@api-client/core 0.5.20 → 0.5.21

package/src/authorization/OidcAuthorization.ts

@@ -0,0 +1,143 @@
+import { IOidcTokenInfo, IOidcTokenError, ITokenInfo } from '../models/Authorization.js';
+import { Tokens } from './lib/Tokens.js';
+import { OAuth2Authorization, grantResponseMapping, reportOAuthError, resolveFunction, rejectFunction, handleTokenInfo } from './OAuth2Authorization.js';
+import { nonceGenerator } from './Utils.js';
+
+export class OidcAuthorization extends OAuth2Authorization {
+  /**
+   * @returns The parameters to build popup URL.
+   */
+  async buildPopupUrlParams(): Promise<URL | null> {
+    const url = await super.buildPopupUrlParams();
+    if (url === null) {
+      return url;
+    }
+    const type = (this.settings.responseType || grantResponseMapping[this.settings.grantType!]);
+    // ID token nonce
+    if (type.includes('id_token')) {
+      url.searchParams.set('nonce', nonceGenerator());
+    }
+    return url;
+  }
+
+  /**
+   * @param params The instance of search params with the response from the auth dialog.
+   * @returns true when the params qualify as an authorization popup redirect response.
+   */
+  validateTokenResponse(params: URLSearchParams): boolean {
+    if (params.has('id_token')) {
+      return true;
+    }
+    return super.validateTokenResponse(params);
+  }
+
+  /**
+   * Processes the response returned by the popup or the iframe.
+   */
+  async processTokenResponse(params: URLSearchParams): Promise<void> {
+    this.clearObservers();
+    const state = params.get('state');
+    if (!state) {
+      this[reportOAuthError]('Server did not return the state parameter.', 'no_state');
+      return;
+    }
+    if (state !== this.state) {
+      // The authorization class (this) is created per token request so this can only have one state.
+      // When the app requests for more tokens at the same time is should create multiple instances of this.
+      this[reportOAuthError]('The state value returned by the authorization server is invalid.', 'invalid_state');
+      return;
+    }
+    if (params.has('error')) {
+      const info = this.createTokenResponseError(params);
+      // @ts-ignore
+      this[reportOAuthError](...info);
+      return;
+    }
+    // this is the time when the tokens are received. +- a few ms.
+    const time = Date.now();
+    const tokens: (IOidcTokenInfo|IOidcTokenError)[] | null = this.prepareTokens(params, time);
+    if (!Array.isArray(tokens) || !tokens.length) {
+      this[reportOAuthError]('The authorization response has unknown response type configuration.', 'unknown_state');
+      return;
+    }
+    const codeIndex = tokens.findIndex(i => i.responseType === 'code');
+    if (codeIndex >= 0) {
+      const codeToken = tokens[codeIndex] as IOidcTokenInfo;
+      try {
+        const info = await this.getCodeInfo(codeToken.code!);
+        if (info.error) {
+          tokens[codeIndex] = {
+            responseType: codeToken.responseType,
+            state: codeToken.state,
+            error: info.error,
+            errorDescription: info.errorDescription,
+          } as IOidcTokenError;
+        } else {
+          codeToken.accessToken = info.accessToken;
+          codeToken.refreshToken = info.refreshToken;
+          codeToken.idToken = info.idToken;
+          codeToken.tokenType = info.tokenType;
+          codeToken.expiresIn = info.expiresIn;
+          codeToken.scope = Tokens.computeTokenInfoScopes(this.settings.scopes, info.scope);
+        }
+      } catch (e) {
+        tokens[codeIndex] = {
+          responseType: codeToken.responseType,
+          state: codeToken.state,
+          error: 'unknown_state',
+          errorDescription: (e as Error).message,
+        } as IOidcTokenError;
+      }
+    }
+    this.finish(tokens);
+  }
+
+  /**
+   * Creates a token info object for each requested response type. These are created from the params received from the 
+   * redirect URI. This means that it might not be complete (for code response type).
+   * @param params
+   * @param time Timestamp when the tokens were created
+   */
+  prepareTokens(params: URLSearchParams, time: number): IOidcTokenInfo[] | null {
+    const { grantType, responseType='', scopes } = this.settings;
+    let type = responseType;
+    if (!type) {
+      type = grantResponseMapping[grantType!];
+    }
+    if (!type) {
+      return null;
+    }
+    const types = type.split(' ').map(i => i.trim()).filter(i => !!i);
+    const result: IOidcTokenInfo[] = [];
+    types.forEach(item => {
+      const info = Tokens.createTokenInfo(item, params, time, scopes);
+      if (info) {
+        result.push(info);
+      }
+    });
+    return result;
+  }
+
+  /**
+   * Finishes the authorization.
+   */
+  finish(tokens: (IOidcTokenInfo|IOidcTokenError)[]): void {
+    if (this[resolveFunction]) {
+      this[resolveFunction]!(tokens as any);
+    }
+    this[rejectFunction] = undefined;
+    this[resolveFunction] = undefined;
+  }
+
+  /**
+   * Processes token info object when it's ready.
+   *
+   * @param info Token info returned from the server.
+   */
+  [handleTokenInfo](info: ITokenInfo): void {
+    const { responseType } = this.settings;
+    const token = Tokens.fromTokenInfo(info);
+    token.responseType = responseType || '';
+    this.finish([token]);
+  }
+}

