@civic/auth 0.0.1-beta.30 → 0.0.1-beta.4

package/dist/cjs/src/server/login.js

@@ -1,42 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveOAuthAccessCode = resolveOAuthAccessCode;
-exports.isLoggedIn = isLoggedIn;
-exports.buildLoginUrl = buildLoginUrl;
-const constants_js_1 = require("../constants.js");
-const AuthenticationService_js_1 = require("../services/AuthenticationService.js");
-const PKCE_js_1 = require("../services/PKCE.js");
-const ServerAuthenticationResolver_js_1 = require("../server/ServerAuthenticationResolver.js");
-/**
- * Resolve an OAuth access code to a set of OIDC tokens
- * @param code The access code, typically from a query parameter in the redirect url
- * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url
- * @param storage The place that this server uses to store session data (e.g. a cookie store)
- * @param config Oauth Server configuration
- */
-async function resolveOAuthAccessCode(code, state, storage, config) {
-    const authSessionService = await ServerAuthenticationResolver_js_1.ServerAuthenticationResolver.build({
-        ...config,
-        oauthServer: config.oauthServer ?? constants_js_1.DEFAULT_AUTH_SERVER,
-    }, storage, config.endpointOverrides);
-    return authSessionService.tokenExchange(code, state);
-}
-async function isLoggedIn(storage) {
-    return !!(await storage.get("id_token"));
-}
-async function buildLoginUrl(config, storage) {
-    // generate a random state if not provided
-    const state = config.state ?? Math.random().toString(36).substring(2);
-    const scopes = config.scopes ?? constants_js_1.DEFAULT_SCOPES;
-    const pkceProducer = new PKCE_js_1.GenericPublicClientPKCEProducer(storage);
-    const authInitiator = new AuthenticationService_js_1.GenericAuthenticationInitiator({
-        ...config,
-        state,
-        scopes,
-        oauthServer: config.oauthServer ?? constants_js_1.DEFAULT_AUTH_SERVER,
-        // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session
-        pkceConsumer: pkceProducer,
-    });
-    return authInitiator.signIn();
-}
-//# sourceMappingURL=login.js.map

package/dist/cjs/src/server/login.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/server/login.ts"],"names":[],"mappings":";;AAaA,wDAgBC;AAED,gCAEC;AAED,sCAuBC;AAzDD,iDAAqE;AACrE,kFAAqF;AACrF,gDAAqE;AACrE,8FAAwF;AAExF;;;;;;GAMG;AACI,KAAK,UAAU,sBAAsB,CAC1C,IAAY,EACZ,KAAa,EACb,OAAoB,EACpB,MAAkB;IAElB,MAAM,kBAAkB,GAAG,MAAM,8DAA4B,CAAC,KAAK,CACjE;QACE,GAAG,MAAM;QACT,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,kCAAmB;KACvD,EACD,OAAO,EACP,MAAM,CAAC,iBAAiB,CACzB,CAAC;IAEF,OAAO,kBAAkB,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC;AAEM,KAAK,UAAU,UAAU,CAAC,OAAoB;IACnD,OAAO,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;AAC3C,CAAC;AAEM,KAAK,UAAU,aAAa,CACjC,MAKG,EACH,OAAoB;IAEpB,0CAA0C;IAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,6BAAc,CAAC;IAC/C,MAAM,YAAY,GAAG,IAAI,yCAA+B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,IAAI,yDAA8B,CAAC;QACvD,GAAG,MAAM;QACT,KAAK;QACL,MAAM;QACN,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,kCAAmB;QACtD,mGAAmG;QACnG,YAAY,EAAE,YAAY;KAC3B,CAAC,CAAC;IAEH,OAAO,aAAa,CAAC,MAAM,EAAE,CAAC;AAChC,CAAC","sourcesContent":["import type { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { DEFAULT_AUTH_SERVER, DEFAULT_SCOPES } from \"@/constants.js\";\nimport { GenericAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport type { AuthConfig } from \"@/server/config.ts\";\n/**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code, typically from a query parameter in the redirect url\n * @param state The oauth random state string, used to distinguish between requests. Typically also passed in the redirect url\n * @param storage The place that this server uses to store session data (e.g. a cookie store)\n * @param config Oauth Server configuration\n */\nexport async function resolveOAuthAccessCode(\n  code: string,\n  state: string,\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const authSessionService = await ServerAuthenticationResolver.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return authSessionService.tokenExchange(code, state);\n}\n\nexport async function isLoggedIn(storage: AuthStorage): Promise<boolean> {\n  return !!(await storage.get(\"id_token\"));\n}\n\nexport async function buildLoginUrl(\n  config: Pick<AuthConfig, \"clientId\" | \"redirectUrl\"> &\n    Partial<Pick<AuthConfig, \"oauthServer\">> & {\n      scopes?: string[];\n      state?: string;\n      nonce?: string;\n    },\n  storage: AuthStorage,\n): Promise<URL> {\n  // generate a random state if not provided\n  const state = config.state ?? Math.random().toString(36).substring(2);\n  const scopes = config.scopes ?? DEFAULT_SCOPES;\n  const pkceProducer = new GenericPublicClientPKCEProducer(storage);\n  const authInitiator = new GenericAuthenticationInitiator({\n    ...config,\n    state,\n    scopes,\n    oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session\n    pkceConsumer: pkceProducer,\n  });\n\n  return authInitiator.signIn();\n}\n"]}

package/dist/cjs/src/server/refresh.d.ts

@@ -1,7 +0,0 @@
-import type { AuthStorage, OIDCTokenResponseBody } from "../types.js";
-import type { AuthConfig } from "../server/config.ts";
-/**
- * Refresh the current set of OIDC tokens
- */
-export declare function refreshTokens(storage: AuthStorage, config: AuthConfig): Promise<OIDCTokenResponseBody>;
-//# sourceMappingURL=refresh.d.ts.map

package/dist/cjs/src/server/refresh.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../../src/server/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAGrE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAErD;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAWhC"}

