@civic/auth 0.0.1--.tsc.alpha.1

package/dist/esm/src/services/AuthenticationService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthenticationService.js","sourceRoot":"","sources":["../../../../src/services/AuthenticationService.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAS9E,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,WAAW,EACX,SAAS,EACT,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,cAAc,EACd,WAAW,EACX,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAM3D,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAEnE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,8BAA8B;IACjC,kBAAkB,GAA2C,IAAI,CAAC;IAEhE,MAAM,CAcd;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,4CAA4C,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,CAAC,IAAI,CACV,qEAAqE,EACrE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;IACrC,CAAC;IAED,uGAAuG;IACvG,qEAAqE;IACrE,KAAK,CAAC,MAAM,CAAC,SAAmC;QAC9C,MAAM,GAAG,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErD,IAAI,CAAC,kBAAkB,GAAG,CAAC,KAAmB,EAAE,EAAE;YAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9C,IACE,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClC,OAAO,CAAC,QAAQ,KAAK,WAAW,EAChC,CAAC;gBACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnE,OAAO,CAAC,GAAG,CAAC,yCAAyC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;oBACnE,OAAO;gBACT,CAAC;gBACD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAwB,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC3D,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC;QACH,CAAC,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC5D,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,IAAI,CAAC,SAAS;gBACZ,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACpE,SAAS,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;gBACnC,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,UAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,UAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC/C,WAAW,CAAC,YAAY,CAAC,CAAC;QAC1B,SAAS,CAAC,YAAY,CAAC,CAAC;QACxB,uEAAuE;QACvE,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,8BAA8B;IAC/B,MAAM,CAWd;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,4CAA4C,EAAE;YACxD,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED,uGAAuG;IACvG,4BAA4B;IAC5B,KAAK,CAAC,MAAM;QACV,OAAO,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,OAAO,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;CACF;AAWD;;;GAGG;AACH,MAAM,OAAO,4BAA6B,SAAQ,8BAA8B;IAQlE;IAPJ,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,0EAA0E;IAC1E,YACE,MAAmC;IACnC,6FAA6F;IACnF,eAAe,IAAI,+BAA+B,EAAE;QAE9D,OAAO,CAAC,GAAG,CAAC,0CAA0C,EAAE;YACtD,MAAM;SACP,CAAC,CAAC;QACH,KAAK,CAAC;YACJ,GAAG,MAAM;YACT,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC;YACxC,yDAAyD;YACzD,YAAY,EAAE,YAAY;SAC3B,CAAC,CAAC;QAVO,iBAAY,GAAZ,YAAY,CAAwC;IAWhE,CAAC;IAED,kFAAkF;IAClF,oGAAoG;IACpG,kDAAkD;IAClD,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wBAAwB;IACxB,uEAAuE;IACvE,uCAAuC;IACvC,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAC/D,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAEzE,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,SAAU,CAChB,CAAC;QAEF,WAAW,CAAC,IAAI,mBAAmB,EAAE,EAAE,MAAM,CAAC,CAAC;QAE/C,uCAAuC;QACvC,MAAM,iBAAiB,GAAG,oBAAoB,CAC5C,KAAK,EACL,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;QAEF,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,yBAAyB;YACzB,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QACD,8GAA8G;QAC9G,yBAAyB,CAAC,wBAAwB,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;QAE9D,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ;YACrC,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;YACrC,YAAY,EAAE,WAAW,CAAC,aAAa;SACxC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uBAAuB;QAC3B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,WAAW,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;gBACtD,MAAM,sBAAsB,GAAG,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACxE,WAAW,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;gBACvC,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAE7D,4DAA4D;YAC5D,MAAM,oBAAoB,CACxB;gBACE,YAAY,EAAE,WAAW,CAAC,WAAW;gBACrC,QAAQ,EAAE,WAAW,CAAC,OAAO;gBAC7B,aAAa,EAAE,WAAW,CAAC,YAAY;aACxC,EACD,IAAI,CAAC,SAAU,EACf,IAAI,CAAC,YAAa,EAClB,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,sBAAsB,GAAG;gBAC7B,aAAa,EAAE,KAAK;aACrB,CAAC;YACF,WAAW,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;YACvC,OAAO,sBAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,MAAmC;QAEnC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF","sourcesContent":["// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport type {\n  DisplayMode,\n  Endpoints,\n  LoginPostMessage,\n  OIDCTokenResponseBody,\n  SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n  clearTokens,\n  clearUser,\n  exchangeTokens,\n  generateOauthLoginUrl,\n  generateOauthLogoutUrl,\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n  validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type {\n  AuthenticationInitiator,\n  AuthenticationResolver,\n  PKCEConsumer,\n} from \"@/services/types.js\";\nimport { PopupError } from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil.js\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants.js\";\nimport { validateLoginAppPostMessage } from \"@/lib/postMessage.js\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n *   ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n *  pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n *  ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n  private postMessageHandler: null | ((event: MessageEvent) => void) = null;\n\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n    displayMode: DisplayMode;\n    oauthServer: string;\n    // the endpoints to use for the login (if not obtained from the auth server\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n    // the nonce to use for the login\n    nonce?: string;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n    console.log(\"BrowserAuthenticationInitiator constructor\", this.config);\n  }\n\n  async handleLoginAppPopupFailed(redirectUrl: string) {\n    console.warn(\n      \"Login app popup failed open a popup, using redirect mode instead...\",\n      redirectUrl,\n    );\n    window.location.href = redirectUrl;\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and then use the display mode to decide how to send the user there\n  async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n    const url = await generateOauthLoginUrl(this.config);\n\n    this.postMessageHandler = (event: MessageEvent) => {\n      const thisURL = new URL(window.location.href);\n      if (\n        event.origin.endsWith(\"civic.com\") ||\n        thisURL.hostname === \"localhost\"\n      ) {\n        if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {\n          console.log(\"Received invalid message from login app\", event.data);\n          return;\n        }\n        const loginMessage = event.data as LoginPostMessage;\n        console.log(\"Received message from login app\", event.data);\n        this.handleLoginAppPopupFailed(loginMessage.data.url);\n      }\n    };\n    window.addEventListener(\"message\", this.postMessageHandler);\n    if (this.config.displayMode === \"iframe\") {\n      if (!iframeRef)\n        throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n      iframeRef.setAttribute(\"src\", url.toString());\n    }\n    if (this.config.displayMode === \"redirect\") {\n      window.location.href = url.toString();\n    }\n    if (this.config.displayMode === \"new_tab\") {\n      try {\n        const popupWindow = window.open(url.toString(), \"_blank\");\n        console.log(\"signIn\", popupWindow);\n        if (!popupWindow) {\n          throw new PopupError(\"Failed to open popup window\");\n        }\n      } catch (error) {\n        console.error(\"popupWindow\", error);\n        throw new PopupError(\n          \"window.open has thrown: Failed to open popup window\",\n        );\n      }\n    }\n    return url;\n  }\n\n  async signOut(): Promise<URL> {\n    const localStorage = new LocalStorageAdapter();\n    clearTokens(localStorage);\n    clearUser(localStorage);\n    // TODO open the iframe or new tab etc: the logout URL is not currently\n    // supported by on the oauth, so just clear state until then\n    const url = await generateOauthLogoutUrl(this.config);\n    return url;\n  }\n\n  cleanup() {\n    if (this.postMessageHandler) {\n      window.removeEventListener(\"message\", this.postMessageHandler);\n    }\n  }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    oauthServer: string;\n    nonce?: string;\n    // the endpoints to use for the login (if not obtained from the auth server)\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n    console.log(\"GenericAuthenticationInitiator constructor\", {\n      config,\n    });\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and simply return the url\n  async signIn(): Promise<URL> {\n    return generateOauthLoginUrl(this.config);\n  }\n\n  async signOut(): Promise<URL> {\n    return generateOauthLogoutUrl(this.config);\n  }\n}\n\ntype BrowserAuthenticationConfig = {\n  clientId: string;\n  redirectUrl: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  // TODO WIP - perhaps we want to keep resolver and initiator separate here\n  constructor(\n    config: BrowserAuthenticationConfig,\n    // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n    protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n  ) {\n    console.log(\"BrowserAuthenticationService constructor\", {\n      config,\n    });\n    super({\n      ...config,\n      state: generateState(config.displayMode),\n      // Store and retrieve the PKCE challenge in local storage\n      pkceConsumer: pkceProducer,\n    });\n  }\n\n  // TODO too much code duplication here between the browser and the server variant.\n  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n  // function for generating an oauth2client from it\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.config.oauthServer,\n      this.config.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.config.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.config.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  // Two responsibilities:\n  // 1. resolve the auth code to get the tokens (should use library code)\n  // 2. store the tokens in local storage\n  async tokenExchange(\n    code: string,\n    state: string,\n  ): Promise<OIDCTokenResponseBody> {\n    if (!this.oauth2client) await this.init();\n    const codeVerifier = await this.pkceProducer.getCodeVerifier();\n    if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n    // exchange auth code for tokens\n    const tokens = await exchangeTokens(\n      code,\n      state,\n      this.pkceProducer,\n      this.oauth2client!, // clean up types here to avoid the ! operator\n      this.config.oauthServer,\n      this.endpoints!, // clean up types here to avoid the ! operator\n    );\n\n    storeTokens(new LocalStorageAdapter(), tokens);\n\n    // cleanup the browser window if needed\n    const parsedDisplayMode = displayModeFromState(\n      state,\n      this.config.displayMode,\n    );\n\n    if (parsedDisplayMode === \"new_tab\") {\n      // Close the popup window\n      window.close();\n    }\n    // these are the default oAuth params that get added to the URL in redirect which we want to remove if present\n    removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n    return tokens;\n  }\n\n  // Get the session data from local storage\n  async getSessionData(): Promise<SessionData | null> {\n    const storageData = retrieveTokens(new LocalStorageAdapter());\n\n    if (!storageData) return null;\n\n    return {\n      authenticated: !!storageData.id_token,\n      idToken: storageData.id_token,\n      accessToken: storageData.access_token,\n      refreshToken: storageData.refresh_token,\n    };\n  }\n\n  async validateExistingSession(): Promise<SessionData> {\n    try {\n      const sessionData = await this.getSessionData();\n      if (!sessionData?.idToken || !sessionData.accessToken) {\n        const unAuthenticatedSession = { ...sessionData, authenticated: false };\n        clearTokens(new LocalStorageAdapter());\n        return unAuthenticatedSession;\n      }\n      if (!this.endpoints || !this.oauth2client) await this.init();\n\n      // this function will throw if any of the tokens are invalid\n      await validateOauth2Tokens(\n        {\n          access_token: sessionData.accessToken,\n          id_token: sessionData.idToken,\n          refresh_token: sessionData.refreshToken,\n        },\n        this.endpoints!,\n        this.oauth2client!,\n        this.config.oauthServer,\n      );\n      return sessionData;\n    } catch (error) {\n      console.warn(\"Failed to validate existing tokens\", error);\n      const unAuthenticatedSession = {\n        authenticated: false,\n      };\n      clearTokens(new LocalStorageAdapter());\n      return unAuthenticatedSession;\n    }\n  }\n\n  static async build(\n    config: BrowserAuthenticationConfig,\n  ): Promise<AuthenticationResolver> {\n    const resolver = new BrowserAuthenticationService(config);\n    await resolver.init();\n\n    return resolver;\n  }\n}\n"]}

