@civic/auth 0.0.1-beta.30 → 0.0.1-beta.31

package/dist/chunk-AM2Y662I.js

@@ -1,601 +0,0 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } }
-
-
-
-var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
-
-// src/shared/types.ts
-var OAuthTokens = /* @__PURE__ */ ((OAuthTokens2) => {
-  OAuthTokens2["ID_TOKEN"] = "id_token";
-  OAuthTokens2["ACCESS_TOKEN"] = "access_token";
-  OAuthTokens2["REFRESH_TOKEN"] = "refresh_token";
-  return OAuthTokens2;
-})(OAuthTokens || {});
-
-// src/shared/util.ts
-var _oauth2 = require('oslo/oauth2');
-
-// src/lib/oauth.ts
-var _uuid = require('uuid');
-var getIssuerVariations = (issuer) => {
-  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
-  const issuerWithSlash = `${issuerWithoutSlash}/`;
-  return [issuerWithoutSlash, issuerWithSlash];
-};
-var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
-var getOauthEndpoints = (oauthServer) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const openIdConfigResponse = yield fetch(
-    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
-  );
-  const openIdConfig = yield openIdConfigResponse.json();
-  return {
-    jwks: openIdConfig.jwks_uri,
-    auth: openIdConfig.authorization_endpoint,
-    token: openIdConfig.token_endpoint,
-    userinfo: openIdConfig.userinfo_endpoint
-  };
-});
-var generateState = (displayMode, serverTokenExchange) => {
-  const jsonString = JSON.stringify(_chunkCRTRMMJ7js.__spreadValues.call(void 0, {
-    uuid: _uuid.v4.call(void 0, ),
-    displayMode
-  }, serverTokenExchange ? { serverTokenExchange } : {}));
-  return btoa(jsonString);
-};
-var displayModeFromState = (state, sessionDisplayMode) => {
-  try {
-    const jsonString = atob(state);
-    return JSON.parse(jsonString).displayMode;
-  } catch (e) {
-    console.error("Failed to parse displayMode from state:", state);
-    return sessionDisplayMode;
-  }
-};
-var serverTokenExchangeFromState = (state) => {
-  try {
-    const jsonString = atob(state);
-    return JSON.parse(jsonString).serverTokenExchange;
-  } catch (e) {
-    console.error("Failed to parse serverTokenExchange from state:", state);
-    return void 0;
-  }
-};
-
-// src/shared/util.ts
-var _jose = require('jose'); var jose = _interopRequireWildcard(_jose);
-
-// src/utils.ts
-var _clsx = require('clsx');
-var _tailwindmerge = require('tailwind-merge');
-var cn = (...inputs) => {
-  return _tailwindmerge.twMerge.call(void 0, _clsx.clsx.call(void 0, inputs));
-};
-var withoutUndefined = (obj) => {
-  const result = {};
-  for (const key in obj) {
-    if (obj[key] !== void 0) {
-      result[key] = obj[key];
-    }
-  }
-  return result;
-};
-
-// src/lib/jwt.ts
-var convertForwardedTokenFormat = (inputTokens) => Object.fromEntries(
-  Object.entries(inputTokens).map(([source, tokens]) => [
-    source,
-    {
-      idToken: tokens == null ? void 0 : tokens.id_token,
-      accessToken: tokens == null ? void 0 : tokens.access_token,
-      refreshToken: tokens == null ? void 0 : tokens.refresh_token
-    }
-  ])
-);
-
-// src/shared/UserSession.ts
-var GenericUserSession = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  get() {
-    const user = this.storage.get("user" /* USER */);
-    return user ? JSON.parse(user) : null;
-  }
-  set(user) {
-    const forwardedTokens = (user == null ? void 0 : user.forwardedTokens) ? convertForwardedTokenFormat(user == null ? void 0 : user.forwardedTokens) : null;
-    const value = user ? JSON.stringify(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user), { forwardedTokens })) : "";
-    this.storage.set("user" /* USER */, value);
-  }
-};
-
-// src/shared/util.ts
-function deriveCodeChallenge(codeVerifier, method = "S256") {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    if (method === "Plain") {
-      console.warn("Using insecure plain code challenge method");
