neonctl 2.22.2 → 2.23.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +84 -0
- package/analytics.js +5 -2
- package/commands/branches.js +9 -1
- package/commands/connection_string.js +9 -1
- package/commands/functions.js +268 -0
- package/commands/index.js +4 -0
- package/commands/neon_auth.js +1013 -0
- package/commands/projects.js +9 -1
- package/commands/psql.js +6 -1
- package/functions_api.js +43 -0
- package/package.json +15 -5
- package/psql/cli.js +51 -0
- package/psql/command/cmd_cond.js +437 -0
- package/psql/command/cmd_connect.js +815 -0
- package/psql/command/cmd_copy.js +1025 -0
- package/psql/command/cmd_describe.js +1810 -0
- package/psql/command/cmd_format.js +909 -0
- package/psql/command/cmd_io.js +2187 -0
- package/psql/command/cmd_lo.js +385 -0
- package/psql/command/cmd_meta.js +970 -0
- package/psql/command/cmd_misc.js +187 -0
- package/psql/command/cmd_pipeline.js +1141 -0
- package/psql/command/cmd_restrict.js +171 -0
- package/psql/command/cmd_show.js +751 -0
- package/psql/command/dispatch.js +343 -0
- package/psql/command/inputQueue.js +42 -0
- package/psql/command/shared.js +71 -0
- package/psql/complete/filenames.js +139 -0
- package/psql/complete/index.js +104 -0
- package/psql/complete/matcher.js +314 -0
- package/psql/complete/psqlVars.js +247 -0
- package/psql/complete/queries.js +491 -0
- package/psql/complete/rules.js +2387 -0
- package/psql/core/common.js +1250 -0
- package/psql/core/help.js +576 -0
- package/psql/core/mainloop.js +1353 -0
- package/psql/core/prompt.js +437 -0
- package/psql/core/settings.js +684 -0
- package/psql/core/sqlHelp.js +1066 -0
- package/psql/core/startup.js +840 -0
- package/psql/core/syncVars.js +116 -0
- package/psql/core/variables.js +287 -0
- package/psql/describe/formatters.js +1277 -0
- package/psql/describe/processNamePattern.js +270 -0
- package/psql/describe/queries.js +2373 -0
- package/psql/describe/versionGate.js +43 -0
- package/psql/index.js +2005 -0
- package/psql/io/history.js +299 -0
- package/psql/io/input.js +120 -0
- package/psql/io/lineEditor/buffer.js +323 -0
- package/psql/io/lineEditor/complete.js +227 -0
- package/psql/io/lineEditor/filename.js +159 -0
- package/psql/io/lineEditor/index.js +891 -0
- package/psql/io/lineEditor/keymap.js +738 -0
- package/psql/io/lineEditor/vt100.js +363 -0
- package/psql/io/pgpass.js +202 -0
- package/psql/io/pgservice.js +194 -0
- package/psql/io/psqlrc.js +422 -0
- package/psql/print/aligned.js +1756 -0
- package/psql/print/asciidoc.js +248 -0
- package/psql/print/crosstab.js +460 -0
- package/psql/print/csv.js +92 -0
- package/psql/print/html.js +258 -0
- package/psql/print/json.js +96 -0
- package/psql/print/latex.js +396 -0
- package/psql/print/pager.js +265 -0
- package/psql/print/troff.js +258 -0
- package/psql/print/unaligned.js +118 -0
- package/psql/print/units.js +135 -0
- package/psql/scanner/slash.js +513 -0
- package/psql/scanner/sql.js +910 -0
- package/psql/scanner/stringutils.js +390 -0
- package/psql/types/backslash.js +1 -0
- package/psql/types/connection.js +1 -0
- package/psql/types/index.js +7 -0
- package/psql/types/printer.js +1 -0
- package/psql/types/repl.js +1 -0
- package/psql/types/scanner.js +24 -0
- package/psql/types/settings.js +1 -0
- package/psql/types/variables.js +1 -0
- package/psql/wire/connection.js +2844 -0
- package/psql/wire/copy.js +108 -0
- package/psql/wire/notify.js +59 -0
- package/psql/wire/pipeline.js +519 -0
- package/psql/wire/protocol.js +466 -0
- package/psql/wire/sasl.js +296 -0
- package/psql/wire/tls.js +596 -0
- package/test_utils/fixtures.js +1 -0
- package/utils/esbuild.js +147 -0
- package/utils/psql.js +107 -11