package/dist/esm/src/services/PKCE.d.ts

@@ -0,0 +1,20 @@
+import type { PKCEConsumer, PKCEProducer } from "../services/types.js";
+import type { AuthStorage } from "../types.js";
+/** A PKCE consumer that retrieves the challenge from a server endpoint */
+export declare class ConfidentialClientPKCEConsumer implements PKCEConsumer {
+    private pkceChallengeEndpoint;
+    constructor(pkceChallengeEndpoint: string);
+    getCodeChallenge(): Promise<string>;
+}
+/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */
+export declare class GenericPublicClientPKCEProducer implements PKCEProducer {
+    private storage;
+    constructor(storage: AuthStorage);
+    getCodeChallenge(): Promise<string>;
+    getCodeVerifier(): Promise<string | null>;
+}
+/** A PKCE Producer that is expected to run on a browser, and does not need a backend */
+export declare class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {
+    constructor();
+}
+//# sourceMappingURL=PKCE.d.ts.map

package/dist/esm/src/services/PKCE.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PKCE.d.ts","sourceRoot":"","sources":["../../../../src/services/PKCE.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACtE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,0EAA0E;AAC1E,qBAAa,8BAA+B,YAAW,YAAY;IACrD,OAAO,CAAC,qBAAqB;gBAArB,qBAAqB,EAAE,MAAM;IAC3C,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAK1C;AAED,8GAA8G;AAC9G,qBAAa,+BAAgC,YAAW,YAAY;IACtD,OAAO,CAAC,OAAO;gBAAP,OAAO,EAAE,WAAW;IAIlC,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IASnC,eAAe,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAGhD;AAED,wFAAwF;AACxF,qBAAa,+BAAgC,SAAQ,+BAA+B;;CAInF"}

package/dist/esm/src/services/PKCE.js

@@ -0,0 +1,44 @@
+import { deriveCodeChallenge } from "../shared/lib/util.js";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { LocalStorageAdapter } from "../browser/storage.js";
+import { CodeVerifier } from "../shared/lib/types.js";
+/** A PKCE consumer that retrieves the challenge from a server endpoint */
+export class ConfidentialClientPKCEConsumer {
+    pkceChallengeEndpoint;
+    constructor(pkceChallengeEndpoint) {
+        this.pkceChallengeEndpoint = pkceChallengeEndpoint;
+    }
+    async getCodeChallenge() {
+        const response = await fetch(this.pkceChallengeEndpoint);
+        const data = (await response.json());
+        return data.challenge;
+    }
+}
+/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */
+export class GenericPublicClientPKCEProducer {
+    storage;
+    constructor(storage) {
+        this.storage = storage;
+    }
+    // if there is already a verifier, return it,
+    // If not, create a new one and store it
+    async getCodeChallenge() {
+        // let verifier = await this.getCodeVerifier();
+        // if (!verifier) {
+        const verifier = generateCodeVerifier();
+        this.storage.set(CodeVerifier.COOKIE_NAME, verifier);
+        // }
+        return deriveCodeChallenge(verifier);
+    }
+    // if there is already a verifier, return it,
+    async getCodeVerifier() {
+        return this.storage.get(CodeVerifier.COOKIE_NAME);
+    }
+}
+/** A PKCE Producer that is expected to run on a browser, and does not need a backend */
+export class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {
+    constructor() {
+        super(new LocalStorageAdapter());
+    }
+}
+//# sourceMappingURL=PKCE.js.map

package/dist/esm/src/services/PKCE.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PKCE.js","sourceRoot":"","sources":["../../../../src/services/PKCE.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,0EAA0E;AAC1E,MAAM,OAAO,8BAA8B;IACrB;IAApB,YAAoB,qBAA6B;QAA7B,0BAAqB,GAArB,qBAAqB,CAAQ;IAAG,CAAC;IACrD,KAAK,CAAC,gBAAgB;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0B,CAAC;QAC9D,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF;AAED,8GAA8G;AAC9G,MAAM,OAAO,+BAA+B;IACtB;IAApB,YAAoB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE5C,6CAA6C;IAC7C,wCAAwC;IACxC,KAAK,CAAC,gBAAgB;QACpB,+CAA+C;QAC/C,mBAAmB;QACnB,MAAM,QAAQ,GAAG,oBAAoB,EAAE,CAAC;QACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI;QACJ,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IACD,6CAA6C;IAC7C,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;CACF;AAED,wFAAwF;AACxF,MAAM,OAAO,+BAAgC,SAAQ,+BAA+B;IAClF;QACE,KAAK,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;IACnC,CAAC;CACF","sourcesContent":["import { deriveCodeChallenge } from \"@/shared/lib/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport type { AuthStorage } from \"@/types.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n  constructor(private pkceChallengeEndpoint: string) {}\n  async getCodeChallenge(): Promise<string> {\n    const response = await fetch(this.pkceChallengeEndpoint);\n    const data = (await response.json()) as { challenge: string };\n    return data.challenge;\n  }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n  constructor(private storage: AuthStorage) {}\n\n  // if there is already a verifier, return it,\n  // If not, create a new one and store it\n  async getCodeChallenge(): Promise<string> {\n    // let verifier = await this.getCodeVerifier();\n    // if (!verifier) {\n    const verifier = generateCodeVerifier();\n    this.storage.set(CodeVerifier.COOKIE_NAME, verifier);\n    // }\n    return deriveCodeChallenge(verifier);\n  }\n  // if there is already a verifier, return it,\n  async getCodeVerifier(): Promise<string | null> {\n    return this.storage.get(CodeVerifier.COOKIE_NAME);\n  }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n  constructor() {\n    super(new LocalStorageAdapter());\n  }\n}\n"]}

