@civic/auth 0.11.9 → 0.13.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. package/CHANGELOG.md +6 -1
  2. package/dist/nextjs/config.d.ts +19 -0
  3. package/dist/nextjs/config.d.ts.map +1 -1
  4. package/dist/nextjs/config.js +5 -0
  5. package/dist/nextjs/config.js.map +1 -1
  6. package/dist/nextjs/hooks/useInitialAuthConfig.d.ts.map +1 -1
  7. package/dist/nextjs/hooks/useInitialAuthConfig.js +5 -4
  8. package/dist/nextjs/hooks/useInitialAuthConfig.js.map +1 -1
  9. package/dist/nextjs/providers/NextAuthProvider.d.ts +1 -4
  10. package/dist/nextjs/providers/NextAuthProvider.d.ts.map +1 -1
  11. package/dist/nextjs/providers/NextAuthProvider.js.map +1 -1
  12. package/dist/nextjs/providers/NextAuthProviderClient.d.ts +6 -2
  13. package/dist/nextjs/providers/NextAuthProviderClient.d.ts.map +1 -1
  14. package/dist/nextjs/providers/NextAuthProviderClient.js.map +1 -1
  15. package/dist/nextjs/routeHandler.d.ts.map +1 -1
  16. package/dist/nextjs/routeHandler.js +57 -7
  17. package/dist/nextjs/routeHandler.js.map +1 -1
  18. package/dist/nextjs/utils.d.ts.map +1 -1
  19. package/dist/nextjs/utils.js +20 -2
  20. package/dist/nextjs/utils.js.map +1 -1
  21. package/dist/reactjs/core/GlobalAuthManager.d.ts.map +1 -1
  22. package/dist/reactjs/core/GlobalAuthManager.js +3 -1
  23. package/dist/reactjs/core/GlobalAuthManager.js.map +1 -1
  24. package/dist/server/session.d.ts.map +1 -1
  25. package/dist/server/session.js +21 -10
  26. package/dist/server/session.js.map +1 -1
  27. package/dist/shared/lib/cookieConfig.d.ts.map +1 -1
  28. package/dist/shared/lib/cookieConfig.js +6 -1
  29. package/dist/shared/lib/cookieConfig.js.map +1 -1
  30. package/dist/shared/lib/types.d.ts +10 -2
  31. package/dist/shared/lib/types.d.ts.map +1 -1
  32. package/dist/shared/lib/types.js +9 -0
  33. package/dist/shared/lib/types.js.map +1 -1
  34. package/dist/shared/lib/util.d.ts +19 -0
  35. package/dist/shared/lib/util.d.ts.map +1 -1
  36. package/dist/shared/lib/util.js +118 -0
  37. package/dist/shared/lib/util.js.map +1 -1
  38. package/dist/shared/providers/types.d.ts +16 -0
  39. package/dist/shared/providers/types.d.ts.map +1 -1
  40. package/dist/shared/providers/types.js.map +1 -1
  41. package/dist/shared/version.d.ts +1 -1
  42. package/dist/shared/version.d.ts.map +1 -1
  43. package/dist/shared/version.js +1 -1
  44. package/dist/shared/version.js.map +1 -1
  45. package/dist/vanillajs/auth/handlers/MessageHandler.d.ts.map +1 -1
  46. package/dist/vanillajs/auth/handlers/MessageHandler.js +3 -1
  47. package/dist/vanillajs/auth/handlers/MessageHandler.js.map +1 -1
  48. package/dist/vanillajs/types/index.d.ts +4 -0
  49. package/dist/vanillajs/types/index.d.ts.map +1 -1
  50. package/dist/vanillajs/types/index.js.map +1 -1
  51. package/package.json +2 -2
package/dist/shared/lib/util.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"util.js","sourceRoot":"","sources":["../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAAE,MAAM,EAAsB,MAAM,oBAAoB,CAAC;AAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC3C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,yDAAyD;IACzD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAC/D,yGAAyG;QACzG,yEAAyE;QACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,aAAa,CAAC,YAAY,CAAC,MAAM,CAC/B,0BAA0B,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAAiC,EACjC,YAA0B,EAC1B,UAA4B;IAE5B,kCAAkC;IAClC,MAAM,YAAY,GAAG,YAAY;QAC/B,CAAC,CAAC,MAAM,YAAY,CAAC,eAAe,EAAE;QACtC,CAAC,CAAC,IAAI,CAAC;IAET,wDAAwD;IACxD,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,iBAAiB,GAA2B,EAAE,CAAC;IAErD,IAAI,YAAY,EAAE,CAAC;QACjB,iBAAiB,CAAC,YAAY,GAAG,YAAY,CAAC;IAChD,CAAC;IAED,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,iBAAiB,CAAC,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC;QACxD,iBAAiB,CAAC,gBAAgB,GAAG,cAAc,CAAC,CAAC,gCAAgC;IACvF,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,YAAY,CAAC,yBAAyB,CAC1D,IAAI,EACJ,iBAAiB,CAClB,CAA0B,CAAC;IAE5B,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AACD;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC9B,MAA6B,EACyB,EAAE;IACxD,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,iBAAiB;IAE9C,IAAI,aAAa,GAAG,WAAW,CAAC;IAChC,IAAI,iBAAiB,GAAG,WAAW,CAAC;IAEpC,iEAAiE;IACjE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,iEAAiE;QACjE,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,aAAa,EAAE,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,aAAa,GAAG,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,mDAAmD;QACnD,MAAM,iBAAiB,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACzD,iBAAiB;YACf,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,IAAI,WAAW,CAAC;QAE3D,mDAAmD;QACnD,IAAI,iBAAiB,EAAE,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,iBAAiB,GAAG,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,aAAa;KACd,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAoC,EACpC,MAA6B;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnD,oGAAoG;IACpG,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CACjC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,0DAA0D;IAC1D,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE7D,4DAA4D;IAC5D,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACvE,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACzE,CAAC;IAED,4DAA4D;IAC5D,mDAAmD;IACnD,MAAM,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAoC,EACpC,MAA6B;IAE7B,8EAA8E;IAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEtE,oGAAoG;IACpG,MAAM,oBAAoB,GAAG,GAAG,GAAG,aAAa,CAAC;IACjD,MAAM,aAAa,GAAG,OAAwB,CAAC;IAE/C,iCAAiC;IACjC,MAAM,wBAAwB,GAAG;QAC/B,MAAM,EAAE,iBAAiB;KAC1B,CAAC;IAEF,MAAM,yBAAyB,GAAG;QAChC,MAAM,EAAE,sBAAsB;KAC/B,CAAC;IAEF,2DAA2D;IAC3D,MAAM,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE;QACjE,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,mDAAmD;IACnD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,YAAY,EAC5B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,aAAa,EAC7B,MAAM,CAAC,aAAa,EACpB,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,oBAAoB,CAAC,QAAQ,EAAE,EAC/B;QACE,iHAAiH;QACjH,MAAM,EAAE,aAAa;KACtB,CACF,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE;QAChC,oBAAoB;QACpB,kBAAkB,EAAE,sBAAsB;QAC1C,aAAa;QACb,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;KACtC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoC;IACpE,kEAAkE;IAClE,MAAM,kBAAkB,GAAG;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC;QACjC,mBAAmB;QACnB,wBAAwB;QACxB,YAAY;KACb,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAoB;IAC/D,MAAM,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,KAAoB;IACrD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,uEAAuE;IACvE,+FAA+F;IAC/F,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAExC,wEAAwE;YACxE,IACE,OAAO;gBACP,OAAO,OAAO,KAAK,QAAQ;gBAC3B,OAAO,CAAC,KAAK;gBACb,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EACrC,CAAC;gBACD,OAAO,OAAO,CAAC,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;IACtE,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,eAAe,CAAC,uBAAuB,CACxC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,yBAAyB,CAAC,OAAO,CAAC,IAAI,SAAS;QACzD,YAAY,EAAE,yBAAyB,CAAC,WAAW,CAAC,IAAI,SAAS;QACjE,aAAa,EAAE,yBAAyB,CAAC,YAAY,CAAC,IAAI,SAAS;QACnE,uBAAuB,EACrB,oBAAoB,KAAK,IAAI;YAC3B,CAAC,CAAC,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACpC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,OAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,eAAe,CAAC,uBAAuB,CACxC,CAAC;IACF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7C,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,MAAwB;IAExB,MAAM,UAAU,GAAG,gBAAgB,CACjC,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,kBAAkB,CAAC;QAC/C,+BAA+B,CAClC,CAAC;IAEF,2EAA2E;IAC3E,MAAM,oBAAoB,GAAkB;QAC1C,MAAM,EAAE,UAAU;KACnB,CAAC;IAEF,4BAA4B;IAC5B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,6EAA6E;QAC7E,oBAAoB,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;QAC/C,oBAAoB;QACpB,MAAM;KACP,CAAC,CAAC;IAEH,+DAA+D;IAC/D,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAE3E,+EAA+E;IAC/E,IAAI,kBAAkB,CAAC;IACvB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,wBAAwB,GAAkB;YAC9C,MAAM,EAAE,UAAU;YAClB,4EAA4E;YAC5E,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACnD,wBAAwB;SACzB,CAAC,CAAC;QAEH,mEAAmE;QACnE,kBAAkB,GAAG,MAAM,MAAM,CAC/B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,cAAc;QACxB,YAAY,EAAE,kBAAkB;QAChC,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,gBAAmC;IAEnC,OAAO;QACL,OAAO,EAAE,gBAAgB,EAAE,OAAO,IAAI,eAAe;QACrD,MAAM,EAAE,gBAAgB,EAAE,MAAM,IAAI,cAAc;QAClD,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,YAAY;QAC5C,YAAY,EAAE,gBAAgB,EAAE,YAAY,IAAI,oBAAoB;KACrE,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,QAA4B;IAE5B,4BAA4B;IAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8CAA8C;IAC9C,OAAO,GAAG,OAAO,GAAG,QAAQ,EAAE,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qCAAqC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACzD,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACtE,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5D,CAAC;IAED,iDAAiD;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACxD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QACxD,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAiB;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAiB;IAC9C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC;AACtE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IAItD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,QAAQ,KAAK,QAAQ,CAAC;IAEtC,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;QAC5B,4DAA4D;QAC5D,OAAO;YACL,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,KAAK;SAChB,CAAC;IACJ,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,+DAA+D;QAC/D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,iDAAiD;QACjD,iFAAiF;QACjF,uDAAuD;QACvD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport {\n AUTH_SERVER_LEGACY_SESSION,\n AUTH_SERVER_SESSION,\n OAuthTokenTypes,\n} from \"./types.js\";\nimport { OAuth2Client } from \"../../lib/oauth2/OAuth2Client.js\";\nimport { addSlashIfNeeded, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport { decodeJwt } from \"jose\";\nimport type { CookieStorage } from \"./storage.js\";\nimport {\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n MAX_COOKIE_AGE_SECONDS,\n REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport type { AuthConfig, BackendEndpoints } from \"@/server/config.js\";\nimport { verify, type VerifyOptions } from \"@civic/auth-verify\";\n\nconst logger = loggers.services.validation;\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // Optional PKCE challenge - not needed for confidential clients using client secrets\n pkceConsumer?: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n\n // Only add PKCE parameters if a pkceConsumer is provided\n if (config.pkceConsumer) {\n const challenge = await config.pkceConsumer.getCodeChallenge();\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n }\n\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n redirectUrl: string;\n idToken: string;\n state: string;\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const endSessionUrl = new URL(endpoints.endsession);\n endSessionUrl.searchParams.append(\"client_id\", config.clientId);\n endSessionUrl.searchParams.append(\"id_token_hint\", config.idToken);\n endSessionUrl.searchParams.append(\"state\", config.state);\n endSessionUrl.searchParams.append(\n \"post_logout_redirect_uri\",\n config.redirectUrl,\n );\n return endSessionUrl;\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer | null,\n oauth2Client: OAuth2Client,\n authConfig: ValidationConfig,\n) {\n // Get code verifier if using PKCE\n const codeVerifier = pkceProducer\n ? await pkceProducer.getCodeVerifier()\n : null;\n\n // Ensure at least one authentication method is provided\n if (!codeVerifier && !authConfig.clientSecret) {\n throw new Error(\n \"Either PKCE code verifier or client secret must be provided\",\n );\n }\n\n // Build options for validateAuthorizationCode\n const validationOptions: Record<string, string> = {};\n\n if (codeVerifier) {\n validationOptions.codeVerifier = codeVerifier;\n }\n\n if (authConfig.clientSecret) {\n validationOptions.credentials = authConfig.clientSecret;\n validationOptions.authenticateWith = \"request_body\"; // Use client_secret_post method\n }\n\n const tokens = (await oauth2Client.validateAuthorizationCode(\n code,\n validationOptions,\n )) as OIDCTokenResponseBody;\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, authConfig);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n return tokens;\n}\n/**\n * Calculates the maxAge values for access and refresh token cookies\n * based on the TTL values in the access token\n *\n * maxAge needs to be in seconds from now until expiration\n *\n * @param tokens OIDC tokens response containing the access token\n * @returns Object with accessTokenMaxAge and refreshTokenMaxAge in seconds\n */\nexport const getCookiesMaxAge = (\n tokens: OIDCTokenResponseBody,\n): { idTokenMaxAge: number; accessTokenMaxAge: number } => {\n const DEFAULT_TTL = 60 * 60; // 1 hour default\n\n let idTokenMaxAge = DEFAULT_TTL;\n let accessTokenMaxAge = DEFAULT_TTL;\n\n // The ID token takes priority, as it represents the OIDC session\n if (tokens.id_token) {\n // If no access token exists, try to get expiration from ID token\n const parsedIdToken = decodeJwt(tokens.id_token);\n if (parsedIdToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n idTokenMaxAge = parsedIdToken.exp - now;\n }\n }\n\n if (tokens.access_token) {\n // Get access token TTL from the token if it exists\n const parsedAccessToken = decodeJwt(tokens.access_token);\n accessTokenMaxAge =\n Number(parsedAccessToken?.accessTokenTTL) || DEFAULT_TTL;\n\n // If access token has exp claim, use that directly\n if (parsedAccessToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n accessTokenMaxAge = parsedAccessToken.exp - now;\n }\n }\n\n return {\n accessTokenMaxAge,\n idTokenMaxAge,\n };\n};\n\nexport async function setOidcSessionExpiresAt(\n storage: AuthStorage | CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge } = getCookiesMaxAge(tokens);\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n (idTokenMaxAge + now).toString(),\n );\n}\n\nexport async function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // ID token is the primary token and must always be stored\n await storage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token);\n\n // Only store access token if it exists (no longer required)\n if (tokens.access_token) {\n await storage.set(OAuthTokenTypes.ACCESS_TOKEN, tokens.access_token);\n }\n\n // Store refresh token if it exists\n if (tokens.refresh_token) {\n await storage.set(OAuthTokenTypes.REFRESH_TOKEN, tokens.refresh_token);\n }\n\n // Still set access token expiration even if no access token\n // (will get expiration from ID token in this case)\n await setOidcSessionExpiresAt(storage, tokens);\n}\n\n/**\n * Stores tokens in server-side cookies with appropriate expiration times\n * Uses TTL values from the tokens to set cookie maxAge values\n * Refresh token is set with 400 day expiry\n */\nexport async function storeServerTokens(\n storage: AuthStorage | CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // Get maxAge values based on token TTLs (refresh token TTL will be undefined)\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge, accessTokenMaxAge } = getCookiesMaxAge(tokens);\n\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n const oidcSessionExpiresAt = now + idTokenMaxAge;\n const cookieStorage = storage as CookieStorage;\n\n // Apply maxAge to cookie options\n const accessTokenCookieOptions = {\n maxAge: accessTokenMaxAge,\n };\n\n const refreshTokenCookieOptions = {\n maxAge: MAX_COOKIE_AGE_SECONDS,\n };\n\n // ID token is always stored (primary authentication token)\n await cookieStorage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token, {\n maxAge: idTokenMaxAge,\n });\n\n // Access token is optional - only set if it exists\n if (tokens.access_token) {\n await cookieStorage.set(\n OAuthTokenTypes.ACCESS_TOKEN,\n tokens.access_token,\n accessTokenCookieOptions,\n );\n }\n\n // Set refresh token if present with 400 day expiry\n if (tokens.refresh_token) {\n await cookieStorage.set(\n OAuthTokenTypes.REFRESH_TOKEN,\n tokens.refresh_token,\n refreshTokenCookieOptions,\n );\n }\n\n // Still store the access token expiration timestamp even if no access token\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n oidcSessionExpiresAt.toString(),\n {\n // This is primarily an OIDC client, so we use the ID token max age for the session timeout / refresh scheduling.\n maxAge: idTokenMaxAge,\n },\n );\n logger.debug(\"storeServerTokens\", {\n oidcSessionExpiresAt,\n refreshTokenMaxAge: MAX_COOKIE_AGE_SECONDS,\n idTokenMaxAge,\n hasAccessToken: !!tokens.access_token,\n });\n}\n\nexport async function clearTokens(storage: AuthStorage | CookieStorage) {\n // clear all local storage keys related to OAuth and CivicAuth SDK\n const clearOAuthPromises = [\n ...Object.values(OAuthTokenTypes),\n REFRESH_IN_PROGRESS,\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n ].map(async (key) => {\n await storage.delete(key);\n });\n await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearAuthServerSession(storage: AuthStorage) {\n await storage.delete(AUTH_SERVER_SESSION);\n await storage.delete(AUTH_SERVER_LEGACY_SESSION);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n await userSession.clear();\n}\n\n/**\n * Smart token unwrapping for Safari's base64-encoding bug\n * Only unwraps tokens that are:\n * 1. Base64-encoded (Safari bug) - very long strings without dots\n * 2. Contain a JSON object with a 'value' property that's a valid JWT\n *\n * Does NOT unwrap React Router's normal {value: \"token\"} objects\n */\nfunction unwrapSafariTokenIfNeeded(token: string | null): string | null {\n if (!token) return token;\n\n // Safari-specific detection: base64-encoded JSON that's extremely long\n // Normal wrapped objects from React Router are much shorter and have different characteristics\n if (token && !token.includes(\".\") && token.length > 800) {\n try {\n // Try to decode as base64 and parse as JSON\n const decoded = JSON.parse(atob(token));\n\n // Verify this is Safari's bug: wrapped value must be a valid 3-part JWT\n if (\n decoded &&\n typeof decoded === \"object\" &&\n decoded.value &&\n typeof decoded.value === \"string\" &&\n decoded.value.split(\".