@civic/auth 0.0.1-beta.28 → 0.0.1-beta.3

package/dist/esm/src/server/login.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/server/login.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AAExF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAY,EACZ,KAAa,EACb,OAAoB,EACpB,MAAkB;IAElB,MAAM,kBAAkB,GAAG,MAAM,4BAA4B,CAAC,KAAK,CACjE;QACE,GAAG,MAAM;QACT,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,mBAAmB;KACvD,EACD,OAAO,EACP,MAAM,CAAC,iBAAiB,CACzB,CAAC;IAEF,OAAO,kBAAkB,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,OAAoB;IAC7C,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAKG,EACH,OAAoB;IAEpB,0CAA0C;IAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,cAAc,CAAC;IAC/C,MAAM,YAAY,GAAG,IAAI,+BAA+B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,IAAI,8BAA8B,CAAC;QACvD,GAAG,MAAM;QACT,KAAK;QACL,MAAM;QACN,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,mBAAmB;QACtD,mGAAmG;QACnG,YAAY,EAAE,YAAY;KAC3B,CAAC,CAAC;IAEH,OAAO,aAAa,CAAC,MAAM,EAAE,CAAC;AAChC,CAAC","sourcesContent":["import type { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { DEFAULT_AUTH_SERVER, DEFAULT_SCOPES } from \"@/constants.js\";\nimport { GenericAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport type { AuthConfig } from \"@/server/config.ts\";\n/**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code, typically from a query parameter in the redirect url\n * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url\n * @param storage The place that this server uses to store session data (e.g. a cookie store)\n * @param config Oauth Server configuration\n */\nexport async function resolveOAuthAccessCode(\n  code: string,\n  state: string,\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const authSessionService = await ServerAuthenticationResolver.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return authSessionService.tokenExchange(code, state);\n}\n\nexport function isLoggedIn(storage: AuthStorage): boolean {\n  return !!storage.get(\"id_token\");\n}\n\nexport async function buildLoginUrl(\n  config: Pick<AuthConfig, \"clientId\" | \"redirectUrl\"> &\n    Partial<Pick<AuthConfig, \"oauthServer\">> & {\n      scopes?: string[];\n      state?: string;\n      nonce?: string;\n    },\n  storage: AuthStorage,\n): Promise<URL> {\n  // generate a random state if not provided\n  const state = config.state ?? Math.random().toString(36).substring(2);\n  const scopes = config.scopes ?? DEFAULT_SCOPES;\n  const pkceProducer = new GenericPublicClientPKCEProducer(storage);\n  const authInitiator = new GenericAuthenticationInitiator({\n    ...config,\n    state,\n    scopes,\n    oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session\n    pkceConsumer: pkceProducer,\n  });\n\n  return authInitiator.signIn();\n}\n"]}

package/dist/esm/src/server/refresh.d.ts

@@ -1,7 +0,0 @@
-import type { AuthStorage, OIDCTokenResponseBody } from "../types.js";
-import type { AuthConfig } from "../server/config.ts";
-/**
- * Refresh the current set of OIDC tokens
- */
-export declare function refreshTokens(storage: AuthStorage, config: AuthConfig): Promise<OIDCTokenResponseBody>;
-//# sourceMappingURL=refresh.d.ts.map

package/dist/esm/src/server/refresh.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../../src/server/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAGrE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAWhC"}

package/dist/esm/src/server/refresh.js

@@ -1,13 +0,0 @@
-import { DEFAULT_AUTH_SERVER } from "../constants.js";
-import { GenericAuthenticationRefresher } from "../shared/lib/GenericAuthenticationRefresher.js";
-/**
- * Refresh the current set of OIDC tokens
- */
-export async function refreshTokens(storage, config) {
-    const refresher = await GenericAuthenticationRefresher.build({
-        ...config,
-        oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,
-    }, storage, config.endpointOverrides);
-    return refresher.refreshTokens();
-}
-//# sourceMappingURL=refresh.js.map

package/dist/esm/src/server/refresh.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../../src/server/refresh.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,8BAA8B,EAAE,MAAM,gDAAgD,CAAC;AAGhG;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAoB,EACpB,MAAkB;IAElB,MAAM,SAAS,GAAG,MAAM,8BAA8B,CAAC,KAAK,CAC1D;QACE,GAAG,MAAM;QACT,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,mBAAmB;KACvD,EACD,OAAO,EACP,MAAM,CAAC,iBAAiB,CACzB,CAAC;IAEF,OAAO,SAAS,CAAC,aAAa,EAAE,CAAC;AACnC,CAAC","sourcesContent":["import type { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\nimport { GenericAuthenticationRefresher } from \"@/shared/lib/GenericAuthenticationRefresher.js\";\nimport type { AuthConfig } from \"@/server/config.ts\";\n\n/**\n * Refresh the current set of OIDC tokens\n */\nexport async function refreshTokens(\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const refresher = await GenericAuthenticationRefresher.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return refresher.refreshTokens();\n}\n"]}

