@axa-fr/react-oidc 6.24.27-alpha928 → 6.25.0-alpha939

package/service_worker/utils/tokens.ts

@@ -1,206 +0,0 @@
-import { TOKEN, TokenRenewMode } from '../constants';
-import { OidcConfig, OidcConfiguration, OidcServerConfiguration, Tokens } from '../types';
-import { countLetter } from './strings';
-
-function parseJwt(token: string) {
-  return JSON.parse(
-    b64DecodeUnicode(token.split('.')[1].replace('-', '+').replace('_', '/'))
-  );
-}
-function b64DecodeUnicode(str: string) {
-  return decodeURIComponent(
-    Array.prototype.map
-      .call(
-        atob(str),
-        (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)
-      )
-      .join('')
-  );
-}
-
-function computeTimeLeft(
-  refreshTimeBeforeTokensExpirationInSecond: number,
-  expiresAt: number
-) {
-  const currentTimeUnixSecond = new Date().getTime() / 1000;
-  return Math.round(
-    expiresAt -
-      refreshTimeBeforeTokensExpirationInSecond -
-      currentTimeUnixSecond
-  );
-}
-
-function isTokensValid(tokens: Tokens | null) {
-  if (!tokens) {
-    return false;
-  }
-  return computeTimeLeft(0, tokens.expiresAt) > 0;
-}
-
-const extractTokenPayload = (token?: string) => {
-  try {
-    if (!token) {
-      return null;
-    }
-    if (countLetter(token, '.') === 2) {
-      return parseJwt(token);
-    } else {
-      return null;
-    }
-  } catch (e) {
-    console.warn(e);
-  }
-  return null;
-};
-
-// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).
-// https://github.com/openid/AppAuth-JS/issues/65
-const isTokensOidcValid = (
-  tokens: Tokens,
-  nonce: string | null,
-  oidcServerConfiguration: OidcServerConfiguration
-): { isValid: boolean; reason: string } => {
-  if (tokens.idTokenPayload) {
-    const idTokenPayload = tokens.idTokenPayload;
-    // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
-    if (oidcServerConfiguration.issuer !== idTokenPayload.iss) {
-      return { isValid: false, reason: 'Issuer does not match' };
-    }
-    // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
-
-    // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.
-
-    // 9: The current time MUST be before the time represented by the exp Claim.
-    const currentTimeUnixSecond = new Date().getTime() / 1000;
-    if (idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {
-      return { isValid: false, reason: 'Token expired' };
-    }
-    // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.
-    const timeInSevenDays = 60 * 60 * 24 * 7;
-    if (
-      idTokenPayload.iat &&
-      idTokenPayload.iat + timeInSevenDays < currentTimeUnixSecond
-    ) {
-      return { isValid: false, reason: 'Token is used from too long time' };
-    }
-    // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
-    if (nonce && idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {
-      return { isValid: false, reason: 'Nonce does not match' };
-    }
-  }
-  return { isValid: true, reason: '' };
-};
-
-function _hideTokens(tokens: Tokens, currentDatabaseElement: OidcConfig, configurationName: string) {
-  if (!tokens.issued_at) {
-    const currentTimeUnixSecond = new Date().getTime() / 1000;
-    tokens.issued_at = currentTimeUnixSecond;
-  }
-
-  const accessTokenPayload = extractTokenPayload(tokens.access_token);
-  const secureTokens = {