package/dist/cjs/src/server/refresh.js

@@ -1,16 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.refreshTokens = refreshTokens;
-const constants_js_1 = require("../constants.js");
-const GenericAuthenticationRefresher_js_1 = require("../shared/lib/GenericAuthenticationRefresher.js");
-/**
- * Refresh the current set of OIDC tokens
- */
-async function refreshTokens(storage, config) {
-    const refresher = await GenericAuthenticationRefresher_js_1.GenericAuthenticationRefresher.build({
-        ...config,
-        oauthServer: config.oauthServer ?? constants_js_1.DEFAULT_AUTH_SERVER,
-    }, storage, config.endpointOverrides);
-    return refresher.refreshTokens();
-}
-//# sourceMappingURL=refresh.js.map

package/dist/cjs/src/server/refresh.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../../src/server/refresh.ts"],"names":[],"mappings":";;AAQA,sCAcC;AArBD,iDAAqD;AACrD,sGAAgG;AAGhG;;GAEG;AACI,KAAK,UAAU,aAAa,CACjC,OAAoB,EACpB,MAAkB;IAElB,MAAM,SAAS,GAAG,MAAM,kEAA8B,CAAC,KAAK,CAC1D;QACE,GAAG,MAAM;QACT,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,kCAAmB;KACvD,EACD,OAAO,EACP,MAAM,CAAC,iBAAiB,CACzB,CAAC;IAEF,OAAO,SAAS,CAAC,aAAa,EAAE,CAAC;AACnC,CAAC","sourcesContent":["import type { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\nimport { GenericAuthenticationRefresher } from \"@/shared/lib/GenericAuthenticationRefresher.js\";\nimport type { AuthConfig } from \"@/server/config.ts\";\n\n/**\n * Refresh the current set of OIDC tokens\n */\nexport async function refreshTokens(\n  storage: AuthStorage,\n  config: AuthConfig,\n): Promise<OIDCTokenResponseBody> {\n  const refresher = await GenericAuthenticationRefresher.build(\n    {\n      ...config,\n      oauthServer: config.oauthServer ?? DEFAULT_AUTH_SERVER,\n    },\n    storage,\n    config.endpointOverrides,\n  );\n\n  return refresher.refreshTokens();\n}\n"]}

package/dist/cjs/src/services/AuthenticationService.d.ts

@@ -1,87 +0,0 @@
-import type { DisplayMode, Endpoints, OIDCTokenResponseBody, SessionData } from "../types.js";
-import { BrowserPublicClientPKCEProducer } from "../services/PKCE.js";
-import type { AuthenticationInitiator, AuthenticationResolver, PKCEConsumer } from "../services/types.js";
-/**
- * An authentication initiator that works on a browser. Since this is just triggering
- * login and logout, session data is not stored here.
- * An associated AuthenticationResolver would be needed to get the session data.
- * Storage is needed for the code verifier, this is the domain of the PKCEConsumer
- * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.
- *
- * Example usage:
- *
- * 1) Client-only SPA -eg a react app with no server:
- * new BrowserAuthenticationInitiator({
- *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side
- *   ... other config
- * })
- *
- * 2) Client-side of a client/server app - eg a react app with a backend:
- * new BrowserAuthenticationInitiator({
- *  pkceConsumer: new ConfidentialClientPKCEConsumer("https://myserver.com/pkce"), // get the challenge from the server
- *  ... other config
- * })
- */
-export declare class BrowserAuthenticationInitiator implements AuthenticationInitiator {
-    private postMessageHandler;
-    protected config: {
-        clientId: string;
-        redirectUrl: string;
-        state: string;
-        scopes: string[];
-        displayMode: DisplayMode;
-        oauthServer: string;
-        endpointOverrides?: Partial<Endpoints>;
-        pkceConsumer: PKCEConsumer;
-        nonce?: string;
-    };
-    constructor(config: typeof this.config);
-    handleLoginAppPopupFailed(redirectUrl: string): Promise<void>;
-    signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;
-    signOut(): Promise<URL>;
-    cleanup(): void;
-}
-/** A general-purpose authentication initiator, that just generates urls, but lets
- * the caller decide how to use them. This is useful for server-side applications
- * that may serve this URL to their front-ends or just call them directly
- */
-export declare class GenericAuthenticationInitiator implements AuthenticationInitiator {
-    protected config: {
-        clientId: string;
-        redirectUrl: string;
-        state: string;
-        scopes: string[];
-        oauthServer: string;
-        nonce?: string;
-        endpointOverrides?: Partial<Endpoints>;
-        pkceConsumer: PKCEConsumer;
-    };
-    constructor(config: typeof this.config);
-    signIn(): Promise<URL>;
-    signOut(): Promise<URL>;
-}
-type BrowserAuthenticationConfig = {
-    clientId: string;
-    redirectUrl: string;
-    scopes: string[];
-    oauthServer: string;
-    endpointOverrides?: Partial<Endpoints>;
-    displayMode: DisplayMode;
-};
-/**
- * An authentication resolver that can run on the browser (i.e. a public client)
- * It uses PKCE for security. PKCE and Session data are stored in local storage
- */
-export declare class BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-    protected pkceProducer: BrowserPublicClientPKCEProducer;
-    private oauth2client;
-    private endpoints;
-    constructor(config: BrowserAuthenticationConfig, pkceProducer?: BrowserPublicClientPKCEProducer);
-    init(): Promise<this>;
-    tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;
-    getSessionData(): Promise<SessionData | null>;
-    validateExistingSession(): Promise<SessionData>;
-    static build(config: BrowserAuthenticationConfig): Promise<AuthenticationResolver>;
-}
-export {};
-//# sourceMappingURL=AuthenticationService.d.ts.map

