@cloudbase/oauth 2.23.3 → 2.24.0

package/dist/types/auth/apis.d.ts

@@ -28,6 +28,9 @@ export interface AuthOptions {
     };
     i18n?: ICloudbaseConfig['i18n'];
     useWxCloud?: boolean;
+    eventBus?: any;
+    detectSessionInUrl?: boolean;
+    debug?: boolean;
 }
 export declare class Auth {
     private static parseParamsToSearch;
@@ -54,15 +57,29 @@ export declare class Auth {
     grantProviderToken(params: GrantProviderTokenRequest, useWxCloud?: boolean): Promise<GrantProviderTokenResponse>;
     patchProviderToken(params: PatchProviderTokenRequest): Promise<PatchProviderTokenResponse>;
     signInWithProvider(params: SignInWithProviderRequest, useWxCloud?: boolean): Promise<Credentials>;
+    toBindIdentity(params: {
+        provider_token: string;
+        provider: string;
+        credentials?: Credentials;
+        fireEvent?: boolean;
+    }): Promise<any>;
+    getInitialSession(): Promise<{
+        data: {
+            session: Credentials;
+            user?: any;
+        } | null;
+        error: Error | null;
+    }>;
     signInCustom(params: SignInCustomRequest): Promise<Credentials>;
     signInWithWechat(params?: any): Promise<Credentials>;
-    bindWithProvider(params: BindWithProviderRequest): Promise<void>;
+    bindWithProvider(params: BindWithProviderRequest, credentials?: Credentials): Promise<void>;
     getUserProfile(params: {
         version?: string;
     }): Promise<UserProfile>;
     getUserInfo(params?: {
         version?: string;
         query?: string;
+        credentials?: Credentials;
     }): Promise<UserInfo>;
     getWedaUserInfo(): Promise<any>;
     deleteMe(params: WithSudoRequest): Promise<UserProfile>;
@@ -120,4 +137,5 @@ export declare class Auth {
     getUserBehaviorLog(params: GetUserBehaviorLog): Promise<GetUserBehaviorLogRes>;
     modifyPassword(params: ModifyUserBasicInfoRequest): Promise<void>;
     modifyPasswordWithoutLogin(params: ModifyPasswordWithoutLoginRequest): Promise<void>;
+    private restoreUrlState;
 }

package/dist/types/auth/auth-error.d.ts

@@ -0,0 +1,6 @@
+export declare class AuthError extends Error {
+    code: (string & {}) | undefined;
+    status: number | undefined;
+    protected __isAuthError: boolean;
+    constructor(error: any);
+}

package/dist/types/auth/consts.d.ts

@@ -108,3 +108,25 @@ export declare enum ErrorType {
     CAPTCHA_REQUIRED = "captcha_required",
     CAPTCHA_INVALID = "captcha_invalid"
 }
+export declare const LOGIN_STATE_CHANGED_TYPE: {
+    SIGN_OUT: string;
+    SIGN_IN: string;
+    CREDENTIALS_ERROR: string;
+};
+export declare const AUTH_STATE_CHANGED_TYPE: {
+    SIGNED_OUT: string;
+    SIGNED_IN: string;
+    INITIAL_SESSION: string;
+    PASSWORD_RECOVERY: string;
+    TOKEN_REFRESHED: string;
+    USER_UPDATED: string;
+    BIND_IDENTITY: string;
+};
+export declare const EVENTS: {
+    LOGIN_STATE_CHANGED: string;
+    AUTH_STATE_CHANGED: string;
+};
+export declare const OAUTH_TYPE: {
+    SIGN_IN: string;
+    BIND_IDENTITY: string;
+};

package/dist/types/auth/models.d.ts

@@ -511,6 +511,8 @@ export interface ModifyUserBasicInfoRequest {
     gender?: 'MALE' | 'FEMALE';
     password?: string;
     new_password?: string;
+    email?: string;
+    phone?: string;
 }
 export interface GetUserBehaviorLog {
     type: 'LOGIN' | 'MODIFY';

