@civic/auth 0.11.4 → 0.11.5-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/dist/lib/oauth2/OAuth2Client.d.ts +69 -0
  3. package/dist/lib/oauth2/OAuth2Client.d.ts.map +1 -0
  4. package/dist/lib/oauth2/OAuth2Client.js +171 -0
  5. package/dist/lib/oauth2/OAuth2Client.js.map +1 -0
  6. package/dist/server/ServerAuthenticationResolver.js +1 -1
  7. package/dist/server/ServerAuthenticationResolver.js.map +1 -1
  8. package/dist/services/AuthenticationService.js +1 -1
  9. package/dist/services/AuthenticationService.js.map +1 -1
  10. package/dist/services/PKCE.js +1 -1
  11. package/dist/services/PKCE.js.map +1 -1
  12. package/dist/shared/lib/AuthenticationRefresherImpl.js +1 -1
  13. package/dist/shared/lib/AuthenticationRefresherImpl.js.map +1 -1
  14. package/dist/shared/lib/util.d.ts +1 -1
  15. package/dist/shared/lib/util.d.ts.map +1 -1
  16. package/dist/shared/lib/util.js +1 -1
  17. package/dist/shared/lib/util.js.map +1 -1
  18. package/dist/shared/version.d.ts +1 -1
  19. package/dist/shared/version.d.ts.map +1 -1
  20. package/dist/shared/version.js +1 -1
  21. package/dist/shared/version.js.map +1 -1
  22. package/dist/vanillajs/auth/CivicAuth.js +1 -0
  23. package/dist/vanillajs/auth/CivicAuth.js.map +1 -1
  24. package/dist/vanillajs/auth/SessionManager.d.ts.map +1 -1
  25. package/dist/vanillajs/auth/SessionManager.js +1 -0
  26. package/dist/vanillajs/auth/SessionManager.js.map +1 -1
  27. package/package.json +2 -2
package/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ # 0.11.5
2
+ - Remote deprecated Oslo dependency
3
+ - Fix NextJS logout then login bug where existing state wasn't being correctly cleared on logout
4
+
1
5
  # 0.11.4
2
6
  - Fix bug where logout was being aborted before completing
3
7
 
package/dist/lib/oauth2/OAuth2Client.d.ts ADDED
@@ -0,0 +1,69 @@
1
+ /**
2
+ * OAuth2Client - Drop-in replacement for oslo/oauth2 OAuth2Client
3
+ *
4
+ * This implementation maintains the same interface as the deprecated oslo/oauth2 library
5
+ * while using modern web APIs and @oslojs/oauth2 for response parsing.
6
+ */
7
+ /**
8
+ * OAuth2 token response body type definition
9
+ */
10
+ export interface TokenResponseBody {
11
+ access_token: string;
12
+ token_type: string;
13
+ expires_in?: number;
14
+ refresh_token?: string;
15
+ scope?: string;
16
+ id_token?: string;
17
+ [key: string]: unknown;
18
+ }
19
+ /**
20
+ * OAuth2Client class - Compatible with oslo/oauth2 interface
21
+ */
22
+ export declare class OAuth2Client {
23
+ private clientId;
24
+ private authEndpoint;
25
+ private tokenEndpoint;
26
+ private options;
27
+ constructor(clientId: string, authEndpoint: string, tokenEndpoint: string, options?: {
28
+ redirectURI?: string;
29
+ });
30
+ /**
31
+ * Creates an OAuth2 authorization URL
32
+ * @param options - Configuration for the authorization URL
33
+ * @returns Promise<URL> - The authorization URL
34
+ */
35
+ createAuthorizationURL(options: {
36
+ state: string;
37
+ scopes?: string[];
38
+ codeVerifier?: string;
39
+ [key: string]: unknown;
40
+ }): Promise<URL>;
41
+ /**
42
+ * Refreshes an access token using a refresh token
43
+ * @param refreshToken - The refresh token
44
+ * @param options - Options for the refresh request
45
+ * @returns Promise<TokenResponseBody> - The new token response
46
+ */
47
+ refreshAccessToken(refreshToken: string, options?: {
48
+ credentials?: string;
49
+ authenticateWith?: string;
50
+ }): Promise<TokenResponseBody>;
51
+ /**
52
+ * Validates an authorization code and exchanges it for tokens
53
+ * @param code - The authorization code
54
+ * @param options - Options for the token exchange
55
+ * @returns Promise<T> - The token response
56
+ */
57
+ validateAuthorizationCode<T = TokenResponseBody>(code: string, options?: {
58
+ codeVerifier?: string;
59
+ credentials?: string;
60
+ authenticateWith?: string;
61
+ }): Promise<T>;
62
+ }
63
+ /**
64
+ * Generate a code verifier for PKCE
65
+ * Compatible with oslo/oauth2's generateCodeVerifier function
66
+ * @returns string - A random code verifier
67
+ */
68
+ export declare function generateCodeVerifier(): string;
69
+ //# sourceMappingURL=OAuth2Client.d.ts.map
package/dist/lib/oauth2/OAuth2Client.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"OAuth2Client.d.ts","sourceRoot":"","sources":["../../../src/lib/oauth2/OAuth2Client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,aAAa;IACrB,OAAO,CAAC,OAAO;gBAHP,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,EACrB,OAAO,GAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAO;IAGhD;;;;OAIG;IACG,sBAAsB,CAAC,OAAO,EAAE;QACpC,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,GAAG,OAAO,CAAC,GAAG,CAAC;IA0ChB;;;;;OAKG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,OAAO,GAAE;QACP,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KACtB,GACL,OAAO,CAAC,iBAAiB,CAAC;IAgD7B;;;;;OAKG;IACG,yBAAyB,CAAC,CAAC,GAAG,iBAAiB,EACnD,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE;QACP,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KACtB,GACL,OAAO,CAAC,CAAC,CAAC;CA0Dd;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAO7C"}
package/dist/lib/oauth2/OAuth2Client.js ADDED
@@ -0,0 +1,171 @@
1
+ /**
2
+ * OAuth2Client - Drop-in replacement for oslo/oauth2 OAuth2Client
3
+ *
4
+ * This implementation maintains the same interface as the deprecated oslo/oauth2 library
5
+ * while using modern web APIs and @oslojs/oauth2 for response parsing.
6
+ */
7
+ import { TokenRequestResult } from "@oslojs/oauth2";
8
+ import { deriveCodeChallenge } from "../../shared/lib/util.js";
9
+ /**
10
+ * OAuth2Client class - Compatible with oslo/oauth2 interface
11
+ */
12
+ export class OAuth2Client {
13
+ clientId;
14
+ authEndpoint;
15
+ tokenEndpoint;
16
+ options;
17
+ constructor(clientId, authEndpoint, tokenEndpoint, options = {}) {
18
+ this.clientId = clientId;
19
+ this.authEndpoint = authEndpoint;
20
+ this.tokenEndpoint = tokenEndpoint;
21
+ this.options = options;
22
+ }
23
+ /**
24
+ * Creates an OAuth2 authorization URL
25
+ * @param options - Configuration for the authorization URL
26
+ * @returns Promise<URL> - The authorization URL
27
+ */
28
+ async createAuthorizationURL(options) {
29
+ const url = new URL(this.authEndpoint);
30
+ // Set required parameters
31
+ url.searchParams.set("client_id", this.clientId);
32
+ url.searchParams.set("response_type", "code");
33
+ url.searchParams.set("state", options.state);
34
+ // Set redirect URI if configured
35
+ if (this.options.redirectURI) {
36
+ url.searchParams.set("redirect_uri", this.options.redirectURI);
37
+ }
38
+ // Set scopes if provided
39
+ if (options.scopes?.length) {
40
+ url.searchParams.set("scope", options.scopes.join(" "));
41
+ }
42
+ // Handle PKCE if code verifier is provided
43
+ if (options.codeVerifier) {
44
+ // Use existing deriveCodeChallenge function
45
+ const challenge = await deriveCodeChallenge(options.codeVerifier);
46
+ url.searchParams.set("code_challenge", challenge);
47
+ url.searchParams.set("code_challenge_method", "S256");
48
+ }
49
+ // Add any additional parameters (for extensibility)
50
+ for (const [key, value] of Object.entries(options)) {
51
+ if (key !== "state" &&
52
+ key !== "scopes" &&
53
+ key !== "codeVerifier" &&
54
+ value !== undefined &&
55
+ value !== null) {
56
+ url.searchParams.set(key, String(value));
57
+ }
58
+ }
59
+ return url;
60
+ }
61
+ /**
62
+ * Refreshes an access token using a refresh token
63
+ * @param refreshToken - The refresh token
64
+ * @param options - Options for the refresh request
65
+ * @returns Promise<TokenResponseBody> - The new token response
66
+ */
67
+ async refreshAccessToken(refreshToken, options = {}) {
68
+ const body = new URLSearchParams({
69
+ grant_type: "refresh_token",
70
+ refresh_token: refreshToken,
71
+ client_id: this.clientId,
72
+ });
73
+ // Add client secret if provided (for confidential clients)
74
+ if (options.credentials && options.authenticateWith === "request_body") {
75
+ body.set("client_secret", options.credentials);
76
+ }
77
+ // Make the refresh request
78
+ const response = await fetch(this.tokenEndpoint, {
79
+ method: "POST",
80
+ headers: {
81
+ "Content-Type": "application/x-www-form-urlencoded",
82
+ Accept: "application/json",
83
+ },
84
+ body: body.toString(),
85
+ });
86
+ // Parse the response
87
+ const data = await response.json();
88
+ // Validate response format
89
+ if (typeof data !== "object" || data === null) {
90
+ throw new Error("Unexpected response body from token endpoint");
91
+ }
92
+ // Use @oslojs/oauth2 to parse and validate the response
93
+ const result = new TokenRequestResult(data);
94
+ // Check for OAuth2 errors
95
+ if (result.hasErrorCode()) {
96
+ const error = result.errorCode();
97
+ const description = result.hasErrorDescription()
98
+ ? result.errorDescription()
99
+ : "";
100
+ throw new Error(`OAuth2 error: ${error}${description ? ` - ${description}` : ""}`);
101
+ }
102
+ // Return the full response
103
+ return data;
104
+ }
105
+ /**
106
+ * Validates an authorization code and exchanges it for tokens
107
+ * @param code - The authorization code
108
+ * @param options - Options for the token exchange
109
+ * @returns Promise<T> - The token response
110
+ */
111
+ async validateAuthorizationCode(code, options = {}) {
112
+ const body = new URLSearchParams({
113
+ grant_type: "authorization_code",
114
+ code: code,
115
+ client_id: this.clientId,
116
+ });
117
+ // Add redirect URI if configured
118
+ if (this.options.redirectURI) {
119
+ body.set("redirect_uri", this.options.redirectURI);
120
+ }
121
+ // Add PKCE code verifier if provided
122
+ if (options.codeVerifier) {
123
+ body.set("code_verifier", options.codeVerifier);
124
+ }
125
+ // Add client secret if provided (for confidential clients)
126
+ if (options.credentials && options.authenticateWith === "request_body") {
127
+ body.set("client_secret", options.credentials);
128
+ }
129
+ // Make the token exchange request
130
+ const response = await fetch(this.tokenEndpoint, {
131
+ method: "POST",
132
+ headers: {
133
+ "Content-Type": "application/x-www-form-urlencoded",
134
+ Accept: "application/json",
135
+ },
136
+ body: body.toString(),
137
+ });
138
+ // Parse the response
139
+ const data = await response.json();
140
+ // Validate response format
141
+ if (typeof data !== "object" || data === null) {
142
+ throw new Error("Unexpected response body from token endpoint");
143
+ }
144
+ // Use @oslojs/oauth2 to parse and validate the response
145
+ const result = new TokenRequestResult(data);
146
+ // Check for OAuth2 errors
147
+ if (result.hasErrorCode()) {
148
+ const error = result.errorCode();
149
+ const description = result.hasErrorDescription()
150
+ ? result.errorDescription()
151
+ : "";
152
+ throw new Error(`OAuth2 error: ${error}${description ? ` - ${description}` : ""}`);
153
+ }
154
+ // Return the full response for backward compatibility
155
+ // The original oslo/oauth2 returns the raw response data
156
+ return data;
157
+ }
158
+ }
159
+ /**
160
+ * Generate a code verifier for PKCE
161
+ * Compatible with oslo/oauth2's generateCodeVerifier function
162
+ * @returns string - A random code verifier
163
+ */
164
+ export function generateCodeVerifier() {
165
+ const bytes = new Uint8Array(32);
166
+ crypto.getRandomValues(bytes);
167
+ // Base64url encode (without padding)
168
+ const base64 = btoa(String.fromCharCode(...bytes));
169
+ return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
170
+ }
171
+ //# sourceMappingURL=OAuth2Client.js.map
package/dist/lib/oauth2/OAuth2Client.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"OAuth2Client.js","sourceRoot":"","sources":["../../../src/lib/oauth2/OAuth2Client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAe/D;;GAEG;AACH,MAAM,OAAO,YAAY;IAEb;IACA;IACA;IACA;IAJV,YACU,QAAgB,EAChB,YAAoB,EACpB,aAAqB,EACrB,UAAoC,EAAE;QAHtC,aAAQ,GAAR,QAAQ,CAAQ;QAChB,iBAAY,GAAZ,YAAY,CAAQ;QACpB,kBAAa,GAAb,aAAa,CAAQ;QACrB,YAAO,GAAP,OAAO,CAA+B;IAC7C,CAAC;IAEJ;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAAC,OAK5B;QACC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAEvC,0BAA0B;QAC1B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QAE7C,iCAAiC;QACjC,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC7B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACjE,CAAC;QAED,yBAAyB;QACzB,IAAI,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;YAC3B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1D,CAAC;QAED,2CAA2C;QAC3C,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,4CAA4C;YAC5C,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAClE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACxD,CAAC;QAED,oDAAoD;QACpD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,IACE,GAAG,KAAK,OAAO;gBACf,GAAG,KAAK,QAAQ;gBAChB,GAAG,KAAK,cAAc;gBACtB,KAAK,KAAK,SAAS;gBACnB,KAAK,KAAK,IAAI,EACd,CAAC;gBACD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,kBAAkB,CACtB,YAAoB,EACpB,UAGI,EAAE;QAEN,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;YAC3B,SAAS,EAAE,IAAI,CAAC,QAAQ;SACzB,CAAC,CAAC;QAEH,2DAA2D;QAC3D,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,gBAAgB,KAAK,cAAc,EAAE,CAAC;YACvE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACjD,CAAC;QAED,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,qBAAqB;QACrB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,2BAA2B;QAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,wDAAwD;QACxD,MAAM,MAAM,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAE5C,0BAA0B;QAC1B,IAAI,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACjC,MAAM,WAAW,GAAG,MAAM,CAAC,mBAAmB,EAAE;gBAC9C,CAAC,CAAC,MAAM,CAAC,gBAAgB,EAAE;gBAC3B,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,IAAI,KAAK,CACb,iBAAiB,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,OAAO,IAAyB,CAAC;IACnC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,yBAAyB,CAC7B,IAAY,EACZ,UAII,EAAE;QAEN,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,IAAI;YACV,SAAS,EAAE,IAAI,CAAC,QAAQ;SACzB,CAAC,CAAC;QAEH,iCAAiC;QACjC,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC7B,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACrD,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAClD,CAAC;QAED,2DAA2D;QAC3D,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,gBAAgB,KAAK,cAAc,EAAE,CAAC;YACvE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QACjD,CAAC;QAED,kCAAkC;QAClC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,qBAAqB;QACrB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,2BAA2B;QAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,wDAAwD;QACxD,MAAM,MAAM,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAE5C,0BAA0B;QAC1B,IAAI,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACjC,MAAM,WAAW,GAAG,MAAM,CAAC,mBAAmB,EAAE;gBAC9C,CAAC,CAAC,MAAM,CAAC,gBAAgB,EAAE;gBAC3B,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,IAAI,KAAK,CACb,iBAAiB,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,yDAAyD;QACzD,OAAO,IAAS,CAAC;IACnB,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAE9B,qCAAqC;IACrC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC","sourcesContent":["/**\n * OAuth2Client - Drop-in replacement for oslo/oauth2 OAuth2Client\n *\n * This implementation maintains the same interface as the deprecated oslo/oauth2 library\n * while using modern web APIs and @oslojs/oauth2 for response parsing.