cloudcms-server 0.9.256 → 0.9.261

package/temp/passport-saml/lib/passport-saml/multiSamlStrategy.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MultiSamlStrategy = void 0;
+const node_saml_1 = require("../node-saml");
+const strategy_1 = require("./strategy");
+class MultiSamlStrategy extends strategy_1.AbstractStrategy {
+    constructor(options, verify) {
+        if (!options || typeof options.getSamlOptions !== "function") {
+            throw new Error("Please provide a getSamlOptions function");
+        }
+        // Force the type on this since we've disabled `newOnConstruct`
+        // so the `SAML` constructor will not be called at this time
+        // and there are defaults for all `strategy`-required options.
+        const samlConfig = {
+            ...options,
+        };
+        super(samlConfig, verify);
+        this._options = samlConfig;
+    }
+    authenticate(req, options) {
+        this._options.getSamlOptions(req, (err, samlOptions) => {
+            if (err) {
+                return this.error(err);
+            }
+            const samlService = new node_saml_1.SAML({ ...this._options, ...samlOptions });
+            const strategy = Object.assign({}, this, { _saml: samlService });
+            Object.setPrototypeOf(strategy, this);
+            super.authenticate.call(strategy, req, options);
+        });
+    }
+    logout(req, callback) {
+        this._options.getSamlOptions(req, (err, samlOptions) => {
+            if (err) {
+                return callback(err);
+            }
+            const samlService = new node_saml_1.SAML(Object.assign({}, this._options, samlOptions));
+            const strategy = Object.assign({}, this, { _saml: samlService });
+            Object.setPrototypeOf(strategy, this);
+            super.logout.call(strategy, req, callback);
+        });
+    }
+    generateServiceProviderMetadata(req, decryptionCert, signingCert, callback) {
+        if (typeof callback !== "function") {
+            throw new Error("Metadata can't be provided synchronously for MultiSamlStrategy.");
+        }
+        return this._options.getSamlOptions(req, (err, samlOptions) => {
+            if (err) {
+                return callback(err);
+            }
+            const samlService = new node_saml_1.SAML(Object.assign({}, this._options, samlOptions));
+            const strategy = Object.assign({}, this, { _saml: samlService });
+            Object.setPrototypeOf(strategy, this);
+            return callback(null, this._generateServiceProviderMetadata.call(strategy, decryptionCert, signingCert));
+        });
+    }
+    // This is reduntant, but helps with testing
+    error(err) {
+        super.error(err);
+    }
+}
+exports.MultiSamlStrategy = MultiSamlStrategy;
+MultiSamlStrategy.newSamlProviderOnConstruct = false;
+//# sourceMappingURL=multiSamlStrategy.js.map

package/temp/passport-saml/lib/passport-saml/multiSamlStrategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"multiSamlStrategy.js","sourceRoot":"","sources":["../../src/passport-saml/multiSamlStrategy.ts"],"names":[],"mappings":";;;AAAA,4CAAoC;AACpC,yCAA8C;AAW9C,MAAa,iBAAkB,SAAQ,2BAAgB;IAMrD,YAAY,OAAwB,EAAE,MAAa;QACjD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,cAAc,KAAK,UAAU,EAAE;YAC5D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;SAC7D;QAED,+DAA+D;QAC/D,4DAA4D;QAC5D,8DAA8D;QAC9D,MAAM,UAAU,GAAG;YACjB,GAAG,OAAO;SACqB,CAAC;QAElC,KAAK,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAC1B,IAAI,CAAC,QAAQ,GAAG,UAAU,CAAC;IAC7B,CAAC;IAED,YAAY,CAAC,GAAoB,EAAE,OAA4B;QAC7D,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,WAAW,EAAE,EAAE;YACrD,IAAI,GAAG,EAAE;gBACP,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;aACxB;YAED,MAAM,WAAW,GAAG,IAAI,gBAAI,CAAC,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,GAAG,WAAW,EAAE,CAAC,CAAC;YACnE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACtC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CACJ,GAAoB,EACpB,QAAsE;QAEtE,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,WAAW,EAAE,EAAE;YACrD,IAAI,GAAG,EAAE;gBACP,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;aACtB;YAED,MAAM,WAAW,GAAG,IAAI,gBAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;YAC5E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACtC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B,CAC7B,GAAY,EACZ,cAA6B,EAC7B,WAA0B,EAC1B,QAAwD;QAExD,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YAClC,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;SACpF;QAED,OAAO,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,WAAW,EAAE,EAAE;YAC5D,IAAI,GAAG,EAAE;gBACP,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC;aACtB;YAED,MAAM,WAAW,GAAG,IAAI,gBAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;YAC5E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACjE,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YACtC,OAAO,QAAQ,CACb,IAAI,EACJ,IAAI,CAAC,gCAAgC,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,CAAC,CAClF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,GAAU;QACd,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;;AA/EH,8CAgFC;AA/EiB,4CAA0B,GAAG,KAAK,CAAC","sourcesContent":["import { SAML } from \"../node-saml\";\nimport { AbstractStrategy } from \"./strategy\";\nimport type { Request } from \"express\";\nimport {\n  AuthenticateOptions,\n  MultiSamlConfig,\n  RequestWithUser,\n  SamlConfig,\n  VerifyWithoutRequest,\n  VerifyWithRequest,\n} from \"./types\";\n\nexport class MultiSamlStrategy extends AbstractStrategy {\n  static readonly newSamlProviderOnConstruct = false;\n  _options: SamlConfig & MultiSamlConfig;\n\n  constructor(options: MultiSamlConfig, verify: VerifyWithRequest);\n  constructor(options: MultiSamlConfig, verify: VerifyWithoutRequest);\n  constructor(options: MultiSamlConfig, verify: never) {\n    if (!options || typeof options.getSamlOptions !== \"function\") {\n      throw new Error(\"Please provide a getSamlOptions function\");\n    }\n\n    // Force the type on this since we've disabled `newOnConstruct`\n    // so the `SAML` constructor will not be called at this time\n    // and there are defaults for all `strategy`-required options.\n    const samlConfig = {\n      ...options,\n    } as SamlConfig & MultiSamlConfig;\n\n    super(samlConfig, verify);\n    this._options = samlConfig;\n  }\n\n  authenticate(req: RequestWithUser, options: AuthenticateOptions): void {\n    this._options.getSamlOptions(req, (err, samlOptions) => {\n      if (err) {\n        return this.error(err);\n      }\n\n      const samlService = new SAML({ ...this._options, ...samlOptions });\n      const strategy = Object.assign({}, this, { _saml: samlService });\n      Object.setPrototypeOf(strategy, this);\n      super.authenticate.call(strategy, req, options);\n    });\n  }\n\n  logout(\n    req: RequestWithUser,\n    callback: (err: Error | null, url?: string | null | undefined) => void\n  ) {\n    this._options.getSamlOptions(req, (err, samlOptions) => {\n      if (err) {\n        return callback(err);\n      }\n\n      const samlService = new SAML(Object.assign({}, this._options, samlOptions));\n      const strategy = Object.assign({}, this, { _saml: samlService });\n      Object.setPrototypeOf(strategy, this);\n      super.logout.call(strategy, req, callback);\n    });\n  }\n\n  generateServiceProviderMetadata(\n    req: Request,\n    decryptionCert: string | null,\n    signingCert: string | null,\n    callback: (err: Error | null, metadata?: string) => void\n  ) {\n    if (typeof callback !== \"function\") {\n      throw new Error(\"Metadata can't be provided synchronously for MultiSamlStrategy.\");\n    }\n\n    return this._options.getSamlOptions(req, (err, samlOptions) => {\n      if (err) {\n        return callback(err);\n      }\n\n      const samlService = new SAML(Object.assign({}, this._options, samlOptions));\n      const strategy = Object.assign({}, this, { _saml: samlService });\n      Object.setPrototypeOf(strategy, this);\n      return callback(\n        null,\n        this._generateServiceProviderMetadata.call(strategy, decryptionCert, signingCert)\n      );\n    });\n  }\n\n  // This is reduntant, but helps with testing\n  error(err: Error): void {\n    super.error(err);\n  }\n}\n"]}

