@civic/auth 0.9.6-beta.1 → 0.9.6-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (219) hide show
  1. package/CHANGELOG.md +5 -0
  2. package/dist/nextjs/actions.d.ts +12 -0
  3. package/dist/nextjs/actions.d.ts.map +1 -0
  4. package/dist/nextjs/actions.js +26 -0
  5. package/dist/nextjs/actions.js.map +1 -0
  6. package/dist/nextjs/config.d.ts +2 -0
  7. package/dist/nextjs/config.d.ts.map +1 -1
  8. package/dist/nextjs/config.js +3 -2
  9. package/dist/nextjs/config.js.map +1 -1
  10. package/dist/nextjs/cookies.d.ts.map +1 -1
  11. package/dist/nextjs/cookies.js +45 -3
  12. package/dist/nextjs/cookies.js.map +1 -1
  13. package/dist/nextjs/hooks/useInitialAuthConfig.d.ts +31 -0
  14. package/dist/nextjs/hooks/useInitialAuthConfig.d.ts.map +1 -0
  15. package/dist/nextjs/hooks/useInitialAuthConfig.js +109 -0
  16. package/dist/nextjs/hooks/useInitialAuthConfig.js.map +1 -0
  17. package/dist/nextjs/index.d.ts +1 -0
  18. package/dist/nextjs/index.d.ts.map +1 -1
  19. package/dist/nextjs/index.js +13 -3
  20. package/dist/nextjs/index.js.map +1 -1
  21. package/dist/nextjs/providers/NextAuthProvider.d.ts +6 -7
  22. package/dist/nextjs/providers/NextAuthProvider.d.ts.map +1 -1
  23. package/dist/nextjs/providers/NextAuthProvider.js +19 -138
  24. package/dist/nextjs/providers/NextAuthProvider.js.map +1 -1
  25. package/dist/nextjs/providers/NextAuthProviderClient.d.ts +11 -0
  26. package/dist/nextjs/providers/NextAuthProviderClient.d.ts.map +1 -0
  27. package/dist/nextjs/providers/NextAuthProviderClient.js +62 -0
  28. package/dist/nextjs/providers/NextAuthProviderClient.js.map +1 -0
  29. package/dist/nextjs/providers/ServerUserContext.d.ts +2 -0
  30. package/dist/nextjs/providers/ServerUserContext.d.ts.map +1 -0
  31. package/dist/nextjs/providers/ServerUserContext.js +5 -0
  32. package/dist/nextjs/providers/ServerUserContext.js.map +1 -0
  33. package/dist/nextjs/routeHandler.d.ts.map +1 -1
  34. package/dist/nextjs/routeHandler.js +241 -352
  35. package/dist/nextjs/routeHandler.js.map +1 -1
  36. package/dist/react-router-7/components/UserButton.js +1 -1
  37. package/dist/react-router-7/components/UserButton.js.map +1 -1
  38. package/dist/react-router-7/routeHandler.d.ts.map +1 -1
  39. package/dist/react-router-7/routeHandler.js +1 -0
  40. package/dist/react-router-7/routeHandler.js.map +1 -1
  41. package/dist/react-router-7/useUser.d.ts.map +1 -1
  42. package/dist/react-router-7/useUser.js +13 -2
  43. package/dist/react-router-7/useUser.js.map +1 -1
  44. package/dist/reactjs/components/ButtonContentOrLoader.d.ts.map +1 -1
  45. package/dist/reactjs/components/ButtonContentOrLoader.js +2 -4
  46. package/dist/reactjs/components/ButtonContentOrLoader.js.map +1 -1
  47. package/dist/reactjs/components/CivicAuthIframeContainer.d.ts +2 -0
  48. package/dist/reactjs/components/CivicAuthIframeContainer.d.ts.map +1 -0
  49. package/dist/reactjs/components/CivicAuthIframeContainer.js +26 -0
  50. package/dist/reactjs/components/CivicAuthIframeContainer.js.map +1 -0
  51. package/dist/reactjs/components/SignInButton.d.ts.map +1 -1
  52. package/dist/reactjs/components/SignInButton.js +11 -1
  53. package/dist/reactjs/components/SignInButton.js.map +1 -1
  54. package/dist/reactjs/components/UserButton.d.ts +9 -2
  55. package/dist/reactjs/components/UserButton.d.ts.map +1 -1
  56. package/dist/reactjs/components/UserButton.js +41 -9
  57. package/dist/reactjs/components/UserButton.js.map +1 -1
  58. package/dist/reactjs/components/index.d.ts +1 -0
  59. package/dist/reactjs/components/index.d.ts.map +1 -1
  60. package/dist/reactjs/components/index.js +1 -0
  61. package/dist/reactjs/components/index.js.map +1 -1
  62. package/dist/reactjs/core/GlobalAuthManager.d.ts +26 -0
  63. package/dist/reactjs/core/GlobalAuthManager.d.ts.map +1 -1
  64. package/dist/reactjs/core/GlobalAuthManager.js +76 -5
  65. package/dist/reactjs/core/GlobalAuthManager.js.map +1 -1
  66. package/dist/reactjs/hooks/useUser.d.ts +19 -2
  67. package/dist/reactjs/hooks/useUser.d.ts.map +1 -1
  68. package/dist/reactjs/hooks/useUser.js +95 -7
  69. package/dist/reactjs/hooks/useUser.js.map +1 -1
  70. package/dist/reactjs/index.d.ts +1 -2
  71. package/dist/reactjs/index.d.ts.map +1 -1
  72. package/dist/reactjs/index.js +1 -2
  73. package/dist/reactjs/index.js.map +1 -1
  74. package/dist/server/ServerAuthenticationResolver.d.ts.map +1 -1
  75. package/dist/server/ServerAuthenticationResolver.js +18 -0
  76. package/dist/server/ServerAuthenticationResolver.js.map +1 -1
  77. package/dist/server/index.d.ts +1 -1
  78. package/dist/server/index.d.ts.map +1 -1
  79. package/dist/server/index.js.map +1 -1
  80. package/dist/server/session.d.ts +51 -0
  81. package/dist/server/session.d.ts.map +1 -1
  82. package/dist/server/session.js +276 -15
  83. package/dist/server/session.js.map +1 -1
  84. package/dist/shared/components/SVGLoading.js +1 -1
  85. package/dist/shared/components/SVGLoading.js.map +1 -1
  86. package/dist/shared/components/UserButtonPresentation.d.ts.map +1 -0
  87. package/dist/shared/components/UserButtonPresentation.js.map +1 -0
  88. package/dist/shared/hooks/index.d.ts +1 -2
  89. package/dist/shared/hooks/index.d.ts.map +1 -1
  90. package/dist/shared/hooks/index.js +1 -2
  91. package/dist/shared/hooks/index.js.map +1 -1
  92. package/dist/shared/hooks/useBfcacheHandler.d.ts +23 -0
  93. package/dist/shared/hooks/useBfcacheHandler.d.ts.map +1 -0
  94. package/dist/shared/hooks/useBfcacheHandler.js +65 -0
  95. package/dist/shared/hooks/useBfcacheHandler.js.map +1 -0
  96. package/dist/shared/index.d.ts +1 -0
  97. package/dist/shared/index.d.ts.map +1 -1
  98. package/dist/shared/index.js +1 -0
  99. package/dist/shared/index.js.map +1 -1
  100. package/dist/shared/lib/util.d.ts +32 -0
  101. package/dist/shared/lib/util.d.ts.map +1 -1
  102. package/dist/shared/lib/util.js +79 -0
  103. package/dist/shared/lib/util.js.map +1 -1
  104. package/dist/shared/providers/AuthStatusContext.d.ts.map +1 -1
  105. package/dist/shared/providers/AuthStatusContext.js +2 -1
  106. package/dist/shared/providers/AuthStatusContext.js.map +1 -1
  107. package/dist/shared/providers/CivicAuthConfigContext.d.ts +2 -1
  108. package/dist/shared/providers/CivicAuthConfigContext.d.ts.map +1 -1
  109. package/dist/shared/providers/CivicAuthConfigContext.js +5 -2
  110. package/dist/shared/providers/CivicAuthConfigContext.js.map +1 -1
  111. package/dist/shared/providers/types.d.ts +1 -0
  112. package/dist/shared/providers/types.d.ts.map +1 -1
  113. package/dist/shared/providers/types.js.map +1 -1
  114. package/dist/shared/utils/locationChange.d.ts +34 -0
  115. package/dist/shared/utils/locationChange.d.ts.map +1 -0
  116. package/dist/shared/utils/locationChange.js +28 -0
  117. package/dist/shared/utils/locationChange.js.map +1 -0
  118. package/dist/shared/version.d.ts +1 -1
  119. package/dist/shared/version.js +1 -1
  120. package/dist/shared/version.js.map +1 -1
  121. package/dist/vanillajs/auth/AuthenticationEvents.d.ts +10 -1
  122. package/dist/vanillajs/auth/AuthenticationEvents.d.ts.map +1 -1
  123. package/dist/vanillajs/auth/AuthenticationEvents.js +29 -0
  124. package/dist/vanillajs/auth/AuthenticationEvents.js.map +1 -1
  125. package/dist/vanillajs/auth/BackendAuthenticationRefresher.d.ts.map +1 -1
  126. package/dist/vanillajs/auth/BackendAuthenticationRefresher.js +2 -2
  127. package/dist/vanillajs/auth/BackendAuthenticationRefresher.js.map +1 -1
  128. package/dist/vanillajs/auth/CivicAuth.d.ts +32 -0
  129. package/dist/vanillajs/auth/CivicAuth.d.ts.map +1 -1
  130. package/dist/vanillajs/auth/CivicAuth.js +255 -55
  131. package/dist/vanillajs/auth/CivicAuth.js.map +1 -1
  132. package/dist/vanillajs/auth/SessionManager.d.ts +3 -2
  133. package/dist/vanillajs/auth/SessionManager.d.ts.map +1 -1
  134. package/dist/vanillajs/auth/SessionManager.js +33 -7
  135. package/dist/vanillajs/auth/SessionManager.js.map +1 -1
  136. package/dist/vanillajs/auth/config/ConfigProcessor.d.ts.map +1 -1
  137. package/dist/vanillajs/auth/config/ConfigProcessor.js +2 -14
  138. package/dist/vanillajs/auth/config/ConfigProcessor.js.map +1 -1
  139. package/dist/vanillajs/auth/handlers/IframeAuthHandler.d.ts.map +1 -1
  140. package/dist/vanillajs/auth/handlers/IframeAuthHandler.js +64 -11
  141. package/dist/vanillajs/auth/handlers/IframeAuthHandler.js.map +1 -1
  142. package/dist/vanillajs/auth/handlers/MessageHandler.d.ts.map +1 -1
  143. package/dist/vanillajs/auth/handlers/MessageHandler.js +4 -1
  144. package/dist/vanillajs/auth/handlers/MessageHandler.js.map +1 -1
  145. package/dist/vanillajs/auth/handlers/PopupHandler.d.ts.map +1 -1
  146. package/dist/vanillajs/auth/handlers/PopupHandler.js +3 -1
  147. package/dist/vanillajs/auth/handlers/PopupHandler.js.map +1 -1
  148. package/dist/vanillajs/auth/types/AuthTypes.d.ts +11 -1
  149. package/dist/vanillajs/auth/types/AuthTypes.d.ts.map +1 -1
  150. package/dist/vanillajs/auth/types/AuthTypes.js.map +1 -1
  151. package/dist/vanillajs/iframe/IframeManager.d.ts +22 -1
  152. package/dist/vanillajs/iframe/IframeManager.d.ts.map +1 -1
  153. package/dist/vanillajs/iframe/IframeManager.js +184 -22
  154. package/dist/vanillajs/iframe/IframeManager.js.map +1 -1
  155. package/dist/vanillajs/types/index.d.ts +1 -1
  156. package/dist/vanillajs/types/index.d.ts.map +1 -1
  157. package/dist/vanillajs/types/index.js +1 -1
  158. package/dist/vanillajs/types/index.js.map +1 -1
  159. package/dist/vanillajs/ui/LoadingComponents.d.ts +4 -0
  160. package/dist/vanillajs/ui/LoadingComponents.d.ts.map +1 -1
  161. package/dist/vanillajs/ui/LoadingComponents.js +51 -1
  162. package/dist/vanillajs/ui/LoadingComponents.js.map +1 -1
  163. package/package.json +5 -5
  164. package/dist/nextjs/hooks/index.d.ts +0 -2
  165. package/dist/nextjs/hooks/index.d.ts.map +0 -1
  166. package/dist/nextjs/hooks/index.js +0 -2
  167. package/dist/nextjs/hooks/index.js.map +0 -1
  168. package/dist/nextjs/hooks/usePrevious.d.ts +0 -2
  169. package/dist/nextjs/hooks/usePrevious.d.ts.map +0 -1
  170. package/dist/nextjs/hooks/usePrevious.js +0 -9
  171. package/dist/nextjs/hooks/usePrevious.js.map +0 -1
  172. package/dist/nextjs/hooks/useUserCookie.d.ts +0 -9
  173. package/dist/nextjs/hooks/useUserCookie.d.ts.map +0 -1
  174. package/dist/nextjs/hooks/useUserCookie.js +0 -109
  175. package/dist/nextjs/hooks/useUserCookie.js.map +0 -1
  176. package/dist/react-router-7/components/UserButtonPresentation.d.ts.map +0 -1
  177. package/dist/react-router-7/components/UserButtonPresentation.js.map +0 -1
  178. package/dist/shared/components/BlockDisplay.d.ts +0 -6
  179. package/dist/shared/components/BlockDisplay.d.ts.map +0 -1
  180. package/dist/shared/components/BlockDisplay.js +0 -30
  181. package/dist/shared/components/BlockDisplay.js.map +0 -1
  182. package/dist/shared/components/CivicAuthIframe.d.ts +0 -10
  183. package/dist/shared/components/CivicAuthIframe.d.ts.map +0 -1
  184. package/dist/shared/components/CivicAuthIframe.js +0 -49
  185. package/dist/shared/components/CivicAuthIframe.js.map +0 -1
  186. package/dist/shared/components/CivicAuthIframeContainer.d.ts +0 -15
  187. package/dist/shared/components/CivicAuthIframeContainer.d.ts.map +0 -1
  188. package/dist/shared/components/CivicAuthIframeContainer.js +0 -177
  189. package/dist/shared/components/CivicAuthIframeContainer.js.map +0 -1
  190. package/dist/shared/components/CivicAuthLogoutIframeContainer.d.ts +0 -6
  191. package/dist/shared/components/CivicAuthLogoutIframeContainer.d.ts.map +0 -1
  192. package/dist/shared/components/CivicAuthLogoutIframeContainer.js +0 -51
  193. package/dist/shared/components/CivicAuthLogoutIframeContainer.js.map +0 -1
  194. package/dist/shared/components/IFrameAndLoading.d.ts +0 -7
  195. package/dist/shared/components/IFrameAndLoading.d.ts.map +0 -1
  196. package/dist/shared/components/IFrameAndLoading.js +0 -66
  197. package/dist/shared/components/IFrameAndLoading.js.map +0 -1
  198. package/dist/shared/hooks/useAuth.d.ts +0 -3
  199. package/dist/shared/hooks/useAuth.d.ts.map +0 -1
  200. package/dist/shared/hooks/useAuth.js +0 -12
  201. package/dist/shared/hooks/useAuth.js.map +0 -1
  202. package/dist/shared/hooks/useIframe.d.ts +0 -3
  203. package/dist/shared/hooks/useIframe.d.ts.map +0 -1
  204. package/dist/shared/hooks/useIframe.js +0 -13
  205. package/dist/shared/hooks/useIframe.js.map +0 -1
  206. package/dist/shared/hooks/useIsInIframe.d.ts +0 -7
  207. package/dist/shared/hooks/useIsInIframe.d.ts.map +0 -1
  208. package/dist/shared/hooks/useIsInIframe.js +0 -23
  209. package/dist/shared/hooks/useIsInIframe.js.map +0 -1
  210. package/dist/shared/hooks/useSignIn.d.ts +0 -20
  211. package/dist/shared/hooks/useSignIn.d.ts.map +0 -1
  212. package/dist/shared/hooks/useSignIn.js +0 -358
  213. package/dist/shared/hooks/useSignIn.js.map +0 -1