package/dist/esm/src/services/AuthenticationService.d.ts

@@ -1,87 +0,0 @@
-import type { DisplayMode, Endpoints, OIDCTokenResponseBody, SessionData } from "../types.js";
-import { BrowserPublicClientPKCEProducer } from "../services/PKCE.js";
-import type { AuthenticationInitiator, AuthenticationResolver, PKCEConsumer } from "../services/types.js";
-/**
- * An authentication initiator that works on a browser. Since this is just triggering
- * login and logout, session data is not stored here.
- * An associated AuthenticationResolver would be needed to get the session data.
- * Storage is needed for the code verifier, this is the domain of the PKCEConsumer
- * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.
- *
- * Example usage:
- *
- * 1) Client-only SPA -eg a react app with no server:
- * new BrowserAuthenticationInitiator({
- *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side
- *   ... other config
- * })
- *
- * 2) Client-side of a client/server app - eg a react app with a backend:
- * new BrowserAuthenticationInitiator({
- *  pkceConsumer: new ConfidentialClientPKCEConsumer("https://myserver.com/pkce"), // get the challenge from the server
- *  ... other config
- * })
- */
-export declare class BrowserAuthenticationInitiator implements AuthenticationInitiator {
-    private postMessageHandler;
-    protected config: {
-        clientId: string;
-        redirectUrl: string;
-        state: string;
-        scopes: string[];
-        displayMode: DisplayMode;
-        oauthServer: string;
-        endpointOverrides?: Partial<Endpoints>;
-        pkceConsumer: PKCEConsumer;
-        nonce?: string;
-    };
-    constructor(config: typeof this.config);
-    handleLoginAppPopupFailed(redirectUrl: string): Promise<void>;
-    signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;
-    signOut(): Promise<URL>;
-    cleanup(): void;
-}
-/** A general-purpose authentication initiator, that just generates urls, but lets
- * the caller decide how to use them. This is useful for server-side applications
- * that may serve this URL to their front-ends or just call them directly
- */
-export declare class GenericAuthenticationInitiator implements AuthenticationInitiator {
-    protected config: {
-        clientId: string;
-        redirectUrl: string;
-        state: string;
-        scopes: string[];
-        oauthServer: string;
-        nonce?: string;
-        endpointOverrides?: Partial<Endpoints>;
-        pkceConsumer: PKCEConsumer;
-    };
-    constructor(config: typeof this.config);
-    signIn(): Promise<URL>;
-    signOut(): Promise<URL>;
-}
-type BrowserAuthenticationConfig = {
-    clientId: string;
-    redirectUrl: string;
-    scopes: string[];
-    oauthServer: string;
-    endpointOverrides?: Partial<Endpoints>;
-    displayMode: DisplayMode;
-};
-/**
- * An authentication resolver that can run on the browser (i.e. a public client)
- * It uses PKCE for security. PKCE and Session data are stored in local storage
- */
-export declare class BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-    protected pkceProducer: BrowserPublicClientPKCEProducer;
-    private oauth2client;
-    private endpoints;
-    constructor(config: BrowserAuthenticationConfig, pkceProducer?: BrowserPublicClientPKCEProducer);
-    init(): Promise<this>;
-    tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;
-    getSessionData(): Promise<SessionData | null>;
-    validateExistingSession(): Promise<SessionData>;
-    static build(config: BrowserAuthenticationConfig): Promise<AuthenticationResolver>;
-}
-export {};
-//# sourceMappingURL=AuthenticationService.d.ts.map

package/dist/esm/src/services/AuthenticationService.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthenticationService.d.ts","sourceRoot":"","sources":["../../../../src/services/AuthenticationService.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EAET,qBAAqB,EACrB,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AAerE,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACb,MAAM,qBAAqB,CAAC;AAM7B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,8BAA+B,YAAW,uBAAuB;IAC5E,OAAO,CAAC,kBAAkB,CAAgD;IAE1E,SAAS,CAAC,MAAM,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QAEjB,WAAW,EAAE,WAAW,CAAC;QACzB,WAAW,EAAE,MAAM,CAAC;QAEpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAEvC,YAAY,EAAE,YAAY,CAAC;QAE3B,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;gBAEU,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM;IAKhC,yBAAyB,CAAC,WAAW,EAAE,MAAM;IAU7C,MAAM,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC;IA4CzD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC;IAU7B,OAAO;CAKR;AAED;;;GAGG;AACH,qBAAa,8BAA+B,YAAW,uBAAuB;IAC5E,SAAS,CAAC,MAAM,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QAEf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAEvC,YAAY,EAAE,YAAY,CAAC;KAC5B,CAAC;gBAEU,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM;IAShC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC;IAItB,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC;CAG9B;AAED,KAAK,2BAA2B,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,WAAW,EAAE,WAAW,CAAC;CAC1B,CAAC;AAEF;;;GAGG;AACH,qBAAa,4BAA6B,SAAQ,8BAA8B;IAQ5E,SAAS,CAAC,YAAY;IAPxB,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,SAAS,CAAwB;gBAIvC,MAAM,EAAE,2BAA2B,EAEzB,YAAY,kCAAwC;IAgB1D,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBrB,aAAa,CACjB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC;IAiC3B,cAAc,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAa7C,uBAAuB,IAAI,OAAO,CAAC,WAAW,CAAC;WAgCxC,KAAK,CAChB,MAAM,EAAE,2BAA2B,GAClC,OAAO,CAAC,sBAAsB,CAAC;CAMnC"}