-    ...tokens,
-    accessTokenPayload,
-  };
-  if (currentDatabaseElement.hideAccessToken) {
-    secureTokens.access_token = TOKEN.ACCESS_TOKEN + '_' + configurationName;
-  }
-  tokens.accessTokenPayload = accessTokenPayload;
-
-  let _idTokenPayload = null;
-  if (tokens.id_token) {
-    _idTokenPayload = extractTokenPayload(tokens.id_token);
-    tokens.idTokenPayload = {..._idTokenPayload};
-    if (_idTokenPayload.nonce && currentDatabaseElement.nonce != null) {
-      const keyNonce =
-          TOKEN.NONCE_TOKEN + '_' + currentDatabaseElement.configurationName;
-      _idTokenPayload.nonce = keyNonce;
-    }
-    secureTokens.idTokenPayload = _idTokenPayload;
-  }
-  if (tokens.refresh_token) {
-    secureTokens.refresh_token =
-        TOKEN.REFRESH_TOKEN + '_' + configurationName;
-  }
-
-  const idTokenExpiresAt =
-      _idTokenPayload && _idTokenPayload.exp
-          ? _idTokenPayload.exp
-          : Number.MAX_VALUE;
-  const accessTokenExpiresAt =
-      accessTokenPayload && accessTokenPayload.exp
-          ? accessTokenPayload.exp
-          : tokens.issued_at + tokens.expires_in;
-
-  let expiresAt: number;
-  const tokenRenewMode = (
-      currentDatabaseElement.oidcConfiguration as OidcConfiguration
-  ).token_renew_mode;
-  if (tokenRenewMode === TokenRenewMode.access_token_invalid) {
-    expiresAt = accessTokenExpiresAt;
-  } else if (tokenRenewMode === TokenRenewMode.id_token_invalid) {
-    expiresAt = idTokenExpiresAt;
-  } else {
-    expiresAt =
-        idTokenExpiresAt < accessTokenExpiresAt
-            ? idTokenExpiresAt
-            : accessTokenExpiresAt;
-  }
-  secureTokens.expiresAt = expiresAt;
-
-  tokens.expiresAt = expiresAt;
-  const nonce = currentDatabaseElement.nonce
-      ? currentDatabaseElement.nonce.nonce
-      : null;
-  const {isValid, reason} = isTokensOidcValid(
-      tokens,
-      nonce,
-      currentDatabaseElement.oidcServerConfiguration as OidcServerConfiguration
-  ); //TODO: Type assertion, could be null.
-  if (!isValid) {
-    throw Error(`Tokens are not OpenID valid, reason: ${reason}`);
-  }
-
-  // When refresh_token is not rotated we reuse ald refresh_token
-  if (
-      currentDatabaseElement.tokens != null &&
-      'refresh_token' in currentDatabaseElement.tokens &&
-      !('refresh_token' in tokens)
-  ) {
-    const refreshToken = currentDatabaseElement.tokens.refresh_token;
-
-    currentDatabaseElement.tokens = {
-      ...tokens,
-      refresh_token: refreshToken,
-    };
-  } else {
-    currentDatabaseElement.tokens = tokens;
-  }
-
-  currentDatabaseElement.status = 'LOGGED_IN';
-  return secureTokens;
-}
-
-function hideTokens(currentDatabaseElement: OidcConfig) {
-  const configurationName = currentDatabaseElement.configurationName;
-  return (response: Response) => {
-    if (response.status !== 200) {
-      return response;
-    }
-    return response.json().then<Response>((tokens: Tokens) => {
-      const secureTokens = _hideTokens(tokens, currentDatabaseElement, configurationName);
-      const body = JSON.stringify(secureTokens);
-      return new Response(body, response);
-    });
-  };
-}
-
-export {
-  b64DecodeUnicode,
-  computeTimeLeft,
-  isTokensValid,
-  extractTokenPayload,
-  isTokensOidcValid,
-  hideTokens,
-  _hideTokens
-};

