npm - pico-auth - Versions diffs - 0.0.5 → 0.0.8 - Mend

pico-auth 0.0.5 → 0.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/pico-auth.d.ts CHANGED Viewed

@@ -1,18 +1,29 @@
 declare module "core/auth" {
+    export interface UserProvider {
+        getUser(login: string): Promise<any>;
+        putUser(user: any): Promise<any>;
+        userSecretPath?: string;
+        userPasswordPath?: string;
+    }
+    export interface ImpersonateProvider {
+        canImpersonate(user: any, target: string): Promise<any>;
+        impersonateOrg(user: any, target: string): Promise<any>;
+    }
     /**
      * When mfaToken is provided
      */
-    export const authenticate: (login: string, password: string, mfaToken: string, impersonateEntity: string, userProvider: any, impersonateProvider: any) => Promise<any>;
+    export const authenticate: (login: string, password: string, mfaToken: string, impersonateEntity: string, userProvider: UserProvider, impersonateProvider: any) => Promise<any>;
     /**
      * Will prepare user for MFA activation. Next step is to call verify with token generated in MFA app by the user.
      */
-    export const mfaRegister: (appName: string, login: string, userProvider: any) => Promise<unknown>;
+    export const mfaRegister: (appName: string, login: string, userProvider: UserProvider) => Promise<unknown>;
     /**
      * Will return true and fully initialize MFA for user when token verification was ok. Otherwise will result false;
      */
-    export const mfaVerify: (login: string, mfaToken: string, userProvider: any) => Promise<boolean>;
-    export const mfaEnabled: (login: string, userProvider: any) => Promise<any>;
+    export const mfaVerify: (login: string, mfaToken: string, userProvider: UserProvider) => Promise<boolean>;
+    export const mfaEnabled: (login: string, userProvider: UserProvider) => Promise<any>;
 }
 declare module "pico-auth" {
     export { mfaRegister, mfaVerify, mfaEnabled, authenticate } from "core/auth";
+    export type { UserProvider, ImpersonateProvider } from "core/auth";
 }

package/dist/pico-auth.esm.js CHANGED Viewed

@@ -6,12 +6,14 @@ const jwt = require('jsonwebtoken');
  * When mfaToken is provided
  */
 const authenticate = async (login, password, mfaToken, impersonateEntity, userProvider, impersonateProvider) => {
-    var _a, _b, _c;
+    var _a;
     let user = await userProvider.getUser(login);
-    if ((_a = user.mfa) === null || _a === void 0 ? void 0 : _a.enabled) {
+    const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
+    const userPassword = userProvider.userPasswordPath ? user[userProvider.userPasswordPath] : user.password;
+    if (mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.enabled) {
         // Validate the token against the user's saved secret
         const validated = speakeasy.totp.verify({
-            secret: (_c = (_b = user.mfa) === null || _b === void 0 ? void 0 : _b.secret) === null || _c === void 0 ? void 0 : _c.actual,
+            secret: (_a = mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.secret) === null || _a === void 0 ? void 0 : _a.actual,
             encoding: 'base32',
             mfaToken,
             window: 1, // Adjust window size if tokens have a margin of error
@@ -19,7 +21,7 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
         if (!validated)
             throw new Error(`Failed authentication attempt ${login}`);
     }
-    if (md5(password || '') == user.password) {
+    if (md5(password || '') == userPassword) {
         // check if impersonate mode - this is not yet implemented fully just copy pasta from GRM project
         const target = impersonateEntity; // either target user login or @organizationId
         const originalUser = user;
@@ -31,14 +33,14 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
                 // only organization impersonation
                 // check requesting user has global admin
                 // mayImpersonate = mayImpersonate || user.roles.map(role=>role.toUpperCase()).includes(UserManager.CONST.ROLES.GRM_ADMIN);