package/temp/passport-saml/lib/passport-saml/strategy.d.ts

@@ -0,0 +1,20 @@
+import { Strategy as PassportStrategy } from "passport-strategy";
+import { SAML } from "../node-saml";
+import { AuthenticateOptions, RequestWithUser, SamlConfig, VerifyWithoutRequest, VerifyWithRequest } from "./types";
+export declare abstract class AbstractStrategy extends PassportStrategy {
+    static readonly newSamlProviderOnConstruct: boolean;
+    name: string;
+    _verify: VerifyWithRequest | VerifyWithoutRequest;
+    _saml: SAML | undefined;
+    _passReqToCallback?: boolean;
+    constructor(options: SamlConfig, verify: VerifyWithRequest);
+    constructor(options: SamlConfig, verify: VerifyWithoutRequest);
+    authenticate(req: RequestWithUser, options: AuthenticateOptions): void;
+    logout(req: RequestWithUser, callback: (err: Error | null, url?: string | null) => void): void;
+    protected _generateServiceProviderMetadata(decryptionCert: string | null, signingCert?: string | null): string;
+    error(err: Error): void;
+}
+export declare class Strategy extends AbstractStrategy {
+    static readonly newSamlProviderOnConstruct = true;
+    generateServiceProviderMetadata(decryptionCert: string | null, signingCert?: string | null): string;
+}

