@civic/auth 0.3.5-temp-debug-logs.2 → 0.3.6-beta.0

package/dist/shared/hooks/useWindowFocused.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useWindowFocused.d.ts","sourceRoot":"","sources":["../../../src/shared/hooks/useWindowFocused.ts"],"names":[],"mappings":"AAEA,QAAA,MAAM,gBAAgB;;CAmBrB,CAAC;AACF,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/shared/hooks/useWindowFocused.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useWindowFocused.js","sourceRoot":"","sources":["../../../src/shared/hooks/useWindowFocused.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AAE5C,MAAM,gBAAgB,GAAG,GAAG,EAAE;IAC5B,MAAM,CAAC,eAAe,EAAE,kBAAkB,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC7D,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,WAAW,GAAG,GAAG,EAAE;YACvB,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC,CAAC;QAEF,MAAM,UAAU,GAAG,GAAG,EAAE;YACtB,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC;QACF,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC9C,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAE5C,OAAO,GAAG,EAAE;YACV,MAAM,CAAC,mBAAmB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YACjD,MAAM,CAAC,mBAAmB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACjD,CAAC,CAAC;IACJ,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,OAAO,EAAE,eAAe,EAAE,CAAC;AAC7B,CAAC,CAAC;AACF,OAAO,EAAE,gBAAgB,EAAE,CAAC","sourcesContent":["import { useEffect, useState } from \"react\";\n\nconst useWindowFocused = () => {\n  const [isWindowFocused, setIsWindowFocused] = useState(true);\n  useEffect(() => {\n    const handleFocus = () => {\n      setIsWindowFocused(true);\n    };\n\n    const handleBlur = () => {\n      setIsWindowFocused(false);\n    };\n    window.addEventListener(\"focus\", handleFocus);\n    window.addEventListener(\"blur\", handleBlur);\n\n    return () => {\n      window.removeEventListener(\"focus\", handleFocus);\n      window.removeEventListener(\"blur\", handleBlur);\n    };\n  }, []);\n  return { isWindowFocused };\n};\nexport { useWindowFocused };\n"]}

package/dist/shared/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,CAAC;AAEnB,eAAO,MAAM,UAAU,cAAgB,CAAC;AAExC,eAAO,MAAM,YAAY,YAWxB,CAAC;AACF,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/shared/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,CAAC;AACnB,IAAI,cAAc,GAAG,KAAK,CAAC;AAC3B,MAAM,CAAC,MAAM,UAAU,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC;AACxC,mCAAmC;AACnC,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,EAAE;IAC/B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,IAAI,CAAC;QACtB,IACE,UAAU,EAAE;YACZ,OAAO,MAAM,KAAK,WAAW;YAC7B,OAAO,QAAQ,KAAK,WAAW,EAC/B,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC,CAAC;AACF,OAAO,EAAE,oBAAoB,EAAE,MAAM,sCAAsC,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC","sourcesContent":["import { VERSION } from \"./version.js\";\nexport { VERSION };\nlet versionPrinted = false;\nexport const getVersion = () => VERSION;\n// print the version to the browser\nexport const printVersion = () => {\n  if (!versionPrinted) {\n    versionPrinted = true;\n    if (\n      getVersion() &&\n      typeof window !== \"undefined\" &&\n      typeof document !== \"undefined\"\n    ) {\n      console.log(getVersion());\n    }\n  }\n};\nexport { BrowserCookieStorage } from \"@/shared/lib/BrowserCookieStorage.js\";\nexport { clearTokens } from \"@/shared/lib/util.js\";\n"]}

package/dist/shared/lib/AuthenticationRefresherImpl.d.ts

@@ -0,0 +1,14 @@
+import type { AuthConfig } from "../../server/config.js";
+import type { AuthStorage, Endpoints, OIDCTokenResponseBody } from "../../types.js";
+import { GenericAuthenticationRefresher } from "./GenericAuthenticationRefresher.js";
+export declare class AuthenticationRefresherImpl extends GenericAuthenticationRefresher {
+    protected endpointOverrides?: Partial<Endpoints> | undefined;
+    private endpoints;
+    private oauth2client;
+    constructor(authConfig: AuthConfig, storage: AuthStorage, endpointOverrides?: Partial<Endpoints> | undefined);
+    init(): Promise<this>;
+    static build(authConfig: AuthConfig, storage: AuthStorage, endpointOverrides?: Partial<Endpoints>): Promise<AuthenticationRefresherImpl>;
+    storeTokens(tokenResponseBody: OIDCTokenResponseBody): Promise<void>;
+    refreshAccessToken(): Promise<OIDCTokenResponseBody>;
+}
+//# sourceMappingURL=AuthenticationRefresherImpl.d.ts.map

package/dist/shared/lib/AuthenticationRefresherImpl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthenticationRefresherImpl.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/AuthenticationRefresherImpl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAMrD,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEhF,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF,qBAAa,2BAA4B,SAAQ,8BAA8B;IAM3E,SAAS,CAAC,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC;IALlD,OAAO,CAAC,SAAS,CAAwB;IACzC,OAAO,CAAC,YAAY,CAA2B;gBAE7C,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,WAAW,EACV,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,YAAA;IAQ5C,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;WAmBd,KAAK,CAChB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,WAAW,EACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,GACrC,OAAO,CAAC,2BAA2B,CAAC;IAWjC,WAAW,CAAC,iBAAiB,EAAE,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC;IAKpE,kBAAkB,IAAI,OAAO,CAAC,qBAAqB,CAAC;CAoB3D"}

package/dist/shared/lib/AuthenticationRefresherImpl.js

@@ -0,0 +1,48 @@
+import { getEndpointsWithOverrides, storeTokens, validateOauth2Tokens, } from "../../shared/lib/util.js";
+import { OAuth2Client } from "oslo/oauth2";
+import { GenericAuthenticationRefresher } from "./GenericAuthenticationRefresher.js";
+export class AuthenticationRefresherImpl extends GenericAuthenticationRefresher {
+    endpointOverrides;
+    endpoints;
+    oauth2client;
+    constructor(authConfig, storage, endpointOverrides) {
+        super();
+        this.endpointOverrides = endpointOverrides;
+        this.authConfig = authConfig;
+        this.storage = storage;
+        this.init();
+    }
+    async init() {
+        if (!this.authConfig)
+            throw new Error("No auth config available");
+        // resolve oauth config
+        this.endpoints = await getEndpointsWithOverrides(this.oauthServer, this.endpointOverrides);
+        this.oauth2client = new OAuth2Client(this.authConfig.clientId, this.endpoints.auth, this.endpoints.token, {
+            redirectURI: this.authConfig.redirectUrl,
+        });
+        return this;
+    }
+    static async build(authConfig, storage, endpointOverrides) {
+        const refresher = new AuthenticationRefresherImpl(authConfig, storage, endpointOverrides);
+        await refresher.init();
+        return refresher;
+    }
+    async storeTokens(tokenResponseBody) {
+        if (!this.storage)
+            throw new Error("No storage available");
+        await storeTokens(this.storage, tokenResponseBody);
+    }
+    async refreshAccessToken() {
+        if (!this.storage)
+            throw new Error("No storage available");
+        const refreshToken = await this.getRefreshToken();
+        if (!this.oauth2client)
+            this.init();
+        const oauth2Client = this.oauth2client;
+        const tokenResponseBody = await oauth2Client.refreshAccessToken(refreshToken);
+        await validateOauth2Tokens(tokenResponseBody, this.endpoints, oauth2Client, this.oauthServer);
+        await this.storeTokens(tokenResponseBody);
+        return tokenResponseBody;
+    }
+}
+//# sourceMappingURL=AuthenticationRefresherImpl.js.map

