npm - @axa-fr/oidc-client - Versions diffs - 7.27.16 → 7.27.17 - Mend

@axa-fr/oidc-client 7.27.16 → 7.27.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/src/logout.spec.ts CHANGED Viewed

@@ -2,8 +2,9 @@
 import { describe, expect, it, vi } from 'vitest';
+import { eventNames } from './events';
 import { ILOidcLocation } from './location';
-import { logoutAsync } from './logout';
+import { clearSessionAsync, logoutAsync } from './logout';
 describe('Logout test suite', () => {
   const expectedFinalUrl =
@@ -138,4 +139,210 @@ describe('Logout test suite', () => {
       expect(finalUrl).toBe(expectedFinalUrl);
     },
   );
+  it('navigates to end_session_endpoint before clearing the local session (issue #1677)', async () => {
+    // This is the regression test for the race described in issue #1677.
+    // `OidcProvider`/`OidcSecure` watches `oidc.tokens`; if `destroyAsync`
+    // runs before `oicLocation.open`, the React tree can briefly observe a
+    // null token state and kick off a new auth flow before the navigation
+    // to the IdP's end-session endpoint commits.
+    const configuration = {
+      client_id: 'interactive.public.short',
+      authority: 'http://api',
+      logout_tokens_to_invalidate: ['access_token', 'refresh_token'],
+    };
+    const callOrder: string[] = [];
+    const mockFetchFn = vi.fn().mockImplementation(() => {
+      callOrder.push('revoke');
+      return Promise.resolve({ status: 200 });
+    });
+    const oidc: any = {
+      configuration,
+      tokens: {
+        idToken: 'abcd',
+        accessToken: 'abcd',
+        refreshToken: 'abdc',
+        idTokenPayload: { sub: 'sub-123' },
+      },
+      isLoggingOut: false,
+      initAsync: () =>
+        Promise.resolve({
+          revocationEndpoint: 'http://api/connect/revocation',
+          endSessionEndpoint: 'http://api/connect/endsession',
+        }),
+      destroyAsync: vi.fn().mockImplementation(() => {
+        callOrder.push('destroyAsync');
+        oidc.tokens = null;
+        return Promise.resolve();
+      }),
+      logoutSameTabAsync: () => Promise.resolve(),
+      publishEvent: (name: string) => callOrder.push(`publishEvent:${name}`),
+    };
+    const oidcDatabase = { default: oidc };
+    let navigatedUrl = '';
+    class OidcLocationMock implements ILOidcLocation {
+      open(url: string): void {
+        callOrder.push('open');
+        navigatedUrl = url;
+      }
+      getCurrentHref() {
+        return '';
+      }
+      getPath() {
+        return '';
+      }
+      reload() {
+        callOrder.push('reload');
+      }
+      getOrigin() {
+        return 'http://localhost:4200';
+      }
+    }
+    await logoutAsync(
+      oidc,
+      oidcDatabase,
+      mockFetchFn,
+      console,
+      new OidcLocationMock(),
+    )('/logged_out', null);
+    // Revocation comes first (so tokens are still valid when revoked),
+    // navigation comes second (page starts unloading), and only then we
+    // clear local state and broadcast `logout_from_same_tab`.
+    expect(callOrder[0]).toBe('revoke');
+    expect(callOrder[1]).toBe('revoke');
+    expect(callOrder[2]).toBe('open');
+    expect(callOrder.indexOf('destroyAsync')).toBeGreaterThan(callOrder.indexOf('open'));
+    expect(callOrder.indexOf(`publishEvent:${eventNames.logout_from_same_tab}`)).toBeGreaterThan(
+      callOrder.indexOf('open'),
+    );
+    // The id_token_hint must still be present on the navigation URL, even
+    // though local tokens have been cleared by `destroyAsync` afterwards.
+    expect(navigatedUrl).toContain('id_token_hint=abcd');
+    expect(navigatedUrl).toContain(
+      'post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Flogged_out',
+    );
+    // The flag stays set after the call returns: the page is expected to be
+    // unloading and any UI re-render that briefly observes `tokens === null`
+    // should skip starting a new login flow.
