@axa-fr/oidc-client 6.26.6

package/src/parseTokens.ts

@@ -0,0 +1,194 @@
+import { sleepAsync } from './initWorker.js';
+
+const b64DecodeUnicode = (str) =>
+    decodeURIComponent(Array.prototype.map.call(atob(str), (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)).join(''));
+const parseJwt = (token) => JSON.parse(b64DecodeUnicode(token.split('.')[1].replace('-', '+').replace('_', '/')));
+
+const extractTokenPayload = (token) => {
+    try {
+        if (!token) {
+            return null;
+        }
+        if (countLetter(token, '.') === 2) {
+            return parseJwt(token);
+        } else {
+            return null;
+        }
+    } catch (e) {
+        console.warn(e);
+    }
+    return null;
+};
+
+const countLetter = (str, find) => {
+    return (str.split(find)).length - 1;
+};
+
+export type Tokens = {
+    refreshToken: string;
+    idTokenPayload:any;
+    idToken:string;
+    accessTokenPayload:any;
+    accessToken:string;
+    expiresAt: number;
+    issuedAt: number;
+};
+
+export type TokenRenewModeType = {
+    access_token_or_id_token_invalid: string;
+    access_token_invalid:string;
+    id_token_invalid: string;
+}
+
+export const TokenRenewMode = {
+    access_token_or_id_token_invalid: 'access_token_or_id_token_invalid',
+    access_token_invalid: 'access_token_invalid',
+    id_token_invalid: 'id_token_invalid',
+};
+
+export const setTokens = (tokens, oldTokens = null, tokenRenewMode: string):Tokens => {
+    if (!tokens) {
+        return null;
+    }
+    let accessTokenPayload;
+
+    if (!tokens.issuedAt) {
+        const currentTimeUnixSecond = new Date().getTime() / 1000;
+        tokens.issuedAt = currentTimeUnixSecond;
+    }
+
+    if (tokens.accessTokenPayload !== undefined) {
+        accessTokenPayload = tokens.accessTokenPayload;
+    } else {
+        accessTokenPayload = extractTokenPayload(tokens.accessToken);
+    }
+    const _idTokenPayload = tokens.idTokenPayload ? tokens.idTokenPayload : extractTokenPayload(tokens.idToken);
+
+    const idTokenExpireAt = (_idTokenPayload && _idTokenPayload.exp) ? _idTokenPayload.exp : Number.MAX_VALUE;
+    const accessTokenExpiresAt = (accessTokenPayload && accessTokenPayload.exp) ? accessTokenPayload.exp : tokens.issuedAt + tokens.expiresIn;
+
+    let expiresAt;
+
+    if (tokenRenewMode === TokenRenewMode.access_token_invalid) {
+        expiresAt = accessTokenExpiresAt;
+    } else if (tokenRenewMode === TokenRenewMode.id_token_invalid) {
+        expiresAt = idTokenExpireAt;
+    } else {
+        expiresAt = idTokenExpireAt < accessTokenExpiresAt ? idTokenExpireAt : accessTokenExpiresAt;
+    }
+
+    const newTokens = { ...tokens, idTokenPayload: _idTokenPayload, accessTokenPayload, expiresAt };
+    // When refresh_token is not rotated we reuse ald refresh_token
+    if (oldTokens != null && 'refreshToken' in oldTokens && !('refreshToken' in tokens)) {
+        const refreshToken = oldTokens.refreshToken;
+        return { ...newTokens, refreshToken };
+    }
+
+    return newTokens;
+};
+
+export const parseOriginalTokens = (tokens, oldTokens, tokenRenewMode: string) => {
+    if (!tokens) {
+        return null;
+    }
+    if (!tokens.issued_at) {
+        const currentTimeUnixSecond = new Date().getTime() / 1000;
+        tokens.issued_at = currentTimeUnixSecond;
+    }
+
+    const data = {
