@civic/auth 0.4.2-beta.1 → 0.4.3-alpha.0

package/dist/cjs/shared/lib/session.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getUser = getUser;
+exports.getTokens = getTokens;
+const util_js_1 = require("../../shared/lib/util.js");
+const jose_1 = require("jose");
+const types_js_1 = require("../../types.js");
+const constants_js_1 = require("../../constants.js");
+// Function to omit keys from an object
+const omitKeys = (keys, obj) => {
+    const result = { ...obj };
+    keys.forEach((key) => {
+        delete result[key];
+    });
+    return result;
+};
+const parseJWTToType = (jwt) => {
+    const parseResult = (0, jose_1.decodeJwt)(jwt);
+    return parseResult;
+};
+async function getUser(storage) {
+    const tokens = await (0, util_js_1.retrieveTokens)(storage);
+    if (!tokens)
+        return null;
+    const parsedToken = parseJWTToType(tokens.id_token);
+    // it might be preferable to throw here
+    if (!parsedToken.sub)
+        return null;
+    // set the user ID from the token sub
+    const userWithAdditionalTokenFields = {
+        ...parsedToken,
+        id: parsedToken.sub,
+    };
+    // Assumes all information is in the ID token
+    // remove the token keys from the user object to stop it getting too large
+    return omitKeys([...constants_js_1.JWT_PAYLOAD_KNOWN_CLAIM_KEYS, ...types_js_1.tokenKeys], userWithAdditionalTokenFields);
+}
+async function getTokens(storage) {
+    const storageData = await (0, util_js_1.retrieveTokens)(storage);
+    if (!storageData)
+        return null;
+    return {
+        idToken: storageData.id_token,
+        accessToken: storageData.access_token,
+        refreshToken: storageData.refresh_token,
+    };
+}
+//# sourceMappingURL=session.js.map

package/dist/cjs/shared/lib/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../../src/shared/lib/session.ts"],"names":[],"mappings":";;AA+BA,0BAsBC;AAED,8BAWC;AAlED,kDAAsD;AACtD,+BAAkD;AAClD,yCAOoB;AACpB,iDAA8D;AAE9D,uCAAuC;AACvC,MAAM,QAAQ,GAAG,CACf,IAAS,EACT,GAAM,EACM,EAAE;IACd,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;IAC1B,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CACrB,GAAW,EACK,EAAE;IAClB,MAAM,WAAW,GAAG,IAAA,gBAAS,EAAC,GAAG,CAAC,CAAC;IACnC,OAAO,WAA6B,CAAC;AACvC,CAAC,CAAC;AAEK,KAAK,UAAU,OAAO,CAC3B,OAAoB;IAEpB,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAc,EAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,WAAW,GAAG,cAAc,CAAI,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,uCAAuC;IACvC,IAAI,CAAC,WAAW,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAElC,qCAAqC;IACrC,MAAM,6BAA6B,GAAG;QACpC,GAAI,WAAiB;QACrB,EAAE,EAAE,WAAW,CAAC,GAAG;KACpB,CAAC;IAEF,6CAA6C;IAC7C,0EAA0E;IAC1E,OAAO,QAAQ,CACb,CAAC,GAAG,2CAA4B,EAAE,GAAG,oBAAS,CAAC,EAC/C,6BAA6B,CACnB,CAAC;AACf,CAAC;AAEM,KAAK,UAAU,SAAS,CAC7B,OAAoB;IAEpB,MAAM,WAAW,GAAG,MAAM,IAAA,wBAAc,EAAC,OAAO,CAAC,CAAC;IAClD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,OAAO;QACL,OAAO,EAAE,WAAW,CAAC,QAAQ;QAC7B,WAAW,EAAE,WAAW,CAAC,YAAY;QACrC,YAAY,EAAE,WAAW,CAAC,aAAa;KACxC,CAAC;AACJ,CAAC","sourcesContent":["import { retrieveTokens } from \"@/shared/lib/util.js\";\nimport { decodeJwt, type JWTPayload } from \"jose\";\nimport {\n  tokenKeys,\n  type AuthStorage,\n  type OAuthTokens,\n  type User,\n  type EmptyObject,\n  type UnknownObject,\n} from \"@/types.js\";\nimport { JWT_PAYLOAD_KNOWN_CLAIM_KEYS } from \"@/constants.js\";\n\n// Function to omit keys from an object\nconst omitKeys = <K extends keyof T, T extends Record<string, unknown>>(\n  keys: K[],\n  obj: T,\n): Omit<T, K> => {\n  const result = { ...obj };\n  keys.forEach((key) => {\n    delete result[key];\n  });\n  return result;\n};\n\nconst parseJWTToType = <T extends UnknownObject = EmptyObject>(\n  jwt: string,\n): JWTPayload & T => {\n  const parseResult = decodeJwt(jwt);\n  return parseResult as JWTPayload & T;\n};\n\nexport async function getUser<T extends UnknownObject = EmptyObject>(\n  storage: AuthStorage,\n): Promise<User<T> | null> {\n  const tokens = await retrieveTokens(storage);\n  if (!tokens) return null;\n\n  const parsedToken = parseJWTToType<T>(tokens.id_token);\n  // it might be preferable to throw here\n  if (!parsedToken.sub) return null;\n\n  // set the user ID from the token sub\n  const userWithAdditionalTokenFields = {\n    ...(parsedToken as T),\n    id: parsedToken.sub,\n  };\n\n  // Assumes all information is in the ID token\n  // remove the token keys from the user object to stop it getting too large\n  return omitKeys(\n    [...JWT_PAYLOAD_KNOWN_CLAIM_KEYS, ...tokenKeys],\n    userWithAdditionalTokenFields,\n  ) as User<T>;\n}\n\nexport async function getTokens(\n  storage: AuthStorage,\n): Promise<OAuthTokens | null> {\n  const storageData = await retrieveTokens(storage);\n  if (!storageData) return null;\n\n  return {\n    idToken: storageData.id_token,\n    accessToken: storageData.access_token,\n    refreshToken: storageData.refresh_token,\n  };\n}\n"]}