  214. package/dist/shared/providers/IframeProvider.d.ts +0 -28
  215. package/dist/shared/providers/IframeProvider.d.ts.map +0 -1
  216. package/dist/shared/providers/IframeProvider.js +0 -64
  217. package/dist/shared/providers/IframeProvider.js.map +0 -1
  218. /package/dist/{react-router-7 → shared}/components/UserButtonPresentation.d.ts +0 -0
  219. /package/dist/{react-router-7 → shared}/components/UserButtonPresentation.js +0 -0
package/dist/server/session.js CHANGED
@@ -4,13 +4,15 @@ import { clearTokens as clearTokensUtil } from "../shared/lib/util.js";
4
4
  import { resolveOAuthAccessCode } from "../server/login.js";
5
5
  import { buildLoginUrl } from "../server/login.js";
6
6
  import { buildLogoutRedirectUrl } from "../server/logout.js";
7
+ import { TOKEN_EXCHANGE_SUCCESS_TEXT, TOKEN_EXCHANGE_TRIGGER_TEXT, } from "../constants.js";
7
8
  import { refreshTokens } from "../server/refresh.js";
8
9
  import { getVersion } from "../shared/index.js";
9
10
  import { ServerAuthenticationResolver } from "../server/ServerAuthenticationResolver.js";
10
11
  import { DEFAULT_AUTH_SERVER, JWT_PAYLOAD_KNOWN_CLAIM_KEYS, } from "../constants.js";
11
- import { displayModeFromState } from "../lib/oauth.js";
12
+ import { displayModeFromState, loginSuccessUrlFromState } from "../lib/oauth.js";
12
13
  import { decodeJwt } from "jose";
13
14
  import { generateOauthLogoutUrl } from "../shared/lib/util.js";
15
+ import { CodeVerifier } from "../shared/lib/types.js";
14
16
  // Function to omit keys from an object
15
17
  const omitKeys = (keys, obj) => {
16
18
  const result = { ...obj };
@@ -19,6 +21,14 @@ const omitKeys = (keys, obj) => {
19
21
  });
20
22
  return result;
21
23
  };
24
+ /**
25
+ * Helper to detect if this is a same-domain callback request (for iframe workaround)
26
+ */
27
+ const isSameDomainCallback = (req) => {
28
+ if (!req.url)
29
+ return false;
30
+ return req.url.includes("sameDomainCallback=true");
31
+ };
22
32
  /**
23
33
  * Extract user information directly from OIDC tokens
24
34
  * @param tokens The OIDC tokens response
@@ -190,6 +200,98 @@ export class CivicAuth {
190
200
  async clearTokens() {
191
201
  return clearTokensUtil(this.storage);
192
202
  }
203
+ /**
204
+ * Framework-agnostic URL detection and resolution helpers
205
+ * These methods handle proxy environments and can be used by any framework
206
+ */
207
+ /**
208
+ * Try to URI decode a value, returning the original value on error
209
+ */
210
+ static tryUriDecode(value) {
211
+ try {
212
+ return decodeURIComponent(value);
213
+ }
214
+ catch (e) {
215
+ console.error("Error decoding URI component:", e);
216
+ return value;
217
+ }
218
+ }
219
+ /**
220
+ * Get decoded query parameter from request
221
+ */
222
+ static getDecodedQueryParam(request, paramName) {
223
+ const queryParam = request.searchParams.get(paramName);
224
+ if (queryParam) {
225
+ return CivicAuth.tryUriDecode(queryParam);
226
+ }
227
+ return null;
228
+ }
229
+ /**
230
+ * Get value from cookie or query parameter (cookie takes precedence)
231
+ */
232
+ static getCookieOrQueryParam(request, cookieName, queryName) {
233
+ // First check the cookie as it might have the full path with base directory
234
+ const cookieValue = request.cookies.get(cookieName)?.value;
235
+ if (cookieValue) {
236
+ return CivicAuth.tryUriDecode(cookieValue);
237
+ }
238
+ // Fallback to query parameter
239
+ return CivicAuth.getDecodedQueryParam(request, queryName);
240
+ }
241
+ /**
242
+ * Get app URL from request (for proxy environment support)
243
+ * Checks cookies first, then query parameters
244
+ */
245
+ static getAppUrl(request) {
246
+ return CivicAuth.getCookieOrQueryParam(request, CodeVerifier.APP_URL, "appUrl");
247
+ }
248
+ /**
249
+ * Get login success URL with proper base URL handling
250
+ * Extracts from state parameter or query parameters, resolves with baseUrl if provided
251
+ */
252
+ static getLoginSuccessUrl(request, baseUrl) {
253
+ const state = request.searchParams.get("state");
254
+ const loginSuccessUrl = loginSuccessUrlFromState(state) ||
255
+ CivicAuth.getDecodedQueryParam(request, "loginSuccessUrl");
256
+ if (!loginSuccessUrl) {
257
+ return null;
258
+ }
259
+ return baseUrl ? new URL(loginSuccessUrl, baseUrl).href : loginSuccessUrl;
260
+ }
261
+ /**
262
+ * Convert relative URL to absolute URL using appUrl for proxy environments
263
+ */
264
+ static toAbsoluteUrl(request, url, appUrl) {
265
+ if (url.startsWith("http")) {
266
+ return url;
267
+ }
268
+ // Use appUrl if available (for proxy environments), otherwise fall back to request origin
269
+ const baseUrl = appUrl || new URL(request.url).origin;
270
+ return new URL(url, baseUrl).href;
271
+ }
272
+ /**
273
+ * Get post-logout redirect URL with proxy environment support
274
+ */
275
+ getPostLogoutRedirectUrl(request) {
276
+ // Check if we have a target URL in the request (from middleware)
277
+ const targetUrl = request.searchParams.get("targetUrl");
278
+ if (targetUrl) {
279
+ return targetUrl;
280
+ }
281
+ const redirectTarget = this.authConfig.loginSuccessUrl ?? "/";
282
+ // If loginSuccessUrl is absolute, use it as-is
283
+ const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
284
+ if (isAbsoluteRedirect) {
285
+ return redirectTarget;
286
+ }
287
+ // Use appUrl from client for proxy environments
288
+ const appUrl = CivicAuth.getAppUrl(request);
289
+ if (appUrl) {
290
+ return new URL(redirectTarget, appUrl).href;
291
+ }
292
+ // Fallback to request origin
293
+ return new URL(request.url).origin;
294
+ }
193
295
  /**
194
296
  * Smart callback handler that automatically detects frontend vs backend requests
195
297
  * and redirects appropriately. Use this instead of resolveOAuthAccessCode + manual redirect.
@@ -220,11 +322,113 @@ export class CivicAuth {
220
322
  * ```
221
323
  */
222
324
  async handleCallback({ code, state, req }, options) {
223
- // First, resolve the OAuth code and create session
224
- const tokens = await this.resolveOAuthAccessCode(code, state);
225
- // Extract user info directly from tokens
226
- const user = getUserFromTokens(tokens);
227
- const frontendUrl = options?.frontendUrl || this.authConfig.loginSuccessUrl;
325
+ // Handle same-domain callback for iframe workaround
326
+ if (isSameDomainCallback(req)) {
327
+ try {
328
+ // Check if user is already authenticated before attempting token exchange
329
+ const isAlreadyLoggedIn = await this.isLoggedIn();
330
+ let user = null;
331
+ if (isAlreadyLoggedIn) {
332
+ // User is already authenticated, get existing user data
333
+ user = await this.getUser();
334
+ console.log("User already authenticated in same-domain callback:", !!user);
335
+ }
336
+ else {
337
+ // For same-domain callbacks, we should have access to cookies
338
+ const tokens = await this.resolveOAuthAccessCode(code, state);
339
+ user = getUserFromTokens(tokens);
340
+ console.log("Completed token exchange in same-domain callback:", !!user);
341
+ }
342
+ // Return JSON response for same-domain callback
343
+ const currentUrl = new URL(req.url || "");
344
+ const newSearchParams = new URLSearchParams(currentUrl.search);
345
+ newSearchParams.delete("sameDomainCallback");
346
+ newSearchParams.delete("appUrl");
347
+ newSearchParams.delete("loginSuccessUrl");
348
+ const redirectUrl = `${currentUrl.pathname}?${newSearchParams.toString()}${currentUrl.hash}`;
349
+ return {
350
+ content: {
351
+ success: true,
352
+ redirectUrl,
353
+ },
354
+ };
355
+ }
356
+ catch (error) {
357
+ console.error("Same-domain callback failed:", error);
358
+ throw error;
359
+ }
360
+ }
361
+ // Try to resolve the OAuth code and create session
362
+ let tokens;
363
+ let user;
364
+ try {
365
+ tokens = await this.resolveOAuthAccessCode(code, state);
366
+ user = getUserFromTokens(tokens);
367
+ }
368
+ catch (error) {
369
+ // Check if this is a code verifier error and we're in iframe mode
370
+ const isCodeVerifierError = error instanceof Error &&
371
+ error.message.includes("Code verifier not found in storage");
372
+ if (isCodeVerifierError) {
373
+ // First check if user is already authenticated before trying iframe workaround
374
+ try {
375
+ const isAlreadyLoggedIn = await this.isLoggedIn();
376
+ if (isAlreadyLoggedIn) {
377
+ // "User already authenticated, skipping iframe workaround",
378
+ const user = await this.getUser();
379
+ const loginSuccessUrlFromStateValue = loginSuccessUrlFromState(state);
380
+ const frontendUrl = options?.frontendUrl ||
381
+ loginSuccessUrlFromStateValue ||
382
+ this.authConfig.loginSuccessUrl;
383
+ // Check if this is an iframe context - if so, generate iframe completion HTML
384
+ const stateDisplayMode = displayModeFromState(state, undefined);
385
+ const isConfiguredForIframe = stateDisplayMode === "iframe";
386
+ if (isConfiguredForIframe &&
387
+ !this.authConfig.disableIframeDetection &&
388
+ user &&
389
+ frontendUrl) {
390
+ // Generating iframe completion HTML for already authenticated user",
391
+ const completionHtml = this.generateIframeCompletionHtml(user, frontendUrl);
392
+ return { content: completionHtml };
393
+ }
394
+ if (frontendUrl) {
395
+ return { redirectTo: frontendUrl };
396
+ }
397
+ else {
398
+ return { content: { success: true, user } };
399
+ }
400
+ }
401
+ }
402
+ catch (authCheckError) {
403
+ console.warn("Failed to check authentication status:", authCheckError);
404
+ // Continue with iframe workaround if auth check fails
405
+ }
406
+ const stateDisplayMode = displayModeFromState(state, undefined);
407
+ const isConfiguredForIframe = stateDisplayMode === "iframe";
408
+ if (isConfiguredForIframe && !this.authConfig.disableIframeDetection) {
409
+ // Generate HTML that will trigger same-domain callback
410
+ const loginSuccessUrlFromStateValue = loginSuccessUrlFromState(state);
411
+ const frontendUrl = options?.frontendUrl ||
412
+ loginSuccessUrlFromStateValue ||
413
+ this.authConfig.loginSuccessUrl;
414
+ const callbackUrl = req.url || "";
415
+ const sameDomainHtml = this.generateSameDomainCallbackHtml(callbackUrl, frontendUrl);
416
+ return { content: sameDomainHtml };
417
+ }
418
+ // For non-iframe mode or when iframe detection is disabled, return trigger text
419
+ return {
420
+ content: `<html lang="en"><body><span style="display:none">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`,
421
+ };
422
+ }
423
+ // Re-throw other errors
424
+ throw error;
425
+ }
426
+ // Extract loginSuccessUrl from state if present
427
+ const loginSuccessUrlFromStateValue = loginSuccessUrlFromState(state);
428
+ // Priority: options.frontendUrl > loginSuccessUrl from state > config loginSuccessUrl
429
+ const frontendUrl = options?.frontendUrl ||
430
+ loginSuccessUrlFromStateValue ||
431
+ this.authConfig.loginSuccessUrl;
228
432
  // Priority 1: Check state for display mode configuration
229
433
  const stateDisplayMode = displayModeFromState(state, undefined);
230
434
  const isConfiguredForIframe = stateDisplayMode === "iframe";
@@ -232,6 +436,7 @@ export class CivicAuth {
232
436
  // Configuration (from state) takes precedence over auto-detection
233
437
  const shouldTreatAsIframe = isConfiguredForIframe && !this.authConfig.disableIframeDetection;
234
438
  const isTopLevelRedirect = req.headers["sec-fetch-dest"] === "document";
439
+ const isIframeRequest = req.headers["sec-fetch-dest"] === "iframe";
235
440
  const isApiRequest = options?.apiResponse || req.headers.accept?.includes("application/json");
236
441
  // Detect Safari or other browsers where iframe postMessage may fail due to cross-origin restrictions
237
442
  //TODO: Find a better way to detect this
@@ -245,7 +450,7 @@ export class CivicAuth {
245
450
  user &&
246
451
  frontendUrl &&
247
452
  !isLikelyCrossOriginIframe) {
248
- const completionHtml = this.generateIframeCompletionHtml(user);
453
+ const completionHtml = this.generateIframeCompletionHtml(user, frontendUrl);
249
454
  return { content: completionHtml };
250
455
  }
251
456
  // Case 1b: Safari/cross-origin iframe case - redirect instead of HTML
@@ -259,6 +464,19 @@ export class CivicAuth {
259
464
  if (isTopLevelRedirect && frontendUrl) {
260
465
  return { redirectTo: frontendUrl };
261
466
  }
467
+ // Case 2a: The request is from an iframe (detected by sec-fetch-dest)
468
+ // Even if not configured for iframe in state, we should still generate iframe completion HTML
469
+ if (isIframeRequest && user && frontendUrl) {
470
+ if (isLikelyCrossOriginIframe) {
471
+ console.log("Iframe request detected but cross-origin issues likely - redirecting");
472
+ return { redirectTo: frontendUrl };
473
+ }
474
+ else {
475
+ console.log("Generating iframe completion HTML for iframe request (detected by sec-fetch-dest)");
476
+ const completionHtml = this.generateIframeCompletionHtml(user, frontendUrl);
477
+ return { content: completionHtml };
478
+ }
479
+ }
262
480
  // Case 3: The request is an API call. Return JSON content.
