pico-auth 0.0.25 → 0.0.27
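--- a/package/dist/pico-auth.d.ts
+++ b/package/dist/pico-auth.d.ts
@@ -9,12 +9,17 @@ declare module "core/auth" {
 userSecretPath?: string;
 userPasswordPath?: string;
 getSafeUser?(user: any): Promise<BaseUser>;
+getUserPostAuthenticate?(user: any): Promise<BaseUser>;
 }
 export interface ImpersonateProvider {
 canImpersonate(user: any, target: string): Promise<any>;
 impersonateOrg(user: any, target: string): Promise<any>;
 }
+export interface ScratchCardProvider {
+consume(user: BaseUser, cardCode: string): Promise<BaseUser>;
+}
 export interface BaseUser {
+id?: string;
 blocked?: boolean;
 [key: string]: any;
 }
@@ -22,6 +27,17 @@ declare module "core/auth" {
 * When mfaToken is provided
 */
 export const authenticate: (login: string, password: string, mfaToken: string, impersonateEntity: string, userProvider: UserProvider, impersonateProvider: any, jwtSpecs: JWTSpecs) => Promise<any>;
+/**
+* Allows to login using scratch card. As scratch card may provide a different user to log in to
+* it also allows to impersonate someone using scratch card.
+* @param requesterLogin
+* @param cardCode
+* @param userProvider
+* @param scratchCardProvider
+* @param jwtSpecs
+* @returns
+*/
+export const authenticateWithScratchCard: (requesterLogin: string, cardCode: string, userProvider: UserProvider, scratchCardProvider: ScratchCardProvider, jwtSpecs: JWTSpecs) => Promise<any>;
 /**
 * Will prepare user for MFA activation. Next step is to call verify with token generated in MFA app by the user.
 */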
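Review bot: `authenticateWithScratchCard` is declared with no password or MFA-token parameter and no `ImpersonateProvider`, yet its doc comment says the card may log in a different user, so the whole security of this path rests on `ScratchCardProvider.consume`, whose contract is undocumented. The `@param` and `@returns` tags are empty; I would put a contract on `consume` along the lines of `/** Redeems a single-use code: must reject on unknown or already-used codes, invalidate the code atomically, and resolve to the user the token is issued for. */`. The doc block should also say whether `blocked` is checked on the requester, on the returned user, or on both. Separately, the new minified ESM bundle shown further down this page exports only `authenticate, mfaEnabled, mfaRegister, mfaVerify`, so the declared function may be missing from some shipped builds; worth confirming.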
package/dist/pico-auth.esm.js
CHANGED
|
@@ -69,6 +69,7 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
|
|
|
69
69
|
// let jwtSecretKey = process.env.JWT_SECRET_KEY;
|
|
70
70
|
let jwtSecretKey = jwtSpecs.secretKey;
|
|
71
71
|
let clearedUser = userProvider.getSafeUser ? await userProvider.getSafeUser(user) : user;
|
|
72
|
+
clearedUser = userProvider.getUserPostAuthenticate ? await userProvider.getUserPostAuthenticate(clearedUser) : clearedUser;
|
|
72
73
|
let data = {
|
|
73
74
|
time: Date.now(),
|
|
74
75
|
user: clearedUser
|
|
@@ -1 +1 @@
|
|
|
1
|
-
const speakeasy=require("speakeasy"),qrcode=require("qrcode"),md5=require("md5"),jwt=require("jsonwebtoken"),authenticate=async(e,t,a,r,s,o,i)=>{var n;let c=await s.getUser(e);const l=s.userSecretPath?c[s.userSecretPath]:c.mfa,d=s.userPasswordPath?c[s.userPasswordPath]:c.password;if(null==l?void 0:l.enabled){if(!speakeasy.totp.verify({secret:null===(n=null==l?void 0:l.secret)||void 0===n?void 0:n.actual,encoding:"base32",token:a,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(c.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(md5(t||"")==d){const e=r,t=c;if(e){let a=!1;if(e.startsWith("@")){if(a=a||await o.canImpersonate(c,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await o.impersonateOrg(c,e)}else{const r=await s.getUser(e);if(a=a||await o.canImpersonate(c,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);c=r}console.info(`Impersonate success. From: ${t.login} into ${e}`)}let a=i.secretKey,n=s.getSafeUser?await s.getSafeUser(c):c
|
|
1
|
+
const speakeasy=require("speakeasy"),qrcode=require("qrcode"),md5=require("md5"),jwt=require("jsonwebtoken"),authenticate=async(e,t,a,r,s,o,i)=>{var n;let c=await s.getUser(e);const l=s.userSecretPath?c[s.userSecretPath]:c.mfa,d=s.userPasswordPath?c[s.userPasswordPath]:c.password;if(null==l?void 0:l.enabled){if(!speakeasy.totp.verify({secret:null===(n=null==l?void 0:l.secret)||void 0===n?void 0:n.actual,encoding:"base32",token:a,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(c.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(md5(t||"")==d){const e=r,t=c;if(e){let a=!1;if(e.startsWith("@")){if(a=a||await o.canImpersonate(c,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await o.impersonateOrg(c,e)}else{const r=await s.getUser(e);if(a=a||await o.canImpersonate(c,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);c=r}console.info(`Impersonate success. From: ${t.login} into ${e}`)}let a=i.secretKey,n=s.getSafeUser?await s.getSafeUser(c):c;n=s.getUserPostAuthenticate?await s.getUserPostAuthenticate(n):n;let l={time:Date.now(),user:n};const d=jwt.sign(l,a,{expiresIn:i.expiryTimeMs});return console.log(`Successful login: ${c.id}`),d}throw new Error(`Failed authentication attempt ${e}`)},mfaRegister=async(e,t,a)=>new Promise(async(r,s)=>{let o=await a.getUser(t),i=a.userSecretPath?o[a.userSecretPath]:o.mfa;const n=speakeasy.generateSecret({name:`${e}: ${t}`});if(!i){i={secret:{temp:void 0,actual:void 0},enabled:!1};o[a.userSecretPath?a.userSecretPath:"mfa"]=i}i.secret.temp=n.base32,i.secret.actual=void 0,await a.putUser(o),qrcode.toDataURL(n.otpauth_url,(e,t)=>{if(e)throw new Error("Error generating QR code");r({qr_code:t,secret:n.base32})})}),mfaVerify=async(e,t,a)=>{var r,s;const o=t;let i=await a.getUser(e);const n=a.userSecretPath?i[a.userSecretPath]:i.mfa;return speakeasy.totp.verify({secret:null===(r=null==n?void 0:n.secret)||void 0===r?void 
0:r.temp,encoding:"base32",token:o})?(n.secret.actual=null===(s=null==n?void 0:n.secret)||void 0===s?void 0:s.temp,n.enabled=!0,await a.putUser(i),!0):(console.log(`Failed mfa verification for ${e}`),!1)},mfaEnabled=async(e,t)=>{let a=await t.getUser(e);const r=t.userSecretPath?a[t.userSecretPath]:a.mfa;return(null==r?void 0:r.enabled)||!1};export{authenticate,mfaEnabled,mfaRegister,mfaVerify};
|
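Review bot: The added `getUserPostAuthenticate` call runs after `getSafeUser`, and its result is what gets embedded in the JWT as `user: clearedUser`, so any field the hook puts back (a password digest, the MFA secret object) lands in a token that is signed but not encrypted. Running the hook first and sanitising last keeps `getSafeUser` as the final gate: `let clearedUser = userProvider.getUserPostAuthenticate ? await userProvider.getUserPostAuthenticate(user) : user;` followed by `clearedUser = userProvider.getSafeUser ? await userProvider.getSafeUser(clearedUser) : clearedUser;`. If the current order is intentional, a comment such as `// post-auth hook output is embedded in the JWT as-is; it must not add secrets` would make the contract explicit. The same line is added in the pico-auth.umd.js hunk at `@@ -75,6 +75,7 @@`. The enclosing `authenticate` function starts and ends outside this hunk.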
package/dist/pico-auth.umd.js
CHANGED
|
@@ -75,6 +75,7 @@
|
|
|
75
75
|
// let jwtSecretKey = process.env.JWT_SECRET_KEY;
|
|
76
76
|
let jwtSecretKey = jwtSpecs.secretKey;
|
|
77
77
|
let clearedUser = userProvider.getSafeUser ? await userProvider.getSafeUser(user) : user;
|
|
78
|
+
clearedUser = userProvider.getUserPostAuthenticate ? await userProvider.getUserPostAuthenticate(clearedUser) : clearedUser;
|
|
78
79
|
let data = {
|
|
79
80
|
time: Date.now(),
|
|
80
81
|
user: clearedUser
|
|
@@ -1 +1 @@
|
|
|
1
|
-
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).picoAuth={})}(this,
|
|
1
|
+
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).picoAuth={})}(this,function(e){"use strict";const t=require("speakeasy"),r=require("qrcode"),a=require("md5"),o=require("jsonwebtoken");e.authenticate=async(e,r,i,s,n,c,l)=>{var u;let d=await n.getUser(e);const f=n.userSecretPath?d[n.userSecretPath]:d.mfa,m=n.userPasswordPath?d[n.userPasswordPath]:d.password;if(null==f?void 0:f.enabled){if(!t.totp.verify({secret:null===(u=null==f?void 0:f.secret)||void 0===u?void 0:u.actual,encoding:"base32",token:i,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(d.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(a(r||"")==m){const e=s,t=d;if(e){let r=!1;if(e.startsWith("@")){if(r=r||await c.canImpersonate(d,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await c.impersonateOrg(d,e)}else{const a=await n.getUser(e);if(r=r||await c.canImpersonate(d,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);d=a}console.info(`Impersonate success. 
From: ${t.login} into ${e}`)}let r=l.secretKey,a=n.getSafeUser?await n.getSafeUser(d):d;a=n.getUserPostAuthenticate?await n.getUserPostAuthenticate(a):a;let i={time:Date.now(),user:a};const u=o.sign(i,r,{expiresIn:l.expiryTimeMs});return console.log(`Successful login: ${d.id}`),u}throw new Error(`Failed authentication attempt ${e}`)},e.mfaEnabled=async(e,t)=>{let r=await t.getUser(e);const a=t.userSecretPath?r[t.userSecretPath]:r.mfa;return(null==a?void 0:a.enabled)||!1},e.mfaRegister=async(e,a,o)=>new Promise(async(i,s)=>{let n=await o.getUser(a),c=o.userSecretPath?n[o.userSecretPath]:n.mfa;const l=t.generateSecret({name:`${e}: ${a}`});if(!c){c={secret:{temp:void 0,actual:void 0},enabled:!1};n[o.userSecretPath?o.userSecretPath:"mfa"]=c}c.secret.temp=l.base32,c.secret.actual=void 0,await o.putUser(n),r.toDataURL(l.otpauth_url,(e,t)=>{if(e)throw new Error("Error generating QR code");i({qr_code:t,secret:l.base32})})}),e.mfaVerify=async(e,r,a)=>{var o,i;const s=r;let n=await a.getUser(e);const c=a.userSecretPath?n[a.userSecretPath]:n.mfa;return t.totp.verify({secret:null===(o=null==c?void 0:c.secret)||void 0===o?void 0:o.temp,encoding:"base32",token:s})?(c.secret.actual=null===(i=null==c?void 0:c.secret)||void 0===i?void 0:i.temp,c.enabled=!0,await a.putUser(n),!0):(console.log(`Failed mfa verification for ${e}`),!1)},Object.defineProperty(e,"__esModule",{value:!0})});
|
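Review bot: The bundled `authenticate` in the minified hunk of this section still verifies the password as `a(r||"")==m` with `a=require("md5")`, an unsalted MD5 digest compared with loose equality, and this release adds a second login path without changing that. MD5 digests are cheap to brute-force if the user store leaks; the usual replacement is a salted, slow KDF (for example Node's built-in `crypto.scrypt`) with `crypto.timingSafeEqual` for the comparison, plus a rehash-on-next-login migration. The same expression appears as `md5(t||"")==d` in the minified ESM bundle. The option `expiresIn:l.expiryTimeMs` is also worth checking: jsonwebtoken reads a numeric `expiresIn` as seconds, so if that field really holds milliseconds as a number, tokens would live far longer than intended.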