@civic/auth 0.0.1-beta.19 → 0.0.1-beta.2

package/dist/chunk-HTTTZ2BP.mjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/shared/storage.ts","../src/server/ServerAuthenticationResolver.ts","../src/server/login.ts","../src/shared/GenericAuthenticationRefresher.ts","../src/server/refresh.ts"],"sourcesContent":["import { AuthStorage, SessionData, UnknownObject, User } from \"@/types.js\";\n\ntype SameSiteOption = \"strict\" | \"lax\" | \"none\";\n\nexport interface SessionStorage {\n  get(): SessionData;\n  getUser(): User<UnknownObject> | null;\n  set(data: Partial<SessionData>): void;\n  setUser(data: User<UnknownObject> | null): void;\n  clear(): void;\n}\n\nexport type CookieStorageSettings = {\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: SameSiteOption;\n  expires: Date;\n  path: string;\n};\n\nexport const DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes\n\nexport abstract class CookieStorage implements AuthStorage {\n  protected settings: CookieStorageSettings;\n  protected constructor(settings: Partial<CookieStorageSettings> = {}) {\n    this.settings = {\n      httpOnly: settings.httpOnly ?? true,\n      secure: settings.secure ?? true,\n      // the callback request comes the auth server\n      // 'lax' ensures the code_verifier cookie is sent with the request\n      sameSite: settings.sameSite ?? \"lax\",\n      expires:\n        settings.expires ??\n        new Date(Date.now() + 1000 * DEFAULT_COOKIE_DURATION),\n      path: settings.path ?? \"/\",\n    };\n  }\n  abstract get(key: string): string | null;\n  abstract set(key: string, value: string): void;\n}\n","import { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport {\n  AuthStorage,\n  Endpoints,\n  OIDCTokenResponseBody,\n  SessionData,\n} from \"@/types.js\";\nimport { AuthConfig } from \"@/server/config.js\";\nimport {\n  exchangeTokens,\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n} from \"@/shared/util.js\";\nimport { AuthenticationResolver, PKCEProducer } from \"@/services/types.ts\";\n\nexport class ServerAuthenticationResolver implements AuthenticationResolver {\n  private pkceProducer: PKCEProducer;\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  private constructor(\n    readonly authConfig: AuthConfig,\n    readonly storage: AuthStorage,\n    readonly endpointOverrides?: Partial<Endpoints>,\n  ) {\n    console.log(\"ServerAuthenticationResolver constructor\", {\n      authConfig,\n      storage,\n      endpointOverrides,\n    });\n    this.pkceProducer = new GenericPublicClientPKCEProducer(storage);\n  }\n  validateExistingSession(): Promise<SessionData> {\n    throw new Error(\"Method not implemented.\");\n  }\n\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.authConfig.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  async tokenExchange(\n    code: string,\n    state: string,\n  ): Promise<OIDCTokenResponseBody> {\n    if (!this.oauth2client) await this.init();\n    const codeVerifier = await this.pkceProducer.getCodeVerifier();\n    if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n    // exchange auth code for tokens\n    const tokens = await exchangeTokens(\n      code,\n      state,\n      this.pkceProducer,\n      this.oauth2client!, // clean up types here to avoid the ! operator\n      this.authConfig.oauthServer,\n      this.endpoints!, // clean up types here to avoid the ! operator\n    );\n\n    storeTokens(this.storage, tokens);\n\n    return tokens;\n  }\n\n  async getSessionData(): Promise<SessionData | null> {\n    const storageData = retrieveTokens(this.storage);\n\n    if (!storageData) return null;\n\n    return {\n      authenticated: !!storageData.id_token,\n      idToken: storageData.id_token,\n      accessToken: storageData.access_token,\n      refreshToken: storageData.refresh_token,\n    };\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<AuthenticationResolver> {\n    const resolver = new ServerAuthenticationResolver(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await resolver.init();\n\n    return resolver;\n  }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { AUTH_SERVER, DEFAULT_SCOPES } from \"@/constants.js\";\nimport { GenericAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport { AuthConfig } from \"@/server/config.ts\";\n/**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code, typically from a query parameter in the redirect url\n * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url\n * @param storage The place that this server uses to store session data (e.g. a cookie store)\n * @param config Oauth Server configuration\n */\nexport async function resolveOAuthAccessCode(\n  code: string,\n  state: string,\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const authSessionService = await ServerAuthenticationResolver.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return authSessionService.tokenExchange(code, state);\n}\n\nexport function isLoggedIn(storage: AuthStorage): boolean {\n  return !!storage.get(\"id_token\");\n}\n\nexport async function buildLoginUrl(\n  config: Pick<AuthConfig, \"oauthServer\" | \"clientId\" | \"redirectUrl\"> & {\n    scopes?: string[];\n    state?: string;\n    nonce?: string;\n  },\n  storage: AuthStorage,\n): Promise<URL> {\n  // generate a random state if not provided\n  const state = config.state ?? Math.random().toString(36).substring(2);\n  const scopes = config.scopes ?? DEFAULT_SCOPES;\n  const pkceProducer = new GenericPublicClientPKCEProducer(storage);\n  const authInitiator = new GenericAuthenticationInitiator({\n    ...config,\n    state,\n    scopes,\n    oauthServer: config.oauthServer ?? AUTH_SERVER,\n    // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session\n    pkceConsumer: pkceProducer,\n  });\n\n  return authInitiator.signIn();\n}\n","import { AuthenticationRefresher } from \"@/services/types.ts\";\nimport { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types\";\nimport {\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n} from \"@/shared/util.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\nimport { OAuth2Client } from \"oslo/oauth2\";\n\nexport class GenericAuthenticationRefresher implements AuthenticationRefresher {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  private constructor(\n    private authConfig: AuthConfig,\n    private storage: AuthStorage,\n    private endpointOverrides?: Partial<Endpoints>,\n  ) {\n    console.log(\"GenericAuthenticationRefresher constructor\", {\n      authConfig,\n      endpointOverrides,\n    });\n  }\n\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.authConfig.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<GenericAuthenticationRefresher> {\n    const refresher = new GenericAuthenticationRefresher(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await refresher.init();\n\n    return refresher;\n  }\n\n  async refreshTokens() {\n    if (!this.oauth2client) await this.init();\n\n    const tokens = retrieveTokens(this.storage);\n    if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n\n    const oauth2Client = this.oauth2client!;\n    const refreshedTokens =\n      await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n        tokens.refresh_token,\n      );\n\n    storeTokens(this.storage, refreshedTokens);\n\n    return tokens;\n  }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { AUTH_SERVER } from \"@/constants.js\";\nimport { GenericAuthenticationRefresher } from \"@/shared/GenericAuthenticationRefresher.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\n\n/**\n * Refresh the current set of OIDC tokens\n */\nexport async function refreshTokens(\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const refresher = await GenericAuthenticationRefresher.