+        accessToken: tokens.access_token,
+        expiresIn: tokens.expires_in,
+        idToken: tokens.id_token,
+        scope: tokens.scope,
+        tokenType: tokens.token_type,
+        issuedAt: tokens.issued_at,
+    };
+
+    if ('refresh_token' in tokens) {
+        // @ts-ignore
+        data.refreshToken = tokens.refresh_token;
+    }
+
+    if (tokens.accessTokenPayload !== undefined) {
+        // @ts-ignore
+        data.accessTokenPayload = tokens.accessTokenPayload;
+    }
+
+    if (tokens.idTokenPayload !== undefined) {
+        // @ts-ignore
+        data.idTokenPayload = tokens.idTokenPayload;
+    }
+
+    return setTokens(data, oldTokens, tokenRenewMode);
+};
+
+export const computeTimeLeft = (refreshTimeBeforeTokensExpirationInSecond, expiresAt) => {
+    const currentTimeUnixSecond = new Date().getTime() / 1000;
+    return Math.round(((expiresAt - refreshTimeBeforeTokensExpirationInSecond) - currentTimeUnixSecond));
+};
+
+export const isTokensValid = (tokens) => {
+    if (!tokens) {
+        return false;
+    }
+    return computeTimeLeft(0, tokens.expiresAt) > 0;
+};
+
+export type ValidToken = {
+    isTokensValid: boolean;
+    tokens: Tokens;
+    numberWaited: number;
+}
+
+export interface OidcToken{
+    tokens?: Tokens;
+}
+
+export const getValidTokenAsync = async (oidc: OidcToken, waitMs = 200, numberWait = 50): Promise<ValidToken> => {
+    let numberWaitTemp = numberWait;
+    if (!oidc.tokens) {
+        return null;
+    }
+    while (!isTokensValid(oidc.tokens) && numberWaitTemp > 0) {
+        await sleepAsync(waitMs);
+        numberWaitTemp = numberWaitTemp - 1;
+    }
+    const isValid = isTokensValid(oidc.tokens);
+    return {
+        isTokensValid: isValid,
+        tokens: oidc.tokens,
+        numberWaited: numberWaitTemp - numberWait,
+    };
+};
+
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).
+// https://github.com/openid/AppAuth-JS/issues/65
+export const isTokensOidcValid = (tokens, nonce, oidcServerConfiguration) => {
+    if (tokens.idTokenPayload) {
+        const idTokenPayload = tokens.idTokenPayload;
+        // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
+        if (oidcServerConfiguration.issuer !== idTokenPayload.iss) {
+            return { isValid: false, reason: 'Issuer does not match' };
+        }
+        // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
+
+        // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.
+
+        // 9: The current time MUST be before the time represented by the exp Claim.
+        const currentTimeUnixSecond = new Date().getTime() / 1000;
+        if (idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {
+            return { isValid: false, reason: 'Token expired' };
+        }
+        // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.
+        const timeInSevenDays = 60 * 60 * 24 * 7;
+        if (idTokenPayload.iat && (idTokenPayload.iat + timeInSevenDays) < currentTimeUnixSecond) {
+            return { isValid: false, reason: 'Token is used from too long time' };
+        }
+        // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
+        if (idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {
+            return { isValid: false, reason: 'Nonce does not match' };
+        }
+    }
+    return { isValid: true, reason: '' };
+};

