@civic/auth 0.0.1-beta.11 → 0.0.1-beta.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-YNLXRD5L.js → chunk-2SAT3UFJ.js} +8 -3
- package/dist/chunk-2SAT3UFJ.js.map +1 -0
- package/dist/{chunk-EGFTMH5S.mjs → chunk-3MO4WWTJ.mjs} +2 -2
- package/dist/{chunk-EAANLFR5.mjs → chunk-3PEZMCN4.mjs} +2 -2
- package/dist/{chunk-MVO4UZ2A.js → chunk-EM4APQVY.js} +3 -3
- package/dist/{chunk-MVO4UZ2A.js.map → chunk-EM4APQVY.js.map} +1 -1
- package/dist/{chunk-PMDIR5XE.mjs → chunk-KHGGUCM6.mjs} +8 -3
- package/dist/chunk-KHGGUCM6.mjs.map +1 -0
- package/dist/{chunk-KCSGIIPA.js → chunk-ZXULHA47.js} +16 -16
- package/dist/{chunk-KCSGIIPA.js.map → chunk-ZXULHA47.js.map} +1 -1
- package/dist/nextjs.js +20 -20
- package/dist/nextjs.mjs +3 -3
- package/dist/react.js +24 -24
- package/dist/react.mjs +2 -2
- package/dist/server.d.mts +2 -2
- package/dist/server.d.ts +2 -2
- package/dist/server.js +3 -3
- package/dist/server.mjs +2 -2
- package/package.json +1 -1
- package/dist/chunk-PMDIR5XE.mjs.map +0 -1
- package/dist/chunk-YNLXRD5L.js.map +0 -1
- /package/dist/{chunk-EGFTMH5S.mjs.map → chunk-3MO4WWTJ.mjs.map} +0 -0
- /package/dist/{chunk-EAANLFR5.mjs.map → chunk-3PEZMCN4.mjs.map} +0 -0
|
@@ -215,10 +215,15 @@ function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
|
|
|
215
215
|
var _jwt = require('oslo/jwt');
|
|
216
216
|
function getUser(storage) {
|
|
217
217
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
218
|
-
var _a, _b;
|
|
218
|
+
var _a, _b, _c;
|
|
219
219
|
const tokens = retrieveTokens(storage);
|
|
220
220
|
if (!tokens) return null;
|
|
221
|
-
|
|
221
|
+
const user = (_b = (_a = _jwt.parseJWT.call(void 0, tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
|
|
222
|
+
return _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user), {
|
|
223
|
+
idToken: tokens.id_token,
|
|
224
|
+
accessToken: tokens.access_token,
|
|
225
|
+
refreshToken: (_c = tokens.refresh_token) != null ? _c : ""
|
|
226
|
+
});
|
|
222
227
|
});
|
|
223
228
|
}
|
|
224
229
|
|
|
@@ -499,4 +504,4 @@ var BrowserAuthenticationService = class _BrowserAuthenticationService extends B
|
|
|
499
504
|
|
|
500
505
|
|
|
501
506
|
exports.GenericUserSession = GenericUserSession; exports.DEFAULT_SCOPES = DEFAULT_SCOPES; exports.IFRAME_ID = IFRAME_ID; exports.AUTH_SERVER = AUTH_SERVER; exports.isWindowInIframe = isWindowInIframe; exports.generateState = generateState; exports.cn = cn; exports.withoutUndefined = withoutUndefined; exports.getEndpointsWithOverrides = getEndpointsWithOverrides; exports.exchangeTokens = exchangeTokens; exports.storeTokens = storeTokens; exports.clearTokens = clearTokens; exports.retrieveTokens = retrieveTokens; exports.LocalStorageAdapter = LocalStorageAdapter; exports.ConfidentialClientPKCEConsumer = ConfidentialClientPKCEConsumer; exports.GenericPublicClientPKCEProducer = GenericPublicClientPKCEProducer; exports.BrowserPublicClientPKCEProducer = BrowserPublicClientPKCEProducer; exports.BrowserAuthenticationInitiator = BrowserAuthenticationInitiator; exports.GenericAuthenticationInitiator = GenericAuthenticationInitiator; exports.BrowserAuthenticationService = BrowserAuthenticationService; exports.getUser = getUser;
|
|
502
|
-
//# sourceMappingURL=chunk-
|
|
507
|
+
//# sourceMappingURL=chunk-2SAT3UFJ.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-2SAT3UFJ.js","../src/shared/types.ts","../src/shared/util.ts","../src/lib/oauth.ts","../src/utils.ts","../src/shared/UserSession.ts","../src/shared/session.ts","../src/constants.ts","../src/services/PKCE.ts","../src/browser/storage.ts","../src/services/AuthenticationService.ts","../src/lib/windowUtil.ts"],"names":["OAuthTokens","OAuth2Client","window","localStorage"],"mappings":"AAAA;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACNO,IAAK,YAAA,kBAAL,CAAA,CAAKA,YAAAA,EAAAA,GAAL;AACL,EAAAA,YAAAA,CAAA,UAAA,EAAA,EAAW,UAAA;AACX,EAAAA,YAAAA,CAAA,cAAA,EAAA,EAAe,cAAA;AACf,EAAAA,YAAAA,CAAA,eAAA,EAAA,EAAgB,eAAA;AAHN,EAAA,OAAAA,YAAAA;AAAA,CAAA,CAAA,CAAA,YAAA,GAAA,CAAA,CAAA,CAAA;ADaZ;AACA;AEHA,qCAA6B;AFK7B;AACA;AGhBA,4BAA2B;AAE3B,IAAM,oBAAA,EAAsB,CAAC,MAAA,EAAA,GAA6B;AACxD,EAAA,MAAM,mBAAA,EAAqB,MAAA,CAAO,QAAA,CAAS,GAAG,EAAA,EAC1C,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,MAAA,CAAO,OAAA,EAAS,CAAC,EAAA,EACjC,MAAA;AAEJ,EAAA,MAAM,gBAAA,EAAkB,CAAA,EAAA;AAEhB,EAAA;AACV;AAE0B;AAGO;AACzB,EAAA;AACgB,IAAA;AACtB,EAAA;AAEG,EAAA;AACI,EAAA;AACc,IAAA;AACA,IAAA;AACC,IAAA;AACG,IAAA;AACzB,EAAA;AACF;AAOuB;AACG,EAAA;AACX,IAAA;AACX,IAAA;AACD,EAAA;AACqB,EAAA;AACxB;AAQ6B;AAIvB,EAAA;AACiB,IAAA;AACD,IAAA;AACR,EAAA;AACI,IAAA;AACP,IAAA;AACT,EAAA;AACF;AHP2B;AACA;AEzCL;AF2CK;AACA;AIzDW;AACd;AAkCgB;AAClB,EAAA;AACtB;AAWE;AAEgB,EAAA;AAEO,EAAA;AACJ,IAAA;AAIe,MAAA;AAChC,IAAA;AACF,EAAA;AAEO,EAAA;AACT;AJU2B;AACA;AKjEpB;AACsC,EAAA;AAAtB,IAAA;AAAuB,EAAA;AAEzB,EAAA;AACC,IAAA;AACC,IAAA;AACrB,EAAA;AAEqC,EAAA;AACd,IAAA;AACR,IAAA;AACf,EAAA;AACF;ALmE2B;AACA;AEnEL;AAGH,EAAA;AACF,IAAA;AACA,MAAA;AACN,MAAA;AACT,IAAA;AAEoB,IAAA;AACC,IAAA;AACA,IAAA;AACF,IAAA;AAIrB,EAAA;AAAA;AAEsB;AAGpB,EAAA;AACkB,IAAA;AACX,IAAA;AAIT,EAAA;AAAA;AAEsB;AAUL,EAAA;AACG,IAAA;AACT,MAAA;AACA,MAAA;AACT,IAAA;AACqB,IAAA;AACZ,MAAA;AACA,MAAA;AACP,MAAA;AACF,IAAA;AACkB,IAAA;AACK,IAAA;AACP,MAAA;AACC,MAAA;AAChB,IAAA;AAGqB,IAAA;AACA,IAAA;AACJ,IAAA;AAEP,MAAA;AACX,IAAA;AAEsB,IAAA;AAEV,IAAA;AACL,IAAA;AACT,EAAA;AAAA;AAEsB;AAOL,EAAA;AAEA,IAAA;AACjB,EAAA;AAAA;AAGE;AAIwB,EAAA;AACT,IAAA;AACd,EAAA;AACH;AAGE;AAMA,EAAA;AACqB,IAAA;AACF,IAAA;AAGX,IAAA;AACJ,MAAA;AACD,IAAA;AAGC,IAAA;AACI,MAAA;AACQ,IAAA;AACA,MAAA;AACJ,MAAA;AACR,QAAA;AACF,MAAA;AACF,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAGE;AAIQ,EAAA;AACA,EAAA;AACG,EAAA;AACD,IAAA;AACZ;AAE4B;AACD,EAAA;AACD,IAAA;AACvB,EAAA;AACH;AAC0B;AACA,EAAA;AACJ,EAAA;AACtB;AAGE;AAEwB,EAAA;AACJ,EAAA;AACC,EAAA;AAEJ,EAAA;AAEV,EAAA;AACK,IAAA;AACI,IAAA;AACC,IAAA;AACjB,EAAA;AACF;AAEsB;AAKG,EAAA;AACL,IAAA;AAGZ,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACE,QAAA;AACZ,MAAA;AACF,IAAA;AAGM,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACV,MAAA;AACF,IAAA;AAEO,IAAA;AACK,MAAA;AACI,MAAA;AACC,MAAA;AAChB,IAAA;AACH,EAAA;AAAA;AFE2B;AACA;AMpNF;AAMO;AAAA,EAAA;AAPhC,IAAA;AAQiB,IAAA;AACK,IAAA;AAIN,IAAA;AACP,IAAA;AAEW,MAAA;AACI,MAAA;AACN,MAAA;AAChB,IAAA;AACF,EAAA;AAAA;ANgN2B;AACA;AOrOJ;AACrB,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACF;AACkB;AAEE;AAEd;APqOqB;AACA;AQhPlB;ARkPkB;AACA;ASlPpB;AACoB,EAAA;AACH,IAAA;AACtB,EAAA;AAEsC,EAAA;AACf,IAAA;AACvB,EAAA;AACF;ATmP2B;AACA;AQvPd;AACS,EAAA;AAAA,IAAA;AAAgC,EAAA;AACV,EAAA;AAAA,IAAA;AACvB,MAAA;AACG,MAAA;AACR,MAAA;AACd,IAAA;AAAA,EAAA;AACF;AAGa;AAC+B,EAAA;AAAtB,IAAA;AAAuB,EAAA;AAAA;AAAA;AAID,EAAA;AAAA,IAAA;AAGvB,MAAA;AACA,MAAA;AAEV,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAEgD,EAAA;AAAA,IAAA;AAC1B,MAAA;AACtB,IAAA;AAAA,EAAA;AACF;AAGa;AACG,EAAA;AACF,IAAA;AACZ,EAAA;AACF;AR2P2B;AACA;AUhRlBC;AVkRkB;AACA;AWxSDC;AAA1B,EAAA;AACwB,EAAA;AAEhB,IAAA;AACEA,MAAAA;AACK,QAAA;AACT,MAAA;AAEW,IAAA;AAEJ,MAAA;AACT,IAAA;AACF,EAAA;AACO,EAAA;AACT;AAEM;AACgB,EAAA;AACI,EAAA;AACL,IAAA;AAClB,EAAA;AACc,EAAA;AACjB;AXuS2B;AACA;AU1Qd;AAiB6B,EAAA;AACxB,IAAA;AAChB,EAAA;AAAA;AAAA;AAGgE,EAAA;AAAA,IAAA;AAC5C,MAAA;AAEF,MAAA;AACT,QAAA;AACa,UAAA;AACR,QAAA;AACZ,MAAA;AACgB,MAAA;AACE,QAAA;AAClB,MAAA;AACgB,MAAA;AACE,QAAA;AAClB,MAAA;AACO,MAAA;AACT,IAAA;AAAA,EAAA;AAE8B,EAAA;AAAA,IAAA;AACtBC,MAAAA;AACMA,MAAAA;AACFA,MAAAA;AAGQ,MAAA;AACX,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AAMa;AAc6B,EAAA;AACxB,IAAA;AAChB,EAAA;AAAA;AAAA;AAI6B,EAAA;AAAA,IAAA;AACpB,MAAA;AACT,IAAA;AAAA,EAAA;AAE8B,EAAA;AAAA,IAAA;AACrB,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AAea;AAAoE;AAQnE,EAAA;AAEJ,IAAA;AAEiB,MAAA;AAAkB;AAEzB,MAAA;AACf,IAAA;AAPS,IAAA;AAQZ,EAAA;AAAA;AAAA;AAAA;AAK4B,EAAA;AAAA,IAAA;AAET,MAAA;AACH,QAAA;AACA,QAAA;AACd,MAAA;AACoB,MAAA;AACN,QAAA;AACG,QAAA;AACA,QAAA;AACf,QAAA;AACe,UAAA;AACf,QAAA;AACF,MAAA;AAEO,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAOE,EAAA;AACgC,IAAA;AACtB,MAAA;AACW,MAAA;AACF,MAAA;AAGE,MAAA;AACnB,QAAA;AACA,QAAA;AACK,QAAA;AACA,QAAA;AAAA;AACO,QAAA;AACP,QAAA;AAAA;AACP,MAAA;AAEgB,MAAA;AAGV,MAAA;AACJ,QAAA;AACY,QAAA;AACd,MAAA;AAEI,MAAA;AAEW,QAAA;AACJ,MAAA;AAET,QAAA;AACF,MAAA;AACO,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAGoD,EAAA;AAAA,IAAA;AAC9B,MAAA;AAEF,MAAA;AAEX,MAAA;AACY,QAAA;AACR,QAAA;AACI,QAAA;AACC,QAAA;AAChB,MAAA;AACF,IAAA;AAAA,EAAA;AAEM,EAAA;AAAgD,IAAA;AAChD,MAAA;AACI,QAAA;AACD,QAAA;AACG,UAAA;AACU,UAAA;AACT,UAAA;AACT,QAAA;AACU,QAAA;AAGJ,QAAA;AACJ,UAAA;AACgB,YAAA;AACJ,YAAA;AACK,YAAA;AACjB,UAAA;AACK,UAAA;AACA,UAAA;AACO,UAAA;AACd,QAAA;AACO,QAAA;AACO,MAAA;AACD,QAAA;AACP,QAAA;AACW,UAAA;AACjB,QAAA;AACgB,QAAA;AACT,QAAA;AACT,MAAA;AACF,IAAA;AAAA,EAAA;AAImC,EAAA;AAAA,IAAA;AACZ,MAAA;AACD,MAAA;AAEb,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AV0M2B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-2SAT3UFJ.js","sourcesContent":[null,"export enum OAuthTokens {\n ID_TOKEN = \"id_token\",\n ACCESS_TOKEN = \"access_token\",\n REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum UserStorage {\n USER = \"user\",\n}\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n AuthStorage,\n Endpoints,\n JWTPayload,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport { OAuthTokens } from \"./types\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"./UserSession\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n) {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n const challenge = await config.pkceConsumer.getCodeChallenge();\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n console.log(\"Generated OAuth URL\", oAuthUrl.toString());\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n // TODO\n return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer,\n oauth2Client: OAuth2Client,\n oauthServer: string,\n endpoints: Endpoints,\n) {\n const codeVerifier = await pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n const tokens =\n await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n codeVerifier,\n });\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n\n return tokens;\n}\n\nexport function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n if (tokens.refresh_token)\n storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n Object.values(OAuthTokens).forEach((cookie) => {\n storage.set(cookie, \"\");\n });\n}\nexport function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n userSession.set(null);\n}\n\nexport function retrieveTokens(\n storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n const idToken = storage.get(OAuthTokens.ID_TOKEN);\n const accessToken = storage.get(OAuthTokens.ACCESS_TOKEN);\n const refreshToken = storage.get(OAuthTokens.REFRESH_TOKEN);\n\n if (!idToken || !accessToken) return null;\n\n return {\n id_token: idToken,\n access_token: accessToken,\n refresh_token: refreshToken ?? undefined,\n };\n}\n\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n endpoints: Endpoints,\n oauth2Client: OAuth2Client,\n issuer: string,\n): Promise<ParsedTokens> {\n const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n // validate the ID token\n const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.id_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n audience: oauth2Client.clientId,\n },\n );\n\n // validate the access token\n const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.access_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n },\n );\n\n return withoutUndefined({\n id_token: idTokenResponse.payload,\n access_token: accessTokenResponse.payload,\n refresh_token: tokens.refresh_token,\n });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n const issuerWithoutSlash = issuer.endsWith(\"/\")\n ? issuer.slice(0, issuer.length - 1)\n : issuer;\n\n const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n const openIdConfigResponse = await fetch(\n `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n );\n const openIdConfig =\n (await openIdConfigResponse.json()) as OpenIdConfiguration;\n return {\n jwks: openIdConfig.jwks_uri,\n auth: openIdConfig.authorization_endpoint,\n token: openIdConfig.token_endpoint,\n userinfo: openIdConfig.userinfo_endpoint,\n };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n const jsonString = JSON.stringify({\n uuid: uuid(),\n displayMode,\n });\n return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n state: string,\n sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n try {\n const jsonString = atob(state);\n return JSON.parse(jsonString).displayMode;\n } catch (e) {\n console.error(\"Failed to parse displayMode from state:\", state);\n return sessionDisplayMode;\n }\n};\n\nexport {\n getIssuerVariations,\n getOauthEndpoints,\n displayModeFromState,\n generateState,\n};\n","import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n // First we try to open a small popup window. It either returns a window object or null.\n const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n // If window.open() returns null, popup is definitely blocked\n if (!popup) {\n return true;\n }\n\n try {\n // Try to access a property of the popup to check if it's usable\n if (typeof popup.closed === \"undefined\") {\n throw new Error(\"Popup is blocked\");\n }\n } catch {\n // Accessing the popup's properties throws an error if the popup is blocked\n return true;\n }\n\n // Close the popup immediately if it was opened\n popup.close();\n return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n obj: T,\n): WithoutUndefined<T> => {\n const result = {} as WithoutUndefined<T>;\n\n for (const key in obj) {\n if (obj[key] !== undefined) {\n // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n // We use type assertion here\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n (result as any)[key] = obj[key];\n }\n }\n\n return result;\n};\n\nexport { cn, isPopupBlocked };\n","import { AuthStorage, Tokens, User } from \"@/types\";\nimport { UserStorage } from \"./types\";\n\nexport interface UserSession {\n get(): User | null;\n set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n constructor(readonly storage: AuthStorage) {}\n\n get(): User | null {\n const user = this.storage.get(UserStorage.USER);\n return user ? JSON.parse(user) : null;\n }\n\n set(user: User<Tokens> | null): void {\n const value = user ? JSON.stringify(user) : \"\";\n this.storage.set(UserStorage.USER, value);\n }\n}\n","import { retrieveTokens } from \"@/shared/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport { AuthStorage, Tokens, User } from \"@/types.js\";\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport async function getUser(\n storage: AuthStorage,\n): Promise<User<Tokens> | null> {\n const tokens = retrieveTokens(storage);\n if (!tokens) return null;\n\n // Assumes all information is in the ID token\n // include the tokens and the user object\n const user = (parseJWT(tokens.id_token)?.payload as User) ?? null;\n return {\n ...user!,\n idToken: tokens.id_token,\n accessToken: tokens.access_token,\n refreshToken: tokens.refresh_token ?? \"\",\n };\n}\n","const DEFAULT_SCOPES = [\n \"openid\",\n \"profile\",\n \"email\",\n \"forwardedTokens\",\n \"offline_access\",\n];\nconst IFRAME_ID = \"civic-auth-iframe\";\n\nconst AUTH_SERVER = \"https://auth-dev.civic.com/oauth\";\n\nconst DEFAULT_OAUTH_GET_PARAMS = [\"code\", \"state\", \"iss\"];\n\nexport { DEFAULT_SCOPES, DEFAULT_OAUTH_GET_PARAMS, IFRAME_ID, AUTH_SERVER };\n","import { deriveCodeChallenge } from \"@/shared/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.ts\";\nimport { AuthStorage } from \"@/types\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n constructor(private pkceChallengeEndpoint: string) {}\n async getCodeChallenge(): Promise<string> {\n const response = await fetch(this.pkceChallengeEndpoint);\n const data = (await response.json()) as { challenge: string };\n return data.challenge;\n }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n constructor(private storage: AuthStorage) {}\n\n // if there is already a verifier, return it,\n // If not, create a new one and store it\n async getCodeChallenge(): Promise<string> {\n // let verifier = await this.getCodeVerifier();\n // if (!verifier) {\n const verifier = generateCodeVerifier();\n this.storage.set(\"code_verifier\", verifier);\n // }\n return deriveCodeChallenge(verifier);\n }\n // if there is already a verifier, return it,\n async getCodeVerifier(): Promise<string | null> {\n return this.storage.get(\"code_verifier\");\n }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n constructor() {\n super(new LocalStorageAdapter());\n }\n}\n","import { AuthStorage } from \"@/types\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n get(key: string): string {\n return localStorage.getItem(key) || \"\";\n }\n\n set(key: string, value: string): void {\n localStorage.setItem(key, value);\n }\n}\n","// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport {\n DisplayMode,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n clearTokens,\n clearUser,\n exchangeTokens,\n generateOauthLoginUrl,\n generateOauthLogoutUrl,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n validateOauth2Tokens,\n} from \"@/shared/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport {\n AuthenticationInitiator,\n AuthenticationResolver,\n PKCEConsumer,\n} from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n * ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n * ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n displayMode: DisplayMode;\n oauthServer: string;\n // the endpoints to use for the login (if not obtained from the auth server\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n // the nonce to use for the login\n nonce?: string;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and then use the display mode to decide how to send the user there\n async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n const url = await generateOauthLoginUrl(this.config);\n\n if (this.config.displayMode === \"iframe\") {\n if (!iframeRef)\n throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n iframeRef.setAttribute(\"src\", url.toString());\n }\n if (this.config.displayMode === \"redirect\") {\n window.location.href = url.toString();\n }\n if (this.config.displayMode === \"new_tab\") {\n window.open(url.toString(), \"_blank\");\n }\n return url;\n }\n\n async signOut(): Promise<URL> {\n const localStorage = new LocalStorageAdapter();\n clearTokens(localStorage);\n clearUser(localStorage);\n // TODO open the iframe or new tab etc: the logout URL is not currently\n // supported by on the oauth, so just clear state until then\n const url = await generateOauthLogoutUrl(this.config);\n return url;\n }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n oauthServer: string;\n nonce?: string;\n // the endpoints to use for the login (if not obtained from the auth server)\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and simply return the url\n async signIn(): Promise<URL> {\n return generateOauthLoginUrl(this.config);\n }\n\n async signOut(): Promise<URL> {\n return generateOauthLogoutUrl(this.config);\n }\n}\n\ntype BrowserAuthenticationConfig = {\n clientId: string;\n redirectUrl: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n // TODO WIP - perhaps we want to keep resolver and initiator separate here\n constructor(\n config: BrowserAuthenticationConfig,\n // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n ) {\n super({\n ...config,\n state: generateState(config.displayMode),\n // Store and retrieve the PKCE challenge in local storage\n pkceConsumer: pkceProducer,\n });\n }\n\n // TODO too much code duplication here between the browser and the server variant.