fa-mcp-sdk 0.4.93 → 0.4.95
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli-template/.claude/skills/readme-generator/reference/satellite-templates.md +1 -1
- package/cli-template/CLAUDE.md +1 -1
- package/cli-template/FA-MCP-SDK-DOC/03-configuration.md +9 -5
- package/cli-template/FA-MCP-SDK-DOC/04-authentication.md +4 -4
- package/cli-template/FA-MCP-SDK-DOC/08-agent-tester-and-headless-api.md +1 -1
- package/config/_local.yaml +13 -6
- package/config/custom-environment-variables.yaml +1 -0
- package/config/default.yaml +14 -6
- package/dist/core/_types_/config.d.ts +1 -0
- package/dist/core/_types_/config.d.ts.map +1 -1
- package/dist/core/auth/admin-auth.d.ts.map +1 -1
- package/dist/core/auth/admin-auth.js +9 -10
- package/dist/core/auth/admin-auth.js.map +1 -1
- package/dist/core/auth/jwt.d.ts +18 -9
- package/dist/core/auth/jwt.d.ts.map +1 -1
- package/dist/core/auth/jwt.js +185 -51
- package/dist/core/auth/jwt.js.map +1 -1
- package/dist/core/auth/multi-auth.d.ts +4 -2
- package/dist/core/auth/multi-auth.d.ts.map +1 -1
- package/dist/core/auth/multi-auth.js +43 -31
- package/dist/core/auth/multi-auth.js.map +1 -1
- package/dist/core/auth/revocation.d.ts +1 -0
- package/dist/core/auth/revocation.d.ts.map +1 -1
- package/dist/core/auth/revocation.js +9 -2
- package/dist/core/auth/revocation.js.map +1 -1
- package/dist/core/auth/types.d.ts +5 -0
- package/dist/core/auth/types.d.ts.map +1 -1
- package/package.json +6 -2
- package/scripts/generate-jwt.js +61 -35
|
@@ -30,7 +30,7 @@ Configured under `webServer.auth` in `config/*.yaml`. Supported methods:
|
|
|
30
30
|
|
|
31
31
|
- **Permanent server tokens** — O(1) set lookup, for service-to-service callers
|
|
32
32
|
- **Basic** — `Authorization: Basic base64(user:pass)`
|
|
33
|
-
- **JWT** — `Authorization: Bearer <token>`;
|
|
33
|
+
- **JWT** — `Authorization: Bearer <token>`; standard signed JWT (HS256); optional IP restriction
|
|
34
34
|
- **Custom validator** — project-defined fallback
|
|
35
35
|
|
|
36
36
|
JWT tokens can be minted via:
|
package/cli-template/CLAUDE.md
CHANGED
|
@@ -106,7 +106,7 @@ Priority: environment variables > local.yaml > {NODE_ENV}.yaml > default.yaml. A
|
|
|
106
106
|
When multiple auth methods configured, detection from `Authorization` header:
|
|
107
107
|
1. `permanentServerTokens` — static tokens (O(1) lookup)
|
|
108
108
|
2. `basic` — base64 username:password
|
|
109
|
-
3. `jwtToken` —
|
|
109
|
+
3. `jwtToken` — standard signed JWT, HS256 (optional IP restriction via `isCheckIP` + `ip` field in payload; legacy `<expire>.<hex>` tokens still accepted for backward compatibility)
|
|
110
110
|
4. `custom` — user-defined validator (fallback)
|
|
111
111
|
|
|
112
112
|
## Framework Documentation
|
|
@@ -155,21 +155,25 @@ webServer:
|
|
|
155
155
|
permanentServerTokens: [ ] # Add your server tokens here: ['token1', 'token2']
|
|
156
156
|
|
|
157
157
|
# ========================================================================
|
|
158
|
-
# JWT TOKEN
|
|
159
|
-
#
|
|
160
|
-
#
|
|
158
|
+
# JWT TOKEN — standard signed JWT (HS256)
|
|
159
|
+
# Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
|
|
160
|
+
# The verifier also temporarily accepts pre-migration legacy tokens
|
|
161
|
+
# (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
|
|
162
|
+
# CPU cost: Medium - signature verification + JSON parsing
|
|
161
163
|
#
|
|
162
164
|
# To enable this authentication, you need to set auth.enabled = true and set
|
|
163
|
-
# encryptKey to at least
|
|
165
|
+
# encryptKey to at least 8 characters (used as the HS256 signing secret).
|
|
164
166
|
# ========================================================================
|
|
165
167
|
jwtToken:
|
|
166
|
-
#
|
|
168
|
+
# HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
|
|
167
169
|
encryptKey: '***'
|
|
168
170
|
# If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
|
|
169
171
|
checkMCPName: true
|
|
170
172
|
# If true and JWT token contains non-empty 'ip' field,
|
|
171
173
|
# the client IP will be checked against the allowed list in the token
|
|
172
174
|
isCheckIP: false
|
|
175
|
+
# Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
|
|
176
|
+
issuer: ''
|
|
173
177
|
|
|
174
178
|
# ========================================================================
|
|
175
179
|
# Basic Authentication - Base64 encoded username:password
|
|
@@ -74,8 +74,8 @@ For `ntlm` — uses AD configuration from `ad.domains` section.
|
|
|
74
74
|
|
|
75
75
|
When `jwtToken` is used to authenticate into the admin panel (`/admin`), the decoded
|
|
76
76
|
payload **must** contain `allow: 'gen-token'`. Any JWT without this claim is rejected
|
|
77
|
-
with `401` even if
|
|
78
|
-
issued for other purposes (e.g. the Agent Tester page auto-fills a JWT into its
|
|
77
|
+
with `401` even if its signature verifies and it is not expired. This prevents short-lived
|
|
78
|
+
JWTs issued for other purposes (e.g. the Agent Tester page auto-fills a JWT into its
|
|
79
79
|
`Authorization` header — TTL is configurable via `agentTester.tokenTTLSec`, default
|
|
80
80
|
30 min) from being replayed against `/admin` to mint arbitrary long-lived tokens.
|
|
81
81
|
|
|
@@ -311,7 +311,7 @@ node scripts/generate-jwt.js -u <username> -ttl <duration> [-s <service>] [-p <p
|
|
|
311
311
|
| `-s`, `--service-name` | `JWT_PAYLOAD_SERVICE_NAME` | Service name (optional) |
|
|
312
312
|
| `-p`, `--params` | `JWT_PAYLOAD_PARAMS` | Extra payload `key=value;key=value` (optional) |
|
|
313
313
|
|
|
314
|
-
The
|
|
314
|
+
The HS256 signing secret is read from config `webServer.auth.jwtToken.encryptKey` (via `config/local.yaml` or ENV `WS_TOKEN_ENCRYPT_KEY`). Generated tokens are standard 3-segment JWTs.
|
|
315
315
|
|
|
316
316
|
**Examples:**
|
|
317
317
|
|
|
@@ -388,7 +388,7 @@ curl -X POST http://localhost:3000/gen-jwt \
|
|
|
388
388
|
```json
|
|
389
389
|
{
|
|
390
390
|
"success": true,
|
|
391
|
-
"token": "
|
|
391
|
+
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0dXNlciJ9.signature",
|
|
392
392
|
"user": "testuser",
|
|
393
393
|
"expire": "2025-07-10T12:00:00.000Z",
|
|
394
394
|
"ttlSeconds": 2592000
|
|
@@ -130,7 +130,7 @@ When `useAuth` is `true`, a successful browser login creates a server-side sessi
|
|
|
130
130
|
|
|
131
131
|
When the MCP server requires authentication (`webServer.auth.enabled: true`) and the chat UI is configured to send the `Authorization` header, the page does **not** ask the user to type a token — it issues one for itself by calling `GET /api/auth-token` on load. The endpoint returns a header value derived from the configured method, in priority order:
|
|
132
132
|
|
|
133
|
-
1. **`jwtToken`** — `Bearer <
|
|
133
|
+
1. **`jwtToken`** — `Bearer <standard signed JWT>` issued by the server with `sub: 'agentTester'`, `aud: <appConfig.name>`, and TTL = `agentTester.tokenTTLSec` (default 1800 sec / 30 min). The response also includes `ttlSec` so the client can plan refresh.
|
|
134
134
|
2. **`basic`** — `Basic <base64(user:password)>` from `webServer.auth.basic`.
|
|
135
135
|
3. **`permanentServerTokens`** — `Bearer <first configured token>`.
|
|
136
136
|
|
package/config/_local.yaml
CHANGED
|
@@ -304,21 +304,25 @@ webServer:
|
|
|
304
304
|
permanentServerTokens: [ ]
|
|
305
305
|
|
|
306
306
|
#> ========================================================================
|
|
307
|
-
#> JWT TOKEN
|
|
308
|
-
#>
|
|
309
|
-
#>
|
|
307
|
+
#> JWT TOKEN — standard signed JWT (HS256)
|
|
308
|
+
#> Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
|
|
309
|
+
#> The verifier also temporarily accepts pre-migration legacy tokens
|
|
310
|
+
#> (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
|
|
311
|
+
#> CPU cost: Medium — signature verification + JSON parsing
|
|
310
312
|
#>
|
|
311
313
|
#> To enable this authentication, you need to set auth.enabled = true and set
|
|
312
|
-
#> encryptKey to at least
|
|
314
|
+
#> encryptKey to at least 8 characters (used as the HS256 signing secret).
|
|
313
315
|
#> ========================================================================
|
|
314
316
|
jwtToken:
|
|
315
|
-
#>
|
|
317
|
+
#> HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
|
|
316
318
|
encryptKey: '{{webServer.auth.token.encryptKey}}'
|
|
317
319
|
#> If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
|
|
318
320
|
checkMCPName: {{webServer.auth.token.checkMCPName}}
|
|
319
321
|
#> If true and JWT token contains non-empty 'ip' field,
|
|
320
322
|
#> the client IP will be checked against the allowed list in the token
|
|
321
323
|
isCheckIP: false
|
|
324
|
+
#> Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
|
|
325
|
+
issuer: ''
|
|
322
326
|
|
|
323
327
|
#> ========================================================================
|
|
324
328
|
#> Basic Authentication — Base64 encoded username:password
|
|
@@ -338,7 +342,10 @@ webServer:
|
|
|
338
342
|
#> MCP endpoints, Admin panel, and Agent Tester.
|
|
339
343
|
#> ========================================================================
|
|
340
344
|
revoked:
|
|
341
|
-
#> Revoked JWT
|
|
345
|
+
#> Revoked JWT entries. Each entry: { token: '<value>', note?: '<reason>' }.