package/dist/esm/src/services/types.d.ts

@@ -0,0 +1,23 @@
+import type { OIDCTokenResponseBody, SessionData } from "../types.js";
+export interface PKCEConsumer {
+    getCodeChallenge(): Promise<string>;
+}
+export interface PKCEProducer extends PKCEConsumer {
+    getCodeVerifier(): Promise<string | null>;
+}
+export interface AuthenticationInitiator {
+    signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;
+    signOut(): Promise<URL>;
+}
+export interface AuthenticationResolver {
+    tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;
+    getSessionData(): Promise<SessionData | null>;
+    validateExistingSession(): Promise<SessionData>;
+}
+export interface AuthenticationRefresher {
+    refreshTokens: () => Promise<OIDCTokenResponseBody>;
+}
+export declare class PopupError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/esm/src/services/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/services/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AASrE,MAAM,WAAW,YAAY;IAE3B,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACrC;AAGD,MAAM,WAAW,YAAa,SAAQ,YAAY;IAEhD,eAAe,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC3C;AAGD,MAAM,WAAW,uBAAuB;IAEtC,MAAM,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAG1D,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;CACzB;AAGD,MAAM,WAAW,sBAAsB;IAKrC,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAG3E,cAAc,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAG9C,uBAAuB,IAAI,OAAO,CAAC,WAAW,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,OAAO,CAAC,qBAAqB,CAAC,CAAC;CACrD;AAED,qBAAa,UAAW,SAAQ,KAAK;gBACvB,OAAO,EAAE,MAAM;CAI5B"}

package/dist/esm/src/services/types.js

@@ -0,0 +1,7 @@
+export class PopupError extends Error {
+    constructor(message) {
+        super(message);
+        Object.setPrototypeOf(this, PopupError.prototype);
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/esm/src/services/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/services/types.ts"],"names":[],"mappings":"AAgDA,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF","sourcesContent":["import type { OIDCTokenResponseBody, SessionData } from \"@/types.js\";\n\n// A PKCEConsumer can get a code challenge to use in the login process\n// A PKCEProducer can also generate and store verifiers. The producer must also be a consumer in order to get the challenge from an existing flow\n// Examples:\n// - Client-only SPA: The SPA generates the code challenge and verifier, stores the verifier in state and returns the code challenge\n// Note - The SPA should use PKCEProducer instead to do both\n// - Client-side of a client/server app: The client calls the backend to get the challenge.\n// - Server-side: The server should generate a new stored verifier and derive the challenge from it.\nexport interface PKCEConsumer {\n  // Retrieve a new PKCE challenge\n  getCodeChallenge(): Promise<string>;\n}\n\n// All producers are consumers, because the producer can get its own challenge\nexport interface PKCEProducer extends PKCEConsumer {\n  // Retrieve the PKCE challenge from the session if one exists\n  getCodeVerifier(): Promise<string | null>;\n}\n\n// A service that can initiate requests to login or log out\nexport interface AuthenticationInitiator {\n  // trigger a new login\n  signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;\n\n  // trigger a new logout\n  signOut(): Promise<URL>;\n}\n\n// A service that can resolve an authentication request according to the OAuth Auth Code grant types\nexport interface AuthenticationResolver {\n  // Given an auth code, get the tokens from the auth server and store them. works in PKCE and non-PKCE environments\n  // Note, if we choose later to implement other grants, this method would move into a subinterface specifically\n  // for the authorization code grant type.\n  // The return type is just for convenience and can be ignored, as the same data would be provided by getSessionData\n  tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;\n\n  // If the tokens have already been retrieved, return them\n  getSessionData(): Promise<SessionData | null>;\n\n  // If an existing session is found, validate it and return the session data\n  validateExistingSession(): Promise<SessionData>;\n}\n\nexport interface AuthenticationRefresher {\n  refreshTokens: () => Promise<OIDCTokenResponseBody>;\n}\n\nexport class PopupError extends Error {\n  constructor(message: string) {\n    super(message);\n    Object.setPrototypeOf(this, PopupError.prototype);\n  }\n}\n"]}

package/dist/esm/src/shared/AuthContext.d.ts

@@ -0,0 +1,10 @@
+import type { DisplayMode } from "../types.js";
+export type AuthContextType = {
+    signIn: (displayMode?: DisplayMode) => Promise<void>;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    signOut: () => Promise<void>;
+};
+export declare const AuthContext: import("react").Context<AuthContextType | null>;
+//# sourceMappingURL=AuthContext.d.ts.map

package/dist/esm/src/shared/AuthContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthContext.d.ts","sourceRoot":"","sources":["../../../../src/shared/AuthContext.tsx"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B,CAAC;AACF,eAAO,MAAM,WAAW,iDAA8C,CAAC"}

package/dist/esm/src/shared/AuthContext.js

@@ -0,0 +1,3 @@
+import { createContext } from "react";
+export const AuthContext = createContext(null);
+//# sourceMappingURL=AuthContext.js.map

package/dist/esm/src/shared/AuthContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthContext.js","sourceRoot":"","sources":["../../../../src/shared/AuthContext.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AAUtC,MAAM,CAAC,MAAM,WAAW,GAAG,aAAa,CAAyB,IAAI,CAAC,CAAC","sourcesContent":["import { createContext } from \"react\";\nimport type { DisplayMode } from \"@/types.js\";\n\nexport type AuthContextType = {\n  signIn: (displayMode?: DisplayMode) => Promise<void>;\n  isAuthenticated: boolean;\n  isLoading: boolean;\n  error: Error | null;\n  signOut: () => Promise<void>;\n};\nexport const AuthContext = createContext<AuthContextType | null>(null);\n"]}

package/dist/esm/src/shared/AuthProvider.d.ts

@@ -0,0 +1,18 @@
+import React, { type ReactNode } from "react";
+import type { Config, SessionData } from "../types.js";
+import type { PKCEConsumer } from "../services/types.js";
+export type AuthProviderProps = {
+    children: ReactNode;
+    clientId: string;
+    redirectUrl?: string;
+    nonce?: string;
+    config?: Config;
+    onSignIn?: (error?: Error) => void;
+    onSignOut?: () => Promise<void>;
+    pkceConsumer?: PKCEConsumer;
+    modalIframe?: boolean;
+    sessionData?: SessionData;
+};
+declare const AuthProvider: ({ children, clientId, redirectUrl: inputRedirectUrl, config, onSignIn, onSignOut, pkceConsumer, nonce, modalIframe, sessionData: inputSessionData, }: AuthProviderProps) => React.JSX.Element | null;
+export { AuthProvider };
+//# sourceMappingURL=AuthProvider.d.ts.map

package/dist/esm/src/shared/AuthProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../../../../src/shared/AuthProvider.tsx"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EACZ,KAAK,SAAS,EAMf,MAAM,OAAO,CAAC;AAEf,OAAO,KAAK,EAAE,MAAM,EAAe,WAAW,EAAE,MAAM,YAAY,CAAC;AAanE,OAAO,KAAK,EAA0B,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAqBhF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B,CAAC;AAYF,QAAA,MAAM,YAAY,yJAWf,iBAAiB,6BAgSnB,CAAC;AAEF,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/esm/src/shared/AuthProvider.js