\n // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n // function for generating an oauth2client from it\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.config.oauthServer,\n this.config.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.config.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.config.redirectUrl,\n },\n );\n\n return this;\n }\n\n // Two responsibilities:\n // 1. resolve the auth code to get the tokens (should use library code)\n // 2. store the tokens in local storage\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.config.oauthServer,\n this.endpoints!, // clean up types here to avoid the ! operator\n );\n\n storeTokens(new LocalStorageAdapter(), tokens);\n\n // cleanup the browser window if needed\n const parsedDisplayMode = displayModeFromState(\n state,\n this.config.displayMode,\n );\n\n if (parsedDisplayMode === \"new_tab\") {\n // Close the popup window\n window.close();\n } else if (parsedDisplayMode === \"redirect\") {\n // these are the default oAuth params that get added to the URL which we want to remove\n removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n }\n return tokens;\n }\n\n // Get the session data from local storage\n async getSessionData(): Promise<SessionData | null> {\n const storageData = retrieveTokens(new LocalStorageAdapter());\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n };\n }\n\n async validateExistingSession(): Promise<SessionData> {\n try {\n const sessionData = await this.getSessionData();\n if (!sessionData?.idToken || !sessionData.accessToken) {\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n if (!this.endpoints || !this.oauth2client) await this.init();\n\n // this function will throw if any of the tokens are invalid\n await validateOauth2Tokens(\n {\n access_token: sessionData.accessToken,\n id_token: sessionData.idToken,\n refresh_token: sessionData.refreshToken,\n },\n this.endpoints!,\n this.oauth2client!,\n this.config.oauthServer,\n );\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n }\n\n static async build(\n config: BrowserAuthenticationConfig,\n ): Promise<AuthenticationResolver> {\n const resolver = new BrowserAuthenticationService(config);\n await resolver.init();\n\n return resolver;\n }\n}\n","const isWindowInIframe = (window: Window): boolean => {\n if (typeof window !== \"undefined\") {\n // use the window width to determine if we're in an iframe or not\n try {\n if (window?.frameElement?.id === \"civic-auth-iframe\") {\n return true;\n }\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n } catch (_e) {\n // If we get an error, we're not in an iframe\n return false;\n }\n }\n return false;\n};\n\nconst removeParamsWithoutReload = (paramsToRemove: string[]) => {\n const url = new URL(window.location.href);\n paramsToRemove.forEach((param: string) => {\n url.searchParams.delete(param);\n });\n window.history.replaceState({}, \"\", url);\n};\n\nexport { isWindowInIframe, removeParamsWithoutReload };\n"]}
|
|
@@ -7,7 +7,7 @@ import {
|
|
|
7
7
|
getEndpointsWithOverrides,
|
|
8
8
|
retrieveTokens,
|
|
9
9
|
storeTokens
|
|
10
|
-
} from "./chunk-
|
|
10
|
+
} from "./chunk-KHGGUCM6.mjs";
|
|
11
11
|
import {
|
|
12
12
|
__async,
|
|
13
13
|
__spreadProps,
|
|
@@ -211,4 +211,4 @@ export {
|
|
|
211
211
|
buildLoginUrl,
|
|
212
212
|
refreshTokens
|
|
213
213
|
};
|
|
214
|
-
//# sourceMappingURL=chunk-
|
|
214
|
+
//# sourceMappingURL=chunk-3MO4WWTJ.mjs.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
withoutUndefined
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-KHGGUCM6.mjs";
|
|
4
4
|
import {
|
|
5
5
|
__spreadProps,
|
|
6
6
|
__spreadValues
|
|
@@ -145,4 +145,4 @@ export {
|
|
|
145
145
|
createCivicAuthPlugin,
|
|
146
146
|
resolveCallbackUrl
|
|
147
147
|
};
|
|
148
|
-
//# sourceMappingURL=chunk-
|
|
148
|
+
//# sourceMappingURL=chunk-3PEZMCN4.mjs.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
|
|
2
2
|
|
|
3
|
-
var
|
|
3
|
+
var _chunk2SAT3UFJjs = require('./chunk-2SAT3UFJ.js');
|
|
4
4
|
|
|
5
5
|
|
|
6
6
|
|
|
@@ -83,7 +83,7 @@ var defaultAuthConfig = {
|
|
|
83
83
|
};
|
|
84
84
|
var resolveAuthConfig = (config = {}) => {
|
|
85
85
|
var _a, _b, _c, _d;
|
|
86
|
-
const configFromEnv =
|
|
86
|
+
const configFromEnv = _chunk2SAT3UFJjs.withoutUndefined.call(void 0, {
|
|
87
87
|
clientId: process.env._civic_auth_client_id,
|
|
88
88
|
oauthServer: process.env._civic_oauth_server,
|
|
89
89
|
callbackUrl: process.env._civic_auth_callback_url,
|
|
@@ -145,4 +145,4 @@ var resolveCallbackUrl = (config, alternativeUrl) => {
|
|
|
145
145
|
|
|
146
146
|
|
|
147
147
|
exports.loggers = loggers; exports.defaultAuthConfig = defaultAuthConfig; exports.resolveAuthConfig = resolveAuthConfig; exports.createCivicAuthPlugin = createCivicAuthPlugin; exports.resolveCallbackUrl = resolveCallbackUrl;
|
|
148
|
-
//# sourceMappingURL=chunk-
|
|
148
|
+
//# sourceMappingURL=chunk-EM4APQVY.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-
|
|
1
|
+
{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-EM4APQVY.js","../src/lib/logger.ts","../src/nextjs/config.ts","../src/nextjs/utils.ts"],"names":[],"mappings":"AAAA;AACE;AACF,sDAA4B;AAC5B;AACE;AACA;AACF,sDAA4B;AAC5B;AACA;ACRA,4EAAkB;AAElB,IAAM,aAAA,EAAe,aAAA;AASrB,IAAM,YAAA,EAAN,MAAoC;AAAA,EAMlC,WAAA,CAAY,SAAA,EAAmB;AAE7B,IAAA,IAAA,CAAK,YAAA,EAAc,6BAAA,CAAM,EAAA;AACD,IAAA;AACA,IAAA;AACC,IAAA;AAEA,IAAA;AACD,IAAA;AACA,IAAA;AACC,IAAA;AAC3B,EAAA;AAEiD,EAAA;AACrB,IAAA;AAC5B,EAAA;AAEgD,EAAA;AACrB,IAAA;AAC3B,EAAA;AAEgD,EAAA;AACrB,IAAA;AAC3B,EAAA;AAEiD,EAAA;AACrB,IAAA;AAC5B,EAAA;AACF;AAE6B;AAIN;AAAA;AAEb,EAAA;AACe,IAAA;AACI,IAAA;AACf,IAAA;AACW,MAAA;AACrB,IAAA;AACF,EAAA;AAAA;AAEO,EAAA;AACoB,IAAA;AACL,IAAA;AACE,IAAA;AACxB,EAAA;AAAA;AAEU,EAAA;AACiB,IAAA;AACH,IAAA;AACxB,EAAA;AACF;ADd8B;AACA;AErDA;AAiC6C;AAC5D,EAAA;AACA,EAAA;AACC,EAAA;AACH,EAAA;AACD,EAAA;AACI,EAAA;AACJ,EAAA;AACD,EAAA;AACC,IAAA;AACI,MAAA;AACJ,MAAA;AACO,MAAA;AAAA;AACf,IAAA;AACM,IAAA;AACM,MAAA;AACJ,MAAA;AACO,MAAA;AAAA;AACf,IAAA;AACF,EAAA;AACF;AAoBE;AA9EF,EAAA;AAiFwB,EAAA;AACE,IAAA;AACG,IAAA;AACA,IAAA;AACC,IAAA;AACJ,IAAA;AACF,IAAA;AACG,IAAA;AACN,IAAA;AACA,IAAA;AACI,IAAA;AAGtB,EAAA;AAEoB,EAAA;AAAA;AAIV,IAAA;AACC,MAAA;AAIF,MAAA;AAIR,IAAA;AACF,EAAA;AAEa,EAAA;AACA,EAAA;AACI,EAAA;AACC,IAAA;AAClB,EAAA;AACO,EAAA;AACT;AA0BE;AAGoC,EAAA;AACX,IAAA;AAChB,IAAA;AAEA,MAAA;AAAA;AAGH,QAAA;AACqB,QAAA;AACrB,QAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACqB,QAAA;AACC,QAAA;AACA,QAAA;AACtB,QAAA;AACF,MAAA;AACF,IAAA;AACF,EAAA;AACF;AFpC8B;AACA;AGjI5B;AAHF,EAAA;AAMkB,EAAA;AACY,EAAA;AACA,EAAA;AAC9B;AHkI8B;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-EM4APQVY.js","sourcesContent":[null,"import debug from \"debug\";\n\nconst PACKAGE_NAME = \"@civic/auth\";\n\nexport interface Logger {\n debug(message: string, ...args: unknown[]): void;\n info(message: string, ...args: unknown[]): void;\n warn(message: string, ...args: unknown[]): void;\n error(message: string, ...args: unknown[]): void;\n}\n\nclass DebugLogger implements Logger {\n private debugLogger: debug.Debugger;\n private infoLogger: debug.Debugger;\n private warnLogger: debug.Debugger;\n private errorLogger: debug.Debugger;\n\n constructor(namespace: string) {\n // Format: @org/package:library:component:level\n this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);\n this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);\n this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);\n this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);\n\n this.debugLogger.color = \"4\";\n this.infoLogger.color = \"2\";\n this.warnLogger.color = \"3\";\n this.errorLogger.color = \"1\";\n }\n\n debug(message: string, ...args: unknown[]): void {\n this.debugLogger(message, ...args);\n }\n\n info(message: string, ...args: unknown[]): void {\n this.infoLogger(message, ...args);\n }\n\n warn(message: string, ...args: unknown[]): void {\n this.warnLogger(message, ...args);\n }\n\n error(message: string, ...args: unknown[]): void {\n this.errorLogger(message, ...args);\n }\n}\n\nexport const createLogger = (namespace: string): Logger =>\n new DebugLogger(namespace);\n\n// Pre-configured loggers for different parts of your package\nexport const loggers = {\n // Next.js specific loggers\n nextjs: {\n routes: createLogger(\"api:routes\"),\n middleware: createLogger(\"api:middleware\"),\n handlers: {\n auth: createLogger(\"api:handlers:auth\"),\n },\n },\n // React specific loggers\n react: {\n components: createLogger(\"react:components\"),\n hooks: createLogger(\"react:hooks\"),\n context: createLogger(\"react:context\"),\n },\n // Shared utilities loggers\n services: {\n validation: createLogger(\"utils:validation\"),\n network: createLogger(\"utils:network\"),\n },\n} as const;\n","/* eslint-disable turbo/no-undeclared-env-vars */\nimport { NextConfig } from \"next\";\nimport { loggers } from \"@/lib/logger\";\nimport { withoutUndefined } from \"@/utils\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nexport interface CookieConfig {\n secure?: boolean;\n sameSite?: \"strict\" | \"lax\" | \"none\";\n domain?: string;\n path?: string;\n maxAge?: number;\n}\n\nexport type AuthConfigWithDefaults = {\n clientId: string;\n oauthServer: string;\n callbackUrl: string;\n loginUrl: string;\n logoutUrl: string;\n appUrl?: string;\n challengeUrl: string;\n include: string[];\n exclude: string[];\n cookies: {\n tokens: CookieConfig;\n user: CookieConfig;\n };\n};\n\nexport type AuthConfig = Partial<AuthConfigWithDefaults>;\n\nexport type DefinedAuthConfig = AuthConfigWithDefaults;\n\n/**\n * Default configuration values that will be used if not overridden\n */\nexport const defaultAuthConfig: Omit<AuthConfigWithDefaults, \"clientId\"> = {\n oauthServer: \"https://auth-dev.civic.com/oauth\",\n callbackUrl: \"/api/auth/callback\",\n challengeUrl: \"/api/auth/challenge\",\n logoutUrl: \"/api/auth/logout\",\n loginUrl: \"/\",\n include: [\"/*\"],\n exclude: [],\n cookies: {\n tokens: {\n sameSite: \"strict\",\n path: \"/\",\n maxAge: 60 * 60, // 1 hour\n },\n user: {\n sameSite: \"strict\",\n path: \"/\",\n maxAge: 60 * 60, // 1 hour\n },\n },\n};\n\n/**\n * Resolves the authentication configuration by combining:\n * 1. Default values\n * 2. Environment variables (set internally by the plugin)\n * 3. Explicitly passed configuration\n *\n * Note: Developers should not set _civic_auth_* environment variables directly.\n * Instead, pass configuration to the createCivicAuthPlugin in next.config.js:\n *\n * @example\n * ```js\n * // next.config.js\n * export default createCivicAuthPlugin({\n * callbackUrl: '/custom/callback',\n * })\n * ```\n */\nexport const resolveAuthConfig = (\n config: AuthConfig = {},\n): AuthConfigWithDefaults & { clientId: string } => {\n // Read configuration that was set by the plugin via environment variables\n const configFromEnv = withoutUndefined({\n clientId: process.env._civic_auth_client_id,\n oauthServer: process.env._civic_oauth_server,\n callbackUrl: process.env._civic_auth_callback_url,\n challengeUrl: process.env._civic_auth_challenge_url,\n loginUrl: process.env._civic_auth_login_url,\n appUrl: process.env._civic_auth_app_url,\n logoutUrl: process.env._civic_auth_logout_url,\n include: process.env._civic_auth_includes?.split(\",\"),\n exclude: process.env._civic_auth_excludes?.split(\",\"),\n cookies: process.env._civic_auth_cookie_config\n ? JSON.parse(process.env._civic_auth_cookie_config)\n : undefined,\n });\n\n const mergedConfig = {\n ...defaultAuthConfig,\n ...configFromEnv, // Apply plugin-set config\n ...config, // Override with directly passed config\n cookies: {\n tokens: {\n ...defaultAuthConfig.cookies.tokens,\n ...(config.cookies?.tokens || {}),\n },\n user: {\n ...defaultAuthConfig.cookies.user,\n ...(config.cookies?.user || {}),\n },\n },\n };\n\n logger.debug(\"Config from environment:\", configFromEnv);\n logger.debug(\"Resolved config:\", mergedConfig);\n if (mergedConfig.clientId === undefined) {\n throw new Error(\"Civic Auth client ID is required\");\n }\n return mergedConfig as AuthConfigWithDefaults & { clientId: string };\n};\n\n/**\n * Creates a Next.js plugin that handles auth configuration.\n *\n * This is the main configuration point for the auth system.\n * Do not set _civic_auth_* environment variables directly - instead,\n * pass your configuration here:\n *\n * @example\n * ```js\n * // next.config.js\n * export default createCivicAuthPlugin({\n * clientId: 'my-client-id',\n * callbackUrl: '/custom/callback',\n * loginUrl: '/custom/login',\n * logoutUrl: '/custom/logout',\n * include: ['/protected/*'],\n * exclude: ['/public/*']\n * })\n * ```\n *\n * The plugin sets internal environment variables that are used by\n * the auth system. These variables should not be set manually.\n */\nexport const createCivicAuthPlugin = (\n clientId: string,\n authConfig: AuthConfig = {},\n) => {\n return (nextConfig?: NextConfig) => {\n const resolvedConfig = resolveAuthConfig({ ...authConfig, clientId });\n return {\n ...nextConfig,\n env: {\n ...nextConfig?.env,\n // Internal environment variables - do not set these manually\n _civic_auth_client_id: clientId,\n _civic_oauth_server: resolvedConfig.oauthServer,\n _civic_auth_callback_url: resolvedConfig.callbackUrl,\n _civic_auth_challenge_url: resolvedConfig.challengeUrl,\n _civic_auth_login_url: resolvedConfig.loginUrl,\n _civic_auth_logout_url: resolvedConfig.logoutUrl,\n _civic_auth_app_url: resolvedConfig.appUrl,\n _civic_auth_includes: resolvedConfig.include.join(\",\"),\n _civic_auth_excludes: resolvedConfig.exclude.join(\",\"),\n _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies),\n },\n };\n };\n};\n","import { AuthConfigWithDefaults } from \"@/nextjs/config\";\n\nexport const resolveCallbackUrl = (\n config: AuthConfigWithDefaults,\n alternativeUrl?: string,\n): string => {\n const baseUrl = config.appUrl ?? alternativeUrl;\n const callbackUrl = new URL(config?.callbackUrl, baseUrl).toString();\n return callbackUrl.toString();\n};\n"]}
|
|
@@ -215,10 +215,15 @@ function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
|
|
|
215
215
|
import { parseJWT } from "oslo/jwt";
|
|
216
216
|
function getUser(storage) {
|
|
217
217
|
return __async(this, null, function* () {
|
|
218
|
-
var _a, _b;
|
|
218
|
+
var _a, _b, _c;
|
|
219
219
|
const tokens = retrieveTokens(storage);
|
|
220
220
|
if (!tokens) return null;
|
|
221
|
-
|
|
221
|
+
const user = (_b = (_a = parseJWT(tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
|
|
222
|
+
return __spreadProps(__spreadValues({}, user), {
|
|
223
|
+
idToken: tokens.id_token,
|
|
224
|
+
accessToken: tokens.access_token,
|
|
225
|
+
refreshToken: (_c = tokens.refresh_token) != null ? _c : ""
|
|
226
|
+
});
|
|
222
227
|
});
|
|
223
228
|
}
|
|
224
229
|
|
|
@@ -499,4 +504,4 @@ export {
|
|
|
499
504
|
BrowserAuthenticationService,
|
|
500
505
|
getUser
|
|
501
506
|
};
|
|
502
|
-
//# sourceMappingURL=chunk-
|
|
507
|
+
//# sourceMappingURL=chunk-KHGGUCM6.mjs.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/shared/types.ts","../src/shared/util.ts","../src/lib/oauth.ts","../src/utils.ts","../src/shared/UserSession.ts","../src/shared/session.ts","../src/constants.ts","../src/services/PKCE.ts","../src/browser/storage.ts","../src/services/AuthenticationService.ts","../src/lib/windowUtil.ts"],"sourcesContent":["export enum OAuthTokens {\n ID_TOKEN = \"id_token\",\n ACCESS_TOKEN = \"access_token\",\n REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum UserStorage {\n USER = \"user\",\n}\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n AuthStorage,\n Endpoints,\n JWTPayload,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport { OAuthTokens } from \"./types\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"./UserSession\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n) {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n const challenge = await config.pkceConsumer.getCodeChallenge();\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n console.log(\"Generated OAuth URL\", oAuthUrl.toString());\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n // TODO\n return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer,\n oauth2Client: OAuth2Client,\n oauthServer: string,\n endpoints: Endpoints,\n) {\n const codeVerifier = await pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n const tokens =\n await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n codeVerifier,\n });\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n\n return tokens;\n}\n\nexport function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n if (tokens.refresh_token)\n storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n Object.values(OAuthTokens).forEach((cookie) => {\n storage.set(cookie, \"\");\n });\n}\nexport function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n userSession.set(null);\n}\n\nexport function retrieveTokens(\n storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n const idToken = storage.get(OAuthTokens.ID_TOKEN);\n const accessToken = storage.get(OAuthTokens.ACCESS_TOKEN);\n const refreshToken = storage.get(OAuthTokens.REFRESH_TOKEN);\n\n if (!idToken || !accessToken) return null;\n\n return {\n id_token: idToken,\n access_token: accessToken,\n refresh_token: refreshToken ?? undefined,\n };\n}\n\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n endpoints: Endpoints,\n oauth2Client: OAuth2Client,\n issuer: string,\n): Promise<ParsedTokens> {\n const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n // validate the ID token\n const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.id_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n audience: oauth2Client.clientId,\n },\n );\n\n // validate the access token\n const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.access_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n },\n );\n\n return withoutUndefined({\n id_token: idTokenResponse.payload,\n access_token: accessTokenResponse.payload,\n refresh_token: tokens.refresh_token,\n });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n const issuerWithoutSlash = issuer.endsWith(\"/\")\n ? issuer.slice(0, issuer.length - 1)\n : issuer;\n\n const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n const openIdConfigResponse = await fetch(\n `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n );\n const openIdConfig =\n (await openIdConfigResponse.json()) as OpenIdConfiguration;\n return {\n jwks: openIdConfig.jwks_uri,\n auth: openIdConfig.authorization_endpoint,\n token: openIdConfig.token_endpoint,\n userinfo: openIdConfig.userinfo_endpoint,\n };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n const jsonString = JSON.stringify({\n uuid: uuid(),\n displayMode,\n });\n return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n state: string,\n sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n try {\n const jsonString = atob(state);\n return JSON.parse(jsonString).displayMode;\n } catch (e) {\n console.error(\"Failed to parse displayMode from state:\", state);\n return sessionDisplayMode;\n }\n};\n\nexport {\n getIssuerVariations,\n getOauthEndpoints,\n displayModeFromState,\n generateState,\n};\n","import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n // First we try to open a small popup window. It either returns a window object or null.