package/temp/passport-saml/lib/passport-saml/strategy.js

@@ -0,0 +1,167 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Strategy = exports.AbstractStrategy = void 0;
+const passport_strategy_1 = require("passport-strategy");
+const node_saml_1 = require("../node-saml");
+const url = require("url");
+class AbstractStrategy extends passport_strategy_1.Strategy {
+    constructor(options, verify) {
+        super();
+        if (typeof options === "function") {
+            throw new Error("Mandatory SAML options missing");
+        }
+        if (!verify) {
+            throw new Error("SAML authentication strategy requires a verify function");
+        }
+        // Customizing the name can be useful to support multiple SAML configurations at the same time.
+        // Unlike other options, this one gets deleted instead of passed along.
+        if (options.name) {
+            this.name = options.name;
+        }
+        else {
+            this.name = "saml";
+        }
+        this._verify = verify;
+        this._validateAssertion = options.validateAssertion;
+        if (typeof(this._validateAssertion) === "undefined") {
+            this._validateAssertion = true;
+        }
+        if (this.constructor.newSamlProviderOnConstruct) {
+            this._saml = new node_saml_1.SAML(options);
+        }
+        this._passReqToCallback = !!options.passReqToCallback;
+    }
+    authenticate(req, options) {
+        if (this._saml == null) {
+            throw new Error("Can't get authenticate without a SAML provider defined.");
+        }
+        options.samlFallback = options.samlFallback || "login-request";
+        const validateCallback = ({ profile, loggedOut, }) => {
+            if (loggedOut) {
+                req.logout();
+                if (profile) {
+                    if (this._saml == null) {
+                        throw new Error("Can't get logout response URL without a SAML provider defined.");
+                    }
+                    const RelayState = (req.query && req.query.RelayState) || (req.body && req.body.RelayState);
+                    return this._saml.getLogoutResponseUrl(profile, RelayState, options, redirectIfSuccess);
+                }
+                return this.pass();
+            }
+            const verified = (err, user, info) => {
+                if (err) {
+                    return this.error(err);
+                }
+                if (!user) {
+                    return this.fail(info, 401);
+                }
+                this.success(user, info);
+            };
+            if (this._passReqToCallback) {
+                this._verify(req, profile, verified);
+            }
+            else {
+                this._verify(profile, verified);
+            }
+        };
+        const redirectIfSuccess = (err, url) => {
+            if (err) {
+                this.error(err);
+            }
+            else {
+                this.redirect(url);
+            }
+        };
+        if (req.query && (req.query.SAMLResponse || req.query.SAMLRequest)) {
+            const originalQuery = url.parse(req.url).query;
+            
+            //console.log("S1: " + this._validateAssertion);
+            this._saml
+                .validateRedirectAsync(req.query, originalQuery, this._validateAssertion)
+                .then(validateCallback)
+                .catch((err) => this.error(err));
+        }
+        else if (req.body && req.body.SAMLResponse) {
+            this._saml
+                .validatePostResponseAsync(req.body, this._validateAssertion)
+                .then(validateCallback)
+                .catch((err) => this.error(err));
+        }
+        else if (req.body && req.body.SAMLRequest) {
+            this._saml
+                .validatePostRequestAsync(req.body)
+                .then(validateCallback)
+                .catch((err) => this.error(err));
+        }
+        else {
+            const requestHandler = {
+                "login-request": async () => {
+                    try {
+                        if (this._saml == null) {
+                            throw new Error("Can't process login request without a SAML provider defined.");
+                        }
+                        const RelayState = (req.query && req.query.RelayState) || (req.body && req.body.RelayState);
+                        const host = req.headers && req.headers.host;
+                        if (this._saml.options.authnRequestBinding === "HTTP-POST") {
+                            const data = await this._saml.getAuthorizeFormAsync(RelayState, host);
+                            const res = req.res;
+                            res.send(data);
+                        }
+                        else {
+                            // Defaults to HTTP-Redirect
+                            this.redirect(await this._saml.getAuthorizeUrlAsync(RelayState, host, options));
+                        }
+                    }
+                    catch (err) {
+                        this.error(err);
+                    }
+                },
+                "logout-request": async () => {
+                    if (this._saml == null) {
+                        throw new Error("Can't process logout request without a SAML provider defined.");
+                    }
+                    try {
+                        const RelayState = (req.query && req.query.RelayState) || (req.body && req.body.RelayState);
+                        this.redirect(await this._saml.getLogoutUrlAsync(req.user, RelayState, options));
+                    }
+                    catch (err) {
+                        this.error(err);
+                    }
+                },
+            }[options.samlFallback];
+            if (typeof requestHandler !== "function") {
+                return this.fail(401);
+            }
+            requestHandler();
+        }
+    }
+    logout(req, callback) {
+        if (this._saml == null) {
+            throw new Error("Can't logout without a SAML provider defined.");
+        }
+        const RelayState = (req.query && req.query.RelayState) || (req.body && req.body.RelayState);
+        this._saml
+            .getLogoutUrlAsync(req.user, RelayState, {})
+            .then((url) => callback(null, url))
+            .catch((err) => callback(err));
+    }
+    _generateServiceProviderMetadata(decryptionCert, signingCert) {
+        if (this._saml == null) {
+            throw new Error("Can't generate service provider metadata without a SAML provider defined.");
+        }
+        return this._saml.generateServiceProviderMetadata(decryptionCert, signingCert);
+    }
+    // This is reduntant, but helps with testing
+    error(err) {
+        super.error(err);
+    }
+}
+exports.AbstractStrategy = AbstractStrategy;
+class Strategy extends AbstractStrategy {
+    generateServiceProviderMetadata(decryptionCert, signingCert) {
+        return this._generateServiceProviderMetadata(decryptionCert, signingCert);
+    }
+}
+exports.Strategy = Strategy;
+Strategy.newSamlProviderOnConstruct = true;
+//# sourceMappingURL=strategy.js.map

