@txstate-mws/sveltekit-utils 1.2.9 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/unifiedauth.d.ts +40 -0
- package/dist/unifiedauth.js +141 -2
- package/package.json +2 -1
package/dist/unifiedauth.d.ts
CHANGED
|
@@ -21,5 +21,45 @@ export declare const unifiedAuth: {
|
|
|
21
21
|
loginRedirect(api: APIBase, currentUrl: string): URL;
|
|
22
22
|
logout(api: APIBase): void;
|
|
23
23
|
requireAuth(api: APIBase, input: LoadEvent): void;
|
|
24
|
+
/**
|
|
25
|
+
* Start impersonating a user. This will store the current token and replace it with
|
|
26
|
+
* an impersonation token obtained from Unified Auth.
|
|
27
|
+
*
|
|
28
|
+
* The impersonation token will expire in 1 hour.
|
|
29
|
+
*/
|
|
30
|
+
impersonate(api: APIBase, netid: string): Promise<void>;
|
|
31
|
+
/**
|
|
32
|
+
* Exit impersonation and restore the original token.
|
|
33
|
+
*/
|
|
34
|
+
exitImpersonation(api: APIBase): void;
|
|
35
|
+
/**
|
|
36
|
+
* Check if the current token is an impersonation token.
|
|
37
|
+
* Returns { isImpersonating: false } if not impersonating.
|
|
38
|
+
* Returns { isImpersonating: true, impersonatedUser: string, impersonatedBy: string } if impersonating.
|
|
39
|
+
*/
|
|
40
|
+
getImpersonationStatus(api: APIBase): {
|
|
41
|
+
isImpersonating: false;
|
|
42
|
+
} | {
|
|
43
|
+
isImpersonating: true;
|
|
44
|
+
impersonatedUser: string;
|
|
45
|
+
impersonatedBy: string;
|
|
46
|
+
};
|
|
47
|
+
/**
|
|
48
|
+
* Check if the current user is authorized to impersonate anyone.
|
|
49
|
+
* Results are cached to avoid repeated requests.
|
|
50
|
+
*
|
|
51
|
+
* @param api The API instance
|
|
52
|
+
* @returns A promise that resolves to true if authorized to impersonate, false otherwise
|
|
53
|
+
*/
|
|
54
|
+
mayImpersonateAny(api: APIBase): Promise<boolean>;
|
|
55
|
+
/**
|
|
56
|
+
* Check if the current user is authorized to impersonate a specific user.
|
|
57
|
+
* Results are cached to avoid repeated requests.
|
|
58
|
+
*
|
|
59
|
+
* @param api The API instance
|
|
60
|
+
* @param netid The netid to check authorization for
|
|
61
|
+
* @returns A promise that resolves to true if authorized, false otherwise
|
|
62
|
+
*/
|
|
63
|
+
mayImpersonate(api: APIBase, netid: string): Promise<boolean>;
|
|
24
64
|
};
|
|
25
65
|
export {};
|
package/dist/unifiedauth.js
CHANGED
|
@@ -1,5 +1,52 @@
|
|
|
1
1
|
import { redirect } from '@sveltejs/kit';
|
|
2
|
-
import { isBlank } from 'txstate-utils';
|
|
2
|
+
import { isBlank, Cache } from 'txstate-utils';
|
|
3
|
+
import { decodeJwt } from 'jose';
|
|
4
|
+
const mayImpersonateAnyCache = new Cache(async (api) => {
|
|
5
|
+
if (isBlank(api.token))
|
|
6
|
+
return false;
|
|
7
|
+
const authUrl = new URL(api.authRedirect);
|
|
8
|
+
const mayImpersonateUrl = new URL('/mayImpersonate', authUrl.origin);
|
|
9
|
+
try {
|
|
10
|
+
const resp = await fetch(mayImpersonateUrl, {
|
|
11
|
+
method: 'POST',
|
|
12
|
+
headers: {
|
|
13
|
+
'Authorization': `Bearer ${api.token}`,
|
|
14
|
+
'Content-Type': 'application/json'
|
|
15
|
+
},
|
|
16
|
+
body: JSON.stringify({})
|
|
17
|
+
});
|
|
18
|
+
if (!resp.ok)
|
|
19
|
+
return false;
|
|
20
|
+
const { authorized } = await resp.json();
|
|
21
|
+
return !!authorized;
|
|
22
|
+
}
|
|
23
|
+
catch {
|
|
24
|
+
return false;
|
|
25
|
+
}
|
|
26
|
+
});
|
|
27
|
+
const mayImpersonateNetidCache = new Cache(async (api, netid) => {