package/dist/cjs/shared/lib/storage.d.ts

@@ -0,0 +1,35 @@
+import type { AuthStorage, SessionData, UnknownObject, User } from "../../types.js";
+import type { CookieConfig } from "./types.js";
+type SameSiteOption = "strict" | "lax" | "none";
+export interface SessionStorage {
+    get(): SessionData;
+    getUser(): User<UnknownObject> | null;
+    set(data: Partial<SessionData>): void;
+    setUser(data: User<UnknownObject> | null): void;
+    clear(): void;
+}
+export type CookieStorageSettings = {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: SameSiteOption;
+    expires: Date;
+    path: string;
+};
+export declare const DEFAULT_COOKIE_DURATION: number;
+export declare abstract class CookieStorage implements AuthStorage {
+    protected settings: CookieStorageSettings;
+    protected constructor(settings?: Partial<CookieStorageSettings>);
+    abstract get(key: string): Promise<string | null>;
+    abstract set(key: string, value: string, cookieConfigOverride?: Partial<CookieConfig>): Promise<void>;
+    abstract delete(key: string): Promise<void>;
+}
+export type AuthCookieStorageSettings = {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: SameSiteOption;
+    expires: Date;
+    path: string;
+    timestamp: Date;
+};
+export {};
+//# sourceMappingURL=storage.d.ts.map

package/dist/cjs/shared/lib/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/storage.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAChF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,KAAK,cAAc,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEhD,MAAM,WAAW,cAAc;IAC7B,GAAG,IAAI,WAAW,CAAC;IACnB,OAAO,IAAI,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;IACtC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;IACtC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;IAChD,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,IAAI,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,eAAO,MAAM,uBAAuB,QAAU,CAAC;AAE/C,8BAAsB,aAAc,YAAW,WAAW;IACxD,SAAS,CAAC,QAAQ,EAAE,qBAAqB,CAAC;IAC1C,SAAS,aAAa,QAAQ,GAAE,OAAO,CAAC,qBAAqB,CAAM;IAanE,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IACjD,QAAQ,CAAC,GAAG,CACV,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,oBAAoB,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,GAC3C,OAAO,CAAC,IAAI,CAAC;IAChB,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAC5C;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,OAAO,EAAE,IAAI,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,IAAI,CAAC;CACjB,CAAC"}

package/dist/cjs/shared/lib/storage.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CookieStorage = exports.DEFAULT_COOKIE_DURATION = void 0;
+exports.DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes
+class CookieStorage {
+    settings;
+    constructor(settings = {}) {
+        this.settings = {
+            httpOnly: settings.httpOnly ?? true,
+            secure: settings.secure ?? true,
+            // the callback request comes the auth server
+            // 'lax' ensures the code_verifier cookie is sent with the request
+            sameSite: settings.sameSite ?? "lax",
+            expires: settings.expires ??
+                new Date(Date.now() + 1000 * exports.DEFAULT_COOKIE_DURATION),
+            path: settings.path ?? "/",
+        };
+    }
+}
+exports.CookieStorage = CookieStorage;
+//# sourceMappingURL=storage.js.map

package/dist/cjs/shared/lib/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../../src/shared/lib/storage.ts"],"names":[],"mappings":";;;AAqBa,QAAA,uBAAuB,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,aAAa;AAE7D,MAAsB,aAAa;IACvB,QAAQ,CAAwB;IAC1C,YAAsB,WAA2C,EAAE;QACjE,IAAI,CAAC,QAAQ,GAAG;YACd,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,IAAI;YACnC,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;YAC/B,6CAA6C;YAC7C,kEAAkE;YAClE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,KAAK;YACpC,OAAO,EACL,QAAQ,CAAC,OAAO;gBAChB,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,+BAAuB,CAAC;YACvD,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,GAAG;SAC3B,CAAC;IACJ,CAAC;CAQF;AAtBD,sCAsBC","sourcesContent":["import type { AuthStorage, SessionData, UnknownObject, User } from \"@/types.js\";\nimport type { CookieConfig } from \"./types.js\";\n\ntype SameSiteOption = \"strict\" | \"lax\" | \"none\";\n\nexport interface SessionStorage {\n  get(): SessionData;\n  getUser(): User<UnknownObject> | null;\n  set(data: Partial<SessionData>): void;\n  setUser(data: User<UnknownObject> | null): void;\n  clear(): void;\n}\n\nexport type CookieStorageSettings = {\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: SameSiteOption;\n  expires: Date;\n  path: string;\n};\n\nexport const DEFAULT_COOKIE_DURATION = 60 * 15; // 15 minutes\n\nexport abstract class CookieStorage implements AuthStorage {\n  protected settings: CookieStorageSettings;\n  protected constructor(settings: Partial<CookieStorageSettings> = {}) {\n    this.settings = {\n      httpOnly: settings.httpOnly ?? true,\n      secure: settings.secure ?? true,\n      // the callback request comes the auth server\n      // 'lax' ensures the code_verifier cookie is sent with the request\n      sameSite: settings.sameSite ?? \"lax\",\n      expires:\n        settings.expires ??\n        new Date(Date.now() + 1000 * DEFAULT_COOKIE_DURATION),\n      path: settings.path ?? \"/\",\n    };\n  }\n  abstract get(key: string): Promise<string | null>;\n  abstract set(\n    key: string,\n    value: string,\n    cookieConfigOverride?: Partial<CookieConfig>,\n  ): Promise<void>;\n  abstract delete(key: string): Promise<void>;\n}\n\nexport type AuthCookieStorageSettings = {\n  httpOnly: boolean;\n  secure: boolean;\n  sameSite: SameSiteOption;\n  expires: Date;\n  path: string;\n  timestamp: Date;\n};\n"]}