- package/utils/zip.js +4 -0
- package/writer.js +1 -1
- package/commands/auth.test.js +0 -211
- package/commands/branches.test.js +0 -460
- package/commands/checkout.test.js +0 -170
- package/commands/connection_string.test.js +0 -196
- package/commands/data_api.test.js +0 -169
- package/commands/databases.test.js +0 -39
- package/commands/help.test.js +0 -9
- package/commands/init.test.js +0 -56
- package/commands/ip_allow.test.js +0 -59
- package/commands/link.test.js +0 -381
- package/commands/operations.test.js +0 -7
- package/commands/orgs.test.js +0 -7
- package/commands/projects.test.js +0 -144
- package/commands/psql.test.js +0 -49
- package/commands/roles.test.js +0 -37
- package/commands/set_context.test.js +0 -159
- package/commands/vpc_endpoints.test.js +0 -69
- package/context.test.js +0 -119
- package/env.test.js +0 -55
- package/utils/formats.test.js +0 -32
- package/writer.test.js +0 -104
|
@@ -0,0 +1,296 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SASL / SCRAM-SHA-256[-PLUS] client for the psql wire layer (WP-03).
|
|
3
|
+
*
|
|
4
|
+
* Ported from node-postgres' `packages/pg/lib/crypto/sasl.js` (MIT,
|
|
5
|
+
* Copyright (c) 2010-2020 Brian Carlson). Adaptations from upstream:
|
|
6
|
+
*
|
|
7
|
+
* - Pure Node `node:crypto` (sync PBKDF2 / HMAC) instead of SubtleCrypto;
|
|
8
|
+
* this module is sync because the wire layer drives it from a state
|
|
9
|
+
* machine that already buffers bytes.
|
|
10
|
+
* - The `pg` `Connection` / `Stream` plumbing is removed. Channel binding
|
|
11
|
+
* data (the certificate hash) is passed in as `Buffer` by the caller,
|
|
12
|
+
* not derived from a TLS socket. The caller (WP-02) is responsible for
|
|
13
|
+
* extracting `tls-server-end-point` per RFC 5929 (i.e. SHA-256 over
|
|
14
|
+
* the cert's `tbsCertificate`, or the cert's own signature hash when
|
|
15
|
+
* strong enough — that policy lives upstream of this module).
|
|
16
|
+
* - Returns Buffer-typed messages because the wire framer consumes
|
|
17
|
+
* Buffers; upstream pg works in strings because its message reader
|
|
18
|
+
* does the same.
|
|
19
|
+
* - SASLprep: ported upstream's permissive minimal SASLprep (the three
|
|
20
|
+
* transformations that actually change byte content). The full RFC
|
|
21
|
+
* 4013 prohibition + bidi tables are *not* implemented — matches
|
|
22
|
+
* libpq's and pg's behaviour, see comment on `saslprep` below.
|
|
23
|
+
*
|
|
24
|
+
* Server signature verification uses `crypto.timingSafeEqual` to avoid
|
|
25
|
+
* leaking timing information about the comparison result.
|
|
26
|
+
*/
|
|
27
|
+
import { createHash, createHmac, pbkdf2Sync, randomBytes as nodeRandomBytes, timingSafeEqual, } from 'node:crypto';
|
|
28
|
+
export class SaslMechanismError extends Error {
|
|
29
|
+
constructor(message) {
|
|
30
|
+
super(message);
|
|
31
|
+
this.name = 'SaslMechanismError';
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
export class SaslVerificationError extends Error {
|
|
35
|
+
constructor(message) {
|
|
36
|
+
super(message);
|
|
37
|
+
this.name = 'SaslVerificationError';
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
export class SaslProtocolError extends Error {
|
|
41
|
+
constructor(message) {
|
|
42
|
+
super(message);
|
|
43
|
+
this.name = 'SaslProtocolError';
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
export function createScramClient(opts) {
|
|
47
|
+
const { mechanism, gs2Header, cbindInput } = chooseMechanism(opts.mechanisms, opts.channelBinding);
|
|
48
|
+
const rng = opts.randomBytes ?? nodeRandomBytes;
|
|
49
|
+
// 18 raw bytes => 24 base64 chars; same width as upstream pg.