package/src/oidc/vanilla/cache.ts

@@ -1,27 +0,0 @@
-
-const fetchFromIssuerCache = {};
-
-export const getFromCache = (localStorageKey, storage = window.sessionStorage, timeCacheSecond) => {
-    if (!fetchFromIssuerCache[localStorageKey]) {
-        if (storage) {
-            const cacheJson = storage.getItem(localStorageKey);
-            if (cacheJson) {
-                fetchFromIssuerCache[localStorageKey] = JSON.parse(cacheJson);
-            }
-        }
-    }
-    const oneHourMinisecond = 1000 * timeCacheSecond;
-    // @ts-ignore
-    if (fetchFromIssuerCache[localStorageKey] && (fetchFromIssuerCache[localStorageKey].timestamp + oneHourMinisecond) > Date.now()) {
-        return fetchFromIssuerCache[localStorageKey].result;
-    }
-    return null;
-};
-
-export const setCache = (localStorageKey, result, storage = window.sessionStorage) => {
-    const timestamp = Date.now();
-    fetchFromIssuerCache[localStorageKey] = { result, timestamp };
-    if (storage) {
-        storage.setItem(localStorageKey, JSON.stringify({ result, timestamp }));
-    }
-};

package/src/oidc/vanilla/checkSession.ts

@@ -1,60 +0,0 @@
-import { CheckSessionIFrame } from './checkSessionIFrame.js';
-import { _silentLoginAsync, SilentLoginResponse } from './silentLogin.js';
-import { OidcConfiguration } from './types.js';
-
-// eslint-disable-next-line @typescript-eslint/ban-types
-export const startCheckSessionAsync = (oidc:any, oidcDatabase:any, configuration :OidcConfiguration) => (checkSessionIFrameUri, clientId, sessionState, isSilentSignin = false) => {
-    const silentLoginAsync = (extras, state = undefined, scope = undefined):Promise<SilentLoginResponse> => {
-        return _silentLoginAsync(oidc.configurationName, configuration, oidc.publishEvent.bind(oidc))(extras, state, scope);
-    };
-
-    return new Promise<CheckSessionIFrame>((resolve, reject): void => {
-        if (configuration.silent_login_uri && configuration.silent_redirect_uri && configuration.monitor_session && checkSessionIFrameUri && sessionState && !isSilentSignin) {
-            const checkSessionCallback = () => {
-                oidc.checkSessionIFrame.stop();
-                const tokens = oidc.tokens;
-                if (tokens === null) {
-                    return;
-                }
-                const idToken = tokens.idToken;
-                const idTokenPayload = tokens.idTokenPayload;
-                return silentLoginAsync({
-                    prompt: 'none',
-                    id_token_hint: idToken,
-                    scope: configuration.scope || 'openid',
-                }).then((silentSigninResponse) => {
-                    const iFrameIdTokenPayload = silentSigninResponse.tokens.idTokenPayload;
-                    if (idTokenPayload.sub === iFrameIdTokenPayload.sub) {
-                        const sessionState = silentSigninResponse.sessionState;
-                        oidc.checkSessionIFrame.start(silentSigninResponse.sessionState);
-                        if (idTokenPayload.sid === iFrameIdTokenPayload.sid) {
-                            console.debug('SessionMonitor._callback: Same sub still logged in at OP, restarting check session iframe; session_state:', sessionState);
-                        } else {
-                            console.debug('SessionMonitor._callback: Same sub still logged in at OP, session state has changed, restarting check session iframe; session_state:', sessionState);
-                        }
-                    } else {
-                        console.debug('SessionMonitor._callback: Different subject signed into OP:', iFrameIdTokenPayload.sub);
-                    }
-                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                }).catch(async (e) => {
-                    console.warn('SessionMonitor._callback: Silent login failed, logging out other tabs:', e);
-                    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-                    for (const [key, oidc] of Object.entries(oidcDatabase)) {
-                        // @ts-ignore
-                        await oidc.logoutOtherTabAsync(configuration.client_id, idTokenPayload.sub);
-                    }
-                });
-            };
-
-            oidc.checkSessionIFrame = new CheckSessionIFrame(checkSessionCallback, clientId, checkSessionIFrameUri);
-            oidc.checkSessionIFrame.load().then(() => {
-                oidc.checkSessionIFrame.start(sessionState);
-                resolve(oidc.checkSessionIFrame);
-            }).catch((e) => {
-                reject(e);
-            });
-        } else {
-            resolve(null);
-        }
-    });
-};