|
|
346
|
+
#> `token` may be:
|
|
347
|
+
#> - a full token string (legacy `<expire>.<hex>` or exact standard JWT `a.b.c`)
|
|
348
|
+
#> - a standard JWT ID (`jti`) — preferred for revoking standard JWTs
|
|
342
349
|
jwtTokens: [ ]
|
|
343
350
|
#> Revoked usernames matched against JWT payload.user (case-insensitive)
|
|
344
351
|
users: [ ]
|
package/config/default.yaml
CHANGED
|
@@ -302,21 +302,26 @@ webServer:
|
|
|
302
302
|
permanentServerTokens: [ ]
|
|
303
303
|
|
|
304
304
|
#> ========================================================================
|
|
305
|
-
#> JWT TOKEN
|
|
306
|
-
#>
|
|
307
|
-
#>
|
|
305
|
+
#> JWT TOKEN — standard signed JWT (HS256)
|
|
306
|
+
#> Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
|
|
307
|
+
#> The verifier also temporarily accepts pre-migration legacy tokens
|
|
308
|
+
#> (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
|
|
309
|
+
#> CPU cost: Medium — signature verification + JSON parsing
|
|
308
310
|
#>
|
|
309
311
|
#> To enable this authentication, you need to set auth.enabled = true and set
|
|
310
|
-
#> encryptKey to at least
|
|
312
|
+
#> encryptKey to at least 8 characters (used as the HS256 signing secret).
|
|
311
313
|
#> ========================================================================
|
|
312
314
|
jwtToken:
|
|
313
|
-
#>
|
|
315
|
+
#> HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
|
|
314
316
|
encryptKey: '***'
|
|
315
317
|
#> If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
|
|
316
318
|
checkMCPName: true
|
|
317
319
|
#> If true and JWT token contains non-empty 'ip' field,
|
|
318
320
|
#> the client IP will be checked against the allowed list in the token
|
|
319
321
|
isCheckIP: false
|
|
322
|
+
#> Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
|
|
323
|
+
#> Leave empty to skip issuer enforcement.
|
|
324
|
+
issuer: ''
|
|
320
325
|
|
|
321
326
|
#> ========================================================================
|
|
322
327
|
#> Basic Authentication — Base64 encoded username:password
|
|
@@ -336,7 +341,10 @@ webServer:
|
|
|
336
341
|
#> MCP endpoints, Admin panel, and Agent Tester.
|
|
337
342
|
#> ========================================================================
|
|
338
343
|
revoked:
|
|
339
|
-
#> Revoked JWT
|
|
344
|
+
#> Revoked JWT entries. Each entry: { token: '<value>', note?: '<reason>' }.
|
|
345
|
+
#> `token` may be:
|
|
346
|
+
#> - a full token string (legacy `<expire>.<hex>` or exact standard JWT `a.b.c`)
|
|
347
|
+
#> - a standard JWT ID (`jti`) — preferred for revoking standard JWTs
|
|
340
348
|
jwtTokens: [ ]
|
|
341
349
|
#> Revoked usernames matched against JWT payload.user (case-insensitive)
|
|
342
350
|
users: [ ]
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/_types_/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE3D,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAEzD,MAAM,MAAM,aAAa,GAAG,uBAAuB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AACpF,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG,MAAM,CAAC;AAExD,UAAU,gBAAgB;IACxB,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,CAAC,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC;gBACjB,QAAQ,EAAE,MAAM,CAAC;aAClB,CAAC;YACF,QAAQ,EAAE;gBACR,UAAU,EAAE,MAAM,CAAC;gBACnB,YAAY,EAAE,OAAO,CAAC;gBACtB,SAAS,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/_types_/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE3D,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAEzD,MAAM,MAAM,aAAa,GAAG,uBAAuB,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AACpF,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG,MAAM,CAAC;AAExD,UAAU,gBAAgB;IACxB,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,IAAI,EAAE;YACJ,OAAO,EAAE,OAAO,CAAC;YACjB,KAAK,CAAC,EAAE;gBACN,QAAQ,EAAE,MAAM,CAAC;gBACjB,QAAQ,EAAE,MAAM,CAAC;aAClB,CAAC;YACF,QAAQ,EAAE;gBACR,UAAU,EAAE,MAAM,CAAC;gBACnB,YAAY,EAAE,OAAO,CAAC;gBACtB,SAAS,EAAE,OAAO,CAAC;gBACnB,MAAM,CAAC,EAAE,MAAM,CAAC;aACjB,CAAC;YACF,qBAAqB,EAAE,MAAM,EAAE,CAAC;YAEhC,OAAO,CAAC,EAAE;gBAER,SAAS,CAAC,EAAE,KAAK,CAAC;oBAAE,KAAK,EAAE,MAAM,CAAC;oBAAC,IAAI,CAAC,EAAE,MAAM,CAAA;iBAAE,CAAC,CAAC;gBAEpD,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;aAClB,CAAC;SACH,CAAC;QACF,eAAe,EAAE,OAAO,CAAC;KAC1B,CAAC;CACH;AAKD,UAAU,iBAAiB;IACzB,UAAU,CAAC,EAAE;QACX,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,kBAAkB,GAAG,kBAAkB,EAAE,GAAG,IAAI,CAAC;KAC7D,CAAC;CACH;AAGD,UAAU,aAAa;IACrB,MAAM,EAAE;QACN,KAAK,EAAE,aAAa,CAAC;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,UAAU,UAAU;IAClB,GAAG,EAAE;QACH,SAAS,EAAE;YACT,WAAW,EAAE,MAAM,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,aAAa,EAAE,OAAO,GAAG,MAAM,CAAC;QAChC,KAAK,EAAE;YACL,QAAQ,EAAE,MAAM,GAAG,mBAAmB,CAAC;YACvC,eAAe,EAAE,OAAO,CAAC;SAC1B,CAAC;KACH,CAAC;CACH;AAED,UAAU,cAAc;IACtB,OAAO,EAAE;QACP,OAAO,CAAC,EAAE;YACR,GAAG,EAAE,MAAM,CAAC;YACZ,WAAW,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC;KACL,CAAC;CACH;AAED,UAAU,kBAAkB;IAC1B,WAAW,CAAC,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,OAAO,EAAE,OAAO,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE;YACP,MAAM,EAAE,MAAM,CAAC;YACf,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,cAAc,CAAC,EAAE,OAAO,CAAC;SAC1B,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACtC,CAAC;CACH;AAED,UAAU,eAAe;IACvB,QAAQ,CAAC,EAAE;QACT,QAAQ,CAAC,EAAE;YACT,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;QACF,UAAU,CAAC,EAAE;YACX,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC;KACH,CAAC;CACH;AAED,UAAU,YAAY;IACpB,KAAK,EAAE;QACL,UAAU,EAAE,GAAG,CAAC;QAChB,QAAQ,EAAE,IAAI,CAAC;KAChB,CAAC;CACH;AAED,MAAM,WAAW,SACf,SACE,SAAS,EACT,YAAY,EACZ,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,kBAAkB,EAClB,eAAe;IACjB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IAEpB,YAAY,EAAE,aAAa,CAAC;IAC5B,MAAM,EAAE,eAAe,GAAG;QACxB,OAAO,EAAE;YACP,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"admin-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1E,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAarD,YAAY,EAAE,aAAa,EAAE,CAAC;AAI9B;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,aAAa,EAAE,CAOnD;AA6CD;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,GAAG,IAAI,CAavD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAe9C;
|
|
1
|
+
{"version":3,"file":"admin-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1E,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAarD,YAAY,EAAE,aAAa,EAAE,CAAC;AAI9B;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,aAAa,EAAE,CAOnD;AA6CD;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,GAAG,IAAI,CAavD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAe9C;AAkED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAqEpD"}
|
|
@@ -106,16 +106,15 @@ export function getAdminAuthMethods() {
|
|
|
106
106
|
return [...new Set(methods)];
|
|
107
107
|
}
|
|
108
108
|
/**
|
|
109
|
-
* Build an actionable 401 message
|
|
110
|
-
*
|
|
111
|
-
*
|
|
112
|
-
*
|
|
113
|
-
* `<13+digits>.<32+hex>`, 'basic' for Basic auth, or 'permanentServerTokens' otherwise.
|
|
109
|
+
* Build an actionable 401 message. `scheme` here is what `getTokenFromHttpHeader` returned:
|
|
110
|
+
* 'basic' for Basic auth, 'bearer' for anything else. `looksLikeJwt` indicates the bearer
|
|
111
|
+
* credential matches a known JWT format (legacy `<expire>.<hex>` or standard `a.b.c`) — but
|
|
112
|
+
* since permanent tokens may also contain dots, this is only a hint for diagnostics.