-                mayImpersonate = mayImpersonate || impersonateProvider.canImpersonate(user, target);
+                mayImpersonate = mayImpersonate || await impersonateProvider.canImpersonate(user, target);
                 // mayImpersonate = true;
                 // todo check org exists
                 if (!mayImpersonate) {
                     throw new Error(`Failed impersonate attempt. From: ${originalUser.id} into ${target}`);
                 }
                 // switch original user organization_id
-                impersonateProvider.impersonate(user, target);
+                await impersonateProvider.impersonateOrg(user, target);
                 // await userManager.impersonateOrganization(user, target.substring(1).trim());
                 // const organization = await commons.dbApi.adminApi.organization();
                 // user.organization_id = parseInt(target.substring(1).trim()); // skip "@" at the beginning
@@ -52,7 +54,7 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
                 // mayImpersonate = mayImpersonate || (user.organization_id == targetUser.organization_id && user.roles.map(role=>role.toUpperCase()).includes(UserManager.CONST.ROLES.ORG_ADMIN))
                 // check requesting user has global admin
                 // mayImpersonate = mayImpersonate || user.roles.map(role=>role.toUpperCase()).includes(UserManager.CONST.ROLES.GRM_ADMIN);
-                mayImpersonate = mayImpersonate || impersonateProvider.canImpersonate(user, target);
+                mayImpersonate = mayImpersonate || await impersonateProvider.canImpersonate(user, target);
                 if (!mayImpersonate) {
                     throw new Error(`Failed impersonate attempt. From: ${originalUser.id} into ${target}`);
                 }
@@ -80,19 +82,20 @@ const authenticate = async (login, password, mfaToken, impersonateEntity, userPr
 const mfaRegister = async (appName, login, userProvider) => {
     return new Promise(async (resolve, _reject) => {
         let user = await userProvider.getUser(login);
+        let mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
         const secret = speakeasy.generateSecret({
             name: `${appName} (${login})`,
         });
-        if (!user.mfa)
-            user.mfa = {
+        if (!mfaInfo)
+            mfaInfo = {
                 secret: {
                     temp: undefined,
-                    actual: undefined,
-                    enabled: true
-                }
+                    actual: undefined
+                },
+                enabled: false
             };
-        user.mfa.secret.temp = secret.base32;
-        user.mfa.secret.actual = undefined;
+        mfaInfo.secret.temp = secret.base32;
+        mfaInfo.secret.actual = undefined;
         await userProvider.putUser(user);
         qrcode.toDataURL(secret.otpauth_url, (err, data) => {
             if (err) {
@@ -112,18 +115,20 @@ const mfaRegister = async (appName, login, userProvider) => {
  * Will return true and fully initialize MFA for user when token verification was ok. Otherwise will result false;
  */
 const mfaVerify = async (login, mfaToken, userProvider) => {
-    var _a, _b, _c, _d;
+    var _a, _b;
     const token = mfaToken;
     // load user
     let user = await userProvider.getUser(login);
+    const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
     // Verify the token using the saved secret
     const verified = speakeasy.totp.verify({
-        secret: (_b = (_a = user.mfa) === null || _a === void 0 ? void 0 : _a.secret) === null || _b === void 0 ? void 0 : _b.temp,
+        secret: (_a = mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.secret) === null || _a === void 0 ? void 0 : _a.temp,
         encoding: 'base32',
         token,
     });
     if (verified) {
-        user.mfa.secret.actual = (_d = (_c = user.mfa) === null || _c === void 0 ? void 0 : _c.secret) === null || _d === void 0 ? void 0 : _d.temp;
+        mfaInfo.secret.actual = (_b = mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.secret) === null || _b === void 0 ? void 0 : _b.temp;