\").length === 3\n ) {\n return decoded.value;\n }\n } catch (error) {\n console.error(\"HERE UTIL - SAFARI TOKEN UNWRAP FAILED\", error);\n }\n }\n\n return token;\n}\n\nexport async function retrieveTokens(\n storage: AuthStorage,\n): Promise<Partial<OIDCTokenResponseBody> | null> {\n const idToken = await storage.get(OAuthTokenTypes.ID_TOKEN);\n const accessToken = await storage.get(OAuthTokenTypes.ACCESS_TOKEN);\n const refreshToken = await storage.get(OAuthTokenTypes.REFRESH_TOKEN);\n const oidcSessionExpiresAt = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n\n return {\n id_token: unwrapSafariTokenIfNeeded(idToken) ?? undefined,\n access_token: unwrapSafariTokenIfNeeded(accessToken) ?? undefined,\n refresh_token: unwrapSafariTokenIfNeeded(refreshToken) ?? undefined,\n oidc_session_expires_at:\n oidcSessionExpiresAt !== null\n ? parseInt(oidcSessionExpiresAt, 10)\n : undefined, // Convert string to number\n };\n}\n\nexport async function retrieveOidcSessionExpiredAtSeconds(\n storage: AuthStorage,\n): Promise<number | null> {\n const valueSeconds = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n if (!valueSeconds) {\n return null;\n }\n const expiresAt = Number(valueSeconds);\n return isNaN(expiresAt) ? null : expiresAt;\n}\n\nexport type ValidationConfig = Pick<\n AuthConfig,\n \"clientId\" | \"oauthServer\" | \"oauthServerBaseUrl\" | \"clientSecret\"\n>;\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n config: ValidationConfig,\n): Promise<ParsedTokens> {\n const baseIssuer = addSlashIfNeeded(\n (config.oauthServer || config.oauthServerBaseUrl) ??\n \"https://auth.civic.com/oauth/\",\n );\n\n // Validate the ID token - this is now the primary token for authentication\n const idTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n };\n\n // Set audience for ID token\n if (config.clientId) {\n // ID tokens should have the client ID as audience for proper OIDC compliance\n idTokenVerifyOptions.aud = config.clientId;\n }\n\n logger.debug(`Verifying id_token with options:`, {\n idTokenVerifyOptions,\n config,\n });\n\n // Use the @civic/auth-verify package for ID token verification\n const idTokenPayload = await verify(tokens.id_token, idTokenVerifyOptions);\n\n // Only validate the access token if it exists, but if present it must be valid\n let accessTokenPayload;\n if (tokens.access_token) {\n const accessTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n // Access tokens have \"civic\" as audience based on auth server configuration\n aud: \"civic\",\n clientId: config.clientId,\n };\n\n logger.debug(`Verifying access_token with options:`, {\n accessTokenVerifyOptions,\n });\n\n // Use the @civic/auth-verify package for access token verification\n accessTokenPayload = await verify(\n tokens.access_token,\n accessTokenVerifyOptions,\n );\n }\n\n return withoutUndefined({\n id_token: idTokenPayload,\n access_token: accessTokenPayload,\n ...(tokens?.refresh_token ? { refresh_token: tokens.refresh_token } : {}),\n });\n}\n\n/**\n * Get backend endpoints with default values merged with custom configuration\n * @param backendEndpoints - Optional custom backend endpoints configuration\n * @returns Backend endpoints with defaults applied\n */\nexport function getBackendEndpoints(\n backendEndpoints?: BackendEndpoints,\n): BackendEndpoints {\n return {\n refresh: backendEndpoints?.refresh ?? \"/auth/refresh\",\n logout: backendEndpoints?.logout ?? \"/auth/logout\",\n user: backendEndpoints?.user ?? \"/auth/user\",\n clearSession: backendEndpoints?.clearSession ?? \"/auth/clearsession\",\n };\n}\n\n/**\n * Resolves an endpoint URL by checking if it's already a full URL\n * or if it needs to be combined with a base URL\n * @param baseUrl - The base URL (e.g., \"https://api.example.com\")\n * @param endpoint - The endpoint that might be relative (e.g., \"/auth/logout\") or absolute (e.g., \"https://other-server.com/logout\")\n * @returns The resolved URL\n */\nexport function resolveEndpointUrl(\n baseUrl: string,\n endpoint: string | undefined,\n): string {\n // Handle undefined endpoint\n if (!endpoint) {\n throw new Error(\"Endpoint is undefined\");\n }\n\n // Check if endpoint is already a full URL\n if (endpoint.startsWith(\"http://\") || endpoint.startsWith(\"https://\")) {\n return endpoint;\n }\n\n // Concatenate base URL with relative endpoint\n return `${baseUrl}${endpoint}`;\n}\n\n/**\n * Determines the protocol from request headers or environment\n * Checks common proxy headers before falling back to URL or environment\n */\nexport function getProtocolFromRequest(request?: Request): string {\n if (!request) {\n // Fallback when no request available\n return process.env.NODE_ENV === \"production\" ? \"https:\" : \"http:\";\n }\n\n // Check common proxy headers that indicate the original protocol\n const forwardedProto = request.headers.get(\"x-forwarded-proto\");\n if (forwardedProto) {\n return forwardedProto === \"https\" ? \"https:\" : \"http:\";\n }\n\n const forwardedProtocol = request.headers.get(\"x-forwarded-protocol\");\n if (forwardedProtocol) {\n return forwardedProtocol === \"https\" ? \"https:\" : \"http:\";\n }\n\n // Parse the standard Forwarded header (RFC 7239)\n const forwarded = request.headers.get(\"forwarded\");\n if (forwarded) {\n const protoMatch = forwarded.match(/proto=([^;,\\s]+)/i);\n if (protoMatch) {\n return protoMatch[1] === \"https\" ? \"https:\" : \"http:\";\n }\n }\n\n // Extract from the request URL itself\n const url = new URL(request.url);\n return url.protocol;\n}\n\n/**\n * Detect Safari browser from user agent\n */\nexport function isSafariBrowser(request?: Request): boolean {\n if (!request) return false;\n\n const userAgent = request.headers.get(\"user-agent\") || \"\";\n return userAgent.includes(\"Safari\") && !userAgent.includes(\"Chrome\");\n}\n\n/**\n * Detect if running on localhost\n */\nexport function isLocalhostUrl(request?: Request): boolean {\n if (!request) return false;\n\n const url = new URL(request.url);\n return url.hostname === \"localhost\" || url.hostname === \"127.0.0.1\";\n}\n\n/**\n * Get cookie configuration based on environment and browser\n * Handles special cases for Safari on localhost and HTTPS detection\n *\n * @param request - Optional request object for environment detection\n * @returns Cookie configuration with secure and sameSite settings\n *\n * Configuration rules:\n * - Safari on localhost: Uses lax sameSite to avoid cross-origin issues\n * - HTTPS: Uses secure cookies with none sameSite for cross-origin iframe support\n * - HTTP localhost (non-Safari): Uses secure cookies for Chrome's localhost exception\n */\nexport function getCookieConfiguration(request?: Request): {\n secure: boolean;\n sameSite: \"lax\" | \"none\";\n} {\n const isSafari = isSafariBrowser(request);\n const isLocalhost = isLocalhostUrl(request);\n const protocol = getProtocolFromRequest(request);\n const isHttps = protocol === \"https:\";\n\n if (isSafari && isLocalhost) {\n // Safari on localhost: use lax to avoid cross-origin issues\n return {\n secure: false,\n sameSite: \"lax\",\n };\n } else if (isHttps) {\n // HTTPS (production): use none for cross-origin iframe support\n return {\n secure: true,\n sameSite: \"none\",\n };\n } else {\n // HTTP localhost (non-Safari): use secure: true for iframe compatibility\n // Chrome allows secure cookies on localhost HTTP\n // This allows secure: true cookies to work on localhost for iframe compatibility\n // Reference: Chrome's third-party cookie documentation\n return {\n secure: true,\n sameSite: \"none\",\n };\n }\n}\n"]}
1
+ {"version":3,"file":"util.js","sourceRoot":"","sources":["../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAAE,MAAM,EAAsB,MAAM,oBAAoB,CAAC;AAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC3C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,yDAAyD;IACzD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAC/D,yGAAyG;QACzG,yEAAyE;QACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,aAAa,CAAC,YAAY,CAAC,MAAM,CAC/B,0BAA0B,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAAiC,EACjC,YAA0B,EAC1B,UAA4B;IAE5B,kCAAkC;IAClC,MAAM,YAAY,GAAG,YAAY;QAC/B,CAAC,CAAC,MAAM,YAAY,CAAC,eAAe,EAAE;QACtC,CAAC,CAAC,IAAI,CAAC;IAET,wDAAwD;IACxD,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,iBAAiB,GAA2B,EAAE,CAAC;IAErD,IAAI,YAAY,EAAE,CAAC;QACjB,iBAAiB,CAAC,YAAY,GAAG,YAAY,CAAC;IAChD,CAAC;IAED,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,iBAAiB,CAAC,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC;QACxD,iBAAiB,CAAC,gBAAgB,GAAG,cAAc,CAAC,CAAC,gCAAgC;IACvF,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,YAAY,CAAC,yBAAyB,CAC1D,IAAI,EACJ,iBAAiB,CAClB,CAA0B,CAAC;IAE5B,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AACD;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC9B,MAA6B,EACyB,EAAE;IACxD,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,iBAAiB;IAE9C,IAAI,aAAa,GAAG,WAAW,CAAC;IAChC,IAAI,iBAAiB,GAAG,WAAW,CAAC;IAEpC,iEAAiE;IACjE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,iEAAiE;QACjE,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,aAAa,EAAE,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,aAAa,GAAG,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,mDAAmD;QACnD,MAAM,iBAAiB,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACzD,iBAAiB;YACf,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,IAAI,WAAW,CAAC;QAE3D,mDAAmD;QACnD,IAAI,iBAAiB,EAAE,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,iBAAiB,GAAG,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,aAAa;KACd,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAoC,EACpC,MAA6B;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnD,oGAAoG;IACpG,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CACjC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,0DAA0D;IAC1D,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE7D,4DAA4D;IAC5D,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACvE,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACzE,CAAC;IAED,4DAA4D;IAC5D,mDAAmD;IACnD,MAAM,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAoC,EACpC,MAA6B;IAE7B,8EAA8E;IAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEtE,oGAAoG;IACpG,MAAM,oBAAoB,GAAG,GAAG,GAAG,aAAa,CAAC;IACjD,MAAM,aAAa,GAAG,OAAwB,CAAC;IAE/C,iCAAiC;IACjC,MAAM,wBAAwB,GAAG;QAC/B,MAAM,EAAE,iBAAiB;KAC1B,CAAC;IAEF,MAAM,yBAAyB,GAAG;QAChC,MAAM,EAAE,sBAAsB;KAC/B,CAAC;IAEF,2DAA2D;IAC3D,MAAM,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE;QACjE,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,mDAAmD;IACnD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,YAAY,EAC5B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,aAAa,EAC7B,MAAM,CAAC,aAAa,EACpB,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,oBAAoB,CAAC,QAAQ,EAAE,EAC/B;QACE,iHAAiH;QACjH,MAAM,EAAE,aAAa;KACtB,CACF,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE;QAChC,oBAAoB;QACpB,kBAAkB,EAAE,sBAAsB;QAC1C,aAAa;QACb,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;KACtC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoC;IACpE,kEAAkE;IAClE,MAAM,kBAAkB,GAAG;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC;QACjC,mBAAmB;QACnB,wBAAwB;QACxB,YAAY;KACb,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAoB;IAC/D,MAAM,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,KAAoB;IACrD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,uEAAuE;IACvE,+FAA+F;IAC/F,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAExC,wEAAwE;YACxE,IACE,OAAO;gBACP,OAAO,OAAO,KAAK,QAAQ;gBAC3B,OAAO,CAAC,KAAK;gBACb,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EACrC,CAAC;gBACD,OAAO,OAAO,CAAC,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;IACtE,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,eAAe,CAAC,uBAAuB,CACxC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,yBAAyB,CAAC,OAAO,CAAC,IAAI,SAAS;QACzD,YAAY,EAAE,yBAAyB,CAAC,WAAW,CAAC,IAAI,SAAS;QACjE,aAAa,EAAE,yBAAyB,CAAC,YAAY,CAAC,IAAI,SAAS;QACnE,uBAAuB,EACrB,oBAAoB,KAAK,IAAI;YAC3B,CAAC,CAAC,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACpC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,OAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,eAAe,CAAC,uBAAuB,CACxC,CAAC;IACF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7C,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,MAAwB;IAExB,MAAM,UAAU,GAAG,gBAAgB,CACjC,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,kBAAkB,CAAC;QAC/C,+BAA+B,CAClC,CAAC;IAEF,2EAA2E;IAC3E,MAAM,oBAAoB,GAAkB;QAC1C,MAAM,EAAE,UAAU;KACnB,CAAC;IAEF,4BAA4B;IAC5B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,6EAA6E;QAC7E,oBAAoB,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;QAC/C,oBAAoB;QACpB,MAAM;KACP,CAAC,CAAC;IAEH,+DAA+D;IAC/D,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAE3E,+EAA+E;IAC/E,IAAI,kBAAkB,CAAC;IACvB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,wBAAwB,GAAkB;YAC9C,MAAM,EAAE,UAAU;YAClB,4EAA4E;YAC5E,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACnD,wBAAwB;SACzB,CAAC,CAAC;QAEH,mEAAmE;QACnE,kBAAkB,GAAG,MAAM,MAAM,CAC/B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,cAAc;QACxB,YAAY,EAAE,kBAAkB;QAChC,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,gBAAmC;IAEnC,OAAO;QACL,OAAO,EAAE,gBAAgB,EAAE,OAAO,IAAI,eAAe;QACrD,MAAM,EAAE,gBAAgB,EAAE,MAAM,IAAI,cAAc;QAClD,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,YAAY;QAC5C,YAAY,EAAE,gBAAgB,EAAE,YAAY,IAAI,oBAAoB;KACrE,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,QAA4B;IAE5B,4BAA4B;IAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8CAA8C;IAC9C,OAAO,GAAG,OAAO,GAAG,QAAQ,EAAE,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qCAAqC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACzD,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACtE,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5D,CAAC;IAED,iDAAiD;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACxD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QACxD,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,CAAC;AACtB,CAAC;AAED,wEAAwE;AACxE,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEnC;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,iBAAiB,CAC/B,GAA8B,EAC9B,OAAe;IAEf,oCAAoC;IACpC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iDAAiD;IACjD,IAAI,UAAU,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE;YAC5C,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,SAAS,EAAE,qBAAqB;SACjC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IAC1C,MAAM,gBAAgB,GAAG;QACvB,aAAa;QACb,OAAO;QACP,WAAW;QACX,OAAO;QACP,QAAQ;KACT,CAAC;IACF,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;gBAChD,MAAM;gBACN,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;aACjC,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,iCAAiC;IACjC,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE;YAC5C,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;SACjC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2DAA2D;IAC3D,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,yDAAyD;QACzD,iFAAiF;QACjF,gFAAgF;QAChF,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACpC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YAEhD,4DAA4D;YAC5D,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,EAAE,CAAC;gBACzC,MAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;oBAC7D,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;oBACrC,gBAAgB,EAAE,OAAO,CAAC,MAAM;oBAChC,cAAc,EAAE,UAAU,CAAC,MAAM;iBAClC,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,qDAAqD;YACrD,OAAO,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;YACrB,MAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE;gBAC7C,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;aACjC,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAEpC,8BAA8B;QAC9B,IAAI,SAAS,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,EAAE,CAAC;YAC3C,gEAAgE;YAChE,OAAO,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC;QAChE,CAAC;QAED,qDAAqD;QACrD,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;YAChD,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;YAChC,SAAS,EAAE,SAAS,CAAC,MAAM;YAC3B,cAAc,EAAE,UAAU,CAAC,MAAM;SAClC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,oBAAoB;QACpB,MAAM,CAAC,IAAI,CAAC,+BAA+B,EAAE;YAC3C,GAAG,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;SACjC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAiB;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAiB;IAC9C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC;AACtE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IAItD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,QAAQ,KAAK,QAAQ,CAAC;IAEtC,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;QAC5B,4DAA4D;QAC5D,OAAO;YACL,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,KAAK;SAChB,CAAC;IACJ,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,+DAA+D;QAC/D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,iDAAiD;QACjD,iFAAiF;QACjF,uDAAuD;QACvD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport {\n AUTH_SERVER_LEGACY_SESSION,\n AUTH_SERVER_SESSION,\n OAuthTokenTypes,\n} from \"./types.js\";\nimport { OAuth2Client } from \"../../lib/oauth2/OAuth2Client.js\";\nimport { addSlashIfNeeded, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport { decodeJwt } from \"jose\";\nimport type { CookieStorage } from \"./storage.js\";\nimport {\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n MAX_COOKIE_AGE_SECONDS,\n REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport type { AuthConfig, BackendEndpoints } from \"@/server/config.js\";\nimport { verify, type VerifyOptions } from \"@civic/auth-verify\";\n\nconst logger = loggers.services.validation;\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // Optional PKCE challenge - not needed for confidential clients using client secrets\n pkceConsumer?: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n\n // Only add PKCE parameters if a pkceConsumer is provided\n if (config.pkceConsumer) {\n const challenge = await config.pkceConsumer.getCodeChallenge();\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n }\n\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n redirectUrl: string;\n idToken: string;\n state: string;\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const endSessionUrl = new URL(endpoints.endsession);\n endSessionUrl.searchParams.append(\"client_id\", config.clientId);\n endSessionUrl.searchParams.append(\"id_token_hint\", config.idToken);\n endSessionUrl.searchParams.append(\"state\", config.state);\n endSessionUrl.searchParams.append(\n \"post_logout_redirect_uri\",\n config.redirectUrl,\n );\n return endSessionUrl;\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer | null,\n oauth2Client: OAuth2Client,\n authConfig: ValidationConfig,\n) {\n // Get code verifier if using PKCE\n const codeVerifier = pkceProducer\n ? await