|
|
114
113
|
*/
|
|
115
|
-
function buildAuthFailureMessage(scheme, allowedTypes) {
|
|
114
|
+
function buildAuthFailureMessage(scheme, looksLikeJwt, allowedTypes) {
|
|
116
115
|
const allowed = allowedTypes.length > 0 ? allowedTypes.join(', ') : 'none';
|
|
117
|
-
if (scheme === '
|
|
118
|
-
return `Authentication failed: token
|
|
116
|
+
if (scheme === 'bearer' && looksLikeJwt && !allowedTypes.includes('jwtToken')) {
|
|
117
|
+
return `Authentication failed: token looks like a JWT, but 'jwtToken' is not enabled in adminPanel.authType (configured: ${allowed}).`;
|
|
119
118
|
}
|
|
120
119
|
if (scheme === 'basic' && !allowedTypes.includes('basic')) {
|
|
121
120
|
return `Authentication failed: Basic auth is not enabled in adminPanel.authType (configured: ${allowed}).`;
|
|
@@ -203,7 +202,7 @@ export function createAdminAuthMW() {
|
|
|
203
202
|
username: 'Unknown',
|
|
204
203
|
domain: 'Unknown',
|
|
205
204
|
};
|
|
206
|
-
const { scheme, credentials } = getTokenFromHttpHeader(req);
|
|
205
|
+
const { scheme, credentials, looksLikeJwt } = getTokenFromHttpHeader(req);
|
|
207
206
|
// If no credentials provided, request authentication
|
|
208
207
|
if (!credentials) {
|
|
209
208
|
return sendAuthRequired(res, standardTypes);
|
|
@@ -224,7 +223,7 @@ export function createAdminAuthMW() {
|
|
|
224
223
|
}
|
|
225
224
|
}
|
|
226
225
|
logger.debug('Admin auth failed: no matching auth type');
|
|
227
|
-
return sendAuthRequired(res, standardTypes, buildAuthFailureMessage(scheme || '', standardTypes));
|
|
226
|
+
return sendAuthRequired(res, standardTypes, buildAuthFailureMessage(scheme || '', !!looksLikeJwt, standardTypes));
|
|
228
227
|
},
|
|
229
228
|
];
|
|
230
229
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"admin-auth.js","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAErF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAGtE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC;AACjC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;AAE3C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,GAAG,GAAG,UAAU,EAAE,QAAQ,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,QAAuB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,qBAAqB,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO,wBAAwB,QAAQ,wEAAwE,CAAC;YAClH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;gBACzC,OAAO,wBAAwB,QAAQ,+DAA+D,CAAC;YACzG,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,wBAAwB,QAAQ,qEAAqE,CAAC;YAC/G,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,wBAAwB,QAAQ,kEAAkE,CAAC;YAC5G,CAAC;YACD,MAAM;QACR,CAAC;QAED;YACE,OAAO,gCAAgC,QAAQ,mEAAmE,CAAC;IACvH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,mEAAmE;IACrE,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED
|
|
1
|
+
{"version":3,"file":"admin-auth.js","sourceRoot":"","sources":["../../../src/core/auth/admin-auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,8CAA8C,CAAC;AAC3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,4CAA4C,CAAC;AAErF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAGtE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC;AACjC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC;AAE3C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,GAAG,GAAG,UAAU,EAAE,QAAQ,CAAC;IACjC,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,QAAuB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,qBAAqB,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC7D,OAAO,wBAAwB,QAAQ,wEAAwE,CAAC;YAClH,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;gBACzC,OAAO,wBAAwB,QAAQ,+DAA+D,CAAC;YACzG,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,CAAC;YAC3B,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,wBAAwB,QAAQ,qEAAqE,CAAC;YAC/G,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,wBAAwB,QAAQ,kEAAkE,CAAC;YAC5G,CAAC;YACD,MAAM;QACR,CAAC;QAED;YACE,OAAO,gCAAgC,QAAQ,mEAAmE,CAAC;IACvH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAChD,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,uBAAuB,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,mEAAmE;IACrE,CAAC;IACD,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,MAAc,EAAE,YAAqB,EAAE,YAA6B;IACnG,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAE3E,IAAI,MAAM,KAAK,QAAQ,IAAI,YAAY,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9E,OAAO,oHAAoH,OAAO,IAAI,CAAC;IACzI,CAAC;IACD,IAAI,MAAM,KAAK,OAAO,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,OAAO,wFAAwF,OAAO,IAAI,CAAC;IAC7G,CAAC;IACD,OAAO,+CAA+C,OAAO,GAAG,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,QAAuB,EACvB,MAAc,EACd,WAAmB;IAEnB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,uBAAuB,CAAC,CAAC,CAAC;YAC7B,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;YAChD,OAAO,MAAM,CAAC,WAAW;gBACvB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE;gBAC/C,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;QACjD,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,iBAAiB;YACnB,OAAO,cAAc,CAAC,WAAW,CAAC,CAAC;QACrC,CAAC;QAED,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,qBAAqB;YACvB,MAAM,MAAM,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YACrD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;YACvD,CAAC;YACD,IAAI,MAAM,CAAC,OAAO,EAAE,KAAK,KAAK,WAAW,EAAE,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mEAAmE,EAAE,CAAC;YACxG,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;QAClG,CAAC;QAED;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;IAElC,8EAA8E;IAC9E,+EAA+E;IAC/E,kDAAkD;IAClD,IAAI,CAAC,UAAU,EAAE,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/C,IAAI,UAAU,EAAE,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAClD,CAAC;QACD,OAAO;YACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;gBAClD,GAAG,CAAC,IAAI,GAAG;oBACT,eAAe,EAAE,KAAK;oBACtB,QAAQ,EAAE,WAAW;oBACrB,MAAM,EAAE,QAAQ;iBACjB,CAAC;gBACF,IAAI,EAAE,CAAC;YACT,CAAC;SACF,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9C,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IAED,gFAAgF;IAChF,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;IAExD,6CAA6C;IAC7C,OAAO;QACL,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAClD,yEAAyE;YACzE,GAAG,CAAC,IAAI,GAAG;gBACT,eAAe,EAAE,KAAK;gBACtB,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,SAAS;aAClB,CAAC;YAEF,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YAE1E,qDAAqD;YACrD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;YAC9C,CAAC;YAED,yCAAyC;YACzC,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACrC,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC;gBAChE,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBAC7B,GAAG,CAAC,IAAI,GAAG;wBACT,eAAe,EAAE,IAAI;wBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,eAAe;wBAC5C,MAAM,EAAE,QAAQ;qBACjB,CAAC;oBACF,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBAClB,GAAW,CAAC,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC;oBAC5C,CAAC;oBACD,OAAO,IAAI,EAAE,CAAC;gBAChB,CAAC;YACH,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YACzD,OAAO,gBAAgB,CAAC,GAAG,EAAE,aAAa,EAAE,uBAAuB,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC,CAAC;QACpH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAa,EAAE,SAA0B,EAAE,OAAgB;IACnF,MAAM,YAAY,GAAG,OAAO,IAAI,yBAAyB,CAAC;IAE1D,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAEhG,yDAAyD;IACzD,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,SAAS,EAAE,CAAC;QACd,UAAU,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,UAAU,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,YAAY;QACnB,gBAAgB,EAAE,SAAS;KAC5B,CAAC,CAAC;AACL,CAAC"}
|
package/dist/core/auth/jwt.d.ts
CHANGED
|
@@ -1,25 +1,34 @@
|
|
|
1
1
|
import { ICheckTokenResult } from './types.js';
|
|
2
2
|
export declare const MIN_ENCRYPT_KEY_LENGTH = 8;
|
|
3
|
+
export declare const legacyJwtRE: RegExp;
|
|
4
|
+
export declare const standardJwtRE: RegExp;
|
|
3
5
|
export declare const jwtTokenRE: RegExp;
|
|
4
6
|
/**
|
|
5
|
-
*
|
|
7
|
+
* Legacy: encrypts text with the symmetric key from config.
|
|
8
|
+
* Retained ONLY for backward-compatible reading of pre-migration tokens.
|
|
6
9
|
*/
|
|
7
10
|
export declare const encrypt: (text: string) => string;
|
|
8
11
|
/**
|
|
9
|
-
*
|
|
12
|
+
* Legacy: decrypts text with the symmetric key from config.
|
|
13
|
+
* Retained ONLY for backward-compatible reading of pre-migration tokens.
|
|
10
14
|
*/
|
|
11
15
|
export declare const decrypt: (encryptedStr: string) => string;
|
|
12
16
|
/**
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
17
|
+
* Generates a standard signed JWT (HS256).
|
|
18
|
+
* - `user` becomes `sub`
|
|
19
|
+
* - `service` becomes `aud`
|
|
20
|
+
* - `expire` becomes `exp`
|
|
21
|
+
* - `jti` is auto-generated via crypto.randomUUID()
|
|
22
|
+
* - other payload keys are written as private claims
|
|
23
|
+
* - `iss` is added only when webServer.auth.jwtToken.issuer is configured
|
|
16
24
|
*/
|
|
17
25
|
export declare const generateToken: (user: string, liveTimeSec: number, payload?: any) => string;
|
|
18
26
|
/**
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
27
|
+
* Verifies a token.
|
|
28
|
+
* Routes by format:
|
|
29
|
+
* - `header.payload.signature` → standard JWT verification
|
|
30
|
+
* - `<expire_ms>.<hex>` → legacy AES-256-CTR fallback
|
|
31
|
+
* Returns a normalized `ITokenPayload`.
|
|
23
32
|
*/
|
|
24
33
|
export declare const checkJwtToken: (arg: {
|
|
25
34
|
token: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,iBAAiB,EAAiB,MAAM,YAAY,CAAC;AAS9D,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAQxC,eAAO,MAAM,WAAW,QAAmC,CAAC;AAC5D,eAAO,MAAM,aAAa,QAAqD,CAAC;AAEhF,eAAO,MAAM,UAAU,QAAkF,CAAC;AAI1G;;;GAGG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,MAAM,KAAG,MAMtC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,OAAO,GAAI,cAAc,MAAM,WAO3C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,EAAE,aAAa,MAAM,EAAE,UAAU,GAAG,KAAG,MAgChF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,KAAG,iBAYH,CAAC"}
|
package/dist/core/auth/jwt.js
CHANGED
|
@@ -1,82 +1,220 @@
|
|
|
1
1
|
// noinspection UnnecessaryLocalVariableJS
|
|
2
2
|
import crypto from 'crypto';
|
|
3
3
|
import chalk from 'chalk';
|
|
4
|
+
import jwt from 'jsonwebtoken';
|
|
4
5
|
import { appConfig } from '../bootstrap/init-config.js';
|
|
5
6
|
import { logger as lgr } from '../logger.js';
|
|
6
7
|
import { isObject, trim } from '../utils/utils.js';
|
|
7
8
|
import { parseIpList, isIpAllowed } from './ip-check.js';
|
|
8
|
-
import { isJwtTokenRevoked, isUserRevoked } from './revocation.js';
|
|
9
|
+
import { isJtiRevoked, isJwtTokenRevoked, isUserRevoked } from './revocation.js';
|
|
9
10
|
const logger = lgr.getSubLogger({ name: chalk.cyan('token-auth') });
|
|
10
11
|
const { jwtToken } = appConfig.webServer?.auth || {};
|
|
11
12
|
const checkMCPName = jwtToken?.checkMCPName || false;
|
|
12
13
|
const isCheckIP = jwtToken?.isCheckIP || false;
|
|
14
|
+
const configuredIssuer = trim(jwtToken?.issuer);
|
|
13
15
|
export const MIN_ENCRYPT_KEY_LENGTH = 8;
|
|
14
|
-
const
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
16
|
+
const ENCRYPT_KEY = String(jwtToken?.encryptKey || '11111111-7777-8888-9999-000000000000');
|
|
17
|
+
// Legacy AES-256-CTR — used ONLY to read tokens issued before the migration to standard JWT.
|
|
18
|
+
const LEGACY_ALGORITHM = 'aes-256-ctr';
|
|
19
|
+
const LEGACY_KEY = crypto.createHash('sha256').update(ENCRYPT_KEY).digest('base64').substring(0, 32);
|
|
20
|
+
export const legacyJwtRE = /^(\d{13,})\.([\da-fA-F]{32,})$/;
|
|
21
|
+
export const standardJwtRE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
|
|
22
|
+
// "Looks like JWT" helper (either legacy or standard). Not used as the only criterion for auth routing.
