authhero 0.123.0 → 0.124.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/authhero.cjs +1 -1
  2. package/dist/authhero.mjs +21 -12
  3. package/package.json +1 -1
package/dist/authhero.cjs CHANGED
@@ -26,7 +26,7 @@
26
26
  }};
27
27
  <\/script>
28
28
  </body>
29
- </html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function Ey(t,e,n,r,i){var m,w,h;if(!n.redirect_uri)throw new I(400,{message:"Missing redirect_uri in authParams"});if(!r.email)throw new I(400,{message:"Missing email in user"});const[s]=await t.env.data.keys.list();if(!s)throw new I(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new I(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new I(400,{message:"Missing recipient or inResponseTo"});const d=JSON.parse(n.state),u=new URL(n.redirect_uri),f=await Iy(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:u.toString(),inResponseTo:d.requestId,userId:((h=(w=r.app_metadata)==null?void 0:w.vimeo)==null?void 0:h.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return zy(u.toString(),f,d.relayState)}async function Iy(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${ke()}`,c=e.assertionId||`_${ke()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let u=new Ay.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:u,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);u=await m.text()}return e.encode===!1?u:btoa(u)}var Cy={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},Ny=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(Cy))if($y(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},$y=t=>navigator.userAgent.startsWith(t);function zt(t,e){Ny()==="workerd"&&t.executionCtx.waitUntil(e)}function Ht(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const nu=["sub","iss","aud","exp","nbf","iat","jti"];async function io(t,e){var v,S;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(C=>!C.revoked_at||new Date(C.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new I(500,{message:"No signing key available"});const d=Y0(l.pkcs7),u=t.var.custom_domain?`https://${t.var.custom_domain}/`:t.env.ISSUER,f={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:u,tenant_id:t.var.tenant_id,sid:s},m=r&&((v=n.scope)!=null&&v.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:u,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(S=t.env.hooks)!=null&&S.onExecuteCredentialsExchange&&await t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(C,j)=>{if(nu.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);f[C]=j}},idToken:{setCustomClaim:(C,j)=>{if(nu.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);m&&(m[C]=j)}},access:{deny:C=>{throw new I(400,{message:`Access denied: ${C}`})}}});const w={includeIssuedTimestamp:!0,expiresIn:new ul(1,"d"),headers:{kid:l.kid}},h=await Zd("RS256",d,f,w),_=m?await Zd("RS256",d,m,w):void 0;return{access_token:h,refresh_token:e.refresh_token,id_token:_,token_type:"Bearer",expires_in:86400}}async function Yf(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+er*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:ke(),...Ht(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:ke(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+t_*1e3).toISOString()})).code_id,state:e.authParams.state}}async function jy(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e,a=Ht(t.req);return await t.env.data.refreshTokens.create(n.tenant.id,{id:ke(),session_id:s,client_id:n.id,idle_expires_at:new Date(Date.now()+no*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:a.ip||"",initial_ip:a.ip||"",last_user_agent:a.useragent||"",initial_user_agent:a.useragent||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Xf(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:ke(),user_id:e.user_id,idle_expires_at:new Date(Date.now()+no*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await jy(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function ln(t,e){var w;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=we(t,{type:ge.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(zt(t,t.env.data.logs.create(i.tenant.id,a)),zt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new I(500,{message:"Login session not found"});const h=Z0(),_=ke(12),v=await t.env.data.codes.create(i.tenant.id,{code_id:ke(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+r_).toISOString(),code_verifier:[_,h].join("|")});return t.json({login_ticket:v.code_id,co_verifier:h,co_id:_})}let c=e.refreshToken,l=e.sessionId,d=r;if(!l){if(!e.loginSession)throw new I(500,{message:"Login session not found"});d=await By(t,t.env.data)(i.tenant.id,r);const h=await Xf(t,{user:r,client:i,loginSession:e.loginSession});l=h.id,c=(w=h.refresh_token)==null?void 0:w.id}if(e.authParams.response_mode===Rt.SAML_POST)return Ey(t,e.client,e.authParams,d,l);const u=await io(t,{authParams:n,user:d,client:i,session_id:l,refresh_token:c}),f=new Headers({"set-cookie":Hf(i.tenant.id,l,t.var.custom_domain||t.req.header("host"))});if(n.response_mode===Rt.WEB_MESSAGE)return t.json(u,{headers:f});if((n.response_type||It.CODE)===It.CODE){const h=await Yf(t,e);if(!n.redirect_uri)throw new I(400,{message:"Redirect uri not found"});const _=new URL(n.redirect_uri);_.searchParams.set("code",h.code),h.state&&_.searchParams.set("state",h.state),f.