package/dist/types/captcha/captcha-dom.d.ts

@@ -0,0 +1,3 @@
+import { CaptchaToken } from '@cloudbase/adapter-interface';
+import { Auth } from '../auth/apis';
+export declare const openURIWithCallback: (url: string, oauthInstance?: Auth) => Promise<CaptchaToken>;

package/dist/types/captcha/captcha.d.ts

@@ -1,7 +1,9 @@
 import { SimpleStorage, RequestFunction } from '../oauth2client/interface';
 import { AuthClientRequestOptions } from '../oauth2client/models';
 import { SDKAdapterInterface } from '@cloudbase/adapter-interface';
+import { Auth } from '../auth/apis';
 export interface CaptchaOptions {
+    env: string;
     clientId: string;
     request: RequestFunction;
     storage: SimpleStorage;
@@ -9,6 +11,7 @@ export interface CaptchaOptions {
     adapter?: SDKAdapterInterface & {
         isMatch?: () => boolean;
     };
+    oauthInstance?: Auth;
 }
 type OpenURIWithCallbackFuction = (url: string) => Promise<CaptchaToken>;
 export interface CaptchaToken {
@@ -31,7 +34,6 @@ export declare class Captcha {
     isMatch(): boolean;
     request<T>(url: string, options?: CaptchaRequestOptions): Promise<T>;
     private getDefaultOpenURIWithCallback;
-    private defaultOpenURIWithCallback;
     private getCaptchaToken;
     private appendCaptchaTokenToURL;
     private saveCaptchaToken;

package/dist/types/index.d.ts

@@ -1,13 +1,22 @@
 import { OAuth2Client } from './oauth2client/oauth2client';
 import { AuthOptions, Auth } from './auth/apis';
+import { Credentials } from './oauth2client/models';
 export { Auth } from './auth/apis';
-export { AUTH_API_PREFIX } from './auth/consts';
+export { AUTH_API_PREFIX, OAUTH_TYPE } from './auth/consts';
+export { AuthError } from './auth/auth-error';
 export * as authModels from './auth/models';
-export type { ProviderProfile } from './auth/models';
+export type { ProviderProfile, UserInfo, ModifyUserBasicInfoRequest } from './auth/models';
 export type { Credentials, OAuth2ClientOptions, ResponseError, AuthClientRequestOptions } from './oauth2client/models';
 export type { AuthOptions } from './auth/apis';
+export { weappJwtDecodeAll } from './utils/base64';
+export { LOGIN_STATE_CHANGED_TYPE, EVENTS, AUTH_STATE_CHANGED_TYPE } from './auth/consts';
 export declare class CloudbaseOAuth {
     oauth2client: OAuth2Client;
     authApi: Auth;
+    private detectSessionInUrl;
     constructor(authOptions: AuthOptions);
+    initializeSession(onUserObtained?: (data: {
+        session: Credentials;
+        user?: any;
+    }) => void | Promise<void>): void;
 }

package/dist/types/oauth2client/interface.d.ts

@@ -1,7 +1,7 @@
 import { Credentials, AuthClientRequestOptions } from './models';
 export declare abstract class AuthClient {
     abstract request: RequestFunction;
-    abstract setCredentials(credentials?: Credentials): void;
+    abstract setCredentials(credentials?: Credentials): Promise<void>;
     abstract getAccessToken(): Promise<string>;
 }
 export type RequestFunction = <T>(url: string, options?: AuthClientRequestOptions) => Promise<T>;

package/dist/types/oauth2client/models.d.ts

@@ -35,6 +35,7 @@ export interface AuthClientRequestOptions extends RequestOptions {
     withBasicAuth?: boolean;
     retry?: number;
     useWxCloud?: boolean;
+    getCredentials?: () => Credentials | Promise<Credentials | null> | null;
     [key: string]: any;
 }
 export interface OAuth2ClientOptions {
@@ -57,4 +58,17 @@ export interface OAuth2ClientOptions {
     onCredentialsError?: AuthOptions['onCredentialsError'];
     i18n?: ICloudbaseConfig['i18n'];
     useWxCloud?: boolean;
+    eventBus?: any;
+    debug?: boolean;
+    getInitialSession?: () => Promise<{
+        data: {
+            session: Credentials;
+            user?: any;
+        } | null;
+        error: Error | null;
+    }>;
+    onInitialSessionObtained?: (data: {
+        session: Credentials;
+        user?: any;
+    }) => void | Promise<void>;
 }