package/src/renewTokens.ts

@@ -0,0 +1,37 @@
+import { initSession } from './initSession.js';
+import { initWorkerAsync } from './initWorker.js';
+import Oidc from './oidc.js';
+import { computeTimeLeft } from './parseTokens.js';
+import timer from './timer.js';
+import { StringMap } from './types.js';
+
+export async function renewTokensAndStartTimerAsync(oidc, refreshToken, forceRefresh = false, extras:StringMap = null) {
+    const updateTokens = (tokens) => { oidc.tokens = tokens; };
+    const { tokens, status } = await oidc.synchroniseTokensAsync(refreshToken, 0, forceRefresh, extras, updateTokens);
+
+    const serviceWorker = await initWorkerAsync(oidc.configuration.service_worker_relative_url, oidc.configurationName);
+    if (!serviceWorker) {
+        const session = initSession(oidc.configurationName, oidc.configuration.storage);
+        await session.setTokens(oidc.tokens);
+    }
+
+    if (!oidc.tokens) {
+        await oidc.destroyAsync(status);
+        return;
+    }
+
+    if (oidc.timeoutId) {
+        oidc.timeoutId = autoRenewTokens(oidc, tokens.refreshToken, oidc.tokens.expiresAt, extras);
+    }
+    return oidc.tokens;
+}
+
+export const autoRenewTokens = (oidc, refreshToken, expiresAt, extras:StringMap = null) => {
+    const refreshTimeBeforeTokensExpirationInSecond = oidc.configuration.refresh_time_before_tokens_expiration_in_second;
+    return timer.setTimeout(async () => {
+        const timeLeft = computeTimeLeft(refreshTimeBeforeTokensExpirationInSecond, expiresAt);
+        const timeInfo = { timeLeft };
+        oidc.publishEvent(Oidc.eventNames.token_timer, timeInfo);
+        await renewTokensAndStartTimerAsync(oidc, refreshToken, false, extras);
+    }, 1000);
+};

package/src/requests.spec.ts

@@ -0,0 +1,9 @@
+
+import { describe, expect,it } from 'vitest';
+
+
+describe('Requests test Suite', () => {
+    it('performAuthorizationRequestAsync', async () => {
+        expect(true).toBe(true);
+    });
+});