pkceProducer.getCodeVerifier()\n : null;\n\n // Ensure at least one authentication method is provided\n if (!codeVerifier && !authConfig.clientSecret) {\n throw new Error(\n \"Either PKCE code verifier or client secret must be provided\",\n );\n }\n\n // Build options for validateAuthorizationCode\n const validationOptions: Record<string, string> = {};\n\n if (codeVerifier) {\n validationOptions.codeVerifier = codeVerifier;\n }\n\n if (authConfig.clientSecret) {\n validationOptions.credentials = authConfig.clientSecret;\n validationOptions.authenticateWith = \"request_body\"; // Use client_secret_post method\n }\n\n const tokens = (await oauth2Client.validateAuthorizationCode(\n code,\n validationOptions,\n )) as OIDCTokenResponseBody;\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, authConfig);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n return tokens;\n}\n/**\n * Calculates the maxAge values for access and refresh token cookies\n * based on the TTL values in the access token\n *\n * maxAge needs to be in seconds from now until expiration\n *\n * @param tokens OIDC tokens response containing the access token\n * @returns Object with accessTokenMaxAge and refreshTokenMaxAge in seconds\n */\nexport const getCookiesMaxAge = (\n tokens: OIDCTokenResponseBody,\n): { idTokenMaxAge: number; accessTokenMaxAge: number } => {\n const DEFAULT_TTL = 60 * 60; // 1 hour default\n\n let idTokenMaxAge = DEFAULT_TTL;\n let accessTokenMaxAge = DEFAULT_TTL;\n\n // The ID token takes priority, as it represents the OIDC session\n if (tokens.id_token) {\n // If no access token exists, try to get expiration from ID token\n const parsedIdToken = decodeJwt(tokens.id_token);\n if (parsedIdToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n idTokenMaxAge = parsedIdToken.exp - now;\n }\n }\n\n if (tokens.access_token) {\n // Get access token TTL from the token if it exists\n const parsedAccessToken = decodeJwt(tokens.access_token);\n accessTokenMaxAge =\n Number(parsedAccessToken?.accessTokenTTL) || DEFAULT_TTL;\n\n // If access token has exp claim, use that directly\n if (parsedAccessToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n accessTokenMaxAge = parsedAccessToken.exp - now;\n }\n }\n\n return {\n accessTokenMaxAge,\n idTokenMaxAge,\n };\n};\n\nexport async function setOidcSessionExpiresAt(\n storage: AuthStorage | CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge } = getCookiesMaxAge(tokens);\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n (idTokenMaxAge + now).toString(),\n );\n}\n\nexport async function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // ID token is the primary token and must always be stored\n await storage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token);\n\n // Only store access token if it exists (no longer required)\n if (tokens.access_token) {\n await storage.set(OAuthTokenTypes.ACCESS_TOKEN, tokens.access_token);\n }\n\n // Store refresh token if it exists\n if (tokens.refresh_token) {\n await storage.set(OAuthTokenTypes.REFRESH_TOKEN, tokens.refresh_token);\n }\n\n // Still set access token expiration even if no access token\n // (will get expiration from ID token in this case)\n await setOidcSessionExpiresAt(storage, tokens);\n}\n\n/**\n * Stores tokens in server-side cookies with appropriate expiration times\n * Uses TTL values from the tokens to set cookie maxAge values\n * Refresh token is set with 400 day expiry\n */\nexport async function storeServerTokens(\n storage: AuthStorage | CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // Get maxAge values based on token TTLs (refresh token TTL will be undefined)\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge, accessTokenMaxAge } = getCookiesMaxAge(tokens);\n\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n const oidcSessionExpiresAt = now + idTokenMaxAge;\n const cookieStorage = storage as CookieStorage;\n\n // Apply maxAge to cookie options\n const accessTokenCookieOptions = {\n maxAge: accessTokenMaxAge,\n };\n\n const refreshTokenCookieOptions = {\n maxAge: MAX_COOKIE_AGE_SECONDS,\n };\n\n // ID token is always stored (primary authentication token)\n await cookieStorage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token, {\n maxAge: idTokenMaxAge,\n });\n\n // Access token is optional - only set if it exists\n if (tokens.access_token) {\n await cookieStorage.set(\n OAuthTokenTypes.ACCESS_TOKEN,\n tokens.access_token,\n accessTokenCookieOptions,\n );\n }\n\n // Set refresh token if present with 400 day expiry\n if (tokens.refresh_token) {\n await cookieStorage.set(\n OAuthTokenTypes.REFRESH_TOKEN,\n tokens.refresh_token,\n refreshTokenCookieOptions,\n );\n }\n\n // Still store the access token expiration timestamp even if no access token\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n oidcSessionExpiresAt.toString(),\n {\n // This is primarily an OIDC client, so we use the ID token max age for the session timeout / refresh scheduling.\n maxAge: idTokenMaxAge,\n },\n );\n logger.debug(\"storeServerTokens\", {\n oidcSessionExpiresAt,\n refreshTokenMaxAge: MAX_COOKIE_AGE_SECONDS,\n idTokenMaxAge,\n hasAccessToken: !!tokens.access_token,\n });\n}\n\nexport async function clearTokens(storage: AuthStorage | CookieStorage) {\n // clear all local storage keys related to OAuth and CivicAuth SDK\n const clearOAuthPromises = [\n ...Object.values(OAuthTokenTypes),\n REFRESH_IN_PROGRESS,\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n ].map(async (key) => {\n await storage.delete(key);\n });\n await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearAuthServerSession(storage: AuthStorage) {\n await storage.delete(AUTH_SERVER_SESSION);\n await storage.delete(AUTH_SERVER_LEGACY_SESSION);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n await userSession.clear();\n}\n\n/**\n * Smart token unwrapping for Safari's base64-encoding bug\n * Only unwraps tokens that are:\n * 1. Base64-encoded (Safari bug) - very long strings without dots\n * 2. Contain a JSON object with a 'value' property that's a valid JWT\n *\n * Does NOT unwrap React Router's normal {value: \"token\"} objects\n */\nfunction unwrapSafariTokenIfNeeded(token: string | null): string | null {\n if (!token) return token;\n\n // Safari-specific detection: base64-encoded JSON that's extremely long\n // Normal wrapped objects from React Router are much shorter and have different characteristics\n if (token && !token.includes(\".\") && token.length > 800) {\n try {\n // Try to decode as base64 and parse as JSON\n const decoded = JSON.parse(atob(token));\n\n // Verify this is Safari's bug: wrapped value must be a valid 3-part JWT\n if (\n decoded &&\n typeof decoded === \"object\" &&\n decoded.value &&\n typeof decoded.value === \"string\" &&\n decoded.value.split(\".\").length === 3\n ) {\n return decoded.value;\n }\n } catch (error) {\n console.error(\"HERE UTIL - SAFARI TOKEN UNWRAP FAILED\", error);\n }\n }\n\n return token;\n}\n\nexport async function retrieveTokens(\n storage: AuthStorage,\n): Promise<Partial<OIDCTokenResponseBody> | null> {\n const idToken = await storage.get(OAuthTokenTypes.ID_TOKEN);\n const accessToken = await storage.get(OAuthTokenTypes.ACCESS_TOKEN);\n const refreshToken = await storage.get(OAuthTokenTypes.REFRESH_TOKEN);\n const oidcSessionExpiresAt = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n\n return {\n id_token: unwrapSafariTokenIfNeeded(idToken) ?? undefined,\n access_token: unwrapSafariTokenIfNeeded(accessToken) ?? undefined,\n refresh_token: unwrapSafariTokenIfNeeded(refreshToken) ?? undefined,\n oidc_session_expires_at:\n oidcSessionExpiresAt !== null\n ? parseInt(oidcSessionExpiresAt, 10)\n : undefined, // Convert string to number\n };\n}\n\nexport async function retrieveOidcSessionExpiredAtSeconds(\n storage: AuthStorage,\n): Promise<number | null> {\n const valueSeconds = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n if (!valueSeconds) {\n return null;\n }\n const expiresAt = Number(valueSeconds);\n return isNaN(expiresAt) ? null : expiresAt;\n}\n\nexport type ValidationConfig = Pick<\n AuthConfig,\n \"clientId\" | \"oauthServer\" | \"oauthServerBaseUrl\" | \"clientSecret\"\n>;\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n config: ValidationConfig,\n): Promise<ParsedTokens> {\n const baseIssuer = addSlashIfNeeded(\n (config.oauthServer || config.oauthServerBaseUrl) ??\n \"https://auth.civic.com/oauth/\",\n );\n\n // Validate the ID token - this is now the primary token for authentication\n const idTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n };\n\n // Set audience for ID token\n if (config.clientId) {\n // ID tokens should have the client ID as audience for proper OIDC compliance\n idTokenVerifyOptions.aud = config.clientId;\n }\n\n logger.debug(`Verifying id_token with options:`, {\n idTokenVerifyOptions,\n config,\n });\n\n // Use the @civic/auth-verify package for ID token verification\n const idTokenPayload = await verify(tokens.id_token, idTokenVerifyOptions);\n\n // Only validate the access token if it exists, but if present it must be valid\n let accessTokenPayload;\n if (tokens.access_token) {\n const accessTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n // Access tokens have \"civic\" as audience based on auth server configuration\n aud: \"civic\",\n clientId: config.clientId,\n };\n\n logger.debug(`Verifying access_token with options:`, {\n accessTokenVerifyOptions,\n });\n\n // Use the @civic/auth-verify package for access token verification\n accessTokenPayload = await verify(\n tokens.access_token,\n accessTokenVerifyOptions,\n );\n }\n\n return withoutUndefined({\n id_token: idTokenPayload,\n access_token: accessTokenPayload,\n ...(tokens?.refresh_token ? { refresh_token: tokens.refresh_token } : {}),\n });\n}\n\n/**\n * Get backend endpoints with default values merged with custom configuration\n * @param backendEndpoints - Optional custom backend endpoints configuration\n * @returns Backend endpoints with defaults applied\n */\nexport function getBackendEndpoints(\n backendEndpoints?: BackendEndpoints,\n): BackendEndpoints {\n return {\n refresh: backendEndpoints?.refresh ?? \"/auth/refresh\",\n logout: backendEndpoints?.logout ?? \"/auth/logout\",\n user: backendEndpoints?.user ?? \"/auth/user\",\n clearSession: backendEndpoints?.clearSession ?? \"/auth/clearsession\",\n };\n}\n\n/**\n * Resolves an endpoint URL by checking if it's already a full URL\n * or if it needs to be combined with a base URL\n * @param baseUrl - The base URL (e.g., \"https://api.example.com\")\n * @param endpoint - The endpoint that might be relative (e.g., \"/auth/logout\") or absolute (e.g., \"https://other-server.com/logout\")\n * @returns The resolved URL\n */\nexport function resolveEndpointUrl(\n baseUrl: string,\n endpoint: string | undefined,\n): string {\n // Handle undefined endpoint\n if (!endpoint) {\n throw new Error(\"Endpoint is undefined\");\n }\n\n // Check if endpoint is already a full URL\n if (endpoint.startsWith(\"http://\") || endpoint.startsWith(\"https://\")) {\n return endpoint;\n }\n\n // Concatenate base URL with relative endpoint\n return `${baseUrl}${endpoint}`;\n}\n\n/**\n * Determines the protocol from request headers or environment\n * Checks common proxy headers before falling back to URL or environment\n */\nexport function getProtocolFromRequest(request?: Request): string {\n if (!request) {\n // Fallback when no request available\n return process.env.NODE_ENV === \"production\" ? \"https:\" : \"http:\";\n }\n\n // Check common proxy headers that indicate the original protocol\n const forwardedProto = request.headers.get(\"x-forwarded-proto\");\n if (forwardedProto) {\n return forwardedProto === \"https\" ? \"https:\" : \"http:\";\n }\n\n const forwardedProtocol = request.headers.get(\"x-forwarded-protocol\");\n if (forwardedProtocol) {\n return forwardedProtocol === \"https\" ? \"https:\" : \"http:\";\n }\n\n // Parse the standard Forwarded header (RFC 7239)\n const forwarded = request.headers.get(\"forwarded\");\n if (forwarded) {\n const protoMatch = forwarded.match(/proto=([^;,\\s]+)/i);\n if (protoMatch) {\n return protoMatch[1] === \"https\" ? \"https:\" : \"http:\";\n }\n }\n\n // Extract from the request URL itself\n const url = new URL(request.url);\n return url.protocol;\n}\n\n// Maximum URL length to prevent cookie size issues (~4KB browser limit)\nconst MAX_RETURN_URL_LENGTH = 2048;\n\n/**\n * Sanitizes and validates a return URL to prevent open redirect vulnerabilities.\n * Only allows relative paths or same-origin URLs.\n *\n * @param url - The URL to validate (e.g., \"/admin/dashboard?tab=settings\")\n * @param baseUrl - The base URL of the application (e.g., \"https://example.com\")\n * @returns The sanitized URL if valid, or null if the URL fails validation\n *\n * @example\n * // Valid relative path\n * sanitizeReturnUrl(\"/admin/chat?param=123\", \"https://example.com\")\n * // Returns: \"/admin/chat?param=123\"\n *\n * @example\n * // Invalid - different domain\n * sanitizeReturnUrl(\"https://evil.com/phish\", \"https://example.com\")\n * // Returns: null\n */\nexport function sanitizeReturnUrl(\n url: string | null | undefined,\n baseUrl: string,\n): string | null {\n // Handle null/undefined/empty input\n if (!url || typeof url !== \"string\") {\n return null;\n }\n\n const trimmedUrl = url.trim();\n if (!trimmedUrl) {\n return null;\n }\n\n // Check URL length to prevent cookie size issues\n if (trimmedUrl.length > MAX_RETURN_URL_LENGTH) {\n logger.warn(\"Return URL too long, rejecting\", {\n length: trimmedUrl.length,\n maxLength: MAX_RETURN_URL_LENGTH,\n });\n return null;\n }\n\n // Block dangerous URL schemes\n const lowerUrl = trimmedUrl.toLowerCase();\n const dangerousSchemes = [\n \"javascript:\",\n \"data:\",\n \"vbscript:\",\n \"file:\",\n \"about:\",\n ];\n for (const scheme of dangerousSchemes) {\n if (lowerUrl.startsWith(scheme)) {\n logger.warn(\"Rejected URL with dangerous scheme\", {\n scheme,\n url: trimmedUrl.substring(0, 50),\n });\n return null;\n }\n }\n\n // Block protocol-relative URLs (//evil.com) - these inherit the current protocol\n // and can redirect to any domain\n if (trimmedUrl.startsWith(\"//\")) {\n logger.warn(\"Rejected protocol-relative URL\", {\n url: trimmedUrl.substring(0, 50),\n });\n return null;\n }\n\n // Check if it's a relative path (starts with / but not //)\n if (trimmedUrl.startsWith(\"/\") && !trimmedUrl.startsWith(\"//\")) {\n // Relative paths are safe - they stay on the same origin\n // Normalize by removing any .. or . segments to prevent path traversal confusion\n // Note: Path traversal on URLs doesn't cross origins, but we clean it up anyway\n try {\n // Use URL constructor to normalize the path\n const baseUrlObj = new URL(baseUrl);\n const fullUrl = new URL(trimmedUrl, baseUrlObj);\n\n // Verify we're still on the same origin after normalization\n if (fullUrl.origin !== baseUrlObj.origin) {\n logger.warn(\"Rejected URL after normalization changed origin\", {\n original: trimmedUrl.substring(0, 50),\n normalizedOrigin: fullUrl.origin,\n expectedOrigin: baseUrlObj.origin,\n });\n return null;\n }\n\n // Return just the path + query + hash (relative URL)\n return fullUrl.pathname + fullUrl.search + fullUrl.hash;\n } catch {\n // Invalid URL format\n logger.warn(\"Rejected malformed relative URL\", {\n url: trimmedUrl.substring(0, 50),\n });\n return null;\n }\n }\n\n // Check if it's an absolute URL\n try {\n const parsedUrl = new URL(trimmedUrl);\n const parsedBase = new URL(baseUrl);\n\n // Only allow same-origin URLs\n if (parsedUrl.origin === parsedBase.origin) {\n // Return relative path to avoid storing full URLs unnecessarily\n return parsedUrl.pathname + parsedUrl.search + parsedUrl.hash;\n }\n\n // Different origin - reject to prevent open redirect\n logger.warn(\"Rejected URL with different origin\", {\n url: trimmedUrl.substring(0, 50),\n urlOrigin: parsedUrl.origin,\n expectedOrigin: parsedBase.origin,\n });\n return null;\n } catch {\n // Not a valid absolute URL - might be a malformed URL\n // Reject to be safe\n logger.warn(\"Rejected invalid absolute URL\", {\n url: trimmedUrl.substring(0, 50),\n });\n return null;\n }\n}\n\n/**\n * Detect Safari browser from user agent\n */\nexport function isSafariBrowser(request?: Request): boolean {\n if (!request) return false;\n\n const userAgent = request.headers.get(\"user-agent\") || \"\";\n return userAgent.includes(\"Safari\") && !userAgent.includes(\"Chrome\");\n}\n\n/**\n * Detect if running on localhost\n */\nexport function isLocalhostUrl(request?: Request): boolean {\n if (!request) return false;\n\n const url = new URL(request.url);\n return url.hostname === \"localhost\" || url.hostname === \"127.0.0.1\";\n}\n\n/**\n * Get cookie configuration based on environment and browser\n * Handles special cases for Safari on localhost and HTTPS detection\n *\n * @param request - Optional request object for environment detection\n * @returns Cookie configuration with secure and sameSite settings\n *\n * Configuration rules:\n * - Safari on localhost: Uses lax sameSite to avoid cross-origin issues\n * - HTTPS: Uses secure cookies with none sameSite for cross-origin iframe support\n * - HTTP localhost (non-Safari): Uses secure cookies for Chrome's localhost exception\n */\nexport function getCookieConfiguration(request?: Request): {\n secure: boolean;\n sameSite: \"lax\" | \"none\";\n} {\n const isSafari = isSafariBrowser(request);\n const isLocalhost = isLocalhostUrl(request);\n const protocol = getProtocolFromRequest(request);\n const isHttps = protocol === \"https:\";\n\n if (isSafari && isLocalhost) {\n // Safari on localhost: use lax to avoid cross-origin issues\n return {\n secure: false,\n sameSite: \"lax\",\n };\n } else if (isHttps) {\n // HTTPS (production): use none for cross-origin iframe support\n return {\n secure: true,\n sameSite: \"none\",\n };\n } else {\n // HTTP localhost (non-Safari): use secure: true for iframe compatibility\n // Chrome allows secure cookies on localhost HTTP\n // This allows secure: true cookies to work on localhost for iframe compatibility\n // Reference: Chrome's third-party cookie documentation\n return {\n secure: true,\n sameSite: \"none\",\n };\n }\n}\n"]}
package/dist/shared/providers/types.d.ts CHANGED
@@ -1,18 +1,34 @@
1
1
  import type { Config, DisplayMode, IframeMode } from "../../types.js";
2
2
  import type { LoggingConfig, OnSignInResponse, OnSignOutResponse } from "../../vanillajs/index.js";
3
3
  import type { ReactNode } from "react";
4
+ /**
5
+ * Props for the Civic Auth provider component.
