challenge))));
+    }
+    // This section processes consent requests and either shows the consent UI or
+    // accepts the consent request right away if the user has given consent to this
+    // app before
+    config_1.hydraAdmin
+        .getConsentRequest(challenge)
+        // This will be called if the HTTP request was successful
+        .then(function (_a) {
+        var body = _a.data;
+        // If a user has granted this application the requested scope, hydra will tell us to not show the UI.
+        if (body.skip) {
+            // You can apply logic here, for example grant another scope, or do whatever...
+            // ...
+            // Now it's time to grant the consent request. You could also deny the request if something went terribly wrong
+            return config_1.hydraAdmin
+                .acceptConsentRequest(challenge, {
+                // We can grant all scopes that have been requested - hydra already checked for us that no additional scopes
+                // are requested accidentally.
+                grant_scope: body.requested_scope,
+                // ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
+                grant_access_token_audience: body.requested_access_token_audience,
+                // The session allows us to set session data for id and access tokens
+                session: getOAuthSession(user, body.requested_scope)
+            })
+                .then(function (_a) {
+                var body = _a.data;
+                // All we need to do now is to redirect the user back to hydra!
+                res.redirect(String(body.redirect_to));
+            });
+        }
+        // If consent can't be skipped we MUST show the consent UI.
+        // return res.status(200).send({
+        //   csrfToken: (req as any).csrfToken(),
+        //   challenge: challenge,
+        //   // We have a bunch of data available from the response, check out the API docs to find what these values mean
+        //   // and what additional data you have available.
+        //   requested_scope: body.requested_scope,
+        //   user: body.subject,
+        //   client: body.client,
+        //   action: urljoin(process.env.BASE_URL || '', '/consent')
+        // })
+        var fn = pug.compileFile(path.join(__dirname, '..', '..', './views/oauth2/consent.pug'), {});
+        return res.status(200).send(fn({
+            csrfToken: req.csrfToken(),
+            challenge: challenge,
+            // We have a bunch of data available from the response, check out the API docs to find what these values mean
+            // and what additional data you have available.
+            requested_scope: body.requested_scope,
+            user: body.subject,
+            userInfo: user,
+            client: body.client,
+            action: Meteor.absoluteUrl("/oauth2/consent")
+        }));
+    })
+        // This will handle any error that happens when making HTTP calls to hydra
+        .catch(next);
+    // The consent request has now either been accepted automatically or rendered.
+});
+router.post('/', csrfProtection, function (req, res, next) {
+    var user = req.user;
+    // The challenge is now a hidden input field, so let's take it from the request body instead
+    var challenge = req.body.challenge;
+    if (!challenge) {
+        next(new Error('Expected a consent challenge to be set but received none.'));
+        return;
+    }
+    if (!user) {
+        return res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/consent?consent_challenge=".concat(challenge))));
+    }
+    // Let's see if the user decided to accept or reject the consent request..
+    if (req.body.submit === 'Deny access') {
+        // Looks like the consent request was denied by the user
+        return (config_1.hydraAdmin
+            .rejectConsentRequest(challenge, {
+            error: 'access_denied',
+            error_description: 'The resource owner denied the request'
+        })
+            .then(function (_a) {
+            var body = _a.data;
+            // All we need to do now is to redirect the browser back to hydra!
+            res.redirect(String(body.redirect_to));
+        })
+            // This will handle any error that happens when making HTTP calls to hydra
+            .catch(next));
+    }
+    // label:consent-deny-end
+    var grantScope = req.body.grant_scope;
+    if (!Array.isArray(grantScope)) {
+        grantScope = [grantScope];
+    }
+    // The session allows us to set session data for id and access tokens
+    var session = getOAuthSession(user, grantScope);
+    // Let's fetch the consent request again to be able to set `grantAccessTokenAudience` properly.
+    config_1.hydraAdmin
+        .getConsentRequest(challenge)
+        // This will be called if the HTTP request was successful
+        .then(function (_a) {
+        var body = _a.data;
+        return config_1.hydraAdmin
+            .acceptConsentRequest(challenge, {
+            // We can grant all scopes that have been requested - hydra already checked for us that no additional scopes
+            // are requested accidentally.
+            grant_scope: grantScope,
+            // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
+            // the app is built for the automated OpenID Connect Conformity Test Suite. You
+            // can peak inside the code for some ideas, but be aware that all data is fake
+            // and this only exists to fake a login system which works in accordance to OpenID Connect.
+            //
+            // If that variable is not set, the session will be used as-is.
+            session: (0, oidc_cert_1.oidcConformityMaybeFakeSession)(grantScope, body, session),
+            // ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
+            grant_access_token_audience: body.requested_access_token_audience,
+            // This tells hydra to remember this consent request and allow the same client to request the same
+            // scopes from the same user, without showing the UI, in the future.
+            remember: Boolean(req.body.remember),
+            // When this "remember" sesion expires, in seconds. Set this to 0 so it will never expire.