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:f})}async function Oy(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return io(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:It.TOKEN,scope:n}})}async function _l(t,e,n){const r=await Oy(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=we(t,{type:ge.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function Py(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await _l(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function Ty(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await _l(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function By(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await _l(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function Ry(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(d,u)=>{r[d]=u}}})}catch{const u=we(t,{type:ge.FAILED_SIGNUP,description:"Pre user registration hook failed"});await e.logs.create(n,u)}let s=await H0(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const u=we(t,{type:ge.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,u)}return await Py(t)(n,s),s}}async function Ly(t,e,n,r){var i;if(e.disable_sign_ups){const s=(i=t.var.loginSession)==null?void 0:i.authorization_url;if(!(s&&new URL(s).searchParams.get("screen_hint")==="signup")&&!await oo({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const l=we(t,{type:ge.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,l),new I(400,{message:"Signups are disabled for this client"})}}await Ty(t)(t.var.tenant_id||"",r)}function so(t,e){return{...e,users:{...e.users,create:Ry(t,e)}}}function Qf(t){return so(t,t.env.data)}async function yl(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function hr({userAdapter:t,tenant_id:e,username:n,provider:r}){const i=r==="sms"?`phone_number:${n}`:`email:${n}`,{users:s}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`${i} provider:${r}`});return s.length>1&&console.error("More than one user found for same email and provider"),s[0]||null}async function oo({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ps({userAdapter:t,tenant_id:e,username:n,provider:r}){const i=await hr({userAdapter:t,tenant_id:e,username:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function ao(t,e){const{username:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:d=""}=e;let u=await ps({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,username:n,provider:r});if(!u){const f={user_id:`${r}|${a||to()}`,email:i!=="sms"?n:void 0,phone_number:i==="sms"?n:void 0,name:n,provider:r,connection:i,email_verified:!0,last_ip:d,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};u=await Qf(t).users.create(s.tenant.id,f),t.set("user_id",u.user_id)}return u}const tn=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function gr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const ru=an.extend({users:o.z.array(St)}),Uy=an.extend({sessions:o.z.array(eo)}),Vy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(St),ru])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const u=s.split("=")[1],m=(await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${u}`})).users.filter(_=>_.linked_to),[w]=m;if(!w)return t.json([]);const h=await t.env.data.users.get(a,w.linked_to);if(!h)throw new I(500,{message:"Primary account not found"});return t.json([St.parse(h)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:gr(i),q:c.join(" ")}),d=l.users.filter(u=>!u.linked_to);return r?t.json(ru.parse({users:d,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(St).parse(d))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:St}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new I(404);if(r.linked_to)throw new I(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new I(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...is.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:St}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new I(400,{message:"Email is required"});const i=r.toLowerCase(),s=`${n.provider}|${n.user_id||to()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=we(t,{type:ge.SUCCESS_API_OPERATION,description:"User created"});zt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:Gd(a.user_id),isSocial:a.is_social}]};return t.json(St.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new I(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...is.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var u;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new I(404);if(c.email&&c.email!==l.email){const f=await yl(t.env.data.users,n,c.email);if(f.length&&f.some(m=>m.user_id!==i))throw new I(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new I(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const f=(u=l.identities)==null?void 0:u.find(h=>h.connection==="Username-Password-Authentication");if(!f)throw new I(400,{message:"User does not have a password identity"});const m={user_id:f.user_id,password:await ai.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,f.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const d=await t.env.data.users.get(n,i);if(!d)throw new I(500);return t.json(d)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new I(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:Gd(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(St)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new I(404);return t.json([St.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(eo),Uy])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
29
