@axa-fr/oidc-client 7.26.8 → 7.27.1

package/src/initSession.ts

@@ -1,7 +1,19 @@
-export const initSession = (configurationName, storage = sessionStorage) => {
+export const initSession = (
+  configurationName,
+  storage = sessionStorage,
+  loginStateStorage?: Storage,
+) => {
+  const loginStorage = loginStateStorage ?? storage;
+
   const clearAsync = status => {
     storage[`oidc.${configurationName}`] = JSON.stringify({ tokens: null, status });
     delete storage[`oidc.${configurationName}.userInfo`];
+    if (loginStateStorage && loginStateStorage !== storage) {
+      delete loginStorage[`oidc.login.${configurationName}`];
+      delete loginStorage[`oidc.state.${configurationName}`];
+      delete loginStorage[`oidc.code_verifier.${configurationName}`];
+      delete loginStorage[`oidc.nonce.${configurationName}`];
+    }
     return Promise.resolve();
   };
 
@@ -27,7 +39,7 @@ export const initSession = (configurationName, storage = sessionStorage) => {
   };
 
   const setNonceAsync = nonce => {
-    storage[`oidc.nonce.${configurationName}`] = nonce.nonce;
+    loginStorage[`oidc.nonce.${configurationName}`] = nonce.nonce;
   };
 
   const setDemonstratingProofOfPossessionJwkAsync = (jwk: JsonWebKey) => {
@@ -40,7 +52,7 @@ export const initSession = (configurationName, storage = sessionStorage) => {
 
   const getNonceAsync = async () => {
     // @ts-ignore
-    return { nonce: storage[`oidc.nonce.${configurationName}`] };
+    return { nonce: loginStorage[`oidc.nonce.${configurationName}`] };
   };
 
   const setDemonstratingProofOfPossessionNonce = async (dpopNonce: string) => {
@@ -61,10 +73,10 @@ export const initSession = (configurationName, storage = sessionStorage) => {
   const getLoginParamsCache = {};
   const setLoginParams = data => {
     getLoginParamsCache[configurationName] = data;
-    storage[`oidc.login.${configurationName}`] = JSON.stringify(data);
+    loginStorage[`oidc.login.${configurationName}`] = JSON.stringify(data);
   };
   const getLoginParams = () => {
-    const dataString = storage[`oidc.login.${configurationName}`];
+    const dataString = loginStorage[`oidc.login.${configurationName}`];
 
     if (!dataString) {
       console.warn(
@@ -80,19 +92,19 @@ export const initSession = (configurationName, storage = sessionStorage) => {
   };
 
   const getStateAsync = async () => {
-    return storage[`oidc.state.${configurationName}`];
+    return loginStorage[`oidc.state.${configurationName}`];
   };
 
   const setStateAsync = async (state: string) => {
-    storage[`oidc.state.${configurationName}`] = state;
+    loginStorage[`oidc.state.${configurationName}`] = state;
   };
 
   const getCodeVerifierAsync = async () => {
-    return storage[`oidc.code_verifier.${configurationName}`];
+    return loginStorage[`oidc.code_verifier.${configurationName}`];
   };
 
   const setCodeVerifierAsync = async codeVerifier => {
-    storage[`oidc.code_verifier.${configurationName}`] = codeVerifier;
+    loginStorage[`oidc.code_verifier.${configurationName}`] = codeVerifier;
   };
 
   return {

package/src/initWorker.ts

@@ -151,6 +151,46 @@ const waitForControllerAsync = async (timeoutMs: number) => {
   });
 };
 
