@asgardeo/auth-spa 0.2.18 → 0.2.21

package/src/models/client.ts

@@ -21,6 +21,7 @@ import {
     BasicUserInfo,
     CustomGrantConfig,
     DecodedIDTokenPayload,
+    FetchResponse,
     OIDCEndpoints,
     OIDCProviderMetaData
 } from "@asgardeo/auth-js";
@@ -51,7 +52,7 @@ export interface MainThreadClientInterface {
         signInRedirectURL?: string
     ): Promise<BasicUserInfo>;
     signOut(signOutRedirectURL?: string): Promise<boolean>;
-    requestCustomGrant(config: CustomGrantConfig): Promise<BasicUserInfo | HttpResponse>;
+    requestCustomGrant(config: CustomGrantConfig): Promise<BasicUserInfo | FetchResponse>;
     refreshAccessToken(): Promise<BasicUserInfo>;
     revokeAccessToken(): Promise<boolean>;
     getBasicUserInfo(): Promise<BasicUserInfo>;
@@ -65,7 +66,7 @@ export interface MainThreadClientInterface {
 }
 
 export interface WebWorkerClientInterface {
-    requestCustomGrant(requestParams: CustomGrantConfig): Promise<HttpResponse | BasicUserInfo>;
+    requestCustomGrant(requestParams: CustomGrantConfig): Promise<FetchResponse | BasicUserInfo>;
     httpRequest<T = any>(config: HttpRequestConfig): Promise<HttpResponse<T>>;
     httpRequestAll<T = any>(configs: HttpRequestConfig[]): Promise<HttpResponse<T>[]>;
     enableHttpHandler(): Promise<boolean>;

package/src/models/http-client.ts

@@ -33,8 +33,9 @@ export interface HttpRequestConfig extends AxiosRequestConfig {
 
 export {
     AxiosResponse as HttpResponse,
-    Method,
-    AxiosTransformer as HttpTransformer,
+    Method as HttpMethod,
+    AxiosRequestTransformer as HttpRequestTransformer,
+    AxiosResponseTransformer as HttpResponseTransformer,
     AxiosAdapter as HttpAdapter,
     AxiosBasicCredentials as HttpBasicCredentials,
     ResponseType,

package/src/models/index.ts

@@ -23,3 +23,4 @@ export * from "./web-worker";
 export * from "./session-management-helper";
 export * from "./client-config";
 export * from "./sign-in";
+export * from "./sign-out-error";

package/src/models/message.ts

@@ -66,6 +66,7 @@ export interface AuthorizationInfo {
     code: string;
     sessionState: string;
     pkce?: string;
+    state: string;
 }
 
 export type MessageType =

package/src/models/request-custom-grant.ts

@@ -0,0 +1,26 @@
+/**
+* Copyright (c) 2022, WSO2 Inc. (http://www.wso2.com) All Rights Reserved.
+*
+* WSO2 Inc. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+import { CustomGrantConfig } from "@asgardeo/auth-js";
+
+/**
+ * SPA Custom Request Grant config model
+ */
+export interface SPACustomGrantConfig extends CustomGrantConfig {
+    preventSignOutURLUpdate?: boolean;
+}

package/src/models/session-management-helper.ts

@@ -16,6 +16,8 @@
  * under the License.
  */
 
+import { GetAuthURLConfig } from "..";
+
 export interface SessionManagementHelperInterface {
     initialize(
         clientID: string,
@@ -24,8 +26,7 @@ export interface SessionManagementHelperInterface {
         interval: number,
         sessionRefreshInterval: number,
         redirectURL: string,
-        authorizationEndpoint: string,
-        isPKCEEnabled?: boolean
+        getAuthorizationURL: (params?: GetAuthURLConfig) => Promise<string>
     ): void;
     receivePromptNoneResponse(
         setSessionState?: (sessionState: string | null) => Promise<void>

package/src/models/sign-out-error.ts

@@ -0,0 +1,22 @@
+/**
+* Copyright (c) 2022, WSO2 Inc. (http://www.wso2.com) All Rights Reserved.
+*
+* WSO2 Inc. licenses this file to you under the Apache License,
+* Version 2.0 (the "License"); you may not use this file except
+* in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+export interface SignOutError {
+    error: string;
+    description: string;
+}