|
|
23
|
+
export const jwtTokenRE = /^(?:\d{13,}\.[\da-fA-F]{32,}|[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
|
|
24
|
+
const STANDARD_CLAIMS = new Set(['user', 'expire', 'iat', 'service', 'iss', 'sub', 'aud', 'exp', 'jti']);
|
|
21
25
|
/**
|
|
22
|
-
*
|
|
26
|
+
* Legacy: encrypts text with the symmetric key from config.
|
|
27
|
+
* Retained ONLY for backward-compatible reading of pre-migration tokens.
|
|
23
28
|
*/
|
|
24
29
|
export const encrypt = (text) => {
|
|
25
30
|
const buffer = Buffer.from(text);
|
|
26
|
-
// Create an initialization vector
|
|
27
31
|
const iv = crypto.randomBytes(16);
|
|
28
|
-
|
|
29
|
-
const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
|
|
30
|
-
// Create the new (encrypted) buffer
|
|
32
|
+
const cipher = crypto.createCipheriv(LEGACY_ALGORITHM, LEGACY_KEY, iv);
|
|
31
33
|
const encryptedBuf = Buffer.concat([iv, cipher.update(buffer), cipher.final()]);
|
|
32
34
|
return encryptedBuf.toString('hex');
|
|
33
35
|
};
|
|
34
36
|
/**
|
|
35
|
-
*
|
|
37
|
+
* Legacy: decrypts text with the symmetric key from config.
|
|
38
|
+
* Retained ONLY for backward-compatible reading of pre-migration tokens.
|
|
36
39
|
*/
|
|
37
40
|
export const decrypt = (encryptedStr) => {
|
|
38
41
|
const encryptedByf = Buffer.from(encryptedStr, 'hex');
|
|
39
|
-
// Get the iv: the first 16 bytes
|
|
40
42
|
const iv2 = encryptedByf.subarray(0, 16);
|
|
41
|
-
// Get the rest
|
|
42
43
|
const restBuf = encryptedByf.subarray(16);
|
|
43
|
-
|
|
44
|
-
const decipher = crypto.createDecipheriv(ALGORITHM, KEY, iv2);
|
|
45
|
-
// Actually decrypt it
|
|
44
|
+
const decipher = crypto.createDecipheriv(LEGACY_ALGORITHM, LEGACY_KEY, iv2);
|
|
46
45
|
const decryptedBuf = Buffer.concat([decipher.update(restBuf), decipher.final()]);
|
|
47
46
|
return decryptedBuf.toString();
|
|
48
47
|
};
|
|
49
48
|
/**
|
|
50
|
-
*
|
|
51
|
-
*
|
|
52
|
-
*
|
|
49
|
+
* Generates a standard signed JWT (HS256).
|
|
50
|
+
* - `user` becomes `sub`
|
|
51
|
+
* - `service` becomes `aud`
|
|
52
|
+
* - `expire` becomes `exp`
|
|
53
|
+
* - `jti` is auto-generated via crypto.randomUUID()
|
|
54
|
+
* - other payload keys are written as private claims
|
|
55
|
+
* - `iss` is added only when webServer.auth.jwtToken.issuer is configured
|
|
53
56
|
*/
|
|
54
57
|
export const generateToken = (user, liveTimeSec, payload) => {
|
|
55
58
|
user = trim(user).toLowerCase();
|
|
56
59
|
if (!user) {
|
|
57
60
|
throw new Error('generateToken: Username is empty');
|
|
58
61
|
}
|
|
59
|
-
const
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
62
|
+
const inputPayload = isObject(payload) ? { ...payload } : {};
|
|
63
|
+
// Extract reserved fields and drop them from the private claims
|
|
64
|
+
const service = trim(inputPayload.service) || undefined;
|
|
65
|
+
delete inputPayload.user;
|
|
66
|
+
delete inputPayload.expire;
|
|
67
|
+
delete inputPayload.iat;
|
|
68
|
+
delete inputPayload.service;
|
|
69
|
+
delete inputPayload.sub;
|
|
70
|
+
delete inputPayload.aud;
|
|
71
|
+
delete inputPayload.exp;
|
|
72
|
+
delete inputPayload.iss;
|
|
73
|
+
delete inputPayload.jti;
|
|
74
|
+
const signOptions = {
|
|
75
|
+
algorithm: 'HS256',
|
|
76
|
+
subject: user,
|
|
77
|
+
expiresIn: liveTimeSec,
|
|
78
|
+
jwtid: crypto.randomUUID(),
|
|
79
|
+
};
|
|
80
|
+
if (service) {
|
|
81
|
+
signOptions.audience = service;
|
|
82
|
+
}
|
|
83
|
+
if (configuredIssuer) {
|
|
84
|
+
signOptions.issuer = configuredIssuer;
|
|
85
|
+
}
|
|
86
|
+
return jwt.sign(inputPayload, ENCRYPT_KEY, signOptions);
|
|
66
87
|
};
|
|
67
88
|
/**
|
|
68
|
-
*
|
|
69
|
-
*
|
|
70
|
-
*
|
|
71
|
-
*
|
|
89
|
+
* Verifies a token.
|
|
90
|
+
* Routes by format:
|
|
91
|
+
* - `header.payload.signature` → standard JWT verification
|
|
92
|
+
* - `<expire_ms>.<hex>` → legacy AES-256-CTR fallback
|
|
93
|
+
* Returns a normalized `ITokenPayload`.
|
|
72
94
|
*/
|
|
73
95
|
export const checkJwtToken = (arg) => {
|
|
74
|
-
|
|
75
|
-
token = (token || '').trim();
|
|
96
|
+
const token = trim(arg.token);
|
|
76
97
|
if (!token) {
|
|
77
98
|
return { errorReason: 'Token not passed' };
|
|
78
99
|
}
|
|
79
|
-
|
|
100
|
+
if (standardJwtRE.test(token)) {
|
|
101
|
+
return checkStandardJwt(token, arg);
|
|
102
|
+
}
|
|
103
|
+
if (legacyJwtRE.test(token)) {
|
|
104
|
+
return checkLegacyJwt(token, arg);
|
|
105
|
+
}
|
|
106
|
+
return { errorReason: 'The token is not a JWT' };
|
|
107
|
+
};
|
|
108
|
+
function checkStandardJwt(token, arg) {
|
|
109
|
+
// Exact-match revoke against the full token string (works for legacy revoke records too)
|
|
110
|
+
if (isJwtTokenRevoked(token)) {
|
|
111
|
+
return { errorReason: 'JWT Token has been revoked' };
|
|
112
|
+
}
|
|
113
|
+
let decoded;
|
|
114
|
+
try {
|
|
115
|
+
const verifyOptions = { algorithms: ['HS256'] };
|
|
116
|
+
if (configuredIssuer) {
|
|
117
|
+
verifyOptions.issuer = configuredIssuer;
|
|
118
|
+
}
|
|
119
|
+
const result = jwt.verify(token, ENCRYPT_KEY, verifyOptions);
|
|
120
|
+
if (typeof result === 'string') {
|
|
121
|
+
return { errorReason: 'The token is not a JWT' };
|
|
122
|
+
}
|
|
123
|
+
decoded = result;
|
|
124
|
+
}
|
|
125
|
+
catch (err) {
|
|
126
|
+
if (err?.name === 'TokenExpiredError') {
|
|
127
|
+
const expiredAt = err.expiredAt instanceof Date ? err.expiredAt.getTime() : 0;
|
|
128
|
+
const expiredOn = expiredAt ? Date.now() - expiredAt : 0;
|
|
129
|
+
return {
|
|
130
|
+
isTokenDecrypted: true,
|
|
131
|
+
errorReason: expiredOn > 0 ? `JWT Token expired :: on ${expiredOn} mc` : 'JWT Token expired',
|
|
132
|
+
};
|
|
133
|
+
}
|
|
134
|
+
if (err?.name === 'JsonWebTokenError') {
|
|
135
|
+
if (typeof err.message === 'string' && err.message.toLowerCase().includes('signature')) {
|
|
136
|
+
return { errorReason: 'Invalid signature' };
|
|
137
|
+
}
|
|
138
|
+
if (typeof err.message === 'string' && err.message.toLowerCase().includes('issuer')) {
|
|
139
|
+
return { errorReason: `JWT Token: ${err.message}` };
|
|
140
|
+
}
|
|
141
|
+
return { errorReason: 'The token is not a JWT' };
|
|
142
|
+
}
|
|
143
|
+
logger.error(err);
|
|
144
|
+
return { errorReason: `Error verifying JWT token :: ${err?.message ?? 'unknown error'}` };
|
|
145
|
+
}
|
|
146
|
+
// Normalize to ITokenPayload shape
|
|
147
|
+
const sub = typeof decoded.sub === 'string' ? decoded.sub : '';
|
|
148
|
+
if (!sub) {
|
|
149
|
+
return { errorReason: 'JWT Token: missing subject' };
|
|
150
|
+
}
|
|
151
|
+
const expSec = typeof decoded.exp === 'number' ? decoded.exp : 0;
|
|
152
|
+
if (!expSec) {
|
|
153
|
+
return { isTokenDecrypted: true, errorReason: 'JWT Token: missing expiration' };
|
|
154
|
+
}
|
|
155
|
+
const iatSec = typeof decoded.iat === 'number' ? decoded.iat : 0;
|
|
156
|
+
const audValues = Array.isArray(decoded.aud)
|
|
157
|
+
? decoded.aud.filter((value) => typeof value === 'string' && !!trim(value))
|
|
158
|
+
: typeof decoded.aud === 'string' && trim(decoded.aud)
|
|
159
|
+
? [decoded.aud]
|
|
160
|
+
: [];
|
|
161
|
+
const expectedService = arg.expectedService ?? appConfig.name;
|
|
162
|
+
const normalizedService = expectedService && audValues.includes(expectedService) ? expectedService : audValues[0];
|
|
163
|
+
const payload = { user: sub, expire: expSec * 1000 };
|
|
164
|
+
if (iatSec) {
|
|
165
|
+
payload.iat = new Date(iatSec * 1000).toISOString();
|
|
166
|
+
}
|
|
167
|
+
if (normalizedService) {
|
|
168
|
+
payload.service = normalizedService;
|
|
169
|
+
}
|
|
170
|
+
if (typeof decoded.iss === 'string') {
|
|
171
|
+
payload.iss = decoded.iss;
|
|
172
|
+
}
|
|
173
|
+
if (typeof decoded.jti === 'string') {
|
|
174
|
+
payload.jti = decoded.jti;
|
|
175
|
+
}
|
|
176
|
+
// copy private claims (everything not in STANDARD_CLAIMS)
|
|
177
|
+
for (const [k, v] of Object.entries(decoded)) {
|
|
178
|
+
if (!STANDARD_CLAIMS.has(k)) {
|
|
179
|
+
payload[k] = v;
|
|
180
|
+
}
|
|
181
|
+
}
|
|
182
|
+
// Revoke by jti
|
|
183
|
+
if (payload.jti && isJtiRevoked(payload.jti)) {
|
|
184
|
+
return { isTokenDecrypted: true, errorReason: 'JWT Token has been revoked' };
|
|
185
|
+
}
|
|
186
|
+
if (isUserRevoked(payload.user)) {
|
|
187
|
+
return { isTokenDecrypted: true, errorReason: `JWT Token: user '${payload.user}' has been revoked` };
|
|
188
|
+
}
|
|
189
|
+
const expectedUser = trim(arg.expectedUser).toLowerCase();
|
|
190
|
+
if (expectedUser && payload.user !== expectedUser) {
|
|
191
|
+
return {
|
|
192
|
+
isTokenDecrypted: true,
|
|
193
|
+
errorReason: `JWT Token: user not match :: Expected '${expectedUser}' / obtained from the token: '${payload.user}'`,
|
|
194
|
+
};
|
|
195
|
+
}
|
|
196
|
+
if (checkMCPName) {
|
|
197
|
+
const obtainedService = audValues.length > 1 ? audValues.join(', ') : payload.service;
|
|
198
|
+
if (expectedService && !audValues.includes(expectedService)) {
|
|
199
|
+
return {
|
|
200
|
+
isTokenDecrypted: true,
|
|
201
|
+
errorReason: `JWT Token: service not match :: Expected '${expectedService}' / obtained from the token: '${obtainedService}'`,
|
|