package/temp/passport-saml/lib/passport-saml/strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategy.js","sourceRoot":"","sources":["../../src/passport-saml/strategy.ts"],"names":[],"mappings":";;;AAAA,yDAAiE;AACjE,4CAAoC;AACpC,2BAA2B;AAU3B,MAAsB,gBAAiB,SAAQ,4BAAgB;IAU7D,YAAY,OAAmB,EAAE,MAAa;QAC5C,KAAK,EAAE,CAAC;QACR,IAAI,OAAO,OAAO,KAAK,UAAU,EAAE;YACjC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;SACnD;QAED,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;SAC5E;QAED,+FAA+F;QAC/F,uEAAuE;QACvE,IAAI,OAAO,CAAC,IAAI,EAAE;YAChB,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;SAC1B;aAAM;YACL,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC;SACpB;QAED,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAK,IAAI,CAAC,WAA+B,CAAC,0BAA0B,EAAE;YACpE,IAAI,CAAC,KAAK,GAAG,IAAI,gBAAI,CAAC,OAAO,CAAC,CAAC;SAChC;QACD,IAAI,CAAC,kBAAkB,GAAG,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACxD,CAAC;IAED,YAAY,CAAC,GAAoB,EAAE,OAA4B;QAC7D,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE;YACtB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;SAC5E;QAED,OAAO,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;QAC/D,MAAM,gBAAgB,GAAG,CAAC,EACxB,OAAO,EACP,SAAS,GAIV,EAAE,EAAE;YACH,IAAI,SAAS,EAAE;gBACb,GAAG,CAAC,MAAM,EAAE,CAAC;gBACb,IAAI,OAAO,EAAE;oBACX,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE;wBACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;qBACnF;oBAED,MAAM,UAAU,GACd,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;oBAC3E,OAAO,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;iBACzF;gBACD,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;aACpB;YAED,MAAM,QAAQ,GAAG,CACf,GAAiB,EACjB,IAA8B,EAC9B,IAA8B,EAC9B,EAAE;gBACF,IAAI,GAAG,EAAE;oBACP,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;iBACxB;gBAED,IAAI,CAAC,IAAI,EAAE;oBACT,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;iBAC7B;gBAED,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC3B,CAAC,CAAC;YAEF,IAAI,IAAI,CAAC,kBAAkB,EAAE;gBAC1B,IAAI,CAAC,OAA6B,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;aAC7D;iBAAM;gBACJ,IAAI,CAAC,OAAgC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;aAC3D;QACH,CAAC,CAAC;QAEF,MAAM,iBAAiB,GAAG,CAAC,GAAiB,EAAE,GAAmB,EAAE,EAAE;YACnE,IAAI,GAAG,EAAE;gBACP,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;aACjB;iBAAM;gBACL,IAAI,CAAC,QAAQ,CAAC,GAAI,CAAC,CAAC;aACrB;QACH,CAAC,CAAC;QAEF,IAAI,GAAG,CAAC,KAAK,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;YAClE,MAAM,aAAa,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC/C,IAAI,CAAC,KAAK;iBACP,qBAAqB,CAAC,GAAG,CAAC,KAAK,EAAE,aAAa,CAAC;iBAC/C,IAAI,CAAC,gBAAgB,CAAC;iBACtB,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;SACpC;aAAM,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE;YAC5C,IAAI,CAAC,KAAK;iBACP,yBAAyB,CAAC,GAAG,CAAC,IAAI,CAAC;iBACnC,IAAI,CAAC,gBAAgB,CAAC;iBACtB,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;SACpC;aAAM,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE;YAC3C,IAAI,CAAC,KAAK;iBACP,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC;iBAClC,IAAI,CAAC,gBAAgB,CAAC;iBACtB,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;SACpC;aAAM;YACL,MAAM,cAAc,GAAG;gBACrB,eAAe,EAAE,KAAK,IAAI,EAAE;oBAC1B,IAAI;wBACF,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE;4BACtB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;yBACjF;wBAED,MAAM,UAAU,GACd,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;wBAC3E,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;wBAC7C,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,mBAAmB,KAAK,WAAW,EAAE;4BAC1D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;4BACtE,MAAM,GAAG,GAAG,GAAG,CAAC,GAAI,CAAC;4BACrB,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;yBAChB;6BAAM;4BACL,4BAA4B;4BAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,UAAU,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;yBACjF;qBACF;oBAAC,OAAO,GAAG,EAAE;wBACZ,IAAI,CAAC,KAAK,CAAC,GAAY,CAAC,CAAC;qBAC1B;gBACH,CAAC;gBACD,gBAAgB,EAAE,KAAK,IAAI,EAAE;oBAC3B,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE;wBACtB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;qBAClF;oBAED,IAAI;wBACF,MAAM,UAAU,GACd,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;wBAC3E,IAAI,CAAC,QAAQ,CACX,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAe,EAAE,UAAU,EAAE,OAAO,CAAC,CAC7E,CAAC;qBACH;oBAAC,OAAO,GAAG,EAAE;wBACZ,IAAI,CAAC,KAAK,CAAC,GAAY,CAAC,CAAC;qBAC1B;gBACH,CAAC;aACF,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAExB,IAAI,OAAO,cAAc,KAAK,UAAU,EAAE;gBACxC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;aACvB;YAED,cAAc,EAAE,CAAC;SAClB;IACH,CAAC;IAED,MAAM,CAAC,GAAoB,EAAE,QAA0D;QACrF,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE;YACtB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;SAClE;QACD,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5F,IAAI,CAAC,KAAK;aACP,iBAAiB,CAAC,GAAG,CAAC,IAAe,EAAE,UAAU,EAAE,EAAE,CAAC;aACtD,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;aAClC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,CAAC;IAES,gCAAgC,CACxC,cAA6B,EAC7B,WAA2B;QAE3B,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE;YACtB,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;SAC9F;QAED,OAAO,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACjF,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,GAAU;QACd,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;CACF;AAvLD,4CAuLC;AAED,MAAa,QAAS,SAAQ,gBAAgB;IAG5C,+BAA+B,CAC7B,cAA6B,EAC7B,WAA2B;QAE3B,OAAO,IAAI,CAAC,gCAAgC,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAC5E,CAAC;;AARH,4BASC;AARiB,mCAA0B,GAAG,IAAI,CAAC","sourcesContent":["import { Strategy as PassportStrategy } from \"passport-strategy\";\nimport { SAML } from \"../node-saml\";\nimport * as url from \"url\";\nimport {\n  AuthenticateOptions,\n  RequestWithUser,\n  SamlConfig,\n  VerifyWithoutRequest,\n  VerifyWithRequest,\n} from \"./types\";\nimport { Profile } from \"./types\";\n\nexport abstract class AbstractStrategy extends PassportStrategy {\n  static readonly newSamlProviderOnConstruct: boolean;\n\n  name: string;\n  _verify: VerifyWithRequest | VerifyWithoutRequest;\n  _saml: SAML | undefined;\n  _passReqToCallback?: boolean;\n\n  constructor(options: SamlConfig, verify: VerifyWithRequest);\n  constructor(options: SamlConfig, verify: VerifyWithoutRequest);\n  constructor(options: SamlConfig, verify: never) {\n    super();\n    if (typeof options === \"function\") {\n      throw new Error(\"Mandatory SAML options missing\");\n    }\n\n    if (!verify) {\n      throw new Error(\"SAML authentication strategy requires a verify function\");\n    }\n\n    // Customizing the name can be useful to support multiple SAML configurations at the same time.