package/dist/esm/src/services/AuthenticationService.js

@@ -1,222 +0,0 @@
-// Proposals for revised versions of the SessionService AKA AuthSessionService
-import { BrowserPublicClientPKCEProducer } from "../services/PKCE.js";
-import { clearTokens, clearUser, exchangeTokens, generateOauthLoginUrl, generateOauthLogoutUrl, getEndpointsWithOverrides, retrieveTokens, storeTokens, validateOauth2Tokens, } from "../shared/lib/util.js";
-import { displayModeFromState, generateState } from "../lib/oauth.js";
-import { OAuth2Client } from "oslo/oauth2";
-import { LocalStorageAdapter } from "../browser/storage.js";
-import { PopupError } from "../services/types.js";
-import { removeParamsWithoutReload } from "../lib/windowUtil.js";
-import { DEFAULT_OAUTH_GET_PARAMS } from "../constants.js";
-import { validateLoginAppPostMessage } from "../lib/postMessage.js";
-/**
- * An authentication initiator that works on a browser. Since this is just triggering
- * login and logout, session data is not stored here.
- * An associated AuthenticationResolver would be needed to get the session data.
- * Storage is needed for the code verifier, this is the domain of the PKCEConsumer
- * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.
- *
- * Example usage:
- *
- * 1) Client-only SPA -eg a react app with no server:
- * new BrowserAuthenticationInitiator({
- *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side
- *   ... other config
- * })
- *
- * 2) Client-side of a client/server app - eg a react app with a backend:
- * new BrowserAuthenticationInitiator({
- *  pkceConsumer: new ConfidentialClientPKCEConsumer("https://myserver.com/pkce"), // get the challenge from the server
- *  ... other config
- * })
- */
-export class BrowserAuthenticationInitiator {
-    postMessageHandler = null;
-    config;
-    constructor(config) {
-        this.config = config;
-        console.log("BrowserAuthenticationInitiator constructor", this.config);
-    }
-    async handleLoginAppPopupFailed(redirectUrl) {
-        console.warn("Login app popup failed open a popup, using redirect mode instead...", redirectUrl);
-        window.location.href = redirectUrl;
-    }
-    // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-    // and then use the display mode to decide how to send the user there
-    async signIn(iframeRef) {
-        const url = await generateOauthLoginUrl(this.config);
-        this.postMessageHandler = (event) => {
-            const thisURL = new URL(window.location.href);
-            if (event.origin.endsWith("civic.com") ||
-                thisURL.hostname === "localhost") {
-                if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {
-                    console.log("Received invalid message from login app", event.data);
-                    return;
-                }
-                const loginMessage = event.data;
-                console.log("Received message from login app", event.data);
-                this.handleLoginAppPopupFailed(loginMessage.data.url);
-            }
-        };
-        window.addEventListener("message", this.postMessageHandler);
-        if (this.config.displayMode === "iframe") {
-            if (!iframeRef)
-                throw new Error("iframeRef is required for displayMode 'iframe'");
-            iframeRef.setAttribute("src", url.toString());
-        }
-        if (this.config.displayMode === "redirect") {
-            window.location.href = url.toString();
-        }
-        if (this.config.displayMode === "new_tab") {
-            try {
-                const popupWindow = window.open(url.toString(), "_blank");
-                console.log("signIn", popupWindow);
-                if (!popupWindow) {
-                    throw new PopupError("Failed to open popup window");
-                }
-            }
-            catch (error) {
-                console.error("popupWindow", error);
-                throw new PopupError("window.open has thrown: Failed to open popup window");
-            }
-        }
-        return url;
-    }
-    async signOut() {
-        const localStorage = new LocalStorageAdapter();
-        clearTokens(localStorage);
-        clearUser(localStorage);
-        // TODO open the iframe or new tab etc: the logout URL is not currently
-        // supported by on the oauth, so just clear state until then
-        const url = await generateOauthLogoutUrl(this.config);
-        return url;
-    }
-    cleanup() {
-        if (this.postMessageHandler) {
-            window.removeEventListener("message", this.postMessageHandler);
-        }
-    }
-}
-/** A general-purpose authentication initiator, that just generates urls, but lets
- * the caller decide how to use them. This is useful for server-side applications
- * that may serve this URL to their front-ends or just call them directly
- */
-export class GenericAuthenticationInitiator {
-    config;
-    constructor(config) {
-        this.config = config;
-        console.log("GenericAuthenticationInitiator constructor", {
-            config,
-        });
-    }
-    // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-    // and simply return the url
-    async signIn() {
-        return generateOauthLoginUrl(this.config);
-    }
-    async signOut() {
-        return generateOauthLogoutUrl(this.config);
-    }
-}
-/**
- * An authentication resolver that can run on the browser (i.e. a public client)
- * It uses PKCE for security. PKCE and Session data are stored in local storage
- */
-export class BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-    pkceProducer;
-    oauth2client;
-    endpoints;
-    // TODO WIP - perhaps we want to keep resolver and initiator separate here
-    constructor(config, 
-    // Since we are running fully on the client, we produce as well as consume the PKCE challenge
-    pkceProducer = new BrowserPublicClientPKCEProducer()) {
-        console.log("BrowserAuthenticationService constructor", {
-            config,
-        });
-        super({
-            ...config,
-            state: generateState(config.displayMode),
-            // Store and retrieve the PKCE challenge in local storage
-            pkceConsumer: pkceProducer,
-        });
-        this.pkceProducer = pkceProducer;
-    }
-    // TODO too much code duplication here between the browser and the server variant.
-    // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
-    // function for generating an oauth2client from it
-    async init() {
-        // resolve oauth config
-        this.endpoints = await getEndpointsWithOverrides(this.config.oauthServer, this.config.endpointOverrides);
-        this.oauth2client = new OAuth2Client(this.config.clientId, this.endpoints.auth, this.endpoints.token, {
-            redirectURI: this.config.redirectUrl,
-        });
-        return this;
-    }
-    // Two responsibilities:
-    // 1. resolve the auth code to get the tokens (should use library code)
-    // 2. store the tokens in local storage
-    async tokenExchange(code, state) {
-        if (!this.oauth2client)
-            await this.init();
-        const codeVerifier = await this.pkceProducer.getCodeVerifier();
-        if (!codeVerifier)
-            throw new Error("Code verifier not found in storage");
-        // exchange auth code for tokens
-        const tokens = await exchangeTokens(code, state, this.pkceProducer, this.oauth2client, // clean up types here to avoid the ! operator
-        this.config.oauthServer, this.endpoints);
-        storeTokens(new LocalStorageAdapter(), tokens);
-        // cleanup the browser window if needed
-        const parsedDisplayMode = displayModeFromState(state, this.config.displayMode);
-        if (parsedDisplayMode === "new_tab") {
-            // Close the popup window
-            window.close();
-        }
-        // these are the default oAuth params that get added to the URL in redirect which we want to remove if present
-        removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
-        return tokens;
-    }
-    // Get the session data from local storage
-    async getSessionData() {
-        const storageData = retrieveTokens(new LocalStorageAdapter());
-        if (!storageData)
-            return null;
-        return {
-            authenticated: !!storageData.id_token,
-            idToken: storageData.id_token,
-            accessToken: storageData.access_token,
-            refreshToken: storageData.refresh_token,
-        };
-    }
-    async validateExistingSession() {
-        try {
-            const sessionData = await this.getSessionData();
-            if (!sessionData?.idToken || !sessionData.accessToken) {
-                const unAuthenticatedSession = { ...sessionData, authenticated: false };
-                clearTokens(new LocalStorageAdapter());
-                return unAuthenticatedSession;
-            }
-            if (!this.endpoints || !this.oauth2client)
-                await this.init();
-            // this function will throw if any of the tokens are invalid
-            await validateOauth2Tokens({
-                access_token: sessionData.accessToken,
-                id_token: sessionData.idToken,
-                refresh_token: sessionData.refreshToken,
-            }, this.endpoints, this.oauth2client, this.config.oauthServer);
-            return sessionData;
-        }
-        catch (error) {
-            console.warn("Failed to validate existing tokens", error);
-            const unAuthenticatedSession = {
-                authenticated: false,
-            };
-            clearTokens(new LocalStorageAdapter());
-            return unAuthenticatedSession;
-        }
-    }
-    static async build(config) {
-        const resolver = new BrowserAuthenticationService(config);
-        await resolver.init();
-        return resolver;
-    }
-}
-//# sourceMappingURL=AuthenticationService.js.map