+            remember_for: 3600
+        })
+            .then(function (_a) {
+            var body = _a.data;
+            // All we need to do now is to redirect the user back to hydra!
+            res.redirect(String(body.redirect_to));
+        });
+    })
+        // This will handle any error that happens when making HTTP calls to hydra
+        .catch(next);
+    // label:docs-accept-consent
+});
+exports.default = router;
+//# sourceMappingURL=consent.js.map

package/lib/oauth2/consent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent.js","sourceRoot":"","sources":["../../src/oauth2/consent.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,8CAAiE;AAEjE,IAAM,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAC5B,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,IAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;AAC3B,IAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;AAC7B,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAG/B,IAAM,eAAe,GAAG,UAAC,IAAI,EAAE,UAAU;IACvC,qEAAqE;IACrE,IAAI,OAAO,GAA0B;QACnC,qGAAqG;QACrG,8CAA8C;QAC9C,YAAY,EAAE;QACZ,aAAa;SACd;QAED,+CAA+C;QAC/C,QAAQ,EAAE;QACR,aAAa;SACd;KACF,CAAA;IACD,IAAI,WAAW,GAAG,UAAU,CAAA;IAC5B,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE;QAC3B,WAAW,GAAG,CAAC,WAAW,CAAC,CAAC;KAC7B;IACD,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,UAAC,KAAK;QACxB,IAAI,KAAK,KAAK,SAAS,EAAE;YACtB,OAAO,CAAC,QAAgB,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACtD,OAAO,CAAC,QAAgB,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAC1C,OAAO,CAAC,QAAgB,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAClD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAC7C,0DAA0D;YACzD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAChG,oDAAoD;YACnD,OAAO,CAAC,QAAgB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YAC9C,OAAO,CAAC,QAAgB,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;YAChE,OAAO,CAAC,QAAgB,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;YAC9D,OAAO,CAAC,QAAgB,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;SACtD;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC,CAAA;AAED,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC7C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,4FAA4F;IAC5F,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;IACjD,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAA;QAC5E,OAAM;KACP;IACD,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;IAC9B,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,4CAAqC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;KACpJ;IACD,6EAA6E;IAC7E,+EAA+E;IAC/E,aAAa;IACZ,mBAAU;SACR,iBAAiB,CAAC,SAAS,CAAS;QACrC,yDAAyD;SACxD,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,qGAAqG;QACrG,IAAI,IAAI,CAAC,IAAI,EAAE;YACb,+EAA+E;YAC/E,MAAM;YAEN,+GAA+G;YAC/G,OAAO,mBAAU;iBACd,oBAAoB,CAAC,SAAS,EAAE;gBAC/B,4GAA4G;gBAC5G,8BAA8B;gBAC9B,WAAW,EAAE,IAAI,CAAC,eAAe;gBAEjC,iGAAiG;gBACjG,2BAA2B,EAAE,IAAI,CAAC,+BAA+B;gBAEjE,qEAAqE;gBACrE,OAAO,EAAE,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,eAAe,CAAC;aACrD,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACjB,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YACxC,CAAC,CAAC,CAAA;SACL;QAED,2DAA2D;QAC3D,gCAAgC;QAChC,yCAAyC;QACzC,0BAA0B;QAC1B,kHAAkH;QAClH,oDAAoD;QACpD,2CAA2C;QAC3C,wBAAwB;QACxB,yBAAyB;QACzB,4DAA4D;QAC5D,KAAK;QACL,IAAI,EAAE,GAAG,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,4BAA4B,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7F,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,SAAS,EAAG,GAAW,CAAC,SAAS,EAAE;YACnC,SAAS,EAAE,SAAS;YACpB,6GAA6G;YAC7G,+CAA+C;YAC/C,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,IAAI,EAAE,IAAI,CAAC,OAAO;YAClB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC;SAC9C,CAAC,CAAC,CAAC;IACN,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;IACd,8EAA8E;AAChF,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC9C,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;IAE9B,4FAA4F;IAC5F,IAAM,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAA;IACpC,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC,CAAA;QAC5E,OAAM;KACP;IACD,IAAI,CAAC,IAAI,EAAE;QACT,OAAO,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,4CAAqC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;KACpJ;IAED,0EAA0E;IAC1E,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,aAAa,EAAE;QACrC,wDAAwD;QACxD,OAAO,CACL,mBAAU;aACP,oBAAoB,CAAC,SAAS,EAAE;YAC/B,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,uCAAuC;SAC3D,CAAC;aACD,IAAI,CAAC,UAAC,EAAc;gBAAN,IAAI,UAAA;YACjB,kEAAkE;YAClE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;QACxC,CAAC,CAAC;YACF,0EAA0E;aACzE,KAAK,CAAC,IAAI,CAAC,CACf,CAAA;KACF;IACD,yBAAyB;IAEzB,IAAI,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,WAAW,CAAA;IACrC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;QAC9B,UAAU,GAAG,CAAC,UAAU,CAAC,CAAA;KAC1B;IAED,qEAAqE;IACrE,IAAI,OAAO,GAA0B,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IAEtE,+FAA+F;IAC/F,mBAAU;SACP,iBAAiB,CAAC,SAAS,CAAC;QAC7B,yDAAyD;SACxD,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,OAAO,mBAAU;aACd,oBAAoB,CAAC,SAAS,EAAE;YAC/B,4GAA4G;YAC5G,8BAA8B;YAC9B,WAAW,EAAE,UAAU;YAEvB,iFAAiF;YACjF,+EAA+E;YAC/E,8EAA8E;YAC9E,2FAA2F;YAC3F,EAAE;YACF,+DAA+D;YAC/D,OAAO,EAAE,IAAA,0CAA8B,EAAC,UAAU,EAAE,IAAI,EAAE,OAAO,CAAC;YAElE,iGAAiG;YACjG,2BAA2B,EAAE,IAAI,CAAC,+BAA+B;YAEjE,kGAAkG;YAClG,oEAAoE;YACpE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;YAEpC,0FAA0F;YAC1F,YAAY,EAAE,IAAI;SACnB,CAAC;aACD,IAAI,CAAC,UAAC,EAAc;gBAAN,IAAI,UAAA;YACjB,+DAA+D;YAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;QACxC,CAAC,CAAC,CAAA;IACN,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;IACd,4BAA4B;AAC9B,CAAC,CAAC,CAAA;AAEF,kBAAe,MAAM,CAAA"}