\n    // Unlike other options, this one gets deleted instead of passed along.\n    if (options.name) {\n      this.name = options.name;\n    } else {\n      this.name = \"saml\";\n    }\n\n    this._verify = verify;\n    if ((this.constructor as typeof Strategy).newSamlProviderOnConstruct) {\n      this._saml = new SAML(options);\n    }\n    this._passReqToCallback = !!options.passReqToCallback;\n  }\n\n  authenticate(req: RequestWithUser, options: AuthenticateOptions): void {\n    if (this._saml == null) {\n      throw new Error(\"Can't get authenticate without a SAML provider defined.\");\n    }\n\n    options.samlFallback = options.samlFallback || \"login-request\";\n    const validateCallback = ({\n      profile,\n      loggedOut,\n    }: {\n      profile?: Profile | null;\n      loggedOut?: boolean;\n    }) => {\n      if (loggedOut) {\n        req.logout();\n        if (profile) {\n          if (this._saml == null) {\n            throw new Error(\"Can't get logout response URL without a SAML provider defined.\");\n          }\n\n          const RelayState =\n            (req.query && req.query.RelayState) || (req.body && req.body.RelayState);\n          return this._saml.getLogoutResponseUrl(profile, RelayState, options, redirectIfSuccess);\n        }\n        return this.pass();\n      }\n\n      const verified = (\n        err: Error | null,\n        user?: Record<string, unknown>,\n        info?: Record<string, unknown>\n      ) => {\n        if (err) {\n          return this.error(err);\n        }\n\n        if (!user) {\n          return this.fail(info, 401);\n        }\n\n        this.success(user, info);\n      };\n\n      if (this._passReqToCallback) {\n        (this._verify as VerifyWithRequest)(req, profile, verified);\n      } else {\n        (this._verify as VerifyWithoutRequest)(profile, verified);\n      }\n    };\n\n    const redirectIfSuccess = (err: Error | null, url?: string | null) => {\n      if (err) {\n        this.error(err);\n      } else {\n        this.redirect(url!);\n      }\n    };\n\n    if (req.query && (req.query.SAMLResponse || req.query.SAMLRequest)) {\n      const originalQuery = url.parse(req.url).query;\n      this._saml\n        .validateRedirectAsync(req.query, originalQuery)\n        .then(validateCallback)\n        .catch((err) => this.error(err));\n    } else if (req.body && req.body.SAMLResponse) {\n      this._saml\n        .validatePostResponseAsync(req.body)\n        .then(validateCallback)\n        .catch((err) => this.error(err));\n    } else if (req.body && req.body.SAMLRequest) {\n      this._saml\n        .validatePostRequestAsync(req.body)\n        .then(validateCallback)\n        .catch((err) => this.error(err));\n    } else {\n      const requestHandler = {\n        \"login-request\": async () => {\n          try {\n            if (this._saml == null) {\n              throw new Error(\"Can't process login request without a SAML provider defined.\");\n            }\n\n            const RelayState =\n              (req.query && req.query.RelayState) || (req.body && req.body.RelayState);\n            const host = req.headers && req.headers.host;\n            if (this._saml.options.authnRequestBinding === \"HTTP-POST\") {\n              const data = await this._saml.getAuthorizeFormAsync(RelayState, host);\n              const res = req.res!;\n              res.send(data);\n            } else {\n              // Defaults to HTTP-Redirect\n              this.redirect(await this._saml.getAuthorizeUrlAsync(RelayState, host, options));\n            }\n          } catch (err) {\n            this.error(err as Error);\n          }\n        },\n        \"logout-request\": async () => {\n          if (this._saml == null) {\n            throw new Error(\"Can't process logout request without a SAML provider defined.\");\n          }\n\n          try {\n            const RelayState =\n              (req.query && req.query.RelayState) || (req.body && req.body.RelayState);\n            this.redirect(\n              await this._saml.getLogoutUrlAsync(req.user as Profile, RelayState, options)\n            );\n          } catch (err) {\n            this.error(err as Error);\n          }\n        },\n      }[options.samlFallback];\n\n      if (typeof requestHandler !== \"function\") {\n        return this.fail(401);\n      }\n\n      requestHandler();\n    }\n  }\n\n  logout(req: RequestWithUser, callback: (err: Error | null, url?: string | null) => void): void {\n    if (this._saml == null) {\n      throw new Error(\"Can't logout without a SAML provider defined.\");\n    }\n    const RelayState = (req.query && req.query.RelayState) || (req.body && req.body.RelayState);\n    this._saml\n      .getLogoutUrlAsync(req.user as Profile, RelayState, {})\n      .then((url) => callback(null, url))\n      .catch((err) => callback(err));\n  }\n\n  protected _generateServiceProviderMetadata(\n    decryptionCert: string | null,\n    signingCert?: string | null\n  ): string {\n    if (this._saml == null) {\n      throw new Error(\"Can't generate service provider metadata without a SAML provider defined.\");\n    }\n\n    return this._saml.generateServiceProviderMetadata(decryptionCert, signingCert);\n  }\n\n  // This is reduntant, but helps with testing\n  error(err: Error): void {\n    super.error(err);\n  }\n}\n\nexport class Strategy extends AbstractStrategy {\n  static readonly newSamlProviderOnConstruct = true;\n\n  generateServiceProviderMetadata(\n    decryptionCert: string | null,\n    signingCert?: string | null\n  ): string {\n    return this._generateServiceProviderMetadata(decryptionCert, signingCert);\n  }\n}\n"]}