\n */\n\nimport { TokenRequestResult } from \"@oslojs/oauth2\";\nimport { deriveCodeChallenge } from \"../../shared/lib/util.js\";\n\n/**\n * OAuth2 token response body type definition\n */\nexport interface TokenResponseBody {\n access_token: string;\n token_type: string;\n expires_in?: number;\n refresh_token?: string;\n scope?: string;\n id_token?: string;\n [key: string]: unknown;\n}\n\n/**\n * OAuth2Client class - Compatible with oslo/oauth2 interface\n */\nexport class OAuth2Client {\n constructor(\n private clientId: string,\n private authEndpoint: string,\n private tokenEndpoint: string,\n private options: { redirectURI?: string } = {},\n ) {}\n\n /**\n * Creates an OAuth2 authorization URL\n * @param options - Configuration for the authorization URL\n * @returns Promise<URL> - The authorization URL\n */\n async createAuthorizationURL(options: {\n state: string;\n scopes?: string[];\n codeVerifier?: string;\n [key: string]: unknown; // Allow additional parameters\n }): Promise<URL> {\n const url = new URL(this.authEndpoint);\n\n // Set required parameters\n url.searchParams.set(\"client_id\", this.clientId);\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"state\", options.state);\n\n // Set redirect URI if configured\n if (this.options.redirectURI) {\n url.searchParams.set(\"redirect_uri\", this.options.redirectURI);\n }\n\n // Set scopes if provided\n if (options.scopes?.length) {\n url.searchParams.set(\"scope\", options.scopes.join(\" \"));\n }\n\n // Handle PKCE if code verifier is provided\n if (options.codeVerifier) {\n // Use existing deriveCodeChallenge function\n const challenge = await deriveCodeChallenge(options.codeVerifier);\n url.searchParams.set(\"code_challenge\", challenge);\n url.searchParams.set(\"code_challenge_method\", \"S256\");\n }\n\n // Add any additional parameters (for extensibility)\n for (const [key, value] of Object.entries(options)) {\n if (\n key !== \"state\" &&\n key !== \"scopes\" &&\n key !== \"codeVerifier\" &&\n value !== undefined &&\n value !== null\n ) {\n url.searchParams.set(key, String(value));\n }\n }\n\n return url;\n }\n\n /**\n * Refreshes an access token using a refresh token\n * @param refreshToken - The refresh token\n * @param options - Options for the refresh request\n * @returns Promise<TokenResponseBody> - The new token response\n */\n async refreshAccessToken(\n refreshToken: string,\n options: {\n credentials?: string;\n authenticateWith?: string;\n } = {},\n ): Promise<TokenResponseBody> {\n const body = new URLSearchParams({\n grant_type: \"refresh_token\",\n refresh_token: refreshToken,\n client_id: this.clientId,\n });\n\n // Add client secret if provided (for confidential clients)\n if (options.credentials && options.authenticateWith === \"request_body\") {\n body.set(\"client_secret\", options.credentials);\n }\n\n // Make the refresh request\n const response = await fetch(this.tokenEndpoint, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Accept: \"application/json\",\n },\n body: body.toString(),\n });\n\n // Parse the response\n const data = await response.json();\n\n // Validate response format\n if (typeof data !== \"object\" || data === null) {\n throw new Error(\"Unexpected response body from token endpoint\");\n }\n\n // Use @oslojs/oauth2 to parse and validate the response\n const result = new TokenRequestResult(data);\n\n // Check for OAuth2 errors\n if (result.hasErrorCode()) {\n const error = result.errorCode();\n const description = result.hasErrorDescription()\n ? result.errorDescription()\n : \"\";\n throw new Error(\n `OAuth2 error: ${error}${description ? ` - ${description}` : \"\"}`,\n );\n }\n\n // Return the full response\n return data as TokenResponseBody;\n }\n\n /**\n * Validates an authorization code and exchanges it for tokens\n * @param code - The authorization code\n * @param options - Options for the token exchange\n * @returns Promise<T> - The token response\n */\n async validateAuthorizationCode<T = TokenResponseBody>(\n code: string,\n options: {\n codeVerifier?: string;\n credentials?: string;\n authenticateWith?: string;\n } = {},\n ): Promise<T> {\n const body = new URLSearchParams({\n grant_type: \"authorization_code\",\n code: code,\n client_id: this.clientId,\n });\n\n // Add redirect URI if configured\n if (this.options.redirectURI) {\n body.set(\"redirect_uri\", this.options.redirectURI);\n }\n\n // Add PKCE code verifier if provided\n if (options.codeVerifier) {\n body.set(\"code_verifier\", options.codeVerifier);\n }\n\n // Add client secret if provided (for confidential clients)\n if (options.credentials && options.authenticateWith === \"request_body\") {\n body.set(\"client_secret\", options.credentials);\n }\n\n // Make the token exchange request\n const response = await fetch(this.tokenEndpoint, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Accept: \"application/json\",\n },\n body: body.toString(),\n });\n\n // Parse the response\n const data = await response.json();\n\n // Validate response format\n if (typeof data !== \"object\" || data === null) {\n throw new Error(\"Unexpected response body from token endpoint\");\n }\n\n // Use @oslojs/oauth2 to parse and validate the response\n const result = new TokenRequestResult(data);\n\n // Check for OAuth2 errors\n if (result.hasErrorCode()) {\n const error = result.errorCode();\n const description = result.hasErrorDescription()\n ? result.errorDescription()\n : \"\";\n throw new Error(\n `OAuth2 error: ${error}${description ? ` - ${description}` : \"\"}`,\n );\n }\n\n // Return the full response for backward compatibility\n // The original oslo/oauth2 returns the raw response data\n return data as T;\n }\n}\n\n/**\n * Generate a code verifier for PKCE\n * Compatible with oslo/oauth2's generateCodeVerifier function\n * @returns string - A random code verifier\n */\nexport function generateCodeVerifier(): string {\n const bytes = new Uint8Array(32);\n crypto.getRandomValues(bytes);\n\n // Base64url encode (without padding)\n const base64 = btoa(String.fromCharCode(...bytes));\n return base64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=/g, \"\");\n}\n"]}
package/dist/server/ServerAuthenticationResolver.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import { GenericPublicClientPKCEProducer } from "../services/PKCE.js";
2
- import { OAuth2Client } from "oslo/oauth2";
2
+ import { OAuth2Client } from "../lib/oauth2/OAuth2Client.js";
3
3
  import { exchangeTokens, getEndpointsWithOverrides, retrieveTokens, storeServerTokens, validateOauth2Tokens, } from "../shared/lib/util.js";
4
4
  import { DEFAULT_AUTH_SERVER } from "../constants.js";
5
5
  import { CodeVerifier } from "../shared/lib/types.js";
package/dist/server/ServerAuthenticationResolver.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"ServerAuthenticationResolver.js","sourceRoot":"","sources":["../../src/server/ServerAuthenticationResolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,EACL,cAAc,EACd,yBAAyB,EACzB,cAAc,EACd,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,6CAA6C,CAAC;AAE1F,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;AAE3C,MAAM,OAAO,4BAA4B;IAM5B;IACA;IACA;IAPH,YAAY,CAAsB;IAClC,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,YACW,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAFtC,eAAU,GAAV,UAAU,CAAY;QACtB,YAAO,GAAP,OAAO,CAAa;QACpB,sBAAiB,GAAjB,iBAAiB,CAAqB;QAE/C,mDAAmD;QACnD,kBAAkB;QAClB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,CAAC;QAE1C,gDAAgD;QAChD,IAAI,CAAC,YAAY,GAAG,OAAO;YACzB,CAAC,CAAC,IAAI,+BAA+B,CAAC,OAAO,CAAC;YAC9C,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB,CACpB,WAA+B;QAE/B,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAClD,wDAAwD;QACxD,IAAI,WAAW,EAAE,YAAY,EAAE,CAAC;YAC9B,MAAM,aAAa,GAAG,MAAM,2BAA2B,CAAC,KAAK,CAC3D;gBACE,GAAG,IAAI,CAAC,UAAU;gBAClB,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB;aAChE,EACD,IAAI,CAAC,OAAO,EACZ,KAAK,EAAE,KAAK,EAAE,EAAE;gBACd,MAAM,CAAC,KAAK,CACV,uDAAuD,EACvD,EAAE,KAAK,EAAE,CACV,CAAC;gBACF,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC/B,CAAC,EACD,IAAI,CAAC,iBAAiB,CACvB,CAAC;YACF,MAAM,iBAAiB,GAAG,MAAM,aAAa,CAAC,kBAAkB,EAAE,CAAC;YACnE,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YACD,2DAA2D;YAC3D,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;gBACxD,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACzD,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAC5B,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;wBAC9C,OAAO,EAAE,CAAC,CAAC,IAAI;qBAChB,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACtD,CAAC;YACD,oDAAoD;YACpD,OAAO;gBACL,aAAa,EAAE,IAAI;gBACnB,OAAO,EAAE,iBAAiB,CAAC,QAAQ;gBACnC,WAAW,EAAE,iBAAiB,CAAC,YAAY;gBAC3C,YAAY,EAAE,iBAAiB,CAAC,aAAa;gBAC7C,oBAAoB,EAAE,iBAAiB,CAAC,uBAAuB;gBAC/D,aAAa,EAAE,IAAI;aACpB,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;IAClD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,uBAAuB,CAC3B,kBAAkB,GAAG,IAAI;QAEzB,sEAAsE;QACtE,qFAAqF;QACrF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAEhD,0EAA0E;QAC1E,wDAAwD;QACxD,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;YAC1B,IAAI,kBAAkB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;gBAC1D,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBACtE,IAAI,oBAAoB,CAAC,aAAa,EAAE,CAAC;oBACvC,OAAO,oBAAoB,CAAC;gBAC9B,CAAC;YACH,CAAC;YAED,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QAClD,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAEnE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC;YACH,+EAA+E;YAC/E,MAAM,oBAAoB,CACxB;gBACE,YAAY,EAAE,WAAW,CAAC,WAAW,EAAE,mBAAmB;gBAC1D,QAAQ,EAAE,WAAW,CAAC,OAAO,EAAE,kBAAkB;gBACjD,aAAa,EAAE,WAAW,CAAC,YAAY;gBACvC,uBAAuB,EAAE,WAAW,CAAC,oBAAoB;aAC1D,EACD,IAAI,CAAC,UAAU,CAChB,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,IAAI,kBAAkB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;gBAC1D,mDAAmD;gBACnD,IAAI,CAAC;oBACH,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;oBACtE,IAAI,oBAAoB,CAAC,aAAa,EAAE,CAAC;wBACvC,OAAO,oBAAoB,CAAC;oBAC9B,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE;wBAC/D,KAAK;qBACN,CAAC,CAAC;oBACH,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBAClD,CAAC;YACH,CAAC;YAED,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,IAAI;QACR,kDAAkD;QAClD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,EACxB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW;SACzC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAE1C,iEAAiE;QACjE,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;YAC/D,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAC3E,CAAC;QAED,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,MAAM,iBAAiB,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAE9C,iEAAiE;QACjE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzD,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC5B,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACpD,oFAAoF;QACtF,CAAC;QAED,wEAAwE;QACxE,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEvD,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ,EAAE,iDAAiD;YACxF,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY,EAAE,WAAW;YAClD,YAAY,EAAE,WAAW,CAAC,aAAa;YACvC,oBAAoB,EAAE,WAAW,CAAC,uBAAuB;SAC1D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;IACnC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,UAAsB,EACtB,OAAsB,EACtB,iBAAsC;QAEtC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAC/C,UAAU,EACV,OAAO,EACP,iBAAiB,CAClB,CAAC;QACF,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF","sourcesContent":["import { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport type {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport {\n exchangeTokens,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeServerTokens,\n validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport type { AuthenticationResolver, PKCEProducer } from \"@/services/types.ts\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { getUser, getUserFromTokens } from \"@/shared/lib/session.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport type { CookieStorage } from \"@/shared/lib/storage.js\";\nimport { AuthenticationRefresherImpl } from \"@/shared/lib/AuthenticationRefresherImpl.js\";\n\nconst logger = loggers.services.validation;\n\nexport class ServerAuthenticationResolver implements AuthenticationResolver {\n private pkceProducer: PKCEProducer | null;\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n private constructor(\n readonly authConfig: AuthConfig,\n readonly storage: AuthStorage,\n readonly endpointOverrides?: Partial<Endpoints>,\n ) {\n // Determine if PKCE should be used based on config\n // Default to true\n const usePkce = authConfig.pkce !