package/dist/types/oauth2client/oauth2client.d.ts

@@ -23,11 +23,45 @@ declare class DefaultStorage implements SimpleStorage {
     setItemSync(key: string, value: string): void;
 }
 export declare const defaultStorage: DefaultStorage;
+interface LocalCredentialsOptions {
+    tokenSectionName: string;
+    storage: SimpleStorage;
+    clientId: string;
+    credentials?: Credentials;
+}
+declare class LocalCredentials {
+    private tokenSectionName;
+    private storage;
+    private clientId;
+    private credentials;
+    private accessKeyCredentials;
+    private singlePromise;
+    constructor(options: LocalCredentialsOptions);
+    getStorageCredentialsSync(): Credentials | null;
+    setCredentials(credentials?: Credentials): Promise<void>;
+    setAccessKeyCredentials(credentials?: Credentials): void;
+    getCredentials(): Promise<Credentials | null>;
+    private getStorageCredentials;
+}
 export declare class OAuth2Client implements AuthClient {
     private static defaultRetry;
     private static minRetry;
     private static maxRetry;
     private static retryInterval;
+    localCredentials: LocalCredentials;
+    initializePromise: Promise<{
+        error: Error | null;
+    }> | null;
+    protected lockAcquired: boolean;
+    protected pendingInLock: Promise<any>[];
+    protected logDebugMessages: boolean;
+    protected getInitialSession?: () => Promise<{
+        data: {
+            session: Credentials;
+            user?: any;
+        } | null;
+        error: Error | null;
+    }>;
     private apiOrigin;
     private apiPath;
     private clientId;
@@ -35,7 +69,6 @@ export declare class OAuth2Client implements AuthClient {
     private retry;
     private clientSecret?;
     private baseRequest;
-    private localCredentials;
     private storage;
     private deviceID?;
     private tokenInURL?;
@@ -45,9 +78,25 @@ export declare class OAuth2Client implements AuthClient {
     private anonymousSignInFunc;
     private wxCloud;
     private useWxCloud;
+    private eventBus;
     private basicAuth;
     private onCredentialsError;
+    private onInitialSessionObtained?;
     constructor(options: OAuth2ClientOptions);
+    setGetInitialSession(callback: () => Promise<{
+        data: {
+            session: Credentials;
+            user?: any;
+        } | null;
+        error: Error | null;
+    }>): void;
+    setOnInitialSessionObtained(callback: (data: {
+        session: Credentials;
+        user?: any;
+    }) => void | Promise<void>): void;
+    initialize(): Promise<{
+        error: Error | null;
+    }>;
     setCredentials(credentials?: Credentials): Promise<void>;
     setAccessKeyCredentials(credentials?: Credentials): void;
     getAccessToken(): Promise<string>;
@@ -58,7 +107,10 @@ export declare class OAuth2Client implements AuthClient {
     getCredentialsAsync(): Promise<Credentials | null>;
     getScope(): Promise<string>;
     getGroups(): Promise<string[]>;
-    refreshToken(credentials: Credentials): Promise<Credentials>;
+    refreshToken(credentials: Credentials, options?: {
+        throwError?: boolean;
+    }): Promise<Credentials>;
+    private _refreshToken;
     private anonymousLogin;
     private checkRetry;
     private formatRetry;
@@ -67,5 +119,9 @@ export declare class OAuth2Client implements AuthClient {
     private defaultRefreshTokenFunc;
     private getDeviceId;
     private unAuthenticatedError;
+    private _debug;
+    private _initialize;
+    private _acquireLock;
+    private _getCredentials;
 }
 export {};