\n const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n // If window.open() returns null, popup is definitely blocked\n if (!popup) {\n return true;\n }\n\n try {\n // Try to access a property of the popup to check if it's usable\n if (typeof popup.closed === \"undefined\") {\n throw new Error(\"Popup is blocked\");\n }\n } catch {\n // Accessing the popup's properties throws an error if the popup is blocked\n return true;\n }\n\n // Close the popup immediately if it was opened\n popup.close();\n return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n obj: T,\n): WithoutUndefined<T> => {\n const result = {} as WithoutUndefined<T>;\n\n for (const key in obj) {\n if (obj[key] !== undefined) {\n // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n // We use type assertion here\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n (result as any)[key] = obj[key];\n }\n }\n\n return result;\n};\n\nexport { cn, isPopupBlocked };\n","import { AuthStorage, Tokens, User } from \"@/types\";\nimport { UserStorage } from \"./types\";\n\nexport interface UserSession {\n get(): User | null;\n set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n constructor(readonly storage: AuthStorage) {}\n\n get(): User | null {\n const user = this.storage.get(UserStorage.USER);\n return user ? JSON.parse(user) : null;\n }\n\n set(user: User<Tokens> | null): void {\n const value = user ? JSON.stringify(user) : \"\";\n this.storage.set(UserStorage.USER, value);\n }\n}\n","import { retrieveTokens } from \"@/shared/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport { AuthStorage, Tokens, User } from \"@/types.js\";\n\n// eslint-disable-next-line @typescript-eslint/no-empty-object-type\nexport async function getUser(\n storage: AuthStorage,\n): Promise<User<Tokens> | null> {\n const tokens = retrieveTokens(storage);\n if (!tokens) return null;\n\n // Assumes all information is in the ID token\n // include the tokens and the user object\n const user = (parseJWT(tokens.id_token)?.payload as User) ?? null;\n return {\n ...user!,\n idToken: tokens.id_token,\n accessToken: tokens.access_token,\n refreshToken: tokens.refresh_token ?? \"\",\n };\n}\n","const DEFAULT_SCOPES = [\n \"openid\",\n \"profile\",\n \"email\",\n \"forwardedTokens\",\n \"offline_access\",\n];\nconst IFRAME_ID = \"civic-auth-iframe\";\n\nconst AUTH_SERVER = \"https://auth-dev.civic.com/oauth\";\n\nconst DEFAULT_OAUTH_GET_PARAMS = [\"code\", \"state\", \"iss\"];\n\nexport { DEFAULT_SCOPES, DEFAULT_OAUTH_GET_PARAMS, IFRAME_ID, AUTH_SERVER };\n","import { deriveCodeChallenge } from \"@/shared/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.ts\";\nimport { AuthStorage } from \"@/types\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n constructor(private pkceChallengeEndpoint: string) {}\n async getCodeChallenge(): Promise<string> {\n const response = await fetch(this.pkceChallengeEndpoint);\n const data = (await response.json()) as { challenge: string };\n return data.challenge;\n }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n constructor(private storage: AuthStorage) {}\n\n // if there is already a verifier, return it,\n // If not, create a new one and store it\n async getCodeChallenge(): Promise<string> {\n // let verifier = await this.getCodeVerifier();\n // if (!verifier) {\n const verifier = generateCodeVerifier();\n this.storage.set(\"code_verifier\", verifier);\n // }\n return deriveCodeChallenge(verifier);\n }\n // if there is already a verifier, return it,\n async getCodeVerifier(): Promise<string | null> {\n return this.storage.get(\"code_verifier\");\n }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n constructor() {\n super(new LocalStorageAdapter());\n }\n}\n","import { AuthStorage } from \"@/types\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n get(key: string): string {\n return localStorage.getItem(key) || \"\";\n }\n\n set(key: string, value: string): void {\n localStorage.setItem(key, value);\n }\n}\n","// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport {\n DisplayMode,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n clearTokens,\n clearUser,\n exchangeTokens,\n generateOauthLoginUrl,\n generateOauthLogoutUrl,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n validateOauth2Tokens,\n} from \"@/shared/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport {\n AuthenticationInitiator,\n AuthenticationResolver,\n PKCEConsumer,\n} from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n * ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n * ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n displayMode: DisplayMode;\n oauthServer: string;\n // the endpoints to use for the login (if not obtained from the auth server\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n // the nonce to use for the login\n nonce?: string;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and then use the display mode to decide how to send the user there\n async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n const url = await generateOauthLoginUrl(this.config);\n\n if (this.config.displayMode === \"iframe\") {\n if (!iframeRef)\n throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n iframeRef.setAttribute(\"src\", url.toString());\n }\n if (this.config.displayMode === \"redirect\") {\n window.location.href = url.toString();\n }\n if (this.config.displayMode === \"new_tab\") {\n window.open(url.toString(), \"_blank\");\n }\n return url;\n }\n\n async signOut(): Promise<URL> {\n const localStorage = new LocalStorageAdapter();\n clearTokens(localStorage);\n clearUser(localStorage);\n // TODO open the iframe or new tab etc: the logout URL is not currently\n // supported by on the oauth, so just clear state until then\n const url = await generateOauthLogoutUrl(this.config);\n return url;\n }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n oauthServer: string;\n nonce?: string;\n // the endpoints to use for the login (if not obtained from the auth server)\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and simply return the url\n async signIn(): Promise<URL> {\n return generateOauthLoginUrl(this.config);\n }\n\n async signOut(): Promise<URL> {\n return generateOauthLogoutUrl(this.config);\n }\n}\n\ntype BrowserAuthenticationConfig = {\n clientId: string;\n redirectUrl: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n // TODO WIP - perhaps we want to keep resolver and initiator separate here\n constructor(\n config: BrowserAuthenticationConfig,\n // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n ) {\n super({\n ...config,\n state: generateState(config.displayMode),\n // Store and retrieve the PKCE challenge in local storage\n pkceConsumer: pkceProducer,\n });\n }\n\n // TODO too much code duplication here between the browser and the server variant.\n // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n // function for generating an oauth2client from it\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.config.oauthServer,\n this.config.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.config.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.config.redirectUrl,\n },\n );\n\n return this;\n }\n\n // Two responsibilities:\n // 1. resolve the auth code to get the tokens (should use library code)\n // 2. store the tokens in local storage\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.config.oauthServer,\n this.endpoints!, // clean up types here to avoid the ! operator\n );\n\n storeTokens(new LocalStorageAdapter(), tokens);\n\n // cleanup the browser window if needed\n const parsedDisplayMode = displayModeFromState(\n state,\n this.config.displayMode,\n );\n\n if (parsedDisplayMode === \"new_tab\") {\n // Close the popup window\n window.close();\n } else if (parsedDisplayMode === \"redirect\") {\n // these are the default oAuth params that get added to the URL which we want to remove\n removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n }\n return tokens;\n }\n\n // Get the session data from local storage\n async getSessionData(): Promise<SessionData | null> {\n const storageData = retrieveTokens(new LocalStorageAdapter());\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n };\n }\n\n async validateExistingSession(): Promise<SessionData> {\n try {\n const sessionData = await this.getSessionData();\n if (!sessionData?.idToken || !sessionData.accessToken) {\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n if (!this.endpoints || !this.oauth2client) await this.init();\n\n // this function will throw if any of the tokens are invalid\n await validateOauth2Tokens(\n {\n access_token: sessionData.accessToken,\n id_token: sessionData.idToken,\n refresh_token: sessionData.refreshToken,\n },\n this.endpoints!,\n this.oauth2client!,\n this.config.oauthServer,\n );\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n }\n\n static async build(\n config: BrowserAuthenticationConfig,\n ): Promise<AuthenticationResolver> {\n const resolver = new BrowserAuthenticationService(config);\n await resolver.init();\n\n return resolver;\n }\n}\n","const isWindowInIframe = (window: Window): boolean => {\n if (typeof window !== \"undefined\") {\n // use the window width to determine if we're in an iframe or not\n try {\n if (window?.frameElement?.id === \"civic-auth-iframe\") {\n return true;\n }\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n } catch (_e) {\n // If we get an error, we're not in an iframe\n return false;\n }\n }\n return false;\n};\n\nconst removeParamsWithoutReload = (paramsToRemove: string[]) => {\n const url = new URL(window.location.href);\n paramsToRemove.forEach((param: string) => {\n url.searchParams.delete(param);\n });\n window.history.replaceState({}, \"\", url);\n};\n\nexport { isWindowInIframe, removeParamsWithoutReload };\n"],"mappings":";;;;;;;AAAO,IAAK,cAAL,kBAAKA,iBAAL;AACL,EAAAA,aAAA,cAAW;AACX,EAAAA,aAAA,kBAAe;AACf,EAAAA,aAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;;;ACWZ,SAAS,oBAAoB;;;ACV7B,SAAS,MAAM,YAAY;AAE3B,IAAM,sBAAsB,CAAC,WAA6B;AACxD,QAAM,qBAAqB,OAAO,SAAS,GAAG,IAC1C,OAAO,MAAM,GAAG,OAAO,SAAS,CAAC,IACjC;AAEJ,QAAM,kBAAkB,GAAG,kBAAkB;AAE7C,SAAO,CAAC,oBAAoB,eAAe;AAC7C;AAEA,IAAM,mBAAmB,CAAC,QACxB,IAAI,SAAS,GAAG,IAAI,MAAM,GAAG,GAAG;AAElC,IAAM,oBAAoB,CAAO,gBAA4C;AAC3E,QAAM,uBAAuB,MAAM;AAAA,IACjC,GAAG,iBAAiB,WAAW,CAAC;AAAA,EAClC;AACA,QAAM,eACH,MAAM,qBAAqB,KAAK;AACnC,SAAO;AAAA,IACL,MAAM,aAAa;AAAA,IACnB,MAAM,aAAa;AAAA,IACnB,OAAO,aAAa;AAAA,IACpB,UAAU,aAAa;AAAA,EACzB;AACF;AAOA,IAAM,gBAAgB,CAAC,gBAAqC;AAC1D,QAAM,aAAa,KAAK,UAAU;AAAA,IAChC,MAAM,KAAK;AAAA,IACX;AAAA,EACF,CAAC;AACD,SAAO,KAAK,UAAU;AACxB;AAQA,IAAM,uBAAuB,CAC3B,OACA,uBAC4B;AAC5B,MAAI;AACF,UAAM,aAAa,KAAK,KAAK;AAC7B,WAAO,KAAK,MAAM,UAAU,EAAE;AAAA,EAChC,SAAS,GAAG;AACV,YAAQ,MAAM,2CAA2C,KAAK;AAC9D,WAAO;AAAA,EACT;AACF;;;AD/CA,YAAY,UAAU;;;AEbtB,SAAS,YAA6B;AACtC,SAAS,eAAe;AAkCxB,IAAM,KAAK,IAAI,WAAyB;AACtC,SAAO,QAAQ,KAAK,MAAM,CAAC;AAC7B;AAUO,IAAM,mBAAmB,CAC9B,QACwB;AACxB,QAAM,SAAS,CAAC;AAEhB,aAAW,OAAO,KAAK;AACrB,QAAI,IAAI,GAAG,MAAM,QAAW;AAI1B,MAAC,OAAe,GAAG,IAAI,IAAI,GAAG;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AACT;;;ACtDO,IAAM,qBAAN,MAAgD;AAAA,EACrD,YAAqB,SAAsB;AAAtB;AAAA,EAAuB;AAAA,EAE5C,MAAmB;AACjB,UAAM,OAAO,KAAK,QAAQ,qBAAoB;AAC9C,WAAO,OAAO,KAAK,MAAM,IAAI,IAAI;AAAA,EACnC;AAAA,EAEA,IAAI,MAAiC;AACnC,UAAM,QAAQ,OAAO,KAAK,UAAU,IAAI,IAAI;AAC5C,SAAK,QAAQ,uBAAsB,KAAK;AAAA,EAC1C;AACF;;;AHCA,SAAsB,oBACpB,cACA,SAA2B,QACV;AAAA;AACjB,QAAI,WAAW,SAAS;AACtB,cAAQ,KAAK,4CAA4C;AACzD,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,OAAO,QAAQ,OAAO,YAAY;AACxC,UAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,WAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,MAAM,CAAC,CAAC,EACvD,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AAAA,EACtB;AAAA;AAEA,SAAsB,0BACpB,IAEA;AAAA,6CAFA,aACA,oBAAwC,CAAC,GACzC;AACA,UAAM,YAAY,MAAM,kBAAkB,WAAW;AACrD,WAAO,kCACF,YACA;AAAA,EAEP;AAAA;AAEA,SAAsB,sBAAsB,QAU3B;AAAA;AACf,UAAM,YAAY,MAAM;AAAA,MACtB,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,UAAM,eAAe;AAAA,MACnB,OAAO;AAAA,MACP,OAAO;AAAA,MACP;AAAA,IACF;AACA,UAAM,YAAY,MAAM,OAAO,aAAa,iBAAiB;AAC7D,UAAM,WAAW,MAAM,aAAa,uBAAuB;AAAA,MACzD,OAAO,OAAO;AAAA,MACd,QAAQ,OAAO;AAAA,IACjB,CAAC;AAGD,aAAS,aAAa,OAAO,kBAAkB,SAAS;AACxD,aAAS,aAAa,OAAO,yBAAyB,MAAM;AAC5D,QAAI,OAAO,OAAO;AAEhB,eAAS,aAAa,OAAO,SAAS,OAAO,KAAK;AAAA,IACpD;AAEA,aAAS,aAAa,OAAO,UAAU,SAAS;AAEhD,YAAQ,IAAI,uBAAuB,SAAS,SAAS,CAAC;AACtD,WAAO;AAAA,EACT;AAAA;AAEA,SAAsB,uBAAuB,QAO5B;AAAA;AAEf,WAAO,IAAI,IAAI,kBAAkB;AAAA,EACnC;AAAA;AAEO,SAAS,kBACd,UACA,aACA,WACc;AACd,SAAO,IAAI,aAAa,UAAU,UAAU,MAAM,UAAU,OAAO;AAAA,IACjE,aAAa;AAAA,EACf,CAAC;AACH;AAEA,SAAsB,eACpB,MACA,OACA,cACA,cACA,aACA,WACA;AAAA;AACA,UAAM,eAAe,MAAM,aAAa,gBAAgB;AACxD,QAAI,CAAC,aAAc,OAAM,IAAI,MAAM,kCAAkC;AAErE,UAAM,SACJ,MAAM,aAAa,0BAAiD,MAAM;AAAA,MACxE;AAAA,IACF,CAAC;AAGH,QAAI;AACF,YAAM,qBAAqB,QAAQ,WAAW,cAAc,WAAW;AAAA,IACzE,SAAS,OAAO;AACd,cAAQ,MAAM,uBAAuB,EAAE,OAAO,OAAO,CAAC;AACtD,YAAM,IAAI;AAAA,QACR,kCAAmC,MAAgB,OAAO;AAAA,MAC5D;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAEO,SAAS,YACd,SACA,QACA;AAEA,UAAQ,+BAA0B,OAAO,QAAQ;AACjD,UAAQ,uCAA8B,OAAO,YAAY;AACzD,MAAI,OAAO;AACT,YAAQ,yCAA+B,OAAO,aAAa;AAC/D;AAEO,SAAS,YAAY,SAAsB;AAChD,SAAO,OAAO,WAAW,EAAE,QAAQ,CAAC,WAAW;AAC7C,YAAQ,IAAI,QAAQ,EAAE;AAAA,EACxB,CAAC;AACH;AACO,SAAS,UAAU,SAAsB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,OAAO;AAClD,cAAY,IAAI,IAAI;AACtB;AAEO,SAAS,eACd,SAC8B;AAC9B,QAAM,UAAU,QAAQ,6BAAwB;AAChD,QAAM,cAAc,QAAQ,qCAA4B;AACxD,QAAM,eAAe,QAAQ,uCAA6B;AAE1D,MAAI,CAAC,WAAW,CAAC,YAAa,QAAO;AAErC,SAAO;AAAA,IACL,UAAU;AAAA,IACV,cAAc;AAAA,IACd,eAAe,sCAAgB;AAAA,EACjC;AACF;AAEA,SAAsB,qBACpB,QACA,WACA,cACA,QACuB;AAAA;AACvB,UAAM,OAAY,wBAAmB,IAAI,IAAI,UAAU,IAAI,CAAC;AAG5D,UAAM,kBAAkB,MAAW;AAAA,MACjC,OAAO;AAAA,MACP;AAAA,MACA;AAAA,QACE,QAAQ,oBAAoB,MAAM;AAAA,QAClC,UAAU,aAAa;AAAA,MACzB;AAAA,IACF;AAGA,UAAM,sBAAsB,MAAW;AAAA,MACrC,OAAO;AAAA,MACP;AAAA,MACA;AAAA,QACE,QAAQ,oBAAoB,MAAM;AAAA,MACpC;AAAA,IACF;AAEA,WAAO,iBAAiB;AAAA,MACtB,UAAU,gBAAgB;AAAA,MAC1B,cAAc,oBAAoB;AAAA,MAClC,eAAe,OAAO;AAAA,IACxB,CAAC;AAAA,EACH;AAAA;;;AIjNA,SAAS,gBAAgB;AAIzB,SAAsB,QACpB,SAC8B;AAAA;AAPhC;AAQE,UAAM,SAAS,eAAe,OAAO;AACrC,QAAI,CAAC,OAAQ,QAAO;AAIpB,UAAM,QAAQ,oBAAS,OAAO,QAAQ,MAAxB,mBAA2B,YAA3B,YAA+C;AAC7D,WAAO,iCACF,OADE;AAAA,MAEL,SAAS,OAAO;AAAA,MAChB,aAAa,OAAO;AAAA,MACpB,eAAc,YAAO,kBAAP,YAAwB;AAAA,IACxC;AAAA,EACF;AAAA;;;ACpBA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACA,IAAM,YAAY;AAElB,IAAM,cAAc;AAEpB,IAAM,2BAA2B,CAAC,QAAQ,SAAS,KAAK;;;ACVxD,SAAS,4BAA4B;;;ACC9B,IAAM,sBAAN,MAAiD;AAAA,EACtD,IAAI,KAAqB;AACvB,WAAO,aAAa,QAAQ,GAAG,KAAK;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,iBAAa,QAAQ,KAAK,KAAK;AAAA,EACjC;AACF;;;ADHO,IAAM,iCAAN,MAA6D;AAAA,EAClE,YAAoB,uBAA+B;AAA/B;AAAA,EAAgC;AAAA,EAC9C,mBAAoC;AAAA;AACxC,YAAM,WAAW,MAAM,MAAM,KAAK,qBAAqB;AACvD,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO,KAAK;AAAA,IACd;AAAA;AACF;AAGO,IAAM,kCAAN,MAA8D;AAAA,EACnE,YAAoB,SAAsB;AAAtB;AAAA,EAAuB;AAAA;AAAA;AAAA,EAIrC,mBAAoC;AAAA;AAGxC,YAAM,WAAW,qBAAqB;AACtC,WAAK,QAAQ,IAAI,iBAAiB,QAAQ;AAE1C,aAAO,oBAAoB,QAAQ;AAAA,IACrC;AAAA;AAAA;AAAA,EAEM,kBAA0C;AAAA;AAC9C,aAAO,KAAK,QAAQ,IAAI,eAAe;AAAA,IACzC;AAAA;AACF;AAGO,IAAM,kCAAN,cAA8C,gCAAgC;AAAA,EACnF,cAAc;AACZ,UAAM,IAAI,oBAAoB,CAAC;AAAA,EACjC;AACF;;;AEpBA,SAAS,gBAAAC,qBAAoB;;;ACrB7B,IAAM,mBAAmB,CAACC,YAA4B;AAAtD;AACE,MAAI,OAAOA,YAAW,aAAa;AAEjC,QAAI;AACF,YAAI,KAAAA,WAAA,gBAAAA,QAAQ,iBAAR,mBAAsB,QAAO,qBAAqB;AACpD,eAAO;AAAA,MACT;AAAA,IAEF,SAAS,IAAI;AAEX,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAM,4BAA4B,CAAC,mBAA6B;AAC9D,QAAM,MAAM,IAAI,IAAI,OAAO,SAAS,IAAI;AACxC,iBAAe,QAAQ,CAAC,UAAkB;AACxC,QAAI,aAAa,OAAO,KAAK;AAAA,EAC/B,CAAC;AACD,SAAO,QAAQ,aAAa,CAAC,GAAG,IAAI,GAAG;AACzC;;;AD8BO,IAAM,iCAAN,MAAwE;AAAA,EAiB7E,YAAY,QAA4B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA,EAGM,OAAO,WAAmD;AAAA;AAC9D,YAAM,MAAM,MAAM,sBAAsB,KAAK,MAAM;AAEnD,UAAI,KAAK,OAAO,gBAAgB,UAAU;AACxC,YAAI,CAAC;AACH,gBAAM,IAAI,MAAM,gDAAgD;AAClE,kBAAU,aAAa,OAAO,IAAI,SAAS,CAAC;AAAA,MAC9C;AACA,UAAI,KAAK,OAAO,gBAAgB,YAAY;AAC1C,eAAO,SAAS,OAAO,IAAI,SAAS;AAAA,MACtC;AACA,UAAI,KAAK,OAAO,gBAAgB,WAAW;AACzC,eAAO,KAAK,IAAI,SAAS,GAAG,QAAQ;AAAA,MACtC;AACA,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,UAAwB;AAAA;AAC5B,YAAMC,gBAAe,IAAI,oBAAoB;AAC7C,kBAAYA,aAAY;AACxB,gBAAUA,aAAY;AAGtB,YAAM,MAAM,MAAM,uBAAuB,KAAK,MAAM;AACpD,aAAO;AAAA,IACT;AAAA;AACF;AAMO,IAAM,iCAAN,MAAwE;AAAA,EAc7E,YAAY,QAA4B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA,EAIM,SAAuB;AAAA;AAC3B,aAAO,sBAAsB,KAAK,MAAM;AAAA,IAC1C;AAAA;AAAA,EAEM,UAAwB;AAAA;AAC5B,aAAO,uBAAuB,KAAK,MAAM;AAAA,IAC3C;AAAA;AACF;AAeO,IAAM,+BAAN,MAAM,sCAAqC,+BAA+B;AAAA;AAAA,EAK/E,YACE,QAEU,eAAe,IAAI,gCAAgC,GAC7D;AACA,UAAM,iCACD,SADC;AAAA,MAEJ,OAAO,cAAc,OAAO,WAAW;AAAA;AAAA,MAEvC,cAAc;AAAA,IAChB,EAAC;AAPS;AAAA,EAQZ;AAAA;AAAA;AAAA;AAAA,EAKM,OAAsB;AAAA;AAE1B,WAAK,YAAY,MAAM;AAAA,QACrB,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,MACd;AACA,WAAK,eAAe,IAAIC;AAAA,QACtB,KAAK,OAAO;AAAA,QACZ,KAAK,UAAU;AAAA,QACf,KAAK,UAAU;AAAA,QACf;AAAA,UACE,aAAa,KAAK,OAAO;AAAA,QAC3B;AAAA,MACF;AAEA,aAAO;AAAA,IACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAKM,cACJ,MACA,OACgC;AAAA;AAChC,UAAI,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AACxC,YAAM,eAAe,MAAM,KAAK,aAAa,gBAAgB;AAC7D,UAAI,CAAC,aAAc,OAAM,IAAI,MAAM,oCAAoC;AAGvE,YAAM,SAAS,MAAM;AAAA,QACnB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA;AAAA,QACL,KAAK,OAAO;AAAA,QACZ,KAAK;AAAA;AAAA,MACP;AAEA,kBAAY,IAAI,oBAAoB,GAAG,MAAM;AAG7C,YAAM,oBAAoB;AAAA,QACxB;AAAA,QACA,KAAK,OAAO;AAAA,MACd;AAEA,UAAI,sBAAsB,WAAW;AAEnC,eAAO,MAAM;AAAA,MACf,WAAW,sBAAsB,YAAY;AAE3C,kCAA0B,wBAAwB;AAAA,MACpD;AACA,aAAO;AAAA,IACT;AAAA;AAAA;AAAA,EAGM,iBAA8C;AAAA;AAClD,YAAM,cAAc,eAAe,IAAI,oBAAoB,CAAC;AAE5D,UAAI,CAAC,YAAa,QAAO;AAEzB,aAAO;AAAA,QACL,eAAe,CAAC,CAAC,YAAY;AAAA,QAC7B,SAAS,YAAY;AAAA,QACrB,aAAa,YAAY;AAAA,QACzB,cAAc,YAAY;AAAA,MAC5B;AAAA,IACF;AAAA;AAAA,EAEM,0BAAgD;AAAA;AACpD,UAAI;AACF,cAAM,cAAc,MAAM,KAAK,eAAe;AAC9C,YAAI,EAAC,2CAAa,YAAW,CAAC,YAAY,aAAa;AACrD,gBAAM,yBAAyB,iCAAK,cAAL,EAAkB,eAAe,MAAM;AACtE,sBAAY,IAAI,oBAAoB,CAAC;AACrC,iBAAO;AAAA,QACT;AACA,YAAI,CAAC,KAAK,aAAa,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AAG3D,cAAM;AAAA,UACJ;AAAA,YACE,cAAc,YAAY;AAAA,YAC1B,UAAU,YAAY;AAAA,YACtB,eAAe,YAAY;AAAA,UAC7B;AAAA,UACA,KAAK;AAAA,UACL,KAAK;AAAA,UACL,KAAK,OAAO;AAAA,QACd;AACA,eAAO;AAAA,MACT,SAAS,OAAO;AACd,gBAAQ,KAAK,sCAAsC,KAAK;AACxD,cAAM,yBAAyB;AAAA,UAC7B,eAAe;AAAA,QACjB;AACA,oBAAY,IAAI,oBAAoB,CAAC;AACrC,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AAAA,EAEA,OAAa,MACX,QACiC;AAAA;AACjC,YAAM,WAAW,IAAI,8BAA6B,MAAM;AACxD,YAAM,SAAS,KAAK;AAEpB,aAAO;AAAA,IACT;AAAA;AACF;","names":["OAuthTokens","OAuth2Client","window","localStorage","OAuth2Client"]}
|
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|
|
|
8
8
|
|
|
9
9
|
|
|
10
|
-
var
|
|
10
|
+
var _chunk2SAT3UFJjs = require('./chunk-2SAT3UFJ.js');
|
|
11
11
|
|
|
12
12
|
|
|
13
13
|
|
|
@@ -38,14 +38,14 @@ var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
|
|
|
38
38
|
this.authConfig = authConfig;
|
|
39
39
|
this.storage = storage;
|
|
40
40
|
this.endpointOverrides = endpointOverrides;
|
|
41
|
-
this.pkceProducer = new (0,
|
|
41