263
481
  if (isApiRequest) {
264
482
  return {
@@ -290,9 +508,14 @@ export class CivicAuth {
290
508
  /**
291
509
  * Generate HTML content for iframe completion that sends postMessage to parent
292
510
  */
293
- generateIframeCompletionHtml(user) {
511
+ generateIframeCompletionHtml(user, frontendUrl) {
294
512
  const escapedUser = JSON.stringify(user).replace(/'/g, "\\'");
295
513
  const clientId = this.authConfig.clientId;
514
+ // Determine fallback redirect URL
515
+ const fallbackUrl = frontendUrl ||
516
+ this.authConfig.redirectUrl ||
517
+ this.authConfig.postLogoutRedirectUrl ||
518
+ "/";
296
519
  return `
297
520
  <!DOCTYPE html>
298
521
  <html>
@@ -300,20 +523,15 @@ export class CivicAuth {
300
523
  <title>Authentication Complete</title>
301
524
  <meta charset="utf-8">
302
525
  </head>
303
- <body>
304
- <div style="text-align: center; padding: 20px; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;">
305
- <p>Authentication successful! Completing login...</p>
306
- </div>
307
-
526
+ <body>
308
527
  <!-- Success signal for SignalObserver -->
309
528
  <div id="civic-auth-success-signal" style="display: none;" data-user-info='${escapedUser}'>
310
- Authentication successful!
529
+ ${TOKEN_EXCHANGE_SUCCESS_TEXT}
311
530
  </div>
312
531
 
313
532
  <script>
314
533
  // Send postMessage to parent to resolve authentication promise
315
534
  if (window.parent && window.parent !== window) {
316
- console.log('📤 Sending auth success postMessage to parent');
317
535
  try {
318
536
  window.parent.postMessage({
319
537
  type: 'auth_success',
@@ -342,10 +560,53 @@ export class CivicAuth {
342
560
  } else {
343
561
  console.log('❌ Not in iframe context or no parent window');
344
562
  }
563
+
564
+ // Fallback redirect after 500ms delay to handle cases where:
565
+ // 1. postMessage fails or parent doesn't respond
566
+ // 2. Not in iframe context
567
+ // 3. Any other edge cases where the user gets stuck
568
+ setTimeout(function() {
569
+ console.log('🔄 Executing fallback redirect to: ${fallbackUrl}');
570
+ window.location.href = '${fallbackUrl}';
571
+ }, 500);
345
572
  </script>
346
573
  </body>
347
574
  </html>
348
575
  `;
349
576
  }
577
+ /**
578
+ * Generate HTML response that triggers same-domain callback for iframe workaround
579
+ */
580
+ generateSameDomainCallbackHtml = (callbackUrl, frontendUrl) => {
581
+ const loginSuccessSegment = frontendUrl
582
+ ? `&loginSuccessUrl=${encodeURIComponent(frontendUrl)}`
583
+ : "";
584
+ return `<html lang="en">
585
+ <body>
586
+ <span style="display:none">
587
+ <script>
588
+ window.onload = function () {
589
+ // Get the complete URL including origin and path
590
+ // This ensures we capture any base path like /directory
591
+ const appUrl = window.location.href.substring(
592
+ 0,
593
+ window.location.href.indexOf("/api/auth")
594
+ );
595
+ fetch('${callbackUrl}&sameDomainCallback=true&appUrl=' + encodeURIComponent(appUrl) + '${loginSuccessSegment}').then((response) => {
596
+ response.json().then((jsonResponse) => {
597
+ // For login: Redirect back to the callback route, so Case 2 in handleTokenExchangeComplete will be triggered
598
+ // For logout: Redirect to the postLogoutRedirectUrl
599
+ if(jsonResponse.redirectUrl) {
600
+ window.location.href = jsonResponse.redirectUrl;
601
+ }
602
+ });
603
+ });
604
+ };
605
+ </script>
606
+ </span>
607
+ </body>
608
+ </html>
609
+ `;
610
+ };
350
611
  }
351
612
  //# sourceMappingURL=session.js.map
package/dist/server/session.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAOL,SAAS,GACV,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,OAAO,IAAI,iBAAiB,EAC5B,SAAS,IAAI,mBAAmB,GACjC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,WAAW,IAAI,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AACxF,OAAO,EACL,mBAAmB,EACnB,4BAA4B,GAC7B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAmB,MAAM,MAAM,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAkB9D,uCAAuC;AACvC,MAAM,QAAQ,GAAG,CACf,IAAS,EACT,GAAM,EACM,EAAE;IACd,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;IAC1B,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF;;;;GAIG;AACH,SAAS,iBAAiB,CACxB,MAA6B;IAE7B,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAmB,CAAC;IACjE,IAAI,CAAC,WAAW,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAElC,qCAAqC;IACrC,MAAM,6BAA6B,GAAG;QACpC,GAAI,WAAiB;QACrB,EAAE,EAAE,WAAW,CAAC,GAAG;KACpB,CAAC;IAEF,0EAA0E;IAC1E,OAAO,QAAQ,CACb,CAAC,GAAG,4BAA4B,EAAE,GAAG,SAAS,CAAC,EAC/C,6BAA6B,CACnB,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,SAAS;IAGT;IACA;IAHX,aAAa,GAAkC,IAAI,CAAC;IACpD,YACW,OAAoB,EACpB,UAAsB;QADtB,YAAO,GAAP,OAAO,CAAa;QACpB,eAAU,GAAV,UAAU,CAAY;IAC9B,CAAC;IAEJ,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,aAAa,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAC3D;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,EACD,IAAI,CAAC,OAAO,CACb,CAAC;QACF,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IACD;;;OAGG;IACH,KAAK,CAAC,OAAO;QAGX,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE9C,IAAI,CAAC;YACH,iDAAiD;YACjD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,uBAAuB,EAAE,CAAC;YACzD,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,qEAAqE;YACrE,OAAO,iBAAiB,CAAI,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS;QACb,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE9C,IAAI,CAAC;YACH,mDAAmD;YACnD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,uBAAuB,EAAE,CAAC;YAEzD,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,uEAAuE;YACvE,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,sBAAsB,CAC1B,IAAY,EACZ,KAAa;QAEb,OAAO,sBAAsB,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,uBAAuB,EAAE,CAAC;QACzD,OAAO,OAAO,EAAE,aAAa,IAAI,KAAK,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,aAAa,CAAC,OAInB;QACC,OAAO,aAAa,CAClB;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,KAAK,EAAE,OAAO,EAAE,KAAK;YACrB,KAAK,EAAE,OAAO,EAAE,KAAK;YACrB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,UAAU,EAAE;SACzB,EACD,IAAI,CAAC,OAAO,CACb,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAAC,OAG5B;QACC,uEAAuE;QACvE,+FAA+F;QAC/F,IAAI,CAAC;YACH,gFAAgF;YAChF,uEAAuE;YACvE,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEvD,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;gBACpB,kDAAkD;gBAClD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;oBAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBACtE,CAAC;gBAED,wDAAwD;gBACxD,yDAAyD;gBAEzD,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC;oBAC7C,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,QAAQ;oBAClC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,qBAAqB,IAAI,GAAG;oBACzD,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;oBAChE,WAAW,EAAE,IAAI,CAAC,WAAW;iBAC9B,CAAC,CAAC;gBAEH,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,kEAAkE;YAClE,OAAO,CAAC,IAAI,CACV,sFAAsF,EACtF,KAAK,CACN,CAAC;QACJ,CAAC;QAED,4FAA4F;QAC5F,OAAO,sBAAsB,CAC3B;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,KAAK,EAAE,OAAO,EAAE,KAAK;SACtB,EACD,IAAI,CAAC,OAAO,CACb,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,KAAK,CAAC,cAAc,CAClB,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAwB,EAC1C,OAGC;QAKD,mDAAmD;QACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAE9D,yCAAyC;QACzC,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAEvC,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;QAE5E,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,qBAAqB,GAAG,gBAAgB,KAAK,QAAQ,CAAC;QAE5D,2DAA2D;QAC3D,kEAAkE;QAClE,MAAM,mBAAmB,GACvB,qBAAqB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,sBAAsB,CAAC;QAEnE,MAAM,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,UAAU,CAAC;QACxE,MAAM,YAAY,GAChB,OAAO,EAAE,WAAW,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAE3E,qGAAqG;QACrG,wCAAwC;QACxC,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,QAAQ,GACZ,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAChE,MAAM,yBAAyB,GAC7B,QAAQ;YACR,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElE,wEAAwE;QACxE,yFAAyF;QACzF,IACE,mBAAmB;YACnB,IAAI;YACJ,WAAW;YACX,CAAC,yBAAyB,EAC1B,CAAC;YACD,MAAM,cAAc,GAAG,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,CAAC;YAC/D,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;QACrC,CAAC;QAED,sEAAsE;QACtE,IACE,mBAAmB;YACnB,IAAI;YACJ,WAAW;YACX,yBAAyB,EACzB,CAAC;YACD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,sEAAsE;QACtE,IAAI,kBAAkB,IAAI,WAAW,EAAE,CAAC;YACtC,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,2DAA2D;QAC3D,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,IAAI;oBACb,IAAI;iBACL;aACF,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,2BAA2B;QAC3B,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,8FAA8F;QAC9F,mDAAmD;QACnD,IAAI,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;YAC1C,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;QAC/D,CAAC;QAED,oFAAoF;QACpF,kFAAkF;QAClF,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI;gBACb,IAAI;aACL;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,4BAA4B,CAAC,IAAU;QAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAE1C,OAAO;;;;;;;;;;;;;qFAa0E,WAAW;;;;;;;;;;;;;0BAatE,WAAW;;;;;;;;;;;;6BAYR,QAAQ;;0BAEX,WAAW;;;;;;;;;;;;KAYhC,CAAC;IACJ,CAAC;CACF","sourcesContent":["import {\n type AuthStorage,\n type OAuthTokens,\n type User,\n type EmptyObject,\n type UnknownObject,\n type OIDCTokenResponseBody,\n tokenKeys,\n} from \"@/types.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport {\n getUser as getUserFromShared,\n getTokens as getTokensFromShared,\n} from \"@/shared/lib/session.js\";\nimport { clearTokens as clearTokensUtil } from \"@/shared/lib/util.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { buildLoginUrl } from \"@/server/login.js\";\nimport { buildLogoutRedirectUrl } from \"@/server/logout.js\";\nimport { refreshTokens } from \"@/server/refresh.js\";\nimport { getVersion } from \"@/shared/index.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport {\n DEFAULT_AUTH_SERVER,\n JWT_PAYLOAD_KNOWN_CLAIM_KEYS,\n} from \"@/constants.js\";\nimport type { AuthenticationResolver } from \"@/services/types.js\";\nimport { displayModeFromState } from \"@/lib/oauth.js\";\nimport { decodeJwt, type JWTPayload } from \"jose\";\nimport { generateOauthLogoutUrl } from \"@/shared/lib/util.js\";\nexport type HandleCallbackRequest = {\n headers: {\n [key: string]: string | string[] | undefined;\n referer?: string;\n origin?: string;\n \"user-agent\"?: string;\n accept?: string;\n \"sec-fetch-dest\"?: string;\n };\n};\n\nexport type HandleCallbackParams = {\n code: string;\n state: string;\n req: HandleCallbackRequest;\n};\n\n// Function to omit keys from an object\nconst omitKeys = <K extends keyof T, T extends Record<string, unknown>>(\n keys: K[],\n obj: T,\n): Omit<T, K> => {\n const result = { ...obj };\n keys.forEach((key) => {\n delete result[key];\n });\n return result;\n};\n\n/**\n * Extract user information directly from OIDC tokens\n * @param tokens The OIDC tokens response\n * @returns The user object or null if no valid ID token\n */\nfunction getUserFromTokens<T extends UnknownObject = EmptyObject>(\n tokens: OIDCTokenResponseBody,\n): User<T> | null {\n if (!tokens.id_token) return null;\n\n const parsedToken = decodeJwt(tokens.id_token) as JWTPayload & T;\n if (!parsedToken.sub) return null;\n\n // set the user ID from the token sub\n const userWithAdditionalTokenFields = {\n ...(parsedToken as T),\n id: parsedToken.sub,\n };\n\n // Remove the token keys from the user object to stop it getting too large\n return omitKeys(\n [...JWT_PAYLOAD_KNOWN_CLAIM_KEYS, ...tokenKeys],\n userWithAdditionalTokenFields,\n ) as User<T>;\n}\n\n/**\n * CivicAuth is the main entry point for server-side authentication operations.\n * It provides a unified interface to all the authentication functions.