+// Module-level guards to prevent:
+// - registering multiple controllerchange listeners (one per initWorkerAsync call)
+// - reloading more than once per page lifetime
+let controllerChangeListenerRegistered = false;
+let controllerChangeReloading = false;
+
+// Session-level guard to prevent infinite reload loops caused by SW update cycles.
+// The controllerchange listener triggers a page reload, but after reload the module-level
+// guards above are reset. If the SW still hasn't been updated correctly (e.g. stale cache,
+// Firefox issues), the cycle would repeat forever. This key tracks reloads across page loads
+// via sessionStorage so we can break the loop.
+const SW_RELOAD_SESSION_KEY = 'oidc.sw.controllerchange_reload_count';
+const SW_RELOAD_MAX = 3;
+
+const getControllerChangeReloadCount = (): number => {
+  try {
+    return parseInt(sessionStorage.getItem(SW_RELOAD_SESSION_KEY) ?? '0', 10);
+  } catch {
+    return 0;
+  }
+};
+
+const incrementControllerChangeReloadCount = (): number => {
+  const count = getControllerChangeReloadCount() + 1;
+  try {
+    sessionStorage.setItem(SW_RELOAD_SESSION_KEY, String(count));
+  } catch {
+    // ignore
+  }
+  return count;
+};
+
+const clearControllerChangeReloadCount = () => {
+  try {
+    sessionStorage.removeItem(SW_RELOAD_SESSION_KEY);
+  } catch {
+    // ignore
+  }
+};
+
 export const initWorkerAsync = async (
   configuration: OidcConfiguration,
   configurationName: string,
@@ -183,25 +223,82 @@ export const initWorkerAsync = async (
 
   const versionMismatchKey = `oidc.sw.version_mismatch_reload.${configurationName}`;
 
-  const sendSkipWaiting = async () => {
+  const sendSkipWaitingToWorker = async (targetSw: ServiceWorker) => {
     stopKeepAlive();
     console.log('New SW waiting – SKIP_WAITING');
     try {
-      await sendMessageAsync(registration, { timeoutMs: 8000 })({
-        type: 'SKIP_WAITING',
-        configurationName,
-        data: null,
+      await new Promise<void>((resolve, reject) => {
+        const messageChannel = new MessageChannel();
+        let timeoutId: any = null;
+
+        const cleanup = () => {
+          try {
+            if (timeoutId != null) {
+              timer.clearTimeout(timeoutId);
+              timeoutId = null;
+            }
+            messageChannel.port1.onmessage = null;
+            messageChannel.port1.close();
+            messageChannel.port2.close();
+          } catch (ex) {
+            console.error(ex);
+          }
+        };
+
+        timeoutId = timer.setTimeout(() => {
+          cleanup();
+          reject(new Error('SKIP_WAITING did not respond within 8000ms'));
+        }, 8000);
+
+        messageChannel.port1.onmessage = event => {
+          cleanup();
+          if (event?.data?.error) reject(event.data.error);
+          else resolve();
+        };
+
+        try {
+          targetSw.postMessage(
+            {
+              type: 'SKIP_WAITING',
+              configurationName,
+              data: null,
+              tabId: getTabId(configurationName ?? 'default'),
+            },
+            [messageChannel.port2],
+          );
+        } catch (err) {
+          cleanup();
+          reject(err);
+        }
       });
     } catch (e) {
       console.warn('SKIP_WAITING failed', e);
     }
   };
 
+  const sendSkipWaiting = async () => {
+    const waitingSw = registration.waiting;
+    if (waitingSw) {
+      await sendSkipWaitingToWorker(waitingSw);
+    } else {
+      console.warn('sendSkipWaiting called but no waiting service worker found');
+    }
+  };
+
   const trackInstallingWorker = (newSW: ServiceWorker) => {
     stopKeepAlive();
     newSW.addEventListener('statechange', async () => {
       if (newSW.state === 'installed' && navigator.serviceWorker.controller) {
-        await sendSkipWaiting();
+        // Guard against infinite SKIP_WAITING → controllerchange → reload loops.
+        // If we've already exhausted the reload budget, don't force activation – let the
+        // browser handle it naturally on the next navigation instead.
+        if (getControllerChangeReloadCount() >= SW_RELOAD_MAX) {
+          console.warn(
+            'SW trackInstallingWorker: skipping SKIP_WAITING because the reload budget is exhausted',
+          );
+          return;
+        }
+        await sendSkipWaitingToWorker(newSW);
       }
     });
   };
@@ -219,33 +316,25 @@ export const initWorkerAsync = async (
   if (registration.installing) {
     trackInstallingWorker(registration.installing);
   } else if (registration.waiting && navigator.serviceWorker.controller) {
-    // A new SW is already waiting – activate it straight away
-    sendSkipWaiting();
+    // A new SW is already waiting – activate it straight away (unless reload budget exhausted)
+    if (getControllerChangeReloadCount() < SW_RELOAD_MAX) {
+      sendSkipWaiting();
+    } else {
+      console.warn(
+        'SW: a waiting worker exists but reload budget is exhausted – skipping activation',
+      );
+    }
   }
 