|
+
this.pkceProducer = new (0, _chunk2SAT3UFJjs.GenericPublicClientPKCEProducer)(storage);
|
|
42
42
|
}
|
|
43
43
|
validateExistingSession() {
|
|
44
44
|
throw new Error("Method not implemented.");
|
|
45
45
|
}
|
|
46
46
|
init() {
|
|
47
47
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
48
|
-
this.endpoints = yield
|
|
48
|
+
this.endpoints = yield _chunk2SAT3UFJjs.getEndpointsWithOverrides.call(void 0,
|
|
49
49
|
this.authConfig.oauthServer,
|
|
50
50
|
this.endpointOverrides
|
|
51
51
|
);
|
|
@@ -65,7 +65,7 @@ var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
|
|
|
65
65
|
if (!this.oauth2client) yield this.init();
|
|
66
66
|
const codeVerifier = yield this.pkceProducer.getCodeVerifier();
|
|
67
67
|
if (!codeVerifier) throw new Error("Code verifier not found in storage");
|
|
68
|
-
const tokens = yield
|
|
68
|
+
const tokens = yield _chunk2SAT3UFJjs.exchangeTokens.call(void 0,
|
|
69
69
|
code,
|
|
70
70
|
state,
|
|
71
71
|
this.pkceProducer,
|
|
@@ -75,13 +75,13 @@ var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
|
|
|
75
75
|
this.endpoints
|
|
76
76
|
// clean up types here to avoid the ! operator
|
|
77
77
|
);
|
|
78
|
-
|
|
78
|
+
_chunk2SAT3UFJjs.storeTokens.call(void 0, this.storage, tokens);
|
|
79
79
|
return tokens;
|
|
80
80
|
});
|
|
81
81
|
}
|
|
82
82
|
getSessionData() {
|
|
83
83
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
84
|
-
const storageData =
|
|
84
|
+
const storageData = _chunk2SAT3UFJjs.retrieveTokens.call(void 0, this.storage);
|
|
85
85
|
if (!storageData) return null;
|
|
86
86
|
return {
|
|
87
87
|
authenticated: !!storageData.id_token,
|
|
@@ -110,7 +110,7 @@ function resolveOAuthAccessCode(code, state, storage, config) {
|
|
|
110
110
|
var _a;
|
|
111
111
|
const authSessionService = yield ServerAuthenticationResolver.build(
|
|
112
112
|
_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
|
|
113
|
-
oauthServer: (_a = config.oauthServer) != null ? _a :
|
|
113
|
+
oauthServer: (_a = config.oauthServer) != null ? _a : _chunk2SAT3UFJjs.AUTH_SERVER
|
|
114
114
|
}),
|
|
115
115
|
storage,
|
|
116
116
|
config.endpointOverrides
|
|
@@ -125,12 +125,12 @@ function buildLoginUrl(config, storage) {
|
|
|
125
125
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
126
126
|
var _a, _b, _c;
|
|
127
127
|
const state = (_a = config.state) != null ? _a : Math.random().toString(36).substring(2);
|
|
128
|
-
const scopes = (_b = config.scopes) != null ? _b :
|
|
129
|
-
const pkceProducer = new (0,
|
|
130
|
-
const authInitiator = new (0,
|
|
128
|
+
const scopes = (_b = config.scopes) != null ? _b : _chunk2SAT3UFJjs.DEFAULT_SCOPES;
|
|
129
|
+
const pkceProducer = new (0, _chunk2SAT3UFJjs.GenericPublicClientPKCEProducer)(storage);
|
|
130
|
+
const authInitiator = new (0, _chunk2SAT3UFJjs.GenericAuthenticationInitiator)(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
|
|
131
131
|
state,
|
|
132
132
|
scopes,
|
|
133
|
-
oauthServer: (_c = config.oauthServer) != null ? _c :
|
|
133
|
+
oauthServer: (_c = config.oauthServer) != null ? _c : _chunk2SAT3UFJjs.AUTH_SERVER,
|
|
134
134
|
// When retrieving the PKCE challenge on the server-side, we produce it and store it in the session
|
|
135
135
|
pkceConsumer: pkceProducer
|
|
136
136
|
}));
|
|
@@ -148,7 +148,7 @@ var GenericAuthenticationRefresher = class _GenericAuthenticationRefresher {
|
|
|
148
148
|
}
|
|
149
149
|
init() {
|
|
150
150
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
151
|
-
this.endpoints = yield
|
|
151
|
+
this.endpoints = yield _chunk2SAT3UFJjs.getEndpointsWithOverrides.call(void 0,
|
|
152
152
|
this.authConfig.oauthServer,
|
|
153
153
|
this.endpointOverrides
|
|
154
154
|
);
|
|
@@ -177,13 +177,13 @@ var GenericAuthenticationRefresher = class _GenericAuthenticationRefresher {
|
|
|
177
177
|
refreshTokens() {
|
|
178
178
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
179
179
|
if (!this.oauth2client) yield this.init();
|
|
180
|
-
const tokens =
|
|
180
|
+
const tokens = _chunk2SAT3UFJjs.retrieveTokens.call(void 0, this.storage);
|
|
181
181
|
if (!(tokens == null ? void 0 : tokens.refresh_token)) throw new Error("No refresh token available");
|
|
182
182
|
const oauth2Client = this.oauth2client;
|
|
183
183
|
const refreshedTokens = yield oauth2Client.refreshAccessToken(
|
|
184
184
|
tokens.refresh_token
|
|
185
185
|
);
|
|
186
|
-
|
|
186
|
+
_chunk2SAT3UFJjs.storeTokens.call(void 0, this.storage, refreshedTokens);
|
|
187
187
|
return tokens;
|
|
188
188
|
});
|
|
189
189
|
}
|
|
@@ -195,7 +195,7 @@ function refreshTokens(storage, config) {
|
|
|
195
195
|
var _a;
|
|
196
196
|
const refresher = yield GenericAuthenticationRefresher.build(
|
|
197
197
|
_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
|
|
198
|
-
oauthServer: (_a = config.oauthServer) != null ? _a :
|
|
198
|
+
oauthServer: (_a = config.oauthServer) != null ? _a : _chunk2SAT3UFJjs.AUTH_SERVER
|
|
199
199
|
}),
|
|
200
200
|
storage,
|
|
201
201
|
config.endpointOverrides
|
|
@@ -211,4 +211,4 @@ function refreshTokens(storage, config) {
|
|
|
211
211
|
|
|
212
212
|
|
|
213
213
|
exports.CookieStorage = CookieStorage; exports.resolveOAuthAccessCode = resolveOAuthAccessCode; exports.isLoggedIn = isLoggedIn; exports.buildLoginUrl = buildLoginUrl; exports.refreshTokens = refreshTokens;
|
|
214
|
-
//# sourceMappingURL=chunk-
|
|
214
|
+
//# sourceMappingURL=chunk-ZXULHA47.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-KCSGIIPA.js","../src/shared/storage.ts","../src/server/ServerAuthenticationResolver.ts","../src/server/login.ts","../src/shared/GenericAuthenticationRefresher.ts","../src/server/refresh.ts"],"names":["OAuth2Client"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACIO,IAAM,wBAAA,EAA0B,GAAA,EAAK,EAAA;AAErC,IAAe,cAAA,EAAf,MAAoD;AAAA,EAE/C,WAAA,CAAY,SAAA,EAA2C,CAAC,CAAA,EAAG;AAxBvE,IAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA;AAyBI,IAAA,IAAA,CAAK,SAAA,EAAW;AAAA,MACd,QAAA,EAAA,CAAU,GAAA,EAAA,QAAA,CAAS,QAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAqB,IAAA;AAAA,MAC/B,MAAA,EAAA,CAAQ,GAAA,EAAA,QAAA,CAAS,MAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAmB,IAAA;AAAA;AAAA;AAAA,MAG3B,QAAA,EAAA,CAAU,GAAA,EAAA,QAAA,CAAS,QAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAqB,KAAA;AAAA,MAC/B,OAAA,EAAA,CACE,GAAA,EAAA,QAAA,CAAS,OAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EACA,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,CAAI,EAAA,EAAI,IAAA,EAAO,uBAAuB,CAAA;AAAA,MACtD,IAAA,EAAA,CAAM,GAAA,EAAA,QAAA,CAAS,IAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAiB;AAAA,IACzB,CAAA;AAAA,EACF;AAGF,CAAA;ADPA;AACA;AEhCA,qCAA6B;AAgBtB,IAAM,6BAAA,EAAN,MAAM,8BAA+D;AAAA,EAKlE,WAAA,CACG,UAAA,EACA,OAAA,EACA,iBAAA,EACT;AAHS,IAAA,IAAA,CAAA,WAAA,EAAA,UAAA;AACA,IAAA,IAAA,CAAA,QAAA,EAAA,OAAA;AACA,IAAA,IAAA,CAAA,kBAAA,EAAA,iBAAA;AAET,IAAA,IAAA,CAAK,aAAA,EAAe,IAAI,qDAAA,CAAgC,OAAO,CAAA;AAAA,EACjE;AAAA,EACA,uBAAA,CAAA,EAAgD;AAC9C,IAAA,MAAM,IAAI,KAAA,CAAM,yBAAyB,CAAA;AAAA,EAC3C;AAAA,EAEM,IAAA,CAAA,EAAsB;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAE1B,MAAA,IAAA,CAAK,UAAA,EAAY,MAAM,wDAAA;AAAA,QACrB,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QAChB,IAAA,CAAK;AAAA,MACP,CAAA;AACA,MAAA,IAAA,CAAK,aAAA,EAAe,IAAI,yBAAA;AAAA,QACtB,IAAA,CAAK,UAAA,CAAW,QAAA;AAAA,QAChB,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACf,IAAA,CAAK,SAAA,CAAU,KAAA;AAAA,QACf;AAAA,UACE,WAAA,EAAa,IAAA,CAAK,UAAA,CAAW;AAAA,QAC/B;AAAA,MACF,CAAA;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEM,aAAA,CACJ,IAAA,EACA,KAAA,EACgC;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAChC,MAAA,GAAA,CAAI,CAAC,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,IAAA,CAAK,CAAA;AACxC,MAAA,MAAM,aAAA,EAAe,MAAM,IAAA,CAAK,YAAA,CAAa,eAAA,CAAgB,CAAA;AAC7D,MAAA,GAAA,CAAI,CAAC,YAAA,EAAc,MAAM,IAAI,KAAA,CAAM,oCAAoC,CAAA;AAGvE,MAAA,MAAM,OAAA,EAAS,MAAM,6CAAA;AAAA,QACnB,IAAA;AAAA,QACA,KAAA;AAAA,QACA,IAAA,CAAK,YAAA;AAAA,QACL,IAAA,CAAK,YAAA;AAAA;AAAA,QACL,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QAChB,IAAA,CAAK;AAAA;AAAA,MACP,CAAA;AAEA,MAAA,0CAAA,IAAY,CAAK,OAAA,EAAS,MAAM,CAAA;AAEhC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEM,cAAA,CAAA,EAA8C;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAClD,MAAA,MAAM,YAAA,EAAc,6CAAA,IAAe,CAAK,OAAO,CAAA;AAE/C,MAAA,GAAA,CAAI,CAAC,WAAA,EAAa,OAAO,IAAA;AAEzB,MAAA,OAAO;AAAA,QACL,aAAA,EAAe,CAAC,CAAC,WAAA,CAAY,QAAA;AAAA,QAC7B,OAAA,EAAS,WAAA,CAAY,QAAA;AAAA,QACrB,WAAA,EAAa,WAAA,CAAY,YAAA;AAAA,QACzB,YAAA,EAAc,WAAA,CAAY;AAAA,MAC5B,CAAA;AAAA,IACF,CAAA,CAAA;AAAA,EAAA;AAAA,EAEA,OAAa,KAAA,CACX,UAAA,EACA,OAAA,EACA,iBAAA,EACiC;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACjC,MAAA,MAAM,SAAA,EAAW,IAAI,6BAAA;AAAA,QACnB,UAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,MACF,CAAA;AACA,MAAA,MAAM,QAAA,CAAS,IAAA,CAAK,CAAA;AAEpB,MAAA,OAAO,QAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AACF,CAAA;AFIA;AACA;AG7FA,SAAsB,sBAAA,CACpB,IAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACgC;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAlBlC,IAAA,IAAA,EAAA;AAmBE,IAAA,MAAM,mBAAA,EAAqB,MAAM,4BAAA,CAA6B,KAAA;AAAA,MAC5D,4CAAA,6CAAA,CAAA,CAAA,EACK,MAAA,CAAA,EADL;AAAA,QAEE,WAAA,EAAA,CAAa,GAAA,EAAA,MAAA,CAAO,WAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAsB;AAAA,MACrC,CAAA,CAAA;AAAA,MACA,OAAA;AAAA,MACA,MAAA,CAAO;AAAA,IACT,CAAA;AAEA,IAAA,OAAO,kBAAA,CAAmB,aAAA,CAAc,IAAA,EAAM,KAAK,CAAA;AAAA,EACrD,CAAA,CAAA;AAAA;AAEO,SAAS,UAAA,CAAW,OAAA,EAA+B;AACxD,EAAA,OAAO,CAAC,CAAC,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AACjC;AAEA,SAAsB,aAAA,CACpB,MAAA,EAKA,OAAA,EACc;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AA1ChB,IAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA;AA4CE,IAAA,MAAM,MAAA,EAAA,CAAQ,GAAA,EAAA,MAAA,CAAO,KAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAgB,IAAA,CAAK,MAAA,CAAO,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,SAAA,CAAU,CAAC,CAAA;AACpE,IAAA,MAAM,OAAA,EAAA,CAAS,GAAA,EAAA,MAAA,CAAO,MAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAiB,+BAAA;AAChC,IAAA,MAAM,aAAA,EAAe,IAAI,qDAAA,CAAgC,OAAO,CAAA;AAChE,IAAA,MAAM,cAAA,EAAgB,IAAI,oDAAA,CAA+B,4CAAA,6CAAA,CAAA,CAAA,EACpD,MAAA,CAAA,EADoD;AAAA,MAEvD,KAAA;AAAA,MACA,MAAA;AAAA,MACA,WAAA,EAAA,CAAa,GAAA,EAAA,MAAA,CAAO,WAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAsB,4BAAA;AAAA;AAAA,MAEnC,YAAA,EAAc;AAAA,IAChB,CAAA,CAAC,CAAA;AAED,IAAA,OAAO,aAAA,CAAc,MAAA,CAAO,CAAA;AAAA,EAC9B,CAAA,CAAA;AAAA;AHkFA;AACA;AIpIA;AAEO,IAAM,+BAAA,EAAN,MAAM,gCAAkE;AAAA,EAIrE,WAAA,CACE,UAAA,EACA,OAAA,EACA,iBAAA,EACR;AAHQ,IAAA,IAAA,CAAA,WAAA,EAAA,UAAA;AACA,IAAA,IAAA,CAAA,QAAA,EAAA,OAAA;AACA,IAAA,IAAA,CAAA,kBAAA,EAAA,iBAAA;AAAA,EACP;AAAA,EAEG,IAAA,CAAA,EAAsB;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAE1B,MAAA,IAAA,CAAK,UAAA,EAAY,MAAM,wDAAA;AAAA,QACrB,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QAChB,IAAA,CAAK;AAAA,MACP,CAAA;AACA,MAAA,IAAA,CAAK,aAAA,EAAe,IAAIA,yBAAAA;AAAA,QACtB,IAAA,CAAK,UAAA,CAAW,QAAA;AAAA,QAChB,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACf,IAAA,CAAK,SAAA,CAAU,KAAA;AAAA,QACf;AAAA,UACE,WAAA,EAAa,IAAA,CAAK,UAAA,CAAW;AAAA,QAC/B;AAAA,MACF,CAAA;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEA,OAAa,KAAA,CACX,UAAA,EACA,OAAA,EACA,iBAAA,EACyC;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACzC,MAAA,MAAM,UAAA,EAAY,IAAI,+BAAA;AAAA,QACpB,UAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,MACF,CAAA;AACA,MAAA,MAAM,SAAA,CAAU,IAAA,CAAK,CAAA;AAErB,MAAA,OAAO,SAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEM,aAAA,CAAA,EAAgB;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACpB,MAAA,GAAA,CAAI,CAAC,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,IAAA,CAAK,CAAA;AAExC,MAAA,MAAM,OAAA,EAAS,6CAAA,IAAe,CAAK,OAAO,CAAA;AAC1C,MAAA,GAAA,CAAI,CAAA,CAAC,OAAA,GAAA,KAAA,EAAA,KAAA,EAAA,EAAA,MAAA,CAAQ,aAAA,CAAA,EAAe,MAAM,IAAI,KAAA,CAAM,4BAA4B,CAAA;AAExE,MAAA,MAAM,aAAA,EAAe,IAAA,CAAK,YAAA;AAC1B,MAAA,MAAM,gBAAA,EACJ,MAAM,YAAA,CAAa,kBAAA;AAAA,QACjB,MAAA,CAAO;AAAA,MACT,CAAA;AAEF,MAAA,0CAAA,IAAY,CAAK,OAAA,EAAS,eAAe,CAAA;AAEzC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AACF,CAAA;AJyHA;AACA;AKvLA,SAAsB,aAAA,CACpB,OAAA,EACA,MAAA,EACgC;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAXlC,IAAA,IAAA,EAAA;AAYE,IAAA,MAAM,UAAA,EAAY,MAAM,8BAAA,CAA+B,KAAA;AAAA,MACrD,4CAAA,6CAAA,CAAA,CAAA,EACK,MAAA,CAAA,EADL;AAAA,QAEE,WAAA,EAAA,CAAa,GAAA,EAAA,MAAA,CAAO,WAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAsB;AAAA,MACrC,CAAA,CAAA;AAAA,MACA,OAAA;AAAA,MACA,MAAA,CAAO;AAAA,IACT,CAAA;AAEA,IAAA,OAAO,SAAA,CAAU,aAAA,CAAc,CAAA;AAAA,EACjC,CAAA,CAAA;AAAA;ALuLA;AACA;AACE;AACA;AACA;AACA;AACA;AACF,8MAAC","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-KCSGIIPA.js","sourcesContent":[null,"import { AuthStorage, SessionData, UnknownObject, User } from \"@/types.js\";\n\ntype SameSiteOption = \"strict\" | \"lax\" | \"none\";\n\nexport interface SessionStorage {\n get(): SessionData;\n getUser(): User<UnknownObject> | null;\n set(data: Partial<SessionData>): void;\n setUser(data: User<UnknownObject> | null): void;\n clear(): void;\n}\n\nexport type CookieStorageSettings = {\n httpOnly: boolean;\n secure: boolean;\n sameSite: SameSiteOption;\n expires: Date;\n path: string;\n};\n\nexport const DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes\n\nexport abstract class CookieStorage implements AuthStorage {\n protected settings: CookieStorageSettings;\n protected constructor(settings: Partial<CookieStorageSettings> = {}) {\n this.settings = {\n httpOnly: settings.httpOnly ?? true,\n secure: settings.secure ?? true,\n // the callback request comes the auth server\n // 'lax' ensures the code_verifier cookie is sent with the request\n sameSite: settings.sameSite ?? \"lax\",\n expires:\n settings.expires ??\n new Date(Date.now() + 1000 * DEFAULT_COOKIE_DURATION),\n path: settings.path ?? \"/\",\n };\n }\n abstract get(key: string): string | null;\n abstract set(key: string, value: string): void;\n}\n","import { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport { AuthConfig } from \"@/server/config.js\";\nimport {\n exchangeTokens,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n} from \"@/shared/util.js\";\nimport { AuthenticationResolver, PKCEProducer } from \"@/services/types.ts\";\n\nexport class ServerAuthenticationResolver implements AuthenticationResolver {\n private pkceProducer: PKCEProducer;\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n private constructor(\n readonly authConfig: AuthConfig,\n readonly storage: AuthStorage,\n readonly endpointOverrides?: Partial<Endpoints>,\n ) {\n this.pkceProducer = new GenericPublicClientPKCEProducer(storage);\n }\n validateExistingSession(): Promise<SessionData> {\n throw new Error(\"Method not implemented.\");\n }\n\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.authConfig.oauthServer,\n this.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.authConfig.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.authConfig.redirectUrl,\n },\n );\n\n return this;\n }\n\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.authConfig.oauthServer,\n this.endpoints!, // clean up types here to avoid the ! operator\n );\n\n storeTokens(this.storage, tokens);\n\n return tokens;\n }\n\n async getSessionData(): Promise<SessionData | null> {\n const storageData = retrieveTokens(this.storage);\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n };\n }\n\n static async build(\n authConfig: AuthConfig,\n storage: AuthStorage,\n endpointOverrides?: Partial<Endpoints>,\n ): Promise<AuthenticationResolver> {\n const resolver = new ServerAuthenticationResolver(\n authConfig,\n storage,\n endpointOverrides,\n );\n await resolver.init();\n\n return resolver;\n }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { AUTH_SERVER, DEFAULT_SCOPES } from \"@/constants.js\";\nimport { GenericAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport { AuthConfig } from \"@/server/config.ts\";\n/**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code, typically from a query parameter in the redirect url\n * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url\n * @param storage The place that this server uses to store session data (e.g. a cookie store)\n * @param config Oauth Server configuration\n */\nexport async function resolveOAuthAccessCode(\n code: string,\n state: string,\n storage: AuthStorage,\n config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n const authSessionService = await ServerAuthenticationResolver.build(\n {\n ...config,\n oauthServer: config.oauthServer ?? AUTH_SERVER,\n },\n storage,\n config.endpointOverrides,\n );\n\n return authSessionService.tokenExchange(code, state);\n}\n\nexport function isLoggedIn(storage: AuthStorage): boolean {\n return !!storage.get(\"id_token\");\n}\n\nexport async function buildLoginUrl(\n config: Pick<AuthConfig, \"oauthServer\" | \"clientId\" | \"redirectUrl\"> & {\n scopes?: string[];\n state?: string;\n nonce?: string;\n },\n storage: AuthStorage,\n): Promise<URL> {\n // generate a random state if not provided\n const state = config.state ?? Math.random().toString(36).substring(2);\n const scopes = config.scopes ?? DEFAULT_SCOPES;\n const pkceProducer = new GenericPublicClientPKCEProducer(storage);\n const authInitiator = new GenericAuthenticationInitiator({\n ...config,\n state,\n scopes,\n oauthServer: config.oauthServer ?? AUTH_SERVER,\n // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session\n pkceConsumer: pkceProducer,\n });\n\n return authInitiator.signIn();\n}\n","import { AuthenticationRefresher } from \"@/services/types.ts\";\nimport { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types\";\nimport {\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n} from \"@/shared/util.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\nimport { OAuth2Client } from \"oslo/oauth2\";\n\nexport class GenericAuthenticationRefresher implements AuthenticationRefresher {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n private constructor(\n private authConfig: AuthConfig,\n private storage: AuthStorage,\n private endpointOverrides?: Partial<Endpoints>,\n ) {}\n\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.authConfig.oauthServer,\n this.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.authConfig.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.authConfig.redirectUrl,\n },\n );\n\n return this;\n }\n\n static async build(\n authConfig: AuthConfig,\n storage: AuthStorage,\n endpointOverrides?: Partial<Endpoints>,\n ): Promise<GenericAuthenticationRefresher> {\n const refresher = new GenericAuthenticationRefresher(\n authConfig,\n storage,\n endpointOverrides,\n );\n await refresher.init();\n\n return refresher;\n }\n\n async refreshTokens() {\n if (!this.oauth2client) await this.init();\n\n const tokens = retrieveTokens(this.storage);\n if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n\n const oauth2Client = this.oauth2client!;\n const refreshedTokens =\n await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n tokens.refresh_token,\n );\n\n storeTokens(this.storage, refreshedTokens);\n\n return tokens;\n }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { AUTH_SERVER } from \"@/constants.js\";\nimport { GenericAuthenticationRefresher } from \"@/shared/GenericAuthenticationRefresher.