@@ -0,0 +1,250 @@
+"use client";
+import React, { useCallback, useEffect, useMemo, useRef, useState, } from "react";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { CivicAuthIframeContainer } from "@/shared/components/CivicAuthIframeContainer.jsx";
+import { TokenProvider } from "../shared/providers/TokenProvider.js";
+import { SessionProvider } from "../shared/providers/SessionProvider.js";
+import { DEFAULT_SCOPES } from "../constants.js";
+import { authConfig } from "../config.js";
+import { LoadingIcon } from "../shared/components/LoadingIcon.js";
+import { isWindowInIframe } from "../lib/windowUtil.js";
+import { AuthContext } from "@/shared/AuthContext.jsx";
+import { BrowserAuthenticationInitiator, BrowserAuthenticationService, } from "../services/AuthenticationService.js";
+import { PopupError } from "../services/types.js";
+import { ConfidentialClientPKCEConsumer } from "../services/PKCE.js";
+import { generateState } from "../lib/oauth.js";
+import { LocalStorageAdapter } from "../browser/storage.js";
+import { ConfigProvider } from "@/shared/providers/ConfigProvider.jsx";
+import { getUser } from "./session.js";
+import { GenericUserSession } from "./UserSession.js";
+import { IframeProvider } from "../shared/providers/IframeProvider.js";
+// Global this object setup
+let globalThisObject;
+if (typeof window !== "undefined") {
+    globalThisObject = window;
+}
+else if (typeof global !== "undefined") {
+    globalThisObject = global;
+}
+else {
+    globalThisObject = Function("return this")();
+}
+globalThisObject.globalThis = globalThisObject;
+function BlockDisplay({ children }) {
+    return (React.createElement("div", { className: "cac-relative cac-left-0 cac-top-0 cac-z-50 cac-flex cac-h-screen cac-w-screen cac-items-center cac-justify-center cac-bg-white" },
+        React.createElement("div", { className: "cac-absolute cac-inset-0 cac-flex cac-items-center cac-justify-center cac-bg-white" }, children)));
+}
+const AuthProvider = ({ children, clientId, redirectUrl: inputRedirectUrl, config = authConfig, onSignIn, onSignOut, pkceConsumer, nonce, modalIframe = true, sessionData: inputSessionData, }) => {
+    const [iframeUrl, setIframeUrl] = useState(null);
+    const [currentUrl, setCurrentUrl] = useState(null);
+    const [isInIframe, setIsInIframe] = useState(false);
+    const [authResponseUrl, setAuthResponseUrl] = useState(null);
+    const [tokenExchangeError, setTokenExchangeError] = useState();
+    const [displayMode, setDisplayMode] = useState("iframe");
+    const [browserAuthenticationInitiator, setBrowserAuthenticationInitiator] = useState();
+    const [showIFrame, setShowIFrame] = useState(false);
+    const [isRedirecting, setIsRedirecting] = useState(false);
+    const queryClient = useQueryClient();
+    const iframeRef = useRef(null);
+    // TODO maybe we want to support or derive serverTokenExchange another way?
+    const serverTokenExchange = pkceConsumer instanceof ConfidentialClientPKCEConsumer;
+    // check if the current window is in an iframe with the iframe id, and set an isInIframe state
+    useEffect(() => {
+        if (typeof globalThis.window !== "undefined") {
+            setCurrentUrl(globalThis.window.location.href);
+            const isInIframeVal = isWindowInIframe(globalThis.window);
+            setIsInIframe(isInIframeVal);
+        }
+    }, []);
+    const redirectUrl = useMemo(() => (inputRedirectUrl || currentUrl || "").split("?")[0], [currentUrl, inputRedirectUrl]);
+    const [authService, setAuthService] = useState();
+    useEffect(() => {
+        if (!currentUrl || !redirectUrl)
+            return;
+        BrowserAuthenticationService.build({
+            clientId,
+            redirectUrl,
+            oauthServer: config.oauthServer,
+            scopes: DEFAULT_SCOPES,
+            displayMode,
+        }).then(setAuthService);
+    }, [currentUrl, clientId, redirectUrl, config, displayMode]);
+    const { data: session, isLoading, error, } = useQuery({
+        queryKey: [
+            "session",
+            authResponseUrl,
+            iframeUrl,
+            currentUrl,
+            isInIframe,
+            authService,
+        ],
+        queryFn: async () => {
+            if (!authService) {
+                return { authenticated: false };
+            }
+            if (inputSessionData) {
+                return inputSessionData;
+            }
+            const url = new URL(authResponseUrl
+                ? authResponseUrl
+                : globalThis.window.location.href || "");
+            // if we have existing tokens, then validate them and return the session data
+            // otherwise check if we have a code in the url and exchange it for tokens
+            // if we have neither, return undefined
+            const existingSessionData = await authService.validateExistingSession();
+            if (existingSessionData.authenticated) {
+                return existingSessionData;
+            }
+            const code = url.searchParams.get("code");
+            const state = url.searchParams.get("state");
+            if (!serverTokenExchange && code && state && !isInIframe) {
+                try {
+                    console.log("AuthProvider useQuery code", {
+                        isInIframe,
+                        code,
+                        state,
+                    });
+                    await authService.tokenExchange(code, state);
+                    const clientStorage = new LocalStorageAdapter();
+                    const user = await getUser(clientStorage);
+                    if (!user) {
+                        throw new Error("Failed to get user info");
+                    }
+                    const userSession = new GenericUserSession(clientStorage);
+                    userSession.set(user);
+                    onSignIn?.(); // Call onSignIn without an error if successful
+                    return authService.getSessionData();
+                }
+                catch (error) {
+                    setTokenExchangeError(error);
+                    onSignIn?.(error instanceof Error ? error : new Error("Failed to sign in")); // Pass the error to onSignIn
+                    return { authenticated: false };
+                }
+            }
+            return existingSessionData;
+        },
+    });
+    const signOutMutation = useMutation({
+        mutationFn: async () => {
+            // Implement signOut logic here
+            const authInitiator = getAuthInitiator();
+            authInitiator?.signOut();
+            setIframeUrl(null);
+            setShowIFrame(false);
+            setAuthResponseUrl(null);
+            onSignOut?.();
+        },
+        onSuccess: () => {
+            queryClient.setQueryData([
+                "session",
+                authResponseUrl,
+                iframeUrl,
+                currentUrl,
+                isInIframe,
+                authService,
+            ], null);
+        },
+    });
+    const getAuthInitiator = useCallback((overrideDisplayMode) => {
+        const useDisplayMode = overrideDisplayMode || displayMode;
+        if (!pkceConsumer || !redirectUrl) {
+            return null;
+        }
+        return (browserAuthenticationInitiator ||
+            new BrowserAuthenticationInitiator({
+                pkceConsumer, // generate and retrieve the challenge client-side
+                clientId,
+                redirectUrl,
+                state: generateState(useDisplayMode, serverTokenExchange),
+                scopes: DEFAULT_SCOPES,
+                displayMode: useDisplayMode,
+                oauthServer: config.oauthServer,
+                // the endpoints to use for the login (if not obtained from the auth server
+                endpointOverrides: config.endpoints,
+                nonce,
+            }));
+    }, [
+        serverTokenExchange,
+        displayMode,
+        browserAuthenticationInitiator,
+        clientId,
+        redirectUrl,
+        config.oauthServer,
+        config.endpoints,
+        pkceConsumer,
+        nonce,
+    ]);
+    const signIn = useCallback(async (overrideDisplayMode = "iframe") => {
+        setDisplayMode(overrideDisplayMode);
+        const authInitiator = getAuthInitiator(overrideDisplayMode);
+        setBrowserAuthenticationInitiator(authInitiator);
+        if (overrideDisplayMode === "iframe") {
+            setShowIFrame(true);
+        }
+        else if (overrideDisplayMode === "redirect") {
+            setIsRedirecting(true);
+        }
+        authInitiator?.signIn(iframeRef.current).catch((error) => {
+            console.log("signIn error", {
+                error,
+                isPopupError: error instanceof PopupError,
+            });
+            // if we've tried to open a popup and it has failed, then fallback to redirect mode
+            if (error instanceof PopupError) {
+                signIn("redirect");
+            }
+        });
+    }, [getAuthInitiator]);
+    // remove event listeners when the component unmounts
+    useEffect(() => {
+        return () => {
+            if (browserAuthenticationInitiator) {
+                browserAuthenticationInitiator.cleanup();
+            }
+        };
+    }, [browserAuthenticationInitiator]);
+    const isAuthenticated = useMemo(() => (session ? session.authenticated : false), [session]);
+    useQuery({
+        queryKey: ["autoSignIn", modalIframe, redirectUrl, isAuthenticated],
+        queryFn: async () => {
+            if (!modalIframe &&
+                redirectUrl &&
+                !isAuthenticated &&
+                iframeRef.current) {
+                signIn("iframe");
+            }
+            return true;
+        },
+        refetchOnWindowFocus: false,
+    });
+    const value = useMemo(() => ({
+        isLoading,
+        error: error,
+        signOut: async () => {
+            await signOutMutation.mutateAsync();
+        },
+        isAuthenticated,
+        signIn,
+    }), [isLoading, error, signOutMutation, isAuthenticated, signIn]);
+    if (!redirectUrl)
+        return null;
+    return (React.createElement(AuthContext.Provider, { value: value },
+        React.createElement(ConfigProvider, { config: config, redirectUrl: redirectUrl, modalIframe: modalIframe, serverTokenExchange: serverTokenExchange },
+            React.createElement(IframeProvider, { setAuthResponseUrl: setAuthResponseUrl, iframeRef: iframeRef },
+                React.createElement(SessionProvider, { session: session },
+                    React.createElement(TokenProvider, null,
+                        modalIframe && !isInIframe && !session?.authenticated && (React.createElement("div", { style: showIFrame ? { display: "block" } : { display: "none" } },
+                            React.createElement(CivicAuthIframeContainer, { onClose: () => setShowIFrame(false) }))),
+                        modalIframe &&
+                            (isInIframe ||
+                                isRedirecting ||
+                                (isLoading && !serverTokenExchange)) && (React.createElement(BlockDisplay, null,
+                            React.createElement(LoadingIcon, null))),
+                        (tokenExchangeError || error) && (React.createElement(BlockDisplay, null,
+                            React.createElement("div", null,
+                                "Error: ",
+                                (tokenExchangeError || error).message))),
+                        children))))));
+};
+export { AuthProvider };
+//# sourceMappingURL=AuthProvider.js.map

