@civic/auth 0.0.1-beta.23 → 0.0.1-beta.24

package/dist/chunk-RF23Q4V6.js

@@ -0,0 +1,708 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } }
+
+
+
+var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
+
+// src/shared/storage.ts
+var DEFAULT_COOKIE_DURATION = 60 * 15;
+var CookieStorage = class {
+  constructor(settings = {}) {
+    var _a, _b, _c, _d, _e;
+    this.settings = {
+      httpOnly: (_a = settings.httpOnly) != null ? _a : true,
+      secure: (_b = settings.secure) != null ? _b : true,
+      // the callback request comes the auth server
+      // 'lax' ensures the code_verifier cookie is sent with the request
+      sameSite: (_c = settings.sameSite) != null ? _c : "lax",
+      expires: (_d = settings.expires) != null ? _d : new Date(Date.now() + 1e3 * DEFAULT_COOKIE_DURATION),
+      path: (_e = settings.path) != null ? _e : "/"
+    };
+  }
+};
+
+// src/constants.ts
+var DEFAULT_SCOPES = [
+  "openid",
+  "profile",
+  "email",
+  "forwardedTokens",
+  "offline_access"
+];
+var IFRAME_ID = "civic-auth-iframe";
+var AUTH_SERVER = "https://auth-dev.civic.com/oauth";
+var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
+var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
+
+// src/shared/types.ts
+var OAuthTokens = /* @__PURE__ */ ((OAuthTokens2) => {
+  OAuthTokens2["ID_TOKEN"] = "id_token";
+  OAuthTokens2["ACCESS_TOKEN"] = "access_token";
+  OAuthTokens2["REFRESH_TOKEN"] = "refresh_token";
+  return OAuthTokens2;
+})(OAuthTokens || {});
+
+// src/shared/util.ts
+var _oauth2 = require('oslo/oauth2');
+
+// src/lib/oauth.ts
+var _uuid = require('uuid');
+var getIssuerVariations = (issuer) => {
+  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
+  const issuerWithSlash = `${issuerWithoutSlash}/`;
+  return [issuerWithoutSlash, issuerWithSlash];
+};
+var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
+var getOauthEndpoints = (oauthServer) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
+  const openIdConfigResponse = yield fetch(
+    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
+  );
+  const openIdConfig = yield openIdConfigResponse.json();
+  return {
+    jwks: openIdConfig.jwks_uri,
+    auth: openIdConfig.authorization_endpoint,
+    token: openIdConfig.token_endpoint,
+    userinfo: openIdConfig.userinfo_endpoint
+  };
+});
+var generateState = (displayMode) => {
+  const jsonString = JSON.stringify({
+    uuid: _uuid.v4.call(void 0, ),
+    displayMode
+  });
+  return btoa(jsonString);
+};
+var displayModeFromState = (state, sessionDisplayMode) => {
+  try {
+    const jsonString = atob(state);
+    return JSON.parse(jsonString).displayMode;
+  } catch (e) {
+    console.error("Failed to parse displayMode from state:", state);
+    return sessionDisplayMode;
+  }
+};
+
+// src/shared/util.ts
+var _jose = require('jose'); var jose = _interopRequireWildcard(_jose);
+
+// src/utils.ts
+var _clsx = require('clsx');
+var _tailwindmerge = require('tailwind-merge');
+var cn = (...inputs) => {
+  return _tailwindmerge.twMerge.call(void 0, _clsx.clsx.call(void 0, inputs));
+};
+var withoutUndefined = (obj) => {
+  const result = {};
+  for (const key in obj) {
+    if (obj[key] !== void 0) {
+      result[key] = obj[key];
+    }
+  }
+  return result;
+};
+
+// src/lib/jwt.ts
+var convertForwardedTokenFormat = (inputTokens) => Object.fromEntries(
+  Object.entries(inputTokens).map(([source, tokens]) => [
+    source,
+    {
+      idToken: tokens == null ? void 0 : tokens.id_token,
+      accessToken: tokens == null ? void 0 : tokens.access_token,
+      refreshToken: tokens == null ? void 0 : tokens.refresh_token
+    }
+  ])
+);
+
+// src/shared/UserSession.ts
+var GenericUserSession = class {
+  constructor(storage) {
+    this.storage = storage;
+  }
+  get() {
+    const user = this.storage.get("user" /* USER */);
+    return user ? JSON.parse(user) : null;
+  }
+  set(user) {
+    const forwardedTokens = (user == null ? void 0 : user.forwardedTokens) ? convertForwardedTokenFormat(user == null ? void 0 : user.forwardedTokens) : null;
+    const value = user ? JSON.stringify(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user), { forwardedTokens })) : "";