package/src/oidc/vanilla/checkSessionIFrame.ts

@@ -1,83 +0,0 @@
-const DefaultInterval = 2000;
-
-const Log = console;
-
-export class CheckSessionIFrame {
-    private readonly _client_id: any;
-    private readonly _callback: any;
-    private _url: any;
-    private readonly _interval: number;
-    private readonly _stopOnError: boolean;
-    private readonly _frame_origin: string;
-    private readonly _frame: HTMLIFrameElement;
-    private _boundMessageEvent: any;
-    private _timer: number;
-    constructor(callback, client_id, url, interval = DefaultInterval, stopOnError = true) {
-        this._callback = callback;
-        this._client_id = client_id;
-        this._url = url;
-        this._interval = interval || DefaultInterval;
-        this._stopOnError = stopOnError;
-        const idx = url.indexOf('/', url.indexOf('//') + 2);
-        this._frame_origin = url.substr(0, idx);
-        this._frame = window.document.createElement('iframe');
-        this._frame.style.visibility = 'hidden';
-        this._frame.style.position = 'absolute';
-        this._frame.style.display = 'none';
-        // @ts-ignore
-        this._frame.width = 0;
-        // @ts-ignore
-        this._frame.height = 0;
-
-        this._frame.src = url;
-    }
-
-    load() {
-        return new Promise<void>((resolve) => {
-            this._frame.onload = () => {
-                resolve();
-            };
-            window.document.body.appendChild(this._frame);
-            this._boundMessageEvent = this._message.bind(this);
-            window.addEventListener('message', this._boundMessageEvent, false);
-        });
-    }
-
-    _message(e) {
-        if (e.origin === this._frame_origin &&
-            e.source === this._frame.contentWindow
-        ) {
-            if (e.data === 'error') {
-                Log.error('CheckSessionIFrame: error message from check session op iframe');
-                if (this._stopOnError) {
-                    this.stop();
-                }
-            } else if (e.data === 'changed') {
-                Log.debug(e);
-                Log.debug('CheckSessionIFrame: changed message from check session op iframe');
-                this.stop();
-                this._callback();
-            } else {
-                Log.debug('CheckSessionIFrame: ' + e.data + ' message from check session op iframe');
-            }
-        }
-    }
-
-    start(session_state) {
-            Log.debug('CheckSessionIFrame.start :' + session_state);
-            this.stop();
-            const send = () => {
-                this._frame.contentWindow.postMessage(this._client_id + ' ' + session_state, this._frame_origin);
-            };
-            send();
-            this._timer = window.setInterval(send, this._interval);
-    }
-
-    stop() {
-        if (this._timer) {
-            Log.debug('CheckSessionIFrame.stop');
-            window.clearInterval(this._timer);
-            this._timer = null;
-        }
-    }
-}