package/src/authorization/Utils.ts

@@ -0,0 +1,126 @@
+import { IOAuth2Authorization } from "../models/Authorization.js";
+
+/**
+ * Checks if the URL has valid scheme for OAuth flow.
+ * 
+ * Do not use this to validate redirect URIs as they can use any protocol.
+ *
+ * @param url The url value to test
+ * @throws {TypeError} When passed value is not set, empty, or not a string
+ * @throws {Error} When passed value is not a valid URL for OAuth 2 flow
+ */
+ export function checkUrl(url: string): void {
+  if (!url) {
+    throw new TypeError("the value is missing");
+  }
+  if (typeof url !== "string") {
+    throw new TypeError("the value is not a string");
+  }
+  if (!url.startsWith("http://") && !url.startsWith("https://")) {
+    throw new Error("the value has invalid scheme");
+  }
+}
+
+/**
+ * Checks if basic configuration of the OAuth 2 request is valid an can proceed
+ * with authentication.
+ * @param settings authorization settings
+ * @throws {Error} When settings are not valid
+ */
+export function sanityCheck(settings: IOAuth2Authorization): void {
+  if (["implicit", "authorization_code"].includes(settings.grantType!)) {
+    try {
+      checkUrl(settings.authorizationUri!);
+    } catch (e) {
+      throw new Error(`authorizationUri: ${(e as Error).message}`);
+    }
+    if (settings.accessTokenUri) {
+      try {
+        checkUrl(settings.accessTokenUri);
+      } catch (e) {
+        throw new Error(`accessTokenUri: ${(e as Error).message}`);
+      }
+    }
+  } else if (settings.accessTokenUri) {
+    try {
+      checkUrl(settings.accessTokenUri);
+    } catch (e) {
+      throw new Error(`accessTokenUri: ${(e as Error).message}`);
+    }
+  }
+}
+
+/**
+ * Generates a random string of characters.
+ *
+ * @returns A random string.
+ */
+export function randomString(): string {
+  const array = new Uint32Array(28);
+  window.crypto.getRandomValues(array);
+  return Array.from(array, (dec) => `0${dec.toString(16)}`.substr(-2)).join("");
+}
+
+/**
+ * Replaces `-` or `_` with camel case.
+ * @param {string} name The string to process
+ * @return {String|undefined} Camel cased string or `undefined` if not transformed.
+ */
+export function camel(name: string): string | undefined {
+  let i = 0;
+  let l;
+  let changed = false;
+  // eslint-disable-next-line no-cond-assign
+  while ((l = name[i])) {
+    if ((l === "_" || l === "-") && i + 1 < name.length) {
+      // eslint-disable-next-line no-param-reassign
+      name = name.substr(0, i) + name[i + 1].toUpperCase() + name.substr(i + 2);
+      changed = true;
+    }
+    // eslint-disable-next-line no-plusplus
+    i++;
+  }
+  return changed ? name : undefined;
+}
+
+/**
+ * Computes the SHA256 hash ogf the given input.
+ * @param value The value to encode.
+ */
+export async function sha256(value: string): Promise<ArrayBuffer> {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(value);
+  return window.crypto.subtle.digest("SHA-256", data);
+}
+
+/**
+ * Encoded the array buffer to a base64 string value.
+ */
+export function base64Buffer(buffer: ArrayBuffer): string {
+  const view = new Uint8Array(buffer);
+  const str = String.fromCharCode.apply(null, view as any);
+  return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+/**
+ * Generates code challenge for the PKCE extension to the OAuth2 specification.
+ * @param verifier The generated code verifier.
+ * @returns The code challenge string
+ */
+export async function generateCodeChallenge(verifier: string): Promise<string> {
+  const hashed = await sha256(verifier);
+  return base64Buffer(hashed);
+}
+
+/**
+ * Generates cryptographically significant random string.
+ * @param size The size of the generated nonce.
+ * @returns A nonce (number used once).
+ */
+export function nonceGenerator(size = 20): string {
+  const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+  let array = new Uint8Array(size);
+  window.crypto.getRandomValues(array);
+  array = array.map(x => validChars.charCodeAt(x % validChars.length));
+  return String.fromCharCode.apply(null, array as any);
+}