+    expect(oidc.isLoggingOut).toBe(true);
+  });
+  it('resets isLoggingOut and does not navigate when no_reload is requested', async () => {
+    const configuration = {
+      client_id: 'interactive.public.short',
+      authority: 'http://api',
+      logout_tokens_to_invalidate: [],
+    };
+    const events: string[] = [];
+    let navigated = false;
+    const oidc: any = {
+      configuration,
+      tokens: {
+        idToken: 'abcd',
+        accessToken: 'abcd',
+        refreshToken: 'abdc',
+        idTokenPayload: { sub: 'sub-123' },
+      },
+      isLoggingOut: false,
+      initAsync: () =>
+        Promise.resolve({
+          revocationEndpoint: 'http://api/connect/revocation',
+          endSessionEndpoint: 'http://api/connect/endsession',
+        }),
+      destroyAsync: () => Promise.resolve(),
+      logoutSameTabAsync: () => Promise.resolve(),
+      publishEvent: (name: string) => events.push(name),
+    };
+    const oidcDatabase = { default: oidc };
+    class OidcLocationMock implements ILOidcLocation {
+      open() {
+        navigated = true;
+      }
+      getCurrentHref() {
+        return '';
+      }
+      getPath() {
+        return '';
+      }
+      reload() {
+        navigated = true;
+      }
+      getOrigin() {
+        return 'http://localhost:4200';
+      }
+    }
+    await logoutAsync(
+      oidc,
+      oidcDatabase,
+      vi.fn(),
+      console,
+      new OidcLocationMock(),
+    )('/logged_out', { 'no_reload:oidc': 'true' });
+    expect(navigated).toBe(false);
+    expect(events).toContain(eventNames.logout_from_same_tab);
+    expect(oidc.isLoggingOut).toBe(false);
+  });
+  describe('clearSessionAsync', () => {
+    it('clears the local session and emits logout_from_same_tab without contacting the IdP', async () => {
+      const events: { name: string; data: unknown }[] = [];
+      const oidc: any = {
+        configuration: { client_id: 'interactive.public.short' },
+        tokens: {
+          idToken: 'abcd',
+          accessToken: 'abcd',
+          refreshToken: 'abdc',
+          idTokenPayload: { sub: 'sub-123' },
+        },
+        destroyAsync: vi.fn().mockImplementation(status => {
+          oidc.tokens = null;
+          events.push({ name: 'destroyAsync', data: status });
+          return Promise.resolve();
+        }),
+        logoutSameTabAsync: vi.fn().mockResolvedValue(undefined),
+        publishEvent: (name: string, data: unknown) => events.push({ name, data }),
+      };
+      const oidcDatabase = { default: oidc };
+      await clearSessionAsync(oidc, oidcDatabase)();
+      expect(oidc.destroyAsync).toHaveBeenCalledWith('LOGGED_OUT');
+      expect(oidc.tokens).toBeNull();
+      expect(events.some(e => e.name === eventNames.logout_from_same_tab)).toBe(true);
+    });
+    it('calls logoutSameTabAsync for sibling OIDC clients registered in the same tab', async () => {
+      const oidc: any = {
+        configuration: { client_id: 'interactive.public.short' },
+        tokens: {
+          idToken: 'abcd',
+          accessToken: 'abcd',
+          refreshToken: 'abdc',
+          idTokenPayload: { sub: 'sub-123' },
+        },
+        destroyAsync: () => Promise.resolve(),
+        logoutSameTabAsync: vi.fn().mockResolvedValue(undefined),
+        publishEvent: () => undefined,
+      };
+      const sibling: any = { configuration: { client_id: 'other' } };
+      const oidcDatabase = { default: oidc, other: sibling };
+      await clearSessionAsync(oidc, oidcDatabase)();
+      expect(oidc.logoutSameTabAsync).toHaveBeenCalledWith('interactive.public.short', 'sub-123');
+    });
+  });
 });

package/src/logout.ts CHANGED Viewed

@@ -59,6 +59,58 @@ export const destroyAsync = oidc => async status => {
   oidc.userInfo = null;
 };
+/**
+ * Clears the local OIDC session (tokens, user info, service-worker storage)
+ * and broadcasts `logout_from_same_tab` to any other OIDC clients registered
+ * in the same tab.
+ *
+ * It is intentionally decoupled from `logoutAsync`: callers that want to drop
+ * the local session without contacting the identity provider — for example a
+ * service-worker-only flow, a SPA-only logout, or an error-recovery path —
+ * can use this helper directly. `logoutAsync` itself calls it as the very
+ * last step, after the browser navigation to `end_session_endpoint` has been
+ * scheduled, so that the React tree never observes a transient "no tokens"
+ * state before the page is unloaded.