package/lib/oauth2/login.js

@@ -0,0 +1,166 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+var express = require("express");
+var url = require("url");
+var config_1 = require("./config");
+var oidc_cert_1 = require("./stub/oidc-cert");
+var csrf = require('csurf');
+var urljoin = require('url-join');
+// Sets up csrf protection
+var csrfProtection = csrf({ cookie: true });
+var router = express.Router();
+router.get('/', csrfProtection, function (req, res, next) {
+    // Parses the URL query
+    var query = url.parse(req.url, true).query;
+    // The challenge is used to fetch information about the login request from ORY Hydra.
+    var challenge = String(query.login_challenge);
+    if (!challenge) {
+        next(new Error('Expected a login challenge to be set but received none.'));
+        return;
+    }
+    config_1.hydraAdmin.getLoginRequest(challenge)
+        .then(function (_a) {
+        var body = _a.data;
+        // If hydra was already able to authenticate the user, skip will be true and we do not need to re-authenticate
+        // the user.
+        if (body.skip) {
+            // You can apply logic here, for example update the number of times the user logged in.
+            // ...
+            // Now it's time to grant the login request. You could also deny the request if something went terribly wrong
+            // (e.g. your arch-enemy logging in...)
+            return config_1.hydraAdmin
+                .acceptLoginRequest(challenge, {
+                // All we need to do is to confirm that we indeed want to log in the user.
+                subject: String(body.subject)
+            })
+                .then(function (_a) {
+                var body = _a.data;
+                // All we need to do now is to redirect the user back to hydra!
+                res.redirect(String(body.redirect_to));
+            });
+        }
+        // If authentication can't be skipped we MUST show the login UI.
+        // return res.json({
+        //     csrfToken: (req as any).csrfToken(),
+        //     challenge: challenge,
+        //     action: urljoin(process.env.BASE_URL || '', '/login'),
+        //     hint: body.oidc_context?.login_hint || ''
+        // })
+        var user = req.user;
+        if (user) {
+            config_1.hydraAdmin
+                .acceptLoginRequest(challenge, {
+                // Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
+                subject: user.userId,
+                // This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
+                // set the "skip" parameter in the other route to true on subsequent requests!
+                remember: Boolean(req.body.remember),
+                // When the session expires, in seconds. Set this to 0 so it will never expire.
+                remember_for: 3600,
+                // Sets which "level" (e.g. 2-factor authentication) of authentication the user has. The value is really arbitrary
+                // and optional. In the context of OpenID Connect, a value of 0 indicates the lowest authorization level.
+                // acr: '0',
+                //
+                // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
+                // the app is built for the automated OpenID Connect Conformity Test Suite. You
+                // can peak inside the code for some ideas, but be aware that all data is fake
+                // and this only exists to fake a login system which works in accordance to OpenID Connect.
+                //
+                // If that variable is not set, the ACR value will be set to the default passed here ('0')
+                acr: (0, oidc_cert_1.oidcConformityMaybeFakeAcr)(body, '0')
+            })
+                .then(function (_a) {
+                var body = _a.data;
+                // All we need to do now is to redirect the user back to hydra!
+                res.redirect(String(body.redirect_to));
+            }).catch(function (error) {
+                console.log("oauth2 login acceptLoginRequest error", error.message);
+                next();
+            });
+        }
+        else {
+            res.redirect("/accounts/a/#/login?redirect_uri=" + encodeURIComponent(Meteor.absoluteUrl("/oauth2/login?login_challenge=".concat(challenge))));
+        }
+    })
+        // This will handle any error that happens when making HTTP calls to hydra
+        .catch(function (error) {
+        console.log("oauth2 login error", error.message);
+        next();
+    });
+});
+// router.post('/', csrfProtection, (req, res, next) => {
+//     // The challenge is now a hidden input field, so let's take it from the request body instead
+//     const challenge = req.body.challenge
+//     // Let's see if the user decided to accept or reject the consent request..
