@civic/auth 0.0.1-beta.18 → 0.0.1-beta.2

package/dist/chunk-G3P5TIO2.mjs

@@ -1,708 +0,0 @@
-import {
-  __async,
-  __spreadProps,
-  __spreadValues
-} from "./chunk-RGHW4PYM.mjs";
-
-// src/shared/storage.ts
-var DEFAULT_COOKIE_DURATION = 60 * 15;
-var CookieStorage = class {
-  constructor(settings = {}) {
-    var _a, _b, _c, _d, _e;
-    this.settings = {
-      httpOnly: (_a = settings.httpOnly) != null ? _a : true,
-      secure: (_b = settings.secure) != null ? _b : true,
-      // the callback request comes the auth server
-      // 'lax' ensures the code_verifier cookie is sent with the request
-      sameSite: (_c = settings.sameSite) != null ? _c : "lax",
-      expires: (_d = settings.expires) != null ? _d : new Date(Date.now() + 1e3 * DEFAULT_COOKIE_DURATION),
-      path: (_e = settings.path) != null ? _e : "/"
-    };
-  }
-};
-
-// src/constants.ts
-var DEFAULT_SCOPES = [
-  "openid",
-  "profile",
-  "email",
-  "forwardedTokens",
-  "offline_access"
-];
-var IFRAME_ID = "civic-auth-iframe";
-var AUTH_SERVER = "https://auth-dev.civic.com/oauth";
-var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
-var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
-
-// src/shared/types.ts
-var OAuthTokens = /* @__PURE__ */ ((OAuthTokens2) => {
-  OAuthTokens2["ID_TOKEN"] = "id_token";
-  OAuthTokens2["ACCESS_TOKEN"] = "access_token";
-  OAuthTokens2["REFRESH_TOKEN"] = "refresh_token";
-  return OAuthTokens2;
-})(OAuthTokens || {});
-
-// src/shared/util.ts
-import { OAuth2Client } from "oslo/oauth2";
-
-// src/lib/oauth.ts
-import { v4 as uuid } from "uuid";
-var getIssuerVariations = (issuer) => {
-  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
-  const issuerWithSlash = `${issuerWithoutSlash}/`;
-  return [issuerWithoutSlash, issuerWithSlash];
-};
-var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
-var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
-  const openIdConfigResponse = yield fetch(
-    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
-  );
-  const openIdConfig = yield openIdConfigResponse.json();
-  return {
-    jwks: openIdConfig.jwks_uri,
-    auth: openIdConfig.authorization_endpoint,
-    token: openIdConfig.token_endpoint,
-    userinfo: openIdConfig.userinfo_endpoint
-  };
-});
-var generateState = (displayMode) => {
-  const jsonString = JSON.stringify({
-    uuid: uuid(),
-    displayMode
-  });
-  return btoa(jsonString);
-};
-var displayModeFromState = (state, sessionDisplayMode) => {
-  try {
-    const jsonString = atob(state);
-    return JSON.parse(jsonString).displayMode;
-  } catch (e) {
-    console.error("Failed to parse displayMode from state:", state);
-    return sessionDisplayMode;
-  }
-};
-
-// src/shared/util.ts
-import * as jose from "jose";
-
-// src/utils.ts
-import { clsx } from "clsx";
-import { twMerge } from "tailwind-merge";
-var cn = (...inputs) => {
-  return twMerge(clsx(inputs));
-};
-var withoutUndefined = (obj) => {
-  const result = {};
-  for (const key in obj) {
-    if (obj[key] !== void 0) {
-      result[key] = obj[key];
-    }
-  }
-  return result;
-};
-
-// src/lib/jwt.ts
-var convertForwardedTokenFormat = (inputTokens) => Object.fromEntries(
-  Object.entries(inputTokens).map(([source, tokens]) => [
-    source,
-    {
-      idToken: tokens == null ? void 0 : tokens.id_token,
-      accessToken: tokens == null ? void 0 : tokens.access_token,
-      refreshToken: tokens == null ? void 0 : tokens.refresh_token
-    }
-  ])
-);
-
-// src/shared/UserSession.ts
-var GenericUserSession = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  get() {
-    const user = this.storage.get("user" /* USER */);
-    return user ? JSON.parse(user) : null;
-  }
-  set(user) {
-    const forwardedTokens = (user == null ? void 0 : user.forwardedTokens) ? convertForwardedTokenFormat(user == null ? void 0 : user.forwardedTokens) : null;
-    const value = user ? JSON.stringify(__spreadProps(__spreadValues({}, user), { forwardedTokens })) : "";
-    this.storage.set("user" /* USER */, value);
-  }
-};
-
-// src/shared/util.ts
-function deriveCodeChallenge(codeVerifier, method = "S256") {
-  return __async(this, null, function* () {
-    if (method === "Plain") {