package/temp/passport-saml/lib/passport-saml/types.d.ts

@@ -0,0 +1,51 @@
+import type * as express from "express";
+import * as passport from "passport";
+import type { SamlOptions, MandatorySamlOptions } from "../node-saml/types";
+export interface AuthenticateOptions extends passport.AuthenticateOptions {
+    samlFallback?: "login-request" | "logout-request";
+    additionalParams?: Record<string, any>;
+}
+export interface AuthorizeOptions extends AuthenticateOptions {
+    samlFallback?: "login-request" | "logout-request";
+}
+export interface StrategyOptions {
+    name?: string;
+    passReqToCallback?: boolean;
+}
+/**
+ * These options are availble for configuring a SAML strategy
+ */
+export declare type SamlConfig = Partial<SamlOptions> & StrategyOptions & MandatorySamlOptions;
+export interface Profile {
+    issuer?: string;
+    sessionIndex?: string;
+    nameID?: string;
+    nameIDFormat?: string;
+    nameQualifier?: string;
+    spNameQualifier?: string;
+    ID?: string;
+    mail?: string;
+    email?: string;
+    ["urn:oid:0.9.2342.19200300.100.1.3"]?: string;
+    getAssertionXml?(): string;
+    getAssertion?(): Record<string, unknown>;
+    getSamlResponseXml?(): string;
+    [attributeName: string]: unknown;
+}
+export interface RequestWithUser extends express.Request {
+    samlLogoutRequest: any;
+    user?: Profile;
+}
+export declare type VerifiedCallback = (err: Error | null, user?: Record<string, unknown>, info?: Record<string, unknown>) => void;
+export declare type VerifyWithRequest = (req: express.Request, profile: Profile | null | undefined, done: VerifiedCallback) => void;
+export declare type VerifyWithoutRequest = (profile: Profile | null | undefined, done: VerifiedCallback) => void;
+export declare type SamlOptionsCallback = (err: Error | null, samlOptions?: SamlConfig) => void;
+interface BaseMultiSamlConfig {
+    getSamlOptions(req: express.Request, callback: SamlOptionsCallback): void;
+}
+export declare type MultiSamlConfig = Partial<SamlConfig> & StrategyOptions & BaseMultiSamlConfig;
+export declare class ErrorWithXmlStatus extends Error {
+    readonly xmlStatus: string;
+    constructor(message: string, xmlStatus: string);
+}
+export {};

package/temp/passport-saml/lib/passport-saml/types.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ErrorWithXmlStatus = void 0;
+class ErrorWithXmlStatus extends Error {
+    constructor(message, xmlStatus) {
+        super(message);
+        this.xmlStatus = xmlStatus;
+    }
+}
+exports.ErrorWithXmlStatus = ErrorWithXmlStatus;
+//# sourceMappingURL=types.js.map

package/temp/passport-saml/lib/passport-saml/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/passport-saml/types.ts"],"names":[],"mappings":";;;AAsEA,MAAa,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe,EAAkB,SAAiB;QAC5D,KAAK,CAAC,OAAO,CAAC,CAAC;QAD4B,cAAS,GAAT,SAAS,CAAQ;IAE9D,CAAC;CACF;AAJD,gDAIC","sourcesContent":["import type * as express from \"express\";\nimport * as passport from \"passport\";\nimport type { SamlOptions, MandatorySamlOptions, SamlIDPListConfig } from \"../node-saml/types\";\n\nexport interface AuthenticateOptions extends passport.AuthenticateOptions {\n  samlFallback?: \"login-request\" | \"logout-request\";\n  additionalParams?: Record<string, any>;\n}\n\nexport interface AuthorizeOptions extends AuthenticateOptions {\n  samlFallback?: \"login-request\" | \"logout-request\";\n}\n\nexport interface StrategyOptions {\n  name?: string;\n  passReqToCallback?: boolean;\n}\n\n/**\n * These options are availble for configuring a SAML strategy\n */\nexport type SamlConfig = Partial<SamlOptions> & StrategyOptions & MandatorySamlOptions;\n\nexport interface Profile {\n  issuer?: string;\n  sessionIndex?: string;\n  nameID?: string;\n  nameIDFormat?: string;\n  nameQualifier?: string;\n  spNameQualifier?: string;\n  ID?: string;\n  mail?: string; // InCommon Attribute urn:oid:0.9.2342.19200300.100.1.3\n  email?: string; // `mail` if not present in the assertion\n  [\"urn:oid:0.9.2342.19200300.100.1.3\"]?: string;\n  getAssertionXml?(): string; // get the raw assertion XML\n  getAssertion?(): Record<string, unknown>; // get the assertion XML parsed as a JavaScript object\n  getSamlResponseXml?(): string; // get the raw SAML response XML\n  [attributeName: string]: unknown; // arbitrary `AttributeValue`s\n}\n\nexport interface RequestWithUser extends express.Request {\n  samlLogoutRequest: any;\n  user?: Profile;\n}\n\nexport type VerifiedCallback = (\n  err: Error | null,\n  user?: Record<string, unknown>,\n  info?: Record<string, unknown>\n) => void;\n\nexport type VerifyWithRequest = (\n  req: express.Request,\n  profile: Profile | null | undefined,\n  done: VerifiedCallback\n) => void;\n\nexport type VerifyWithoutRequest = (\n  profile: Profile | null | undefined,\n  done: VerifiedCallback\n) => void;\n\nexport type SamlOptionsCallback = (err: Error | null, samlOptions?: SamlConfig) => void;\n\ninterface BaseMultiSamlConfig {\n  getSamlOptions(req: express.Request, callback: SamlOptionsCallback): void;\n}\n\nexport type MultiSamlConfig = Partial<SamlConfig> & StrategyOptions & BaseMultiSamlConfig;\n\nexport class ErrorWithXmlStatus extends Error {\n  constructor(message: string, public readonly xmlStatus: string) {\n    super(message);\n  }\n}\n"]}