+        mfaInfo.enabled = true;
         await userProvider.putUser(user);
         return true;
     }
@@ -133,9 +138,9 @@ const mfaVerify = async (login, mfaToken, userProvider) => {
     }
 };
 const mfaEnabled = async (login, userProvider) => {
-    var _a;
     let user = await userProvider.getUser(login);
-    return (_a = user.mfa) === null || _a === void 0 ? void 0 : _a.enabled;
+    const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
+    return mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.enabled;
 };
 export { authenticate, mfaEnabled, mfaRegister, mfaVerify };

package/dist/pico-auth.esm.min.js CHANGED Viewed

	@@ -1 +1 @@
1	- const speakeasy=require("speakeasy"),qrcode=require("qrcode"),md5=require("md5"),jwt=require("jsonwebtoken"),authenticate=async(e,t,a,r,o,i)=>{var n~~,s,c~~;let l=await o.getUser(e);~~if(null===(n~~=l.~~mfa)\|\|void 0===n~~?void 0:n.enabled){if(!speakeasy.totp.verify({secret:null===(c=null~~===(s=l.mfa)\|\|void 0===s~~?void 0:s.secret)\|\|void 0===c?void 0:c.actual,encoding:"base32",mfaToken:a,window:1}))throw new Error(`Failed authentication attempt ${e}`)}if(md5(t\|\|"")==l~~.password~~){const e=r,t=l;if(e){let a=!1;if(e.startsWith("@")){if(a=a\|\|i.canImpersonate(l,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);i.~~impersonate~~(l,e)}else{const r=await o.getUser(e);if(a=a\|\|i.canImpersonate(l,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);l=r}console.info(`Impersonate success. From: ${t.login} into ${e}`)}let a=process.env.JWT_SECRET_KEY,n={time:Date.now(),user:l};const s=jwt.sign(n,a,{expiresIn:process.env.JWT_EXPIRY_TIME});return console.log(`Successful login: ${l.id}`),s}throw new Error(`Failed authentication attempt ${e}`)},mfaRegister=async(e,t,a)=>new Promise((async(r,o)=>{let i=await a.getUser(t);const n=speakeasy.generateSecret({name:`${e} (${t})`});~~i.mfa~~\|\|(~~i.mfa~~={secret:{temp:void 0,actual:void 0,enabled:!0}}),i.~~mfa.~~secret.temp=n.base32,i.~~mfa.~~secret.actual=void 0,await a.putUser(i),qrcode.toDataURL(n.otpauth_url,((e,t)=>{if(e)throw new Error("Error generating QR code");r({qr_code:t,secret:n.base32})}))})),mfaVerify=async(e,t,a)=>{var r,~~o,i,n~~;const s=t;let c=await a.getUser(e);return speakeasy.totp.verify({secret:null===(o=null~~===(r=c.mfa)\|\|void 0===r~~?void 0:r.secret)\|\|void 0===o?void 0:o.temp,encoding:"base32",token:s})?(c.~~mfa.~~secret.actual=null===(n=null~~===(~~i~~=c.mfa)\|\|void 0===i~~?void 0:i.secret)\|\|void 0===n?void 0:n.temp,await a.putUser(c),!0):(console.log(`Failed mfa verification for ${e}`),!1)},mfaEnabled=async(e,t)=>{~~var~~ a~~;return null===(a~~=(await t.getUser(e)).mfa~~)\|\|void~~ ~~0===a~~?void 0:a.enabled};export{authenticate,mfaEnabled,mfaRegister,mfaVerify};
1	+ const speakeasy=require("speakeasy"),qrcode=require("qrcode"),md5=require("md5"),jwt=require("jsonwebtoken"),authenticate=async(e,t,a,r,s,o)=>{var n;let i=await s.getUser(e);const c=s.userSecretPath?i[s.userSecretPath]:i.mfa,l=s.userPasswordPath?i[s.userPasswordPath]:i.password;if(null==c?void 0:c.enabled){if(!speakeasy.totp.verify({secret:null===(n=null==c?void 0:c.secret)\|\|void 0===n?void 0:n.actual,encoding:"base32",mfaToken:a,window:1}))throw new Error(`Failed authentication attempt ${e}`)}if(md5(t\|\|"")==l){const e=r,t=i;if(e){let a=!1;if(e.startsWith("@")){if(a=a\|\|await o.canImpersonate(i,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await o.impersonateOrg(i,e)}else{const r=await s.getUser(e);if(a=a\|\|await o.canImpersonate(i,e),!a)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);i=r}console.info(`Impersonate success. From: ${t.login} into ${e}`)}let a=process.env.JWT_SECRET_KEY,n={time:Date.now(),user:i};const c=jwt.sign(n,a,{expiresIn:process.env.JWT_EXPIRY_TIME});return console.log(`Successful login: ${i.id}`),c}throw new Error(`Failed authentication attempt ${e}`)},mfaRegister=async(e,t,a)=>new Promise((async(r,s)=>{let o=await a.getUser(t),n=a.userSecretPath?o[a.userSecretPath]:o.mfa;const i=speakeasy.generateSecret({name:`${e} (${t})`});n\|\|(n={secret:{temp:void 0,actual:void 0},enabled:!1}),n.secret.temp=i.base32,n.secret.actual=void 0,await a.putUser(o),qrcode.toDataURL(i.otpauth_url,((e,t)=>{if(e)throw new Error("Error generating QR code");r({qr_code:t,secret:i.base32})}))})),mfaVerify=async(e,t,a)=>{var r,s;const o=t;let n=await a.getUser(e);const i=a.userSecretPath?n[a.userSecretPath]:n.mfa;return speakeasy.totp.verify({secret:null===(r=null==i?void 0:i.secret)\|\|void 0===r?void 0:r.temp,encoding:"base32",token:o})?