+//     if (req.body.submit === 'Deny access') {
+//         // Looks like the consent request was denied by the user
+//         return (
+//             hydraAdmin
+//                 .rejectLoginRequest(challenge, {
+//                     error: 'access_denied',
+//                     error_description: 'The resource owner denied the request'
+//                 })
+//                 .then(({ data: body }) => {
+//                     // All we need to do now is to redirect the browser back to hydra!
+//                     res.redirect(String(body.redirect_to))
+//                 })
+//                 // This will handle any error that happens when making HTTP calls to hydra
+//                 .catch(next)
+//         )
+//     }
+//     // Let's check if the user provided valid credentials. Of course, you'd use a database or some third-party service
+//     // for this!
+//     if (!(req.body.email === 'foo@bar.com' && req.body.password === 'foobar')) {
+//         // Looks like the user provided invalid credentials, let's show the ui again...
+//         return res.json({
+//             csrfToken: (req as any).csrfToken(),
+//             challenge: challenge,
+//             error: 'The username / password combination is not correct'
+//         });
+//     }
+//     // Seems like the user authenticated! Let's tell hydra...
+//     hydraAdmin
+//         .getLoginRequest(challenge)
+//         .then(({ data: loginRequest }) =>
+//             hydraAdmin
+//                 .acceptLoginRequest(challenge, {
+//                     // Subject is an alias for user ID. A subject can be a random string, a UUID, an email address, ....
+//                     subject: 'foo@bar.com',
+//                     // This tells hydra to remember the browser and automatically authenticate the user in future requests. This will
+//                     // set the "skip" parameter in the other route to true on subsequent requests!
+//                     remember: Boolean(req.body.remember),
+//                     // When the session expires, in seconds. Set this to 0 so it will never expire.
+//                     remember_for: 3600,
+//                     // Sets which "level" (e.g. 2-factor authentication) of authentication the user has. The value is really arbitrary
+//                     // and optional. In the context of OpenID Connect, a value of 0 indicates the lowest authorization level.
+//                     // acr: '0',
+//                     //
+//                     // If the environment variable CONFORMITY_FAKE_CLAIMS is set we are assuming that
+//                     // the app is built for the automated OpenID Connect Conformity Test Suite. You
+//                     // can peak inside the code for some ideas, but be aware that all data is fake
+//                     // and this only exists to fake a login system which works in accordance to OpenID Connect.
+//                     //
+//                     // If that variable is not set, the ACR value will be set to the default passed here ('0')
+//                     acr: oidcConformityMaybeFakeAcr(loginRequest, '0')
+//                 })
+//                 .then(({ data: body }) => {
+//                     // All we need to do now is to redirect the user back to hydra!
+//                     res.redirect(String(body.redirect_to))
+//                 })
+//         )
+//         // This will handle any error that happens when making HTTP calls to hydra
+//         .catch(next)
+//     // You could also deny the login request which tells hydra that no one authenticated!
+//     // hydra.rejectLoginRequest(challenge, {
+//     //   error: 'invalid_request',
+//     //   errorDescription: 'The user did something stupid...'
+//     // })
+//     //   .then(({body}) => {
+//     //     // All we need to do now is to redirect the browser back to hydra!