|
|
28
|
+
if (isBlank(api.token))
|
|
29
|
+
return false;
|
|
30
|
+
const authUrl = new URL(api.authRedirect);
|
|
31
|
+
const mayImpersonateUrl = new URL('/mayImpersonate', authUrl.origin);
|
|
32
|
+
try {
|
|
33
|
+
const resp = await fetch(mayImpersonateUrl, {
|
|
34
|
+
method: 'POST',
|
|
35
|
+
headers: {
|
|
36
|
+
'Authorization': `Bearer ${api.token}`,
|
|
37
|
+
'Content-Type': 'application/json'
|
|
38
|
+
},
|
|
39
|
+
body: JSON.stringify({ netid })
|
|
40
|
+
});
|
|
41
|
+
if (!resp.ok)
|
|
42
|
+
return false;
|
|
43
|
+
const { authorized } = await resp.json();
|
|
44
|
+
return !!authorized;
|
|
45
|
+
}
|
|
46
|
+
catch {
|
|
47
|
+
return false;
|
|
48
|
+
}
|
|
49
|
+
});
|
|
3
50
|
export const unifiedAuth = {
|
|
4
51
|
/**
|
|
5
52
|
* Your root +layout.ts' load function should call this method to ensure that it
|
|
@@ -32,16 +79,108 @@ export const unifiedAuth = {
|
|
|
32
79
|
logout(api) {
|
|
33
80
|
if (isBlank(api.token))
|
|
34
81
|
return;
|
|
82
|
+
// If impersonating, use the original token for logout
|
|
83
|
+
const originalToken = sessionStorage.getItem('originalToken');
|
|
84
|
+
const token = originalToken ?? api.token;
|
|
35
85
|
const authRedirect = new URL(api.authRedirect);
|
|
36
86
|
authRedirect.pathname = [...authRedirect.pathname.split('/').slice(0, -1), 'logout'].join('/');
|
|
37
|
-
authRedirect.searchParams.set('unifiedJwt',
|
|
87
|
+
authRedirect.searchParams.set('unifiedJwt', token);
|
|
38
88
|
api.token = undefined;
|
|
39
89
|
sessionStorage.removeItem('token');
|
|
90
|
+
sessionStorage.removeItem('originalToken');
|
|
40
91
|
window.location.href = authRedirect.toString();
|
|
41
92
|
},
|
|
42
93
|
requireAuth(api, input) {
|
|
43
94
|
if (!api.token) {
|
|
44
95
|
throw redirect(302, this.loginRedirect(api, input.url.toString()));
|
|
45
96
|
}
|
|
97
|
+
},
|
|
98
|
+
/**
|
|
99
|
+
* Start impersonating a user. This will store the current token and replace it with
|
|
100
|
+
* an impersonation token obtained from Unified Auth.
|
|
101
|
+
*
|
|
102
|
+
* The impersonation token will expire in 1 hour.
|
|
103
|
+
*/
|
|
104
|
+
async impersonate(api, netid) {
|
|
105
|
+
if (isBlank(api.token))
|
|
106
|
+
throw new Error('Must be authenticated to impersonate.');
|
|
107
|
+
// Store original token before impersonating
|
|
108
|
+
const originalToken = api.token;
|
|
109
|
+
sessionStorage.setItem('originalToken', originalToken);
|
|
110
|
+
// Get impersonation token from unified-auth
|
|
111
|
+
const authUrl = new URL(api.authRedirect);
|
|
112
|
+
const impersonateUrl = new URL('/impersonate', authUrl.origin);
|
|
113
|
+
const resp = await fetch(impersonateUrl, {
|
|
114
|
+
method: 'POST',
|
|
115
|
+
headers: {
|
|
116
|
+
'Authorization': `Bearer ${originalToken}`,
|
|
117
|
+
'Content-Type': 'application/json'
|
|
118
|
+
},
|
|
119
|
+
body: JSON.stringify({ netid })
|
|
120
|
+
});
|
|
121
|
+
if (!resp.ok) {
|
|
122
|
+
const error = await resp.text();
|
|
123
|
+
throw new Error(`Failed to impersonate: ${error}`);
|
|
124
|
+
}
|
|
125
|
+
const { token } = await resp.json();
|
|
126
|
+
// Replace current token with impersonation token
|
|
127
|
+
api.token = token;
|
|
128
|
+
sessionStorage.setItem('token', token);
|
|
129
|
+
},
|
|
130
|
+
/**
|
|
131
|
+
* Exit impersonation and restore the original token.
