@civic/auth 0.0.1-beta.3 → 0.0.1-beta.30

package/dist/chunk-AM2Y662I.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-AM2Y662I.js","../src/shared/types.ts","../src/shared/util.ts","../src/lib/oauth.ts","../src/utils.ts","../src/lib/jwt.ts","../src/shared/UserSession.ts","../src/shared/session.ts","../src/constants.ts","../src/browser/storage.ts","../src/services/PKCE.ts","../src/services/AuthenticationService.ts","../src/services/types.ts","../src/lib/windowUtil.ts","../src/lib/postMessage.ts"],"names":["OAuthTokens","OAuth2Client","window","localStorage"],"mappings":"AAAA;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACNO,IAAK,YAAA,kBAAL,CAAA,CAAKA,YAAAA,EAAAA,GAAL;AACL,EAAAA,YAAAA,CAAA,UAAA,EAAA,EAAW,UAAA;AACX,EAAAA,YAAAA,CAAA,cAAA,EAAA,EAAe,cAAA;AACf,EAAAA,YAAAA,CAAA,eAAA,EAAA,EAAgB,eAAA;AAHN,EAAA,OAAAA,YAAAA;AAAA,CAAA,CAAA,CAAA,YAAA,GAAA,CAAA,CAAA,CAAA;ADaZ;AACA;AEHA,qCAA6B;AFK7B;AACA;AGhBA,4BAA2B;AAE3B,IAAM,oBAAA,EAAsB,CAAC,MAAA,EAAA,GAA6B;AACxD,EAAA,MAAM,mBAAA,EAAqB,MAAA,CAAO,QAAA,CAAS,GAAG,EAAA,EAC1C,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,MAAA,CAAO,OAAA,EAAS,CAAC,EAAA,EACjC,MAAA;AAEJ,EAAA,MAAM,gBAAA,EAAkB,CAAA,EAAA;AAEhB,EAAA;AACV;AAE0B;AAGO;AACzB,EAAA;AACgB,IAAA;AACtB,EAAA;AAEG,EAAA;AACI,EAAA;AACc,IAAA;AACA,IAAA;AACC,IAAA;AACG,IAAA;AACzB,EAAA;AACF;AAQE;AAGwB,EAAA;AACX,IAAA;AACX,IAAA;AAC0B,EAAA;AAEN,EAAA;AACxB;AAQ6B;AAIvB,EAAA;AACiB,IAAA;AACD,IAAA;AACZ,EAAA;AACQ,IAAA;AACP,IAAA;AACT,EAAA;AACF;AAEM;AACA,EAAA;AACiB,IAAA;AACD,IAAA;AACZ,EAAA;AACQ,IAAA;AACP,IAAA;AACT,EAAA;AACF;AHZ2B;AACA;AElDL;AFoDK;AACA;AIlEW;AACd;AAkCgB;AAClB,EAAA;AACtB;AAWE;AAEgB,EAAA;AAEO,EAAA;AACJ,IAAA;AAIe,MAAA;AAChC,IAAA;AACF,EAAA;AAEO,EAAA;AACT;AJmB2B;AACA;AKhFd;AAIM,EAAA;AACb,IAAA;AACA,IAAA;AACW,MAAA;AACI,MAAA;AACC,MAAA;AAChB,IAAA;AACD,EAAA;AACH;AL+EyB;AACA;AMrFpB;AACsC,EAAA;AAAtB,IAAA;AAAuB,EAAA;AAEzB,EAAA;AACC,IAAA;AACC,IAAA;AACrB,EAAA;AAE6B,EAAA;AACrB,IAAA;AAGe,IAAA;AACR,IAAA;AACf,EAAA;AACF;ANqF2B;AACA;AEzFL;AAGH,EAAA;AACF,IAAA;AACA,MAAA;AACN,MAAA;AACT,IAAA;AAEoB,IAAA;AACC,IAAA;AACA,IAAA;AACF,IAAA;AAIrB,EAAA;AAAA;AAEsB;AAGpB,EAAA;AACkB,IAAA;AACX,IAAA;AAIT,EAAA;AAAA;AAEsB;AAUL,EAAA;AACG,IAAA;AACT,MAAA;AACA,MAAA;AACT,IAAA;AACqB,IAAA;AACZ,MAAA;AACA,MAAA;AACP,MAAA;AACF,IAAA;AACkB,IAAA;AACK,IAAA;AACP,MAAA;AACC,MAAA;AAChB,IAAA;AAGqB,IAAA;AACA,IAAA;AACJ,IAAA;AAEP,MAAA;AACX,IAAA;AAEsB,IAAA;AAEV,IAAA;AACL,IAAA;AACT,EAAA;AAAA;AAEsB;AAOL,EAAA;AAEA,IAAA;AACjB,EAAA;AAAA;AAGE;AAIwB,EAAA;AACT,IAAA;AACd,EAAA;AACH;AAGE;AAMA,EAAA;AACqB,IAAA;AACF,IAAA;AAGX,IAAA;AACJ,MAAA;AACD,IAAA;AAGC,IAAA;AACI,MAAA;AACQ,IAAA;AACA,MAAA;AACJ,MAAA;AACR,QAAA;AACF,MAAA;AACF,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAGE;AAIQ,EAAA;AACA,EAAA;AACG,EAAA;AACD,IAAA;AACZ;AAE4B;AACD,EAAA;AACD,IAAA;AACvB,EAAA;AACM,EAAA;AACiB,IAAA;AACvB,EAAA;AACH;AAC0B;AACA,EAAA;AACJ,EAAA;AACtB;AAGE;AAEwB,EAAA;AACJ,EAAA;AACC,EAAA;AAEJ,EAAA;AAEV,EAAA;AACK,IAAA;AACI,IAAA;AACC,IAAA;AACjB,EAAA;AACF;AAEsB;AAKG,EAAA;AACL,IAAA;AAGZ,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACE,QAAA;AACZ,MAAA;AACF,IAAA;AAGM,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACV,MAAA;AACF,IAAA;AAEO,IAAA;AACK,MAAA;AACI,MAAA;AACC,MAAA;AAChB,IAAA;AACH,EAAA;AAAA;AFwB2B;AACA;AO7OF;AAGiD;AAAA,EAAA;AAJ1E,IAAA;AAKiB,IAAA;AACK,IAAA;AAGZ,IAAA;AACV,EAAA;AAAA;AP8O2B;AACA;AQzPJ;AACrB,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACF;AACkB;AAEU;AAEtB;AAIA;AAEA;ARqPqB;AACA;ASrQpB;AACoB,EAAA;AACH,IAAA;AACtB,EAAA;AAEsC,EAAA;AACf,IAAA;AACvB,EAAA;AACF;ATsQ2B;AACA;AUhRlB;AAOI;AACS,EAAA;AAAA,IAAA;AAAgC,EAAA;AACV,EAAA;AAAA,IAAA;AACvB,MAAA;AACP,QAAA;AACV,MAAA;AACoB,MAAA;AACR,MAAA;AACd,IAAA;AAAA,EAAA;AACF;AAGa;AAC+B,EAAA;AAAtB,IAAA;AAAuB,EAAA;AAAA;AAAA;AAID,EAAA;AAAA,IAAA;AAGvB,MAAA;AACJ,MAAA;AAEN,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAEgD,EAAA;AAAA,IAAA;AAC1B,MAAA;AACtB,IAAA;AAAA,EAAA;AACF;AAGa;AACG,EAAA;AACF,IAAA;AACZ,EAAA;AACF;AV8Q2B;AACA;AWrSlBC;AXuSkB;AACA;AY9Qd;AACkB,EAAA;AACd,IAAA;AACS,IAAA;AACxB,EAAA;AACF;AZgR2B;AACA;AatUDC;AAA1B,EAAA;AACwB,EAAA;AAEhB,IAAA;AACEA,MAAAA;AACK,QAAA;AACT,MAAA;AAEW,IAAA;AAEJ,MAAA;AACT,IAAA;AACF,EAAA;AACO,EAAA;AACT;AAEM;AACgB,EAAA;AACI,EAAA;AACL,IAAA;AAClB,EAAA;AACG,EAAA;AACa,IAAA;AACD,EAAA;AACD,IAAA;AACf,EAAA;AACF;AbqU2B;AACA;Ac9VrB;AAIc,EAAA;AACO,EAAA;AAEZ,EAAA;AAOJ,IAAA;AACT,EAAA;AACO,EAAA;AACT;AdsV2B;AACA;AWnTd;AAmB6B,EAAA;AAlBhC,IAAA;AAmBQ,IAAA;AACF,IAAA;AACd,EAAA;AAEM,EAAA;AAA+C,IAAA;AAC3C,MAAA;AACN,QAAA;AACA,QAAA;AACF,MAAA;AACgB,MAAA;AAClB,IAAA;AAAA,EAAA;AAAA;AAAA;AAIgE,EAAA;AAAA,IAAA;AAC5C,MAAA;AAEb,MAAA;AACa,QAAA;AAED,QAAA;AAGR,UAAA;AACS,YAAA;AACZ,YAAA;AACF,UAAA;AACM,UAAA;AACM,UAAA;AACP,UAAA;AACP,QAAA;AACF,MAAA;AACO,MAAA;AACS,MAAA;AACT,QAAA;AACa,UAAA;AACR,QAAA;AACZ,MAAA;AACgB,MAAA;AACE,QAAA;AAClB,MAAA;AACgB,MAAA;AACV,QAAA;AACI,UAAA;AACM,UAAA;AACP,UAAA;AACO,YAAA;AACZ,UAAA;AACc,QAAA;AACA,UAAA;AACJ,UAAA;AACR,YAAA;AACF,UAAA;AACF,QAAA;AACF,MAAA;AACO,MAAA;AACT,IAAA;AAAA,EAAA;AAE8B,EAAA;AAAA,IAAA;AACtBC,MAAAA;AACMA,MAAAA;AACFA,MAAAA;AAGQ,MAAA;AACX,MAAA;AACT,IAAA;AAAA,EAAA;AAEU,EAAA;AACC,IAAA;AACA,MAAA;AACT,IAAA;AACF,EAAA;AACF;AAMa;AAc6B,EAAA;AACxB,IAAA;AACF,IAAA;AACV,MAAA;AACD,IAAA;AACH,EAAA;AAAA;AAAA;AAI6B,EAAA;AAAA,IAAA;AACpB,MAAA;AACT,IAAA;AAAA,EAAA;AAE8B,EAAA;AAAA,IAAA;AACrB,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AAea;AAAoE;AAQnE,EAAA;AAEE,IAAA;AACV,MAAA;AACD,IAAA;AACK,IAAA;AAEiB,MAAA;AAAkB;AAEzB,MAAA;AACf,IAAA;AAVS,IAAA;AAWZ,EAAA;AAAA;AAAA;AAAA;AAK4B,EAAA;AAAA,IAAA;AAET,MAAA;AACH,QAAA;AACA,QAAA;AACd,MAAA;AACoB,MAAA;AACN,QAAA;AACG,QAAA;AACA,QAAA;AACf,QAAA;AACe,UAAA;AACf,QAAA;AACF,MAAA;AAEO,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAOE,EAAA;AACgC,IAAA;AACtB,MAAA;AACW,MAAA;AACF,MAAA;AAGE,MAAA;AACnB,QAAA;AACA,QAAA;AACK,QAAA;AACA,QAAA;AAAA;AACO,QAAA;AACP,QAAA;AAAA;AACP,MAAA;AAEgB,MAAA;AAGV,MAAA;AACJ,QAAA;AACY,QAAA;AACd,MAAA;AAEI,MAAA;AAEW,QAAA;AACf,MAAA;AAEA,MAAA;AACO,MAAA;AACT,IAAA;AAAA,EAAA;AAAA;AAGoD,EAAA;AAAA,IAAA;AAC9B,MAAA;AAEF,MAAA;AAEX,MAAA;AACY,QAAA;AACR,QAAA;AACI,QAAA;AACC,QAAA;AAChB,MAAA;AACF,IAAA;AAAA,EAAA;AAEM,EAAA;AAAgD,IAAA;AAChD,MAAA;AACI,QAAA;AACD,QAAA;AACG,UAAA;AACU,UAAA;AACT,UAAA;AACT,QAAA;AACU,QAAA;AAGJ,QAAA;AACJ,UAAA;AACgB,YAAA;AACJ,YAAA;AACK,YAAA;AACjB,UAAA;AACK,UAAA;AACA,UAAA;AACO,UAAA;AACd,QAAA;AACO,QAAA;AACO,MAAA;AACD,QAAA;AACP,QAAA;AACW,UAAA;AACjB,QAAA;AACgB,QAAA;AACT,QAAA;AACT,MAAA;AACF,IAAA;AAAA,EAAA;AAImC,EAAA;AAAA,IAAA;AACZ,MAAA;AACD,MAAA;AAEb,MAAA;AACT,IAAA;AAAA,EAAA;AACF;AX8O2B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-AM2Y662I.js","sourcesContent":[null,"export enum OAuthTokens {\n  ID_TOKEN = \"id_token\",\n  ACCESS_TOKEN = \"access_token\",\n  REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum CodeVerifier {\n  COOKIE_NAME = \"code_verifier\",\n  APP_URL = \"app_url\",\n}\nexport enum UserStorage {\n  USER = \"user\",\n}\nexport interface CookieConfig {\n  secure?: boolean;\n  sameSite?: \"strict\" | \"lax\" | \"none\";\n  domain?: string;\n  path?: string;\n  maxAge?: number;\n  httpOnly?: boolean;\n}\n\nexport type TokensCookieConfig = Record<\n  OAuthTokens | CodeVerifier,\n  CookieConfig\n>;\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n  AuthStorage,\n  Endpoints,\n  JWTPayload,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport { CodeVerifier, OAuthTokens } from \"./types\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"./UserSession\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n) {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  nonce?: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  if (config.nonce) {\n    // nonce isn't supported by oslo, so we add it manually\n    oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n  }\n  // Required by the auth server for offline_access scope\n  oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n  console.log(\"Generated OAuth URL\", oAuthUrl.toString());\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  // TODO\n  return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n    redirectURI: redirectUri,\n  });\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n\n  return tokens;\n}\n\nexport function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n  storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n  storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token)\n    storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n  Object.values(OAuthTokens).forEach((cookie) => {\n    storage.set(cookie, \"\");\n  });\n  Object.values(CodeVerifier.COOKIE_NAME).forEach((cookie) => {\n    storage.set(cookie, \"\");\n  });\n}\nexport function clearUser(storage: AuthStorage) {\n  const userSession = new GenericUserSession(storage);\n  userSession.set(null);\n}\n\nexport function retrieveTokens(\n  storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n  const idToken = storage.get(OAuthTokens.ID_TOKEN);\n  const accessToken = storage.get(OAuthTokens.ACCESS_TOKEN);\n  const refreshToken = storage.get(OAuthTokens.REFRESH_TOKEN);\n\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n  };\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  issuer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n  const issuerWithoutSlash = issuer.endsWith(\"/\")\n    ? issuer.slice(0, issuer.length - 1)\n    : issuer;\n\n  const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n  return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n  url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n  const openIdConfigResponse = await fetch(\n    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n  );\n  const openIdConfig =\n    (await openIdConfigResponse.json()) as OpenIdConfiguration;\n  return {\n    jwks: openIdConfig.jwks_uri,\n    auth: openIdConfig.authorization_endpoint,\n    token: openIdConfig.token_endpoint,\n    userinfo: openIdConfig.userinfo_endpoint,\n  };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (\n  displayMode: DisplayMode,\n  serverTokenExchange?: boolean,\n): string => {\n  const jsonString = JSON.stringify({\n    uuid: uuid(),\n    displayMode,\n    ...(serverTokenExchange ? { serverTokenExchange } : {}),\n  });\n  return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n  state: string,\n  sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n  try {\n    const jsonString = atob(state);\n    return JSON.parse(jsonString).displayMode;\n  } catch {\n    console.error(\"Failed to parse displayMode from state:\", state);\n    return sessionDisplayMode;\n  }\n};\n\nconst serverTokenExchangeFromState = (state: string): boolean | undefined => {\n  try {\n    const jsonString = atob(state);\n    return JSON.parse(jsonString).serverTokenExchange;\n  } catch {\n    console.error(\"Failed to parse serverTokenExchange from state:\", state);\n    return undefined;\n  }\n};\n\nexport {\n  serverTokenExchangeFromState,\n  getIssuerVariations,\n  getOauthEndpoints,\n  displayModeFromState,\n  generateState,\n};\n","import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n  // First we try to open a small popup window. It either returns a window object or null.\n  const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n  // If window.open() returns null, popup is definitely blocked\n  if (!popup) {\n    return true;\n  }\n\n  try {\n    // Try to access a property of the popup to check if it's usable\n    if (typeof popup.closed === \"undefined\") {\n      throw new Error(\"Popup is blocked\");\n    }\n  } catch {\n    // Accessing the popup's properties throws an error if the popup is blocked\n    return true;\n  }\n\n  // Close the popup immediately if it was opened\n  popup.close();\n  return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n  return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n  [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n  obj: T,\n): WithoutUndefined<T> => {\n  const result = {} as WithoutUndefined<T>;\n\n  for (const key in obj) {\n    if (obj[key] !== undefined) {\n      // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n      // We use type assertion here\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      (result as any)[key] = obj[key];\n    }\n  }\n\n  return result;\n};\n\nexport { cn, isPopupBlocked };\n","import { ForwardedTokens, ForwardedTokensJWT } from \"@/types.js\";\n\nexport const convertForwardedTokenFormat = (\n  inputTokens: ForwardedTokensJWT,\n): ForwardedTokens =>\n  Object.fromEntries(\n    Object.entries(inputTokens).map(([source, tokens]) => [\n      source,\n      {\n        idToken: tokens?.id_token,\n        accessToken: tokens?.access_token,\n        refreshToken: tokens?.refresh_token,\n      },\n    ]),\n  );\n","import { AuthStorage, ForwardedTokensJWT, User } from \"@/types\";\nimport { UserStorage } from \"./types\";\nimport { convertForwardedTokenFormat } from \"@/lib/jwt\";\n\nexport interface UserSession {\n  get(): User | null;\n  set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n  constructor(readonly storage: AuthStorage) {}\n\n  get(): User | null {\n    const user = this.storage.get(UserStorage.USER);\n    return user ? JSON.parse(user) : null;\n  }\n\n  set(user: User | null): void {\n    const forwardedTokens = user?.forwardedTokens\n      ? convertForwardedTokenFormat(user?.forwardedTokens as ForwardedTokensJWT)\n      : null;\n    const value = user ? JSON.stringify({ ...user, forwardedTokens }) : \"\";\n    this.storage.set(UserStorage.USER, value);\n  }\n}\n","import { retrieveTokens } from \"@/shared/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport { AuthStorage, User } from \"@/types.js\";\n\nexport async function getUser(storage: AuthStorage): Promise<User | null> {\n  const tokens = retrieveTokens(storage);\n  if (!tokens) return null;\n\n  // Assumes all information is in the ID token\n  return (parseJWT(tokens.id_token)?.payload as User) ?? null;\n}\n","const DEFAULT_SCOPES = [\n  \"openid\",\n  \"profile\",\n  \"email\",\n  \"forwardedTokens\",\n  \"offline_access\",\n];\nconst IFRAME_ID = \"civic-auth-iframe\";\n\nconst DEFAULT_AUTH_SERVER = \"https://auth.civic.com/oauth\";\n\nconst DEFAULT_OAUTH_GET_PARAMS = [\"code\", \"state\", \"iss\"];\n\n// The server's callback handler renders this text if it needs the front-end to make an additional token exchange call,\n// for the iframe case where cookies are not sent along with the initial redirect.\nconst TOKEN_EXCHANGE_TRIGGER_TEXT = \"sameDomainCodeExchangeRequired\";\n\nconst TOKEN_EXCHANGE_SUCCESS_TEXT = \"serverSideTokenExchangeSuccess\";\n\nconst DEFAULT_DISPLAY_MODE = \"iframe\";\nexport {\n  DEFAULT_SCOPES,\n  DEFAULT_OAUTH_GET_PARAMS,\n  DEFAULT_DISPLAY_MODE,\n  IFRAME_ID,\n  DEFAULT_AUTH_SERVER,\n  TOKEN_EXCHANGE_TRIGGER_TEXT,\n  TOKEN_EXCHANGE_SUCCESS_TEXT,\n};\n","import { AuthStorage } from \"@/types\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n  get(key: string): string {\n    return localStorage.getItem(key) || \"\";\n  }\n\n  set(key: string, value: string): void {\n    localStorage.setItem(key, value);\n  }\n}\n","import { deriveCodeChallenge } from \"@/shared/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.ts\";\nimport { AuthStorage } from \"@/types\";\nimport { CodeVerifier } from \"@/shared/types\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n  constructor(private pkceChallengeEndpoint: string) {}\n  async getCodeChallenge(): Promise<string> {\n    const response = await fetch(\n      `${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`,\n    );\n    const data = (await response.json()) as { challenge: string };\n    return data.challenge;\n  }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n  constructor(private storage: AuthStorage) {}\n\n  // if there is already a verifier, return it,\n  // If not, create a new one and store it\n  async getCodeChallenge(): Promise<string> {\n    // let verifier = await this.getCodeVerifier();\n    // if (!verifier) {\n    const verifier = generateCodeVerifier();\n    this.storage.set(CodeVerifier.COOKIE_NAME, verifier);\n    // }\n    return deriveCodeChallenge(verifier);\n  }\n  // if there is already a verifier, return it,\n  async getCodeVerifier(): Promise<string | null> {\n    return this.storage.get(CodeVerifier.COOKIE_NAME);\n  }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n  constructor() {\n    super(new LocalStorageAdapter());\n  }\n}\n","// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport {\n  DisplayMode,\n  Endpoints,\n  LoginPostMessage,\n  OIDCTokenResponseBody,\n  SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n  clearTokens,\n  clearUser,\n  exchangeTokens,\n  generateOauthLoginUrl,\n  generateOauthLogoutUrl,\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n  validateOauth2Tokens,\n} from \"@/shared/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport {\n  AuthenticationInitiator,\n  AuthenticationResolver,\n  PKCEConsumer,\n  PopupError,\n} from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants\";\nimport { validateLoginAppPostMessage } from \"@/lib/postMessage\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n *   ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n *  pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n *  ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n  private postMessageHandler: null | ((event: MessageEvent) => void) = null;\n\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n    displayMode: DisplayMode;\n    oauthServer: string;\n    // the endpoints to use for the login (if not obtained from the auth server\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n    // the nonce to use for the login\n    nonce?: string;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n    console.log(\"BrowserAuthenticationInitiator constructor\", this.config);\n  }\n\n  async handleLoginAppPopupFailed(redirectUrl: string) {\n    console.warn(\n      \"Login app popup failed open a popup, using redirect mode instead...\",\n      redirectUrl,\n    );\n    window.location.href = redirectUrl;\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and then use the display mode to decide how to send the user there\n  async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n    const url = await generateOauthLoginUrl(this.config);\n\n    this.postMessageHandler = (event: MessageEvent) => {\n      const thisURL = new URL(window.location.href);\n      if (\n        event.origin.endsWith(\"civic.com\") ||\n        thisURL.hostname === \"localhost\"\n      ) {\n        if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {\n          console.log(\"Received invalid message from login app\", event.data);\n          return;\n        }\n        const loginMessage = event.data as LoginPostMessage;\n        console.log(\"Received message from login app\", event.data);\n        this.handleLoginAppPopupFailed(loginMessage.data.url);\n      }\n    };\n    window.addEventListener(\"message\", this.postMessageHandler);\n    if (this.config.displayMode === \"iframe\") {\n      if (!iframeRef)\n        throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n      iframeRef.setAttribute(\"src\", url.toString());\n    }\n    if (this.config.displayMode === \"redirect\") {\n      window.location.href = url.toString();\n    }\n    if (this.config.displayMode === \"new_tab\") {\n      try {\n        const popupWindow = window.open(url.toString(), \"_blank\");\n        console.log(\"signIn\", popupWindow);\n        if (!popupWindow) {\n          throw new PopupError(\"Failed to open popup window\");\n        }\n      } catch (error) {\n        console.error(\"popupWindow\", error);\n        throw new PopupError(\n          \"window.open has thrown: Failed to open popup window\",\n        );\n      }\n    }\n    return url;\n  }\n\n  async signOut(): Promise<URL> {\n    const localStorage = new LocalStorageAdapter();\n    clearTokens(localStorage);\n    clearUser(localStorage);\n    // TODO open the iframe or new tab etc: the logout URL is not currently\n    // supported by on the oauth, so just clear state until then\n    const url = await generateOauthLogoutUrl(this.config);\n    return url;\n  }\n\n  cleanup() {\n    if (this.postMessageHandler) {\n      window.removeEventListener(\"message\", this.postMessageHandler);\n    }\n  }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    oauthServer: string;\n    nonce?: string;\n    // the endpoints to use for the login (if not obtained from the auth server)\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n    console.log(\"GenericAuthenticationInitiator constructor\", {\n      config,\n    });\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and simply return the url\n  async signIn(): Promise<URL> {\n    return generateOauthLoginUrl(this.config);\n  }\n\n  async signOut(): Promise<URL> {\n    return generateOauthLogoutUrl(this.config);\n  }\n}\n\ntype BrowserAuthenticationConfig = {\n  clientId: string;\n  redirectUrl: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  // TODO WIP - perhaps we want to keep resolver and initiator separate here\n  constructor(\n    config: BrowserAuthenticationConfig,\n    // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n    protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n  ) {\n    console.log(\"BrowserAuthenticationService constructor\", {\n      config,\n    });\n    super({\n      ...config,\n      state: generateState(config.displayMode),\n      // Store and retrieve the PKCE challenge in local storage\n      pkceConsumer: pkceProducer,\n    });\n  }\n\n  // TODO too much code duplication here between the browser and the server variant.\n  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n  // function for generating an oauth2client from it\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.config.oauthServer,\n      this.config.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.config.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.config.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  // Two responsibilities:\n  // 1. resolve the auth code to get the tokens (should use library code)\n  // 2. store the tokens in local storage\n  async tokenExchange(\n    code: string,\n    state: string,\n  ): Promise<OIDCTokenResponseBody> {\n    if (!this.oauth2client) await this.init();\n    const codeVerifier = await this.pkceProducer.getCodeVerifier();\n    if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n    // exchange auth code for tokens\n    const tokens = await exchangeTokens(\n      code,\n      state,\n      this.pkceProducer,\n      this.oauth2client!, // clean up types here to avoid the ! operator\n      this.config.oauthServer,\n      this.endpoints!, // clean up types here to avoid the ! operator\n    );\n\n    storeTokens(new LocalStorageAdapter(), tokens);\n\n    // cleanup the browser window if needed\n    const parsedDisplayMode = displayModeFromState(\n      state,\n      this.config.displayMode,\n    );\n\n    if (parsedDisplayMode === \"new_tab\") {\n      // Close the popup window\n      window.close();\n    }\n    // these are the default oAuth params that get added to the URL in redirect which we want to remove if present\n    removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n    return tokens;\n  }\n\n  // Get the session data from local storage\n  async getSessionData(): Promise<SessionData | null> {\n    const storageData = retrieveTokens(new LocalStorageAdapter());\n\n    if (!storageData) return null;\n\n    return {\n      authenticated: !!storageData.id_token,\n      idToken: storageData.id_token,\n      accessToken: storageData.access_token,\n      refreshToken: storageData.refresh_token,\n    };\n  }\n\n  async validateExistingSession(): Promise<SessionData> {\n    try {\n      const sessionData = await this.getSessionData();\n      if (!sessionData?.idToken || !sessionData.accessToken) {\n        const unAuthenticatedSession = { ...sessionData, authenticated: false };\n        clearTokens(new LocalStorageAdapter());\n        return unAuthenticatedSession;\n      }\n      if (!this.endpoints || !this.oauth2client) await this.init();\n\n      // this function will throw if any of the tokens are invalid\n      await validateOauth2Tokens(\n        {\n          access_token: sessionData.accessToken,\n          id_token: sessionData.idToken,\n          refresh_token: sessionData.refreshToken,\n        },\n        this.endpoints!,\n        this.oauth2client!,\n        this.config.oauthServer,\n      );\n      return sessionData;\n    } catch (error) {\n      console.warn(\"Failed to validate existing tokens\", error);\n      const unAuthenticatedSession = {\n        authenticated: false,\n      };\n      clearTokens(new LocalStorageAdapter());\n      return unAuthenticatedSession;\n    }\n  }\n\n  static async build(\n    config: BrowserAuthenticationConfig,\n  ): Promise<AuthenticationResolver> {\n    const resolver = new BrowserAuthenticationService(config);\n    await resolver.init();\n\n    return resolver;\n  }\n}\n","import { OIDCTokenResponseBody, SessionData } from \"@/types.js\";\n\n// A PKCEConsumer can get a code challenge to use in the login process\n// A PKCEProducer can also generate and store verifiers. The producer must also be a consumer in order to get the challenge from an existing flow\n// Examples:\n// - Client-only SPA: The SPA generates the code challenge and verifier, stores the verifier in state and returns the code challenge\n// Note - The SPA should use PKCEProducer instead to do both\n// - Client-side of a client/server app: The client calls the backend to get the challenge.