@civic/auth 0.0.1-beta.18 → 0.0.1-beta.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +0 -26
- package/dist/chunk-5NUJ7LFF.mjs +17 -0
- package/dist/chunk-5NUJ7LFF.mjs.map +1 -0
- package/dist/chunk-KS7ERXGZ.js +481 -0
- package/dist/chunk-KS7ERXGZ.js.map +1 -0
- package/dist/chunk-NINRO7GS.js +209 -0
- package/dist/chunk-NINRO7GS.js.map +1 -0
- package/dist/chunk-NXBKSUKI.mjs +481 -0
- package/dist/chunk-NXBKSUKI.mjs.map +1 -0
- package/dist/chunk-T7HUHQ3J.mjs +209 -0
- package/dist/chunk-T7HUHQ3J.mjs.map +1 -0
- package/dist/chunk-WZLC5B4C.js +17 -0
- package/dist/chunk-WZLC5B4C.js.map +1 -0
- package/dist/index-DoDoIY_K.d.mts +79 -0
- package/dist/index-DoDoIY_K.d.ts +79 -0
- package/dist/index.css +70 -63
- package/dist/index.css.map +1 -1
- package/dist/index.d.mts +1 -3
- package/dist/index.d.ts +1 -3
- package/dist/nextjs.d.mts +11 -10
- package/dist/nextjs.d.ts +11 -10
- package/dist/nextjs.js +173 -62
- package/dist/nextjs.js.map +1 -1
- package/dist/nextjs.mjs +171 -60
- package/dist/nextjs.mjs.map +1 -1
- package/dist/react.d.mts +65 -39
- package/dist/react.d.ts +65 -39
- package/dist/react.js +212 -433
- package/dist/react.js.map +1 -1
- package/dist/react.mjs +235 -456
- package/dist/react.mjs.map +1 -1
- package/dist/server.d.mts +12 -13
- package/dist/server.d.ts +12 -13
- package/dist/server.js +186 -3
- package/dist/server.js.map +1 -1
- package/dist/server.mjs +192 -9
- package/dist/server.mjs.map +1 -1
- package/package.json +4 -4
- package/dist/chunk-5XL2ST72.mjs +0 -226
- package/dist/chunk-5XL2ST72.mjs.map +0 -1
- package/dist/chunk-G3P5TIO2.mjs +0 -708
- package/dist/chunk-G3P5TIO2.mjs.map +0 -1
- package/dist/chunk-RF23Q4V6.js +0 -708
- package/dist/chunk-RF23Q4V6.js.map +0 -1
- package/dist/chunk-SEKF2WZX.js +0 -226
- package/dist/chunk-SEKF2WZX.js.map +0 -1
- package/dist/index-DTimUlkB.d.ts +0 -17
- package/dist/index-DvjkKpkk.d.mts +0 -17
- package/dist/types-HdCjGldB.d.mts +0 -58
- package/dist/types-HdCjGldB.d.ts +0 -58
- package/dist/types-b4c1koXj.d.mts +0 -19
- package/dist/types-b4c1koXj.d.ts +0 -19
|
@@ -0,0 +1,209 @@
|
|
|
1
|
+
"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } }
|
|
2
|
+
|
|
3
|
+
|
|
4
|
+
var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
|
|
5
|
+
|
|
6
|
+
// src/utils.ts
|
|
7
|
+
var _clsx = require('clsx');
|
|
8
|
+
var _tailwindmerge = require('tailwind-merge');
|
|
9
|
+
var isPopupBlocked = () => {
|
|
10
|
+
const popup = window.open("", "", "width=1,height=1");
|
|
11
|
+
if (!popup) {
|
|
12
|
+
return true;
|
|
13
|
+
}
|
|
14
|
+
try {
|
|
15
|
+
if (typeof popup.closed === "undefined") {
|
|
16
|
+
throw new Error("Popup is blocked");
|
|
17
|
+
}
|
|
18
|
+
} catch (e) {
|
|
19
|
+
return true;
|
|
20
|
+
}
|
|
21
|
+
popup.close();
|
|
22
|
+
return false;
|
|
23
|
+
};
|
|
24
|
+
var cn = (...inputs) => {
|
|
25
|
+
return _tailwindmerge.twMerge.call(void 0, _clsx.clsx.call(void 0, inputs));
|
|
26
|
+
};
|
|
27
|
+
var withoutUndefined = (obj) => {
|
|
28
|
+
const result = {};
|
|
29
|
+