(i.secret.actual=null===(s=null==i?void 0:i.secret)\|\|void 0===s?void 0:s.temp,i.enabled=!0,await a.putUser(n),!0):(console.log(`Failed mfa verification for ${e}`),!1)},mfaEnabled=async(e,t)=>{let a=await t.getUser(e);const r=t.userSecretPath?a[t.userSecretPath]:a.mfa;return null==r?void 0:r.enabled};export{authenticate,mfaEnabled,mfaRegister,mfaVerify};

package/dist/pico-auth.umd.js CHANGED Viewed

@@ -12,12 +12,14 @@
      * When mfaToken is provided
      */
     const authenticate = async (login, password, mfaToken, impersonateEntity, userProvider, impersonateProvider) => {
-        var _a, _b, _c;
+        var _a;
         let user = await userProvider.getUser(login);
-        if ((_a = user.mfa) === null || _a === void 0 ? void 0 : _a.enabled) {
+        const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
+        const userPassword = userProvider.userPasswordPath ? user[userProvider.userPasswordPath] : user.password;
+        if (mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.enabled) {
             // Validate the token against the user's saved secret
             const validated = speakeasy.totp.verify({
-                secret: (_c = (_b = user.mfa) === null || _b === void 0 ? void 0 : _b.secret) === null || _c === void 0 ? void 0 : _c.actual,
+                secret: (_a = mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.secret) === null || _a === void 0 ? void 0 : _a.actual,
                 encoding: 'base32',
                 mfaToken,
                 window: 1, // Adjust window size if tokens have a margin of error
@@ -25,7 +27,7 @@
             if (!validated)
                 throw new Error(`Failed authentication attempt ${login}`);
         }
-        if (md5(password || '') == user.password) {
+        if (md5(password || '') == userPassword) {
             // check if impersonate mode - this is not yet implemented fully just copy pasta from GRM project
             const target = impersonateEntity; // either target user login or @organizationId
             const originalUser = user;
@@ -37,14 +39,14 @@
                     // only organization impersonation
                     // check requesting user has global admin
                     // mayImpersonate = mayImpersonate || user.roles.map(role=>role.toUpperCase()).includes(UserManager.CONST.ROLES.GRM_ADMIN);
-                    mayImpersonate = mayImpersonate || impersonateProvider.canImpersonate(user, target);
+                    mayImpersonate = mayImpersonate || await impersonateProvider.canImpersonate(user, target);
                     // mayImpersonate = true;
                     // todo check org exists
                     if (!mayImpersonate) {
                         throw new Error(`Failed impersonate attempt. From: ${originalUser.id} into ${target}`);
                     }
                     // switch original user organization_id
-                    impersonateProvider.impersonate(user, target);
+                    await impersonateProvider.impersonateOrg(user, target);
                     // await userManager.impersonateOrganization(user, target.substring(1).trim());
                     // const organization = await commons.dbApi.adminApi.organization();
                     // user.organization_id = parseInt(target.substring(1).trim()); // skip "@" at the beginning
@@ -58,7 +60,7 @@
                     // mayImpersonate = mayImpersonate || (user.organization_id == targetUser.organization_id && user.roles.map(role=>role.toUpperCase()).includes(UserManager.CONST.ROLES.ORG_ADMIN))
                     // check requesting user has global admin