\n// - Server-side: The server should generate a new stored verifier and derive the challenge from it.\nexport interface PKCEConsumer {\n  // Retrieve a new PKCE challenge\n  getCodeChallenge(): Promise<string>;\n}\n\n// All producers are consumers, because the producer can get its own challenge\nexport interface PKCEProducer extends PKCEConsumer {\n  // Retrieve the PKCE challenge from the session if one exists\n  getCodeVerifier(): Promise<string | null>;\n}\n\n// A service that can initiate requests to login or log out\nexport interface AuthenticationInitiator {\n  // trigger a new login\n  signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;\n\n  // trigger a new logout\n  signOut(): Promise<URL>;\n}\n\n// A service that can resolve an authentication request according to the OAuth Auth Code grant types\nexport interface AuthenticationResolver {\n  // Given an auth code, get the tokens from the auth server and store them. works in PKCE and non-PKCE environments\n  // Note, if we choose later to implement other grants, this method would move into a subinterface specifically\n  // for the authorization code grant type.\n  // The return type is just for convenience and can be ignored, as the same data would be provided by getSessionData\n  tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;\n\n  // If the tokens have already been retrieved, return them\n  getSessionData(): Promise<SessionData | null>;\n\n  // If an existing session is found, validate it and return the session data\n  validateExistingSession(): Promise<SessionData>;\n}\n\nexport interface AuthenticationRefresher {\n  refreshTokens: () => Promise<OIDCTokenResponseBody>;\n}\n\nexport class PopupError extends Error {\n  constructor(message: string) {\n    super(message);\n    Object.setPrototypeOf(this, PopupError.prototype);\n  }\n}\n","const isWindowInIframe = (window: Window): boolean => {\n  if (typeof window !== \"undefined\") {\n    // use the window width to determine if we're in an iframe or not\n    try {\n      if (window?.frameElement?.id === \"civic-auth-iframe\") {\n        return true;\n      }\n      // eslint-disable-next-line @typescript-eslint/no-unused-vars\n    } catch (_e) {\n      // If we get an error, we're not in an iframe\n      return false;\n    }\n  }\n  return false;\n};\n\nconst removeParamsWithoutReload = (paramsToRemove: string[]) => {\n  const url = new URL(window.location.href);\n  paramsToRemove.forEach((param: string) => {\n    url.searchParams.delete(param);\n  });\n  try {\n    window.history.replaceState({}, \"\", url);\n  } catch (error) {\n    console.warn(\"window.history.replaceState failed\", error);\n  }\n};\n\nexport { isWindowInIframe, removeParamsWithoutReload };\n","import { LoginPostMessage } from \"@/types\";\n\nconst validateLoginAppPostMessage = (\n  event: LoginPostMessage,\n  clientId: string,\n): boolean => {\n  const caseEvent = event as LoginPostMessage;\n  console.log(\"caseEvent\", caseEvent);\n  if (\n    !caseEvent.clientId ||\n    !caseEvent.data.url ||\n    !caseEvent.source ||\n    !caseEvent.type ||\n    caseEvent.clientId !== clientId ||\n    caseEvent.source !== \"civicloginApp\"\n  ) {\n    return false;\n  }\n  return true;\n};\n\nexport { validateLoginAppPostMessage };\n"]}

package/dist/chunk-AP4627CS.mjs

@@ -0,0 +1,223 @@
+import {
+  DEFAULT_AUTH_SERVER,
+  DEFAULT_SCOPES,
+  GenericAuthenticationInitiator,
+  GenericPublicClientPKCEProducer,
+  exchangeTokens,
+  getEndpointsWithOverrides,
+  retrieveTokens,
+  storeTokens
+} from "./chunk-4PLCDPEN.mjs";
+import {
+  __async,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
+
+// src/shared/storage.ts
+var DEFAULT_COOKIE_DURATION = 60 * 15;
+var CookieStorage = class {
+  constructor(settings = {}) {
+    var _a, _b, _c, _d, _e;
+    this.settings = {
+      httpOnly: (_a = settings.httpOnly) != null ? _a : true,
+      secure: (_b = settings.secure) != null ? _b : true,
+      // the callback request comes the auth server
+      // 'lax' ensures the code_verifier cookie is sent with the request
+      sameSite: (_c = settings.sameSite) != null ? _c : "lax",
+      expires: (_d = settings.expires) != null ? _d : new Date(Date.now() + 1e3 * DEFAULT_COOKIE_DURATION),
+      path: (_e = settings.path) != null ? _e : "/"
+    };
+  }
+};
+
+// src/server/ServerAuthenticationResolver.ts
+import { OAuth2Client } from "oslo/oauth2";
+var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
+  constructor(authConfig, storage, endpointOverrides) {
+    this.authConfig = authConfig;
+    this.storage = storage;
+    this.endpointOverrides = endpointOverrides;
+    console.log("ServerAuthenticationResolver constructor", {
+      authConfig,
+      storage,
+      endpointOverrides
+    });
+    this.pkceProducer = new GenericPublicClientPKCEProducer(storage);
+  }
+  validateExistingSession() {
+    throw new Error("Method not implemented.");
+  }
+  init() {
+    return __async(this, null, function* () {
+      this.endpoints = yield getEndpointsWithOverrides(
+        this.authConfig.oauthServer,
+        this.endpointOverrides
+      );
+      this.oauth2client = new OAuth2Client(
+        this.authConfig.clientId,
+        this.endpoints.auth,
+        this.endpoints.token,
+        {
+          redirectURI: this.authConfig.redirectUrl
+        }
+      );
+      return this;
+    });
+  }
+  tokenExchange(code, state) {
+    return __async(this, null, function* () {
+      if (!this.oauth2client) yield this.init();
+      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
+      if (!codeVerifier) throw new Error("Code verifier not found in storage");
+      const tokens = yield exchangeTokens(
+        code,
+        state,
+        this.pkceProducer,
+        this.oauth2client,
+        // clean up types here to avoid the ! operator
+        this.authConfig.oauthServer,
+        this.endpoints
+        // clean up types here to avoid the ! operator
+      );
+      storeTokens(this.storage, tokens);
+      return tokens;
+    });
+  }
+  getSessionData() {
+    return __async(this, null, function* () {
+      const storageData = retrieveTokens(this.storage);
+      if (!storageData) return null;
+      return {
+        authenticated: !!storageData.id_token,
+        idToken: storageData.id_token,
+        accessToken: storageData.access_token,
+        refreshToken: storageData.refresh_token
+      };
+    });
+  }
+  static build(authConfig, storage, endpointOverrides) {
+    return __async(this, null, function* () {
+      const resolver = new _ServerAuthenticationResolver(
+        authConfig,
+        storage,
+        endpointOverrides
+      );
+      yield resolver.init();
+      return resolver;
+    });
+  }
+};
+
+// src/server/login.ts
+function resolveOAuthAccessCode(code, state, storage, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const authSessionService = yield ServerAuthenticationResolver.build(
+      __spreadProps(__spreadValues({}, config), {
+        oauthServer: (_a = config.oauthServer) != null ? _a : DEFAULT_AUTH_SERVER
+      }),
+      storage,
+      config.endpointOverrides
+    );
+    return authSessionService.tokenExchange(code, state);
+  });
+}