for (const key in obj) {
|
|
30
|
+
if (obj[key] !== void 0) {
|
|
31
|
+
result[key] = obj[key];
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
return result;
|
|
35
|
+
};
|
|
36
|
+
|
|
37
|
+
// src/shared/util.ts
|
|
38
|
+
var _oauth2 = require('oslo/oauth2');
|
|
39
|
+
|
|
40
|
+
// src/lib/oauth.ts
|
|
41
|
+
var _uuid = require('uuid');
|
|
42
|
+
var getIssuerVariations = (issuer) => {
|
|
43
|
+
const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
|
|
44
|
+
const issuerWithSlash = `${issuerWithoutSlash}/`;
|
|
45
|
+
return [issuerWithoutSlash, issuerWithSlash];
|
|
46
|
+
};
|
|
47
|
+
var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
|
|
48
|
+
var getOauthEndpoints = (oauthServer) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
|
|
49
|
+
const openIdConfigResponse = yield fetch(
|
|
50
|
+
`${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
|
|
51
|
+
);
|
|
52
|
+
const openIdConfig = yield openIdConfigResponse.json();
|
|
53
|
+
return {
|
|
54
|
+
jwks: openIdConfig.jwks_uri,
|
|
55
|
+
auth: openIdConfig.authorization_endpoint,
|
|
56
|
+
token: openIdConfig.token_endpoint,
|
|
57
|
+
userinfo: openIdConfig.userinfo_endpoint
|
|
58
|
+
};
|
|
59
|
+
});
|
|
60
|
+
var generateState = (displayMode) => {
|
|
61
|
+
const jsonString = JSON.stringify({
|
|
62
|
+
uuid: _uuid.v4.call(void 0, ),
|
|
63
|
+
displayMode
|
|
64
|
+
});
|
|
65
|
+
return btoa(jsonString);
|
|
66
|
+
};
|
|
67
|
+
var displayModeFromState = (state, sessionDisplayMode) => {
|
|
68
|
+
try {
|
|
69
|
+
const jsonString = btoa(state);
|
|
70
|
+
return JSON.parse(jsonString).displayMode;
|
|
71
|
+
} catch (e) {
|
|
72
|
+
console.error("Failed to parse displayMode from state:", state);
|
|
73
|
+
return sessionDisplayMode;
|
|
74
|
+
}
|
|
75
|
+
};
|
|
76
|
+
|
|
77
|
+
// src/shared/util.ts
|
|
78
|
+
var _jose = require('jose'); var jose = _interopRequireWildcard(_jose);
|
|
79
|
+
function deriveCodeChallenge(codeVerifier, method = "S256") {
|
|
80
|
+
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
81
|
+
if (method === "Plain") {
|
|
82
|
+
console.warn("Using insecure plain code challenge method");
|
|
83
|
+
return codeVerifier;
|
|
84
|
+
}
|
|
85
|
+
const encoder = new TextEncoder();
|
|
86
|
+
const data = encoder.encode(codeVerifier);
|
|
87
|
+
const digest = yield crypto.subtle.digest("SHA-256", data);
|
|
88
|
+
return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
|
|
89
|
+
});
|
|
90
|
+
}
|
|
91
|
+
function getEndpointsWithOverrides(_0) {
|
|
92
|
+
return _chunkCRTRMMJ7js.__async.call(void 0, this, arguments, function* (oauthServer, endpointOverrides = {}) {
|
|
93
|
+
const endpoints = yield getOauthEndpoints(oauthServer);
|
|
94
|
+
return _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, endpoints), endpointOverrides);
|
|
95
|
+
});
|
|
96
|
+
}
|
|
97
|
+
function generateOauthLoginUrl(config) {
|
|
98
|
+
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
99
|
+
const endpoints = yield getEndpointsWithOverrides(
