@civic/auth 0.1.3 → 0.1.4-beta.1

package/dist/esm/shared/hooks/useOAuthEndpoints.d.ts

@@ -0,0 +1,4 @@
+import type { Endpoints } from "../../types.js";
+declare const useOAuthEndpoints: (oauthServer?: string) => Endpoints | null;
+export { useOAuthEndpoints };
+//# sourceMappingURL=useOAuthEndpoints.d.ts.map

package/dist/esm/shared/hooks/useOAuthEndpoints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useOAuthEndpoints.d.ts","sourceRoot":"","sources":["../../../../src/shared/hooks/useOAuthEndpoints.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG5C,QAAA,MAAM,iBAAiB,iBAAkB,MAAM,qBAW9C,CAAC;AAEF,OAAO,EAAE,iBAAiB,EAAE,CAAC"}

package/dist/esm/shared/hooks/useOAuthEndpoints.js

@@ -0,0 +1,14 @@
+import { DEFAULT_AUTH_SERVER } from "../../constants.js";
+import { getOauthEndpoints } from "../../lib/oauth.js";
+import { useEffect, useState } from "react";
+const useOAuthEndpoints = (oauthServer) => {
+    const [endpoints, setEndpoints] = useState(null);
+    useEffect(() => {
+        getOauthEndpoints(oauthServer || DEFAULT_AUTH_SERVER).then((retrievedEndpoints) => {
+            setEndpoints(retrievedEndpoints);
+        });
+    }, [oauthServer]);
+    return endpoints;
+};
+export { useOAuthEndpoints };
+//# sourceMappingURL=useOAuthEndpoints.js.map

package/dist/esm/shared/hooks/useOAuthEndpoints.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useOAuthEndpoints.js","sourceRoot":"","sources":["../../../../src/shared/hooks/useOAuthEndpoints.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAEnD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAE5C,MAAM,iBAAiB,GAAG,CAAC,WAAoB,EAAE,EAAE;IACjD,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,QAAQ,CAAmB,IAAI,CAAC,CAAC;IACnE,SAAS,CAAC,GAAG,EAAE;QACb,iBAAiB,CAAC,WAAW,IAAI,mBAAmB,CAAC,CAAC,IAAI,CACxD,CAAC,kBAAkB,EAAE,EAAE;YACrB,YAAY,CAAC,kBAAkB,CAAC,CAAC;QACnC,CAAC,CACF,CAAC;IACJ,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;IAElB,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAEF,OAAO,EAAE,iBAAiB,EAAE,CAAC","sourcesContent":["import { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\nimport { getOauthEndpoints } from \"@/lib/oauth.js\";\nimport type { Endpoints } from \"@/types.js\";\nimport { useEffect, useState } from \"react\";\n\nconst useOAuthEndpoints = (oauthServer?: string) => {\n  const [endpoints, setEndpoints] = useState<Endpoints | null>(null);\n  useEffect(() => {\n    getOauthEndpoints(oauthServer || DEFAULT_AUTH_SERVER).then(\n      (retrievedEndpoints) => {\n        setEndpoints(retrievedEndpoints);\n      },\n    );\n  }, [oauthServer]);\n\n  return endpoints;\n};\n\nexport { useOAuthEndpoints };\n"]}

package/dist/esm/shared/hooks/useRefresh.d.ts

@@ -0,0 +1,4 @@
+import type { SessionData } from "../../types.js";
+declare const useRefresh: (session: SessionData | null) => void;
+export { useRefresh };
+//# sourceMappingURL=useRefresh.d.ts.map

package/dist/esm/shared/hooks/useRefresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRefresh.d.ts","sourceRoot":"","sources":["../../../../src/shared/hooks/useRefresh.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,QAAA,MAAM,UAAU,YAAa,WAAW,GAAG,IAAI,SAuC9C,CAAC;AAEF,OAAO,EAAE,UAAU,EAAE,CAAC"}

package/dist/esm/shared/hooks/useRefresh.js

@@ -0,0 +1,38 @@
+import { LocalStorageAdapter } from "../../browser/storage.js";
+import { useEffect, useMemo, useState } from "react";
+import { GenericAuthenticationRefresher } from "../lib/GenericAuthenticationRefresher.js";
+import { useCivicAuthConfig } from "./useCivicAuthConfig.js";
+const useRefresh = (session) => {
+    const authConfig = useCivicAuthConfig();
+    const storage = useMemo(() => new LocalStorageAdapter(), []);
+    // setup token autorefresh
+    const [refresher, setRefresher] = useState(undefined);
+    useEffect(() => {
+        if (!authConfig)
+            return;
+        const abortController = new AbortController();
+        const currentRefresher = refresher;
+        GenericAuthenticationRefresher.build({ ...authConfig }, storage).then((newRefresher) => {
+            if (abortController.signal.aborted)
+                return;
+            currentRefresher?.clearAutorefresh();
+            setRefresher(newRefresher);
+        });
+        return () => {
+            abortController.abort();
+            currentRefresher?.clearAutorefresh();
+        };
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [authConfig, storage]); // Only depend on what actually changes
+    useEffect(() => {
+        if (session?.authenticated) {
+            refresher?.setupAutorefresh();
+        }
+        else {
+            refresher?.clearAutorefresh();
+        }
+        return () => refresher?.clearAutorefresh();
+    }, [refresher, session?.authenticated]);
+};
+export { useRefresh };
+//# sourceMappingURL=useRefresh.js.map