+//     //     res.redirect(String(body.redirectTo));
+//     //   })
+//     //   // This will handle any error that happens when making HTTP calls to hydra
+//     //   .catch(next);
+// })
+exports.default = router;
+//# sourceMappingURL=login.js.map

package/lib/oauth2/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/oauth2/login.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,8CAA6D;AAC7D,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAI/B,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC3C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,qFAAqF;IACrF,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;IAC/C,IAAI,CAAC,SAAS,EAAE;QACZ,IAAI,CAAC,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC,CAAA;QAC1E,OAAM;KACT;IACA,mBAAU,CAAC,eAAe,CAAC,SAAS,CAAS;SACzC,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACf,8GAA8G;QAC9G,YAAY;QACZ,IAAI,IAAI,CAAC,IAAI,EAAE;YACX,uFAAuF;YACvF,MAAM;YAEN,6GAA6G;YAC7G,uCAAuC;YACvC,OAAO,mBAAU;iBACZ,kBAAkB,CAAC,SAAS,EAAE;gBAC3B,0EAA0E;gBAC1E,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;aAChC,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACf,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAC1C,CAAC,CAAC,CAAA;SACT;QAED,gEAAgE;QAChE,oBAAoB;QACpB,2CAA2C;QAC3C,4BAA4B;QAC5B,6DAA6D;QAC7D,gDAAgD;QAChD,KAAK;QACL,IAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAA;QAC9B,IAAI,IAAI,EAAE;YACN,mBAAU;iBACL,kBAAkB,CAAC,SAAS,EAAE;gBAC3B,oGAAoG;gBACpG,OAAO,EAAE,IAAI,CAAC,MAAM;gBAEpB,iHAAiH;gBACjH,8EAA8E;gBAC9E,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAEpC,+EAA+E;gBAC/E,YAAY,EAAE,IAAI;gBAElB,kHAAkH;gBAClH,yGAAyG;gBACzG,YAAY;gBACZ,EAAE;gBACF,iFAAiF;gBACjF,+EAA+E;gBAC/E,8EAA8E;gBAC9E,2FAA2F;gBAC3F,EAAE;gBACF,0FAA0F;gBAC1F,GAAG,EAAE,IAAA,sCAA0B,EAAC,IAAI,EAAE,GAAG,CAAC;aAC7C,CAAC;iBACD,IAAI,CAAC,UAAC,EAAc;oBAAN,IAAI,UAAA;gBACf,+DAA+D;gBAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;YAC1C,CAAC,CAAC,CAAC,KAAK,CAAC,UAAC,KAAK;gBACX,OAAO,CAAC,GAAG,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;gBACpE,IAAI,EAAE,CAAA;YACV,CAAC,CAAC,CAAA;SACT;aAAM;YACH,GAAG,CAAC,QAAQ,CAAC,mCAAmC,GAAG,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,wCAAiC,SAAS,CAAE,CAAC,CAAC,CAAC,CAAA;SAC3I;IACL,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,UAAC,KAAK;QACT,OAAO,CAAC,GAAG,CAAC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,EAAE,CAAA;IACV,CAAC,CAAC,CAAA;AACV,CAAC,CAAC,CAAA;AAEF,yDAAyD;AACzD,mGAAmG;AACnG,2CAA2C;AAE3C,iFAAiF;AACjF,+CAA+C;AAC/C,mEAAmE;AACnE,mBAAmB;AACnB,yBAAyB;AACzB,mDAAmD;AACnD,8CAA8C;AAC9C,iFAAiF;AACjF,qBAAqB;AACrB,8CAA8C;AAC9C,yFAAyF;AACzF,6DAA6D;AAC7D,qBAAqB;AACrB,6FAA6F;AAC7F,+BAA+B;AAC/B,YAAY;AACZ,QAAQ;AAER,yHAAyH;AACzH,mBAAmB;AACnB,mFAAmF;AACnF,0FAA0F;AAE1F,4BAA4B;AAC5B,mDAAmD;AACnD,oCAAoC;AACpC,0EAA0E;AAC1E,cAAc;AACd,QAAQ;AAER,gEAAgE;AAEhE,iBAAiB;AACjB,sCAAsC;AACtC,4CAA4C;AAC5C,yBAAyB;AACzB,mDAAmD;AACnD,2HAA2H;AAC3H,8CAA8C;AAE9C,wIAAwI;AACxI,qGAAqG;AACrG,4DAA4D;AAE5D,sGAAsG;AACtG,0CAA0C;AAE1C,yIAAyI;AACzI,gIAAgI;AAChI,mCAAmC;AACnC,yBAAyB;AACzB,wGAAwG;AACxG,sGAAsG;AACtG,qGAAqG;AACrG,kHAAkH;AAClH,yBAAyB;AACzB,iHAAiH;AACjH,yEAAyE;AACzE,qBAAqB;AACrB,8CAA8C;AAC9C,sFAAsF;AACtF,6DAA6D;AAC7D,qBAAqB;AACrB,YAAY;AACZ,qFAAqF;AACrF,uBAAuB;AAEvB,4FAA4F;AAC5F,+CAA+C;AAC/C,qCAAqC;AACrC,gEAAgE;AAChE,YAAY;AACZ,+BAA+B;AAC/B,gFAAgF;AAChF,oDAAoD;AACpD,cAAc;AACd,sFAAsF;AACtF,yBAAyB;AACzB,KAAK;AAEL,kBAAe,MAAM,CAAA"}

package/lib/oauth2/logout.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+var express = require("express");
+var url = require("url");
+var config_1 = require("./config");
+var csrf = require('csurf');
+var urljoin = require('url-join');
+// Sets up csrf protection
+var csrfProtection = csrf({ cookie: true });
+var router = express.Router();
+router.get('/', csrfProtection, function (req, res, next) {
+    // Parses the URL query
+    var query = url.parse(req.url, true).query;
+    // The challenge is used to fetch information about the logout request from ORY Hydra.
+    var challenge = String(query.logout_challenge);
+    if (!challenge) {
+        next(new Error('Expected a logout challenge to be set but received none.'));
+        return;
+    }
+    config_1.hydraAdmin
+        .getLogoutRequest(challenge)
+        // This will be called if the HTTP request was successful
+        .then(function () {
+        // Here we have access to e.g. response.subject, response.sid, ...
+        // The most secure way to perform a logout request is by asking the user if he/she really want to log out.