|
|
100
|
+
config.oauthServer,
|
|
101
|
+
config.endpointOverrides
|
|
102
|
+
);
|
|
103
|
+
const oauth2Client = buildOauth2Client(
|
|
104
|
+
config.clientId,
|
|
105
|
+
config.redirectUrl,
|
|
106
|
+
endpoints
|
|
107
|
+
);
|
|
108
|
+
const challenge = yield config.pkceConsumer.getCodeChallenge();
|
|
109
|
+
const oAuthUrl = yield oauth2Client.createAuthorizationURL({
|
|
110
|
+
state: config.state,
|
|
111
|
+
scopes: config.scopes
|
|
112
|
+
});
|
|
113
|
+
oAuthUrl.searchParams.append("code_challenge", challenge);
|
|
114
|
+
oAuthUrl.searchParams.append("code_challenge_method", "S256");
|
|
115
|
+
return oAuthUrl;
|
|
116
|
+
});
|
|
117
|
+
}
|
|
118
|
+
function generateOauthLogoutUrl(config) {
|
|
119
|
+
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
120
|
+
return new URL("http://localhost");
|
|
121
|
+
});
|
|
122
|
+
}
|
|
123
|
+
function buildOauth2Client(clientId, redirectUri, endpoints) {
|
|
124
|
+
return new (0, _oauth2.OAuth2Client)(
|
|
125
|
+
clientId,
|
|
126
|
+
endpoints.auth,
|
|
127
|
+
endpoints.token,
|
|
128
|
+
// this
|
|
129
|
+
{ redirectURI: redirectUri }
|
|
130
|
+
);
|
|
131
|
+
}
|
|
132
|
+
function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
|
|
133
|
+
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
134
|
+
const codeVerifier = yield pkceProducer.getCodeVerifier();
|
|
135
|
+
if (!codeVerifier) throw new Error("Code verifier not found in state");
|
|
136
|
+
const tokens = yield oauth2Client.validateAuthorizationCode(code, {
|
|
137
|
+
codeVerifier
|
|
138
|
+
});
|
|
139
|
+
try {
|
|
140
|
+
yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
|
|
141
|
+
} catch (error) {
|
|
142
|
+
console.error("tokenExchange error", { error, tokens });
|
|
143
|
+
throw new Error(
|
|
144
|
+
`OIDC tokens validation failed: ${error.message}`
|
|
145
|
+
);
|
|
146
|
+
}
|
|
147
|
+
return tokens;
|
|
148
|
+
});
|
|
149
|
+
}
|
|
150
|
+
function storeTokens(storage, tokens) {
|
|
151
|
+
storage.set("id_token", tokens.id_token);
|
|
152
|
+
storage.set("access_token", tokens.access_token);
|
|
153
|
+
if (tokens.refresh_token) storage.set("refresh_token", tokens.refresh_token);
|
|
154
|
+
}
|
|
155
|
+
function retrieveTokens(storage) {
|
|
156
|
+
const idToken = storage.get("id_token");
|
|
157
|
+
const accessToken = storage.get("access_token");
|
|
158
|
+
const refreshToken = storage.get("refresh_token");
|
|
159
|
+
if (!idToken || !accessToken) return null;
|
|
160
|
+
return {
|
|
161
|
+
id_token: idToken,
|
|
162
|
+
access_token: accessToken,
|
|
163
|
+
refresh_token: refreshToken != null ? refreshToken : void 0
|
|
164
|
+
};
|
|
165
|
+
}
|
|
166
|
+
function validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer) {
|
|
167
|
+
return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
|
|
168
|
+
const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
|
|
169
|
+
const idTokenResponse = yield jose.jwtVerify(
|
|
170
|
+
tokens.id_token,
|
|
171
|
+
JWKS,
|
|
172
|
+
{
|
|
173
|
+