package/dist/esm/shared/hooks/useRefresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useRefresh.js","sourceRoot":"","sources":["../../../../src/shared/hooks/useRefresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACrD,OAAO,EAAE,8BAA8B,EAAE,MAAM,0CAA0C,CAAC;AAC1F,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAG7D,MAAM,UAAU,GAAG,CAAC,OAA2B,EAAE,EAAE;IACjD,MAAM,UAAU,GAAG,kBAAkB,EAAE,CAAC;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,IAAI,mBAAmB,EAAE,EAAE,EAAE,CAAC,CAAC;IAE7D,0BAA0B;IAC1B,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,GAAG,QAAQ,CAExC,SAAS,CAAC,CAAC;IAEb,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,UAAU;YAAE,OAAO;QACxB,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;QAC9C,MAAM,gBAAgB,GAAG,SAAS,CAAC;QAEnC,8BAA8B,CAAC,KAAK,CAAC,EAAE,GAAG,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC,IAAI,CACnE,CAAC,YAAY,EAAE,EAAE;YACf,IAAI,eAAe,CAAC,MAAM,CAAC,OAAO;gBAAE,OAAO;YAE3C,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;YACrC,YAAY,CAAC,YAAY,CAAC,CAAC;QAC7B,CAAC,CACF,CAAC;QAEF,OAAO,GAAG,EAAE;YACV,eAAe,CAAC,KAAK,EAAE,CAAC;YACxB,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;QACvC,CAAC,CAAC;QACF,uDAAuD;IACzD,CAAC,EAAE,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,uCAAuC;IAElE,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,SAAS,EAAE,gBAAgB,EAAE,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,SAAS,EAAE,gBAAgB,EAAE,CAAC;QAChC,CAAC;QAED,OAAO,GAAG,EAAE,CAAC,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC7C,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC;AAC1C,CAAC,CAAC;AAEF,OAAO,EAAE,UAAU,EAAE,CAAC","sourcesContent":["import { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport { useEffect, useMemo, useState } from \"react\";\nimport { GenericAuthenticationRefresher } from \"../lib/GenericAuthenticationRefresher.js\";\nimport { useCivicAuthConfig } from \"./useCivicAuthConfig.js\";\nimport type { SessionData } from \"@/types.js\";\n\nconst useRefresh = (session: SessionData | null) => {\n  const authConfig = useCivicAuthConfig();\n  const storage = useMemo(() => new LocalStorageAdapter(), []);\n\n  // setup token autorefresh\n  const [refresher, setRefresher] = useState<\n    GenericAuthenticationRefresher | undefined\n  >(undefined);\n\n  useEffect(() => {\n    if (!authConfig) return;\n    const abortController = new AbortController();\n    const currentRefresher = refresher;\n\n    GenericAuthenticationRefresher.build({ ...authConfig }, storage).then(\n      (newRefresher) => {\n        if (abortController.signal.aborted) return;\n\n        currentRefresher?.clearAutorefresh();\n        setRefresher(newRefresher);\n      },\n    );\n\n    return () => {\n      abortController.abort();\n      currentRefresher?.clearAutorefresh();\n    };\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [authConfig, storage]); // Only depend on what actually changes\n\n  useEffect(() => {\n    if (session?.authenticated) {\n      refresher?.setupAutorefresh();\n    } else {\n      refresher?.clearAutorefresh();\n    }\n\n    return () => refresher?.clearAutorefresh();\n  }, [refresher, session?.authenticated]);\n};\n\nexport { useRefresh };\n"]}

package/dist/esm/shared/hooks/useSession.d.ts

@@ -1,3 +1,3 @@
-declare const useSession: () => import("../../types.js").SessionData;
+declare const useSession: () => import("../../shared/providers/SessionProvider.js").SessionProviderOutput;
 export { useSession };
 //# sourceMappingURL=useSession.d.ts.map

package/dist/esm/shared/hooks/useSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSession.d.ts","sourceRoot":"","sources":["../../../../src/shared/hooks/useSession.ts"],"names":[],"mappings":"AAKA,QAAA,MAAM,UAAU,4CAMf,CAAC;AAEF,OAAO,EAAE,UAAU,EAAE,CAAC"}
+{"version":3,"file":"useSession.d.ts","sourceRoot":"","sources":["../../../../src/shared/hooks/useSession.ts"],"names":[],"mappings":"AAKA,QAAA,MAAM,UAAU,6EAMf,CAAC;AAEF,OAAO,EAAE,UAAU,EAAE,CAAC"}

package/dist/esm/shared/hooks/useSignIn.d.ts

@@ -0,0 +1,14 @@
+import type { DisplayMode } from "../../types.js";
+import { type PKCEConsumer } from "../../services/types.js";
+type SignInProps = {
+    pkceConsumer?: PKCEConsumer;
+    preSignOut?: () => Promise<void>;
+    postSignOut?: () => Promise<void>;
+};
+declare const useSignIn: ({ pkceConsumer, preSignOut, postSignOut }: SignInProps) => {
+    signIn: (inDisplayMode?: DisplayMode) => Promise<void>;
+    signOut: () => Promise<void>;
+    displayMode: DisplayMode;
+};
+export { useSignIn };
+//# sourceMappingURL=useSignIn.d.ts.map

package/dist/esm/shared/hooks/useSignIn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useSignIn.d.ts","sourceRoot":"","sources":["../../../../src/shared/hooks/useSignIn.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEpE,KAAK,WAAW,GAAG;IACjB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,WAAW,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC,CAAC;AACF,QAAA,MAAM,SAAS,8CAA+C,WAAW;6BAgC/C,WAAW,KAAc,OAAO,CAAC,IAAI,CAAC;;;CAuC/D,CAAC;AACF,OAAO,EAAE,SAAS,EAAE,CAAC"}

package/dist/esm/shared/hooks/useSignIn.js

@@ -0,0 +1,71 @@
+import { BrowserAuthenticationInitiator } from "../../services/AuthenticationService.js";
+import { BrowserPublicClientPKCEProducer } from "../../services/PKCE.js";
+import { useCivicAuthConfig } from "../../shared/hooks/useCivicAuthConfig.js";
+import { useIframe } from "../../shared/hooks/useIframe.js";
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { PopupError } from "../../services/types.js";
+const useSignIn = ({ pkceConsumer, preSignOut, postSignOut }) => {
+    const civicAuthConfig = useCivicAuthConfig();
+    const { iframeRef, setIframeIsVisible } = useIframe();
+    const [displayMode, setDisplayMode] = useState("iframe");
+    const authInitiator = useMemo(() => {
+        if (!civicAuthConfig) {
+            return null;
+        }
+        const { clientId, redirectUrl, nonce, oauthServer, endpoints, scopes } = civicAuthConfig;
+        return new BrowserAuthenticationInitiator({
+            pkceConsumer: pkceConsumer || new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side
+            clientId,
+            redirectUrl,
+            scopes,
+            displayMode,
+            oauthServer,
+            endpointOverrides: endpoints,
+            nonce,
+        });
+    }, [civicAuthConfig, displayMode, pkceConsumer]);
+    useEffect(() => {
+        return () => {
+            if (authInitiator) {
+                authInitiator.cleanup();
+            }
+        };
+    }, [authInitiator]);
+    const signIn = useCallback(async (inDisplayMode = "iframe") => {
+        if (!authInitiator)
+            return;
+        authInitiator.setDisplayMode(inDisplayMode);
+        setDisplayMode(inDisplayMode);
+        if (inDisplayMode === "iframe") {
+            setIframeIsVisible(true);
+        }
+        const useIframeRef = iframeRef?.current || null;
+        await authInitiator.signIn(useIframeRef).catch((error) => {
+            console.log("signIn error", {
+                error,
+                isPopupError: error instanceof PopupError,
+            });
+            // if we've tried to open a popup and it has failed, then fallback to redirect mode
+            if (error instanceof PopupError) {
+                setDisplayMode("redirect");
+                setIframeIsVisible(false); // hide the iframe
+                authInitiator.cleanup(); // clear any event listeners from before
+                authInitiator.setDisplayMode("redirect"); // switch to redirect mode
+                authInitiator.signIn(useIframeRef); // retry the sign in
+            }
+        });
+    }, [authInitiator, iframeRef, setIframeIsVisible]);
+    const signOut = useCallback(async () => {
+        await preSignOut?.();
+        await authInitiator?.signOut();
+        setIframeIsVisible(false);
+        await postSignOut?.();
+    }, [preSignOut, authInitiator, setIframeIsVisible, postSignOut]);
+    return {
+        signIn,
+        signOut,
+        displayMode,
+    };
+};
+export { useSignIn };
+//# sourceMappingURL=useSignIn.js.map