-  // (Optional but useful on Safari) ask for update early
-  try {
-    await registration.update();
-  } catch (ex) {
+  // (Optional but useful on Safari) ask for update early – non-blocking to avoid slowing init
+  registration.update().catch(ex => {
     console.error(ex);
-  }
-
-  // 2) Quand le SW actif change, on reload (once per session)
-  const reloadKey = `oidc.sw.controllerchange.reloaded.${configurationName}`;
-  navigator.serviceWorker.addEventListener('controllerchange', () => {
-    try {
-      if (sessionStorage.getItem(reloadKey) === '1') return;
-      sessionStorage.setItem(reloadKey, '1');
-    } catch {
-      // ignore
-    }
-
-    console.log('SW controller changed – reloading page');
-    stopKeepAlive();
-    window.location.reload();
   });
 
-  // 3) Claim + init classique (Safari-safe)
+  // 2) Claim + init classique (Safari-safe)
+  // IMPORTANT: claim() is done BEFORE registering the controllerchange listener,
+  // because claim() can trigger a controllerchange event on first visit and we don't
+  // want that initial claim to cause a reload loop.
   try {
     await navigator.serviceWorker.ready;
 
@@ -264,6 +353,37 @@ export const initWorkerAsync = async (
     return null;
   }
 
+  // 3) Register the controllerchange listener AFTER claim, and only once per page lifetime.
+  // This prevents:
+  // - claim() from triggering a reload on first visit
+  // - multiple listeners being stacked (initWorkerAsync is called many times)
+  // - more than one reload per page lifetime (guard via controllerChangeReloading)
+  // - infinite loops across page reloads (guard via sessionStorage counter)
+  if (!controllerChangeListenerRegistered) {
+    controllerChangeListenerRegistered = true;
+    navigator.serviceWorker.addEventListener('controllerchange', () => {
+      if (controllerChangeReloading) {
+        return;
+      }
+
+      // Session-level guard: prevent infinite reload loops when the SW never converges
+      // to the expected version (e.g. stale cache, Firefox issues, Electron quirks).
+      const reloadCount = incrementControllerChangeReloadCount();
+      if (reloadCount > SW_RELOAD_MAX) {
+        console.warn(
+          `SW controllerchange: reload budget exhausted (${reloadCount - 1} reloads). ` +
+            'Skipping reload to avoid infinite loop.',
+        );
+        return;
+      }
+
+      controllerChangeReloading = true;
+      console.log('SW controller changed – reloading page');
+      stopKeepAlive();
+      window.location.reload();
+    });
+  }
+
   const clearAsync = async status => {
     return sendMessageAsync(registration)({ type: 'clear', data: { status }, configurationName });
   };
@@ -297,9 +417,18 @@ export const initWorkerAsync = async (
       const reloadCount = parseInt(sessionStorage.getItem(versionMismatchKey) ?? '0', 10);
       if (reloadCount < 3) {
         sessionStorage.setItem(versionMismatchKey, String(reloadCount + 1));
-        // If a new SW is already waiting, skip it into activation so controllerchange triggers reload
+
         if (registration.waiting) {
+          // A new SW is already waiting – activate it; controllerchange will trigger reload
           await sendSkipWaiting();
+          // If controllerchange did not reload yet, wait a moment then force reload
+          await sleepAsync({ milliseconds: 500 });
+          if (!controllerChangeReloading) {
+            controllerChangeReloading = true;
+            window.location.reload();
+          }
+          // Return a never-resolving promise to avoid returning stale tokens
+          return new Promise<never>(() => {});
         } else {
           // No waiting SW – force a fresh update and reload
           stopKeepAlive();
@@ -310,18 +439,24 @@ export const initWorkerAsync = async (
           }
           const isSuccess = await registration.unregister();
           console.log(`Service worker unregistering ${isSuccess}`);
-          await sleepAsync({ milliseconds: 2000 });
-          window.location.reload();
+          await sleepAsync({ milliseconds: 500 });
+          if (!controllerChangeReloading) {
+            controllerChangeReloading = true;
+            window.location.reload();
+          }
+          return new Promise<never>(() => {});
         }
       } else {
+        // Max retries reached – do NOT clear the key so future initAsync calls
+        // won't restart the cycle of 3 reloads
         console.error(
           `Service worker version mismatch persists after ${reloadCount} attempt(s). Continuing with mismatched version.`,
         );
-        sessionStorage.removeItem(versionMismatchKey);
       }
     } else {
-      // Version matches – clear any leftover mismatch counter
+      // Version matches – clear any leftover mismatch counter and reload counter
       sessionStorage.removeItem(versionMismatchKey);
+      clearControllerChangeReloadCount();
     }
 