\n */\nexport class CivicAuth {\n _authResolver: AuthenticationResolver | null = null;\n constructor(\n readonly storage: AuthStorage,\n readonly authConfig: AuthConfig,\n ) {}\n\n get oauthServer(): string {\n return this.authConfig.oauthServer || DEFAULT_AUTH_SERVER;\n }\n\n async getAuthResolver(): Promise<AuthenticationResolver> {\n if (this._authResolver) {\n return Promise.resolve(this._authResolver);\n }\n this._authResolver = await ServerAuthenticationResolver.build(\n {\n ...this.authConfig,\n oauthServer: this.oauthServer,\n },\n this.storage,\n );\n return this._authResolver;\n }\n /**\n * Gets the authenticated user with token validation\n * @returns The user object if authenticated, null otherwise\n */\n async getUser<\n T extends UnknownObject = EmptyObject,\n >(): Promise<User<T> | null> {\n const resolver = await this.getAuthResolver();\n\n try {\n // Validate the session before returning the user\n const session = await resolver.validateExistingSession();\n if (!session?.authenticated) {\n return null;\n }\n\n // If session is valid, use the shared implementation to get the user\n return getUserFromShared<T>(this.storage);\n } catch (error) {\n console.error(\"Token validation failed during getUser\", error);\n return null;\n }\n }\n\n /**\n * Gets the authentication tokens with token validation\n * @returns The tokens if authenticated, null otherwise\n */\n async getTokens(): Promise<OAuthTokens | null> {\n const resolver = await this.getAuthResolver();\n\n try {\n // Validate the session before returning the tokens\n const session = await resolver.validateExistingSession();\n\n if (!session?.authenticated) {\n return null;\n }\n\n // If session is valid, use the shared implementation to get the tokens\n const tokens = await getTokensFromShared(this.storage);\n return tokens;\n } catch (error) {\n console.error(\"❌ Token validation failed during getTokens\", error);\n return null;\n }\n }\n\n /**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code from the query parameter\n * @param state The OAuth state parameter\n * @returns OIDC tokens\n */\n async resolveOAuthAccessCode(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n return resolveOAuthAccessCode(code, state, this.storage, this.authConfig);\n }\n\n /**\n * Check if the user is currently logged in\n * @returns true if logged in, false otherwise\n */\n async isLoggedIn(): Promise<boolean> {\n const resolver = await this.getAuthResolver();\n const session = await resolver.validateExistingSession();\n return session?.authenticated ?? false;\n }\n\n /**\n * Build a login URL to redirect the user to\n * @param options Additional options for building the login URL\n * @returns The login URL\n */\n async buildLoginUrl(options?: {\n scopes?: string[];\n state?: string;\n nonce?: string;\n }): Promise<URL> {\n return buildLoginUrl(\n {\n ...this.authConfig,\n scopes: options?.scopes,\n state: options?.state,\n nonce: options?.nonce,\n framework: \"server\",\n sdkVersion: getVersion(),\n },\n this.storage,\n );\n }\n\n /**\n * Build a logout URL to redirect the user to\n * @param options Additional options for building the logout URL\n * @returns The logout URL\n */\n async buildLogoutRedirectUrl(options?: {\n scopes?: string[];\n state?: string;\n }): Promise<URL> {\n // For backend flows with HTTP-only cookies, try to get tokens directly\n // For logout, we don't need valid/authenticated tokens - just the ID token to build logout URL\n try {\n // Use the shared getTokens function directly - this bypasses session validation\n // since for logout we just need the raw ID token, not validated tokens\n const tokens = await getTokensFromShared(this.storage);\n\n if (tokens?.idToken) {\n // Ensure clientId is present for OAuth operations\n if (!this.authConfig.clientId) {\n throw new Error(\"clientId is required for OAuth logout operations\");\n }\n\n // We have access to the ID token from HTTP-only cookies\n // Build the logout URL manually using the shared utility\n\n const logoutUrl = await generateOauthLogoutUrl({\n clientId: this.authConfig.clientId,\n redirectUrl: this.authConfig.postLogoutRedirectUrl || \"/\",\n idToken: tokens.idToken,\n state: options?.state ?? Math.random().toString(36).substring(2),\n oauthServer: this.oauthServer,\n });\n\n return logoutUrl;\n }\n } catch (error) {\n // If direct token access fails, fall back to the generic function\n console.warn(\n \"❌ Could not get tokens directly from storage, falling back to generic logout method:\",\n error,\n );\n }\n\n // Fallback to the generic function for other storage types or when tokens aren't accessible\n return buildLogoutRedirectUrl(\n {\n ...this.authConfig,\n scopes: options?.scopes,\n state: options?.state,\n },\n this.storage,\n );\n }\n\n /**\n * Refresh the current set of OIDC tokens\n * @returns The refreshed tokens or null for backend flows where tokens are managed in HTTP-only cookies\n */\n async refreshTokens(): Promise<OIDCTokenResponseBody | null> {\n return refreshTokens(this.storage, this.authConfig);\n }\n\n /**\n * Clear all authentication tokens from storage\n */\n async clearTokens(): Promise<void> {\n return clearTokensUtil(this.storage);\n }\n\n /**\n * Smart callback handler that automatically detects frontend vs backend requests\n * and redirects appropriately. Use this instead of resolveOAuthAccessCode + manual redirect.\n *\n * @param params An object containing the authorization code, state, and the incoming request.\n * @param params.code The authorization code from query parameters.\n * @param params.state The OAuth state parameter.\n * @param params.req The incoming request object (e.g., from Express).\n * @param options Configuration options (frontendUrl override, apiResponse flag).\n * @returns Object with redirect information or HTML content for iframe completion.\n *\n * @example\n * ```javascript\n * app.get('/auth/callback', async (req, res) => {\n * const { code, state } = req.query;\n * // The request object 'req' is passed directly\n * const result = await req.civicAuth.handleCallback({ code, state, req });\n *\n * if (result.htmlContent) {\n * res.setHeader('Content-Type', 'text/html');\n * res.send(result.htmlContent);\n * } else if (result.redirectTo) {\n * res.redirect(result.redirectTo);\n * } else {\n * res.json({ success: true, user: result.user });\n * }\n * });\n * ```\n */\n async handleCallback(\n { code, state, req }: HandleCallbackParams,\n options?: {\n frontendUrl?: string;\n apiResponse?: boolean;\n },\n ): Promise<{\n redirectTo?: string;\n content?: string | { success: boolean; user?: User | null };\n }> {\n // First, resolve the OAuth code and create session\n const tokens = await this.resolveOAuthAccessCode(code, state);\n\n // Extract user info directly from tokens\n const user = getUserFromTokens(tokens);\n\n const frontendUrl = options?.frontendUrl || this.authConfig.loginSuccessUrl;\n\n // Priority 1: Check state for display mode configuration\n const stateDisplayMode = displayModeFromState(state, undefined);\n const isConfiguredForIframe = stateDisplayMode === \"iframe\";\n\n // Determine if this should be treated as an iframe request\n // Configuration (from state) takes precedence over auto-detection\n const shouldTreatAsIframe =\n isConfiguredForIframe && !this.authConfig.disableIframeDetection;\n\n const isTopLevelRedirect = req.headers[\"sec-fetch-dest\"] === \"document\";\n const isApiRequest =\n options?.apiResponse || req.headers.accept?.includes(\"application/json\");\n\n // Detect Safari or other browsers where iframe postMessage may fail due to cross-origin restrictions\n //TODO: Find a better way to detect this\n const userAgent = req.headers[\"user-agent\"] || \"\";\n const isSafari =\n userAgent.includes(\"Safari\") && !userAgent.includes(\"Chrome\");\n const isLikelyCrossOriginIframe =\n isSafari ||\n (userAgent.includes(\"WebKit\") && !userAgent.includes(\"Chrome\"));\n\n // Case 1: The request should be treated as iframe. Return HTML content.\n // Unless iframe detection is disabled via configuration OR we detect cross-origin issues\n if (\n shouldTreatAsIframe &&\n user &&\n frontendUrl &&\n !isLikelyCrossOriginIframe\n ) {\n const completionHtml = this.generateIframeCompletionHtml(user);\n return { content: completionHtml };\n }\n\n // Case 1b: Safari/cross-origin iframe case - redirect instead of HTML\n if (\n shouldTreatAsIframe &&\n user &&\n frontendUrl &&\n isLikelyCrossOriginIframe\n ) {\n return { redirectTo: frontendUrl };\n }\n\n // Case 2: The request is a top-level navigation. Return redirect URL.\n if (isTopLevelRedirect && frontendUrl) {\n return { redirectTo: frontendUrl };\n }\n\n // Case 3: The request is an API call. Return JSON content.\n if (isApiRequest) {\n return {\n content: {\n success: true,\n user,\n },\n };\n }\n\n // Fallback for older browsers or other contexts: if a frontend URL is configured,\n // assume a redirect to it.\n if (frontendUrl) {\n return { redirectTo: frontendUrl };\n }\n\n // Server-side fallback: if no frontend URL is configured but we have a postLogoutRedirectUrl,\n // redirect there instead of returning JSON content\n if (this.authConfig.postLogoutRedirectUrl) {\n return { redirectTo: this.authConfig.postLogoutRedirectUrl };\n }\n\n // Absolute fallback: return success as JSON content if no other conditions are met.\n // This could happen if no loginSuccessUrl or postLogoutRedirectUrl is configured.\n return {\n content: {\n success: true,\n user,\n },\n };\n }\n\n /**\n * Generate HTML content for iframe completion that sends postMessage to parent\n */\n private generateIframeCompletionHtml(user: User): string {\n const escapedUser = JSON.stringify(user).replace(/'/g, \"\\\\'\");\n const clientId = this.authConfig.clientId;\n\n return `\n <!DOCTYPE html>\n <html>\n <head>\n <title>Authentication Complete</title>\n <meta charset=\"utf-8\">\n </head>\n <body>\n <div style=\"text-align: center; padding: 20px; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\">\n <p>Authentication successful! Completing login...</p>\n </div>\n \n <!-- Success signal for SignalObserver -->\n <div id=\"civic-auth-success-signal\" style=\"display: none;\" data-user-info='${escapedUser}'>\n Authentication successful!\n </div>\n \n <script> \n // Send postMessage to parent to resolve authentication promise\n if (window.parent && window.parent !== window) {\n console.log('📤 Sending auth success postMessage to parent');\n try {\n window.parent.postMessage({\n type: 'auth_success',\n detail: 'Authentication successful',\n data: {\n user: ${escapedUser}\n }\n }, '*');\n } catch (error) {\n console.error('❌ Failed to send postMessage:', error);\n }\n \n // Also send civicloginApp format message for compatibility\n try {\n window.parent.postMessage({\n source: 'civicloginApp',\n type: 'auth_success',\n clientId: '${clientId}',\n data: {\n user: ${escapedUser}\n }\n }, '*');\n } catch (error) {\n console.error('❌ Failed to send civicloginApp message:', error);\n }\n } else {\n console.log('❌ Not in iframe context or no parent window');\n }\n </script>\n </body>\n </html>\n `;\n }\n}\n"]}
1