package/dist/cjs/shared/lib/types.d.ts

@@ -0,0 +1,39 @@
+import type { Endpoints } from "../../types.js";
+export declare enum OAuthTokens {
+    ID_TOKEN = "id_token",
+    ACCESS_TOKEN = "access_token",
+    REFRESH_TOKEN = "refresh_token",
+    ACCESS_TOKEN_EXPIRES_AT = "access_token_expires_at"
+}
+export declare const AUTH_SERVER_SESSION = "_session";
+export declare const AUTH_SERVER_LEGACY_SESSION = "_session.legacy";
+export declare enum CodeVerifier {
+    COOKIE_NAME = "code_verifier",
+    APP_URL = "app_url"
+}
+export declare enum UserStorage {
+    USER = "user"
+}
+export interface CookieConfig {
+    secure?: boolean;
+    sameSite?: "strict" | "lax" | "none";
+    domain?: string;
+    path?: string;
+    maxAge?: number;
+    httpOnly?: boolean;
+}
+export type KeySetter = OAuthTokens | CodeVerifier | UserStorage;
+export type TokensCookieConfig = Record<OAuthTokens | CodeVerifier, CookieConfig>;
+export type CivicAuthConfig = null | {
+    clientId: string;
+    redirectUrl: string;
+    logoutRedirectUrl: string;
+    oauthServer: string;
+    endpoints: Endpoints;
+    scopes: string[];
+    nonce?: string;
+    challengeUrl?: string;
+    refreshUrl?: string;
+    logoutUrl?: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/cjs/shared/lib/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C,oBAAY,WAAW;IACrB,QAAQ,aAAa;IACrB,YAAY,iBAAiB;IAC7B,aAAa,kBAAkB;IAC/B,uBAAuB,4BAA4B;CACpD;AAED,eAAO,MAAM,mBAAmB,aAAa,CAAC;AAC9C,eAAO,MAAM,0BAA0B,oBAAoB,CAAC;AAE5D,oBAAY,YAAY;IACtB,WAAW,kBAAkB;IAC7B,OAAO,YAAY;CACpB;AACD,oBAAY,WAAW;IACrB,IAAI,SAAS;CACd;AACD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AACD,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG,MAAM,CACrC,WAAW,GAAG,YAAY,EAC1B,YAAY,CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC"}

package/dist/cjs/shared/lib/types.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserStorage = exports.CodeVerifier = exports.AUTH_SERVER_LEGACY_SESSION = exports.AUTH_SERVER_SESSION = exports.OAuthTokens = void 0;
+var OAuthTokens;
+(function (OAuthTokens) {
+    OAuthTokens["ID_TOKEN"] = "id_token";
+    OAuthTokens["ACCESS_TOKEN"] = "access_token";
+    OAuthTokens["REFRESH_TOKEN"] = "refresh_token";
+    OAuthTokens["ACCESS_TOKEN_EXPIRES_AT"] = "access_token_expires_at";
+})(OAuthTokens || (exports.OAuthTokens = OAuthTokens = {}));
+exports.AUTH_SERVER_SESSION = "_session";
+exports.AUTH_SERVER_LEGACY_SESSION = "_session.legacy";
+var CodeVerifier;
+(function (CodeVerifier) {
+    CodeVerifier["COOKIE_NAME"] = "code_verifier";
+    CodeVerifier["APP_URL"] = "app_url";
+})(CodeVerifier || (exports.CodeVerifier = CodeVerifier = {}));
+var UserStorage;
+(function (UserStorage) {
+    UserStorage["USER"] = "user";
+})(UserStorage || (exports.UserStorage = UserStorage = {}));
+//# sourceMappingURL=types.js.map

package/dist/cjs/shared/lib/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/shared/lib/types.ts"],"names":[],"mappings":";;;AAEA,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,oCAAqB,CAAA;IACrB,4CAA6B,CAAA;IAC7B,8CAA+B,CAAA;IAC/B,kEAAmD,CAAA;AACrD,CAAC,EALW,WAAW,2BAAX,WAAW,QAKtB;AAEY,QAAA,mBAAmB,GAAG,UAAU,CAAC;AACjC,QAAA,0BAA0B,GAAG,iBAAiB,CAAC;AAE5D,IAAY,YAGX;AAHD,WAAY,YAAY;IACtB,6CAA6B,CAAA;IAC7B,mCAAmB,CAAA;AACrB,CAAC,EAHW,YAAY,4BAAZ,YAAY,QAGvB;AACD,IAAY,WAEX;AAFD,WAAY,WAAW;IACrB,4BAAa,CAAA;AACf,CAAC,EAFW,WAAW,2BAAX,WAAW,QAEtB","sourcesContent":["import type { Endpoints } from \"@/types.js\";\n\nexport enum OAuthTokens {\n  ID_TOKEN = \"id_token\",\n  ACCESS_TOKEN = \"access_token\",\n  REFRESH_TOKEN = \"refresh_token\",\n  ACCESS_TOKEN_EXPIRES_AT = \"access_token_expires_at\",\n}\n\nexport const AUTH_SERVER_SESSION = \"_session\";\nexport const AUTH_SERVER_LEGACY_SESSION = \"_session.legacy\";\n\nexport enum CodeVerifier {\n  COOKIE_NAME = \"code_verifier\",\n  APP_URL = \"app_url\",\n}\nexport enum UserStorage {\n  USER = \"user\",\n}\nexport interface CookieConfig {\n  secure?: boolean;\n  sameSite?: \"strict\" | \"lax\" | \"none\";\n  domain?: string;\n  path?: string;\n  maxAge?: number;\n  httpOnly?: boolean;\n}\nexport type KeySetter = OAuthTokens | CodeVerifier | UserStorage;\n\nexport type TokensCookieConfig = Record<\n  OAuthTokens | CodeVerifier,\n  CookieConfig\n>;\n\nexport type CivicAuthConfig = null | {\n  clientId: string;\n  redirectUrl: string;\n  logoutRedirectUrl: string;\n  oauthServer: string;\n  endpoints: Endpoints;\n  scopes: string[];\n  nonce?: string;\n  challengeUrl?: string;\n  refreshUrl?: string;\n  logoutUrl?: string;\n};\n"]}