6
+ * These props configure the authentication behavior and UI display.
7
+ */
4
8
  export type AuthProviderProps = {
9
+ /** React children to render within the auth provider */
5
10
  children: ReactNode;
11
+ /** Civic Auth client ID from your Civic dashboard */
6
12
  clientId: string;
13
+ /** Optional nonce for additional security in the OAuth flow */
7
14
  nonce?: string;
15
+ /** Callback fired after successful or failed sign-in */
8
16
  onSignIn?: (response: OnSignInResponse) => void | Promise<void>;
17
+ /** Callback fired after sign-out */
9
18
  onSignOut?: (response: OnSignOutResponse) => void | Promise<void>;
19
+ /** Iframe display mode when displayMode is "iframe" - "modal" shows centered overlay, "embedded" renders in targetContainerElement */
10
20
  iframeMode?: IframeMode;
21
+ /** Additional configuration options for the auth client */
11
22
  config?: Config;
23
+ /** URL to redirect to after successful authentication */
12
24
  redirectUrl?: string;
25
+ /** URL to redirect to after logout */
13
26
  logoutRedirectUrl?: string;
27
+ /** Display mode for the authentication UI - "iframe" (default), "redirect", or "new_tab" */
14
28
  displayMode?: DisplayMode;
29
+ /** DOM element or CSS selector where embedded iframe should render (only used when iframeMode is "embedded") */
15
30
  targetContainerElement?: HTMLElement | string;
31
+ /** Logging configuration for debugging */
16
32
  logging?: LoggingConfig;
17
33
  };
18
34
  //# sourceMappingURL=types.d.ts.map
package/dist/shared/providers/types.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/shared/providers/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,KAAK,EACV,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EAClB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAEvC,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,CAAC,QAAQ,EAAE,gBAAgB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,SAAS,CAAC,EAAE,CAAC,QAAQ,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,sBAAsB,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC;IAC9C,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB,CAAC"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/shared/providers/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,KAAK,EACV,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EAClB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAEvC;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,wDAAwD;IACxD,QAAQ,EAAE,SAAS,CAAC;IACpB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,CAAC,QAAQ,EAAE,gBAAgB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,oCAAoC;IACpC,SAAS,CAAC,EAAE,CAAC,QAAQ,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,sIAAsI;IACtI,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gHAAgH;IAChH,sBAAsB,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC;IAC9C,0CAA0C;IAC1C,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB,CAAC"}
package/dist/shared/providers/types.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/shared/providers/types.ts"],"names":[],"mappings":"","sourcesContent":["import type { Config, DisplayMode, IframeMode } from \"@/types.js\";\nimport type {\n LoggingConfig,\n OnSignInResponse,\n OnSignOutResponse,\n} from \"@/vanillajs/index.js\";\nimport type { ReactNode } from \"react\";\n\nexport type AuthProviderProps = {\n children: ReactNode;\n clientId: string;\n nonce?: string;\n onSignIn?: (response: OnSignInResponse) => void | Promise<void>;\n onSignOut?: (response: OnSignOutResponse) => void | Promise<void>;\n iframeMode?: IframeMode;\n config?: Config;\n redirectUrl?: string;\n logoutRedirectUrl?: string;\n displayMode?: DisplayMode;\n targetContainerElement?: HTMLElement | string;\n logging?: LoggingConfig;\n};\n"]}
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/shared/providers/types.ts"],"names":[],"mappings":"","sourcesContent":["import type { Config, DisplayMode, IframeMode } from \"@/types.js\";\nimport type {\n LoggingConfig,\n OnSignInResponse,\n OnSignOutResponse,\n} from \"@/vanillajs/index.js\";\nimport type { ReactNode } from \"react\";\n\n/**\n * Props for the Civic Auth provider component.\n * These props configure the authentication behavior and UI display.\n */\nexport type AuthProviderProps = {\n /** React children to render within the auth provider */\n children: ReactNode;\n /** Civic Auth client ID from your Civic dashboard */\n clientId: string;\n /** Optional nonce for additional security in the OAuth flow */\n nonce?: string;\n /** Callback fired after successful or failed sign-in */\n onSignIn?: (response: OnSignInResponse) => void | Promise<void>;\n /** Callback fired after sign-out */\n onSignOut?: (response: OnSignOutResponse) => void | Promise<void>;\n /** Iframe display mode when displayMode is \"iframe\" - \"modal\" shows centered overlay, \"embedded\" renders in targetContainerElement */\n iframeMode?: IframeMode;\n /** Additional configuration options for the auth client */\n config?: Config;\n /** URL to redirect to after successful authentication */\n redirectUrl?: string;\n /** URL to redirect to after logout */\n logoutRedirectUrl?: string;\n /** Display mode for the authentication UI - \"iframe\" (default), \"redirect\", or \"new_tab\" */\n displayMode?: DisplayMode;\n /** DOM element or CSS selector where embedded iframe should render (only used when iframeMode is \"embedded\") */\n targetContainerElement?: HTMLElement | string;\n /** Logging configuration for debugging */\n logging?: LoggingConfig;\n};\n"]}
package/dist/shared/version.d.ts CHANGED
@@ -1,2 +1,2 @@
1
- export declare const VERSION = "@civic/auth:0.11.9";
1
+ export declare const VERSION = "@civic/auth:0.13.0-beta.0";
2
2
  //# sourceMappingURL=version.d.ts.map
package/dist/shared/version.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/shared/version.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,OAAO,uBAAuB,CAAC"}
1
+ {"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/shared/version.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,OAAO,8BAA8B,CAAC"}
package/dist/shared/version.js CHANGED
@@ -1,3 +1,3 @@
1
1
  // This is an auto-generated file. Do not edit.
2
- export const VERSION = "@civic/auth:0.11.9";
2
+ export const VERSION = "@civic/auth:0.13.0-beta.0";
3
3
  //# sourceMappingURL=version.js.map
package/dist/shared/version.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/shared/version.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAE/C,MAAM,CAAC,MAAM,OAAO,GAAG,oBAAoB,CAAC","sourcesContent":["// This is an auto-generated file. Do not edit.\n\nexport const VERSION = \"@civic/auth:0.11.9\";\n"]}
1
+ {"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/shared/version.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAE/C,MAAM,CAAC,MAAM,OAAO,GAAG,2BAA2B,CAAC","sourcesContent":["// This is an auto-generated file. Do not edit.\n\nexport const VERSION = \"@civic/auth:0.13.0-beta.0\";\n"]}
package/dist/vanillajs/auth/handlers/MessageHandler.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"MessageHandler.d.ts","sourceRoot":"","sources":["../../../../src/vanillajs/auth/handlers/MessageHandler.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,KAAK,EAIV,wBAAwB,EAGzB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAI1D,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,wBAAwB,CAAC;IACjC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;IACxC,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI,CAAC;IAC5C,WAAW,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACpC,cAAc,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7C,0BAA0B,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,OAAO,EAAE,MAAM,IAAI,CAAC;CACrB;AAED;;;GAGG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,MAAM,CAAqC;IACnD,OAAO,CAAC,aAAa,CAAC,CAAoB;IAC1C,OAAO,CAAC,aAAa,CAA+B;IACpD,OAAO,CAAC,WAAW,CAAyB;IAC5C,OAAO,CAAC,cAAc,CAA+B;IACrD,OAAO,CAAC,0BAA0B,CAG9B;IACJ,OAAO,CAAC,OAAO,CAAa;IAG5B,OAAO,CAAC,oBAAoB,CAAC,CAAS;gBAE1B,aAAa,EAAE,oBAAoB;IAU/C;;;;;;;;OAQG;IACI,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,GAAG,IAAI;IAIlE;;;;;;;OAOG;IACI,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI;IAQ5D;;OAEG;IACI,yBAAyB,IAAI,IAAI;IAOxC;;;;;;;OAOG;IACI,aAAa,UAAW,YAAY,KAAG,IAAI,CAYhD;IAEF;;;;;;;;OAQG;IACH,OAAO,CAAC,kBAAkB;IAa1B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IA6D5B;;;;;;;OAOG;IACH,OAAO,CAAC,kBAAkB;IAoC1B;;;;;;;;OAQG;IACH,OAAO,CAAC,sBAAsB;IAS9B;;;;;;;;OAQG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;;;;;;OAOG;IAEH,OAAO,CAAC,sBAAsB;IAc9B;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;IAoBhC;;;;;OAKG;IACH,OAAO,CAAC,8BAA8B;IAkBtC;;;;;;;;OAQG;IACH,OAAO,CAAC,kBAAkB;IA8B1B;;;;;;;OAOG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,iCAAiC;IAqBzC;;;;;;;;OAQG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;;;;;;OAOG;IACH,OAAO,CAAC,0BAA0B;IAYlC;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IAmCjC;;;;;;;OAOG;IACH,OAAO,CAAC,iBAAiB;IASzB;;;;;;;OAOG;IACH,OAAO,CAAC,eAAe;CAcxB"}
1
+ {"version":3,"file":"MessageHandler.d.ts","sourceRoot":"","sources":["../../../../src/vanillajs/auth/handlers/MessageHandler.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,KAAK,EAIV,wBAAwB,EAGzB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAI1D,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,wBAAwB,CAAC;IACjC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;IACxC,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,aAAa,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI,CAAC;IAC5C,WAAW,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACpC,cAAc,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7C,0BAA0B,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,OAAO,EAAE,MAAM,IAAI,CAAC;CACrB;AAED;;;GAGG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,MAAM,CAAqC;IACnD,OAAO,CAAC,aAAa,CAAC,CAAoB;IAC1C,OAAO,CAAC,aAAa,CAA+B;IACpD,OAAO,CAAC,WAAW,CAAyB;IAC5C,OAAO,CAAC,cAAc,CAA+B;IACrD,OAAO,CAAC,0BAA0B,CAG9B;IACJ,OAAO,CAAC,OAAO,CAAa;IAG5B,OAAO,CAAC,oBAAoB,CAAC,CAAS;gBAE1B,aAAa,EAAE,oBAAoB;IAU/C;;;;;;;;OAQG;IACI,mBAAmB,CAAC,aAAa,EAAE,iBAAiB,GAAG,IAAI;IAIlE;;;;;;;OAOG;IACI,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI;IAQ5D;;OAEG;IACI,yBAAyB,IAAI,IAAI;IAOxC;;;;;;;OAOG;IACI,aAAa,UAAW,YAAY,KAAG,IAAI,CAYhD;IAEF;;;;;;;;OAQG;IACH,OAAO,CAAC,kBAAkB;IAa1B;;;;;;;;;OASG;IACH,OAAO,CAAC,oBAAoB;IA6D5B;;;;;;;OAOG;IACH,OAAO,CAAC,kBAAkB;IAoC1B;;;;;;;;OAQG;IACH,OAAO,CAAC,sBAAsB;IAS9B;;;;;;;;OAQG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;;;;;;OAOG;IAEH,OAAO,CAAC,sBAAsB;IAc9B;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;IAoBhC;;;;;OAKG;IACH,OAAO,CAAC,8BAA8B;IAkBtC;;;;;;;;OAQG;IACH,OAAO,CAAC,kBAAkB;IA8B1B;;;;;;;OAOG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;;;;;;OAOG;IACH,OAAO,CAAC,iCAAiC;IAqBzC;;;;;;;;OAQG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;;;;;;OAOG;IACH,OAAO,CAAC,0BAA0B;IAYlC;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IAmCjC;;;;;;;OAOG;IACH,OAAO,CAAC,iBAAiB;IAWzB;;;;;;;OAOG;IACH,OAAO,CAAC,eAAe;CAcxB"}
package/dist/vanillajs/auth/handlers/MessageHandler.js CHANGED
@@ -507,11 +507,13 @@ export class MessageHandler {
507
507
  * @param data - The authentication success message containing result data
508
508
  */
509
509
  handleAuthSuccess(data) {
510
+ const authResult = data?.data || {};
510
511
  this.config.events?.emit(AuthEvent.SIGN_IN_COMPLETE, {
511
512
  detail: "Success signal received via postMessage",
512
513
  data,
514
+ redirectUrl: authResult.redirectUrl,
513
515
  });
514
- this.onAuthSuccess(data?.data || {});
516
+ this.onAuthSuccess(authResult);
515
517
  this.cleanup();
516
518
  }
517
519
  /**
package/dist/vanillajs/auth/handlers/MessageHandler.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"MessageHandler.js","sourceRoot":"","sources":["../../../../src/vanillajs/auth/handlers/MessageHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAUjD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAE3E,OAAO,EAAE,YAAY,IAAI,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AAapE;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAA2B;IACjC,MAAM,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAC;IAC3C,aAAa,CAAqB;IAClC,aAAa,CAA+B;IAC5C,WAAW,CAAyB;IACpC,cAAc,CAA+B;IAC7C,0BAA0B,GAChC,GAAG,EAAE;QACH,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,sCAAsC;IAClE,CAAC,CAAC;IACI,OAAO,CAAa;IAE5B,+CAA+C;IACvC,oBAAoB,CAAU;IAEtC,YAAY,aAAmC;QAC7C,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC;QACnC,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,cAAc,CAAC;QACnD,IAAI,CAAC,0BAA0B,GAAG,aAAa,CAAC,0BAA0B,CAAC;QAC3E,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;IACvC,CAAC;IAED;;;;;;;;OAQG;IACI,mBAAmB,CAAC,aAAgC;QACzD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED;;;;;;;OAOG;IACI,uBAAuB,CAAC,cAAsB;QACnD,IAAI,CAAC,oBAAoB,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uDAAuD,EAAE;YACxE,oBAAoB,EAAE,IAAI,CAAC,oBAAoB;YAC/C,cAAc;SACf,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACI,yBAAyB;QAC9B,IAAI,CAAC,oBAAoB,GAAG,SAAS,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,aAAa,GAAG,CAAC,KAAmB,EAAQ,EAAE;QACnD,wFAAwF;QACxF,MAAM,cAAc,GAClB,IAAI,CAAC,oBAAoB;YACzB,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC;QACjD,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAE/C,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,cAAc,CAAC,EAAE,CAAC;YACtD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC,CAAC;IAEF;;;;;;;;OAQG;IACK,kBAAkB,CACxB,KAAmB,EACnB,cAAsB;QAEtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;YACnD,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM;YAC9B,mBAAmB,EAAE,IAAI,CAAC,aAAa,EAAE,aAAa;YACtD,oBAAoB,EAAE,cAAc;SACrC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,oBAAoB,CAC1B,KAAmB,EACnB,cAAsB;QAEtB,6CAA6C;QAC7C,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,aAAa,EAAE,aAAa,CAAC;QAEzE,gCAAgC;QAChC,MAAM,cAAc,GAAG,CAAC,cAAc,CAAC,CAAC;QAExC,qDAAqD;QACrD,IAAI,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;gBAClE,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnC,cAAc,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,CAAC;QACtE,CAAC;QAED,uFAAuF;QACvF,4EAA4E;QAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5C,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC3C,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACpC,CAAC;QAED,yDAAyD;QACzD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,WAAW,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACzC,qDAAqD;YACrD,cAAc,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,yBAAyB;YACvE,cAAc,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;QACnE,CAAC;QAED,MAAM,aAAa,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE5D,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBAC1D,cAAc,EAAE,KAAK,CAAC,MAAM;gBAC5B,cAAc;gBACd,cAAc;gBACd,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,GAAG;aACnC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBAC1D,gBAAgB,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM;gBAChC,8BAA8B,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,EAAE,aAAa;gBACnE,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,GAAG;aACnC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,aAAa,IAAI,aAAa,CAAC;IACxC,CAAC;IAED;;;;;;;OAOG;IACK,kBAAkB,CAAC,KAAmB;QAC5C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,2DAA2D,EAC3D;YACE,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,GAAG;SACnC,CACF,CAAC;QAEF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAqB,CAAC;QAE5C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE;YAC7C,WAAW,EAAE,OAAO,OAAO;YAC3B,OAAO,EAAE,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,MAAM,IAAI,OAAO;YACpE,SAAS,EAAE,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,QAAQ,IAAI,OAAO;YACxE,WAAW,EACT,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE;YACpE,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,gCAAgC;QAChC,IAAI,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QAED,iCAAiC;QACjC,IAAI,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;;OAQG;IACK,sBAAsB,CAAC,OAAgB;QAC7C,OAAO,CACL,OAAO,KAAK,IAAI;YAChB,OAAO,OAAO,KAAK,QAAQ;YAC3B,QAAQ,IAAI,OAAO;YAClB,OAAmC,CAAC,MAAM,KAAK,eAAe,CAChE,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACK,0BAA0B,CAAC,OAAwB;QACzD