package/dist/cjs/src/services/AuthenticationService.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthenticationService.d.ts","sourceRoot":"","sources":["../../../../src/services/AuthenticationService.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EAET,qBAAqB,EACrB,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AAerE,OAAO,KAAK,EACV,uBAAuB,EACvB,sBAAsB,EACtB,YAAY,EACb,MAAM,qBAAqB,CAAC;AAM7B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,8BAA+B,YAAW,uBAAuB;IAC5E,OAAO,CAAC,kBAAkB,CAAgD;IAE1E,SAAS,CAAC,MAAM,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QAEjB,WAAW,EAAE,WAAW,CAAC;QACzB,WAAW,EAAE,MAAM,CAAC;QAEpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAEvC,YAAY,EAAE,YAAY,CAAC;QAE3B,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;gBAEU,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM;IAIhC,yBAAyB,CAAC,WAAW,EAAE,MAAM;IAU7C,MAAM,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC;IAyCzD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC;IAU7B,OAAO;CAKR;AAED;;;GAGG;AACH,qBAAa,8BAA+B,YAAW,uBAAuB;IAC5E,SAAS,CAAC,MAAM,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QAEf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAEvC,YAAY,EAAE,YAAY,CAAC;KAC5B,CAAC;gBAEU,MAAM,EAAE,OAAO,IAAI,CAAC,MAAM;IAMhC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC;IAItB,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC;CAG9B;AAED,KAAK,2BAA2B,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,WAAW,EAAE,WAAW,CAAC;CAC1B,CAAC;AAEF;;;GAGG;AACH,qBAAa,4BAA6B,SAAQ,8BAA8B;IAQ5E,SAAS,CAAC,YAAY;IAPxB,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,SAAS,CAAwB;gBAIvC,MAAM,EAAE,2BAA2B,EAEzB,YAAY,kCAAwC;IAa1D,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqBrB,aAAa,CACjB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,qBAAqB,CAAC;IAiC3B,cAAc,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAa7C,uBAAuB,IAAI,OAAO,CAAC,WAAW,CAAC;WAgCxC,KAAK,CAChB,MAAM,EAAE,2BAA2B,GAClC,OAAO,CAAC,sBAAsB,CAAC;CAMnC"}

package/dist/cjs/src/services/AuthenticationService.js

@@ -1,218 +0,0 @@
-"use strict";
-// Proposals for revised versions of the SessionService AKA AuthSessionService
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.BrowserAuthenticationService = exports.GenericAuthenticationInitiator = exports.BrowserAuthenticationInitiator = void 0;
-const PKCE_js_1 = require("../services/PKCE.js");
-const util_js_1 = require("../shared/lib/util.js");
-const oauth_js_1 = require("../lib/oauth.js");
-const oauth2_1 = require("oslo/oauth2");
-const storage_js_1 = require("../browser/storage.js");
-const types_js_1 = require("../services/types.js");
-const windowUtil_js_1 = require("../lib/windowUtil.js");
-const constants_js_1 = require("../constants.js");
-const postMessage_js_1 = require("../lib/postMessage.js");
-/**
- * An authentication initiator that works on a browser. Since this is just triggering
- * login and logout, session data is not stored here.
- * An associated AuthenticationResolver would be needed to get the session data.
- * Storage is needed for the code verifier, this is the domain of the PKCEConsumer
- * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.
- *
- * Example usage:
- *
- * 1) Client-only SPA -eg a react app with no server:
- * new BrowserAuthenticationInitiator({
- *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side
- *   ... other config
- * })
- *
- * 2) Client-side of a client/server app - eg a react app with a backend:
- * new BrowserAuthenticationInitiator({
- *  pkceConsumer: new ConfidentialClientPKCEConsumer("https://myserver.com/pkce"), // get the challenge from the server
- *  ... other config
- * })
- */
-class BrowserAuthenticationInitiator {
-    postMessageHandler = null;
-    config;
-    constructor(config) {
-        this.config = config;
-    }
-    async handleLoginAppPopupFailed(redirectUrl) {
-        console.warn("Login app popup failed open a popup, using redirect mode instead...", redirectUrl);
-        window.location.href = redirectUrl;
-    }
-    // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-    // and then use the display mode to decide how to send the user there
-    async signIn(iframeRef) {
-        const url = await (0, util_js_1.generateOauthLoginUrl)(this.config);
-        this.postMessageHandler = (event) => {
-            const thisURL = new URL(window.location.href);
-            if (event.origin.endsWith("civic.com") ||
-                thisURL.hostname === "localhost") {
-                if (!(0, postMessage_js_1.validateLoginAppPostMessage)(event.data, this.config.clientId)) {
-                    return;
-                }
-                const loginMessage = event.data;
-                this.handleLoginAppPopupFailed(loginMessage.data.url);
-            }
-        };
-        window.addEventListener("message", this.postMessageHandler);
-        if (this.config.displayMode === "iframe") {
-            if (!iframeRef)
-                throw new Error("iframeRef is required for displayMode 'iframe'");
-            iframeRef.setAttribute("src", url.toString());
-        }
-        if (this.config.displayMode === "redirect") {
-            window.location.href = url.toString();
-        }
-        if (this.config.displayMode === "new_tab") {
-            try {
-                const popupWindow = window.open(url.toString(), "_blank");
-                if (!popupWindow) {
-                    throw new types_js_1.PopupError("Failed to open popup window");
-                }
-            }
-            catch (error) {
-                console.error("popupWindow", error);
-                throw new types_js_1.PopupError("window.open has thrown: Failed to open popup window");
-            }
-        }
-        return url;
-    }
-    async signOut() {
-        const localStorage = new storage_js_1.LocalStorageAdapter();
-        await (0, util_js_1.clearTokens)(localStorage);
-        await (0, util_js_1.clearUser)(localStorage);
-        // TODO open the iframe or new tab etc: the logout URL is not currently
-        // supported by on the oauth, so just clear state until then
-        const url = await (0, util_js_1.generateOauthLogoutUrl)(this.config);
-        return url;
-    }
-    cleanup() {
-        if (this.postMessageHandler) {
-            window.removeEventListener("message", this.postMessageHandler);
-        }
-    }
-}
-exports.BrowserAuthenticationInitiator = BrowserAuthenticationInitiator;
-/** A general-purpose authentication initiator, that just generates urls, but lets
- * the caller decide how to use them. This is useful for server-side applications
- * that may serve this URL to their front-ends or just call them directly
- */
-class GenericAuthenticationInitiator {
-    config;
-    constructor(config) {
-        this.config = config;
-    }
-    // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
-    // and simply return the url
-    async signIn() {
-        return (0, util_js_1.generateOauthLoginUrl)(this.config);
-    }
-    async signOut() {
-        return (0, util_js_1.generateOauthLogoutUrl)(this.config);
-    }
-}
-exports.GenericAuthenticationInitiator = GenericAuthenticationInitiator;
-/**
- * An authentication resolver that can run on the browser (i.e. a public client)
- * It uses PKCE for security. PKCE and Session data are stored in local storage
- */
-class BrowserAuthenticationService extends BrowserAuthenticationInitiator {
-    pkceProducer;
-    oauth2client;
-    endpoints;
-    // TODO WIP - perhaps we want to keep resolver and initiator separate here
-    constructor(config, 
-    // Since we are running fully on the client, we produce as well as consume the PKCE challenge
-    pkceProducer = new PKCE_js_1.BrowserPublicClientPKCEProducer()) {
-        super({
-            ...config,
-            state: (0, oauth_js_1.generateState)(config.displayMode),
-            // Store and retrieve the PKCE challenge in local storage
-            pkceConsumer: pkceProducer,
-        });
-        this.pkceProducer = pkceProducer;
-    }
-    // TODO too much code duplication here between the browser and the server variant.
-    // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot
-    // function for generating an oauth2client from it
-    async init() {
-        // resolve oauth config
-        this.endpoints = await (0, util_js_1.getEndpointsWithOverrides)(this.config.oauthServer, this.config.endpointOverrides);
-        this.oauth2client = new oauth2_1.OAuth2Client(this.config.clientId, this.endpoints.auth, this.endpoints.token, {
-            redirectURI: this.config.redirectUrl,
-        });
-        return this;
-    }
-    // Two responsibilities:
-    // 1. resolve the auth code to get the tokens (should use library code)
-    // 2. store the tokens in local storage
-    async tokenExchange(code, state) {
-        if (!this.oauth2client)
-            await this.init();
-        const codeVerifier = await this.pkceProducer.getCodeVerifier();
-        if (!codeVerifier)
-            throw new Error("Code verifier not found in storage");
-        // exchange auth code for tokens
-        const tokens = await (0, util_js_1.exchangeTokens)(code, state, this.pkceProducer, this.oauth2client, // clean up types here to avoid the ! operator
-        this.config.oauthServer, this.endpoints);
-        await (0, util_js_1.storeTokens)(new storage_js_1.LocalStorageAdapter(), tokens);
-        // cleanup the browser window if needed
-        const parsedDisplayMode = (0, oauth_js_1.displayModeFromState)(state, this.config.displayMode);
-        if (parsedDisplayMode === "new_tab") {
-            // Close the popup window
-            window.close();
-        }
-        // these are the default oAuth params that get added to the URL in redirect which we want to remove if present
-        (0, windowUtil_js_1.removeParamsWithoutReload)(constants_js_1.DEFAULT_OAUTH_GET_PARAMS);
-        return tokens;
-    }
-    // Get the session data from local storage
-    async getSessionData() {
-        const storageData = await (0, util_js_1.retrieveTokens)(new storage_js_1.LocalStorageAdapter());
-        if (!storageData)
-            return null;
-        return {
-            authenticated: !!storageData.id_token,
-            idToken: storageData.id_token,
-            accessToken: storageData.access_token,
-            refreshToken: storageData.refresh_token,
-        };
-    }
-    async validateExistingSession() {
-        try {
-            const sessionData = await this.getSessionData();
-            if (!sessionData?.idToken || !sessionData.accessToken) {
-                const unAuthenticatedSession = { ...sessionData, authenticated: false };
-                await (0, util_js_1.clearTokens)(new storage_js_1.LocalStorageAdapter());
-                return unAuthenticatedSession;
-            }
-            if (!this.endpoints || !this.oauth2client)
-                await this.init();
-            // this function will throw if any of the tokens are invalid
-            await (0, util_js_1.validateOauth2Tokens)({
-                access_token: sessionData.accessToken,
-                id_token: sessionData.idToken,
-                refresh_token: sessionData.refreshToken,
-            }, this.endpoints, this.oauth2client, this.config.oauthServer);
-            return sessionData;
-        }
-        catch (error) {
-            console.warn("Failed to validate existing tokens", error);
-            const unAuthenticatedSession = {
-                authenticated: false,
-            };
-            await (0, util_js_1.clearTokens)(new storage_js_1.LocalStorageAdapter());
-            return unAuthenticatedSession;
-        }
-    }
-    static async build(config) {
-        const resolver = new BrowserAuthenticationService(config);
-        await resolver.init();
-        return resolver;
-    }
-}
-exports.BrowserAuthenticationService = BrowserAuthenticationService;
-//# sourceMappingURL=AuthenticationService.js.map

