@auth0/auth0-spa-js 2.18.3 → 2.19.1

package/src/worker/token.worker.ts

@@ -1,7 +1,11 @@
 import { MissingRefreshTokenError } from '../errors';
 import { FetchResponse } from '../global';
 import { createQueryParams, fromEntries } from '../utils';
-import { WorkerMessage, WorkerRefreshTokenMessage } from './worker.types';
+import {
+  WorkerMessage,
+  WorkerRefreshTokenMessage,
+  WorkerRevokeTokenMessage
+} from './worker.types';
 
 let refreshTokens: Record<string, string> = {};
 let allowedBaseUrl: string | null = null;
@@ -22,6 +26,24 @@ const setRefreshToken = (
 const deleteRefreshToken = (audience: string, scope: string) =>
   delete refreshTokens[cacheKey(audience, scope)];
 
+const getRefreshTokensByAudience = (audience: string): string[] => {
+  const seen = new Set<string>();
+  Object.entries(refreshTokens).forEach(([key, token]) => {
+    if (cacheKeyContainsAudience(audience, key)) {
+      seen.add(token);
+    }
+  });
+  return Array.from(seen);
+};
+
+const deleteRefreshTokensByValue = (refreshToken: string): void => {
+  Object.entries(refreshTokens).forEach(([key, token]) => {
+    if (token === refreshToken) {
+      delete refreshTokens[key];
+    }
+  });
+};
+
 const wait = (time: number) =>
   new Promise<void>(resolve => setTimeout(resolve, time));
 
@@ -181,8 +203,84 @@ const messageHandler = async ({
   }
 };
 
+const revokeMessageHandler = async ({
+  data: { timeout, auth, fetchUrl, fetchOptions, useFormData },
+  ports: [port]
+}: MessageEvent<WorkerRevokeTokenMessage>) => {
+  const { audience } = auth || {};
+
+  try {
+    const tokensToRevoke = getRefreshTokensByAudience(audience);
+
+    if (tokensToRevoke.length === 0) {
+      port.postMessage({ ok: true });
+      return;
+    }
+
+    // Parse the base body once; rebuild per RT so each request is independent.
+    const baseBody = useFormData
+      ? formDataToObject(fetchOptions.body as string)
+      : JSON.parse(fetchOptions.body as string);
+
+    for (const refreshToken of tokensToRevoke) {
+      const body = useFormData
+        ? createQueryParams({ ...baseBody, token: refreshToken })
+        : JSON.stringify({ ...baseBody, token: refreshToken });
+
+      let abortController: AbortController | undefined;
+      let signal: AbortSignal | undefined;
+
+      if (typeof AbortController === 'function') {
+        abortController = new AbortController();
+        signal = abortController.signal;
+      }
+
+      let timeoutId: ReturnType<typeof setTimeout>;
+      let response: void | Response;
+
+      try {
+        response = await Promise.race([
+          new Promise<void>(resolve => { timeoutId = setTimeout(resolve, timeout); }),
+          fetch(fetchUrl, { ...fetchOptions, body, signal })
+        ]).finally(() => clearTimeout(timeoutId));
+      } catch (error) {
+        port.postMessage({ error: error.message });
+        return;
+      }
+
+      if (!response) {
+        if (abortController) abortController.abort();
+        port.postMessage({ error: "Timeout when executing 'fetch'" });
+        return;
+      }
+
+      if (!response.ok) {
+        let errorDescription: string | undefined;
+        try {
+          const { error_description } = JSON.parse(await response.text());
+          errorDescription = error_description;
+        } catch {
+          // body absent or not valid JSON
+        }
+
+        port.postMessage({ error: errorDescription || `HTTP error ${response.status}` });
+        return;
+      }
+
+      deleteRefreshTokensByValue(refreshToken);
+    }
+
+    port.postMessage({ ok: true });
+  } catch (error) {
+    port.postMessage({
+      error: error.message || 'Unknown error during token revocation'
+    });
+  }
+};
+
 const isAuthorizedWorkerRequest = (
-  workerRequest: WorkerRefreshTokenMessage
+  workerRequest: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage,
+  expectedPath: string
 ) => {
   if (!allowedBaseUrl) {
     return false;
@@ -194,7 +292,7 @@ const isAuthorizedWorkerRequest = (
 
     return (
       requestedUrl.origin === allowedBaseOrigin &&
-      requestedUrl.pathname === '/oauth/token'
+      requestedUrl.pathname === expectedPath
     );
   } catch {
     return false;
@@ -218,9 +316,26 @@ const messageRouter = (event: MessageEvent<WorkerMessage>) => {
     return;
   }
 