package/dist/cjs/shared/lib/util.d.ts

@@ -0,0 +1,40 @@
+import type { AuthStorage, Endpoints, OIDCTokenResponseBody, ParsedTokens } from "../../types.js";
+import { OAuth2Client } from "oslo/oauth2";
+import type { PKCEConsumer, PKCEProducer } from "../../services/types.js";
+import type { CookieStorage } from "./storage.js";
+/**
+ * Given a PKCE code verifier, derive the code challenge using SHA
+ */
+export declare function deriveCodeChallenge(codeVerifier: string, method?: "Plain" | "S256"): Promise<string>;
+export declare function getEndpointsWithOverrides(oauthServer: string, endpointOverrides?: Partial<Endpoints>): Promise<Endpoints>;
+export declare function generateOauthLoginUrl(config: {
+    clientId: string;
+    scopes: string[];
+    state: string;
+    redirectUrl: string;
+    oauthServer: string;
+    nonce?: string;
+    endpointOverrides?: Partial<Endpoints>;
+    pkceConsumer: PKCEConsumer;
+}): Promise<URL>;
+export declare function generateOauthLogoutUrl(config: {
+    clientId: string;
+    redirectUrl: string;
+    idToken: string;
+    state: string;
+    oauthServer: string;
+    endpointOverrides?: Partial<Endpoints>;
+}): Promise<URL>;
+export declare function buildOauth2Client(clientId: string, redirectUri: string, endpoints: Endpoints): OAuth2Client;
+export declare function exchangeTokens(code: string, state: string, pkceProducer: PKCEProducer, oauth2Client: OAuth2Client, oauthServer: string, endpoints: Endpoints): Promise<OIDCTokenResponseBody>;
+export declare const getAccessTokenExpiresAt: (tokens: OIDCTokenResponseBody) => number;
+export declare function setAccessTokenExpiresAt(storage: AuthStorage | CookieStorage, tokens: OIDCTokenResponseBody): Promise<void>;
+export declare function storeTokens(storage: AuthStorage, tokens: OIDCTokenResponseBody): Promise<void>;
+export declare function storeServerTokens(storage: AuthStorage | CookieStorage, tokens: OIDCTokenResponseBody): Promise<void>;
+export declare function clearTokens(storage: AuthStorage): Promise<void>;
+export declare function clearAuthServerSession(storage: AuthStorage): Promise<void>;
+export declare function clearUser(storage: AuthStorage): Promise<void>;
+export declare function retrieveTokens(storage: AuthStorage): Promise<OIDCTokenResponseBody | null>;
+export declare function retrieveAccessTokenExpiresAt(storage: AuthStorage): Promise<number>;
+export declare function validateOauth2Tokens(tokens: OIDCTokenResponseBody, endpoints: Endpoints, oauth2Client: OAuth2Client, issuer: string): Promise<ParsedTokens>;
+//# sourceMappingURL=util.d.ts.map

package/dist/cjs/shared/lib/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EACT,qBAAqB,EACrB,YAAY,EACb,MAAM,YAAY,CAAC;AAMpB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAI3C,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAOlD;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,MAAM,EACpB,MAAM,GAAE,OAAO,GAAG,MAAe,GAChC,OAAO,CAAC,MAAM,CAAC,CAajB;AAED,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,MAAM,EACnB,iBAAiB,GAAE,OAAO,CAAC,SAAS,CAAM,GACzC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,wBAAsB,qBAAqB,CAAC,MAAM,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,YAAY,EAAE,YAAY,CAAC;CAC5B,GAAG,OAAO,CAAC,GAAG,CAAC,CA2Bf;AAED,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;CACxC,GAAG,OAAO,CAAC,GAAG,CAAC,CAcf;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,GACnB,YAAY,CAId;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,YAAY,EAC1B,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,SAAS,kCAoBrB;AAED,eAAO,MAAM,uBAAuB,WAC1B,qBAAqB,KAC5B,MAUF,CAAC;AACF,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,WAAW,GAAG,aAAa,EACpC,MAAM,EAAE,qBAAqB,iBAQ9B;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,qBAAqB,iBAQ9B;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,WAAW,GAAG,aAAa,EACpC,MAAM,EAAE,qBAAqB,iBA8C9B;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,iBAYrD;AAED,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,WAAW,iBAGhE;AAED,wBAAsB,SAAS,CAAC,OAAO,EAAE,WAAW,iBAGnD;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CAkBvC;AAED,wBAAsB,4BAA4B,CAChD,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,MAAM,CAAC,CAEjB;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,qBAAqB,EAC7B,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CA2BvB"}