== false;\n\n // Only create PKCE producer if we're using PKCE\n this.pkceProducer = usePkce\n ? new GenericPublicClientPKCEProducer(storage)\n : null;\n }\n\n /**\n * Attempts to refresh tokens if a refresh token is available\n * @param sessionData Current session data\n * @returns Updated session data\n */\n async tryRefreshTokens(\n sessionData: SessionData | null,\n ): Promise<SessionData> {\n logger.debug(\"tryRefreshTokens\", { sessionData });\n // If there's a refresh token, attempt to refresh tokens\n if (sessionData?.refreshToken) {\n const authRefresher = await AuthenticationRefresherImpl.build(\n {\n ...this.authConfig,\n oauthServer: this.authConfig.oauthServer ?? DEFAULT_AUTH_SERVER,\n },\n this.storage,\n async (error) => {\n logger.error(\n \"ServerAuthenticationResolver: Error refreshing tokens\",\n { error },\n );\n return Promise.reject(error);\n },\n this.endpointOverrides,\n );\n const tokenResponseBody = await authRefresher.refreshAccessToken();\n if (!tokenResponseBody) {\n throw new Error(\"No tokens returned from refresh\");\n }\n // Store user data if a user can be derived from the tokens\n try {\n const user = await getUserFromTokens(tokenResponseBody);\n if (user) {\n const userSession = new GenericUserSession(this.storage);\n await userSession.set(user);\n logger.debug(\"User cookie stored successfully\", {\n hasUser: !!user,\n });\n } else {\n logger.warn(\"No user found after token exchange\");\n }\n } catch (error) {\n logger.error(\"Failed to store user cookie:\", error);\n }\n // Construct a refreshed session with the new tokens\n return {\n authenticated: true,\n idToken: tokenResponseBody.id_token,\n accessToken: tokenResponseBody.access_token,\n refreshToken: tokenResponseBody.refresh_token,\n oidcSessionExpiresAt: tokenResponseBody.oidc_session_expires_at,\n wasRehydrated: true,\n };\n }\n\n // No refresh token available\n return { ...sessionData, authenticated: false };\n }\n\n /**\n * returns The session data if the session is valid, otherwise an unauthenticated session\n * @returns {Promise<SessionData>}\n */\n async validateExistingSession(\n attemptRehydration = true,\n ): Promise<SessionData> {\n // TODO: investigate a more peformant way to validate a server session\n // other than using JWKS and JWT verification which is what validateOauth2Tokens uses\n const sessionData = await this.getSessionData();\n\n // If we don't have an ID token, try to refresh if we have a refresh token\n // Access token is no longer required for authentication\n if (!sessionData?.idToken) {\n if (attemptRehydration && !this.authConfig.disableRefresh) {\n const refreshedSessionData = await this.tryRefreshTokens(sessionData);\n if (refreshedSessionData.authenticated) {\n return refreshedSessionData;\n }\n }\n\n return { ...sessionData, authenticated: false };\n }\n\n // Initialize if needed\n if (!this.endpoints?.jwks || !this.oauth2client) await this.init();\n\n if (!this.endpoints?.jwks) {\n throw new Error(\"JWKS endpoint not found\");\n }\n\n try {\n // Validate existing tokens - access token validation happens only if it exists\n await validateOauth2Tokens(\n {\n access_token: sessionData.accessToken, // May be undefined\n id_token: sessionData.idToken, // Always required\n refresh_token: sessionData.refreshToken,\n oidc_session_expires_at: sessionData.oidcSessionExpiresAt,\n },\n this.authConfig,\n );\n return sessionData;\n } catch (error) {\n logger.warn(\"Error validating tokens\", { error });\n if (attemptRehydration && !this.authConfig.disableRefresh) {\n // If token validation fails, try to refresh tokens\n try {\n const refreshedSessionData = await this.tryRefreshTokens(sessionData);\n if (refreshedSessionData.authenticated) {\n return refreshedSessionData;\n }\n } catch (error) {\n logger.error(\"Error refreshing tokens after validation failure\", {\n error,\n });\n return { ...sessionData, authenticated: false };\n }\n }\n\n return { ...sessionData, authenticated: false };\n }\n }\n\n get oauthServer(): string {\n return this.authConfig.oauthServer || DEFAULT_AUTH_SERVER;\n }\n\n async init(): Promise<this> {\n // Ensure clientId is present for OAuth operations\n if (!this.authConfig.clientId) {\n throw new Error(\"clientId is required for OAuth server operations\");\n }\n\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.oauthServer,\n this.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.authConfig.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.authConfig.redirectUrl,\n },\n );\n\n return this;\n }\n\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n\n // Check if we're using PKCE and validate code verifier if needed\n if (this.pkceProducer) {\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n }\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.authConfig,\n );\n\n await storeServerTokens(this.storage, tokens);\n\n // Store user data in cookie (like VanillaJS implementation does)\n try {\n const user = await getUser(this.storage);\n if (user) {\n const userSession = new GenericUserSession(this.storage);\n await userSession.set(user);\n logger.debug(\"User cookie stored successfully\", { hasUser: !!user });\n } else {\n logger.warn(\"No user found after token exchange\");\n }\n } catch (error) {\n logger.error(\"Failed to store user cookie:\", error);\n // Don't throw - tokens are already stored, this is just for client-side convenience\n }\n\n // the code verifier should be single-use, so we delete it if using PKCE\n if (this.pkceProducer) {\n await this.storage.delete(CodeVerifier.COOKIE_NAME);\n }\n return tokens;\n }\n\n async getSessionData(): Promise<SessionData | null> {\n const storageData = await retrieveTokens(this.storage);\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token, // User is authenticated if they have an ID token\n idToken: storageData.id_token,\n accessToken: storageData.access_token, // Optional\n refreshToken: storageData.refresh_token,\n oidcSessionExpiresAt: storageData.oidc_session_expires_at,\n };\n }\n\n async getEndSessionEndpoint(): Promise<string | null> {\n if (!this.endpoints) {\n return null;\n }\n return this.endpoints.endsession;\n }\n\n static async build(\n authConfig: AuthConfig,\n storage: CookieStorage,\n endpointOverrides?: Partial<Endpoints>,\n ): Promise<AuthenticationResolver> {\n const resolver = new ServerAuthenticationResolver(\n authConfig,\n storage,\n endpointOverrides,\n );\n await resolver.init();\n\n return resolver;\n }\n}\n"]}
1
+ {"version":3,"file":"ServerAuthenticationResolver.js","sourceRoot":"","sources":["../../src/server/ServerAuthenticationResolver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAQ7D,OAAO,EACL,cAAc,EACd,yBAAyB,EACzB,cAAc,EACd,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAEjE,OAAO,EAAE,2BAA2B,EAAE,MAAM,6CAA6C,CAAC;AAE1F,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;AAE3C,MAAM,OAAO,4BAA4B;IAM5B;IACA;IACA;IAPH,YAAY,CAAsB;IAClC,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,YACW,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAFtC,eAAU,GAAV,UAAU,CAAY;QACtB,YAAO,GAAP,OAAO,CAAa;QACpB,sBAAiB,GAAjB,iBAAiB,CAAqB;QAE/C,mDAAmD;QACnD,kBAAkB;QAClB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,CAAC;QAE1C,gDAAgD;QAChD,IAAI,CAAC,YAAY,GAAG,OAAO;YACzB,CAAC,CAAC,IAAI,+BAA+B,CAAC,OAAO,CAAC;YAC9C,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB,CACpB,WAA+B;QAE/B,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,WAAW,EAAE,CAAC,CAAC;QAClD,wDAAwD;QACxD,IAAI,WAAW,EAAE,YAAY,EAAE,CAAC;YAC9B,MAAM,aAAa,GAAG,MAAM,2BAA2B,CAAC,KAAK,CAC3D;gBACE,GAAG,IAAI,CAAC,UAAU;gBAClB,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB;aAChE,EACD,IAAI,CAAC,OAAO,EACZ,KAAK,EAAE,KAAK,EAAE,EAAE;gBACd,MAAM,CAAC,KAAK,CACV,uDAAuD,EACvD,EAAE,KAAK,EAAE,CACV,CAAC;gBACF,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC/B,CAAC,EACD,IAAI,CAAC,iBAAiB,CACvB,CAAC;YACF,MAAM,iBAAiB,GAAG,MAAM,aAAa,CAAC,kBAAkB,EAAE,CAAC;YACnE,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YACD,2DAA2D;YAC3D,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,iBAAiB,CAAC,CAAC;gBACxD,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACzD,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAC5B,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;wBAC9C,OAAO,EAAE,CAAC,CAAC,IAAI;qBAChB,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACtD,CAAC;YACD,oDAAoD;YACpD,OAAO;gBACL,aAAa,EAAE,IAAI;gBACnB,OAAO,EAAE,iBAAiB,CAAC,QAAQ;gBACnC,WAAW,EAAE,iBAAiB,CAAC,YAAY;gBAC3C,YAAY,EAAE,iBAAiB,CAAC,aAAa;gBAC7C,oBAAoB,EAAE,iBAAiB,CAAC,uBAAuB;gBAC/D,aAAa,EAAE,IAAI;aACpB,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;IAClD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,uBAAuB,CAC3B,kBAAkB,GAAG,IAAI;QAEzB,sEAAsE;QACtE,qFAAqF;QACrF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAEhD,0EAA0E;QAC1E,wDAAwD;QACxD,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;YAC1B,IAAI,kBAAkB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;gBAC1D,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBACtE,IAAI,oBAAoB,CAAC,aAAa,EAAE,CAAC;oBACvC,OAAO,oBAAoB,CAAC;gBAC9B,CAAC;YACH,CAAC;YAED,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QAClD,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAEnE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC;YACH,+EAA+E;YAC/E,MAAM,oBAAoB,CACxB;gBACE,YAAY,EAAE,WAAW,CAAC,WAAW,EAAE,mBAAmB;gBAC1D,QAAQ,EAAE,WAAW,CAAC,OAAO,EAAE,kBAAkB;gBACjD,aAAa,EAAE,WAAW,CAAC,YAAY;gBACvC,uBAAuB,EAAE,WAAW,CAAC,oBAAoB;aAC1D,EACD,IAAI,CAAC,UAAU,CAChB,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,IAAI,kBAAkB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;gBAC1D,mDAAmD;gBACnD,IAAI,CAAC;oBACH,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;oBACtE,IAAI,oBAAoB,CAAC,aAAa,EAAE,CAAC;wBACvC,OAAO,oBAAoB,CAAC;oBAC9B,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE;wBAC/D,KAAK;qBACN,CAAC,CAAC;oBACH,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBAClD,CAAC;YACH,CAAC;YAED,OAAO,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,IAAI;QACR,kDAAkD;QAClD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,EACxB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW;SACzC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAE1C,iEAAiE;QACjE,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;YAC/D,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAC3E,CAAC;QAED,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,MAAM,iBAAiB,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAE9C,iEAAiE;QACjE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzD,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC5B,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;YACpD,oFAAoF;QACtF,CAAC;QAED,wEAAwE;QACxE,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEvD,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ,EAAE,iDAAiD;YACxF,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY,EAAE,WAAW;YAClD,YAAY,EAAE,WAAW,CAAC,aAAa;YACvC,oBAAoB,EAAE,WAAW,CAAC,uBAAuB;SAC1D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;IACnC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,UAAsB,EACtB,OAAsB,EACtB,iBAAsC;QAEtC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAC/C,UAAU,EACV,OAAO,EACP,iBAAiB,CAClB,CAAC;QACF,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF","sourcesContent":["import { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { OAuth2Client } from \"../lib/oauth2/OAuth2Client.js\";\nimport type {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport {\n exchangeTokens,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeServerTokens,\n validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport type { AuthenticationResolver, PKCEProducer } from \"@/services/types.ts\";\nimport { DEFAULT_AUTH_SERVER } from \"@/constants.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { getUser, getUserFromTokens } from \"@/shared/lib/session.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport type { CookieStorage } from \"@/shared/lib/storage.js\";\nimport { AuthenticationRefresherImpl } from \"@/shared/lib/AuthenticationRefresherImpl.js\";\n\nconst logger = loggers.services.validation;\n\nexport class ServerAuthenticationResolver implements AuthenticationResolver {\n private pkceProducer: PKCEProducer | null;\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n private constructor(\n readonly authConfig: AuthConfig,\n readonly storage: AuthStorage,\n readonly endpointOverrides?: Partial<Endpoints>,\n ) {\n // Determine if PKCE should be used based on config\n // Default to true\n const usePkce = authConfig.pkce !== false;\n\n // Only create PKCE producer if we're using PKCE\n this.pkceProducer = usePkce\n ? new GenericPublicClientPKCEProducer(storage)\n : null;\n }\n\n /**\n * Attempts to refresh tokens if a refresh token is available\n * @param sessionData Current session data\n * @returns Updated session data\n */\n async tryRefreshTokens(\n sessionData: SessionData | null,\n ): Promise<SessionData> {\n logger.debug(\"tryRefreshTokens\", { sessionData });\n // If there's a refresh token, attempt to refresh tokens\n if (sessionData?.refreshToken) {\n const authRefresher = await AuthenticationRefresherImpl.build(\n {\n ...this.authConfig,\n oauthServer: this.authConfig.oauthServer ?? DEFAULT_AUTH_SERVER,\n },\n this.storage,\n async (error) => {\n logger.error(\n \"ServerAuthenticationResolver: Error refreshing tokens\",\n { error },\n );\n return Promise.reject(error);\n },\n this.endpointOverrides,\n );\n const tokenResponseBody = await authRefresher.refreshAccessToken();\n if (!tokenResponseBody) {\n throw new Error(\"No tokens returned from refresh\");\n }\n // Store user data if a user can be derived from the tokens\n try {\n const user = await getUserFromTokens(tokenResponseBody);\n if (user) {\n const userSession = new GenericUserSession(this.storage);\n await userSession.set(user);\n logger.debug(\"User cookie stored successfully\", {\n hasUser: !!user,\n });\n } else {\n logger.warn(\"No user found after token exchange\");\n }\n } catch (error) {\n logger.error(\"Failed to store user cookie:\", error);\n }\n // Construct a refreshed session with the new tokens\n return {\n authenticated: true,\n idToken: tokenResponseBody.id_token,\n accessToken: tokenResponseBody.access_token,\n refreshToken: tokenResponseBody.refresh_token,\n oidcSessionExpiresAt: tokenResponseBody.oidc_session_expires_at,\n wasRehydrated: true,\n };\n }\n\n // No refresh token available\n return { ...sessionData, authenticated: false };\n }\n\n /**\n * returns The session data if the session is valid, otherwise an unauthenticated session\n * @returns {Promise<SessionData>}\n */\n async validateExistingSession(\n attemptRehydration = true,\n ): Promise<SessionData> {\n // TODO: investigate a more peformant way to validate a server session\n // other than using JWKS and JWT verification which is what validateOauth2Tokens uses\n const sessionData = await this.getSessionData();\n\n // If we don't have an ID token, try to refresh if we have a refresh token\n // Access token is no longer required for authentication\n if (!sessionData?.idToken) {\n if (attemptRehydration && !this.authConfig.disableRefresh) {\n const refreshedSessionData = await this.tryRefreshTokens(sessionData);\n if (refreshedSessionData.authenticated) {\n return refreshedSessionData;\n }\n }\n\n return { ...sessionData, authenticated: false };\n }\n\n // Initialize if needed\n if (!this.endpoints?.jwks || !this.oauth2client) await this.init();\n\n if (!this.endpoints?.jwks) {\n throw new Error(\"JWKS endpoint not found\");\n }\n\n try {\n // Validate existing tokens - access token validation happens only if it exists\n await validateOauth2Tokens(\n {\n access_token: sessionData.accessToken, // May be undefined\n id_token: sessionData.idToken, // Always required\n refresh_token: sessionData.refreshToken,\n oidc_session_expires_at: sessionData.oidcSessionExpiresAt,\n },\n this.authConfig,\n );\n return sessionData;\n } catch (error) {\n logger.warn(\"Error validating tokens\", { error });\n if (attemptRehydration && !this.authConfig.disableRefresh) {\n // If token validation fails, try to refresh tokens\n try {\n const refreshedSessionData = await this.tryRefreshTokens(sessionData);\n if (refreshedSessionData.authenticated) {\n return refreshedSessionData;\n }\n } catch (error) {\n logger.error(\"Error refreshing tokens after validation failure\", {\n error,\n });\n return { ...sessionData, authenticated: false };\n }\n }\n\n return { ...sessionData, authenticated: false };\n }\n }\n\n get oauthServer(): string {\n return this.authConfig.oauthServer || DEFAULT_AUTH_SERVER;\n }\n\n async init(): Promise<this> {\n // Ensure clientId is present for OAuth operations\n if (!this.authConfig.clientId) {\n throw new Error(\"clientId is required for OAuth server operations\");\n }\n\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.oauthServer,\n this.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.authConfig.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.authConfig.redirectUrl,\n },\n );\n\n return this;\n }\n\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n\n // Check if we're using PKCE and validate code verifier if needed\n if (this.pkceProducer) {\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n }\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.authConfig,\n );\n\n await storeServerTokens(this.storage, tokens);\n\n // Store user data in cookie (like VanillaJS implementation does)\n try {\n const user = await getUser(this.storage);\n if (user) {\n const userSession = new GenericUserSession(this.storage);\n await userSession.set(user);\n logger.debug(\"User cookie stored successfully\", { hasUser: !!user });\n } else {\n logger.warn(\"No user found after token exchange\");\n }\n } catch (error) {\n logger.error(\"Failed to store user cookie:\", error);\n // Don't throw - tokens are already stored, this is just for client-side convenience\n }\n\n // the code verifier should be single-use, so we delete it if using PKCE\n if (this.pkceProducer) {\n await this.storage.delete(CodeVerifier.COOKIE_NAME);\n }\n return tokens;\n }\n\n async getSessionData(): Promise<SessionData | null> {\n const storageData = await retrieveTokens(this.storage);\n\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token, // User is authenticated if they have an ID token\n idToken: storageData.id_token,\n accessToken: storageData.access_token, // Optional\n refreshToken: storageData.refresh_token,\n oidcSessionExpiresAt: storageData.oidc_session_expires_at,\n };\n }\n\n async getEndSessionEndpoint(): Promise<string | null> {\n if (!this.endpoints) {\n return null;\n }\n return this.endpoints.endsession;\n }\n\n static async build(\n authConfig: AuthConfig,\n storage: CookieStorage,\n endpointOverrides?: Partial<Endpoints>,\n ): Promise<AuthenticationResolver> {\n const resolver = new ServerAuthenticationResolver(\n authConfig,\n storage,\n endpointOverrides,\n );\n await resolver.init();\n\n return resolver;\n }\n}\n"]}
package/dist/services/AuthenticationService.js CHANGED
@@ -3,7 +3,7 @@ import { BrowserPublicClientPKCEProducer, ConfidentialClientPKCEConsumer, } from
3
3
  import { clearTokens, clearUser, exchangeTokens, generateOauthLoginUrl, generateOauthLogoutUrl, getEndpointsWithOverrides, retrieveTokens, storeTokens, validateOauth2Tokens, } from "../shared/lib/util.js";
4
4
  import { displayModeFromState, generateState } from "../lib/oauth.js";
5
5
  import { getVersion } from "../shared/index.js";
6
- import { OAuth2Client } from "oslo/oauth2";
6
+ import { OAuth2Client } from "../lib/oauth2/OAuth2Client.js";
7
7
  import { LocalStorageAdapter } from "../browser/storage.js";
8
8
  import { PopupError } from "../services/types.js";
9
9
  import { removeParamsWithoutReload } from "../lib/windowUtil.js";
package/dist/services/AuthenticationService.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationService.js","sourceRoot":"","sources":["../../src/services/AuthenticationService.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAW9E,OAAO,EACL,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,SAAS,EACT,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,cAAc,EACd,WAAW,EACX,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAM3D,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EACL,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,GACb,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EACL,YAAY,EACZ,eAAe,EACf,oBAAoB,GACrB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,EAAE,IAAI,IAAI,EAAE,MAAM,MAAM,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,8BAA8B,EAAE,MAAM,gDAAgD,CAAC;AAChG,OAAO,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAEhE,MAAM,0BAA0B,GAAG,KAAK,IAAI,EAAE;IAC5C,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;IAC/C,MAAM,WAAW,CAAC,YAAY,CAAC,CAAC;IAChC,MAAM,SAAS,CAAC,YAAY,CAAC,CAAC;IAC9B,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC9C,CAAC,CAAC;AAmCF,MAAM,uBAAuB,GAAG,CAAC,KAA4B,EAAE,EAAE;IAC/D,YAAY,CAAC,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAChE,CAAC,CAAC;AACF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,8BAA8B;IAiC9B;IAhCH,kBAAkB,GAA2C,IAAI,CAAC;IAEhE,MAAM,CAAuC;IACvD,MAAM,CAAC,mCAAmC,CAAS;IAC3C,UAAU,GAA6B,IAAI,CAAC;IAE7C,cAAc,CAAC,WAAwB;QAC5C,IAAI,CAAC,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;IACxC,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;IAED,IAAI,qBAAqB;QACvB,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,YAAY,8BAA8B,CAAC;IAC5E,CAAC;IACD,IAAI,KAAK;QACP,OAAO,aAAa,CAAC;YACnB,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB;YAChD,mBAAmB,EAAE,IAAI,CAAC,qBAAqB;YAC/C,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;YAC5C,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,UAAU,EAAE,UAAU,EAAE;SACzB,CAAC,CAAC;IACL,CAAC;IACM,UAAU,CAAS;IACnB,mCAAmC,GAAW,EAAE,CAAC;IAExD,YACE,MAA0B,EACjB,mBAAmB,uBAAuB;QAA1C,qBAAgB,GAAhB,gBAAgB,CAA0B;QAEnD,IAAI,CAAC,UAAU,GAAG,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,IAAI,CAAC,kBAAkB,GAAG,CAAC,KAAmB,EAAE,EAAE;YAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9C,IACE,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClC,OAAO,CAAC,QAAQ,KAAK,WAAW,EAChC,CAAC;gBACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnE,OAAO;gBACT,CAAC;gBACD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAwB,CAAC;gBACpD,IAAI,YAAY,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;oBAChD,IAAI,CAAC,yBAAyB,CAC3B,YAAY,CAAC,IAAwB,CAAC,GAAG,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;gBACD,IACE,YAAY,CAAC,IAAI,KAAK,0BAA0B;oBAChD,IAAI,CAAC,WAAW,KAAK,QAAQ,EAC7B,CAAC;oBACD,IAAI,CAAC,8BAA8B,CAChC,YAAY,CAAC,IAAwB,CAAC,GAAG,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;gBACD,IAAI,YAAY,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACnC,iCAAiC;oBACjC,IAAI,CAAC,0BAA0B,CAC7B,YAAY,CAAC,IAA6B,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,CAAC,IAAI,CACV,qEAAqE,EACrE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,8BAA8B,CAAC,WAAmB;QACtD,8BAA8B,CAAC,mCAAmC;YAChE,WAAW,CAAC;QACd,8CAA8C;QAC9C,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,eAAe,EAAE,EAAE,CAAC;YAC5D,4CAA4C;YAC5C,oDAAoD;YACpD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,CACpC,6BAA6B,CACF,CAAC;YAC9B,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC;YAChC,CAAC;YACD,OAAO,IAAI,CAAC,6CAA6C,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,6CAA6C;QAGjD,MAAM,sBAAsB,GAAG,oBAAoB,EAAE,CAAC;QACtD,iCAAiC;QACjC,IACE,CAAC,sBAAsB;YACvB,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,iBAAiB;YACvD,8BAA8B,CAAC,mCAAmC,EAClE,CAAC;YACD,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,8BAA8B,CAAC,mCAAmC,CACnE,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,WAAW,GAAG,UAAU,CAAC;YACrC,0BAA0B,CACxB,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;YACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC5C,MAAM,CAAC,aAAa,CAClB,IAAI,WAAW,CAAC,oBAAoB,EAAE;gBACpC,MAAM,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,EAAE,EAAE;aACzC,CAAC,CACH,CAAC;YACF,UAAU,CAAC,GAAG,EAAE;gBACd,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;YAC9C,CAAC,EAAE,GAAG,CAAC,CAAC;YACR,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACjC,CAAC;QACD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,OAA8B;QAC7D,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,MAAM,qBAAqB,CAAC;YACtC,GAAG,IAAI,CAAC,MAAM;YACd,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QACH,OAAO,GAAG,CAAC;IACb,CAAC;IAED,uGAAuG;IACvG,qEAAqE;IACrE,KAAK,CAAC,MAAM,CAAC,SAAmC;QAC9C,gDAAgD;QAChD,kEAAkE;QAClE,0BAA0B,CACxB,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAEtC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACpC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,UAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;gBACD,uEAAuE;YACzE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,UAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAA2B,EAC3B,SAAmC;QAEnC,IAAI,GAAG,CAAC;QACR,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACrE,CAAC;YACD,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YAED,GAAG,GAAG,MAAM,sBAAsB,CAAC;gBACjC,GAAG,IAAI,CAAC,MAAM;gBACd,OAAO;gBACP,KAAK;gBACL,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB;aAC3C,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,8EAA8E;YAC9E,MAAM,0BAA0B,EAAE,CAAC;YACnC,MAAM,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACpC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExC,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,yEAAyE;YACzE,oCAAoC;YACpC,MAAM,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,8EAA8E;gBAC9E,MAAM,0BAA0B,EAAE,CAAC;gBACnC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,UAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,UAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,8BAA8B;IAC/B,MAAM,CAAuC;IAEvD,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,uGAAuG;IACvG,4BAA4B;IAC5B,KAAK,CAAC,MAAM;QACV,OAAO,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe;QAC3B,OAAO,sBAAsB,CAAC;YAC5B,GAAG,IAAI,CAAC,MAAM;YACd,OAAO;SACR,CAAC,CAAC;IACL,CAAC;CACF;AAaD;;;GAGG;AACH,MAAM,OAAO,4BAA6B,SAAQ,8BAA8B;IAQlE;IAPJ,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,0EAA0E;IAC1E,YACE,MAAmC;IACnC,6FAA6F;IACnF,eAAe,IAAI,+BAA+B,EAAE;QAE9D,KAAK,CAAC;YACJ,GAAG,MAAM;YACT,yDAAyD;YACzD,YAAY,EAAE,YAAY;SAC3B,CAAC,CAAC;QANO,iBAAY,GAAZ,YAAY,CAAwC;IAOhE,CAAC;IAED,kFAAkF;IAClF,oGAAoG;IACpG,kDAAkD;IAClD,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,MAA6B;QACpD,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAChD,MAAM,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACzC,kDAAkD;QAClD,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5B,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,wBAAwB;IACxB,uEAAuE;IACvE,uCAAuC;IACvC,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAC/D,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAEzE,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,MAAM,CACZ,CAAC;QACF,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACtC,uCAAuC;QACvC,MAAM,iBAAiB,GAAG,oBAAoB,CAC5C,KAAK,EACL,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;QAEF,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,yBAAyB;YACzB,MAAM,CAAC,gBAAgB,CAAC,cAAc,EAAE,GAAG,EAAE;gBAC3C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QACD,8GAA8G;QAC9G,yBAAyB,CAAC,wBAAwB,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ;YACrC,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;YACrC,YAAY,EAAE,WAAW,CAAC,aAAa;YACvC,oBAAoB,EAAE,WAAW,CAAC,uBAAuB;SAC1D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,WAA+B;QAE/B,4EAA4E;QAC5E,IAAI,WAAW,EAAE,YAAY,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;gBAEhD,yFAAyF;gBACzF,MAAM,UAAU,GAAG;oBACjB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;oBAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;iBACrC,CAAC;gBAEF,gDAAgD;gBAChD,MAAM,SAAS,GAAG,MAAM,8BAA8B,CAAC,KAAK,CAC1D,UAAU,EACV,aAAa,EACb,KAAK,EAAE,KAAY,EAAE,EAAE;oBACrB,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;gBACpE,CAAC,EACD,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;gBAEF,IAAI,CAAC;oBACH,0DAA0D;oBAC1D,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE,CAAC;oBAE3D,uFAAuF;oBACvF,IAAI,aAAa,EAAE,CAAC;wBAClB,yDAAyD;wBACzD,MAAM,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;oBAC/C,CAAC;oBAED,iDAAiD;oBACjD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;oBACrD,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,aAAa,EAAE,CAAC;wBACvD,OAAO;4BACL,GAAG,gBAAgB;4BACnB,aAAa,EAAE,IAAI;yBACpB,CAAC;oBACJ,CAAC;yBAAM,CAAC;wBACN,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;oBAC1D,CAAC;gBACH,CAAC;gBAAC,OAAO,eAAe,EAAE,CAAC;oBACzB,OAAO,CAAC,KAAK,CACX,sCAAsC,EACtC,eAAe,CAChB,CAAC;oBACF,MAAM,eAAe,CAAC,CAAC,6CAA6C;gBACtE,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,YAAY,GAAG,KAAc,CAAC;gBACpC,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,YAAY,CAAC,CAAC;gBAChE,oEAAoE;gBACpE,2BAA2B;gBAC3B,IACE,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACxC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EACxC,CAAC;oBACD,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;oBAChD,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;oBAC9C,MAAM,WAAW,CAAC,aAAa,CAAC,CAAC;oBACjC,MAAM,SAAS,CAAC,aAAa,CAAC,CAAC;gBACjC,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,0BAA0B,EAAE,YAAY,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QAED,OAAO;YACL,GAAG,WAAW;YACd,aAAa,EAAE,KAAK;SACrB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uBAAuB;QAC3B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;gBAC1B,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBACtE,IAAI,oBAAoB,CAAC,aAAa,EAAE,CAAC;oBACvC,OAAO,oBAAoB,CAAC;gBAC9B,CAAC;gBACD,MAAM,sBAAsB,GAAG,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACxE,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAEnE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;YACtC,CAAC;YAED,qDAAqD;YACrD,8DAA8D;YAC9D,MAAM,oBAAoB,CACxB;gBACE,QAAQ,EAAE,WAAW,CAAC,OAAO;gBAC7B,aAAa,EAAE,WAAW,CAAC,YAAY;gBACvC,YAAY,EAAE,WAAW,CAAC,WAAW;gBACrC,uBAAuB,EAAE,WAAW,CAAC,oBAAoB;aAC1D,EACD,IAAI,CAAC,MAAM,CACZ,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,sBAAsB,GAAG;gBAC7B,aAAa,EAAE,KAAK;aACrB,CAAC;YACF,MAAM,OAAO,GAAG,IAAI,mBAAmB,EAAE,CAAC;YAC1C,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,SAAS,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,sBAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,mBAAmB,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,MAAmC;QAEnC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF","sourcesContent":["// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport type {\n DisplayMode,\n Endpoints,\n FrameworkType,\n LoginAppDesignOptions,\n LoginPostMessage,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport {\n BrowserPublicClientPKCEProducer,\n ConfidentialClientPKCEConsumer,\n} from \"@/services/PKCE.js\";\nimport {\n clearTokens,\n clearUser,\n exchangeTokens,\n generateOauthLoginUrl,\n generateOauthLogoutUrl,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { getVersion } from \"@/shared/index.