package/dist/esm/src/services/AuthenticationService.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthenticationService.js","sourceRoot":"","sources":["../../../../src/services/AuthenticationService.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAS9E,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,WAAW,EACX,SAAS,EACT,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,cAAc,EACd,WAAW,EACX,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAM3D,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AAEnE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,8BAA8B;IACjC,kBAAkB,GAA2C,IAAI,CAAC;IAEhE,MAAM,CAcd;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,4CAA4C,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,CAAC,IAAI,CACV,qEAAqE,EACrE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;IACrC,CAAC;IAED,uGAAuG;IACvG,qEAAqE;IACrE,KAAK,CAAC,MAAM,CAAC,SAAmC;QAC9C,MAAM,GAAG,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErD,IAAI,CAAC,kBAAkB,GAAG,CAAC,KAAmB,EAAE,EAAE;YAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9C,IACE,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClC,OAAO,CAAC,QAAQ,KAAK,WAAW,EAChC,CAAC;gBACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnE,OAAO,CAAC,GAAG,CAAC,yCAAyC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;oBACnE,OAAO;gBACT,CAAC;gBACD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAwB,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC3D,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC;QACH,CAAC,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC5D,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,IAAI,CAAC,SAAS;gBACZ,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACpE,SAAS,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;gBACnC,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,UAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,UAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC/C,WAAW,CAAC,YAAY,CAAC,CAAC;QAC1B,SAAS,CAAC,YAAY,CAAC,CAAC;QACxB,uEAAuE;QACvE,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,8BAA8B;IAC/B,MAAM,CAWd;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,4CAA4C,EAAE;YACxD,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED,uGAAuG;IACvG,4BAA4B;IAC5B,KAAK,CAAC,MAAM;QACV,OAAO,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,OAAO,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;CACF;AAWD;;;GAGG;AACH,MAAM,OAAO,4BAA6B,SAAQ,8BAA8B;IAQlE;IAPJ,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,0EAA0E;IAC1E,YACE,MAAmC;IACnC,6FAA6F;IACnF,eAAe,IAAI,+BAA+B,EAAE;QAE9D,OAAO,CAAC,GAAG,CAAC,0CAA0C,EAAE;YACtD,MAAM;SACP,CAAC,CAAC;QACH,KAAK,CAAC;YACJ,GAAG,MAAM;YACT,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC;YACxC,yDAAyD;YACzD,YAAY,EAAE,YAAY;SAC3B,CAAC,CAAC;QAVO,iBAAY,GAAZ,YAAY,CAAwC;IAWhE,CAAC;IAED,kFAAkF;IAClF,oGAAoG;IACpG,kDAAkD;IAClD,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wBAAwB;IACxB,uEAAuE;IACvE,uCAAuC;IACvC,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAC/D,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAEzE,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,SAAU,CAChB,CAAC;QAEF,WAAW,CAAC,IAAI,mBAAmB,EAAE,EAAE,MAAM,CAAC,CAAC;QAE/C,uCAAuC;QACvC,MAAM,iBAAiB,GAAG,oBAAoB,CAC5C,KAAK,EACL,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;QAEF,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,yBAAyB;YACzB,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QACD,8GAA8G;QAC9G,yBAAyB,CAAC,wBAAwB,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;QAE9D,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ;YACrC,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;YACrC,YAAY,EAAE,WAAW,CAAC,aAAa;SACxC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uBAAuB;QAC3B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,WAAW,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;gBACtD,MAAM,sBAAsB,GAAG,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACxE,WAAW,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;gBACvC,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAE7D,4DAA4D;YAC5D,MAAM,oBAAoB,CACxB;gBACE,YAAY,EAAE,WAAW,CAAC,WAAW;gBACrC,QAAQ,EAAE,WAAW,CAAC,OAAO;gBAC7B,aAAa,EAAE,WAAW,CAAC,YAAY;aACxC,EACD,IAAI,CAAC,SAAU,EACf,IAAI,CAAC,YAAa,EAClB,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,sBAAsB,GAAG;gBAC7B,aAAa,EAAE,KAAK;aACrB,CAAC;YACF,WAAW,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;YACvC,OAAO,sBAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,MAAmC;QAEnC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF","sourcesContent":["// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport type {\n  DisplayMode,\n  Endpoints,\n  LoginPostMessage,\n  OIDCTokenResponseBody,\n  SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n  clearTokens,\n  clearUser,\n  exchangeTokens,\n  generateOauthLoginUrl,\n  generateOauthLogoutUrl,\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n  validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type {\n  AuthenticationInitiator,\n  AuthenticationResolver,\n  PKCEConsumer,\n} from \"@/services/types.js\";\nimport { PopupError } from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil.js\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants.js\";\nimport { validateLoginAppPostMessage } from \"@/lib/postMessage.js\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n *   ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n *  pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n *  ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n  private postMessageHandler: null | ((event: MessageEvent) => void) = null;\n\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n    displayMode: DisplayMode;\n    oauthServer: string;\n    // the endpoints to use for the login (if not obtained from the auth server\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n    // the nonce to use for the login\n    nonce?: string;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n    console.log(\"BrowserAuthenticationInitiator constructor\", this.config);\n  }\n\n  async handleLoginAppPopupFailed(redirectUrl: string) {\n    console.warn(\n      \"Login app popup failed open a popup, using redirect mode instead...