package/dist/esm/shared/hooks/useSignIn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useSignIn.js","sourceRoot":"","sources":["../../../../src/shared/hooks/useSignIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AACrF,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAE1E,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAClE,OAAO,EAAE,UAAU,EAAqB,MAAM,qBAAqB,CAAC;AAOpE,MAAM,SAAS,GAAG,CAAC,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAe,EAAE,EAAE;IAC3E,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;IAC7C,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,GAAG,SAAS,EAAE,CAAC;IACtD,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,GAAG,QAAQ,CAAc,QAAQ,CAAC,CAAC;IAEtE,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,EAAE;QACjC,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,GACpE,eAAe,CAAC;QAClB,OAAO,IAAI,8BAA8B,CAAC;YACxC,YAAY,EAAE,YAAY,IAAI,IAAI,+BAA+B,EAAE,EAAE,kDAAkD;YACvH,QAAQ;YACR,WAAW;YACX,MAAM;YACN,WAAW;YACX,WAAW;YACX,iBAAiB,EAAE,SAAS;YAC5B,KAAK;SACN,CAAC,CAAC;IACL,CAAC,EAAE,CAAC,eAAe,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;IAEjD,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,GAAG,EAAE;YACV,IAAI,aAAa,EAAE,CAAC;gBAClB,aAAa,CAAC,OAAO,EAAE,CAAC;YAC1B,CAAC;QACH,CAAC,CAAC;IACJ,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC;IAEpB,MAAM,MAAM,GAAG,WAAW,CACxB,KAAK,EAAE,gBAA6B,QAAQ,EAAiB,EAAE;QAC7D,IAAI,CAAC,aAAa;YAAE,OAAO;QAE3B,aAAa,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;QAC5C,cAAc,CAAC,aAAa,CAAC,CAAC;QAC9B,IAAI,aAAa,KAAK,QAAQ,EAAE,CAAC;YAC/B,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;QACD,MAAM,YAAY,GAAG,SAAS,EAAE,OAAO,IAAI,IAAI,CAAC;QAChD,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACvD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE;gBAC1B,KAAK;gBACL,YAAY,EAAE,KAAK,YAAY,UAAU;aAC1C,CAAC,CAAC;YACH,mFAAmF;YACnF,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBAChC,cAAc,CAAC,UAAU,CAAC,CAAC;gBAC3B,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,kBAAkB;gBAC7C,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,wCAAwC;gBACjE,aAAa,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,0BAA0B;gBACpE,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,oBAAoB;YAC1D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,EACD,CAAC,aAAa,EAAE,SAAS,EAAE,kBAAkB,CAAC,CAC/C,CAAC;IAEF,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;QACrC,MAAM,UAAU,EAAE,EAAE,CAAC;QACrB,MAAM,aAAa,EAAE,OAAO,EAAE,CAAC;QAC/B,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1B,MAAM,WAAW,EAAE,EAAE,CAAC;IACxB,CAAC,EAAE,CAAC,UAAU,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,CAAC,CAAC,CAAC;IAEjE,OAAO;QACL,MAAM;QACN,OAAO;QACP,WAAW;KACZ,CAAC;AACJ,CAAC,CAAC;AACF,OAAO,EAAE,SAAS,EAAE,CAAC","sourcesContent":["import { BrowserAuthenticationInitiator } from \"@/services/AuthenticationService.js\";\nimport { BrowserPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { useCivicAuthConfig } from \"@/shared/hooks/useCivicAuthConfig.js\";\nimport type { DisplayMode } from \"@/types.js\";\nimport { useIframe } from \"@/shared/hooks/useIframe.js\";\nimport { useCallback, useEffect, useMemo, useState } from \"react\";\nimport { PopupError, type PKCEConsumer } from \"@/services/types.js\";\n\ntype SignInProps = {\n  pkceConsumer?: PKCEConsumer;\n  preSignOut?: () => Promise<void>;\n  postSignOut?: () => Promise<void>;\n};\nconst useSignIn = ({ pkceConsumer, preSignOut, postSignOut }: SignInProps) => {\n  const civicAuthConfig = useCivicAuthConfig();\n  const { iframeRef, setIframeIsVisible } = useIframe();\n  const [displayMode, setDisplayMode] = useState<DisplayMode>(\"iframe\");\n\n  const authInitiator = useMemo(() => {\n    if (!civicAuthConfig) {\n      return null;\n    }\n    const { clientId, redirectUrl, nonce, oauthServer, endpoints, scopes } =\n      civicAuthConfig;\n    return new BrowserAuthenticationInitiator({\n      pkceConsumer: pkceConsumer || new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n      clientId,\n      redirectUrl,\n      scopes,\n      displayMode,\n      oauthServer,\n      endpointOverrides: endpoints,\n      nonce,\n    });\n  }, [civicAuthConfig, displayMode, pkceConsumer]);\n\n  useEffect(() => {\n    return () => {\n      if (authInitiator) {\n        authInitiator.cleanup();\n      }\n    };\n  }, [authInitiator]);\n\n  const signIn = useCallback(\n    async (inDisplayMode: DisplayMode = \"iframe\"): Promise<void> => {\n      if (!authInitiator) return;\n\n      authInitiator.setDisplayMode(inDisplayMode);\n      setDisplayMode(inDisplayMode);\n      if (inDisplayMode === \"iframe\") {\n        setIframeIsVisible(true);\n      }\n      const useIframeRef = iframeRef?.current || null;\n      await authInitiator.signIn(useIframeRef).catch((error) => {\n        console.log(\"signIn error\", {\n          error,\n          isPopupError: error instanceof PopupError,\n        });\n        // if we've tried to open a popup and it has failed, then fallback to redirect mode\n        if (error instanceof PopupError) {\n          setDisplayMode(\"redirect\");\n          setIframeIsVisible(false); // hide the iframe\n          authInitiator.cleanup(); // clear any event listeners from before\n          authInitiator.setDisplayMode(\"redirect\"); // switch to redirect mode\n          authInitiator.signIn(useIframeRef); // retry the sign in\n        }\n      });\n    },\n    [authInitiator, iframeRef, setIframeIsVisible],\n  );\n\n  const signOut = useCallback(async () => {\n    await preSignOut?.();\n    await authInitiator?.signOut();\n    setIframeIsVisible(false);\n    await postSignOut?.();\n  }, [preSignOut, authInitiator, setIframeIsVisible, postSignOut]);\n\n  return {\n    signIn,\n    signOut,\n    displayMode,\n  };\n};\nexport { useSignIn };\n"]}