+    this.storage.set("user" /* USER */, value);
+  }
+};
+
+// src/shared/util.ts
+function deriveCodeChallenge(codeVerifier, method = "S256") {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    if (method === "Plain") {
+      console.warn("Using insecure plain code challenge method");
+      return codeVerifier;
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = yield crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  });
+}
+function getEndpointsWithOverrides(_0) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, arguments, function* (oauthServer, endpointOverrides = {}) {
+    const endpoints = yield getOauthEndpoints(oauthServer);
+    return _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, endpoints), endpointOverrides);
+  });
+}
+function generateOauthLoginUrl(config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    const endpoints = yield getEndpointsWithOverrides(
+      config.oauthServer,
+      config.endpointOverrides
+    );
+    const oauth2Client = buildOauth2Client(
+      config.clientId,
+      config.redirectUrl,
+      endpoints
+    );
+    const challenge = yield config.pkceConsumer.getCodeChallenge();
+    const oAuthUrl = yield oauth2Client.createAuthorizationURL({
+      state: config.state,
+      scopes: config.scopes
+    });
+    oAuthUrl.searchParams.append("code_challenge", challenge);
+    oAuthUrl.searchParams.append("code_challenge_method", "S256");
+    if (config.nonce) {
+      oAuthUrl.searchParams.append("nonce", config.nonce);
+    }
+    oAuthUrl.searchParams.append("prompt", "consent");
+    console.log("Generated OAuth URL", oAuthUrl.toString());
+    return oAuthUrl;
+  });
+}
+function generateOauthLogoutUrl(config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    return new URL("http://localhost");
+  });
+}
+function buildOauth2Client(clientId, redirectUri, endpoints) {
+  return new (0, _oauth2.OAuth2Client)(clientId, endpoints.auth, endpoints.token, {
+    redirectURI: redirectUri
+  });
+}
+function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    const codeVerifier = yield pkceProducer.getCodeVerifier();
+    if (!codeVerifier) throw new Error("Code verifier not found in state");
+    const tokens = yield oauth2Client.validateAuthorizationCode(code, {
+      codeVerifier
+    });
+    try {
+      yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
+    } catch (error) {
+      console.error("tokenExchange error", { error, tokens });
+      throw new Error(
+        `OIDC tokens validation failed: ${error.message}`
+      );
+    }
+    return tokens;
+  });
+}
+function storeTokens(storage, tokens) {
+  storage.set("id_token" /* ID_TOKEN */, tokens.id_token);
+  storage.set("access_token" /* ACCESS_TOKEN */, tokens.access_token);
+  if (tokens.refresh_token)
+    storage.set("refresh_token" /* REFRESH_TOKEN */, tokens.refresh_token);
+}
+function clearTokens(storage) {
+  Object.values(OAuthTokens).forEach((cookie) => {
+    storage.set(cookie, "");
+  });
+}
+function clearUser(storage) {
+  const userSession = new GenericUserSession(storage);
+  userSession.set(null);
+}
+function retrieveTokens(storage) {
+  const idToken = storage.get("id_token" /* ID_TOKEN */);
+  const accessToken = storage.get("access_token" /* ACCESS_TOKEN */);
+  const refreshToken = storage.get("refresh_token" /* REFRESH_TOKEN */);
+  if (!idToken || !accessToken) return null;
+  return {
+    id_token: idToken,
+    access_token: accessToken,
+    refresh_token: refreshToken != null ? refreshToken : void 0
+  };
+}
+function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+    const idTokenResponse = yield jose.jwtVerify(
+      tokens.id_token,
+      JWKS,
+      {
+        issuer: getIssuerVariations(issuer),
+        audience: oauth2Client.clientId
+      }
+    );
+    const accessTokenResponse = yield jose.jwtVerify(
+      tokens.access_token,
+      JWKS,
+      {
+        issuer: getIssuerVariations(issuer)
+      }
+    );
+    return withoutUndefined({
+      id_token: idTokenResponse.payload,
+      access_token: accessTokenResponse.payload,
+      refresh_token: tokens.refresh_token
+    });
+  });
+}
+
+// src/services/PKCE.ts
+
+
+// src/browser/storage.ts