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE;YACjD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,uCAAuC;QACvC,IACE,OAAO,CAAC,QAAQ,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ;YACzC,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,EAClC,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBAC1D,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;aAC/B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACrB,KAAK,YAAY,CAAC;YAClB,KAAK,sBAAsB;gBACzB,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;gBACvC,MAAM;YACR,KAAK,qBAAqB;gBACxB,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;gBACjC,MAAM;YACR,KAAK,0BAA0B;gBAC7B,IAAI,CAAC,8BAA8B,CAAC,OAAO,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAChD,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAqC,CAAC,CAAC;gBACxE,MAAM;YACR,KAAK,oBAAoB;gBACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;oBAC3D,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,cAAc;gBACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;oBACrD,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBAEH,gEAAgE;gBAEhE,+DAA+D;gBAC/D,IAAI,CAAC,iBAAiB,CAAC;oBACrB,IAAI,EAAE,cAAc;oBACpB,MAAM,EAAE,2BAA2B;oBACnC,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,MAAM;YACR;gBACE,IAAI,CAAC,iCAAiC,CAAC,OAAO,CAAC,CAAC;gBAChD,MAAM;QACV,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IAEK,sBAAsB,CAAC,OAAwB;QACrD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;YAC3D,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,iBAAiB,GAAG,IAAI,WAAW,CAAC,0BAA0B,EAAE;YACpE,MAAM,EAAE;gBACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB;SACF,CAAC,CAAC;QACH,MAAM,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACK,wBAAwB,CAAC,OAAwB;QACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE;YACtD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,cAAc,CAC9B,oBAAoB,OAAO,CAAC,IAAI,EAAE,EAClC,kBAAkB,CAAC,eAAe,CACnC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE;YAChD,MAAM,EAAE,KAAK,CAAC,OAAO;YACrB,KAAK,EAAE,OAAO,CAAC,IAAI;SACpB,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACK,8BAA8B,CAAC,OAAwB;QAC7D,MAAM,SAAS,GAAI,OAAO,CAAC,IAA4C;YACrE,EAAE,GAAyB,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;YAC3D,SAAS;YACT,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;SACvC,CAAC,CAAC;QACH,IACE,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ;YACpC,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,OAAO;YACzC,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,iBAAiB;YACvD,SAAS,EACT,CAAC;YACD,aAAa,CAAC,8BAA8B,CAAC,SAAS,CAAC,CAAC;YACxD,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IACD;;;;;;;;OAQG;IACK,kBAAkB,CAAC,OAAwB;QACjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,EAAE;YACxD,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAI,OAAO,CAAC,IAA4C;YACrE,EAAE,GAAyB,CAAC;QAC9B,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oDAAoD,EAAE;gBACrE,SAAS;gBACT,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACrC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;gBAC7C,MAAM,EAAE,uDAAuD;gBAC/D,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,WAAW;gBACnB,SAAS;gBACT,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,SAAS;oBACT,UAAU,EACR,2FAA2F;iBAC9F;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACK,mBAAmB,CAAC,IAAmC;QAC7D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,eAAe,GAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAC/D,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;oBAC/C,SAAS,EAAE,IAAI,CAAC,SAAS;iBAC1B,CAAC,CAAC;gBACH,aAAa,CAAC,uBAAuB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;oBACpD,SAAS,EAAE,IAAI,CAAC,SAAS;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,iCAAiC,CAAC,OAAwB;QAChE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACxD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,iEAAiE;QACjE,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACnE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8CAA8C,EAAE;gBAC/D,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,CAAC;gBACrB,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,0BAA0B,OAAO,CAAC,IAAI,EAAE;gBAChD,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACK,sBAAsB,CAAC,OAAgB;QAC7C,OAAO,CACL,CAAC,OAAO,KAAK,IAAI;YACf,OAAO,OAAO,KAAK,QAAQ;YAC3B,MAAM,IAAI,OAAO;YACjB,CAAE,OAAmC,CAAC,IAAI,KAAK,qBAAqB;gBACjE,OAAmC,CAAC,IAAI;oBACvC,oBAAoB,CAAC,CAAC;YAC5B,CAAC,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,CACxE,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACK,0BAA0B,CAAC,OAAgB;QACjD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC;aAAM,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,UAAU,GAAG,OAAkC,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;gBACnD,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,yBAAyB,CAAC,OAAgB;QAChD,MAAM,UAAU,GACd,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YACxD,CAAC,CAAE,OAAmC;YACtC,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,WAAW,GAAG,UAAU,EAAE,IAAI,CAAC;QAErC,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,cAAc;gBACjB,IAAI,CAAC,iBAAiB,CAAC,OAAsB,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,YAAY;gBACf,IAAI,CAAC,eAAe,CAAC,OAAsB,CAAC,CAAC;gBAC7C,MAAM;YACR;gBACE,kFAAkF;gBAClF,IAAI,UAAU,EAAE,OAAO,KAAK,8BAA8B,EAAE,CAAC;oBAC3D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gDAAgD,EAAE;wBAClE,OAAO,EAAE,UAAU,CAAC,OAAO;wBAC3B,eAAe,EAAE,CAAC,CAAC,UAAU,CAAC,YAAY;qBAC3C,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4GAA4G,EAC5G;wBACE,IAAI,EAAE,OAAO;wBACb,WAAW,EAAE,OAAO,OAAO;wBAC3B,OAAO,EAAE,UAAU,EAAE,IAAI,IAAI,MAAM;wBACnC,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;qBACvD,CACF,CAAC;gBACJ,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,iBAAiB,CAAC,IAAiB;QACzC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE;YACnD,MAAM,EAAE,yCAAyC;YACjD,IAAI;SACL,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,CAAE,IAAI,EAAE,IAAmB,IAAI,EAAE,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACK,eAAe,CAAC,IAAiB;QACvC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE;YAChD,MAAM,EAAE,uCAAuC;YAC/C,KAAK,EAAE,IAAI;SACZ,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,cAAc,CAC9B,IAAI,EAAE,MAAM,IAAI,uCAAuC,EACvD,kBAAkB,CAAC,eAAe,CACnC,CAAC;QAEF,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF","sourcesContent":["import { AuthEvent } from \"../../types/index.js\";\nimport type { AuthResult } from \"../../types/index.js\";\nimport type {\n IframeMessage,\n AuthMessage,\n LoginAppMessage,\n ProcessedCivicAuthConfig,\n ColorMode,\n DesignMessageData,\n} from \"../types/AuthTypes.js\";\nimport { CivicAuthError, CivicAuthErrorCode } from \"../types/AuthTypes.js\";\nimport type { createLogger } from \"../../utils/logger.js\";\nimport { createLogger as createLoggerFn } from \"../../utils/logger.js\";\nimport { IframeManager } from \"@/vanillajs/iframe/IframeManager.js\";\n\nexport interface MessageHandlerConfig {\n config: ProcessedCivicAuthConfig;\n logger: ReturnType<typeof createLogger>;\n iframeElement?: HTMLIFrameElement;\n onAuthSuccess: (result: AuthResult) => void;\n onAuthError: (error: Error) => void;\n onPopupFailure: (failedUrl?: string) => void;\n onBrowserCorsFailsSilently: (failedUrl?: string) => Promise<void>;\n cleanup: () => void;\n}\n\n/**\n * MessageHandler - Handles postMessage communication and authentication flow logic\n * Processes messages from iframe, validates origins, and manages auth state transitions\n */\nexport class MessageHandler {\n private config: ProcessedCivicAuthConfig;\n private logger = createLoggerFn(\"message-handler\");\n private iframeElement?: HTMLIFrameElement;\n private onAuthSuccess: (result: AuthResult) => void;\n private onAuthError: (error: Error) => void;\n private onPopupFailure: (failedUrl?: string) => void;\n private onBrowserCorsFailsSilently: (failedUrl?: string) => Promise<void> =\n () => {\n return Promise.resolve(); // No-op by default, can be overridden\n };\n private cleanup: () => void;\n\n // Backend integration - custom expected origin\n private customExpectedOrigin?: string;\n\n constructor(handlerConfig: MessageHandlerConfig) {\n this.config = handlerConfig.config;\n this.iframeElement = handlerConfig.iframeElement;\n this.onAuthSuccess = handlerConfig.onAuthSuccess;\n this.onAuthError = handlerConfig.onAuthError;\n this.onPopupFailure = handlerConfig.onPopupFailure;\n this.onBrowserCorsFailsSilently = handlerConfig.onBrowserCorsFailsSilently;\n this.cleanup = handlerConfig.cleanup;\n }\n\n /**\n * Updates the iframe element reference used for message validation.\n *\n * This method allows updating the iframe element after the MessageHandler\n * has been instantiated, which is useful when the iframe is created\n * dynamically after the handler setup.\n *\n * @param iframeElement - The new iframe element to associate with this handler\n */\n public updateIframeElement(iframeElement: HTMLIFrameElement): void {\n this.iframeElement = iframeElement;\n }\n\n /**\n * Sets a custom expected origin for backend integration.\n *\n * This allows the MessageHandler to accept messages from a custom backend\n * origin instead of the default OAuth server origin.\n *\n * @param customLoginUrl - The custom login URL to derive the origin from\n */\n public setCustomExpectedOrigin(customLoginUrl: string): void {\n this.customExpectedOrigin = new URL(customLoginUrl).origin;\n this.logger.info(\"🔗 Custom expected origin set for backend integration\", {\n customExpectedOrigin: this.customExpectedOrigin,\n customLoginUrl,\n });\n }\n\n /**\n * Clears the custom expected origin and returns to OAuth server origin.\n */\n public clearCustomExpectedOrigin(): void {\n this.customExpectedOrigin = undefined;\n this.logger.info(\n \"🔗 Custom expected origin cleared, returning to OAuth server origin\",\n );\n }\n\n /**\n * Main message handler for processing postMessage events.\n *\n * Validates message origin and source, then routes valid messages to\n * appropriate handlers. This is the entry point for all iframe communication.\n *\n * @param event - The MessageEvent received from the iframe or other sources\n */\n public handleMessage = (event: MessageEvent): void => {\n // Use custom origin if set (for backend integration), otherwise use OAuth server origin\n const expectedOrigin =\n this.customExpectedOrigin ||\n new URL(this.config.oauthServerBaseUrl).origin;\n this.logIncomingMessage(event, expectedOrigin);\n\n if (!this.isValidMessageSource(event, expectedOrigin)) {\n return;\n }\n\n this.handleValidMessage(event);\n };\n\n /**\n * Logs incoming message details for debugging purposes.\n *\n * Provides comprehensive logging of message properties including origin,\n * source validation, and iframe state for troubleshooting communication issues.\n *\n * @param event - The MessageEvent to log\n * @param expectedOrigin - The expected origin for comparison\n */\n private logIncomingMessage(\n event: MessageEvent,\n expectedOrigin: string,\n ): void {\n this.logger.debug(\"Global window received message:\", {\n data: event.data,\n origin: event.origin,\n sourceProvided: !!event.source,\n iframeContentWindow: this.iframeElement?.contentWindow,\n expectedIframeOrigin: expectedOrigin,\n });\n }\n\n /**\n * Validates that a message comes from the expected origin and source.\n *\n * Performs security checks to ensure messages are only processed from\n * the configured OAuth server origin and the designated iframe element.\n *\n * @param event - The MessageEvent to validate\n * @param expectedOrigin - The expected origin URL for the message\n * @returns True if the message source and origin are valid, false otherwise\n */\n private isValidMessageSource(\n event: MessageEvent,\n expectedOrigin: string,\n ): boolean {\n // Check if message is from the iframe source\n const isValidSource = event.source === this.iframeElement?.contentWindow;\n\n // Build list of allowed origins\n const allowedOrigins = [expectedOrigin];\n\n // Add the actual iframe origin (to handle redirects)\n if (this.iframeElement?.src) {\n try {\n const actualIframeOrigin = new URL(this.iframeElement.src).origin;\n allowedOrigins.push(actualIframeOrigin);\n } catch {\n // ignore URL parsing errors\n }\n }\n\n if (this.config.oauthServerBaseUrl) {\n allowedOrigins.push(new URL(this.config.oauthServerBaseUrl).origin);\n }\n\n // Add the client app's own origin (same-origin) for messages sent after token exchange\n // This is needed when the iframe navigates to the client app's callback URL\n const clientOrigin = window.location.origin;\n if (!allowedOrigins.includes(clientOrigin)) {\n allowedOrigins.push(clientOrigin);\n }\n\n // Add common development login app origins for localhost\n const expectedUrl = new URL(expectedOrigin);\n if (expectedUrl.hostname === \"localhost\") {\n // For localhost, also allow common development ports\n allowedOrigins.push(\"http://localhost:3004\"); // default login-app port\n allowedOrigins.push(\"http://localhost:3001\"); // auth server port\n }\n\n const isValidOrigin = allowedOrigins.includes(event.origin);\n\n if (!isValidOrigin) {\n this.logger.warn(\"Ignored message from unexpected origin.\", {\n receivedOrigin: event.origin,\n expectedOrigin,\n allowedOrigins,\n iframeSrc: this.iframeElement?.src,\n });\n }\n\n if (!isValidSource) {\n this.logger.warn(\"Ignored message from unexpected source.\", {\n isSourceProvided: !!event.source,\n isIframeContentWindowAvailable: !!this.iframeElement?.contentWindow,\n iframeSrc: this.iframeElement?.src,\n });\n }\n\n return isValidOrigin && isValidSource;\n }\n\n /**\n * Processes messages that have passed origin and source validation.\n *\n * Routes validated messages to specific handlers based on message type,\n * including civicloginApp messages, iframe resizer messages, and standard auth messages.\n *\n * @param event - The validated MessageEvent to process\n */\n private handleValidMessage(event: MessageEvent): void {\n this.logger.info(\n \"Message from configured iframe source and origin received\",\n {\n data: event.data,\n iframeSrc: this.iframeElement?.src,\n },\n );\n\n const message = event.data as IframeMessage;\n\n this.logger.debug(\"Processing iframe message\", {\n messageType: typeof message,\n hasType: message && typeof message === \"object\" && \"type\" in message,\n hasSource: message && typeof message === \"object\" && \"source\" in message,\n messageKeys:\n message && typeof message === \"object\" ? Object.keys(message) : [],\n rawData: message,\n });\n\n // Handle civicloginApp messages\n if (this.isCivicLoginAppMessage(message)) {\n this.handleCivicLoginAppMessage(message);\n return;\n }\n\n // Handle iframe resizer messages\n if (this.isIframeResizerMessage(message)) {\n this.handleIframeResizerMessage(message);\n return;\n }\n\n // Handle standard auth messages\n this.handleStandardAuthMessage(message);\n }\n\n /**\n * Type guard to identify civicloginApp messages.\n *\n * Checks if a message object has the structure and source property\n * that identifies it as coming from the civicloginApp.\n *\n * @param message - The message object to check\n * @returns True if the message is a LoginAppMessage, false otherwise\n */\n private isCivicLoginAppMessage(message: unknown): message is LoginAppMessage {\n return (\n message !== null &&\n typeof message === \"object\" &&\n \"source\" in message &&\n (message as Record<string, unknown>).source === \"civicloginApp\"\n );\n }\n\n /**\n * Handles messages originating from the civicloginApp.\n *\n * Processes various civicloginApp message types including authentication errors,\n * popup failures, design updates, and other app-specific communications.\n * Validates client ID matches before processing.\n *\n * @param message - The validated civicloginApp message to process\n */\n private handleCivicLoginAppMessage(message: LoginAppMessage): void {\n this.logger.info(\"Received civicloginApp message\", {\n type: message.type,\n clientId: message.clientId,\n data: message.data,\n });\n\n // Validate clientId matches our config\n if (\n message.clientId !