package/dist/shared/lib/AuthenticationRefresherImpl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthenticationRefresherImpl.js","sourceRoot":"","sources":["../../../src/shared/lib/AuthenticationRefresherImpl.ts"],"names":[],"mappings":"AACA,OAAO,EACL,yBAAyB,EACzB,WAAW,EACX,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF,MAAM,OAAO,2BAA4B,SAAQ,8BAA8B;IAMjE;IALJ,SAAS,CAAwB;IACjC,YAAY,CAA2B;IAC/C,YACE,UAAsB,EACtB,OAAoB,EACV,iBAAsC;QAEhD,KAAK,EAAE,CAAC;QAFE,sBAAiB,GAAjB,iBAAiB,CAAqB;QAGhD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAClE,uBAAuB;QACvB,IAAI,CAAC,SAAS,GAAG,MAAM,yBAAyB,CAC9C,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAClC,IAAI,CAAC,UAAU,CAAC,QAAQ,EACxB,IAAI,CAAC,SAAS,CAAC,IAAI,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,EACpB;YACE,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW;SACzC,CACF,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,KAAK,CAChB,UAAsB,EACtB,OAAoB,EACpB,iBAAsC;QAEtC,MAAM,SAAS,GAAG,IAAI,2BAA2B,CAC/C,UAAU,EACV,OAAO,EACP,iBAAiB,CAClB,CAAC;QACF,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;QAEvB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,iBAAwC;QACxD,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC3D,MAAM,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC3D,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAElD,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,YAAY,GAAG,IAAI,CAAC,YAAa,CAAC;QACxC,MAAM,iBAAiB,GACrB,MAAM,YAAY,CAAC,kBAAkB,CACnC,YAAY,CACb,CAAC;QACJ,MAAM,oBAAoB,CACxB,iBAAiB,EACjB,IAAI,CAAC,SAAU,EACf,YAAY,EACZ,IAAI,CAAC,WAAW,CACjB,CAAC;QAEF,MAAM,IAAI,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;QAC1C,OAAO,iBAAiB,CAAC;IAC3B,CAAC;CACF","sourcesContent":["import type { AuthConfig } from \"@/server/config.js\";\nimport {\n  getEndpointsWithOverrides,\n  storeTokens,\n  validateOauth2Tokens,\n} from \"@/shared/lib/util.js\";\nimport type { AuthStorage, Endpoints, OIDCTokenResponseBody } from \"@/types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { GenericAuthenticationRefresher } from \"./GenericAuthenticationRefresher.js\";\n\nexport class AuthenticationRefresherImpl extends GenericAuthenticationRefresher {\n  private endpoints: Endpoints | undefined;\n  private oauth2client: OAuth2Client | undefined;\n  constructor(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    protected endpointOverrides?: Partial<Endpoints>,\n  ) {\n    super();\n    this.authConfig = authConfig;\n    this.storage = storage;\n    this.init();\n  }\n\n  async init(): Promise<this> {\n    if (!this.authConfig) throw new Error(\"No auth config available\");\n    // resolve oauth config\n    this.endpoints = await getEndpointsWithOverrides(\n      this.oauthServer,\n      this.endpointOverrides,\n    );\n    this.oauth2client = new OAuth2Client(\n      this.authConfig.clientId,\n      this.endpoints.auth,\n      this.endpoints.token,\n      {\n        redirectURI: this.authConfig.redirectUrl,\n      },\n    );\n\n    return this;\n  }\n\n  static async build(\n    authConfig: AuthConfig,\n    storage: AuthStorage,\n    endpointOverrides?: Partial<Endpoints>,\n  ): Promise<AuthenticationRefresherImpl> {\n    const refresher = new AuthenticationRefresherImpl(\n      authConfig,\n      storage,\n      endpointOverrides,\n    );\n    await refresher.init();\n\n    return refresher;\n  }\n\n  async storeTokens(tokenResponseBody: OIDCTokenResponseBody): Promise<void> {\n    if (!this.storage) throw new Error(\"No storage available\");\n    await storeTokens(this.storage, tokenResponseBody);\n  }\n\n  async refreshAccessToken(): Promise<OIDCTokenResponseBody> {\n    if (!this.storage) throw new Error(\"No storage available\");\n    const refreshToken = await this.getRefreshToken();\n\n    if (!this.oauth2client) this.init();\n    const oauth2Client = this.oauth2client!;\n    const tokenResponseBody =\n      await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n        refreshToken,\n      );\n    await validateOauth2Tokens(\n      tokenResponseBody,\n      this.endpoints!,\n      oauth2Client,\n      this.oauthServer,\n    );\n\n    await this.storeTokens(tokenResponseBody);\n    return tokenResponseBody;\n  }\n}\n"]}

package/dist/shared/lib/BrowserCookieStorage.d.ts

@@ -0,0 +1,9 @@
+import { CookieStorage, type CookieStorageSettings } from "../../shared/lib/storage.js";
+import type { CookieConfig } from "./types.js";
+export declare class BrowserCookieStorage extends CookieStorage {
+    constructor(config?: Partial<CookieStorageSettings>);
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string, cookieConfigOverride?: Partial<CookieConfig>): Promise<void>;
+    delete(key: string): Promise<void>;
+}
+//# sourceMappingURL=BrowserCookieStorage.d.ts.map

package/dist/shared/lib/BrowserCookieStorage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"BrowserCookieStorage.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/BrowserCookieStorage.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,KAAK,qBAAqB,EAC3B,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAoC/C,qBAAa,oBAAqB,SAAQ,aAAa;gBACzC,MAAM,GAAE,OAAO,CAAC,qBAAqB,CAAM;IASjD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IASxC,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,oBAAoB,GAAE,OAAO,CAAC,YAAY,CAAM,GAC/C,OAAO,CAAC,IAAI,CAAC;IAOV,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}

package/dist/shared/lib/BrowserCookieStorage.js

@@ -0,0 +1,56 @@
+import { CookieStorage, } from "../../shared/lib/storage.js";
+// Ensure only runs in a browser environment
+function documentObj() {
+    if (typeof globalThis.window !== "undefined")
+        return globalThis.document;
+    const stack = new Error().stack;
+    throw new Error("Document is not available in this environment:" + JSON.stringify(stack));
+}
+const split = (separator) => (str) => str.split(separator);
+const cookieStringFromSettings = (settings) => {
+    let cookieSettings = "";
+    if (settings.path) {
+        cookieSettings += `Path=${settings.path}; `;
+    }
+    if (settings.expires) {
+        cookieSettings += `Expires=${settings.expires}; `;
+    }
+    if (settings.secure) {
+        cookieSettings += `Secure; `;
+    }
+    if (settings.httpOnly) {
+        // HttpOnly cannot be set from client-side JavaScript, so this clause can be omitted.
+        console.warn("HttpOnly cannot be set on client-side cookies. Ignoring this setting.");
+    }
+    if (settings.sameSite) {
+        cookieSettings += `SameSite=${settings.sameSite}; `;
+    }
+    return cookieSettings.trim();
+};
+export class BrowserCookieStorage extends CookieStorage {
+    constructor(config = {}) {
+        super({
+            // sensible browser defaults
+            secure: false,
+            httpOnly: false,
+            ...config,
+        });
+    }
+    async get(key) {
+        const encodedValue = documentObj()
+            .cookie.split(";")
+            .map(split("="))
+            .find(([cookieKey]) => cookieKey?.trim() === key)?.[1];
+        return encodedValue ? decodeURIComponent(encodedValue) : null;
+    }
+    async set(key, value, cookieConfigOverride = {}) {
+        const encodedValue = encodeURIComponent(value);
+        const settings = { ...this.settings, ...cookieConfigOverride };
+        const cookieString = cookieStringFromSettings(settings);
+        documentObj().cookie = `${key}=${encodedValue}; ${cookieString}`;
+    }
+    async delete(key) {
+        documentObj().cookie = `${key}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`;
+    }
+}
+//# sourceMappingURL=BrowserCookieStorage.js.map