+var LocalStorageAdapter = class {
+  get(key) {
+    return localStorage.getItem(key) || "";
+  }
+  set(key, value) {
+    localStorage.setItem(key, value);
+  }
+};
+
+// src/services/PKCE.ts
+var ConfidentialClientPKCEConsumer = class {
+  constructor(pkceChallengeEndpoint) {
+    this.pkceChallengeEndpoint = pkceChallengeEndpoint;
+  }
+  getCodeChallenge() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const response = yield fetch(this.pkceChallengeEndpoint);
+      const data = yield response.json();
+      return data.challenge;
+    });
+  }
+};
+var GenericPublicClientPKCEProducer = class {
+  constructor(storage) {
+    this.storage = storage;
+  }
+  // if there is already a verifier, return it,
+  // If not, create a new one and store it
+  getCodeChallenge() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const verifier = _oauth2.generateCodeVerifier.call(void 0, );
+      this.storage.set("code_verifier", verifier);
+      return deriveCodeChallenge(verifier);
+    });
+  }
+  // if there is already a verifier, return it,
+  getCodeVerifier() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      return this.storage.get("code_verifier");
+    });
+  }
+};
+var BrowserPublicClientPKCEProducer = class extends GenericPublicClientPKCEProducer {
+  constructor() {
+    super(new LocalStorageAdapter());
+  }
+};
+
+// src/services/AuthenticationService.ts
+
+
+// src/lib/windowUtil.ts
+var isWindowInIframe = (window2) => {
+  var _a;
+  if (typeof window2 !== "undefined") {
+    try {
+      if (((_a = window2 == null ? void 0 : window2.frameElement) == null ? void 0 : _a.id) === "civic-auth-iframe") {
+        return true;
+      }
+    } catch (_e) {
+      return false;
+    }
+  }
+  return false;
+};
+var removeParamsWithoutReload = (paramsToRemove) => {
+  const url = new URL(window.location.href);
+  paramsToRemove.forEach((param) => {
+    url.searchParams.delete(param);
+  });
+  window.history.replaceState({}, "", url);
+};
+
+// src/services/AuthenticationService.ts
+var BrowserAuthenticationInitiator = class {
+  constructor(config) {
+    this.config = config;
+  }
+  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
+  // and then use the display mode to decide how to send the user there
+  signIn(iframeRef) {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const url = yield generateOauthLoginUrl(this.config);
+      if (this.config.displayMode === "iframe") {
+        if (!iframeRef)
+          throw new Error("iframeRef is required for displayMode 'iframe'");
+        iframeRef.setAttribute("src", url.toString());
+      }
+      if (this.config.displayMode === "redirect") {
+        window.location.href = url.toString();
+      }
+      if (this.config.displayMode === "new_tab") {
+        window.open(url.toString(), "_blank");
+      }
+      return url;
+    });
+  }
+  signOut() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const localStorage2 = new LocalStorageAdapter();
+      clearTokens(localStorage2);
+      clearUser(localStorage2);
+      const url = yield generateOauthLogoutUrl(this.config);
+      return url;
+    });
+  }
+};
+var GenericAuthenticationInitiator = class {
+  constructor(config) {
+    this.config = config;
+  }
+  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
+  // and simply return the url
+  signIn() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      return generateOauthLoginUrl(this.config);
+    });
+  }
+  signOut() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      return generateOauthLogoutUrl(this.config);
+    });
+  }
+};
+var BrowserAuthenticationService = class _BrowserAuthenticationService extends BrowserAuthenticationInitiator {
+  // TODO WIP - perhaps we want to keep resolver and initiator separate here
+  constructor(config, pkceProducer = new BrowserPublicClientPKCEProducer()) {
+    super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
+      state: generateState(config.displayMode),
+      // Store and retrieve the PKCE challenge in local storage
+      pkceConsumer: pkceProducer
+    }));
+    this.pkceProducer = pkceProducer;
+  }
+  // TODO too much code duplication here between the browser and the server variant.