+function isLoggedIn(storage) {
+  return !!storage.get("id_token");
+}
+function buildLoginUrl(config, storage) {
+  return __async(this, null, function* () {
+    var _a, _b, _c;
+    const state = (_a = config.state) != null ? _a : Math.random().toString(36).substring(2);
+    const scopes = (_b = config.scopes) != null ? _b : DEFAULT_SCOPES;
+    const pkceProducer = new GenericPublicClientPKCEProducer(storage);
+    const authInitiator = new GenericAuthenticationInitiator(__spreadProps(__spreadValues({}, config), {
+      state,
+      scopes,
+      oauthServer: (_c = config.oauthServer) != null ? _c : DEFAULT_AUTH_SERVER,
+      // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session
+      pkceConsumer: pkceProducer
+    }));
+    return authInitiator.signIn();
+  });
+}
+
+// src/shared/GenericAuthenticationRefresher.ts
+import { OAuth2Client as OAuth2Client2 } from "oslo/oauth2";
+var GenericAuthenticationRefresher = class _GenericAuthenticationRefresher {
+  constructor(authConfig, storage, endpointOverrides) {
+    this.authConfig = authConfig;
+    this.storage = storage;
+    this.endpointOverrides = endpointOverrides;
+    console.log("GenericAuthenticationRefresher constructor", {
+      authConfig,
+      endpointOverrides
+    });
+  }
+  init() {
+    return __async(this, null, function* () {
+      this.endpoints = yield getEndpointsWithOverrides(
+        this.authConfig.oauthServer,
+        this.endpointOverrides
+      );
+      this.oauth2client = new OAuth2Client2(
+        this.authConfig.clientId,
+        this.endpoints.auth,
+        this.endpoints.token,
+        {
+          redirectURI: this.authConfig.redirectUrl
+        }
+      );
+      return this;
+    });
+  }
+  static build(authConfig, storage, endpointOverrides) {
+    return __async(this, null, function* () {
+      const refresher = new _GenericAuthenticationRefresher(
+        authConfig,
+        storage,
+        endpointOverrides
+      );
+      yield refresher.init();
+      return refresher;
+    });
+  }
+  refreshTokens() {
+    return __async(this, null, function* () {
+      if (!this.oauth2client) yield this.init();
+      const tokens = retrieveTokens(this.storage);
+      if (!(tokens == null ? void 0 : tokens.refresh_token)) throw new Error("No refresh token available");
+      const oauth2Client = this.oauth2client;
+      const refreshedTokens = yield oauth2Client.refreshAccessToken(
+        tokens.refresh_token
+      );
+      storeTokens(this.storage, refreshedTokens);
+      return tokens;
+    });
+  }
+};
+
+// src/server/refresh.ts
+function refreshTokens(storage, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const refresher = yield GenericAuthenticationRefresher.build(
+      __spreadProps(__spreadValues({}, config), {
+        oauthServer: (_a = config.oauthServer) != null ? _a : DEFAULT_AUTH_SERVER
+      }),
+      storage,
+      config.endpointOverrides
+    );
+    return refresher.refreshTokens();
+  });
+}
+
+export {
+  CookieStorage,
+  resolveOAuthAccessCode,
+  isLoggedIn,
+  buildLoginUrl,
+  refreshTokens
+};
+//# sourceMappingURL=chunk-AP4627CS.mjs.map

package/dist/chunk-AP4627CS.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/shared/storage.ts","../src/server/ServerAuthenticationResolver.ts","../src/server/login.ts","../src/shared/GenericAuthenticationRefresher.ts","../src/server/refresh.ts"],"sourcesContent":["import { AuthStorage, SessionData, UnknownObject, User } from \"@/types.js\";\n\ntype SameSiteOption = \"strict\" | \"lax\" | \"none\";\n\nexport interface SessionStorage {\n  get(): SessionData;\n  getUser(): User<UnknownObject> | null;\n  set(data: Partial<SessionData>): void;\n  setUser(data: User<UnknownObject> | null): void;\n  clear(): void;\n}\n\nexport type CookieStorageSettings = {\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: SameSiteOption;\n  expires: Date;\n  path: string;\n};\n\nexport const DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes\n\nexport abstract class CookieStorage implements AuthStorage {\n  protected settings: CookieStorageSettings;\n  protected constructor(settings: Partial<CookieStorageSettings> = {}) {\n    this.settings = {\n      httpOnly: settings.httpOnly ?? true,\n      secure: settings.secure ?? true,\n      // the callback request comes the auth server\n      // 'lax' ensures the code_verifier cookie is sent with the request\n      sameSite: settings.sameSite ?? \"lax\",\n      expires:\n        settings.expires ??\n        new Date(Date.now() + 1000 * DEFAULT_COOKIE_DURATION),\n      path: settings.path ?? \"/\",\n    };\n  }\n  abstract get(key: string): string | null;\n  abstract set(key: string, value: string): void;\n}\n","import { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport {\n  AuthStorage,\n  Endpoints,\n  OIDCTokenResponseBody,\n  SessionData,\n} from \"@/types.js\";\nimport { AuthConfig } from \"@/server/config.js\";\nimport {\n  exchangeTokens,\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n} from \"@/shared/util.js\";\nimport { AuthenticationResolver, PKCEProducer } from \"@/services/types.ts\";\n\nexport class ServerAuthenticationResolver implements AuthenticationResolver {\n  private pkceProducer: PKCEProducer;\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  private constructor(\n    readonly authConfig: AuthConfig,\n    readonly storage: AuthStorage,\n    readonly endpointOverrides?: Partial<Endpoints>,\n  ) {\n    console.log(\"ServerAuthenticationResolver constructor\", {\n      authConfig,\n      storage,\n      endpointOverrides,\n    });\n    this.pkceProducer = new GenericPublicClientPKCEProducer(storage);\n  }\n  validateExistingSession(): Promise<SessionData> {\n    throw new Error(\"Method not implemented.\");\n  }\n\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.authConfig.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  async tokenExchange(\n    code: string,\n    state: string,\n  ): Promise<OIDCTokenResponseBody> {\n    if (!this.oauth2client) await this.init();\n    const codeVerifier = await this.pkceProducer.getCodeVerifier();\n    if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n    // exchange auth code for tokens\n    const tokens = await exchangeTokens(\n      code,\n      state,\n      this.pkceProducer,\n      this.oauth2client!, // clean up types here to avoid the ! operator\n      this.authConfig.oauthServer,\n      this.endpoints!, // clean up types here to avoid the ! operator\n    );\n\n    storeTokens(this.storage, tokens);\n\n    return tokens;\n  }\n\n  async getSessionData(): Promise<SessionData | null> {\n    const storageData = retrieveTokens(this.storage);\n\n    if (!storageData) return null;\n\n    return {\n      authenticated: !!storageData.id_token,\n      idToken: storageData.id_token,\n      accessToken: storageData.access_token,\n      refreshToken: storageData.refresh_token,\n    };\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<AuthenticationResolver> {\n    const resolver = new ServerAuthenticationResolver(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await resolver.init();\n\n    return resolver;\n  }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { DEFAULT_AUTH_SERVER, DEFAULT_SCOPES } from \"@/constants.js\";\nimport { GenericAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport { AuthConfig } from \"@/server/config.ts\";\n/**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code, typically from a query parameter in the redirect url\n * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url\n * @param storage The place that this server uses to store session data (e.g. a cookie store)\n * @param config Oauth Server configuration\n */\nexport async function resolveOAuthAccessCode(\n  code: string,\n  state: string,\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const authSessionService = await ServerAuthenticationResolver.