+ </html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function Ey(t,e,n,r,i){var m,w,h;if(!n.redirect_uri)throw new I(400,{message:"Missing redirect_uri in authParams"});if(!r.email)throw new I(400,{message:"Missing email in user"});const[s]=await t.env.data.keys.list();if(!s)throw new I(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new I(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new I(400,{message:"Missing recipient or inResponseTo"});const d=JSON.parse(n.state),u=new URL(n.redirect_uri),f=await Iy(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:u.toString(),inResponseTo:d.requestId,userId:((h=(w=r.app_metadata)==null?void 0:w.vimeo)==null?void 0:h.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return zy(u.toString(),f,d.relayState)}async function Iy(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${ke()}`,c=e.assertionId||`_${ke()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let u=new Ay.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:u,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);u=await m.text()}return e.encode===!1?u:btoa(u)}var Cy={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},Ny=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(Cy))if($y(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},$y=t=>navigator.userAgent.startsWith(t);function zt(t,e){Ny()==="workerd"&&t.executionCtx.waitUntil(e)}function Ht(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const nu=["sub","iss","aud","exp","nbf","iat","jti"];async function io(t,e){var v,S;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(C=>!C.revoked_at||new Date(C.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new I(500,{message:"No signing key available"});const d=Y0(l.pkcs7),u=t.var.custom_domain?`https://${t.var.custom_domain}/`:t.env.ISSUER,f={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:u,tenant_id:t.var.tenant_id,sid:s},m=r&&((v=n.scope)!=null&&v.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:u,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(S=t.env.hooks)!=null&&S.onExecuteCredentialsExchange&&await t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(C,j)=>{if(nu.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);f[C]=j}},idToken:{setCustomClaim:(C,j)=>{if(nu.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);m&&(m[C]=j)}},access:{deny:C=>{throw new I(400,{message:`Access denied: ${C}`})}}});const w={includeIssuedTimestamp:!0,expiresIn:new ul(1,"d"),headers:{kid:l.kid}},h=await Zd("RS256",d,f,w),_=m?await Zd("RS256",d,m,w):void 0;return{access_token:h,refresh_token:e.refresh_token,id_token:_,token_type:"Bearer",expires_in:86400}}async function Yf(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+er*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:ke(),...Ht(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:ke(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+t_*1e3).toISOString()})).code_id,state:e.authParams.state}}async function jy(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e,a=Ht(t.req);return await t.env.data.refreshTokens.create(n.tenant.id,{id:ke(),session_id:s,client_id:n.id,idle_expires_at:new Date(Date.now()+no*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:a.ip||"",initial_ip:a.ip||"",last_user_agent:a.useragent||"",initial_user_agent:a.useragent||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Xf(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:ke(),user_id:e.user_id,idle_expires_at:new Date(Date.now()+no*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await jy(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function ln(t,e){var w,h;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=we(t,{type:ge.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(zt(t,t.env.data.logs.create(i.tenant.id,a)),zt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new I(500,{message:"Login session not found"});const _=Z0(),v=ke(12),S=await t.env.data.codes.create(i.tenant.id,{code_id:ke(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+r_).toISOString(),code_verifier:[v,_].join("|")});return t.json({login_ticket:S.code_id,co_verifier:_,co_id:v})}let c=e.refreshToken,l=e.sessionId,d=r;if(!l&&((w=e.loginSession)!=null&&w.session_id)){l=e.loginSession.session_id;const _=await t.env.data.sessions.get(i.tenant.id,l);_&&!_.clients.includes(i.id)&&await t.env.data.sessions.update(i.tenant.id,l,{clients:[..._.clients,i.id]})}else if(!l){if(!e.loginSession)throw new I(500,{message:"Login session not found"});d=await By(t,t.env.data)(i.tenant.id,r);const _=await Xf(t,{user:r,client:i,loginSession:e.loginSession});l=_.id,c=(h=_.refresh_token)==null?void 0:h.id}if(e.authParams.response_mode===Rt.SAML_POST)return Ey(t,e.client,e.authParams,d,l);const u=await io(t,{authParams:n,user:d,client:i,session_id:l,refresh_token:c}),f=new Headers({"set-cookie":Hf(i.tenant.id,l,t.var.custom_domain||t.req.header("host"))});if(n.response_mode===Rt.WEB_MESSAGE)return t.json(u,{headers:f});if((n.response_type||It.CODE)===It.CODE){const _=await Yf(t,e);if(!n.redirect_uri)throw new I(400,{message:"Redirect uri not found"});const v=new URL(n.redirect_uri);v.searchParams.set("code",_.code),_.state&&v.searchParams.set("state",_.state),f.set("location",v.toString())}return new Response("Redirecting",{status:302,headers:f})}async function Oy(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return io(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:It.TOKEN,scope:n}})}async function _l(t,e,n){const r=await Oy(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=we(t,{type:ge.