+ {"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/server/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAOL,SAAS,GACV,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,OAAO,IAAI,iBAAiB,EAC5B,SAAS,IAAI,mBAAmB,GACjC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,WAAW,IAAI,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AACxF,OAAO,EACL,mBAAmB,EACnB,4BAA4B,GAC7B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAChF,OAAO,EAAE,SAAS,EAAmB,MAAM,MAAM,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAgCrD,uCAAuC;AACvC,MAAM,QAAQ,GAAG,CACf,IAAS,EACT,GAAM,EACM,EAAE;IACd,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;IAC1B,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF;;GAEG;AACH,MAAM,oBAAoB,GAAG,CAAC,GAA0B,EAAW,EAAE;IACnE,IAAI,CAAC,GAAG,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,yBAAyB,CAAC,CAAC;AACrD,CAAC,CAAC;AAEF;;;;GAIG;AACH,SAAS,iBAAiB,CACxB,MAA6B;IAE7B,IAAI,CAAC,MAAM,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAmB,CAAC;IACjE,IAAI,CAAC,WAAW,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAElC,qCAAqC;IACrC,MAAM,6BAA6B,GAAG;QACpC,GAAI,WAAiB;QACrB,EAAE,EAAE,WAAW,CAAC,GAAG;KACpB,CAAC;IAEF,0EAA0E;IAC1E,OAAO,QAAQ,CACb,CAAC,GAAG,4BAA4B,EAAE,GAAG,SAAS,CAAC,EAC/C,6BAA6B,CACnB,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,SAAS;IAGT;IACA;IAHX,aAAa,GAAkC,IAAI,CAAC;IACpD,YACW,OAAoB,EACpB,UAAsB;QADtB,YAAO,GAAP,OAAO,CAAa;QACpB,eAAU,GAAV,UAAU,CAAY;IAC9B,CAAC;IAEJ,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,IAAI,mBAAmB,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,aAAa,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAC3D;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,EACD,IAAI,CAAC,OAAO,CACb,CAAC;QACF,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IACD;;;OAGG;IACH,KAAK,CAAC,OAAO;QAGX,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE9C,IAAI,CAAC;YACH,iDAAiD;YACjD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,uBAAuB,EAAE,CAAC;YACzD,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,qEAAqE;YACrE,OAAO,iBAAiB,CAAI,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS;QACb,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE9C,IAAI,CAAC;YACH,mDAAmD;YACnD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,uBAAuB,EAAE,CAAC;YAEzD,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,uEAAuE;YACvE,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,sBAAsB,CAC1B,IAAY,EACZ,KAAa;QAEb,OAAO,sBAAsB,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,uBAAuB,EAAE,CAAC;QACzD,OAAO,OAAO,EAAE,aAAa,IAAI,KAAK,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,aAAa,CAAC,OAInB;QACC,OAAO,aAAa,CAClB;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,KAAK,EAAE,OAAO,EAAE,KAAK;YACrB,KAAK,EAAE,OAAO,EAAE,KAAK;YACrB,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,UAAU,EAAE;SACzB,EACD,IAAI,CAAC,OAAO,CACb,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAAC,OAG5B;QACC,uEAAuE;QACvE,+FAA+F;QAC/F,IAAI,CAAC;YACH,gFAAgF;YAChF,uEAAuE;YACvE,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEvD,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;gBACpB,kDAAkD;gBAClD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;oBAC9B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBACtE,CAAC;gBAED,wDAAwD;gBACxD,yDAAyD;gBAEzD,MAAM,SAAS,GAAG,MAAM,sBAAsB,CAAC;oBAC7C,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,QAAQ;oBAClC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,qBAAqB,IAAI,GAAG;oBACzD,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;oBAChE,WAAW,EAAE,IAAI,CAAC,WAAW;iBAC9B,CAAC,CAAC;gBAEH,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,kEAAkE;YAClE,OAAO,CAAC,IAAI,CACV,sFAAsF,EACtF,KAAK,CACN,CAAC;QACJ,CAAC;QAED,4FAA4F;QAC5F,OAAO,sBAAsB,CAC3B;YACE,GAAG,IAAI,CAAC,UAAU;YAClB,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,KAAK,EAAE,OAAO,EAAE,KAAK;SACtB,EACD,IAAI,CAAC,OAAO,CACb,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa;QACjB,OAAO,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,OAAO,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED;;;OAGG;IAEH;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,KAAa;QAC/B,IAAI,CAAC;YACH,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,CAAC,CAAC,CAAC;YAClD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,oBAAoB,CACzB,OAA4B,EAC5B,SAAiB;QAEjB,MAAM,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,SAAS,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,qBAAqB,CAC1B,OAA4B,EAC5B,UAAkB,EAClB,SAAiB;QAEjB,4EAA4E;QAC5E,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC;QAC3D,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,SAAS,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC7C,CAAC;QAED,8BAA8B;QAC9B,OAAO,SAAS,CAAC,oBAAoB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC5D,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,SAAS,CAAC,OAA4B;QAC3C,OAAO,SAAS,CAAC,qBAAqB,CACpC,OAAO,EACP,YAAY,CAAC,OAAO,EACpB,QAAQ,CACT,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,kBAAkB,CACvB,OAA4B,EAC5B,OAAuB;QAEvB,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,eAAe,GACnB,wBAAwB,CAAC,KAAK,CAAC;YAC/B,SAAS,CAAC,oBAAoB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;QAE7D,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC;IAC5E,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa,CAClB,OAA4B,EAC5B,GAAW,EACX,MAAsB;QAEtB,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,OAAO,GAAG,CAAC;QACb,CAAC;QAED,0FAA0F;QAC1F,MAAM,OAAO,GAAG,MAAM,IAAI,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;QACtD,OAAO,IAAI,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,wBAAwB,CAAC,OAA4B;QACnD,iEAAiE;QACjE,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,IAAI,GAAG,CAAC;QAE9D,+CAA+C;QAC/C,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC1E,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,cAAc,CAAC;QACxB,CAAC;QAED,gDAAgD;QAChD,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,IAAI,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC;QAC9C,CAAC;QAED,6BAA6B;QAC7B,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,KAAK,CAAC,cAAc,CAClB,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAwB,EAC1C,OAGC;QAKD,oDAAoD;QACpD,IAAI,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,0EAA0E;gBAC1E,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;gBAClD,IAAI,IAAI,GAAgB,IAAI,CAAC;gBAE7B,IAAI,iBAAiB,EAAE,CAAC;oBACtB,wDAAwD;oBACxD,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;oBAC5B,OAAO,CAAC,GAAG,CACT,qDAAqD,EACrD,CAAC,CAAC,IAAI,CACP,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,8DAA8D;oBAC9D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBAC9D,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;oBACjC,OAAO,CAAC,GAAG,CACT,mDAAmD,EACnD,CAAC,CAAC,IAAI,CACP,CAAC;gBACJ,CAAC;gBAED,gDAAgD;gBAChD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC;gBAC1C,MAAM,eAAe,GAAG,IAAI,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;gBAC/D,eAAe,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;gBAC7C,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjC,eAAe,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBAE1C,MAAM,WAAW,GAAG,GAAG,UAAU,CAAC,QAAQ,IAAI,eAAe,CAAC,QAAQ,EAAE,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;gBAC7F,OAAO;oBACL,OAAO,EAAE;wBACP,OAAO,EAAE,IAAI;wBACb,WAAW;qBACiC;iBAC/C,CAAC;YACJ,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;gBACrD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,IAAI,MAA6B,CAAC;QAClC,IAAI,IAAiB,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YACxD,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,kEAAkE;YAClE,MAAM,mBAAmB,GACvB,KAAK,YAAY,KAAK;gBACtB,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,oCAAoC,CAAC,CAAC;YAE/D,IAAI,mBAAmB,EAAE,CAAC;gBACxB,+EAA+E;gBAC/E,IAAI,CAAC;oBACH,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;oBAElD,IAAI,iBAAiB,EAAE,CAAC;wBACtB,4DAA4D;wBAC5D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;wBAClC,MAAM,6BAA6B,GACjC,wBAAwB,CAAC,KAAK,CAAC,CAAC;wBAClC,MAAM,WAAW,GACf,OAAO,EAAE,WAAW;4BACpB,6BAA6B;4BAC7B,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;wBAElC,8EAA8E;wBAC9E,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;wBAChE,MAAM,qBAAqB,GAAG,gBAAgB,KAAK,QAAQ,CAAC;wBAE5D,IACE,qBAAqB;4BACrB,CAAC,IAAI,CAAC,UAAU,CAAC,sBAAsB;4BACvC,IAAI;4BACJ,WAAW,EACX,CAAC;4BACD,qEAAqE;4BACrE,MAAM,cAAc,GAAG,IAAI,CAAC,4BAA4B,CACtD,IAAI,EACJ,WAAW,CACZ,CAAC;4BACF,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;wBACrC,CAAC;wBAED,IAAI,WAAW,EAAE,CAAC;4BAChB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;wBACrC,CAAC;6BAAM,CAAC;4BACN,OAAO,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;wBAC9C,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,OAAO,cAAc,EAAE,CAAC;oBACxB,OAAO,CAAC,IAAI,CACV,wCAAwC,EACxC,cAAc,CACf,CAAC;oBACF,sDAAsD;gBACxD,CAAC;gBAED,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;gBAChE,MAAM,qBAAqB,GAAG,gBAAgB,KAAK,QAAQ,CAAC;gBAE5D,IAAI,qBAAqB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC;oBACrE,uDAAuD;oBACvD,MAAM,6BAA6B,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;oBACtE,MAAM,WAAW,GACf,OAAO,EAAE,WAAW;wBACpB,6BAA6B;wBAC7B,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;oBAElC,MAAM,WAAW,GAAG,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;oBAClC,MAAM,cAAc,GAAG,IAAI,CAAC,8BAA8B,CACxD,WAAW,EACX,WAAW,CACZ,CAAC;oBACF,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;gBACrC,CAAC;gBAED,gFAAgF;gBAChF,OAAO;oBACL,OAAO,EAAE,oDAAoD,2BAA2B,uBAAuB;iBAChH,CAAC;YACJ,CAAC;YAED,wBAAwB;YACxB,MAAM,KAAK,CAAC;QACd,CAAC;QAED,gDAAgD;QAChD,MAAM,6BAA6B,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;QAEtE,sFAAsF;QACtF,MAAM,WAAW,GACf,OAAO,EAAE,WAAW;YACpB,6BAA6B;YAC7B,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;QAElC,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,qBAAqB,GAAG,gBAAgB,KAAK,QAAQ,CAAC;QAE5D,2DAA2D;QAC3D,kEAAkE;QAClE,MAAM,mBAAmB,GACvB,qBAAqB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,sBAAsB,CAAC;QAEnE,MAAM,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,UAAU,CAAC;QACxE,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,QAAQ,CAAC;QACnE,MAAM,YAAY,GAChB,OAAO,EAAE,WAAW,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAE3E,qGAAqG;QACrG,wCAAwC;QACxC,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,QAAQ,GACZ,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAChE,MAAM,yBAAyB,GAC7B,QAAQ;YACR,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElE,wEAAwE;QACxE,yFAAyF;QACzF,IACE,mBAAmB;YACnB,IAAI;YACJ,WAAW;YACX,CAAC,yBAAyB,EAC1B,CAAC;YACD,MAAM,cAAc,GAAG,IAAI,CAAC,4BAA4B,CACtD,IAAI,EACJ,WAAW,CACZ,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;QACrC,CAAC;QAED,sEAAsE;QACtE,IACE,mBAAmB;YACnB,IAAI;YACJ,WAAW;YACX,yBAAyB,EACzB,CAAC;YACD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,sEAAsE;QACtE,IAAI,kBAAkB,IAAI,WAAW,EAAE,CAAC;YACtC,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,sEAAsE;QACtE,8FAA8F;QAC9F,IAAI,eAAe,IAAI,IAAI,IAAI,WAAW,EAAE,CAAC;YAC3C,IAAI,yBAAyB,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CACT,sEAAsE,CACvE,CAAC;gBACF,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CACT,mFAAmF,CACpF,CAAC;gBACF,MAAM,cAAc,GAAG,IAAI,CAAC,4BAA4B,CACtD,IAAI,EACJ,WAAW,CACZ,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;QAED,2DAA2D;QAC3D,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE;oBACP,OAAO,EAAE,IAAI;oBACb,IAAI;iBACL;aACF,CAAC;QACJ,CAAC;QAED,kFAAkF;QAClF,2BAA2B;QAC3B,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QACrC,CAAC;QAED,8FAA8F;QAC9F,mDAAmD;QACnD,IAAI,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;YAC1C,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;QAC/D,CAAC;QAED,oFAAoF;QACpF,kFAAkF;QAClF,OAAO;YACL,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI;gBACb,IAAI;aACL;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,4BAA4B,CAClC,IAAU,EACV,WAAoB;QAEpB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAE1C,kCAAkC;QAClC,MAAM,WAAW,GACf,WAAW;YACX,IAAI,CAAC,UAAU,CAAC,WAAW;YAC3B,IAAI,CAAC,UAAU,CAAC,qBAAqB;YACrC,GAAG,CAAC;QAEN,OAAO;;;;;;;;;qFAS0E,WAAW;YACpF,2BAA2B;;;;;;;;;;;0BAWb,WAAW;;;;;;;;;;;;6BAYR,QAAQ;;0BAEX,WAAW;;;;;;;;;;;;;;;8DAeyB,WAAW;sCACnC,WAAW;;;;;KAK5C,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,8BAA8B,GAAG,CACvC,WAAmB,EACnB,WAAoB,EACZ,EAAE;QACV,MAAM,mBAAmB,GAAG,WAAW;YACrC,CAAC,CAAC,oBAAoB,kBAAkB,CAAC,WAAW,CAAC,EAAE;YACvD,CAAC,CAAC,EAAE,CAAC;QAEP,OAAO;;;;;;;;;;;2BAWgB,WAAW,qEAAqE,mBAAmB;;;;;;;;;;;;;;CAc7H,CAAC;IACA,CAAC,CAAC;CACH","sourcesContent":["import {\n type AuthStorage,\n type OAuthTokens,\n type User,\n type EmptyObject,\n type UnknownObject,\n type OIDCTokenResponseBody,\n tokenKeys,\n} from \"@/types.js\";\nimport type { AuthConfig } from \"@/server/config.js\";\nimport {\n getUser as getUserFromShared,\n getTokens as getTokensFromShared,\n} from \"@/shared/lib/session.js\";\nimport { clearTokens as clearTokensUtil } from \"@/shared/lib/util.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { buildLoginUrl } from \"@/server/login.js\";\nimport { buildLogoutRedirectUrl } from \"@/server/logout.js\";\nimport {\n TOKEN_EXCHANGE_SUCCESS_TEXT,\n TOKEN_EXCHANGE_TRIGGER_TEXT,\n} from \"@/constants.js\";\nimport { refreshTokens } from \"@/server/refresh.js\";\nimport { getVersion } from \"@/shared/index.