== this.config.clientId &&\n this.config.loginUrl === undefined\n ) {\n this.logger.warn(\"civicloginApp message clientId mismatch\", {\n received: message.clientId,\n expected: this.config.clientId,\n });\n return;\n }\n\n switch (message.type) {\n case \"auth_error\":\n case \"auth_error_try_again\":\n this.handleCivicLoginAppError(message);\n break;\n case \"generatePopupFailed\":\n this.handlePopupFailure(message);\n break;\n case \"browserCorsFailsSilently\":\n this.handleBrowserCorsFailsSilently(message);\n break;\n case \"design\":\n this.logger.debug(\"civicloginApp design message\", {\n data: message.data,\n });\n this.handleDesignMessage(message.data as DesignMessageData | undefined);\n break;\n case \"auth_success_early\":\n this.logger.info(\"civicloginApp auth success early message\", {\n data: message.data,\n });\n this.handleAuthSuccessEarly(message);\n break;\n case \"auth_success\":\n this.logger.info(\"civicloginApp auth success message\", {\n data: message.data,\n });\n\n // Dispatch early auth success event for immediate modal closing\n\n // Still handle auth success normally (for callback processing)\n this.handleAuthSuccess({\n type: \"auth_success\",\n detail: \"Authentication successful\",\n data: message.data,\n });\n break;\n default:\n this.handleUnknownCivicLoginAppMessage(message);\n break;\n }\n }\n\n /**\n * Handles auth success early messages from civicloginApp.\n *\n * Processes auth_success_early messages, emits success events,\n * and triggers the success callback with authentication results.\n *\n * @param message - The civicloginApp auth success early message to process\n */\n\n private handleAuthSuccessEarly(message: LoginAppMessage): void {\n this.logger.info(\"civicloginApp auth success early message\", {\n data: message.data,\n });\n\n const earlySuccessEvent = new CustomEvent(\"civic-auth-success-early\", {\n detail: {\n clientId: message.clientId,\n data: message.data,\n },\n });\n window.dispatchEvent(earlySuccessEvent);\n }\n\n /**\n * Handles authentication error messages from civicloginApp.\n *\n * Processes auth_error and auth_error_try_again messages, creates\n * appropriate error objects, emits error events, and triggers cleanup.\n *\n * @param message - The civicloginApp error message to process\n */\n private handleCivicLoginAppError(message: LoginAppMessage): void {\n this.logger.error(\"civicloginApp authentication error\", {\n type: message.type,\n data: message.data,\n });\n\n const error = new CivicAuthError(\n `Login app error: ${message.type}`,\n CivicAuthErrorCode.INVALID_MESSAGE,\n );\n\n this.config.events?.emit(AuthEvent.SIGN_IN_ERROR, {\n detail: error.message,\n error: message.data,\n });\n\n this.onAuthError(error);\n this.cleanup();\n }\n\n /**\n * Handle the case where we know in advance that the browser will not prompt the user to open\n * a popup and will fail silently instead. We want to handle this case gracefully by switching to redirect\n * mode if the iframe is in modal display mode. This will be done when the auth flow actually starts\n * @param message\n */\n private handleBrowserCorsFailsSilently(message: LoginAppMessage): void {\n const failedUrl = (message.data as Record<string, unknown> | undefined)\n ?.url as string | undefined;\n this.logger.warn(\"civicloginApp browser CORS fail silently\", {\n failedUrl,\n config: this.config,\n autoRedirect: this.config.autoRedirect,\n });\n if (\n this.config.displayMode === \"iframe\" &&\n this.config.iframeDisplayMode === \"modal\" &&\n this.config.autoRedirect !== false && // Add this check\n failedUrl\n ) {\n IframeManager.handleBrowserCorsFailsSilently(failedUrl);\n this.onBrowserCorsFailsSilently(failedUrl);\n }\n }\n /**\n * Handles popup generation failure messages from civicloginApp.\n *\n * Processes generatePopupFailed messages, extracts the failed URL,\n * emits appropriate events, and triggers the popup failure callback\n * to enable fallback authentication methods.\n *\n * @param message - The civicloginApp popup failure message to process\n */\n private handlePopupFailure(message: LoginAppMessage): void {\n this.logger.warn(\"civicloginApp popup generation failed\", {\n data: message.data,\n });\n\n const failedUrl = (message.data as Record<string, unknown> | undefined)\n ?.url as string | undefined;\n if (failedUrl) {\n this.logger.info(\"Popup failed for URL, considering fallback options\", {\n failedUrl,\n displayMode: this.config.displayMode,\n });\n\n this.config.events?.emit(AuthEvent.URL_CHANGE, {\n detail: \"Popup blocked by browser - switching to redirect mode\",\n url: failedUrl,\n source: \"login_app\",\n failedUrl,\n error: {\n type: \"popup_blocked\",\n failedUrl,\n suggestion:\n \"The browser blocked a popup window. Redirecting to complete authentication in a new page.\",\n },\n });\n }\n\n this.onPopupFailure(failedUrl);\n }\n\n /**\n * Handles design messages from civicloginApp.\n *\n * Processes design messages containing customer preferences like colorMode\n * and forwards them to the appropriate handlers.\n *\n * @param data - The design message data payload\n */\n private handleDesignMessage(data: DesignMessageData | undefined): void {\n if (!data) {\n this.logger.debug(\"Design message received with no data\");\n return;\n }\n\n // Handle colorMode preference\n if (data.colorMode) {\n const validColorModes: ColorMode[] = [\"light\", \"dark\", \"auto\"];\n if (validColorModes.includes(data.colorMode)) {\n this.logger.debug(\"Setting customer color mode\", {\n colorMode: data.colorMode,\n });\n IframeManager.handleLoginAppColorMode(data.colorMode);\n } else {\n this.logger.debug(\"Invalid colorMode value received\", {\n colorMode: data.colorMode,\n });\n }\n }\n }\n\n /**\n * Handles unknown or unrecognized civicloginApp message types.\n *\n * Provides fallback handling for unexpected message types, with special\n * logic to detect potential success messages that don't match standard types.\n *\n * @param message - The unrecognized civicloginApp message to process\n */\n private handleUnknownCivicLoginAppMessage(message: LoginAppMessage): void {\n this.logger.debug(\"Unhandled civicloginApp message type\", {\n type: message.type,\n data: message.data,\n });\n\n // Check if this might be a success message with a different type\n if (message.type && message.type.toLowerCase().includes(\"success\")) {\n this.logger.info(\"Potential success message from civicloginApp\", {\n type: message.type,\n data: message.data,\n });\n\n this.handleAuthSuccess({\n type: \"auth_success\",\n detail: `civicloginApp success: ${message.type}`,\n data: message.data,\n });\n }\n }\n\n /**\n * Type guard to identify iframe resizer messages.\n *\n * Checks if a message is related to iframe resizing functionality,\n * including both civic-specific resize messages and iFrameResizerChild messages.\n *\n * @param message - The message object to check\n * @returns True if the message is an iframe resizer message, false otherwise\n */\n private isIframeResizerMessage(message: unknown): boolean {\n return (\n (message !== null &&\n typeof message === \"object\" &&\n \"type\" in message &&\n ((message as Record<string, unknown>).type === \"civic-iframe-resize\" ||\n (message as Record<string, unknown>).type ===\n \"civic-iframe-ready\")) ||\n (typeof message === \"string\" && message.includes(\"iFrameResizerChild\"))\n );\n }\n\n /**\n * Handles iframe resizer messages for dynamic iframe sizing.\n *\n * Processes messages related to iframe resizing, including height adjustments\n * and ready state notifications from the iframe resizer library.\n *\n * @param message - The iframe resizer message to process\n */\n private handleIframeResizerMessage(message: unknown): void {\n if (typeof message === \"string\") {\n this.logger.debug(\"Received iframe resizer child message\", { message });\n } else if (message && typeof message === \"object\" && message !== null) {\n const messageObj = message as Record<string, unknown>;\n this.logger.debug(\"Received iframe resizer message\", {\n type: messageObj.type,\n height: messageObj.height,\n });\n }\n }\n\n /**\n * Handles standard authentication messages.\n *\n * Processes auth_success and auth_error messages that follow the standard\n * authentication message format, routing them to appropriate success or error handlers.\n *\n * @param message - The standard auth message to process\n */\n private handleStandardAuthMessage(message: unknown): void {\n const messageObj =\n message && typeof message === \"object\" && message !== null\n ? (message as Record<string, unknown>)\n : null;\n const messageType = messageObj?.type;\n\n switch (messageType) {\n case \"auth_success\":\n this.handleAuthSuccess(message as AuthMessage);\n break;\n case \"auth_error\":\n this.handleAuthError(message as AuthMessage);\n break;\n default:\n // Check if this is a calculateSubFramePositioning message (expected and harmless)\n if (messageObj?.command === \"calculateSubFramePositioning\") {\n this.logger.debug(\"Received iframe positioning message (expected)\", {\n command: messageObj.command,\n hasSubFrameData: !!messageObj.subFrameData,\n });\n } else {\n this.logger.debug(\n \"Message from iframe did not match expected types (auth_success, auth_error, civicloginApp, iframe-resizer)\",\n {\n data: message,\n messageType: typeof message,\n hasType: messageObj?.type ?? \"none\",\n messageKeys: messageObj ? Object.keys(messageObj) : [],\n },\n );\n }\n }\n }\n\n /**\n * Handles successful authentication completion.\n *\n * Processes authentication success messages, emits success events,\n * triggers the success callback with authentication results, and performs cleanup.\n *\n * @param data - The authentication success message containing result data\n */\n private handleAuthSuccess(data: AuthMessage): void {\n this.config.events?.emit(AuthEvent.SIGN_IN_COMPLETE, {\n detail: \"Success signal received via postMessage\",\n data,\n });\n this.onAuthSuccess((data?.data as AuthResult) || {});\n this.cleanup();\n }\n\n /**\n * Handles authentication errors.\n *\n * Processes authentication error messages, creates appropriate error objects,\n * emits error events, triggers the error callback, and performs cleanup.\n *\n * @param data - The authentication error message containing error details\n */\n private handleAuthError(data: AuthMessage): void {\n this.config.events?.emit(AuthEvent.SIGN_IN_ERROR, {\n detail: \"Error signal received via postMessage\",\n error: data,\n });\n\n const error = new CivicAuthError(\n data?.detail || \"Error signal received via postMessage\",\n CivicAuthErrorCode.INVALID_MESSAGE,\n );\n\n this.onAuthError(error);\n this.cleanup();\n }\n}\n"]}
1
+ {"version":3,"file":"MessageHandler.js","sourceRoot":"","sources":["../../../../src/vanillajs/auth/handlers/MessageHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAUjD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAE3E,OAAO,EAAE,YAAY,IAAI,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AAapE;;;GAGG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAA2B;IACjC,MAAM,GAAG,cAAc,CAAC,iBAAiB,CAAC,CAAC;IAC3C,aAAa,CAAqB;IAClC,aAAa,CAA+B;IAC5C,WAAW,CAAyB;IACpC,cAAc,CAA+B;IAC7C,0BAA0B,GAChC,GAAG,EAAE;QACH,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,sCAAsC;IAClE,CAAC,CAAC;IACI,OAAO,CAAa;IAE5B,+CAA+C;IACvC,oBAAoB,CAAU;IAEtC,YAAY,aAAmC;QAC7C,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC;QACnC,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,cAAc,GAAG,aAAa,CAAC,cAAc,CAAC;QACnD,IAAI,CAAC,0BAA0B,GAAG,aAAa,CAAC,0BAA0B,CAAC;QAC3E,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;IACvC,CAAC;IAED;;;;;;;;OAQG;IACI,mBAAmB,CAAC,aAAgC;QACzD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED;;;;;;;OAOG;IACI,uBAAuB,CAAC,cAAsB;QACnD,IAAI,CAAC,oBAAoB,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uDAAuD,EAAE;YACxE,oBAAoB,EAAE,IAAI,CAAC,oBAAoB;YAC/C,cAAc;SACf,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACI,yBAAyB;QAC9B,IAAI,CAAC,oBAAoB,GAAG,SAAS,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,aAAa,GAAG,CAAC,KAAmB,EAAQ,EAAE;QACnD,wFAAwF;QACxF,MAAM,cAAc,GAClB,IAAI,CAAC,oBAAoB;YACzB,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC;QACjD,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAE/C,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,cAAc,CAAC,EAAE,CAAC;YACtD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC,CAAC;IAEF;;;;;;;;OAQG;IACK,kBAAkB,CACxB,KAAmB,EACnB,cAAsB;QAEtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;YACnD,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM;YAC9B,mBAAmB,EAAE,IAAI,CAAC,aAAa,EAAE,aAAa;YACtD,oBAAoB,EAAE,cAAc;SACrC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,oBAAoB,CAC1B,KAAmB,EACnB,cAAsB;QAEtB,6CAA6C;QAC7C,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,aAAa,EAAE,aAAa,CAAC;QAEzE,gCAAgC;QAChC,MAAM,cAAc,GAAG,CAAC,cAAc,CAAC,CAAC;QAExC,qDAAqD;QACrD,IAAI,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;gBAClE,cAAc,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnC,cAAc,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,CAAC;QACtE,CAAC;QAED,uFAAuF;QACvF,4EAA4E;QAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5C,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC3C,cAAc,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACpC,CAAC;QAED,yDAAyD;QACzD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5C,IAAI,WAAW,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACzC,qDAAqD;YACrD,cAAc,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,yBAAyB;YACvE,cAAc,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;QACnE,CAAC;QAED,MAAM,aAAa,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE5D,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBAC1D,cAAc,EAAE,KAAK,CAAC,MAAM;gBAC5B,cAAc;gBACd,cAAc;gBACd,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,GAAG;aACnC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBAC1D,gBAAgB,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM;gBAChC,8BAA8B,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,EAAE,aAAa;gBACnE,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,GAAG;aACnC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,aAAa,IAAI,aAAa,CAAC;IACxC,CAAC;IAED;;;;;;;OAOG;IACK,kBAAkB,CAAC,KAAmB;QAC5C,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,2DAA2D,EAC3D;YACE,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,GAAG;SACnC,CACF,CAAC;QAEF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAqB,CAAC;QAE5C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE;YAC7C,WAAW,EAAE,OAAO,OAAO;YAC3B,OAAO,EAAE,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,MAAM,IAAI,OAAO;YACpE,SAAS,EAAE,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,QAAQ,IAAI,OAAO;YACxE,WAAW,EACT,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE;YACpE,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;QAEH,gCAAgC;QAChC,IAAI,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QAED,iCAAiC;QACjC,IAAI,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;;OAQG;IACK,sBAAsB,CAAC,OAAgB;QAC7C,OAAO,CACL,OAAO,KAAK,IAAI;YAChB,OAAO,OAAO,KAAK,QAAQ;YAC3B,QAAQ,IAAI,OAAO;YAClB,OAAmC,CAAC,MAAM,KAAK,eAAe,CAChE,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACK,0BAA0B,CAAC,OAAwB;QACzD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE;YACjD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,uCAAuC;QACvC,IACE,OAAO,CAAC,QAAQ,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ;YACzC,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,SAAS,EAClC,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBAC1D,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;aAC/B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;YACrB,KAAK,YAAY,CAAC;YAClB,KAAK,sBAAsB;gBACzB,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;gBACvC,MAAM;YACR,KAAK,qBAAqB;gBACxB,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;gBACjC,MAAM;YACR,KAAK,0BAA0B;gBAC7B,IAAI,CAAC,8BAA8B,CAAC,OAAO,CAAC,CAAC;gBAC7C,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE;oBAChD,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAqC,CAAC,CAAC;gBACxE,MAAM;YACR,KAAK,oBAAoB;gBACvB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;oBAC3D,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;gBACrC,MAAM;YACR,KAAK,cAAc;gBACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;oBACrD,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBAEH,gEAAgE;gBAEhE,+DAA+D;gBAC/D,