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type {\n AuthenticationInitiator,\n AuthenticationResolver,\n PKCEConsumer,\n} from \"@/services/types.js\";\nimport { PopupError } from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil.js\";\nimport {\n DEFAULT_AUTH_SERVER,\n DEFAULT_OAUTH_GET_PARAMS,\n LOGOUT_STATE,\n} from \"@/constants.js\";\nimport { validateLoginAppPostMessage } from \"@/lib/postMessage.js\";\nimport { getUser } from \"@/shared/lib/session.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport {\n getIframeRef,\n iframeIsVisible,\n isEmbeddedIframeMode,\n} from \"@/shared/lib/iframeUtils.js\";\nimport { v4 as uuid } from \"uuid\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\nimport { BrowserAuthenticationRefresher } from \"@/shared/lib/BrowserAuthenticationRefresher.js\";\nimport { collectAndSendSDKAnalytics } from \"@/lib/analytics.js\";\n\nconst clearStorageAndEmitSignOut = async () => {\n const localStorage = new LocalStorageAdapter();\n await clearTokens(localStorage);\n await clearUser(localStorage);\n LocalStorageAdapter.emitter.emit(\"signOut\");\n};\n\nexport type GenericAuthenticationInitiatorConfig = {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n oauthServer: string;\n nonce?: string;\n // the endpoints to use for the login (if not obtained from the auth server)\n endpointOverrides?: Partial<Endpoints>;\n // Optional PKCE challenge - not needed for confidential clients using client secrets\n pkceConsumer?: PKCEConsumer;\n};\n\nexport type BrowserAuthenticationInitiatorConfig = Omit<\n GenericAuthenticationInitiatorConfig,\n \"state\"\n> & {\n logoutUrl?: string;\n logoutRedirectUrl: string;\n // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n displayMode: DisplayMode;\n // Optional iframe display mode - modal (full-screen overlay) or embedded (within container)\n iframeDisplayMode?: \"modal\" | \"embedded\";\n // Optional base path for routing in case app is served from a subdirectory\n basePath?: string;\n // Optional URL to redirect to after login success\n loginSuccessUrl?: string;\n // Framework being used (for analytics)\n framework?: FrameworkType;\n // Whether to automatically switch to redirect mode when browser doesn't support iframe-based auth\n autoRedirect?: boolean;\n};\n\nconst defaultSetDesignOptions = (value: LoginAppDesignOptions) => {\n localStorage.setItem(\"loginAppDesign\", JSON.stringify(value));\n};\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n * ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n * ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n private postMessageHandler: null | ((event: MessageEvent) => void) = null;\n\n protected config: BrowserAuthenticationInitiatorConfig;\n static browserCorsFailsSilentlyRedirectUrl: string;\n private _iframeRef: HTMLIFrameElement | null = null;\n\n public setDisplayMode(displayMode: DisplayMode) {\n this.config.displayMode = displayMode;\n }\n\n get displayMode() {\n return this.config.displayMode;\n }\n\n get isServerTokenExchange() {\n return this.config.pkceConsumer instanceof ConfidentialClientPKCEConsumer;\n }\n get state() {\n return generateState({\n displayMode: this.config.displayMode,\n iframeDisplayMode: this.config.iframeDisplayMode,\n serverTokenExchange: this.isServerTokenExchange,\n loginSuccessUrl: this.config.loginSuccessUrl,\n framework: this.config.framework,\n sdkVersion: getVersion(),\n });\n }\n public instanceId: string;\n public browserCorsFailsSilentlyRedirectUrl: string = \"\";\n\n constructor(\n config: typeof this.config,\n readonly setDesignOptions = defaultSetDesignOptions,\n ) {\n this.instanceId = uuid();\n this.config = config;\n\n this.postMessageHandler = (event: MessageEvent) => {\n const thisURL = new URL(window.location.href);\n if (\n event.origin.endsWith(\"civic.com\") ||\n thisURL.hostname === \"localhost\"\n ) {\n if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {\n return;\n }\n const loginMessage = event.data as LoginPostMessage;\n if (loginMessage.type === \"generatePopupFailed\") {\n this.handleLoginAppPopupFailed(\n (loginMessage.data as { url: string }).url,\n );\n return;\n }\n if (\n loginMessage.type === \"browserCorsFailsSilently\" &&\n this.displayMode === \"iframe\"\n ) {\n this.handleBrowserCorsFailsSilently(\n (loginMessage.data as { url: string }).url,\n );\n return;\n }\n if (loginMessage.type === \"design\") {\n // TODO handle the design message\n this.handleLoginAppDesignUpdate(\n loginMessage.data as LoginAppDesignOptions,\n );\n return;\n }\n }\n };\n\n window.addEventListener(\"message\", this.postMessageHandler);\n }\n\n async handleLoginAppPopupFailed(redirectUrl: string) {\n console.warn(\n \"Login app popup failed open a popup, using redirect mode instead...\",\n redirectUrl,\n );\n window.location.href = redirectUrl;\n }\n\n async handleBrowserCorsFailsSilently(redirectUrl: string) {\n BrowserAuthenticationInitiator.browserCorsFailsSilentlyRedirectUrl =\n redirectUrl;\n // Check autoRedirect config before proceeding\n if (this.config.autoRedirect !== false && iframeIsVisible()) {\n // hide the iframe as we're in redirect mode\n // to avoid it loading then immediately disappearing\n const iframe = document.getElementById(\n \"civic-auth-iframe-container\",\n ) as HTMLIFrameElement | null;\n if (iframe) {\n iframe.style.display = \"none\";\n }\n return this.handleUserInteractionBrowserCorsFailsSilently();\n }\n }\n\n async handleUserInteractionBrowserCorsFailsSilently(): Promise<{\n isRedirecting: boolean;\n }> {\n const isInEmbeddedIframeMode = isEmbeddedIframeMode();\n // check if the iframe is visible\n if (\n !isInEmbeddedIframeMode &&\n this.config.autoRedirect !== false && // Add this check\n BrowserAuthenticationInitiator.browserCorsFailsSilentlyRedirectUrl\n ) {\n console.warn(\n \"Browser CORS failed silently, redirecting...\",\n BrowserAuthenticationInitiator.browserCorsFailsSilentlyRedirectUrl,\n );\n this.config.displayMode = \"redirect\";\n collectAndSendSDKAnalytics(\n this.config.clientId,\n this.config.oauthServer,\n this.config.framework,\n );\n const signInUrl = await this.getSignInUrl();\n window.dispatchEvent(\n new CustomEvent(\"locationWillChange\", {\n detail: { newUrl: signInUrl.toString() },\n }),\n );\n setTimeout(() => {\n window.location.href = signInUrl.toString();\n }, 100);\n return { isRedirecting: true };\n }\n return { isRedirecting: false };\n }\n\n async handleLoginAppDesignUpdate(options: LoginAppDesignOptions) {\n this.setDesignOptions(options);\n }\n\n async getSignInUrl(): Promise<URL> {\n const val = await generateOauthLoginUrl({\n ...this.config,\n state: this.state,\n });\n return val;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and then use the display mode to decide how to send the user there\n async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n // Send SDK analytics when authentication starts\n // Fire and forget - don't block authentication if analytics fails\n collectAndSendSDKAnalytics(\n this.config.clientId,\n this.config.oauthServer,\n this.config.framework,\n );\n\n const url = await this.getSignInUrl();\n\n if (this.config.displayMode === \"iframe\") {\n const ref = getIframeRef(iframeRef);\n ref.setAttribute(\"src\", url.toString());\n }\n\n if (this.config.displayMode === \"redirect\") {\n window.location.href = url.toString();\n }\n\n if (this.config.displayMode === \"new_tab\") {\n try {\n const popupWindow = window.open(url.toString(), \"_blank\");\n if (!popupWindow) {\n throw new PopupError(\"Failed to open popup window\");\n }\n // TODO handle the 'onclose' event to clean up and reset the authStatus\n } catch (error) {\n console.error(\"popupWindow\", error);\n throw new PopupError(\n \"window.open has thrown: Failed to open popup window\",\n );\n }\n }\n\n return url;\n }\n\n async signOut(\n idToken: string | undefined,\n iframeRef: HTMLIFrameElement | null,\n ): Promise<URL> {\n let url;\n const localStorage = new LocalStorageAdapter();\n const state = this.state;\n if (this.isServerTokenExchange) {\n if (!this.config.logoutUrl) {\n throw new Error(\"logoutUrl is required for server token exchange\");\n }\n url = new URL(this.config.logoutUrl, window.location.origin);\n url.searchParams.append(\"state\", state);\n } else {\n if (!idToken) {\n throw new Error(\"idToken is required for non-server token exchange\");\n }\n\n url = await generateOauthLogoutUrl({\n ...this.config,\n idToken,\n state,\n redirectUrl: this.config.logoutRedirectUrl,\n });\n }\n\n if (this.config.displayMode === \"iframe\") {\n // Clear storage before calling server by setting iframe src to the logout url\n await clearStorageAndEmitSignOut();\n await localStorage.delete(LOGOUT_STATE);\n const ref = getIframeRef(iframeRef);\n ref.setAttribute(\"src\", url.toString());\n\n LocalStorageAdapter.emitter.emit(\"signOut\");\n }\n\n if (this.config.displayMode === \"redirect\") {\n // we don't clear any storage here as we're redirecting to the logout url\n // and the server should handle that\n await localStorage.set(LOGOUT_STATE, state);\n window.location.href = url.toString();\n }\n\n if (this.config.displayMode === \"new_tab\") {\n try {\n // Clear storage before calling server by setting iframe src to the logout url\n await clearStorageAndEmitSignOut();\n const popupWindow = window.open(url.toString(), \"_blank\");\n if (!popupWindow) {\n throw new PopupError(\"Failed to open popup window\");\n }\n } catch (error) {\n console.error(\"popupWindow\", error);\n throw new PopupError(\n \"window.open has thrown: Failed to open popup window\",\n );\n }\n }\n\n return url;\n }\n\n cleanup() {\n if (this.postMessageHandler) {\n window.removeEventListener(\"message\", this.postMessageHandler);\n }\n }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n protected config: GenericAuthenticationInitiatorConfig;\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and simply return the url\n async signIn(): Promise<URL> {\n return generateOauthLoginUrl(this.config);\n }\n\n async signOut(idToken: string): Promise<URL> {\n return generateOauthLogoutUrl({\n ...this.config,\n idToken,\n });\n }\n}\n\ntype BrowserAuthenticationConfig = {\n clientId: string;\n redirectUrl: string;\n logoutUrl?: string;\n logoutRedirectUrl: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n // TODO WIP - perhaps we want to keep resolver and initiator separate here\n constructor(\n config: BrowserAuthenticationConfig,\n // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n ) {\n super({\n ...config,\n // Store and retrieve the PKCE challenge in local storage\n pkceConsumer: pkceProducer,\n });\n }\n\n // TODO too much code duplication here between the browser and the server variant.\n // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n // function for generating an oauth2client from it\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.oauthServer,\n this.config.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.config.