package/src/authorization/lib/IframeAuthorization.ts

@@ -0,0 +1,128 @@
+/* eslint-disable class-methods-use-this */
+export const loadHandler = Symbol('loadHandler');
+export const timeoutValue = Symbol('timeoutValue');
+export const checkInterval = Symbol('checkInterval');
+export const limitValue = Symbol('limitValue');
+export const targetValue = Symbol('targetValue');
+
+/**
+ * Adds the support for the iframe authorization.
+ * 
+ * This class creates and loads an iframe for the given URL. Then it runs a timer recursively 
+ * that increases its interval multiplying its last timeout value by 2. 
+ * The the timer reaches timeout it dispatches the timeout event.
+ * 
+ * The library takes into the account the redirects.
+ * 
+ * Call the `cancel()` and the `cleanUp()` functions when the authorization data is received.
+ */
+export class IframeAuthorization extends EventTarget {
+  loadTimeout?: any;
+
+  timedOut = false;
+
+  [timeoutValue] = 8;
+
+  [limitValue]: number;
+
+  [targetValue]: HTMLElement;
+
+  frame?: HTMLIFrameElement;
+
+  /**
+   * @param limit The timeout limit after which the library calls timeout if it wasn't cancelled.
+   * @param target A target node where to add the iframe into.
+   */
+  constructor(limit=1020, target:HTMLElement=document.body) {
+    super();
+    this[limitValue] = limit;
+    this[targetValue] = target;
+
+    this[loadHandler] = this[loadHandler].bind(this);
+    this[checkInterval] = this[checkInterval].bind(this);
+  }
+
+  /**
+   * A function to be called when the timer is no longer needed.
+   */
+  cancel(): void {
+    if (this.loadTimeout) {
+      clearTimeout(this.loadTimeout);
+      this.loadTimeout = undefined;
+    }
+  }
+
+  /**
+   * Removes any existing frame and removes any remaining listeners.
+   */
+  cleanUp(): void {
+    if (!this.frame) {
+      return;
+    }
+    this.frame.removeEventListener('load', this[loadHandler]);
+    if (this.frame.parentElement) {
+      this.frame.parentElement.removeChild(this.frame);
+    }
+    this.frame = undefined;
+  }
+
+  /**
+   * Creates an invisible frame and loads the given URL
+   * @param url THe resource to load.
+   */
+  load(url: string): void {
+    const iframe = document.createElement('iframe');
+    iframe.style.border = '0';
+    iframe.style.width = '0';
+    iframe.style.height = '0';
+    iframe.style.overflow = 'hidden';
+    iframe.addEventListener('load', this[loadHandler]);
+    iframe.id = 'oauth2-authorization-frame';
+    iframe.setAttribute('data-owner', 'oauth2-authorization');
+    iframe.setAttribute('aria-hidden', 'true');
+    this[targetValue].appendChild(iframe);
+    iframe.src = url;
+    this.frame = iframe;
+  }
+
+  /**
+   * Handler for the `load` event on the frame.
+   * @param {Event} e
+   */
+  [loadHandler](e: Event): void {
+    this.cancel();
+    const iframe = e.target as HTMLIFrameElement
+    try {
+      if (iframe.contentWindow) {
+        iframe.contentWindow.addEventListener('unload', () => {
+          this.cancel();
+        });
+      }
+    } catch (_) {
+      // ...
+    }
+
+    this[timeoutValue] = 8;
+    this.loadTimeout = setTimeout(this[checkInterval], this[timeoutValue]);
+  }
+
+  /**
+   * A callback function that runs in the timeout.
+   * It calls the timeout if the timeout value reaches the limit or increases the timeout value
+   * and runs the counter once again.
+   */
+  [checkInterval](): void {
+    if (this.timedOut) {
+      return;
+    }
+    if (this[timeoutValue] >= this[limitValue]) {
+      this.cancel();
+      this.dispatchEvent(new Event('timeout'));
+      this.timedOut = true;
+      this.cleanUp();
+      return;
+    }
+    this[timeoutValue] *= 2;
+    this.loadTimeout = setTimeout(this[checkInterval], this[timeoutValue]);
+  }
+}