|
|
50
|
+
// Commas are not part of the base64 alphabet, so the nonce is automatically
|
|
51
|
+
// SCRAM-safe (RFC 5802 §5.1 forbids `,` in `r=`).
|
|
52
|
+
const clientNonce = rng(18).toString('base64');
|
|
53
|
+
const internal = {
|
|
54
|
+
state: 'init',
|
|
55
|
+
mechanism,
|
|
56
|
+
clientNonce,
|
|
57
|
+
gs2Header,
|
|
58
|
+
cbindInput,
|
|
59
|
+
password: opts.password,
|
|
60
|
+
serverSignature: null,
|
|
61
|
+
};
|
|
62
|
+
return {
|
|
63
|
+
mechanism,
|
|
64
|
+
start: () => start(internal),
|
|
65
|
+
continue: (serverFirst) => continueSession(internal, serverFirst),
|
|
66
|
+
finish: (serverFinal) => {
|
|
67
|
+
finishSession(internal, serverFinal);
|
|
68
|
+
},
|
|
69
|
+
};
|
|
70
|
+
}
|
|
71
|
+
function chooseMechanism(advertised, channelBinding) {
|
|
72
|
+
const hasPlus = advertised.includes('SCRAM-SHA-256-PLUS');
|
|
73
|
+
const hasPlain = advertised.includes('SCRAM-SHA-256');
|
|
74
|
+
if (channelBinding && hasPlus) {
|
|
75
|
+
const gs2 = 'p=tls-server-end-point,,';
|
|
76
|
+
return {
|
|
77
|
+
mechanism: 'SCRAM-SHA-256-PLUS',
|
|
78
|
+
gs2Header: gs2,
|
|
79
|
+
cbindInput: Buffer.concat([
|
|
80
|
+
Buffer.from(gs2, 'utf8'),
|
|
81
|
+
channelBinding.data,
|
|
82
|
+
]),
|
|
83
|
+
};
|
|
84
|
+
}
|
|
85
|
+
if (hasPlain) {
|
|
86
|
+
// Client has channel-binding data but server doesn't advertise PLUS: per
|
|
87
|
+
// RFC 5802 §6 the client must signal this with `y` so a downgrade attack
|
|
88
|
+
// is detected (the server, if PLUS-capable, would have advertised it).
|
|
89
|
+
const gs2 = channelBinding ? 'y,,' : 'n,,';
|
|
90
|
+
return {
|
|
91
|
+
mechanism: 'SCRAM-SHA-256',
|
|
92
|
+
gs2Header: gs2,
|
|
93
|
+
cbindInput: Buffer.from(gs2, 'utf8'),
|
|
94
|
+
};
|
|
95
|
+
}
|
|
96
|
+
throw new SaslMechanismError(`SASL: server offered [${advertised.join(', ')}] but only SCRAM-SHA-256 and SCRAM-SHA-256-PLUS are supported`);
|
|
97
|
+
}
|
|
98
|
+
function start(s) {
|
|
99
|
+
if (s.state !== 'init') {
|
|
100
|
+
throw new SaslProtocolError(`SASL: start() called in state ${s.state}`);
|
|
101
|
+
}
|
|
102
|
+
// n=,r=<nonce> — the username field is empty because PostgreSQL ignores it
|
|
103
|
+
// (the actual user was sent in StartupMessage) and an empty `n=` matches
|
|
104
|
+
// libpq's wire output. Note pg sends `n=*` instead; both interoperate.