package/dist/esm/src/shared/AuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProvider.js","sourceRoot":"","sources":["../../../../src/shared/AuthProvider.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;AACb,OAAO,KAAK,EAAE,EAEZ,WAAW,EACX,SAAS,EACT,OAAO,EACP,MAAM,EACN,QAAQ,GACT,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE9E,OAAO,EAAE,wBAAwB,EAAE,MAAM,kDAAkD,CAAC;AAC5F,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,uCAAuC,CAAC;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EACL,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,qCAAqC,CAAC;AAE7C,OAAO,EAAE,UAAU,EAAE,MAAO,qBAAqB,CAAC;AAClD,OAAO,EAAE,8BAA8B,EAAE,MAAM,oBAAoB,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AACvE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAC;AAEtE,2BAA2B;AAC3B,IAAI,gBAAgB,CAAC;AACrB,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;IAClC,gBAAgB,GAAG,MAAM,CAAC;AAC5B,CAAC;KAAM,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;IACzC,gBAAgB,GAAG,MAAM,CAAC;AAC5B,CAAC;KAAM,CAAC;IACN,gBAAgB,GAAG,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;AAC/C,CAAC;AACD,gBAAgB,CAAC,UAAU,GAAG,gBAAgB,CAAC;AAe/C,SAAS,YAAY,CAAC,EAAE,QAAQ,EAA2B;IACzD,OAAO,CACL,6BAAK,SAAS,EAAC,gIAAgI;QAC7I,6BAAK,SAAS,EAAC,oFAAoF,IAChG,QAAQ,CACL,CACF,CACP,CAAC;AACJ,CAAC;AAED,MAAM,YAAY,GAAG,CAAC,EACpB,QAAQ,EACR,QAAQ,EACR,WAAW,EAAE,gBAAgB,EAC7B,MAAM,GAAG,UAAU,EACnB,QAAQ,EACR,SAAS,EACT,YAAY,EACZ,KAAK,EACL,WAAW,GAAG,IAAI,EAClB,WAAW,EAAE,gBAAgB,GACX,EAAE,EAAE;IACtB,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,QAAQ,CAAgB,IAAI,CAAC,CAAC;IAChE,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,QAAQ,CAAgB,IAAI,CAAC,CAAC;IAClE,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,CAAC,eAAe,EAAE,kBAAkB,CAAC,GAAG,QAAQ,CAAgB,IAAI,CAAC,CAAC;IAC5E,MAAM,CAAC,kBAAkB,EAAE,qBAAqB,CAAC,GAAG,QAAQ,EAAS,CAAC;IACtE,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,GAAG,QAAQ,CAAc,QAAQ,CAAC,CAAC;IACtE,MAAM,CAAC,8BAA8B,EAAE,iCAAiC,CAAC,GACvE,QAAQ,EAAyC,CAAC;IACpD,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,CAAC,aAAa,EAAE,gBAAgB,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,CAAoB,IAAI,CAAC,CAAC;IAElD,2EAA2E;IAC3E,MAAM,mBAAmB,GACvB,YAAY,YAAY,8BAA8B,CAAC;IACzD,8FAA8F;IAC9F,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,OAAO,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7C,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,aAAa,GAAG,gBAAgB,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAC1D,aAAa,CAAC,aAAa,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,WAAW,GAAG,OAAO,CACzB,GAAG,EAAE,CAAC,CAAC,gBAAgB,IAAI,UAAU,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAC1D,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAC/B,CAAC;IAEF,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,GAAG,QAAQ,EAA0B,CAAC;IAEzE,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW;YAAE,OAAO;QACxC,4BAA4B,CAAC,KAAK,CAAC;YACjC,QAAQ;YACR,WAAW;YACX,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,cAAc;YACtB,WAAW;SACZ,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC1B,CAAC,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC;IAE7D,MAAM,EACJ,IAAI,EAAE,OAAO,EACb,SAAS,EACT,KAAK,GACN,GAAG,QAAQ,CAAC;QACX,QAAQ,EAAE;YACR,SAAS;YACT,eAAe;YACf,SAAS;YACT,UAAU;YACV,UAAU;YACV,WAAW;SACZ;QACD,OAAO,EAAE,KAAK,IAAI,EAAE;YAClB,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;YAClC,CAAC;YACD,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,gBAAgB,CAAC;YAC1B,CAAC;YACD,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,eAAe;gBACb,CAAC,CAAC,eAAe;gBACjB,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAC1C,CAAC;YACF,6EAA6E;YAC7E,0EAA0E;YAC1E,uCAAuC;YACvC,MAAM,mBAAmB,GAAG,MAAM,WAAW,CAAC,uBAAuB,EAAE,CAAC;YACxE,IAAI,mBAAmB,CAAC,aAAa,EAAE,CAAC;gBACtC,OAAO,mBAAmB,CAAC;YAC7B,CAAC;YACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5C,IAAI,CAAC,mBAAmB,IAAI,IAAI,IAAI,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;gBACzD,IAAI,CAAC;oBACH,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE;wBACxC,UAAU;wBACV,IAAI;wBACJ,KAAK;qBACN,CAAC,CAAC;oBACH,MAAM,WAAW,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBAC7C,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;oBAChD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;oBAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;wBACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;oBAC7C,CAAC;oBAED,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,aAAa,CAAC,CAAC;oBAC1D,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAEtB,QAAQ,EAAE,EAAE,CAAC,CAAC,+CAA+C;oBAC7D,OAAO,WAAW,CAAC,cAAc,EAAE,CAAC;gBACtC,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,qBAAqB,CAAC,KAAc,CAAC,CAAC;oBACtC,QAAQ,EAAE,CACR,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAChE,CAAC,CAAC,6BAA6B;oBAChC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBAClC,CAAC;YACH,CAAC;YAED,OAAO,mBAAmB,CAAC;QAC7B,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,WAAW,CAAC;QAClC,UAAU,EAAE,KAAK,IAAI,EAAE;YACrB,+BAA+B;YAC/B,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;YACzC,aAAa,EAAE,OAAO,EAAE,CAAC;YACzB,YAAY,CAAC,IAAI,CAAC,CAAC;YACnB,aAAa,CAAC,KAAK,CAAC,CAAC;YACrB,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACzB,SAAS,EAAE,EAAE,CAAC;QAChB,CAAC;QACD,SAAS,EAAE,GAAG,EAAE;YACd,WAAW,CAAC,YAAY,CACtB;gBACE,SAAS;gBACT,eAAe;gBACf,SAAS;gBACT,UAAU;gBACV,UAAU;gBACV,WAAW;aACZ,EACD,IAAI,CACL,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,WAAW,CAClC,CAAC,mBAAiC,EAAE,EAAE;QACpC,MAAM,cAAc,GAAG,mBAAmB,IAAI,WAAW,CAAC;QAC1D,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,CACL,8BAA8B;YAC9B,IAAI,8BAA8B,CAAC;gBACjC,YAAY,EAAE,kDAAkD;gBAChE,QAAQ;gBACR,WAAW;gBACX,KAAK,EAAE,aAAa,CAAC,cAAc,EAAE,mBAAmB,CAAC;gBACzD,MAAM,EAAE,cAAc;gBACtB,WAAW,EAAE,cAAc;gBAC3B,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,2EAA2E;gBAC3E,iBAAiB,EAAE,MAAM,CAAC,SAAS;gBACnC,KAAK;aACN,CAAC,CACH,CAAC;IACJ,CAAC,EACD;QACE,mBAAmB;QACnB,WAAW;QACX,8BAA8B;QAC9B,QAAQ;QACR,WAAW;QACX,MAAM,CAAC,WAAW;QAClB,MAAM,CAAC,SAAS;QAChB,YAAY;QACZ,KAAK;KACN,CACF,CAAC;IAEF,MAAM,MAAM,GAAG,WAAW,CACxB,KAAK,EAAE,sBAAmC,QAAQ,EAAE,EAAE;QACpD,cAAc,CAAC,mBAAmB,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,gBAAgB,CAAC,mBAAmB,CAAC,CAAC;QAC5D,iCAAiC,CAAC,aAAa,CAAC,CAAC;QACjD,IAAI,mBAAmB,KAAK,QAAQ,EAAE,CAAC;YACrC,aAAa,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;aAAM,IAAI,mBAAmB,KAAK,UAAU,EAAE,CAAC;YAC9C,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QACD,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACvD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE;gBAC1B,KAAK;gBACL,YAAY,EAAE,KAAK,YAAY,UAAU;aAC1C,CAAC,CAAC;YACH,mFAAmF;YACnF,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,EACD,CAAC,gBAAgB,CAAC,CACnB,CAAC;IAEF,qDAAqD;IACrD,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,GAAG,EAAE;YACV,IAAI,8BAA8B,EAAE,CAAC;gBACnC,8BAA8B,CAAC,OAAO,EAAE,CAAC;YAC3C,CAAC;QACH,CAAC,CAAC;IACJ,CAAC,EAAE,CAAC,8BAA8B,CAAC,CAAC,CAAC;IAErC,MAAM,eAAe,GAAG,OAAO,CAC7B,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,EAC/C,CAAC,OAAO,CAAC,CACV,CAAC;IAEF,QAAQ,CAAC;QACP,QAAQ,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,CAAC;QACnE,OAAO,EAAE,KAAK,IAAI,EAAE;YAClB,IACE,CAAC,WAAW;gBACZ,WAAW;gBACX,CAAC,eAAe;gBAChB,SAAS,CAAC,OAAO,EACjB,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,oBAAoB,EAAE,KAAK;KAC5B,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,OAAO,CACnB,GAAG,EAAE,CAAC,CAAC;QACL,SAAS;QACT,KAAK,EAAE,KAAqB;QAC5B,OAAO,EAAE,KAAK,IAAI,EAAE;YAClB,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC;QACtC,CAAC;QACD,eAAe;QACf,MAAM;KACP,CAAC,EACF,CAAC,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,CAAC,CAC7D,CAAC;IAEF,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,OAAO,CACL,oBAAC,WAAW,CAAC,QAAQ,IAAC,KAAK,EAAE,KAAK;QAChC,oBAAC,cAAc,IACb,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,WAAW,EACxB,mBAAmB,EAAE,mBAAmB;YAExC,oBAAC,cAAc,IACb,kBAAkB,EAAE,kBAAkB,EACtC,SAAS,EAAE,SAAS;gBAEpB,oBAAC,eAAe,IAAC,OAAO,EAAE,OAAO;oBAC/B,oBAAC,aAAa;wBACX,WAAW,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,EAAE,aAAa,IAAI,CACxD,6BACE,KAAK,EACH,UAAU,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE;4BAGzD,oBAAC,wBAAwB,IACvB,OAAO,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,GACnC,CACE,CACP;wBAEA,WAAW;4BACV,CAAC,UAAU;gCACT,aAAa;gCACb,CAAC,SAAS,IAAI,CAAC,mBAAmB,CAAC,CAAC,IAAI,CACxC,oBAAC,YAAY;4BACX,oBAAC,WAAW,OAAG,CACF,CAChB;wBAEF,CAAC,kBAAkB,IAAI,KAAK,CAAC,IAAI,CAChC,oBAAC,YAAY;4BACX;;gCACU,CAAC,kBAAkB,IAAK,KAAe,CAAC,CAAC,OAAO,CACpD,CACO,CAChB;wBACA,QAAQ,CACK,CACA,CACH,CACF,CACI,CACxB,CAAC;AACJ,CAAC,CAAC;AAEF,OAAO,EAAE,YAAY,EAAE,CAAC","sourcesContent":["\"use client\";\nimport React, {\n  type ReactNode,\n  useCallback,\n  useEffect,\n  useMemo,\n  useRef,\n  useState,\n} from \"react\";\nimport { useMutation, useQuery, useQueryClient } from \"@tanstack/react-query\";\nimport type { Config, DisplayMode, SessionData } from \"@/types.js\";\nimport { CivicAuthIframeContainer } from \"@/shared/components/CivicAuthIframeContainer.jsx\";\nimport { TokenProvider } from \"@/shared/providers/TokenProvider.js\";\nimport { SessionProvider } from \"@/shared/providers/SessionProvider.js\";\nimport { DEFAULT_SCOPES } from \"@/constants.js\";\nimport { authConfig } from \"@/config.js\";\nimport { LoadingIcon } from \"@/shared/components/LoadingIcon.js\";\nimport { isWindowInIframe } from \"@/lib/windowUtil.js\";\nimport { AuthContext } from \"@/shared/AuthContext.jsx\";\nimport {\n  BrowserAuthenticationInitiator,\n  BrowserAuthenticationService,\n} from \"@/services/AuthenticationService.js\";\nimport type { AuthenticationResolver, PKCEConsumer } from \"@/services/types.js\";\nimport { PopupError } from  \"@/services/types.js\";\nimport { ConfidentialClientPKCEConsumer } from \"@/services/PKCE.js\";\nimport { generateState } from \"@/lib/oauth.js\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { ConfigProvider } from \"@/shared/providers/ConfigProvider.jsx\";\nimport { getUser } from \"./session.js\";\nimport { GenericUserSession } from \"./UserSession.js\";\nimport { IframeProvider } from \"@/shared/providers/IframeProvider.js\";\n\n// Global this object setup\nlet globalThisObject;\nif (typeof window !== \"undefined\") {\n  globalThisObject = window;\n} else if (typeof global !== \"undefined\") {\n  globalThisObject = global;\n} else {\n  globalThisObject = Function(\"return this\")();\n}\nglobalThisObject.globalThis = globalThisObject;\n\nexport type AuthProviderProps = {\n  children: ReactNode;\n  clientId: string;\n  redirectUrl?: string;\n  nonce?: string;\n  config?: Config;\n  onSignIn?: (error?: Error) => void;\n  onSignOut?: () => Promise<void>;\n  pkceConsumer?: PKCEConsumer;\n  modalIframe?: boolean;\n  sessionData?: SessionData;\n};\n\nfunction BlockDisplay({ children }: { children: ReactNode }) {\n  return (\n    <div className=\"cac-relative cac-left-0 cac-top-0 cac-z-50 cac-flex cac-h-screen cac-w-screen cac-items-center cac-justify-center cac-bg-white\">\n      <div className=\"cac-absolute cac-inset-0 cac-flex cac-items-center cac-justify-center cac-bg-white\">\n        {children}\n      </div>\n    </div>\n  );\n}\n\nconst AuthProvider = ({\n  children,\n  clientId,\n  redirectUrl: inputRedirectUrl,\n  config = authConfig,\n  onSignIn,\n  onSignOut,\n  pkceConsumer,\n  nonce,\n  modalIframe = true,\n  sessionData: inputSessionData,\n}: AuthProviderProps) => {\n  const [iframeUrl, setIframeUrl] = useState<string | null>(null);\n  const [currentUrl, setCurrentUrl] = useState<string | null>(null);\n  const [isInIframe, setIsInIframe] = useState(false);\n  const [authResponseUrl, setAuthResponseUrl] = useState<string | null>(null);\n  const [tokenExchangeError, setTokenExchangeError] = useState<Error>();\n  const [displayMode, setDisplayMode] = useState<DisplayMode>(\"iframe\");\n  const [browserAuthenticationInitiator, setBrowserAuthenticationInitiator] =\n    useState<BrowserAuthenticationInitiator | null>();\n  const [showIFrame, setShowIFrame] = useState(false);\n  const [isRedirecting, setIsRedirecting] = useState(false);\n  const queryClient = useQueryClient();\n  const iframeRef = useRef<HTMLIFrameElement>(null);\n\n  // TODO maybe we want to support or derive serverTokenExchange another way?\n  const serverTokenExchange =\n    pkceConsumer instanceof ConfidentialClientPKCEConsumer;\n  // check if the current window is in an iframe with the iframe id, and set an isInIframe state\n  useEffect(() => {\n    if (typeof globalThis.window !== \"undefined\") {\n      setCurrentUrl(globalThis.window.location.href);\n      const isInIframeVal = isWindowInIframe(globalThis.window);\n      setIsInIframe(isInIframeVal);\n    }\n  }, []);\n\n  const redirectUrl = useMemo(\n    () => (inputRedirectUrl || currentUrl || \"\").split(\"?