-      console.warn("Using insecure plain code challenge method");
-      return codeVerifier;
-    }
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const digest = yield crypto.subtle.digest("SHA-256", data);
-    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-  });
-}
-function getEndpointsWithOverrides(_0) {
-  return __async(this, arguments, function* (oauthServer, endpointOverrides = {}) {
-    const endpoints = yield getOauthEndpoints(oauthServer);
-    return __spreadValues(__spreadValues({}, endpoints), endpointOverrides);
-  });
-}
-function generateOauthLoginUrl(config) {
-  return __async(this, null, function* () {
-    const endpoints = yield getEndpointsWithOverrides(
-      config.oauthServer,
-      config.endpointOverrides
-    );
-    const oauth2Client = buildOauth2Client(
-      config.clientId,
-      config.redirectUrl,
-      endpoints
-    );
-    const challenge = yield config.pkceConsumer.getCodeChallenge();
-    const oAuthUrl = yield oauth2Client.createAuthorizationURL({
-      state: config.state,
-      scopes: config.scopes
-    });
-    oAuthUrl.searchParams.append("code_challenge", challenge);
-    oAuthUrl.searchParams.append("code_challenge_method", "S256");
-    if (config.nonce) {
-      oAuthUrl.searchParams.append("nonce", config.nonce);
-    }
-    oAuthUrl.searchParams.append("prompt", "consent");
-    console.log("Generated OAuth URL", oAuthUrl.toString());
-    return oAuthUrl;
-  });
-}
-function generateOauthLogoutUrl(config) {
-  return __async(this, null, function* () {
-    return new URL("http://localhost");
-  });
-}
-function buildOauth2Client(clientId, redirectUri, endpoints) {
-  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {
-    redirectURI: redirectUri
-  });
-}
-function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
-  return __async(this, null, function* () {
-    const codeVerifier = yield pkceProducer.getCodeVerifier();
-    if (!codeVerifier) throw new Error("Code verifier not found in state");
-    const tokens = yield oauth2Client.validateAuthorizationCode(code, {
-      codeVerifier
-    });
-    try {
-      yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
-    } catch (error) {
-      console.error("tokenExchange error", { error, tokens });
-      throw new Error(
-        `OIDC tokens validation failed: ${error.message}`
-      );
-    }
-    return tokens;
-  });
-}
-function storeTokens(storage, tokens) {
-  storage.set("id_token" /* ID_TOKEN */, tokens.id_token);
-  storage.set("access_token" /* ACCESS_TOKEN */, tokens.access_token);
-  if (tokens.refresh_token)
-    storage.set("refresh_token" /* REFRESH_TOKEN */, tokens.refresh_token);
-}
-function clearTokens(storage) {
-  Object.values(OAuthTokens).forEach((cookie) => {
-    storage.set(cookie, "");
-  });
-}
-function clearUser(storage) {
-  const userSession = new GenericUserSession(storage);
-  userSession.set(null);
-}
-function retrieveTokens(storage) {
-  const idToken = storage.get("id_token" /* ID_TOKEN */);
-  const accessToken = storage.get("access_token" /* ACCESS_TOKEN */);
-  const refreshToken = storage.get("refresh_token" /* REFRESH_TOKEN */);
-  if (!idToken || !accessToken) return null;
-  return {
-    id_token: idToken,
-    access_token: accessToken,
-    refresh_token: refreshToken != null ? refreshToken : void 0
-  };
-}
-function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
-  return __async(this, null, function* () {
-    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
-    const idTokenResponse = yield jose.jwtVerify(
-      tokens.id_token,
-      JWKS,
-      {
-        issuer: getIssuerVariations(issuer),
-        audience: oauth2Client.clientId
-      }
-    );
-    const accessTokenResponse = yield jose.jwtVerify(
-      tokens.access_token,
-      JWKS,
-      {
-        issuer: getIssuerVariations(issuer)
-      }
-    );
-    return withoutUndefined({
-      id_token: idTokenResponse.payload,
-      access_token: accessTokenResponse.payload,
-      refresh_token: tokens.refresh_token
-    });
-  });
-}
-
-// src/services/PKCE.ts
-import { generateCodeVerifier } from "oslo/oauth2";
-
-// src/browser/storage.ts