202
|
+
};
|
|
203
|
+
}
|
|
204
|
+
}
|
|
205
|
+
if (isCheckIP && payload.ip && arg.clientIp) {
|
|
206
|
+
const allowedIps = parseIpList(payload.ip);
|
|
207
|
+
if (allowedIps.length > 0 && !isIpAllowed(arg.clientIp, allowedIps)) {
|
|
208
|
+
return {
|
|
209
|
+
isTokenDecrypted: true,
|
|
210
|
+
errorReason: `JWT Token: client IP ${arg.clientIp} is not in the allowed list`,
|
|
211
|
+
};
|
|
212
|
+
}
|
|
213
|
+
}
|
|
214
|
+
return { payload };
|
|
215
|
+
}
|
|
216
|
+
function checkLegacyJwt(token, arg) {
|
|
217
|
+
const [, expirePartStr, encryptedPayload] = legacyJwtRE.exec(token) || [];
|
|
80
218
|
if (!expirePartStr || !encryptedPayload) {
|
|
81
219
|
return { errorReason: 'The token is not a JWT' };
|
|
82
220
|
}
|
|
@@ -108,7 +246,7 @@ export const checkJwtToken = (arg) => {
|
|
|
108
246
|
errorReason: `JWT Token: user '${payload.user}' has been revoked`,
|
|
109
247
|
};
|
|
110
248
|
}
|
|
111
|
-
expectedUser = trim(expectedUser).toLowerCase();
|
|
249
|
+
const expectedUser = trim(arg.expectedUser).toLowerCase();
|
|
112
250
|
if (expectedUser && payload.user !== expectedUser) {
|
|
113
251
|
return {
|
|
114
252
|
isTokenDecrypted: true,
|
|
@@ -116,6 +254,7 @@ export const checkJwtToken = (arg) => {
|
|
|
116
254
|
};
|
|
117
255
|
}
|
|
118
256
|
if (checkMCPName) {
|
|
257
|
+
const expectedService = arg.expectedService ?? appConfig.name;
|
|
119
258
|
if (expectedService && payload.service !== expectedService) {
|
|
120
259
|
return {
|
|
121
260
|
isTokenDecrypted: true,
|
|
@@ -123,28 +262,23 @@ export const checkJwtToken = (arg) => {
|
|
|
123
262
|
};
|
|
124
263
|
}
|
|
125
264
|
}
|
|
126
|
-
|
|
265
|
+
const expire = Number(expirePartStr) || 0;
|
|
127
266
|
const expiredOn = Date.now() - expire;
|
|
128
267
|
if (expiredOn > 0) {
|
|
129
|
-
// Token deprecated
|
|
130
268
|
return {
|
|
131
269
|
isTokenDecrypted: true,
|
|
132
270
|
errorReason: `JWT Token expired :: on ${expiredOn} mc`,
|
|
133
271
|
};
|
|
134
272
|
}
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
if (clientIp) {
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
errorReason: `JWT Token: client IP ${clientIp} is not in the allowed list`,
|
|
143
|
-
};
|
|
144
|
-
}
|
|
273
|
+
if (isCheckIP && payload.ip && arg.clientIp) {
|
|
274
|
+
const allowedIps = parseIpList(payload.ip);
|
|
275
|
+
if (allowedIps.length > 0 && !isIpAllowed(arg.clientIp, allowedIps)) {
|
|
276
|
+
return {
|
|
277
|
+
isTokenDecrypted: true,
|
|
278
|
+
errorReason: `JWT Token: client IP ${arg.clientIp} is not in the allowed list`,
|
|
279
|
+
};
|
|
145
280
|
}
|
|
146
281
|
}
|
|
147
|
-
// OK!
|
|
148
282
|
return { payload };
|
|
149
|
-
}
|
|
283
|
+
}
|
|
150
284
|
//# sourceMappingURL=jwt.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGnE,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEpE,MAAM,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AACrD,MAAM,YAAY,GAAG,QAAQ,EAAE,YAAY,IAAI,KAAK,CAAC;AACrD,MAAM,SAAS,GAAG,QAAQ,EAAE,SAAS,IAAI,KAAK,CAAC;AAE/C,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,GAAG,GAAG,MAAM;KACf,UAAU,CAAC,QAAQ,CAAC;KACpB,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,IAAI,sCAAsC,CAAC,CAAC;KAC9E,MAAM,CAAC,QAAQ,CAAC;KAChB,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAEpB,MAAM,CAAC,MAAM,UAAU,GAAG,gCAAgC,CAAC;AAE3D;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAU,EAAE;IAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,kCAAkC;IAClC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,uDAAuD;IACvD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACzD,oCAAoC;IACpC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,YAAoB,EAAE,EAAE;IAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACtD,iCAAiC;IACjC,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,eAAe;IACf,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC1C,kBAAkB;IAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC9D,sBAAsB;IACtB,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,OAAO,YAAY,CAAC,QAAQ,EAAE,CAAC;AACjC,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAE,WAAmB,EAAE,OAAa,EAAU,EAAE;IACxF,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,IAAI,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3C,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IACpB,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;IACxB,OAAO,CAAC,GAAG,GAAG,QAAQ,CAAC;IACvB,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;AACzD,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAK7B,EAAqB,EAAE;IACtB,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,eAAe,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;IAC9E,KAAK,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,EAAE,aAAa,EAAE,gBAAgB,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAEzE,IAAI,CAAC,aAAa,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,UAAU,GAAW,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,WAAW,EAAE,gEAAgE,EAAE,CAAC;QAC3F,CAAC;IACH,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,OAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,+CAA+C,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACvF,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB;SAClE,CAAC;IACJ,CAAC;IAED,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,YAAY,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,OAAO,CAAC,IAAI,GAAG;SACrH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,eAAe,IAAI,OAAO,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;YAC3D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,eAAe,iCAAiC,OAAO,CAAC,OAAO,GAAG;aAC9H,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAExC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IACtC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,mBAAmB;QACnB,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2BAA2B,SAAS,KAAK;SACvD,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,IAAI,SAAS,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC;QAC5B,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;gBAChE,OAAO;oBACL,gBAAgB,EAAE,IAAI;oBACtB,WAAW,EAAE,wBAAwB,QAAQ,6BAA6B;iBAC3E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM;IACN,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/core/auth/jwt.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAA+C,MAAM,cAAc,CAAC;AAE3E,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAGjF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEpE,MAAM,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AACrD,MAAM,YAAY,GAAG,QAAQ,EAAE,YAAY,IAAI,KAAK,CAAC;AACrD,MAAM,SAAS,GAAG,QAAQ,EAAE,SAAS,IAAI,KAAK,CAAC;AAC/C,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AAEhD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,EAAE,UAAU,IAAI,sCAAsC,CAAC,CAAC;AAE3F,6FAA6F;AAC7F,MAAM,gBAAgB,GAAG,aAAa,CAAC;AACvC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAErG,MAAM,CAAC,MAAM,WAAW,GAAG,gCAAgC,CAAC;AAC5D,MAAM,CAAC,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAChF,wGAAwG;AACxG,MAAM,CAAC,MAAM,UAAU,GAAG,+EAA+E,CAAC;AAE1G,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEzG;;;GAGG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,IAAY,EAAU,EAAE;IAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,gBAAgB,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;IACvE,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,OAAO,GAAG,CAAC,YAAoB,EAAE,EAAE;IAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACtD,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,OAAO,YAAY,CAAC,QAAQ,EAAE,CAAC;AACjC,CAAC,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAE,WAAmB,EAAE,OAAa,EAAU,EAAE;IACxF,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAE7D,gEAAgE;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxD,OAAO,YAAY,CAAC,IAAI,CAAC;IACzB,OAAO,YAAY,CAAC,MAAM,CAAC;IAC3B,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,OAAO,CAAC;IAC5B,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IACxB,OAAO,YAAY,CAAC,GAAG,CAAC;IAExB,MAAM,WAAW,GAAgB;QAC/B,SAAS,EAAE,OAAO;QAClB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,WAAW;QACtB,KAAK,EAAE,MAAM,CAAC,UAAU,EAAE;KAC3B,CAAC;IACF,IAAI,OAAO,EAAE,CAAC;QACZ,WAAW,CAAC,QAAQ,GAAG,OAAO,CAAC;IACjC,CAAC;IACD,IAAI,gBAAgB,EAAE,CAAC;QACrB,WAAW,CAAC,MAAM,GAAG,gBAAgB,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AAC1D,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAK7B,EAAqB,EAAE;IACtB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,gBAAgB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,cAAc,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;AACnD,CAAC,CAAC;AAEF,SAAS,gBAAgB,CACvB,KAAa,EACb,GAA2E;IAE3E,yFAAyF;IACzF,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,aAAa,GAAkB,EAAE,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/D,IAAI,gBAAgB,EAAE,CAAC;YACrB,aAAa,CAAC,MAAM,GAAG,gBAAgB,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;QAC7D,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;QACnD,CAAC;QACD,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,IAAI,GAAG,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,YAAY,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