package/dist/esm/shared/lib/GenericAuthenticationRefresher.d.ts

@@ -7,10 +7,14 @@ export declare class GenericAuthenticationRefresher implements AuthenticationRef
     private endpointOverrides?;
     private oauth2client;
     private endpoints;
+    private refreshTimeout;
     private constructor();
     get oauthServer(): string;
     init(): Promise<this>;
     static build(authConfig: AuthConfig, storage: AuthStorage, endpointOverrides?: Partial<Endpoints>): Promise<GenericAuthenticationRefresher>;
     refreshTokens(): Promise<OIDCTokenResponseBody>;
+    private handleRefresh;
+    setupAutorefresh(): Promise<void>;
+    clearAutorefresh(): void;
 }
 //# sourceMappingURL=GenericAuthenticationRefresher.d.ts.map

package/dist/esm/shared/lib/GenericAuthenticationRefresher.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"GenericAuthenticationRefresher.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAMhF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAIrD,qBAAa,8BAA+B,YAAW,uBAAuB;IAK1E,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,iBAAiB,CAAC;IAN5B,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,SAAS,CAAwB;IAEzC,OAAO;IAMP,IAAI,WAAW,IAAI,MAAM,CAExB;IAEK,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;WAkBd,KAAK,CAChB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,WAAW,EACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,GACrC,OAAO,CAAC,8BAA8B,CAAC;IAWpC,aAAa;CAgBpB"}
+{"version":3,"file":"GenericAuthenticationRefresher.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAMhF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAIrD,qBAAa,8BAA+B,YAAW,uBAAuB;IAM1E,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,iBAAiB,CAAC;IAP5B,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,SAAS,CAAwB;IACzC,OAAO,CAAC,cAAc,CAA6B;IAEnD,OAAO;IAMP,IAAI,WAAW,IAAI,MAAM,CAExB;IAEK,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;WAkBd,KAAK,CAChB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,WAAW,EACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,GACrC,OAAO,CAAC,8BAA8B,CAAC;IAWpC,aAAa;YAiBL,aAAa;IAWrB,gBAAgB;IAkBtB,gBAAgB;CAKjB"}

package/dist/esm/shared/lib/GenericAuthenticationRefresher.js

@@ -7,6 +7,7 @@ export class GenericAuthenticationRefresher {
     endpointOverrides;
     oauth2client;
     endpoints;
+    refreshTimeout;
     constructor(authConfig, storage, endpointOverrides) {
         this.authConfig = authConfig;
         this.storage = storage;
@@ -39,5 +40,34 @@ export class GenericAuthenticationRefresher {
         await storeTokens(this.storage, refreshedTokens);
         return tokens;
     }
+    async handleRefresh() {
+        try {
+            await this.refreshTokens();
+            await this.setupAutorefresh(); // Reset the timeout after successful refresh
+            console.log("Autorefreshed tokens");
+        }
+        catch (error) {
+            console.error("Failed to refresh tokens:", error);
+        }
+    }
+    async setupAutorefresh() {
+        // Clear any existing timeout
+        this.clearAutorefresh();
+        // get expires_in
+        const tokens = await retrieveTokens(this.storage);
+        const expires_in = tokens?.expires_in || 60;
+        // Calculate time until expiry (subtract 30 seconds as buffer)
+        const bufferTimeMs = 30 * 1000; // 30 seconds in milliseconds
+        const expiresInMs = expires_in * 1000; // Convert to milliseconds
+        const refreshTimeMs = Math.max(0, expiresInMs - bufferTimeMs);
+        this.refreshTimeout = setTimeout(() => {
+            this.handleRefresh();
+        }, refreshTimeMs);
+    }
+    clearAutorefresh() {
+        if (this.refreshTimeout) {
+            clearTimeout(this.refreshTimeout);
+        }
+    }
 }
 //# sourceMappingURL=GenericAuthenticationRefresher.js.map