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return refresher.refreshTokens();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAoBO,IAAM,0BAA0B,KAAK;AAErC,IAAe,gBAAf,MAAoD;AAAA,EAE/C,YAAY,WAA2C,CAAC,GAAG;AAxBvE;AAyBI,SAAK,WAAW;AAAA,MACd,WAAU,cAAS,aAAT,YAAqB;AAAA,MAC/B,SAAQ,cAAS,WAAT,YAAmB;AAAA;AAAA;AAAA,MAG3B,WAAU,cAAS,aAAT,YAAqB;AAAA,MAC/B,UACE,cAAS,YAAT,YACA,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,uBAAuB;AAAA,MACtD,OAAM,cAAS,SAAT,YAAiB;AAAA,IACzB;AAAA,EACF;AAGF;;;ACtCA,SAAS,oBAAoB;AAgBtB,IAAM,+BAAN,MAAM,8BAA+D;AAAA,EAKlE,YACG,YACA,SACA,mBACT;AAHS;AACA;AACA;AAET,YAAQ,IAAI,4CAA4C;AAAA,MACtD;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,SAAK,eAAe,IAAI,gCAAgC,OAAO;AAAA,EACjE;AAAA,EACA,0BAAgD;AAC9C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAAA,EAEM,OAAsB;AAAA;AAE1B,WAAK,YAAY,MAAM;AAAA,QACrB,KAAK,WAAW;AAAA,QAChB,KAAK;AAAA,MACP;AACA,WAAK,eAAe,IAAI;AAAA,QACtB,KAAK,WAAW;AAAA,QAChB,KAAK,UAAU;AAAA,QACf,KAAK,UAAU;AAAA,QACf;AAAA,UACE,aAAa,KAAK,WAAW;AAAA,QAC/B;AAAA,MACF;AAEA,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,cACJ,MACA,OACgC;AAAA;AAChC,UAAI,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AACxC,YAAM,eAAe,MAAM,KAAK,aAAa,gBAAgB;AAC7D,UAAI,CAAC,aAAc,OAAM,IAAI,MAAM,oCAAoC;AAGvE,YAAM,SAAS,MAAM;AAAA,QACnB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA;AAAA,QACL,KAAK,WAAW;AAAA,QAChB,KAAK;AAAA;AAAA,MACP;AAEA,kBAAY,KAAK,SAAS,MAAM;AAEhC,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,iBAA8C;AAAA;AAClD,YAAM,cAAc,eAAe,KAAK,OAAO;AAE/C,UAAI,CAAC,YAAa,QAAO;AAEzB,aAAO;AAAA,QACL,eAAe,CAAC,CAAC,YAAY;AAAA,QAC7B,SAAS,YAAY;AAAA,QACrB,aAAa,YAAY;AAAA,QACzB,cAAc,YAAY;AAAA,MAC5B;AAAA,IACF;AAAA;AAAA,EAEA,OAAa,MACX,YACA,SACA,mBACiC;AAAA;AACjC,YAAM,WAAW,IAAI;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,YAAM,SAAS,KAAK;AAEpB,aAAO;AAAA,IACT;AAAA;AACF;;;AC7FA,SAAsB,uBACpB,MACA,OACA,SACA,QACgC;AAAA;AAlBlC;AAmBE,UAAM,qBAAqB,MAAM,6BAA6B;AAAA,MAC5D,iCACK,SADL;AAAA,QAEE,cAAa,YAAO,gBAAP,YAAsB;AAAA,MACrC;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IACT;AAEA,WAAO,mBAAmB,cAAc,MAAM,KAAK;AAAA,EACrD;AAAA;AAEO,SAAS,WAAW,SAA+B;AACxD,SAAO,CAAC,CAAC,QAAQ,IAAI,UAAU;AACjC;AAEA,SAAsB,cACpB,QAKA,SACc;AAAA;AA1ChB;AA4CE,UAAM,SAAQ,YAAO,UAAP,YAAgB,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,CAAC;AACpE,UAAM,UAAS,YAAO,WAAP,YAAiB;AAChC,UAAM,eAAe,IAAI,gCAAgC,OAAO;AAChE,UAAM,gBAAgB,IAAI,+BAA+B,iCACpD,SADoD;AAAA,MAEvD;AAAA,MACA;AAAA,MACA,cAAa,YAAO,gBAAP,YAAsB;AAAA;AAAA,MAEnC,cAAc;AAAA,IAChB,EAAC;AAED,WAAO,cAAc,OAAO;AAAA,EAC9B;AAAA;;;ACjDA,SAAS,gBAAAA,qBAAoB;AAEtB,IAAM,iCAAN,MAAM,gCAAkE;AAAA,EAIrE,YACE,YACA,SACA,mBACR;AAHQ;AACA;AACA;AAER,YAAQ,IAAI,8CAA8C;AAAA,MACxD;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEM,OAAsB;AAAA;AAE1B,WAAK,YAAY,MAAM;AAAA,QACrB,KAAK,WAAW;AAAA,QAChB,KAAK;AAAA,MACP;AACA,WAAK,eAAe,IAAIC;AAAA,QACtB,KAAK,WAAW;AAAA,QAChB,KAAK,UAAU;AAAA,QACf,KAAK,UAAU;AAAA,QACf;AAAA,UACE,aAAa,KAAK,WAAW;AAAA,QAC/B;AAAA,MACF;AAEA,aAAO;AAAA,IACT;AAAA;AAAA,EAEA,OAAa,MACX,YACA,SACA,mBACyC;AAAA;AACzC,YAAM,YAAY,IAAI;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,YAAM,UAAU,KAAK;AAErB,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,gBAAgB;AAAA;AACpB,UAAI,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AAExC,YAAM,SAAS,eAAe,KAAK,OAAO;AAC1C,UAAI,EAAC,iCAAQ,eAAe,OAAM,IAAI,MAAM,4BAA4B;AAExE,YAAM,eAAe,KAAK;AAC1B,YAAM,kBACJ,MAAM,aAAa;AAAA,QACjB,OAAO;AAAA,MACT;AAEF,kBAAY,KAAK,SAAS,eAAe;AAEzC,aAAO;AAAA,IACT;AAAA;AACF;;;AClEA,SAAsB,cACpB,SACA,QACgC;AAAA;AAXlC;AAYE,UAAM,YAAY,MAAM,+BAA+B;AAAA,MACrD,iCACK,SADL;AAAA,QAEE,cAAa,YAAO,gBAAP,YAAsB;AAAA,MACrC;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IACT;AAEA,WAAO,UAAU,cAAc;AAAA,EACjC;AAAA;","names":["OAuth2Client","OAuth2Client"]}