9E,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YACzD,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,2BAA2B,SAAS,KAAK,CAAC,CAAC,CAAC,mBAAmB;aAC7F,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACtC,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvF,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,CAAC;YAC9C,CAAC;YACD,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpF,OAAO,EAAE,WAAW,EAAE,cAAc,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;YACtD,CAAC;YACD,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;QACnD,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,gCAAgC,GAAG,EAAE,OAAO,IAAI,eAAe,EAAE,EAAE,CAAC;IAC5F,CAAC;IAED,mCAAmC;IACnC,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,+BAA+B,EAAE,CAAC;IAClF,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;QAC1C,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5F,CAAC,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;YACpD,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;YACf,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI,CAAC;IAC9D,MAAM,iBAAiB,GAAG,eAAe,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAElH,MAAM,OAAO,GAAkB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,EAAE,CAAC;IACpE,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,CAAC,OAAO,GAAG,iBAAiB,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5B,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5B,CAAC;IACD,0DAA0D;IAC1D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,IAAI,OAAO,CAAC,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB,EAAE,CAAC;IACvG,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,YAAY,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,OAAO,CAAC,IAAI,GAAG;SACrH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;QACtF,IAAI,eAAe,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YAC5D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,eAAe,iCAAiC,eAAe,GAAG;aAC9H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,SAAS,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,wBAAwB,GAAG,CAAC,QAAQ,6BAA6B;aAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC;AAED,SAAS,cAAc,CACrB,KAAa,EACb,GAA2E;IAE3E,MAAM,CAAC,EAAE,aAAa,EAAE,gBAAgB,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC1E,IAAI,CAAC,aAAa,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,UAAU,GAAW,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,WAAW,EAAE,gEAAgE,EAAE,CAAC;QAC3F,CAAC;IACH,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,iCAAiC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,OAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAgB,EAAE,CAAC;QAC1B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,EAAE,WAAW,EAAE,+CAA+C,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;IACvF,CAAC;IAED,IAAI,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,oBAAoB,OAAO,CAAC,IAAI,oBAAoB;SAClE,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,YAAY,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAClD,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2CAA2C,YAAY,iCAAiC,OAAO,CAAC,IAAI,GAAG;SACrH,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI,CAAC;QAC9D,IAAI,eAAe,IAAI,OAAO,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;YAC3D,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,8CAA8C,eAAe,iCAAiC,OAAO,CAAC,OAAO,GAAG;aAC9H,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IACtC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,OAAO;YACL,gBAAgB,EAAE,IAAI;YACtB,WAAW,EAAE,2BAA2B,SAAS,KAAK;SACvD,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO;gBACL,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,wBAAwB,GAAG,CAAC,QAAQ,6BAA6B;aAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC"}
|
|
@@ -1,8 +1,10 @@
|
|
|
1
1
|
import { Request } from 'express';
|
|
2
|
-
import { AuthDetectionResult, AuthResult
|
|
2
|
+
import { AuthDetectionResult, AuthResult } from './types.js';
|
|
3
|
+
export type AuthScheme = 'basic' | 'bearer';
|
|
3
4
|
export declare const getTokenFromHttpHeader: (req: Request) => {
|
|
4
|
-
scheme?:
|
|
5
|
+
scheme?: AuthScheme;
|
|
5
6
|
credentials?: string;
|
|
7
|
+
looksLikeJwt?: boolean;
|
|
6
8
|
};
|
|
7
9
|
/**
|
|
8
10
|
* Detects configured authentication types in priority order (ascending CPU load)
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"multi-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAUlC,OAAO,EAAE,mBAAmB,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"multi-auth.d.ts","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAUlC,OAAO,EAAE,mBAAmB,EAAE,UAAU,EAAY,MAAM,YAAY,CAAC;AAqBvE,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAG5C,eAAO,MAAM,sBAAsB,GACjC,KAAK,OAAO,KACX;IAAE,MAAM,CAAC,EAAE,UAAU,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,OAAO,CAAA;CAcrE,CAAC;AAyBF;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,mBAAmB,CAgD7D;AAsBD;;GAEG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,CAgGtE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAa3C;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAuC/C"}
|
|
@@ -34,10 +34,7 @@ export const getTokenFromHttpHeader = (req) => {
|
|
|
34
34
|
if (scheme.toLowerCase() === 'basic') {
|
|
35
35
|
return { scheme: 'basic', credentials };
|
|
36
36
|
}
|
|
37
|
-
|
|
38
|
-
return { scheme: 'jwtToken', credentials };
|
|
39
|
-
}
|
|
40
|
-
return { scheme: 'permanentServerTokens', credentials };
|
|
37
|
+
return { scheme: 'bearer', credentials, looksLikeJwt: jwtTokenRE.test(credentials) };
|
|
41
38
|
};
|
|
42
39
|
/**
|
|
43
40
|
* Gets custom auth validator from global context.
|
|
@@ -150,54 +147,69 @@ export async function checkMultiAuth(req) {
|
|
|
150
147
|
// fall through to standard auth
|
|
151
148
|
}
|
|
152
149
|
}
|
|
153
|
-
const { scheme
|
|
150
|
+
const { scheme, credentials } = getTokenFromHttpHeader(req);
|
|
154
151
|
if (!credentials) {
|
|
155
152
|
return { success: false, error: `${E_PFX}credentials not provided` };
|
|
156
153
|
}
|
|
157
|
-
if (!
|
|
158
|
-
return { success: false, error: `${E_PFX}Cannot detect auth
|
|
154
|
+
if (!scheme) {
|
|
155
|
+
return { success: false, error: `${E_PFX}Cannot detect auth scheme from Authorization header` };
|
|
159
156
|
}
|
|
160
157
|
logger.debug(`Checking auth types: ${configuredTypes}`);
|
|
161
|
-
if (!configuredSet.has(authType)) {
|
|
162
|
-
return { success: false, error: `${E_PFX}Detected in Authorisation header auth type ${authType} not configured` };
|
|
163
|
-
}
|
|
164
158
|
let errorResult = undefined;
|
|
165
159
|
try {
|
|
166
|
-
|
|
167
|
-
|
|
160
|
+
if (scheme === 'basic') {
|
|
161
|
+
if (!configuredSet.has('basic')) {
|
|
162
|
+
return {
|
|
163
|
+
success: false,
|
|
164
|
+
error: `${E_PFX}Detected Basic auth in Authorization header, but 'basic' is not configured`,
|
|
165
|
+
};
|
|
166
|
+
}
|
|
167
|
+
const result = checkBasicAuth(credentials);
|
|
168
|
+
if (result.success) {
|
|
169
|
+
return { ...result, authType: 'basic', payload: { user: result.username } };
|
|
170
|
+
}
|
|
171
|
+
errorResult = { ...result, authType: 'basic' };
|
|
172
|
+
}
|
|
173
|
+
else {
|
|
174
|
+
// Bearer / non-Basic: try permanent tokens first (O(1)), then JWT.
|
|
175
|
+
// Permanent tokens can contain dots, so we never classify purely by shape.
|
|
176
|
+
let permError;
|
|
177
|
+
let jwtErrorResult;
|
|
178
|
+
if (configuredSet.has('permanentServerTokens')) {
|
|
168
179
|
const { errorReason } = checkPermanentToken(credentials);
|
|
169
180
|
if (!errorReason) {
|
|
170
|
-
return { success: true, authType };
|
|
181
|
+
return { success: true, authType: 'permanentServerTokens' };
|
|
171
182
|
}
|
|
172
|
-
|
|
173
|
-
break;
|
|
183
|
+
permError = errorReason;
|
|
174
184
|
}
|
|
175
|
-
|
|
176
|
-
const result = checkBasicAuth(credentials);
|
|
177
|
-
if (result.success) {
|
|
178
|
-
// For basic auth, create payload with user property
|
|
179
|
-
return { ...result, authType, payload: { user: result.username } };
|
|
180
|
-
}
|
|
181
|
-
errorResult = { ...result, authType };
|
|
182
|
-
break;
|
|
183
|
-
}
|
|
184
|
-
case 'jwtToken': {
|
|
185
|
+
if (configuredSet.has('jwtToken')) {
|
|
185
186
|
const xff = req.headers['x-forwarded-for'];
|
|
186
187
|
const xffStr = (Array.isArray(xff) ? (xff[0] ?? '') : (xff ?? '')).split(',').shift() ?? '';
|
|
187
188
|
const clientIp = req.ip ?? (xffStr.trim() || (req.socket?.remoteAddress ?? ''));
|
|
188
189
|
const { errorReason, payload, isTokenDecrypted } = checkJwtToken({ token: credentials, clientIp });
|
|
189
190
|
if (!errorReason) {
|
|
190
|
-
return { success: true, authType, payload };
|
|
191
|
+
return { success: true, authType: 'jwtToken', payload };
|
|
191
192
|
}
|
|
192
|
-
|
|
193
|
-
|
|
193
|
+
jwtErrorResult = { success: false, error: `${E_PFX}${errorReason}`, authType: 'jwtToken', isTokenDecrypted };
|
|
194
|
+
}
|
|
195
|
+
// Prefer the JWT-specific error (it's more informative for malformed/expired JWTs).
|
|
196
|
+
// Fall back to the permanent token error if JWT wasn't configured/attempted.