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport {\n DEFAULT_AUTH_SERVER,\n JWT_PAYLOAD_KNOWN_CLAIM_KEYS,\n} from \"@/constants.js\";\nimport type { AuthenticationResolver } from \"@/services/types.js\";\nimport { displayModeFromState, loginSuccessUrlFromState } from \"@/lib/oauth.js\";\nimport { decodeJwt, type JWTPayload } from \"jose\";\nimport { generateOauthLogoutUrl } from \"@/shared/lib/util.js\";\nimport { CodeVerifier } from \"@/shared/lib/types.js\";\n\n// Generic request interface for framework-agnostic URL detection\nexport type UrlDetectionRequest = {\n url: string;\n headers: Record<string, string | string[] | undefined>;\n searchParams: {\n get(name: string): string | null;\n };\n cookies: {\n get(name: string): { value: string } | undefined;\n };\n};\n\nexport type HandleCallbackRequest = {\n headers: {\n [key: string]: string | string[] | undefined;\n referer?: string;\n origin?: string;\n \"user-agent\"?: string;\n accept?: string;\n \"sec-fetch-dest\"?: string;\n };\n url?: string;\n};\n\nexport type HandleCallbackParams = {\n code: string;\n state: string;\n req: HandleCallbackRequest;\n};\n\n// Function to omit keys from an object\nconst omitKeys = <K extends keyof T, T extends Record<string, unknown>>(\n keys: K[],\n obj: T,\n): Omit<T, K> => {\n const result = { ...obj };\n keys.forEach((key) => {\n delete result[key];\n });\n return result;\n};\n\n/**\n * Helper to detect if this is a same-domain callback request (for iframe workaround)\n */\nconst isSameDomainCallback = (req: HandleCallbackRequest): boolean => {\n if (!req.url) return false;\n return req.url.includes(\"sameDomainCallback=true\");\n};\n\n/**\n * Extract user information directly from OIDC tokens\n * @param tokens The OIDC tokens response\n * @returns The user object or null if no valid ID token\n */\nfunction getUserFromTokens<T extends UnknownObject = EmptyObject>(\n tokens: OIDCTokenResponseBody,\n): User<T> | null {\n if (!tokens.id_token) return null;\n\n const parsedToken = decodeJwt(tokens.id_token) as JWTPayload & T;\n if (!parsedToken.sub) return null;\n\n // set the user ID from the token sub\n const userWithAdditionalTokenFields = {\n ...(parsedToken as T),\n id: parsedToken.sub,\n };\n\n // Remove the token keys from the user object to stop it getting too large\n return omitKeys(\n [...JWT_PAYLOAD_KNOWN_CLAIM_KEYS, ...tokenKeys],\n userWithAdditionalTokenFields,\n ) as User<T>;\n}\n\n/**\n * CivicAuth is the main entry point for server-side authentication operations.\n * It provides a unified interface to all the authentication functions.\n */\nexport class CivicAuth {\n _authResolver: AuthenticationResolver | null = null;\n constructor(\n readonly storage: AuthStorage,\n readonly authConfig: AuthConfig,\n ) {}\n\n get oauthServer(): string {\n return this.authConfig.oauthServer || DEFAULT_AUTH_SERVER;\n }\n\n async getAuthResolver(): Promise<AuthenticationResolver> {\n if (this._authResolver) {\n return Promise.resolve(this._authResolver);\n }\n this._authResolver = await ServerAuthenticationResolver.build(\n {\n ...this.authConfig,\n oauthServer: this.oauthServer,\n },\n this.storage,\n );\n return this._authResolver;\n }\n /**\n * Gets the authenticated user with token validation\n * @returns The user object if authenticated, null otherwise\n */\n async getUser<\n T extends UnknownObject = EmptyObject,\n >(): Promise<User<T> | null> {\n const resolver = await this.getAuthResolver();\n\n try {\n // Validate the session before returning the user\n const session = await resolver.validateExistingSession();\n if (!session?.authenticated) {\n return null;\n }\n\n // If session is valid, use the shared implementation to get the user\n return getUserFromShared<T>(this.storage);\n } catch (error) {\n console.error(\"Token validation failed during getUser\", error);\n return null;\n }\n }\n\n /**\n * Gets the authentication tokens with token validation\n * @returns The tokens if authenticated, null otherwise\n */\n async getTokens(): Promise<OAuthTokens | null> {\n const resolver = await this.getAuthResolver();\n\n try {\n // Validate the session before returning the tokens\n const session = await resolver.validateExistingSession();\n\n if (!session?.authenticated) {\n return null;\n }\n\n // If session is valid, use the shared implementation to get the tokens\n const tokens = await getTokensFromShared(this.storage);\n return tokens;\n } catch (error) {\n console.error(\"❌ Token validation failed during getTokens\", error);\n return null;\n }\n }\n\n /**\n * Resolve an OAuth access code to a set of OIDC tokens\n * @param code The access code from the query parameter\n * @param state The OAuth state parameter\n * @returns OIDC tokens\n */\n async resolveOAuthAccessCode(\n code: string,\n state: string,\n ): Promise<OIDCTokenResponseBody> {\n return resolveOAuthAccessCode(code, state, this.storage, this.authConfig);\n }\n\n /**\n * Check if the user is currently logged in\n * @returns true if logged in, false otherwise\n */\n async isLoggedIn(): Promise<boolean> {\n const resolver = await this.getAuthResolver();\n const session = await resolver.validateExistingSession();\n return session?.authenticated ?? false;\n }\n\n /**\n * Build a login URL to redirect the user to\n * @param options Additional options for building the login URL\n * @returns The login URL\n */\n async buildLoginUrl(options?: {\n scopes?: string[];\n state?: string;\n nonce?: string;\n }): Promise<URL> {\n return buildLoginUrl(\n {\n ...this.authConfig,\n scopes: options?.scopes,\n state: options?.state,\n nonce: options?.nonce,\n framework: \"server\",\n sdkVersion: getVersion(),\n },\n this.storage,\n );\n }\n\n /**\n * Build a logout URL to redirect the user to\n * @param options Additional options for building the logout URL\n * @returns The logout URL\n */\n async buildLogoutRedirectUrl(options?: {\n scopes?: string[];\n state?: string;\n }): Promise<URL> {\n // For backend flows with HTTP-only cookies, try to get tokens directly\n // For logout, we don't need valid/authenticated tokens - just the ID token to build logout URL\n try {\n // Use the shared getTokens function directly - this bypasses session validation\n // since for logout we just need the raw ID token, not validated tokens\n const tokens = await getTokensFromShared(this.storage);\n\n if (tokens?.idToken) {\n // Ensure clientId is present for OAuth operations\n if (!this.authConfig.clientId) {\n throw new Error(\"clientId is required for OAuth logout operations\");\n }\n\n // We have access to the ID token from HTTP-only cookies\n // Build the logout URL manually using the shared utility\n\n const logoutUrl = await generateOauthLogoutUrl({\n clientId: this.authConfig.clientId,\n redirectUrl: this.authConfig.postLogoutRedirectUrl || \"/\",\n idToken: tokens.idToken,\n state: options?.state ?? Math.random().toString(36).substring(2),\n oauthServer: this.oauthServer,\n });\n\n return logoutUrl;\n }\n } catch (error) {\n // If direct token access fails, fall back to the generic function\n console.warn(\n \"❌ Could not get tokens directly from storage, falling back to generic logout method:\",\n error,\n );\n }\n\n // Fallback to the generic function for other storage types or when tokens aren't accessible\n return buildLogoutRedirectUrl(\n {\n ...this.authConfig,\n scopes: options?.scopes,\n state: options?.state,\n },\n this.storage,\n );\n }\n\n /**\n * Refresh the current set of OIDC tokens\n * @returns The refreshed tokens or null for backend flows where tokens are managed in HTTP-only cookies\n */\n async refreshTokens(): Promise<OIDCTokenResponseBody | null> {\n return refreshTokens(this.storage, this.authConfig);\n }\n\n /**\n * Clear all authentication tokens from storage\n */\n async clearTokens(): Promise<void> {\n return clearTokensUtil(this.storage);\n }\n\n /**\n * Framework-agnostic URL detection and resolution helpers\n * These methods handle proxy environments and can be used by any framework\n */\n\n /**\n * Try to URI decode a value, returning the original value on error\n */\n static tryUriDecode(value: string): string {\n try {\n return decodeURIComponent(value);\n } catch (e) {\n console.error(\"Error decoding URI component:\", e);\n return value;\n }\n }\n\n /**\n * Get decoded query parameter from request\n */\n static getDecodedQueryParam(\n request: UrlDetectionRequest,\n paramName: string,\n ): string | null {\n const queryParam = request.searchParams.get(paramName);\n if (queryParam) {\n return CivicAuth.tryUriDecode(queryParam);\n }\n return null;\n }\n\n /**\n * Get value from cookie or query parameter (cookie takes precedence)\n */\n static getCookieOrQueryParam(\n request: UrlDetectionRequest,\n cookieName: string,\n queryName: string,\n ): string | null {\n // First check the cookie as it might have the full path with base directory\n const cookieValue = request.cookies.get(cookieName)?.value;\n if (cookieValue) {\n return CivicAuth.tryUriDecode(cookieValue);\n }\n\n // Fallback to query parameter\n return CivicAuth.getDecodedQueryParam(request, queryName);\n }\n\n /**\n * Get app URL from request (for proxy environment support)\n * Checks cookies first, then query parameters\n */\n static getAppUrl(request: UrlDetectionRequest): string | null {\n return CivicAuth.getCookieOrQueryParam(\n request,\n CodeVerifier.APP_URL,\n \"appUrl\",\n );\n }\n\n /**\n * Get login success URL with proper base URL handling\n * Extracts from state parameter or query parameters, resolves with baseUrl if provided\n */\n static getLoginSuccessUrl(\n request: UrlDetectionRequest,\n baseUrl?: string | null,\n ): string | null {\n const state = request.searchParams.get(\"state\");\n const loginSuccessUrl =\n loginSuccessUrlFromState(state) ||\n CivicAuth.getDecodedQueryParam(request, \"loginSuccessUrl\");\n\n if (!loginSuccessUrl) {\n return null;\n }\n\n return baseUrl ? new URL(loginSuccessUrl, baseUrl).href : loginSuccessUrl;\n }\n\n /**\n * Convert relative URL to absolute URL using appUrl for proxy environments\n */\n static toAbsoluteUrl(\n request: UrlDetectionRequest,\n url: string,\n appUrl?: string | null,\n ): string {\n if (url.startsWith(\"http\")) {\n return url;\n }\n\n // Use appUrl if available (for proxy environments), otherwise fall back to request origin\n const baseUrl = appUrl || new URL(request.url).origin;\n return new URL(url, baseUrl).href;\n }\n\n /**\n * Get post-logout redirect URL with proxy environment support\n */\n getPostLogoutRedirectUrl(request: UrlDetectionRequest): string {\n // Check if we have a target URL in the request (from middleware)\n const targetUrl = request.searchParams.get(\"targetUrl\");\n if (targetUrl) {\n return targetUrl;\n }\n\n const redirectTarget = this.authConfig.loginSuccessUrl ?? \"/\";\n\n // If loginSuccessUrl is absolute, use it as-is\n const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n if (isAbsoluteRedirect) {\n return redirectTarget;\n }\n\n // Use appUrl from client for proxy environments\n const appUrl = CivicAuth.getAppUrl(request);\n if (appUrl) {\n return new URL(redirectTarget, appUrl).href;\n }\n\n // Fallback to request origin\n return new URL(request.url).origin;\n }\n\n /**\n * Smart callback handler that automatically detects frontend vs backend requests\n * and redirects appropriately. Use this instead of resolveOAuthAccessCode + manual redirect.\n *\n * @param params An object containing the authorization code, state, and the incoming request.\n * @param params.code The authorization code from query parameters.\n * @param params.state The OAuth state parameter.\n * @param params.req The incoming request object (e.g., from Express).\n * @param options Configuration options (frontendUrl override, apiResponse flag).\n * @returns Object with redirect information or HTML content for iframe completion.\n *\n * @example\n * ```javascript\n * app.get('/auth/callback', async (req, res) => {\n * const { code, state } = req.query;\n * // The request object 'req' is passed directly\n * const result = await req.civicAuth.handleCallback({ code, state, req });\n *\n * if (result.htmlContent) {\n * res.setHeader('Content-Type', 'text/html');\n * res.send(result.htmlContent);\n * } else if (result.redirectTo) {\n * res.redirect(result.redirectTo);\n * } else {\n * res.json({ success: true, user: result.user });\n * }\n * });\n * ```\n */\n async handleCallback(\n { code, state, req }: HandleCallbackParams,\n options?: {\n frontendUrl?: string;\n apiResponse?: boolean;\n },\n ): Promise<{\n redirectTo?: string;\n content?: string | { success: boolean; user?: User | null };\n }> {\n // Handle same-domain callback for iframe workaround\n if (isSameDomainCallback(req)) {\n try {\n // Check if user is already authenticated before attempting token exchange\n const isAlreadyLoggedIn = await this.isLoggedIn();\n let user: User | null = null;\n\n if (isAlreadyLoggedIn) {\n // User is already authenticated, get existing user data\n user = await this.getUser();\n console.log(\n \"User already authenticated in same-domain callback:\",\n !!user,\n );\n } else {\n // For same-domain callbacks, we should have access to cookies\n const tokens = await this.resolveOAuthAccessCode(code, state);\n user = getUserFromTokens(tokens);\n console.log(\n \"Completed token exchange in same-domain callback:\",\n !!user,\n );\n }\n\n // Return JSON response for same-domain callback\n const currentUrl = new URL(req.url || \"\");\n const newSearchParams = new URLSearchParams(currentUrl.search);\n newSearchParams.delete(\"sameDomainCallback\");\n newSearchParams.delete(\"appUrl\");\n newSearchParams.delete(\"loginSuccessUrl\");\n\n const redirectUrl = `${currentUrl.pathname}?