package/dist/chunk-O2SODTR3.js

@@ -1,599 +0,0 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } }
-
-
-
-var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
-
-// src/shared/types.ts
-var OAuthTokens = /* @__PURE__ */ ((OAuthTokens2) => {
-  OAuthTokens2["ID_TOKEN"] = "id_token";
-  OAuthTokens2["ACCESS_TOKEN"] = "access_token";
-  OAuthTokens2["REFRESH_TOKEN"] = "refresh_token";
-  return OAuthTokens2;
-})(OAuthTokens || {});
-
-// src/shared/util.ts
-var _oauth2 = require('oslo/oauth2');
-
-// src/lib/oauth.ts
-var _uuid = require('uuid');
-var getIssuerVariations = (issuer) => {
-  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
-  const issuerWithSlash = `${issuerWithoutSlash}/`;
-  return [issuerWithoutSlash, issuerWithSlash];
-};
-var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
-var getOauthEndpoints = (oauthServer) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const openIdConfigResponse = yield fetch(
-    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
-  );
-  const openIdConfig = yield openIdConfigResponse.json();
-  return {
-    jwks: openIdConfig.jwks_uri,
-    auth: openIdConfig.authorization_endpoint,
-    token: openIdConfig.token_endpoint,
-    userinfo: openIdConfig.userinfo_endpoint
-  };
-});
-var generateState = (displayMode, serverTokenExchange) => {
-  const jsonString = JSON.stringify(_chunkCRTRMMJ7js.__spreadValues.call(void 0, {
-    uuid: _uuid.v4.call(void 0, ),
-    displayMode
-  }, serverTokenExchange ? { serverTokenExchange } : {}));
-  return btoa(jsonString);
-};
-var displayModeFromState = (state, sessionDisplayMode) => {
-  try {
-    const jsonString = atob(state);
-    return JSON.parse(jsonString).displayMode;
-  } catch (e) {
-    console.error("Failed to parse displayMode from state:", state);
-    return sessionDisplayMode;
-  }
-};
-var serverTokenExchangeFromState = (state) => {
-  try {
-    const jsonString = atob(state);
-    return JSON.parse(jsonString).serverTokenExchange;
-  } catch (e) {
-    console.error("Failed to parse serverTokenExchange from state:", state);
-    return void 0;
-  }
-};
-
-// src/shared/util.ts
-var _jose = require('jose'); var jose = _interopRequireWildcard(_jose);
-
-// src/utils.ts
-var _clsx = require('clsx');
-var _tailwindmerge = require('tailwind-merge');
-var cn = (...inputs) => {
-  return _tailwindmerge.twMerge.call(void 0, _clsx.clsx.call(void 0, inputs));
-};
-var withoutUndefined = (obj) => {
-  const result = {};
-  for (const key in obj) {
-    if (obj[key] !== void 0) {
-      result[key] = obj[key];
-    }
-  }
-  return result;
-};
-
-// src/lib/jwt.ts
-var convertForwardedTokenFormat = (inputTokens) => Object.fromEntries(
-  Object.entries(inputTokens).map(([source, tokens]) => [
-    source,
-    {
-      idToken: tokens == null ? void 0 : tokens.id_token,
-      accessToken: tokens == null ? void 0 : tokens.access_token,
-      refreshToken: tokens == null ? void 0 : tokens.refresh_token
-    }
-  ])
-);
-
-// src/shared/UserSession.ts
-var GenericUserSession = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  get() {
-    const user = this.storage.get("user" /* USER */);
-    return user ? JSON.parse(user) : null;
-  }
-  set(user) {
-    const forwardedTokens = (user == null ? void 0 : user.forwardedTokens) ? convertForwardedTokenFormat(user == null ? void 0 : user.forwardedTokens) : null;
-    const value = user ? JSON.stringify(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user), { forwardedTokens })) : "";
-    this.storage.set("user" /* USER */, value);
-  }
-};
-
-// src/shared/util.ts
-function deriveCodeChallenge(codeVerifier, method = "S256") {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    if (method === "Plain") {
-      console.warn("Using insecure plain code challenge method");
