@civic/auth 0.0.1-beta.28 → 0.0.1-beta.29

package/dist/chunk-Q7DSPTUG.mjs

@@ -0,0 +1,601 @@
+import {
+  __async,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
+
+// src/shared/types.ts
+var OAuthTokens = /* @__PURE__ */ ((OAuthTokens2) => {
+  OAuthTokens2["ID_TOKEN"] = "id_token";
+  OAuthTokens2["ACCESS_TOKEN"] = "access_token";
+  OAuthTokens2["REFRESH_TOKEN"] = "refresh_token";
+  return OAuthTokens2;
+})(OAuthTokens || {});
+
+// src/shared/util.ts
+import { OAuth2Client } from "oslo/oauth2";
+
+// src/lib/oauth.ts
+import { v4 as uuid } from "uuid";
+var getIssuerVariations = (issuer) => {
+  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
+  const issuerWithSlash = `${issuerWithoutSlash}/`;
+  return [issuerWithoutSlash, issuerWithSlash];
+};
+var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
+var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
+  const openIdConfigResponse = yield fetch(
+    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
+  );
+  const openIdConfig = yield openIdConfigResponse.json();
+  return {
+    jwks: openIdConfig.jwks_uri,
+    auth: openIdConfig.authorization_endpoint,
+    token: openIdConfig.token_endpoint,
+    userinfo: openIdConfig.userinfo_endpoint
+  };
+});
+var generateState = (displayMode, serverTokenExchange) => {
+  const jsonString = JSON.stringify(__spreadValues({
+    uuid: uuid(),
+    displayMode
+  }, serverTokenExchange ? { serverTokenExchange } : {}));
+  return btoa(jsonString);
+};
+var displayModeFromState = (state, sessionDisplayMode) => {
+  try {
+    const jsonString = atob(state);
+    return JSON.parse(jsonString).displayMode;
+  } catch (e) {
+    console.error("Failed to parse displayMode from state:", state);
+    return sessionDisplayMode;
+  }
+};
+var serverTokenExchangeFromState = (state) => {
+  try {
+    const jsonString = atob(state);
+    return JSON.parse(jsonString).serverTokenExchange;
+  } catch (e) {
+    console.error("Failed to parse serverTokenExchange from state:", state);
+    return void 0;
+  }
+};
+
+// src/shared/util.ts
+import * as jose from "jose";
+
+// src/utils.ts
+import { clsx } from "clsx";
+import { twMerge } from "tailwind-merge";
+var cn = (...inputs) => {
+  return twMerge(clsx(inputs));
+};
+var withoutUndefined = (obj) => {
+  const result = {};
+  for (const key in obj) {
+    if (obj[key] !== void 0) {
+      result[key] = obj[key];
+    }
+  }
+  return result;
+};
+
+// src/lib/jwt.ts
+var convertForwardedTokenFormat = (inputTokens) => Object.fromEntries(
+  Object.entries(inputTokens).map(([source, tokens]) => [
+    source,
+    {
+      idToken: tokens == null ? void 0 : tokens.id_token,
+      accessToken: tokens == null ? void 0 : tokens.access_token,
+      refreshToken: tokens == null ? void 0 : tokens.refresh_token
+    }
+  ])
+);
+
+// src/shared/UserSession.ts
+var GenericUserSession = class {
+  constructor(storage) {
+    this.storage = storage;
+  }
+  get() {
+    const user = this.storage.get("user" /* USER */);
+    return user ? JSON.parse(user) : null;
+  }
+  set(user) {
+    const forwardedTokens = (user == null ? void 0 : user.forwardedTokens) ? convertForwardedTokenFormat(user == null ? void 0 : user.forwardedTokens) : null;
+    const value = user ? JSON.stringify(__spreadProps(__spreadValues({}, user), { forwardedTokens })) : "";
+    this.storage.set("user" /* USER */, value);
+  }
+};
+
+// src/shared/util.ts
+function deriveCodeChallenge(codeVerifier, method = "S256") {
+  return __async(this, null, function* () {
+    if (method === "Plain") {
+      console.warn("Using insecure plain code challenge method");
+      return codeVerifier;
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = yield crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  });
+}