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\n\n/**\n * Refresh the current set of OIDC tokens\n */\nexport async function refreshTokens(\n storage: AuthStorage,\n config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n const refresher = await GenericAuthenticationRefresher.build(\n {\n ...config,\n oauthServer: config.oauthServer ?? AUTH_SERVER,\n },\n storage,\n config.endpointOverrides,\n );\n\n return refresher.refreshTokens();\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-ZXULHA47.js","../src/shared/storage.ts","../src/server/ServerAuthenticationResolver.ts","../src/server/login.ts","../src/shared/GenericAuthenticationRefresher.ts","../src/server/refresh.ts"],"names":["OAuth2Client"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACIO,IAAM,wBAAA,EAA0B,GAAA,EAAK,EAAA;AAErC,IAAe,cAAA,EAAf,MAAoD;AAAA,EAE/C,WAAA,CAAY,SAAA,EAA2C,CAAC,CAAA,EAAG;AAxBvE,IAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA;AAyBI,IAAA,IAAA,CAAK,SAAA,EAAW;AAAA,MACd,QAAA,EAAA,CAAU,GAAA,EAAA,QAAA,CAAS,QAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAqB,IAAA;AAAA,MAC/B,MAAA,EAAA,CAAQ,GAAA,EAAA,QAAA,CAAS,MAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAmB,IAAA;AAAA;AAAA;AAAA,MAG3B,QAAA,EAAA,CAAU,GAAA,EAAA,QAAA,CAAS,QAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAqB,KAAA;AAAA,MAC/B,OAAA,EAAA,CACE,GAAA,EAAA,QAAA,CAAS,OAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EACA,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,CAAI,EAAA,EAAI,IAAA,EAAO,uBAAuB,CAAA;AAAA,MACtD,IAAA,EAAA,CAAM,GAAA,EAAA,QAAA,CAAS,IAAA,EAAA,GAAT,KAAA,EAAA,GAAA,EAAiB;AAAA,IACzB,CAAA;AAAA,EACF;AAGF,CAAA;ADPA;AACA;AEhCA,qCAA6B;AAgBtB,IAAM,6BAAA,EAAN,MAAM,8BAA+D;AAAA,EAKlE,WAAA,CACG,UAAA,EACA,OAAA,EACA,iBAAA,EACT;AAHS,IAAA,IAAA,CAAA,WAAA,EAAA,UAAA;AACA,IAAA,IAAA,CAAA,QAAA,EAAA,OAAA;AACA,IAAA,IAAA,CAAA,kBAAA,EAAA,iBAAA;AAET,IAAA,IAAA,CAAK,aAAA,EAAe,IAAI,qDAAA,CAAgC,OAAO,CAAA;AAAA,EACjE;AAAA,EACA,uBAAA,CAAA,EAAgD;AAC9C,IAAA,MAAM,IAAI,KAAA,CAAM,yBAAyB,CAAA;AAAA,EAC3C;AAAA,EAEM,IAAA,CAAA,EAAsB;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAE1B,MAAA,IAAA,CAAK,UAAA,EAAY,MAAM,wDAAA;AAAA,QACrB,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QAChB,IAAA,CAAK;AAAA,MACP,CAAA;AACA,MAAA,IAAA,CAAK,aAAA,EAAe,IAAI,yBAAA;AAAA,QACtB,IAAA,CAAK,UAAA,CAAW,QAAA;AAAA,QAChB,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACf,IAAA,CAAK,SAAA,CAAU,KAAA;AAAA,QACf;AAAA,UACE,WAAA,EAAa,IAAA,CAAK,UAAA,CAAW;AAAA,QAC/B;AAAA,MACF,CAAA;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEM,aAAA,CACJ,IAAA,EACA,KAAA,EACgC;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAChC,MAAA,GAAA,CAAI,CAAC,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,IAAA,CAAK,CAAA;AACxC,MAAA,MAAM,aAAA,EAAe,MAAM,IAAA,CAAK,YAAA,CAAa,eAAA,CAAgB,CAAA;AAC7D,MAAA,GAAA,CAAI,CAAC,YAAA,EAAc,MAAM,IAAI,KAAA,CAAM,oCAAoC,CAAA;AAGvE,MAAA,MAAM,OAAA,EAAS,MAAM,6CAAA;AAAA,QACnB,IAAA;AAAA,QACA,KAAA;AAAA,QACA,IAAA,CAAK,YAAA;AAAA,QACL,IAAA,CAAK,YAAA;AAAA;AAAA,QACL,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QAChB,IAAA,CAAK;AAAA;AAAA,MACP,CAAA;AAEA,MAAA,0CAAA,IAAY,CAAK,OAAA,EAAS,MAAM,CAAA;AAEhC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEM,cAAA,CAAA,EAA8C;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAClD,MAAA,MAAM,YAAA,EAAc,6CAAA,IAAe,CAAK,OAAO,CAAA;AAE/C,MAAA,GAAA,CAAI,CAAC,WAAA,EAAa,OAAO,IAAA;AAEzB,MAAA,OAAO;AAAA,QACL,aAAA,EAAe,CAAC,CAAC,WAAA,CAAY,QAAA;AAAA,QAC7B,OAAA,EAAS,WAAA,CAAY,QAAA;AAAA,QACrB,WAAA,EAAa,WAAA,CAAY,YAAA;AAAA,QACzB,YAAA,EAAc,WAAA,CAAY;AAAA,MAC5B,CAAA;AAAA,IACF,CAAA,CAAA;AAAA,EAAA;AAAA,EAEA,OAAa,KAAA,CACX,UAAA,EACA,OAAA,EACA,iBAAA,EACiC;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACjC,MAAA,MAAM,SAAA,EAAW,IAAI,6BAAA;AAAA,QACnB,UAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,MACF,CAAA;AACA,MAAA,MAAM,QAAA,CAAS,IAAA,CAAK,CAAA;AAEpB,MAAA,OAAO,QAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AACF,CAAA;AFIA;AACA;AG7FA,SAAsB,sBAAA,CACpB,IAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACgC;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAlBlC,IAAA,IAAA,EAAA;AAmBE,IAAA,MAAM,mBAAA,EAAqB,MAAM,4BAAA,CAA6B,KAAA;AAAA,MAC5D,4CAAA,6CAAA,CAAA,CAAA,EACK,MAAA,CAAA,EADL;AAAA,QAEE,WAAA,EAAA,CAAa,GAAA,EAAA,MAAA,CAAO,WAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAsB;AAAA,MACrC,CAAA,CAAA;AAAA,MACA,OAAA;AAAA,MACA,MAAA,CAAO;AAAA,IACT,CAAA;AAEA,IAAA,OAAO,kBAAA,CAAmB,aAAA,CAAc,IAAA,EAAM,KAAK,CAAA;AAAA,EACrD,CAAA,CAAA;AAAA;AAEO,SAAS,UAAA,CAAW,OAAA,EAA+B;AACxD,EAAA,OAAO,CAAC,CAAC,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AACjC;AAEA,SAAsB,aAAA,CACpB,MAAA,EAKA,OAAA,EACc;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AA1ChB,IAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA;AA4CE,IAAA,MAAM,MAAA,EAAA,CAAQ,GAAA,EAAA,MAAA,CAAO,KAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAgB,IAAA,CAAK,MAAA,CAAO,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,SAAA,CAAU,CAAC,CAAA;AACpE,IAAA,MAAM,OAAA,EAAA,CAAS,GAAA,EAAA,MAAA,CAAO,MAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAiB,+BAAA;AAChC,IAAA,MAAM,aAAA,EAAe,IAAI,qDAAA,CAAgC,OAAO,CAAA;AAChE,IAAA,MAAM,cAAA,EAAgB,IAAI,oDAAA,CAA+B,4CAAA,6CAAA,CAAA,CAAA,EACpD,MAAA,CAAA,EADoD;AAAA,MAEvD,KAAA;AAAA,MACA,MAAA;AAAA,MACA,WAAA,EAAA,CAAa,GAAA,EAAA,MAAA,CAAO,WAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAsB,4BAAA;AAAA;AAAA,MAEnC,YAAA,EAAc;AAAA,IAChB,CAAA,CAAC,CAAA;AAED,IAAA,OAAO,aAAA,CAAc,MAAA,CAAO,CAAA;AAAA,EAC9B,CAAA,CAAA;AAAA;AHkFA;AACA;AIpIA;AAEO,IAAM,+BAAA,EAAN,MAAM,gCAAkE;AAAA,EAIrE,WAAA,CACE,UAAA,EACA,OAAA,EACA,iBAAA,EACR;AAHQ,IAAA,IAAA,CAAA,WAAA,EAAA,UAAA;AACA,IAAA,IAAA,CAAA,QAAA,EAAA,OAAA;AACA,IAAA,IAAA,CAAA,kBAAA,EAAA,iBAAA;AAAA,EACP;AAAA,EAEG,IAAA,CAAA,EAAsB;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAE1B,MAAA,IAAA,CAAK,UAAA,EAAY,MAAM,wDAAA;AAAA,QACrB,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QAChB,IAAA,CAAK;AAAA,MACP,CAAA;AACA,MAAA,IAAA,CAAK,aAAA,EAAe,IAAIA,yBAAAA;AAAA,QACtB,IAAA,CAAK,UAAA,CAAW,QAAA;AAAA,QAChB,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACf,IAAA,CAAK,SAAA,CAAU,KAAA;AAAA,QACf;AAAA,UACE,WAAA,EAAa,IAAA,CAAK,UAAA,CAAW;AAAA,QAC/B;AAAA,MACF,CAAA;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEA,OAAa,KAAA,CACX,UAAA,EACA,OAAA,EACA,iBAAA,EACyC;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACzC,MAAA,MAAM,UAAA,EAAY,IAAI,+BAAA;AAAA,QACpB,UAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,MACF,CAAA;AACA,MAAA,MAAM,SAAA,CAAU,IAAA,CAAK,CAAA;AAErB,MAAA,OAAO,SAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AAAA,EAEM,aAAA,CAAA,EAAgB;AAAA,IAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACpB,MAAA,GAAA,CAAI,CAAC,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,IAAA,CAAK,CAAA;AAExC,MAAA,MAAM,OAAA,EAAS,6CAAA,IAAe,CAAK,OAAO,CAAA;AAC1C,MAAA,GAAA,CAAI,CAAA,CAAC,OAAA,GAAA,KAAA,EAAA,KAAA,EAAA,EAAA,MAAA,CAAQ,aAAA,CAAA,EAAe,MAAM,IAAI,KAAA,CAAM,4BAA4B,CAAA;AAExE,MAAA,MAAM,aAAA,EAAe,IAAA,CAAK,YAAA;AAC1B,MAAA,MAAM,gBAAA,EACJ,MAAM,YAAA,CAAa,kBAAA;AAAA,QACjB,MAAA,CAAO;AAAA,MACT,CAAA;AAEF,MAAA,0CAAA,IAAY,CAAK,OAAA,EAAS,eAAe,CAAA;AAEzC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA;AAAA,EAAA;AACF,CAAA;AJyHA;AACA;AKvLA,SAAsB,aAAA,CACpB,OAAA,EACA,MAAA,EACgC;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAXlC,IAAA,IAAA,EAAA;AAYE,IAAA,MAAM,UAAA,EAAY,MAAM,8BAAA,CAA+B,KAAA;AAAA,MACrD,4CAAA,6CAAA,CAAA,CAAA,EACK,MAAA,CAAA,EADL;AAAA,QAEE,WAAA,EAAA,CAAa,GAAA,EAAA,MAAA,CAAO,WAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAsB;AAAA,MACrC,CAAA,CAAA;AAAA,MACA,OAAA;AAAA,MACA,MAAA,CAAO;AAAA,IACT,CAAA;AAEA,IAAA,OAAO,SAAA,CAAU,aAAA,CAAc,CAAA;AAAA,EACjC,CAAA,CAAA;AAAA;ALuLA;AACA;AACE;AACA;AACA;AACA;AACA;AACF,8MAAC","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-ZXULHA47.js","sourcesContent":[null,"import { AuthStorage, SessionData, UnknownObject, User } from \"@/types.js\";\n\ntype SameSiteOption = \"strict\" | \"lax\" | \"none\";\n\nexport interface SessionStorage {\n get(): SessionData;\n getUser(): User<UnknownObject> | null;\n set(data: Partial<SessionData>): void;\n setUser(data: User<UnknownObject> | null): void;\n clear(): void;\n}\n\nexport type CookieStorageSettings = {\n httpOnly: boolean;\n secure: boolean;\n sameSite: SameSiteOption;\n expires: Date;\n path: string;\n};\n\nexport const DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes\n\nexport abstract class CookieStorage implements AuthStorage {\n protected settings: CookieStorageSettings;\n protected constructor(settings: Partial<CookieStorageSettings> = {}) {\n this.settings = {\n httpOnly: settings.httpOnly ?? true,\n secure: settings.secure ?? true,\n // the callback request comes the auth server\n // 'lax' ensures the code_verifier cookie is sent with the request\n sameSite: settings.sameSite ?? \"lax\",\n expires:\n settings.expires ??\n new Date(Date.now() + 1000 * DEFAULT_COOKIE_DURATION),\n path: settings.path ?? \"/\",\n };\n }\n abstract get(key: string): string | null;\n abstract set(key: string, value: string): void;\n}\n","import { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport { AuthConfig } from \"@/server/config.js\";\nimport {\n exchangeTokens,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n} from \"@/shared/util.js\";\nimport { AuthenticationResolver, PKCEProducer } from \"@/services/types.ts\";\n\nexport class ServerAuthenticationResolver implements AuthenticationResolver {\n private pkceProducer: PKCEProducer;\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n private constructor(\n readonly authConfig: AuthConfig,\n readonly storage: AuthStorage,\n readonly endpointOverrides?: Partial<Endpoints>,\n ) {\n this.pkceProducer = new GenericPublicClientPKCEProducer(storage);\n }\n validateExistingSession(): Promise<SessionData> {\n throw new Error(\"Method not implemented.\");\n }\n\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.authConfig.oauthServer,\n this.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.authConfig.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.authConfig.redirectUrl,\n },\n );\n\n return this;\n }\n\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.authConfig.oauthServer,\n this.endpoints!, // clean up types here to avoid the ! operator\n );\n\n storeTokens(this.storage, tokens);\n\n return tokens;\n }\n\n async getSessionData(): Promise<SessionData | null> {\n const storageData = retrieveTokens(this.storage);\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n };\n }\n\n static async build(\n authConfig: AuthConfig,\n storage: AuthStorage,\n endpointOverrides?: Partial<Endpoints>,\n ): Promise<AuthenticationResolver> {\n const resolver = new ServerAuthenticationResolver(\n authConfig,\n storage,\n endpointOverrides,\n );\n await resolver.init();\n\n return resolver;\n }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { AUTH_SERVER, DEFAULT_SCOPES } from \"@/constants.js\";\nimport { GenericAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport { AuthConfig } from \"@/server/config.ts\";\n/**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code, typically from a query parameter in the redirect url\n * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url\n * @param storage The place that this server uses to store session data (e.g. a cookie store)\n * @param config Oauth Server configuration\n */\nexport async function resolveOAuthAccessCode(\n code: string,\n state: string,\n storage: AuthStorage,\n config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n const authSessionService = await ServerAuthenticationResolver.build(\n {\n ...config,\n oauthServer: config.oauthServer ?? AUTH_SERVER,\n },\n storage,\n config.endpointOverrides,\n );\n\n return authSessionService.tokenExchange(code, state);\n}\n\nexport function isLoggedIn(storage: AuthStorage): boolean {\n return !!storage.get(\"id_token\");\n}\n\nexport async function buildLoginUrl(\n config: Pick<AuthConfig, \"oauthServer\" | \"clientId\" | \"redirectUrl\"> & {\n scopes?: string[];\n state?: string;\n nonce?: string;\n },\n storage: AuthStorage,\n): Promise<URL> {\n // generate a random state if not provided\n const state = config.state ?? Math.random().toString(36).substring(2);\n const scopes = config.scopes ?? DEFAULT_SCOPES;\n const pkceProducer = new GenericPublicClientPKCEProducer(storage);\n const authInitiator = new GenericAuthenticationInitiator({\n ...config,\n state,\n scopes,\n oauthServer: config.oauthServer ?? AUTH_SERVER,\n // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session\n pkceConsumer: pkceProducer,\n });\n\n return authInitiator.signIn();\n}\n","import { AuthenticationRefresher } from \"@/services/types.ts\";\nimport { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types\";\nimport {\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n} from \"@/shared/util.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\nimport { OAuth2Client } from \"oslo/oauth2\";\n\nexport class GenericAuthenticationRefresher implements AuthenticationRefresher {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n private constructor(\n private authConfig: AuthConfig,\n private storage: AuthStorage,\n private endpointOverrides?: Partial<Endpoints>,\n ) {}\n\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.authConfig.oauthServer,\n this.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.authConfig.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.authConfig.redirectUrl,\n },\n );\n\n return this;\n }\n\n static async build(\n authConfig: AuthConfig,\n storage: AuthStorage,\n endpointOverrides?: Partial<Endpoints>,\n ): Promise<GenericAuthenticationRefresher> {\n const refresher = new GenericAuthenticationRefresher(\n authConfig,\n storage,\n endpointOverrides,\n );\n await refresher.init();\n\n return refresher;\n }\n\n async refreshTokens() {\n if (!this.oauth2client) await this.init();\n\n const tokens = retrieveTokens(this.storage);\n if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n\n const oauth2Client = this.oauth2client!;\n const refreshedTokens =\n await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n tokens.refresh_token,\n );\n\n storeTokens(this.storage, refreshedTokens);\n\n return tokens;\n }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { AUTH_SERVER } from \"@/constants.js\";\nimport { GenericAuthenticationRefresher } from \"@/shared/GenericAuthenticationRefresher.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\n\n/**\n * Refresh the current set of OIDC tokens\n */\nexport async function refreshTokens(\n storage: AuthStorage,\n config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n const refresher = await GenericAuthenticationRefresher.build(\n {\n ...config,\n oauthServer: config.oauthServer ?? AUTH_SERVER,\n },\n storage,\n config.endpointOverrides,\n );\n\n return refresher.refreshTokens();\n}\n"]}
|
package/dist/nextjs.js
CHANGED
|
@@ -4,17 +4,17 @@
|
|
|
4
4
|
|
|
5
5
|
|
|
6
6
|
|
|
7
|
-
var
|
|
7
|
+
var _chunkEM4APQVYjs = require('./chunk-EM4APQVY.js');
|
|
8
8
|
|
|
9
9
|
|
|
10
10
|
|
|
11
|
-
var
|
|
11
|
+
var _chunkZXULHA47js = require('./chunk-ZXULHA47.js');
|
|
12
12
|
|
|
13
13
|
|
|
14
14
|
|
|
15
15
|
|
|
16
16
|
|
|
17
|
-
var
|
|
17
|
+
var _chunk2SAT3UFJjs = require('./chunk-2SAT3UFJ.js');
|
|
18
18
|
|
|
19
19
|
|
|
20
20
|
|
|
@@ -25,12 +25,12 @@ var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
|
|
|
25
25
|
var _headersjs = require('next/headers.js');
|
|
26
26
|
var clearAuthCookies = () => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
|
|
27
27
|
const cookieStorage = new NextjsCookieStorage();
|
|
28
|
-
|
|
28
|
+
_chunk2SAT3UFJjs.clearTokens.call(void 0, cookieStorage);
|
|
29
29
|
const clientStorage = new NextjsClientStorage();
|
|
30
|
-
const userSession = new (0,
|
|
30
|
+
const userSession = new (0, _chunk2SAT3UFJjs.GenericUserSession)(clientStorage);
|
|
31
31
|
userSession.set(null);
|
|
32
32
|
});
|
|
33
|
-
var NextjsCookieStorage = class extends
|
|
33
|
+
var NextjsCookieStorage = class extends _chunkZXULHA47js.CookieStorage {
|
|
34
34
|
constructor(config = {}) {
|
|
35
35
|
super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
|
|
36
36
|
secure: true,
|
|
@@ -45,7 +45,7 @@ var NextjsCookieStorage = class extends _chunkKCSGIIPAjs.CookieStorage {
|
|
|
45
45
|
_headersjs.cookies.call(void 0, ).set(key, value, this.settings);
|
|
46
46
|
}
|
|
47
47
|
};
|
|
48
|
-
var NextjsClientStorage = class extends
|
|
48
|
+
var NextjsClientStorage = class extends _chunkZXULHA47js.CookieStorage {
|
|
49
49
|
constructor(config = {}) {
|
|
50
50
|
super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
|
|
51
51
|
secure: false,
|
|
@@ -64,7 +64,7 @@ var NextjsClientStorage = class extends _chunkKCSGIIPAjs.CookieStorage {
|
|
|
64
64
|
// src/nextjs/GetUser.ts
|
|
65
65
|
var getUser2 = () => {
|
|
66
66
|
const clientStorage = new NextjsClientStorage();
|
|
67
|
-
const userSession = new (0,
|
|
67
|
+
const userSession = new (0, _chunk2SAT3UFJjs.GenericUserSession)(clientStorage);
|
|
68
68
|
return userSession.get();
|
|
69
69
|
};
|
|
70
70
|
|
|
@@ -85,7 +85,7 @@ var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
|
|
|
85
85
|
return matchGlob(pathname, pattern);
|
|
86
86
|
});
|
|
87
87
|
var applyAuth = (authConfig, request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
|
|
88
|
-
const authConfigWithDefaults =
|
|
88
|
+
const authConfigWithDefaults = _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, authConfig);
|
|
89
89
|
const isAuthenticated = !!request.cookies.get("id_token");
|
|
90
90
|
if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {
|
|
91
91
|
console.log("\u2192 Skipping auth check - this is the login URL");
|
|
@@ -107,7 +107,7 @@ var applyAuth = (authConfig, request) => _chunkCRTRMMJ7js.__async.call(void 0, v
|
|
|
107
107
|
console.log("\u2192 Auth check passed");
|
|
108
108
|
return void 0;
|
|
109
109
|
});
|
|
110
|
-
var authMiddleware = (authConfig =
|
|
110
|
+
var authMiddleware = (authConfig = _chunkEM4APQVYjs.defaultAuthConfig) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
|
|
111
111
|
const response = yield applyAuth(authConfig, request);
|
|
112
112
|
if (response) return response;
|
|
113
113
|
return _serverjs.NextResponse.next();
|
|
@@ -132,7 +132,7 @@ function auth(authConfig = {}) {
|
|
|
132
132
|
// src/nextjs/routeHandler.ts
|
|
133
133
|
|
|
134
134
|
var _cachejs = require('next/cache.js');
|
|
135
|
-
var logger =
|
|
135
|
+
var logger = _chunkEM4APQVYjs.loggers.nextjs.handlers.auth;
|
|
136
136
|
var AuthError = class extends Error {
|
|
137
137
|
constructor(message, status = 401) {
|
|
138
138
|
super(message);
|
|
@@ -143,7 +143,7 @@ var AuthError = class extends Error {
|
|
|
143
143
|
function handleChallenge() {
|
|
144
144
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
145
145
|
const cookieStorage = new NextjsCookieStorage();
|
|
146
|
-
const pkceProducer = new (0,
|
|
146
|
+
const pkceProducer = new (0, _chunk2SAT3UFJjs.GenericPublicClientPKCEProducer)(cookieStorage);
|
|
147
147
|
const challenge = yield pkceProducer.getCodeChallenge();
|
|
148
148
|
return _serverjs.NextResponse.json({ status: "success", challenge });
|
|
149
149
|
});
|
|
@@ -160,22 +160,22 @@ function handleCallback(request, config) {
|
|
|
160
160
|
const state = request.nextUrl.searchParams.get("state");
|
|
161
161
|
if (!code || !state) throw new AuthError("Bad parameters", 400);
|
|
162
162
|
const cookieStorage = new NextjsCookieStorage();
|
|
163