package/dist/cjs/shared/lib/util.js

@@ -0,0 +1,252 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAccessTokenExpiresAt = void 0;
+exports.deriveCodeChallenge = deriveCodeChallenge;
+exports.getEndpointsWithOverrides = getEndpointsWithOverrides;
+exports.generateOauthLoginUrl = generateOauthLoginUrl;
+exports.generateOauthLogoutUrl = generateOauthLogoutUrl;
+exports.buildOauth2Client = buildOauth2Client;
+exports.exchangeTokens = exchangeTokens;
+exports.setAccessTokenExpiresAt = setAccessTokenExpiresAt;
+exports.storeTokens = storeTokens;
+exports.storeServerTokens = storeServerTokens;
+exports.clearTokens = clearTokens;
+exports.clearAuthServerSession = clearAuthServerSession;
+exports.clearUser = clearUser;
+exports.retrieveTokens = retrieveTokens;
+exports.retrieveAccessTokenExpiresAt = retrieveAccessTokenExpiresAt;
+exports.validateOauth2Tokens = validateOauth2Tokens;
+const types_js_1 = require("./types.js");
+const oauth2_1 = require("oslo/oauth2");
+const oauth_js_1 = require("../../lib/oauth.js");
+const jose = __importStar(require("jose"));
+const utils_js_1 = require("../../utils.js");
+const UserSession_js_1 = require("../../shared/lib/UserSession.js");
+const jose_1 = require("jose");
+const constants_js_1 = require("../../constants.js");
+/**
+ * Given a PKCE code verifier, derive the code challenge using SHA
+ */
+async function deriveCodeChallenge(codeVerifier, method = "S256") {
+    if (method === "Plain") {
+        console.warn("Using insecure plain code challenge method");
+        return codeVerifier;
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest)))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+async function getEndpointsWithOverrides(oauthServer, endpointOverrides = {}) {
+    const endpoints = await (0, oauth_js_1.getOauthEndpoints)(oauthServer);
+    return {
+        ...endpoints,
+        ...endpointOverrides,
+    };
+}
+async function generateOauthLoginUrl(config) {
+    const endpoints = await getEndpointsWithOverrides(config.oauthServer, config.endpointOverrides);
+    const oauth2Client = buildOauth2Client(config.clientId, config.redirectUrl, endpoints);
+    const challenge = await config.pkceConsumer.getCodeChallenge();
+    const oAuthUrl = await oauth2Client.createAuthorizationURL({
+        state: config.state,
+        scopes: config.scopes,
+    });
+    // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source
+    // It only allows passing in a code verifier which it then hashes itself.
+    oAuthUrl.searchParams.append("code_challenge", challenge);
+    oAuthUrl.searchParams.append("code_challenge_method", "S256");
+    if (config.nonce) {
+        // nonce isn't supported by oslo, so we add it manually
+        oAuthUrl.searchParams.append("nonce", config.nonce);
+    }
+    // Required by the auth server for offline_access scope
+    oAuthUrl.searchParams.append("prompt", "consent");
+    return oAuthUrl;
+}
+async function generateOauthLogoutUrl(config) {
+    const endpoints = await getEndpointsWithOverrides(config.oauthServer, config.endpointOverrides);
+    const endSessionUrl = new URL(endpoints.endsession);
+    endSessionUrl.searchParams.append("client_id", config.clientId);
+    endSessionUrl.searchParams.append("id_token_hint", config.idToken);
+    endSessionUrl.searchParams.append("state", config.state);
+    endSessionUrl.searchParams.append("post_logout_redirect_uri", config.redirectUrl);
+    return endSessionUrl;
+}
+function buildOauth2Client(clientId, redirectUri, endpoints) {
+    return new oauth2_1.OAuth2Client(clientId, endpoints.auth, endpoints.token, {
+        redirectURI: redirectUri,
+    });
+}
+async function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
+    const codeVerifier = await pkceProducer.getCodeVerifier();
+    if (!codeVerifier)
+        throw new Error("Code verifier not found in state");
+    const tokens = await oauth2Client.validateAuthorizationCode(code, {
+        codeVerifier,
+    });
+    // Validate relevant tokens
+    try {
+        await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
+    }
+    catch (error) {
+        console.error("tokenExchange error", { error, tokens });
+        throw new Error(`OIDC tokens validation failed: ${error.message}`);
+    }
+    return tokens;
+}
+const getAccessTokenExpiresAt = (tokens) => {
+    const parsedAccessToken = (0, jose_1.decodeJwt)(tokens.access_token);
+    if (parsedAccessToken?.exp || false) {
+        return parsedAccessToken.exp;
+    }
+    else if (tokens.expires_in) {
+        const now = Math.floor(new Date().getTime() / 1000);
+        return now + tokens.expires_in;
+    }
+    else {
+        throw new Error("Cannot determine access token expiry!");
+    }
+};
+exports.getAccessTokenExpiresAt = getAccessTokenExpiresAt;
+async function setAccessTokenExpiresAt(storage, tokens) {
+    // try to extract absolute expiry time from access token but fallback to calculation if not possible
+    const accessTokenExpiresAt = (0, exports.getAccessTokenExpiresAt)(tokens);
+    await storage.set(types_js_1.OAuthTokens.ACCESS_TOKEN_EXPIRES_AT, accessTokenExpiresAt.toString());
+}
+async function storeTokens(storage, tokens) {
+    await storage.set(types_js_1.OAuthTokens.ID_TOKEN, tokens.id_token);
+    await storage.set(types_js_1.OAuthTokens.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token) {
+        await storage.set(types_js_1.OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);
+    }
+    await setAccessTokenExpiresAt(storage, tokens);
+}
+async function storeServerTokens(storage, tokens) {
+    const accessTokenExpiresAt = (0, exports.getAccessTokenExpiresAt)(tokens);
+    const cookieStorage = storage;
+    const now = Math.floor(Date.now() / 1000);
+    const accessTokenMaxAge = accessTokenExpiresAt && accessTokenExpiresAt - now;
+    console.log("storeServerTokens timestamps", {
+        now,
+        accessTokenMaxAge,
+        accessTokenExpiresAt,
+    });
+    const cookiesOverride = {
+        ...(accessTokenMaxAge ? { maxAge: accessTokenMaxAge } : {}),
+    };
+    // the refresh token must be longer-lived than the access token max age to allow time for automatic refresh
+    // as it's not a JWT, we derive it from the access token max age and add a margin
+    const refreshTokenMaxAge = accessTokenMaxAge && accessTokenMaxAge + 5 * 60;
+    const refreshCookiesOverride = {
+        ...(refreshTokenMaxAge ? { maxAge: refreshTokenMaxAge } : {}),
+    };
+    console.log("storeServerTokens overrides", {
+        cookiesOverride,
+        refreshCookiesOverride,
+    });
+    const idTokenExpiry = (0, jose_1.decodeJwt)(tokens.id_token)?.exp;
+    const idTokenMaxAge = idTokenExpiry && idTokenExpiry - now;
+    await cookieStorage.set(types_js_1.OAuthTokens.ID_TOKEN, tokens.id_token, {
+        ...(idTokenMaxAge ? { maxAge: idTokenMaxAge } : {}),
+    });
+    await cookieStorage.set(types_js_1.OAuthTokens.ACCESS_TOKEN, tokens.access_token, cookiesOverride);
+    if (tokens.refresh_token) {
+        await cookieStorage.set(types_js_1.OAuthTokens.REFRESH_TOKEN, tokens.refresh_token, refreshCookiesOverride);
+    }
+    await storage.set(types_js_1.OAuthTokens.ACCESS_TOKEN_EXPIRES_AT, accessTokenExpiresAt.toString(), cookiesOverride);
+}
+async function clearTokens(storage) {
+    console.log("clearTokens");
+    // clear all local storage keys related to OAuth and CivicAuth SDK
+    const clearOAuthPromises = [
+        ...Object.values(types_js_1.OAuthTokens),
+        constants_js_1.REFRESH_IN_PROGRESS,
+        constants_js_1.AUTOREFRESH_TIMEOUT_NAME,
+        constants_js_1.LOGOUT_STATE,
+    ].map(async (key) => {
+        await storage.delete(key);
+    });
+    await Promise.all([...clearOAuthPromises]);
+}
+async function clearAuthServerSession(storage) {
+    await storage.delete(types_js_1.AUTH_SERVER_SESSION);
+    await storage.delete(types_js_1.AUTH_SERVER_LEGACY_SESSION);
+}
+async function clearUser(storage) {
+    const userSession = new UserSession_js_1.GenericUserSession(storage);
+    await userSession.clear();
+}
+async function retrieveTokens(storage) {
+    const idToken = await storage.get(types_js_1.OAuthTokens.ID_TOKEN);
+    const accessToken = await storage.get(types_js_1.OAuthTokens.ACCESS_TOKEN);
+    const refreshToken = await storage.get(types_js_1.OAuthTokens.REFRESH_TOKEN);
+    const accessTokenExpiresAt = await storage.get(types_js_1.OAuthTokens.ACCESS_TOKEN_EXPIRES_AT);
+    if (!idToken || !accessToken)
+        return null;
+    return {
+        id_token: idToken,
+        access_token: accessToken,
+        refresh_token: refreshToken ?? undefined,
+        access_token_expires_at: accessTokenExpiresAt !== null
+            ? parseInt(accessTokenExpiresAt, 10)
+            : undefined, // Convert string to number
+    };
+}
+async function retrieveAccessTokenExpiresAt(storage) {
+    return Number(await storage.get(types_js_1.OAuthTokens.ACCESS_TOKEN_EXPIRES_AT));
+}
+async function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
+    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+    // validate the ID token
+    const idTokenResponse = await jose.jwtVerify(tokens.id_token, JWKS, {
+        issuer: (0, oauth_js_1.getIssuerVariations)(issuer),
+        audience: oauth2Client.clientId,
+    });
+    // validate the access token
+    const accessTokenResponse = await jose.jwtVerify(tokens.access_token, JWKS, {
+        issuer: (0, oauth_js_1.getIssuerVariations)(issuer),
+    });
+    return (0, utils_js_1.withoutUndefined)({
+        id_token: idTokenResponse.payload,
+        access_token: accessTokenResponse.payload,
+        refresh_token: tokens.refresh_token,
+    });
+}
+//# sourceMappingURL=util.js.map

