pico-auth 0.0.39 → 0.0.41

@@ -4,6 +4,9 @@ declare module "core/auth" {
4
4
  expiryTimeMs: any;
5
5
  refreshExpiryTimeMs?: any;
6
6
  }
7
+ export interface AuxData {
8
+ [key: string]: any;
9
+ }
7
10
  export interface UserProvider {
8
11
  getUser(login: string): Promise<BaseUser>;
9
12
  putUser(user: any): Promise<any>;
@@ -24,14 +27,14 @@ declare module "core/auth" {
24
27
  blocked?: boolean;
25
28
  [key: string]: any;
26
29
  }
27
- export const issueJwtToken: (user: BaseUser, userProvider: UserProvider, jwtSpecs: JWTSpecs, issueRefreshToken: boolean) => Promise<{
30
+ export const issueJwtToken: (user: BaseUser, userProvider: UserProvider, jwtSpecs: JWTSpecs, issueRefreshToken: boolean, aux?: AuxData) => Promise<{
28
31
  token: any;
29
32
  clearedUser: BaseUser;
30
33
  }>;
31
34
  /**
32
35
  * When mfaToken is provided
33
36
  */
34
- export const authenticate: (login: string, password: string, mfaToken: string, impersonateEntity: string, userProvider: UserProvider, impersonateProvider: any, jwtSpecs: JWTSpecs) => Promise<{
37
+ export const authenticate: (login: string, password: string, mfaToken: string, impersonateEntity: string, userProvider: UserProvider, impersonateProvider: any, jwtSpecs: JWTSpecs, aux?: AuxData) => Promise<{
35
38
  token: any;
36
39
  refreshToken: any;
37
40
  }>;
@@ -45,7 +48,7 @@ declare module "core/auth" {
45
48
  * @param jwtSpecs
46
49
  * @returns
47
50
  */
48
- export const authenticateWithScratchCard: (cardCode: string, userProvider: UserProvider, scratchCardProvider: ScratchCardProvider, jwtSpecs: JWTSpecs, requesterLogin?: string) => Promise<{
51
+ export const authenticateWithScratchCard: (cardCode: string, userProvider: UserProvider, scratchCardProvider: ScratchCardProvider, jwtSpecs: JWTSpecs, requesterLogin?: string, aux?: AuxData) => Promise<{
49
52
  token: any;
50
53
  refreshToken: any;
51
54
  user: BaseUser;
@@ -59,7 +62,7 @@ declare module "core/auth" {
59
62
  * @param jwtSpecs
60
63
  * @returns short lived token
61
64
  */
62
- export const refreshToken: (login: string, refreshToken: string, userProvider: UserProvider, jwtSpecs: JWTSpecs) => Promise<{
65
+ export const refreshToken: (login: string, refreshToken: string, userProvider: UserProvider, jwtSpecs: JWTSpecs, aux?: AuxData) => Promise<{
63
66
  token: any;
64
67
  refreshToken: any;
65
68
  }>;
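Review bot: `AuxData` (added in the `@@ -4,6 +4,9 @@` hunk) is an undocumented `[key: string]: any` bag, yet whatever a caller puts in it is signed into the JWT payload and `scenario` is a key the library assigns itself on refresh tokens, neither of which a consumer of these typings can see. Suggest a TSDoc on the interface along the lines of `/** Extra claims embedded in the signed JWT payload as "aux". A JWT payload is base64-encoded, not encrypted, so any token holder can read these values. "scenario" is reserved: issueJwtToken sets it to "REFRESH" on refresh tokens when absent. */` and a matching `@param aux` line in the existing JSDoc blocks of `authenticate`, `authenticateWithScratchCard` and `refreshToken`. Declaring `scenario?: string;` explicitly next to the index signature would also surface the reserved key to callers, and `unknown` instead of `any` as the value type would force consumers to narrow before use.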
@@ -2,13 +2,22 @@ const speakeasy = require('speakeasy');
2
2
  const qrcode = require('qrcode');
3
3
  const md5 = require("md5");
4
4
  const jwt = require('jsonwebtoken');
5
- const issueJwtToken = async (user, userProvider, jwtSpecs, issueRefreshToken) => {
5
+ const issueJwtToken = async (user, userProvider, jwtSpecs, issueRefreshToken, aux) => {
6
6
  let jwtSecretKey = jwtSpecs.secretKey;
7
7
  let clearedUser = userProvider.getSafeUser ? await userProvider.getSafeUser(user) : user;
8
8
  clearedUser = userProvider.getUserPostAuthenticate ? await userProvider.getUserPostAuthenticate(clearedUser) : clearedUser;
9
+ if (issueRefreshToken && !aux) {
10
+ aux = {
11
+ scenario: "REFRESH"
12
+ };
13
+ }
14
+ else if (issueRefreshToken && aux) {
15
+ aux['scenario'] = aux['scenario'] || "REFRESH";
16
+ }
9
17
  let data = {
10
18
  time: Date.now(),
11
- user: clearedUser
19
+ user: clearedUser,
20
+ aux: aux
12
21
  };
13
22
  let token;
14
23
  if (issueRefreshToken && jwtSpecs.refreshExpiryTimeMs) {
@@ -25,7 +34,7 @@ const issueJwtToken = async (user, userProvider, jwtSpecs, issueRefreshToken) =>
25
34
  /**
26
35
  * When mfaToken is provided
27
36
  */
28
- const authenticate = async (login, password, mfaToken, impersonateEntity, userProvider, impersonateProvider, jwtSpecs) => {
37
+ const authenticate = async (login, password, mfaToken, impersonateEntity, userProvider, impersonateProvider, jwtSpecs, aux) => {
29
38
  var _a;
30
39
  let user = await userProvider.getUser(login);
31
40
  const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
@@ -86,10 +95,10 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
86
95
  }
87
96
  console.info(`Impersonate success. From: ${originalUser.login} into ${target}`);
88
97
  }
89
- const token = (await issueJwtToken(user, userProvider, jwtSpecs, false)).token;
98
+ const token = (await issueJwtToken(user, userProvider, jwtSpecs, false, aux)).token;
90
99
  let refreshToken;
91
100
  if (jwtSpecs.refreshExpiryTimeMs)
92
- refreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true)).token;
101
+ refreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true, aux)).token;
93
102
  console.log(`Successful login: ${user.id}`);
94
103
  return {
95
104
  token,
@@ -110,7 +119,7 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
110
119
  * @param jwtSpecs
111
120
  * @returns
112
121
  */
113
- const authenticateWithScratchCard = async (cardCode, userProvider, scratchCardProvider, jwtSpecs, requesterLogin) => {
122
+ const authenticateWithScratchCard = async (cardCode, userProvider, scratchCardProvider, jwtSpecs, requesterLogin, aux) => {
114
123
  let user = requesterLogin ? await userProvider.getUser(requesterLogin) : undefined;
115
124
  if (user && user.blocked)
116
125
  throw new Error(`Failed card authentication attempt ${requesterLogin} (Blocked)`);
@@ -132,10 +141,10 @@ const authenticateWithScratchCard = async (cardCode, userProvider, scratchCardPr
132
141
  throw new Error(`Failed card authentication attempt ${requesterLogin} (Blocked as Target)`);
133
142
  // ok so we will use targetUser as a user that will be actually logged in
134
143
  // in impersonation scenario targetUser may be different then the user.
135
- const jwtData = await issueJwtToken(targetUser, userProvider, jwtSpecs, false);
144
+ const jwtData = await issueJwtToken(targetUser, userProvider, jwtSpecs, false, aux);
136
145
  let refreshToken;
137
146
  if (jwtSpecs.refreshExpiryTimeMs)
138
- refreshToken = (await issueJwtToken(targetUser, userProvider, jwtSpecs, true)).token;
147
+ refreshToken = (await issueJwtToken(targetUser, userProvider, jwtSpecs, true, aux)).token;
139
148
  console.info(`Card authentication success. Requester:${requesterLogin} Target:${targetUser.id}`);
140
149
  return {
141
150
  token: jwtData.token,
@@ -157,7 +166,7 @@ const authenticateWithScratchCard = async (cardCode, userProvider, scratchCardPr
157
166
  * @param jwtSpecs
158
167
  * @returns short lived token
159
168
  */
160
- const refreshToken = async (login, refreshToken, userProvider, jwtSpecs) => {
169
+ const refreshToken = async (login, refreshToken, userProvider, jwtSpecs, aux) => {
161
170
  let user = await userProvider.getUser(login);
162
171
  if (user.blocked)
163
172
  throw new Error(`Failed refresh token attempt ${login} (Blocked)`);
@@ -171,10 +180,10 @@ const refreshToken = async (login, refreshToken, userProvider, jwtSpecs) => {
171
180
  if (!refreshTokenUser || refreshTokenUser.id != user.id) {
172
181
  throw new Error(`Failed refresh token attempt ${login} (Invalid Token)`);
173
182
  }
174
- const token = (await issueJwtToken(user, userProvider, jwtSpecs, false)).token;
183
+ const token = (await issueJwtToken(user, userProvider, jwtSpecs, false, aux)).token;
175
184
  let newRefreshToken;
176
185
  if (jwtSpecs.refreshExpiryTimeMs)
177
- newRefreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true)).token;
186
+ newRefreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true, aux)).token;
178
187
  console.log(`Successful token refresh: ${user.id}`);
179
188
  return { token, refreshToken: newRefreshToken };
180
189
  }
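Review bot: In the `@@ -2,13 +2,22 @@` hunk the `else if` branch assigns `aux['scenario']` on the object the caller handed in, so issuing a refresh token silently rewrites the caller's `aux`; authenticate, authenticateWithScratchCard and refreshToken pass the same object to both issueJwtToken calls, and while the access-token call happens first within each function, a caller that reuses one `aux` across requests will find its later access tokens stamped `scenario: "REFRESH"`. Both branches collapse into a non-mutating copy: `if (issueRefreshToken) aux = Object.assign({}, aux, { scenario: (aux && aux.scenario) || "REFRESH" });`. Since `aux` now becomes part of the signed `data`, a comment above `let data` such as `// aux is embedded in the token payload: readable by any token holder, never put secrets in it` would also help, and because `||` preserves a caller-supplied scenario, `scenario` is not a reliable refresh marker unless it is forced rather than defaulted. The same hunk appears in the UMD build (`@@ -8,13 +8,22 @@`).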
@@ -1 +1 @@
1
- const speakeasy=require("speakeasy"),qrcode=require("qrcode"),md5=require("md5"),jwt=require("jsonwebtoken"),issueJwtToken=async(e,t,r,a)=>{let i=r.secretKey,o=t.getSafeUser?await t.getSafeUser(e):e;o=t.getUserPostAuthenticate?await t.getUserPostAuthenticate(o):o;let s,n={time:Date.now(),user:o};return a&&r.refreshExpiryTimeMs?s=jwt.sign(n,i,{expiresIn:r.refreshExpiryTimeMs}):r.expiryTimeMs&&(s=jwt.sign(n,i,{expiresIn:r.expiryTimeMs})),{token:s,clearedUser:o}},authenticate=async(e,t,r,a,i,o,s)=>{var n;let c=await i.getUser(e);const l=i.userSecretPath?c[i.userSecretPath]:c.mfa,d=i.userPasswordPath?c[i.userPasswordPath]:c.password;if(null==l?void 0:l.enabled){if(!speakeasy.totp.verify({secret:null===(n=null==l?void 0:l.secret)||void 0===n?void 0:n.actual,encoding:"base32",token:r,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(c.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(md5(t||"")==d){const e=a,t=c;if(e){let r=!1;if(e.startsWith("@")){if(r=r||await o.canImpersonate(c,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await o.impersonateOrg(c,e)}else{const a=await i.getUser(e);if(r=r||await o.canImpersonate(c,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);c=a}console.info(`Impersonate success. 
From: ${t.login} into ${e}`)}const r=(await issueJwtToken(c,i,s,!1)).token;let n;return s.refreshExpiryTimeMs&&(n=(await issueJwtToken(c,i,s,!0)).token),console.log(`Successful login: ${c.id}`),{token:r,refreshToken:n}}throw new Error(`Failed authentication attempt ${e}`)},authenticateWithScratchCard=async(e,t,r,a,i)=>{let o,s=i?await t.getUser(i):void 0;if(s&&s.blocked)throw new Error(`Failed card authentication attempt ${i} (Blocked)`);if(i&&!s)throw new Error(`Failed card authentication attempt ${i} (Missing user)`);try{o=await r.consume(e,s)}catch(e){throw new Error(`Failed card authentication attempt ${i} (Consume Failed)`)}try{if(!o)throw new Error(`Failed card authentication attempt ${i} (Consume Failed)`);if(o.blocked)throw new Error(`Failed card authentication attempt ${i} (Blocked as Target)`);const e=await issueJwtToken(o,t,a,!1);let r;return a.refreshExpiryTimeMs&&(r=(await issueJwtToken(o,t,a,!0)).token),console.info(`Card authentication success. Requester:${i} Target:${o.id}`),{token:e.token,refreshToken:r,user:e.clearedUser}}catch(e){throw new Error(`Failed card authentication attempt ${i}`)}},refreshToken=async(e,t,r,a)=>{let i=await r.getUser(e);if(i.blocked)throw new Error(`Failed refresh token attempt ${e} (Blocked)`);if(t){let o=a.secretKey;const s=jwt.verify(t,o).user;if(!s||s.id!=i.id)throw new Error(`Failed refresh token attempt ${e} (Invalid Token)`);const n=(await issueJwtToken(i,r,a,!1)).token;let c;return a.refreshExpiryTimeMs&&(c=(await issueJwtToken(i,r,a,!0)).token),console.log(`Successful token refresh: ${i.id}`),{token:n,refreshToken:c}}throw new Error(`Failed refresh token attempt ${e}`)},mfaRegister=async(e,t,r)=>new Promise(async(a,i)=>{let o=await r.getUser(t),s=r.userSecretPath?o[r.userSecretPath]:o.mfa;const n=speakeasy.generateSecret({name:`${e}: ${t}`});if(!s){s={secret:{temp:void 0,actual:void 0},enabled:!1};o[r.userSecretPath?r.userSecretPath:"mfa"]=s}s.secret.temp=n.base32,s.secret.actual=void 0,await 
r.putUser(o),qrcode.toDataURL(n.otpauth_url,(e,t)=>{if(e)throw new Error("Error generating QR code");a({qr_code:t,secret:n.base32})})}),mfaVerify=async(e,t,r)=>{var a,i;const o=t;let s=await r.getUser(e);const n=r.userSecretPath?s[r.userSecretPath]:s.mfa;return speakeasy.totp.verify({secret:null===(a=null==n?void 0:n.secret)||void 0===a?void 0:a.temp,encoding:"base32",token:o})?(n.secret.actual=null===(i=null==n?void 0:n.secret)||void 0===i?void 0:i.temp,n.enabled=!0,await r.putUser(s),!0):(console.log(`Failed mfa verification for ${e}`),!1)},mfaEnabled=async(e,t)=>{let r=await t.getUser(e);const a=t.userSecretPath?r[t.userSecretPath]:r.mfa;return(null==a?void 0:a.enabled)||!1};export{authenticate,authenticateWithScratchCard,issueJwtToken,mfaEnabled,mfaRegister,mfaVerify,refreshToken};
1
+ const speakeasy=require("speakeasy"),qrcode=require("qrcode"),md5=require("md5"),jwt=require("jsonwebtoken"),issueJwtToken=async(e,t,r,a,i)=>{let o=r.secretKey,s=t.getSafeUser?await t.getSafeUser(e):e;s=t.getUserPostAuthenticate?await t.getUserPostAuthenticate(s):s,a&&!i?i={scenario:"REFRESH"}:a&&i&&(i.scenario=i.scenario||"REFRESH");let n,c={time:Date.now(),user:s,aux:i};return a&&r.refreshExpiryTimeMs?n=jwt.sign(c,o,{expiresIn:r.refreshExpiryTimeMs}):r.expiryTimeMs&&(n=jwt.sign(c,o,{expiresIn:r.expiryTimeMs})),{token:n,clearedUser:s}},authenticate=async(e,t,r,a,i,o,s,n)=>{var c;let l=await i.getUser(e);const d=i.userSecretPath?l[i.userSecretPath]:l.mfa,u=i.userPasswordPath?l[i.userPasswordPath]:l.password;if(null==d?void 0:d.enabled){if(!speakeasy.totp.verify({secret:null===(c=null==d?void 0:d.secret)||void 0===c?void 0:c.actual,encoding:"base32",token:r,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(l.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(md5(t||"")==u){const e=a,t=l;if(e){let r=!1;if(e.startsWith("@")){if(r=r||await o.canImpersonate(l,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await o.impersonateOrg(l,e)}else{const a=await i.getUser(e);if(r=r||await o.canImpersonate(l,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);l=a}console.info(`Impersonate success. 
From: ${t.login} into ${e}`)}const r=(await issueJwtToken(l,i,s,!1,n)).token;let c;return s.refreshExpiryTimeMs&&(c=(await issueJwtToken(l,i,s,!0,n)).token),console.log(`Successful login: ${l.id}`),{token:r,refreshToken:c}}throw new Error(`Failed authentication attempt ${e}`)},authenticateWithScratchCard=async(e,t,r,a,i,o)=>{let s,n=i?await t.getUser(i):void 0;if(n&&n.blocked)throw new Error(`Failed card authentication attempt ${i} (Blocked)`);if(i&&!n)throw new Error(`Failed card authentication attempt ${i} (Missing user)`);try{s=await r.consume(e,n)}catch(e){throw new Error(`Failed card authentication attempt ${i} (Consume Failed)`)}try{if(!s)throw new Error(`Failed card authentication attempt ${i} (Consume Failed)`);if(s.blocked)throw new Error(`Failed card authentication attempt ${i} (Blocked as Target)`);const e=await issueJwtToken(s,t,a,!1,o);let r;return a.refreshExpiryTimeMs&&(r=(await issueJwtToken(s,t,a,!0,o)).token),console.info(`Card authentication success. Requester:${i} Target:${s.id}`),{token:e.token,refreshToken:r,user:e.clearedUser}}catch(e){throw new Error(`Failed card authentication attempt ${i}`)}},refreshToken=async(e,t,r,a,i)=>{let o=await r.getUser(e);if(o.blocked)throw new Error(`Failed refresh token attempt ${e} (Blocked)`);if(t){let s=a.secretKey;const n=jwt.verify(t,s).user;if(!n||n.id!=o.id)throw new Error(`Failed refresh token attempt ${e} (Invalid Token)`);const c=(await issueJwtToken(o,r,a,!1,i)).token;let l;return a.refreshExpiryTimeMs&&(l=(await issueJwtToken(o,r,a,!0,i)).token),console.log(`Successful token refresh: ${o.id}`),{token:c,refreshToken:l}}throw new Error(`Failed refresh token attempt ${e}`)},mfaRegister=async(e,t,r)=>new Promise(async(a,i)=>{let o=await r.getUser(t),s=r.userSecretPath?o[r.userSecretPath]:o.mfa;const n=speakeasy.generateSecret({name:`${e}: ${t}`});if(!s){s={secret:{temp:void 0,actual:void 0},enabled:!1};o[r.userSecretPath?r.userSecretPath:"mfa"]=s}s.secret.temp=n.base32,s.secret.actual=void 0,await 
r.putUser(o),qrcode.toDataURL(n.otpauth_url,(e,t)=>{if(e)throw new Error("Error generating QR code");a({qr_code:t,secret:n.base32})})}),mfaVerify=async(e,t,r)=>{var a,i;const o=t;let s=await r.getUser(e);const n=r.userSecretPath?s[r.userSecretPath]:s.mfa;return speakeasy.totp.verify({secret:null===(a=null==n?void 0:n.secret)||void 0===a?void 0:a.temp,encoding:"base32",token:o})?(n.secret.actual=null===(i=null==n?void 0:n.secret)||void 0===i?void 0:i.temp,n.enabled=!0,await r.putUser(s),!0):(console.log(`Failed mfa verification for ${e}`),!1)},mfaEnabled=async(e,t)=>{let r=await t.getUser(e);const a=t.userSecretPath?r[t.userSecretPath]:r.mfa;return(null==a?void 0:a.enabled)||!1};export{authenticate,authenticateWithScratchCard,issueJwtToken,mfaEnabled,mfaRegister,mfaVerify,refreshToken};
@@ -8,13 +8,22 @@
8
8
  const qrcode = require('qrcode');
9
9
  const md5 = require("md5");
10
10
  const jwt = require('jsonwebtoken');
11
- const issueJwtToken = async (user, userProvider, jwtSpecs, issueRefreshToken) => {
11
+ const issueJwtToken = async (user, userProvider, jwtSpecs, issueRefreshToken, aux) => {
12
12
  let jwtSecretKey = jwtSpecs.secretKey;
13
13
  let clearedUser = userProvider.getSafeUser ? await userProvider.getSafeUser(user) : user;
14
14
  clearedUser = userProvider.getUserPostAuthenticate ? await userProvider.getUserPostAuthenticate(clearedUser) : clearedUser;
15
+ if (issueRefreshToken && !aux) {
16
+ aux = {
17
+ scenario: "REFRESH"
18
+ };
19
+ }
20
+ else if (issueRefreshToken && aux) {
21
+ aux['scenario'] = aux['scenario'] || "REFRESH";
22
+ }
15
23
  let data = {
16
24
  time: Date.now(),
17
- user: clearedUser
25
+ user: clearedUser,
26
+ aux: aux
18
27
  };
19
28
  let token;
20
29
  if (issueRefreshToken && jwtSpecs.refreshExpiryTimeMs) {
@@ -31,7 +40,7 @@
31
40
  /**
32
41
  * When mfaToken is provided
33
42
  */
34
- const authenticate = async (login, password, mfaToken, impersonateEntity, userProvider, impersonateProvider, jwtSpecs) => {
43
+ const authenticate = async (login, password, mfaToken, impersonateEntity, userProvider, impersonateProvider, jwtSpecs, aux) => {
35
44
  var _a;
36
45
  let user = await userProvider.getUser(login);
37
46
  const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
@@ -92,10 +101,10 @@
92
101
  }
93
102
  console.info(`Impersonate success. From: ${originalUser.login} into ${target}`);
94
103
  }
95
- const token = (await issueJwtToken(user, userProvider, jwtSpecs, false)).token;
104
+ const token = (await issueJwtToken(user, userProvider, jwtSpecs, false, aux)).token;
96
105
  let refreshToken;
97
106
  if (jwtSpecs.refreshExpiryTimeMs)
98
- refreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true)).token;
107
+ refreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true, aux)).token;
99
108
  console.log(`Successful login: ${user.id}`);
100
109
  return {
101
110
  token,
@@ -116,7 +125,7 @@
116
125
  * @param jwtSpecs
117
126
  * @returns
118
127
  */
119
- const authenticateWithScratchCard = async (cardCode, userProvider, scratchCardProvider, jwtSpecs, requesterLogin) => {
128
+ const authenticateWithScratchCard = async (cardCode, userProvider, scratchCardProvider, jwtSpecs, requesterLogin, aux) => {
120
129
  let user = requesterLogin ? await userProvider.getUser(requesterLogin) : undefined;
121
130
  if (user && user.blocked)
122
131
  throw new Error(`Failed card authentication attempt ${requesterLogin} (Blocked)`);
@@ -138,10 +147,10 @@
138
147
  throw new Error(`Failed card authentication attempt ${requesterLogin} (Blocked as Target)`);
139
148
  // ok so we will use targetUser as a user that will be actually logged in
140
149
  // in impersonation scenario targetUser may be different then the user.
141
- const jwtData = await issueJwtToken(targetUser, userProvider, jwtSpecs, false);
150
+ const jwtData = await issueJwtToken(targetUser, userProvider, jwtSpecs, false, aux);
142
151
  let refreshToken;
143
152
  if (jwtSpecs.refreshExpiryTimeMs)
144
- refreshToken = (await issueJwtToken(targetUser, userProvider, jwtSpecs, true)).token;
153
+ refreshToken = (await issueJwtToken(targetUser, userProvider, jwtSpecs, true, aux)).token;
145
154
  console.info(`Card authentication success. Requester:${requesterLogin} Target:${targetUser.id}`);
146
155
  return {
147
156
  token: jwtData.token,
@@ -163,7 +172,7 @@
163
172
  * @param jwtSpecs
164
173
  * @returns short lived token
165
174
  */
166
- const refreshToken = async (login, refreshToken, userProvider, jwtSpecs) => {
175
+ const refreshToken = async (login, refreshToken, userProvider, jwtSpecs, aux) => {
167
176
  let user = await userProvider.getUser(login);
168
177
  if (user.blocked)
169
178
  throw new Error(`Failed refresh token attempt ${login} (Blocked)`);
@@ -177,10 +186,10 @@
177
186
  if (!refreshTokenUser || refreshTokenUser.id != user.id) {
178
187
  throw new Error(`Failed refresh token attempt ${login} (Invalid Token)`);
179
188
  }
180
- const token = (await issueJwtToken(user, userProvider, jwtSpecs, false)).token;
189
+ const token = (await issueJwtToken(user, userProvider, jwtSpecs, false, aux)).token;
181
190
  let newRefreshToken;
182
191
  if (jwtSpecs.refreshExpiryTimeMs)
183
- newRefreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true)).token;
192
+ newRefreshToken = (await issueJwtToken(user, userProvider, jwtSpecs, true, aux)).token;
184
193
  console.log(`Successful token refresh: ${user.id}`);
185
194
  return { token, refreshToken: newRefreshToken };
186
195
  }
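Review bot: The refresh path (`@@ -177,10 +186,10 @@` hunk) still accepts any token signed with `jwtSpecs.secretKey` as a refresh token: the only check is `refreshTokenUser.id != user.id`, and the `jwt.verify(...)` call that produces `refreshTokenUser` sits just above the hunk, so a short-lived access token, which has the same signer and the same `user` payload, passes as a refresh token. Now that refresh tokens carry `aux.scenario === "REFRESH"`, the decoded payload can be checked before the id comparison, e.g. `const decoded = jwt.verify(refreshToken, jwtSpecs.secretKey);` then `if (!decoded.aux || decoded.aux.scenario !== "REFRESH") throw new Error("Failed refresh token attempt " + login + " (Not a refresh token)");` and `const refreshTokenUser = decoded.user;`. This only holds if every refresh token gets the marker, and the `||` default in issueJwtToken keeps a caller-supplied scenario, so the marker should be forced on refresh tokens rather than defaulted; tokens issued before this version carry no `aux` at all, so such a check needs a rollover period. The ESM build's `@@ -171,10 +180,10 @@` hunk has the same gap; the `refreshToken` function begins outside both hunks.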
@@ -1 +1 @@
1
- !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).picoAuth={})}(this,function(e){"use strict";const t=require("speakeasy"),r=require("qrcode"),a=require("md5"),o=require("jsonwebtoken"),i=async(e,t,r,a)=>{let i=r.secretKey,n=t.getSafeUser?await t.getSafeUser(e):e;n=t.getUserPostAuthenticate?await t.getUserPostAuthenticate(n):n;let s,c={time:Date.now(),user:n};return a&&r.refreshExpiryTimeMs?s=o.sign(c,i,{expiresIn:r.refreshExpiryTimeMs}):r.expiryTimeMs&&(s=o.sign(c,i,{expiresIn:r.expiryTimeMs})),{token:s,clearedUser:n}};e.authenticate=async(e,r,o,n,s,c,l)=>{var d;let u=await s.getUser(e);const f=s.userSecretPath?u[s.userSecretPath]:u.mfa,h=s.userPasswordPath?u[s.userPasswordPath]:u.password;if(null==f?void 0:f.enabled){if(!t.totp.verify({secret:null===(d=null==f?void 0:f.secret)||void 0===d?void 0:d.actual,encoding:"base32",token:o,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(u.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(a(r||"")==h){const e=n,t=u;if(e){let r=!1;if(e.startsWith("@")){if(r=r||await c.canImpersonate(u,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await c.impersonateOrg(u,e)}else{const a=await s.getUser(e);if(r=r||await c.canImpersonate(u,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);u=a}console.info(`Impersonate success. 
From: ${t.login} into ${e}`)}const r=(await i(u,s,l,!1)).token;let a;return l.refreshExpiryTimeMs&&(a=(await i(u,s,l,!0)).token),console.log(`Successful login: ${u.id}`),{token:r,refreshToken:a}}throw new Error(`Failed authentication attempt ${e}`)},e.authenticateWithScratchCard=async(e,t,r,a,o)=>{let n,s=o?await t.getUser(o):void 0;if(s&&s.blocked)throw new Error(`Failed card authentication attempt ${o} (Blocked)`);if(o&&!s)throw new Error(`Failed card authentication attempt ${o} (Missing user)`);try{n=await r.consume(e,s)}catch(e){throw new Error(`Failed card authentication attempt ${o} (Consume Failed)`)}try{if(!n)throw new Error(`Failed card authentication attempt ${o} (Consume Failed)`);if(n.blocked)throw new Error(`Failed card authentication attempt ${o} (Blocked as Target)`);const e=await i(n,t,a,!1);let r;return a.refreshExpiryTimeMs&&(r=(await i(n,t,a,!0)).token),console.info(`Card authentication success. Requester:${o} Target:${n.id}`),{token:e.token,refreshToken:r,user:e.clearedUser}}catch(e){throw new Error(`Failed card authentication attempt ${o}`)}},e.issueJwtToken=i,e.mfaEnabled=async(e,t)=>{let r=await t.getUser(e);const a=t.userSecretPath?r[t.userSecretPath]:r.mfa;return(null==a?void 0:a.enabled)||!1},e.mfaRegister=async(e,a,o)=>new Promise(async(i,n)=>{let s=await o.getUser(a),c=o.userSecretPath?s[o.userSecretPath]:s.mfa;const l=t.generateSecret({name:`${e}: ${a}`});if(!c){c={secret:{temp:void 0,actual:void 0},enabled:!1};s[o.userSecretPath?o.userSecretPath:"mfa"]=c}c.secret.temp=l.base32,c.secret.actual=void 0,await o.putUser(s),r.toDataURL(l.otpauth_url,(e,t)=>{if(e)throw new Error("Error generating QR code");i({qr_code:t,secret:l.base32})})}),e.mfaVerify=async(e,r,a)=>{var o,i;const n=r;let s=await a.getUser(e);const c=a.userSecretPath?s[a.userSecretPath]:s.mfa;return t.totp.verify({secret:null===(o=null==c?void 0:c.secret)||void 0===o?void 0:o.temp,encoding:"base32",token:n})?(c.secret.actual=null===(i=null==c?void 0:c.secret)||void 0===i?void 
0:i.temp,c.enabled=!0,await a.putUser(s),!0):(console.log(`Failed mfa verification for ${e}`),!1)},e.refreshToken=async(e,t,r,a)=>{let n=await r.getUser(e);if(n.blocked)throw new Error(`Failed refresh token attempt ${e} (Blocked)`);if(t){let s=a.secretKey;const c=o.verify(t,s).user;if(!c||c.id!=n.id)throw new Error(`Failed refresh token attempt ${e} (Invalid Token)`);const l=(await i(n,r,a,!1)).token;let d;return a.refreshExpiryTimeMs&&(d=(await i(n,r,a,!0)).token),console.log(`Successful token refresh: ${n.id}`),{token:l,refreshToken:d}}throw new Error(`Failed refresh token attempt ${e}`)},Object.defineProperty(e,"__esModule",{value:!0})});
1
+ !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).picoAuth={})}(this,function(e){"use strict";const t=require("speakeasy"),r=require("qrcode"),a=require("md5"),o=require("jsonwebtoken"),i=async(e,t,r,a,i)=>{let n=r.secretKey,s=t.getSafeUser?await t.getSafeUser(e):e;s=t.getUserPostAuthenticate?await t.getUserPostAuthenticate(s):s,a&&!i?i={scenario:"REFRESH"}:a&&i&&(i.scenario=i.scenario||"REFRESH");let c,l={time:Date.now(),user:s,aux:i};return a&&r.refreshExpiryTimeMs?c=o.sign(l,n,{expiresIn:r.refreshExpiryTimeMs}):r.expiryTimeMs&&(c=o.sign(l,n,{expiresIn:r.expiryTimeMs})),{token:c,clearedUser:s}};e.authenticate=async(e,r,o,n,s,c,l,d)=>{var u;let f=await s.getUser(e);const h=s.userSecretPath?f[s.userSecretPath]:f.mfa,w=s.userPasswordPath?f[s.userPasswordPath]:f.password;if(null==h?void 0:h.enabled){if(!t.totp.verify({secret:null===(u=null==h?void 0:h.secret)||void 0===u?void 0:u.actual,encoding:"base32",token:o,window:1}))throw new Error(`Failed authentication attempt ${e} (MFA Enabled)`)}if(f.blocked)throw new Error(`Failed authentication attempt ${e} (Blocked)`);if(a(r||"")==w){const e=n,t=f;if(e){let r=!1;if(e.startsWith("@")){if(r=r||await c.canImpersonate(f,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await c.impersonateOrg(f,e)}else{const a=await s.getUser(e);if(r=r||await c.canImpersonate(f,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);f=a}console.info(`Impersonate success. 
From: ${t.login} into ${e}`)}const r=(await i(f,s,l,!1,d)).token;let a;return l.refreshExpiryTimeMs&&(a=(await i(f,s,l,!0,d)).token),console.log(`Successful login: ${f.id}`),{token:r,refreshToken:a}}throw new Error(`Failed authentication attempt ${e}`)},e.authenticateWithScratchCard=async(e,t,r,a,o,n)=>{let s,c=o?await t.getUser(o):void 0;if(c&&c.blocked)throw new Error(`Failed card authentication attempt ${o} (Blocked)`);if(o&&!c)throw new Error(`Failed card authentication attempt ${o} (Missing user)`);try{s=await r.consume(e,c)}catch(e){throw new Error(`Failed card authentication attempt ${o} (Consume Failed)`)}try{if(!s)throw new Error(`Failed card authentication attempt ${o} (Consume Failed)`);if(s.blocked)throw new Error(`Failed card authentication attempt ${o} (Blocked as Target)`);const e=await i(s,t,a,!1,n);let r;return a.refreshExpiryTimeMs&&(r=(await i(s,t,a,!0,n)).token),console.info(`Card authentication success. Requester:${o} Target:${s.id}`),{token:e.token,refreshToken:r,user:e.clearedUser}}catch(e){throw new Error(`Failed card authentication attempt ${o}`)}},e.issueJwtToken=i,e.mfaEnabled=async(e,t)=>{let r=await t.getUser(e);const a=t.userSecretPath?r[t.userSecretPath]:r.mfa;return(null==a?void 0:a.enabled)||!1},e.mfaRegister=async(e,a,o)=>new Promise(async(i,n)=>{let s=await o.getUser(a),c=o.userSecretPath?s[o.userSecretPath]:s.mfa;const l=t.generateSecret({name:`${e}: ${a}`});if(!c){c={secret:{temp:void 0,actual:void 0},enabled:!1};s[o.userSecretPath?o.userSecretPath:"mfa"]=c}c.secret.temp=l.base32,c.secret.actual=void 0,await o.putUser(s),r.toDataURL(l.otpauth_url,(e,t)=>{if(e)throw new Error("Error generating QR code");i({qr_code:t,secret:l.base32})})}),e.mfaVerify=async(e,r,a)=>{var o,i;const n=r;let s=await a.getUser(e);const c=a.userSecretPath?s[a.userSecretPath]:s.mfa;return t.totp.verify({secret:null===(o=null==c?void 0:c.secret)||void 0===o?void 0:o.temp,encoding:"base32",token:n})?(c.secret.actual=null===(i=null==c?void 0:c.secret)||void 
0===i?void 0:i.temp,c.enabled=!0,await a.putUser(s),!0):(console.log(`Failed mfa verification for ${e}`),!1)},e.refreshToken=async(e,t,r,a,n)=>{let s=await r.getUser(e);if(s.blocked)throw new Error(`Failed refresh token attempt ${e} (Blocked)`);if(t){let c=a.secretKey;const l=o.verify(t,c).user;if(!l||l.id!=s.id)throw new Error(`Failed refresh token attempt ${e} (Invalid Token)`);const d=(await i(s,r,a,!1,n)).token;let u;return a.refreshExpiryTimeMs&&(u=(await i(s,r,a,!0,n)).token),console.log(`Successful token refresh: ${s.id}`),{token:d,refreshToken:u}}throw new Error(`Failed refresh token attempt ${e}`)},Object.defineProperty(e,"__esModule",{value:!0})});
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pico-auth",
3
- "version": "0.0.39",
3
+ "version": "0.0.41",
4
4
  "description": "Minimal auth with user/pass, impersonation and mfa authentication",
5
5
  "main": "dist/pico-auth.umd.js",
6
6
  "types": "dist/pico-auth.d.ts",