|
-
const resolvedConfigs =
|
|
164
|
-
const callbackUrl =
|
|
163
|
+
const resolvedConfigs = _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, config);
|
|
164
|
+
const callbackUrl = _chunkEM4APQVYjs.resolveCallbackUrl.call(void 0, resolvedConfigs, request.url);
|
|
165
165
|
try {
|
|
166
|
-
yield
|
|
166
|
+
yield _chunkZXULHA47js.resolveOAuthAccessCode.call(void 0, code, state, cookieStorage, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, resolvedConfigs), {
|
|
167
167
|
redirectUrl: callbackUrl
|
|
168
168
|
}));
|
|
169
169
|
} catch (error) {
|
|
170
170
|
logger.error("Token exchange failed:", error);
|
|
171
171
|
throw new AuthError("Failed to authenticate user", 401);
|
|
172
172
|
}
|
|
173
|
-
const user = yield
|
|
173
|
+
const user = yield _chunk2SAT3UFJjs.getUser.call(void 0, cookieStorage);
|
|
174
174
|
if (!user) {
|
|
175
175
|
throw new AuthError("Failed to get user info", 401);
|
|
176
176
|
}
|
|
177
177
|
const clientStorage = new NextjsClientStorage();
|
|
178
|
-
const userSession = new (0,
|
|
178
|
+
const userSession = new (0, _chunk2SAT3UFJjs.GenericUserSession)(clientStorage);
|
|
179
179
|
userSession.set(user);
|
|
180
180
|
const response = new (0, _serverjs.NextResponse)(`<html></html>`);
|
|
181
181
|
response.headers.set("Content-Type", "text/html; charset=utf-8");
|
|
@@ -191,7 +191,7 @@ var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => {
|
|
|
191
191
|
function handleLogout(request, config) {
|
|
192
192
|
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
193
193
|
var _a;
|
|
194
|
-
const resolvedConfigs =
|
|
194
|
+
const resolvedConfigs = _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, config);
|
|
195
195
|
const defaultRedirectPath = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
|
|
196
196
|
const redirectTarget = new URL(request.url).searchParams.get("redirect") || defaultRedirectPath;
|
|
197
197
|
const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
|
|
@@ -210,7 +210,7 @@ function handleLogout(request, config) {
|
|
|
210
210
|
});
|
|
211
211
|
}
|
|
212
212
|
var handler = (authConfig = {}) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
|
|
213
|
-
const config =
|
|
213
|
+
const config = _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, authConfig);
|
|
214
214
|
try {
|
|
215
215
|
const pathname = request.nextUrl.pathname;
|
|
216
216
|
const pathSegments = pathname.split("/");
|
|
@@ -241,5 +241,5 @@ var handler = (authConfig = {}) => (request) => _chunkCRTRMMJ7js.__async.call(vo
|
|
|
241
241
|
|
|
242
242
|
|
|
243
243
|
|
|
244
|
-
exports.auth = auth; exports.authMiddleware = authMiddleware; exports.createCivicAuthPlugin =
|
|
244
|
+
exports.auth = auth; exports.authMiddleware = authMiddleware; exports.createCivicAuthPlugin = _chunkEM4APQVYjs.createCivicAuthPlugin; exports.getUser = getUser2; exports.handler = handler; exports.withAuth = withAuth;
|
|
245
245
|
//# sourceMappingURL=nextjs.js.map
|
package/dist/nextjs.mjs
CHANGED
|
@@ -4,17 +4,17 @@ import {
|
|
|
4
4
|
loggers,
|
|
5
5
|
resolveAuthConfig,
|
|
6
6
|
resolveCallbackUrl
|
|
7
|
-
} from "./chunk-
|
|
7
|
+
} from "./chunk-3PEZMCN4.mjs";
|
|
8
8
|
import {
|
|
9
9
|
CookieStorage,
|
|
10
10
|
resolveOAuthAccessCode
|
|
11
|
-
} from "./chunk-
|
|
11
|
+
} from "./chunk-3MO4WWTJ.mjs";
|
|
12
12
|
import {
|
|
13
13
|
GenericPublicClientPKCEProducer,
|
|
14
14
|
GenericUserSession,
|
|
15
15
|
clearTokens,
|
|
16
16
|
getUser
|
|
17
|
-
} from "./chunk-
|
|
17
|
+
} from "./chunk-KHGGUCM6.mjs";
|
|
18
18
|
import {
|
|
19
19
|
__async,
|
|
20
20
|
__spreadProps,
|
package/dist/react.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
"use strict";Object.defineProperty(exports, "__esModule", {value: true});
|
|
2
2
|
|
|
3
3
|
|
|
4
|
-
var
|
|
4
|
+
var _chunkEM4APQVYjs = require('./chunk-EM4APQVY.js');
|
|
5
5
|
|
|
6
6
|
|
|
7
7
|
|
|
@@ -15,7 +15,7 @@ var _chunkMVO4UZ2Ajs = require('./chunk-MVO4UZ2A.js');
|
|
|
15
15
|
|
|
16
16
|
|
|
17
17
|
|
|
18
|
-
var
|
|
18
|
+
var _chunk2SAT3UFJjs = require('./chunk-2SAT3UFJ.js');
|
|
19
19
|
|
|
20
20
|
|
|
21
21
|
|
|
@@ -176,7 +176,7 @@ var UserProvider = ({
|
|
|
176
176
|
if (!accessToken) {
|
|
177
177
|
return null;
|
|
178
178
|
}
|
|
179
|
-
const userSession = new (0,
|
|
179
|
+
const userSession = new (0, _chunk2SAT3UFJjs.GenericUserSession)(storage);
|
|
180
180
|
return userSession.get();
|
|
181
181
|
});
|
|
182
182
|
const {
|
|
@@ -281,7 +281,7 @@ var CivicAuthIframe = _react.forwardRef.call(void 0,
|
|
|
281
281
|
return /* @__PURE__ */ _jsxruntime.jsx.call(void 0,
|
|
282
282
|
"iframe",
|
|
283
283
|
{
|
|
284
|
-
id:
|
|
284
|
+
id: _chunk2SAT3UFJjs.IFRAME_ID,
|
|
285
285
|
ref,
|
|
286
286
|
className: "cac-h-96 cac-w-80 cac-border-none",
|
|
287
287
|
onLoad
|
|
@@ -465,11 +465,11 @@ var AuthProvider = ({
|
|
|
465
465
|
const [isRedirecting, setIsRedirecting] = _react.useState.call(void 0, false);
|
|
466
466
|
const queryClient3 = _reactquery.useQueryClient.call(void 0, );
|
|
467
467
|
const iframeRef = _react.useRef.call(void 0, null);
|
|
468
|
-
const serverTokenExchange = pkceConsumer instanceof
|
|
468
|
+
const serverTokenExchange = pkceConsumer instanceof _chunk2SAT3UFJjs.ConfidentialClientPKCEConsumer;
|
|
469
469
|
_react.useEffect.call(void 0, () => {
|
|
470
470
|
if (typeof globalThis.window !== "undefined") {
|
|
471
471
|
setCurrentUrl(globalThis.window.location.href);
|
|
472
|
-
const isInIframeVal =
|
|
472
|
+
const isInIframeVal = _chunk2SAT3UFJjs.isWindowInIframe.call(void 0, globalThis.window);
|
|
473
473
|
setIsInIframe(isInIframeVal);
|
|
474
474
|
}
|
|
475
475
|
}, []);
|
|
@@ -480,11 +480,11 @@ var AuthProvider = ({
|
|
|
480
480
|
const [authService, setAuthService] = _react.useState.call(void 0, );
|
|
481
481
|
_react.useEffect.call(void 0, () => {
|
|
482
482
|
if (!currentUrl) return;
|
|
483
|
-
|
|
483
|
+
_chunk2SAT3UFJjs.BrowserAuthenticationService.build({
|
|
484
484
|
clientId,
|
|
485
485
|
redirectUrl,
|
|
486
486
|
oauthServer: config.oauthServer,
|
|
487
|
-
scopes:
|
|
487
|
+
scopes: _chunk2SAT3UFJjs.DEFAULT_SCOPES,
|
|
488
488
|
displayMode
|
|
489
489
|
}).then(setAuthService);
|
|
490
490
|
}, [currentUrl, clientId, redirectUrl, config, displayMode]);
|
|
@@ -518,12 +518,12 @@ var AuthProvider = ({
|
|
|
518
518
|
state
|
|
519
519
|
});
|
|
520
520
|
yield authService.tokenExchange(code, state);
|
|
521
|
-
const clientStorage = new (0,
|
|
522
|
-
const user = yield
|
|
521
|
+
const clientStorage = new (0, _chunk2SAT3UFJjs.LocalStorageAdapter)();
|
|
522
|
+
const user = yield _chunk2SAT3UFJjs.getUser.call(void 0, clientStorage);
|
|
523
523
|
if (!user) {
|
|
524
524
|
throw new Error("Failed to get user info");
|
|
525
525
|
}
|
|
526
|
-
const userSession = new (0,
|
|
526
|
+
const userSession = new (0, _chunk2SAT3UFJjs.GenericUserSession)(clientStorage);
|
|
527
527
|
userSession.set(user);
|
|
528
528
|
onSignIn == null ? void 0 : onSignIn();
|
|
529
529
|
return authService.getSessionData();
|
|
@@ -571,13 +571,13 @@ var AuthProvider = ({
|
|
|
571
571
|
if (!pkceConsumer) {
|
|
572
572
|
return null;
|
|
573
573
|
}
|
|
574
|
-
return browserAuthenticationInitiator || new (0,
|
|
574
|
+
return browserAuthenticationInitiator || new (0, _chunk2SAT3UFJjs.BrowserAuthenticationInitiator)({
|
|
575
575
|
pkceConsumer,
|
|
576
576
|
// generate and retrieve the challenge client-side
|
|
577
577
|
clientId,
|
|
578
578
|
redirectUrl,
|
|
579
|
-
state:
|
|
580
|
-
scopes:
|
|
579
|
+
state: _chunk2SAT3UFJjs.generateState.call(void 0, useDisplayMode),
|
|
580
|
+
scopes: _chunk2SAT3UFJjs.DEFAULT_SCOPES,
|
|
581
581
|
displayMode: useDisplayMode,
|
|
582
582
|
oauthServer: config.oauthServer,
|
|
583
583
|
// the endpoints to use for the login (if not obtained from the auth server
|
|
@@ -653,7 +653,7 @@ var AuthProvider = ({
|
|
|
653
653
|
session,
|
|
654
654
|
setAuthResponseUrl,
|
|
655
655
|
iframeRef,
|
|
656
|
-
children: /* @__PURE__ */ _jsxruntime.jsx.call(void 0, TokenProvider, { children: /* @__PURE__ */ _jsxruntime.jsxs.call(void 0, UserProvider, { storage: new (0,
|
|
656
|
+
children: /* @__PURE__ */ _jsxruntime.jsx.call(void 0, TokenProvider, { children: /* @__PURE__ */ _jsxruntime.jsxs.call(void 0, UserProvider, { storage: new (0, _chunk2SAT3UFJjs.LocalStorageAdapter)(), children: [
|
|
657
657
|
modalIframe && !isInIframe && !(session == null ? void 0 : session.authenticated) && /* @__PURE__ */ _jsxruntime.jsx.call(void 0,
|
|
658
658
|
"div",
|
|
659
659
|
{
|
|
@@ -689,7 +689,7 @@ var CivicAuthProvider = (_a) => {
|
|
|
689
689
|
return /* @__PURE__ */ _jsxruntime.jsx.call(void 0, _reactquery.QueryClientProvider, { client: queryClient, children: /* @__PURE__ */ _jsxruntime.jsx.call(void 0,
|
|
690
690
|
AuthProvider,
|
|
691
691
|
_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, props), {
|
|
692
|
-
pkceConsumer: new (0,
|
|
692
|
+
pkceConsumer: new (0, _chunk2SAT3UFJjs.BrowserPublicClientPKCEProducer)(),
|
|
693
693
|
children
|
|
694
694
|
})
|
|
695
695
|
) });
|
|
@@ -766,11 +766,11 @@ var CivicNextAuthProvider = (_a) => {
|
|
|
766
766
|
]);
|
|
767
767
|
const user = useUserCookie();
|
|
768
768
|
const [redirectUrl, setRedirectUrl] = _react.useState.call(void 0, "");
|
|
769
|
-
const { clientId, oauthServer, callbackUrl, challengeUrl } =
|
|
769
|
+
const { clientId, oauthServer, callbackUrl, challengeUrl } = _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, );
|
|
770
770
|
_react.useEffect.call(void 0, () => {
|
|
771
771
|
if (typeof globalThis.window !== "undefined") {
|
|
772
772
|
const currentUrl = globalThis.window.location.href;
|
|
773
|
-
setRedirectUrl(
|
|
773
|
+
setRedirectUrl(_chunkEM4APQVYjs.resolveCallbackUrl.call(void 0, _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, ), currentUrl));
|
|
774
774
|
}
|
|
775
775
|
}, [callbackUrl]);
|
|
776
776
|
return /* @__PURE__ */ _jsxruntime.jsx.call(void 0, _reactquery.QueryClientProvider, { client: queryClient2, children: /* @__PURE__ */ _jsxruntime.jsx.call(void 0,
|
|
@@ -779,7 +779,7 @@ var CivicNextAuthProvider = (_a) => {
|
|
|
779
779
|
redirectUrl,
|
|
780
780
|
config: { oauthServer },
|
|
781
781
|
clientId,
|
|
782
|
-
pkceConsumer: new (0,
|
|
782
|
+
pkceConsumer: new (0, _chunk2SAT3UFJjs.ConfidentialClientPKCEConsumer)(challengeUrl),
|
|
783
783
|
children: /* @__PURE__ */ _jsxruntime.jsx.call(void 0, UserContext2.Provider, { value: user, children })
|
|
784
784
|
})
|
|
785
785
|
) });
|
|
@@ -881,7 +881,7 @@ var UserButton = ({
|
|
|
881
881
|
/* @__PURE__ */ _jsxruntime.jsxs.call(void 0,
|
|
882
882
|
"button",
|
|
883
883
|
{
|
|
884
|
-
className:
|
|
884
|
+
className: _chunk2SAT3UFJjs.cn.call(void 0,
|
|
885
885
|
"cac-flex cac-w-full cac-items-center cac-justify-between cac-gap-2 cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-text-neutral-500 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
|
|
886
886
|
className
|
|
887
887
|
),
|
|
@@ -920,7 +920,7 @@ var UserButton = ({
|
|
|
920
920
|
"button",
|
|
921
921
|
{
|
|
922
922
|
"data-testid": "sign-in-button",
|
|
923
|
-
className:
|
|
923
|
+
className: _chunk2SAT3UFJjs.cn.call(void 0,
|
|
924
924
|
"cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
|
|
925
925
|
className
|
|
926
926
|
),
|
|
@@ -941,7 +941,7 @@ var SignInButton = ({
|
|
|
941
941
|
"button",
|
|
942
942
|
{
|
|
943
943
|
"data-testid": "sign-in-button",
|
|
944
|
-
className:
|
|
944
|
+
className: _chunk2SAT3UFJjs.cn.call(void 0,
|
|
945
945
|
"cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
|
|
946
946
|
className
|
|
947
947
|
),
|
|
@@ -958,7 +958,7 @@ var SignOutButton = ({ className }) => {
|
|
|
958
958
|
return /* @__PURE__ */ _jsxruntime.jsx.call(void 0,
|
|
959
959
|
"button",
|
|
960
960
|
{
|
|
961
|
-
className:
|
|
961
|
+
className: _chunk2SAT3UFJjs.cn.call(void 0,
|
|
962
962
|
"cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
|
|
963
963
|
className
|
|
964
964
|
),
|
|
@@ -971,7 +971,7 @@ var SignOutButton = ({ className }) => {
|
|
|
971
971
|
// src/react/components/NextLogOut.tsx
|
|
972
972
|
|
|
973
973
|
var NextLogOut = ({ children }) => {
|
|
974
|
-
const config =
|
|
974
|
+
const config = _chunkEM4APQVYjs.resolveAuthConfig.call(void 0, );
|
|
975
975
|
const logoutUrl = `${config.logoutUrl}`;
|
|
976
976
|
return /* @__PURE__ */ _jsxruntime.jsx.call(void 0, "a", { href: logoutUrl, children });
|
|
977
977
|
};
|
package/dist/react.mjs
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
2
|
resolveAuthConfig,
|
|
3
3
|
resolveCallbackUrl
|
|
4
|
-
} from "./chunk-
|
|
4
|
+
} from "./chunk-3PEZMCN4.mjs";
|
|
5
5
|
import {
|
|
6
6
|
BrowserAuthenticationInitiator,
|
|
7
7
|
BrowserAuthenticationService,
|
|
@@ -15,7 +15,7 @@ import {
|
|
|
15
15
|
generateState,
|
|
16
16
|
getUser,
|
|
17
17
|
isWindowInIframe
|
|
18
|
-
} from "./chunk-
|
|
18
|
+
} from "./chunk-KHGGUCM6.mjs";
|
|
19
19
|
import {
|
|
20
20
|
__async,
|
|
21
21
|
__objRest,
|
package/dist/server.d.mts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { S as SessionData, U as User, a as UnknownObject, A as AuthStorage, E as Endpoints, O as OIDCTokenResponseBody } from './index-Bfi0hVMZ.mjs';
|
|
1
|
+
import { S as SessionData, U as User, a as UnknownObject, A as AuthStorage, E as Endpoints, O as OIDCTokenResponseBody, T as Tokens } from './index-Bfi0hVMZ.mjs';
|
|
2
2
|
import 'oslo/oauth2';
|
|
3
3
|
|
|
4
4
|
type SameSiteOption = "strict" | "lax" | "none";
|
|
@@ -46,7 +46,7 @@ declare function buildLoginUrl(config: Pick<AuthConfig, "oauthServer" | "clientI
|
|
|
46
46
|
nonce?: string;
|
|
47
47
|
}, storage: AuthStorage): Promise<URL>;
|
|
48
48
|
|
|
49
|
-
declare function getUser(storage: AuthStorage): Promise<User | null>;
|
|
49
|
+
declare function getUser(storage: AuthStorage): Promise<User<Tokens> | null>;
|
|
50
50
|
|
|
51
51
|
/**
|
|
52
52
|
* Refresh the current set of OIDC tokens
|
package/dist/server.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { S as SessionData, U as User, a as UnknownObject, A as AuthStorage, E as Endpoints, O as OIDCTokenResponseBody } from './index-Bfi0hVMZ.js';
|
|
1
|
+
import { S as SessionData, U as User, a as UnknownObject, A as AuthStorage, E as Endpoints, O as OIDCTokenResponseBody, T as Tokens } from './index-Bfi0hVMZ.js';
|
|
2
2
|
import 'oslo/oauth2';
|
|
3
3
|
|
|
4
4
|
type SameSiteOption = "strict" | "lax" | "none";
|
|
@@ -46,7 +46,7 @@ declare function buildLoginUrl(config: Pick<AuthConfig, "oauthServer" | "clientI
|
|
|
46
46
|
nonce?: string;
|
|
47
47
|
}, storage: AuthStorage): Promise<URL>;
|
|
48
48
|
|
|
49
|
-
declare function getUser(storage: AuthStorage): Promise<User | null>;
|
|
49
|
+
declare function getUser(storage: AuthStorage): Promise<User<Tokens> | null>;
|
|
50
50
|
|
|
51
51
|
/**
|
|
52
52
|
* Refresh the current set of OIDC tokens
|
package/dist/server.js
CHANGED
|
@@ -4,10 +4,10 @@
|
|
|
4
4
|
|
|
5
5
|
|
|
6
6
|
|
|
7
|
-
var
|
|
7
|
+
var _chunkZXULHA47js = require('./chunk-ZXULHA47.js');
|
|
8
8
|
|
|
9
9
|
|
|
10
|
-
var
|
|
10
|
+
var _chunk2SAT3UFJjs = require('./chunk-2SAT3UFJ.js');
|
|
11
11
|
require('./chunk-CRTRMMJ7.js');
|
|
12
12
|
|
|
13
13
|
|
|
@@ -16,5 +16,5 @@ require('./chunk-CRTRMMJ7.js');
|
|
|
16
16
|
|
|
17
17
|
|
|
18
18
|
|
|
19
|
-
exports.CookieStorage =
|
|
19
|
+
exports.CookieStorage = _chunkZXULHA47js.CookieStorage; exports.buildLoginUrl = _chunkZXULHA47js.buildLoginUrl; exports.getUser = _chunk2SAT3UFJjs.getUser; exports.isLoggedIn = _chunkZXULHA47js.isLoggedIn; exports.refreshTokens = _chunkZXULHA47js.refreshTokens; exports.resolveOAuthAccessCode = _chunkZXULHA47js.resolveOAuthAccessCode;
|
|
20
20
|
//# sourceMappingURL=server.js.map
|
package/dist/server.mjs
CHANGED
|
@@ -4,10 +4,10 @@ import {
|
|
|
4
4
|
isLoggedIn,
|
|
5
5
|
refreshTokens,
|
|
6
6
|
resolveOAuthAccessCode
|
|
7
|
-
} from "./chunk-
|
|
7
|
+
} from "./chunk-3MO4WWTJ.mjs";
|
|
8
8
|
import {
|
|
9
9
|
getUser
|
|
10
|
-
} from "./chunk-
|
|
10
|
+
} from "./chunk-KHGGUCM6.mjs";
|
|
11
11
|
import "./chunk-RGHW4PYM.mjs";
|
|
12
12
|
export {
|
|
13
13
|
CookieStorage,
|
package/package.json
CHANGED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/shared/types.ts","../src/shared/util.ts","../src/lib/oauth.ts","../src/utils.ts","../src/shared/UserSession.ts","../src/shared/session.ts","../src/constants.ts","../src/services/PKCE.ts","../src/browser/storage.ts","../src/services/AuthenticationService.ts","../src/lib/windowUtil.ts"],"sourcesContent":["export enum OAuthTokens {\n ID_TOKEN = \"id_token\",\n ACCESS_TOKEN = \"access_token\",\n REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum UserStorage {\n USER = \"user\",\n}\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n AuthStorage,\n Endpoints,\n JWTPayload,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport { OAuthTokens } from \"./types\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"./UserSession\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n) {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n const challenge = await config.pkceConsumer.getCodeChallenge();\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n console.log(\"Generated OAuth URL\", oAuthUrl.toString());\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n // TODO\n return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer,\n oauth2Client: OAuth2Client,\n oauthServer: string,\n endpoints: Endpoints,\n) {\n const codeVerifier = await pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n const tokens =\n await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n codeVerifier,\n });\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n\n return tokens;\n}\n\nexport function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n if (tokens.refresh_token)\n storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n Object.values(OAuthTokens).forEach((cookie) => {\n storage.set(cookie, \"\");\n });\n}\nexport function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n userSession.set(null);\n}\n\nexport function retrieveTokens(\n storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n const idToken = storage.get(OAuthTokens.ID_TOKEN);\n const accessToken = storage.get(OAuthTokens.ACCESS_TOKEN);\n const refreshToken = storage.get(OAuthTokens.REFRESH_TOKEN);\n\n if (!idToken || !accessToken) return null;\n\n return {\n id_token: idToken,\n access_token: accessToken,\n refresh_token: refreshToken ?? undefined,\n };\n}\n\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n endpoints: Endpoints,\n oauth2Client: OAuth2Client,\n issuer: string,\n): Promise<ParsedTokens> {\n const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n // validate the ID token\n const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.id_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n audience: oauth2Client.clientId,\n },\n );\n\n // validate the access token\n const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.access_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n },\n );\n\n return withoutUndefined({\n id_token: idTokenResponse.payload,\n access_token: accessTokenResponse.payload,\n refresh_token: tokens.refresh_token,\n });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n const issuerWithoutSlash = issuer.endsWith(\"/\")\n ? issuer.slice(0, issuer.length - 1)\n : issuer;\n\n const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n const openIdConfigResponse = await fetch(\n `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n );\n const openIdConfig =\n (await openIdConfigResponse.json()) as OpenIdConfiguration;\n return {\n jwks: openIdConfig.jwks_uri,\n auth: openIdConfig.authorization_endpoint,\n token: openIdConfig.token_endpoint,\n userinfo: openIdConfig.userinfo_endpoint,\n };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n const jsonString = JSON.stringify({\n uuid: uuid(),\n displayMode,\n });\n return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n state: string,\n sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n try {\n const jsonString = atob(state);\n return JSON.parse(jsonString).displayMode;\n } catch (e) {\n console.error(\"Failed to parse displayMode from state:\", state);\n return sessionDisplayMode;\n }\n};\n\nexport {\n getIssuerVariations,\n getOauthEndpoints,\n displayModeFromState,\n generateState,\n};\n","import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n // First we try to open a small popup window. It either returns a window object or null.