-      return codeVerifier;
-    }
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const digest = yield crypto.subtle.digest("SHA-256", data);
-    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-  });
-}
-function getEndpointsWithOverrides(_0) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, arguments, function* (oauthServer, endpointOverrides = {}) {
-    const endpoints = yield getOauthEndpoints(oauthServer);
-    return _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, endpoints), endpointOverrides);
-  });
-}
-function generateOauthLoginUrl(config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const endpoints = yield getEndpointsWithOverrides(
-      config.oauthServer,
-      config.endpointOverrides
-    );
-    const oauth2Client = buildOauth2Client(
-      config.clientId,
-      config.redirectUrl,
-      endpoints
-    );
-    const challenge = yield config.pkceConsumer.getCodeChallenge();
-    const oAuthUrl = yield oauth2Client.createAuthorizationURL({
-      state: config.state,
-      scopes: config.scopes
-    });
-    oAuthUrl.searchParams.append("code_challenge", challenge);
-    oAuthUrl.searchParams.append("code_challenge_method", "S256");
-    if (config.nonce) {
-      oAuthUrl.searchParams.append("nonce", config.nonce);
-    }
-    oAuthUrl.searchParams.append("prompt", "consent");
-    console.log("Generated OAuth URL", oAuthUrl.toString());
-    return oAuthUrl;
-  });
-}
-function generateOauthLogoutUrl(config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    return new URL("http://localhost");
-  });
-}
-function buildOauth2Client(clientId, redirectUri, endpoints) {
-  return new (0, _oauth2.OAuth2Client)(clientId, endpoints.auth, endpoints.token, {
-    redirectURI: redirectUri
-  });
-}
-function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const codeVerifier = yield pkceProducer.getCodeVerifier();
-    if (!codeVerifier) throw new Error("Code verifier not found in state");
-    const tokens = yield oauth2Client.validateAuthorizationCode(code, {
-      codeVerifier
-    });
-    try {
-      yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
-    } catch (error) {
-      console.error("tokenExchange error", { error, tokens });
-      throw new Error(
-        `OIDC tokens validation failed: ${error.message}`
-      );
-    }
-    return tokens;
-  });
-}
-function storeTokens(storage, tokens) {
-  storage.set("id_token" /* ID_TOKEN */, tokens.id_token);
-  storage.set("access_token" /* ACCESS_TOKEN */, tokens.access_token);
-  if (tokens.refresh_token)
-    storage.set("refresh_token" /* REFRESH_TOKEN */, tokens.refresh_token);
-}
-function clearTokens(storage) {
-  Object.values(OAuthTokens).forEach((cookie) => {
-    storage.set(cookie, "");
-  });
-  Object.values("code_verifier" /* COOKIE_NAME */).forEach((cookie) => {
-    storage.set(cookie, "");
-  });
-}
-function clearUser(storage) {
-  const userSession = new GenericUserSession(storage);
-  userSession.set(null);
-}
-function retrieveTokens(storage) {
-  const idToken = storage.get("id_token" /* ID_TOKEN */);
-  const accessToken = storage.get("access_token" /* ACCESS_TOKEN */);
-  const refreshToken = storage.get("refresh_token" /* REFRESH_TOKEN */);
-  if (!idToken || !accessToken) return null;
-  return {
-    id_token: idToken,
-    access_token: accessToken,
-    refresh_token: refreshToken != null ? refreshToken : void 0
-  };
-}
-function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
-    const idTokenResponse = yield jose.jwtVerify(
-      tokens.id_token,
-      JWKS,
-      {
-        issuer: getIssuerVariations(issuer),
-        audience: oauth2Client.clientId
-      }
-    );
-    const accessTokenResponse = yield jose.jwtVerify(
-      tokens.access_token,
-      JWKS,
-      {