issuer: getIssuerVariations(oauthServer),
|
|
174
|
+
audience: oauth2Client.clientId
|
|
175
|
+
}
|
|
176
|
+
);
|
|
177
|
+
const accessTokenResponse = yield jose.jwtVerify(
|
|
178
|
+
tokens.access_token,
|
|
179
|
+
JWKS,
|
|
180
|
+
{
|
|
181
|
+
issuer: getIssuerVariations(oauthServer)
|
|
182
|
+
}
|
|
183
|
+
);
|
|
184
|
+
return withoutUndefined({
|
|
185
|
+
id_token: idTokenResponse.payload,
|
|
186
|
+
access_token: accessTokenResponse.payload,
|
|
187
|
+
refresh_token: tokens.refresh_token
|
|
188
|
+
});
|
|
189
|
+
});
|
|
190
|
+
}
|
|
191
|
+
|
|
192
|
+
|
|
193
|
+
|
|
194
|
+
|
|
195
|
+
|
|
196
|
+
|
|
197
|
+
|
|
198
|
+
|
|
199
|
+
|
|
200
|
+
|
|
201
|
+
|
|
202
|
+
|
|
203
|
+
|
|
204
|
+
|
|
205
|
+
|
|
206
|
+
|
|
207
|
+
|
|
208
|
+
exports.getOauthEndpoints = getOauthEndpoints; exports.generateState = generateState; exports.displayModeFromState = displayModeFromState; exports.isPopupBlocked = isPopupBlocked; exports.cn = cn; exports.withoutUndefined = withoutUndefined; exports.deriveCodeChallenge = deriveCodeChallenge; exports.getEndpointsWithOverrides = getEndpointsWithOverrides; exports.generateOauthLoginUrl = generateOauthLoginUrl; exports.generateOauthLogoutUrl = generateOauthLogoutUrl; exports.buildOauth2Client = buildOauth2Client; exports.exchangeTokens = exchangeTokens; exports.storeTokens = storeTokens; exports.retrieveTokens = retrieveTokens; exports.validateOauth2Tokens = validateOauth2Tokens;
|
|
209
|
+
//# sourceMappingURL=chunk-NINRO7GS.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-NINRO7GS.js","../src/utils.ts","../src/shared/util.ts","../src/lib/oauth.ts"],"names":[],"mappings":"AAAA;AACE;AACA;AACF,sDAA4B;AAC5B;AACA;ACLA,4BAAsC;AACtC,+CAAwB;AAUxB,IAAM,eAAA,EAAiB,CAAA,EAAA,GAAe;AAEpC,EAAA,MAAM,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,EAAA,EAAI,EAAA,EAAI,kBAAkB,CAAA;AAGpD,EAAA,GAAA,CAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AAEF,IAAA,GAAA,CAAI,OAAO,KAAA,CAAM,OAAA,IAAW,WAAA,EAAa;AACvC,MAAA,MAAM,IAAI,KAAA,CAAM,kBAAkB,CAAA;AAAA,IACpC;AAAA,EACF,EAAA,MAAA,CAAQ,CAAA,EAAA;AAEN,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,KAAA,CAAM,KAAA,CAAM,CAAA;AACZ,EAAA,OAAO,KAAA;AACT,CAAA;AAEA,IAAM,GAAA,EAAK,CAAA,GAAI,MAAA,EAAA,GAAyB;AACtC,EAAA,OAAO,oCAAA,wBAAQ,MAAW,CAAC,CAAA;AAC7B,CAAA;AAUO,IAAM,iBAAA,EAAmB,CAC9B,GAAA,EAAA,GACwB;AACxB,EAAA,MAAM,OAAA,EAAS,CAAC,CAAA;AAEhB,EAAA,IAAA,CAAA,MAAW,IAAA,GAAO,GAAA,EAAK;AACrB,IAAA,GAAA,CAAI,GAAA,CAAI,GAAG,EAAA,IAAM,KAAA,CAAA,EAAW;AAI1B,MAAC,MAAA,CAAe,GAAG,EAAA,EAAI,GAAA,CAAI,GAAG,CAAA;AAAA,IAChC;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT,CAAA;AD3BA;AACA;AE3BA,qCAA6B;AF6B7B;AACA;AGtCA,4BAA2B;AAE3B,IAAM,oBAAA,EAAsB,CAAC,MAAA,EAAA,GAA6B;AACxD,EAAA,MAAM,mBAAA,EAAqB,MAAA,CAAO,QAAA,CAAS,GAAG,EAAA,EAC1C,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,MAAA,CAAO,OAAA,EAAS,CAAC,EAAA,EACjC,MAAA;AAEJ,EAAA,MAAM,gBAAA,EAAkB,CAAA,EAAA;AAEhB,EAAA;AACV;AAE0B;AAGO;AACzB,EAAA;AACgB,IAAA;AACtB,EAAA;AAEG,EAAA;AACI,EAAA;AACc,IAAA;AACA,IAAA;AACC,IAAA;AACG,IAAA;AACzB,EAAA;AACF;AAOuB;