package/temp/passport-saml/package.json

@@ -0,0 +1,96 @@
+{
+  "name": "passport-saml",
+  "version": "3.2.1",
+  "description": "SAML 2.0 authentication strategy for Passport",
+  "keywords": [
+    "saml",
+    "adfs",
+    "sso",
+    "shibboleth"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/node-saml/passport-saml.git"
+  },
+  "license": "MIT",
+  "author": {
+    "name": "Henri Bergius",
+    "email": "henri.bergius@iki.fi",
+    "url": "http://bergie.iki.fi"
+  },
+  "contributors": [
+    "Michael Bosworth",
+    "Herbert Vojčík",
+    "Peter Loer",
+    "Mark Stosberg",
+    "Chris Barth",
+    "Andrii Kostenko"
+  ],
+  "main": "./lib/passport-saml",
+  "files": [
+    "lib",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "changelog": "gren changelog --override --generate",
+    "lint": "eslint --ext .ts \"**/*.ts\" --cache",
+    "lint-watch": "onchange -k -p 100 \"**/*.ts\" -- eslint {{file}}",
+    "lint:fix": "eslint --ext .ts --fix src",
+    "prepare": "tsc",
+    "prettier-check": "prettier --config .prettierrc.json --check .",
+    "prettier-format": "prettier --config .prettierrc.json --write .",
+    "prettier-watch": "onchange -k -p 100 \".\" -- prettier --config .prettierrc.json --write {{file}}",
+    "release": "release-it",
+    "test": "npm run prettier-check && npm run lint && npm run tsc && mocha",
+    "test-watch": "mocha --watch",
+    "tsc": "tsc",
+    "tsc-watch": "tsc --watch",
+    "watch": "concurrently --kill-others \"npm:*-watch\""
+  },
+  "dependencies": {
+    "@xmldom/xmldom": "^0.7.5",
+    "debug": "^4.3.2",
+    "passport-strategy": "^1.0.0",
+    "xml-crypto": "^2.1.3",
+    "xml-encryption": "^2.0.0",
+    "xml2js": "^0.4.23",
+    "xmlbuilder": "^15.1.1"
+  },
+  "devDependencies": {
+    "@types/debug": "^4.1.7",
+    "@types/mocha": "^8.2.3",
+    "@types/node": "^14.17.17",
+    "@types/passport-strategy": "^0.2.35",
+    "@types/request": "^2.48.7",
+    "@types/sinon": "^10.0.2",
+    "@types/xml-crypto": "^1.4.2",
+    "@types/xml-encryption": "^1.2.1",
+    "@types/xml2js": "^0.4.9",
+    "@typescript-eslint/eslint-plugin": "^4.31.1",
+    "@typescript-eslint/parser": "^4.31.1",
+    "body-parser": "^1.19.0",
+    "choma": "^1.2.1",
+    "concurrently": "^6.2.1",
+    "eslint": "^7.32.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-prettier": "^3.4.1",
+    "express": "^4.17.1",
+    "github-release-notes": "^0.17.3",
+    "mocha": "^8.4.0",
+    "onchange": "^7.1.0",
+    "passport": "^0.4.1",
+    "prettier": "^2.4.1",
+    "prettier-plugin-packagejson": "^2.2.12",
+    "release-it": "^14.12.3",
+    "request": "^2.83.0",
+    "should": "^13.2.3",
+    "sinon": "^10.0.0",
+    "ts-node": "^9.1.1",
+    "typescript": "^4.4.3"
+  },
+  "engines": {
+    "node": ">= 12"
+  }
+}

package/util/auth.js

@@ -324,7 +324,7 @@ var syncProfile = exports.syncProfile = function(req, res, strategy, domainId, p
                     }
                 }
 
-                _LOCK([CACHE_IDENTIFIER], function(releaseLockFn) {
+                _LOCK([CACHE_IDENTIFIER], function(err, releaseLockFn) {
                     _handleSyncUser(req, strategy, settings, key, domainId, providerId, providerUserId, token, refreshToken, userObject, groupsArray, function (err, gitanaUser) {
 
                         if (err) {

package/util/cloudcms.js

@@ -1072,7 +1072,7 @@ exports = module.exports = function()
     r.download = function(contentStore, gitana, repositoryId, branchId, nodeId, attachmentId, nodePath, locale, forceReload, callback)
     {
         // claim a lock around this node for this server
-        _LOCK(contentStore, _lock_identifier(repositoryId, branchId, nodeId), function(releaseLockFn) {
+        _LOCK(contentStore, _lock_identifier(repositoryId, branchId, nodeId), function(err, releaseLockFn) {
 
             // workhorse - pass releaseLockFn back to callback
             downloadNode(contentStore, gitana, repositoryId, branchId, nodeId, attachmentId, nodePath, locale, forceReload, function (err, filePath, cacheInfo) {
@@ -1085,7 +1085,7 @@ exports = module.exports = function()
     r.preview = function(contentStore, gitana, repositoryId, branchId, nodeId, nodePath, attachmentId, locale, previewId, size, mimetype, forceReload, callback)
     {
         // claim a lock around this node for this server
-        _LOCK(contentStore, _lock_identifier(repositoryId, branchId, nodeId), function(releaseLockFn) {
+        _LOCK(contentStore, _lock_identifier(repositoryId, branchId, nodeId), function(err, releaseLockFn) {
 
             // workhorse - pass releaseLockFn back to callback
             previewNode(contentStore, gitana, repositoryId, branchId, nodeId, nodePath, attachmentId, locale, previewId, size, mimetype, forceReload, function(err, filePath, cacheInfo) {
@@ -1098,7 +1098,7 @@ exports = module.exports = function()
     r.invalidate = function(contentStore, repositoryId, branchId, nodeId, paths, callback)
     {
         // claim a lock around this node for this server
-        _LOCK(contentStore, _lock_identifier(repositoryId, branchId, nodeId), function(releaseLockFn) {
+        _LOCK(contentStore, _lock_identifier(repositoryId, branchId, nodeId), function(err, releaseLockFn) {
 
             invalidateNode(contentStore, repositoryId, branchId, nodeId, function () {
 
@@ -1118,7 +1118,7 @@ exports = module.exports = function()
     r.downloadAttachable = function(contentStore, gitana, datastoreTypeId, datastoreId, objectTypeId, objectId, attachmentId, locale, forceReload, callback)
     {
         // claim a lock around this node for this server
-        _LOCK(contentStore, _lock_identifier(datastoreId, objectId), function(releaseLockFn) {
+        _LOCK(contentStore, _lock_identifier(datastoreId, objectId), function(err, releaseLockFn) {
 