|
|
105
|
+
const clientFirstBare = `n=,r=${s.clientNonce}`;
|
|
106
|
+
const clientFirstMessage = Buffer.from(s.gs2Header + clientFirstBare, 'utf8');
|
|
107
|
+
s.state = 'sent-first';
|
|
108
|
+
return { mechanism: s.mechanism, clientFirstMessage };
|
|
109
|
+
}
|
|
110
|
+
function continueSession(s, serverFirst) {
|
|
111
|
+
if (s.state !== 'sent-first') {
|
|
112
|
+
throw new SaslProtocolError(`SASL: continue() called in state ${s.state}`);
|
|
113
|
+
}
|
|
114
|
+
const serverFirstStr = serverFirst.toString('utf8');
|
|
115
|
+
const parsed = parseServerFirst(serverFirstStr);
|
|
116
|
+
if (!parsed.nonce.startsWith(s.clientNonce)) {
|
|
117
|
+
throw new SaslProtocolError('SASL: server nonce does not start with client nonce');
|
|
118
|
+
}
|
|
119
|
+
if (parsed.nonce.length === s.clientNonce.length) {
|
|
120
|
+
throw new SaslProtocolError('SASL: server nonce is too short');
|
|
121
|
+
}
|
|
122
|
+
const clientFirstBare = `n=,r=${s.clientNonce}`;
|
|
123
|
+
const serverFirstString = `r=${parsed.nonce},s=${parsed.salt},i=${String(parsed.iteration)}`;
|
|
124
|
+
// c=<base64 of GS2 header || optional CB data>
|
|
125
|
+
const channelBindingB64 = s.cbindInput.toString('base64');
|
|
126
|
+
const clientFinalWithoutProof = `c=${channelBindingB64},r=${parsed.nonce}`;
|
|
127
|
+
const authMessage = `${clientFirstBare},${serverFirstString},${clientFinalWithoutProof}`;
|
|
128
|
+
const saltBytes = Buffer.from(parsed.salt, 'base64');
|
|
129
|
+
// SASLprep the password before PBKDF2 (RFC 5802 §2.2). Our impl is minimal;
|
|
130
|
+
// see saslprep() comment for the deviation from full RFC 4013.
|
|
131
|
+
const normalizedPassword = saslprep(s.password);
|
|
132
|
+
const saltedPassword = pbkdf2Sync(Buffer.from(normalizedPassword, 'utf8'), saltBytes, parsed.iteration, 32, 'sha256');
|
|
133
|
+
const clientKey = hmac(saltedPassword, 'Client Key');
|
|
134
|
+
const storedKey = sha256(clientKey);
|
|
135
|
+
const clientSignature = hmac(storedKey, authMessage);
|
|
136
|
+
const clientProof = xor(clientKey, clientSignature);
|
|
137
|
+
const serverKey = hmac(saltedPassword, 'Server Key');
|
|
138
|
+
s.serverSignature = hmac(serverKey, authMessage);
|
|
139
|
+
s.state = 'sent-final';
|
|
140
|
+
return Buffer.from(`${clientFinalWithoutProof},p=${clientProof.toString('base64')}`, 'utf8');
|
|
141
|
+
}
|
|
142
|
+
function finishSession(s, serverFinal) {
|
|
143
|
+
if (s.state !== 'sent-final') {
|
|
144
|
+
throw new SaslProtocolError(`SASL: finish() called in state ${s.state}`);
|
|
145
|
+
}
|
|
146
|
+
if (s.serverSignature === null) {
|
|
147
|
+
// Defensive: should be impossible because state machine guards it.
|
|
148
|
+
throw new SaslProtocolError('SASL: no server signature recorded');
|
|
149
|
+
}
|
|
150
|
+
const parsed = parseServerFinal(serverFinal.toString('utf8'));
|
|
151
|
+
const received = Buffer.from(parsed.serverSignature, 'base64');
|
|
152
|
+
// Constant-time comparison: defeats timing side channels that could let an
|
|
153
|
+
// attacker (with control over `v=`) learn the prefix of our derived signature.