package/src/authorization/lib/KnownGrants.ts

@@ -0,0 +1,6 @@
+export const implicit = 'implicit';
+export const code = 'authorization_code';
+export const clientCredentials = 'client_credentials';
+export const password = 'password';
+export const jwtBearer = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
+export const deviceCode = 'urn:ietf:params:oauth:grant-type:device_code';

package/src/authorization/lib/PopupAuthorization.ts

@@ -0,0 +1,80 @@
+export const observePopupState = Symbol('observePopupState');
+export const popupInterval = Symbol('popupInterval');
+export const popupObserver = Symbol('popupObserver');
+export const intervalValue = Symbol('intervalValue');
+
+/**
+ * Adds support for the popup window authorization.
+ * 
+ * The set timeout hack is used because I can't see other way of doing this 
+ * as load/unload events are called only once (even with redirects)
+ * and there's no way of knowing what is happening in the popup (so no timeouts).
+ * The user may need more time to authorize themselves and then the application.
+ * 
+ * This class dispatches the `close` event when the popup was closed.
+ * 
+ * Call the `cleanUp()` function when the authorization data is received.
+ */
+export class PopupAuthorization extends EventTarget {
+  [intervalValue]: number;
+
+  popup?: Window;
+
+  [popupInterval]: any;
+
+  /**
+   * @param interval The popup state check interval
+   */
+  constructor(interval = 50) {
+    super();
+    this[intervalValue] = interval;
+    this[popupObserver] = this[popupObserver].bind(this);
+  }
+
+  /**
+   * Removes any existing frame and removes any remaining listeners.
+   */
+  cleanUp(): void {
+    if (this[popupInterval]) {
+      clearInterval(this[popupInterval]);
+      this[popupInterval] = undefined;
+    }
+    const { popup } = this;
+    if (popup && !popup.closed) {
+      popup.close();
+    }
+    this.popup = undefined;
+  }
+
+  /**
+   * Opens a popup to request authorization from the user.
+   * @param url The URL to open.
+   */
+  load(url: string): void {
+    const op = 'menubar=no,location=no,resizable=yes,scrollbars=yes,status=no,width=800,height=600';
+    const popup = window.open(url, 'oauth-window', op);
+    if (!popup) {
+      throw new Error('Authorization popup is being blocked.');
+    }
+    popup.window.focus();
+    this.popup = popup;
+    this[observePopupState]();
+  }
+
+  /**
+   * Initializes an interval to check whether the popup window is still present.
+   * The web security model does not allow pages to read the URL for the cross domain
+   * connections.
+   */
+  [observePopupState](): void {
+    this[popupInterval] = setInterval(this[popupObserver], this[intervalValue]);
+  }
+
+  [popupObserver](): void {
+    const { popup } = this;
+    if (!popup || popup.closed) {
+      this.cleanUp();
+      this.dispatchEvent(new Event('close'));
+    }
+  }
+}