package/dist/shared/lib/BrowserCookieStorage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"BrowserCookieStorage.js","sourceRoot":"","sources":["../../../src/shared/lib/BrowserCookieStorage.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,GAEd,MAAM,yBAAyB,CAAC;AAGjC,4CAA4C;AAC5C,SAAS,WAAW;IAClB,IAAI,OAAO,UAAU,CAAC,MAAM,KAAK,WAAW;QAAE,OAAO,UAAU,CAAC,QAAQ,CAAC;IACzE,MAAM,KAAK,GAAG,IAAI,KAAK,EAAE,CAAC,KAAK,CAAC;IAChC,MAAM,IAAI,KAAK,CACb,gDAAgD,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CACzE,CAAC;AACJ,CAAC;AAED,MAAM,KAAK,GAAG,CAAC,SAAiB,EAAE,EAAE,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;AAE3E,MAAM,wBAAwB,GAAG,CAAC,QAA+B,EAAU,EAAE;IAC3E,IAAI,cAAc,GAAG,EAAE,CAAC;IAExB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClB,cAAc,IAAI,QAAQ,QAAQ,CAAC,IAAI,IAAI,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,cAAc,IAAI,WAAW,QAAQ,CAAC,OAAO,IAAI,CAAC;IACpD,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;QACpB,cAAc,IAAI,UAAU,CAAC;IAC/B,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtB,qFAAqF;QACrF,OAAO,CAAC,IAAI,CACV,uEAAuE,CACxE,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtB,cAAc,IAAI,YAAY,QAAQ,CAAC,QAAQ,IAAI,CAAC;IACtD,CAAC;IACD,OAAO,cAAc,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC,CAAC;AACF,MAAM,OAAO,oBAAqB,SAAQ,aAAa;IACrD,YAAY,SAAyC,EAAE;QACrD,KAAK,CAAC;YACJ,4BAA4B;YAC5B,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,KAAK;YACf,GAAG,MAAM;SACV,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,YAAY,GAAG,WAAW,EAAE;aAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;aACjB,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;aACf,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAEzD,OAAO,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAW,EACX,KAAa,EACb,uBAA8C,EAAE;QAEhD,MAAM,YAAY,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,GAAG,oBAAoB,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACxD,WAAW,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,WAAW,EAAE,CAAC,MAAM,GAAG,GAAG,GAAG,mDAAmD,CAAC;IACnF,CAAC;CACF","sourcesContent":["import {\n  CookieStorage,\n  type CookieStorageSettings,\n} from \"@/shared/lib/storage.js\";\nimport type { CookieConfig } from \"./types.js\";\n\n// Ensure only runs in a browser environment\nfunction documentObj() {\n  if (typeof globalThis.window !== \"undefined\") return globalThis.document;\n  const stack = new Error().stack;\n  throw new Error(\n    \"Document is not available in this environment:\" + JSON.stringify(stack),\n  );\n}\n\nconst split = (separator: string) => (str: string) => str.split(separator);\n\nconst cookieStringFromSettings = (settings: CookieStorageSettings): string => {\n  let cookieSettings = \"\";\n\n  if (settings.path) {\n    cookieSettings += `Path=${settings.path}; `;\n  }\n  if (settings.expires) {\n    cookieSettings += `Expires=${settings.expires}; `;\n  }\n  if (settings.secure) {\n    cookieSettings += `Secure; `;\n  }\n  if (settings.httpOnly) {\n    // HttpOnly cannot be set from client-side JavaScript, so this clause can be omitted.\n    console.warn(\n      \"HttpOnly cannot be set on client-side cookies. Ignoring this setting.\",\n    );\n  }\n  if (settings.sameSite) {\n    cookieSettings += `SameSite=${settings.sameSite}; `;\n  }\n  return cookieSettings.trim();\n};\nexport class BrowserCookieStorage extends CookieStorage {\n  constructor(config: Partial<CookieStorageSettings> = {}) {\n    super({\n      // sensible browser defaults\n      secure: false,\n      httpOnly: false,\n      ...config,\n    });\n  }\n\n  async get(key: string): Promise<string | null> {\n    const encodedValue = documentObj()\n      .cookie.split(\";\")\n      .map(split(\"=\"))\n      .find(([cookieKey]) => cookieKey?.trim() === key)?.[1];\n\n    return encodedValue ? decodeURIComponent(encodedValue) : null;\n  }\n\n  async set(\n    key: string,\n    value: string,\n    cookieConfigOverride: Partial<CookieConfig> = {},\n  ): Promise<void> {\n    const encodedValue = encodeURIComponent(value);\n    const settings = { ...this.settings, ...cookieConfigOverride };\n    const cookieString = cookieStringFromSettings(settings);\n    documentObj().cookie = `${key}=${encodedValue}; ${cookieString}`;\n  }\n\n  async delete(key: string): Promise<void> {\n    documentObj().cookie = `${key}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`;\n  }\n}\n"]}

package/dist/shared/lib/GenericAuthenticationRefresher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GenericAuthenticationRefresher.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAKnE,OAAO,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAErE,8BAAsB,8BACpB,YAAW,uBAAuB;IAElC,SAAS,CAAC,UAAU,EAAE,UAAU,GAAG,SAAS,CAAC;IAC7C,SAAS,CAAC,OAAO,EAAE,WAAW,GAAG,SAAS,CAAC;IAC3C,MAAM,CAAC,iBAAiB,UAAS;IAEjC,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,QAAQ,CAAC,kBAAkB,CACzB,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,qBAAqB,CAAC;IAE3B,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAQlC,aAAa;YAIL,aAAa;IAerB,gBAAgB;IAoBtB,gBAAgB;CAQjB"}

package/dist/shared/lib/GenericAuthenticationRefresher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GenericAuthenticationRefresher.js","sourceRoot":"","sources":["../../../src/shared/lib/GenericAuthenticationRefresher.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wBAAwB,EACxB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,4BAA4B,EAC5B,cAAc,GACf,MAAM,sBAAsB,CAAC;AAG9B,MAAM,OAAgB,8BAA8B;IAGxC,UAAU,CAAyB;IACnC,OAAO,CAA0B;IAC3C,MAAM,CAAC,iBAAiB,GAAG,KAAK,CAAC;IAEjC,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,EAAE,WAAW,IAAI,mBAAmB,CAAC;IAC7D,CAAC;IAMD,KAAK,CAAC,eAAe;QACnB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAE3D,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,EAAE,aAAa;YAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAC1E,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,OAAO,IAAI,CAAC,kBAAkB,EAAE,CAAC;IACnC,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,IAAI,CAAC;YACH,yCAAyC;YACzC,IAAI,YAAY,CAAC,OAAO,CAAC,mBAAmB,CAAC,KAAK,MAAM,EAAE,CAAC;gBACzD,YAAY,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;gBAClD,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC3B,YAAY,CAAC,OAAO,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAAC;gBACnD,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC,CAAC,6CAA6C;YAC9E,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;YAClD,kEAAkE;QACpE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC3D,6BAA6B;QAC7B,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,iBAAiB;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GACb,CAAC,MAAM,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,GAAG,EAAE,CAAC;QAEjE,8DAA8D;QAC9D,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,aAAa;QACpC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC,CAAC,iDAAiD;QAEhH,MAAM,cAAc,GAAG,UAAU,CAAC,GAAG,EAAE;YACrC,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC,EAAE,IAAI,GAAG,WAAW,CAAC,CAAC;QACvB,YAAY,CAAC,OAAO,CAAC,wBAAwB,EAAE,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,gBAAgB;QACd,0EAA0E;QAC1E,mEAAmE;QACnE,MAAM,eAAe,GAAG,YAAY,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;QACvE,IAAI,eAAe,EAAE,CAAC;YACpB,YAAY,CAAC,eAAe,CAAC,CAAC;QAChC,CAAC;IACH,CAAC","sourcesContent":["import {\n  AUTOREFRESH_TIMEOUT_NAME,\n  DEFAULT_AUTH_SERVER,\n  REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport type { AuthenticationRefresher } from \"@/services/types.js\";\nimport {\n  retrieveAccessTokenExpiresAt,\n  retrieveTokens,\n} from \"@/shared/lib/util.js\";\nimport type { AuthStorage, OIDCTokenResponseBody } from \"@/types.js\";\n\nexport abstract class GenericAuthenticationRefresher\n  implements AuthenticationRefresher\n{\n  protected authConfig: AuthConfig | undefined;\n  protected storage: AuthStorage | undefined;\n  static refreshInProgress = false;\n\n  get oauthServer(): string {\n    return this.authConfig?.oauthServer || DEFAULT_AUTH_SERVER;\n  }\n\n  abstract refreshAccessToken(\n    refreshToken?: string,\n  ): Promise<OIDCTokenResponseBody>;\n\n  async getRefreshToken(): Promise<string> {\n    if (!this.storage) throw new Error(\"No storage available\");\n\n    const tokens = await retrieveTokens(this.storage);\n    if (!tokens?.refresh_token) throw new Error(\"No refresh token available\");\n    return tokens.refresh_token;\n  }\n\n  async refreshTokens() {\n    return this.refreshAccessToken();\n  }\n\n  private async handleRefresh() {\n    try {\n      // ensure only one refresh is in progress\n      if (localStorage.getItem(REFRESH_IN_PROGRESS) !== \"true\") {\n        localStorage.setItem(REFRESH_IN_PROGRESS, \"true\");\n        await this.refreshTokens();\n        localStorage.setItem(REFRESH_IN_PROGRESS, \"false\");\n        await this.setupAutorefresh(); // Reset the timeout after successful refresh\n      }\n    } catch (error) {\n      console.error(\"Failed to refresh tokens:\", error);\n      // TODO detect if refresh token has expired and if yes then logout\n    }\n  }\n\n  async setupAutorefresh() {\n    if (!this.storage) throw new Error(\"No storage available\");\n    // Clear any existing timeout\n    this.clearAutorefresh();\n\n    // get expires_in\n    const now = Math.floor(Date.now() / 1000);\n    const expiresAt =\n      (await retrieveAccessTokenExpiresAt(this.storage)) || now + 60;\n\n    // Calculate time until expiry (subtract 30 seconds as buffer)\n    const bufferTime = 30; // 30 seconds\n    const refreshTime = Math.max(0, expiresAt - bufferTime - now); // handle case were token has expired in the past\n\n    const refreshTimeout = setTimeout(() => {\n      this.handleRefresh();\n    }, 1000 * refreshTime);\n    localStorage.setItem(AUTOREFRESH_TIMEOUT_NAME, refreshTimeout.toString());\n  }\n\n  clearAutorefresh() {\n    // use local storage to store the timeout id so that if multiple instances\n    // of the refresher are created they can all clear the same timeout\n    const existingTimeout = localStorage.getItem(AUTOREFRESH_TIMEOUT_NAME);\n    if (existingTimeout) {\n      clearTimeout(existingTimeout);\n    }\n  }\n}\n"]}