package/dist/esm/shared/lib/GenericAuthenticationRefresher.js.map

@@ -1 +1 @@
-{"version":3,"file":"GenericAuthenticationRefresher.js","sourceRoot":"","sources":["../../../../src/shared/lib/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,yBAAyB,EACzB,cAAc,EACd,WAAW,GACZ,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,MAAM,OAAO,8BAA8B;IAK/B;IACA;IACA;IANF,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,YACU,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAFtC,eAAU,GAAV,UAAU,CAAY;QACtB,YAAO,GAAP,OAAO,CAAa;QACpB,sBAAiB,GAAjB,iBAAiB,CAAqB;IAC7C,CAAC;IAEJ,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,EACxB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW;SACzC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAEtC,MAAM,SAAS,GAAG,IAAI,8BAA8B,CAClD,UAAU,EACV,OAAO,EACP,iBAAiB,CAClB,CAAC;QACF,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;QAEvB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,EAAE,aAAa;YAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAE1E,MAAM,YAAY,GAAG,IAAI,CAAC,YAAa,CAAC;QACxC,MAAM,eAAe,GACnB,MAAM,YAAY,CAAC,kBAAkB,CACnC,MAAM,CAAC,aAAa,CACrB,CAAC;QAEJ,MAAM,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEjD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF","sourcesContent":["import type { AuthenticationRefresher } from \"@/services/types.js\";\nimport type { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types.js\";\nimport {\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n} from \"@/shared/lib/util.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\n\nexport class GenericAuthenticationRefresher implements AuthenticationRefresher {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n\n  private constructor(\n    private authConfig: AuthConfig,\n    private storage: AuthStorage,\n    private endpointOverrides?: Partial<Endpoints>,\n  ) {}\n\n  get oauthServer(): string {\n    return this.authConfig.oauthServer || DEFAULT_AUTH_SERVER;\n  }\n\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<GenericAuthenticationRefresher> {\n    const refresher = new GenericAuthenticationRefresher(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await refresher.init();\n\n    return refresher;\n  }\n\n  async refreshTokens() {\n    if (!this.oauth2client) await this.init();\n\n    const tokens = await retrieveTokens(this.storage);\n    if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n\n    const oauth2Client = this.oauth2client!;\n    const refreshedTokens =\n      await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n        tokens.refresh_token,\n      );\n\n    await storeTokens(this.storage, refreshedTokens);\n\n    return tokens;\n  }\n}\n"]}
+{"version":3,"file":"GenericAuthenticationRefresher.js","sourceRoot":"","sources":["../../../../src/shared/lib/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,yBAAyB,EACzB,cAAc,EACd,WAAW,GACZ,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,MAAM,OAAO,8BAA8B;IAM/B;IACA;IACA;IAPF,YAAY,CAA2B;IACvC,SAAS,CAAwB;IACjC,cAAc,CAA6B;IAEnD,YACU,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAFtC,eAAU,GAAV,UAAU,CAAY;QACtB,YAAO,GAAP,OAAO,CAAa;QACpB,sBAAiB,GAAjB,iBAAiB,CAAqB;IAC7C,CAAC;IAEJ,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,EACxB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW;SACzC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAEtC,MAAM,SAAS,GAAG,IAAI,8BAA8B,CAClD,UAAU,EACV,OAAO,EACP,iBAAiB,CAClB,CAAC;QACF,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;QAEvB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,EAAE,aAAa;YAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAE1E,MAAM,YAAY,GAAG,IAAI,CAAC,YAAa,CAAC;QACxC,MAAM,eAAe,GACnB,MAAM,YAAY,CAAC,kBAAkB,CACnC,MAAM,CAAC,aAAa,CACrB,CAAC;QAEJ,MAAM,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEjD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,CAAC,6CAA6C;YAE5E,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,6BAA6B;QAC7B,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,iBAAiB;QACjB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,EAAE,CAAC;QAE5C,8DAA8D;QAC9D,MAAM,YAAY,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,6BAA6B;QAC7D,MAAM,WAAW,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC,0BAA0B;QACjE,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,YAAY,CAAC,CAAC;QAE9D,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,GAAG,EAAE;YACpC,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC,EAAE,aAAa,CAAC,CAAC;IACpB,CAAC;IAED,gBAAgB;QACd,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,YAAY,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;CACF","sourcesContent":["import type { AuthenticationRefresher } from \"@/services/types.js\";\nimport type { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types.js\";\nimport {\n  getEndpointsWithOverrides,\n  retrieveTokens,\n  storeTokens,\n} from \"@/shared/lib/util.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\n\nexport class GenericAuthenticationRefresher implements AuthenticationRefresher {\n  private oauth2client: OAuth2Client | undefined;\n  private endpoints: Endpoints | undefined;\n  private refreshTimeout: NodeJS.Timeout | undefined;\n\n  private constructor(\n    private authConfig: AuthConfig,\n    private storage: AuthStorage,\n    private endpointOverrides?: Partial<Endpoints>,\n  ) {}\n\n  get oauthServer(): string {\n    return this.authConfig.oauthServer || DEFAULT_AUTH_SERVER;\n  }\n\n  async init(): Promise<this> {\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<GenericAuthenticationRefresher> {\n    const refresher = new GenericAuthenticationRefresher(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await refresher.init();\n\n    return refresher;\n  }\n\n  async refreshTokens() {\n    if (!this.oauth2client) await this.init();\n\n    const tokens = await retrieveTokens(this.storage);\n    if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n\n    const oauth2Client = this.oauth2client!;\n    const refreshedTokens =\n      await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n        tokens.refresh_token,\n      );\n\n    await storeTokens(this.storage, refreshedTokens);\n\n    return tokens;\n  }\n\n  private async handleRefresh() {\n    try {\n      await this.refreshTokens();\n      await this.setupAutorefresh(); // Reset the timeout after successful refresh\n\n      console.log(\"Autorefreshed tokens\");\n    } catch (error) {\n      console.error(\"Failed to refresh tokens:\", error);\n    }\n  }\n\n  async setupAutorefresh() {\n    // Clear any existing timeout\n    this.clearAutorefresh();\n\n    // get expires_in\n    const tokens = await retrieveTokens(this.storage);\n    const expires_in = tokens?.expires_in || 60;\n\n    // Calculate time until expiry (subtract 30 seconds as buffer)\n    const bufferTimeMs = 30 * 1000; // 30 seconds in milliseconds\n    const expiresInMs = expires_in * 1000; // Convert to milliseconds\n    const refreshTimeMs = Math.max(0, expiresInMs - bufferTimeMs);\n\n    this.refreshTimeout = setTimeout(() => {\n      this.handleRefresh();\n    }, refreshTimeMs);\n  }\n\n  clearAutorefresh() {\n    if (this.refreshTimeout) {\n      clearTimeout(this.refreshTimeout);\n    }\n  }\n}\n"]}

package/dist/esm/shared/lib/session.d.ts

@@ -1,3 +1,3 @@
-import type { AuthStorage, User } from "../../types.js";
+import { type AuthStorage, type User } from "../../types.js";
 export declare function getUser(storage: AuthStorage): Promise<User | null>;
 //# sourceMappingURL=session.d.ts.map

package/dist/esm/shared/lib/session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/session.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEpD,wBAAsB,OAAO,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAMxE"}
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/session.ts"],"names":[],"mappings":"AAEA,OAAO,EAAa,KAAK,WAAW,EAAE,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AAcpE,wBAAsB,OAAO,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAQxE"}

package/dist/esm/shared/lib/session.js

@@ -1,10 +1,21 @@
 import { retrieveTokens } from "../../shared/lib/util.js";
 import { parseJWT } from "oslo/jwt";
+import { tokenKeys } from "../../types.js";
+// Function to omit keys from an object
+const omitKeys = (keys, obj) => {
+    const result = { ...obj };
+    keys.forEach((key) => {
+        delete result[key];
+    });
+    return result;
+};
 export async function getUser(storage) {
     const tokens = await retrieveTokens(storage);
     if (!tokens)
         return null;
+    const parsedToken = parseJWT(tokens.id_token)?.payload;
     // Assumes all information is in the ID token
-    return parseJWT(tokens.id_token)?.payload ?? null;
+    // remove the token keys from the user object to stop it getting too large
+    return parsedToken ? omitKeys(tokenKeys, parsedToken) : null;
 }
 //# sourceMappingURL=session.js.map