                     // mayImpersonate = mayImpersonate || user.roles.map(role=>role.toUpperCase()).includes(UserManager.CONST.ROLES.GRM_ADMIN);
-                    mayImpersonate = mayImpersonate || impersonateProvider.canImpersonate(user, target);
+                    mayImpersonate = mayImpersonate || await impersonateProvider.canImpersonate(user, target);
                     if (!mayImpersonate) {
                         throw new Error(`Failed impersonate attempt. From: ${originalUser.id} into ${target}`);
                     }
@@ -86,19 +88,20 @@
     const mfaRegister = async (appName, login, userProvider) => {
         return new Promise(async (resolve, _reject) => {
             let user = await userProvider.getUser(login);
+            let mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
             const secret = speakeasy.generateSecret({
                 name: `${appName} (${login})`,
             });
-            if (!user.mfa)
-                user.mfa = {
+            if (!mfaInfo)
+                mfaInfo = {
                     secret: {
                         temp: undefined,
-                        actual: undefined,
-                        enabled: true
-                    }
+                        actual: undefined
+                    },
+                    enabled: false
                 };
-            user.mfa.secret.temp = secret.base32;
-            user.mfa.secret.actual = undefined;
+            mfaInfo.secret.temp = secret.base32;
+            mfaInfo.secret.actual = undefined;
             await userProvider.putUser(user);
             qrcode.toDataURL(secret.otpauth_url, (err, data) => {
                 if (err) {
@@ -118,18 +121,20 @@
      * Will return true and fully initialize MFA for user when token verification was ok. Otherwise will result false;
      */
     const mfaVerify = async (login, mfaToken, userProvider) => {
-        var _a, _b, _c, _d;
+        var _a, _b;
         const token = mfaToken;
         // load user
         let user = await userProvider.getUser(login);
+        const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
         // Verify the token using the saved secret
         const verified = speakeasy.totp.verify({
-            secret: (_b = (_a = user.mfa) === null || _a === void 0 ? void 0 : _a.secret) === null || _b === void 0 ? void 0 : _b.temp,
+            secret: (_a = mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.secret) === null || _a === void 0 ? void 0 : _a.temp,
             encoding: 'base32',
             token,
         });
         if (verified) {
-            user.mfa.secret.actual = (_d = (_c = user.mfa) === null || _c === void 0 ? void 0 : _c.secret) === null || _d === void 0 ? void 0 : _d.temp;
+            mfaInfo.secret.actual = (_b = mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.secret) === null || _b === void 0 ? void 0 : _b.temp;
+            mfaInfo.enabled = true;
             await userProvider.putUser(user);
             return true;
         }
@@ -139,9 +144,9 @@
         }
     };
     const mfaEnabled = async (login, userProvider) => {
-        var _a;
         let user = await userProvider.getUser(login);
-        return (_a = user.mfa) === null || _a === void 0 ? void 0 : _a.enabled;
+        const mfaInfo = userProvider.userSecretPath ? user[userProvider.userSecretPath] : user.mfa;
+        return mfaInfo === null || mfaInfo === void 0 ? void 0 : mfaInfo.enabled;
     };
     exports.authenticate = authenticate;

package/dist/pico-auth.umd.min.js CHANGED Viewed

	@@ -1 +1 @@