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function Py(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await _l(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function Ty(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await _l(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function By(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await _l(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function Ry(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(d,u)=>{r[d]=u}}})}catch{const u=we(t,{type:ge.FAILED_SIGNUP,description:"Pre user registration hook failed"});await e.logs.create(n,u)}let s=await H0(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const u=we(t,{type:ge.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,u)}return await Py(t)(n,s),s}}async function Ly(t,e,n,r){var i;if(e.disable_sign_ups){const s=(i=t.var.loginSession)==null?void 0:i.authorization_url;if(!(s&&new URL(s).searchParams.get("screen_hint")==="signup")&&!await oo({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const l=we(t,{type:ge.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,l),new I(400,{message:"Signups are disabled for this client"})}}await Ty(t)(t.var.tenant_id||"",r)}function so(t,e){return{...e,users:{...e.users,create:Ry(t,e)}}}function Qf(t){return so(t,t.env.data)}async function yl(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function hr({userAdapter:t,tenant_id:e,username:n,provider:r}){const i=r==="sms"?`phone_number:${n}`:`email:${n}`,{users:s}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`${i} provider:${r}`});return s.length>1&&console.error("More than one user found for same email and provider"),s[0]||null}async function oo({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ps({userAdapter:t,tenant_id:e,username:n,provider:r}){const i=await hr({userAdapter:t,tenant_id:e,username:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function ao(t,e){const{username:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:d=""}=e;let u=await ps({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,username:n,provider:r});if(!u){const f={user_id:`${r}|${a||to()}`,email:i!=="sms"?n:void 0,phone_number:i==="sms"?n:void 0,name:n,provider:r,connection:i,email_verified:!0,last_ip:d,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};u=await Qf(t).users.create(s.tenant.id,f),t.set("user_id",u.user_id)}return u}const tn=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function gr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const ru=an.extend({users:o.z.array(St)}),Uy=an.extend({sessions:o.z.array(eo)}),Vy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(St),ru])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const u=s.split("=")[1],m=(await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${u}`})).users.filter(_=>_.linked_to),[w]=m;if(!w)return t.json([]);const h=await t.env.data.users.get(a,w.linked_to);if(!h)throw new I(500,{message:"Primary account not found"});return t.json([St.parse(h)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:gr(i),q:c.join(" ")}),d=l.users.filter(u=>!u.linked_to);return r?t.json(ru.parse({users:d,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(St).parse(d))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:St}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new I(404);if(r.linked_to)throw new I(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new I(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...is.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:St}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new I(400,{message:"Email is required"});const i=r.toLowerCase(),s=`${n.provider}|${n.user_id||to()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=we(t,{type:ge.SUCCESS_API_OPERATION,description:"User created"});zt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:Gd(a.user_id),isSocial:a.is_social}]};return t.json(St.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new I(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...is.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var u;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new I(404);if(c.email&&c.email!==l.email){const f=await yl(t.env.data.users,n,c.email);if(f.length&&f.some(m=>m.user_id!==i))throw new I(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new I(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const f=(u=l.identities)==null?void 0:u.find(h=>h.connection==="Username-Password-Authentication");if(!f)throw new I(400,{message:"User does not have a password identity"});const m={user_id:f.user_id,password:await ai.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,f.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const d=await t.env.data.users.get(n,i);if(!d)throw new I(500);return t.json(d)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new I(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:Gd(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(St)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new I(404);return t.json([St.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(eo),Uy])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
30
30
  Copyright (C) Microsoft. All rights reserved.