+function getEndpointsWithOverrides(_0) {
+  return __async(this, arguments, function* (oauthServer, endpointOverrides = {}) {
+    const endpoints = yield getOauthEndpoints(oauthServer);
+    return __spreadValues(__spreadValues({}, endpoints), endpointOverrides);
+  });
+}
+function generateOauthLoginUrl(config) {
+  return __async(this, null, function* () {
+    const endpoints = yield getEndpointsWithOverrides(
+      config.oauthServer,
+      config.endpointOverrides
+    );
+    const oauth2Client = buildOauth2Client(
+      config.clientId,
+      config.redirectUrl,
+      endpoints
+    );
+    const challenge = yield config.pkceConsumer.getCodeChallenge();
+    const oAuthUrl = yield oauth2Client.createAuthorizationURL({
+      state: config.state,
+      scopes: config.scopes
+    });
+    oAuthUrl.searchParams.append("code_challenge", challenge);
+    oAuthUrl.searchParams.append("code_challenge_method", "S256");
+    if (config.nonce) {
+      oAuthUrl.searchParams.append("nonce", config.nonce);
+    }
+    oAuthUrl.searchParams.append("prompt", "consent");
+    console.log("Generated OAuth URL", oAuthUrl.toString());
+    return oAuthUrl;
+  });
+}
+function generateOauthLogoutUrl(config) {
+  return __async(this, null, function* () {
+    return new URL("http://localhost");
+  });
+}
+function buildOauth2Client(clientId, redirectUri, endpoints) {
+  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {
+    redirectURI: redirectUri
+  });
+}
+function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
+  return __async(this, null, function* () {
+    const codeVerifier = yield pkceProducer.getCodeVerifier();
+    if (!codeVerifier) throw new Error("Code verifier not found in state");
+    const tokens = yield oauth2Client.validateAuthorizationCode(code, {
+      codeVerifier
+    });
+    try {
+      yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
+    } catch (error) {
+      console.error("tokenExchange error", { error, tokens });
+      throw new Error(
+        `OIDC tokens validation failed: ${error.message}`
+      );
+    }
+    return tokens;
+  });
+}
+function storeTokens(storage, tokens) {
+  storage.set("id_token" /* ID_TOKEN */, tokens.id_token);
+  storage.set("access_token" /* ACCESS_TOKEN */, tokens.access_token);
+  if (tokens.refresh_token)
+    storage.set("refresh_token" /* REFRESH_TOKEN */, tokens.refresh_token);
+}
+function clearTokens(storage) {
+  Object.values(OAuthTokens).forEach((cookie) => {
+    storage.set(cookie, "");
+  });
+  Object.values("code_verifier" /* COOKIE_NAME */).forEach((cookie) => {
+    storage.set(cookie, "");
+  });
+}
+function clearUser(storage) {
+  const userSession = new GenericUserSession(storage);
+  userSession.set(null);
+}
+function retrieveTokens(storage) {
+  const idToken = storage.get("id_token" /* ID_TOKEN */);
+  const accessToken = storage.get("access_token" /* ACCESS_TOKEN */);
+  const refreshToken = storage.get("refresh_token" /* REFRESH_TOKEN */);
+  if (!idToken || !accessToken) return null;
+  return {
+    id_token: idToken,
+    access_token: accessToken,
+    refresh_token: refreshToken != null ? refreshToken : void 0
+  };
+}
+function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
+  return __async(this, null, function* () {
+    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+    const idTokenResponse = yield jose.jwtVerify(
+      tokens.id_token,
+      JWKS,
+      {
+        issuer: getIssuerVariations(issuer),
+        audience: oauth2Client.clientId
+      }
+    );
+    const accessTokenResponse = yield jose.jwtVerify(
+      tokens.access_token,
+      JWKS,
+      {
+        issuer: getIssuerVariations(issuer)
+      }
+    );
+    return withoutUndefined({
+      id_token: idTokenResponse.payload,
+      access_token: accessTokenResponse.payload,