+ */
+export const clearSessionAsync = (oidc, oidcDatabase) => async () => {
+  const sub = oidc.tokens?.idTokenPayload?.sub ?? null;
+  await oidc.destroyAsync('LOGGED_OUT');
+  for (const [, itemOidc] of Object.entries(oidcDatabase)) {
+    if (itemOidc !== oidc) {
+      // @ts-ignore
+      await oidc.logoutSameTabAsync(oidc.configuration.client_id, sub);
+    } else {
+      oidc.publishEvent(eventNames.logout_from_same_tab, {});
+    }
+  }
+};
+const buildEndSessionUrl = (
+  endSessionEndpoint: string,
+  endPointExtras: StringMap,
+  idToken: string,
+  postLogoutRedirectUri: string | null,
+): string => {
+  if (!('id_token_hint' in endPointExtras)) {
+    endPointExtras['id_token_hint'] = idToken;
+  }
+  if (!('post_logout_redirect_uri' in endPointExtras) && postLogoutRedirectUri !== null) {
+    endPointExtras['post_logout_redirect_uri'] = postLogoutRedirectUri;
+  }
+  let queryString = '';
+  for (const [key, value] of Object.entries(endPointExtras)) {
+    if (value !== null && value !== undefined) {
+      if (queryString === '') {
+        queryString += '?';
+      } else {
+        queryString += '&';
+      }
+      queryString += `${key}=${encodeURIComponent(value)}`;
+    }
+  }
+  return `${endSessionEndpoint}${queryString}`;
+};
 export const logoutAsync =
   (oidc, oidcDatabase, fetch, console, oicLocation: ILOidcLocation) =>
   async (callbackPathOrUrl: string | null | undefined = undefined, extras: StringMap = null) => {
@@ -79,94 +131,111 @@ export const logoutAsync =
     if (callbackPathOrUrl) {
       isUri = callbackPathOrUrl.includes('https://') || callbackPathOrUrl.includes('http://');
     }
-    const url = isUri ? callbackPathOrUrl : oicLocation.getOrigin() + path;
+    const postLogoutRedirectUri =
+      callbackPathOrUrl === null
+        ? null
+        : isUri
+          ? callbackPathOrUrl
+          : oicLocation.getOrigin() + path;
+    // Capture identifiers from the live session *before* any clear happens, so the
+    // values stay valid no matter when we drop local state.
     // @ts-ignore
     const idToken = oidc.tokens ? oidc.tokens.idToken : '';
+    // Mark the instance as "logout in progress" so consumers (OidcSecure, route
+    // guards, silent renew, 401 retry interceptors, …) can back off from
+    // triggering a new auth flow during the window between us clearing the
+    // local session and the browser actually navigating away.
+    oidc.isLoggingOut = true;
     try {
-      const revocationEndpoint = oidcServerConfiguration.revocationEndpoint;
-      if (revocationEndpoint) {
-        const promises = [];
-        const accessToken = oidc.tokens ? oidc.tokens.accessToken : null;
-        if (
-          accessToken &&
-          configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.access_token)
-        ) {
-          const revokeAccessTokenExtras = extractExtras(extras, ':revoke_access_token');
-          const revokeAccessTokenPromise = performRevocationRequestAsync(fetch)(
-            revocationEndpoint,
-            accessToken,
-            TOKEN_TYPE.access_token,
-            configuration.client_id,
-            revokeAccessTokenExtras,
-          );
-          promises.push(revokeAccessTokenPromise);
-        }
-        const refreshToken = oidc.tokens ? oidc.tokens.refreshToken : null;
-        if (
-          refreshToken &&
-          configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.refresh_token)
-        ) {
-          const revokeAccessTokenExtras = extractExtras(extras, ':revoke_refresh_token');
-          const revokeRefreshTokenPromise = performRevocationRequestAsync(fetch)(
-            revocationEndpoint,
-            refreshToken,
-            TOKEN_TYPE.refresh_token,
-            configuration.client_id,
-            revokeAccessTokenExtras,
-          );
-          promises.push(revokeRefreshTokenPromise);
-        }
-        if (promises.length > 0) {
-          await Promise.all(promises);
+      try {
+        const revocationEndpoint = oidcServerConfiguration.revocationEndpoint;
+        if (revocationEndpoint) {
+          const promises = [];
+          const accessToken = oidc.tokens ? oidc.tokens.accessToken : null;
+          if (
+            accessToken &&
+            configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.access_token)
+          ) {
+            const revokeAccessTokenExtras = extractExtras(extras, ':revoke_access_token');
+            const revokeAccessTokenPromise = performRevocationRequestAsync(fetch)(
+              revocationEndpoint,
+              accessToken,
+              TOKEN_TYPE.access_token,