package/dist/cjs/src/services/AuthenticationService.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"AuthenticationService.js","sourceRoot":"","sources":["../../../../src/services/AuthenticationService.ts"],"names":[],"mappings":";AAAA,8EAA8E;;;AAS9E,gDAAqE;AACrE,kDAU8B;AAC9B,6CAAqE;AACrE,wCAA2C;AAC3C,qDAA2D;AAM3D,kDAAiD;AACjD,uDAAgE;AAChE,iDAA0D;AAC1D,yDAAmE;AAEnE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAa,8BAA8B;IACjC,kBAAkB,GAA2C,IAAI,CAAC;IAEhE,MAAM,CAcd;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,CAAC,IAAI,CACV,qEAAqE,EACrE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;IACrC,CAAC;IAED,uGAAuG;IACvG,qEAAqE;IACrE,KAAK,CAAC,MAAM,CAAC,SAAmC;QAC9C,MAAM,GAAG,GAAG,MAAM,IAAA,+BAAqB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErD,IAAI,CAAC,kBAAkB,GAAG,CAAC,KAAmB,EAAE,EAAE;YAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9C,IACE,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClC,OAAO,CAAC,QAAQ,KAAK,WAAW,EAChC,CAAC;gBACD,IAAI,CAAC,IAAA,4CAA2B,EAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnE,OAAO;gBACT,CAAC;gBACD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAwB,CAAC;gBACpD,IAAI,CAAC,yBAAyB,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC;QACH,CAAC,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC5D,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,IAAI,CAAC,SAAS;gBACZ,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACpE,SAAS,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,qBAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,qBAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,YAAY,GAAG,IAAI,gCAAmB,EAAE,CAAC;QAC/C,MAAM,IAAA,qBAAW,EAAC,YAAY,CAAC,CAAC;QAChC,MAAM,IAAA,mBAAS,EAAC,YAAY,CAAC,CAAC;QAC9B,uEAAuE;QACvE,4DAA4D;QAC5D,MAAM,GAAG,GAAG,MAAM,IAAA,gCAAsB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;CACF;AAzFD,wEAyFC;AAED;;;GAGG;AACH,MAAa,8BAA8B;IAC/B,MAAM,CAWd;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,uGAAuG;IACvG,4BAA4B;IAC5B,KAAK,CAAC,MAAM;QACV,OAAO,IAAA,+BAAqB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,OAAO,IAAA,gCAAsB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC;CACF;AA3BD,wEA2BC;AAWD;;;GAGG;AACH,MAAa,4BAA6B,SAAQ,8BAA8B;IAQlE;IAPJ,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,0EAA0E;IAC1E,YACE,MAAmC;IACnC,6FAA6F;IACnF,eAAe,IAAI,yCAA+B,EAAE;QAE9D,KAAK,CAAC;YACJ,GAAG,MAAM;YACT,KAAK,EAAE,IAAA,wBAAa,EAAC,MAAM,CAAC,WAAW,CAAC;YACxC,yDAAyD;YACzD,YAAY,EAAE,YAAY;SAC3B,CAAC,CAAC;QAPO,iBAAY,GAAZ,YAAY,CAAwC;IAQhE,CAAC;IAED,kFAAkF;IAClF,oGAAoG;IACpG,kDAAkD;IAClD,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,IAAA,mCAAyB,EAC9C,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,qBAAY,CAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wBAAwB;IACxB,uEAAuE;IACvE,uCAAuC;IACvC,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAC/D,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAEzE,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAc,EACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,SAAU,CAChB,CAAC;QAEF,MAAM,IAAA,qBAAW,EAAC,IAAI,gCAAmB,EAAE,EAAE,MAAM,CAAC,CAAC;QAErD,uCAAuC;QACvC,MAAM,iBAAiB,GAAG,IAAA,+BAAoB,EAC5C,KAAK,EACL,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;QAEF,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,yBAAyB;YACzB,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QACD,8GAA8G;QAC9G,IAAA,yCAAyB,EAAC,uCAAwB,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAc,EAAC,IAAI,gCAAmB,EAAE,CAAC,CAAC;QAEpE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ;YACrC,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;YACrC,YAAY,EAAE,WAAW,CAAC,aAAa;SACxC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uBAAuB;QAC3B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,WAAW,EAAE,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;gBACtD,MAAM,sBAAsB,GAAG,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACxE,MAAM,IAAA,qBAAW,EAAC,IAAI,gCAAmB,EAAE,CAAC,CAAC;gBAC7C,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAE7D,4DAA4D;YAC5D,MAAM,IAAA,8BAAoB,EACxB;gBACE,YAAY,EAAE,WAAW,CAAC,WAAW;gBACrC,QAAQ,EAAE,WAAW,CAAC,OAAO;gBAC7B,aAAa,EAAE,WAAW,CAAC,YAAY;aACxC,EACD,IAAI,CAAC,SAAU,EACf,IAAI,CAAC,YAAa,EAClB,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,sBAAsB,GAAG;gBAC7B,aAAa,EAAE,KAAK;aACrB,CAAC;YACF,MAAM,IAAA,qBAAW,EAAC,IAAI,gCAAmB,EAAE,CAAC,CAAC;YAC7C,OAAO,sBAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,MAAmC;QAEnC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAnID,oEAmIC","sourcesContent":["// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport type {\n  DisplayMode,\n  Endpoints,\n  LoginPostMessage,\n  OIDCTokenResponseBody,\n  SessionData,\n} from \"@/types.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport {\n  clearTokens,\n  clearUser,\n  exchangeTokens,\n  generateOauthLoginUrl,\n  generateOauthLogoutUrl,\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n  validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type {\n  AuthenticationInitiator,\n  AuthenticationResolver,\n  PKCEConsumer,\n} from \"@/services/types.js\";\nimport { PopupError } from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil.js\";\nimport { DEFAULT_OAUTH_GET_PARAMS } from \"@/constants.js\";\nimport { validateLoginAppPostMessage } from \"@/lib/postMessage.js\";\n\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n *   pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n *   ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n *  pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n *  ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n  private postMessageHandler: null | ((event: MessageEvent) => void) = null;\n\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n    displayMode: DisplayMode;\n    oauthServer: string;\n    // the endpoints to use for the login (if not obtained from the auth server\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n    // the nonce to use for the login\n    nonce?: string;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n  }\n\n  async handleLoginAppPopupFailed(redirectUrl: string) {\n    console.warn(\n      \"Login app popup failed open a popup, using redirect mode instead...