IAAI,CAAC,iBAAiB,CAAC;oBACrB,IAAI,EAAE,cAAc;oBACpB,MAAM,EAAE,2BAA2B;oBACnC,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,MAAM;YACR;gBACE,IAAI,CAAC,iCAAiC,CAAC,OAAO,CAAC,CAAC;gBAChD,MAAM;QACV,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IAEK,sBAAsB,CAAC,OAAwB;QACrD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;YAC3D,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,iBAAiB,GAAG,IAAI,WAAW,CAAC,0BAA0B,EAAE;YACpE,MAAM,EAAE;gBACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB;SACF,CAAC,CAAC;QACH,MAAM,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACK,wBAAwB,CAAC,OAAwB;QACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE;YACtD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,cAAc,CAC9B,oBAAoB,OAAO,CAAC,IAAI,EAAE,EAClC,kBAAkB,CAAC,eAAe,CACnC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE;YAChD,MAAM,EAAE,KAAK,CAAC,OAAO;YACrB,KAAK,EAAE,OAAO,CAAC,IAAI;SACpB,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACK,8BAA8B,CAAC,OAAwB;QAC7D,MAAM,SAAS,GAAI,OAAO,CAAC,IAA4C;YACrE,EAAE,GAAyB,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,EAAE;YAC3D,SAAS;YACT,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;SACvC,CAAC,CAAC;QACH,IACE,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,QAAQ;YACpC,IAAI,CAAC,MAAM,CAAC,iBAAiB,KAAK,OAAO;YACzC,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,KAAK,IAAI,iBAAiB;YACvD,SAAS,EACT,CAAC;YACD,aAAa,CAAC,8BAA8B,CAAC,SAAS,CAAC,CAAC;YACxD,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IACD;;;;;;;;OAQG;IACK,kBAAkB,CAAC,OAAwB;QACjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,EAAE;YACxD,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAI,OAAO,CAAC,IAA4C;YACrE,EAAE,GAAyB,CAAC;QAC9B,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oDAAoD,EAAE;gBACrE,SAAS;gBACT,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;aACrC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;gBAC7C,MAAM,EAAE,uDAAuD;gBAC/D,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,WAAW;gBACnB,SAAS;gBACT,KAAK,EAAE;oBACL,IAAI,EAAE,eAAe;oBACrB,SAAS;oBACT,UAAU,EACR,2FAA2F;iBAC9F;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACK,mBAAmB,CAAC,IAAmC;QAC7D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,eAAe,GAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAC/D,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;oBAC/C,SAAS,EAAE,IAAI,CAAC,SAAS;iBAC1B,CAAC,CAAC;gBACH,aAAa,CAAC,uBAAuB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxD,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;oBACpD,SAAS,EAAE,IAAI,CAAC,SAAS;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,iCAAiC,CAAC,OAAwB;QAChE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACxD,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,iEAAiE;QACjE,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACnE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8CAA8C,EAAE;gBAC/D,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,CAAC;gBACrB,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,0BAA0B,OAAO,CAAC,IAAI,EAAE;gBAChD,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACK,sBAAsB,CAAC,OAAgB;QAC7C,OAAO,CACL,CAAC,OAAO,KAAK,IAAI;YACf,OAAO,OAAO,KAAK,QAAQ;YAC3B,MAAM,IAAI,OAAO;YACjB,CAAE,OAAmC,CAAC,IAAI,KAAK,qBAAqB;gBACjE,OAAmC,CAAC,IAAI;oBACvC,oBAAoB,CAAC,CAAC;YAC5B,CAAC,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,CACxE,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACK,0BAA0B,CAAC,OAAgB;QACjD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC;aAAM,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,UAAU,GAAG,OAAkC,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;gBACnD,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,yBAAyB,CAAC,OAAgB;QAChD,MAAM,UAAU,GACd,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YACxD,CAAC,CAAE,OAAmC;YACtC,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,WAAW,GAAG,UAAU,EAAE,IAAI,CAAC;QAErC,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,cAAc;gBACjB,IAAI,CAAC,iBAAiB,CAAC,OAAsB,CAAC,CAAC;gBAC/C,MAAM;YACR,KAAK,YAAY;gBACf,IAAI,CAAC,eAAe,CAAC,OAAsB,CAAC,CAAC;gBAC7C,MAAM;YACR;gBACE,kFAAkF;gBAClF,IAAI,UAAU,EAAE,OAAO,KAAK,8BAA8B,EAAE,CAAC;oBAC3D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gDAAgD,EAAE;wBAClE,OAAO,EAAE,UAAU,CAAC,OAAO;wBAC3B,eAAe,EAAE,CAAC,CAAC,UAAU,CAAC,YAAY;qBAC3C,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,4GAA4G,EAC5G;wBACE,IAAI,EAAE,OAAO;wBACb,WAAW,EAAE,OAAO,OAAO;wBAC3B,OAAO,EAAE,UAAU,EAAE,IAAI,IAAI,MAAM;wBACnC,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;qBACvD,CACF,CAAC;gBACJ,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,iBAAiB,CAAC,IAAiB;QACzC,MAAM,UAAU,GAAI,IAAI,EAAE,IAAmB,IAAI,EAAE,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE;YACnD,MAAM,EAAE,yCAAyC;YACjD,IAAI;YACJ,WAAW,EAAE,UAAU,CAAC,WAAW;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;QAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACK,eAAe,CAAC,IAAiB;QACvC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE;YAChD,MAAM,EAAE,uCAAuC;YAC/C,KAAK,EAAE,IAAI;SACZ,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,cAAc,CAC9B,IAAI,EAAE,MAAM,IAAI,uCAAuC,EACvD,kBAAkB,CAAC,eAAe,CACnC,CAAC;QAEF,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF","sourcesContent":["import { AuthEvent } from \"../../types/index.js\";\nimport type { AuthResult } from \"../../types/index.js\";\nimport type {\n IframeMessage,\n AuthMessage,\n LoginAppMessage,\n ProcessedCivicAuthConfig,\n ColorMode,\n DesignMessageData,\n} from \"../types/AuthTypes.js\";\nimport { CivicAuthError, CivicAuthErrorCode } from \"../types/AuthTypes.js\";\nimport type { createLogger } from \"../../utils/logger.js\";\nimport { createLogger as createLoggerFn } from \"../../utils/logger.js\";\nimport { IframeManager } from \"@/vanillajs/iframe/IframeManager.js\";\n\nexport interface MessageHandlerConfig {\n config: ProcessedCivicAuthConfig;\n logger: ReturnType<typeof createLogger>;\n iframeElement?: HTMLIFrameElement;\n onAuthSuccess: (result: AuthResult) => void;\n onAuthError: (error: Error) => void;\n onPopupFailure: (failedUrl?: string) => void;\n onBrowserCorsFailsSilently: (failedUrl?: string) => Promise<void>;\n cleanup: () => void;\n}\n\n/**\n * MessageHandler - Handles postMessage communication and authentication flow logic\n * Processes messages from iframe, validates origins, and manages auth state transitions\n */\nexport class MessageHandler {\n private config: ProcessedCivicAuthConfig;\n private logger = createLoggerFn(\"message-handler\");\n private iframeElement?: HTMLIFrameElement;\n private onAuthSuccess: (result: AuthResult) => void;\n private onAuthError: (error: Error) => void;\n private onPopupFailure: (failedUrl?: string) => void;\n private onBrowserCorsFailsSilently: (failedUrl?: string) => Promise<void> =\n () => {\n return Promise.resolve(); // No-op by default, can be overridden\n };\n private cleanup: () => void;\n\n // Backend integration - custom expected origin\n private customExpectedOrigin?: string;\n\n constructor(handlerConfig: MessageHandlerConfig) {\n this.config = handlerConfig.config;\n this.iframeElement = handlerConfig.iframeElement;\n this.onAuthSuccess = handlerConfig.onAuthSuccess;\n this.onAuthError = handlerConfig.onAuthError;\n this.onPopupFailure = handlerConfig.onPopupFailure;\n this.onBrowserCorsFailsSilently = handlerConfig.onBrowserCorsFailsSilently;\n this.cleanup = handlerConfig.cleanup;\n }\n\n /**\n * Updates the iframe element reference used for message validation.\n *\n * This method allows updating the iframe element after the MessageHandler\n * has been instantiated, which is useful when the iframe is created\n * dynamically after the handler setup.\n *\n * @param iframeElement - The new iframe element to associate with this handler\n */\n public updateIframeElement(iframeElement: HTMLIFrameElement): void {\n this.iframeElement = iframeElement;\n }\n\n /**\n * Sets a custom expected origin for backend integration.\n *\n * This allows the MessageHandler to accept messages from a custom backend\n * origin instead of the default OAuth server origin.\n *\n * @param customLoginUrl - The custom login URL to derive the origin from\n */\n public setCustomExpectedOrigin(customLoginUrl: string): void {\n this.customExpectedOrigin = new URL(customLoginUrl).origin;\n this.logger.info(\"🔗 Custom expected origin set for backend integration\", {\n customExpectedOrigin: this.customExpectedOrigin,\n customLoginUrl,\n });\n }\n\n /**\n * Clears the custom expected origin and returns to OAuth server origin.\n */\n public clearCustomExpectedOrigin(): void {\n this.customExpectedOrigin = undefined;\n this.logger.info(\n \"🔗 Custom expected origin cleared, returning to OAuth server origin\",\n );\n }\n\n /**\n * Main message handler for processing postMessage events.\n *\n * Validates message origin and source, then routes valid messages to\n * appropriate handlers. This is the entry point for all iframe communication.\n *\n * @param event - The MessageEvent received from the iframe or other sources\n */\n public handleMessage = (event: MessageEvent): void => {\n // Use custom origin if set (for backend integration), otherwise use OAuth server origin\n const expectedOrigin =\n this.customExpectedOrigin ||\n new URL(this.config.oauthServerBaseUrl).origin;\n this.logIncomingMessage(event, expectedOrigin);\n\n if (!this.isValidMessageSource(event, expectedOrigin)) {\n return;\n }\n\n this.handleValidMessage(event);\n };\n\n /**\n * Logs incoming message details for debugging purposes.\n *\n * Provides comprehensive logging of message properties including origin,\n * source validation, and iframe state for troubleshooting communication issues.\n *\n * @param event - The MessageEvent to log\n * @param expectedOrigin - The expected origin for comparison\n */\n private logIncomingMessage(\n event: MessageEvent,\n expectedOrigin: string,\n ): void {\n this.logger.debug(\"Global window received message:\", {\n data: event.data,\n origin: event.origin,\n sourceProvided: !!event.source,\n iframeContentWindow: this.iframeElement?.contentWindow,\n expectedIframeOrigin: expectedOrigin,\n });\n }\n\n /**\n * Validates that a message comes from the expected origin and source.\n *\n * Performs security checks to ensure messages are only processed from\n * the configured OAuth server origin and the designated iframe element.\n *\n * @param event - The MessageEvent to validate\n * @param expectedOrigin - The expected origin URL for the message\n * @returns True if the message source and origin are valid, false otherwise\n */\n private isValidMessageSource(\n event: MessageEvent,\n expectedOrigin: string,\n ): boolean {\n // Check if message is from the iframe source\n const isValidSource = event.source === this.iframeElement?.contentWindow;\n\n // Build list of allowed origins\n const allowedOrigins = [expectedOrigin];\n\n // Add the actual iframe origin (to handle redirects)\n if (this.iframeElement?.src) {\n try {\n const actualIframeOrigin = new URL(this.iframeElement.src).origin;\n allowedOrigins.push(actualIframeOrigin);\n } catch {\n // ignore URL parsing errors\n }\n }\n\n if (this.config.oauthServerBaseUrl) {\n allowedOrigins.push(new URL(this.config.oauthServerBaseUrl).origin);\n }\n\n // Add the client app's own origin (same-origin) for messages sent after token exchange\n // This is needed when the iframe navigates to the client app's callback URL\n const clientOrigin = window.location.origin;\n if (!allowedOrigins.includes(clientOrigin)) {\n allowedOrigins.push(clientOrigin);\n }\n\n // Add common development login app origins for localhost\n const expectedUrl = new URL(expectedOrigin);\n if (expectedUrl.hostname === \"localhost\") {\n // For localhost, also allow common development ports\n allowedOrigins.push(\"http://localhost:3004\"); // default login-app port\n allowedOrigins.push(\"http://localhost:3001\"); // auth server port\n }\n\n const isValidOrigin = allowedOrigins.includes(event.origin);\n\n if (!isValidOrigin) {\n this.logger.warn(\"Ignored message from unexpected origin.\", {\n receivedOrigin: event.origin,\n expectedOrigin,\n allowedOrigins,\n iframeSrc: this.iframeElement?.src,\n });\n }\n\n if (!isValidSource) {\n this.logger.warn(\"Ignored message from unexpected source.\", {\n isSourceProvided: !!event.source,\n isIframeContentWindowAvailable: !!this.iframeElement?.contentWindow,\n iframeSrc: this.iframeElement?.src,\n });\n }\n\n return isValidOrigin && isValidSource;\n }\n\n /**\n * Processes messages that have passed origin and source validation.\n *\n * Routes validated messages to specific handlers based on message type,\n * including civicloginApp messages, iframe resizer messages, and standard auth messages.\n *\n * @param event - The validated MessageEvent to process\n */\n private handleValidMessage(event: MessageEvent): void {\n this.logger.info(\n \"Message from configured iframe source and origin received\",\n {\n data: event.data,\n iframeSrc: this.iframeElement?.src,\n },\n );\n\n const message = event.data as IframeMessage;\n\n this.logger.debug(\"Processing iframe message\", {\n messageType: typeof message,\n hasType: message && typeof message === \"object\" && \"type\" in message,\n hasSource: message && typeof message === \"object\" && \"source\" in message,\n messageKeys:\n message && typeof message === \"object\" ? Object.keys(message) : [],\n rawData: message,\n });\n\n // Handle civicloginApp messages\n if (this.isCivicLoginAppMessage(message)) {\n this.handleCivicLoginAppMessage(message);\n return;\n }\n\n // Handle iframe resizer messages\n if (this.isIframeResizerMessage(message)) {\n this.handleIframeResizerMessage(message);\n return;\n }\n\n // Handle standard auth messages\n this.handleStandardAuthMessage(message);\n }\n\n /**\n * Type guard to identify civicloginApp messages.\n *\n * Checks if a message object has the structure and source property\n * that identifies it as coming from the civicloginApp.\n *\n * @param message - The message object to check\n * @returns True if the message is a LoginAppMessage, false otherwise\n */\n private isCivicLoginAppMessage(message: unknown): message is LoginAppMessage {\n return (\n message !== null &&\n typeof message === \"object\" &&\n \"source\" in message &&\n (message as Record<string, unknown>).source === \"civicloginApp\"\n );\n }\n\n /**\n * Handles messages originating from the civicloginApp.\n *\n * Processes various civicloginApp message types including authentication errors,\n * popup failures, design updates, and other app-specific communications.\n * Validates client ID matches before processing.\n *\n * @param message - The validated civicloginApp message to process\n */\n private handleCivicLoginAppMessage(message: LoginAppMessage): void {\n this.logger.info(\"Received civicloginApp message\", {\n type: message.type,\n clientId: message.clientId,\n data: message.data,\n });\n\n // Validate clientId matches our config\n if (\n message.clientId !== this.config.clientId &&\n this.config.loginUrl === undefined\n ) {\n this.logger.warn(\"civicloginApp message clientId mismatch\", {\n received: message.clientId,\n expected: this.config.clientId,\n });\n return;\n }\n\n switch (message.type) {\n case \"auth_error\":\n case \"auth_error_try_again\":\n this.handleCivicLoginAppError(message);\n break;\n case \"generatePopupFailed\":\n this.handlePopupFailure(message);\n break;\n case \"browserCorsFailsSilently\":\n this.handleBrowserCorsFailsSilently(message);\n break;\n case \"design\":\n this.logger.debug(\"civicloginApp design message\", {\n data: message.data,\n });\n this.handleDesignMessage(message.data as DesignMessageData | undefined);\n break;\n case \"auth_success_early\":\n this.logger.info(\"civicloginApp auth success early message\", {\n data: message.data,\n });\n this.handleAuthSuccessEarly(message);\n break;\n case \"auth_success\":\n this.logger.info(\"civicloginApp auth success message\", {\n data: message.data,\n });\n\n // Dispatch early auth success event for immediate modal closing\n\n // Still handle auth success normally (for callback processing)\n this.handleAuthSuccess({\n type: \"auth_success\",\n detail: \"Authentication successful\",\n data: message.data,\n });\n break;\n default:\n this.handleUnknownCivicLoginAppMessage(message);\n break;\n }\n }\n\n /**\n * Handles auth success early messages from civicloginApp.