package/dist/esm/shared/lib/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../../src/shared/lib/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAGpC,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAoB;IAChD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,6CAA6C;IAC7C,OAAQ,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAgB,IAAI,IAAI,CAAC;AAC9D,CAAC","sourcesContent":["import { retrieveTokens } from \"@/shared/lib/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport type { AuthStorage, User } from \"@/types.js\";\n\nexport async function getUser(storage: AuthStorage): Promise<User | null> {\n  const tokens = await retrieveTokens(storage);\n  if (!tokens) return null;\n\n  // Assumes all information is in the ID token\n  return (parseJWT(tokens.id_token)?.payload as User) ?? null;\n}\n"]}
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../../src/shared/lib/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,SAAS,EAA+B,MAAM,YAAY,CAAC;AAEpE,uCAAuC;AACvC,MAAM,QAAQ,GAAG,CACf,IAAS,EACT,GAAM,EACM,EAAE;IACd,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;IAC1B,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAoB;IAChD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAe,CAAC;IAC/D,6CAA6C;IAC7C,0EAA0E;IAC1E,OAAO,WAAW,CAAC,CAAC,CAAE,QAAQ,CAAC,SAAS,EAAE,WAAW,CAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AACzE,CAAC","sourcesContent":["import { retrieveTokens } from \"@/shared/lib/util.js\";\nimport { parseJWT } from \"oslo/jwt\";\nimport { tokenKeys, type AuthStorage, type User } from \"@/types.js\";\n\n// Function to omit keys from an object\nconst omitKeys = <K extends keyof T, T extends Record<string, unknown>>(\n  keys: K[],\n  obj: T,\n): Omit<T, K> => {\n  const result = { ...obj };\n  keys.forEach((key) => {\n    delete result[key];\n  });\n  return result;\n};\n\nexport async function getUser(storage: AuthStorage): Promise<User | null> {\n  const tokens = await retrieveTokens(storage);\n  if (!tokens) return null;\n\n  const parsedToken = parseJWT(tokens.id_token)?.payload as User;\n  // Assumes all information is in the ID token\n  // remove the token keys from the user object to stop it getting too large\n  return parsedToken ? (omitKeys(tokenKeys, parsedToken) as User) : null;\n}\n"]}

package/dist/esm/shared/lib/types.d.ts

@@ -1,7 +1,10 @@
+import type { Endpoints } from "../../types.js";
 export declare enum OAuthTokens {
     ID_TOKEN = "id_token",
     ACCESS_TOKEN = "access_token",
-    REFRESH_TOKEN = "refresh_token"
+    REFRESH_TOKEN = "refresh_token",
+    EXPIRES_IN = "expires_in",
+    TIMESTAMP = "timestamp"
 }
 export declare enum CodeVerifier {
     COOKIE_NAME = "code_verifier",
@@ -19,4 +22,14 @@ export interface CookieConfig {
     httpOnly?: boolean;
 }
 export type TokensCookieConfig = Record<OAuthTokens | CodeVerifier, CookieConfig>;
+export type CivicAuthConfig = null | {
+    clientId: string;
+    redirectUrl: string;
+    oauthServer: string;
+    endpoints: Endpoints;
+    scopes: string[];
+    nonce?: string;
+    challengeUrl?: string;
+    logoutUrl?: string;
+};
 //# sourceMappingURL=types.d.ts.map

package/dist/esm/shared/lib/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAAA,oBAAY,WAAW;IACrB,QAAQ,aAAa;IACrB,YAAY,iBAAiB;IAC7B,aAAa,kBAAkB;CAChC;AAED,oBAAY,YAAY;IACtB,WAAW,kBAAkB;IAC7B,OAAO,YAAY;CACpB;AACD,oBAAY,WAAW;IACrB,IAAI,SAAS;CACd;AACD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,MAAM,kBAAkB,GAAG,MAAM,CACrC,WAAW,GAAG,YAAY,EAC1B,YAAY,CACb,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,oBAAY,WAAW;IACrB,QAAQ,aAAa;IACrB,YAAY,iBAAiB;IAC7B,aAAa,kBAAkB;IAC/B,UAAU,eAAe;IACzB,SAAS,cAAc;CACxB;AAED,oBAAY,YAAY;IACtB,WAAW,kBAAkB;IAC7B,OAAO,YAAY;CACpB;AACD,oBAAY,WAAW;IACrB,IAAI,SAAS;CACd;AACD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,MAAM,kBAAkB,GAAG,MAAM,CACrC,WAAW,GAAG,YAAY,EAC1B,YAAY,CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}

package/dist/esm/shared/lib/types.js

@@ -3,6 +3,8 @@ export var OAuthTokens;
     OAuthTokens["ID_TOKEN"] = "id_token";
     OAuthTokens["ACCESS_TOKEN"] = "access_token";
     OAuthTokens["REFRESH_TOKEN"] = "refresh_token";
+    OAuthTokens["EXPIRES_IN"] = "expires_in";
+    OAuthTokens["TIMESTAMP"] = "timestamp";
 })(OAuthTokens || (OAuthTokens = {}));
 export var CodeVerifier;
 (function (CodeVerifier) {

package/dist/esm/shared/lib/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,WAIX;AAJD,WAAY,WAAW;IACrB,oCAAqB,CAAA;IACrB,4CAA6B,CAAA;IAC7B,8CAA+B,CAAA;AACjC,CAAC,EAJW,WAAW,KAAX,WAAW,QAItB;AAED,MAAM,CAAN,IAAY,YAGX;AAHD,WAAY,YAAY;IACtB,6CAA6B,CAAA;IAC7B,mCAAmB,CAAA;AACrB,CAAC,EAHW,YAAY,KAAZ,YAAY,QAGvB;AACD,MAAM,CAAN,IAAY,WAEX;AAFD,WAAY,WAAW;IACrB,4BAAa,CAAA;AACf,CAAC,EAFW,WAAW,KAAX,WAAW,QAEtB","sourcesContent":["export enum OAuthTokens {\n  ID_TOKEN = \"id_token\",\n  ACCESS_TOKEN = \"access_token\",\n  REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum CodeVerifier {\n  COOKIE_NAME = \"code_verifier\",\n  APP_URL = \"app_url\",\n}\nexport enum UserStorage {\n  USER = \"user\",\n}\nexport interface CookieConfig {\n  secure?: boolean;\n  sameSite?: \"strict\" | \"lax\" | \"none\";\n  domain?: string;\n  path?: string;\n  maxAge?: number;\n  httpOnly?: boolean;\n}\n\nexport type TokensCookieConfig = Record<\n  OAuthTokens | CodeVerifier,\n  CookieConfig\n>;\n"]}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAEA,MAAM,CAAN,IAAY,WAMX;AAND,WAAY,WAAW;IACrB,oCAAqB,CAAA;IACrB,4CAA6B,CAAA;IAC7B,8CAA+B,CAAA;IAC/B,wCAAyB,CAAA;IACzB,sCAAuB,CAAA;AACzB,CAAC,EANW,WAAW,KAAX,WAAW,QAMtB;AAED,MAAM,CAAN,IAAY,YAGX;AAHD,WAAY,YAAY;IACtB,6CAA6B,CAAA;IAC7B,mCAAmB,CAAA;AACrB,CAAC,EAHW,YAAY,KAAZ,YAAY,QAGvB;AACD,MAAM,CAAN,IAAY,WAEX;AAFD,WAAY,WAAW;IACrB,4BAAa,CAAA;AACf,CAAC,EAFW,WAAW,KAAX,WAAW,QAEtB","sourcesContent":["import type { Endpoints } from \"@/types.js\";\n\nexport enum OAuthTokens {\n  ID_TOKEN = \"id_token\",\n  ACCESS_TOKEN = \"access_token\",\n  REFRESH_TOKEN = \"refresh_token\",\n  EXPIRES_IN = \"expires_in\",\n  TIMESTAMP = \"timestamp\",\n}\n\nexport enum CodeVerifier {\n  COOKIE_NAME = \"code_verifier\",\n  APP_URL = \"app_url\",\n}\nexport enum UserStorage {\n  USER = \"user\",\n}\nexport interface CookieConfig {\n  secure?: boolean;\n  sameSite?: \"strict\" | \"lax\" | \"none\";\n  domain?: string;\n  path?: string;\n  maxAge?: number;\n  httpOnly?: boolean;\n}\n\nexport type TokensCookieConfig = Record<\n  OAuthTokens | CodeVerifier,\n  CookieConfig\n>;\n\nexport type CivicAuthConfig = null | {\n  clientId: string;\n  redirectUrl: string;\n  oauthServer: string;\n  endpoints: Endpoints;\n  scopes: string[];\n  nonce?: string;\n  challengeUrl?: string;\n  logoutUrl?: string;\n};\n"]}