|
|
132
|
+
*/
|
|
133
|
+
exitImpersonation(api) {
|
|
134
|
+
const originalToken = sessionStorage.getItem('originalToken');
|
|
135
|
+
if (!originalToken) {
|
|
136
|
+
throw new Error('No original token found. Not currently impersonating.');
|
|
137
|
+
}
|
|
138
|
+
api.token = originalToken;
|
|
139
|
+
sessionStorage.setItem('token', originalToken);
|
|
140
|
+
sessionStorage.removeItem('originalToken');
|
|
141
|
+
},
|
|
142
|
+
/**
|
|
143
|
+
* Check if the current token is an impersonation token.
|
|
144
|
+
* Returns { isImpersonating: false } if not impersonating.
|
|
145
|
+
* Returns { isImpersonating: true, impersonatedUser: string, impersonatedBy: string } if impersonating.
|
|
146
|
+
*/
|
|
147
|
+
getImpersonationStatus(api) {
|
|
148
|
+
if (isBlank(api.token))
|
|
149
|
+
return { isImpersonating: false };
|
|
150
|
+
try {
|
|
151
|
+
const payload = decodeJwt(api.token);
|
|
152
|
+
if (payload.act && payload.act.sub) {
|
|
153
|
+
return {
|
|
154
|
+
isImpersonating: true,
|
|
155
|
+
impersonatedUser: payload.sub,
|
|
156
|
+
impersonatedBy: payload.act.sub
|
|
157
|
+
};
|
|
158
|
+
}
|
|
159
|
+
}
|
|
160
|
+
catch (e) {
|
|
161
|
+
// Invalid token, treat as not impersonating
|
|
162
|
+
}
|
|
163
|
+
return { isImpersonating: false };
|
|
164
|
+
},
|
|
165
|
+
/**
|
|
166
|
+
* Check if the current user is authorized to impersonate anyone.
|
|
167
|
+
* Results are cached to avoid repeated requests.
|
|
168
|
+
*
|
|
169
|
+
* @param api The API instance
|
|
170
|
+
* @returns A promise that resolves to true if authorized to impersonate, false otherwise
|
|
171
|
+
*/
|
|
172
|
+
async mayImpersonateAny(api) {
|
|
173
|
+
return await mayImpersonateAnyCache.get(api);
|
|
174
|
+
},
|
|
175
|
+
/**
|
|
176
|
+
* Check if the current user is authorized to impersonate a specific user.
|
|
177
|
+
* Results are cached to avoid repeated requests.
|
|
178
|
+
*
|
|
179
|
+
* @param api The API instance
|
|
180
|
+
* @param netid The netid to check authorization for
|
|
181
|
+
* @returns A promise that resolves to true if authorized, false otherwise
|
|
182
|
+
*/
|
|
183
|
+
async mayImpersonate(api, netid) {
|
|
184
|
+
return await mayImpersonateNetidCache.get(api, netid);
|
|
46
185
|
}
|
|
47
186
|
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@txstate-mws/sveltekit-utils",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.3.0",
|
|
4
4
|
"description": "Shared library for code that is specifically tied to sveltekit in addition to svelte.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"exports": {
|
|
@@ -16,6 +16,7 @@
|
|
|
16
16
|
"@txstate-mws/fastify-shared": "^1.0.4",
|
|
17
17
|
"@txstate-mws/svelte-components": "^1.6.1",
|
|
18
18
|
"@txstate-mws/svelte-forms": "^1.5.8",
|
|
19
|
+
"jose": "^5.0.0",
|
|
19
20
|
"txstate-utils": "^1.8.15"
|
|
20
21
|
},
|
|
21
22
|
"devDependencies": {
|