+              configuration.client_id,
+              revokeAccessTokenExtras,
+            );
+            promises.push(revokeAccessTokenPromise);
+          }
+          const refreshToken = oidc.tokens ? oidc.tokens.refreshToken : null;
+          if (
+            refreshToken &&
+            configuration.logout_tokens_to_invalidate.includes(oidcLogoutTokens.refresh_token)
+          ) {
+            const revokeAccessTokenExtras = extractExtras(extras, ':revoke_refresh_token');
+            const revokeRefreshTokenPromise = performRevocationRequestAsync(fetch)(
+              revocationEndpoint,
+              refreshToken,
+              TOKEN_TYPE.refresh_token,
+              configuration.client_id,
+              revokeAccessTokenExtras,
+            );
+            promises.push(revokeRefreshTokenPromise);
+          }
+          if (promises.length > 0) {
+            // Revocation must be awaited *before* navigation, so a cancelled
+            // navigation can never leave valid tokens behind both in storage
+            // and on the authorization server.
+            await Promise.all(promises);
+          }
         }
+      } catch (exception) {
+        console.warn(
+          'logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error',
+        );
+        console.warn(exception);
       }
-    } catch (exception) {
-      console.warn(
-        'logoutAsync: error when revoking tokens, if the error persist, you ay configure property logout_tokens_to_invalidate from configuration to avoid this error',
-      );
-      console.warn(exception);
-    }
-    const sub = oidc.tokens?.idTokenPayload?.sub ?? null;
-    await oidc.destroyAsync('LOGGED_OUT');
-    for (const [, itemOidc] of Object.entries(oidcDatabase)) {
-      if (itemOidc !== oidc) {
-        // @ts-ignore
-        await oidc.logoutSameTabAsync(oidc.configuration.client_id, sub);
-      } else {
-        oidc.publishEvent(eventNames.logout_from_same_tab, {});
-      }
-    }
-    const oidcExtras = extractExtras(extras, ':oidc');
-    const noReload = oidcExtras && oidcExtras['no_reload'] === 'true';
-    if (noReload) {
-      return;
-    }
-    const endPointExtras = keepExtras(extras);
+      const oidcExtras = extractExtras(extras, ':oidc');
+      const noReload = oidcExtras && oidcExtras['no_reload'] === 'true';
-    if (oidcServerConfiguration.endSessionEndpoint) {
-      if (!('id_token_hint' in endPointExtras)) {
-        endPointExtras['id_token_hint'] = idToken;
-      }
-      if (!('post_logout_redirect_uri' in endPointExtras) && callbackPathOrUrl !== null) {
-        endPointExtras['post_logout_redirect_uri'] = url;
+      if (noReload) {
+        // No navigation happens here: this branch is essentially a "clear local
+        // session" call dressed as a logout. We can drop state immediately and
+        // reset the flag since the call returns normally to the caller.
+        await clearSessionAsync(oidc, oidcDatabase)();
+        oidc.isLoggingOut = false;
+        return;
       }
-      let queryString = '';
-      for (const [key, value] of Object.entries(endPointExtras)) {
-        if (value !== null && value !== undefined) {
-          if (queryString === '') {
-            queryString += '?';
-          } else {
-            queryString += '&';
-          }
-          queryString += `${key}=${encodeURIComponent(value)}`;
-        }
+      // Navigate to the end-session endpoint (or reload) *before* clearing the
+      // local session. This closes the race where `OidcProvider` /
+      // `OidcSecure` / silent-renew timers observe a null `tokens` and kick
+      // off a new auth flow in the window between local clear and navigation.
+      const endPointExtras = keepExtras(extras);
+      if (oidcServerConfiguration.endSessionEndpoint) {
+        const endSessionUrl = buildEndSessionUrl(
+          oidcServerConfiguration.endSessionEndpoint,
+          endPointExtras,
+          idToken,
+          postLogoutRedirectUri,
+        );
+        oicLocation.open(endSessionUrl);
+      } else {
+        oicLocation.reload();
       }
-      oicLocation.open(`${oidcServerConfiguration.endSessionEndpoint}${queryString}`);
-    } else {
-      oicLocation.reload();
+      // Now that navigation has been scheduled, drop the local session. By the
+      // time React re-renders against the null tokens the page is already
+      // unloading; if for any reason it is not (e.g. navigation cancelled by a
+      // `beforeunload` handler) the `isLoggingOut` flag stays set so guards
+      // still know not to start a fresh auth flow.