-      return codeVerifier;
-    }
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const digest = yield crypto.subtle.digest("SHA-256", data);
-    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-  });
-}
-function getEndpointsWithOverrides(_0) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, arguments, function* (oauthServer, endpointOverrides = {}) {
-    const endpoints = yield getOauthEndpoints(oauthServer);
-    return _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, endpoints), endpointOverrides);
-  });
-}
-function generateOauthLoginUrl(config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const endpoints = yield getEndpointsWithOverrides(
-      config.oauthServer,
-      config.endpointOverrides
-    );
-    const oauth2Client = buildOauth2Client(
-      config.clientId,
-      config.redirectUrl,
-      endpoints
-    );
-    const challenge = yield config.pkceConsumer.getCodeChallenge();
-    const oAuthUrl = yield oauth2Client.createAuthorizationURL({
-      state: config.state,
-      scopes: config.scopes
-    });
-    oAuthUrl.searchParams.append("code_challenge", challenge);
-    oAuthUrl.searchParams.append("code_challenge_method", "S256");
-    if (config.nonce) {
-      oAuthUrl.searchParams.append("nonce", config.nonce);
-    }
-    oAuthUrl.searchParams.append("prompt", "consent");
-    console.log("Generated OAuth URL", oAuthUrl.toString());
-    return oAuthUrl;
-  });
-}
-function generateOauthLogoutUrl(config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    return new URL("http://localhost");
-  });
-}
-function buildOauth2Client(clientId, redirectUri, endpoints) {
-  return new (0, _oauth2.OAuth2Client)(clientId, endpoints.auth, endpoints.token, {
-    redirectURI: redirectUri
-  });
-}
-function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const codeVerifier = yield pkceProducer.getCodeVerifier();
-    if (!codeVerifier) throw new Error("Code verifier not found in state");
-    const tokens = yield oauth2Client.validateAuthorizationCode(code, {
-      codeVerifier
-    });
-    try {
-      yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
-    } catch (error) {
-      console.error("tokenExchange error", { error, tokens });
-      throw new Error(
-        `OIDC tokens validation failed: ${error.message}`
-      );
-    }
-    return tokens;
-  });
-}
-function storeTokens(storage, tokens) {
-  storage.set("id_token" /* ID_TOKEN */, tokens.id_token);
-  storage.set("access_token" /* ACCESS_TOKEN */, tokens.access_token);
-  if (tokens.refresh_token)
-    storage.set("refresh_token" /* REFRESH_TOKEN */, tokens.refresh_token);
-}
-function clearTokens(storage) {
-  Object.values(OAuthTokens).forEach((cookie) => {
-    storage.set(cookie, "");
-  });
-  Object.values("code_verifier" /* COOKIE_NAME */).forEach((cookie) => {
-    storage.set(cookie, "");
-  });
-}
-function clearUser(storage) {
-  const userSession = new GenericUserSession(storage);
-  userSession.set(null);
-}
-function retrieveTokens(storage) {
-  const idToken = storage.get("id_token" /* ID_TOKEN */);
-  const accessToken = storage.get("access_token" /* ACCESS_TOKEN */);
-  const refreshToken = storage.get("refresh_token" /* REFRESH_TOKEN */);
-  if (!idToken || !accessToken) return null;
-  return {
-    id_token: idToken,
-    access_token: accessToken,
-    refresh_token: refreshToken != null ? refreshToken : void 0
-  };
-}
-function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
-    const idTokenResponse = yield jose.jwtVerify(
-      tokens.id_token,
-      JWKS,
-      {
-        issuer: getIssuerVariations(issuer),
-        audience: oauth2Client.clientId
-      }
-    );
-    const accessTokenResponse = yield jose.jwtVerify(
-      tokens.access_token,
-      JWKS,
-      {
-        issuer: getIssuerVariations(issuer)