|
|
197
|
+
if (jwtErrorResult) {
|
|
198
|
+
errorResult = jwtErrorResult;
|
|
199
|
+
}
|
|
200
|
+
else if (permError) {
|
|
201
|
+
errorResult = { success: false, authType: 'permanentServerTokens', error: `${E_PFX}${permError}` };
|
|
202
|
+
}
|
|
203
|
+
else {
|
|
204
|
+
errorResult = {
|
|
205
|
+
success: false,
|
|
206
|
+
error: `${E_PFX}No bearer auth method is configured (need permanentServerTokens or jwtToken)`,
|
|
207
|
+
};
|
|
194
208
|
}
|
|
195
|
-
default:
|
|
196
|
-
errorResult = { success: false, error: `${E_PFX}Unknown auth type: ${authType}` };
|
|
197
209
|
}
|
|
198
210
|
}
|
|
199
211
|
catch (error) {
|
|
200
|
-
logger.warn(`Auth
|
|
212
|
+
logger.warn(`Auth scheme ${scheme} failed with exception:`, error instanceof Error ? E_PFX + error.message : 'Unknown error');
|
|
201
213
|
}
|
|
202
214
|
return (errorResult || {
|
|
203
215
|
success: false,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"multi-auth.js","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAE1C;;GAEG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAC5F,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEvE,MAAM,EACJ,OAAO,EAAE,WAAW,EACpB,qBAAqB,EAAE,EAAE,EACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,EAAE,EACxD,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,GAC9B,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AAEpC;;GAEG;AACH,MAAM,SAAS,GAAG;IAChB,qBAAqB,EAAE,CAAC,EAAE,iBAAiB;IAC3C,KAAK,EAAE,CAAC,EAAE,kBAAkB;IAC5B,QAAQ,EAAE,CAAC,EAAE,oCAAoC;IACjD,MAAM,EAAE,CAAC;CACV,CAAC;
|
|
1
|
+
{"version":3,"file":"multi-auth.js","sourceRoot":"","sources":["../../../src/core/auth/multi-auth.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAE1C;;GAEG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAI1B,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,MAAM,IAAI,GAAG,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAE3D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAC5F,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;AAEvE,MAAM,EACJ,OAAO,EAAE,WAAW,EACpB,qBAAqB,EAAE,EAAE,EACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,EAAE,EACxD,QAAQ,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,GAC9B,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC;AAEpC;;GAEG;AACH,MAAM,SAAS,GAAG;IAChB,qBAAqB,EAAE,CAAC,EAAE,iBAAiB;IAC3C,KAAK,EAAE,CAAC,EAAE,kBAAkB;IAC5B,QAAQ,EAAE,CAAC,EAAE,oCAAoC;IACjD,MAAM,EAAE,CAAC;CACV,CAAC;AAIF,MAAM,QAAQ,GAAG,iBAAiB,CAAC;AACnC,MAAM,CAAC,MAAM,sBAAsB,GAAG,CACpC,GAAY,EAC2D,EAAE;IACzE,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1C,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,MAAM,GAAW,EAAE,CAAC;IACxB,IAAI,WAAW,GAAW,CAAC,CAAC;IAC5B,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,CAAC,MAAM,GAAG,EAAE,EAAE,WAAW,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;QACrC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;AACvF,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,IAAI,gBAAwD,CAAC;AAE7D,SAAS,sBAAsB;IAC7B,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,gBAAgB,IAAI,SAAS,CAAC;IACvC,CAAC;IACD,MAAM,WAAW,GAAG,MAAM,CAAC,oBAAoB,CAAC;IAChD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,4DAA4D;QAC5D,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,EAAE,GAAG,WAAW,CAAC,mBAAmB,CAAC;IAC3C,gBAAgB,GAAG,OAAO,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACxD,OAAO,gBAAgB,IAAI,SAAS,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,UAAU,GAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAA6B,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAwB,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,GAAG,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IAE1G,IAAI,WAAW,EAAE,CAAC;QAChB,8BAA8B;QAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5C,UAAU,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,kBAAkB;QAClB,IAAI,UAAU,EAAE,MAAM,EAAE,CAAC;YACvB,IAAI,UAAU,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;gBAC/C,MAAM,CAAC,QAAQ,GAAG;oBAChB,oCAAoC,UAAU,CAAC,MAAM,4BAA4B,sBAAsB,aAAa;iBACrH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,SAAS,IAAI,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,EAAE,CAAC;YAChB,0DAA0D;YAC1D,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC7B,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3E,MAAM,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,IAAI,iBAAkD,CAAC;AAEvD,SAAS,oBAAoB;IAC3B,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IACD,MAAM,MAAM,GAAG,uBAAuB,EAAE,CAAC;IACzC,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;QAChC,iBAAiB,GAAG,MAAM,CAAC;IAC7B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,KAAK,GAAG,YAAY,CAAC;AAE3B;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY;IAC/C,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAC9E,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,sCAAsC,EAAE,CAAC;IACnF,CAAC;IAED,yFAAyF;IACzF,MAAM,eAAe,GAAG,sBAAsB,EAAE,CAAC;IACjD,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,4BAA4B,GAAG,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,gBAAgB,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9F,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,4BAA4B,CAAC,CAAC;YACzE,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;gBACzB,OAAO,YAAY,CAAC;YACtB,CAAC;YACD,iDAAiD;QACnD,CAAC;QAAC,OAAO,KAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YACrD,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,0BAA0B,EAAE,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,qDAAqD,EAAE,CAAC;IAClG,CAAC;IACD,MAAM,CAAC,KAAK,CAAC,wBAAwB,eAAe,EAAE,CAAC,CAAC;IAExD,IAAI,WAAW,GAA2B,SAAS,CAAC;IACpD,IAAI,CAAC;QACH,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,GAAG,KAAK,4EAA4E;iBAC5F,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;YAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,QAAS,EAAE,EAAE,CAAC;YAC/E,CAAC;YACD,WAAW,GAAG,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,mEAAmE;YACnE,2EAA2E;YAC3E,IAAI,SAA6B,CAAC;YAClC,IAAI,cAAsC,CAAC;YAE3C,IAAI,aAAa,CAAC,GAAG,CAAC,uBAAuB,CAAC,EAAE,CAAC;gBAC/C,MAAM,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;gBACzD,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,uBAAuB,EAAE,CAAC;gBAC9D,CAAC;gBACD,SAAS,GAAG,WAAW,CAAC;YAC1B,CAAC;YAED,IAAI,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;gBAC3C,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;gBAC5F,MAAM,QAAQ,GAAG,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC;gBAChF,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;gBACnG,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;gBAC1D,CAAC;gBACD,cAAc,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,KAAK,GAAG,WAAW,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,CAAC;YAC/G,CAAC;YAED,oFAAoF;YACpF,6EAA6E;YAC7E,IAAI,cAAc,EAAE,CAAC;gBACnB,WAAW,GAAG,cAAc,CAAC;YAC/B,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,WAAW,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,uBAAuB,EAAE,KAAK,EAAE,GAAG,KAAK,GAAG,SAAS,EAAE,EAAE,CAAC;YACrG,CAAC;iBAAM,CAAC;gBACN,WAAW,GAAG;oBACZ,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,GAAG,KAAK,8EAA8E;iBAC9F,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAkB,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,eAAe,MAAM,yBAAyB,EAC9C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CACjE,CAAC;IACJ,CAAC;IAED,OAAO,CACL,WAAW,IAAI;QACb,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,GAAG,KAAK,qDAAqD,eAAe,EAAE;KACtF,CACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,oBAAoB,EAAE,CAAC;IAEtD,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC1C,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,IAAI,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE5D,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE;YACjD,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB;IACpC,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC;IAEvC,4CAA4C;IAC5C,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QACnB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,0DAA0D;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,qBAAqB,CAAC;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,6BAA6B;QAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;YAC/D,OAAO,EAAE,aAAa,EAAE,UAAU,UAAU,EAAE,EAAE,CAAC;QACnD,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IACvB,IAAI,KAAK,EAAE,QAAQ,IAAI,KAAK,EAAE,QAAQ,EAAE,CAAC;QACvC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1F,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,EAAE,aAAa,EAAE,SAAS,WAAW,EAAE,EAAE,CAAC;IACnD,CAAC;IAED,gEAAgE;IAChE,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,IAAI,SAAS,EAAE,UAAU,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;QAC9D,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;IAC9C,CAAC;IAED,sDAAsD;IACtD,OAAO,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACtF,OAAO,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAC/F,OAAO,EAAE,CAAC;AACZ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAmBA,eAAO,MAAM,iBAAiB,GAAI,OAAO,MAAM,KAAG,OAAgD,CAAC;AAEnG,eAAO,MAAM,YAAY,GAAI,KAAK,MAAM,KAAG,OAAuC,CAAC;AAEnF,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,OAAwD,CAAC"}
|
|
@@ -1,8 +1,15 @@
|
|
|
1
1
|
import { appConfig } from '../bootstrap/init-config.js';
|
|
2
2
|
import { trim } from '../utils/utils.js';
|
|
3
3
|
const revoked = appConfig.webServer?.auth?.revoked || {};
|
|
4
|
-
const
|
|
4
|
+
const entries = (Array.isArray(revoked.jwtTokens) ? revoked.jwtTokens : [])
|
|
5
|
+
.map((e) => trim(e?.token))
|
|
6
|
+
.filter(Boolean);
|
|
7
|
+
// Full-token entries (legacy `<expire>.<hex>` or full standard JWT `a.b.c`) — exact match
|
|
8
|
+
const revokedExactTokenSet = new Set(entries.filter((v) => v.includes('.')));
|
|
9
|
+
// Bare jti entries (no dots) — match by JWT id
|
|
10
|
+
const revokedJtiSet = new Set(entries.filter((v) => !v.includes('.')));
|
|
5
11
|
const revokedUsersSet = new Set((Array.isArray(revoked.users) ? revoked.users : []).map((u) => trim(u).toLowerCase()).filter(Boolean));
|
|
6
|
-
export const isJwtTokenRevoked = (token) =>
|
|
12
|
+
export const isJwtTokenRevoked = (token) => revokedExactTokenSet.has(trim(token));
|
|
13
|
+
export const isJtiRevoked = (jti) => revokedJtiSet.has(trim(jti));
|
|
7
14
|
export const isUserRevoked = (user) => revokedUsersSet.has(trim(user).toLowerCase());
|
|
8
15
|
//# sourceMappingURL=revocation.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,IAAK,EAAU,CAAC;AAElE,MAAM,
|
|
1
|
+
{"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../../src/core/auth/revocation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,IAAK,EAAU,CAAC;AAElE,MAAM,OAAO,GAAa,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;KAClF,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;KAC/B,MAAM,CAAC,OAAO,CAAC,CAAC;AAEnB,0FAA0F;AAC1F,MAAM,oBAAoB,GAAgB,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAE1F,+CAA+C;AAC/C,MAAM,aAAa,GAAgB,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAEpF,MAAM,eAAe,GAAgB,IAAI,GAAG,CAC1C,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAC3G,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,KAAa,EAAW,EAAE,CAAC,oBAAoB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAEnG,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,GAAW,EAAW,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAEnF,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAY,EAAW,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC"}
|
|
@@ -5,6 +5,11 @@ export type TTokenType = 'permanent' | 'JWT';
|
|
|
5
5
|
export interface ITokenPayload {
|
|
6
6
|
user: string;
|
|
7
7
|
expire: number;
|
|
8
|
+
iat?: string;
|
|
9
|
+
service?: string;
|
|
10
|
+
jti?: string;
|
|
11
|
+
iss?: string;
|
|
12
|
+
ip?: string;
|
|
8
13
|
[key: string]: any;
|
|
9
14
|
}
|
|
10
15
|
export interface ICheckTokenResult {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,UAAU,GAAG,WAAW,GAAG,KAAK,CAAC;AAE7C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,MAAM,MAAM,QAAQ,GAAG,uBAAuB,GAAG,UAAU,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEjF,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,QAAQ,EAAE,CAAC;IACvB,aAAa,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7B,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACvC,OAAO,CAAC,EAAE,GAAG,CAAC;CACf"}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "fa-mcp-sdk",
|
|
3
3
|
"productName": "FA MCP SDK",
|
|
4
|
-
"version": "0.4.