+  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
+  // function for generating an oauth2client from it
+  init() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      this.endpoints = yield getEndpointsWithOverrides(
+        this.config.oauthServer,
+        this.config.endpointOverrides
+      );
+      this.oauth2client = new (0, _oauth2.OAuth2Client)(
+        this.config.clientId,
+        this.endpoints.auth,
+        this.endpoints.token,
+        {
+          redirectURI: this.config.redirectUrl
+        }
+      );
+      return this;
+    });
+  }
+  // Two responsibilities:
+  // 1. resolve the auth code to get the tokens (should use library code)
+  // 2. store the tokens in local storage
+  tokenExchange(code, state) {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      if (!this.oauth2client) yield this.init();
+      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
+      if (!codeVerifier) throw new Error("Code verifier not found in storage");
+      const tokens = yield exchangeTokens(
+        code,
+        state,
+        this.pkceProducer,
+        this.oauth2client,
+        // clean up types here to avoid the ! operator
+        this.config.oauthServer,
+        this.endpoints
+        // clean up types here to avoid the ! operator
+      );
+      storeTokens(new LocalStorageAdapter(), tokens);
+      const parsedDisplayMode = displayModeFromState(
+        state,
+        this.config.displayMode
+      );
+      if (parsedDisplayMode === "new_tab") {
+        window.close();
+      } else if (parsedDisplayMode === "redirect") {
+        removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
+      }
+      return tokens;
+    });
+  }
+  // Get the session data from local storage
+  getSessionData() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const storageData = retrieveTokens(new LocalStorageAdapter());
+      if (!storageData) return null;
+      return {
+        authenticated: !!storageData.id_token,
+        idToken: storageData.id_token,
+        accessToken: storageData.access_token,
+        refreshToken: storageData.refresh_token
+      };
+    });
+  }
+  validateExistingSession() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      try {
+        const sessionData = yield this.getSessionData();
+        if (!(sessionData == null ? void 0 : sessionData.idToken) || !sessionData.accessToken) {
+          const unAuthenticatedSession = _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, sessionData), { authenticated: false });
+          clearTokens(new LocalStorageAdapter());
+          return unAuthenticatedSession;
+        }
+        if (!this.endpoints || !this.oauth2client) yield this.init();
+        yield validateOauth2Tokens(
+          {
+            access_token: sessionData.accessToken,
+            id_token: sessionData.idToken,
+            refresh_token: sessionData.refreshToken
+          },
+          this.endpoints,
+          this.oauth2client,
+          this.config.oauthServer
+        );
+        return sessionData;
+      } catch (error) {
+        console.warn("Failed to validate existing tokens", error);
+        const unAuthenticatedSession = {
+          authenticated: false
+        };
+        clearTokens(new LocalStorageAdapter());
+        return unAuthenticatedSession;
+      }
+    });
+  }
+  static build(config) {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const resolver = new _BrowserAuthenticationService(config);
+      yield resolver.init();
+      return resolver;
+    });
+  }
+};
+
+// src/server/ServerAuthenticationResolver.ts
+
+var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
+  constructor(authConfig, storage, endpointOverrides) {
+    this.authConfig = authConfig;
+    this.storage = storage;
+    this.endpointOverrides = endpointOverrides;
+    this.pkceProducer = new GenericPublicClientPKCEProducer(storage);
+  }
+  validateExistingSession() {
+    throw new Error("Method not implemented.");
+  }
+  init() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      this.endpoints = yield getEndpointsWithOverrides(
+        this.authConfig.oauthServer,
+        this.endpointOverrides
+      );
+      this.oauth2client = new (0, _oauth2.OAuth2Client)(
+        this.authConfig.clientId,
+        this.endpoints.auth,
+        this.endpoints.token,
+        {
+          redirectURI: this.authConfig.redirectUrl
+        }
+      );
+      return this;
+    });
+  }
+  tokenExchange(code, state) {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      if (!this.oauth2client) yield this.init();
+      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
+      if (!codeVerifier) throw new Error("Code verifier not found in storage");
+      const tokens = yield exchangeTokens(
+        code,
+        state,
+        this.pkceProducer,
+        this.oauth2client,
+        // clean up types here to avoid the ! operator
+        this.authConfig.oauthServer,
+        this.endpoints
+        // clean up types here to avoid the ! operator
+      );
+      storeTokens(this.storage, tokens);
+      return tokens;
+    });
+  }
+  getSessionData() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const storageData = retrieveTokens(this.storage);
+      if (!storageData) return null;
+      return {
+        authenticated: !!storageData.id_token,
+        idToken: storageData.id_token,