package/dist/shared/lib/UserSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserSession.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/UserSession.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,IAAI,EACL,MAAM,YAAY,CAAC;AAIpB,MAAM,WAAW,WAAW,CAAC,CAAC,SAAS,aAAa;IAClD,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC/B,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG;QAAE,eAAe,CAAC,EAAE,kBAAkB,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9E;AAED,qBAAa,kBAAkB,CAAC,CAAC,SAAS,aAAa,CACrD,YAAW,WAAW,CAAC,CAAC,CAAC;IAEb,QAAQ,CAAC,OAAO,EAAE,WAAW;gBAApB,OAAO,EAAE,WAAW;IAEnC,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAK9B,GAAG,CACP,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG;QAAE,eAAe,CAAC,EAAE,kBAAkB,CAAA;KAAE,CAAC,GAAG,IAAI,GAChE,OAAO,CAAC,IAAI,CAAC;IAQV,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B"}

package/dist/shared/lib/UserSession.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserSession.js","sourceRoot":"","sources":["../../../src/shared/lib/UserSession.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAC;AAO3D,MAAM,OAAO,kBAAkB;IAGR;IAArB,YAAqB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE7C,KAAK,CAAC,GAAG;QACP,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,GAAG,CACP,IAAiE;QAEjE,MAAM,eAAe,GAAG,IAAI,EAAE,eAAe;YAC3C,CAAC,CAAC,2BAA2B,CAAC,IAAI,EAAE,eAAqC,CAAC;YAC1E,CAAC,CAAC,IAAI,CAAC;QACT,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC;CACF","sourcesContent":["import type {\n  AuthStorage,\n  ForwardedTokensJWT,\n  UnknownObject,\n  User,\n} from \"@/types.js\";\nimport { UserStorage } from \"@/shared/lib/types.js\";\nimport { convertForwardedTokenFormat } from \"@/lib/jwt.js\";\n\nexport interface UserSession<T extends UnknownObject> {\n  get(): Promise<User<T> | null>;\n  set(user: User<T> & { forwardedTokens?: ForwardedTokensJWT }): Promise<void>;\n}\n\nexport class GenericUserSession<T extends UnknownObject>\n  implements UserSession<T>\n{\n  constructor(readonly storage: AuthStorage) {}\n\n  async get(): Promise<User<T> | null> {\n    const user = await this.storage.get(UserStorage.USER);\n    return user ? JSON.parse(user) : null;\n  }\n\n  async set(\n    user: (User<T> & { forwardedTokens?: ForwardedTokensJWT }) | null,\n  ): Promise<void> {\n    const forwardedTokens = user?.forwardedTokens\n      ? convertForwardedTokenFormat(user?.forwardedTokens as ForwardedTokensJWT)\n      : null;\n    const value = user ? JSON.stringify({ ...user, forwardedTokens }) : \"\";\n    await this.storage.set(UserStorage.USER, value);\n  }\n\n  async clear(): Promise<void> {\n    await this.storage.delete(UserStorage.USER);\n  }\n}\n"]}

package/dist/shared/lib/iframeUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"iframeUtils.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/iframeUtils.ts"],"names":[],"mappings":"AAAA,KAAK,qBAAqB,GAAG,iBAAiB,GAAG;IAC/C,UAAU,EAAE,MAAM,iBAAiB,CAAC;CACrC,CAAC;AACF,eAAO,MAAM,YAAY,cACZ,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,KAC1D,iBAKF,CAAC"}

package/dist/shared/lib/iframeUtils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"iframeUtils.js","sourceRoot":"","sources":["../../../src/shared/lib/iframeUtils.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,MAAM,YAAY,GAAG,CAC1B,SAA2D,EACxC,EAAE;IACrB,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,OAAQ,SAAmC,EAAE,UAAU,EAAE,EAAE,IAAI,SAAS,CAAC;AAC3E,CAAC,CAAC","sourcesContent":["type ExtendedIframeElement = HTMLIFrameElement & {\n  getElement: () => HTMLIFrameElement;\n};\nexport const getIframeRef = (\n  iframeRef: HTMLIFrameElement | ExtendedIframeElement | null,\n): HTMLIFrameElement => {\n  if (!iframeRef) {\n    throw new Error(\"iframeRef is required for displayMode 'iframe'\");\n  }\n  return (iframeRef as ExtendedIframeElement)?.getElement?.() ?? iframeRef;\n};\n"]}

package/dist/shared/lib/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/session.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,IAAI,EACT,KAAK,WAAW,EAChB,KAAK,aAAa,EACnB,MAAM,YAAY,CAAC;AAsBpB,wBAAsB,OAAO,CAAC,CAAC,SAAS,aAAa,GAAG,WAAW,EACjE,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAoBzB;AAED,wBAAsB,SAAS,CAC7B,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAS7B"}