+        return res.status(200).send({
+            csrfToken: req.csrfToken(),
+            challenge: challenge,
+            action: urljoin(process.env.BASE_URL || '', '/logout')
+        });
+    })
+        // This will handle any error that happens when making HTTP calls to hydra
+        .catch(next);
+});
+router.post('/', csrfProtection, function (req, res, next) {
+    // The challenge is now a hidden input field, so let's take it from the request body instead
+    var challenge = req.body.challenge;
+    if (req.body.submit === 'No') {
+        return (config_1.hydraAdmin
+            .rejectLogoutRequest(challenge)
+            .then(function () {
+            // The user did not want to log out. Let's redirect him back somewhere or do something else.
+            res.redirect('https://www.ory.sh/');
+        })
+            // This will handle any error that happens when making HTTP calls to hydra
+            .catch(next));
+    }
+    // The user agreed to log out, let's accept the logout request.
+    config_1.hydraAdmin
+        .acceptLogoutRequest(challenge)
+        .then(function (_a) {
+        var body = _a.data;
+        // All we need to do now is to redirect the user back to hydra!
+        res.redirect(String(body.redirect_to));
+    })
+        // This will handle any error that happens when making HTTP calls to hydra
+        .catch(next);
+});
+exports.default = router;
+//# sourceMappingURL=logout.js.map

package/lib/oauth2/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/oauth2/logout.ts"],"names":[],"mappings":";;AAAA,iCAAkC;AAClC,yBAA0B;AAC1B,mCAAqC;AACrC,IAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAC9B,IAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACpC,0BAA0B;AAC1B,IAAM,cAAc,GAAG,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;AAC7C,IAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;AAE/B,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC7C,uBAAuB;IACvB,IAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,KAAK,CAAA;IAE5C,sFAAsF;IACtF,IAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAChD,IAAI,CAAC,SAAS,EAAE;QACd,IAAI,CAAC,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC,CAAA;QAC3E,OAAM;KACP;IAED,mBAAU;SACP,gBAAgB,CAAC,SAAS,CAAC;QAC5B,yDAAyD;SACxD,IAAI,CAAC;QACJ,kEAAkE;QAElE,0GAA0G;QAC1G,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YAC1B,SAAS,EAAG,GAAW,CAAC,SAAS,EAAE;YACnC,SAAS,EAAE,SAAS;YACpB,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,EAAE,SAAS,CAAC;SACvD,CAAC,CAAA;IACJ,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;AAChB,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,UAAC,GAAG,EAAE,GAAG,EAAE,IAAI;IAC9C,4FAA4F;IAC5F,IAAM,SAAS,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,CAAA;IAEpC,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE;QAC5B,OAAO,CACL,mBAAU;aACP,mBAAmB,CAAC,SAAS,CAAC;aAC9B,IAAI,CAAC;YACJ,4FAA4F;YAC5F,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAA;QACrC,CAAC,CAAC;YACF,0EAA0E;aACzE,KAAK,CAAC,IAAI,CAAC,CACf,CAAA;KACF;IAED,+DAA+D;IAC/D,mBAAU;SACP,mBAAmB,CAAC,SAAS,CAAC;SAC9B,IAAI,CAAC,UAAC,EAAc;YAAN,IAAI,UAAA;QACjB,+DAA+D;QAC/D,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;IACxC,CAAC,CAAC;QACF,0EAA0E;SACzE,KAAK,CAAC,IAAI,CAAC,CAAA;AAChB,CAAC,CAAC,CAAA;AAEF,kBAAe,MAAM,CAAA"}

package/lib/oauth2/stub/oidc-cert.js

@@ -0,0 +1,67 @@
+"use strict";
+// This file contains logic which is used when running this application as part of the
+// OpenID Connect Conformance test suite. You can use it for inspiration, but please
+// do not use it in production as is.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcConformityMaybeFakeSession = exports.oidcConformityMaybeFakeAcr = void 0;
+var tslib_1 = require("tslib");
+var oidcConformityMaybeFakeAcr = function (request, fallback) {
+    var _a;
+    if (process.env.CONFORMITY_FAKE_CLAIMS !== '1') {
+        return fallback;
+    }
+    return ((_a = request.oidc_context) === null || _a === void 0 ? void 0 : _a.acr_values) &&
+        request.oidc_context.acr_values.length > 0
+        ? request.oidc_context.acr_values[request.oidc_context.acr_values.length - 1]
+        : fallback;
+};
+exports.oidcConformityMaybeFakeAcr = oidcConformityMaybeFakeAcr;
+var oidcConformityMaybeFakeSession = function (grantScope, request, session) {
+    if (process.env.CONFORMITY_FAKE_CLAIMS !== '1') {
+        return session;
+    }
+    var idToken = {};
+    // If the email scope was granted, fake the email claims.
+    if (grantScope.indexOf('email') > -1) {
+        // But only do so if the email was requested!
+        idToken.email = 'foo@bar.com';
+        idToken.email_verified = true;
+    }
+    // If the phone scope was granted, fake the phone claims.