${newSearchParams.toString()}${currentUrl.hash}`;\n return {\n content: {\n success: true,\n redirectUrl,\n } as { success: boolean; redirectUrl: string },\n };\n } catch (error) {\n console.error(\"Same-domain callback failed:\", error);\n throw error;\n }\n }\n\n // Try to resolve the OAuth code and create session\n let tokens: OIDCTokenResponseBody;\n let user: User | null;\n\n try {\n tokens = await this.resolveOAuthAccessCode(code, state);\n user = getUserFromTokens(tokens);\n } catch (error) {\n // Check if this is a code verifier error and we're in iframe mode\n const isCodeVerifierError =\n error instanceof Error &&\n error.message.includes(\"Code verifier not found in storage\");\n\n if (isCodeVerifierError) {\n // First check if user is already authenticated before trying iframe workaround\n try {\n const isAlreadyLoggedIn = await this.isLoggedIn();\n\n if (isAlreadyLoggedIn) {\n // \"User already authenticated, skipping iframe workaround\",\n const user = await this.getUser();\n const loginSuccessUrlFromStateValue =\n loginSuccessUrlFromState(state);\n const frontendUrl =\n options?.frontendUrl ||\n loginSuccessUrlFromStateValue ||\n this.authConfig.loginSuccessUrl;\n\n // Check if this is an iframe context - if so, generate iframe completion HTML\n const stateDisplayMode = displayModeFromState(state, undefined);\n const isConfiguredForIframe = stateDisplayMode === \"iframe\";\n\n if (\n isConfiguredForIframe &&\n !this.authConfig.disableIframeDetection &&\n user &&\n frontendUrl\n ) {\n // Generating iframe completion HTML for already authenticated user\",\n const completionHtml = this.generateIframeCompletionHtml(\n user,\n frontendUrl,\n );\n return { content: completionHtml };\n }\n\n if (frontendUrl) {\n return { redirectTo: frontendUrl };\n } else {\n return { content: { success: true, user } };\n }\n }\n } catch (authCheckError) {\n console.warn(\n \"Failed to check authentication status:\",\n authCheckError,\n );\n // Continue with iframe workaround if auth check fails\n }\n\n const stateDisplayMode = displayModeFromState(state, undefined);\n const isConfiguredForIframe = stateDisplayMode === \"iframe\";\n\n if (isConfiguredForIframe && !this.authConfig.disableIframeDetection) {\n // Generate HTML that will trigger same-domain callback\n const loginSuccessUrlFromStateValue = loginSuccessUrlFromState(state);\n const frontendUrl =\n options?.frontendUrl ||\n loginSuccessUrlFromStateValue ||\n this.authConfig.loginSuccessUrl;\n\n const callbackUrl = req.url || \"\";\n const sameDomainHtml = this.generateSameDomainCallbackHtml(\n callbackUrl,\n frontendUrl,\n );\n return { content: sameDomainHtml };\n }\n\n // For non-iframe mode or when iframe detection is disabled, return trigger text\n return {\n content: `<html lang=\"en\"><body><span style=\"display:none\">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`,\n };\n }\n\n // Re-throw other errors\n throw error;\n }\n\n // Extract loginSuccessUrl from state if present\n const loginSuccessUrlFromStateValue = loginSuccessUrlFromState(state);\n\n // Priority: options.frontendUrl > loginSuccessUrl from state > config loginSuccessUrl\n const frontendUrl =\n options?.frontendUrl ||\n loginSuccessUrlFromStateValue ||\n this.authConfig.loginSuccessUrl;\n\n // Priority 1: Check state for display mode configuration\n const stateDisplayMode = displayModeFromState(state, undefined);\n const isConfiguredForIframe = stateDisplayMode === \"iframe\";\n\n // Determine if this should be treated as an iframe request\n // Configuration (from state) takes precedence over auto-detection\n const shouldTreatAsIframe =\n isConfiguredForIframe && !this.authConfig.disableIframeDetection;\n\n const isTopLevelRedirect = req.headers[\"sec-fetch-dest\"] === \"document\";\n const isIframeRequest = req.headers[\"sec-fetch-dest\"] === \"iframe\";\n const isApiRequest =\n options?.apiResponse || req.headers.accept?.includes(\"application/json\");\n\n // Detect Safari or other browsers where iframe postMessage may fail due to cross-origin restrictions\n //TODO: Find a better way to detect this\n const userAgent = req.headers[\"user-agent\"] || \"\";\n const isSafari =\n userAgent.includes(\"Safari\") && !userAgent.includes(\"Chrome\");\n const isLikelyCrossOriginIframe =\n isSafari ||\n (userAgent.includes(\"WebKit\") && !userAgent.includes(\"Chrome\"));\n\n // Case 1: The request should be treated as iframe. Return HTML content.\n // Unless iframe detection is disabled via configuration OR we detect cross-origin issues\n if (\n shouldTreatAsIframe &&\n user &&\n frontendUrl &&\n !isLikelyCrossOriginIframe\n ) {\n const completionHtml = this.generateIframeCompletionHtml(\n user,\n frontendUrl,\n );\n return { content: completionHtml };\n }\n\n // Case 1b: Safari/cross-origin iframe case - redirect instead of HTML\n if (\n shouldTreatAsIframe &&\n user &&\n frontendUrl &&\n isLikelyCrossOriginIframe\n ) {\n return { redirectTo: frontendUrl };\n }\n\n // Case 2: The request is a top-level navigation. Return redirect URL.\n if (isTopLevelRedirect && frontendUrl) {\n return { redirectTo: frontendUrl };\n }\n\n // Case 2a: The request is from an iframe (detected by sec-fetch-dest)\n // Even if not configured for iframe in state, we should still generate iframe completion HTML\n if (isIframeRequest && user && frontendUrl) {\n if (isLikelyCrossOriginIframe) {\n console.log(\n \"Iframe request detected but cross-origin issues likely - redirecting\",\n );\n return { redirectTo: frontendUrl };\n } else {\n console.log(\n \"Generating iframe completion HTML for iframe request (detected by sec-fetch-dest)\",\n );\n const completionHtml = this.generateIframeCompletionHtml(\n user,\n frontendUrl,\n );\n return { content: completionHtml };\n }\n }\n\n // Case 3: The request is an API call. Return JSON content.\n if (isApiRequest) {\n return {\n content: {\n success: true,\n user,\n },\n };\n }\n\n // Fallback for older browsers or other contexts: if a frontend URL is configured,\n // assume a redirect to it.\n if (frontendUrl) {\n return { redirectTo: frontendUrl };\n }\n\n // Server-side fallback: if no frontend URL is configured but we have a postLogoutRedirectUrl,\n // redirect there instead of returning JSON content\n if (this.authConfig.postLogoutRedirectUrl) {\n return { redirectTo: this.authConfig.postLogoutRedirectUrl };\n }\n\n // Absolute fallback: return success as JSON content if no other conditions are met.\n // This could happen if no loginSuccessUrl or postLogoutRedirectUrl is configured.\n return {\n content: {\n success: true,\n user,\n },\n };\n }\n\n /**\n * Generate HTML content for iframe completion that sends postMessage to parent\n */\n private generateIframeCompletionHtml(\n user: User,\n frontendUrl?: string,\n ): string {\n const escapedUser = JSON.stringify(user).replace(/'/g, \"\\\\'\");\n const clientId = this.authConfig.clientId;\n\n // Determine fallback redirect URL\n const fallbackUrl =\n frontendUrl ||\n this.authConfig.redirectUrl ||\n this.authConfig.postLogoutRedirectUrl ||\n \"/\";\n\n return `\n <!DOCTYPE html>\n <html>\n <head>\n <title>Authentication Complete</title>\n <meta charset=\"utf-8\">\n </head>\n <body> \n <!-- Success signal for SignalObserver -->\n <div id=\"civic-auth-success-signal\" style=\"display: none;\" data-user-info='${escapedUser}'>\n ${TOKEN_EXCHANGE_SUCCESS_TEXT}\n </div>\n \n <script> \n // Send postMessage to parent to resolve authentication promise\n if (window.parent && window.parent !== window) {\n try {\n window.parent.postMessage({\n type: 'auth_success',\n detail: 'Authentication successful',\n data: {\n user: ${escapedUser}\n }\n }, '*');\n } catch (error) {\n console.error('❌ Failed to send postMessage:', error);\n }\n \n // Also send civicloginApp format message for compatibility\n try {\n window.parent.postMessage({\n source: 'civicloginApp',\n type: 'auth_success',\n clientId: '${clientId}',\n data: {\n user: ${escapedUser}\n }\n }, '*');\n } catch (error) {\n console.error('❌ Failed to send civicloginApp message:', error);\n }\n } else {\n console.log('❌ Not in iframe context or no parent window');\n }\n \n // Fallback redirect after 500ms delay to handle cases where:\n // 1. postMessage fails or parent doesn't respond\n // 2. Not in iframe context\n // 3. Any other edge cases where the user gets stuck\n setTimeout(function() {\n console.log('🔄 Executing fallback redirect to: ${fallbackUrl}');\n window.location.href = '${fallbackUrl}';\n }, 500);\n </script>\n </body>\n </html>\n `;\n }\n\n /**\n * Generate HTML response that triggers same-domain callback for iframe workaround\n */\n private generateSameDomainCallbackHtml = (\n callbackUrl: string,\n frontendUrl?: string,\n ): string => {\n const loginSuccessSegment = frontendUrl\n ? `&loginSuccessUrl=${encodeURIComponent(frontendUrl)}`\n : \"\";\n\n return `<html lang=\"en\">\n <body>\n <span style=\"display:none\">\n <script>\n window.onload = function () {\n // Get the complete URL including origin and path\n // This ensures we capture any base path like /directory\n const appUrl = window.location.href.substring(\n 0,\n window.location.href.indexOf(\"/api/auth\")\n );\n fetch('${callbackUrl}&sameDomainCallback=true&appUrl=' + encodeURIComponent(appUrl) + '${loginSuccessSegment}').then((response) => {\n response.json().then((jsonResponse) => {\n // For login: Redirect back to the callback route, so Case 2 in handleTokenExchangeComplete will be triggered\n // For logout: Redirect to the postLogoutRedirectUrl\n if(jsonResponse.redirectUrl) {\n window.location.href = jsonResponse.redirectUrl;\n }\n });\n });\n };\n </script>\n </span>\n </body>\n</html>\n`;\n };\n}\n"]}
package/dist/shared/components/SVGLoading.js CHANGED
@@ -22,6 +22,6 @@ export default function SVGLoading({ backgroundColor = "#ffffff" } = { backgroun
22
22
  left: 0,
23
23
  borderRadius: "0.5rem", // Added borderRadius
24
24
  backgroundColor,
25
- }, className: "svg-loading", children: [_jsx("defs", { children: _jsxs("linearGradient", { id: "Gradient-0", x2: "320", y1: "15", y2: "15", gradientUnits: "userSpaceOnUse", children: [_jsx("stop", { offset: "0", stopColor: backgroundColor }), _jsx("stop", { offset: ".511", stopColor: "#9A9DA6" }), _jsx("stop", { offset: "1", stopColor: backgroundColor })] }) }), _jsx("path", { id: "rect", fill: backgroundColor, d: "M0 0h328v28H0z" }), " ", _jsx("path", { id: "shimmer", fill: "url(#Gradient-0)", d: "M0 -2h328v34H0z", transform: "translate(-328)", style: shimmerStyle })] })] }));
25
+ }, className: "svg-loading", children: [_jsx("defs", { children: _jsxs("linearGradient", { id: "Gradient-0", x2: "360", y1: "15", y2: "15", gradientUnits: "userSpaceOnUse", children: [_jsx("stop", { offset: "0", stopColor: backgroundColor }), _jsx("stop", { offset: ".511", stopColor: "#9A9DA6" }), _jsx("stop", { offset: "1", stopColor: backgroundColor })] }) }), _jsx("path", { id: "rect", fill: backgroundColor, d: "M0 0h328v28H0z" }), " ", _jsx("path", { id: "shimmer", fill: "url(#Gradient-0)", d: "M0 -2h328v34H0z", transform: "translate(-328)", style: shimmerStyle })] })] }));
26
26
  }
27
27
  //# sourceMappingURL=SVGLoading.js.map