package/dist/shared/lib/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../src/shared/lib/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAmB,MAAM,MAAM,CAAC;AAClD,OAAO,EACL,SAAS,GAMV,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,4BAA4B,EAAE,MAAM,gBAAgB,CAAC;AAE9D,uCAAuC;AACvC,MAAM,QAAQ,GAAG,CACf,IAAS,EACT,GAAM,EACM,EAAE;IACd,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;IAC1B,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CACrB,GAAW,EACK,EAAE;IAClB,MAAM,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IACnC,OAAO,WAA6B,CAAC;AACvC,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAoB;IAEpB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,WAAW,GAAG,cAAc,CAAI,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,uCAAuC;IACvC,IAAI,CAAC,WAAW,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAElC,qCAAqC;IACrC,MAAM,6BAA6B,GAAG;QACpC,GAAI,WAAiB;QACrB,EAAE,EAAE,WAAW,CAAC,GAAG;KACpB,CAAC;IAEF,6CAA6C;IAC7C,0EAA0E;IAC1E,OAAO,QAAQ,CACb,CAAC,GAAG,4BAA4B,EAAE,GAAG,SAAS,CAAC,EAC/C,6BAA6B,CACnB,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,OAAoB;IAEpB,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAClD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,OAAO;QACL,OAAO,EAAE,WAAW,CAAC,QAAQ;QAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;QACrC,YAAY,EAAE,WAAW,CAAC,aAAa;KACxC,CAAC;AACJ,CAAC","sourcesContent":["import { retrieveTokens } from \"@/shared/lib/util.js\";\nimport { decodeJwt, type JWTPayload } from \"jose\";\nimport {\n  tokenKeys,\n  type AuthStorage,\n  type OAuthTokens,\n  type User,\n  type EmptyObject,\n  type UnknownObject,\n} from \"@/types.js\";\nimport { JWT_PAYLOAD_KNOWN_CLAIM_KEYS } from \"@/constants.js\";\n\n// Function to omit keys from an object\nconst omitKeys = <K extends keyof T, T extends Record<string, unknown>>(\n  keys: K[],\n  obj: T,\n): Omit<T, K> => {\n  const result = { ...obj };\n  keys.forEach((key) => {\n    delete result[key];\n  });\n  return result;\n};\n\nconst parseJWTToType = <T extends UnknownObject = EmptyObject>(\n  jwt: string,\n): JWTPayload & T => {\n  const parseResult = decodeJwt(jwt);\n  return parseResult as JWTPayload & T;\n};\n\nexport async function getUser<T extends UnknownObject = EmptyObject>(\n  storage: AuthStorage,\n): Promise<User<T> | null> {\n  const tokens = await retrieveTokens(storage);\n  if (!tokens) return null;\n\n  const parsedToken = parseJWTToType<T>(tokens.id_token);\n  // it might be preferable to throw here\n  if (!parsedToken.sub) return null;\n\n  // set the user ID from the token sub\n  const userWithAdditionalTokenFields = {\n    ...(parsedToken as T),\n    id: parsedToken.sub,\n  };\n\n  // Assumes all information is in the ID token\n  // remove the token keys from the user object to stop it getting too large\n  return omitKeys(\n    [...JWT_PAYLOAD_KNOWN_CLAIM_KEYS, ...tokenKeys],\n    userWithAdditionalTokenFields,\n  ) as User<T>;\n}\n\nexport async function getTokens(\n  storage: AuthStorage,\n): Promise<OAuthTokens | null> {\n  const storageData = await retrieveTokens(storage);\n  if (!storageData) return null;\n\n  return {\n    idToken: storageData.id_token,\n    accessToken: storageData.access_token,\n    refreshToken: storageData.refresh_token,\n  };\n}\n"]}

package/dist/shared/lib/storage.d.ts

@@ -0,0 +1,35 @@
+import type { AuthStorage, SessionData, UnknownObject, User } from "../../types.js";
+import type { CookieConfig } from "./types.js";
+type SameSiteOption = "strict" | "lax" | "none";
+export interface SessionStorage {
+    get(): SessionData;
+    getUser(): User<UnknownObject> | null;
+    set(data: Partial<SessionData>): void;
+    setUser(data: User<UnknownObject> | null): void;
+    clear(): void;
+}
+export type CookieStorageSettings = {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: SameSiteOption;
+    expires: Date;
+    path: string;
+};
+export declare const DEFAULT_COOKIE_DURATION: number;
+export declare abstract class CookieStorage implements AuthStorage {
+    protected settings: CookieStorageSettings;
+    protected constructor(settings?: Partial<CookieStorageSettings>);
+    abstract get(key: string): Promise<string | null>;
+    abstract set(key: string, value: string, cookieConfigOverride?: Partial<CookieConfig>): Promise<void>;
+    abstract delete(key: string): Promise<void>;
+}
+export type AuthCookieStorageSettings = {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: SameSiteOption;
+    expires: Date;
+    path: string;
+    timestamp: Date;
+};
+export {};
+//# sourceMappingURL=storage.d.ts.map

package/dist/shared/lib/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/storage.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,KAAK,cAAc,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEhD,MAAM,WAAW,cAAc;IAC7B,GAAG,IAAI,WAAW,CAAC;IACnB,OAAO,IAAI,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;IAChD,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,IAAI,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,eAAO,MAAM,uBAAuB,QAAU,CAAC;AAE/C,8BAAsB,aAAc,YAAW,WAAW;IACxD,SAAS,CAAC,QAAQ,EAAE,qBAAqB,CAAC;IAC1C,SAAS,aAAa,QAAQ,GAAE,OAAO,CAAC,qBAAqB,CAAM;IAanE,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IACjD,QAAQ,CAAC,GAAG,CACV,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,oBAAoB,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,GAC3C,OAAO,CAAC,IAAI,CAAC;IAChB,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAC5C;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,IAAI,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,IAAI,CAAC;CACjB,CAAC"}

package/dist/shared/lib/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../src/shared/lib/storage.ts"],"names":[],"mappings":"AAqBA,MAAM,CAAC,MAAM,uBAAuB,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,aAAa;AAE7D,MAAM,OAAgB,aAAa;IACvB,QAAQ,CAAwB;IAC1C,YAAsB,WAA2C,EAAE;QACjE,IAAI,CAAC,QAAQ,GAAG;YACd,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,IAAI;YACnC,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;YAC/B,6CAA6C;YAC7C,kEAAkE;YAClE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,KAAK;YACpC,OAAO,EACL,QAAQ,CAAC,OAAO;gBAChB,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,uBAAuB,CAAC;YACvD,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,GAAG;SAC3B,CAAC;IACJ,CAAC;CAQF","sourcesContent":["import type { AuthStorage, SessionData, UnknownObject, User } from \"@/types.js\";\nimport type { CookieConfig } from \"./types.js\";\n\ntype SameSiteOption = \"strict\" | \"lax\" | \"none\";\n\nexport interface SessionStorage {\n  get(): SessionData;\n  getUser(): User<UnknownObject> | null;\n  set(data: Partial<SessionData>): void;\n  setUser(data: User<UnknownObject> | null): void;\n  clear(): void;\n}\n\nexport type CookieStorageSettings = {\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: SameSiteOption;\n  expires: Date;\n  path: string;\n};\n\nexport const DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes\n\nexport abstract class CookieStorage implements AuthStorage {\n  protected settings: CookieStorageSettings;\n  protected constructor(settings: Partial<CookieStorageSettings> = {}) {\n    this.settings = {\n      httpOnly: settings.httpOnly ?? true,\n      secure: settings.secure ?? true,\n      // the callback request comes the auth server\n      // 'lax' ensures the code_verifier cookie is sent with the request\n      sameSite: settings.sameSite ?? \"lax\",\n      expires:\n        settings.expires ??\n        new Date(Date.now() + 1000 * DEFAULT_COOKIE_DURATION),\n      path: settings.path ?? \"/\",\n    };\n  }\n  abstract get(key: string): Promise<string | null>;\n  abstract set(\n    key: string,\n    value: string,\n    cookieConfigOverride?: Partial<CookieConfig>,\n  ): Promise<void>;\n  abstract delete(key: string): Promise<void>;\n}\n\nexport type AuthCookieStorageSettings = {\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: SameSiteOption;\n  expires: Date;\n  path: string;\n  timestamp: Date;\n};\n"]}

package/dist/shared/lib/types.d.ts

@@ -0,0 +1,39 @@
+import type { Endpoints } from "../../types.js";
+export declare enum OAuthTokens {
+    ID_TOKEN = "id_token",
+    ACCESS_TOKEN = "access_token",
+    REFRESH_TOKEN = "refresh_token",
+    ACCESS_TOKEN_EXPIRES_AT = "access_token_expires_at"
+}
+export declare const AUTH_SERVER_SESSION = "_session";
+export declare const AUTH_SERVER_LEGACY_SESSION = "_session.legacy";
+export declare enum CodeVerifier {
+    COOKIE_NAME = "code_verifier",
+    APP_URL = "app_url"
+}
+export declare enum UserStorage {
+    USER = "user"
+}
+export interface CookieConfig {
+    secure?: boolean;
+    sameSite?: "strict" | "lax" | "none";
+    domain?: string;
+    path?: string;
+    maxAge?: number;
+    httpOnly?: boolean;
+}
+export type KeySetter = OAuthTokens | CodeVerifier | UserStorage;
+export type TokensCookieConfig = Record<OAuthTokens | CodeVerifier, CookieConfig>;
+export type CivicAuthConfig = null | {
+    clientId: string;
+    redirectUrl: string;
+    logoutRedirectUrl: string;
+    oauthServer: string;
+    endpoints: Endpoints;
+    scopes: string[];
+    nonce?: string;
+    challengeUrl?: string;
+    refreshUrl?: string;
+    logoutUrl?: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/shared/lib/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,oBAAY,WAAW;IACrB,QAAQ,aAAa;IACrB,YAAY,iBAAiB;IAC7B,aAAa,kBAAkB;IAC/B,uBAAuB,4BAA4B;CACpD;AAED,eAAO,MAAM,mBAAmB,aAAa,CAAC;AAC9C,eAAO,MAAM,0BAA0B,oBAAoB,CAAC;AAE5D,oBAAY,YAAY;IACtB,WAAW,kBAAkB;IAC7B,OAAO,YAAY;CACpB;AACD,oBAAY,WAAW;IACrB,IAAI,SAAS;CACd;AACD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AACD,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG,MAAM,CACrC,WAAW,GAAG,YAAY,EAC1B,YAAY,CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}