-        issuer: getIssuerVariations(issuer)
-      }
-    );
-    return withoutUndefined({
-      id_token: idTokenResponse.payload,
-      access_token: accessTokenResponse.payload,
-      refresh_token: tokens.refresh_token
-    });
-  });
-}
-
-// src/shared/session.ts
-var _jwt = require('oslo/jwt');
-function getUser(storage) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    var _a, _b;
-    const tokens = retrieveTokens(storage);
-    if (!tokens) return null;
-    return (_b = (_a = _jwt.parseJWT.call(void 0, tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
-  });
-}
-
-// src/constants.ts
-var DEFAULT_SCOPES = [
-  "openid",
-  "profile",
-  "email",
-  "forwardedTokens",
-  "offline_access"
-];
-var IFRAME_ID = "civic-auth-iframe";
-var AUTH_SERVER = "https://auth-dev.civic.com/oauth";
-var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
-var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
-var TOKEN_EXCHANGE_SUCCESS_TEXT = "serverSideTokenExchangeSuccess";
-
-// src/browser/storage.ts
-var LocalStorageAdapter = class {
-  get(key) {
-    return localStorage.getItem(key) || "";
-  }
-  set(key, value) {
-    localStorage.setItem(key, value);
-  }
-};
-
-// src/services/PKCE.ts
-
-var ConfidentialClientPKCEConsumer = class {
-  constructor(pkceChallengeEndpoint) {
-    this.pkceChallengeEndpoint = pkceChallengeEndpoint;
-  }
-  getCodeChallenge() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const response = yield fetch(this.pkceChallengeEndpoint);
-      const data = yield response.json();
-      return data.challenge;
-    });
-  }
-};
-var GenericPublicClientPKCEProducer = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  // if there is already a verifier, return it,
-  // If not, create a new one and store it
-  getCodeChallenge() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const verifier = _oauth2.generateCodeVerifier.call(void 0, );
-      this.storage.set("code_verifier" /* COOKIE_NAME */, verifier);
-      return deriveCodeChallenge(verifier);
-    });
-  }
-  // if there is already a verifier, return it,
-  getCodeVerifier() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      return this.storage.get("code_verifier" /* COOKIE_NAME */);
-    });
-  }
-};
-var BrowserPublicClientPKCEProducer = class extends GenericPublicClientPKCEProducer {
-  constructor() {
-    super(new LocalStorageAdapter());
-  }
-};
-
-// src/services/AuthenticationService.ts
-
-
-// src/services/types.ts
-var PopupError = class _PopupError extends Error {
-  constructor(message) {
-    super(message);
-    Object.setPrototypeOf(this, _PopupError.prototype);
-  }
-};
-
-// src/lib/windowUtil.ts
-var isWindowInIframe = (window2) => {
-  var _a;
-  if (typeof window2 !== "undefined") {
-    try {
-      if (((_a = window2 == null ? void 0 : window2.frameElement) == null ? void 0 : _a.id) === "civic-auth-iframe") {
-        return true;
-      }
-    } catch (_e) {
-      return false;
-    }
-  }
-  return false;
-};
-var removeParamsWithoutReload = (paramsToRemove) => {
-  const url = new URL(window.location.href);
-  paramsToRemove.forEach((param) => {
-    url.searchParams.delete(param);
-  });
-  try {
-    window.history.replaceState({}, "", url);
-  } catch (error) {
-    console.warn("window.history.replaceState failed", error);
-  }
-};
-
-// src/lib/postMessage.ts
-var validateLoginAppPostMessage = (event, clientId) => {
-  const caseEvent = event;
-  console.log("caseEvent", caseEvent);
-  if (!caseEvent.clientId || !caseEvent.data.url || !caseEvent.source || !caseEvent.type || caseEvent.clientId !== clientId || caseEvent.source !== "civicloginApp") {
-    return false;
-  }
-  return true;
-};
-
-// src/services/AuthenticationService.ts
-var BrowserAuthenticationInitiator = class {
-  constructor(config) {
-    this.postMessageHandler = null;