+    if (grantScope.indexOf('phone') > -1) {
+        idToken.phone_number = '1337133713371337';
+        idToken.phone_number_verified = true;
+    }
+    // If the profile scope was granted, fake the profile claims.
+    if (grantScope.indexOf('profile') > -1) {
+        idToken.name = 'Foo Bar';
+        idToken.given_name = 'Foo';
+        idToken.family_name = 'Bar';
+        idToken.website = 'https://www.ory.sh';
+        idToken.zoneinfo = 'Europe/Belrin';
+        idToken.birthdate = '1.1.2014';
+        idToken.gender = 'robot';
+        idToken.profile = 'https://www.ory.sh';
+        idToken.preferred_username = 'robot';
+        idToken.middle_name = 'Baz';
+        idToken.locale = 'en-US';
+        idToken.picture =
+            'https://raw.githubusercontent.com/ory/web/master/static/images/favico.png';
+        idToken.updated_at = 1604416603;
+        idToken.nickname = 'foobot';
+    }
+    // If the address scope was granted, fake the address claims.
+    if (grantScope.indexOf('address') > -1) {
+        idToken.address = {
+            country: 'Localhost',
+            region: 'Intranet',
+            street_address: 'Local Street 1337'
+        };
+    }
+    return {
+        access_token: session.access_token,
+        id_token: tslib_1.__assign(tslib_1.__assign({}, idToken), session.id_token)
+    };
+};
+exports.oidcConformityMaybeFakeSession = oidcConformityMaybeFakeSession;
+//# sourceMappingURL=oidc-cert.js.map

package/lib/oauth2/stub/oidc-cert.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-cert.js","sourceRoot":"","sources":["../../../src/oauth2/stub/oidc-cert.ts"],"names":[],"mappings":";AAAA,sFAAsF;AACtF,oFAAoF;AACpF,qCAAqC;;;;AAQ9B,IAAM,0BAA0B,GAAG,UACxC,OAAqB,EACrB,QAAgB;;IAEhB,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG,EAAE;QAC9C,OAAO,QAAQ,CAAA;KAChB;IAED,OAAO,CAAA,MAAA,OAAO,CAAC,YAAY,0CAAE,UAAU;QACrC,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;QAC1C,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,UAAU,CAC7B,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAC3C;QACH,CAAC,CAAC,QAAQ,CAAA;AACd,CAAC,CAAA;AAdY,QAAA,0BAA0B,8BActC;AAEM,IAAM,8BAA8B,GAAG,UAC5C,UAAoB,EACpB,OAAuB,EACvB,OAA8B;IAE9B,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG,EAAE;QAC9C,OAAO,OAAO,CAAA;KACf;IAED,IAAM,OAAO,GAA2B,EAAE,CAAA;IAE1C,yDAAyD;IACzD,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE;QACpC,6CAA6C;QAC7C,OAAO,CAAC,KAAK,GAAG,aAAa,CAAA;QAC7B,OAAO,CAAC,cAAc,GAAG,IAAI,CAAA;KAC9B;IAED,yDAAyD;IACzD,IAAI,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE;QACpC,OAAO,CAAC,YAAY,GAAG,kBAAkB,CAAA;QACzC,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAA;KACrC;IAED,6DAA6D;IAC7D,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE;QACtC,OAAO,CAAC,IAAI,GAAG,SAAS,CAAA;QACxB,OAAO,CAAC,UAAU,GAAG,KAAK,CAAA;QAC1B,OAAO,CAAC,WAAW,GAAG,KAAK,CAAA;QAC3B,OAAO,CAAC,OAAO,GAAG,oBAAoB,CAAA;QACtC,OAAO,CAAC,QAAQ,GAAG,eAAe,CAAA;QAClC,OAAO,CAAC,SAAS,GAAG,UAAU,CAAA;QAC9B,OAAO,CAAC,MAAM,GAAG,OAAO,CAAA;QACxB,OAAO,CAAC,OAAO,GAAG,oBAAoB,CAAA;QACtC,OAAO,CAAC,kBAAkB,GAAG,OAAO,CAAA;QACpC,OAAO,CAAC,WAAW,GAAG,KAAK,CAAA;QAC3B,OAAO,CAAC,MAAM,GAAG,OAAO,CAAA;QACxB,OAAO,CAAC,OAAO;YACb,2EAA2E,CAAA;QAC7E,OAAO,CAAC,UAAU,GAAG,UAAU,CAAA;QAC/B,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAA;KAC5B;IAED,6DAA6D;IAC7D,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE;QACtC,OAAO,CAAC,OAAO,GAAG;YAChB,OAAO,EAAE,WAAW;YACpB,MAAM,EAAE,UAAU;YAClB,cAAc,EAAE,mBAAmB;SACpC,CAAA;KACF;IAED,OAAO;QACL,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,wCACH,OAAO,GACP,OAAO,CAAC,QAAQ,CACpB;KACF,CAAA;AACH,CAAC,CAAA;AA3DY,QAAA,8BAA8B,kCA2D1C"}