+      refresh_token: tokens.refresh_token
+    });
+  });
+}
+
+// src/shared/session.ts
+import { parseJWT } from "oslo/jwt";
+function getUser(storage) {
+  return __async(this, null, function* () {
+    var _a, _b;
+    const tokens = retrieveTokens(storage);
+    if (!tokens) return null;
+    return (_b = (_a = parseJWT(tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
+  });
+}
+
+// src/constants.ts
+var DEFAULT_SCOPES = [
+  "openid",
+  "profile",
+  "email",
+  "forwardedTokens",
+  "offline_access"
+];
+var IFRAME_ID = "civic-auth-iframe";
+var DEFAULT_AUTH_SERVER = "https://auth.civic.com/oauth";
+var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
+var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
+var TOKEN_EXCHANGE_SUCCESS_TEXT = "serverSideTokenExchangeSuccess";
+
+// src/browser/storage.ts
+var LocalStorageAdapter = class {
+  get(key) {
+    return localStorage.getItem(key) || "";
+  }
+  set(key, value) {
+    localStorage.setItem(key, value);
+  }
+};
+
+// src/services/PKCE.ts
+import { generateCodeVerifier } from "oslo/oauth2";
+var ConfidentialClientPKCEConsumer = class {
+  constructor(pkceChallengeEndpoint) {
+    this.pkceChallengeEndpoint = pkceChallengeEndpoint;
+  }
+  getCodeChallenge() {
+    return __async(this, null, function* () {
+      const response = yield fetch(
+        `${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`
+      );
+      const data = yield response.json();
+      return data.challenge;
+    });
+  }
+};
+var GenericPublicClientPKCEProducer = class {
+  constructor(storage) {
+    this.storage = storage;
+  }
+  // if there is already a verifier, return it,
+  // If not, create a new one and store it
+  getCodeChallenge() {
+    return __async(this, null, function* () {
+      const verifier = generateCodeVerifier();
+      this.storage.set("code_verifier" /* COOKIE_NAME */, verifier);
+      return deriveCodeChallenge(verifier);
+    });
+  }
+  // if there is already a verifier, return it,
+  getCodeVerifier() {
+    return __async(this, null, function* () {
+      return this.storage.get("code_verifier" /* COOKIE_NAME */);
+    });
+  }
+};
+var BrowserPublicClientPKCEProducer = class extends GenericPublicClientPKCEProducer {
+  constructor() {
+    super(new LocalStorageAdapter());
+  }
+};
+
+// src/services/AuthenticationService.ts
+import { OAuth2Client as OAuth2Client2 } from "oslo/oauth2";
+
+// src/services/types.ts
+var PopupError = class _PopupError extends Error {
+  constructor(message) {
+    super(message);
+    Object.setPrototypeOf(this, _PopupError.prototype);
+  }
+};
+
+// src/lib/windowUtil.ts
+var isWindowInIframe = (window2) => {
+  var _a;
+  if (typeof window2 !== "undefined") {
+    try {
+      if (((_a = window2 == null ? void 0 : window2.frameElement) == null ? void 0 : _a.id) === "civic-auth-iframe") {
+        return true;
+      }
+    } catch (_e) {
+      return false;
+    }
+  }
+  return false;
+};
+var removeParamsWithoutReload = (paramsToRemove) => {
+  const url = new URL(window.location.href);
+  paramsToRemove.forEach((param) => {
+    url.searchParams.delete(param);
+  });
+  try {
+    window.history.replaceState({}, "", url);
+  } catch (error) {
+    console.warn("window.history.replaceState failed", error);
+  }
+};
+
+// src/lib/postMessage.ts
+var validateLoginAppPostMessage = (event, clientId) => {
+  const caseEvent = event;
+  console.log("caseEvent", caseEvent);
+  if (!caseEvent.clientId || !caseEvent.data.url || !caseEvent.source || !caseEvent.type || caseEvent.clientId !== clientId || caseEvent.source !== "civicloginApp") {
+    return false;
+  }
+  return true;
+};
+
+// src/services/AuthenticationService.ts
+var BrowserAuthenticationInitiator = class {
+  constructor(config) {
+    this.postMessageHandler = null;