package/src/models/web-worker.ts

@@ -22,6 +22,7 @@ import {
     BasicUserInfo,
     CustomGrantConfig,
     DecodedIDTokenPayload,
+    FetchResponse,
     OIDCEndpoints
 } from "@asgardeo/auth-js";
 import { HttpRequestConfig, HttpResponse, Message } from ".";
@@ -44,10 +45,15 @@ export interface WebWorkerCoreInterface {
     enableHttpHandler(): void;
     disableHttpHandler(): void;
     getAuthorizationURL(params?: AuthorizationURLParams, signInRedirectURL?: string): Promise<AuthorizationResponse>;
-    requestAccessToken(authorizationCode?: string, sessionState?: string, pkce?: string): Promise<BasicUserInfo>;
+    requestAccessToken(
+        authorizationCode?: string,
+        sessionState?: string,
+        pkce?: string,
+        state?: string
+    ): Promise<BasicUserInfo>;
     signOut(signOutRedirectURL?: string): Promise<string>;
     getSignOutURL(signOutRedirectURL?: string): Promise<string>;
-    requestCustomGrant(config: CustomGrantConfig): Promise<BasicUserInfo | HttpResponse>;
+    requestCustomGrant(config: CustomGrantConfig): Promise<BasicUserInfo | FetchResponse>;
     refreshAccessToken(): Promise<BasicUserInfo>;
     revokeAccessToken(): Promise<boolean>;
     getBasicUserInfo(): Promise<BasicUserInfo>;

package/src/public-api.ts

@@ -26,6 +26,7 @@ export * from "./models";
 export * from "./utils/spa-utils"
 
 // Constants
-export * from "@asgardeo/auth-js";
 export * from "./constants/storage";
 export * from "./constants/hooks";
+
+export * from "@asgardeo/auth-js";

package/src/utils/crypto-utils.ts

@@ -0,0 +1,78 @@
+/**
+ * Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Buffer } from "buffer";
+import { CryptoUtils, JWKInterface } from "@asgardeo/auth-js";
+import base64url from "base64url";
+import sha256 from "fast-sha256";
+import { createLocalJWKSet, jwtVerify } from "jose";
+import { FlattenedJWSInput, GetKeyFunction, JWSHeaderParameters } from "jose/dist/types/types";
+import randombytes from "randombytes";
+
+export class SPACryptoUtils
+    implements CryptoUtils<Buffer | string, GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>>
+{
+    /**
+     * Get URL encoded string.
+     *
+     * @returns {string} base 64 url encoded value.
+     */
+    public base64URLEncode(value: Buffer | string): string {
+        return base64url.encode(value).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    }
+
+    public base64URLDecode(value: string): string {
+        return base64url.decode(value).toString();
+    }
+
+    public hashSha256(data: string): string | Buffer {
+        return Buffer.from(sha256(new TextEncoder().encode(data)));
+    }
+
+    public generateRandomBytes(length: number): string | Buffer {
+        return randombytes(length);
+    }
+
+    public parseJwk(key: Partial<JWKInterface>): Promise<GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>> {
+        return Promise.resolve(
+            createLocalJWKSet({
+                keys: [ key ]
+            })
+        );
+    }
+
+    public verifyJwt(
+        idToken: string,
+        jwk: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>,
+        algorithms: string[],
+        clientID: string,
+        issuer: string,
+        subject: string,
+        clockTolerance?: number
+    ): Promise<boolean> {
+        return jwtVerify(idToken, jwk, {
+            algorithms: algorithms,
+            audience: clientID,
+            clockTolerance: clockTolerance,
+            issuer: issuer,
+            subject: subject
+        }).then(() => {
+            return Promise.resolve(true);
+        });
+    }
+}

