@axa-fr/oidc-client 7.27.17 → 7.27.19

package/src/initWorkerAbortError.spec.ts

@@ -0,0 +1,147 @@
+// Tests covering the AbortError handling added to initWorkerAsync.
+// See https://github.com/AxaFrance/oidc-client/issues/1675
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { initWorkerAsync, registrationCache } from './initWorker';
+import { OidcConfiguration } from './types';
+
+const SERVICE_WORKER_RELATIVE_URL = '/OidcServiceWorker.js';
+
+const buildConfiguration = (overrides: Partial<OidcConfiguration> = {}): OidcConfiguration => {
+  return {
+    client_id: 'test-client',
+    redirect_uri: 'http://localhost/callback',
+    scope: 'openid',
+    authority: 'http://authority',
+    service_worker_relative_url: SERVICE_WORKER_RELATIVE_URL,
+    service_worker_activate: () => true,
+    ...overrides,
+  } as OidcConfiguration;
+};
+
+const createAbortError = (): DOMException => {
+  // DOMException is available in the test environment (jsdom / happy-dom).
+  return new DOMException('The operation was aborted.', 'AbortError');
+};
+
+describe('initWorkerAsync AbortError handling', () => {
+  let originalNavigator: PropertyDescriptor | undefined;
+  let originalWindow: PropertyDescriptor | undefined;
+  let warnSpy: ReturnType<typeof vi.spyOn>;
+
+  beforeEach(() => {
+    registrationCache.clear();
+    originalNavigator = Object.getOwnPropertyDescriptor(globalThis, 'navigator');
+    originalWindow = Object.getOwnPropertyDescriptor(globalThis, 'window');
+    Object.defineProperty(globalThis, 'window', {
+      configurable: true,
+      value: {},
+    });
+    Object.defineProperty(globalThis, 'navigator', {
+      configurable: true,
+      value: {
+        serviceWorker: {
+          register: vi.fn(),
+          ready: Promise.resolve({} as ServiceWorkerRegistration),
+          controller: null,
+          addEventListener: vi.fn(),
+          removeEventListener: vi.fn(),
+        },
+      },
+    });
+    warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    registrationCache.clear();
+    if (originalNavigator) {
+      Object.defineProperty(globalThis, 'navigator', originalNavigator);
+    } else {
+      delete (globalThis as { navigator?: unknown }).navigator;
+    }
+    if (originalWindow) {
+      Object.defineProperty(globalThis, 'window', originalWindow);
+    } else {
+      delete (globalThis as { window?: unknown }).window;
+    }
+    vi.restoreAllMocks();
+  });
+
+  it('returns null when a custom service_worker_register rejects with an AbortError', async () => {
+    const abortError = createAbortError();
+    const service_worker_register = vi.fn(() => Promise.reject(abortError));
+
+    const result = await initWorkerAsync(
+      buildConfiguration({ service_worker_register }),
+      'default',
+    );
+
+    expect(result).toBeNull();
+    expect(service_worker_register).toHaveBeenCalledOnce();
+    expect(registrationCache.has(SERVICE_WORKER_RELATIVE_URL)).toBe(false);
+    expect(warnSpy).toHaveBeenCalled();
+  });
+
+  it('returns null when navigator.serviceWorker.register rejects with an AbortError', async () => {
+    const abortError = createAbortError();
+    (navigator.serviceWorker.register as unknown as ReturnType<typeof vi.fn>).mockImplementation(
+      () => Promise.reject(abortError),
+    );
+
+    const result = await initWorkerAsync(buildConfiguration(), 'default');
+
+    expect(result).toBeNull();
+    // The cache entry for the SW URL should have been cleared so a later retry is possible.
+    expect(Array.from(registrationCache.keys())).toHaveLength(0);
+    expect(warnSpy).toHaveBeenCalled();
+  });
+
+  it('also treats plain { name: "AbortError" } rejections as aborts', async () => {
+    const plainAbort = { name: 'AbortError', message: 'aborted' };
+    const service_worker_register = vi.fn(() => Promise.reject(plainAbort));
+
+    const result = await initWorkerAsync(
+      buildConfiguration({ service_worker_register }),
+      'default',
+    );
+
+    expect(result).toBeNull();
+    expect(registrationCache.has(SERVICE_WORKER_RELATIVE_URL)).toBe(false);
+  });
+
+  it('allows a subsequent call to retry registration after an AbortError', async () => {
+    const abortError = createAbortError();
+    const service_worker_register = vi
+      .fn()
+      .mockImplementationOnce(() => Promise.reject(abortError))
+      // Returning a never-resolving promise on the retry is fine for the assertion below:
+      // we only need to confirm that the function was called a second time after the
+      // failed cache entry was cleared.
+      .mockImplementationOnce(() => new Promise<ServiceWorkerRegistration>(() => {}));
+
+    const configuration = buildConfiguration({ service_worker_register });
+
+    const firstResult = await initWorkerAsync(configuration, 'default');
+    expect(firstResult).toBeNull();
+    expect(service_worker_register).toHaveBeenCalledTimes(1);
+
+    // Kick off the second call (don't await – the mocked promise never resolves).
+    void initWorkerAsync(configuration, 'default');
+    // Allow the microtask queue to drain so the registration call is observed.
+    await Promise.resolve();
+
+    expect(service_worker_register).toHaveBeenCalledTimes(2);
+  });
+
+  it('propagates non-AbortError rejections to the caller', async () => {
+    const genericError = new Error('boom');
+    const service_worker_register = vi.fn(() => Promise.reject(genericError));
+
+    await expect(
+      initWorkerAsync(buildConfiguration({ service_worker_register }), 'default'),
+    ).rejects.toBe(genericError);
+
+    // Non-AbortError rejections keep the cache entry in place (existing behavior).
+    expect(registrationCache.has(SERVICE_WORKER_RELATIVE_URL)).toBe(true);
+  });
+});

