@axa-fr/oidc-client 7.27.16 → 7.27.18

package/src/oidc.ts

@@ -12,7 +12,7 @@ import {
 import { tryKeepSessionAsync } from './keepSession';
 import { ILOidcLocation, OidcLocation } from './location';
 import { defaultLoginAsync, loginCallbackAsync } from './login.js';
-import { destroyAsync, logoutAsync } from './logout.js';
+import { clearSessionAsync, destroyAsync, logoutAsync } from './logout.js';
 import { TokenRenewMode, Tokens } from './parseTokens.js';
 import { autoRenewTokens, renewTokensAndStartTimerAsync } from './renewTokens.js';
 import { fetchFromIssuer } from './requests.js';
@@ -99,6 +99,14 @@ export class Oidc {
   public checkSessionIFrame: CheckSessionIFrame;
   public getFetch: () => Fetch;
   public location: ILOidcLocation;
+  /**
+   * `true` while {@link logoutAsync} is executing or has scheduled a
+   * navigation to the identity provider's end-session endpoint that has not
+   * yet committed. Consumers (UI guards, silent-renew handlers, 401 retry
+   * interceptors, …) should check this flag and skip starting a new auth
+   * flow when it is set, even if `tokens` is null.
+   */
+  public isLoggingOut = false;
   constructor(
     configuration: OidcConfiguration,
     configurationName = 'default',
@@ -477,6 +485,27 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
     return await destroyAsync(this)(status);
   }
 
+  /**
+   * Drops the local OIDC session (tokens, user info, service-worker storage)
+   * and broadcasts `logout_from_same_tab`, without contacting the identity
+   * provider's `end_session_endpoint` and without revoking tokens.
+   *
+   * Use this for SPA-only logouts, service-worker-only flows, or
+   * error-recovery paths where a full IdP logout is not needed or not
+   * desirable. For a standard OIDC RP-initiated logout use
+   * {@link logoutAsync} instead.
+   */
+  clearSessionPromise: Promise<void> = null;
+  async clearSessionAsync(): Promise<void> {
+    if (this.clearSessionPromise) {
+      return this.clearSessionPromise;
+    }
+    this.clearSessionPromise = clearSessionAsync(this, oidcDatabase)();
+    return this.clearSessionPromise.finally(() => {
+      this.clearSessionPromise = null;
+    });
+  }
+
   async logoutSameTabAsync(clientId: string, sub: any) {
     // @ts-ignore
     if (

package/src/oidcClient.ts

@@ -84,6 +84,32 @@ export class OidcClient {
     return this._oidc.logoutAsync(callbackPathOrUrl, extras);
   }
 
+  /**
+   * Drops the local OIDC session (tokens, user info, service-worker storage)
+   * and notifies same-tab listeners via the `logout_from_same_tab` event,
+   * without contacting the identity provider's `end_session_endpoint` and
+   * without revoking tokens.
+   *
+   * Use this for SPA-only logouts, service-worker-only flows, or
+   * error-recovery paths. For a standard OIDC RP-initiated logout (with
+   * token revocation and navigation to the IdP's end-session endpoint) use
+   * {@link logoutAsync} instead.
+   */
+  clearSessionAsync(): Promise<void> {
+    return this._oidc.clearSessionAsync();
+  }
+
+  /**
+   * `true` while a logout flow is in progress: between the moment
+   * {@link logoutAsync} starts and the moment the browser navigates away to
+   * the identity provider's end-session endpoint. UI guards and silent-renew
+   * handlers should check this flag to avoid kicking off a new auth flow
+   * during that window.
+   */
+  get isLoggingOut(): boolean {
+    return this._oidc.isLoggingOut === true;
+  }
+
   silentLoginCallbackAsync(): Promise<void> {
     return this._oidc.silentLoginCallbackAsync();
   }