package/dist/shared/components/SVGLoading.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"SVGLoading.js","sourceRoot":"","sources":["../../../src/shared/components/SVGLoading.tsx"],"names":[],"mappings":";AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,MAAM,gBAAgB,GAAG;;;;;;;;;CASxB,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,SAAS,EAAE,iCAAiC;CAC7C,CAAC;AAEF,MAAM,CAAC,OAAO,UAAU,UAAU,CAChC,EAAE,eAAe,GAAG,SAAS,EAAE,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE;IAEhE,OAAO,CACL,8BACE,0BAAQ,gBAAgB,GAAS,EACjC,eACE,KAAK,EAAC,4BAA4B,EAClC,cAAc,EAAC,oBAAoB,EACnC,aAAa,EAAC,oBAAoB,EAClC,OAAO,EAAC,YAAY,CAAC,0BAA0B;kBAC/C,MAAM,EAAC,IAAI,CAAC,kBAAkB;kBAC9B,KAAK,EAAC,MAAM,EACZ,KAAK,EAAE;oBACL,QAAQ,EAAE,UAAU;oBACpB,GAAG,EAAE,CAAC,CAAC;oBACP,IAAI,EAAE,CAAC;oBACP,YAAY,EAAE,QAAQ,EAAE,qBAAqB;oBAC7C,eAAe;iBAChB,EACD,SAAS,EAAC,aAAa,aAEvB,yBACE,0BACE,EAAE,EAAC,YAAY,EACf,EAAE,EAAC,KAAK,EACR,EAAE,EAAC,IAAI,EACP,EAAE,EAAC,IAAI,EACP,aAAa,EAAC,gBAAgB,aAE9B,eAAM,MAAM,EAAC,GAAG,EAAC,SAAS,EAAE,eAAe,GAAI,EAC/C,eAAM,MAAM,EAAC,MAAM,EAAC,SAAS,EAAC,SAAS,GAAG,EAC1C,eAAM,MAAM,EAAC,GAAG,EAAC,SAAS,EAAE,eAAe,GAAI,IAChC,GACZ,EACP,eAAM,EAAE,EAAC,MAAM,EAAC,IAAI,EAAE,eAAe,EAAE,CAAC,EAAC,gBAAgB,GAAG,EAAC,GAAG,EAEhE,eACE,EAAE,EAAC,SAAS,EACZ,IAAI,EAAC,kBAAkB,EACvB,CAAC,EAAC,iBAAiB,EACnB,SAAS,EAAC,iBAAiB,EAC3B,KAAK,EAAE,YAAY,GACnB,IACE,IACL,CACJ,CAAC;AACJ,CAAC","sourcesContent":["import React from \"react\";\n\nconst shimmerKeyframes = `\n @keyframes shimmer {\n 0% {\n transform: translate(-328px, 0);\n }\n to {\n transform: translate(328px, 0);\n }\n }\n`;\n\nconst shimmerStyle = {\n animation: \"1s linear infinite both shimmer\",\n};\n\nexport default function SVGLoading(\n { backgroundColor = \"#ffffff\" } = { backgroundColor: \"#ffffff\" },\n): JSX.Element {\n return (\n <>\n <style>{shimmerKeyframes}</style>\n <svg\n xmlns=\"http://www.w3.org/2000/svg\"\n shapeRendering=\"geometricPrecision\"\n textRendering=\"geometricPrecision\"\n viewBox=\"0 0 324 28\" // Adjusted viewBox height\n height=\"40\" // Adjusted height\n width=\"100%\"\n style={{\n position: \"absolute\",\n top: -6,\n left: 0,\n borderRadius: \"0.5rem\", // Added borderRadius\n backgroundColor,\n }}\n className=\"svg-loading\"\n >\n <defs>\n <linearGradient\n id=\"Gradient-0\"\n x2=\"320\"\n y1=\"15\"\n y2=\"15\"\n gradientUnits=\"userSpaceOnUse\"\n >\n <stop offset=\"0\" stopColor={backgroundColor} />\n <stop offset=\".511\" stopColor=\"#9A9DA6\" />\n <stop offset=\"1\" stopColor={backgroundColor} />\n </linearGradient>\n </defs>\n <path id=\"rect\" fill={backgroundColor} d=\"M0 0h328v28H0z\" />{\" \"}\n {/* Adjusted height */}\n <path\n id=\"shimmer\"\n fill=\"url(#Gradient-0)\"\n d=\"M0 -2h328v34H0z\"\n transform=\"translate(-328)\"\n style={shimmerStyle}\n />\n </svg>\n </>\n );\n}\n"]}
1
+ {"version":3,"file":"SVGLoading.js","sourceRoot":"","sources":["../../../src/shared/components/SVGLoading.tsx"],"names":[],"mappings":";AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,MAAM,gBAAgB,GAAG;;;;;;;;;CASxB,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,SAAS,EAAE,iCAAiC;CAC7C,CAAC;AAEF,MAAM,CAAC,OAAO,UAAU,UAAU,CAChC,EAAE,eAAe,GAAG,SAAS,EAAE,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE;IAEhE,OAAO,CACL,8BACE,0BAAQ,gBAAgB,GAAS,EACjC,eACE,KAAK,EAAC,4BAA4B,EAClC,cAAc,EAAC,oBAAoB,EACnC,aAAa,EAAC,oBAAoB,EAClC,OAAO,EAAC,YAAY,CAAC,0BAA0B;kBAC/C,MAAM,EAAC,IAAI,CAAC,kBAAkB;kBAC9B,KAAK,EAAC,MAAM,EACZ,KAAK,EAAE;oBACL,QAAQ,EAAE,UAAU;oBACpB,GAAG,EAAE,CAAC,CAAC;oBACP,IAAI,EAAE,CAAC;oBACP,YAAY,EAAE,QAAQ,EAAE,qBAAqB;oBAC7C,eAAe;iBAChB,EACD,SAAS,EAAC,aAAa,aAEvB,yBACE,0BACE,EAAE,EAAC,YAAY,EACf,EAAE,EAAC,KAAK,EACR,EAAE,EAAC,IAAI,EACP,EAAE,EAAC,IAAI,EACP,aAAa,EAAC,gBAAgB,aAE9B,eAAM,MAAM,EAAC,GAAG,EAAC,SAAS,EAAE,eAAe,GAAI,EAC/C,eAAM,MAAM,EAAC,MAAM,EAAC,SAAS,EAAC,SAAS,GAAG,EAC1C,eAAM,MAAM,EAAC,GAAG,EAAC,SAAS,EAAE,eAAe,GAAI,IAChC,GACZ,EACP,eAAM,EAAE,EAAC,MAAM,EAAC,IAAI,EAAE,eAAe,EAAE,CAAC,EAAC,gBAAgB,GAAG,EAAC,GAAG,EAEhE,eACE,EAAE,EAAC,SAAS,EACZ,IAAI,EAAC,kBAAkB,EACvB,CAAC,EAAC,iBAAiB,EACnB,SAAS,EAAC,iBAAiB,EAC3B,KAAK,EAAE,YAAY,GACnB,IACE,IACL,CACJ,CAAC;AACJ,CAAC","sourcesContent":["import React from \"react\";\n\nconst shimmerKeyframes = `\n @keyframes shimmer {\n 0% {\n transform: translate(-328px, 0);\n }\n to {\n transform: translate(328px, 0);\n }\n }\n`;\n\nconst shimmerStyle = {\n animation: \"1s linear infinite both shimmer\",\n};\n\nexport default function SVGLoading(\n { backgroundColor = \"#ffffff\" } = { backgroundColor: \"#ffffff\" },\n): JSX.Element {\n return (\n <>\n <style>{shimmerKeyframes}</style>\n <svg\n xmlns=\"http://www.w3.org/2000/svg\"\n shapeRendering=\"geometricPrecision\"\n textRendering=\"geometricPrecision\"\n viewBox=\"0 0 324 28\" // Adjusted viewBox height\n height=\"40\" // Adjusted height\n width=\"100%\"\n style={{\n position: \"absolute\",\n top: -6,\n left: 0,\n borderRadius: \"0.5rem\", // Added borderRadius\n backgroundColor,\n }}\n className=\"svg-loading\"\n >\n <defs>\n <linearGradient\n id=\"Gradient-0\"\n x2=\"360\"\n y1=\"15\"\n y2=\"15\"\n gradientUnits=\"userSpaceOnUse\"\n >\n <stop offset=\"0\" stopColor={backgroundColor} />\n <stop offset=\".511\" stopColor=\"#9A9DA6\" />\n <stop offset=\"1\" stopColor={backgroundColor} />\n </linearGradient>\n </defs>\n <path id=\"rect\" fill={backgroundColor} d=\"M0 0h328v28H0z\" />{\" \"}\n {/* Adjusted height */}\n <path\n id=\"shimmer\"\n fill=\"url(#Gradient-0)\"\n d=\"M0 -2h328v34H0z\"\n transform=\"translate(-328)\"\n style={shimmerStyle}\n />\n </svg>\n </>\n );\n}\n"]}
package/dist/shared/components/UserButtonPresentation.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"UserButtonPresentation.d.ts","sourceRoot":"","sources":["../../../src/shared/components/UserButtonPresentation.tsx"],"names":[],"mappings":"AAEA,UAAU,2BAA2B;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;IAC5B,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAED,wBAAgB,sBAAsB,CAAC,EACrC,SAAS,EACT,KAAK,EACL,OAAO,EACP,aAAa,EAAE,UAAU,EACzB,QAAQ,GACT,EAAE,2BAA2B,oDA0B7B"}
package/dist/shared/components/UserButtonPresentation.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"UserButtonPresentation.js","sourceRoot":"","sources":["../../../src/shared/components/UserButtonPresentation.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAUb,MAAM,UAAU,sBAAsB,CAAC,EACrC,SAAS,EACT,KAAK,EACL,OAAO,EACP,aAAa,EAAE,UAAU,EACzB,QAAQ,GACoB;IAC5B,OAAO,CACL,iBACE,SAAS,EAAE,SAAS,EACpB,KAAK,EAAE;YACL,MAAM,EAAE,SAAS;YACjB,YAAY,EAAE,QAAQ;YACtB,MAAM,EAAE,mBAAmB;YAC3B,OAAO,EAAE,cAAc;YACvB,KAAK,EAAE,SAAS;YAChB,UAAU,EAAE,uBAAuB;YACnC,QAAQ,EAAE,KAAK;YACf,GAAG,KAAK;SACT,EACD,OAAO,EAAE,OAAO,iBACH,UAAU,EACvB,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;YAClB,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,eAAe,GAAG,SAAS,CAAC;QACpD,CAAC,EACD,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;YAClB,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,eAAe,GAAG,EAAE,CAAC;QAC7C,CAAC,YAEA,QAAQ,GACF,CACV,CAAC;AACJ,CAAC","sourcesContent":["\"use client\";\n\ninterface UserButtonPresentationProps {\n className?: string;\n style?: React.CSSProperties;\n onClick?: () => void;\n \"data-testid\"?: string;\n children: React.ReactNode;\n}\n\nexport function UserButtonPresentation({\n className,\n style,\n onClick,\n \"data-testid\": dataTestId,\n children,\n}: UserButtonPresentationProps) {\n return (\n <button\n className={className}\n style={{\n cursor: \"pointer\",\n borderRadius: \"9999px\",\n border: \"1px solid #6b7280\",\n padding: \"0.75rem 1rem\",\n color: \"#6b7280\",\n transition: \"background-color 0.2s\",\n minWidth: \"9em\",\n ...style,\n }}\n onClick={onClick}\n data-testid={dataTestId}\n onMouseEnter={(e) => {\n e.currentTarget.style.backgroundColor = \"#f3f4f6\";\n }}\n onMouseLeave={(e) => {\n e.currentTarget.style.backgroundColor = \"\";\n }}\n >\n {children}\n </button>\n );\n}\n"]}
package/dist/shared/hooks/index.d.ts CHANGED
@@ -1,6 +1,4 @@
1
1
  export { useToken } from "../../shared/hooks/useToken.js";
2
- export { useAuth } from "../../shared/hooks/useAuth.js";
3
- export { useIframe } from "../../shared/hooks/useIframe.js";
4
2
  export { useSession } from "../../shared/hooks/useSession.js";
5
3
  export { useCivicAuthConfig } from "../../shared/hooks/useCivicAuthConfig.js";
6
4
  export { useOAuthEndpoints } from "../../shared/hooks/useOAuthEndpoints.js";
@@ -8,5 +6,6 @@ export { useCurrentUrl } from "../../shared/hooks/useCurrentUrl.js";
8
6
  export { useClientTokenExchangeSession } from "../../shared/hooks/useClientTokenExchangeSession.js";
9
7
  export { useWindowFocused } from "../../shared/hooks/useWindowFocused.js";
10
8
  export { useRefresh } from "../../shared/hooks/useRefresh.js";
9
+ export { useBfcacheHandler } from "../../shared/hooks/useBfcacheHandler.js";
11
10
  export { useAuthStatus } from "../../shared/providers/AuthStatusContext.js";
12
11
  //# sourceMappingURL=index.d.ts.map
package/dist/shared/hooks/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/shared/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,6BAA6B,EAAE,MAAM,iDAAiD,CAAC;AAChG,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAE1D,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/shared/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,6BAA6B,EAAE,MAAM,iDAAiD,CAAC;AAChG,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAExE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC"}
package/dist/shared/hooks/index.js CHANGED
@@ -1,6 +1,4 @@
1
1
  export { useToken } from "../../shared/hooks/useToken.js";
2
- export { useAuth } from "../../shared/hooks/useAuth.js";
3
- export { useIframe } from "../../shared/hooks/useIframe.js";
4
2
  export { useSession } from "../../shared/hooks/useSession.js";
5
3
  export { useCivicAuthConfig } from "../../shared/hooks/useCivicAuthConfig.js";
6
4
  export { useOAuthEndpoints } from "../../shared/hooks/useOAuthEndpoints.js";
@@ -8,5 +6,6 @@ export { useCurrentUrl } from "../../shared/hooks/useCurrentUrl.js";
8
6
  export { useClientTokenExchangeSession } from "../../shared/hooks/useClientTokenExchangeSession.js";
9
7
  export { useWindowFocused } from "../../shared/hooks/useWindowFocused.js";
10
8
  export { useRefresh } from "../../shared/hooks/useRefresh.js";
9
+ export { useBfcacheHandler } from "../../shared/hooks/useBfcacheHandler.js";
11
10
  export { useAuthStatus } from "../../shared/providers/AuthStatusContext.js";
12
11
  //# sourceMappingURL=index.js.map
package/dist/shared/hooks/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/shared/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,2BAA2B,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,6BAA6B,EAAE,MAAM,iDAAiD,CAAC;AAChG,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAE1D,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC","sourcesContent":["export { useToken } from \"@/shared/hooks/useToken.js\";\nexport { useAuth } from \"@/shared/hooks/useAuth.js\";\nexport { useIframe } from \"@/shared/hooks/useIframe.js\";\nexport { useSession } from \"@/shared/hooks/useSession.js\";\nexport { useCivicAuthConfig } from \"@/shared/hooks/useCivicAuthConfig.js\";\nexport { useOAuthEndpoints } from \"@/shared/hooks/useOAuthEndpoints.js\";\nexport { useCurrentUrl } from \"@/shared/hooks/useCurrentUrl.js\";\nexport { useClientTokenExchangeSession } from \"@/shared/hooks/useClientTokenExchangeSession.js\";\nexport { useWindowFocused } from \"@/shared/hooks/useWindowFocused.js\";\nexport { useRefresh } from \"@/shared/hooks/useRefresh.js\";\n\nexport { useAuthStatus } from \"@/shared/providers/AuthStatusContext.js\";\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/shared/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,sCAAsC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,6BAA6B,EAAE,MAAM,iDAAiD,CAAC;AAChG,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAExE,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC","sourcesContent":["export { useToken } from \"@/shared/hooks/useToken.js\";\nexport { useSession } from \"@/shared/hooks/useSession.js\";\nexport { useCivicAuthConfig } from \"@/shared/hooks/useCivicAuthConfig.js\";\nexport { useOAuthEndpoints } from \"@/shared/hooks/useOAuthEndpoints.js\";\nexport { useCurrentUrl } from \"@/shared/hooks/useCurrentUrl.js\";\nexport { useClientTokenExchangeSession } from \"@/shared/hooks/useClientTokenExchangeSession.js\";\nexport { useWindowFocused } from \"@/shared/hooks/useWindowFocused.js\";\nexport { useRefresh } from \"@/shared/hooks/useRefresh.js\";\nexport { useBfcacheHandler } from \"@/shared/hooks/useBfcacheHandler.js\";\n\nexport { useAuthStatus } from \"@/shared/providers/AuthStatusContext.js\";\n"]}