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return authSessionService.tokenExchange(code, state);\n}\n\nexport function isLoggedIn(storage: AuthStorage): boolean {\n  return !!storage.get(\"id_token\");\n}\n\nexport async function buildLoginUrl(\n  config: Pick<AuthConfig, \"oauthServer\" | \"clientId\" | \"redirectUrl\"> & {\n    scopes?: string[];\n    state?: string;\n    nonce?: string;\n  },\n  storage: AuthStorage,\n): Promise<URL> {\n  // generate a random state if not provided\n  const state = config.state ?? Math.random().toString(36).substring(2);\n  const scopes = config.scopes ?? DEFAULT_SCOPES;\n  const pkceProducer = new GenericPublicClientPKCEProducer(storage);\n  const authInitiator = new GenericAuthenticationInitiator({\n    ...config,\n    state,\n    scopes,\n    oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session\n    pkceConsumer: pkceProducer,\n  });\n\n  return authInitiator.signIn();\n}\n","import { AuthenticationRefresher } from \"@/services/types.ts\";\nimport { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types\";\nimport {\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n} from \"@/shared/util.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\nimport { OAuth2Client } from \"oslo/oauth2\";\n\nexport class GenericAuthenticationRefresher implements AuthenticationRefresher {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  private constructor(\n    private authConfig: AuthConfig,\n    private storage: AuthStorage,\n    private endpointOverrides?: Partial<Endpoints>,\n  ) {\n    console.log(\"GenericAuthenticationRefresher constructor\", {\n      authConfig,\n      endpointOverrides,\n    });\n  }\n\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.authConfig.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<GenericAuthenticationRefresher> {\n    const refresher = new GenericAuthenticationRefresher(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await refresher.init();\n\n    return refresher;\n  }\n\n  async refreshTokens() {\n    if (!this.oauth2client) await this.init();\n\n    const tokens = retrieveTokens(this.storage);\n    if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n\n    const oauth2Client = this.oauth2client!;\n    const refreshedTokens =\n      await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n        tokens.refresh_token,\n      );\n\n    storeTokens(this.storage, refreshedTokens);\n\n    return tokens;\n  }\n}\n","import { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\nimport { GenericAuthenticationRefresher } from \"@/shared/GenericAuthenticationRefresher.ts\";\nimport { AuthConfig } from \"@/server/config.ts\";\n\n/**\n * Refresh the current set of OIDC tokens\n */\nexport async function refreshTokens(\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const refresher = await GenericAuthenticationRefresher.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return refresher.refreshTokens();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAoBO,IAAM,0BAA0B,KAAK;AAErC,IAAe,gBAAf,MAAoD;AAAA,EAE/C,YAAY,WAA2C,CAAC,GAAG;AAxBvE;AAyBI,SAAK,WAAW;AAAA,MACd,WAAU,cAAS,aAAT,YAAqB;AAAA,MAC/B,SAAQ,cAAS,WAAT,YAAmB;AAAA;AAAA;AAAA,MAG3B,WAAU,cAAS,aAAT,YAAqB;AAAA,MAC/B,UACE,cAAS,YAAT,YACA,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,uBAAuB;AAAA,MACtD,OAAM,cAAS,SAAT,YAAiB;AAAA,IACzB;AAAA,EACF;AAGF;;;ACtCA,SAAS,oBAAoB;AAgBtB,IAAM,+BAAN,MAAM,8BAA+D;AAAA,EAKlE,YACG,YACA,SACA,mBACT;AAHS;AACA;AACA;AAET,YAAQ,IAAI,4CAA4C;AAAA,MACtD;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,SAAK,eAAe,IAAI,gCAAgC,OAAO;AAAA,EACjE;AAAA,EACA,0BAAgD;AAC9C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAAA,EAEM,OAAsB;AAAA;AAE1B,WAAK,YAAY,MAAM;AAAA,QACrB,KAAK,WAAW;AAAA,QAChB,KAAK;AAAA,MACP;AACA,WAAK,eAAe,IAAI;AAAA,QACtB,KAAK,WAAW;AAAA,QAChB,KAAK,UAAU;AAAA,QACf,KAAK,UAAU;AAAA,QACf;AAAA,UACE,aAAa,KAAK,WAAW;AAAA,QAC/B;AAAA,MACF;AAEA,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,cACJ,MACA,OACgC;AAAA;AAChC,UAAI,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AACxC,YAAM,eAAe,MAAM,KAAK,aAAa,gBAAgB;AAC7D,UAAI,CAAC,aAAc,OAAM,IAAI,MAAM,oCAAoC;AAGvE,YAAM,SAAS,MAAM;AAAA,QACnB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA;AAAA,QACL,KAAK,WAAW;AAAA,QAChB,KAAK;AAAA;AAAA,MACP;AAEA,kBAAY,KAAK,SAAS,MAAM;AAEhC,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,iBAA8C;AAAA;AAClD,YAAM,cAAc,eAAe,KAAK,OAAO;AAE/C,UAAI,CAAC,YAAa,QAAO;AAEzB,aAAO;AAAA,QACL,eAAe,CAAC,CAAC,YAAY;AAAA,QAC7B,SAAS,YAAY;AAAA,QACrB,aAAa,YAAY;AAAA,QACzB,cAAc,YAAY;AAAA,MAC5B;AAAA,IACF;AAAA;AAAA,EAEA,OAAa,MACX,YACA,SACA,mBACiC;AAAA;AACjC,YAAM,WAAW,IAAI;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,YAAM,SAAS,KAAK;AAEpB,aAAO;AAAA,IACT;AAAA;AACF;;;AC7FA,SAAsB,uBACpB,MACA,OACA,SACA,QACgC;AAAA;AAlBlC;AAmBE,UAAM,qBAAqB,MAAM,6BAA6B;AAAA,MAC5D,iCACK,SADL;AAAA,QAEE,cAAa,YAAO,gBAAP,YAAsB;AAAA,MACrC;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IACT;AAEA,WAAO,mBAAmB,cAAc,MAAM,KAAK;AAAA,EACrD;AAAA;AAEO,SAAS,WAAW,SAA+B;AACxD,SAAO,CAAC,CAAC,QAAQ,IAAI,UAAU;AACjC;AAEA,SAAsB,cACpB,QAKA,SACc;AAAA;AA1ChB;AA4CE,UAAM,SAAQ,YAAO,UAAP,YAAgB,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,CAAC;AACpE,UAAM,UAAS,YAAO,WAAP,YAAiB;AAChC,UAAM,eAAe,IAAI,gCAAgC,OAAO;AAChE,UAAM,gBAAgB,IAAI,+BAA+B,iCACpD,SADoD;AAAA,MAEvD;AAAA,MACA;AAAA,MACA,cAAa,YAAO,gBAAP,YAAsB;AAAA;AAAA,MAEnC,cAAc;AAAA,IAChB,EAAC;AAED,WAAO,cAAc,OAAO;AAAA,EAC9B;AAAA;;;ACjDA,SAAS,gBAAAA,qBAAoB;AAEtB,IAAM,iCAAN,MAAM,gCAAkE;AAAA,EAIrE,YACE,YACA,SACA,mBACR;AAHQ;AACA;AACA;AAER,YAAQ,IAAI,8CAA8C;AAAA,MACxD;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEM,OAAsB;AAAA;AAE1B,WAAK,YAAY,MAAM;AAAA,QACrB,KAAK,WAAW;AAAA,QAChB,KAAK;AAAA,MACP;AACA,WAAK,eAAe,IAAIC;AAAA,QACtB,KAAK,WAAW;AAAA,QAChB,KAAK,UAAU;AAAA,QACf,KAAK,UAAU;AAAA,QACf;AAAA,UACE,aAAa,KAAK,WAAW;AAAA,QAC/B;AAAA,MACF;AAEA,aAAO;AAAA,IACT;AAAA;AAAA,EAEA,OAAa,MACX,YACA,SACA,mBACyC;AAAA;AACzC,YAAM,YAAY,IAAI;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,YAAM,UAAU,KAAK;AAErB,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,gBAAgB;AAAA;AACpB,UAAI,CAAC,KAAK,aAAc,OAAM,KAAK,KAAK;AAExC,YAAM,SAAS,eAAe,KAAK,OAAO;AAC1C,UAAI,EAAC,iCAAQ,eAAe,OAAM,IAAI,MAAM,4BAA4B;AAExE,YAAM,eAAe,KAAK;AAC1B,YAAM,kBACJ,MAAM,aAAa;AAAA,QACjB,OAAO;AAAA,MACT;AAEF,kBAAY,KAAK,SAAS,eAAe;AAEzC,aAAO;AAAA,IACT;AAAA;AACF;;;AClEA,SAAsB,cACpB,SACA,QACgC;AAAA;AAXlC;AAYE,UAAM,YAAY,MAAM,+BAA+B;AAAA,MACrD,iCACK,SADL;AAAA,QAEE,cAAa,YAAO,gBAAP,YAAsB;AAAA,MACrC;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IACT;AAEA,WAAO,UAAU,cAAc;AAAA,EACjC;AAAA;","names":["OAuth2Client","OAuth2Client"]}

package/dist/chunk-CRTRMMJ7.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-CRTRMMJ7.js"],"names":[],"mappings":"AAAA,6EAAI,UAAU,EAAE,MAAM,CAAC,cAAc;AACrC,IAAI,WAAW,EAAE,MAAM,CAAC,gBAAgB;AACxC,IAAI,kBAAkB,EAAE,MAAM,CAAC,yBAAyB;AACxD,IAAI,oBAAoB,EAAE,MAAM,CAAC,qBAAqB;AACtD,IAAI,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,cAAc;AAClD,IAAI,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,oBAAoB;AACxD,IAAI,gBAAgB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK;AAC/J,IAAI,eAAe,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG;AAC/B,EAAE,IAAI,CAAC,IAAI,KAAK,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAChC,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC;AAClC,MAAM,eAAe,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;AACvC,EAAE,GAAG,CAAC,mBAAmB;AACzB,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,mBAAmB,CAAC,CAAC,CAAC,EAAE;AAC7C,MAAM,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC;AACpC,QAAQ,eAAe,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;AACzC,IAAI;AACJ,EAAE,OAAO,CAAC;AACV,CAAC;AACD,IAAI,cAAc,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC;AACjE,IAAI,UAAU,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG;AACrC,EAAE,IAAI,OAAO,EAAE,CAAC,CAAC;AACjB,EAAE,IAAI,CAAC,IAAI,KAAK,GAAG,MAAM;AACzB,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;AACpE,MAAM,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC;AACjC,EAAE,GAAG,CAAC,OAAO,GAAG,KAAK,GAAG,mBAAmB;AAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,mBAAmB,CAAC,MAAM,CAAC,EAAE;AAClD,MAAM,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC;AACtE,QAAQ,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC;AACnC,IAAI;AACJ,EAAE,OAAO,MAAM;AACf,CAAC;AACD,IAAI,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG;AAClD,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG;AAC1C,IAAI,IAAI,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG;AAC/B,MAAM,IAAI;AACV,QAAQ,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACnC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE;AAClB,QAAQ,MAAM,CAAC,CAAC,CAAC;AACjB,MAAM;AACN,IAAI,CAAC;AACL,IAAI,IAAI,SAAS,EAAE,CAAC,KAAK,EAAE,GAAG;AAC9B,MAAM,IAAI;AACV,QAAQ,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACpC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE;AAClB,QAAQ,MAAM,CAAC,CAAC,CAAC;AACjB,MAAM;AACN,IAAI,CAAC;AACL,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC;AACpG,IAAI,IAAI,CAAC,CAAC,UAAU,EAAE,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACnE,EAAE,CAAC,CAAC;AACJ,CAAC;AACD;AACA;AACE;AACA;AACA;AACA;AACF,yIAAC","file":"/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-CRTRMMJ7.js"}