package/src/login.spec.ts

@@ -0,0 +1,151 @@
+// Tests for the guards added to loginCallbackAsync to surface missing /
+// mismatched state and missing nonce as typed `OidcStateError` instead of a
+// generic TypeError. See https://github.com/AxaFrance/oidc-client/issues/1678
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { ILOidcLocation } from './location';
+import { loginCallbackAsync } from './login';
+import { OidcStateError, OidcStateErrorCode } from './oidcStateError';
+
+const makeStorage = (): Storage => {
+  const store: Record<string, string> = {};
+  return {
+    getItem: (key: string) => store[key] ?? null,
+    setItem: (key: string, value: string) => {
+      store[key] = value;
+    },
+    removeItem: (key: string) => {
+      delete store[key];
+    },
+    clear: () => {
+      for (const key of Object.keys(store)) {
+        delete store[key];
+      }
+    },
+    get length() {
+      return Object.keys(store).length;
+    },
+    key: (index: number) => Object.keys(store)[index] ?? null,
+    [Symbol.iterator]: function* () {
+      yield* Object.entries(store);
+    },
+  } as unknown as Storage;
+};
+
+class FakeLocation implements ILOidcLocation {
+  constructor(private currentHref: string) {}
+  open(): void {}
+  reload(): void {}
+  getCurrentHref(): string {
+    return this.currentHref;
+  }
+  getPath(): string {
+    return '/callback';
+  }
+  getOrigin(): string {
+    return 'http://localhost:4200';
+  }
+}
+
+const buildOidc = ({ href, storage }: { href: string; storage: Storage }) => {
+  const publishedEvents: Array<{ name: string; data: unknown }> = [];
+  const configurationName = 'default';
+  const configuration = {
+    client_id: 'interactive.public.short',
+    redirect_uri: 'http://localhost:4200/authentication/callback',
+    silent_redirect_uri: 'http://localhost:4200/authentication/silent-callback',
+    scope: 'openid profile email',
+    authority: 'http://api',
+    refresh_time_before_tokens_expiration_in_second: 70,
+    token_request_timeout: 30000,
+    authority_configuration: null,
+    storage,
+    login_state_storage: storage,
+    // no service_worker_relative_url -> initWorkerAsync returns null
+  };
+  const oidc: any = {
+    configuration,
+    configurationName,
+    location: new FakeLocation(href),
+    publishEvent: (name: string, data: unknown) => {
+      publishedEvents.push({ name, data });
+    },
+    initAsync: vi.fn(async () => ({
+      issuer: 'http://api',
+      authorizationEndpoint: 'http://api/connect/authorize',
+      tokenEndpoint: 'http://api/connect/token',
+      checkSessionIframe: 'http://api/connect/checksession',
+    })),
+    startCheckSessionAsync: vi.fn(async () => undefined),
+  };
+  return { oidc, publishedEvents };
+};
+
+describe('loginCallbackAsync — state/nonce guards (issue #1678)', () => {
+  let storage: Storage;
+
+  beforeEach(() => {
+    storage = makeStorage();
+  });
+
+  it('throws OidcStateError(STATE_MISSING) when stored state is missing but callback URL contains state', async () => {
+    // No `oidc.state.default` written into storage at all (simulates a
+    // private-browsing tab, manual storage clear, or browser eviction
+    // between the authorize redirect and the callback).
+    const href = 'http://localhost:4200/authentication/callback?code=abc&state=server-state-value';
+    const { oidc, publishedEvents } = buildOidc({ href, storage });
+
+    await expect(loginCallbackAsync(oidc)()).rejects.toBeInstanceOf(OidcStateError);
+    await expect(loginCallbackAsync(oidc)()).rejects.toMatchObject({
+      code: OidcStateErrorCode.STATE_MISSING,
+    });
+
+    // The error must also be published as a loginCallbackAsync_error event
+    // so listeners (incl. the React provider) can react to it.
+    const errorEvent = publishedEvents.find(e => e.name === 'loginCallbackAsync_error');
+    expect(errorEvent).toBeDefined();
+    expect(errorEvent!.data).toBeInstanceOf(OidcStateError);
+  });
+
+  it('throws OidcStateError(STATE_MISMATCH) when the stored state differs from the returned one', async () => {
+    storage[`oidc.state.default`] = 'stored-state-value';
+    storage[`oidc.nonce.default`] = 'stored-nonce-value';
+    const href =
+      'http://localhost:4200/authentication/callback?code=abc&state=different-state-value';
+    const { oidc } = buildOidc({ href, storage });
+
+    await expect(loginCallbackAsync(oidc)()).rejects.toBeInstanceOf(OidcStateError);
+    await expect(loginCallbackAsync(oidc)()).rejects.toMatchObject({
+      code: OidcStateErrorCode.STATE_MISMATCH,
+    });
+  });
+
+  it('throws OidcStateError(NONCE_MISSING) when state is valid but nonce is missing from storage', async () => {
+    storage[`oidc.state.default`] = 'matching-state';
+    // No oidc.nonce.default written -> getNonceAsync returns { nonce: undefined }
+    const href = 'http://localhost:4200/authentication/callback?code=abc&state=matching-state';
+    const { oidc } = buildOidc({ href, storage });
+
+    await expect(loginCallbackAsync(oidc)()).rejects.toBeInstanceOf(OidcStateError);
+    await expect(loginCallbackAsync(oidc)()).rejects.toMatchObject({
+      code: OidcStateErrorCode.NONCE_MISSING,
+    });
+  });
+
+  it('does not throw a generic TypeError when state and nonce are both missing', async () => {
+    // Regression: before the fix, a missing nonce would surface as
+    // "Cannot read properties of undefined (reading 'nonce')" when reaching
+    // isTokensOidcValid(..., nonceData.nonce, ...).
+    const href = 'http://localhost:4200/authentication/callback?code=abc&state=server-state-value';
+    const { oidc } = buildOidc({ href, storage });
+
+    let caught: unknown;
+    try {
+      await loginCallbackAsync(oidc)();
+    } catch (e) {
+      caught = e;
+    }
+    expect(caught).toBeInstanceOf(OidcStateError);
+    expect(caught).not.toBeInstanceOf(TypeError);
+  });
+});