\")[0],\n    [currentUrl, inputRedirectUrl],\n  );\n\n  const [authService, setAuthService] = useState<AuthenticationResolver>();\n\n  useEffect(() => {\n    if (!currentUrl || !redirectUrl) return;\n    BrowserAuthenticationService.build({\n      clientId,\n      redirectUrl,\n      oauthServer: config.oauthServer,\n      scopes: DEFAULT_SCOPES,\n      displayMode,\n    }).then(setAuthService);\n  }, [currentUrl, clientId, redirectUrl, config, displayMode]);\n\n  const {\n    data: session,\n    isLoading,\n    error,\n  } = useQuery({\n    queryKey: [\n      \"session\",\n      authResponseUrl,\n      iframeUrl,\n      currentUrl,\n      isInIframe,\n      authService,\n    ],\n    queryFn: async () => {\n      if (!authService) {\n        return { authenticated: false };\n      }\n      if (inputSessionData) {\n        return inputSessionData;\n      }\n      const url = new URL(\n        authResponseUrl\n          ? authResponseUrl\n          : globalThis.window.location.href || \"\",\n      );\n      // if we have existing tokens, then validate them and return the session data\n      // otherwise check if we have a code in the url and exchange it for tokens\n      // if we have neither, return undefined\n      const existingSessionData = await authService.validateExistingSession();\n      if (existingSessionData.authenticated) {\n        return existingSessionData;\n      }\n      const code = url.searchParams.get(\"code\");\n      const state = url.searchParams.get(\"state\");\n      if (!serverTokenExchange && code && state && !isInIframe) {\n        try {\n          console.log(\"AuthProvider useQuery code\", {\n            isInIframe,\n            code,\n            state,\n          });\n          await authService.tokenExchange(code, state);\n          const clientStorage = new LocalStorageAdapter();\n          const user = await getUser(clientStorage);\n          if (!user) {\n            throw new Error(\"Failed to get user info\");\n          }\n\n          const userSession = new GenericUserSession(clientStorage);\n          userSession.set(user);\n\n          onSignIn?.(); // Call onSignIn without an error if successful\n          return authService.getSessionData();\n        } catch (error) {\n          setTokenExchangeError(error as Error);\n          onSignIn?.(\n            error instanceof Error ? error : new Error(\"Failed to sign in\"),\n          ); // Pass the error to onSignIn\n          return { authenticated: false };\n        }\n      }\n\n      return existingSessionData;\n    },\n  });\n\n  const signOutMutation = useMutation({\n    mutationFn: async () => {\n      // Implement signOut logic here\n      const authInitiator = getAuthInitiator();\n      authInitiator?.signOut();\n      setIframeUrl(null);\n      setShowIFrame(false);\n      setAuthResponseUrl(null);\n      onSignOut?.();\n    },\n    onSuccess: () => {\n      queryClient.setQueryData(\n        [\n          \"session\",\n          authResponseUrl,\n          iframeUrl,\n          currentUrl,\n          isInIframe,\n          authService,\n        ],\n        null,\n      );\n    },\n  });\n\n  const getAuthInitiator = useCallback(\n    (overrideDisplayMode?: DisplayMode) => {\n      const useDisplayMode = overrideDisplayMode || displayMode;\n      if (!pkceConsumer || !redirectUrl) {\n        return null;\n      }\n      return (\n        browserAuthenticationInitiator ||\n        new BrowserAuthenticationInitiator({\n          pkceConsumer, // generate and retrieve the challenge client-side\n          clientId,\n          redirectUrl,\n          state: generateState(useDisplayMode, serverTokenExchange),\n          scopes: DEFAULT_SCOPES,\n          displayMode: useDisplayMode,\n          oauthServer: config.oauthServer,\n          // the endpoints to use for the login (if not obtained from the auth server\n          endpointOverrides: config.endpoints,\n          nonce,\n        })\n      );\n    },\n    [\n      serverTokenExchange,\n      displayMode,\n      browserAuthenticationInitiator,\n      clientId,\n      redirectUrl,\n      config.oauthServer,\n      config.endpoints,\n      pkceConsumer,\n      nonce,\n    ],\n  );\n\n  const signIn = useCallback(\n    async (overrideDisplayMode: DisplayMode = \"iframe\") => {\n      setDisplayMode(overrideDisplayMode);\n      const authInitiator = getAuthInitiator(overrideDisplayMode);\n      setBrowserAuthenticationInitiator(authInitiator);\n      if (overrideDisplayMode === \"iframe\") {\n        setShowIFrame(true);\n      } else if (overrideDisplayMode === \"redirect\") {\n        setIsRedirecting(true);\n      }\n      authInitiator?.signIn(iframeRef.current).catch((error) => {\n        console.log(\"signIn error\", {\n          error,\n          isPopupError: error instanceof PopupError,\n        });\n        // if we've tried to open a popup and it has failed, then fallback to redirect mode\n        if (error instanceof PopupError) {\n          signIn(\"redirect\");\n        }\n      });\n    },\n    [getAuthInitiator],\n  );\n\n  // remove event listeners when the component unmounts\n  useEffect(() => {\n    return () => {\n      if (browserAuthenticationInitiator) {\n        browserAuthenticationInitiator.cleanup();\n      }\n    };\n  }, [browserAuthenticationInitiator]);\n\n  const isAuthenticated = useMemo(\n    () => (session ? session.authenticated : false),\n    [session],\n  );\n\n  useQuery({\n    queryKey: [\"autoSignIn\", modalIframe, redirectUrl, isAuthenticated],\n    queryFn: async () => {\n      if (\n        !modalIframe &&\n        redirectUrl &&\n        !isAuthenticated &&\n        iframeRef.current\n      ) {\n        signIn(\"iframe\");\n      }\n      return true;\n    },\n    refetchOnWindowFocus: false,\n  });\n\n  const value = useMemo(\n    () => ({\n      isLoading,\n      error: error as Error | null,\n      signOut: async () => {\n        await signOutMutation.mutateAsync();\n      },\n      isAuthenticated,\n      signIn,\n    }),\n    [isLoading, error, signOutMutation, isAuthenticated, signIn],\n  );\n\n  if (!redirectUrl) return null;\n\n  return (\n    <AuthContext.Provider value={value}>\n      <ConfigProvider\n        config={config}\n        redirectUrl={redirectUrl}\n        modalIframe={modalIframe}\n        serverTokenExchange={serverTokenExchange}\n      >\n        <IframeProvider\n          setAuthResponseUrl={setAuthResponseUrl}\n          iframeRef={iframeRef}\n        >\n          <SessionProvider session={session}>\n            <TokenProvider>\n              {modalIframe && !isInIframe && !session?.authenticated && (\n                <div\n                  style={\n                    showIFrame ? { display: \"block\" } : { display: \"none\" }\n                  }\n                >\n                  <CivicAuthIframeContainer\n                    onClose={() => setShowIFrame(false)}\n                  />\n                </div>\n              )}\n\n              {modalIframe &&\n                (isInIframe ||\n                  isRedirecting ||\n                  (isLoading && !serverTokenExchange)) && (\n                  <BlockDisplay>\n                    <LoadingIcon />\n                  </BlockDisplay>\n                )}\n\n              {(tokenExchangeError || error) && (\n                <BlockDisplay>\n                  <div>\n                    Error: {(tokenExchangeError || (error as Error)).message}\n                  </div>\n                </BlockDisplay>\n              )}\n              {children}\n            </TokenProvider>\n          </SessionProvider>\n        </IframeProvider>\n      </ConfigProvider>\n    </AuthContext.Provider>\n  );\n};\n\nexport { AuthProvider };\n"]}