\",\n      redirectUrl,\n    );\n    window.location.href = redirectUrl;\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and then use the display mode to decide how to send the user there\n  async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n    const url = await generateOauthLoginUrl(this.config);\n\n    this.postMessageHandler = (event: MessageEvent) => {\n      const thisURL = new URL(window.location.href);\n      if (\n        event.origin.endsWith(\"civic.com\") ||\n        thisURL.hostname === \"localhost\"\n      ) {\n        if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {\n          return;\n        }\n        const loginMessage = event.data as LoginPostMessage;\n        this.handleLoginAppPopupFailed(loginMessage.data.url);\n      }\n    };\n    window.addEventListener(\"message\", this.postMessageHandler);\n    if (this.config.displayMode === \"iframe\") {\n      if (!iframeRef)\n        throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n      iframeRef.setAttribute(\"src\", url.toString());\n    }\n    if (this.config.displayMode === \"redirect\") {\n      window.location.href = url.toString();\n    }\n    if (this.config.displayMode === \"new_tab\") {\n      try {\n        const popupWindow = window.open(url.toString(), \"_blank\");\n        if (!popupWindow) {\n          throw new PopupError(\"Failed to open popup window\");\n        }\n      } catch (error) {\n        console.error(\"popupWindow\", error);\n        throw new PopupError(\n          \"window.open has thrown: Failed to open popup window\",\n        );\n      }\n    }\n    return url;\n  }\n\n  async signOut(): Promise<URL> {\n    const localStorage = new LocalStorageAdapter();\n    await clearTokens(localStorage);\n    await clearUser(localStorage);\n    // TODO open the iframe or new tab etc: the logout URL is not currently\n    // supported by on the oauth, so just clear state until then\n    const url = await generateOauthLogoutUrl(this.config);\n    return url;\n  }\n\n  cleanup() {\n    if (this.postMessageHandler) {\n      window.removeEventListener(\"message\", this.postMessageHandler);\n    }\n  }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n  protected config: {\n    clientId: string;\n    redirectUrl: string;\n    state: string;\n    scopes: string[];\n    oauthServer: string;\n    nonce?: string;\n    // the endpoints to use for the login (if not obtained from the auth server)\n    endpointOverrides?: Partial<Endpoints>;\n    // used to get the PKCE challenge\n    pkceConsumer: PKCEConsumer;\n  };\n\n  constructor(config: typeof this.config) {\n    this.config = config;\n  }\n\n  // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n  // and simply return the url\n  async signIn(): Promise<URL> {\n    return generateOauthLoginUrl(this.config);\n  }\n\n  async signOut(): Promise<URL> {\n    return generateOauthLogoutUrl(this.config);\n  }\n}\n\ntype BrowserAuthenticationConfig = {\n  clientId: string;\n  redirectUrl: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  // TODO WIP - perhaps we want to keep resolver and initiator separate here\n  constructor(\n    config: BrowserAuthenticationConfig,\n    // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n    protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n  ) {\n    super({\n      ...config,\n      state: generateState(config.displayMode),\n      // Store and retrieve the PKCE challenge in local storage\n      pkceConsumer: pkceProducer,\n    });\n  }\n\n  // TODO too much code duplication here between the browser and the server variant.\n  // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n  // function for generating an oauth2client from it\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.config.oauthServer,\n      this.config.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.config.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.config.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  // Two responsibilities:\n  // 1. resolve the auth code to get the tokens (should use library code)\n  // 2. store the tokens in local storage\n  async tokenExchange(\n    code: string,\n    state: string,\n  ): Promise<OIDCTokenResponseBody> {\n    if (!this.oauth2client) await this.init();\n    const codeVerifier = await this.pkceProducer.getCodeVerifier();\n    if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n    // exchange auth code for tokens\n    const tokens = await exchangeTokens(\n      code,\n      state,\n      this.pkceProducer,\n      this.oauth2client!, // clean up types here to avoid the ! operator\n      this.config.oauthServer,\n      this.endpoints!, // clean up types here to avoid the ! operator\n    );\n\n    await storeTokens(new LocalStorageAdapter(), tokens);\n\n    // cleanup the browser window if needed\n    const parsedDisplayMode = displayModeFromState(\n      state,\n      this.config.displayMode,\n    );\n\n    if (parsedDisplayMode === \"new_tab\") {\n      // Close the popup window\n      window.close();\n    }\n    // these are the default oAuth params that get added to the URL in redirect which we want to remove if present\n    removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n    return tokens;\n  }\n\n  // Get the session data from local storage\n  async getSessionData(): Promise<SessionData | null> {\n    const storageData = await retrieveTokens(new LocalStorageAdapter());\n\n    if (!storageData) return null;\n\n    return {\n      authenticated: !!storageData.id_token,\n      idToken: storageData.id_token,\n      accessToken: storageData.access_token,\n      refreshToken: storageData.refresh_token,\n    };\n  }\n\n  async validateExistingSession(): Promise<SessionData> {\n    try {\n      const sessionData = await this.getSessionData();\n      if (!sessionData?.idToken || !sessionData.accessToken) {\n        const unAuthenticatedSession = { ...sessionData, authenticated: false };\n        await clearTokens(new LocalStorageAdapter());\n        return unAuthenticatedSession;\n      }\n      if (!this.endpoints || !this.oauth2client) await this.init();\n\n      // this function will throw if any of the tokens are invalid\n      await validateOauth2Tokens(\n        {\n          access_token: sessionData.accessToken,\n          id_token: sessionData.idToken,\n          refresh_token: sessionData.refreshToken,\n        },\n        this.endpoints!,\n        this.oauth2client!,\n        this.config.oauthServer,\n      );\n      return sessionData;\n    } catch (error) {\n      console.warn(\"Failed to validate existing tokens\", error);\n      const unAuthenticatedSession = {\n        authenticated: false,\n      };\n      await clearTokens(new LocalStorageAdapter());\n      return unAuthenticatedSession;\n    }\n  }\n\n  static async build(\n    config: BrowserAuthenticationConfig,\n  ): Promise<AuthenticationResolver> {\n    const resolver = new BrowserAuthenticationService(config);\n    await resolver.init();\n\n    return resolver;\n  }\n}\n"]}