+      await clearSessionAsync(oidc, oidcDatabase)();
+    } catch (exception) {
+      // If anything went wrong, reset the flag so the app is not stuck in a
+      // "logging out forever" state.
+      oidc.isLoggingOut = false;
+      throw exception;
     }
   };

package/src/oidc.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import {
 import { tryKeepSessionAsync } from './keepSession';
 import { ILOidcLocation, OidcLocation } from './location';
 import { defaultLoginAsync, loginCallbackAsync } from './login.js';
-import { destroyAsync, logoutAsync } from './logout.js';
+import { clearSessionAsync, destroyAsync, logoutAsync } from './logout.js';
 import { TokenRenewMode, Tokens } from './parseTokens.js';
 import { autoRenewTokens, renewTokensAndStartTimerAsync } from './renewTokens.js';
 import { fetchFromIssuer } from './requests.js';
@@ -99,6 +99,14 @@ export class Oidc {
   public checkSessionIFrame: CheckSessionIFrame;
   public getFetch: () => Fetch;
   public location: ILOidcLocation;
+  /**
+   * `true` while {@link logoutAsync} is executing or has scheduled a
+   * navigation to the identity provider's end-session endpoint that has not
+   * yet committed. Consumers (UI guards, silent-renew handlers, 401 retry
+   * interceptors, …) should check this flag and skip starting a new auth
+   * flow when it is set, even if `tokens` is null.
+   */
+  public isLoggingOut = false;
   constructor(
     configuration: OidcConfiguration,
     configurationName = 'default',
@@ -477,6 +485,27 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
     return await destroyAsync(this)(status);
   }
+  /**
+   * Drops the local OIDC session (tokens, user info, service-worker storage)
+   * and broadcasts `logout_from_same_tab`, without contacting the identity
+   * provider's `end_session_endpoint` and without revoking tokens.
+   *
+   * Use this for SPA-only logouts, service-worker-only flows, or
+   * error-recovery paths where a full IdP logout is not needed or not
+   * desirable. For a standard OIDC RP-initiated logout use
+   * {@link logoutAsync} instead.
+   */
+  clearSessionPromise: Promise<void> = null;
+  async clearSessionAsync(): Promise<void> {
+    if (this.clearSessionPromise) {
+      return this.clearSessionPromise;
+    }
+    this.clearSessionPromise = clearSessionAsync(this, oidcDatabase)();
+    return this.clearSessionPromise.finally(() => {
+      this.clearSessionPromise = null;
+    });
+  }
   async logoutSameTabAsync(clientId: string, sub: any) {
     // @ts-ignore
     if (

package/src/oidcClient.ts CHANGED Viewed

@@ -84,6 +84,32 @@ export class OidcClient {
     return this._oidc.logoutAsync(callbackPathOrUrl, extras);
   }
+  /**
+   * Drops the local OIDC session (tokens, user info, service-worker storage)
+   * and notifies same-tab listeners via the `logout_from_same_tab` event,
+   * without contacting the identity provider's `end_session_endpoint` and
+   * without revoking tokens.
+   *
+   * Use this for SPA-only logouts, service-worker-only flows, or
+   * error-recovery paths. For a standard OIDC RP-initiated logout (with
+   * token revocation and navigation to the IdP's end-session endpoint) use
+   * {@link logoutAsync} instead.
+   */
+  clearSessionAsync(): Promise<void> {
+    return this._oidc.clearSessionAsync();
+  }
+  /**
+   * `true` while a logout flow is in progress: between the moment
+   * {@link logoutAsync} starts and the moment the browser navigates away to
+   * the identity provider's end-session endpoint. UI guards and silent-renew
+   * handlers should check this flag to avoid kicking off a new auth flow
+   * during that window.
+   */
+  get isLoggingOut(): boolean {
+    return this._oidc.isLoggingOut === true;
+  }
   silentLoginCallbackAsync(): Promise<void> {
     return this._oidc.silentLoginCallbackAsync();
   }

package/src/version.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export default '7.27.16';
1	+ export default '7.27.17';