package/dist/shared/lib/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAEA,MAAM,CAAN,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,oCAAqB,CAAA;IACrB,4CAA6B,CAAA;IAC7B,8CAA+B,CAAA;IAC/B,kEAAmD,CAAA;AACrD,CAAC,EALW,WAAW,KAAX,WAAW,QAKtB;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,UAAU,CAAC;AAC9C,MAAM,CAAC,MAAM,0BAA0B,GAAG,iBAAiB,CAAC;AAE5D,MAAM,CAAN,IAAY,YAGX;AAHD,WAAY,YAAY;IACtB,6CAA6B,CAAA;IAC7B,mCAAmB,CAAA;AACrB,CAAC,EAHW,YAAY,KAAZ,YAAY,QAGvB;AACD,MAAM,CAAN,IAAY,WAEX;AAFD,WAAY,WAAW;IACrB,4BAAa,CAAA;AACf,CAAC,EAFW,WAAW,KAAX,WAAW,QAEtB","sourcesContent":["import type { Endpoints } from \"@/types.js\";\n\nexport enum OAuthTokens {\n  ID_TOKEN = \"id_token\",\n  ACCESS_TOKEN = \"access_token\",\n  REFRESH_TOKEN = \"refresh_token\",\n  ACCESS_TOKEN_EXPIRES_AT = \"access_token_expires_at\",\n}\n\nexport const AUTH_SERVER_SESSION = \"_session\";\nexport const AUTH_SERVER_LEGACY_SESSION = \"_session.legacy\";\n\nexport enum CodeVerifier {\n  COOKIE_NAME = \"code_verifier\",\n  APP_URL = \"app_url\",\n}\nexport enum UserStorage {\n  USER = \"user\",\n}\nexport interface CookieConfig {\n  secure?: boolean;\n  sameSite?: \"strict\" | \"lax\" | \"none\";\n  domain?: string;\n  path?: string;\n  maxAge?: number;\n  httpOnly?: boolean;\n}\nexport type KeySetter = OAuthTokens | CodeVerifier | UserStorage;\n\nexport type TokensCookieConfig = Record<\n  OAuthTokens | CodeVerifier,\n  CookieConfig\n>;\n\nexport type CivicAuthConfig = null | {\n  clientId: string;\n  redirectUrl: string;\n  logoutRedirectUrl: string;\n  oauthServer: string;\n  endpoints: Endpoints;\n  scopes: string[];\n  nonce?: string;\n  challengeUrl?: string;\n  refreshUrl?: string;\n  logoutUrl?: string;\n};\n"]}

package/dist/shared/lib/util.d.ts

@@ -0,0 +1,40 @@
+import type { AuthStorage, Endpoints, OIDCTokenResponseBody, ParsedTokens } from "../../types.js";
+import { OAuth2Client } from "oslo/oauth2";
+import type { PKCEConsumer, PKCEProducer } from "../../services/types.js";
+import type { CookieStorage } from "./storage.js";
+/**
+ * Given a PKCE code verifier, derive the code challenge using SHA
+ */
+export declare function deriveCodeChallenge(codeVerifier: string, method?: "Plain" | "S256"): Promise<string>;
+export declare function getEndpointsWithOverrides(oauthServer: string, endpointOverrides?: Partial<Endpoints>): Promise<Endpoints>;
+export declare function generateOauthLoginUrl(config: {
+    clientId: string;
+    scopes: string[];
+    state: string;
+    redirectUrl: string;
+    oauthServer: string;
+    nonce?: string;
+    endpointOverrides?: Partial<Endpoints>;
+    pkceConsumer: PKCEConsumer;
+}): Promise<URL>;
+export declare function generateOauthLogoutUrl(config: {
+    clientId: string;
+    redirectUrl: string;
+    idToken: string;
+    state: string;
+    oauthServer: string;
+    endpointOverrides?: Partial<Endpoints>;
+}): Promise<URL>;
+export declare function buildOauth2Client(clientId: string, redirectUri: string, endpoints: Endpoints): OAuth2Client;
+export declare function exchangeTokens(code: string, state: string, pkceProducer: PKCEProducer, oauth2Client: OAuth2Client, oauthServer: string, endpoints: Endpoints): Promise<OIDCTokenResponseBody>;
+export declare const getAccessTokenExpiresAt: (tokens: OIDCTokenResponseBody) => number;
+export declare function setAccessTokenExpiresAt(storage: AuthStorage | CookieStorage, tokens: OIDCTokenResponseBody): Promise<void>;
+export declare function storeTokens(storage: AuthStorage, tokens: OIDCTokenResponseBody): Promise<void>;
+export declare function storeServerTokens(storage: AuthStorage | CookieStorage, tokens: OIDCTokenResponseBody): Promise<void>;
+export declare function clearTokens(storage: AuthStorage): Promise<void>;
+export declare function clearAuthServerSession(storage: AuthStorage): Promise<void>;
+export declare function clearUser(storage: AuthStorage): Promise<void>;
+export declare function retrieveTokens(storage: AuthStorage): Promise<OIDCTokenResponseBody | null>;
+export declare function retrieveAccessTokenExpiresAt(storage: AuthStorage): Promise<number>;
+export declare function validateOauth2Tokens(tokens: OIDCTokenResponseBody, endpoints: Endpoints, oauth2Client: OAuth2Client, issuer: string): Promise<ParsedTokens>;
+//# sourceMappingURL=util.d.ts.map

package/dist/shared/lib/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,qBAAqB,EACrB,YAAY,EACb,MAAM,YAAY,CAAC;AAMpB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAOlD;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,OAAO,GAAG,MAAe,GAChC,OAAO,CAAC,MAAM,CAAC,CAajB;AAED,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,iBAAiB,GAAE,OAAO,CAAC,SAAS,CAAM,GACzC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CA2Bf;AAED,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;CACxC,GAAG,OAAO,CAAC,GAAG,CAAC,CAcf;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,GACnB,YAAY,CAId;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,kCAoBrB;AAED,eAAO,MAAM,uBAAuB,WAC1B,qBAAqB,KAC5B,MAUF,CAAC;AACF,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,WAAW,GAAG,aAAa,EACpC,MAAM,EAAE,qBAAqB,iBAQ9B;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,qBAAqB,iBAQ9B;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,WAAW,GAAG,aAAa,EACpC,MAAM,EAAE,qBAAqB,iBAsC9B;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,iBAYrD;AAED,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,WAAW,iBAGhE;AAED,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,iBAGnD;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAmBvC;AAED,wBAAsB,4BAA4B,CAChD,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,MAAM,CAAC,CAEjB;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,qBAAqB,EAC7B,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CA2BvB"}