package/src/oidc/vanilla/crypto.ts

@@ -1,61 +0,0 @@
-import * as base64 from 'base64-js';
-
-const crytoInfo = () => {
-  const hasCrypto = typeof window !== 'undefined' && !!(window.crypto as any);
-  const hasSubtleCrypto = hasCrypto && !!(window.crypto.subtle as any);
-  return { hasCrypto, hasSubtleCrypto };
-};
-const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-
-const bufferToString = (buffer: Uint8Array) => {
-  const state = [];
-  for (let i = 0; i < buffer.byteLength; i += 1) {
-    const index = buffer[i] % charset.length;
-    state.push(charset[index]);
-  }
-  return state.join('');
-};
-
-const urlSafe = (buffer: Uint8Array): string => {
-  const encoded = base64.fromByteArray(new Uint8Array(buffer));
-  return encoded.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-};
-
-export const generateRandom = (size: number) => {
-    const buffer = new Uint8Array(size);
-    const { hasCrypto } = crytoInfo();
-    if (hasCrypto) {
-      window.crypto.getRandomValues(buffer);
-    } else {
-      // fall back to Math.random() if nothing else is available
-      for (let i = 0; i < size; i += 1) {
-        buffer[i] = (Math.random() * charset.length) | 0;
-      }
-    }
-    return bufferToString(buffer);
-  };
-
-export function textEncodeLite(str: string) {
-  const buf = new ArrayBuffer(str.length);
-  const bufView = new Uint8Array(buf);
-
-  for (let i = 0; i < str.length; i++) {
-    bufView[i] = str.charCodeAt(i);
-  }
-  return bufView;
-}
-  export const deriveChallengeAsync = (code: string): Promise<string> => {
-    if (code.length < 43 || code.length > 128) {
-      return Promise.reject(new Error('Invalid code length.'));
-    }
-    const { hasSubtleCrypto } = crytoInfo();
-    if (!hasSubtleCrypto) {
-      return Promise.reject(new Error('window.crypto.subtle is unavailable.'));
-    }
-
-    return new Promise((resolve, reject) => {
-      crypto.subtle.digest('SHA-256', textEncodeLite(code)).then(buffer => {
-        return resolve(urlSafe(new Uint8Array(buffer)));
-      }, error => reject(error));
-    });
-};

package/src/oidc/vanilla/events.ts

@@ -1,29 +0,0 @@
-
-export const eventNames = {
-    service_worker_not_supported_by_browser: 'service_worker_not_supported_by_browser',
-    token_aquired: 'token_aquired',
-    logout_from_another_tab: 'logout_from_another_tab',
-    logout_from_same_tab: 'logout_from_same_tab',
-    token_renewed: 'token_renewed',
-    token_timer: 'token_timer',
-    loginAsync_begin: 'loginAsync_begin',
-    loginAsync_error: 'loginAsync_error',
-    loginCallbackAsync_begin: 'loginCallbackAsync_begin',
-    loginCallbackAsync_end: 'loginCallbackAsync_end',
-    loginCallbackAsync_error: 'loginCallbackAsync_error',
-    refreshTokensAsync_begin: 'refreshTokensAsync_begin',
-    refreshTokensAsync: 'refreshTokensAsync',
-    refreshTokensAsync_end: 'refreshTokensAsync_end',
-    refreshTokensAsync_error: 'refreshTokensAsync_error',
-    refreshTokensAsync_silent_error: 'refreshTokensAsync_silent_error',
-    tryKeepExistingSessionAsync_begin: 'tryKeepExistingSessionAsync_begin',
-    tryKeepExistingSessionAsync_end: 'tryKeepExistingSessionAsync_end',
-    tryKeepExistingSessionAsync_error: 'tryKeepExistingSessionAsync_error',
-    silentLoginAsync_begin: 'silentLoginAsync_begin',
-    silentLoginAsync: 'silentLoginAsync',
-    silentLoginAsync_end: 'silentLoginAsync_end',
-    silentLoginAsync_error: 'silentLoginAsync_error',
-    syncTokensAsync_begin: 'syncTokensAsync_begin',
-    syncTokensAsync_end: 'syncTokensAsync_end',
-    syncTokensAsync_error: 'syncTokensAsync_error',
-};

package/src/oidc/vanilla/index.ts

@@ -1,2 +0,0 @@
-export { AuthorityConfiguration, Fetch, OidcConfiguration, StringMap } from './types.js';
-export { OidcUserInfo, VanillaOidc } from './vanillaOidc.js';