-      }
-    );
-    return withoutUndefined({
-      id_token: idTokenResponse.payload,
-      access_token: accessTokenResponse.payload,
-      refresh_token: tokens.refresh_token
-    });
-  });
-}
-
-// src/shared/session.ts
-var _jwt = require('oslo/jwt');
-function getUser(storage) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    var _a, _b;
-    const tokens = retrieveTokens(storage);
-    if (!tokens) return null;
-    return (_b = (_a = _jwt.parseJWT.call(void 0, tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
-  });
-}
-
-// src/constants.ts
-var DEFAULT_SCOPES = [
-  "openid",
-  "profile",
-  "email",
-  "forwardedTokens",
-  "offline_access"
-];
-var IFRAME_ID = "civic-auth-iframe";
-var DEFAULT_AUTH_SERVER = "https://auth.civic.com/oauth";
-var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
-var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
-var TOKEN_EXCHANGE_SUCCESS_TEXT = "serverSideTokenExchangeSuccess";
-
-// src/browser/storage.ts
-var LocalStorageAdapter = class {
-  get(key) {
-    return localStorage.getItem(key) || "";
-  }
-  set(key, value) {
-    localStorage.setItem(key, value);
-  }
-};
-
-// src/services/PKCE.ts
-
-var ConfidentialClientPKCEConsumer = class {
-  constructor(pkceChallengeEndpoint) {
-    this.pkceChallengeEndpoint = pkceChallengeEndpoint;
-  }
-  getCodeChallenge() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const response = yield fetch(
-        `${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`
-      );
-      const data = yield response.json();
-      return data.challenge;
-    });
-  }
-};
-var GenericPublicClientPKCEProducer = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  // if there is already a verifier, return it,
-  // If not, create a new one and store it
-  getCodeChallenge() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const verifier = _oauth2.generateCodeVerifier.call(void 0, );
-      this.storage.set("code_verifier" /* COOKIE_NAME */, verifier);
-      return deriveCodeChallenge(verifier);
-    });
-  }
-  // if there is already a verifier, return it,
-  getCodeVerifier() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      return this.storage.get("code_verifier" /* COOKIE_NAME */);
-    });
-  }
-};
-var BrowserPublicClientPKCEProducer = class extends GenericPublicClientPKCEProducer {
-  constructor() {
-    super(new LocalStorageAdapter());
-  }
-};
-
-// src/services/AuthenticationService.ts
-
-
-// src/services/types.ts
-var PopupError = class _PopupError extends Error {
-  constructor(message) {
-    super(message);
-    Object.setPrototypeOf(this, _PopupError.prototype);
-  }
-};
-
-// src/lib/windowUtil.ts
-var isWindowInIframe = (window2) => {
-  var _a;
-  if (typeof window2 !== "undefined") {
-    try {
-      if (((_a = window2 == null ? void 0 : window2.frameElement) == null ? void 0 : _a.id) === "civic-auth-iframe") {
-        return true;
-      }
-    } catch (_e) {
-      return false;
-    }
-  }
-  return false;
-};
-var removeParamsWithoutReload = (paramsToRemove) => {
-  const url = new URL(window.location.href);
-  paramsToRemove.forEach((param) => {
-    url.searchParams.delete(param);
-  });
-  try {
-    window.history.replaceState({}, "", url);
-  } catch (error) {
-    console.warn("window.history.replaceState failed", error);
-  }
-};
-
-// src/lib/postMessage.ts
-var validateLoginAppPostMessage = (event, clientId) => {
-  const caseEvent = event;
-  console.log("caseEvent", caseEvent);
-  if (!caseEvent.clientId || !caseEvent.data.url || !caseEvent.source || !caseEvent.type || caseEvent.clientId !== clientId || caseEvent.source !== "civicloginApp") {
-    return false;
-  }
-  return true;
-};
-
-// src/services/AuthenticationService.ts
-var BrowserAuthenticationInitiator = class {
-  constructor(config) {