+        accessToken: storageData.access_token,
+        refreshToken: storageData.refresh_token
+      };
+    });
+  }
+  static build(authConfig, storage, endpointOverrides) {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const resolver = new _ServerAuthenticationResolver(
+        authConfig,
+        storage,
+        endpointOverrides
+      );
+      yield resolver.init();
+      return resolver;
+    });
+  }
+};
+
+// src/server/login.ts
+function resolveOAuthAccessCode(code, state, storage, config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    var _a;
+    const authSessionService = yield ServerAuthenticationResolver.build(
+      _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
+        oauthServer: (_a = config.oauthServer) != null ? _a : AUTH_SERVER
+      }),
+      storage,
+      config.endpointOverrides
+    );
+    return authSessionService.tokenExchange(code, state);
+  });
+}
+function isLoggedIn(storage) {
+  return !!storage.get("id_token");
+}
+function buildLoginUrl(config, storage) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    var _a, _b, _c;
+    const state = (_a = config.state) != null ? _a : Math.random().toString(36).substring(2);
+    const scopes = (_b = config.scopes) != null ? _b : DEFAULT_SCOPES;
+    const pkceProducer = new GenericPublicClientPKCEProducer(storage);
+    const authInitiator = new GenericAuthenticationInitiator(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
+      state,
+      scopes,
+      oauthServer: (_c = config.oauthServer) != null ? _c : AUTH_SERVER,
+      // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session
+      pkceConsumer: pkceProducer
+    }));
+    return authInitiator.signIn();
+  });
+}
+
+// src/shared/session.ts
+var _jwt = require('oslo/jwt');
+function getUser(storage) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    var _a, _b;
+    const tokens = retrieveTokens(storage);
+    if (!tokens) return null;
+    return (_b = (_a = _jwt.parseJWT.call(void 0, tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
+  });
+}
+
+// src/shared/GenericAuthenticationRefresher.ts
+
+var GenericAuthenticationRefresher = class _GenericAuthenticationRefresher {
+  constructor(authConfig, storage, endpointOverrides) {
+    this.authConfig = authConfig;
+    this.storage = storage;
+    this.endpointOverrides = endpointOverrides;
+  }
+  init() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      this.endpoints = yield getEndpointsWithOverrides(
+        this.authConfig.oauthServer,
+        this.endpointOverrides
+      );
+      this.oauth2client = new (0, _oauth2.OAuth2Client)(
+        this.authConfig.clientId,
+        this.endpoints.auth,
+        this.endpoints.token,
+        {
+          redirectURI: this.authConfig.redirectUrl
+        }
+      );
+      return this;
+    });
+  }
+  static build(authConfig, storage, endpointOverrides) {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      const refresher = new _GenericAuthenticationRefresher(
+        authConfig,
+        storage,
+        endpointOverrides
+      );
+      yield refresher.init();
+      return refresher;
+    });
+  }
+  refreshTokens() {
+    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+      if (!this.oauth2client) yield this.init();
+      const tokens = retrieveTokens(this.storage);
+      if (!(tokens == null ? void 0 : tokens.refresh_token)) throw new Error("No refresh token available");
+      const oauth2Client = this.oauth2client;
+      const refreshedTokens = yield oauth2Client.refreshAccessToken(
+        tokens.refresh_token
+      );
+      storeTokens(this.storage, refreshedTokens);
+      return tokens;
+    });
+  }
+};
+
+// src/server/refresh.ts
+function refreshTokens(storage, config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    var _a;
+    const refresher = yield GenericAuthenticationRefresher.build(
+      _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
+        oauthServer: (_a = config.oauthServer) != null ? _a : AUTH_SERVER
+      }),
+      storage,
+      config.endpointOverrides
+    );
+    return refresher.refreshTokens();
+  });
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.convertForwardedTokenFormat = convertForwardedTokenFormat; exports.GenericUserSession = GenericUserSession; exports.DEFAULT_SCOPES = DEFAULT_SCOPES; exports.IFRAME_ID = IFRAME_ID; exports.TOKEN_EXCHANGE_TRIGGER_TEXT = TOKEN_EXCHANGE_TRIGGER_TEXT; exports.isWindowInIframe = isWindowInIframe; exports.generateState = generateState; exports.cn = cn; exports.withoutUndefined = withoutUndefined; exports.clearTokens = clearTokens; exports.retrieveTokens = retrieveTokens; exports.LocalStorageAdapter = LocalStorageAdapter; exports.ConfidentialClientPKCEConsumer = ConfidentialClientPKCEConsumer; exports.GenericPublicClientPKCEProducer = GenericPublicClientPKCEProducer; exports.BrowserPublicClientPKCEProducer = BrowserPublicClientPKCEProducer; exports.BrowserAuthenticationInitiator = BrowserAuthenticationInitiator; exports.BrowserAuthenticationService = BrowserAuthenticationService; exports.getUser = getUser; exports.CookieStorage = CookieStorage; exports.resolveOAuthAccessCode = resolveOAuthAccessCode; exports.isLoggedIn = isLoggedIn; exports.buildLoginUrl = buildLoginUrl; exports.refreshTokens = refreshTokens;
+//# sourceMappingURL=chunk-RF23Q4V6.js.map