package/dist/shared/lib/util.js

@@ -0,0 +1,187 @@
+import { AUTH_SERVER_LEGACY_SESSION, AUTH_SERVER_SESSION, OAuthTokens, } from "./types.js";
+import { OAuth2Client } from "oslo/oauth2";
+import { getIssuerVariations, getOauthEndpoints } from "../../lib/oauth.js";
+import * as jose from "jose";
+import { withoutUndefined } from "../../utils.js";
+import { GenericUserSession } from "../../shared/lib/UserSession.js";
+import { decodeJwt } from "jose";
+import { AUTOREFRESH_TIMEOUT_NAME, LOGOUT_STATE, REFRESH_IN_PROGRESS, } from "../../constants.js";
+/**
+ * Given a PKCE code verifier, derive the code challenge using SHA
+ */
+export async function deriveCodeChallenge(codeVerifier, method = "S256") {
+    if (method === "Plain") {
+        console.warn("Using insecure plain code challenge method");
+        return codeVerifier;
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest)))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+export async function getEndpointsWithOverrides(oauthServer, endpointOverrides = {}) {
+    const endpoints = await getOauthEndpoints(oauthServer);
+    return {
+        ...endpoints,
+        ...endpointOverrides,
+    };
+}
+export async function generateOauthLoginUrl(config) {
+    const endpoints = await getEndpointsWithOverrides(config.oauthServer, config.endpointOverrides);
+    const oauth2Client = buildOauth2Client(config.clientId, config.redirectUrl, endpoints);
+    const challenge = await config.pkceConsumer.getCodeChallenge();
+    const oAuthUrl = await oauth2Client.createAuthorizationURL({
+        state: config.state,
+        scopes: config.scopes,
+    });
+    // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source
+    // It only allows passing in a code verifier which it then hashes itself.
+    oAuthUrl.searchParams.append("code_challenge", challenge);
+    oAuthUrl.searchParams.append("code_challenge_method", "S256");
+    if (config.nonce) {
+        // nonce isn't supported by oslo, so we add it manually
+        oAuthUrl.searchParams.append("nonce", config.nonce);
+    }
+    // Required by the auth server for offline_access scope
+    oAuthUrl.searchParams.append("prompt", "consent");
+    return oAuthUrl;
+}
+export async function generateOauthLogoutUrl(config) {
+    const endpoints = await getEndpointsWithOverrides(config.oauthServer, config.endpointOverrides);
+    const endSessionUrl = new URL(endpoints.endsession);
+    endSessionUrl.searchParams.append("client_id", config.clientId);
+    endSessionUrl.searchParams.append("id_token_hint", config.idToken);
+    endSessionUrl.searchParams.append("state", config.state);
+    endSessionUrl.searchParams.append("post_logout_redirect_uri", config.redirectUrl);
+    return endSessionUrl;
+}
+export function buildOauth2Client(clientId, redirectUri, endpoints) {
+    return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {
+        redirectURI: redirectUri,
+    });
+}
+export async function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
+    const codeVerifier = await pkceProducer.getCodeVerifier();
+    if (!codeVerifier)
+        throw new Error("Code verifier not found in state");
+    const tokens = await oauth2Client.validateAuthorizationCode(code, {
+        codeVerifier,
+    });
+    // Validate relevant tokens
+    try {
+        await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
+    }
+    catch (error) {
+        console.error("tokenExchange error", { error, tokens });
+        throw new Error(`OIDC tokens validation failed: ${error.message}`);
+    }
+    return tokens;
+}
+export const getAccessTokenExpiresAt = (tokens) => {
+    const parsedAccessToken = decodeJwt(tokens.access_token);
+    if (parsedAccessToken?.exp || false) {
+        return parsedAccessToken.exp;
+    }
+    else if (tokens.expires_in) {
+        const now = Math.floor(new Date().getTime() / 1000);
+        return now + tokens.expires_in;
+    }
+    else {
+        throw new Error("Cannot determine access token expiry!");
+    }
+};
+export async function setAccessTokenExpiresAt(storage, tokens) {
+    // try to extract absolute expiry time from access token but fallback to calculation if not possible
+    const accessTokenExpiresAt = getAccessTokenExpiresAt(tokens);
+    await storage.set(OAuthTokens.ACCESS_TOKEN_EXPIRES_AT, accessTokenExpiresAt.toString());
+}
+export async function storeTokens(storage, tokens) {
+    await storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);
+    await storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token) {
+        await storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);
+    }
+    await setAccessTokenExpiresAt(storage, tokens);
+}
+export async function storeServerTokens(storage, tokens) {
+    const accessTokenExpiresAt = getAccessTokenExpiresAt(tokens);
+    const cookieStorage = storage;
+    const now = Math.floor(Date.now() / 1000);
+    const accessTokenMaxAge = accessTokenExpiresAt && accessTokenExpiresAt - now;
+    const cookiesOverride = {
+        ...(accessTokenMaxAge ? { maxAge: accessTokenMaxAge } : {}),
+    };
+    // the refresh token must be longer-lived than the access token max age to allow time for automatic refresh
+    // as it's not a JWT, we derive it from the access token max age and add a margin
+    const refreshTokenMaxAge = accessTokenMaxAge && accessTokenMaxAge + 5 * 60;
+    const refreshCookiesOverride = {
+        ...(refreshTokenMaxAge ? { maxAge: refreshTokenMaxAge } : {}),
+    };
+    await cookieStorage.set(OAuthTokens.ID_TOKEN, tokens.id_token, cookiesOverride);
+    await cookieStorage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token, cookiesOverride);
+    if (tokens.refresh_token) {
+        await cookieStorage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token, refreshCookiesOverride);
+    }
+    await storage.set(OAuthTokens.ACCESS_TOKEN_EXPIRES_AT, accessTokenExpiresAt.toString(), cookiesOverride);
+}
+export async function clearTokens(storage) {
+    console.log("clearTokens");
+    // clear all local storage keys related to OAuth and CivicAuth SDK
+    const clearOAuthPromises = [
+        ...Object.values(OAuthTokens),
+        REFRESH_IN_PROGRESS,
+        AUTOREFRESH_TIMEOUT_NAME,
+        LOGOUT_STATE,
+    ].map(async (key) => {
+        await storage.delete(key);
+    });
+    await Promise.all([...clearOAuthPromises]);
+}
+export async function clearAuthServerSession(storage) {
+    await storage.delete(AUTH_SERVER_SESSION);
+    await storage.delete(AUTH_SERVER_LEGACY_SESSION);
+}
+export async function clearUser(storage) {
+    const userSession = new GenericUserSession(storage);
+    await userSession.clear();
+}
+export async function retrieveTokens(storage) {
+    const idToken = await storage.get(OAuthTokens.ID_TOKEN);
+    const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);
+    const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);
+    const accessTokenExpiresAt = await storage.get(OAuthTokens.ACCESS_TOKEN_EXPIRES_AT);
+    if (!idToken || !accessToken)
+        return null;
+    return {
+        id_token: idToken,
+        access_token: accessToken,
+        refresh_token: refreshToken ?? undefined,
+        access_token_expires_at: accessTokenExpiresAt !== null
+            ? parseInt(accessTokenExpiresAt, 10)
+            : undefined, // Convert string to number
+    };
+}
+export async function retrieveAccessTokenExpiresAt(storage) {
+    return Number(await storage.get(OAuthTokens.ACCESS_TOKEN_EXPIRES_AT));
+}
+export async function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
+    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+    // validate the ID token
+    const idTokenResponse = await jose.jwtVerify(tokens.id_token, JWKS, {
+        issuer: getIssuerVariations(issuer),
+        audience: oauth2Client.clientId,
+    });
+    // validate the access token
+    const accessTokenResponse = await jose.jwtVerify(tokens.access_token, JWKS, {
+        issuer: getIssuerVariations(issuer),
+    });
+    return withoutUndefined({
+        id_token: idTokenResponse.payload,
+        access_token: accessTokenResponse.payload,
+        refresh_token: tokens.refresh_token,
+    });
+}
+//# sourceMappingURL=util.js.map