\n *\n * Processes auth_success_early messages, emits success events,\n * and triggers the success callback with authentication results.\n *\n * @param message - The civicloginApp auth success early message to process\n */\n\n private handleAuthSuccessEarly(message: LoginAppMessage): void {\n this.logger.info(\"civicloginApp auth success early message\", {\n data: message.data,\n });\n\n const earlySuccessEvent = new CustomEvent(\"civic-auth-success-early\", {\n detail: {\n clientId: message.clientId,\n data: message.data,\n },\n });\n window.dispatchEvent(earlySuccessEvent);\n }\n\n /**\n * Handles authentication error messages from civicloginApp.\n *\n * Processes auth_error and auth_error_try_again messages, creates\n * appropriate error objects, emits error events, and triggers cleanup.\n *\n * @param message - The civicloginApp error message to process\n */\n private handleCivicLoginAppError(message: LoginAppMessage): void {\n this.logger.error(\"civicloginApp authentication error\", {\n type: message.type,\n data: message.data,\n });\n\n const error = new CivicAuthError(\n `Login app error: ${message.type}`,\n CivicAuthErrorCode.INVALID_MESSAGE,\n );\n\n this.config.events?.emit(AuthEvent.SIGN_IN_ERROR, {\n detail: error.message,\n error: message.data,\n });\n\n this.onAuthError(error);\n this.cleanup();\n }\n\n /**\n * Handle the case where we know in advance that the browser will not prompt the user to open\n * a popup and will fail silently instead. We want to handle this case gracefully by switching to redirect\n * mode if the iframe is in modal display mode. This will be done when the auth flow actually starts\n * @param message\n */\n private handleBrowserCorsFailsSilently(message: LoginAppMessage): void {\n const failedUrl = (message.data as Record<string, unknown> | undefined)\n ?.url as string | undefined;\n this.logger.warn(\"civicloginApp browser CORS fail silently\", {\n failedUrl,\n config: this.config,\n autoRedirect: this.config.autoRedirect,\n });\n if (\n this.config.displayMode === \"iframe\" &&\n this.config.iframeDisplayMode === \"modal\" &&\n this.config.autoRedirect !== false && // Add this check\n failedUrl\n ) {\n IframeManager.handleBrowserCorsFailsSilently(failedUrl);\n this.onBrowserCorsFailsSilently(failedUrl);\n }\n }\n /**\n * Handles popup generation failure messages from civicloginApp.\n *\n * Processes generatePopupFailed messages, extracts the failed URL,\n * emits appropriate events, and triggers the popup failure callback\n * to enable fallback authentication methods.\n *\n * @param message - The civicloginApp popup failure message to process\n */\n private handlePopupFailure(message: LoginAppMessage): void {\n this.logger.warn(\"civicloginApp popup generation failed\", {\n data: message.data,\n });\n\n const failedUrl = (message.data as Record<string, unknown> | undefined)\n ?.url as string | undefined;\n if (failedUrl) {\n this.logger.info(\"Popup failed for URL, considering fallback options\", {\n failedUrl,\n displayMode: this.config.displayMode,\n });\n\n this.config.events?.emit(AuthEvent.URL_CHANGE, {\n detail: \"Popup blocked by browser - switching to redirect mode\",\n url: failedUrl,\n source: \"login_app\",\n failedUrl,\n error: {\n type: \"popup_blocked\",\n failedUrl,\n suggestion:\n \"The browser blocked a popup window. Redirecting to complete authentication in a new page.\",\n },\n });\n }\n\n this.onPopupFailure(failedUrl);\n }\n\n /**\n * Handles design messages from civicloginApp.\n *\n * Processes design messages containing customer preferences like colorMode\n * and forwards them to the appropriate handlers.\n *\n * @param data - The design message data payload\n */\n private handleDesignMessage(data: DesignMessageData | undefined): void {\n if (!data) {\n this.logger.debug(\"Design message received with no data\");\n return;\n }\n\n // Handle colorMode preference\n if (data.colorMode) {\n const validColorModes: ColorMode[] = [\"light\", \"dark\", \"auto\"];\n if (validColorModes.includes(data.colorMode)) {\n this.logger.debug(\"Setting customer color mode\", {\n colorMode: data.colorMode,\n });\n IframeManager.handleLoginAppColorMode(data.colorMode);\n } else {\n this.logger.debug(\"Invalid colorMode value received\", {\n colorMode: data.colorMode,\n });\n }\n }\n }\n\n /**\n * Handles unknown or unrecognized civicloginApp message types.\n *\n * Provides fallback handling for unexpected message types, with special\n * logic to detect potential success messages that don't match standard types.\n *\n * @param message - The unrecognized civicloginApp message to process\n */\n private handleUnknownCivicLoginAppMessage(message: LoginAppMessage): void {\n this.logger.debug(\"Unhandled civicloginApp message type\", {\n type: message.type,\n data: message.data,\n });\n\n // Check if this might be a success message with a different type\n if (message.type && message.type.toLowerCase().includes(\"success\")) {\n this.logger.info(\"Potential success message from civicloginApp\", {\n type: message.type,\n data: message.data,\n });\n\n this.handleAuthSuccess({\n type: \"auth_success\",\n detail: `civicloginApp success: ${message.type}`,\n data: message.data,\n });\n }\n }\n\n /**\n * Type guard to identify iframe resizer messages.\n *\n * Checks if a message is related to iframe resizing functionality,\n * including both civic-specific resize messages and iFrameResizerChild messages.\n *\n * @param message - The message object to check\n * @returns True if the message is an iframe resizer message, false otherwise\n */\n private isIframeResizerMessage(message: unknown): boolean {\n return (\n (message !== null &&\n typeof message === \"object\" &&\n \"type\" in message &&\n ((message as Record<string, unknown>).type === \"civic-iframe-resize\" ||\n (message as Record<string, unknown>).type ===\n \"civic-iframe-ready\")) ||\n (typeof message === \"string\" && message.includes(\"iFrameResizerChild\"))\n );\n }\n\n /**\n * Handles iframe resizer messages for dynamic iframe sizing.\n *\n * Processes messages related to iframe resizing, including height adjustments\n * and ready state notifications from the iframe resizer library.\n *\n * @param message - The iframe resizer message to process\n */\n private handleIframeResizerMessage(message: unknown): void {\n if (typeof message === \"string\") {\n this.logger.debug(\"Received iframe resizer child message\", { message });\n } else if (message && typeof message === \"object\" && message !== null) {\n const messageObj = message as Record<string, unknown>;\n this.logger.debug(\"Received iframe resizer message\", {\n type: messageObj.type,\n height: messageObj.height,\n });\n }\n }\n\n /**\n * Handles standard authentication messages.\n *\n * Processes auth_success and auth_error messages that follow the standard\n * authentication message format, routing them to appropriate success or error handlers.\n *\n * @param message - The standard auth message to process\n */\n private handleStandardAuthMessage(message: unknown): void {\n const messageObj =\n message && typeof message === \"object\" && message !== null\n ? (message as Record<string, unknown>)\n : null;\n const messageType = messageObj?.type;\n\n switch (messageType) {\n case \"auth_success\":\n this.handleAuthSuccess(message as AuthMessage);\n break;\n case \"auth_error\":\n this.handleAuthError(message as AuthMessage);\n break;\n default:\n // Check if this is a calculateSubFramePositioning message (expected and harmless)\n if (messageObj?.command === \"calculateSubFramePositioning\") {\n this.logger.debug(\"Received iframe positioning message (expected)\", {\n command: messageObj.command,\n hasSubFrameData: !!messageObj.subFrameData,\n });\n } else {\n this.logger.debug(\n \"Message from iframe did not match expected types (auth_success, auth_error, civicloginApp, iframe-resizer)\",\n {\n data: message,\n messageType: typeof message,\n hasType: messageObj?.type ?? \"none\",\n messageKeys: messageObj ? Object.keys(messageObj) : [],\n },\n );\n }\n }\n }\n\n /**\n * Handles successful authentication completion.\n *\n * Processes authentication success messages, emits success events,\n * triggers the success callback with authentication results, and performs cleanup.\n *\n * @param data - The authentication success message containing result data\n */\n private handleAuthSuccess(data: AuthMessage): void {\n const authResult = (data?.data as AuthResult) || {};\n this.config.events?.emit(AuthEvent.SIGN_IN_COMPLETE, {\n detail: \"Success signal received via postMessage\",\n data,\n redirectUrl: authResult.redirectUrl,\n });\n this.onAuthSuccess(authResult);\n this.cleanup();\n }\n\n /**\n * Handles authentication errors.\n *\n * Processes authentication error messages, creates appropriate error objects,\n * emits error events, triggers the error callback, and performs cleanup.\n *\n * @param data - The authentication error message containing error details\n */\n private handleAuthError(data: AuthMessage): void {\n this.config.events?.emit(AuthEvent.SIGN_IN_ERROR, {\n detail: \"Error signal received via postMessage\",\n error: data,\n });\n\n const error = new CivicAuthError(\n data?.detail || \"Error signal received via postMessage\",\n CivicAuthErrorCode.INVALID_MESSAGE,\n );\n\n this.onAuthError(error);\n this.cleanup();\n }\n}\n"]}
package/dist/vanillajs/types/index.d.ts CHANGED
@@ -29,11 +29,15 @@ export interface AuthResult {
29
29
  user?: User;
30
30
  /** Signal text indicating the result */
31
31
  signalText?: string;
32
+ /** URL to redirect to after successful authentication (for deep link preservation) */
33
+ redirectUrl?: string;
32
34
  }
33
35
  export type OnSignInResponse = {
34
36
  error?: Error;
35
37
  user?: User | null;
36
38
  session?: Session | null;
39
+ /** URL to redirect to after successful authentication (for deep link preservation) */
40
+ redirectUrl?: string;
37
41
  };
38
42
  export type OnSignOutResponse = {
39
43
  error?: Error;
package/dist/vanillajs/types/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/vanillajs/types/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,YAAY,EAAE,IAAI,EAAE,CAAC;AAErB,MAAM,WAAW,OAAO;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CAEpB;AAED,oBAAY,SAAS;IACnB,WAAW,gBAAgB;IAC3B,eAAe,oBAAoB;IACnC,gBAAgB,qBAAqB;IACrC,aAAa,kBAAkB;IAC/B,gBAAgB,qBAAqB;IACrC,iBAAiB,sBAAsB;IACvC,cAAc,mBAAmB;IACjC,qBAAqB,0BAA0B;IAC/C,sBAAsB,2BAA2B;IACjD,mBAAmB,wBAAwB;IAC3C,eAAe,oBAAoB;IACnC,eAAe,oBAAoB;IACnC,yBAAyB,8BAA8B;IACvD,UAAU,eAAe;IACzB,oBAAoB,yBAAyB;CAC9C;AAED,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,IAAI,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;CAC1B,CAAC;AACF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,EAAE,KAAK,CAAC;CACf,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/vanillajs/types/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,YAAY,EAAE,IAAI,EAAE,CAAC;AAErB,MAAM,WAAW,OAAO;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CAEpB;AAED,oBAAY,SAAS;IACnB,WAAW,gBAAgB;IAC3B,eAAe,oBAAoB;IACnC,gBAAgB,qBAAqB;IACrC,aAAa,kBAAkB;IAC/B,gBAAgB,qBAAqB;IACrC,iBAAiB,sBAAsB;IACvC,cAAc,mBAAmB;IACjC,qBAAqB,0BAA0B;IAC/C,sBAAsB,2BAA2B;IACjD,mBAAmB,wBAAwB;IAC3C,eAAe,oBAAoB;IACnC,eAAe,oBAAoB;IACnC,yBAAyB,8BAA8B;IACvD,UAAU,eAAe;IACzB,oBAAoB,yBAAyB;CAC9C;AAED,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sFAAsF;IACtF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,IAAI,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC;IACzB,sFAAsF;IACtF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AACF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,EAAE,KAAK,CAAC;CACf,CAAC"}
package/dist/vanillajs/types/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/vanillajs/types/index.ts"],"names":[],"mappings":"AAcA,MAAM,CAAN,IAAY,SAgBX;AAhBD,WAAY,SAAS;IACnB,wCAA2B,CAAA;IAC3B,gDAAmC,CAAA;IACnC,kDAAqC,CAAA;IACrC,4CAA+B,CAAA;IAC/B,kDAAqC,CAAA;IACrC,oDAAuC,CAAA;IACvC,8CAAiC,CAAA;IACjC,4DAA+C,CAAA;IAC/C,8DAAiD,CAAA;IACjD,wDAA2C,CAAA;IAC3C,gDAAmC,CAAA;IACnC,gDAAmC,CAAA;IACnC,oEAAuD,CAAA;IACvD,sCAAyB,CAAA;IACzB,0DAA6C,CAAA;AAC/C,CAAC,EAhBW,SAAS,KAAT,SAAS,QAgBpB","sourcesContent":["// Export other type files as they are created\nimport type { User } from \"../../types.js\";\n\nexport type { User };\n\nexport interface Session {\n accessToken?: string;\n idToken?: string;\n refreshToken?: string;\n user?: User;\n expiresAt?: number; // Timestamp in milliseconds\n // any other session-related data\n}\n\nexport enum AuthEvent {\n INITIALIZED = \"initialized\",\n SIGN_IN_STARTED = \"sign_in_started\",\n SIGN_IN_COMPLETE = \"sign_in_complete\",\n SIGN_IN_ERROR = \"sign_in_error\",\n SIGN_OUT_STARTED = \"sign_out_started\",\n SIGN_OUT_COMPLETE = \"sign_out_complete\",\n SIGN_OUT_ERROR = \"sign_out_error\",\n TOKEN_REFRESH_STARTED = \"token_refresh_started\",\n TOKEN_REFRESH_COMPLETE = \"token_refresh_complete\",\n TOKEN_REFRESH_ERROR = \"token_refresh_error\",\n SESSION_EXPIRED = \"session_expired\",\n SESSION_RENEWED = \"session_renewed\",\n USER_INTERACTION_REQUIRED = \"user_interaction_required\",\n URL_CHANGE = \"url_change\",\n USER_SESSION_CHANGED = \"user_session_changed\",\n}\n\nexport interface AuthResult {\n /** User information returned from authentication */\n user?: User;\n /** Signal text indicating the result */\n signalText?: string;\n}\n\nexport type OnSignInResponse = {\n error?: Error;\n user?: User | null;\n session?: Session | null;\n};\nexport type OnSignOutResponse = {\n error?: Error;\n};\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/vanillajs/types/index.ts"],"names":[],"mappings":"AAcA,MAAM,CAAN,IAAY,SAgBX;AAhBD,WAAY,SAAS;IACnB,wCAA2B,CAAA;IAC3B,gDAAmC,CAAA;IACnC,kDAAqC,CAAA;IACrC,4CAA+B,CAAA;IAC/B,kDAAqC,CAAA;IACrC,oDAAuC,CAAA;IACvC,8CAAiC,CAAA;IACjC,4DAA+C,CAAA;IAC/C,8DAAiD,CAAA;IACjD,wDAA2C,CAAA;IAC3C,gDAAmC,CAAA;IACnC,gDAAmC,CAAA;IACnC,oEAAuD,CAAA;IACvD,sCAAyB,CAAA;IACzB,0DAA6C,CAAA;AAC/C,CAAC,EAhBW,SAAS,KAAT,SAAS,QAgBpB","sourcesContent":["// Export other type files as they are created\nimport type { User } from \"../../types.js\";\n\nexport type { User };\n\nexport interface Session {\n accessToken?: string;\n idToken?: string;\n refreshToken?: string;\n user?: User;\n expiresAt?: number; // Timestamp in milliseconds\n // any other session-related data\n}\n\nexport enum AuthEvent {\n INITIALIZED = \"initialized\",\n SIGN_IN_STARTED = \"sign_in_started\",\n SIGN_IN_COMPLETE = \"sign_in_complete\",\n SIGN_IN_ERROR = \"sign_in_error\",\n SIGN_OUT_STARTED = \"sign_out_started\",\n SIGN_OUT_COMPLETE = \"sign_out_complete\",\n SIGN_OUT_ERROR = \"sign_out_error\",\n TOKEN_REFRESH_STARTED = \"token_refresh_started\",\n TOKEN_REFRESH_COMPLETE = \"token_refresh_complete\",\n TOKEN_REFRESH_ERROR = \"token_refresh_error\",\n SESSION_EXPIRED = \"session_expired\",\n SESSION_RENEWED = \"session_renewed\",\n USER_INTERACTION_REQUIRED = \"user_interaction_required\",\n URL_CHANGE = \"url_change\",\n USER_SESSION_CHANGED = \"user_session_changed\",\n}\n\nexport interface AuthResult {\n /** User information returned from authentication */\n user?: User;\n /** Signal text indicating the result */\n signalText?: string;\n /** URL to redirect to after successful authentication (for deep link preservation) */\n redirectUrl?: string;\n}\n\nexport type OnSignInResponse = {\n error?: Error;\n user?: User | null;\n session?: Session | null;\n /** URL to redirect to after successful authentication (for deep link preservation) */\n redirectUrl?: string;\n};\nexport type OnSignOutResponse = {\n error?: Error;\n};\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@civic/auth",
3
- "version": "0.11.9",
3
+ "version": "0.13.0-beta.0",
4
4
  "type": "module",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.js",
@@ -78,7 +78,7 @@
78
78
  "esbuild-plugin-css-modules": "^0.3.0",
79
79
  "eslint": "^8.57.1",
80
80
  "eslint-plugin-require-extensions": "^0.1.3",
81
- "next": "^14.2.25",
81
+ "next": "^14.2.35",
82
82
  "prettier": "^3.3.3",
83
83
  "react": "18.3.1",
84
84
  "react-dom": "18.3.1",