package/src/oidcStateError.spec.ts

@@ -0,0 +1,33 @@
+import { describe, expect, it } from 'vitest';
+
+import { isOidcStateError, OidcStateError, OidcStateErrorCode } from './oidcStateError';
+
+describe('OidcStateError', () => {
+  it('exposes the well-known state error codes', () => {
+    expect(OidcStateErrorCode.STATE_MISSING).toBe('STATE_MISSING');
+    expect(OidcStateErrorCode.STATE_MISMATCH).toBe('STATE_MISMATCH');
+    expect(OidcStateErrorCode.NONCE_MISSING).toBe('NONCE_MISSING');
+  });
+
+  it('is an Error subclass with name "OidcStateError"', () => {
+    const err = new OidcStateError(OidcStateErrorCode.STATE_MISSING, 'missing');
+    expect(err).toBeInstanceOf(Error);
+    expect(err).toBeInstanceOf(OidcStateError);
+    expect(err.name).toBe('OidcStateError');
+  });
+
+  it('preserves the code and message passed to the constructor', () => {
+    const err = new OidcStateError(OidcStateErrorCode.STATE_MISMATCH, 'mismatch happened');
+    expect(err.code).toBe('STATE_MISMATCH');
+    expect(err.message).toBe('mismatch happened');
+  });
+
+  it('is detectable via isOidcStateError', () => {
+    const err = new OidcStateError(OidcStateErrorCode.NONCE_MISSING, 'nonce missing');
+    expect(isOidcStateError(err)).toBe(true);
+    expect(isOidcStateError(new Error('boom'))).toBe(false);
+    expect(isOidcStateError(null)).toBe(false);
+    expect(isOidcStateError(undefined)).toBe(false);
+    expect(isOidcStateError({ code: 'STATE_MISSING' })).toBe(false);
+  });
+});

package/src/oidcStateError.ts

@@ -0,0 +1,50 @@
+/**
+ * Stable, machine-readable codes for OIDC state / nonce failures occurring
+ * between the authorization redirect and the callback handling.
+ *
+ * These codes let consumers react to specific failure modes without having to
+ * pattern-match against error message strings.
+ */
+export const OidcStateErrorCode = {
+  /** No state was found in storage when handling the callback. */
+  STATE_MISSING: 'STATE_MISSING',
+  /** The state returned by the server does not match the stored one. */
+  STATE_MISMATCH: 'STATE_MISMATCH',
+  /** No nonce was found in storage when handling the callback / renewal. */
+  NONCE_MISSING: 'NONCE_MISSING',
+} as const;
+
+// Companion type that mirrors the const above. This is the standard TS
+// "string-enum-like" pattern; we intentionally reuse the same name so that
+// `OidcStateErrorCode` works as both a value namespace and a type for
+// consumers.
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export type OidcStateErrorCode = (typeof OidcStateErrorCode)[keyof typeof OidcStateErrorCode];
+
+/**
+ * Typed error thrown when the OIDC login state or nonce is missing,
+ * corrupted, or does not match the value returned by the authorization server.
+ *
+ * Consumers can use `instanceof OidcStateError` and inspect `code` instead of
+ * relying on the (unstable) error message text.
+ */
+export class OidcStateError extends Error {
+  readonly code: OidcStateErrorCode;
+
+  constructor(code: OidcStateErrorCode, message: string) {
+    super(message);
+    this.name = 'OidcStateError';
+    this.code = code;
+
+    // Keep prototype chain intact when transpiled to ES5.
+    Object.setPrototypeOf(this, OidcStateError.prototype);
+  }
+}
+
+/**
+ * Type guard for {@link OidcStateError}. Useful in callers that want to react
+ * specifically to state/nonce failures.
+ */
+export const isOidcStateError = (value: unknown): value is OidcStateError => {
+  return value instanceof OidcStateError;
+};

package/src/renewTokens.ts

@@ -446,6 +446,19 @@ const synchroniseTokensAsync =
             );
 
             if (tokenResponse.success) {
+              // Guard against a missing/corrupted nonce reaching id_token validation.
+              // Without this guard, accessing `nonce.nonce` would throw a TypeError
+              // when the underlying storage has been cleared (private mode, manual
+              // clearing, browser eviction). We prefer a defined SESSION_LOST result
+              // so silent renew stays non-throwing for consumers.
+              // See https://github.com/AxaFrance/oidc-client/issues/1678
+              if (!nonce || !nonce.nonce) {
+                updateTokens(null);
+                oidc.publishEvent(eventNames.refreshTokensAsync_error, {
+                  message: 'refresh token: nonce missing from storage',
+                });
+                return { tokens: null, status: 'SESSION_LOST' };
+              }
               const { isValid, reason } = isTokensOidcValid(
                 tokenResponse.data,
                 nonce.nonce,

package/src/version.ts

@@ -1 +1 @@
-export default '7.27.16';
+export default '7.27.18';