             // workhorse - pass releaseLockFn back to callback
             downloadAttachable(contentStore, gitana, datastoreTypeId, datastoreId, objectTypeId, objectId, attachmentId, locale, forceReload, function(err, filePath, cacheInfo) {
@@ -1131,7 +1131,7 @@ exports = module.exports = function()
     r.previewAttachable = function(contentStore, gitana, datastoreTypeId, datastoreId, objectTypeId, objectId, attachmentId, locale, previewId, size, mimetype, forceReload, callback)
     {
         // claim a lock around this node for this server
-        _LOCK(contentStore, _lock_identifier(datastoreId, objectId), function(releaseLockFn) {
+        _LOCK(contentStore, _lock_identifier(datastoreId, objectId), function(err, releaseLockFn) {
 
             // workhorse - pass releaseLockFn back to callback
             previewAttachable(contentStore, gitana, datastoreTypeId, datastoreId, objectTypeId, objectId, attachmentId, locale, previewId, size, mimetype, forceReload, function (err, filePath, cacheInfo) {
@@ -1144,7 +1144,7 @@ exports = module.exports = function()
     r.invalidateAttachable = function(contentStore, datastoreTypeId, datastoreId, objectTypeId, objectId, callback)
     {
         // claim a lock around this node for this server
-        _LOCK(contentStore, _lock_identifier(datastoreId, objectId), function(releaseLockFn) {
+        _LOCK(contentStore, _lock_identifier(datastoreId, objectId), function(err, releaseLockFn) {
 
             // TODO: not implemented
             callback();

package/util/proxy-factory.js

@@ -15,7 +15,8 @@ var exports = module.exports;
 
 var _LOCK = function(lockIdentifiers, workFunction)
 {
-    process.locks.lock(lockIdentifiers.join("_"), workFunction);
+    var name = lockIdentifiers.join("_");
+    process.locks.lock(name, workFunction);
 };
 
 var NAMED_PROXY_HANDLERS_CACHE = require("lru-cache")({
@@ -34,9 +35,15 @@ var acquireProxyHandler = exports.acquireProxyHandler = function(proxyTarget, pa
     {
         return callback(null, _cachedHandler);
     }
-
+    
     // take out a thread lock
-    _LOCK(["acquireProxyHandler", name], function(releaseLockFn) {
+    _LOCK(["acquireProxyHandler", name], function(err, releaseLockFn) {
+        
+        if (err)
+        {
+            // failed to acquire lock
+            return callback(err);
+        }
 
         // second check to make sure another thread didn't create the handler in the meantime
         _cachedHandler = NAMED_PROXY_HANDLERS_CACHE[name];
@@ -48,7 +55,7 @@ var acquireProxyHandler = exports.acquireProxyHandler = function(proxyTarget, pa
 
         // create the proxy handler and cache it into LRU cache
         _cachedHandler = createProxyHandler(proxyTarget, pathPrefix);
-
+    
         // store back into LRU cache
         NAMED_PROXY_HANDLERS_CACHE[name] = _cachedHandler;
 
@@ -141,8 +148,16 @@ var createProxyHandler = function(proxyTarget, pathPrefix)
                     {
                         var identifier = req.identity_properties.provider_id + "/" + req.identity_properties.user_identifier;
 
-                        _LOCK([identifier], function(releaseLockFn) {
-
+                        _LOCK([identifier], function(err, releaseLockFn) {
+    
+                            if (err)
+                            {
+                                // failed to acquire lock
+                                console.log("FAILED TO ACQUIRE LOCK", err);
+                                req.log("FAILED TO ACQUIRE LOCK", err);
+                                return;
+                            }
+    
                             var cleanup = function (full)
                             {
                                 delete Gitana.APPS[req.identity_properties.token];
@@ -375,7 +390,7 @@ var createProxyHandler = function(proxyTarget, pathPrefix)
                 req.headers["authorization"] = "Bearer " + req.gitana_proxy_access_token;
             }
         }
-
+        
         if (pathPrefix) {
             req.url = path.join(pathPrefix, req.url);
         }

package/util/redis.js

@@ -1,5 +1,39 @@
+var redis = require("redis");
+const logFactory = require("./logger");
+
 exports = module.exports;
 
+var redisLogger = exports.redisLogger = function(name, prefix, defaultLevel)
+{
+    if (!defaultLevel) {
+        defaultLevel = "error";
+    }
+    
+    var level = null;
+    
+    // allow for global redis default
+    // allow for prefix specific
+    if (typeof(process.env["CLOUDCMS_REDIS_DEBUG_LEVEL"]) !== "undefined") {
+        level = "" + process.env["CLOUDCMS_REDIS_DEBUG_LEVEL"].toLowerCase();
+    }
+    
+    if (!level && prefix)
+    {
+        if (typeof(process.env[prefix + "REDIS_DEBUG_LEVEL"]) !== "undefined") {
+            level = "" + process.env[prefix + "REDIS_DEBUG_LEVEL"].toLowerCase();
+        }
+    }
+    
+    if (!level) {
+        level = defaultLevel;
+    }
+    
+    var logger = logFactory(name);
+    logger.setLevel(level);
+    
+    return logger;
+}
+
 var redisOptions = exports.redisOptions = function(config, prefix)
 {
     if (!config) {
@@ -57,7 +91,23 @@ var redisOptions = exports.redisOptions = function(config, prefix)
     
     var redisOptions = {};
     redisOptions.url = redisUrl;
-    redisOptions.legacyMode = true;
     
     return redisOptions;
 }
+
+var createAndConnect = exports.createAndConnect = async function(redisOptions, callback)
+{
+    var client = redis.createClient(redisOptions);
+    
+    var connectErr = null;
+    client.on('error', function(err) {
+        console.log('Redis Client Error', err);
+        connectErr = err;
+    });
+    
+    // connect
+    await client.connect();
+    //console.log("Connected to redis, options: " + JSON.stringify(redisOptions, null, 2) + ", err: " + connectErr + ", client: " + client);
+
+    return callback(connectErr, client);
+}