package/dist/cjs/src/services/PKCE.d.ts

@@ -1,20 +0,0 @@
-import type { PKCEConsumer, PKCEProducer } from "../services/types.js";
-import type { AuthStorage } from "../types.js";
-/** A PKCE consumer that retrieves the challenge from a server endpoint */
-export declare class ConfidentialClientPKCEConsumer implements PKCEConsumer {
-    private pkceChallengeEndpoint;
-    constructor(pkceChallengeEndpoint: string);
-    getCodeChallenge(): Promise<string>;
-}
-/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */
-export declare class GenericPublicClientPKCEProducer implements PKCEProducer {
-    private storage;
-    constructor(storage: AuthStorage);
-    getCodeChallenge(): Promise<string>;
-    getCodeVerifier(): Promise<string | null>;
-}
-/** A PKCE Producer that is expected to run on a browser, and does not need a backend */
-export declare class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {
-    constructor();
-}
-//# sourceMappingURL=PKCE.d.ts.map

package/dist/cjs/src/services/PKCE.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"PKCE.d.ts","sourceRoot":"","sources":["../../../../src/services/PKCE.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACtE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,0EAA0E;AAC1E,qBAAa,8BAA+B,YAAW,YAAY;IACrD,OAAO,CAAC,qBAAqB;gBAArB,qBAAqB,EAAE,MAAM;IAC3C,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAO1C;AAED,8GAA8G;AAC9G,qBAAa,+BAAgC,YAAW,YAAY;IACtD,OAAO,CAAC,OAAO;gBAAP,OAAO,EAAE,WAAW;IAIlC,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IASnC,eAAe,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAGhD;AAED,wFAAwF;AACxF,qBAAa,+BAAgC,SAAQ,+BAA+B;;CAInF"}

