@tinyrack/tinyauth-server 0.0.16 → 0.2.0
- package/dist/emails/components/email-layout.d.ts +1 -1
- package/dist/emails/components/email-layout.d.ts.map +1 -1
- package/dist/emails/templates/password-reset.d.ts +1 -1
- package/dist/emails/templates/password-reset.d.ts.map +1 -1
- package/dist/emails/templates/verification.d.ts +1 -1
- package/dist/emails/templates/verification.d.ts.map +1 -1
- package/dist/entities/background-job.entity.d.ts +42 -42
- package/dist/entities/background-job.entity.d.ts.map +1 -1
- package/dist/entities/base.entity.d.ts +8 -8
- package/dist/entities/base.entity.d.ts.map +1 -1
- package/dist/entities/bootstrap-state.entity.d.ts +15 -15
- package/dist/entities/bootstrap-state.entity.d.ts.map +1 -1
- package/dist/entities/email-verification.entity.d.ts +33 -27
- package/dist/entities/email-verification.entity.d.ts.map +1 -1
- package/dist/entities/jwt-key.entity.d.ts +36 -36
- package/dist/entities/jwt-key.entity.d.ts.map +1 -1
- package/dist/entities/oauth-client.entity.d.ts +519 -471
- package/dist/entities/oauth-client.entity.d.ts.map +1 -1
- package/dist/entities/oauth-code.entity.d.ts +519 -471
- package/dist/entities/oauth-code.entity.d.ts.map +1 -1
- package/dist/entities/password-reset.entity.d.ts +33 -27
- package/dist/entities/password-reset.entity.d.ts.map +1 -1
- package/dist/entities/pending-oauth-registration.entity.d.ts +39 -39
- package/dist/entities/pending-oauth-registration.entity.d.ts.map +1 -1
- package/dist/entities/revoked-token.entity.d.ts +519 -471
- package/dist/entities/revoked-token.entity.d.ts.map +1 -1
- package/dist/entities/scheduler-job.entity.d.ts +48 -48
- package/dist/entities/scheduler-job.entity.d.ts.map +1 -1
- package/dist/entities/terms-content.entity.d.ts +279 -249
- package/dist/entities/terms-content.entity.d.ts.map +1 -1
- package/dist/entities/terms.entity.d.ts +279 -249
- package/dist/entities/terms.entity.d.ts.map +1 -1
- package/dist/entities/user-consent.entity.d.ts +519 -471
- package/dist/entities/user-consent.entity.d.ts.map +1 -1
- package/dist/entities/user-oauth.entity.d.ts +36 -30
- package/dist/entities/user-oauth.entity.d.ts.map +1 -1
- package/dist/entities/user-passkey.entity.d.ts +45 -39
- package/dist/entities/user-passkey.entity.d.ts.map +1 -1
- package/dist/entities/user-terms-consent.entity.d.ts +279 -249
- package/dist/entities/user-terms-consent.entity.d.ts.map +1 -1
- package/dist/entities/user-totp-recovery-code.entity.d.ts +177 -159
- package/dist/entities/user-totp-recovery-code.entity.d.ts.map +1 -1
- package/dist/entities/user-totp.entity.d.ts +177 -159
- package/dist/entities/user-totp.entity.d.ts.map +1 -1
- package/dist/entities/user.entity.d.ts +177 -159
- package/dist/entities/user.entity.d.ts.map +1 -1
- package/dist/entrypoints/app.d.ts +8 -1
- package/dist/entrypoints/app.d.ts.map +1 -1
- package/dist/entrypoints/app.js +5 -0
- package/dist/entrypoints/app.js.map +1 -1
- package/dist/entrypoints/database/postgres/compiled-functions.js +1 -1
- package/dist/entrypoints/database/postgres/compiled-functions.js.map +1 -1
- package/dist/entrypoints/database/sqlite/compiled-functions.js +1 -1
- package/dist/entrypoints/database/sqlite/compiled-functions.js.map +1 -1
- package/dist/lib/config/client.d.ts.map +1 -1
- package/dist/lib/config/client.js +5 -1
- package/dist/lib/config/client.js.map +1 -1
- package/dist/lib/config/identity-providers.d.ts.map +1 -1
- package/dist/lib/config/identity-providers.js +10 -33
- package/dist/lib/config/identity-providers.js.map +1 -1
- package/dist/lib/config/url-policy.d.ts +4 -0
- package/dist/lib/config/url-policy.d.ts.map +1 -0
- package/dist/lib/config/url-policy.js +38 -0
- package/dist/lib/config/url-policy.js.map +1 -0
- package/dist/lib/pkce.d.ts.map +1 -1
- package/dist/lib/pkce.js +3 -0
- package/dist/lib/pkce.js.map +1 -1
- package/dist/middleware/csrf.d.ts +2 -0
- package/dist/middleware/csrf.d.ts.map +1 -0
- package/dist/middleware/csrf.js +51 -0
- package/dist/middleware/csrf.js.map +1 -0
- package/dist/repositories/revoked-token.repository.d.ts +20 -0
- package/dist/repositories/revoked-token.repository.d.ts.map +1 -1
- package/dist/repositories/revoked-token.repository.js +44 -1
- package/dist/repositories/revoked-token.repository.js.map +1 -1
- package/dist/repositories/user-passkey.repository.d.ts +45 -39
- package/dist/repositories/user-passkey.repository.d.ts.map +1 -1
- package/dist/repositories/user-totp-recovery-code.repository.d.ts +118 -106
- package/dist/repositories/user-totp-recovery-code.repository.d.ts.map +1 -1
- package/dist/repositories/user-totp.repository.d.ts +177 -159
- package/dist/repositories/user-totp.repository.d.ts.map +1 -1
- package/dist/routes/api/oauth/_provider/authorize/get.d.ts.map +1 -1
- package/dist/routes/api/oauth/_provider/authorize/get.js +13 -1
- package/dist/routes/api/oauth/_provider/authorize/get.js.map +1 -1
- package/dist/routes/api/oauth/_provider/callback/post.d.ts.map +1 -1
- package/dist/routes/api/oauth/_provider/callback/post.js +30 -1
- package/dist/routes/api/oauth/_provider/callback/post.js.map +1 -1
- package/dist/routes/index.d.ts +8 -1
- package/dist/routes/index.d.ts.map +1 -1
- package/dist/routes/oauth/.well-known/openid-configuration/get.d.ts +4 -0
- package/dist/routes/oauth/.well-known/openid-configuration/get.d.ts.map +1 -1
- package/dist/routes/oauth/.well-known/openid-configuration/get.js +25 -2
- package/dist/routes/oauth/.well-known/openid-configuration/get.js.map +1 -1
- package/dist/routes/oauth/authorize/get.d.ts +2 -0
- package/dist/routes/oauth/authorize/get.d.ts.map +1 -1
- package/dist/routes/oauth/authorize/get.js +4 -0
- package/dist/routes/oauth/authorize/get.js.map +1 -1
- package/dist/routes/oauth/index.d.ts +8 -1
- package/dist/routes/oauth/index.d.ts.map +1 -1
- package/dist/routes/oauth/introspect/post.d.ts +1 -0
- package/dist/routes/oauth/introspect/post.d.ts.map +1 -1
- package/dist/routes/oauth/token/post.d.ts +1 -1
- package/dist/routes/oauth/token/post.d.ts.map +1 -1
- package/dist/routes/oauth/token/post.js +1 -0
- package/dist/routes/oauth/token/post.js.map +1 -1
- package/dist/routes/oauth/userinfo/get.d.ts.map +1 -1
- package/dist/routes/oauth/userinfo/get.js +3 -0
- package/dist/routes/oauth/userinfo/get.js.map +1 -1
- package/dist/schemas/error.d.ts +75 -0
- package/dist/schemas/error.d.ts.map +1 -1
- package/dist/schemas/error.js +3 -0
- package/dist/schemas/error.js.map +1 -1
- package/dist/schemas/field.d.ts +1 -6
- package/dist/schemas/field.d.ts.map +1 -1
- package/dist/schemas/field.js +2 -3
- package/dist/schemas/field.js.map +1 -1
- package/dist/schemas/oauth.d.ts +1 -1
- package/dist/schemas/oauth.js +1 -1
- package/dist/schemas/oauth.js.map +1 -1
- package/dist/schemas/response.d.ts +1 -1
- package/dist/services/jwt.service.d.ts +5 -0
- package/dist/services/jwt.service.d.ts.map +1 -1
- package/dist/services/jwt.service.js +31 -16
- package/dist/services/jwt.service.js.map +1 -1
- package/dist/services/oauth-authorize.service.d.ts +5 -1
- package/dist/services/oauth-authorize.service.d.ts.map +1 -1
- package/dist/services/oauth-authorize.service.js +65 -16
- package/dist/services/oauth-authorize.service.js.map +1 -1
- package/dist/services/oauth-client.service.d.ts +1 -0
- package/dist/services/oauth-client.service.d.ts.map +1 -1
- package/dist/services/oauth-client.service.js +5 -0
- package/dist/services/oauth-client.service.js.map +1 -1
- package/dist/services/oauth-connect.service.d.ts +1 -0
- package/dist/services/oauth-connect.service.d.ts.map +1 -1
- package/dist/services/oauth-connect.service.js +61 -7
- package/dist/services/oauth-connect.service.js.map +1 -1
- package/dist/services/oauth-token.service.d.ts +8 -1
- package/dist/services/oauth-token.service.d.ts.map +1 -1
- package/dist/services/oauth-token.service.js +111 -30
- package/dist/services/oauth-token.service.js.map +1 -1
- package/package.json +28 -28
- package/public/assets/index-5_9rzim1.css +2 -0
- package/public/assets/index-BTGeW26-.js +75 -0
- package/public/assets/index-BTGeW26-.js.map +1 -0
- package/public/index.html +2 -2
- package/readme.md +74 -25
- package/public/assets/index-6odabbrQ.css +0 -1
- package/public/assets/index-CLq6d6iO.js +0 -76
- package/public/assets/index-CLq6d6iO.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/lib/config/client.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/lib/config/client.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAQpB;;;GAGG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;oBAuC4B,CAAC;AAE5D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D,eAAO,MAAM,sBAAsB,EAAE,YAAY,EAAO,CAAC;AAEzD,eAAO,MAAM,mBAAmB;;;;;;;;;;sBAGiC,CAAC"}
|
|
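--- a/package/dist/lib/config/client.js
+++ b/package/dist/lib/config/client.js
@@ -1,4 +1,8 @@
 import z from 'zod';
+import { isSecureRedirectUri } from './url-policy.js';
+const RedirectUriSchema = z.string().refine(isSecureRedirectUri, {
+message: 'Redirect URI must use HTTPS or local HTTP and must not contain fragments or wildcards.',
+});
 /**
 * OAuth/OIDC client configuration.
 * Defines applications that can authenticate through TinyAuth.
@@ -25,7 +29,7 @@ export const ClientConfigSchema = z
 .optional()
 .describe('OAuth client_secret for confidential clients. Omit for public clients.'),
 redirect_uris: z
-.array(
+.array(RedirectUriSchema)
 .describe('Allowed redirect URIs after authorization.'),
 response_types: z
 .array(z.string())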
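Review bot: `RedirectUriSchema` (lines 3–5 of the first hunk) carries no comment explaining what `isSecureRedirectUri` enforces, so a reader of this file has to open url-policy.js to learn that only `https:` and loopback/localhost `http:` URIs pass and that any `*` or fragment is rejected. Suggest a JSDoc above it such as `/** Redirect URIs must be absolute https: URLs (or http: on localhost/loopback); wildcards and fragments are rejected — see isSecureRedirectUri in ./url-policy.js. */`. The same policy also rejects private-use-scheme redirect URIs that native apps sometimes register (constructed example: `com.example.app:/cb`); if that is intended, saying so in the `message` string would save support questions. `ClientConfigSchema` starts before the second hunk and continues past it.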
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/lib/config/client.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/lib/config/client.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEtD,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,mBAAmB,EAAE;IAC/D,OAAO,EACL,wFAAwF;CAC3F,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC;KAChC,MAAM,CAAC;IACN,EAAE,EAAE,CAAC;SACF,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,GAAG,CAAC;SACR,QAAQ,CAAC,qCAAqC,CAAC;IAClD,IAAI,EAAE,CAAC;SACJ,MAAM,EAAE;SACR,QAAQ,CAAC,iDAAiD,CAAC;IAC9D,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,qCAAqC,CAAC;IAClD,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,QAAQ,CAAC,iDAAiD,CAAC;IAC9D,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CACP,wEAAwE,CACzE;IACH,aAAa,EAAE,CAAC;SACb,KAAK,CAAC,iBAAiB,CAAC;SACxB,QAAQ,CAAC,4CAA4C,CAAC;IACzD,cAAc,EAAE,CAAC;SACd,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,CAAC,8CAA8C,CAAC;IAC3D,WAAW,EAAE,CAAC;SACX,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,CACP,0EAA0E,CAC3E;IACH,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,QAAQ,CAAC,yDAAyD,CAAC;CACvE,CAAC;KACD,MAAM,EAAE;KACR,QAAQ,CAAC,8CAA8C,CAAC,CAAC;AAI5D,MAAM,CAAC,MAAM,sBAAsB,GAAmB,EAAE,CAAC;AAEzD,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC;KACjC,KAAK,CAAC,kBAAkB,CAAC;KACzB,OAAO,CAAC,sBAAsB,CAAC;KAC/B,QAAQ,CAAC,oDAAoD,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-providers.d.ts","sourceRoot":"","sources":["../../../src/lib/config/identity-providers.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-providers.d.ts","sourceRoot":"","sources":["../../../src/lib/config/identity-providers.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAuCpB,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oBA+De,CAAC;AAEzD,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAC1C,OAAO,4BAA4B,CACpC,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,sBAAsB,EAAO,CAAC;AAE9E,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAGuB,CAAC"}
|
|
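--- a/package/dist/lib/config/identity-providers.js
+++ b/package/dist/lib/config/identity-providers.js
@@ -1,26 +1,9 @@
 import z from 'zod';
-
-
-.
-
-
-const { hostname, protocol } = new URL(value);
-if (protocol === 'https:') {
-return true;
-}
-return protocol === 'http:' && isLocalHttpHostname(hostname);
-}
-catch {
-return false;
-}
-}, { message: 'JWKS URL must use HTTPS or local HTTP.' });
-function isLocalHttpHostname(hostname) {
-return (hostname === 'localhost' ||
-hostname.endsWith('.localhost') ||
-hostname === '127.0.0.1' ||
-hostname === '[::1]' ||
-hostname === '::1');
-}
+import { isHttpsOrLocalHttpUrl } from './url-policy.js';
+const SecureEndpointUrlSchema = z.string().refine(isHttpsOrLocalHttpUrl, {
+message: 'URL must use HTTPS or local HTTP.',
+});
+const JwksUrlSchema = SecureEndpointUrlSchema.describe('JWKS endpoint URL for providers that verify ID tokens.');
 const UserinfoMappingConfigSchema = z
 .object({
 id: z
@@ -60,22 +43,16 @@ export const IdentityProviderConfigSchema = z
 client_secret: z
 .string()
 .describe('OAuth client secret from the provider.'),
-authorization_url:
-token_url:
-userinfo_url:
-
-.nullable()
-.describe('OAuth userinfo endpoint URL.'),
-jwks_url: JwksUrlSchema.optional().describe('JWKS endpoint URL for providers that verify ID tokens.'),
+authorization_url: SecureEndpointUrlSchema.describe('OAuth authorization endpoint URL.'),
+token_url: SecureEndpointUrlSchema.describe('OAuth token endpoint URL.'),
+userinfo_url: SecureEndpointUrlSchema.nullable().describe('OAuth userinfo endpoint URL.'),
+jwks_url: JwksUrlSchema.optional(),
 issuer: z
 .string()
 .url()
 .optional()
 .describe('Expected issuer for ID tokens verified with JWKS.'),
-email_url:
-.string()
-.optional()
-.describe('Separate endpoint URL for fetching user email.'),
+email_url: SecureEndpointUrlSchema.optional().describe('Separate endpoint URL for fetching user email.'),
 scopes: z
 .array(z.string())
 .describe('OAuth scopes to request from the provider.'),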
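Review bot: `SecureEndpointUrlSchema` (new lines 3–5 of the first hunk) replaces the inline refine but has no comment saying why non-local `http:` is refused for `authorization_url`, `token_url`, `userinfo_url`, `email_url` and `jwks_url`; suggest `// Provider endpoints receive the client secret and bearer tokens, so only https: (or http: on loopback for local development) is accepted.` above it. `issuer` (lines 50–54 of the second hunk) stays `z.string().url()`, which still admits a plain `http:` issuer; that is presumably fine because it is only compared against the ID token's `iss` claim and never fetched, but a one-line comment stating that would make the asymmetry look deliberate. The `IdentityProviderConfigSchema` object begins before the second hunk and continues past it.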
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"identity-providers.js","sourceRoot":"","sources":["../../../src/lib/config/identity-providers.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;
|
|
1
|
+
{"version":3,"file":"identity-providers.js","sourceRoot":"","sources":["../../../src/lib/config/identity-providers.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AACpB,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAExD,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,qBAAqB,EAAE;IACvE,OAAO,EAAE,mCAAmC;CAC7C,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,uBAAuB,CAAC,QAAQ,CACpD,wDAAwD,CACzD,CAAC;AAEF,MAAM,2BAA2B,GAAG,CAAC;KAClC,MAAM,CAAC;IACN,EAAE,EAAE,CAAC;SACF,MAAM,EAAE;SACR,QAAQ,CAAC,sDAAsD,CAAC;IACnE,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,QAAQ,CAAC,oDAAoD,CAAC;IACjE,cAAc,EAAE,CAAC;SACd,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CACP,kEAAkE,CACnE;IACH,IAAI,EAAE,CAAC;SACJ,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,2DAA2D,CAAC;IACxE,OAAO,EAAE,CAAC;SACP,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CACP,kEAAkE,CACnE;CACJ,CAAC;KACD,MAAM,EAAE;KACR,QAAQ,CAAC,yDAAyD,CAAC,CAAC;AAEvE,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC;KAC1C,MAAM,CAAC;IACN,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IAC/D,IAAI,EAAE,CAAC;SACJ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC;SACpD,QAAQ,CAAC,yBAAyB,CAAC;IACtC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;IAC3E,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,uCAAuC,CAAC;IAC1E,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,mDAAmD,CAAC;IAChE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IACpE,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,QAAQ,CAAC,wCAAwC,CAAC;IACrD,iBAAiB,EAAE,uBAAuB,CAAC,QAAQ,CACjD,mCAAmC,CACpC;IACD,SAAS,EAAE,uBAAuB,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IACxE,YAAY,EAAE,uBAAuB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CACvD,8BAA8B,CAC/B;IACD,QAAQ,EAAE,aAAa,CAAC,QAAQ,EAAE;IAClC,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,QAAQ,CAAC,mDAAmD,CAAC;IAChE,SAAS,EAAE,uBAAuB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CACpD,gDAAgD,CACjD;IACD,MAAM,EAAE,CAAC;SACN,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,CAAC,4CAA4C,CAAC;IACzD,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,qDAAqD,CAAC;IAClE,uBAAuB,EAAE,CAAC;SACvB,IAAI,CAAC,CAAC,WAAW,EAAE,cAAc,CA
AC,CAAC;SACnC,QAAQ,CACP,iDAAiD;QAC/C,6EAA6E,CAChF;IACH,gBAAgB,EAAE,2BAA2B;CAC9C,CAAC;KACD,WAAW,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;IAC7B,IACE,QAAQ,CAAC,IAAI,KAAK,eAAe;QACjC,QAAQ,CAAC,YAAY,KAAK,IAAI;QAC9B,QAAQ,CAAC,QAAQ;QACjB,CAAC,QAAQ,CAAC,MAAM,EAChB,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,OAAO,EACL,mEAAmE;SACtE,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC;KACD,MAAM,EAAE;KACR,QAAQ,CAAC,2CAA2C,CAAC,CAAC;AAMzD,MAAM,CAAC,MAAM,iCAAiC,GAA6B,EAAE,CAAC;AAE9E,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC;KAC3C,KAAK,CAAC,4BAA4B,CAAC;KACnC,OAAO,CAAC,iCAAiC,CAAC;KAC1C,QAAQ,CAAC,oDAAoD,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"url-policy.d.ts","sourceRoot":"","sources":["../../../src/lib/config/url-policy.ts"],"names":[],"mappings":"AAeA,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQ7D;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAY5D;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAU1D"}
|
|
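--- a/package/dist/lib/config/url-policy.js
+++ b/package/dist/lib/config/url-policy.js
@@ -0,0 +1,38 @@
+import { parseIPv4 } from '../ip-utils.js';
+function parseUrl(value) {
+try {
+return new URL(value);
+}
+catch {
+return null;
+}
+}
+function isIPv4Loopback(hostname) {
+const ipv4 = parseIPv4(hostname);
+return ipv4 !== null && (ipv4 & 0xff000000) === 0x7f000000;
+}
+export function isLocalHttpHostname(hostname) {
+return (hostname === 'localhost' ||
+hostname.endsWith('.localhost') ||
+isIPv4Loopback(hostname) ||
+hostname === '[::1]' ||
+hostname === '::1');
+}
+export function isHttpsOrLocalHttpUrl(value) {
+const url = parseUrl(value);
+if (!url) {
+return false;
+}
+if (url.protocol === 'https:') {
+return true;
+}
+return url.protocol === 'http:' && isLocalHttpHostname(url.hostname);
+}
+export function isSecureRedirectUri(value) {
+const url = parseUrl(value);
+if (!url) {
+return false;
+}
+return (!value.includes('*') && url.hash === '' && isHttpsOrLocalHttpUrl(value));
+}
+//# sourceMappingURL=url-policy.js.map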
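Review bot: `isSecureRedirectUri` (line 36) tests `url.hash === ''`, but the WHATWG `URL.hash` getter also returns `''` for an empty fragment, so a redirect URI ending in a bare `#` (constructed example: `https://app.example/cb#`) passes even though RFC 6749 §3.1.2 forbids any fragment component; testing the raw string is tighter: `return !value.includes('*') && !value.includes('#') && isHttpsOrLocalHttpUrl(value);`. With that change the `parseUrl` guard at lines 32–35 becomes redundant, since `isHttpsOrLocalHttpUrl` already returns false for an unparsable value and the value is parsed twice today. `isLocalHttpHostname` (lines 14–20) compares both `'[::1]'` and `'::1'`; a comment noting that `URL.hostname` yields the bracketed form while a bare host string yields the other would explain why the pair is needed. `isIPv4Loopback` depends on `parseIPv4` from `../ip-utils.js`, which is not in this diff; the `& 0xff000000` test presumably assumes it returns the address as a 32-bit integer, and that contract is worth stating in a comment.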
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"url-policy.js","sourceRoot":"","sources":["../../../src/lib/config/url-policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,SAAS,QAAQ,CAAC,KAAa;IAC7B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACjC,OAAO,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC,KAAK,UAAU,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,OAAO,CACL,QAAQ,KAAK,WAAW;QACxB,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC/B,cAAc,CAAC,QAAQ,CAAC;QACxB,QAAQ,KAAK,OAAO;QACpB,QAAQ,KAAK,KAAK,CACnB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAE5B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAE5B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CACL,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,EAAE,IAAI,qBAAqB,CAAC,KAAK,CAAC,CACxE,CAAC;AACJ,CAAC"}
|
package/dist/lib/pkce.d.ts.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/lib/pkce.ts"],"names":[],"mappings":"AAmBA;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAAC,MAAM,GAAE,MAAW;;;;GAWrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,MAAM,GAAG,OAAgB,
|
|
1
|
+
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/lib/pkce.ts"],"names":[],"mappings":"AAmBA;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAAC,MAAM,GAAE,MAAW;;;;GAWrD;AAED;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,MAAM,GAAG,OAAgB,oBAalC"}
|
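--- a/package/dist/lib/pkce.js
+++ b/package/dist/lib/pkce.js
@@ -46,6 +46,9 @@ export async function generatePKCE(length = 64) {
 * @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.6 | RFC 7636 §4.6 - Client Sends the Authorization Code and the Code Verifier to the Token Endpoint}
 */
 export async function validatePKCE(verifier, challenge, method = 'S256') {
+if (method !== 'S256') {
+return false;
+}
 if (!CODE_VERIFIER_PATTERN.test(verifier)) {
 return false;
 }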
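Review bot: The new guard at lines 49–51 makes `validatePKCE` return `false` for any `method` other than `'S256'`, which the caller cannot distinguish from a verifier/challenge mismatch; if the authorization endpoint still accepts `code_challenge_method=plain` when it stores the code, every such code now fails at the token endpoint with no indication why. RFC 7636 §4.4.1 places the rejection of an unsupported transform at the authorization request (`invalid_request`), so the check belongs there as well, or this function should signal the unsupported method distinctly rather than fold it into `false`. The JSDoc block that ends at line 47 (its start is outside the hunk) should also state that only `S256` is accepted now. `validatePKCE` continues past the hunk.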
package/dist/lib/pkce.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/lib/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAExC,MAAM,qBAAqB,GAAG,2BAA2B,CAAC;AAE1D,SAAS,gBAAgB,CAAC,MAAc;IACtC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAwB;IACzE,IAAI,MAAM,KAAK,OAAO;QAAE,OAAO,QAAQ,CAAC;IACxC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO,SAAS,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE;IACpD,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,CAAC,yBAAyB,CAAC,KAAK,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC5D,OAAO;QACL,QAAQ;QACR,SAAS;QACT,MAAM,EAAE,MAAM;KACf,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,SAAiB,EACjB,SAA2B,MAAM;IAEjC,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrE,sBAAsB;IACtB,OAAO,kBAAkB,KAAK,SAAS,CAAC;AAC1C,CAAC"}
|
|
1
|
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/lib/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAExC,MAAM,qBAAqB,GAAG,2BAA2B,CAAC;AAE1D,SAAS,gBAAgB,CAAC,MAAc;IACtC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAwB;IACzE,IAAI,MAAM,KAAK,OAAO;QAAE,OAAO,QAAQ,CAAC;IACxC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACzD,OAAO,SAAS,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE;IACpD,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,CAAC,yBAAyB,CAAC,KAAK,EAAE,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC5D,OAAO;QACL,QAAQ;QACR,SAAS;QACT,MAAM,EAAE,MAAM;KACf,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,SAAiB,EACjB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrE,sBAAsB;IACtB,OAAO,kBAAkB,KAAK,SAAS,CAAC;AAC1C,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/middleware/csrf.ts"],"names":[],"mappings":"AAmBA,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,+DA0ClD"}
|
|
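--- a/package/dist/middleware/csrf.js
+++ b/package/dist/middleware/csrf.js
@@ -0,0 +1,51 @@
+import { getCookie } from 'hono/cookie';
+import { createMiddleware } from 'hono/factory';
+import { e } from "../schemas/error.js";
+const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+const OAUTH_PROVIDER_CALLBACK_PATTERN = /^\/api\/oauth\/[^/]+\/callback$/;
+function normalizeOrigin(value) {
+try {
+return new URL(value).origin;
+}
+catch {
+return undefined;
+}
+}
+function isOAuthProviderCallback(path) {
+return OAUTH_PROVIDER_CALLBACK_PATTERN.test(path);
+}
+export function csrfProtection(publicOrigin) {
+const trustedOrigin = normalizeOrigin(publicOrigin);
+return createMiddleware(async (c, next) => {
+if (SAFE_METHODS.has(c.req.method)) {
+await next();
+return;
+}
+if (isOAuthProviderCallback(c.req.path)) {
+await next();
+return;
+}
+if (!getCookie(c, 'session')) {
+await next();
+return;
+}
+const requestOrigin = c.req.header('Origin');
+if (requestOrigin &&
+trustedOrigin &&
+normalizeOrigin(requestOrigin) === trustedOrigin) {
+await next();
+return;
+}
+const fetchSite = c.req.header('Sec-Fetch-Site');
+if (!requestOrigin && fetchSite === 'same-origin') {
+await next();
+return;
+}
+if (!requestOrigin && !fetchSite && !c.req.header('User-Agent')) {
+await next();
+return;
+}
+throw new e.CsrfViolation.Error();
+});
+}
+//# sourceMappingURL=csrf.js.map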
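Review bot: `csrfProtection` (line 17) silently tolerates an unparsable `publicOrigin`: `normalizeOrigin` returns `undefined`, `trustedOrigin` is falsy, and every browser request that carries an `Origin` header is then rejected at line 48 with nothing pointing at the configuration; failing at construction is clearer: `if (!trustedOrigin) throw new Error('csrfProtection: publicOrigin must be an absolute URL');`. The bypass at line 44 (no `Origin`, no `Sec-Fetch-Site`, no `User-Agent`) is a heuristic for non-browser clients and deserves a comment saying so, since the `session` cookie is the only thing that gates it. The early `next()` at line 28 means requests without a `session` cookie are never checked, so this middleware does not cover login CSRF; the exported function has no JSDoc, and one describing the decision order (safe method → provider callback → no session → Origin match → Sec-Fetch-Site → header-less client → reject) would make that limit explicit. The cookie name `'session'` is hard-coded here; if it is configurable elsewhere, the two will drift.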
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/middleware/csrf.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,CAAC,EAAE,MAAM,qBAAqB,CAAC;AAExC,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;AACzD,MAAM,+BAA+B,GAAG,iCAAiC,CAAC;AAE1E,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,+BAA+B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,YAAoB;IACjD,MAAM,aAAa,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAEpD,OAAO,gBAAgB,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxC,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,IAAI,uBAAuB,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC7C,IACE,aAAa;YACb,aAAa;YACb,eAAe,CAAC,aAAa,CAAC,KAAK,aAAa,EAChD,CAAC;YACD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACjD,IAAI,CAAC,aAAa,IAAI,SAAS,KAAK,aAAa,EAAE,CAAC;YAClD,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,MAAM,IAAI,CAAC,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
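--- a/package/dist/repositories/revoked-token.repository.d.ts
+++ b/package/dist/repositories/revoked-token.repository.d.ts
@@ -8,6 +8,7 @@ import type { IRevokedTokenEntity, TokenType } from '../entities/revoked-token.e
 * by user/client combination.
 */
 export declare class RevokedTokenRepository extends EntityRepository<IRevokedTokenEntity> {
+private grantRevocationJti;
 /**
 * Revoke a single token by its JTI
 *
@@ -21,6 +22,24 @@ export declare class RevokedTokenRepository extends EntityRepository<IRevokedTok
 userSub: string;
 expires_at: Date;
 }): Promise<IRevokedTokenEntity>;
+/**
+* Revoke a single token only if it has not already been revoked.
+*
+* @returns true when this call created the revocation entry.
+*/
+revokeTokenOnce(params: {
+jti: string;
+token_type: TokenType;
+clientId: string;
+userSub: string;
+expires_at: Date;
+}): Promise<boolean>;
+revokeGrant(params: {
+grantId: string;
+clientId: string;
+userSub: string;
+expires_at: Date;
+}): Promise<IRevokedTokenEntity>;
 /**
 * Check if a token is revoked by its JTI
 *
@@ -28,5 +47,6 @@ export declare class RevokedTokenRepository extends EntityRepository<IRevokedTok
 * @returns true if the token is revoked
 */
 isRevoked(jti: string): Promise<boolean>;
+isGrantRevoked(grantId: string): Promise<boolean>;
 }
 //# sourceMappingURL=revoked-token.repository.d.ts.map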
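Review bot: `revokeGrant` (lines 37–42 of the second hunk) and `isGrantRevoked` (line 50 of the third) are the only members of this declaration without a doc comment, while the neighbouring `revokeToken`, `revokeTokenOnce` and `isRevoked` each have one; suggest `/** Revoke every token issued under a grant; stored as a synthetic jti derived from grantId. */` on `revokeGrant` and `/** @returns true if the grant identified by grantId has been revoked. */` on `isGrantRevoked`. The `revokeTokenOnce` comment says it returns true when the call created the entry; adding that false also covers losing a concurrent insert race would match what the implementation in revoked-token.repository.js does. The class declaration continues past each hunk.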
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"revoked-token.repository.d.ts","sourceRoot":"","sources":["../../src/repositories/revoked-token.repository.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"revoked-token.repository.d.ts","sourceRoot":"","sources":["../../src/repositories/revoked-token.repository.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAEjB,MAAM,iBAAiB,CAAC;AACzB,OAAO,KAAK,EACV,mBAAmB,EACnB,SAAS,EACV,MAAM,qCAAqC,CAAC;AAE7C;;;;;;GAMG;AACH,qBAAa,sBAAuB,SAAQ,gBAAgB,CAAC,mBAAmB,CAAC;IAC/E,OAAO,CAAC,kBAAkB;IAI1B;;;;;OAKG;IACG,WAAW,CAAC,MAAM,EAAE;QACxB,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,SAAS,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,IAAI,CAAC;KAClB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAmBhC;;;;OAIG;IACG,eAAe,CAAC,MAAM,EAAE;QAC5B,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,SAAS,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,IAAI,CAAC;KAClB,GAAG,OAAO,CAAC,OAAO,CAAC;IAyBd,WAAW,CAAC,MAAM,EAAE;QACxB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,IAAI,CAAC;KAClB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAUhC;;;;;OAKG;IACG,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxC,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAGxD"}
|
|
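--- a/package/dist/repositories/revoked-token.repository.js
+++ b/package/dist/repositories/revoked-token.repository.js
@@ -1,4 +1,4 @@
-import { EntityRepository } from '@mikro-orm/core';
+import { EntityRepository, UniqueConstraintViolationException, } from '@mikro-orm/core';
 /**
 * Repository for managing revoked tokens
 *
@@ -7,6 +7,9 @@ import { EntityRepository } from '@mikro-orm/core';
 * by user/client combination.
 */
 export class RevokedTokenRepository extends EntityRepository {
+grantRevocationJti(grantId) {
+return `grant:${grantId}`;
+}
 /**
 * Revoke a single token by its JTI
 *
@@ -29,6 +32,43 @@ export class RevokedTokenRepository extends EntityRepository {
 await this.getEntityManager().persist(entity).flush();
 return entity;
 }
+/**
+* Revoke a single token only if it has not already been revoked.
+*
+* @returns true when this call created the revocation entry.
+*/
+async revokeTokenOnce(params) {
+const existing = await this.findOne({ jti: params.jti });
+if (existing) {
+return false;
+}
+const entity = this.create({
+jti: params.jti,
+token_type: params.token_type,
+client: params.clientId,
+user: params.userSub,
+expires_at: params.expires_at,
+});
+try {
+await this.getEntityManager().persist(entity).flush();
+return true;
+}
+catch (error) {
+if (error instanceof UniqueConstraintViolationException) {
+return false;
+}
+throw error;
+}
+}
+async revokeGrant(params) {
+return this.revokeToken({
+jti: this.grantRevocationJti(params.grantId),
+token_type: 'refresh_token',
+clientId: params.clientId,
+userSub: params.userSub,
+expires_at: params.expires_at,
+});
+}
 /**
 * Check if a token is revoked by its JTI
 *
@@ -39,5 +79,8 @@ export class RevokedTokenRepository extends EntityRepository {
 const count = await this.count({ jti });
 return count > 0;
 }
+async isGrantRevoked(grantId) {
+return this.isRevoked(this.grantRevocationJti(grantId));
+}
 }
 //# sourceMappingURL=revoked-token.repository.js.map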
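Review bot: `revokeGrant` (lines 63–71 of the third hunk) stores a grant revocation as a revoked-token row whose `jti` is `grant:<grantId>` and whose `token_type` is `'refresh_token'`, but nothing in the file says so; a reader of that table will take those rows for real refresh tokens, so `grantRevocationJti` (lines 10–12 of the second hunk) needs a comment such as `// Synthetic jti for grant-level revocation; must never collide with a jti minted for a real token.`, and the non-collision assumption (presumably jtis are server-generated random ids, not caller-chosen) should be confirmed where tokens are issued. In `revokeTokenOnce` (lines 40–62), returning `false` on `UniqueConstraintViolationException` relies on a unique index on `jti` in the entity definition, which is not in this diff, and after a failed `flush()` the new entity presumably stays scheduled in the EntityManager's unit of work, so a later flush on the same EM may retry it — worth checking against the MikroORM guidance on recovering from a failed flush. `revokeGrant` goes through `revokeToken` rather than `revokeTokenOnce`, so revoking the same grant twice returns the existing row instead of signalling that it was already revoked; fine if intended, but a comment would help. The class continues past each hunk.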
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"revoked-token.repository.js","sourceRoot":"","sources":["../../src/repositories/revoked-token.repository.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"revoked-token.repository.js","sourceRoot":"","sources":["../../src/repositories/revoked-token.repository.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,kCAAkC,GACnC,MAAM,iBAAiB,CAAC;AAMzB;;;;;;GAMG;AACH,MAAM,OAAO,sBAAuB,SAAQ,gBAAqC;IACvE,kBAAkB,CAAC,OAAe;QACxC,OAAO,SAAS,OAAO,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,MAMjB;QACC,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QACzD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YACzB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,MAAM,CAAC,QAAQ;YACvB,IAAI,EAAE,MAAM,CAAC,OAAO;YACpB,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;QACtD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,MAMrB;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QACzD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YACzB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,MAAM,CAAC,QAAQ;YACvB,IAAI,EAAE,MAAM,CAAC,OAAO;YACpB,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,kCAAkC,EAAE,CAAC;gBACxD,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAKjB;QACC,OAAO,IAAI,CAAC,WAAW,CAAC;YACtB,GAAG,EAAE,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC;YAC5C,UAAU,EAAE,eAAe;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QACxC,OAAO,KAAK,GAAG,CAAC,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAe;QAClC,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,kBAAk
B,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1D,CAAC;CACF"}
|