-    this.postMessageHandler = null;
-    this.config = config;
-    console.log("BrowserAuthenticationInitiator constructor", this.config);
-  }
-  handleLoginAppPopupFailed(redirectUrl) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      console.warn(
-        "Login app popup failed open a popup, using redirect mode instead...",
-        redirectUrl
-      );
-      window.location.href = redirectUrl;
-    });
-  }
-  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-  // and then use the display mode to decide how to send the user there
-  signIn(iframeRef) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const url = yield generateOauthLoginUrl(this.config);
-      this.postMessageHandler = (event) => {
-        const thisURL = new URL(window.location.href);
-        if (event.origin.endsWith("civic.com") || thisURL.hostname === "localhost") {
-          if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {
-            console.log("Received invalid message from login app", event.data);
-            return;
-          }
-          const loginMessage = event.data;
-          console.log("Received message from login app", event.data);
-          this.handleLoginAppPopupFailed(loginMessage.data.url);
-        }
-      };
-      window.addEventListener("message", this.postMessageHandler);
-      if (this.config.displayMode === "iframe") {
-        if (!iframeRef)
-          throw new Error("iframeRef is required for displayMode 'iframe'");
-        iframeRef.setAttribute("src", url.toString());
-      }
-      if (this.config.displayMode === "redirect") {
-        window.location.href = url.toString();
-      }
-      if (this.config.displayMode === "new_tab") {
-        try {
-          const popupWindow = window.open(url.toString(), "_blank");
-          console.log("signIn", popupWindow);
-          if (!popupWindow) {
-            throw new PopupError("Failed to open popup window");
-          }
-        } catch (error) {
-          console.error("popupWindow", error);
-          throw new PopupError(
-            "window.open has thrown: Failed to open popup window"
-          );
-        }
-      }
-      return url;
-    });
-  }
-  signOut() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const localStorage2 = new LocalStorageAdapter();
-      clearTokens(localStorage2);
-      clearUser(localStorage2);
-      const url = yield generateOauthLogoutUrl(this.config);
-      return url;
-    });
-  }
-  cleanup() {
-    if (this.postMessageHandler) {
-      window.removeEventListener("message", this.postMessageHandler);
-    }
-  }
-};
-var GenericAuthenticationInitiator = class {
-  constructor(config) {
-    this.config = config;
-    console.log("GenericAuthenticationInitiator constructor", {
-      config
-    });
-  }
-  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-  // and simply return the url
-  signIn() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      return generateOauthLoginUrl(this.config);
-    });
-  }
-  signOut() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      return generateOauthLogoutUrl(this.config);
-    });
-  }
-};
-var BrowserAuthenticationService = class _BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-  // TODO WIP - perhaps we want to keep resolver and initiator separate here
-  constructor(config, pkceProducer = new BrowserPublicClientPKCEProducer()) {
-    console.log("BrowserAuthenticationService constructor", {
-      config
-    });
-    super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
-      state: generateState(config.displayMode),
-      // Store and retrieve the PKCE challenge in local storage
-      pkceConsumer: pkceProducer
-    }));
-    this.pkceProducer = pkceProducer;
-  }
-  // TODO too much code duplication here between the browser and the server variant.