package/src/utils/spa-utils.ts

@@ -16,12 +16,15 @@
  * under the License.
  */
 
-import { AsgardeoAuthClient, PKCE_CODE_VERIFIER, SIGN_OUT_URL } from "@asgardeo/auth-js";
+import { AsgardeoAuthClient, SIGN_OUT_SUCCESS_PARAM, SIGN_OUT_URL } from "@asgardeo/auth-js";
+import { SignOutError } from "..";
 import {
     ERROR,
+    ERROR_DESCRIPTION,
     INITIALIZED_SILENT_SIGN_IN,
     PROMPT_NONE_REQUEST_SENT,
-    SILENT_SIGN_IN_STATE
+    SILENT_SIGN_IN_STATE,
+    STATE_QUERY
 } from "../constants";
 
 export class SPAUtils {
@@ -34,12 +37,12 @@ export class SPAUtils {
         history.pushState({}, document.title, url.replace(/\?code=.*$/, ""));
     }
 
-    public static getPKCE(): string {
-        return sessionStorage.getItem(PKCE_CODE_VERIFIER) ?? "";
+    public static getPKCE(pkceKey: string): string {
+        return sessionStorage.getItem(pkceKey) ?? "";
     }
 
-    public static setPKCE(pkce: string): void {
-        sessionStorage.setItem(PKCE_CODE_VERIFIER, pkce);
+    public static setPKCE(pkceKey: string, pkce: string): void {
+        sessionStorage.setItem(pkceKey, pkce);
     }
 
     public static setSignOutURL(url: string): void {
@@ -50,8 +53,8 @@ export class SPAUtils {
         return sessionStorage.getItem(SIGN_OUT_URL) ?? "";
     }
 
-    public static removePKCE(): void {
-        sessionStorage.removeItem(PKCE_CODE_VERIFIER);
+    public static removePKCE(pkceKey: string): void {
+        sessionStorage.removeItem(pkceKey);
     }
 
     /**
@@ -121,6 +124,23 @@ export class SPAUtils {
         return false;
     }
 
+    public static didSignOutFail(): boolean | SignOutError {
+        if (AsgardeoAuthClient.didSignOutFail(window.location.href)) {
+            const url: URL = new URL(window.location.href);
+            const error: string | null = url.searchParams.get(ERROR);
+            const description: string | null = url.searchParams.get(ERROR_DESCRIPTION);
+            const newUrl = window.location.href.split("?")[0];
+            history.pushState({}, document.title, newUrl);
+
+            return {
+                description: description ?? "",
+                error: error ?? ""
+            };
+        }
+
+        return false;
+    }
+
     /**
      * Checks if the URL the user agent is redirected to after an authorization request has the state parameter.
      *
@@ -129,7 +149,7 @@ export class SPAUtils {
     public static isSilentStatePresentInURL(): boolean {
         const state = new URL(window.location.href).searchParams.get("state");
 
-        return state === SILENT_SIGN_IN_STATE;
+        return state?.includes(SILENT_SIGN_IN_STATE) ?? false;
     }
 
     /**
@@ -153,7 +173,10 @@ export class SPAUtils {
      * @returns {boolean} - True if the URL contains an error.
      */
     public static hasErrorInURL(url: string = window.location.href): boolean {
-        return !!new URL(url).searchParams.get(ERROR);
+        const urlObject: URL = new URL(url);
+        return (
+            !!urlObject.searchParams.get(ERROR) && urlObject.searchParams.get(STATE_QUERY) !== SIGN_OUT_SUCCESS_PARAM
+        );
     }
 
     /**

package/src/worker/client.worker.ts

@@ -103,7 +103,7 @@ ctx.onmessage = async ({ data, ports }) => {
             break;
         case REQUEST_ACCESS_TOKEN:
             webWorker
-                .requestAccessToken(data?.data?.code, data?.data?.sessionState, data?.data?.pkce)
+                .requestAccessToken(data?.data?.code, data?.data?.sessionState, data?.data?.pkce, data?.data?.state)
                 .then((response: BasicUserInfo) => {
                     port.postMessage(MessageUtils.generateSuccessMessage(response));
                 })