-var LocalStorageAdapter = class {
-  get(key) {
-    return localStorage.getItem(key) || "";
-  }
-  set(key, value) {
-    localStorage.setItem(key, value);
-  }
-};
-
-// src/services/PKCE.ts
-var ConfidentialClientPKCEConsumer = class {
-  constructor(pkceChallengeEndpoint) {
-    this.pkceChallengeEndpoint = pkceChallengeEndpoint;
-  }
-  getCodeChallenge() {
-    return __async(this, null, function* () {
-      const response = yield fetch(this.pkceChallengeEndpoint);
-      const data = yield response.json();
-      return data.challenge;
-    });
-  }
-};
-var GenericPublicClientPKCEProducer = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  // if there is already a verifier, return it,
-  // If not, create a new one and store it
-  getCodeChallenge() {
-    return __async(this, null, function* () {
-      const verifier = generateCodeVerifier();
-      this.storage.set("code_verifier", verifier);
-      return deriveCodeChallenge(verifier);
-    });
-  }
-  // if there is already a verifier, return it,
-  getCodeVerifier() {
-    return __async(this, null, function* () {
-      return this.storage.get("code_verifier");
-    });
-  }
-};
-var BrowserPublicClientPKCEProducer = class extends GenericPublicClientPKCEProducer {
-  constructor() {
-    super(new LocalStorageAdapter());
-  }
-};
-
-// src/services/AuthenticationService.ts
-import { OAuth2Client as OAuth2Client2 } from "oslo/oauth2";
-
-// src/lib/windowUtil.ts
-var isWindowInIframe = (window2) => {
-  var _a;
-  if (typeof window2 !== "undefined") {
-    try {
-      if (((_a = window2 == null ? void 0 : window2.frameElement) == null ? void 0 : _a.id) === "civic-auth-iframe") {
-        return true;
-      }
-    } catch (_e) {
-      return false;
-    }
-  }
-  return false;
-};
-var removeParamsWithoutReload = (paramsToRemove) => {
-  const url = new URL(window.location.href);
-  paramsToRemove.forEach((param) => {
-    url.searchParams.delete(param);
-  });
-  window.history.replaceState({}, "", url);
-};
-
-// src/services/AuthenticationService.ts
-var BrowserAuthenticationInitiator = class {
-  constructor(config) {
-    this.config = config;
-  }
-  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-  // and then use the display mode to decide how to send the user there
-  signIn(iframeRef) {
-    return __async(this, null, function* () {
-      const url = yield generateOauthLoginUrl(this.config);
-      if (this.config.displayMode === "iframe") {
-        if (!iframeRef)
-          throw new Error("iframeRef is required for displayMode 'iframe'");
-        iframeRef.setAttribute("src", url.toString());
-      }
-      if (this.config.displayMode === "redirect") {
-        window.location.href = url.toString();
-      }
-      if (this.config.displayMode === "new_tab") {
-        window.open(url.toString(), "_blank");
-      }
-      return url;
-    });
-  }
-  signOut() {
-    return __async(this, null, function* () {
-      const localStorage2 = new LocalStorageAdapter();
-      clearTokens(localStorage2);
-      clearUser(localStorage2);
-      const url = yield generateOauthLogoutUrl(this.config);
-      return url;
-    });
-  }
-};
-var GenericAuthenticationInitiator = class {
-  constructor(config) {
-    this.config = config;
-  }
-  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-  // and simply return the url
-  signIn() {
-    return __async(this, null, function* () {
-      return generateOauthLoginUrl(this.config);
-    });
-  }
-  signOut() {
-    return __async(this, null, function* () {
-      return generateOauthLogoutUrl(this.config);
-    });
-  }
-};
-var BrowserAuthenticationService = class _BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-  // TODO WIP - perhaps we want to keep resolver and initiator separate here
-  constructor(config, pkceProducer = new BrowserPublicClientPKCEProducer()) {
-    super(__spreadProps(__spreadValues({}, config), {
-      state: generateState(config.displayMode),
-      // Store and retrieve the PKCE challenge in local storage
-      pkceConsumer: pkceProducer
-    }));
-    this.pkceProducer = pkceProducer;
-  }
-  // TODO too much code duplication here between the browser and the server variant.
