@auth0/auth0-spa-js 2.18.2 → 2.19.0

package/src/worker/token.worker.ts

@@ -1,9 +1,14 @@
 import { MissingRefreshTokenError } from '../errors';
 import { FetchResponse } from '../global';
 import { createQueryParams, fromEntries } from '../utils';
-import { WorkerRefreshTokenMessage } from './worker.types';
+import {
+  WorkerMessage,
+  WorkerRefreshTokenMessage,
+  WorkerRevokeTokenMessage
+} from './worker.types';
 
 let refreshTokens: Record<string, string> = {};
+let allowedBaseUrl: string | null = null;
 
 const cacheKey = (audience: string, scope: string) => `${audience}|${scope}`;
 
@@ -21,6 +26,24 @@ const setRefreshToken = (
 const deleteRefreshToken = (audience: string, scope: string) =>
   delete refreshTokens[cacheKey(audience, scope)];
 
+const getRefreshTokensByAudience = (audience: string): string[] => {
+  const seen = new Set<string>();
+  Object.entries(refreshTokens).forEach(([key, token]) => {
+    if (cacheKeyContainsAudience(audience, key)) {
+      seen.add(token);
+    }
+  });
+  return Array.from(seen);
+};
+
+const deleteRefreshTokensByValue = (refreshToken: string): void => {
+  Object.entries(refreshTokens).forEach(([key, token]) => {
+    if (token === refreshToken) {
+      delete refreshTokens[key];
+    }
+  });
+};
+
 const wait = (time: number) =>
   new Promise<void>(resolve => setTimeout(resolve, time));
 
@@ -180,11 +203,159 @@ const messageHandler = async ({
   }
 };
 
+const revokeMessageHandler = async ({
+  data: { timeout, auth, fetchUrl, fetchOptions, useFormData },
+  ports: [port]
+}: MessageEvent<WorkerRevokeTokenMessage>) => {
+  const { audience } = auth || {};
+
+  try {
+    const tokensToRevoke = getRefreshTokensByAudience(audience);
+
+    if (tokensToRevoke.length === 0) {
+      port.postMessage({ ok: true });
+      return;
+    }
+
+    // Parse the base body once; rebuild per RT so each request is independent.
+    const baseBody = useFormData
+      ? formDataToObject(fetchOptions.body as string)
+      : JSON.parse(fetchOptions.body as string);
+
+    for (const refreshToken of tokensToRevoke) {
+      const body = useFormData
+        ? createQueryParams({ ...baseBody, token: refreshToken })
+        : JSON.stringify({ ...baseBody, token: refreshToken });
+
+      let abortController: AbortController | undefined;
+      let signal: AbortSignal | undefined;
+
+      if (typeof AbortController === 'function') {
+        abortController = new AbortController();
+        signal = abortController.signal;
+      }
+
+      let timeoutId: ReturnType<typeof setTimeout>;
+      let response: void | Response;
+
+      try {
+        response = await Promise.race([
+          new Promise<void>(resolve => { timeoutId = setTimeout(resolve, timeout); }),
+          fetch(fetchUrl, { ...fetchOptions, body, signal })
+        ]).finally(() => clearTimeout(timeoutId));
+      } catch (error) {
+        port.postMessage({ error: error.message });
+        return;
+      }
+
+      if (!response) {
+        if (abortController) abortController.abort();
+        port.postMessage({ error: "Timeout when executing 'fetch'" });
+        return;
+      }
+
+      if (!response.ok) {
+        let errorDescription: string | undefined;
+        try {
+          const { error_description } = JSON.parse(await response.text());
+          errorDescription = error_description;
+        } catch {
+          // body absent or not valid JSON
+        }
+
+        port.postMessage({ error: errorDescription || `HTTP error ${response.status}` });
+        return;
+      }
+
+      deleteRefreshTokensByValue(refreshToken);
+    }
+
+    port.postMessage({ ok: true });
+  } catch (error) {
+    port.postMessage({
+      error: error.message || 'Unknown error during token revocation'
+    });
+  }
+};
+
+const isAuthorizedWorkerRequest = (
+  workerRequest: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage,
+  expectedPath: string
+) => {
+  if (!allowedBaseUrl) {
+    return false;
+  }
+
+  try {
+    const allowedBaseOrigin = new URL(allowedBaseUrl).origin;
+    const requestedUrl = new URL(workerRequest.fetchUrl);
+
+    return (
+      requestedUrl.origin === allowedBaseOrigin &&
+      requestedUrl.pathname === expectedPath
+    );
+  } catch {
+    return false;
+  }
+};
+
+const messageRouter = (event: MessageEvent<WorkerMessage>) => {
+  const { data, ports } = event;
+  const [port] = ports;
+
+  if ('type' in data && data.type === 'init') {
+    if (allowedBaseUrl === null) {
+      try {
+        new URL(data.allowedBaseUrl);
+        allowedBaseUrl = data.allowedBaseUrl;
+      } catch {
+        return;
+      }
+    }
+
+    return;
+  }
+
+  if ('type' in data && data.type === 'revoke') {
+    if (!isAuthorizedWorkerRequest(data as WorkerRevokeTokenMessage, '/oauth/revoke')) {
+      port?.postMessage({
+        ok: false,
+        json: {
+          error: 'invalid_fetch_url',
+          error_description: 'Unauthorized fetch URL'
+        },
+        headers: {}
+      });
+      return;
+    }
+
+    revokeMessageHandler(event as MessageEvent<WorkerRevokeTokenMessage>);
+    return;
+  }
+
+  if (
+    !('fetchUrl' in data) ||
+    !isAuthorizedWorkerRequest(data as WorkerRefreshTokenMessage, '/oauth/token')
+  ) {
+    port?.postMessage({
+      ok: false,
+      json: {
+        error: 'invalid_fetch_url',
+        error_description: 'Unauthorized fetch URL'
+      },
+      headers: {}
+    });
+    return;
+  }
+
+  messageHandler(event as MessageEvent<WorkerRefreshTokenMessage>);
+};
+
 // Don't run `addEventListener` in our tests (this is replaced in rollup)
 if (process.env.NODE_ENV === 'test') {
-  module.exports = { messageHandler };
+  module.exports = { messageHandler, revokeMessageHandler, messageRouter };
   /* c8 ignore next 4  */
 } else {
   // @ts-ignore
-  addEventListener('message', messageHandler);
+  addEventListener('message', messageRouter);
 }