\",\n      redirectUrl,\n    );\n    window.location.href = redirectUrl;\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and then use the display mode to decide how to send the user there\n  async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n    const url = await generateOauthLoginUrl(this.config);\n\n    this.postMessageHandler = (event: MessageEvent) => {\n      const thisURL = new URL(window.location.href);\n      if (\n        event.origin.endsWith(\"civic.com\") ||\n        thisURL.hostname === \"localhost\"\n      ) {\n        if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {\n          console.log(\"Received invalid message from login app\", event.data);\n          return;\n        }\n        const loginMessage = event.data as LoginPostMessage;\n        console.log(\"Received message from login app\", event.data);\n        this.handleLoginAppPopupFailed(loginMessage.data.url);\n      }\n    };\n    window.addEventListener(\"message\", this.postMessageHandler);\n    if (this.config.displayMode === \"iframe\") {\n      if (!iframeRef)\n        throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n      iframeRef.setAttribute(\"src\", url.toString());\n    }\n    if (this.config.displayMode === \"redirect\") {\n      window.location.href = url.toString();\n    }\n    if (this.config.displayMode === \"new_tab\") {\n      try {\n        const popupWindow = window.open(url.toString(), \"_blank\");\n        console.log(\"signIn\", popupWindow);\n        if (!popupWindow) {\n          throw new PopupError(\"Failed to open popup window\");\n        }\n      } catch (error) {\n        console.error(\"popupWindow\", error);\n        throw new PopupError(\n          \"window.open has thrown: Failed to open popup window\",\n        );\n      }\n    }\n    return url;\n  }\n\n  async signOut(): Promise<URL> {\n    const localStorage = new LocalStorageAdapter();\n    clearTokens(localStorage);\n    clearUser(localStorage);\n    // TODO open the iframe or new tab etc: the logout URL is not currently\n    // supported by on the oauth, so just clear state until then\n    const url = await generateOauthLogoutUrl(this.config);\n    return url;\n  }\n\n  cleanup() {\n    if (this.postMessageHandler) {\n      window.removeEventListener(\"message\", this.postMessageHandler);\n    }\n  }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    oauthServer: string;\n    nonce?: string;\n    // the endpoints to use for the login (if not obtained from the auth server)\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n    console.log(\"GenericAuthenticationInitiator constructor\", {\n      config,\n    });\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and simply return the url\n  async signIn(): Promise<URL> {\n    return generateOauthLoginUrl(this.config);\n  }\n\n  async signOut(): Promise<URL> {\n    return generateOauthLogoutUrl(this.config);\n  }\n}\n\ntype BrowserAuthenticationConfig = {\n  clientId: string;\n  redirectUrl: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  // TODO WIP - perhaps we want to keep resolver and initiator separate here\n  constructor(\n    config: BrowserAuthenticationConfig,\n    // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n    protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n  ) {\n    console.log(\"BrowserAuthenticationService constructor\", {\n      config,\n    });\n    super({\n      ...config,\n      state: generateState(config.displayMode),\n      // Store and retrieve the PKCE challenge in local storage\n      pkceConsumer: pkceProducer,\n    });\n  }\n\n  // TODO too much code duplication here between the browser and the server variant.\n  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n  // function for generating an oauth2client from it\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.config.oauthServer,\n      this.config.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.config.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.config.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  // Two responsibilities:\n  // 1. resolve the auth code to get the tokens (should use library code)\n  // 2. store the tokens in local storage\n  async tokenExchange(\n    code: string,\n    state: string,\n  ): Promise<OIDCTokenResponseBody> {\n    if (!this.oauth2client) await this.init();\n    const codeVerifier = await this.pkceProducer.getCodeVerifier();\n    if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n    // exchange auth code for tokens\n    const tokens = await exchangeTokens(\n      code,\n      state,\n      this.pkceProducer,\n      this.oauth2client!, // clean up types here to avoid the ! operator\n      this.config.oauthServer,\n      this.endpoints!, // clean up types here to avoid the ! operator\n    );\n\n    storeTokens(new LocalStorageAdapter(), tokens);\n\n    // cleanup the browser window if needed\n    const parsedDisplayMode = displayModeFromState(\n      state,\n      this.config.displayMode,\n    );\n\n    if (parsedDisplayMode === \"new_tab\") {\n      // Close the popup window\n      window.close();\n    }\n    // these are the default oAuth params that get added to the URL in redirect which we want to remove if present\n    removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n    return tokens;\n  }\n\n  // Get the session data from local storage\n  async getSessionData(): Promise<SessionData | null> {\n    const storageData = retrieveTokens(new LocalStorageAdapter());\n\n    if (!storageData) return null;\n\n    return {\n      authenticated: !!storageData.id_token,\n      idToken: storageData.id_token,\n      accessToken: storageData.access_token,\n      refreshToken: storageData.refresh_token,\n    };\n  }\n\n  async validateExistingSession(): Promise<SessionData> {\n    try {\n      const sessionData = await this.getSessionData();\n      if (!sessionData?.idToken || !sessionData.accessToken) {\n        const unAuthenticatedSession = { ...sessionData, authenticated: false };\n        clearTokens(new LocalStorageAdapter());\n        return unAuthenticatedSession;\n      }\n      if (!this.endpoints || !this.oauth2client) await this.init();\n\n      // this function will throw if any of the tokens are invalid\n      await validateOauth2Tokens(\n        {\n          access_token: sessionData.accessToken,\n          id_token: sessionData.idToken,\n          refresh_token: sessionData.refreshToken,\n        },\n        this.endpoints!,\n        this.oauth2client!,\n        this.config.oauthServer,\n      );\n      return sessionData;\n    } catch (error) {\n      console.warn(\"Failed to validate existing tokens\", error);\n      const unAuthenticatedSession = {\n        authenticated: false,\n      };\n      clearTokens(new LocalStorageAdapter());\n      return unAuthenticatedSession;\n    }\n  }\n\n  static async build(\n    config: BrowserAuthenticationConfig,\n  ): Promise<AuthenticationResolver> {\n    const resolver = new BrowserAuthenticationService(config);\n    await resolver.init();\n\n    return resolver;\n  }\n}\n"]}