\n const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n // If window.open() returns null, popup is definitely blocked\n if (!popup) {\n return true;\n }\n\n try {\n // Try to access a property of the popup to check if it's usable\n if (typeof popup.closed === \"undefined\") {\n throw new Error(\"Popup is blocked\");\n }\n } catch {\n // Accessing the popup's properties throws an error if the popup is blocked\n return true;\n }\n\n // Close the popup immediately if it was opened\n popup.close();\n return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n obj: T,\n): WithoutUndefined<T> => {\n const result = {} as WithoutUndefined<T>;\n\n for (const key in obj) {\n if (obj[key] !== undefined) {\n // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n // We use type assertion here\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n (result as any)[key] = obj[key];\n }\n }\n\n return result;\n};\n\nexport { cn, isPopupBlocked };\n","import { AuthStorage, User } from \"@/types\";\nimport { UserStorage } from \"./types\";\n\nexport interface UserSession {\n get(): User | null;\n set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n constructor(readonly storage: AuthStorage) {}\n\n get(): User | null {\n const user = this.storage.get(UserStorage.USER);\n return user ? JSON.parse(user) : null;\n }\n\n set(user: User | null): void {\n const value = user ? JSON.stringify(user) : \"\";\n this.storage.set(UserStorage.USER, value);\n }\n}\n","import { retrieveTokens } from \"@/shared/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport { AuthStorage, User } from \"@/types.js\";\n\nexport async function getUser(storage: AuthStorage): Promise<User | null> {\n const tokens = retrieveTokens(storage);\n if (!tokens) return null;\n\n // Assumes all information is in the ID token\n return (parseJWT(tokens.id_token)?.payload as User) ?? null;\n}\n","const DEFAULT_SCOPES = [\n \"openid\",\n \"profile\",\n \"email\",\n \"forwardedTokens\",\n \"offline_access\",\n];\nconst IFRAME_ID = \"civic-auth-iframe\";\n\nconst AUTH_SERVER = \"https://auth-dev.civic.com/oauth\";\n\nconst DEFAULT_OAUTH_GET_PARAMS = [\"code\", \"state\", \"iss\"];\n\nexport { DEFAULT_SCOPES, DEFAULT_OAUTH_GET_PARAMS, IFRAME_ID, AUTH_SERVER };\n","import { deriveCodeChallenge } from \"@/shared/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.ts\";\nimport { AuthStorage } from \"@/types\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n constructor(private pkceChallengeEndpoint: string) {}\n async getCodeChallenge(): Promise<string> {\n const response = await fetch(this.pkceChallengeEndpoint);\n const data = (await response.json()) as { challenge: string };\n return data.challenge;\n }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n constructor(private storage: AuthStorage) {}\n\n // if there is already a verifier, return it,\n // If not, create a new one and store it\n async getCodeChallenge(): Promise<string> {\n // let verifier = await this.getCodeVerifier();\n // if (!verifier) {\n const verifier = generateCodeVerifier();\n this.storage.set(\"code_verifier\", verifier);\n // }\n return deriveCodeChallenge(verifier);\n }\n // if there is already a verifier, return it,\n async getCodeVerifier(): Promise<string | null> {\n return this.storage.get(\"code_verifier\");\n }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n constructor() {\n super(new LocalStorageAdapter());\n }\n}\n","import { AuthStorage } from \"@/types\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n get(key: string): string {\n return localStorage.getItem(key) || \"\";\n }\n\n set(key: string, value: string): void {\n localStorage.setItem(key, value);\n }\n}\n","// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport {\n DisplayMode,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n clearTokens,\n clearUser,\n exchangeTokens,\n generateOauthLoginUrl,\n generateOauthLogoutUrl,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n validateOauth2Tokens,\n} from \"@/shared/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport {\n AuthenticationInitiator,\n AuthenticationResolver,\n PKCEConsumer,\n} from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n * ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n * ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n displayMode: DisplayMode;\n oauthServer: string;\n // the endpoints to use for the login (if not obtained from the auth server\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n // the nonce to use for the login\n nonce?: string;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and then use the display mode to decide how to send the user there\n async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n const url = await generateOauthLoginUrl(this.config);\n\n if (this.config.displayMode === \"iframe\") {\n if (!iframeRef)\n throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n iframeRef.setAttribute(\"src\", url.toString());\n }\n if (this.config.displayMode === \"redirect\") {\n window.location.href = url.toString();\n }\n if (this.config.displayMode === \"new_tab\") {\n window.open(url.toString(), \"_blank\");\n }\n return url;\n }\n\n async signOut(): Promise<URL> {\n const localStorage = new LocalStorageAdapter();\n clearTokens(localStorage);\n clearUser(localStorage);\n // TODO open the iframe or new tab etc: the logout URL is not currently\n // supported by on the oauth, so just clear state until then\n const url = await generateOauthLogoutUrl(this.config);\n return url;\n }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n oauthServer: string;\n nonce?: string;\n // the endpoints to use for the login (if not obtained from the auth server)\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and simply return the url\n async signIn(): Promise<URL> {\n return generateOauthLoginUrl(this.config);\n }\n\n async signOut(): Promise<URL> {\n return generateOauthLogoutUrl(this.config);\n }\n}\n\ntype BrowserAuthenticationConfig = {\n clientId: string;\n redirectUrl: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n // TODO WIP - perhaps we want to keep resolver and initiator separate here\n constructor(\n config: BrowserAuthenticationConfig,\n // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n ) {\n super({\n ...config,\n state: generateState(config.displayMode),\n // Store and retrieve the PKCE challenge in local storage\n pkceConsumer: pkceProducer,\n });\n }\n\n // TODO too much code duplication here between the browser and the server variant.\n // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n // function for generating an oauth2client from it\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.config.oauthServer,\n this.config.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.config.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.config.redirectUrl,\n },\n );\n\n return this;\n }\n\n // Two responsibilities:\n // 1. resolve the auth code to get the tokens (should use library code)\n // 2. store the tokens in local storage\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.config.oauthServer,\n this.endpoints!, // clean up types here to avoid the ! operator\n );\n\n storeTokens(new LocalStorageAdapter(), tokens);\n\n // cleanup the browser window if needed\n const parsedDisplayMode = displayModeFromState(\n state,\n this.config.displayMode,\n );\n\n if (parsedDisplayMode === \"new_tab\") {\n // Close the popup window\n window.close();\n } else if (parsedDisplayMode === \"redirect\") {\n // these are the default oAuth params that get added to the URL which we want to remove\n removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n }\n return tokens;\n }\n\n // Get the session data from local storage\n async getSessionData(): Promise<SessionData | null> {\n const storageData = retrieveTokens(new LocalStorageAdapter());\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n };\n }\n\n async validateExistingSession(): Promise<SessionData> {\n try {\n const sessionData = await this.getSessionData();\n if (!sessionData?.idToken || !sessionData.accessToken) {\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n if (!this.endpoints || !this.oauth2client) await this.init();\n\n // this function will throw if any of the tokens are invalid\n await validateOauth2Tokens(\n {\n access_token: sessionData.accessToken,\n id_token: sessionData.idToken,\n refresh_token: sessionData.refreshToken,\n },\n this.endpoints!,\n this.oauth2client!,\n this.config.oauthServer,\n );\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n }\n\n static async build(\n config: BrowserAuthenticationConfig,\n ): Promise<AuthenticationResolver> {\n const resolver = new BrowserAuthenticationService(config);\n await resolver.init();\n\n return resolver;\n }\n}\n","const isWindowInIframe = (window: Window): boolean => {\n if (typeof window !== \"undefined\") {\n // use the window width to determine if we're in an iframe or not\n try {\n if (window?.frameElement?.id === \"civic-auth-iframe\") {\n return true;\n }\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n } catch (_e) {\n // If we get an error, we're not in an iframe\n return false;\n }\n }\n return false;\n};\n\nconst removeParamsWithoutReload = (paramsToRemove: string[]) => {\n const url = new URL(window.location.href);\n paramsToRemove.forEach((param: string) => {\n url.searchParams.delete(param);\n });\n window.history.replaceState({}, \"\", url);\n};\n\nexport { isWindowInIframe, removeParamsWithoutReload };\n"],"mappings":";;;;;;;AAAO,IAAK,cAAL,kBAAKA,iBAAL;AACL,EAAAA,aAAA,cAAW;AACX,EAAAA,aAAA,kBAAe;AACf,EAAAA,aAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;;;ACWZ,SAAS,oBAAoB;;;ACV7B,SAAS,MAAM,YAAY;AAE3B,IAAM,sBAAsB,CAAC,WAA6B;AACxD,QAAM,qBAAqB,OAAO,SAAS,GAAG,IAC1C,OAAO,MAAM,GAAG,OAAO,SAAS,CAAC,IACjC;AAEJ,QAAM,kBAAkB,GAAG,kBAAkB;AAE7C,SAAO,CAAC,oBAAoB,eAAe;AAC7C;AAEA,IAAM,mBAAmB,CAAC,QACxB,IAAI,SAAS,GAAG,IAAI,MAAM,GAAG,GAAG;AAElC,IAAM,oBAAoB,CAAO,gBAA4C;AAC3E,QAAM,uBAAuB,MAAM;AAAA,IACjC,GAAG,iBAAiB,WAAW,CAAC;AAAA,EAClC;AACA,QAAM,eACH,MAAM,qBAAqB,KAAK;AACnC,SAAO;AAAA,IACL,MAAM,aAAa;AAAA,IACnB,MAAM,aAAa;AAAA,IACnB,OAAO,aAAa;AAAA,IACpB,UAAU,aAAa;AAAA,EACzB;AACF;AAOA,IAAM,gBAAgB,CAAC,gBAAqC;AAC1D,QAAM,aAAa,KAAK,UAAU;AAAA,IAChC,MAAM,KAAK;AAAA,IACX;AAAA,EACF,CAAC;AACD,SAAO,KAAK,UAAU;AACxB;AAQA,IAAM,uBAAuB,CAC3B,OACA,uBAC4B;AAC5B,MAAI;AACF,UAAM,aAAa,KAAK,KAAK;AAC7B,WAAO,KAAK,MAAM,UAAU,EAAE;AAAA,EAChC,SAAS,GAAG;AACV,YAAQ,MAAM,2CAA2C,KAAK;AAC9D,WAAO;AAAA,EACT;AACF;;;AD/CA,YAAY,UAAU;;;AEbtB,SAAS,YAA6B;AACtC,SAAS,eAAe;AAkCxB,IAAM,KAAK,IAAI,WAAyB;AACtC,SAAO,QAAQ,KAAK,MAAM,CAAC;AAC7B;AAUO,IAAM,mBAAmB,CAC9B,QACwB;AACxB,QAAM,SAAS,CAAC;AAEhB,aAAW,OAAO,KAAK;AACrB,QAAI,IAAI,GAAG,MAAM,QAAW;AAI1B,MAAC,OAAe,GAAG,IAAI,IAAI,GAAG;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AACT;;;ACtDO,IAAM,qBAAN,MAAgD;AAAA,EACrD,YAAqB,SAAsB;AAAtB;AAAA,EAAuB;AAAA,EAE5C,MAAmB;AACjB,UAAM,OAAO,KAAK,QAAQ,qBAAoB;AAC9C,WAAO,OAAO,KAAK,MAAM,IAAI,IAAI;AAAA,EACnC;AAAA,EAEA,IAAI,MAAyB;AAC3B,UAAM,QAAQ,OAAO,KAAK,UAAU,IAAI,IAAI;AAC5C,SAAK,QAAQ,uBAAsB,KAAK;AAAA,EAC1C;AACF;;;AHCA,SAAsB,oBACpB,cACA,SAA2B,QACV;AAAA;AACjB,QAAI,WAAW,SAAS;AACtB,cAAQ,KAAK,4CAA4C;AACzD,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,OAAO,QAAQ,OAAO,YAAY;AACxC,UAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,WAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,MAAM,CAAC,CAAC,EACvD,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AAAA,EACtB;AAAA;AAEA,SAAsB,0BACpB,IAEA;AAAA,6CAFA,aACA,oBAAwC,CAAC,GACzC;AACA,UAAM,YAAY,MAAM,kBAAkB,WAAW;AACrD,WAAO,kCACF,YACA;AAAA,EAEP;AAAA;AAEA,SAAsB,sBAAsB,QAU3B;AAAA;AACf,UAAM,YAAY,MAAM;AAAA,MACtB,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,UAAM,eAAe;AAAA,MACnB,OAAO;AAAA,MACP,OAAO;AAAA,MACP;AAAA,IACF;AACA,UAAM,YAAY,MAAM,OAAO,aAAa,iBAAiB;AAC7D,UAAM,WAAW,MAAM,aAAa,uBAAuB;AAAA,MACzD,OAAO,OAAO;AAAA,MACd,QAAQ,OAAO;AAAA,IACjB,CAAC;AAGD,aAAS,aAAa,OAAO,kBAAkB,SAAS;AACxD,aAAS,aAAa,OAAO,yBAAyB,MAAM;AAC5D,QAAI,OAAO,OAAO;AAEhB,eAAS,aAAa,OAAO,SAAS,OAAO,KAAK;AAAA,IACpD;AAEA,aAAS,aAAa,OAAO,UAAU,SAAS;AAEhD,YAAQ,IAAI,uBAAuB,SAAS,SAAS,CAAC;AACtD,WAAO;AAAA,EACT;AAAA;AAEA,SAAsB,uBAAuB,QAO5B;AAAA;AAEf,WAAO,IAAI,IAAI,kBAAkB;AAAA,EACnC;AAAA;AAEO,SAAS,kBACd,UACA,aACA,WACc;AACd,SAAO,IAAI,aAAa,UAAU,UAAU,MAAM,UAAU,OAAO;AAAA,IACjE,aAAa;AAAA,EACf,CAAC;AACH;AAEA,SAAsB,eACpB,MACA,OACA,cACA,cACA,aACA,WACA;AAAA;AACA,UAAM,eAAe,MAAM,aAAa,gBAAgB;AACxD,QAAI,CAAC,aAAc,OAAM,IAAI,MAAM,kCAAkC;AAErE,UAAM,SACJ,MAAM,aAAa,0BAAiD,MAAM;AAAA,MACxE;AAAA,IACF,CAAC;AAGH,QAAI;AACF,YAAM,qBAAqB,QAAQ,WAAW,cAAc,WAAW;AAAA,IACzE,SAAS,OAAO;AACd,cAAQ,MAAM,uBAAuB,EAAE,OAAO,OAAO,CAAC;AACtD,YAAM,IAAI;AAAA,QACR,kCAAmC,MAAgB,OAAO;AAAA,MAC5D;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAEO,SAAS,YACd,SACA,QACA;AAEA,UAAQ,+BAA0B,OAAO,QAAQ;AACjD,UAAQ,uCAA8B,OAAO,YAAY;AACzD,MAAI,OAAO;AACT,YAAQ,yCAA+B,OAAO,aAAa;AAC/D;AAEO,SAAS,YAAY,SAAsB;AAChD,SAAO,OAAO,WAAW,EAAE,QAAQ,CAAC,WAAW;AAC7C,YAAQ,IAAI,QAAQ,EAAE;AAAA,EACxB,CAAC;AACH;AACO,SAAS,UAAU,SAAsB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,OAAO;AAClD,cAAY,IAAI,IAAI;AACtB;AAEO,SAAS,eACd,SAC8B;AAC9B,QAAM,UAAU,QAAQ,6BAAwB;AAChD,QAAM,cAAc,QAAQ,qCAA4B;AACxD,QAAM,eAAe,QAAQ,uCAA6B;AAE1D,MAAI,CAAC,WAAW,CAAC,YAAa,QAAO;AAErC,SAAO;AAAA,IACL,UAAU;AAAA,IACV,cAAc;AAAA,IACd,eAAe,sCAAgB;AAAA,EACjC;AACF;AAEA,SAAsB,qBACpB,QACA,WACA,cACA,QACuB;AAAA;AACvB,UAAM,OAAY,wBAAmB,IAAI,IAAI,UAAU,IAAI,CAAC;AAG5D,UAAM,kBAAkB,MAAW;AAAA,MACjC,OAAO;AAAA,MACP;AAAA,MACA;AAAA,QACE,QAAQ,oBAAoB,MAAM;AAAA,QAClC,UAAU,aAAa;AAAA,MACzB;AAAA,IACF;AAGA,UAAM,sBAAsB,MAAW;AAAA,MACrC,OAAO;AAAA,MACP;AAAA,MACA;AAAA,QACE,QAAQ,oBAAoB,MAAM;AAAA,MACpC;AAAA,IACF;AAEA,WAAO,iBAAiB;AAAA,MACtB,UAAU,gBAAgB;AAAA,MAC1B,cAAc,oBAAoB;AAAA,MAClC,eAAe,OAAO;AAAA,IACxB,CAAC;AAAA,EACH;AAAA;;;AIjNA,SAAS,gBAAgB;AAGzB,SAAsB,QAAQ,SAA4C;AAAA;AAJ1E;AAKE,UAAM,SAAS,eAAe,OAAO;AACrC,QAAI,CAAC,OAAQ,QAAO;AAGpB,YAAQ,oBAAS,OAAO,QAAQ,MAAxB,mBAA2B,YAA3B,YAA+C;AAAA,EACzD;AAAA;;;ACVA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACA,IAAM,YAAY;AAElB,IAAM,cAAc;AAEpB,IAAM,2BAA2B,CAAC,QAAQ,SAAS,KAAK;;;ACVxD,SAAS,4BAA4B;;;ACC9B,IAAM,sBAAN,MAAiD;AAAA,EACtD,IAAI,KAAqB;AACvB,WAAO,aAAa,QAAQ,GAAG,KAAK;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,iBAAa,QAAQ,KAAK,KAAK;AAAA,EACjC;AACF;;;ADHO,IAAM,iCAAN,MAA6D;AAAA,EAClE,YAAoB,uBAA+B;AAA/B;AAAA,EAAgC;AAAA,EAC9C,mBAAoC;AAAA;AACxC,YAAM,WAAW,MAAM,MAAM,KAAK,qBAAqB;AACvD,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO,KAAK;AAAA,IACd;AAAA;AACF;AAGO,IAAM,kCAAN,MAA8D;AAAA,EACnE,YAAoB,SAAsB;AAAtB;AAAA,EAAuB;AAAA;AAAA;AAAA,EAIrC,mBAAoC;AAAA;AAGxC,YAAM,WAAW,qBAAqB;AACtC,WAAK,QAAQ,IAAI,iBAAiB,QAAQ;AAE1C,aAAO,oBAAoB,QAAQ;AAAA,IACrC;AAAA;AAAA;AAAA,EAEM,kBAA0C;AAAA;AAC9C,aAAO,KAAK,QAAQ,IAAI,eAAe;AAAA,IACzC;AAAA;AACF;AAGO,IAAM,kCAAN,cAA8C,gCAAgC;AAAA,EACnF,cAAc;AACZ,UAAM,IAAI,oBAAoB,CAAC;AAAA,EACjC;AACF;;;AEpBA,SAAS,gBAAAC,qBAAoB;;;ACrB7B,IAAM,mBAAmB,CAACC,YAA4B;AAAtD;AACE,MAAI,OAAOA,YAAW,aAAa;AAEjC,QAAI;AACF,YAAI,KAAAA,WAAA,gBAAAA,QAAQ,iBAAR,mBAAsB,QAAO,qBAAqB;AACpD,eAAO;AAAA,MACT;AAAA,IAEF,SAAS,IAAI;AAEX,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAM,4BAA4B,CAAC,mBAA6B;AAC9D,QAAM,MAAM,IAAI,IAAI,OAAO,SAAS,IAAI;AACxC,iBAAe,QAAQ,CAAC,UAAkB;AACxC,QAAI,aAAa,OAAO,KAAK;AAAA,EAC/B,CAAC;AACD,SAAO,QAAQ,aAAa,CAAC,GAAG,IAAI,GAAG;AACzC;;;AD8BO,IAAM,iCAAN,MAAwE;AAAA,EAiB7E,YAAY,QAA4B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA,EAGM,OAAO,WAAmD;AAAA;AAC9D,YAAM,MAAM,MAAM,sBAAsB,KAAK,MAAM;AAEnD,UAAI,KAAK,OAAO,gBAAgB,UAAU;AACxC,YAAI,CAAC;AACH,gBAAM,IAAI,MAAM,gDAAgD;AAClE,kBAAU,aAAa,OAAO,IAAI,SAAS,CAAC;AAAA,MAC9C;AACA,UAAI,KAAK,OAAO,gBAAgB,YAAY;AAC1C,eAAO,SAAS,OAAO,IAAI,SAAS;AAAA,MACtC;AACA,UAAI,KAAK,OAAO,gBAAgB,WAAW;AACzC,eAAO,KAAK,IAAI,SAAS,GAAG,QAAQ;AAAA,MACtC;AACA,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,UAAwB;AAAA;AAC5B,YAAMC,gBAAe,IAAI,oBAAoB;AAC7C,kBAAYA,aAAY;AACxB,gBAAUA,aAAY;AAGtB,YAAM,MAAM,MAAM,uBAAuB,KAAK,MAAM;AACpD,aAAO;AAAA,IACT;AAAA;AACF;AAMO,IAAM,iCAAN,MAAwE;AAAA,EAc7E,YAAY,QAA4B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA,EAIM,SAAuB;AAAA;AAC3B,aAAO,sBAAsB,KAAK,MAAM;AAAA,IAC1C;AAAA;AAAA,EAEM,UAAwB;AAAA;AAC5B,aAAO,uBAAuB,KAAK,MAAM;AAAA,IAC3C;AAAA;AACF;AAeO,IAAM,+BAAN,MAAM,sCAAqC,+BAA+B;AAAA;AAAA,EAK/E,YACE,QAEU,eAAe,IAAI,gCAAgC,GAC7D;AACA,UAAM,iCACD,SADC;AAAA,MAEJ,OAAO,cAAc,OAAO,WAAW;AAAA;AAAA,MAEvC,cAAc;AAAA,IAChB,EAAC;AAPS;AAAA,EAQZ;AAAA;AAAA;AAAA;AAAA,EAKM,OAAsB;AAAA;AAE1B,WAAK,YAAY,MAAM;AAAA,QACrB,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,MACd;AACA,WAAK,eAAe,IAAIC;AAAA,QACtB,KAAK,OAAO;AAAA,QACZ,KAAK,UAAU;AAAA,QACf,KAAK,UAAU;AAAA,QACf;AAAA,UACE,aAAa,KAAK,OAAO;AAAA,QAC3B;AAAA,MACF;AAEA,aAAO;AAAA,IACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAKM,cACJ,MACA,OACgC;AAAA;AAChC,UAAI,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AACxC,YAAM,eAAe,MAAM,KAAK,aAAa,gBAAgB;AAC7D,UAAI,CAAC,aAAc,OAAM,IAAI,MAAM,oCAAoC;AAGvE,YAAM,SAAS,MAAM;AAAA,QACnB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA;AAAA,QACL,KAAK,OAAO;AAAA,QACZ,KAAK;AAAA;AAAA,MACP;AAEA,kBAAY,IAAI,oBAAoB,GAAG,MAAM;AAG7C,YAAM,oBAAoB;AAAA,QACxB;AAAA,QACA,KAAK,OAAO;AAAA,MACd;AAEA,UAAI,sBAAsB,WAAW;AAEnC,eAAO,MAAM;AAAA,MACf,WAAW,sBAAsB,YAAY;AAE3C,kCAA0B,wBAAwB;AAAA,MACpD;AACA,aAAO;AAAA,IACT;AAAA;AAAA;AAAA,EAGM,iBAA8C;AAAA;AAClD,YAAM,cAAc,eAAe,IAAI,oBAAoB,CAAC;AAE5D,UAAI,CAAC,YAAa,QAAO;AAEzB,aAAO;AAAA,QACL,eAAe,CAAC,CAAC,YAAY;AAAA,QAC7B,SAAS,YAAY;AAAA,QACrB,aAAa,YAAY;AAAA,QACzB,cAAc,YAAY;AAAA,MAC5B;AAAA,IACF;AAAA;AAAA,EAEM,0BAAgD;AAAA;AACpD,UAAI;AACF,cAAM,cAAc,MAAM,KAAK,eAAe;AAC9C,YAAI,EAAC,2CAAa,YAAW,CAAC,YAAY,aAAa;AACrD,gBAAM,yBAAyB,iCAAK,cAAL,EAAkB,eAAe,MAAM;AACtE,sBAAY,IAAI,oBAAoB,CAAC;AACrC,iBAAO;AAAA,QACT;AACA,YAAI,CAAC,KAAK,aAAa,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AAG3D,cAAM;AAAA,UACJ;AAAA,YACE,cAAc,YAAY;AAAA,YAC1B,UAAU,YAAY;AAAA,YACtB,eAAe,YAAY;AAAA,UAC7B;AAAA,UACA,KAAK;AAAA,UACL,KAAK;AAAA,UACL,KAAK,OAAO;AAAA,QACd;AACA,eAAO;AAAA,MACT,SAAS,OAAO;AACd,gBAAQ,KAAK,sCAAsC,KAAK;AACxD,cAAM,yBAAyB;AAAA,UAC7B,eAAe;AAAA,QACjB;AACA,oBAAY,IAAI,oBAAoB,CAAC;AACrC,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AAAA,EAEA,OAAa,MACX,QACiC;AAAA;AACjC,YAAM,WAAW,IAAI,8BAA6B,MAAM;AACxD,YAAM,SAAS,KAAK;AAEpB,aAAO;AAAA,IACT;AAAA;AACF