package/src/worker/worker.types.ts

@@ -1,16 +1,34 @@
 import { FetchOptions } from '../global';
 
-/**
- * @ts-ignore
- */
-export type WorkerRefreshTokenMessage = {
+export type WorkerInitMessage = {
+  type: 'init';
+  allowedBaseUrl: string;
+};
+
+type WorkerTokenMessage = {
   timeout: number;
   fetchUrl: string;
   fetchOptions: FetchOptions;
   useFormData?: boolean;
-  useMrrt?: boolean;
   auth: {
     audience: string;
     scope: string;
   };
 };
+
+export type WorkerRefreshTokenMessage = WorkerTokenMessage & {
+  type: 'refresh';
+  useMrrt?: boolean;
+};
+
+export type WorkerRevokeTokenMessage = Omit<WorkerTokenMessage, 'auth'> & {
+  type: 'revoke';
+  auth: {
+    audience: string;
+  };
+};
+
+export type WorkerMessage =
+  | WorkerInitMessage
+  | WorkerRefreshTokenMessage
+  | WorkerRevokeTokenMessage;

package/src/worker/worker.utils.ts

@@ -1,16 +1,27 @@
-import { WorkerRefreshTokenMessage } from './worker.types';
+import {
+  WorkerRefreshTokenMessage,
+  WorkerRevokeTokenMessage
+} from './worker.types';
 
 /**
- * Sends the specified message to the web worker
- * @param message The message to send
- * @param to The worker to send the message to
+ * Sends a message to a Web Worker and returns a Promise that resolves with
+ * the worker's response, or rejects if the worker replies with an error.
+ *
+ * Uses a {@link MessageChannel} so each call gets its own private reply port,
+ * making concurrent calls safe without shared state.
+ *
+ * @param message - The typed message to send (`refresh` or `revoke`).
+ * @param to      - The target {@link Worker} instance.
+ * @returns A Promise that resolves with the worker's response payload.
  */
-export const sendMessage = (message: WorkerRefreshTokenMessage, to: Worker) =>
-  new Promise(function (resolve, reject) {
+export const sendMessage = <T = any>(
+  message: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage,
+  to: Worker
+): Promise<T> =>
+  new Promise<T>(function (resolve, reject) {
     const messageChannel = new MessageChannel();
 
     messageChannel.port1.onmessage = function (event) {
-      // Only for fetch errors, as these get retried
       if (event.data.error) {
         reject(new Error(event.data.error));
       } else {