package/src/login.ts

@@ -5,6 +5,7 @@ import { initWorkerAsync } from './initWorker.js';
 import { generateJwkAsync, generateJwtDemonstratingProofOfPossessionAsync } from './jwt';
 import { ILOidcLocation } from './location';
 import Oidc from './oidc';
+import { OidcStateError, OidcStateErrorCode } from './oidcStateError.js';
 import { isTokensOidcValid } from './parseTokens.js';
 import { performAuthorizationRequestAsync, performFirstTokenRequestAsync } from './requests.js';
 import { getParseQueryStringFromLocation } from './route-utils.js';
@@ -156,8 +157,28 @@ export const loginCallbackAsync =
           `Issuer not valid (expected: ${oidcServerConfiguration.issuer}, received: ${queryParams.iss})`,
         );
       }
-      if (queryParams.state && queryParams.state !== state) {
-        throw new Error(`State not valid (expected: ${state}, received: ${queryParams.state})`);
+      // Surface missing / mismatched login state as a typed, identifiable error
+      // rather than a generic TypeError when later dereferencing nonceData.nonce.
+      // See https://github.com/AxaFrance/oidc-client/issues/1678
+      if (queryParams.state) {
+        if (!state) {
+          throw new OidcStateError(
+            OidcStateErrorCode.STATE_MISSING,
+            'OIDC state is missing from storage. The login state may have been cleared between the authorization redirect and the callback (e.g., private browsing, storage cleared, or browser eviction).',
+          );
+        }
+        if (queryParams.state !== state) {
+          throw new OidcStateError(
+            OidcStateErrorCode.STATE_MISMATCH,
+            `OIDC state does not match the stored one (expected: ${state}, received: ${queryParams.state}).`,
+          );
+        }
+      }
+      if (!nonceData || !nonceData.nonce) {
+        throw new OidcStateError(
+          OidcStateErrorCode.NONCE_MISSING,
+          'OIDC nonce is missing from storage. The login state may have been cleared between the authorization redirect and the callback (e.g., private browsing, storage cleared, or browser eviction).',
+        );
       }
 