;","names":["OAuthTokens","OAuth2Client","window","localStorage","OAuth2Client"]}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-YNLXRD5L.js","../src/shared/types.ts","../src/shared/util.ts","../src/lib/oauth.ts","../src/utils.ts","../src/shared/UserSession.ts","../src/shared/session.ts","../src/constants.ts","../src/services/PKCE.ts","../src/browser/storage.ts","../src/services/AuthenticationService.ts","../src/lib/windowUtil.ts"],"names":["OAuthTokens","OAuth2Client","window","localStorage"],"mappings":"AAAA;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACNO,IAAK,YAAA,kBAAL,CAAA,CAAKA,YAAAA,EAAAA,GAAL;AACL,EAAAA,YAAAA,CAAA,UAAA,EAAA,EAAW,UAAA;AACX,EAAAA,YAAAA,CAAA,cAAA,EAAA,EAAe,cAAA;AACf,EAAAA,YAAAA,CAAA,eAAA,EAAA,EAAgB,eAAA;AAHN,EAAA,OAAAA,YAAAA;AAAA,CAAA,CAAA,CAAA,YAAA,GAAA,CAAA,CAAA,CAAA;ADaZ;AACA;AEHA,qCAA6B;AFK7B;AACA;AGhBA,4BAA2B;AAE3B,IAAM,oBAAA,EAAsB,CAAC,MAAA,EAAA,GAA6B;AACxD,EAAA,MAAM,mBAAA,EAAqB,MAAA,CAAO,QAAA,CAAS,GAAG,EAAA,EAC1C,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,MAAA,CAAO,OAAA,EAAS,CAAC,EAAA,EACjC,MAAA;AAEJ,EAAA,MAAM,gBAAA,EAAkB,CAAA,EAAA;AAEhB,EAAA;AACV;AAE0B;AAGO;AACzB,EAAA;AACgB,IAAA;AACtB,EAAA;AAEG,EAAA;AACI,EAAA;AACc,IAAA;AACA,IAAA;AACC,IAAA;AACG,IAAA;AACzB,EAAA;AACF;AAOuB;AACG,EAAA;AACX,IAAA;AACX,IAAA;AACD,EAAA;AACqB,EAAA;AACxB;AAQ6B;AAIvB,EAAA;AACiB,IAAA;AACD,IAAA;AACR,EAAA;AACI,IAAA;AACP,IAAA;AACT,EAAA;AACF;AHP2B;AACA;AEzCL;AF2CK;AACA;AIzDW;AACd;AAkCgB;AAClB,EAAA;AACtB;AAWE;AAEgB,EAAA;AAEO,EAAA;AACJ,IAAA;AAIe,MAAA;AAChC,IAAA;AACF,EAAA;AAEO,EAAA;AACT;AJU2B;AACA;AKjEpB;AACsC,EAAA;AAAtB,IAAA;AAAuB,EAAA;AAEzB,EAAA;AACC,IAAA;AACC,IAAA;AACrB,EAAA;AAE6B,EAAA;AACN,IAAA;AACR,IAAA;AACf,EAAA;AACF;ALmE2B;AACA;AEnEL;AAGH,EAAA;AACF,IAAA;AACA,MAAA;AACN,MAAA;AACT,IAAA;AAEoB,IAAA;AACC,IAAA;AACA,IAAA;AACF,IAAA;AAIrB,EAAA;AAAA;AAEsB;AAGpB,EAAA;AACkB,IAAA;AACX,IAAA;AAIT,EAAA;AAAA;AAEsB;AAUL,EAAA;AACG,IAAA;AACT,MAAA;AACA,MAAA;AACT,IAAA;AACqB,IAAA;AACZ,MAAA;AACA,MAAA;AACP,MAAA;AACF,IAAA;AACkB,IAAA;AACK,IAAA;AACP,MAAA;AACC,MAAA;AAChB,IAAA;AAGqB,IAAA;AACA,IAAA;AACJ,IAAA;AAEP,MAAA;AACX,IAAA;AAEsB,IAAA;AAEV,IAAA;AACL,IAAA;AACT,EAAA;AAAA;AAEsB;AAOL,EAAA;AAEA,IAAA;AACjB,EAAA;AAAA;AAGE;AAIwB,EAAA;AACT,IAAA;AACd,EAAA;AACH;AAGE;AAMA,EAAA;AACqB,IAAA;AACF,IAAA;AAGX,IAAA;AACJ,MAAA;AACD,IAAA;AAGC,IAAA;AACI,MAAA;AACQ,IAAA;AACA,MAAA;AACJ,MAAA;AACR,QAAA;AACF,MAAA;AACF,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAGE;AAIQ,EAAA;AACA,EAAA;AACG,EAAA;AACD,IAAA;AACZ;AAE4B;AACD,EAAA;AACD,IAAA;AACvB,EAAA;AACH;AAC0B;AACA,EAAA;AACJ,EAAA;AACtB;AAGE;AAEwB,EAAA;AACJ,EAAA;AACC,EAAA;AAEJ,EAAA;AAEV,EAAA;AACK,IAAA;AACI,IAAA;AACC,IAAA;AACjB,EAAA;AACF;AAEsB;AAKG,EAAA;AACL,IAAA;AAGZ,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACE,QAAA;AACZ,MAAA;AACF,IAAA;AAGM,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACV,MAAA;AACF,IAAA;AAEO,IAAA;AACK,MAAA;AACI,MAAA;AACC,MAAA;AAChB,IAAA;AACH,EAAA;AAAA;AFE2B;AACA;AMpNF;AAGiD;AAAA,EAAA;AAJ1E,IAAA;AAKiB,IAAA;AACK,IAAA;AAGZ,IAAA;AACV,EAAA;AAAA;ANqN2B;AACA;AOhOJ;AACrB,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACF;AACkB;AAEE;AAEd;APgOqB;AACA;AQ3OlB;AR6OkB;AACA;AS7OpB;AACoB,EAAA;AACH,IAAA;AACtB,EAAA;AAEsC,EAAA;AACf,IAAA;AACvB,EAAA;AACF;AT8O2B;AACA;AQlPd;AACS,EAAA;AAAA,IAAA;AAAgC,EAAA;AACV,EAAA;AAAA,IAAA;AACvB,MAAA;AACG,MAAA;AACR,MAAA;AACd,IAAA;AAAA,EAAA;AACF;AAGa;AAC+B,EAAA;AAAtB,IAAA;AAAuB,EAAA;AAAA;AAAA;AAID,EAAA;AAAA,IAAA;AAGvB,MAAA;AACA,MAAA;AAEV,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAEgD,EAAA;AAAA,IAAA;AAC1B,MAAA;AACtB,IAAA;AAAA,EAAA;AACF;AAGa;AACG,EAAA;AACF,IAAA;AACZ,EAAA;AACF;ARsP2B;AACA;AU3QlBC;AV6QkB;AACA;AWnSDC;AAA1B,EAAA;AACwB,EAAA;AAEhB,IAAA;AACEA,MAAAA;AACK,QAAA;AACT,MAAA;AAEW,IAAA;AAEJ,MAAA;AACT,IAAA;AACF,EAAA;AACO,EAAA;AACT;AAEM;AACgB,EAAA;AACI,EAAA;AACL,IAAA;AAClB,EAAA;AACc,EAAA;AACjB;AXkS2B;AACA;AUrQd;AAiB6B,EAAA;AACxB,IAAA;AAChB,EAAA;AAAA;AAAA;AAGgE,EAAA;AAAA,IAAA;AAC5C,MAAA;AAEF,MAAA;AACT,QAAA;AACa,UAAA;AACR,QAAA;AACZ,MAAA;AACgB,MAAA;AACE,QAAA;AAClB,MAAA;AACgB,MAAA;AACE,QAAA;AAClB,MAAA;AACO,MAAA;AACT,IAAA;AAAA,EAAA;AAE8B,EAAA;AAAA,IAAA;AACtBC,MAAAA;AACMA,MAAAA;AACFA,MAAAA;AAGQ,MAAA;AACX,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AAMa;AAc6B,EAAA;AACxB,IAAA;AAChB,EAAA;AAAA;AAAA;AAI6B,EAAA;AAAA,IAAA;AACpB,MAAA;AACT,IAAA;AAAA,EAAA;AAE8B,EAAA;AAAA,IAAA;AACrB,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AAea;AAAoE;AAQnE,EAAA;AAEJ,IAAA;AAEiB,MAAA;AAAkB;AAEzB,MAAA;AACf,IAAA;AAPS,IAAA;AAQZ,EAAA;AAAA;AAAA;AAAA;AAK4B,EAAA;AAAA,IAAA;AAET,MAAA;AACH,QAAA;AACA,QAAA;AACd,MAAA;AACoB,MAAA;AACN,QAAA;AACG,QAAA;AACA,QAAA;AACf,QAAA;AACe,UAAA;AACf,QAAA;AACF,MAAA;AAEO,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAOE,EAAA;AACgC,IAAA;AACtB,MAAA;AACW,MAAA;AACF,MAAA;AAGE,MAAA;AACnB,QAAA;AACA,QAAA;AACK,QAAA;AACA,QAAA;AAAA;AACO,QAAA;AACP,QAAA;AAAA;AACP,MAAA;AAEgB,MAAA;AAGV,MAAA;AACJ,QAAA;AACY,QAAA;AACd,MAAA;AAEI,MAAA;AAEW,QAAA;AACJ,MAAA;AAET,QAAA;AACF,MAAA;AACO,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAGoD,EAAA;AAAA,IAAA;AAC9B,MAAA;AAEF,MAAA;AAEX,MAAA;AACY,QAAA;AACR,QAAA;AACI,QAAA;AACC,QAAA;AAChB,MAAA;AACF,IAAA;AAAA,EAAA;AAEM,EAAA;AAAgD,IAAA;AAChD,MAAA;AACI,QAAA;AACD,QAAA;AACG,UAAA;AACU,UAAA;AACT,UAAA;AACT,QAAA;AACU,QAAA;AAGJ,QAAA;AACJ,UAAA;AACgB,YAAA;AACJ,YAAA;AACK,YAAA;AACjB,UAAA;AACK,UAAA;AACA,UAAA;AACO,UAAA;AACd,QAAA;AACO,QAAA;AACO,MAAA;AACD,QAAA;AACP,QAAA;AACW,UAAA;AACjB,QAAA;AACgB,QAAA;AACT,QAAA;AACT,MAAA;AACF,IAAA;AAAA,EAAA;AAImC,EAAA;AAAA,IAAA;AACZ,MAAA;AACD,MAAA;AAEb,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AVqM2B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-YNLXRD5L.js","sourcesContent":[null,"export enum OAuthTokens {\n ID_TOKEN = \"id_token\",\n ACCESS_TOKEN = \"access_token\",\n REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum UserStorage {\n USER = \"user\",\n}\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n AuthStorage,\n Endpoints,\n JWTPayload,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport { OAuthTokens } from \"./types\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"./UserSession\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n) {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n const challenge = await config.pkceConsumer.getCodeChallenge();\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n console.log(\"Generated OAuth URL\", oAuthUrl.toString());\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n // TODO\n return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer,\n oauth2Client: OAuth2Client,\n oauthServer: string,\n endpoints: Endpoints,\n) {\n const codeVerifier = await pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n const tokens =\n await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n codeVerifier,\n });\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n\n return tokens;\n}\n\nexport function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n if (tokens.refresh_token)\n storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n Object.values(OAuthTokens).forEach((cookie) => {\n storage.set(cookie, \"\");\n });\n}\nexport function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n userSession.set(null);\n}\n\nexport function retrieveTokens(\n storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n const idToken = storage.get(OAuthTokens.ID_TOKEN);\n const accessToken = storage.get(OAuthTokens.ACCESS_TOKEN);\n const refreshToken = storage.get(OAuthTokens.REFRESH_TOKEN);\n\n if (!idToken || !accessToken) return null;\n\n return {\n id_token: idToken,\n access_token: accessToken,\n refresh_token: refreshToken ?? undefined,\n };\n}\n\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n endpoints: Endpoints,\n oauth2Client: OAuth2Client,\n issuer: string,\n): Promise<ParsedTokens> {\n const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n // validate the ID token\n const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.id_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n audience: oauth2Client.clientId,\n },\n );\n\n // validate the access token\n const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.access_token,\n JWKS,\n {\n issuer: getIssuerVariations(issuer),\n },\n );\n\n return withoutUndefined({\n id_token: idTokenResponse.payload,\n access_token: accessTokenResponse.payload,\n refresh_token: tokens.refresh_token,\n });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n const issuerWithoutSlash = issuer.endsWith(\"/\")\n ? issuer.slice(0, issuer.length - 1)\n : issuer;\n\n const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n const openIdConfigResponse = await fetch(\n `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n );\n const openIdConfig =\n (await openIdConfigResponse.json()) as OpenIdConfiguration;\n return {\n jwks: openIdConfig.jwks_uri,\n auth: openIdConfig.authorization_endpoint,\n token: openIdConfig.token_endpoint,\n userinfo: openIdConfig.userinfo_endpoint,\n };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n const jsonString = JSON.stringify({\n uuid: uuid(),\n displayMode,\n });\n return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n state: string,\n sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n try {\n const jsonString = atob(state);\n return JSON.parse(jsonString).displayMode;\n } catch (e) {\n console.error(\"Failed to parse displayMode from state:\", state);\n return sessionDisplayMode;\n }\n};\n\nexport {\n getIssuerVariations,\n getOauthEndpoints,\n displayModeFromState,\n generateState,\n};\n","import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n // First we try to open a small popup window. It either returns a window object or null.\n const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n // If window.open() returns null, popup is definitely blocked\n if (!popup) {\n return true;\n }\n\n try {\n // Try to access a property of the popup to check if it's usable\n if (typeof popup.closed === \"undefined\") {\n throw new Error(\"Popup is blocked\");\n }\n } catch {\n // Accessing the popup's properties throws an error if the popup is blocked\n return true;\n }\n\n // Close the popup immediately if it was opened\n popup.close();\n return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n obj: T,\n): WithoutUndefined<T> => {\n const result = {} as WithoutUndefined<T>;\n\n for (const key in obj) {\n if (obj[key] !== undefined) {\n // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n // We use type assertion here\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n (result as any)[key] = obj[key];\n }\n }\n\n return result;\n};\n\nexport { cn, isPopupBlocked };\n","import { AuthStorage, User } from \"@/types\";\nimport { UserStorage } from \"./types\";\n\nexport interface UserSession {\n get(): User | null;\n set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n constructor(readonly storage: AuthStorage) {}\n\n get(): User | null {\n const user = this.storage.get(UserStorage.USER);\n return user ? JSON.parse(user) : null;\n }\n\n set(user: User | null): void {\n const value = user ? JSON.stringify(user) : \"\";\n this.storage.set(UserStorage.USER, value);\n }\n}\n","import { retrieveTokens } from \"@/shared/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport { AuthStorage, User } from \"@/types.js\";\n\nexport async function getUser(storage: AuthStorage): Promise<User | null> {\n const tokens = retrieveTokens(storage);\n if (!tokens) return null;\n\n // Assumes all information is in the ID token\n return (parseJWT(tokens.id_token)?.payload as User) ?? null;\n}\n","const DEFAULT_SCOPES = [\n \"openid\",\n \"profile\",\n \"email\",\n \"forwardedTokens\",\n \"offline_access\",\n];\nconst IFRAME_ID = \"civic-auth-iframe\";\n\nconst AUTH_SERVER = \"https://auth-dev.civic.com/oauth\";\n\nconst DEFAULT_OAUTH_GET_PARAMS = [\"code\", \"state\", \"iss\"];\n\nexport { DEFAULT_SCOPES, DEFAULT_OAUTH_GET_PARAMS, IFRAME_ID, AUTH_SERVER };\n","import { deriveCodeChallenge } from \"@/shared/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.ts\";\nimport { AuthStorage } from \"@/types\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n constructor(private pkceChallengeEndpoint: string) {}\n async getCodeChallenge(): Promise<string> {\n const response = await fetch(this.pkceChallengeEndpoint);\n const data = (await response.json()) as { challenge: string };\n return data.challenge;\n }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n constructor(private storage: AuthStorage) {}\n\n // if there is already a verifier, return it,\n // If not, create a new one and store it\n async getCodeChallenge(): Promise<string> {\n // let verifier = await this.getCodeVerifier();\n // if (!verifier) {\n const verifier = generateCodeVerifier();\n this.storage.set(\"code_verifier\", verifier);\n // }\n return deriveCodeChallenge(verifier);\n }\n // if there is already a verifier, return it,\n async getCodeVerifier(): Promise<string | null> {\n return this.storage.get(\"code_verifier\");\n }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n constructor() {\n super(new LocalStorageAdapter());\n }\n}\n","import { AuthStorage } from \"@/types\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n get(key: string): string {\n return localStorage.getItem(key) || \"\";\n }\n\n set(key: string, value: string): void {\n localStorage.setItem(key, value);\n }\n}\n","// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport {\n DisplayMode,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n clearTokens,\n clearUser,\n exchangeTokens,\n generateOauthLoginUrl,\n generateOauthLogoutUrl,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n validateOauth2Tokens,\n} from \"@/shared/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport {\n AuthenticationInitiator,\n AuthenticationResolver,\n PKCEConsumer,\n} from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n * ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n * ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n displayMode: DisplayMode;\n oauthServer: string;\n // the endpoints to use for the login (if not obtained from the auth server\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n // the nonce to use for the login\n nonce?: string;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and then use the display mode to decide how to send the user there\n async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n const url = await generateOauthLoginUrl(this.config);\n\n if (this.config.displayMode === \"iframe\") {\n if (!iframeRef)\n throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n iframeRef.setAttribute(\"src\", url.toString());\n }\n if (this.config.displayMode === \"redirect\") {\n window.location.href = url.toString();\n }\n if (this.config.displayMode === \"new_tab\") {\n window.open(url.toString(), \"_blank\");\n }\n return url;\n }\n\n async signOut(): Promise<URL> {\n const localStorage = new LocalStorageAdapter();\n clearTokens(localStorage);\n clearUser(localStorage);\n // TODO open the iframe or new tab etc: the logout URL is not currently\n // supported by on the oauth, so just clear state until then\n const url = await generateOauthLogoutUrl(this.config);\n return url;\n }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n protected config: {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n oauthServer: string;\n nonce?: string;\n // the endpoints to use for the login (if not obtained from the auth server)\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n };\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and simply return the url\n async signIn(): Promise<URL> {\n return generateOauthLoginUrl(this.config);\n }\n\n async signOut(): Promise<URL> {\n return generateOauthLogoutUrl(this.config);\n }\n}\n\ntype BrowserAuthenticationConfig = {\n clientId: string;\n redirectUrl: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n // TODO WIP - perhaps we want to keep resolver and initiator separate here\n constructor(\n config: BrowserAuthenticationConfig,\n // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n ) {\n super({\n ...config,\n state: generateState(config.displayMode),\n // Store and retrieve the PKCE challenge in local storage\n pkceConsumer: pkceProducer,\n });\n }\n\n // TODO too much code duplication here between the browser and the server variant.\n // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n // function for generating an oauth2client from it\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.config.oauthServer,\n this.config.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.config.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.config.redirectUrl,\n },\n );\n\n return this;\n }\n\n // Two responsibilities:\n // 1. resolve the auth code to get the tokens (should use library code)\n // 2. store the tokens in local storage\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.config.oauthServer,\n this.endpoints!, // clean up types here to avoid the ! operator\n );\n\n storeTokens(new LocalStorageAdapter(), tokens);\n\n // cleanup the browser window if needed\n const parsedDisplayMode = displayModeFromState(\n state,\n this.config.displayMode,\n );\n\n if (parsedDisplayMode === \"new_tab\") {\n // Close the popup window\n window.close();\n } else if (parsedDisplayMode === \"redirect\") {\n // these are the default oAuth params that get added to the URL which we want to remove\n removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n }\n return tokens;\n }\n\n // Get the session data from local storage\n async getSessionData(): Promise<SessionData | null> {\n const storageData = retrieveTokens(new LocalStorageAdapter());\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n };\n }\n\n async validateExistingSession(): Promise<SessionData> {\n try {\n const sessionData = await this.getSessionData();\n if (!sessionData?.idToken || !sessionData.accessToken) {\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n if (!this.endpoints || !this.oauth2client) await this.init();\n\n // this function will throw if any of the tokens are invalid\n await validateOauth2Tokens(\n {\n access_token: sessionData.accessToken,\n id_token: sessionData.idToken,\n refresh_token: sessionData.refreshToken,\n },\n this.endpoints!,\n this.oauth2client!,\n this.config.oauthServer,\n );\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n clearTokens(new LocalStorageAdapter());\n return unAuthenticatedSession;\n }\n }\n\n static async build(\n config: BrowserAuthenticationConfig,\n ): Promise<AuthenticationResolver> {\n const resolver = new BrowserAuthenticationService(config);\n await resolver.init();\n\n return resolver;\n }\n}\n","const isWindowInIframe = (window: Window): boolean => {\n if (typeof window !== \"undefined\") {\n // use the window width to determine if we're in an iframe or not\n try {\n if (window?.frameElement?.id === \"civic-auth-iframe\") {\n return true;\n }\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n } catch (_e) {\n // If we get an error, we're not in an iframe\n return false;\n }\n }\n return false;\n};\n\nconst removeParamsWithoutReload = (paramsToRemove: string[]) => {\n const url = new URL(window.location.href);\n paramsToRemove.forEach((param: string) => {\n url.searchParams.delete(param);\n });\n window.history.replaceState({}, \"\", url);\n};\n\nexport { isWindowInIframe, removeParamsWithoutReload };\n"]}
|
|
File without changes
|
|
File without changes
|