-    this.config = config;
-    console.log("BrowserAuthenticationInitiator constructor", this.config);
-  }
-  handleLoginAppPopupFailed(redirectUrl) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      console.warn(
-        "Login app popup failed open a popup, using redirect mode instead...",
-        redirectUrl
-      );
-      window.location.href = redirectUrl;
-    });
-  }
-  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-  // and then use the display mode to decide how to send the user there
-  signIn(iframeRef) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const url = yield generateOauthLoginUrl(this.config);
-      this.postMessageHandler = (event) => {
-        const thisURL = new URL(window.location.href);
-        if (event.origin.endsWith("civic.com") || thisURL.hostname === "localhost") {
-          if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {
-            console.log("Received invalid message from login app", event.data);
-            return;
-          }
-          const loginMessage = event.data;
-          console.log("Received message from login app", event.data);
-          this.handleLoginAppPopupFailed(loginMessage.data.url);
-        }
-      };
-      window.addEventListener("message", this.postMessageHandler);
-      if (this.config.displayMode === "iframe") {
-        if (!iframeRef)
-          throw new Error("iframeRef is required for displayMode 'iframe'");
-        iframeRef.setAttribute("src", url.toString());
-      }
-      if (this.config.displayMode === "redirect") {
-        window.location.href = url.toString();
-      }
-      if (this.config.displayMode === "new_tab") {
-        try {
-          const popupWindow = window.open(url.toString(), "_blank");
-          console.log("signIn", popupWindow);
-          if (!popupWindow) {
-            throw new PopupError("Failed to open popup window");
-          }
-        } catch (error) {
-          console.error("popupWindow", error);
-          throw new PopupError(
-            "window.open has thrown: Failed to open popup window"
-          );
-        }
-      }
-      return url;
-    });
-  }
-  signOut() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const localStorage2 = new LocalStorageAdapter();
-      clearTokens(localStorage2);
-      clearUser(localStorage2);
-      const url = yield generateOauthLogoutUrl(this.config);
-      return url;
-    });
-  }
-  cleanup() {
-    if (this.postMessageHandler) {
-      window.removeEventListener("message", this.postMessageHandler);
-    }
-  }
-};
-var GenericAuthenticationInitiator = class {
-  constructor(config) {
-    this.config = config;
-    console.log("GenericAuthenticationInitiator constructor", {
-      config
-    });
-  }
-  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-  // and simply return the url
-  signIn() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      return generateOauthLoginUrl(this.config);
-    });
-  }
-  signOut() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      return generateOauthLogoutUrl(this.config);
-    });
-  }
-};
-var BrowserAuthenticationService = class _BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-  // TODO WIP - perhaps we want to keep resolver and initiator separate here
-  constructor(config, pkceProducer = new BrowserPublicClientPKCEProducer()) {
-    console.log("BrowserAuthenticationService constructor", {
-      config
-    });
-    super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
-      state: generateState(config.displayMode),
-      // Store and retrieve the PKCE challenge in local storage
-      pkceConsumer: pkceProducer
-    }));
-    this.pkceProducer = pkceProducer;
-  }
-  // TODO too much code duplication here between the browser and the server variant.