|
|
154
|
+
if (received.length !== s.serverSignature.length ||
|
|
155
|
+
!timingSafeEqual(received, s.serverSignature)) {
|
|
156
|
+
throw new SaslVerificationError('SASL: server signature does not match — possible MITM or wrong password');
|
|
157
|
+
}
|
|
158
|
+
s.state = 'done';
|
|
159
|
+
}
|
|
160
|
+
function parseServerFirst(text) {
|
|
161
|
+
const attrs = parseAttributePairs(text);
|
|
162
|
+
const nonce = attrs.get('r');
|
|
163
|
+
if (!nonce) {
|
|
164
|
+
throw new SaslProtocolError('SASL: server-first missing `r=` (nonce)');
|
|
165
|
+
}
|
|
166
|
+
if (!isPrintableChars(nonce)) {
|
|
167
|
+
throw new SaslProtocolError('SASL: server-first nonce contains non-printable characters');
|
|
168
|
+
}
|
|
169
|
+
const salt = attrs.get('s');
|
|
170
|
+
if (!salt) {
|
|
171
|
+
throw new SaslProtocolError('SASL: server-first missing `s=` (salt)');
|
|
172
|
+
}
|
|
173
|
+
if (!isBase64(salt)) {
|
|
174
|
+
throw new SaslProtocolError('SASL: server-first salt is not base64');
|
|
175
|
+
}
|
|
176
|
+
const iterStr = attrs.get('i');
|
|
177
|
+
if (!iterStr) {
|
|
178
|
+
throw new SaslProtocolError('SASL: server-first missing `i=` (iterations)');
|
|
179
|
+
}
|
|
180
|
+
if (!/^[1-9][0-9]*$/.test(iterStr)) {
|
|
181
|
+
throw new SaslProtocolError(`SASL: server-first iteration count is not a positive integer: ${iterStr}`);
|
|
182
|
+
}
|
|
183
|
+
return { nonce, salt, iteration: parseInt(iterStr, 10) };
|
|
184
|
+
}
|
|
185
|
+
function parseServerFinal(text) {
|
|
186
|
+
const attrs = parseAttributePairs(text);
|
|
187
|
+
const errorAttr = attrs.get('e');
|
|
188
|
+
if (errorAttr) {
|
|
189
|
+
throw new SaslVerificationError(`SASL: server-final returned error: ${errorAttr}`);
|
|
190
|
+
}
|
|
191
|
+
const v = attrs.get('v');
|
|
192
|
+
if (!v) {
|
|
193
|
+
throw new SaslProtocolError('SASL: server-final missing `v=` (server signature)');
|
|
194
|
+
}
|
|
195
|
+
if (!isBase64(v)) {
|
|
196
|
+
throw new SaslProtocolError('SASL: server-final `v=` is not base64');
|
|
197
|
+
}
|
|
198
|
+
return { serverSignature: v };
|
|
199
|
+
}
|
|
200
|
+
function parseAttributePairs(text) {
|
|
201
|
+
const out = new Map();
|
|
202
|
+
for (const pair of text.split(',')) {
|
|
203
|
+
if (pair.length < 2 || pair[1] !== '=') {
|
|
204
|
+
throw new SaslProtocolError(`SASL: malformed attribute pair: ${JSON.stringify(pair)}`);
|
|
205
|
+
}
|
|
206
|
+
const key = pair[0];
|
|
207
|
+
// RFC 5802 attribute lists never repeat an attribute; a duplicate is
|
|
208
|
+
// malformed server input. Reject it rather than silently last-wins,
|
|
209
|
+
// so a non-conformant/hostile server can't smuggle a shadow value
|
|
210
|
+
// (e.g. `v=<good>,v=<evil>`) past the parse.
|
|
211
|
+
if (out.has(key)) {
|
|
212
|
+
throw new SaslProtocolError(`SASL: duplicate attribute ${JSON.stringify(key)} in message`);
|
|
213
|
+
}
|
|
214
|
+
out.set(key, pair.substring(2));
|
|
215
|
+
}
|
|
216
|
+
return out;
|
|
217
|
+
}
|
|
218
|
+
// printable = %x21-2B / %x2D-7E ;; printable ASCII except ","
|
|
219
|
+
function isPrintableChars(text) {
|
|
220
|
+
for (let i = 0; i < text.length; i++) {
|
|
221
|
+
const c = text.charCodeAt(i);
|
|
222
|
+
if (!((c >= 0x21 && c <= 0x2b) || (c >= 0x2d && c <= 0x7e))) {
|
|
223
|
+
return false;
|
|
224
|
+
}
|
|
225
|
+
}
|
|
226
|
+
return true;
|
|
227
|
+
}
|
|
228
|
+
function isBase64(text) {
|
|
229
|
+
return /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(text);