package/src/authorization/lib/Tokens.ts

@@ -0,0 +1,124 @@
+import { IOidcTokenInfo, ITokenInfo } from "../../models/Authorization.js";
+
+export class Tokens {
+  /**
+   * Creates a OidcTokenInfo object for the corresponding response type.
+   * 
+   * @param responseType The response type of the token to prepare the info for.
+   * @param params params received from the authorization endpoint.
+   * @param time Timestamp when the tokens were created
+   * @param requestedScopes The list of requested scopes. Optional.
+   * @returns 
+   */
+  static createTokenInfo(responseType: string, params: URLSearchParams, time: number, requestedScopes?: string[]): IOidcTokenInfo | null {
+    switch (responseType) {
+      case 'code': return Tokens.createCodeToken(params, time, requestedScopes);
+      case 'token': return Tokens.createTokenToken(params, time, requestedScopes);
+      case 'id_token': return Tokens.createIdTokenToken(params, time, requestedScopes);
+      default: return null;
+    }
+  }
+
+  /**
+   * Creates a "code" response type token info.
+   * @param params
+   * @param time Timestamp when the tokens were created
+   * @param requestedScopes The list of requested scopes. Optional.
+   * @returns 
+   */
+  static createBaseToken(params: URLSearchParams, time: number, requestedScopes?: string[]): IOidcTokenInfo {
+    const scope = Tokens.computeTokenInfoScopes(requestedScopes, params.get('scope')!);
+    const tokenInfo: IOidcTokenInfo = {
+      state: params.get('state')!,
+      expiresIn: Number(params.get('expires_in')),
+      tokenType: params.get('token_type')!,
+      scope,
+      time,
+      responseType: '',
+    };
+    return tokenInfo;
+  }
+
+  /**
+   * Creates a "code" response type token info.
+   * @param params
+   * @param time Timestamp when the tokens were created
+   * @param requestedScopes The list of requested scopes. Optional.
+   * @returns 
+   */
+  static createCodeToken(params: URLSearchParams, time: number, requestedScopes?: string[]): IOidcTokenInfo {
+    const token = Tokens.createBaseToken(params, time, requestedScopes);
+    token.responseType = 'code';
+    token.code = params.get('code')!;
+    return token;
+  }
+
+  /**
+   * Creates a "token" response type token info.
+   * @param params
+   * @param time Timestamp when the tokens were created
+   * @param requestedScopes The list of requested scopes. Optional.
+   * @returns 
+   */
+  static createTokenToken(params: URLSearchParams, time: number, requestedScopes?: string[]): IOidcTokenInfo {
+    const token = Tokens.createBaseToken(params, time, requestedScopes);
+    token.responseType = 'token';
+    token.accessToken = params.get('access_token')!;
+    token.refreshToken = params.get('refresh_token')!;
+    return token;
+  }
+
+  /**
+   * Creates a "id_token" response type token info.
+   * @param time Timestamp when the tokens were created
+   * @param requestedScopes The list of requested scopes. Optional.
+   */
+  static createIdTokenToken(params: URLSearchParams, time: number, requestedScopes?: string[]): IOidcTokenInfo {
+    const token = Tokens.createBaseToken(params, time, requestedScopes);
+    token.responseType = 'id_token';
+    token.accessToken = params.get('access_token')!;
+    token.refreshToken = params.get('refresh_token')!;
+    token.idToken = params.get('id_token')!;
+    return token;
+  }
+
+  /**
+   * Computes the final list of granted scopes.
+   * It is a list of scopes received in the response or the list of requested scopes.
+   * Because the user may change the list of scopes during the authorization process
+   * the received list of scopes can be different than the one requested by the user.
+   *
+   * @param requestedScopes The list of requested scopes. Optional.
+   * @param tokenScopes The `scope` parameter received with the response. It's null safe.
+   * @returns The list of scopes for the token.
+   */
+  static computeTokenInfoScopes(requestedScopes?: string[], tokenScopes?: string): string[] {
+    if (!tokenScopes && requestedScopes) {
+      return requestedScopes;
+    }
+    let listScopes: string[] = [];
+    if (typeof tokenScopes === 'string') {
+      listScopes = tokenScopes.split(' ');
+    }
+    return listScopes;
+  }
+
+  static fromTokenInfo(info: ITokenInfo): IOidcTokenInfo {
+    const result: IOidcTokenInfo = {
+      responseType: '',
+      state: info.state,
+      accessToken: info.accessToken,
+      time: Date.now(),
+    };
+    if (info.scope) {
+      result.scope = info.scope;
+    }
+    if (info.tokenType) {
+      result.tokenType = info.tokenType;
+    }
+    if (info.expiresIn) {
+      result.expiresIn = info.expiresIn;
+    }
+    return result;
+  }
+}