package/dist/cjs/src/services/PKCE.js

@@ -1,50 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.BrowserPublicClientPKCEProducer = exports.GenericPublicClientPKCEProducer = exports.ConfidentialClientPKCEConsumer = void 0;
-const util_js_1 = require("../shared/lib/util.js");
-const oauth2_1 = require("oslo/oauth2");
-const storage_js_1 = require("../browser/storage.js");
-const types_js_1 = require("../shared/lib/types.js");
-/** A PKCE consumer that retrieves the challenge from a server endpoint */
-class ConfidentialClientPKCEConsumer {
-    pkceChallengeEndpoint;
-    constructor(pkceChallengeEndpoint) {
-        this.pkceChallengeEndpoint = pkceChallengeEndpoint;
-    }
-    async getCodeChallenge() {
-        const response = await fetch(`${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`);
-        const data = (await response.json());
-        return data.challenge;
-    }
-}
-exports.ConfidentialClientPKCEConsumer = ConfidentialClientPKCEConsumer;
-/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */
-class GenericPublicClientPKCEProducer {
-    storage;
-    constructor(storage) {
-        this.storage = storage;
-    }
-    // if there is already a verifier, return it,
-    // If not, create a new one and store it
-    async getCodeChallenge() {
-        // let verifier = await this.getCodeVerifier();
-        // if (!verifier) {
-        const verifier = (0, oauth2_1.generateCodeVerifier)();
-        this.storage.set(types_js_1.CodeVerifier.COOKIE_NAME, verifier);
-        // }
-        return (0, util_js_1.deriveCodeChallenge)(verifier);
-    }
-    // if there is already a verifier, return it,
-    async getCodeVerifier() {
-        return this.storage.get(types_js_1.CodeVerifier.COOKIE_NAME);
-    }
-}
-exports.GenericPublicClientPKCEProducer = GenericPublicClientPKCEProducer;
-/** A PKCE Producer that is expected to run on a browser, and does not need a backend */
-class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {
-    constructor() {
-        super(new storage_js_1.LocalStorageAdapter());
-    }
-}
-exports.BrowserPublicClientPKCEProducer = BrowserPublicClientPKCEProducer;
-//# sourceMappingURL=PKCE.js.map

package/dist/cjs/src/services/PKCE.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"PKCE.js","sourceRoot":"","sources":["../../../../src/services/PKCE.ts"],"names":[],"mappings":";;;AAAA,kDAA2D;AAC3D,wCAAmD;AACnD,qDAA2D;AAG3D,oDAAqD;AAErD,0EAA0E;AAC1E,MAAa,8BAA8B;IACrB;IAApB,YAAoB,qBAA6B;QAA7B,0BAAqB,GAArB,qBAAqB,CAAQ;IAAG,CAAC;IACrD,KAAK,CAAC,gBAAgB;QACpB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,qBAAqB,WAAW,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CACjE,CAAC;QACF,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0B,CAAC;QAC9D,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF;AATD,wEASC;AAED,8GAA8G;AAC9G,MAAa,+BAA+B;IACtB;IAApB,YAAoB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE5C,6CAA6C;IAC7C,wCAAwC;IACxC,KAAK,CAAC,gBAAgB;QACpB,+CAA+C;QAC/C,mBAAmB;QACnB,MAAM,QAAQ,GAAG,IAAA,6BAAoB,GAAE,CAAC;QACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI;QACJ,OAAO,IAAA,6BAAmB,EAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IACD,6CAA6C;IAC7C,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAY,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;CACF;AAjBD,0EAiBC;AAED,wFAAwF;AACxF,MAAa,+BAAgC,SAAQ,+BAA+B;IAClF;QACE,KAAK,CAAC,IAAI,gCAAmB,EAAE,CAAC,CAAC;IACnC,CAAC;CACF;AAJD,0EAIC","sourcesContent":["import { deriveCodeChallenge } from \"@/shared/lib/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport type { AuthStorage } from \"@/types.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n  constructor(private pkceChallengeEndpoint: string) {}\n  async getCodeChallenge(): Promise<string> {\n    const response = await fetch(\n      `${this.pkceChallengeEndpoint}?appUrl=${window.location.origin}`,\n    );\n    const data = (await response.json()) as { challenge: string };\n    return data.challenge;\n  }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n  constructor(private storage: AuthStorage) {}\n\n  // if there is already a verifier, return it,\n  // If not, create a new one and store it\n  async getCodeChallenge(): Promise<string> {\n    // let verifier = await this.getCodeVerifier();\n    // if (!verifier) {\n    const verifier = generateCodeVerifier();\n    this.storage.set(CodeVerifier.COOKIE_NAME, verifier);\n    // }\n    return deriveCodeChallenge(verifier);\n  }\n  // if there is already a verifier, return it,\n  async getCodeVerifier(): Promise<string | null> {\n    return this.storage.get(CodeVerifier.COOKIE_NAME);\n  }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n  constructor() {\n    super(new LocalStorageAdapter());\n  }\n}\n"]}

package/dist/cjs/src/services/types.d.ts

@@ -1,23 +0,0 @@
-import type { OIDCTokenResponseBody, SessionData } from "../types.js";
-export interface PKCEConsumer {
-    getCodeChallenge(): Promise<string>;
-}
-export interface PKCEProducer extends PKCEConsumer {
-    getCodeVerifier(): Promise<string | null>;
-}
-export interface AuthenticationInitiator {
-    signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;
-    signOut(): Promise<URL>;
-}
-export interface AuthenticationResolver {
-    tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;
-    getSessionData(): Promise<SessionData | null>;
-    validateExistingSession(): Promise<SessionData>;
-}
-export interface AuthenticationRefresher {
-    refreshTokens: () => Promise<OIDCTokenResponseBody>;
-}
-export declare class PopupError extends Error {
-    constructor(message: string);
-}
-//# sourceMappingURL=types.d.ts.map

package/dist/cjs/src/services/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/services/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AASrE,MAAM,WAAW,YAAY;IAE3B,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACrC;AAGD,MAAM,WAAW,YAAa,SAAQ,YAAY;IAEhD,eAAe,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC3C;AAGD,MAAM,WAAW,uBAAuB;IAEtC,MAAM,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IAG1D,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC;CACzB;AAGD,MAAM,WAAW,sBAAsB;IAKrC,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAG3E,cAAc,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAG9C,uBAAuB,IAAI,OAAO,CAAC,WAAW,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,OAAO,CAAC,qBAAqB,CAAC,CAAC;CACrD;AAED,qBAAa,UAAW,SAAQ,KAAK;gBACvB,OAAO,EAAE,MAAM;CAI5B"}