|
|
230
|
+
}
|
|
231
|
+
// ---------------------------------------------------------------------------
|
|
232
|
+
// Crypto helpers
|
|
233
|
+
// ---------------------------------------------------------------------------
|
|
234
|
+
function hmac(key, msg) {
|
|
235
|
+
const h = createHmac('sha256', key);
|
|
236
|
+
h.update(msg);
|
|
237
|
+
return h.digest();
|
|
238
|
+
}
|
|
239
|
+
function sha256(data) {
|
|
240
|
+
return createHash('sha256').update(data).digest();
|
|
241
|
+
}
|
|
242
|
+
function xor(a, b) {
|
|
243
|
+
if (a.length !== b.length) {
|
|
244
|
+
throw new SaslProtocolError(`SASL: XOR length mismatch (${String(a.length)} vs ${String(b.length)})`);
|
|
245
|
+
}
|
|
246
|
+
const out = Buffer.alloc(a.length);
|
|
247
|
+
for (let i = 0; i < a.length; i++) {
|
|
248
|
+
out[i] = a[i] ^ b[i];
|
|
249
|
+
}
|
|
250
|
+
return out;
|
|
251
|
+
}
|
|
252
|
+
// ---------------------------------------------------------------------------
|
|
253
|
+
// SASLprep
|
|
254
|
+
// ---------------------------------------------------------------------------
|
|
255
|
+
/**
|
|
256
|
+
* Minimal SASLprep (RFC 4013) — exactly the three transformations that
|
|
257
|
+
* change byte content, ported from node-postgres' implementation:
|
|
258
|
+
*
|
|
259
|
+
* 1. RFC 3454 Table C.1.2 (non-ASCII space) -> U+0020 SPACE.
|
|
260
|
+
* 2. RFC 3454 Table B.1 (commonly mapped to nothing) -> empty.
|
|
261
|
+
* 3. NFKC normalization.
|
|
262
|
+
*
|
|
263
|
+
* We deliberately *skip* the RFC 4013 §2.3 prohibition table and the §6
|
|
264
|
+
* bidi checks. libpq is forgiving on those paths and PostgreSQL's own
|
|
265
|
+
* SASLprep matches that leniency for legacy roles — implementing strict
|
|
266
|
+
* RFC 4013 here would lock out passwords that already auth against the
|
|
267
|
+
* server. This deviation matches upstream pg.
|
|
268
|
+
*
|
|
269
|
+
* The character classes below intentionally contain combining marks and
|
|
270
|
+
* zero-width joiners (RFC 3454 Table B.1) and named spaces (Table C.1.2);
|
|
271
|
+
* they are spelled with `\u` escapes so the source is portable across
|
|
272
|
+
* encodings.
|
|
273
|
+
*/
|
|
274
|
+
// Built once at module load: regex character classes for the two SASLprep
|
|
275
|
+
// transformations. They are constructed from \uXXXX escape sequences in a
|
|
276
|
+
// string so the source file stays ASCII-only and so we sidestep ESLint's
|
|
277
|
+
// `no-irregular-whitespace` and `no-misleading-character-class` rules —
|
|
278
|
+
// those only inspect raw regex literals, not dynamically-built patterns.
|
|
279
|
+
const NON_ASCII_SPACE_RE = new RegExp('[' + '\u00A0\u1680' + '\u2000-\u200B' + '\u202F\u205F\u3000' + ']', 'g');
|
|
280
|
+
// Combining marks and ZWJ are intentionally in this class; RFC 3454 Table B.1
|
|
281
|
+
// strips them precisely because they combine with neighbouring code points.
|
|
282
|
+
/* eslint-disable no-misleading-character-class */
|
|
283
|
+
const MAPPED_TO_NOTHING_RE = new RegExp('[' +
|
|
284
|
+
'\u00AD\u034F\u1806' +
|
|
285
|
+
'\u180B-\u180D' +
|
|
286
|
+
'\u200C\u200D\u2060' +
|
|
287
|
+
'\uFE00-\uFE0F' +
|
|
288
|
+
'\uFEFF' +
|
|
289
|
+
']', 'g');
|
|
290
|
+
/* eslint-enable no-misleading-character-class */
|
|
291
|
+
function saslprep(password) {
|
|
292
|
+
return password
|
|
293
|
+
.replace(NON_ASCII_SPACE_RE, ' ')
|
|
294
|
+
.replace(MAPPED_TO_NOTHING_RE, '')
|
|
295
|
+
.normalize('NFKC');
|
|
296
|
+
}
|