@civic/auth 0.0.1-beta.30 → 0.0.1-beta.31

package/dist/cjs/src/shared/session.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getUser = getUser;
+const util_js_js_1 = require("../shared/lib/util.js.js");
+const jwt_1 = require("oslo/jwt");
+async function getUser(storage) {
+    const tokens = await (0, util_js_js_1.retrieveTokens)(storage);
+    if (!tokens)
+        return null;
+    // Assumes all information is in the ID token
+    return (0, jwt_1.parseJWT)(tokens.id_token)?.payload ?? null;
+}
+//# sourceMappingURL=session.js.map

package/dist/cjs/src/shared/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../../src/shared/session.ts"],"names":[],"mappings":";;AAIA,0BAMC;AAVD,wDAAyD;AACzD,kCAAoC;AAG7B,KAAK,UAAU,OAAO,CAAC,OAAoB;IAChD,MAAM,MAAM,GAAG,MAAM,IAAA,2BAAc,EAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,6CAA6C;IAC7C,OAAQ,IAAA,cAAQ,EAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAgB,IAAI,IAAI,CAAC;AAC9D,CAAC","sourcesContent":["import { retrieveTokens } from \"@/shared/lib/util.js.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport type { AuthStorage, User } from \"@/types.js\";\n\nexport async function getUser(storage: AuthStorage): Promise<User | null> {\n  const tokens = await retrieveTokens(storage);\n  if (!tokens) return null;\n\n  // Assumes all information is in the ID token\n  return (parseJWT(tokens.id_token)?.payload as User) ?? null;\n}\n"]}

package/dist/{src/shared/lib → cjs/src/shared}/util.d.ts

@@ -1,11 +1,17 @@
-import type { AuthStorage, Endpoints, OIDCTokenResponseBody, ParsedTokens } from "@/types.js";
+import type { AuthStorage, Endpoints, OIDCTokenResponseBody, ParsedTokens } from "../types.js";
 import { OAuth2Client } from "oslo/oauth2";
-import type { PKCEConsumer, PKCEProducer } from "@/services/types.js";
+import type { PKCEConsumer, PKCEProducer } from "../services/types.js";
 /**
  * Given a PKCE code verifier, derive the code challenge using SHA
  */
 export declare function deriveCodeChallenge(codeVerifier: string, method?: "Plain" | "S256"): Promise<string>;
-export declare function getEndpointsWithOverrides(oauthServer: string, endpointOverrides?: Partial<Endpoints>): Promise<Endpoints>;
+export declare function getEndpointsWithOverrides(oauthServer: string, endpointOverrides?: Partial<Endpoints>): Promise<{
+    jwks: string;
+    auth: string;
+    token: string;
+    userinfo: string;
+    challenge?: string;
+}>;
 export declare function generateOauthLoginUrl(config: {
     clientId: string;
     scopes: string[];
@@ -28,6 +34,6 @@ export declare function exchangeTokens(code: string, state: string, pkceProducer
 export declare function storeTokens(storage: AuthStorage, tokens: OIDCTokenResponseBody): void;
 export declare function clearTokens(storage: AuthStorage): void;
 export declare function clearUser(storage: AuthStorage): void;
-export declare function retrieveTokens(storage: AuthStorage): OIDCTokenResponseBody | null;
+export declare function retrieveTokens(storage: AuthStorage): Promise<OIDCTokenResponseBody | null>;
 export declare function validateOauth2Tokens(tokens: OIDCTokenResponseBody, endpoints: Endpoints, oauth2Client: OAuth2Client, issuer: string): Promise<ParsedTokens>;
 //# sourceMappingURL=util.d.ts.map

package/dist/cjs/src/shared/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../../../src/shared/util.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EAET,qBAAqB,EACrB,YAAY,EACb,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGtE;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,OAAO,GAAG,MAAe,GAChC,OAAO,CAAC,MAAM,CAAC,CAajB;AAED,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,iBAAiB,GAAE,OAAO,CAAC,SAAS,CAAM;;;;;;GAO3C;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CA2Bf;AAED,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CAGf;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,GACnB,YAAY,CAId;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,kCAqBrB;AAED,wBAAgB,WAAW,CACzB,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,qBAAqB,QAO9B;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,WAAW,QAO/C;AACD,wBAAgB,SAAS,CAAC,OAAO,EAAE,WAAW,QAG7C;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAYvC;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,qBAAqB,EAC7B,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CA2BvB"}