+  if ('type' in data && data.type === 'revoke') {
+    if (!isAuthorizedWorkerRequest(data as WorkerRevokeTokenMessage, '/oauth/revoke')) {
+      port?.postMessage({
+        ok: false,
+        json: {
+          error: 'invalid_fetch_url',
+          error_description: 'Unauthorized fetch URL'
+        },
+        headers: {}
+      });
+      return;
+    }
+
+    revokeMessageHandler(event as MessageEvent<WorkerRevokeTokenMessage>);
+    return;
+  }
+
   if (
     !('fetchUrl' in data) ||
-    !isAuthorizedWorkerRequest(data as WorkerRefreshTokenMessage)
+    !isAuthorizedWorkerRequest(data as WorkerRefreshTokenMessage, '/oauth/token')
   ) {
     port?.postMessage({
       ok: false,
@@ -238,7 +353,7 @@ const messageRouter = (event: MessageEvent<WorkerMessage>) => {
 
 // Don't run `addEventListener` in our tests (this is replaced in rollup)
 if (process.env.NODE_ENV === 'test') {
-  module.exports = { messageHandler, messageRouter };
+  module.exports = { messageHandler, revokeMessageHandler, messageRouter };
   /* c8 ignore next 4  */
 } else {
   // @ts-ignore

package/src/worker/worker.types.ts

@@ -1,23 +1,34 @@
 import { FetchOptions } from '../global';
 
-/**
- * @ts-ignore
- */
 export type WorkerInitMessage = {
   type: 'init';
   allowedBaseUrl: string;
 };
 
-export type WorkerRefreshTokenMessage = {
+type WorkerTokenMessage = {
   timeout: number;
   fetchUrl: string;
   fetchOptions: FetchOptions;
   useFormData?: boolean;
-  useMrrt?: boolean;
   auth: {
     audience: string;
     scope: string;
   };
 };
 
-export type WorkerMessage = WorkerInitMessage | WorkerRefreshTokenMessage;
+export type WorkerRefreshTokenMessage = WorkerTokenMessage & {
+  type: 'refresh';
+  useMrrt?: boolean;
+};
+
+export type WorkerRevokeTokenMessage = Omit<WorkerTokenMessage, 'auth'> & {
+  type: 'revoke';
+  auth: {
+    audience: string;
+  };
+};
+
+export type WorkerMessage =
+  | WorkerInitMessage
+  | WorkerRefreshTokenMessage
+  | WorkerRevokeTokenMessage;

package/src/worker/worker.utils.ts

@@ -1,16 +1,27 @@
-import { WorkerRefreshTokenMessage } from './worker.types';
+import {
+  WorkerRefreshTokenMessage,
+  WorkerRevokeTokenMessage
+} from './worker.types';
 
 /**
- * Sends the specified message to the web worker
- * @param message The message to send
- * @param to The worker to send the message to
+ * Sends a message to a Web Worker and returns a Promise that resolves with
+ * the worker's response, or rejects if the worker replies with an error.
+ *
+ * Uses a {@link MessageChannel} so each call gets its own private reply port,
+ * making concurrent calls safe without shared state.
+ *
+ * @param message - The typed message to send (`refresh` or `revoke`).
+ * @param to      - The target {@link Worker} instance.
+ * @returns A Promise that resolves with the worker's response payload.
  */
-export const sendMessage = (message: WorkerRefreshTokenMessage, to: Worker) =>
-  new Promise(function (resolve, reject) {
+export const sendMessage = <T = any>(
+  message: WorkerRefreshTokenMessage | WorkerRevokeTokenMessage,
+  to: Worker
+): Promise<T> =>
+  new Promise<T>(function (resolve, reject) {
     const messageChannel = new MessageChannel();
 
     messageChannel.port1.onmessage = function (event) {
-      // Only for fetch errors, as these get retried
       if (event.data.error) {
         reject(new Error(event.data.error));
       } else {