package/dist/esm/shared/lib/util.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EAET,qBAAqB,EACrB,YAAY,EACb,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGtE;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,OAAO,GAAG,MAAe,GAChC,OAAO,CAAC,MAAM,CAAC,CAajB;AAED,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,iBAAiB,GAAE,OAAO,CAAC,SAAS,CAAM,GACzC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CA2Bf;AAED,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CAIf;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,GACnB,YAAY,CAId;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,kCAqBrB;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,qBAAqB,iBAQ9B;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,iBAKrD;AACD,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,iBAGnD;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAYvC;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,qBAAqB,EAC7B,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CA2BvB"}
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EAET,qBAAqB,EACrB,YAAY,EACb,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGtE;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,OAAO,GAAG,MAAe,GAChC,OAAO,CAAC,MAAM,CAAC,CAajB;AAED,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,iBAAiB,GAAE,OAAO,CAAC,SAAS,CAAM,GACzC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CA2Bf;AAED,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CAIf;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,GACnB,YAAY,CAId;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,kCAoBrB;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,qBAAqB,iBAY9B;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,iBAKrD;AAED,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,iBAInD;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAgBvC;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,qBAAqB,EAC7B,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CA2BvB"}

package/dist/esm/shared/lib/util.js

@@ -81,27 +81,36 @@ export async function storeTokens(storage, tokens) {
     if (tokens.refresh_token) {
         await storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);
     }
+    if (tokens.expires_in) {
+        await storage.set(OAuthTokens.EXPIRES_IN, tokens.expires_in.toString());
+        await storage.set(OAuthTokens.TIMESTAMP, new Date().getTime().toString());
+    }
 }
 export async function clearTokens(storage) {
-    const clearOAuthPromises = Object.values(OAuthTokens).map((cookie) => {
-        storage.set(cookie, "");
+    const clearOAuthPromises = Object.values(OAuthTokens).map(async (key) => {
+        await storage.set(key, "");
     });
     await Promise.all([...clearOAuthPromises]);
 }
 export async function clearUser(storage) {
     const userSession = new GenericUserSession(storage);
+    console.log("clearUser");
     await userSession.set(null);
 }
 export async function retrieveTokens(storage) {
     const idToken = await storage.get(OAuthTokens.ID_TOKEN);
     const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);
     const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);
+    const expiresIn = await storage.get(OAuthTokens.EXPIRES_IN);
+    const timestamp = await storage.get(OAuthTokens.TIMESTAMP);
     if (!idToken || !accessToken)
         return null;
     return {
         id_token: idToken,
         access_token: accessToken,
         refresh_token: refreshToken ?? undefined,
+        expires_in: expiresIn ? parseInt(expiresIn, 10) : undefined, // Convert string to number
+        timestamp: timestamp ? parseInt(timestamp, 10) : undefined, // Convert string to number
     };
 }
 export async function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {

package/dist/esm/shared/lib/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../../../../src/shared/lib/util.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxE,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IACH,yGAAyG;IACzG,yEAAyE;IACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,kCAAkC;IAClC,OAAO,CAAC,GAAG,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAAC;IAC9D,OAAO,IAAI,GAAG,CAAC,kBAAkB,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAA0B,EAC1B,YAA0B,EAC1B,WAAmB,EACnB,SAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,eAAe,EAAE,CAAC;IAC1D,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAEvE,MAAM,MAAM,GACV,MAAM,YAAY,CAAC,yBAAyB,CAAwB,IAAI,EAAE;QACxE,YAAY;KACb,CAAC,CAAC;IAEL,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,4GAA4G;IAC5G,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzD,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoB;IACpD,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE;QACnE,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AACD,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAElE,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE1C,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,YAAY,IAAI,SAAS;KACzC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,SAAoB,EACpB,YAA0B,EAC1B,MAAc;IAEd,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAC1C,MAAM,CAAC,QAAQ,EACf,IAAI,EACJ;QACE,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;QACnC,QAAQ,EAAE,YAAY,CAAC,QAAQ;KAChC,CACF,CAAC;IAEF,4BAA4B;IAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9C,MAAM,CAAC,YAAY,EACnB,IAAI,EACJ;QACE,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;KACpC,CACF,CAAC;IAEF,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,eAAe,CAAC,OAAO;QACjC,YAAY,EAAE,mBAAmB,CAAC,OAAO;QACzC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;AACL,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n  AuthStorage,\n  Endpoints,\n  JWTPayload,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport { OAuthTokens } from \"./types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  nonce?: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  if (config.nonce) {\n    // nonce isn't supported by oslo, so we add it manually\n    oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n  }\n  // Required by the auth server for offline_access scope\n  oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  // TODO TECH-676: Implement logout\n  console.log(\"generateOauthLogoutUrl not implemented\", config);\n  return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n    redirectURI: redirectUri,\n  });\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n\n  return tokens;\n}\n\nexport async function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n  await storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n  await storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token) {\n    await storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n  }\n}\n\nexport async function clearTokens(storage: AuthStorage) {\n  const clearOAuthPromises = Object.values(OAuthTokens).map((cookie) => {\n    storage.set(cookie, \"\");\n  });\n  await Promise.all([...clearOAuthPromises]);\n}\nexport async function clearUser(storage: AuthStorage) {\n  const userSession = new GenericUserSession(storage);\n  await userSession.set(null);\n}\n\nexport async function retrieveTokens(\n  storage: AuthStorage,\n): Promise<OIDCTokenResponseBody | null> {\n  const idToken = await storage.get(OAuthTokens.ID_TOKEN);\n  const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);\n  const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);\n\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n  };\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  issuer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n"]}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../../../../src/shared/lib/util.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxE,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IACH,yGAAyG;IACzG,yEAAyE;IACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,kCAAkC;IAClC,OAAO,CAAC,GAAG,CAAC,wCAAwC,EAAE,MAAM,CAAC,CAAC;IAC9D,OAAO,IAAI,GAAG,CAAC,kBAAkB,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAA0B,EAC1B,YAA0B,EAC1B,WAAmB,EACnB,SAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,eAAe,EAAE,CAAC;IAC1D,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAEvE,MAAM,MAAM,GACV,MAAM,YAAY,CAAC,yBAAyB,CAAwB,IAAI,EAAE;QACxE,YAAY;KACb,CAAC,CAAC;IAEL,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,4GAA4G;IAC5G,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzD,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;QACxE,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoB;IACpD,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtE,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzB,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAClE,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IAE3D,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE1C,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,YAAY,IAAI,SAAS;QACxC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,2BAA2B;QACxF,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KACxF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,SAAoB,EACpB,YAA0B,EAC1B,MAAc;IAEd,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAC1C,MAAM,CAAC,QAAQ,EACf,IAAI,EACJ;QACE,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;QACnC,QAAQ,EAAE,YAAY,CAAC,QAAQ;KAChC,CACF,CAAC;IAEF,4BAA4B;IAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9C,MAAM,CAAC,YAAY,EACnB,IAAI,EACJ;QACE,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;KACpC,CACF,CAAC;IAEF,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,eAAe,CAAC,OAAO;QACjC,YAAY,EAAE,mBAAmB,CAAC,OAAO;QACzC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;AACL,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n  AuthStorage,\n  Endpoints,\n  JWTPayload,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport { OAuthTokens } from \"./types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  nonce?: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  if (config.nonce) {\n    // nonce isn't supported by oslo, so we add it manually\n    oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n  }\n  // Required by the auth server for offline_access scope\n  oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  // TODO TECH-676: Implement logout\n  console.log(\"generateOauthLogoutUrl not implemented\", config);\n  return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n    redirectURI: redirectUri,\n  });\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n  return tokens;\n}\n\nexport async function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n  await storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n  await storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token) {\n    await storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n  }\n  if (tokens.expires_in) {\n    await storage.set(OAuthTokens.EXPIRES_IN, tokens.expires_in.toString());\n    await storage.set(OAuthTokens.TIMESTAMP, new Date().getTime().toString());\n  }\n}\n\nexport async function clearTokens(storage: AuthStorage) {\n  const clearOAuthPromises = Object.values(OAuthTokens).map(async (key) => {\n    await storage.set(key, \"\");\n  });\n  await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n  const userSession = new GenericUserSession(storage);\n  console.log(\"clearUser\");\n  await userSession.set(null);\n}\n\nexport async function retrieveTokens(\n  storage: AuthStorage,\n): Promise<OIDCTokenResponseBody | null> {\n  const idToken = await storage.get(OAuthTokens.ID_TOKEN);\n  const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);\n  const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);\n  const expiresIn = await storage.get(OAuthTokens.EXPIRES_IN);\n  const timestamp = await storage.get(OAuthTokens.TIMESTAMP);\n\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n    expires_in: expiresIn ? parseInt(expiresIn, 10) : undefined, // Convert string to number\n    timestamp: timestamp ? parseInt(timestamp, 10) : undefined, // Convert string to number\n  };\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  issuer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n"]}

package/dist/esm/shared/providers/AuthProvider.d.ts

@@ -1,13 +1,14 @@
 import React, { type ReactNode } from "react";
 import type { Config, SessionData } from "../../types.js";
 import type { PKCEConsumer } from "../../services/types.js";
+export type IframeMode = "embedded" | "modal";
 export type AuthProviderProps = {
     children: ReactNode;
     clientId: string;
     nonce?: string;
     onSignIn?: (error?: Error) => void;
     onSignOut?: () => Promise<void>;
-    modalIframe?: boolean;
+    iframeMode?: IframeMode;
     config?: Config;
     redirectUrl?: string;
 };
@@ -15,6 +16,6 @@ export type InternalAuthProviderProps = AuthProviderProps & {
     sessionData?: SessionData;
     pkceConsumer?: PKCEConsumer;
 };
-declare const AuthProvider: ({ children, clientId, redirectUrl: inputRedirectUrl, config, onSignIn, onSignOut, pkceConsumer, nonce, modalIframe, sessionData: inputSessionData, }: InternalAuthProviderProps) => React.JSX.Element | null;
+declare const AuthProvider: ({ children, onSignIn, onSignOut, pkceConsumer, iframeMode, }: InternalAuthProviderProps) => React.JSX.Element;
 export { AuthProvider };
 //# sourceMappingURL=AuthProvider.d.ts.map

package/dist/esm/shared/providers/AuthProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../../../../src/shared/providers/AuthProvider.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,EACZ,KAAK,SAAS,EAMf,MAAM,OAAO,CAAC;AAEf,OAAO,KAAK,EAAE,MAAM,EAAe,WAAW,EAAE,MAAM,YAAY,CAAC;AAanE,OAAO,KAAK,EAA0B,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAqBhF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG,iBAAiB,GAAG;IAC1D,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,YAAY,CAAC,EAAE,YAAY,CAAC;CAC7B,CAAC;AAoCF,QAAA,MAAM,YAAY,yJAWf,yBAAyB,6BAgS3B,CAAC;AAEF,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../../../../src/shared/providers/AuthProvider.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,EAAE,KAAK,SAAS,EAAgC,MAAM,OAAO,CAAC;AAC5E,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEtD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAkBxD,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,OAAO,CAAC;AAC9C,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG,iBAAiB,GAAG;IAC1D,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,YAAY,CAAC,EAAE,YAAY,CAAC;CAC7B,CAAC;AAEF,QAAA,MAAM,YAAY,iEAMf,yBAAyB,sBA6D3B,CAAC;AAEF,OAAO,EAAE,YAAY,EAAE,CAAC"}