package/src/requests.ts

@@ -0,0 +1,169 @@
+import { getFromCache, setCache } from './cache.js';
+import { deriveChallengeAsync, generateRandom } from './crypto.js';
+import { OidcAuthorizationServiceConfiguration } from './oidc.js';
+import { parseOriginalTokens } from './parseTokens.js';
+import { Fetch, StringMap } from './types.js';
+
+const oneHourSecond = 60 * 60;
+export const fetchFromIssuer = (fetch) => async (openIdIssuerUrl: string, timeCacheSecond = oneHourSecond, storage = window.sessionStorage, timeoutMs = 10000):
+    Promise<OidcAuthorizationServiceConfiguration> => {
+    const fullUrl = `${openIdIssuerUrl}/.well-known/openid-configuration`;
+
+    const localStorageKey = `oidc.server:${openIdIssuerUrl}`;
+    const data = getFromCache(localStorageKey, storage, timeCacheSecond);
+    if (data) {
+        return new OidcAuthorizationServiceConfiguration(data);
+    }
+    const response = await internalFetch(fetch)(fullUrl, {}, timeoutMs);
+
+    if (response.status !== 200) {
+        return null;
+    }
+
+    const result = await response.json();
+
+    setCache(localStorageKey, result, storage);
+    return new OidcAuthorizationServiceConfiguration(result);
+};
+
+const internalFetch = (fetch) => async (url, headers = {}, timeoutMs = 10000, numberRetry = 0) : Promise<Response> => {
+    let response;
+    try {
+        const controller = new AbortController();
+        setTimeout(() => controller.abort(), timeoutMs);
+        response = await fetch(url, { ...headers, signal: controller.signal });
+    } catch (e: any) {
+        if (e.name === 'AbortError' ||
+            e.message === 'Network request failed') {
+            if (numberRetry <= 1) {
+                return await internalFetch(fetch)(url, headers, timeoutMs, numberRetry + 1);
+            } else {
+                throw e;
+            }
+        } else {
+            console.error(e.message);
+            throw e; // rethrow other unexpected errors
+        }
+    }
+    return response;
+};
+
+export const TOKEN_TYPE = {
+    refresh_token: 'refresh_token',
+    access_token: 'access_token',
+};
+
+export const performRevocationRequestAsync = (fetch) => async (url, token, token_type = TOKEN_TYPE.refresh_token, client_id, timeoutMs = 10000) => {
+    const details = {
+        token,
+        token_type_hint: token_type,
+        client_id,
+    };
+
+    const formBody = [];
+    for (const property in details) {
+        const encodedKey = encodeURIComponent(property);
+        const encodedValue = encodeURIComponent(details[property]);
+        formBody.push(`${encodedKey}=${encodedValue}`);
+    }
+    const formBodyString = formBody.join('&');
+
+    const response = await internalFetch(fetch)(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
+        },
+        body: formBodyString,
+    }, timeoutMs);
+    if (response.status !== 200) {
+        return { success: false };
+    }
+    return {
+        success: true,
+    };
+};
+
+export const performTokenRequestAsync = (fetch:Fetch) => async (url, details, extras, oldTokens, tokenRenewMode: string, timeoutMs = 10000) => {
+    for (const [key, value] of Object.entries(extras)) {
+        if (details[key] === undefined) {
+            details[key] = value;
+        }
+    }
+
+    const formBody = [];
+    for (const property in details) {
+        const encodedKey = encodeURIComponent(property);
+        const encodedValue = encodeURIComponent(details[property]);
+        formBody.push(`${encodedKey}=${encodedValue}`);
+    }
+    const formBodyString = formBody.join('&');
+
+    const response = await internalFetch(fetch)(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
+        },
+        body: formBodyString,
+    }, timeoutMs);
+    if (response.status !== 200) {
+        return { success: false, status: response.status };
+    }
+    const tokens = await response.json();
+    return {
+        success: true,
+        data: parseOriginalTokens(tokens, oldTokens, tokenRenewMode),
+    };
+};
+
+export const performAuthorizationRequestAsync = (storage: any) => async (url, extras: StringMap) => {
+    extras = extras ? { ...extras } : {};
+    const codeVerifier = generateRandom(128);
+    const codeChallenge = await deriveChallengeAsync(codeVerifier);
+    await storage.setCodeVerifierAsync(codeVerifier);
+    await storage.setStateAsync(extras.state);
+    extras.code_challenge = codeChallenge;
+    extras.code_challenge_method = 'S256';
+    let queryString = '';
+    if (extras) {
+        for (const [key, value] of Object.entries(extras)) {
+            if (queryString === '') {
+                queryString += '?';
+            } else {
+                queryString += '&';
+            }
+            queryString += `${key}=${encodeURIComponent(value)}`;
+        }
+    }
+    window.location.href = `${url}${queryString}`;
+};
+
+export const performFirstTokenRequestAsync = (storage:any) => async (url, extras, tokenRenewMode: string, timeoutMs = 10000) => {
+    extras = extras ? { ...extras } : {};
+    extras.code_verifier = await storage.getCodeVerifierAsync();
+    const formBody = [];
+    for (const property in extras) {
+        const encodedKey = encodeURIComponent(property);
+        const encodedValue = encodeURIComponent(extras[property]);
+        formBody.push(`${encodedKey}=${encodedValue}`);
+    }
+    const formBodyString = formBody.join('&');
+    const response = await internalFetch(fetch)(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
+        },
+        body: formBodyString,
+    }, timeoutMs);
+    await Promise.all([storage.setCodeVerifierAsync(null), storage.setStateAsync(null)]);
+    if (response.status !== 200) {
+        return { success: false, status: response.status };
+    }
+    const tokens = await response.json();
+    return {
+        success: true,
+        data: {
+            state: extras.state,
+            tokens: parseOriginalTokens(tokens, null, tokenRenewMode),
+            },
+    };
+};