package/dist/esm/src/services/PKCE.d.ts

@@ -1,20 +0,0 @@
-import type { PKCEConsumer, PKCEProducer } from "../services/types.js";
-import type { AuthStorage } from "../types.js";
-/** A PKCE consumer that retrieves the challenge from a server endpoint */
-export declare class ConfidentialClientPKCEConsumer implements PKCEConsumer {
-    private pkceChallengeEndpoint;
-    constructor(pkceChallengeEndpoint: string);
-    getCodeChallenge(): Promise<string>;
-}
-/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */
-export declare class GenericPublicClientPKCEProducer implements PKCEProducer {
-    private storage;
-    constructor(storage: AuthStorage);
-    getCodeChallenge(): Promise<string>;
-    getCodeVerifier(): Promise<string | null>;
-}
-/** A PKCE Producer that is expected to run on a browser, and does not need a backend */
-export declare class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {
-    constructor();
-}
-//# sourceMappingURL=PKCE.d.ts.map

package/dist/esm/src/services/PKCE.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"PKCE.d.ts","sourceRoot":"","sources":["../../../../src/services/PKCE.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACtE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,0EAA0E;AAC1E,qBAAa,8BAA+B,YAAW,YAAY;IACrD,OAAO,CAAC,qBAAqB;gBAArB,qBAAqB,EAAE,MAAM;IAC3C,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAO1C;AAED,8GAA8G;AAC9G,qBAAa,+BAAgC,YAAW,YAAY;IACtD,OAAO,CAAC,OAAO;gBAAP,OAAO,EAAE,WAAW;IAIlC,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IASnC,eAAe,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAGhD;AAED,wFAAwF;AACxF,qBAAa,+BAAgC,SAAQ,+BAA+B;;CAInF"}

package/dist/esm/src/services/PKCE.js

@@ -1,44 +0,0 @@
-import { deriveCodeChallenge } from "../shared/lib/util.js";
-import { generateCodeVerifier } from "oslo/oauth2";
-import { LocalStorageAdapter } from "../browser/storage.js";
-import { CodeVerifier } from "../shared/lib/types.js";
-/** A PKCE consumer that retrieves the challenge from a server endpoint */
-export class ConfidentialClientPKCEConsumer {
-    pkceChallengeEndpoint;
-    constructor(pkceChallengeEndpoint) {
-        this.pkceChallengeEndpoint = pkceChallengeEndpoint;
-    }
-    async getCodeChallenge() {
-        const response = await fetch(`${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`);
-        const data = (await response.json());
-        return data.challenge;
-    }
-}
-/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */
-export class GenericPublicClientPKCEProducer {
-    storage;
-    constructor(storage) {
-        this.storage = storage;
-    }
-    // if there is already a verifier, return it,
-    // If not, create a new one and store it
-    async getCodeChallenge() {
-        // let verifier = await this.getCodeVerifier();
-        // if (!verifier) {
-        const verifier = generateCodeVerifier();
-        this.storage.set(CodeVerifier.COOKIE_NAME, verifier);
-        // }
-        return deriveCodeChallenge(verifier);
-    }
-    // if there is already a verifier, return it,
-    async getCodeVerifier() {
-        return this.storage.get(CodeVerifier.COOKIE_NAME);
-    }
-}
-/** A PKCE Producer that is expected to run on a browser, and does not need a backend */
-export class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {
-    constructor() {
-        super(new LocalStorageAdapter());
-    }
-}
-//# sourceMappingURL=PKCE.js.map