package/src/oidc/vanilla/iniWorker.spec.ts

@@ -1,21 +0,0 @@
-import { excludeOs, getOperatingSystem } from './initWorker';
-
-import { describe, it, expect } from 'vitest';
-
-describe('initWorker test Suite', () => {
-
-    it.each([['Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1', 'iOS', '12.1.0'],
-    ['Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1', 'Mac OS X', '10_15_6'],
-    ])(
-        'getOperatingSystem should return OS for Version',
-        (userAgent, expectedOs, expectedVersion) => {
-            const operatingSystem = getOperatingSystem({ userAgent, appVersion: 'OS ' + expectedVersion.replaceAll('.', '_') });
-            expect(expectedOs).toBe(operatingSystem.os);
-            expect(expectedVersion).toBe(operatingSystem.osVersion);
-    
-            const isExcluded = excludeOs(operatingSystem);
-            expect(isExcluded).toBe(true);
-        },
-    );
-
-});

package/src/oidc/vanilla/initSession.ts

@@ -1,90 +0,0 @@
-
-export const initSession = (configurationName, storage = sessionStorage) => {
-    const clearAsync = (status) => {
-        storage[`oidc.${configurationName}`] = JSON.stringify({ tokens: null, status });
-        return Promise.resolve();
-    };
-
-    const initAsync = async () => {
-        if (!storage[`oidc.${configurationName}`]) {
-            storage[`oidc.${configurationName}`] = JSON.stringify({ tokens: null, status: null });
-            return { tokens: null, status: null };
-        }
-        const data = JSON.parse(storage[`oidc.${configurationName}`]);
-        return Promise.resolve({ tokens: data.tokens, status: data.status });
-    };
-
-    const setTokens = (tokens) => {
-        storage[`oidc.${configurationName}`] = JSON.stringify({ tokens });
-    };
-
-    const setSessionStateAsync = async (sessionState) => {
-        storage[`oidc.session_state.${configurationName}`] = sessionState;
-    };
-
-    const getSessionStateAsync = async () => {
-        return storage[`oidc.session_state.${configurationName}`];
-    };
-
-    const setNonceAsync = (nonce) => {
-        localStorage[`oidc.nonce.${configurationName}`] = nonce.nonce;
-    };
-
-    const getNonceAsync = async () => {
-        // @ts-ignore
-        return { nonce: localStorage[`oidc.nonce.${configurationName}`] };
-    };
-
-    const getTokens = () => {
-        if (!storage[`oidc.${configurationName}`]) {
-            return null;
-        }
-        return JSON.stringify({ tokens: JSON.parse(storage[`oidc.${configurationName}`]).tokens });
-    };
-
-    let getLoginParamsCache = null;
-    const setLoginParams = (configurationName:string, data) => {
-        getLoginParamsCache = data;
-        storage[`oidc.login.${configurationName}`] = JSON.stringify(data);
-    };
-    const getLoginParams = (configurationName) => {
-        const dataString = storage[`oidc.login.${configurationName}`];
-        if (!getLoginParamsCache) {
-            getLoginParamsCache = JSON.parse(dataString);
-        }
-        return getLoginParamsCache;
-    };
-
-    const getStateAsync = async () => {
-        return storage[`oidc.state.${configurationName}`];
-    };
-
-    const setStateAsync = async (state:string) => {
-        storage[`oidc.state.${configurationName}`] = state;
-    };
-
-    const getCodeVerifierAsync = async () => {
-        return storage[`oidc.code_verifier.${configurationName}`];
-    };
-
-    const setCodeVerifierAsync = async (codeVerifier) => {
-        storage[`oidc.code_verifier.${configurationName}`] = codeVerifier;
-    };
-
-    return {
-        clearAsync,
-        initAsync,
-        setTokens,
-        getTokens,
-        setSessionStateAsync,
-        getSessionStateAsync,
-        setNonceAsync,
-        getNonceAsync,
-        setLoginParams,
-        getLoginParams,
-        getStateAsync,
-        setStateAsync,
-        getCodeVerifierAsync,
-        setCodeVerifierAsync,
-    };
-};