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.config.redirectUrl,\n },\n );\n\n return this;\n }\n\n async storeTokensOnLogin(tokens: OIDCTokenResponseBody) {\n const clientStorage = new LocalStorageAdapter();\n await storeTokens(clientStorage, tokens);\n // delete code verifier as it should be single-use\n await clientStorage.delete(CodeVerifier.COOKIE_NAME);\n const user = await getUser(clientStorage);\n if (!user) {\n throw new Error(\"Failed to get user info\");\n }\n const userSession = new GenericUserSession(clientStorage);\n await userSession.set(user);\n LocalStorageAdapter.emitter.emit(\"signIn\");\n }\n\n // Two responsibilities:\n // 1. resolve the auth code to get the tokens (should use library code)\n // 2. store the tokens in local storage\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.config,\n );\n await this.storeTokensOnLogin(tokens);\n // cleanup the browser window if needed\n const parsedDisplayMode = displayModeFromState(\n state,\n this.config.displayMode,\n );\n\n if (parsedDisplayMode === \"new_tab\") {\n // Close the popup window\n window.addEventListener(\"beforeunload\", () => {\n window?.opener?.focus();\n });\n window.close();\n }\n // these are the default oAuth params that get added to the URL in redirect which we want to remove if present\n removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n return tokens;\n }\n\n // Get the session data from local storage\n async getSessionData(): Promise<SessionData | null> {\n const storageData = await retrieveTokens(new LocalStorageAdapter());\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n oidcSessionExpiresAt: storageData.oidc_session_expires_at,\n };\n }\n\n async tryRefreshTokens(\n sessionData: SessionData | null,\n ): Promise<SessionData> {\n // If token validation fails but we have a refresh token, attempt to refresh\n if (sessionData?.refreshToken) {\n try {\n const clientStorage = new LocalStorageAdapter();\n\n // Create a BrowserAuthenticationRefresher to handle token refresh using the build method\n const authConfig = {\n clientId: this.config.clientId,\n oauthServer: this.oauthServer,\n redirectUrl: this.config.redirectUrl,\n };\n\n // Use build method which handles initialization\n const refresher = await BrowserAuthenticationRefresher.build(\n authConfig,\n clientStorage,\n async (error: Error) => {\n console.warn(\"Failed to refresh tokens during validation\", error);\n },\n this.config.endpointOverrides,\n );\n\n try {\n // Perform token refresh (no need to call init explicitly)\n const tokenResponse = await refresher.refreshAccessToken();\n\n // For backend flows, tokenResponse might be null since tokens are in HTTP-only cookies\n if (tokenResponse) {\n // Store tokens for SPA flows where tokens are accessible\n await this.storeTokensOnLogin(tokenResponse);\n }\n\n // Return a new session with the refreshed tokens\n const refreshedSession = await this.getSessionData();\n if (refreshedSession && refreshedSession.authenticated) {\n return {\n ...refreshedSession,\n authenticated: true,\n };\n } else {\n throw new Error(\"Failed to get refreshed session data\");\n }\n } catch (refreshApiError) {\n console.error(\n \"Error during token refresh API call:\",\n refreshApiError,\n );\n throw refreshApiError; // Re-throw to be caught by outer catch block\n }\n } catch (error) {\n const refreshError = error as Error;\n console.error(\"Token refresh failed with error:\", refreshError);\n // Only delete refresh token if it's invalid, not for network errors\n // which might be temporary\n if (\n refreshError.message.includes(\"invalid\") ||\n refreshError.message.includes(\"expired\")\n ) {\n const clientStorage = new LocalStorageAdapter();\n console.log(\"Deleting invalid refresh token\");\n await clearTokens(clientStorage);\n await clearUser(clientStorage);\n }\n console.warn(\"Failed to refresh tokens\", refreshError);\n }\n }\n\n return {\n ...sessionData,\n authenticated: false,\n };\n }\n\n async validateExistingSession(): Promise<SessionData> {\n try {\n const sessionData = await this.getSessionData();\n if (!sessionData?.idToken) {\n const refreshedSessionData = await this.tryRefreshTokens(sessionData);\n if (refreshedSessionData.authenticated) {\n return refreshedSessionData;\n }\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n return unAuthenticatedSession;\n }\n if (!this.endpoints?.jwks || !this.oauth2client) await this.init();\n\n if (!this.endpoints?.jwks) {\n throw new Error(\"No jwks endpoint\");\n }\n\n // this function will throw if the idToken is invalid\n // Note: Access token is no longer required for authentication\n await validateOauth2Tokens(\n {\n id_token: sessionData.idToken,\n refresh_token: sessionData.refreshToken,\n access_token: sessionData.accessToken,\n oidc_session_expires_at: sessionData.oidcSessionExpiresAt,\n },\n this.config,\n );\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n const storage = new LocalStorageAdapter();\n await clearTokens(storage);\n await clearUser(storage);\n return unAuthenticatedSession;\n }\n }\n\n get oauthServer(): string {\n return this.config.oauthServer || DEFAULT_AUTH_SERVER;\n }\n\n async getEndSessionEndpoint(): Promise<string | null> {\n if (!this.endpoints) {\n return null;\n }\n return this.endpoints?.endsession;\n }\n\n static async build(\n config: BrowserAuthenticationConfig,\n ): Promise<AuthenticationResolver> {\n const resolver = new BrowserAuthenticationService(config);\n await resolver.init();\n\n return resolver;\n }\n}\n"]}
1
+ {"version":3,"file":"AuthenticationService.js","sourceRoot":"","sources":["../../src/services/AuthenticationService.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAW9E,OAAO,EACL,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,SAAS,EACT,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,yBAAyB,EACzB,cAAc,EACd,WAAW,EACX,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAM3D,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EACL,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,GACb,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AACnE,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EACL,YAAY,EACZ,eAAe,EACf,oBAAoB,GACrB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,EAAE,IAAI,IAAI,EAAE,MAAM,MAAM,CAAC;AAClC,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,8BAA8B,EAAE,MAAM,gDAAgD,CAAC;AAChG,OAAO,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAEhE,MAAM,0BAA0B,GAAG,KAAK,IAAI,EAAE;IAC5C,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;IAC/C,MAAM,WAAW,CAAC,YAAY,CAAC,CAAC;IAChC,MAAM,SAAS,CAAC,YAAY,CAAC,CAAC;IAC9B,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC9C,CAAC,CAAC;AAmCF,MAAM,uBAAuB,GAAG,CAAC,KAA4B,EAAE,EAAE;IAC/D,YAAY,CAAC,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAChE,CAAC,CAAC;AACF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,8BAA8B;IAiC9B;IAhCH,kBAAkB,GAA2C,IAAI,CAAC;IAEhE,MAAM,CAAuC;IACvD,MAAM,CAAC,mCAAmC,CAAS;IAC3C,UAAU,GAA6B,IAAI,CAAC;IAE7C,cAAc,CAAC,WAAwB;QAC5C,IAAI,CAAC,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;IACxC,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;IAED,IAAI,qBAAqB;QACvB,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,YAAY,8BAA8B,CAAC;IAC5E,CAAC;IACD,IAAI,KAAK;QACP,OAAO,aAAa,CAAC;YACnB,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB;YAChD,mBAAmB,EAAE,IAAI,CAAC,qBAAqB;YAC/C,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;YAC5C,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,UAAU,EAAE,UAAU,EAAE;SACzB,CAAC,CAAC;IACL,CAAC;IACM,UAAU,CAAS;IACnB,mCAAmC,GAAW,EAAE,CAAC;IAExD,YACE,MAA0B,EACjB,mBAAmB,uBAAuB;QAA1C,qBAAgB,GAAhB,gBAAgB,CAA0B;QAEnD,IAAI,CAAC,UAAU,GAAG,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,IAAI,CAAC,kBAAkB,GAAG,CAAC,KAAmB,EAAE,EAAE;YAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9C,IACE,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClC,OAAO,CAAC,QAAQ,KAAK,WAAW,EAChC,CAAC;gBACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnE,OAAO;gBACT,CAAC;gBACD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAwB,CAAC;gBACpD,IAAI,YAAY,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;oBAChD,IAAI,CAAC,yBAAyB,CAC3B,YAAY,CAAC,IAAwB,CAAC,GAAG,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;gBACD,IACE,YAAY,CAAC,IAAI,KAAK,0BAA0B;oBAChD,IAAI,CAAC,WAAW,KAAK,QAAQ,EAC7B,CAAC;oBACD,IAAI,CAAC,8BAA8B,CAChC,YAAY,CAAC,IAAwB,CAAC,GAAG,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;gBACD,IAAI,YAAY,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACnC,iCAAiC;oBACjC,IAAI,CAAC,0BAA0B,CAC7B,YAAY,CAAC,IAA6B,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,WAAmB;QACjD,OAAO,CAAC,IAAI,CACV,qEAAqE,EACrE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,8BAA8B,CAAC,WAAmB;QACtD,8BAA8B,CAAC,mCAAmC;YAChE,WAAW,CAAC;QACd,8CAA8C;QAC9C,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,eAAe,EAAE,EAAE,CAAC;YAC5D,4CAA4C;YAC5C,oDAAoD;YACpD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,CACpC,6BAA6B,CACF,CAAC;YAC9B,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC;YAChC,CAAC;YACD,OAAO,IAAI,CAAC,6CAA6C,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,6CAA6C;QAGjD,MAAM,sBAAsB,GAAG,oBAAoB,EAAE,CAAC;QACtD,iCAAiC;QACjC,IACE,CAAC,sBAAsB;YACvB,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,iBAAiB;YACvD,8BAA8B,CAAC,mCAAmC,EAClE,CAAC;YACD,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,8BAA8B,CAAC,mCAAmC,CACnE,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,WAAW,GAAG,UAAU,CAAC;YACrC,0BAA0B,CACxB,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;YACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YAC5C,MAAM,CAAC,aAAa,CAClB,IAAI,WAAW,CAAC,oBAAoB,EAAE;gBACpC,MAAM,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,QAAQ,EAAE,EAAE;aACzC,CAAC,CACH,CAAC;YACF,UAAU,CAAC,GAAG,EAAE;gBACd,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC;YAC9C,CAAC,EAAE,GAAG,CAAC,CAAC;YACR,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACjC,CAAC;QACD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,OAA8B;QAC7D,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,MAAM,qBAAqB,CAAC;YACtC,GAAG,IAAI,CAAC,MAAM;YACd,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QACH,OAAO,GAAG,CAAC;IACb,CAAC;IAED,uGAAuG;IACvG,qEAAqE;IACrE,KAAK,CAAC,MAAM,CAAC,SAAmC;QAC9C,gDAAgD;QAChD,kEAAkE;QAClE,0BAA0B,CACxB,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAEtC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACpC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,UAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;gBACD,uEAAuE;YACzE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,UAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAA2B,EAC3B,SAAmC;QAEnC,IAAI,GAAG,CAAC;QACR,MAAM,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACrE,CAAC;YACD,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YAED,GAAG,GAAG,MAAM,sBAAsB,CAAC;gBACjC,GAAG,IAAI,CAAC,MAAM;gBACd,OAAO;gBACP,KAAK;gBACL,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB;aAC3C,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YACzC,8EAA8E;YAC9E,MAAM,0BAA0B,EAAE,CAAC;YACnC,MAAM,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;YACpC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExC,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,yEAAyE;YACzE,oCAAoC;YACpC,MAAM,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC;gBACH,8EAA8E;gBAC9E,MAAM,0BAA0B,EAAE,CAAC;gBACnC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,MAAM,IAAI,UAAU,CAAC,6BAA6B,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBACpC,MAAM,IAAI,UAAU,CAClB,qDAAqD,CACtD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,8BAA8B;IAC/B,MAAM,CAAuC;IAEvD,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,uGAAuG;IACvG,4BAA4B;IAC5B,KAAK,CAAC,MAAM;QACV,OAAO,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAAe;QAC3B,OAAO,sBAAsB,CAAC;YAC5B,GAAG,IAAI,CAAC,MAAM;YACd,OAAO;SACR,CAAC,CAAC;IACL,CAAC;CACF;AAaD;;;GAGG;AACH,MAAM,OAAO,4BAA6B,SAAQ,8BAA8B;IAQlE;IAPJ,YAAY,CAA2B;IACvC,SAAS,CAAwB;IAEzC,0EAA0E;IAC1E,YACE,MAAmC;IACnC,6FAA6F;IACnF,eAAe,IAAI,+BAA+B,EAAE;QAE9D,KAAK,CAAC;YACJ,GAAG,MAAM;YACT,yDAAyD;YACzD,YAAY,EAAE,YAAY;SAC3B,CAAC,CAAC;QANO,iBAAY,GAAZ,YAAY,CAAwC;IAOhE,CAAC;IAED,kFAAkF;IAClF,oGAAoG;IACpG,kDAAkD;IAClD,KAAK,CAAC,IAAI;QACR,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,EACpB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,MAA6B;QACpD,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAChD,MAAM,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QACzC,kDAAkD;QAClD,MAAM,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5B,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,wBAAwB;IACxB,uEAAuE;IACvE,uCAAuC;IACvC,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,KAAa;QAEb,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QAC/D,IAAI,CAAC,YAAY;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAEzE,gCAAgC;QAChC,MAAM,MAAM,GAAG,MAAM,cAAc,CACjC,IAAI,EACJ,KAAK,EACL,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,YAAa,EAAE,8CAA8C;QAClE,IAAI,CAAC,MAAM,CACZ,CAAC;QACF,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACtC,uCAAuC;QACvC,MAAM,iBAAiB,GAAG,oBAAoB,CAC5C,KAAK,EACL,IAAI,CAAC,MAAM,CAAC,WAAW,CACxB,CAAC;QAEF,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACpC,yBAAyB;YACzB,MAAM,CAAC,gBAAgB,CAAC,cAAc,EAAE,GAAG,EAAE;gBAC3C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC1B,CAAC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QACD,8GAA8G;QAC9G,yBAAyB,CAAC,wBAAwB,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,cAAc;QAClB,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;QACpE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,OAAO;YACL,aAAa,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ;YACrC,OAAO,EAAE,WAAW,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;YACrC,YAAY,EAAE,WAAW,CAAC,aAAa;YACvC,oBAAoB,EAAE,WAAW,CAAC,uBAAuB;SAC1D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,WAA+B;QAE/B,4EAA4E;QAC5E,IAAI,WAAW,EAAE,YAAY,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;gBAEhD,yFAAyF;gBACzF,MAAM,UAAU,GAAG;oBACjB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;oBAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;iBACrC,CAAC;gBAEF,gDAAgD;gBAChD,MAAM,SAAS,GAAG,MAAM,8BAA8B,CAAC,KAAK,CAC1D,UAAU,EACV,aAAa,EACb,KAAK,EAAE,KAAY,EAAE,EAAE;oBACrB,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;gBACpE,CAAC,EACD,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC9B,CAAC;gBAEF,IAAI,CAAC;oBACH,0DAA0D;oBAC1D,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,kBAAkB,EAAE,CAAC;oBAE3D,uFAAuF;oBACvF,IAAI,aAAa,EAAE,CAAC;wBAClB,yDAAyD;wBACzD,MAAM,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;oBAC/C,CAAC;oBAED,iDAAiD;oBACjD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;oBACrD,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,aAAa,EAAE,CAAC;wBACvD,OAAO;4BACL,GAAG,gBAAgB;4BACnB,aAAa,EAAE,IAAI;yBACpB,CAAC;oBACJ,CAAC;yBAAM,CAAC;wBACN,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;oBAC1D,CAAC;gBACH,CAAC;gBAAC,OAAO,eAAe,EAAE,CAAC;oBACzB,OAAO,CAAC,KAAK,CACX,sCAAsC,EACtC,eAAe,CAChB,CAAC;oBACF,MAAM,eAAe,CAAC,CAAC,6CAA6C;gBACtE,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,YAAY,GAAG,KAAc,CAAC;gBACpC,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,YAAY,CAAC,CAAC;gBAChE,oEAAoE;gBACpE,2BAA2B;gBAC3B,IACE,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACxC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EACxC,CAAC;oBACD,MAAM,aAAa,GAAG,IAAI,mBAAmB,EAAE,CAAC;oBAChD,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;oBAC9C,MAAM,WAAW,CAAC,aAAa,CAAC,CAAC;oBACjC,MAAM,SAAS,CAAC,aAAa,CAAC,CAAC;gBACjC,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,0BAA0B,EAAE,YAAY,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QAED,OAAO;YACL,GAAG,WAAW;YACd,aAAa,EAAE,KAAK;SACrB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uBAAuB;QAC3B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;gBAC1B,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;gBACtE,IAAI,oBAAoB,CAAC,aAAa,EAAE,CAAC;oBACvC,OAAO,oBAAoB,CAAC;gBAC9B,CAAC;gBACD,MAAM,sBAAsB,GAAG,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;gBACxE,OAAO,sBAAsB,CAAC;YAChC,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAEnE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;YACtC,CAAC;YAED,qDAAqD;YACrD,8DAA8D;YAC9D,MAAM,oBAAoB,CACxB;gBACE,QAAQ,EAAE,WAAW,CAAC,OAAO;gBAC7B,aAAa,EAAE,WAAW,CAAC,YAAY;gBACvC,YAAY,EAAE,WAAW,CAAC,WAAW;gBACrC,uBAAuB,EAAE,WAAW,CAAC,oBAAoB;aAC1D,EACD,IAAI,CAAC,MAAM,CACZ,CAAC;YACF,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,MAAM,sBAAsB,GAAG;gBAC7B,aAAa,EAAE,KAAK;aACrB,CAAC;YACF,MAAM,OAAO,GAAG,IAAI,mBAAmB,EAAE,CAAC;YAC1C,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,SAAS,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,sBAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,mBAAmB,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,MAAmC;QAEnC,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEtB,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF","sourcesContent":["// Proposals