package/src/route-utils.spec.ts

@@ -0,0 +1,24 @@
+import { describe, expect,it } from 'vitest';
+
+import { getPath } from './route-utils';
+
+describe('Route test Suite', () => {
+    it.each([['http://example.com/pathname', '/pathname'], 
+      ['http://example.com:3000/pathname/?search=test#hash', '/pathname#hash'], 
+      ['http://example.com:3000/pathname/#hash?search=test', '/pathname#hash'], 
+      ['http://example.com:3000/pathname#hash?search=test', '/pathname#hash'], 
+      ['capacitor://localhost/index.html', '/index.html'], 
+      ['capacitor://localhost/pathname#hash?search=test', '/pathname#hash'], 
+      ['http://example.com:3000/', '']])(
+        'getPath should return the full path of an url',
+        (uri, expected) => {
+    
+          const path = getPath(uri);
+          expect(path).toBe(expected);
+        },
+    );
+
+    it('wrong uri format', () => {
+        expect(() => getPath("urimybad/toto.com")).toThrowError();
+    });
+});

package/src/route-utils.ts

@@ -0,0 +1,79 @@
+export const getLocation = (href: string) => {
+  const match = href.match(
+    // eslint-disable-next-line no-useless-escape
+      /^([a-z][\w-]+\:)\/\/(([^:\/?#]*)(?:\:([0-9]+))?)([\/]{0,1}[^?#]*)(\?[^#]*|)(#.*|)$/,
+  );
+  if (!match) {
+      throw new Error('Invalid URL');
+  }
+
+  let search = match[6];
+  let hash = match[7];
+
+    if (hash) {
+        const splits = hash.split('?');
+        if (splits.length === 2) {
+            hash = splits[0];
+            search = splits[1];
+        }
+    }
+
+    if (search.startsWith('?')) {
+        search = search.slice(1);
+    }
+
+  return (
+    match && {
+      href,
+      protocol: match[1],
+      host: match[2],
+      hostname: match[3],
+      port: match[4],
+      path: match[5],
+      search,
+      hash,
+    }
+  );
+};
+
+export const getPath = (href: string) => {
+  const location = getLocation(href);
+  let { path } = location;
+
+  if (path.endsWith('/')) {
+      path = path.slice(0, -1);
+  }
+  let { hash } = location;
+
+  if (hash === '#_=_') {
+      hash = '';
+  }
+
+  if (hash) {
+    path += hash;
+  }
+
+  return path;
+};
+
+export const getParseQueryStringFromLocation = (href: string) => {
+    const location = getLocation(href);
+    const { search } = location;
+
+    return parseQueryString(search);
+};
+
+const parseQueryString = (queryString:string) => {
+    const params:any = {}; let temp; let i; let l;
+
+    // Split into key/value pairs
+    const queries = queryString.split('&');
+
+    // Convert the array of strings into an object
+    for (i = 0, l = queries.length; i < l; i++) {
+        temp = queries[i].split('=');
+        params[decodeURIComponent(temp[0])] = decodeURIComponent(temp[1]);
+    }
+
+    return params;
+};