|
|
4
|
+
"version": "0.4.95",
|
|
5
5
|
"description": "Core infrastructure and templates for building Model Context Protocol (MCP) servers with TypeScript",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"main": "dist/core/index.js",
|
|
@@ -46,7 +46,9 @@
|
|
|
46
46
|
"template:stdio": "node dist/template/start.js stdio",
|
|
47
47
|
"token-gen": "node dist/core/auth/token-generator/server.js",
|
|
48
48
|
"tsoa:spec": "tsoa spec",
|
|
49
|
-
"check-llm": "node dist/core/agent-tester/check-llm.js"
|
|
49
|
+
"check-llm": "node dist/core/agent-tester/check-llm.js",
|
|
50
|
+
"test:ip-check": "npm run build && node tests/ip-check.test.mjs",
|
|
51
|
+
"test:jwt": "npm run build && node tests/jwt.test.mjs"
|
|
50
52
|
},
|
|
51
53
|
"keywords": [
|
|
52
54
|
"mcp",
|
|
@@ -86,6 +88,7 @@
|
|
|
86
88
|
"fa-consul": "^1.0.7",
|
|
87
89
|
"helmet": "^8.1.0",
|
|
88
90
|
"js-yaml": "^4.1.1",
|
|
91
|
+
"jsonwebtoken": "^9.0.3",
|
|
89
92
|
"node-cache": "^5.1.2",
|
|
90
93
|
"openai": "^6.33.0",
|
|
91
94
|
"pgvector": "^0.2.1",
|
|
@@ -101,6 +104,7 @@
|
|
|
101
104
|
"@types/cors": "^2.8.19",
|
|
102
105
|
"@types/express": "^5.0.6",
|
|
103
106
|
"@types/js-yaml": "^4.0.9",
|
|
107
|
+
"@types/jsonwebtoken": "^9.0.10",
|
|
104
108
|
"@types/mssql": "^9.1.11",
|
|
105
109
|
"@types/node": "^25.5.2",
|
|
106
110
|
"@types/swagger-ui-express": "^4.1.8",
|
package/scripts/generate-jwt.js
CHANGED
|
@@ -11,7 +11,8 @@
|
|
|
11
11
|
* -s, --service-name Service name (optional). ENV: JWT_PAYLOAD_SERVICE_NAME
|
|
12
12
|
* -p, --params Extra payload "key=value;key=value" (optional). ENV: JWT_PAYLOAD_PARAMS
|
|
13
13
|
*
|
|
14
|
-
* The
|
|
14
|
+
* The signing secret is read from config: webServer.auth.jwtToken.encryptKey
|
|
15
|
+
* Token format: standard signed JWT (HS256), 3 segments header.payload.signature.
|
|
15
16
|
*/
|
|
16
17
|
|
|
17
18
|
import crypto from 'crypto';
|
|
@@ -19,6 +20,7 @@ import { readFileSync } from 'fs';
|
|
|
19
20
|
import { fileURLToPath } from 'url';
|
|
20
21
|
import { dirname, resolve } from 'path';
|
|
21
22
|
import configModule from 'config';
|
|
23
|
+
import jwt from 'jsonwebtoken';
|
|
22
24
|
|
|
23
25
|
// ── CLI argument parsing ────────────────────────────────────────────
|
|
24
26
|
|
|
@@ -81,17 +83,11 @@ if (!encryptKey || String(encryptKey).trim() === '' || encryptKey === '***') {
|
|
|
81
83
|
process.exit(1);
|
|
82
84
|
}
|
|
83
85
|
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
function encrypt(text) {
|
|
90
|
-
const buffer = Buffer.from(text);
|
|
91
|
-
const iv = crypto.randomBytes(16);
|
|
92
|
-
const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv);
|
|
93
|
-
const encryptedBuf = Buffer.concat([iv, cipher.update(buffer), cipher.final()]);
|
|
94
|
-
return encryptedBuf.toString('hex');
|
|
86
|
+
let configuredIssuer = '';
|
|
87
|
+
try {
|
|
88
|
+
configuredIssuer = String(configModule.get('webServer.auth.jwtToken.issuer') || '').trim();
|
|
89
|
+
} catch {
|
|
90
|
+
// optional field, ignore
|
|
95
91
|
}
|
|
96
92
|
|
|
97
93
|
// ── Auto-detect service name if checkMCPName is enabled ─────────────
|
|
@@ -126,14 +122,9 @@ if (!effectiveService || !effectiveService.trim()) {
|
|
|
126
122
|
}
|
|
127
123
|
}
|
|
128
124
|
|
|
129
|
-
// ── Build payload
|
|
130
|
-
|
|
131
|
-
const payload = {};
|
|
132
|
-
payload.user = username.trim().toLowerCase();
|
|
125
|
+
// ── Build payload (private claims only) ─────────────────────────────
|
|
133
126
|
|
|
134
|
-
|
|
135
|
-
payload.service = effectiveService.trim();
|
|
136
|
-
}
|
|
127
|
+
const privateClaims = {};
|
|
137
128
|
|
|
138
129
|
// Parse extra params: "key1=value1;key2=value2"
|
|
139
130
|
if (paramsRaw && paramsRaw.trim()) {
|
|
@@ -150,32 +141,67 @@ if (paramsRaw && paramsRaw.trim()) {
|
|
|
150
141
|
console.error(`Error: empty key in param "${pair}"`);
|
|
151
142
|
process.exit(1);
|
|
152
143
|
}
|
|
153
|
-
|
|
144
|
+
// Skip reserved fields if user accidentally passes them
|
|
145
|
+
if (['user', 'expire', 'iat', 'service', 'sub', 'aud', 'exp', 'iss', 'jti'].includes(key)) {
|
|
146
|
+
continue;
|
|
147
|
+
}
|
|
148
|
+
privateClaims[key] = value;
|
|
154
149
|
}
|
|
155
150
|
}
|
|
156
151
|
|
|
157
|
-
const expire = Date.now() + liveTimeSec * 1000;
|
|
158
|
-
payload.expire = expire;
|
|
159
|
-
payload.iat = new Date().toISOString();
|
|
160
|
-
|
|
161
152
|
// ── Generate token ──────────────────────────────────────────────────
|
|
162
153
|
|
|
163
|
-
const
|
|
154
|
+
const normalizedUser = username.trim().toLowerCase();
|
|
155
|
+
const signOptions = {
|
|
156
|
+
algorithm: 'HS256',
|
|
157
|
+
subject: normalizedUser,
|
|
158
|
+
expiresIn: liveTimeSec,
|
|
159
|
+
jwtid: crypto.randomUUID(),
|
|
160
|
+
};
|
|
161
|
+
if (effectiveService && effectiveService.trim()) {
|
|
162
|
+
signOptions.audience = effectiveService.trim();
|
|
163
|
+
}
|
|
164
|
+
if (configuredIssuer) {
|
|
165
|
+
signOptions.issuer = configuredIssuer;
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
const token = jwt.sign(privateClaims, String(encryptKey), signOptions);
|
|
169
|
+
|
|
170
|
+
// ── Decode for display (normalized payload, mirrors checkJwtToken) ──
|
|
171
|
+
|
|
172
|
+
const decoded = jwt.decode(token, { json: true }) || {};
|
|
173
|
+
const expireMs = (decoded.exp || 0) * 1000;
|
|
174
|
+
const iatIso = decoded.iat ? new Date(decoded.iat * 1000).toISOString() : new Date().toISOString();
|
|
175
|
+
|
|
176
|
+
const displayPayload = { user: normalizedUser };
|
|
177
|
+
if (decoded.aud) {
|
|
178
|
+
displayPayload.service = Array.isArray(decoded.aud) ? decoded.aud[0] : decoded.aud;
|
|
179
|
+
}
|
|
180
|
+
displayPayload.expire = expireMs;
|
|
181
|
+
displayPayload.iat = iatIso;
|
|
182
|
+
if (decoded.jti) {
|
|
183
|
+
displayPayload.jti = decoded.jti;
|
|
184
|
+
}
|
|
185
|
+
if (decoded.iss) {
|
|
186
|
+
displayPayload.iss = decoded.iss;
|
|
187
|
+
}
|
|
188
|
+
for (const [k, v] of Object.entries(privateClaims)) {
|
|
189
|
+
displayPayload[k] = v;
|
|
190
|
+
}
|
|
164
191
|
|
|
165
192
|
console.log('');
|
|
166
193
|
console.log('JWT Token generated successfully');
|
|
167
194
|
console.log('─'.repeat(50));
|
|
168
|
-
console.log(` User: ${
|
|
169
|
-
if (
|
|
170
|
-
console.log(` Service: ${
|
|
195
|
+
console.log(` User: ${displayPayload.user}`);
|
|
196
|
+
if (displayPayload.service) {
|
|
197
|
+
console.log(` Service: ${displayPayload.service}`);
|
|
171
198
|
}
|
|
172
199
|
console.log(` TTL: ${ttlRaw} (${liveTimeSec} seconds)`);
|
|
173
|
-
console.log(` Expires: ${new Date(
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
.join('; ');
|
|
200
|
+
console.log(` Expires: ${new Date(expireMs).toISOString()}`);
|
|
201
|
+
console.log(` JTI: ${displayPayload.jti || ''}`);
|
|
202
|
+
const extraEntries = Object.entries(privateClaims);
|
|
203
|
+
if (extraEntries.length) {
|
|
204
|
+
const extra = extraEntries.map(([k, v]) => `${k}=${v}`).join('; ');
|
|
179
205
|
console.log(` Params: ${extra}`);
|
|
180
206
|
}
|
|
181
207
|
console.log('─'.repeat(50));
|
|
@@ -183,5 +209,5 @@ console.log('');
|
|
|
183
209
|
console.log(token);
|
|
184
210
|
console.log('');
|
|
185
211
|
console.log('__PAYLOAD_JSON__');
|
|
186
|
-
console.log(JSON.stringify({ ...
|
|
212
|
+
console.log(JSON.stringify({ ...displayPayload, ttl: ttlRaw, expire_iso: new Date(expireMs).toISOString() }));
|
|
187
213
|
console.log('__END_PAYLOAD_JSON__');
|