+{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-CRTRMMJ7.js"],"names":[],"mappings":"AAAA,6EAAI,UAAU,EAAE,MAAM,CAAC,cAAc;AACrC,IAAI,WAAW,EAAE,MAAM,CAAC,gBAAgB;AACxC,IAAI,kBAAkB,EAAE,MAAM,CAAC,yBAAyB;AACxD,IAAI,oBAAoB,EAAE,MAAM,CAAC,qBAAqB;AACtD,IAAI,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,cAAc;AAClD,IAAI,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,oBAAoB;AACxD,IAAI,gBAAgB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK;AAC/J,IAAI,eAAe,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG;AAC/B,EAAE,IAAI,CAAC,IAAI,KAAK,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAChC,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC;AAClC,MAAM,eAAe,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;AACvC,EAAE,GAAG,CAAC,mBAAmB;AACzB,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,mBAAmB,CAAC,CAAC,CAAC,EAAE;AAC7C,MAAM,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC;AACpC,QAAQ,eAAe,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;AACzC,IAAI;AACJ,EAAE,OAAO,CAAC;AACV,CAAC;AACD,IAAI,cAAc,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC;AACjE,IAAI,UAAU,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG;AACrC,EAAE,IAAI,OAAO,EAAE,CAAC,CAAC;AACjB,EAAE,IAAI,CAAC,IAAI,KAAK,GAAG,MAAM;AACzB,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;AACpE,MAAM,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC;AACjC,EAAE,GAAG,CAAC,OAAO,GAAG,KAAK,GAAG,mBAAmB;AAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,mBAAmB,CAAC,MAAM,CAAC,EAAE;AAClD,MAAM,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC;AACtE,QAAQ,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC;AACnC,IAAI;AACJ,EAAE,OAAO,MAAM;AACf,CAAC;AACD,IAAI,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG;AAClD,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG;AAC1C,IAAI,IAAI,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG;AAC/B,MAAM,IAAI;AACV,QAAQ,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACnC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE;AAClB,QAAQ,MAAM,CAAC,CAAC,CAAC;AACjB,MAAM;AACN,IAAI,CAAC;AACL,IAAI,IAAI,SAAS,EAAE,CAAC,KAAK,EAAE,GAAG;AAC9B,MAAM,IAAI;AACV,QAAQ,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACpC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE;AAClB,QAAQ,MAAM,CAAC,CAAC,CAAC;AACjB,MAAM;AACN,IAAI,CAAC;AACL,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC;AACpG,IAAI,IAAI,CAAC,CAAC,UAAU,EAAE,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACnE,EAAE,CAAC,CAAC;AACJ,CAAC;AACD;AACA;AACE;AACA;AACA;AACA;AACF,yIAAC","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-CRTRMMJ7.js"}

package/dist/chunk-CTVJJBBA.js

@@ -0,0 +1,118 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
+
+var _chunk6RFRDWIPjs = require('./chunk-6RFRDWIP.js');
+
+
+
+var _chunk7K3QN2ATjs = require('./chunk-7K3QN2AT.js');
+
+
+
+
+var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
+
+// src/nextjs/cookies.ts
+var _headersjs = require('next/headers.js');
+var createTokenCookies = (response, sessionData, config) => {
+  var _a, _b;
+  const maxAge = (_a = sessionData.expiresIn) != null ? _a : 3600;
+  const cookieOptions = _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, (_b = config.cookies) == null ? void 0 : _b.tokens), {
+    maxAge
+  });
+  if (sessionData.accessToken) {
+    response.cookies.set("access_token", sessionData.accessToken, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.idToken) {
+    response.cookies.set("id_token", sessionData.idToken, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.refreshToken) {
+    response.cookies.set("refresh_token", sessionData.refreshToken, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+};
+var createUserInfoCookie = (response, user, sessionData, config) => {
+  var _a, _b, _c;
+  if (!user) {
+    response.cookies.set("user", "", _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, (_a = config.cookies) == null ? void 0 : _a.user), {
+      maxAge: 0
+    }));
+    return;
+  }
+  const maxAge = (_b = sessionData.expiresIn) != null ? _b : 3600;
+  const frontendUser = _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user);
+  response.cookies.set("user", JSON.stringify(frontendUser), _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, (_c = config.cookies) == null ? void 0 : _c.user), {
+    maxAge
+  }));
+};
+var clearAuthCookies = (config) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
+  var _a;
+  const cookieStorage = new NextjsCookieStorage((_a = config.cookies) == null ? void 0 : _a.tokens);
+  _chunk7K3QN2ATjs.clearTokens.call(void 0, cookieStorage);
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new (0, _chunk7K3QN2ATjs.GenericUserSession)(clientStorage);
+  userSession.set(null);
+});
+var NextjsCookieStorage = class extends _chunk6RFRDWIPjs.CookieStorage {
+  constructor(config = {}) {
+    super({
+      secure: true,
+      httpOnly: true
+    });
+    this.config = config;
+  }
+  get(key) {
+    var _a;
+    return ((_a = _headersjs.cookies.call(void 0, ).get(key)) == null ? void 0 : _a.value) || null;
+  }
+  set(key, value) {
+    var _a;
+    const cookieSettings = ((_a = this.config) == null ? void 0 : _a[key]) || _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, this.settings);
+    console.log(
+      "NextjsCookieStorage.set",
+      JSON.stringify(
+        { key, value, config: this.config, cookieSettings },
+        null,
+        2
+      )
+    );
+    _headersjs.cookies.call(void 0, ).set(key, value, cookieSettings);
+  }
+};
+var NextjsClientStorage = class extends _chunk6RFRDWIPjs.CookieStorage {
+  constructor(config = {}) {
+    super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
+      secure: false,
+      httpOnly: false
+    }));
+  }
+  get(key) {
+    var _a;
+    return ((_a = _headersjs.cookies.call(void 0, ).get(key)) == null ? void 0 : _a.value) || null;
+  }
+  set(key, value) {
+    _headersjs.cookies.call(void 0, ).set(key, value, this.settings);
+  }
+};
+
+// src/nextjs/utils.ts
+var resolveCallbackUrl = (config, alternativeUrl) => {
+  var _a;
+  const baseUrl = (_a = config.appUrl) != null ? _a : alternativeUrl;
+  const callbackUrl = new URL(config == null ? void 0 : config.callbackUrl, baseUrl).toString();
+  return callbackUrl.toString();
+};
+
+
+
+
+
+
+
+
+exports.createTokenCookies = createTokenCookies; exports.createUserInfoCookie = createUserInfoCookie; exports.clearAuthCookies = clearAuthCookies; exports.NextjsCookieStorage = NextjsCookieStorage; exports.NextjsClientStorage = NextjsClientStorage; exports.resolveCallbackUrl = resolveCallbackUrl;
+//# sourceMappingURL=chunk-CTVJJBBA.js.map