package/dist/cjs/shared/lib/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../../../../src/shared/lib/util.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,kDAgBC;AAED,8DASC;AAED,sDAqCC;AAED,wDAqBC;AAED,8CAQC;AAED,wCA0BC;AAeD,0DAUC;AAED,kCAUC;AAED,8CAgDC;AAED,kCAYC;AAED,wDAGC;AAED,8BAGC;AAED,wCAoBC;AAED,oEAIC;AAED,oDAgCC;AAlUD,yCAIoB;AACpB,wCAA2C;AAC3C,6CAAwE;AACxE,2CAA6B;AAC7B,yCAA8C;AAE9C,gEAAiE;AACjE,+BAAkD;AAElD,iDAIwB;AAExB;;GAEG;AACI,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,IAAA,4BAAiB,EAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IACH,yGAAyG;IACzG,yEAAyE;IACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,aAAa,CAAC,YAAY,CAAC,MAAM,CAC/B,0BAA0B,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAgB,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,qBAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAEM,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAA0B,EAC1B,YAA0B,EAC1B,WAAmB,EACnB,SAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,eAAe,EAAE,CAAC;IAC1D,IAAI,CAAC,YAAY;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAEvE,MAAM,MAAM,GACV,MAAM,YAAY,CAAC,yBAAyB,CAAwB,IAAI,EAAE;QACxE,YAAY;KACb,CAAC,CAAC;IAEL,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAEM,MAAM,uBAAuB,GAAG,CACrC,MAA6B,EACrB,EAAE;IACV,MAAM,iBAAiB,GAAG,IAAA,gBAAS,EAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACzD,IAAI,iBAAiB,EAAE,GAAG,IAAI,KAAK,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC,GAAG,CAAC;IAC/B,CAAC;SAAM,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACpD,OAAO,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC,CAAC;AAZW,QAAA,uBAAuB,2BAYlC;AACK,KAAK,UAAU,uBAAuB,CAC3C,OAAoC,EACpC,MAA6B;IAE7B,oGAAoG;IACpG,MAAM,oBAAoB,GAAG,IAAA,+BAAuB,EAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,OAAO,CAAC,GAAG,CACf,sBAAW,CAAC,uBAAuB,EACnC,oBAAoB,CAAC,QAAQ,EAAE,CAChC,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzD,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACrE,CAAC;IACD,MAAM,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,OAAoC,EACpC,MAA6B;IAE7B,MAAM,oBAAoB,GAAG,IAAA,+BAAuB,EAAC,MAAM,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,OAAwB,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,iBAAiB,GAAG,oBAAoB,IAAI,oBAAoB,GAAG,GAAG,CAAC;IAC7E,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE;QAC1C,GAAG;QACH,iBAAiB;QACjB,oBAAoB;KACrB,CAAC,CAAC;IACH,MAAM,eAAe,GAAG;QACtB,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5D,CAAC;IACF,2GAA2G;IAC3G,iFAAiF;IACjF,MAAM,kBAAkB,GAAG,iBAAiB,IAAI,iBAAiB,GAAG,CAAC,GAAG,EAAE,CAAC;IAC3E,MAAM,sBAAsB,GAAG;QAC7B,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9D,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE;QACzC,eAAe;QACf,sBAAsB;KACvB,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,IAAA,gBAAS,EAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC;IACtD,MAAM,aAAa,GAAG,aAAa,IAAI,aAAa,GAAG,GAAG,CAAC;IAC3D,MAAM,aAAa,CAAC,GAAG,CAAC,sBAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE;QAC7D,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC,CAAC;IACH,MAAM,aAAa,CAAC,GAAG,CACrB,sBAAW,CAAC,YAAY,EACxB,MAAM,CAAC,YAAY,EACnB,eAAe,CAChB,CAAC;IACF,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,aAAa,CAAC,GAAG,CACrB,sBAAW,CAAC,aAAa,EACzB,MAAM,CAAC,aAAa,EACpB,sBAAsB,CACvB,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,CAAC,GAAG,CACf,sBAAW,CAAC,uBAAuB,EACnC,oBAAoB,CAAC,QAAQ,EAAE,EAC/B,eAAe,CAChB,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,WAAW,CAAC,OAAoB;IACpD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3B,kEAAkE;IAClE,MAAM,kBAAkB,GAAG;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,sBAAW,CAAC;QAC7B,kCAAmB;QACnB,uCAAwB;QACxB,2BAAY;KACb,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAAC,OAAoB;IAC/D,MAAM,OAAO,CAAC,MAAM,CAAC,8BAAmB,CAAC,CAAC;IAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,qCAA0B,CAAC,CAAC;AACnD,CAAC;AAEM,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,mCAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC;AAC5B,CAAC;AAEM,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,YAAY,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,aAAa,CAAC,CAAC;IAClE,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,sBAAW,CAAC,uBAAuB,CACpC,CAAC;IACF,IAAI,CAAC,OAAO,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE1C,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,YAAY,IAAI,SAAS;QACxC,uBAAuB,EACrB,oBAAoB,KAAK,IAAI;YAC3B,CAAC,CAAC,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACpC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KAC7C,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,4BAA4B,CAChD,OAAoB;IAEpB,OAAO,MAAM,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,sBAAW,CAAC,uBAAuB,CAAC,CAAC,CAAC;AACxE,CAAC;AAEM,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,SAAoB,EACpB,YAA0B,EAC1B,MAAc;IAEd,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAC1C,MAAM,CAAC,QAAQ,EACf,IAAI,EACJ;QACE,MAAM,EAAE,IAAA,8BAAmB,EAAC,MAAM,CAAC;QACnC,QAAQ,EAAE,YAAY,CAAC,QAAQ;KAChC,CACF,CAAC;IAEF,4BAA4B;IAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,SAAS,CAC9C,MAAM,CAAC,YAAY,EACnB,IAAI,EACJ;QACE,MAAM,EAAE,IAAA,8BAAmB,EAAC,MAAM,CAAC;KACpC,CACF,CAAC;IAEF,OAAO,IAAA,2BAAgB,EAAC;QACtB,QAAQ,EAAE,eAAe,CAAC,OAAO;QACjC,YAAY,EAAE,mBAAmB,CAAC,OAAO;QACzC,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;AACL,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n  AuthStorage,\n  Endpoints,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport {\n  AUTH_SERVER_LEGACY_SESSION,\n  AUTH_SERVER_SESSION,\n  OAuthTokens,\n} from \"./types.js\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport { decodeJwt, type JWTPayload } from \"jose\";\nimport type { CookieStorage } from \"./storage.js\";\nimport {\n  AUTOREFRESH_TIMEOUT_NAME,\n  