-  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
-  // function for generating an oauth2client from it
-  init() {
-    return __async(this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.config.oauthServer,
-        this.config.endpointOverrides
-      );
-      this.oauth2client = new OAuth2Client2(
-        this.config.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.config.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  // Two responsibilities:
-  // 1. resolve the auth code to get the tokens (should use library code)
-  // 2. store the tokens in local storage
-  tokenExchange(code, state) {
-    return __async(this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
-      if (!codeVerifier) throw new Error("Code verifier not found in storage");
-      const tokens = yield exchangeTokens(
-        code,
-        state,
-        this.pkceProducer,
-        this.oauth2client,
-        // clean up types here to avoid the ! operator
-        this.config.oauthServer,
-        this.endpoints
-        // clean up types here to avoid the ! operator
-      );
-      storeTokens(new LocalStorageAdapter(), tokens);
-      const parsedDisplayMode = displayModeFromState(
-        state,
-        this.config.displayMode
-      );
-      if (parsedDisplayMode === "new_tab") {
-        window.close();
-      } else if (parsedDisplayMode === "redirect") {
-        removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
-      }
-      return tokens;
-    });
-  }
-  // Get the session data from local storage
-  getSessionData() {
-    return __async(this, null, function* () {
-      const storageData = retrieveTokens(new LocalStorageAdapter());
-      if (!storageData) return null;
-      return {
-        authenticated: !!storageData.id_token,
-        idToken: storageData.id_token,
-        accessToken: storageData.access_token,
-        refreshToken: storageData.refresh_token
-      };
-    });
-  }
-  validateExistingSession() {
-    return __async(this, null, function* () {
-      try {
-        const sessionData = yield this.getSessionData();
-        if (!(sessionData == null ? void 0 : sessionData.idToken) || !sessionData.accessToken) {
-          const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
-          clearTokens(new LocalStorageAdapter());
-          return unAuthenticatedSession;
-        }
-        if (!this.endpoints || !this.oauth2client) yield this.init();
-        yield validateOauth2Tokens(
-          {
-            access_token: sessionData.accessToken,
-            id_token: sessionData.idToken,
-            refresh_token: sessionData.refreshToken
-          },
-          this.endpoints,
-          this.oauth2client,
-          this.config.oauthServer
-        );
-        return sessionData;
-      } catch (error) {
-        console.warn("Failed to validate existing tokens", error);
-        const unAuthenticatedSession = {
-          authenticated: false
-        };
-        clearTokens(new LocalStorageAdapter());
-        return unAuthenticatedSession;
-      }
-    });
-  }
-  static build(config) {
-    return __async(this, null, function* () {
-      const resolver = new _BrowserAuthenticationService(config);
-      yield resolver.init();
-      return resolver;
-    });
-  }
-};
-
-// src/server/ServerAuthenticationResolver.ts
-import { OAuth2Client as OAuth2Client3 } from "oslo/oauth2";
-var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
-  constructor(authConfig, storage, endpointOverrides) {
-    this.authConfig = authConfig;
-    this.storage = storage;
-    this.endpointOverrides = endpointOverrides;
-    this.pkceProducer = new GenericPublicClientPKCEProducer(storage);
-  }
-  validateExistingSession() {
-    throw new Error("Method not implemented.");
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.authConfig.oauthServer,
-        this.endpointOverrides
-      );
-      this.oauth2client = new OAuth2Client3(
-        this.authConfig.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.authConfig.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  tokenExchange(code, state) {
-    return __async(this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
-      if (!codeVerifier) throw new Error("Code verifier not found in storage");
-      const tokens = yield exchangeTokens(
-        code,
-        state,
-        this.pkceProducer,
-        this.oauth2client,
-        // clean up types here to avoid the ! operator
-        this.authConfig.oauthServer,
-        this.endpoints
-        // clean up types here to avoid the ! operator
-      );
-      storeTokens(this.storage, tokens);
-      return tokens;
-    });
-  }
-  getSessionData() {
-    return __async(this, null, function* () {