+    this.config = config;
+    console.log("BrowserAuthenticationInitiator constructor", this.config);
+  }
+  handleLoginAppPopupFailed(redirectUrl) {
+    return __async(this, null, function* () {
+      console.warn(
+        "Login app popup failed open a popup, using redirect mode instead...",
+        redirectUrl
+      );
+      window.location.href = redirectUrl;
+    });
+  }
+  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
+  // and then use the display mode to decide how to send the user there
+  signIn(iframeRef) {
+    return __async(this, null, function* () {
+      const url = yield generateOauthLoginUrl(this.config);
+      this.postMessageHandler = (event) => {
+        const thisURL = new URL(window.location.href);
+        if (event.origin.endsWith("civic.com") || thisURL.hostname === "localhost") {
+          if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {
+            console.log("Received invalid message from login app", event.data);
+            return;
+          }
+          const loginMessage = event.data;
+          console.log("Received message from login app", event.data);
+          this.handleLoginAppPopupFailed(loginMessage.data.url);
+        }
+      };
+      window.addEventListener("message", this.postMessageHandler);
+      if (this.config.displayMode === "iframe") {
+        if (!iframeRef)
+          throw new Error("iframeRef is required for displayMode 'iframe'");
+        iframeRef.setAttribute("src", url.toString());
+      }
+      if (this.config.displayMode === "redirect") {
+        window.location.href = url.toString();
+      }
+      if (this.config.displayMode === "new_tab") {
+        try {
+          const popupWindow = window.open(url.toString(), "_blank");
+          console.log("signIn", popupWindow);
+          if (!popupWindow) {
+            throw new PopupError("Failed to open popup window");
+          }
+        } catch (error) {
+          console.error("popupWindow", error);
+          throw new PopupError(
+            "window.open has thrown: Failed to open popup window"
+          );
+        }
+      }
+      return url;
+    });
+  }
+  signOut() {
+    return __async(this, null, function* () {
+      const localStorage2 = new LocalStorageAdapter();
+      clearTokens(localStorage2);
+      clearUser(localStorage2);
+      const url = yield generateOauthLogoutUrl(this.config);
+      return url;
+    });
+  }
+  cleanup() {
+    if (this.postMessageHandler) {
+      window.removeEventListener("message", this.postMessageHandler);
+    }
+  }
+};
+var GenericAuthenticationInitiator = class {
+  constructor(config) {
+    this.config = config;
+    console.log("GenericAuthenticationInitiator constructor", {
+      config
+    });
+  }
+  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
+  // and simply return the url
+  signIn() {
+    return __async(this, null, function* () {
+      return generateOauthLoginUrl(this.config);
+    });
+  }
+  signOut() {
+    return __async(this, null, function* () {
+      return generateOauthLogoutUrl(this.config);
+    });
+  }
+};
+var BrowserAuthenticationService = class _BrowserAuthenticationService extends BrowserAuthenticationInitiator {
+  // TODO WIP - perhaps we want to keep resolver and initiator separate here
+  constructor(config, pkceProducer = new BrowserPublicClientPKCEProducer()) {
+    console.log("BrowserAuthenticationService constructor", {
+      config
+    });
+    super(__spreadProps(__spreadValues({}, config), {
+      state: generateState(config.displayMode),
+      // Store and retrieve the PKCE challenge in local storage
+      pkceConsumer: pkceProducer
+    }));
+    this.pkceProducer = pkceProducer;
+  }
+  // TODO too much code duplication here between the browser and the server variant.