package/dist/cjs/src/shared/util.js

@@ -0,0 +1,162 @@
+"use strict";
+// Utility functions shared by auth server and client integrations
+// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveCodeChallenge = deriveCodeChallenge;
+exports.getEndpointsWithOverrides = getEndpointsWithOverrides;
+exports.generateOauthLoginUrl = generateOauthLoginUrl;
+exports.generateOauthLogoutUrl = generateOauthLogoutUrl;
+exports.buildOauth2Client = buildOauth2Client;
+exports.exchangeTokens = exchangeTokens;
+exports.storeTokens = storeTokens;
+exports.clearTokens = clearTokens;
+exports.clearUser = clearUser;
+exports.retrieveTokens = retrieveTokens;
+exports.validateOauth2Tokens = validateOauth2Tokens;
+const types_js_1 = require("./types.js");
+const oauth2_1 = require("oslo/oauth2");
+const oauth_js_1 = require("../lib/oauth.js");
+const jose = __importStar(require("jose"));
+const utils_js_1 = require("../utils.js");
+const UserSession_js_1 = require("./UserSession.js");
+/**
+ * Given a PKCE code verifier, derive the code challenge using SHA
+ */
+async function deriveCodeChallenge(codeVerifier, method = "S256") {
+    if (method === "Plain") {
+        console.warn("Using insecure plain code challenge method");
+        return codeVerifier;
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest)))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+async function getEndpointsWithOverrides(oauthServer, endpointOverrides = {}) {
+    const endpoints = await (0, oauth_js_1.getOauthEndpoints)(oauthServer);
+    return {
+        ...endpoints,
+        ...endpointOverrides,
+    };
+}
+async function generateOauthLoginUrl(config) {
+    const endpoints = await getEndpointsWithOverrides(config.oauthServer, config.endpointOverrides);
+    const oauth2Client = buildOauth2Client(config.clientId, config.redirectUrl, endpoints);
+    const challenge = await config.pkceConsumer.getCodeChallenge();
+    const oAuthUrl = await oauth2Client.createAuthorizationURL({
+        state: config.state,
+        scopes: config.scopes,
+    });
+    // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source
+    // It only allows passing in a code verifier which it then hashes itself.
+    oAuthUrl.searchParams.append("code_challenge", challenge);
+    oAuthUrl.searchParams.append("code_challenge_method", "S256");
+    if (config.nonce) {
+        // nonce isn't supported by oslo, so we add it manually
+        oAuthUrl.searchParams.append("nonce", config.nonce);
+    }
+    // Required by the auth server for offline_access scope
+    oAuthUrl.searchParams.append("prompt", "consent");
+    return oAuthUrl;
+}
+async function generateOauthLogoutUrl(config) {
+    // TODO
+    return new URL("http://localhost");
+}
+function buildOauth2Client(clientId, redirectUri, endpoints) {
+    return new oauth2_1.OAuth2Client(clientId, endpoints.auth, endpoints.token, {
+        redirectURI: redirectUri,
+    });
+}
+async function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
+    const codeVerifier = await pkceProducer.getCodeVerifier();
+    if (!codeVerifier)
+        throw new Error("Code verifier not found in state");
+    const tokens = await oauth2Client.validateAuthorizationCode(code, {
+        codeVerifier,
+    });
+    // Validate relevant tokens
+    try {
+        await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
+    }
+    catch (error) {
+        console.error("tokenExchange error", { error, tokens });
+        throw new Error(`OIDC tokens validation failed: ${error.message}`);
+    }
+    return tokens;
+}
+function storeTokens(storage, tokens) {
+    // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )
+    storage.set(types_js_1.OAuthTokens.ID_TOKEN, tokens.id_token);
+    storage.set(types_js_1.OAuthTokens.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token)
+        storage.set(types_js_1.OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);
+}
+function clearTokens(storage) {
+    Object.values(types_js_1.OAuthTokens).forEach((cookie) => {
+        storage.set(cookie, "");
+    });
+    Object.values(types_js_1.CodeVerifier.COOKIE_NAME).forEach((cookie) => {
+        storage.set(cookie, "");
+    });
+}
+function clearUser(storage) {
+    const userSession = new UserSession_js_1.GenericUserSession(storage);
+    userSession.set(null);
+}
+async function retrieveTokens(storage) {
+    const idToken = await storage.get(types_js_1.OAuthTokens.ID_TOKEN);
+    const accessToken = await storage.get(types_js_1.OAuthTokens.ACCESS_TOKEN);
+    const refreshToken = await storage.get(types_js_1.OAuthTokens.REFRESH_TOKEN);
+    if (!idToken || !accessToken)
+        return null;
+    return {
+        id_token: idToken,
+        access_token: accessToken,
+        refresh_token: refreshToken ?? undefined,
+    };
+}
+async function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
+    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+    // validate the ID token
+    const idTokenResponse = await jose.jwtVerify(tokens.id_token, JWKS, {
+        issuer: (0, oauth_js_1.getIssuerVariations)(issuer),
+        audience: oauth2Client.clientId,
+    });
+    // validate the access token
+    const accessTokenResponse = await jose.jwtVerify(tokens.access_token, JWKS, {
+        issuer: (0, oauth_js_1.getIssuerVariations)(issuer),
+    });
+    return (0, utils_js_1.withoutUndefined)({
+        id_token: idTokenResponse.payload,
+        access_token: accessTokenResponse.payload,
+        refresh_token: tokens.refresh_token,
+    });
+}
+//# sourceMappingURL=util.js.map