package/lib/saml-idp/config.js

@@ -0,0 +1,82 @@
+/**
+ * User Profile
+ */
+var profile = {
+    userName: 'zhuangjianguo@steedos.com',
+    nameIdFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+    firstName: 'Jack',
+    lastName: 'Zhuang',
+    displayName: 'Jack Zhuang',
+    email: 'zhuangjianguo@steedos.com',
+    mobilePhone: '+86-01777701',
+    groups: 'Users'
+};
+/**
+ * SAML Attribute Metadata
+ */
+var metadata = [
+    // {
+    //   id: "firstName",
+    //   optional: false,
+    //   displayName: 'First Name',
+    //   description: 'The given name of the user',
+    //   multiValue: false
+    // }, {
+    //   id: "lastName",
+    //   optional: false,
+    //   displayName: 'Last Name',
+    //   description: 'The surname of the user',
+    //   multiValue: false
+    // }, 
+    {
+        id: "userId",
+        optional: true,
+        displayName: 'User Id',
+        description: 'The id of the user',
+        multiValue: false
+    },
+    {
+        id: "username",
+        optional: true,
+        displayName: 'User Name',
+        description: 'The username of the user',
+        multiValue: false
+    },
+    {
+        id: "name",
+        optional: true,
+        displayName: 'Display Name',
+        description: 'The display name of the user',
+        multiValue: false
+    }, {
+        id: "email",
+        optional: false,
+        displayName: 'E-Mail Address',
+        description: 'The e-mail address of the user',
+        multiValue: false
+    }, {
+        id: "mobile",
+        optional: true,
+        displayName: 'Mobile',
+        description: 'The mobile phone of the user',
+        multiValue: false
+    },
+    // {
+    //   id: "groups",
+    //   optional: true,
+    //   displayName: 'Groups',
+    //   description: 'Group memberships of the user',
+    //   multiValue: true
+    // }, {
+    //   id: "userType",
+    //   optional: true,
+    //   displayName: 'User Type',
+    //   description: 'The type of user',
+    //   options: ['Admin', 'User']
+    // }
+];
+module.exports = {
+    user: profile,
+    metadata: metadata
+};
+//# sourceMappingURL=config.js.map

package/lib/saml-idp/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/saml-idp/config.js"],"names":[],"mappings":"AACA;;GAEG;AACH,IAAI,OAAO,GAAG;IACV,QAAQ,EAAE,2BAA2B;IACrC,YAAY,EAAE,wDAAwD;IACtE,SAAS,EAAE,MAAM;IACjB,QAAQ,EAAE,QAAQ;IAClB,WAAW,EAAE,aAAa;IAC1B,KAAK,EAAE,2BAA2B;IAClC,WAAW,EAAE,cAAc;IAC3B,MAAM,EAAE,OAAO;CAChB,CAAA;AAED;;GAEG;AACH,IAAI,QAAQ,GAAG;IACf,IAAI;IACJ,qBAAqB;IACrB,qBAAqB;IACrB,+BAA+B;IAC/B,+CAA+C;IAC/C,sBAAsB;IACtB,OAAO;IACP,oBAAoB;IACpB,qBAAqB;IACrB,8BAA8B;IAC9B,4CAA4C;IAC5C,sBAAsB;IACtB,MAAM;IACN;QACE,EAAE,EAAE,QAAQ;QACZ,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,SAAS;QACtB,WAAW,EAAE,oBAAoB;QACjC,UAAU,EAAE,KAAK;KAClB;IACD;QACE,EAAE,EAAE,UAAU;QACd,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,WAAW;QACxB,WAAW,EAAE,0BAA0B;QACvC,UAAU,EAAE,KAAK;KAClB;IACD;QACE,EAAE,EAAE,MAAM;QACV,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,cAAc;QAC3B,WAAW,EAAE,8BAA8B;QAC3C,UAAU,EAAE,KAAK;KAClB,EAAE;QACD,EAAE,EAAE,OAAO;QACX,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,gBAAgB;QAC7B,WAAW,EAAE,gCAAgC;QAC7C,UAAU,EAAE,KAAK;KAClB,EAAC;QACA,EAAE,EAAE,QAAQ;QACZ,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,QAAQ;QACrB,WAAW,EAAE,8BAA8B;QAC3C,UAAU,EAAE,KAAK;KAClB;IACD,IAAI;IACJ,kBAAkB;IAClB,oBAAoB;IACpB,2BAA2B;IAC3B,kDAAkD;IAClD,qBAAqB;IACrB,OAAO;IACP,oBAAoB;IACpB,oBAAoB;IACpB,8BAA8B;IAC9B,qCAAqC;IACrC,+BAA+B;IAC/B,IAAI;CACL,CAAC;AAEA,MAAM,CAAC,OAAO,GAAG;IACf,IAAI,EAAE,OAAO;IACb,QAAQ,EAAE,QAAQ;CACnB,CAAA"}