31
31
  Licensed under the Apache License, Version 2.0 (the "License"); you may not use
32
32
  this file except in compliance with the License. You may obtain a copy of the
package/dist/authhero.mjs CHANGED
@@ -5733,7 +5733,7 @@ async function Bf(t, { user: e, client: n, loginSession: r }) {
5733
5733
  return { ...i, refresh_token: c };
5734
5734
  }
5735
5735
  async function an(t, e) {
5736
- var w;
5736
+ var w, h;
5737
5737
  const { authParams: n, user: r, client: i, ticketAuth: s } = e, o = be(t, {
5738
5738
  type: ye.SUCCESS_LOGIN,
5739
5739
  description: `Successful login for ${r.user_id}`,
@@ -5751,22 +5751,31 @@ async function an(t, e) {
5751
5751
  throw new C(500, {
5752
5752
  message: "Login session not found"
5753
5753
  });
5754
- const h = N0(), _ = Ae(12), v = await t.env.data.codes.create(i.tenant.id, {
5754
+ const _ = N0(), v = Ae(12), S = await t.env.data.codes.create(i.tenant.id, {
5755
5755
  code_id: Ae(),
5756
5756
  code_type: "ticket",
5757
5757
  login_id: e.loginSession.id,
5758
5758
  expires_at: new Date(Date.now() + R0).toISOString(),
5759
5759
  // Concat the co_id and co_verifier
5760
- code_verifier: [_, h].join("|")
5760
+ code_verifier: [v, _].join("|")
5761
5761
  });
5762
5762
  return t.json({
5763
- login_ticket: v.code_id,
5764
- co_verifier: h,
5765
- co_id: _
5763
+ login_ticket: S.code_id,
5764
+ co_verifier: _,
5765
+ co_id: v
5766
5766
  });
5767
5767
  }
5768
5768
  let c = e.refreshToken, l = e.sessionId, d = r;
5769
- if (!l) {
5769
+ if (!l && ((w = e.loginSession) != null && w.session_id)) {
5770
+ l = e.loginSession.session_id;
5771
+ const _ = await t.env.data.sessions.get(
5772
+ i.tenant.id,
5773
+ l
5774
+ );
5775
+ _ && !_.clients.includes(i.id) && await t.env.data.sessions.update(i.tenant.id, l, {
5776
+ clients: [..._.clients, i.id]
5777
+ });
5778
+ } else if (!l) {
5770
5779
  if (!e.loginSession)
5771
5780
  throw new C(500, {
5772
5781
  message: "Login session not found"
@@ -5775,12 +5784,12 @@ async function an(t, e) {
5775
5784
  i.tenant.id,
5776
5785
  r
5777
5786
  );
5778
- const h = await Bf(t, {
5787
+ const _ = await Bf(t, {
5779
5788
  user: r,
5780
5789
  client: i,
5781
5790
  loginSession: e.loginSession
5782
5791
  });
5783
- l = h.id, c = (w = h.refresh_token) == null ? void 0 : w.id;
5792
+ l = _.id, c = (h = _.refresh_token) == null ? void 0 : h.id;
5784
5793
  }
5785
5794
  if (e.authParams.response_mode === Qt.SAML_POST)
5786
5795
  return oy(
@@ -5808,13 +5817,13 @@ async function an(t, e) {
5808
5817
  headers: f
5809
5818
  });
5810
5819
  if ((n.response_type || Ut.CODE) === Ut.CODE) {
5811
- const h = await Tf(t, e);
5820
+ const _ = await Tf(t, e);
5812
5821
  if (!n.redirect_uri)
5813
5822
  throw new C(400, {
5814
5823
  message: "Redirect uri not found"
5815
5824
  });
5816
- const _ = new URL(n.redirect_uri);
5817
- _.searchParams.set("code", h.code), h.state && _.searchParams.set("state", h.state), f.set("location", _.toString());
5825
+ const v = new URL(n.redirect_uri);
5826
+ v.searchParams.set("code", _.code), _.state && v.searchParams.set("state", _.state), f.set("location", v.toString());
5818
5827
  }
5819
5828
  return new Response("Redirecting", {
5820
5829
  status: 302,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "authhero",
3
- "version": "0.123.0",
3
+ "version": "0.124.0",
4
4
  "files": [
5
5
  "dist"
6
6
  ],