package/src/worker/worker-core.ts

@@ -23,8 +23,10 @@ import {
     BasicUserInfo,
     CustomGrantConfig,
     DecodedIDTokenPayload,
+    FetchResponse,
     OIDCEndpoints,
     SESSION_STATE,
+    STATE,
     Store,
     TokenResponse
 } from "@asgardeo/auth-js";
@@ -41,21 +43,19 @@ import {
     WebWorkerCoreInterface
 } from "../models";
 import { MemoryStore } from "../stores";
+import { SPACryptoUtils } from "../utils/crypto-utils";
 
 export const WebWorkerCore = async (
     config: AuthClientConfig<WebWorkerClientConfig>
 ): Promise<WebWorkerCoreInterface> => {
     const _store: Store = new MemoryStore();
-    const _authenticationClient = new AsgardeoAuthClient<WebWorkerClientConfig>(_store);
+    const _cryptoUtils: SPACryptoUtils = new SPACryptoUtils();
+    const _authenticationClient = new AsgardeoAuthClient<WebWorkerClientConfig>(_store, _cryptoUtils);
     await _authenticationClient.initialize(config);
 
     const _spaHelper = new SPAHelper<WebWorkerClientConfig>(_authenticationClient);
     const _dataLayer = _authenticationClient.getDataLayer();
 
-    let _onHttpRequestStart: () => void;
-    let _onHttpRequestSuccess: (response: HttpResponse) => void;
-    let _onHttpRequestFinish: () => void;
-    let _onHttpRequestError: (error: HttpError) => void;
     const _httpClient: HttpClientInstance = HttpClient.getInstance();
 
     const attachToken = async (request: HttpRequestConfig): Promise<void> => {
@@ -247,7 +247,11 @@ export const WebWorkerCore = async (
         return _authenticationClient
             .getAuthorizationURL(params)
             .then(async (url: string) => {
-                return { authorizationURL: url, pkce: (await _authenticationClient.getPKCECode()) as string };
+                const urlObject: URL = new URL(url);
+                const state: string = urlObject.searchParams.get(STATE) ?? "";
+                const pkce: string = await _authenticationClient.getPKCECode(state);
+
+                return { authorizationURL: url, pkce: pkce };
             })
             .catch((error) => Promise.reject(error));
     };
@@ -262,17 +266,18 @@ export const WebWorkerCore = async (
     const requestAccessToken = async (
         authorizationCode?: string,
         sessionState?: string,
-        pkce?: string
+        pkce?: string,
+        state?: string
     ): Promise<BasicUserInfo> => {
         const config = await _dataLayer.getConfigData();
 
         if (pkce && config.enablePKCE) {
-            await _authenticationClient.setPKCECode(pkce);
+            await _authenticationClient.setPKCECode(pkce, state ?? "");
         }
 
         if (authorizationCode) {
             return _authenticationClient
-                .requestAccessToken(authorizationCode, sessionState ?? "")
+                .requestAccessToken(authorizationCode, sessionState ?? "", state ?? "'")
                 .then(() => {
                     _spaHelper.refreshAccessTokenAutomatically();
 
@@ -304,7 +309,7 @@ export const WebWorkerCore = async (
         return await _authenticationClient.getSignOutURL();
     };
 
-    const requestCustomGrant = async (config: CustomGrantConfig): Promise<BasicUserInfo | HttpResponse> => {
+    const requestCustomGrant = async (config: CustomGrantConfig): Promise<BasicUserInfo | FetchResponse> => {
         let useDefaultEndpoint = true;
         let matches = false;
         const clientConfig = await _dataLayer.getConfigData();
@@ -329,13 +334,13 @@ export const WebWorkerCore = async (
         if (useDefaultEndpoint || matches) {
             return _authenticationClient
                 .requestCustomGrant(config)
-                .then(async (response: HttpResponse | TokenResponse) => {
+                .then(async (response: FetchResponse | TokenResponse) => {
                     if (config.returnsSession) {
                         _spaHelper.refreshAccessTokenAutomatically();
 
                         return _authenticationClient.getBasicUserInfo();
                     } else {
-                        return response as HttpResponse;
+                        return response as FetchResponse;
                     }
                 })
                 .catch((error) => {