-  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
-  // function for generating an oauth2client from it
-  init() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.config.oauthServer,
-        this.config.endpointOverrides
-      );
-      this.oauth2client = new (0, _oauth2.OAuth2Client)(
-        this.config.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.config.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  // Two responsibilities:
-  // 1. resolve the auth code to get the tokens (should use library code)
-  // 2. store the tokens in local storage
-  tokenExchange(code, state) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
-      if (!codeVerifier) throw new Error("Code verifier not found in storage");
-      const tokens = yield exchangeTokens(
-        code,
-        state,
-        this.pkceProducer,
-        this.oauth2client,
-        // clean up types here to avoid the ! operator
-        this.config.oauthServer,
-        this.endpoints
-        // clean up types here to avoid the ! operator
-      );
-      storeTokens(new LocalStorageAdapter(), tokens);
-      const parsedDisplayMode = displayModeFromState(
-        state,
-        this.config.displayMode
-      );
-      if (parsedDisplayMode === "new_tab") {
-        window.close();
-      }
-      removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
-      return tokens;
-    });
-  }
-  // Get the session data from local storage
-  getSessionData() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const storageData = retrieveTokens(new LocalStorageAdapter());
-      if (!storageData) return null;
-      return {
-        authenticated: !!storageData.id_token,
-        idToken: storageData.id_token,
-        accessToken: storageData.access_token,
-        refreshToken: storageData.refresh_token
-      };
-    });
-  }
-  validateExistingSession() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      try {
-        const sessionData = yield this.getSessionData();
-        if (!(sessionData == null ? void 0 : sessionData.idToken) || !sessionData.accessToken) {
-          const unAuthenticatedSession = _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, sessionData), { authenticated: false });
-          clearTokens(new LocalStorageAdapter());
-          return unAuthenticatedSession;
-        }
-        if (!this.endpoints || !this.oauth2client) yield this.init();
-        yield validateOauth2Tokens(
-          {
-            access_token: sessionData.accessToken,
-            id_token: sessionData.idToken,
-            refresh_token: sessionData.refreshToken
-          },
-          this.endpoints,
-          this.oauth2client,
-          this.config.oauthServer
-        );
-        return sessionData;
-      } catch (error) {
-        console.warn("Failed to validate existing tokens", error);
-        const unAuthenticatedSession = {
-          authenticated: false
-        };
-        clearTokens(new LocalStorageAdapter());
-        return unAuthenticatedSession;
-      }
-    });
-  }
-  static build(config) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const resolver = new _BrowserAuthenticationService(config);
-      yield resolver.init();
-      return resolver;
-    });
-  }
-};
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-exports.convertForwardedTokenFormat = convertForwardedTokenFormat; exports.GenericUserSession = GenericUserSession; exports.DEFAULT_SCOPES = DEFAULT_SCOPES; exports.IFRAME_ID = IFRAME_ID; exports.AUTH_SERVER = AUTH_SERVER; exports.TOKEN_EXCHANGE_TRIGGER_TEXT = TOKEN_EXCHANGE_TRIGGER_TEXT; exports.TOKEN_EXCHANGE_SUCCESS_TEXT = TOKEN_EXCHANGE_SUCCESS_TEXT; exports.isWindowInIframe = isWindowInIframe; exports.generateState = generateState; exports.serverTokenExchangeFromState = serverTokenExchangeFromState; exports.cn = cn; exports.withoutUndefined = withoutUndefined; exports.getEndpointsWithOverrides = getEndpointsWithOverrides; exports.exchangeTokens = exchangeTokens; exports.storeTokens = storeTokens; exports.clearTokens = clearTokens; exports.retrieveTokens = retrieveTokens; exports.LocalStorageAdapter = LocalStorageAdapter; exports.ConfidentialClientPKCEConsumer = ConfidentialClientPKCEConsumer; exports.GenericPublicClientPKCEProducer = GenericPublicClientPKCEProducer; exports.BrowserPublicClientPKCEProducer = BrowserPublicClientPKCEProducer; exports.PopupError = PopupError; exports.BrowserAuthenticationInitiator = BrowserAuthenticationInitiator; exports.GenericAuthenticationInitiator = GenericAuthenticationInitiator; exports.BrowserAuthenticationService = BrowserAuthenticationService; exports.getUser = getUser;
-//# sourceMappingURL=chunk-O2SODTR3.js.map