AACG,EAAA;AACX,IAAA;AACX,IAAA;AACD,EAAA;AAEqB,EAAA;AACxB;AAQ6B;AAIvB,EAAA;AACiB,IAAA;AAED,IAAA;AACR,EAAA;AACI,IAAA;AACP,IAAA;AACT,EAAA;AACF;AHa2B;AACA;AEjEL;AAQA;AAGH,EAAA;AACF,IAAA;AACA,MAAA;AACN,MAAA;AACT,IAAA;AAEoB,IAAA;AACC,IAAA;AACA,IAAA;AACF,IAAA;AAIrB,EAAA;AAAA;AAEsB;AAGpB,EAAA;AACkB,IAAA;AACX,IAAA;AAIT,EAAA;AAAA;AAEsB;AASL,EAAA;AACG,IAAA;AACT,MAAA;AACA,MAAA;AACT,IAAA;AACqB,IAAA;AACZ,MAAA;AACA,MAAA;AACP,MAAA;AACF,IAAA;AACkB,IAAA;AACK,IAAA;AACP,MAAA;AACC,MAAA;AAChB,IAAA;AAGqB,IAAA;AACA,IAAA;AACf,IAAA;AACT,EAAA;AAAA;AAEsB;AAOL,EAAA;AAEA,IAAA;AACjB,EAAA;AAAA;AAGE;AAIW,EAAA;AACT,IAAA;AACU,IAAA;AACA,IAAA;AAAA;AAEK,IAAA;AACjB,EAAA;AACF;AAGE;AAMA,EAAA;AACqB,IAAA;AACF,IAAA;AAGX,IAAA;AACJ,MAAA;AACD,IAAA;AAGC,IAAA;AACI,MAAA;AACQ,IAAA;AACA,MAAA;AACJ,MAAA;AACR,QAAA;AACF,MAAA;AACF,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAGE;AAIwB,EAAA;AACZ,EAAA;AACc,EAAA;AAC5B;AAGE;AAEwB,EAAA;AACJ,EAAA;AACC,EAAA;AAEJ,EAAA;AAEV,EAAA;AACK,IAAA;AACI,IAAA;AACC,IAAA;AACjB,EAAA;AACF;AAEsB;AAKG,EAAA;AACL,IAAA;AAGZ,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACE,QAAA;AACZ,MAAA;AACF,IAAA;AAGM,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACV,MAAA;AACF,IAAA;AAEO,IAAA;AACK,MAAA;AACI,MAAA;AACC,MAAA;AAChB,IAAA;AACH,EAAA;AAAA;AFF2B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-NINRO7GS.js","sourcesContent":[null,"import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n // First we try to open a small popup window. It either returns a window object or null.\n const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n // If window.open() returns null, popup is definitely blocked\n if (!popup) {\n return true;\n }\n\n try {\n // Try to access a property of the popup to check if it's usable\n if (typeof popup.closed === \"undefined\") {\n throw new Error(\"Popup is blocked\");\n }\n } catch {\n // Accessing the popup's properties throws an error if the popup is blocked\n return true;\n }\n\n // Close the popup immediately if it was opened\n popup.close();\n return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n obj: T,\n): WithoutUndefined<T> => {\n const result = {} as WithoutUndefined<T>;\n\n for (const key in obj) {\n if (obj[key] !== undefined) {\n // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n // We use type assertion here\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n (result as any)[key] = obj[key];\n }\n }\n\n return result;\n};\n\nexport { cn, isPopupBlocked };\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n Endpoints,\n JWTPayload,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { AuthStorage } from \"@/shared/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n) {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n const challenge = await config.pkceConsumer.getCodeChallenge();\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n // used to get the PKCE challenge\n pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n // TODO\n return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(\n clientId,\n endpoints.auth,\n