package/dist/cjs/src/shared/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../../../../src/shared/util.ts"],"names":[],"mappings":";AAAA,kEAAkE;AAClE,qHAAqH;;;;;;;;;;;;;;;;;;;;;;;;;AAoBrH,kDAgBC;AAED,8DASC;AAED,sDAqCC;AAED,wDAUC;AAED,8CAQC;AAED,wCA2BC;AAED,kCASC;AAED,kCAOC;AACD,8BAGC;AAED,wCAcC;AAED,oDAgCC;AA1MD,yCAAuD;AACvD,wCAA2C;AAC3C,6CAAwE;AACxE,2CAA6B;AAC7B,yCAA8C;AAE9C,qDAAsD;AAEtD;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,IAAA,4BAAiB,EAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IACH,yGAAyG;IACzG,yEAAyE;IACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,OAAO;IACP,OAAO,IAAI,GAAG,CAAC,kBAAkB,CAAC,CAAC;AACrC,CAAC;AAED,SAAgB,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,qBAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAEM,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAA0B,EAC1B,YAA0B,EAC1B,WAAmB,EACnB,SAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,eAAe,EAAE,CAAC;IAC1D,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAEvE,MAAM,MAAM,GACV,MAAM,YAAY,CAAC,yBAAyB,CAAwB,IAAI,EAAE;QACxE,YAAY;KACb,CAAC,CAAC;IAEL,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,WAAW,CACzB,OAAoB,EACpB,MAA6B;IAE7B,4GAA4G;IAC5G,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAC3D,IAAI,MAAM,CAAC,aAAa;QACtB,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;AACjE,CAAC;AAED,SAAgB,WAAW,CAAC,OAAoB;IAC9C,MAAM,CAAC,MAAM,CAAC,sBAAW,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;QAC5C,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,MAAM,CAAC,uBAAY,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;QACzD,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AACD,SAAgB,SAAS,CAAC,OAAoB;IAC5C,MAAM,WAAW,GAAG,IAAI,mCAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACxB,CAAC;AAEM,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,YAAY,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,aAAa,CAAC,CAAC;IAElE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE1C,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,YAAY,IAAI,SAAS;KACzC,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,SAAoB,EACpB,YAA0B,EAC1B,MAAc;IAEd,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAC1C,MAAM,CAAC,QAAQ,EACf,IAAI,EACJ;QACE,MAAM,EAAE,IAAA,8BAAmB,EAAC,MAAM,CAAC;QACnC,QAAQ,EAAE,YAAY,CAAC,QAAQ;KAChC,CACF,CAAC;IAEF,4BAA4B;IAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9C,MAAM,CAAC,YAAY,EACnB,IAAI,EACJ;QACE,MAAM,EAAE,IAAA,8BAAmB,EAAC,MAAM,CAAC;KACpC,CACF,CAAC;IAEF,OAAO,IAAA,2BAAgB,EAAC;QACtB,QAAQ,EAAE,eAAe,CAAC,OAAO;QACjC,YAAY,EAAE,mBAAmB,CAAC,OAAO;QACzC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;AACL,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport type {\n  AuthStorage,\n  Endpoints,\n  JWTPayload,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport { CodeVerifier, OAuthTokens } from \"./types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"./UserSession.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n) {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  nonce?: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  if (config.nonce) {\n    // nonce isn't supported by oslo, so we add it manually\n    oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n  }\n  // Required by the auth server for offline_access scope\n  oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  // TODO\n  return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n    redirectURI: redirectUri,\n  });\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n\n  return tokens;\n}\n\nexport function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n  storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n  storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token)\n    storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n  Object.values(OAuthTokens).forEach((cookie) => {\n    storage.set(cookie, \"\");\n  });\n  Object.values(CodeVerifier.COOKIE_NAME).forEach((cookie) => {\n    storage.set(cookie, \"\");\n  });\n}\nexport function clearUser(storage: AuthStorage) {\n  const userSession = new GenericUserSession(storage);\n  userSession.set(null);\n}\n\nexport async function retrieveTokens(\n  storage: AuthStorage,\n): Promise<OIDCTokenResponseBody | null> {\n  const idToken = await storage.get(OAuthTokens.ID_TOKEN);\n  const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);\n  const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);\n\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n  };\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  issuer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n"]}