package/dist/esm/src/services/PKCE.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"PKCE.js","sourceRoot":"","sources":["../../../../src/services/PKCE.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,0EAA0E;AAC1E,MAAM,OAAO,8BAA8B;IACrB;IAApB,YAAoB,qBAA6B;QAA7B,0BAAqB,GAArB,qBAAqB,CAAQ;IAAG,CAAC;IACrD,KAAK,CAAC,gBAAgB;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,qBAAqB,WAAW,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CACjE,CAAC;QACF,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0B,CAAC;QAC9D,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF;AAED,8GAA8G;AAC9G,MAAM,OAAO,+BAA+B;IACtB;IAApB,YAAoB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE5C,6CAA6C;IAC7C,wCAAwC;IACxC,KAAK,CAAC,gBAAgB;QACpB,+CAA+C;QAC/C,mBAAmB;QACnB,MAAM,QAAQ,GAAG,oBAAoB,EAAE,CAAC;QACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI;QACJ,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IACD,6CAA6C;IAC7C,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;CACF;AAED,wFAAwF;AACxF,MAAM,OAAO,+BAAgC,SAAQ,+BAA+B;IAClF;QACE,KAAK,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;IACnC,CAAC;CACF","sourcesContent":["import { deriveCodeChallenge } from \"@/shared/lib/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport type { AuthStorage } from \"@/types.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n  constructor(private pkceChallengeEndpoint: string) {}\n  async getCodeChallenge(): Promise<string> {\n    const response = await fetch(\n      `${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`,\n    );\n    const data = (await response.json()) as { challenge: string };\n    return data.challenge;\n  }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n  constructor(private storage: AuthStorage) {}\n\n  // if there is already a verifier, return it,\n  // If not, create a new one and store it\n  async getCodeChallenge(): Promise<string> {\n    // let verifier = await this.getCodeVerifier();\n    // if (!verifier) {\n    const verifier = generateCodeVerifier();\n    this.storage.set(CodeVerifier.COOKIE_NAME, verifier);\n    // }\n    return deriveCodeChallenge(verifier);\n  }\n  // if there is already a verifier, return it,\n  async getCodeVerifier(): Promise<string | null> {\n    return this.storage.get(CodeVerifier.COOKIE_NAME);\n  }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n  constructor() {\n    super(new LocalStorageAdapter());\n  }\n}\n"]}

package/dist/esm/src/services/types.d.ts

@@ -1,23 +0,0 @@
-import type { OIDCTokenResponseBody, SessionData } from "../types.js";
-export interface PKCEConsumer {
-    getCodeChallenge(): Promise<string>;
-}
-export interface PKCEProducer extends PKCEConsumer {
-    getCodeVerifier(): Promise<string | null>;
-}
-export interface AuthenticationInitiator {
-    signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;
-    signOut(): Promise<URL>;
-}
-export interface AuthenticationResolver {
-    tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;
-    getSessionData(): Promise<SessionData | null>;
-    validateExistingSession(): Promise<SessionData>;
-}
-export interface AuthenticationRefresher {
-    refreshTokens: () => Promise<OIDCTokenResponseBody>;
-}
-export declare class PopupError extends Error {
-    constructor(message: string);
-}
-//# sourceMappingURL=types.d.ts.map

package/dist/esm/src/services/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/services/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AASrE,MAAM,WAAW,YAAY;IAE3B,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACrC;AAGD,MAAM,WAAW,YAAa,SAAQ,YAAY;IAEhD,eAAe,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC3C;AAGD,MAAM,WAAW,uBAAuB;IAEtC,MAAM,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAG1D,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;CACzB;AAGD,MAAM,WAAW,sBAAsB;IAKrC,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAG3E,cAAc,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAG9C,uBAAuB,IAAI,OAAO,CAAC,WAAW,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,OAAO,CAAC,qBAAqB,CAAC,CAAC;CACrD;AAED,qBAAa,UAAW,SAAQ,KAAK;gBACvB,OAAO,EAAE,MAAM;CAI5B"}

package/dist/esm/src/services/types.js

@@ -1,7 +0,0 @@
-export class PopupError extends Error {
-    constructor(message) {
-        super(message);
-        Object.setPrototypeOf(this, PopupError.prototype);
-    }
-}
-//# sourceMappingURL=types.js.map