package/dist/chunk-CTVJJBBA.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-CTVJJBBA.js","../src/nextjs/cookies.ts","../src/nextjs/utils.ts"],"names":[],"mappings":"AAAA;AACE;AACF,sDAA4B;AAC5B;AACE;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACTA,4CAAwB;AAQxB,IAAM,mBAAA,EAAqB,CACzB,QAAA,EACA,WAAA,EACA,MAAA,EAAA,GACG;AAhBL,EAAA,IAAA,EAAA,EAAA,EAAA;AAiBE,EAAA,MAAM,OAAA,EAAA,CAAS,GAAA,EAAA,WAAA,CAAY,SAAA,EAAA,GAAZ,KAAA,EAAA,GAAA,EAAyB,IAAA;AACxC,EAAA,MAAM,cAAA,EAAgB,4CAAA,6CAAA,CAAA,CAAA,EAAA,CACjB,GAAA,EAAA,MAAA,CAAO,OAAA,EAAA,GAAP,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAgB,MAAA,CAAA,EADC;AAAA,IAEpB;AAAA,EACF,CAAA,CAAA;AAEA,EAAA,GAAA,CAAI,WAAA,CAAY,WAAA,EAAa;AAC3B,IAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAA,EAAgB,WAAA,CAAY,WAAA,EAAa,4CAAA,6CAAA,CAAA,CAAA,EACzD,aAAA,CAAA,EADyD;AAAA,MAE5D,QAAA,EAAU;AAAA,IACZ,CAAA,CAAC,CAAA;AAAA,EACH;AAEA,EAAA,GAAA,CAAI,WAAA,CAAY,OAAA,EAAS;AACvB,IAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,UAAA,EAAY,WAAA,CAAY,OAAA,EAAS,4CAAA,6CAAA,CAAA,CAAA,EACjD,aAAA,CAAA,EADiD;AAAA,MAEpD,QAAA,EAAU;AAAA,IACZ,CAAA,CAAC,CAAA;AAAA,EACH;AAEA,EAAA,GAAA,CAAI,WAAA,CAAY,YAAA,EAAc;AAC5B,IAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,eAAA,EAAiB,WAAA,CAAY,YAAA,EAAc,4CAAA,6CAAA,CAAA,CAAA,EAC3D,aAAA,CAAA,EAD2D;AAAA,MAE9D,QAAA,EAAU;AAAA,IACZ,CAAA,CAAC,CAAA;AAAA,EACH;AACF,CAAA;AAKA,IAAM,qBAAA,EAAuB,CAC3B,QAAA,EACA,IAAA,EACA,WAAA,EACA,MAAA,EAAA,GACG;AArDL,EAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA;AAsDE,EAAA,GAAA,CAAI,CAAC,IAAA,EAAM;AACT,IAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,EAAQ,EAAA,EAAI,4CAAA,6CAAA,CAAA,CAAA,EAAA,CAC5B,GAAA,EAAA,MAAA,CAAO,OAAA,EAAA,GAAP,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAgB,IAAA,CAAA,EADY;AAAA,MAE/B,MAAA,EAAQ;AAAA,IACV,CAAA,CAAC,CAAA;AACD,IAAA,MAAA;AAAA,EACF;AACA,EAAA,MAAM,OAAA,EAAA,CAAS,GAAA,EAAA,WAAA,CAAY,SAAA,EAAA,GAAZ,KAAA,EAAA,GAAA,EAAyB,IAAA;AAGxC,EAAA,MAAM,aAAA,EAAe,6CAAA,CAAA,CAAA,EAChB,IAAA,CAAA;AAOL,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,EAAQ,IAAA,CAAK,SAAA,CAAU,YAAY,CAAA,EAAG,4CAAA,6CAAA,CAAA,CAAA,EAAA,CACtD,GAAA,EAAA,MAAA,CAAO,OAAA,EAAA,GAAP,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAgB,IAAA,CAAA,EADsC;AAAA,IAEzD;AAAA,EACF,CAAA,CAAC,CAAA;AACH,CAAA;AAKA,IAAM,iBAAA,EAAmB,CAAO,MAAA,EAAA,GAAuB,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAjFvD,EAAA,IAAA,EAAA;AAmFE,EAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAA,CAAoB,GAAA,EAAA,MAAA,CAAO,OAAA,EAAA,GAAP,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAgB,MAAM,CAAA;AACpE,EAAA,0CAAA,aAAyB,CAAA;AAGzB,EAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAC9C,EAAA,MAAM,YAAA,EAAc,IAAI,wCAAA,CAAmB,aAAa,CAAA;AACxD,EAAA,WAAA,CAAY,GAAA,CAAI,IAAI,CAAA;AACtB,CAAA,CAAA;AAGA,IAAM,oBAAA,EAAN,MAAA,QAAkC,+BAAc;AAAA,EAC9C,WAAA,CAAqB,OAAA,EAAsC,CAAC,CAAA,EAAG;AAC7D,IAAA,KAAA,CAAM;AAAA,MACJ,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU;AAAA,IACZ,CAAC,CAAA;AAJkB,IAAA,IAAA,CAAA,OAAA,EAAA,MAAA;AAAA,EAKrB;AAAA,EAEA,GAAA,CAAI,GAAA,EAA4B;AArGlC,IAAA,IAAA,EAAA;AAsGI,IAAA,OAAA,CAAA,CAAO,GAAA,EAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAG,CAAA,EAAA,GAAjB,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAoB,KAAA,EAAA,GAAS,IAAA;AAAA,EACtC;AAAA,EAEA,GAAA,CAAI,GAAA,EAAgB,KAAA,EAAqB;AAzG3C,IAAA,IAAA,EAAA;AA0GI,IAAA,MAAM,eAAA,EAAA,CAAA,CAAiB,GAAA,EAAA,IAAA,CAAK,MAAA,EAAA,GAAL,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAc,GAAA,CAAA,EAAA,GAAqB,6CAAA,CAAA,CAAA,EACrD,IAAA,CAAK,QAAA,CAAA;AAEV,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,yBAAA;AAAA,MACA,IAAA,CAAK,SAAA;AAAA,QACH,EAAE,GAAA,EAAK,KAAA,EAAO,MAAA,EAAQ,IAAA,CAAK,MAAA,EAAQ,eAAe,CAAA;AAAA,QAClD,IAAA;AAAA,QACA;AAAA,MACF;AAAA,IACF,CAAA;AACA,IAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAA,EAAK,KAAA,EAAO,cAAc,CAAA;AAAA,EAC1C;AACF,CAAA;AAEA,IAAM,oBAAA,EAAN,MAAA,QAAkC,+BAAc;AAAA,EAC9C,WAAA,CAAY,OAAA,EAAyC,CAAC,CAAA,EAAG;AACvD,IAAA,KAAA,CAAM,4CAAA,6CAAA,CAAA,CAAA,EACD,MAAA,CAAA,EADC;AAAA,MAEJ,MAAA,EAAQ,KAAA;AAAA,MACR,QAAA,EAAU;AAAA,IACZ,CAAA,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,GAAA,CAAI,GAAA,EAA4B;AAlIlC,IAAA,IAAA,EAAA;AAmII,IAAA,OAAA,CAAA,CAAO,GAAA,EAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAG,CAAA,EAAA,GAAjB,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAoB,KAAA,EAAA,GAAS,IAAA;AAAA,EACtC;AAAA,EAEA,GAAA,CAAI,GAAA,EAAa,KAAA,EAAqB;AACpC,IAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAA,EAAK,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACzC;AACF,CAAA;ADrCA;AACA;AEnGO,IAAM,mBAAA,EAAqB,CAChC,MAAA,EACA,cAAA,EAAA,GACW;AALb,EAAA,IAAA,EAAA;AAME,EAAA,MAAM,QAAA,EAAA,CAAU,GAAA,EAAA,MAAA,CAAO,MAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAiB,cAAA;AACjC,EAAA,MAAM,YAAA,EAAc,IAAI,GAAA,CAAI,OAAA,GAAA,KAAA,EAAA,KAAA,EAAA,EAAA,MAAA,CAAQ,WAAA,EAAa,OAAO,CAAA,CAAE,QAAA,CAAS,CAAA;AACnE,EAAA,OAAO,WAAA,CAAY,QAAA,CAAS,CAAA;AAC9B,CAAA;AFmGA;AACA;AACE;AACA;AACA;AACA;AACA;AACA;AACF,ySAAC","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/chunk-CTVJJBBA.js","sourcesContent":[null,"import { SessionData, UnknownObject, User } from \"@/types\";\nimport { NextResponse } from \"next/server\";\nimport { AuthConfig } from \"@/nextjs/config\";\nimport { CookieStorage, CookieStorageSettings } from \"@/server\";\nimport { cookies } from \"next/headers.js\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { clearTokens } from \"@/shared/util\";\nimport { CodeVerifier, OAuthTokens, TokensCookieConfig } from \"@/shared/types\";\n\n/**\n * Creates HTTP-only cookies for authentication tokens\n */\nconst createTokenCookies = (\n  response: NextResponse,\n  sessionData: SessionData,\n  config: AuthConfig,\n) => {\n  const maxAge = sessionData.expiresIn ?? 3600;\n  const cookieOptions = {\n    ...config.cookies?.tokens,\n    maxAge,\n  };\n\n  if (sessionData.accessToken) {\n    response.cookies.set(\"access_token\", sessionData.accessToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n\n  if (sessionData.idToken) {\n    response.cookies.set(\"id_token\", sessionData.idToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n\n  if (sessionData.refreshToken) {\n    response.cookies.set(\"refresh_token\", sessionData.refreshToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n};\n\n/**\n * Creates a client-readable cookie with user info\n */\nconst createUserInfoCookie = (\n  response: NextResponse,\n  user: User<UnknownObject> | null,\n  sessionData: SessionData,\n  config: AuthConfig,\n) => {\n  if (!user) {\n    response.cookies.set(\"user\", \"\", {\n      ...config.cookies?.user,\n      maxAge: 0,\n    });\n    return;\n  }\n  const maxAge = sessionData.expiresIn ?? 3600;\n\n  // TODO select fields to include in the user cookie\n  const frontendUser = {\n    ...user,\n  };\n\n  // TODO make call to get user info from the\n  // auth server /userinfo endpoint when it's available\n  // then add to the default claims above\n\n  response.cookies.set(\"user\", JSON.stringify(frontendUser), {\n    ...config.cookies?.user,\n    maxAge,\n  });\n};\n\n/**\n * Clears all authentication cookies\n */\nconst clearAuthCookies = async (config: AuthConfig) => {\n  // clear session, and tokens\n  const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens);\n  clearTokens(cookieStorage);\n\n  // clear user\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  userSession.set(null);\n};\n\ntype KeySetter = OAuthTokens | CodeVerifier;\nclass NextjsCookieStorage extends CookieStorage {\n  constructor(readonly config: Partial<TokensCookieConfig> = {}) {\n    super({\n      secure: true,\n      httpOnly: true,\n    });\n  }\n\n  get(key: string): string | null {\n    return cookies().get(key)?.value || null;\n  }\n\n  set(key: KeySetter, value: string): void {\n    const cookieSettings = this.config?.[key as KeySetter] || {\n      ...this.settings,\n    };\n    console.log(\n      \"NextjsCookieStorage.set\",\n      JSON.stringify(\n        { key, value, config: this.config, cookieSettings },\n        null,\n        2,\n      ),\n    );\n    cookies().set(key, value, cookieSettings);\n  }\n}\n\nclass NextjsClientStorage extends CookieStorage {\n  constructor(config: Partial<CookieStorageSettings> = {}) {\n    super({\n      ...config,\n      secure: false,\n      httpOnly: false,\n    });\n  }\n\n  get(key: string): string | null {\n    return cookies().get(key)?.value || null;\n  }\n\n  set(key: string, value: string): void {\n    cookies().set(key, value, this.settings);\n  }\n}\n\nexport {\n  createTokenCookies,\n  createUserInfoCookie,\n  clearAuthCookies,\n  NextjsCookieStorage,\n  NextjsClientStorage,\n};\n","import { AuthConfigWithDefaults } from \"@/nextjs/config\";\n\nexport const resolveCallbackUrl = (\n  config: AuthConfigWithDefaults,\n  alternativeUrl?: string,\n): string => {\n  const baseUrl = config.appUrl ?? alternativeUrl;\n  const callbackUrl = new URL(config?.callbackUrl, baseUrl).toString();\n  return callbackUrl.toString();\n};\n"]}