     // @ts-ignore

package/src/keepSession.ts

@@ -1,4 +1,4 @@
-import { eventNames } from './events';
+import { eventNames } from './events';
 import { initSession } from './initSession';
 import { initWorkerAsync } from './initWorker';
 import Oidc from './oidc';
@@ -62,7 +62,11 @@ export const tryKeepSessionAsync = async (oidc: Oidc) => {
           message: 'service worker is not supported by this browser',
         });
       }
-      const session = initSession(oidc.configurationName, configuration.storage ?? sessionStorage);
+      const session = initSession(
+        oidc.configurationName,
+        configuration.storage ?? sessionStorage,
+        configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
+      );
       const { tokens } = await session.initAsync();
       if (tokens) {
         // @ts-ignore

package/src/login.ts

@@ -69,7 +69,11 @@ export const defaultLoginAsync =
           serviceWorker.startKeepAliveServiceWorker();
           storage = serviceWorker;
         } else {
-          const session = initSession(configurationName, configuration.storage ?? sessionStorage);
+          const session = initSession(
+            configurationName,
+            configuration.storage ?? sessionStorage,
+            configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
+          );
           session.setLoginParams({ callbackPath: url, extras: originExtras, scope: scope });
           await session.setNonceAsync(nonce);
           storage = session;
@@ -131,6 +135,7 @@ export const loginCallbackAsync =
         const session = initSession(
           oidc.configurationName,
           configuration.storage ?? sessionStorage,
+          configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
         );
         await session.setSessionStateAsync(sessionState);
         nonceData = await session.getNonceAsync();
@@ -186,7 +191,11 @@ export const loginCallbackAsync =
           const jwk = await generateJwkAsync(window)(
             configuration.demonstrating_proof_of_possession_configuration.generateKeyAlgorithm,
           );
-          const session = initSession(oidc.configurationName, configuration.storage);
+          const session = initSession(
+            oidc.configurationName,
+            configuration.storage,
+            configuration.login_state_storage ?? configuration.storage,
+          );
           await session.setDemonstratingProofOfPossessionJwkAsync(jwk);
           headersExtras['DPoP'] = await generateJwtDemonstratingProofOfPossessionAsync(window)(
             configuration.demonstrating_proof_of_possession_configuration,
@@ -251,7 +260,11 @@ export const loginCallbackAsync =
           );
         }
       } else {
-        const session = initSession(oidc.configurationName, configuration.storage);
+        const session = initSession(
+          oidc.configurationName,
+          configuration.storage,
+          configuration.login_state_storage ?? configuration.storage,
+        );
         loginParams = session.getLoginParams();
         if (demonstratingProofOfPossessionNonce) {
           await session.setDemonstratingProofOfPossessionNonce(demonstratingProofOfPossessionNonce);