for revised versions of the SessionService AKA AuthSessionService\n\nimport type {\n DisplayMode,\n Endpoints,\n FrameworkType,\n LoginAppDesignOptions,\n LoginPostMessage,\n OIDCTokenResponseBody,\n SessionData,\n} from \"@/types.js\";\nimport {\n BrowserPublicClientPKCEProducer,\n ConfidentialClientPKCEConsumer,\n} from \"@/services/PKCE.js\";\nimport {\n clearTokens,\n clearUser,\n exchangeTokens,\n generateOauthLoginUrl,\n generateOauthLogoutUrl,\n getEndpointsWithOverrides,\n retrieveTokens,\n storeTokens,\n validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport { displayModeFromState, generateState } from \"@/lib/oauth.js\";\nimport { getVersion } from \"@/shared/index.js\";\nimport { OAuth2Client } from \"../lib/oauth2/OAuth2Client.js\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type {\n AuthenticationInitiator,\n AuthenticationResolver,\n PKCEConsumer,\n} from \"@/services/types.js\";\nimport { PopupError } from \"@/services/types.js\";\nimport { removeParamsWithoutReload } from \"@/lib/windowUtil.js\";\nimport {\n DEFAULT_AUTH_SERVER,\n DEFAULT_OAUTH_GET_PARAMS,\n LOGOUT_STATE,\n} from \"@/constants.js\";\nimport { validateLoginAppPostMessage } from \"@/lib/postMessage.js\";\nimport { getUser } from \"@/shared/lib/session.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport {\n getIframeRef,\n iframeIsVisible,\n isEmbeddedIframeMode,\n} from \"@/shared/lib/iframeUtils.js\";\nimport { v4 as uuid } from \"uuid\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\nimport { BrowserAuthenticationRefresher } from \"@/shared/lib/BrowserAuthenticationRefresher.js\";\nimport { collectAndSendSDKAnalytics } from \"@/lib/analytics.js\";\n\nconst clearStorageAndEmitSignOut = async () => {\n const localStorage = new LocalStorageAdapter();\n await clearTokens(localStorage);\n await clearUser(localStorage);\n LocalStorageAdapter.emitter.emit(\"signOut\");\n};\n\nexport type GenericAuthenticationInitiatorConfig = {\n clientId: string;\n redirectUrl: string;\n state: string;\n scopes: string[];\n oauthServer: string;\n nonce?: string;\n // the endpoints to use for the login (if not obtained from the auth server)\n endpointOverrides?: Partial<Endpoints>;\n // Optional PKCE challenge - not needed for confidential clients using client secrets\n pkceConsumer?: PKCEConsumer;\n};\n\nexport type BrowserAuthenticationInitiatorConfig = Omit<\n GenericAuthenticationInitiatorConfig,\n \"state\"\n> & {\n logoutUrl?: string;\n logoutRedirectUrl: string;\n // determines whether to trigger the login/logout in an iframe, a new browser window, or redirect the current one.\n displayMode: DisplayMode;\n // Optional iframe display mode - modal (full-screen overlay) or embedded (within container)\n iframeDisplayMode?: \"modal\" | \"embedded\";\n // Optional base path for routing in case app is served from a subdirectory\n basePath?: string;\n // Optional URL to redirect to after login success\n loginSuccessUrl?: string;\n // Framework being used (for analytics)\n framework?: FrameworkType;\n // Whether to automatically switch to redirect mode when browser doesn't support iframe-based auth\n autoRedirect?: boolean;\n};\n\nconst defaultSetDesignOptions = (value: LoginAppDesignOptions) => {\n localStorage.setItem(\"loginAppDesign\", JSON.stringify(value));\n};\n/**\n * An authentication initiator that works on a browser. Since this is just triggering\n * login and logout, session data is not stored here.\n * An associated AuthenticationResolver would be needed to get the session data.\n * Storage is needed for the code verifier, this is the domain of the PKCEConsumer\n * The storage used by the PKCEConsumer should be available to the AuthenticationResolver.\n *\n * Example usage:\n *\n * 1) Client-only SPA -eg a react app with no server:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new BrowserPublicClientPKCEProducer(), // generate and retrieve the challenge client-side\n * ... other config\n * })\n *\n * 2) Client-side of a client/server app - eg a react app with a backend:\n * new BrowserAuthenticationInitiator({\n * pkceConsumer: new ConfidentialClientPKCEConsumer(\"https://myserver.com/pkce\"), // get the challenge from the server\n * ... other config\n * })\n */\nexport class BrowserAuthenticationInitiator implements AuthenticationInitiator {\n private postMessageHandler: null | ((event: MessageEvent) => void) = null;\n\n protected config: BrowserAuthenticationInitiatorConfig;\n static browserCorsFailsSilentlyRedirectUrl: string;\n private _iframeRef: HTMLIFrameElement | null = null;\n\n public setDisplayMode(displayMode: DisplayMode) {\n this.config.displayMode = displayMode;\n }\n\n get displayMode() {\n return this.config.displayMode;\n }\n\n get isServerTokenExchange() {\n return this.config.pkceConsumer instanceof ConfidentialClientPKCEConsumer;\n }\n get state() {\n return generateState({\n displayMode: this.config.displayMode,\n iframeDisplayMode: this.config.iframeDisplayMode,\n serverTokenExchange: this.isServerTokenExchange,\n loginSuccessUrl: this.config.loginSuccessUrl,\n framework: this.config.framework,\n sdkVersion: getVersion(),\n });\n }\n public instanceId: string;\n public browserCorsFailsSilentlyRedirectUrl: string = \"\";\n\n constructor(\n config: typeof this.config,\n readonly setDesignOptions = defaultSetDesignOptions,\n ) {\n this.instanceId = uuid();\n this.config = config;\n\n this.postMessageHandler = (event: MessageEvent) => {\n const thisURL = new URL(window.location.href);\n if (\n event.origin.endsWith(\"civic.com\") ||\n thisURL.hostname === \"localhost\"\n ) {\n if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {\n return;\n }\n const loginMessage = event.data as LoginPostMessage;\n if (loginMessage.type === \"generatePopupFailed\") {\n this.handleLoginAppPopupFailed(\n (loginMessage.data as { url: string }).url,\n );\n return;\n }\n if (\n loginMessage.type === \"browserCorsFailsSilently\" &&\n this.displayMode === \"iframe\"\n ) {\n this.handleBrowserCorsFailsSilently(\n (loginMessage.data as { url: string }).url,\n );\n return;\n }\n if (loginMessage.type === \"design\") {\n // TODO handle the design message\n this.handleLoginAppDesignUpdate(\n loginMessage.data as LoginAppDesignOptions,\n );\n return;\n }\n }\n };\n\n window.addEventListener(\"message\", this.postMessageHandler);\n }\n\n async handleLoginAppPopupFailed(redirectUrl: string) {\n console.warn(\n \"Login app popup failed open a popup, using redirect mode instead...\",\n redirectUrl,\n );\n window.location.href = redirectUrl;\n }\n\n async handleBrowserCorsFailsSilently(redirectUrl: string) {\n BrowserAuthenticationInitiator.browserCorsFailsSilentlyRedirectUrl =\n redirectUrl;\n // Check autoRedirect config before proceeding\n if (this.config.autoRedirect !== false && iframeIsVisible()) {\n // hide the iframe as we're in redirect mode\n // to avoid it loading then immediately disappearing\n const iframe = document.getElementById(\n \"civic-auth-iframe-container\",\n ) as HTMLIFrameElement | null;\n if (iframe) {\n iframe.style.display = \"none\";\n }\n return this.handleUserInteractionBrowserCorsFailsSilently();\n }\n }\n\n async handleUserInteractionBrowserCorsFailsSilently(): Promise<{\n isRedirecting: boolean;\n }> {\n const isInEmbeddedIframeMode = isEmbeddedIframeMode();\n // check if the iframe is visible\n if (\n !isInEmbeddedIframeMode &&\n this.config.autoRedirect !== false && // Add this check\n BrowserAuthenticationInitiator.browserCorsFailsSilentlyRedirectUrl\n ) {\n console.warn(\n \"Browser CORS failed silently, redirecting...\",\n BrowserAuthenticationInitiator.browserCorsFailsSilentlyRedirectUrl,\n );\n this.config.displayMode = \"redirect\";\n collectAndSendSDKAnalytics(\n this.config.clientId,\n this.config.oauthServer,\n this.config.framework,\n );\n const signInUrl = await this.getSignInUrl();\n window.dispatchEvent(\n new CustomEvent(\"locationWillChange\", {\n detail: { newUrl: signInUrl.toString() },\n }),\n );\n setTimeout(() => {\n window.location.href = signInUrl.toString();\n }, 100);\n return { isRedirecting: true };\n }\n return { isRedirecting: false };\n }\n\n async handleLoginAppDesignUpdate(options: LoginAppDesignOptions) {\n this.setDesignOptions(options);\n }\n\n async getSignInUrl(): Promise<URL> {\n const val = await generateOauthLoginUrl({\n ...this.config,\n state: this.state,\n });\n return val;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and then use the display mode to decide how to send the user there\n async signIn(iframeRef: HTMLIFrameElement | null): Promise<URL> {\n // Send SDK analytics when authentication starts\n // Fire and forget - don't block authentication if analytics fails\n collectAndSendSDKAnalytics(\n this.config.clientId,\n this.config.oauthServer,\n this.config.framework,\n );\n\n const url = await this.getSignInUrl();\n\n if (this.config.displayMode === \"iframe\") {\n const ref = getIframeRef(iframeRef);\n ref.setAttribute(\"src\", url.toString());\n }\n\n if (this.config.displayMode === \"redirect\") {\n window.location.href = url.toString();\n }\n\n if (this.config.displayMode === \"new_tab\") {\n try {\n const popupWindow = window.open(url.toString(), \"_blank\");\n if (!popupWindow) {\n throw new PopupError(\"Failed to open popup window\");\n }\n // TODO handle the 'onclose' event to clean up and reset the authStatus\n } catch (error) {\n console.error(\"popupWindow\", error);\n throw new PopupError(\n \"window.open has thrown: Failed to open popup window\",\n );\n }\n }\n\n return url;\n }\n\n async signOut(\n idToken: string | undefined,\n iframeRef: HTMLIFrameElement | null,\n ): Promise<URL> {\n let url;\n const localStorage = new LocalStorageAdapter();\n const state = this.state;\n if (this.isServerTokenExchange) {\n if (!this.config.logoutUrl) {\n throw new Error(\"logoutUrl is required for server token exchange\");\n }\n url = new URL(this.config.logoutUrl, window.location.origin);\n url.searchParams.append(\"state\", state);\n } else {\n if (!idToken) {\n throw new Error(\"idToken is required for non-server token exchange\");\n }\n\n url = await generateOauthLogoutUrl({\n ...this.config,\n idToken,\n state,\n redirectUrl: this.config.logoutRedirectUrl,\n });\n }\n\n if (this.config.displayMode === \"iframe\") {\n // Clear storage before calling server by setting iframe src to the logout url\n await clearStorageAndEmitSignOut();\n await localStorage.delete(LOGOUT_STATE);\n const ref = getIframeRef(iframeRef);\n ref.setAttribute(\"src\", url.toString());\n\n LocalStorageAdapter.emitter.emit(\"signOut\");\n }\n\n if (this.config.displayMode === \"redirect\") {\n // we don't clear any storage here as we're redirecting to the logout url\n // and the server should handle that\n await localStorage.set(LOGOUT_STATE, state);\n window.location.href = url.toString();\n }\n\n if (this.config.displayMode === \"new_tab\") {\n try {\n // Clear storage before calling server by setting iframe src to the logout url\n await clearStorageAndEmitSignOut();\n const popupWindow = window.open(url.toString(), \"_blank\");\n if (!popupWindow) {\n throw new PopupError(\"Failed to open popup window\");\n }\n } catch (error) {\n console.error(\"popupWindow\", error);\n throw new PopupError(\n \"window.open has thrown: Failed to open popup window\",\n );\n }\n }\n\n return url;\n }\n\n cleanup() {\n if (this.postMessageHandler) {\n window.removeEventListener(\"message\", this.postMessageHandler);\n }\n }\n}\n\n/** A general-purpose authentication initiator, that just generates urls, but lets\n * the caller decide how to use them. This is useful for server-side applications\n * that may serve this URL to their front-ends or just call them directly\n */\nexport class GenericAuthenticationInitiator implements AuthenticationInitiator {\n protected config: GenericAuthenticationInitiatorConfig;\n\n constructor(config: typeof this.config) {\n this.config = config;\n }\n\n // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url\n // and simply return the url\n async signIn(): Promise<URL> {\n return generateOauthLoginUrl(this.config);\n }\n\n async signOut(idToken: string): Promise<URL> {\n return generateOauthLogoutUrl({\n ...this.config,\n idToken,\n });\n }\n}\n\ntype BrowserAuthenticationConfig = {\n clientId: string;\n redirectUrl: string;\n logoutUrl?: string;\n logoutRedirectUrl: string;\n scopes: string[];\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n displayMode: DisplayMode;\n};\n\n/**\n * An authentication resolver that can run on the browser (i.e. a public client)\n * It uses PKCE for security. PKCE and Session data are stored in local storage\n */\nexport class BrowserAuthenticationService extends BrowserAuthenticationInitiator {\n private oauth2client: OAuth2Client | undefined;\n private endpoints: Endpoints | undefined;\n\n // TODO WIP - perhaps we want to keep resolver and initiator separate here\n constructor(\n config: BrowserAuthenticationConfig,\n // Since we are running fully on the client, we produce as well as consume the PKCE challenge\n protected pkceProducer = new BrowserPublicClientPKCEProducer(),\n ) {\n super({\n ...config,\n // Store and retrieve the PKCE challenge in local storage\n pkceConsumer: pkceProducer,\n });\n }\n\n // TODO too much code duplication here between the browser and the server variant.