package/src/silentLogin.ts

@@ -0,0 +1,144 @@
+import { eventNames } from './events.js';
+import { Tokens } from './parseTokens.js';
+import { autoRenewTokens } from './renewTokens.js';
+import timer from './timer.js';
+import { OidcConfiguration, StringMap } from './types.js';
+export type SilentLoginResponse = {
+    tokens:Tokens;
+    sessionState:string;
+};
+
+// eslint-disable-next-line @typescript-eslint/ban-types
+export const _silentLoginAsync = (configurationName:string, configuration:OidcConfiguration, publishEvent:Function) => (extras:StringMap = null, state:string = null, scope:string = null):Promise<SilentLoginResponse> => {
+    if (!configuration.silent_redirect_uri || !configuration.silent_login_uri) {
+        return Promise.resolve(null);
+    }
+
+    try {
+        publishEvent(eventNames.silentLoginAsync_begin, {});
+        let queries = '';
+
+        if (state) {
+            if (extras == null) {
+                extras = {};
+            }
+            extras.state = state;
+        }
+
+        if (scope) {
+            if (extras == null) {
+                extras = {};
+            }
+            extras.scope = scope;
+        }
+
+        if (extras != null) {
+            for (const [key, value] of Object.entries(extras)) {
+                if (queries === '') {
+                    queries = `?${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
+                } else {
+                    queries += `&${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
+                }
+            }
+        }
+        const link = configuration.silent_login_uri + queries;
+        const idx = link.indexOf('/', link.indexOf('//') + 2);
+        const iFrameOrigin = link.substr(0, idx);
+        const iframe = document.createElement('iframe');
+        iframe.width = '0px';
+        iframe.height = '0px';
+
+        iframe.id = `${configurationName}_oidc_iframe`;
+        iframe.setAttribute('src', link);
+        document.body.appendChild(iframe);
+        return new Promise((resolve, reject) => {
+            try {
+                let isResolved = false;
+                window.onmessage = (e: MessageEvent<any>) => {
+                    if (e.origin === iFrameOrigin &&
+                        e.source === iframe.contentWindow
+                    ) {
+                        const key = `${configurationName}_oidc_tokens:`;
+                        const key_error = `${configurationName}_oidc_error:`;
+                        const data = e.data;
+                        if (data && typeof (data) === 'string') {
+                            if (!isResolved) {
+                                if (data.startsWith(key)) {
+                                    const result = JSON.parse(e.data.replace(key, ''));
+                                    publishEvent(eventNames.silentLoginAsync_end, {});
+                                    iframe.remove();
+                                    isResolved = true;
+                                    resolve(result);
+                                } else if (data.startsWith(key_error)) {
+                                    const result = JSON.parse(e.data.replace(key_error, ''));
+                                    publishEvent(eventNames.silentLoginAsync_error, result);
+                                    iframe.remove();
+                                    isResolved = true;
+                                    reject(new Error('oidc_' + result.error));
+                                }
+                            }
+                        }
+                    }
+                };
+                const silentSigninTimeout = configuration.silent_login_timeout;
+                setTimeout(() => {
+                    if (!isResolved) {
+                        publishEvent(eventNames.silentLoginAsync_error, { reason: 'timeout' });
+                        iframe.remove();
+                        isResolved = true;
+                        reject(new Error('timeout'));
+                    }
+                }, silentSigninTimeout);
+            } catch (e) {
+                iframe.remove();
+                publishEvent(eventNames.silentLoginAsync_error, e);
+                reject(e);
+            }
+        });
+    } catch (e) {
+        publishEvent(eventNames.silentLoginAsync_error, e);
+        throw e;
+    }
+};
+
+// eslint-disable-next-line @typescript-eslint/ban-types
+export const defaultSilentLoginAsync = (window, configurationName, configuration:OidcConfiguration, publishEvent :(string, any)=>void, oidc:any) => (extras:StringMap = null, scope:string = undefined) => {
+    extras = { ...extras };
+
+    const silentLoginAsync = (extras, state, scope) => {
+        return _silentLoginAsync(configurationName, configuration, publishEvent.bind(oidc))(extras, state, scope);
+    };
+
+    const loginLocalAsync = async () => {
+        if (oidc.timeoutId) {
+            timer.clearTimeout(oidc.timeoutId);
+        }
+
+        let state;
+        if (extras && 'state' in extras) {
+            state = extras.state;
+            delete extras.state;
+        }
+
+        try {
+            const extraFinal = !configuration.extras ? extras : { ...configuration.extras, ...extras };
+            const silentResult = await silentLoginAsync({
+                ...extraFinal,
+                prompt: 'none',
+            }, state, scope);
+
+            if (silentResult) {
+                oidc.tokens = silentResult.tokens;
+                publishEvent(eventNames.token_aquired, {});
+                // @ts-ignore
+                oidc.timeoutId = autoRenewTokens(oidc, oidc.tokens.refreshToken, oidc.tokens.expiresAt, extras);
+                return {};
+            }
+        } catch (e) {
+            return e;
+        }
+    };
+    return loginLocalAsync();
+};
+
+export default defaultSilentLoginAsync;