package/src/logout.ts

@@ -46,7 +46,11 @@ export const destroyAsync = oidc => async status => {
   }
   const serviceWorker = await initWorkerAsync(oidc.configuration, oidc.configurationName);
   if (!serviceWorker) {
-    const session = initSession(oidc.configurationName, oidc.configuration.storage);
+    const session = initSession(
+      oidc.configurationName,
+      oidc.configuration.storage,
+      oidc.configuration.login_state_storage ?? oidc.configuration.storage,
+    );
     await session.clearAsync(status);
   } else {
     await serviceWorker.clearAsync(status);

package/src/oidc.ts

@@ -348,7 +348,11 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
       this.tokens = parsedTokens;
       const serviceWorker = await initWorkerAsync(this.configuration, this.configurationName);
       if (!serviceWorker) {
-        const session = initSession(this.configurationName, this.configuration.storage);
+        const session = initSession(
+          this.configurationName,
+          this.configuration.storage,
+          this.configuration.login_state_storage ?? this.configuration.storage,
+        );
         session.setTokens(parsedTokens);
       }
       this.publishEvent(Oidc.eventNames.token_acquired, parsedTokens);
@@ -388,7 +392,11 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
       return `DPOP_SECURED_BY_OIDC_SERVICE_WORKER_${this.configurationName}#tabId=${getTabId(this.configurationName)}`;
     }
 
-    const session = initSession(this.configurationName, configuration.storage);
+    const session = initSession(
+      this.configurationName,
+      configuration.storage,
+      configuration.login_state_storage ?? configuration.storage,
+    );
     const jwk = await session.getDemonstratingProofOfPossessionJwkAsync();
     const demonstratingProofOfPossessionNonce = session.getDemonstratingProofOfPossessionNonce();
 

package/src/renewTokens.ts

@@ -28,7 +28,11 @@ async function syncTokens(
 
   const serviceWorker = await initWorkerAsync(oidc.configuration, oidc.configurationName);
   if (!serviceWorker) {
-    const session = initSession(oidc.configurationName, oidc.configuration.storage);
+    const session = initSession(
+      oidc.configurationName,
+      oidc.configuration.storage,
+      oidc.configuration.login_state_storage ?? oidc.configuration.storage,
+    );
     session.setTokens(oidc.tokens);
   }
 
@@ -169,7 +173,11 @@ export const syncTokensInfoAsync =
       }
       nonce = await serviceWorker.getNonceAsync();
     } else {
-      const session = initSession(configurationName, configuration.storage ?? sessionStorage);
+      const session = initSession(
+        configurationName,
+        configuration.storage ?? sessionStorage,
+        configuration.login_state_storage ?? configuration.storage ?? sessionStorage,
+      );
       const initAsyncResponse = await session.initAsync();
       let { tokens } = initAsyncResponse;
       const { status } = initAsyncResponse;
@@ -263,7 +271,11 @@ const synchroniseTokensAsync =
         if (serviceWorker) {
           loginParams = serviceWorker.getLoginParams();
         } else {
-          const session = initSession(oidc.configurationName, configuration.storage);
+          const session = initSession(
+            oidc.configurationName,
+            configuration.storage,
+            configuration.login_state_storage ?? configuration.storage,
+          );
           loginParams = session.getLoginParams();
         }
         const silentLoginInput = {};
@@ -454,7 +466,11 @@ const synchroniseTokensAsync =
                     tokenResponse.demonstratingProofOfPossessionNonce,
                   );
                 } else {
-                  const session = initSession(oidc.configurationName, configuration.storage);
+                  const session = initSession(
+                    oidc.configurationName,
+                    configuration.storage,
+                    configuration.login_state_storage ?? configuration.storage,
+                  );
                   await session.setDemonstratingProofOfPossessionNonce(
                     tokenResponse.demonstratingProofOfPossessionNonce,
                   );

package/src/types.ts

@@ -39,6 +39,7 @@ export type OidcConfiguration = {
   extras?: StringMap;
   token_request_extras?: StringMap;
   storage?: Storage;
+  login_state_storage?: Storage;
   monitor_session?: boolean;
   token_renew_mode?: string;
   logout_tokens_to_invalidate?: Array<LogoutToken>;

package/src/version.ts

@@ -1 +1 @@
-export default '7.26.8';
+export default '7.27.1';