-  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
-  // function for generating an oauth2client from it
-  init() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.config.oauthServer,
-        this.config.endpointOverrides
-      );
-      this.oauth2client = new (0, _oauth2.OAuth2Client)(
-        this.config.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.config.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  // Two responsibilities:
-  // 1. resolve the auth code to get the tokens (should use library code)
-  // 2. store the tokens in local storage
-  tokenExchange(code, state) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
-      if (!codeVerifier) throw new Error("Code verifier not found in storage");
-      const tokens = yield exchangeTokens(
-        code,
-        state,
-        this.pkceProducer,
-        this.oauth2client,
-        // clean up types here to avoid the ! operator
-        this.config.oauthServer,
-        this.endpoints
-        // clean up types here to avoid the ! operator
-      );
-      storeTokens(new LocalStorageAdapter(), tokens);
-      const parsedDisplayMode = displayModeFromState(
-        state,
-        this.config.displayMode
-      );
-      if (parsedDisplayMode === "new_tab") {
-        window.close();
-      }
-      removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
-      return tokens;
-    });
-  }
-  // Get the session data from local storage
-  getSessionData() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const storageData = retrieveTokens(new LocalStorageAdapter());
-      if (!storageData) return null;
-      return {
-        authenticated: !!storageData.id_token,
-        idToken: storageData.id_token,
-        accessToken: storageData.access_token,
-        refreshToken: storageData.refresh_token
-      };
-    });
-  }
-  validateExistingSession() {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      try {
-        const sessionData = yield this.getSessionData();
-        if (!(sessionData == null ? void 0 : sessionData.idToken) || !sessionData.accessToken) {
-          const unAuthenticatedSession = _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, sessionData), { authenticated: false });
-          clearTokens(new LocalStorageAdapter());
-          return unAuthenticatedSession;
-        }
-        if (!this.endpoints || !this.oauth2client) yield this.init();
-        yield validateOauth2Tokens(
-          {
-            access_token: sessionData.accessToken,
-            id_token: sessionData.idToken,
-            refresh_token: sessionData.refreshToken
-          },
-          this.endpoints,
-          this.oauth2client,
-          this.config.oauthServer
-        );
-        return sessionData;
-      } catch (error) {
-        console.warn("Failed to validate existing tokens", error);
-        const unAuthenticatedSession = {
-          authenticated: false
-        };
-        clearTokens(new LocalStorageAdapter());
-        return unAuthenticatedSession;
-      }
-    });
-  }
-  static build(config) {
-    return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const resolver = new _BrowserAuthenticationService(config);
-      yield resolver.init();
-      return resolver;
-    });
-  }
-};
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-exports.convertForwardedTokenFormat = convertForwardedTokenFormat; exports.GenericUserSession = GenericUserSession; exports.DEFAULT_SCOPES = DEFAULT_SCOPES; exports.IFRAME_ID = IFRAME_ID; exports.DEFAULT_AUTH_SERVER = DEFAULT_AUTH_SERVER; exports.TOKEN_EXCHANGE_TRIGGER_TEXT = TOKEN_EXCHANGE_TRIGGER_TEXT; exports.TOKEN_EXCHANGE_SUCCESS_TEXT = TOKEN_EXCHANGE_SUCCESS_TEXT; exports.isWindowInIframe = isWindowInIframe; exports.generateState = generateState; exports.serverTokenExchangeFromState = serverTokenExchangeFromState; exports.cn = cn; exports.withoutUndefined = withoutUndefined; exports.getEndpointsWithOverrides = getEndpointsWithOverrides; exports.exchangeTokens = exchangeTokens; exports.storeTokens = storeTokens; exports.clearTokens = clearTokens; exports.retrieveTokens = retrieveTokens; exports.LocalStorageAdapter = LocalStorageAdapter; exports.ConfidentialClientPKCEConsumer = ConfidentialClientPKCEConsumer; exports.GenericPublicClientPKCEProducer = GenericPublicClientPKCEProducer; exports.BrowserPublicClientPKCEProducer = BrowserPublicClientPKCEProducer; exports.PopupError = PopupError; exports.BrowserAuthenticationInitiator = BrowserAuthenticationInitiator; exports.GenericAuthenticationInitiator = GenericAuthenticationInitiator; exports.BrowserAuthenticationService = BrowserAuthenticationService; exports.getUser = getUser;
-//# sourceMappingURL=chunk-AM2Y662I.js.map