package/dist/shared/lib/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxE,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAmB,MAAM,MAAM,CAAC;AAElD,OAAO,EACL,wBAAwB,EACxB,YAAY,EACZ,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AAExB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IACH,yGAAyG;IACzG,yEAAyE;IACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,aAAa,CAAC,YAAY,CAAC,MAAM,CAC/B,0BAA0B,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAA0B,EAC1B,YAA0B,EAC1B,WAAmB,EACnB,SAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,eAAe,EAAE,CAAC;IAC1D,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAEvE,MAAM,MAAM,GACV,MAAM,YAAY,CAAC,yBAAyB,CAAwB,IAAI,EAAE;QACxE,YAAY;KACb,CAAC,CAAC;IAEL,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACrC,MAA6B,EACrB,EAAE;IACV,MAAM,iBAAiB,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACzD,IAAI,iBAAiB,EAAE,GAAG,IAAI,KAAK,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC,GAAG,CAAC;IAC/B,CAAC;SAAM,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACpD,OAAO,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC,CAAC;AACF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAoC,EACpC,MAA6B;IAE7B,oGAAoG;IACpG,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,OAAO,CAAC,GAAG,CACf,WAAW,CAAC,uBAAuB,EACnC,oBAAoB,CAAC,QAAQ,EAAE,CAChC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzD,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAoC,EACpC,MAA6B;IAE7B,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,OAAwB,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,iBAAiB,GAAG,oBAAoB,IAAI,oBAAoB,GAAG,GAAG,CAAC;IAE7E,MAAM,eAAe,GAAG;QACtB,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5D,CAAC;IACF,2GAA2G;IAC3G,iFAAiF;IACjF,MAAM,kBAAkB,GAAG,iBAAiB,IAAI,iBAAiB,GAAG,CAAC,GAAG,EAAE,CAAC;IAC3E,MAAM,sBAAsB,GAAG;QAC7B,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9D,CAAC;IACF,MAAM,aAAa,CAAC,GAAG,CACrB,WAAW,CAAC,QAAQ,EACpB,MAAM,CAAC,QAAQ,EACf,eAAe,CAChB,CAAC;IACF,MAAM,aAAa,CAAC,GAAG,CACrB,WAAW,CAAC,YAAY,EACxB,MAAM,CAAC,YAAY,EACnB,eAAe,CAChB,CAAC;IACF,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,aAAa,CAAC,GAAG,CACrB,WAAW,CAAC,aAAa,EACzB,MAAM,CAAC,aAAa,EACpB,sBAAsB,CACvB,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,WAAW,CAAC,uBAAuB,EACnC,oBAAoB,CAAC,QAAQ,EAAE,EAC/B,eAAe,CAChB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoB;IACpD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3B,kEAAkE;IAClE,MAAM,kBAAkB,GAAG;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;QAC7B,mBAAmB;QACnB,wBAAwB;QACxB,YAAY;KACb,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAoB;IAC/D,MAAM,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAClE,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,WAAW,CAAC,uBAAuB,CACpC,CAAC;IAEF,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE1C,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,YAAY,IAAI,SAAS;QACxC,uBAAuB,EACrB,oBAAoB,KAAK,IAAI;YAC3B,CAAC,CAAC,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACpC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAoB;IAEpB,OAAO,MAAM,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,uBAAuB,CAAC,CAAC,CAAC;AACxE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,SAAoB,EACpB,YAA0B,EAC1B,MAAc;IAEd,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAC1C,MAAM,CAAC,QAAQ,EACf,IAAI,EACJ;QACE,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;QACnC,QAAQ,EAAE,YAAY,CAAC,QAAQ;KAChC,CACF,CAAC;IAEF,4BAA4B;IAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9C,MAAM,CAAC,YAAY,EACnB,IAAI,EACJ;QACE,MAAM,EAAE,mBAAmB,CAAC,MAAM,CAAC;KACpC,CACF,CAAC;IAEF,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,eAAe,CAAC,OAAO;QACjC,YAAY,EAAE,mBAAmB,CAAC,OAAO;QACzC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;AACL,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n  AuthStorage,\n  Endpoints,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport {\n  AUTH_SERVER_LEGACY_SESSION,\n  AUTH_SERVER_SESSION,\n  OAuthTokens,\n} from \"./types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport { decodeJwt, type JWTPayload } from \"jose\";\nimport type { CookieStorage } from \"./storage.js\";\nimport {\n  AUTOREFRESH_TIMEOUT_NAME,\n  LOGOUT_STATE,\n  REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  nonce?: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  if (config.nonce) {\n    // nonce isn't supported by oslo, so we add it manually\n    oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n  }\n  // Required by the auth server for offline_access scope\n  oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  redirectUrl: string;\n  idToken: string;\n  state: string;\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const endSessionUrl = new URL(endpoints.endsession);\n  endSessionUrl.searchParams.append(\"client_id\", config.clientId);\n  endSessionUrl.searchParams.append(\"id_token_hint\", config.idToken);\n  endSessionUrl.searchParams.append(\"state\", config.state);\n  endSessionUrl.searchParams.append(\n    \"post_logout_redirect_uri\",\n    config.redirectUrl,\n  );\n  return endSessionUrl;\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n    redirectURI: redirectUri,\n  });\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n  return tokens;\n}\n\nexport const getAccessTokenExpiresAt = (\n  tokens: OIDCTokenResponseBody,\n): number => {\n  const parsedAccessToken = decodeJwt(tokens.access_token);\n  if (parsedAccessToken?.exp || false) {\n    return parsedAccessToken.exp;\n  } else if (tokens.expires_in) {\n    const now = Math.floor(new Date().getTime() / 1000);\n    return now + tokens.expires_in;\n  } else {\n    throw new Error(\"Cannot determine access token expiry!\");\n  }\n};\nexport async function setAccessTokenExpiresAt(\n  storage: AuthStorage | CookieStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // try to extract absolute expiry time from access token but fallback to calculation if not possible\n  const accessTokenExpiresAt = getAccessTokenExpiresAt(tokens);\n  await storage.set(\n    OAuthTokens.ACCESS_TOKEN_EXPIRES_AT,\n    accessTokenExpiresAt.toString(),\n  );\n}\n\nexport async function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  await storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n  await storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token) {\n    await storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n  }\n  await setAccessTokenExpiresAt(storage, tokens);\n}\n\nexport async function storeServerTokens(\n  storage: AuthStorage | CookieStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  const accessTokenExpiresAt = getAccessTokenExpiresAt(tokens);\n  const cookieStorage = storage as CookieStorage;\n  const now = Math.floor(Date.now() / 1000);\n  const accessTokenMaxAge = accessTokenExpiresAt && accessTokenExpiresAt - now;\n\n  const cookiesOverride = {\n    ...(accessTokenMaxAge ? { maxAge: accessTokenMaxAge } : {}),\n  };\n  // the refresh token must be longer-lived than the access token max age to allow time for automatic refresh\n  // as it's not a JWT, we derive it from the access token max age and add a margin\n  const refreshTokenMaxAge = accessTokenMaxAge && accessTokenMaxAge + 5 * 60;\n  const refreshCookiesOverride = {\n    ...(refreshTokenMaxAge ? { maxAge: refreshTokenMaxAge } : {}),\n  };\n  await cookieStorage.set(\n    OAuthTokens.ID_TOKEN,\n    tokens.id_token,\n    cookiesOverride,\n  );\n  await cookieStorage.set(\n    OAuthTokens.ACCESS_TOKEN,\n    tokens.access_token,\n    cookiesOverride,\n  );\n  if (tokens.refresh_token) {\n    await cookieStorage.set(\n      OAuthTokens.REFRESH_TOKEN,\n      tokens.refresh_token,\n      refreshCookiesOverride,\n    );\n  }\n  await storage.set(\n    OAuthTokens.ACCESS_TOKEN_EXPIRES_AT,\n    accessTokenExpiresAt.toString(),\n    cookiesOverride,\n  );\n}\n\nexport async function clearTokens(storage: AuthStorage) {\n  console.log(\"clearTokens\");\n  // clear all local storage keys related to OAuth and CivicAuth SDK\n  const clearOAuthPromises = [\n    ...Object.values(OAuthTokens),\n    REFRESH_IN_PROGRESS,\n    AUTOREFRESH_TIMEOUT_NAME,\n    LOGOUT_STATE,\n  ].map(async (key) => {\n    await storage.delete(key);\n  });\n  await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearAuthServerSession(storage: AuthStorage) {\n  await storage.delete(AUTH_SERVER_SESSION);\n  await storage.delete(AUTH_SERVER_LEGACY_SESSION);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n  const userSession = new GenericUserSession(storage);\n  await userSession.clear();\n}\n\nexport async function retrieveTokens(\n  storage: AuthStorage,\n): Promise<OIDCTokenResponseBody | null> {\n  const idToken = await storage.get(OAuthTokens.ID_TOKEN);\n  const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);\n  const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);\n  const accessTokenExpiresAt = await storage.get(\n    OAuthTokens.ACCESS_TOKEN_EXPIRES_AT,\n  );\n\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n    access_token_expires_at:\n      accessTokenExpiresAt !== null\n        ? parseInt(accessTokenExpiresAt, 10)\n        : undefined, // Convert string to number\n  };\n}\n\nexport async function retrieveAccessTokenExpiresAt(\n  storage: AuthStorage,\n): Promise<number> {\n  return Number(await storage.get(OAuthTokens.ACCESS_TOKEN_EXPIRES_AT));\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  issuer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n"]}