package/dist/esm/src/shared/CivicAuthProvider.d.ts

@@ -0,0 +1,7 @@
+import React from "react";
+import { type AuthProviderProps } from "../shared/AuthProvider.js";
+import "@civic/auth/styles.css";
+type CivicAuthProviderProps = Omit<AuthProviderProps, "pkceConsumer">;
+declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => React.JSX.Element;
+export { CivicAuthProvider, type CivicAuthProviderProps };
+//# sourceMappingURL=CivicAuthProvider.d.ts.map

package/dist/esm/src/shared/CivicAuthProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CivicAuthProvider.d.ts","sourceRoot":"","sources":["../../../../src/shared/CivicAuthProvider.tsx"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAgB,KAAK,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAOhF,OAAO,wBAAwB,CAAC;AAIhC,KAAK,sBAAsB,GAAG,IAAI,CAAC,iBAAiB,EAAE,cAAc,CAAC,CAAC;AAEtE,QAAA,MAAM,iBAAiB,2BAA4B,sBAAsB,sBAaxE,CAAC;AAEF,OAAO,EAAE,iBAAiB,EAAE,KAAK,sBAAsB,EAAE,CAAC"}

package/dist/esm/src/shared/CivicAuthProvider.js

@@ -0,0 +1,17 @@
+"use client";
+import React from "react";
+import { AuthProvider } from "../shared/AuthProvider.js";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import { BrowserPublicClientPKCEProducer } from "../services/PKCE.js";
+import { UserProvider } from "./UserProvider.js";
+import { LocalStorageAdapter } from "../browser/storage.js";
+// adding the styles import here to be added to the bundle
+import "@civic/auth/styles.css";
+const queryClient = new QueryClient();
+const CivicAuthProvider = ({ children, ...props }) => {
+    return (React.createElement(QueryClientProvider, { client: queryClient },
+        React.createElement(AuthProvider, { ...props, pkceConsumer: new BrowserPublicClientPKCEProducer() },
+            React.createElement(UserProvider, { storage: new LocalStorageAdapter() }, children))));
+};
+export { CivicAuthProvider };
+//# sourceMappingURL=CivicAuthProvider.js.map

package/dist/esm/src/shared/CivicAuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CivicAuthProvider.js","sourceRoot":"","sources":["../../../../src/shared/CivicAuthProvider.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;AACb,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,YAAY,EAA0B,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAE3D,0DAA0D;AAC1D,OAAO,wBAAwB,CAAC;AAEhC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAItC,MAAM,iBAAiB,GAAG,CAAC,EAAE,QAAQ,EAAE,GAAG,KAAK,EAA0B,EAAE,EAAE;IAC3E,OAAO,CACL,oBAAC,mBAAmB,IAAC,MAAM,EAAE,WAAW;QACtC,oBAAC,YAAY,OACP,KAAK,EACT,YAAY,EAAE,IAAI,+BAA+B,EAAE;YAEnD,oBAAC,YAAY,IAAC,OAAO,EAAE,IAAI,mBAAmB,EAAE,IAC7C,QAAQ,CACI,CACF,CACK,CACvB,CAAC;AACJ,CAAC,CAAC;AAEF,OAAO,EAAE,iBAAiB,EAA+B,CAAC","sourcesContent":["\"use client\";\nimport React from \"react\";\nimport { AuthProvider, type AuthProviderProps } from \"@/shared/AuthProvider.js\";\nimport { QueryClient, QueryClientProvider } from \"@tanstack/react-query\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { UserProvider } from \"./UserProvider.js\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\n\n// adding the styles import here to be added to the bundle\nimport \"@civic/auth/styles.css\";\n\nconst queryClient = new QueryClient();\n\ntype CivicAuthProviderProps = Omit<AuthProviderProps, \"pkceConsumer\">;\n\nconst CivicAuthProvider = ({ children, ...props }: CivicAuthProviderProps) => {\n  return (\n    <QueryClientProvider client={queryClient}>\n      <AuthProvider\n        {...props}\n        pkceConsumer={new BrowserPublicClientPKCEProducer()}\n      >\n        <UserProvider storage={new LocalStorageAdapter()}>\n          {children}\n        </UserProvider>\n      </AuthProvider>\n    </QueryClientProvider>\n  );\n};\n\nexport { CivicAuthProvider, type CivicAuthProviderProps };\n"]}

package/dist/esm/src/shared/GenericAuthenticationRefresher.d.ts

@@ -0,0 +1,15 @@
+import type { AuthenticationRefresher } from "../services/types.js";
+import type { AuthStorage, Endpoints, OIDCTokenResponseBody } from "../types.js";
+import type { AuthConfig } from "../server/config.js";
+export declare class GenericAuthenticationRefresher implements AuthenticationRefresher {
+    private authConfig;
+    private storage;
+    private endpointOverrides?;
+    private oauth2client;
+    private endpoints;
+    private constructor();
+    init(): Promise<this>;
+    static build(authConfig: AuthConfig, storage: AuthStorage, endpointOverrides?: Partial<Endpoints>): Promise<GenericAuthenticationRefresher>;
+    refreshTokens(): Promise<OIDCTokenResponseBody>;
+}
+//# sourceMappingURL=GenericAuthenticationRefresher.d.ts.map

package/dist/esm/src/shared/GenericAuthenticationRefresher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GenericAuthenticationRefresher.d.ts","sourceRoot":"","sources":["../../../../src/shared/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAMhF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGrD,qBAAa,8BAA+B,YAAW,uBAAuB;IAK1E,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,iBAAiB,CAAC;IAN5B,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,SAAS,CAAwB;IAEzC,OAAO;IAWD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;WAkBd,KAAK,CAChB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,WAAW,EACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,GACrC,OAAO,CAAC,8BAA8B,CAAC;IAWpC,aAAa;CAgBpB"}

package/dist/esm/src/shared/GenericAuthenticationRefresher.js

@@ -0,0 +1,43 @@
+import { getEndpointsWithOverrides, retrieveTokens, storeTokens, } from "../shared/util.js";
+import { OAuth2Client } from "oslo/oauth2";
+export class GenericAuthenticationRefresher {
+    authConfig;
+    storage;
+    endpointOverrides;
+    oauth2client;
+    endpoints;
+    constructor(authConfig, storage, endpointOverrides) {
+        this.authConfig = authConfig;
+        this.storage = storage;
+        this.endpointOverrides = endpointOverrides;
+        console.log("GenericAuthenticationRefresher constructor", {
+            authConfig,
+            endpointOverrides,
+        });
+    }
+    async init() {
+        // resolve oauth config
+        this.endpoints = await getEndpointsWithOverrides(this.authConfig.oauthServer, this.endpointOverrides);
+        this.oauth2client = new OAuth2Client(this.authConfig.clientId, this.endpoints.auth, this.endpoints.token, {
+            redirectURI: this.authConfig.redirectUrl,
+        });
+        return this;
+    }
+    static async build(authConfig, storage, endpointOverrides) {
+        const refresher = new GenericAuthenticationRefresher(authConfig, storage, endpointOverrides);
+        await refresher.init();
+        return refresher;
+    }
+    async refreshTokens() {
+        if (!this.oauth2client)
+            await this.init();
+        const tokens = retrieveTokens(this.storage);
+        if (!tokens?.refresh_token)
+            throw new Error("No refresh token available");
+        const oauth2Client = this.oauth2client;
+        const refreshedTokens = await oauth2Client.refreshAccessToken(tokens.refresh_token);
+        storeTokens(this.storage, refreshedTokens);
+        return tokens;
+    }
+}
+//# sourceMappingURL=GenericAuthenticationRefresher.js.map