1	- !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e\|\|self).picoAuth={})}(this,(function(e){"use strict";const t=require("speakeasy"),o=require("qrcode"),a=require("md5"),r=require("jsonwebtoken");e.authenticate=async(e,o,i,n,s,c)=>{var l~~,d,f~~;let u=await s.getUser(e);~~if(null===(l~~=u.mfa~~)\|\|void 0===l~~?void 0:l.enabled){if(!t.totp.verify({secret:null===(f=null~~===(~~d~~=u.mfa)\|\|void 0===d~~?void 0:d.secret)\|\|void 0===f?void 0:f.actual,encoding:"base32",mfaToken:i,window:1}))throw new Error(`Failed authentication attempt ${e}`)}if(a(o\|\|"")==~~u.password~~){const e=n,t=u;if(e){let o=!1;if(e.startsWith("@")){if(o=o\|\|c.canImpersonate(u,e),!o)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);c.~~impersonate~~(u,e)}else{const a=await s.getUser(e);if(o=o\|\|c.canImpersonate(u,e),!o)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);u=a}console.info(`Impersonate success. From: ${t.login} into ${e}`)}let o=process.env.JWT_SECRET_KEY,a={time:Date.now(),user:u};const i=r.sign(a,o,{expiresIn:process.env.JWT_EXPIRY_TIME});return console.log(`Successful login: ${u.id}`),i}throw new Error(`Failed authentication attempt ${e}`)},e.mfaEnabled=async(e,t)=>{~~var~~ ~~o;return null===(o~~=(await t.getUser(e)).mfa~~)\|\|void~~ ~~0===o~~?void 0:o.enabled},e.mfaRegister=async(e,a,r)=>new Promise((async(i,n)=>{let s=await r.getUser(a);const c=t.generateSecret({name:`${e} (${a})`});~~s.mfa~~\|\|(~~s.mfa~~={secret:{temp:void 0,actual:void 0,enabled:!0}}),s.~~mfa.~~secret.temp=c.base32,s.~~mfa.~~secret.actual=void 0,await r.putUser(s),o.toDataURL(c.otpauth_url,((e,t)=>{if(e)throw new Error("Error generating QR code");i({qr_code:t,secret:c.base32})}))})),e.mfaVerify=async(e,o,a)=>{var r,i,n,s;const c=o;let l=await a.getUser(e);return t.totp.verify({secret:null===(i=null~~===(r=l.mfa)\|\|void 0===r~~?void 0:r.secret)\|\|void 0===i?void 0:i.temp,encoding:"base32",token:c})?(l.~~mfa.~~secret.actual=null===(s=null~~===(n=l.mfa)\|\|void 0===n~~?void 0:n.secret)\|\|void 0===s?void 0:s.temp,await a.putUser(l),!0):(console.log(`Failed mfa verification for ${e}`),!1)},Object.defineProperty(e,"__esModule",{value:!0})}));
1	+ !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e\|\|self).picoAuth={})}(this,(function(e){"use strict";const t=require("speakeasy"),r=require("qrcode"),a=require("md5"),o=require("jsonwebtoken");e.authenticate=async(e,r,n,s,i,c)=>{var l;let u=await i.getUser(e);const d=i.userSecretPath?u[i.userSecretPath]:u.mfa,f=i.userPasswordPath?u[i.userPasswordPath]:u.password;if(null==d?void 0:d.enabled){if(!t.totp.verify({secret:null===(l=null==d?void 0:d.secret)\|\|void 0===l?void 0:l.actual,encoding:"base32",mfaToken:n,window:1}))throw new Error(`Failed authentication attempt ${e}`)}if(a(r\|\|"")==f){const e=s,t=u;if(e){let r=!1;if(e.startsWith("@")){if(r=r\|\|await c.canImpersonate(u,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);await c.impersonateOrg(u,e)}else{const a=await i.getUser(e);if(r=r\|\|await c.canImpersonate(u,e),!r)throw new Error(`Failed impersonate attempt. From: ${t.id} into ${e}`);u=a}console.info(`Impersonate success. From: ${t.login} into ${e}`)}let r=process.env.JWT_SECRET_KEY,a={time:Date.now(),user:u};const n=o.sign(a,r,{expiresIn:process.env.JWT_EXPIRY_TIME});return console.log(`Successful login: ${u.id}`),n}throw new Error(`Failed authentication attempt ${e}`)},e.mfaEnabled=async(e,t)=>{let r=await t.getUser(e);const a=t.userSecretPath?r[t.userSecretPath]:r.mfa;return null==a?void 0:a.enabled},e.mfaRegister=async(e,a,o)=>new Promise((async(n,s)=>{let i=await o.getUser(a),c=o.userSecretPath?i[o.userSecretPath]:i.mfa;const l=t.generateSecret({name:`${e} (${a})`});c\|\|(c={secret:{temp:void 0,actual:void 0},enabled:!1}),c.secret.temp=l.base32,c.secret.actual=void 0,await o.putUser(i),r.toDataURL(l.otpauth_url,((e,t)=>{if(e)throw new Error("Error generating QR code");n({qr_code:t,secret:l.base32})}))})),e.mfaVerify=async(e,r,a)=>{var o,n;const s=r;let i=await a.getUser(e);const c=a.userSecretPath?i[a.userSecretPath]:i.mfa;return t.totp.verify({secret:null===(o=null==c?void 0:c.secret)\|\|void 0===o?void 0:o.temp,encoding:"base32",token:s})?(c.secret.actual=null===(n=null==c?void 0:c.secret)\|\|void 0===n?void 0:n.temp,c.enabled=!0,await a.putUser(i),!0):(console.log(`Failed mfa verification for ${e}`),!1)},Object.defineProperty(e,"__esModule",{value:!0})}));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pico-auth",
-  "version": "0.0.5",
+  "version": "0.0.8",
   "description": "Minimal auth with user/pass, impersonation and mfa authentication",
   "main": "dist/pico-auth.umd.js",
   "types": "dist/pico-auth.d.ts",