       const data = {

package/src/oidcStateError.spec.ts

@@ -0,0 +1,33 @@
+import { describe, expect, it } from 'vitest';
+
+import { isOidcStateError, OidcStateError, OidcStateErrorCode } from './oidcStateError';
+
+describe('OidcStateError', () => {
+  it('exposes the well-known state error codes', () => {
+    expect(OidcStateErrorCode.STATE_MISSING).toBe('STATE_MISSING');
+    expect(OidcStateErrorCode.STATE_MISMATCH).toBe('STATE_MISMATCH');
+    expect(OidcStateErrorCode.NONCE_MISSING).toBe('NONCE_MISSING');
+  });
+
+  it('is an Error subclass with name "OidcStateError"', () => {
+    const err = new OidcStateError(OidcStateErrorCode.STATE_MISSING, 'missing');
+    expect(err).toBeInstanceOf(Error);
+    expect(err).toBeInstanceOf(OidcStateError);
+    expect(err.name).toBe('OidcStateError');
+  });
+
+  it('preserves the code and message passed to the constructor', () => {
+    const err = new OidcStateError(OidcStateErrorCode.STATE_MISMATCH, 'mismatch happened');
+    expect(err.code).toBe('STATE_MISMATCH');
+    expect(err.message).toBe('mismatch happened');
+  });
+
+  it('is detectable via isOidcStateError', () => {
+    const err = new OidcStateError(OidcStateErrorCode.NONCE_MISSING, 'nonce missing');
+    expect(isOidcStateError(err)).toBe(true);
+    expect(isOidcStateError(new Error('boom'))).toBe(false);
+    expect(isOidcStateError(null)).toBe(false);
+    expect(isOidcStateError(undefined)).toBe(false);
+    expect(isOidcStateError({ code: 'STATE_MISSING' })).toBe(false);
+  });
+});

package/src/oidcStateError.ts

@@ -0,0 +1,50 @@
+/**
+ * Stable, machine-readable codes for OIDC state / nonce failures occurring
+ * between the authorization redirect and the callback handling.
+ *
+ * These codes let consumers react to specific failure modes without having to
+ * pattern-match against error message strings.
+ */
+export const OidcStateErrorCode = {
+  /** No state was found in storage when handling the callback. */
+  STATE_MISSING: 'STATE_MISSING',
+  /** The state returned by the server does not match the stored one. */
+  STATE_MISMATCH: 'STATE_MISMATCH',
+  /** No nonce was found in storage when handling the callback / renewal. */
+  NONCE_MISSING: 'NONCE_MISSING',
+} as const;
+
+// Companion type that mirrors the const above. This is the standard TS
+// "string-enum-like" pattern; we intentionally reuse the same name so that
+// `OidcStateErrorCode` works as both a value namespace and a type for
+// consumers.
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export type OidcStateErrorCode = (typeof OidcStateErrorCode)[keyof typeof OidcStateErrorCode];
+
+/**
+ * Typed error thrown when the OIDC login state or nonce is missing,
+ * corrupted, or does not match the value returned by the authorization server.
+ *
+ * Consumers can use `instanceof OidcStateError` and inspect `code` instead of
+ * relying on the (unstable) error message text.
+ */
+export class OidcStateError extends Error {
+  readonly code: OidcStateErrorCode;
+
+  constructor(code: OidcStateErrorCode, message: string) {
+    super(message);
+    this.name = 'OidcStateError';
+    this.code = code;
+
+    // Keep prototype chain intact when transpiled to ES5.
+    Object.setPrototypeOf(this, OidcStateError.prototype);
+  }
+}
+
+/**
+ * Type guard for {@link OidcStateError}. Useful in callers that want to react
+ * specifically to state/nonce failures.
+ */
+export const isOidcStateError = (value: unknown): value is OidcStateError => {
+  return value instanceof OidcStateError;
+};

package/src/renewTokens.ts

@@ -446,6 +446,19 @@ const synchroniseTokensAsync =
             );
 
             if (tokenResponse.success) {
+              // Guard against a missing/corrupted nonce reaching id_token validation.
+              // Without this guard, accessing `nonce.nonce` would throw a TypeError
+              // when the underlying storage has been cleared (private mode, manual
+              // clearing, browser eviction). We prefer a defined SESSION_LOST result
+              // so silent renew stays non-throwing for consumers.
+              // See https://github.com/AxaFrance/oidc-client/issues/1678
+              if (!nonce || !nonce.nonce) {
+                updateTokens(null);
+                oidc.publishEvent(eventNames.refreshTokensAsync_error, {
+                  message: 'refresh token: nonce missing from storage',
+                });
+                return { tokens: null, status: 'SESSION_LOST' };
+              }
               const { isValid, reason } = isTokensOidcValid(
                 tokenResponse.data,
                 nonce.nonce,

package/src/version.ts

@@ -1 +1 @@
-export default '7.27.17';
+export default '7.27.19';