LOGOUT_STATE,\n  REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  nonce?: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  if (config.nonce) {\n    // nonce isn't supported by oslo, so we add it manually\n    oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n  }\n  // Required by the auth server for offline_access scope\n  oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  redirectUrl: string;\n  idToken: string;\n  state: string;\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const endSessionUrl = new URL(endpoints.endsession);\n  endSessionUrl.searchParams.append(\"client_id\", config.clientId);\n  endSessionUrl.searchParams.append(\"id_token_hint\", config.idToken);\n  endSessionUrl.searchParams.append(\"state\", config.state);\n  endSessionUrl.searchParams.append(\n    \"post_logout_redirect_uri\",\n    config.redirectUrl,\n  );\n  return endSessionUrl;\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n    redirectURI: redirectUri,\n  });\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n  return tokens;\n}\n\nexport const getAccessTokenExpiresAt = (\n  tokens: OIDCTokenResponseBody,\n): number => {\n  const parsedAccessToken = decodeJwt(tokens.access_token);\n  if (parsedAccessToken?.exp || false) {\n    return parsedAccessToken.exp;\n  } else if (tokens.expires_in) {\n    const now = Math.floor(new Date().getTime() / 1000);\n    return now + tokens.expires_in;\n  } else {\n    throw new Error(\"Cannot determine access token expiry!\");\n  }\n};\nexport async function setAccessTokenExpiresAt(\n  storage: AuthStorage | CookieStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // try to extract absolute expiry time from access token but fallback to calculation if not possible\n  const accessTokenExpiresAt = getAccessTokenExpiresAt(tokens);\n  await storage.set(\n    OAuthTokens.ACCESS_TOKEN_EXPIRES_AT,\n    accessTokenExpiresAt.toString(),\n  );\n}\n\nexport async function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  await storage.set(OAuthTokens.ID_TOKEN, tokens.id_token);\n  await storage.set(OAuthTokens.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token) {\n    await storage.set(OAuthTokens.REFRESH_TOKEN, tokens.refresh_token);\n  }\n  await setAccessTokenExpiresAt(storage, tokens);\n}\n\nexport async function storeServerTokens(\n  storage: AuthStorage | CookieStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  const accessTokenExpiresAt = getAccessTokenExpiresAt(tokens);\n  const cookieStorage = storage as CookieStorage;\n  const now = Math.floor(Date.now() / 1000);\n  const accessTokenMaxAge = accessTokenExpiresAt && accessTokenExpiresAt - now;\n  console.log(\"storeServerTokens timestamps\", {\n    now,\n    accessTokenMaxAge,\n    accessTokenExpiresAt,\n  });\n  const cookiesOverride = {\n    ...(accessTokenMaxAge ? { maxAge: accessTokenMaxAge } : {}),\n  };\n  // the refresh token must be longer-lived than the access token max age to allow time for automatic refresh\n  // as it's not a JWT, we derive it from the access token max age and add a margin\n  const refreshTokenMaxAge = accessTokenMaxAge && accessTokenMaxAge + 5 * 60;\n  const refreshCookiesOverride = {\n    ...(refreshTokenMaxAge ? { maxAge: refreshTokenMaxAge } : {}),\n  };\n  console.log(\"storeServerTokens overrides\", {\n    cookiesOverride,\n    refreshCookiesOverride,\n  });\n  const idTokenExpiry = decodeJwt(tokens.id_token)?.exp;\n  const idTokenMaxAge = idTokenExpiry && idTokenExpiry - now;\n  await cookieStorage.set(OAuthTokens.ID_TOKEN, tokens.id_token, {\n    ...(idTokenMaxAge ? { maxAge: idTokenMaxAge } : {}),\n  });\n  await cookieStorage.set(\n    OAuthTokens.ACCESS_TOKEN,\n    tokens.access_token,\n    cookiesOverride,\n  );\n  if (tokens.refresh_token) {\n    await cookieStorage.set(\n      OAuthTokens.REFRESH_TOKEN,\n      tokens.refresh_token,\n      refreshCookiesOverride,\n    );\n  }\n  await storage.set(\n    OAuthTokens.ACCESS_TOKEN_EXPIRES_AT,\n    accessTokenExpiresAt.toString(),\n    cookiesOverride,\n  );\n}\n\nexport async function clearTokens(storage: AuthStorage) {\n  console.log(\"clearTokens\");\n  // clear all local storage keys related to OAuth and CivicAuth SDK\n  const clearOAuthPromises = [\n    ...Object.values(OAuthTokens),\n    REFRESH_IN_PROGRESS,\n    AUTOREFRESH_TIMEOUT_NAME,\n    LOGOUT_STATE,\n  ].map(async (key) => {\n    await storage.delete(key);\n  });\n  await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearAuthServerSession(storage: AuthStorage) {\n  await storage.delete(AUTH_SERVER_SESSION);\n  await storage.delete(AUTH_SERVER_LEGACY_SESSION);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n  const userSession = new GenericUserSession(storage);\n  await userSession.clear();\n}\n\nexport async function retrieveTokens(\n  storage: AuthStorage,\n): Promise<OIDCTokenResponseBody | null> {\n  const idToken = await storage.get(OAuthTokens.ID_TOKEN);\n  const accessToken = await storage.get(OAuthTokens.ACCESS_TOKEN);\n  const refreshToken = await storage.get(OAuthTokens.REFRESH_TOKEN);\n  const accessTokenExpiresAt = await storage.get(\n    OAuthTokens.ACCESS_TOKEN_EXPIRES_AT,\n  );\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n    access_token_expires_at:\n      accessTokenExpiresAt !== null\n        ? parseInt(accessTokenExpiresAt, 10)\n        : undefined, // Convert string to number\n  };\n}\n\nexport async function retrieveAccessTokenExpiresAt(\n  storage: AuthStorage,\n): Promise<number> {\n  return Number(await storage.get(OAuthTokens.ACCESS_TOKEN_EXPIRES_AT));\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  issuer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(issuer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n"]}