endpoints.token,\n // this\n { redirectURI: redirectUri },\n );\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer,\n oauth2Client: OAuth2Client,\n oauthServer: string,\n endpoints: Endpoints,\n) {\n const codeVerifier = await pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n const tokens =\n await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n codeVerifier,\n });\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n\n return tokens;\n}\n\nexport function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n storage.set(\"id_token\", tokens.id_token);\n storage.set(\"access_token\", tokens.access_token);\n if (tokens.refresh_token) storage.set(\"refresh_token\", tokens.refresh_token);\n}\n\nexport function retrieveTokens(\n storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n const idToken = storage.get(\"id_token\");\n const accessToken = storage.get(\"access_token\");\n const refreshToken = storage.get(\"refresh_token\");\n\n if (!idToken || !accessToken) return null;\n\n return {\n id_token: idToken,\n access_token: accessToken,\n refresh_token: refreshToken ?? undefined,\n };\n}\n\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n endpoints: Endpoints,\n oauth2Client: OAuth2Client,\n oauthServer: string,\n): Promise<ParsedTokens> {\n const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n // validate the ID token\n const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.id_token,\n JWKS,\n {\n issuer: getIssuerVariations(oauthServer),\n audience: oauth2Client.clientId,\n },\n );\n\n // validate the access token\n const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n tokens.access_token,\n JWKS,\n {\n issuer: getIssuerVariations(oauthServer),\n },\n );\n\n return withoutUndefined({\n id_token: idTokenResponse.payload,\n access_token: accessTokenResponse.payload,\n refresh_token: tokens.refresh_token,\n });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n const issuerWithoutSlash = issuer.endsWith(\"/\")\n ? issuer.slice(0, issuer.length - 1)\n : issuer;\n\n const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n const openIdConfigResponse = await fetch(\n `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n );\n const openIdConfig =\n (await openIdConfigResponse.json()) as OpenIdConfiguration;\n return {\n jwks: openIdConfig.jwks_uri,\n auth: openIdConfig.authorization_endpoint,\n token: openIdConfig.token_endpoint,\n userinfo: openIdConfig.userinfo_endpoint,\n };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n const jsonString = JSON.stringify({\n uuid: uuid(),\n displayMode,\n });\n\n return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n state: string,\n sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n try {\n const jsonString = btoa(state);\n\n return JSON.parse(jsonString).displayMode;\n } catch (e) {\n console.error(\"Failed to parse displayMode from state:\", state);\n return sessionDisplayMode;\n }\n};\n\nexport {\n getIssuerVariations,\n getOauthEndpoints,\n displayModeFromState,\n generateState,\n};\n"]}
|