+  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
+  // function for generating an oauth2client from it
+  init() {
+    return __async(this, null, function* () {
+      this.endpoints = yield getEndpointsWithOverrides(
+        this.config.oauthServer,
+        this.config.endpointOverrides
+      );
+      this.oauth2client = new OAuth2Client2(
+        this.config.clientId,
+        this.endpoints.auth,
+        this.endpoints.token,
+        {
+          redirectURI: this.config.redirectUrl
+        }
+      );
+      return this;
+    });
+  }
+  // Two responsibilities:
+  // 1. resolve the auth code to get the tokens (should use library code)
+  // 2. store the tokens in local storage
+  tokenExchange(code, state) {
+    return __async(this, null, function* () {
+      if (!this.oauth2client) yield this.init();
+      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
+      if (!codeVerifier) throw new Error("Code verifier not found in storage");
+      const tokens = yield exchangeTokens(
+        code,
+        state,
+        this.pkceProducer,
+        this.oauth2client,
+        // clean up types here to avoid the ! operator
+        this.config.oauthServer,
+        this.endpoints
+        // clean up types here to avoid the ! operator
+      );
+      storeTokens(new LocalStorageAdapter(), tokens);
+      const parsedDisplayMode = displayModeFromState(
+        state,
+        this.config.displayMode
+      );
+      if (parsedDisplayMode === "new_tab") {
+        window.close();
+      }
+      removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
+      return tokens;
+    });
+  }
+  // Get the session data from local storage
+  getSessionData() {
+    return __async(this, null, function* () {
+      const storageData = retrieveTokens(new LocalStorageAdapter());
+      if (!storageData) return null;
+      return {
+        authenticated: !!storageData.id_token,
+        idToken: storageData.id_token,
+        accessToken: storageData.access_token,
+        refreshToken: storageData.refresh_token
+      };
+    });
+  }
+  validateExistingSession() {
+    return __async(this, null, function* () {
+      try {
+        const sessionData = yield this.getSessionData();
+        if (!(sessionData == null ? void 0 : sessionData.idToken) || !sessionData.accessToken) {
+          const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
+          clearTokens(new LocalStorageAdapter());
+          return unAuthenticatedSession;
+        }
+        if (!this.endpoints || !this.oauth2client) yield this.init();
+        yield validateOauth2Tokens(
+          {
+            access_token: sessionData.accessToken,
+            id_token: sessionData.idToken,
+            refresh_token: sessionData.refreshToken
+          },
+          this.endpoints,
+          this.oauth2client,
+          this.config.oauthServer
+        );
+        return sessionData;
+      } catch (error) {
+        console.warn("Failed to validate existing tokens", error);
+        const unAuthenticatedSession = {
+          authenticated: false
+        };
+        clearTokens(new LocalStorageAdapter());
+        return unAuthenticatedSession;
+      }
+    });
+  }
+  static build(config) {
+    return __async(this, null, function* () {
+      const resolver = new _BrowserAuthenticationService(config);
+      yield resolver.init();
+      return resolver;
+    });
+  }
+};
+
+export {
+  convertForwardedTokenFormat,
+  GenericUserSession,
+  DEFAULT_SCOPES,
+  IFRAME_ID,
+  DEFAULT_AUTH_SERVER,
+  TOKEN_EXCHANGE_TRIGGER_TEXT,
+  TOKEN_EXCHANGE_SUCCESS_TEXT,
+  isWindowInIframe,
+  generateState,
+  serverTokenExchangeFromState,
+  cn,
+  withoutUndefined,
+  getEndpointsWithOverrides,
+  exchangeTokens,
+  storeTokens,
+  clearTokens,
+  retrieveTokens,
+  LocalStorageAdapter,
+  ConfidentialClientPKCEConsumer,
+  GenericPublicClientPKCEProducer,
+  BrowserPublicClientPKCEProducer,
+  PopupError,
+  BrowserAuthenticationInitiator,
+  GenericAuthenticationInitiator,
+  BrowserAuthenticationService,
+  getUser
+};
+//# sourceMappingURL=chunk-Q7DSPTUG.mjs.map