package/dist/esm/src/services/types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/services/types.ts"],"names":[],"mappings":"AAgDA,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF","sourcesContent":["import type { OIDCTokenResponseBody, SessionData } from \"@/types.js\";\n\n// A PKCEConsumer can get a code challenge to use in the login process\n// A PKCEProducer can also generate and store verifiers. The producer must also be a consumer in order to get the challenge from an existing flow\n// Examples:\n// - Client-only SPA: The SPA generates the code challenge and verifier, stores the verifier in state and returns the code challenge\n// Note - The SPA should use PKCEProducer instead to do both\n// - Client-side of a client/server app: The client calls the backend to get the challenge.\n// - Server-side: The server should generate a new stored verifier and derive the challenge from it.\nexport interface PKCEConsumer {\n  // Retrieve a new PKCE challenge\n  getCodeChallenge(): Promise<string>;\n}\n\n// All producers are consumers, because the producer can get its own challenge\nexport interface PKCEProducer extends PKCEConsumer {\n  // Retrieve the PKCE challenge from the session if one exists\n  getCodeVerifier(): Promise<string | null>;\n}\n\n// A service that can initiate requests to login or log out\nexport interface AuthenticationInitiator {\n  // trigger a new login\n  signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;\n\n  // trigger a new logout\n  signOut(): Promise<URL>;\n}\n\n// A service that can resolve an authentication request according to the OAuth Auth Code grant types\nexport interface AuthenticationResolver {\n  // Given an auth code, get the tokens from the auth server and store them. works in PKCE and non-PKCE environments\n  // Note, if we choose later to implement other grants, this method would move into a subinterface specifically\n  // for the authorization code grant type.\n  // The return type is just for convenience and can be ignored, as the same data would be provided by getSessionData\n  tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;\n\n  // If the tokens have already been retrieved, return them\n  getSessionData(): Promise<SessionData | null>;\n\n  // If an existing session is found, validate it and return the session data\n  validateExistingSession(): Promise<SessionData>;\n}\n\nexport interface AuthenticationRefresher {\n  refreshTokens: () => Promise<OIDCTokenResponseBody>;\n}\n\nexport class PopupError extends Error {\n  constructor(message: string) {\n    super(message);\n    Object.setPrototypeOf(this, PopupError.prototype);\n  }\n}\n"]}

package/dist/esm/src/shared/components/CivicAuthIframe.d.ts

@@ -1,8 +0,0 @@
-import React from "react";
-type CivicAuthIframeProps = {
-    onLoad?: () => void;
-};
-declare const CivicAuthIframe: React.ForwardRefExoticComponent<CivicAuthIframeProps & React.RefAttributes<HTMLIFrameElement>>;
-export type { CivicAuthIframeProps };
-export { CivicAuthIframe };
-//# sourceMappingURL=CivicAuthIframe.d.ts.map

package/dist/esm/src/shared/components/CivicAuthIframe.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"CivicAuthIframe.d.ts","sourceRoot":"","sources":["../../../../../src/shared/components/CivicAuthIframe.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAqB,MAAM,OAAO,CAAC;AAE1C,KAAK,oBAAoB,GAAG;IAC1B,MAAM,CAAC,EAAE,MAAM,IAAI,CAAC;CACrB,CAAC;AAEF,QAAA,MAAM,eAAe,gGAWpB,CAAC;AAIF,YAAY,EAAE,oBAAoB,EAAE,CAAC;AAErC,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/esm/src/shared/components/CivicAuthIframe.js

@@ -1,9 +0,0 @@
-"use client";
-import { IFRAME_ID } from "../../constants.js";
-import React, { forwardRef } from "react";
-const CivicAuthIframe = forwardRef(({ onLoad }, ref) => {
-    return (React.createElement("iframe", { id: IFRAME_ID, ref: ref, style: { height: "26rem", width: "100%", border: "none" }, onLoad: onLoad }));
-});
-CivicAuthIframe.displayName = "CivicAuthIframe";
-export { CivicAuthIframe };
-//# sourceMappingURL=CivicAuthIframe.js.map

package/dist/esm/src/shared/components/CivicAuthIframe.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"CivicAuthIframe.js","sourceRoot":"","sources":["../../../../../src/shared/components/CivicAuthIframe.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;AACb,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC;AAM1C,MAAM,eAAe,GAAG,UAAU,CAChC,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,EAAE;IAClB,OAAO,CACL,gCACE,EAAE,EAAE,SAAS,EACb,GAAG,EAAE,GAAG,EACR,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EACzD,MAAM,EAAE,MAAM,GACd,CACH,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,eAAe,CAAC,WAAW,GAAG,iBAAiB,CAAC;AAIhD,OAAO,EAAE,eAAe,EAAE,CAAC","sourcesContent":["\"use client\";\nimport { IFRAME_ID } from \"@/constants.js\";\nimport React, { forwardRef } from \"react\";\n\ntype CivicAuthIframeProps = {\n  onLoad?: () => void;\n};\n\nconst CivicAuthIframe = forwardRef<HTMLIFrameElement, CivicAuthIframeProps>(\n  ({ onLoad }, ref) => {\n    return (\n      <iframe\n        id={IFRAME_ID}\n        ref={ref}\n        style={{ height: \"26rem\", width: \"100%\", border: \"none\" }}\n        onLoad={onLoad}\n      />\n    );\n  },\n);\n\nCivicAuthIframe.displayName = \"CivicAuthIframe\";\n\nexport type { CivicAuthIframeProps };\n\nexport { CivicAuthIframe };\n"]}

package/dist/esm/src/shared/components/CivicAuthIframeContainer.d.ts

@@ -1,9 +0,0 @@
-import React from "react";
-type CivicAuthIframeContainerProps = {
-    onClose?: () => void;
-    closeOnRedirect?: boolean;
-};
-declare const CivicAuthIframeContainer: ({ onClose, closeOnRedirect, }: CivicAuthIframeContainerProps) => React.JSX.Element;
-export type { CivicAuthIframeContainerProps };
-export { CivicAuthIframeContainer };
-//# sourceMappingURL=CivicAuthIframeContainer.d.ts.map

package/dist/esm/src/shared/components/CivicAuthIframeContainer.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"CivicAuthIframeContainer.d.ts","sourceRoot":"","sources":["../../../../../src/shared/components/CivicAuthIframeContainer.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAmD,MAAM,OAAO,CAAC;AAOxE,KAAK,6BAA6B,GAAG;IACnC,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B,CAAC;AAuEF,QAAA,MAAM,wBAAwB,kCAG3B,6BAA6B,sBAuG/B,CAAC;AAEF,YAAY,EAAE,6BAA6B,EAAE,CAAC;AAE9C,OAAO,EAAE,wBAAwB,EAAE,CAAC"}