package/dist/cjs/src/services/types.js

@@ -1,11 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.PopupError = void 0;
-class PopupError extends Error {
-    constructor(message) {
-        super(message);
-        Object.setPrototypeOf(this, PopupError.prototype);
-    }
-}
-exports.PopupError = PopupError;
-//# sourceMappingURL=types.js.map

package/dist/cjs/src/services/types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/services/types.ts"],"names":[],"mappings":";;;AAgDA,MAAa,UAAW,SAAQ,KAAK;IACnC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AALD,gCAKC","sourcesContent":["import type { OIDCTokenResponseBody, SessionData } from \"@/types.js\";\n\n// A PKCEConsumer can get a code challenge to use in the login process\n// A PKCEProducer can also generate and store verifiers. The producer must also be a consumer in order to get the challenge from an existing flow\n// Examples:\n// - Client-only SPA: The SPA generates the code challenge and verifier, stores the verifier in state and returns the code challenge\n// Note - The SPA should use PKCEProducer instead to do both\n// - Client-side of a client/server app: The client calls the backend to get the challenge.\n// - Server-side: The server should generate a new stored verifier and derive the challenge from it.\nexport interface PKCEConsumer {\n  // Retrieve a new PKCE challenge\n  getCodeChallenge(): Promise<string>;\n}\n\n// All producers are consumers, because the producer can get its own challenge\nexport interface PKCEProducer extends PKCEConsumer {\n  // Retrieve the PKCE challenge from the session if one exists\n  getCodeVerifier(): Promise<string | null>;\n}\n\n// A service that can initiate requests to login or log out\nexport interface AuthenticationInitiator {\n  // trigger a new login\n  signIn(iframeRef: HTMLIFrameElement | null): Promise<URL>;\n\n  // trigger a new logout\n  signOut(): Promise<URL>;\n}\n\n// A service that can resolve an authentication request according to the OAuth Auth Code grant types\nexport interface AuthenticationResolver {\n  // Given an auth code, get the tokens from the auth server and store them. works in PKCE and non-PKCE environments\n  // Note, if we choose later to implement other grants, this method would move into a subinterface specifically\n  // for the authorization code grant type.\n  // The return type is just for convenience and can be ignored, as the same data would be provided by getSessionData\n  tokenExchange(code: string, state: string): Promise<OIDCTokenResponseBody>;\n\n  // If the tokens have already been retrieved, return them\n  getSessionData(): Promise<SessionData | null>;\n\n  // If an existing session is found, validate it and return the session data\n  validateExistingSession(): Promise<SessionData>;\n}\n\nexport interface AuthenticationRefresher {\n  refreshTokens: () => Promise<OIDCTokenResponseBody>;\n}\n\nexport class PopupError extends Error {\n  constructor(message: string) {\n    super(message);\n    Object.setPrototypeOf(this, PopupError.prototype);\n  }\n}\n"]}

package/dist/cjs/src/shared/components/CivicAuthIframe.d.ts

@@ -1,8 +0,0 @@
-import React from "react";
-type CivicAuthIframeProps = {
-    onLoad?: () => void;
-};
-declare const CivicAuthIframe: React.ForwardRefExoticComponent<CivicAuthIframeProps & React.RefAttributes<HTMLIFrameElement>>;
-export type { CivicAuthIframeProps };
-export { CivicAuthIframe };
-//# sourceMappingURL=CivicAuthIframe.d.ts.map

package/dist/cjs/src/shared/components/CivicAuthIframe.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"CivicAuthIframe.d.ts","sourceRoot":"","sources":["../../../../../src/shared/components/CivicAuthIframe.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAqB,MAAM,OAAO,CAAC;AAE1C,KAAK,oBAAoB,GAAG;IAC1B,MAAM,CAAC,EAAE,MAAM,IAAI,CAAC;CACrB,CAAC;AAEF,QAAA,MAAM,eAAe,gGAWpB,CAAC;AAIF,YAAY,EAAE,oBAAoB,EAAE,CAAC;AAErC,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/cjs/src/shared/components/CivicAuthIframe.js

@@ -1,35 +0,0 @@
-"use strict";
-"use client";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CivicAuthIframe = void 0;
-const constants_js_1 = require("../../constants.js");
-const react_1 = __importStar(require("react"));
-const CivicAuthIframe = (0, react_1.forwardRef)(({ onLoad }, ref) => {
-    return (react_1.default.createElement("iframe", { id: constants_js_1.IFRAME_ID, ref: ref, style: { height: "26rem", width: "100%", border: "none" }, onLoad: onLoad }));
-});
-exports.CivicAuthIframe = CivicAuthIframe;
-CivicAuthIframe.displayName = "CivicAuthIframe";
-//# sourceMappingURL=CivicAuthIframe.js.map

package/dist/cjs/src/shared/components/CivicAuthIframe.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"CivicAuthIframe.js","sourceRoot":"","sources":["../../../../../src/shared/components/CivicAuthIframe.tsx"],"names":[],"mappings":";AAAA,YAAY,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AACb,iDAA2C;AAC3C,+CAA0C;AAM1C,MAAM,eAAe,GAAG,IAAA,kBAAU,EAChC,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,EAAE;IAClB,OAAO,CACL,0CACE,EAAE,EAAE,wBAAS,EACb,GAAG,EAAE,GAAG,EACR,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EACzD,MAAM,EAAE,MAAM,GACd,CACH,CAAC;AACJ,CAAC,CACF,CAAC;AAMO,0CAAe;AAJxB,eAAe,CAAC,WAAW,GAAG,iBAAiB,CAAC","sourcesContent":["\"use client\";\nimport { IFRAME_ID } from \"@/constants.js\";\nimport React, { forwardRef } from \"react\";\n\ntype CivicAuthIframeProps = {\n  onLoad?: () => void;\n};\n\nconst CivicAuthIframe = forwardRef<HTMLIFrameElement, CivicAuthIframeProps>(\n  ({ onLoad }, ref) => {\n    return (\n      <iframe\n        id={IFRAME_ID}\n        ref={ref}\n        style={{ height: \"26rem\", width: \"100%\", border: \"none\" }}\n        onLoad={onLoad}\n      />\n    );\n  },\n);\n\nCivicAuthIframe.displayName = \"CivicAuthIframe\";\n\nexport type { CivicAuthIframeProps };\n\nexport { CivicAuthIframe };\n"]}