-      const storageData = retrieveTokens(this.storage);
-      if (!storageData) return null;
-      return {
-        authenticated: !!storageData.id_token,
-        idToken: storageData.id_token,
-        accessToken: storageData.access_token,
-        refreshToken: storageData.refresh_token
-      };
-    });
-  }
-  static build(authConfig, storage, endpointOverrides) {
-    return __async(this, null, function* () {
-      const resolver = new _ServerAuthenticationResolver(
-        authConfig,
-        storage,
-        endpointOverrides
-      );
-      yield resolver.init();
-      return resolver;
-    });
-  }
-};
-
-// src/server/login.ts
-function resolveOAuthAccessCode(code, state, storage, config) {
-  return __async(this, null, function* () {
-    var _a;
-    const authSessionService = yield ServerAuthenticationResolver.build(
-      __spreadProps(__spreadValues({}, config), {
-        oauthServer: (_a = config.oauthServer) != null ? _a : AUTH_SERVER
-      }),
-      storage,
-      config.endpointOverrides
-    );
-    return authSessionService.tokenExchange(code, state);
-  });
-}
-function isLoggedIn(storage) {
-  return !!storage.get("id_token");
-}
-function buildLoginUrl(config, storage) {
-  return __async(this, null, function* () {
-    var _a, _b, _c;
-    const state = (_a = config.state) != null ? _a : Math.random().toString(36).substring(2);
-    const scopes = (_b = config.scopes) != null ? _b : DEFAULT_SCOPES;
-    const pkceProducer = new GenericPublicClientPKCEProducer(storage);
-    const authInitiator = new GenericAuthenticationInitiator(__spreadProps(__spreadValues({}, config), {
-      state,
-      scopes,
-      oauthServer: (_c = config.oauthServer) != null ? _c : AUTH_SERVER,
-      // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session
-      pkceConsumer: pkceProducer
-    }));
-    return authInitiator.signIn();
-  });
-}
-
-// src/shared/session.ts
-import { parseJWT } from "oslo/jwt";
-function getUser(storage) {
-  return __async(this, null, function* () {
-    var _a, _b;
-    const tokens = retrieveTokens(storage);
-    if (!tokens) return null;
-    return (_b = (_a = parseJWT(tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
-  });
-}
-
-// src/shared/GenericAuthenticationRefresher.ts
-import { OAuth2Client as OAuth2Client4 } from "oslo/oauth2";
-var GenericAuthenticationRefresher = class _GenericAuthenticationRefresher {
-  constructor(authConfig, storage, endpointOverrides) {
-    this.authConfig = authConfig;
-    this.storage = storage;
-    this.endpointOverrides = endpointOverrides;
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.authConfig.oauthServer,
-        this.endpointOverrides
-      );
-      this.oauth2client = new OAuth2Client4(
-        this.authConfig.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.authConfig.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  static build(authConfig, storage, endpointOverrides) {
-    return __async(this, null, function* () {
-      const refresher = new _GenericAuthenticationRefresher(
-        authConfig,
-        storage,
-        endpointOverrides
-      );
-      yield refresher.init();
-      return refresher;
-    });
-  }
-  refreshTokens() {
-    return __async(this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const tokens = retrieveTokens(this.storage);
-      if (!(tokens == null ? void 0 : tokens.refresh_token)) throw new Error("No refresh token available");
-      const oauth2Client = this.oauth2client;
-      const refreshedTokens = yield oauth2Client.refreshAccessToken(
-        tokens.refresh_token
-      );
-      storeTokens(this.storage, refreshedTokens);
-      return tokens;
-    });
-  }
-};
-
-// src/server/refresh.ts
-function refreshTokens(storage, config) {
-  return __async(this, null, function* () {
-    var _a;
-    const refresher = yield GenericAuthenticationRefresher.build(
-      __spreadProps(__spreadValues({}, config), {
-        oauthServer: (_a = config.oauthServer) != null ? _a : AUTH_SERVER
-      }),
-      storage,
-      config.endpointOverrides
-    );
-    return refresher.refreshTokens();
-  });
-}
-
-export {
-  convertForwardedTokenFormat,
-  GenericUserSession,
-  DEFAULT_SCOPES,
-  IFRAME_ID,
-  TOKEN_EXCHANGE_TRIGGER_TEXT,
-  isWindowInIframe,
-  generateState,
-  cn,
-  withoutUndefined,
-  clearTokens,
-  retrieveTokens,
-  LocalStorageAdapter,
-  ConfidentialClientPKCEConsumer,
-  GenericPublicClientPKCEProducer,
-  BrowserPublicClientPKCEProducer,
-  BrowserAuthenticationInitiator,
-  BrowserAuthenticationService,
-  getUser,
-  CookieStorage,
-  resolveOAuthAccessCode,
-  isLoggedIn,
-  buildLoginUrl,
-  refreshTokens
-};
-//# sourceMappingURL=chunk-G3P5TIO2.mjs.map