package/dist/cjs/shared/providers/AuthContext.d.ts

@@ -0,0 +1,12 @@
+import type { AuthStatus, DisplayMode } from "../../types.js";
+export type AuthContextType = {
+    signIn: (displayMode?: DisplayMode) => Promise<void>;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    signOut: () => Promise<void>;
+    authStatus: AuthStatus;
+    displayMode: DisplayMode;
+};
+export declare const AuthContext: import("react").Context<AuthContextType | null>;
+//# sourceMappingURL=AuthContext.d.ts.map

package/dist/cjs/shared/providers/AuthContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthContext.d.ts","sourceRoot":"","sources":["../../../../src/shared/providers/AuthContext.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE1D,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,UAAU,EAAE,UAAU,CAAC;IACvB,WAAW,EAAE,WAAW,CAAC;CAC1B,CAAC;AACF,eAAO,MAAM,WAAW,iDAA8C,CAAC"}

package/dist/cjs/shared/providers/AuthContext.js

@@ -0,0 +1,7 @@
+"use strict";
+"use client";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthContext = void 0;
+const react_1 = require("react");
+exports.AuthContext = (0, react_1.createContext)(null);
+//# sourceMappingURL=AuthContext.js.map

package/dist/cjs/shared/providers/AuthContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthContext.js","sourceRoot":"","sources":["../../../../src/shared/providers/AuthContext.tsx"],"names":[],"mappings":";AAAA,YAAY,CAAC;;;AACb,iCAAsC;AAYzB,QAAA,WAAW,GAAG,IAAA,qBAAa,EAAyB,IAAI,CAAC,CAAC","sourcesContent":["\"use client\";\nimport { createContext } from \"react\";\nimport type { AuthStatus, DisplayMode } from \"@/types.js\";\n\nexport type AuthContextType = {\n  signIn: (displayMode?: DisplayMode) => Promise<void>;\n  isAuthenticated: boolean;\n  isLoading: boolean;\n  error: Error | null;\n  signOut: () => Promise<void>;\n  authStatus: AuthStatus;\n  displayMode: DisplayMode;\n};\nexport const AuthContext = createContext<AuthContextType | null>(null);\n"]}

package/dist/cjs/shared/providers/AuthProvider.d.ts

@@ -0,0 +1,22 @@
+import React, { type ReactNode } from "react";
+import type { Config, DisplayMode, SessionData } from "../../types.js";
+import type { PKCEConsumer } from "../../services/types.js";
+export type IframeMode = "embedded" | "modal";
+export type AuthProviderProps = {
+    children: ReactNode;
+    clientId: string;
+    nonce?: string;
+    onSignIn?: (error?: Error) => void;
+    onSignOut?: () => Promise<void>;
+    iframeMode?: IframeMode;
+    config?: Config;
+    redirectUrl?: string;
+    displayMode?: DisplayMode;
+};
+export type InternalAuthProviderProps = AuthProviderProps & {
+    sessionData?: SessionData;
+    pkceConsumer?: PKCEConsumer;
+};
+declare const AuthProvider: ({ children, onSignIn, onSignOut, pkceConsumer, iframeMode, displayMode, }: InternalAuthProviderProps) => React.JSX.Element;
+export { AuthProvider };
+//# sourceMappingURL=AuthProvider.d.ts.map

package/dist/cjs/shared/providers/AuthProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../../../../src/shared/providers/AuthProvider.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,EAAE,KAAK,SAAS,EAAgC,MAAM,OAAO,CAAC;AAC5E,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEnE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAkBxD,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,OAAO,CAAC;AAC9C,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,SAAS,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,IAAI,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG,iBAAiB,GAAG;IAC1D,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,YAAY,CAAC,EAAE,YAAY,CAAC;CAC7B,CAAC;AAEF,QAAA,MAAM,YAAY,8EAOf,yBAAyB,sBAsE3B,CAAC;AAEF,OAAO,EAAE,YAAY,EAAE,CAAC"}