\n // Suggestion for refactor: Standardise the config for AuthenticationResolvers and create a one-shot\n // function for generating an oauth2client from it\n async init(): Promise<this> {\n // resolve oauth config\n this.endpoints = await getEndpointsWithOverrides(\n this.oauthServer,\n this.config.endpointOverrides,\n );\n this.oauth2client = new OAuth2Client(\n this.config.clientId,\n this.endpoints.auth,\n this.endpoints.token,\n {\n redirectURI: this.config.redirectUrl,\n },\n );\n\n return this;\n }\n\n async storeTokensOnLogin(tokens: OIDCTokenResponseBody) {\n const clientStorage = new LocalStorageAdapter();\n await storeTokens(clientStorage, tokens);\n // delete code verifier as it should be single-use\n await clientStorage.delete(CodeVerifier.COOKIE_NAME);\n const user = await getUser(clientStorage);\n if (!user) {\n throw new Error(\"Failed to get user info\");\n }\n const userSession = new GenericUserSession(clientStorage);\n await userSession.set(user);\n LocalStorageAdapter.emitter.emit(\"signIn\");\n }\n\n // Two responsibilities:\n // 1. resolve the auth code to get the tokens (should use library code)\n // 2. store the tokens in local storage\n async tokenExchange(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n if (!this.oauth2client) await this.init();\n const codeVerifier = await this.pkceProducer.getCodeVerifier();\n if (!codeVerifier) throw new Error(\"Code verifier not found in storage\");\n\n // exchange auth code for tokens\n const tokens = await exchangeTokens(\n code,\n state,\n this.pkceProducer,\n this.oauth2client!, // clean up types here to avoid the ! operator\n this.config,\n );\n await this.storeTokensOnLogin(tokens);\n // cleanup the browser window if needed\n const parsedDisplayMode = displayModeFromState(\n state,\n this.config.displayMode,\n );\n\n if (parsedDisplayMode === \"new_tab\") {\n // Close the popup window\n window.addEventListener(\"beforeunload\", () => {\n window?.opener?.focus();\n });\n window.close();\n }\n // these are the default oAuth params that get added to the URL in redirect which we want to remove if present\n removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);\n return tokens;\n }\n\n // Get the session data from local storage\n async getSessionData(): Promise<SessionData | null> {\n const storageData = await retrieveTokens(new LocalStorageAdapter());\n if (!storageData) return null;\n\n return {\n authenticated: !!storageData.id_token,\n idToken: storageData.id_token,\n accessToken: storageData.access_token,\n refreshToken: storageData.refresh_token,\n oidcSessionExpiresAt: storageData.oidc_session_expires_at,\n };\n }\n\n async tryRefreshTokens(\n sessionData: SessionData | null,\n ): Promise<SessionData> {\n // If token validation fails but we have a refresh token, attempt to refresh\n if (sessionData?.refreshToken) {\n try {\n const clientStorage = new LocalStorageAdapter();\n\n // Create a BrowserAuthenticationRefresher to handle token refresh using the build method\n const authConfig = {\n clientId: this.config.clientId,\n oauthServer: this.oauthServer,\n redirectUrl: this.config.redirectUrl,\n };\n\n // Use build method which handles initialization\n const refresher = await BrowserAuthenticationRefresher.build(\n authConfig,\n clientStorage,\n async (error: Error) => {\n console.warn(\"Failed to refresh tokens during validation\", error);\n },\n this.config.endpointOverrides,\n );\n\n try {\n // Perform token refresh (no need to call init explicitly)\n const tokenResponse = await refresher.refreshAccessToken();\n\n // For backend flows, tokenResponse might be null since tokens are in HTTP-only cookies\n if (tokenResponse) {\n // Store tokens for SPA flows where tokens are accessible\n await this.storeTokensOnLogin(tokenResponse);\n }\n\n // Return a new session with the refreshed tokens\n const refreshedSession = await this.getSessionData();\n if (refreshedSession && refreshedSession.authenticated) {\n return {\n ...refreshedSession,\n authenticated: true,\n };\n } else {\n throw new Error(\"Failed to get refreshed session data\");\n }\n } catch (refreshApiError) {\n console.error(\n \"Error during token refresh API call:\",\n refreshApiError,\n );\n throw refreshApiError; // Re-throw to be caught by outer catch block\n }\n } catch (error) {\n const refreshError = error as Error;\n console.error(\"Token refresh failed with error:\", refreshError);\n // Only delete refresh token if it's invalid, not for network errors\n // which might be temporary\n if (\n refreshError.message.includes(\"invalid\") ||\n refreshError.message.includes(\"expired\")\n ) {\n const clientStorage = new LocalStorageAdapter();\n console.log(\"Deleting invalid refresh token\");\n await clearTokens(clientStorage);\n await clearUser(clientStorage);\n }\n console.warn(\"Failed to refresh tokens\", refreshError);\n }\n }\n\n return {\n ...sessionData,\n authenticated: false,\n };\n }\n\n async validateExistingSession(): Promise<SessionData> {\n try {\n const sessionData = await this.getSessionData();\n if (!sessionData?.idToken) {\n const refreshedSessionData = await this.tryRefreshTokens(sessionData);\n if (refreshedSessionData.authenticated) {\n return refreshedSessionData;\n }\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n return unAuthenticatedSession;\n }\n if (!this.endpoints?.jwks || !this.oauth2client) await this.init();\n\n if (!this.endpoints?.jwks) {\n throw new Error(\"No jwks endpoint\");\n }\n\n // this function will throw if the idToken is invalid\n // Note: Access token is no longer required for authentication\n await validateOauth2Tokens(\n {\n id_token: sessionData.idToken,\n refresh_token: sessionData.refreshToken,\n access_token: sessionData.accessToken,\n oidc_session_expires_at: sessionData.oidcSessionExpiresAt,\n },\n this.config,\n );\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n const storage = new LocalStorageAdapter();\n await clearTokens(storage);\n await clearUser(storage);\n return unAuthenticatedSession;\n }\n }\n\n get oauthServer(): string {\n return this.config.oauthServer || DEFAULT_AUTH_SERVER;\n }\n\n async getEndSessionEndpoint(): Promise<string | null> {\n if (!this.endpoints) {\n return null;\n }\n return this.endpoints?.endsession;\n }\n\n static async build(\n config: BrowserAuthenticationConfig,\n ): Promise<AuthenticationResolver> {\n const resolver = new BrowserAuthenticationService(config);\n await resolver.init();\n\n return resolver;\n }\n}\n"]}
package/dist/services/PKCE.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import { deriveCodeChallenge } from "../shared/lib/util.js";
2
- import { generateCodeVerifier } from "oslo/oauth2";
2
+ import { generateCodeVerifier } from "../lib/oauth2/OAuth2Client.js";
3
3
  import { LocalStorageAdapter } from "../browser/storage.js";
4
4
  import { CodeVerifier } from "../shared/lib/types.js";
5
5
  /** A PKCE consumer that retrieves the challenge from a server endpoint */
package/dist/services/PKCE.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"PKCE.js","sourceRoot":"","sources":["../../src/services/PKCE.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,0EAA0E;AAC1E,MAAM,OAAO,8BAA8B;IAE/B;IACA;IAFV,YACU,qBAA6B,EAC7B,QAAiB;QADjB,0BAAqB,GAArB,qBAAqB,CAAQ;QAC7B,aAAQ,GAAR,QAAQ,CAAS;IACxB,CAAC;IAEJ,KAAK,CAAC,gBAAgB;QACpB,oCAAoC;QACpC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAEtC,8EAA8E;QAC9E,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAEpE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,qBAAqB,WAAW,kBAAkB,CAAC,MAAM,CAAC,EAAE,CACrE,CAAC;QACF,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0B,CAAC;QAC9D,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF;AAED,8GAA8G;AAC9G,MAAM,OAAO,+BAA+B;IACtB;IAApB,YAAoB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE5C,6CAA6C;IAC7C,wCAAwC;IACxC,KAAK,CAAC,gBAAgB;QACpB,IAAI,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,oBAAoB,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IACD,6CAA6C;IAC7C,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;CACF;AAED,wFAAwF;AACxF,MAAM,OAAO,+BAAgC,SAAQ,+BAA+B;IAClF;QACE,KAAK,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;IACnC,CAAC;CACF","sourcesContent":["import { deriveCodeChallenge } from \"@/shared/lib/util.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport type { AuthStorage } from \"@/types.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n constructor(\n private pkceChallengeEndpoint: string,\n private basePath?: string,\n ) {}\n\n async getCodeChallenge(): Promise<string> {\n // Get only the origin from location\n const origin = window.location.origin;\n\n // Use only the origin plus basePath if provided, no need for pathname anymore\n const appUrl = this.basePath ? `${origin}${this.basePath}` : origin;\n\n const response = await fetch(\n `${this.pkceChallengeEndpoint}?appUrl=${encodeURIComponent(appUrl)}`,\n );\n const data = (await response.json()) as { challenge: string };\n return data.challenge;\n }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n constructor(private storage: AuthStorage) {}\n\n // if there is already a verifier, return it,\n // If not, create a new one and store it\n async getCodeChallenge(): Promise<string> {\n let verifier = await this.getCodeVerifier();\n if (!verifier) {\n verifier = generateCodeVerifier();\n this.storage.set(CodeVerifier.COOKIE_NAME, verifier);\n }\n return deriveCodeChallenge(verifier);\n }\n // if there is already a verifier, return it,\n async getCodeVerifier(): Promise<string | null> {\n return this.storage.get(CodeVerifier.COOKIE_NAME);\n }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n constructor() {\n super(new LocalStorageAdapter());\n }\n}\n"]}
1
+ {"version":3,"file":"PKCE.js","sourceRoot":"","sources":["../../src/services/PKCE.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,0EAA0E;AAC1E,MAAM,OAAO,8BAA8B;IAE/B;IACA;IAFV,YACU,qBAA6B,EAC7B,QAAiB;QADjB,0BAAqB,GAArB,qBAAqB,CAAQ;QAC7B,aAAQ,GAAR,QAAQ,CAAS;IACxB,CAAC;IAEJ,KAAK,CAAC,gBAAgB;QACpB,oCAAoC;QACpC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAEtC,8EAA8E;QAC9E,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAEpE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,qBAAqB,WAAW,kBAAkB,CAAC,MAAM,CAAC,EAAE,CACrE,CAAC;QACF,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA0B,CAAC;QAC9D,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;CACF;AAED,8GAA8G;AAC9G,MAAM,OAAO,+BAA+B;IACtB;IAApB,YAAoB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE5C,6CAA6C;IAC7C,wCAAwC;IACxC,KAAK,CAAC,gBAAgB;QACpB,IAAI,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,oBAAoB,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IACD,6CAA6C;IAC7C,KAAK,CAAC,eAAe;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;CACF;AAED,wFAAwF;AACxF,MAAM,OAAO,+BAAgC,SAAQ,+BAA+B;IAClF;QACE,KAAK,CAAC,IAAI,mBAAmB,EAAE,CAAC,CAAC;IACnC,CAAC;CACF","sourcesContent":["import { deriveCodeChallenge } from \"@/shared/lib/util.js\";\nimport { generateCodeVerifier } from \"../lib/oauth2/OAuth2Client.js\";\nimport { LocalStorageAdapter } from \"@/browser/storage.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport type { AuthStorage } from \"@/types.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\n\n/** A PKCE consumer that retrieves the challenge from a server endpoint */\nexport class ConfidentialClientPKCEConsumer implements PKCEConsumer {\n constructor(\n private pkceChallengeEndpoint: string,\n private basePath?: string,\n ) {}\n\n async getCodeChallenge(): Promise<string> {\n // Get only the origin from location\n const origin = window.location.origin;\n\n // Use only the origin plus basePath if provided, no need for pathname anymore\n const appUrl = this.basePath ? `${origin}${this.basePath}` : origin;\n\n const response = await fetch(\n `${this.pkceChallengeEndpoint}?appUrl=${encodeURIComponent(appUrl)}`,\n );\n const data = (await response.json()) as { challenge: string };\n return data.challenge;\n }\n}\n\n/** A PKCE Producer that can generate and store a code verifier, but is agnostic as to the storage location */\nexport class GenericPublicClientPKCEProducer implements PKCEProducer {\n constructor(private storage: AuthStorage) {}\n\n // if there is already a verifier, return it,\n // If not, create a new one and store it\n async getCodeChallenge(): Promise<string> {\n let verifier = await this.getCodeVerifier();\n if (!verifier) {\n verifier = generateCodeVerifier();\n this.storage.set(CodeVerifier.COOKIE_NAME, verifier);\n }\n return deriveCodeChallenge(verifier);\n }\n // if there is already a verifier, return it,\n async getCodeVerifier(): Promise<string | null> {\n return this.storage.get(CodeVerifier.COOKIE_NAME);\n }\n}\n\n/** A PKCE Producer that is expected to run on a browser, and does not need a backend */\nexport class BrowserPublicClientPKCEProducer extends GenericPublicClientPKCEProducer {\n constructor() {\n super(new LocalStorageAdapter());\n }\n}\n"]}
package/dist/shared/lib/AuthenticationRefresherImpl.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import { clearTokens, clearUser, getEndpointsWithOverrides, storeServerTokens, storeTokens, validateOauth2Tokens, } from "../../shared/lib/util.js";
2
- import { OAuth2Client } from "oslo/oauth2";
2
+ import { OAuth2Client } from "../../lib/oauth2/OAuth2Client.js";
3
3
  import { GenericAuthenticationRefresher } from "./GenericAuthenticationRefresher.js";
4
4
  import { loggers } from "../../lib/logger.js";
5
5
  export class AuthenticationRefresherImpl extends GenericAuthenticationRefresher {