package/dist/types/utils/base64.d.ts

@@ -2,3 +2,8 @@ export declare function weBtoa(string: string): string;
 export declare const weAtob: (string: string) => string;
 export declare function base64_url_decode(str: string): string;
 export declare function weappJwtDecode(token: string, options?: any): any;
+export declare function weappJwtDecodeAll(token: string): {
+    claims: any;
+    header: any;
+    signature: any;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudbase/oauth",
-  "version": "2.23.3",
+  "version": "2.24.0",
   "description": "cloudbase javascript sdk auth componets",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",
@@ -19,16 +19,16 @@
     "precommit": "npm run lint"
   },
   "dependencies": {
-    "@cloudbase/utilities": "2.23.3"
+    "@cloudbase/utilities": "2.24.0"
   },
   "devDependencies": {
     "@babel/preset-env": "^7.25.3",
-    "@cloudbase/types": "2.23.3",
+    "@cloudbase/types": "2.24.0",
     "@types/node": "^22.5.4",
     "terser-webpack-plugin": "^3.0.2",
     "ts-loader": "^9.5.1",
     "webpack-bundle-analyzer": "^4.9.1"
   },
   "license": "Apache-2.0",
-  "gitHead": "d5f566dbd448be5d75127c4a506bcaf0ff3ae84b"
+  "gitHead": "7dac230344ecae3eec15358b2f85d782fde51839"
 }

package/src/auth/apis.ts

@@ -1,6 +1,6 @@
 'use strict'
 
-import { ApiUrls, ApiUrlsV2, ErrorType } from './consts'
+import { ApiUrls, ApiUrlsV2, AUTH_STATE_CHANGED_TYPE, ErrorType, EVENTS, OAUTH_TYPE } from './consts'
 import {
   GetVerificationRequest,
   GetVerificationResponse,
@@ -69,6 +69,7 @@ import { deepClone } from '../utils'
 import MyURLSearchParams from '../utils/urlSearchParams'
 import { SDKAdapterInterface } from '@cloudbase/adapter-interface'
 import { ICloudbaseConfig } from '@cloudbase/types'
+import { AuthError } from '..'
 
 function getEncryptUtils(isEncrypt, adapter: SDKAdapterInterface) {
   const getUtils = () => {
@@ -119,6 +120,16 @@ export interface AuthOptions {
   headers?: { [key: string]: string }
   i18n?: ICloudbaseConfig['i18n']
   useWxCloud?: boolean
+  eventBus?: any
+  /**
+   * Set to true if you want to automatically detect OAuth grants in the URL
+   * and exchange the code for credentials.
+   */
+  detectSessionInUrl?: boolean
+  /**
+   * Enable debug logging
+   */
+  debug?: boolean
 }
 
 /**
@@ -158,16 +169,19 @@ export class Auth {
         onCredentialsError: opts.onCredentialsError,
         headers: opts.headers || {},
         i18n: opts.i18n,
+        debug: opts.debug,
       }
       oAuth2Client = new OAuth2Client(initOptions)
     }
     if (!request) {
       const baseRequest = oAuth2Client.request.bind(oAuth2Client)
       const captcha = new Captcha({
+        env: opts.env,
         clientId: opts.clientId,
         request: baseRequest,
         storage: opts.storage,
         adapter: opts.adapter,
+        oauthInstance: this,
         ...opts.captchaOptions,
       })
       request = captcha.request.bind(captcha)
@@ -443,6 +457,154 @@ export class Auth {
     return Promise.resolve(credentials)
   }
 
+  public async toBindIdentity(params: {
+    provider_token: string
+    provider: string
+    credentials?: Credentials
+    fireEvent?: boolean
+  }) {
+    const credentials = params.credentials || (await this.config.credentialsClient.localCredentials.getCredentials())
+    let res: any
+    try {
+      await this.bindWithProvider(
+        {
+          provider_token: params.provider_token,
+        },
+        credentials,
+      )
+      res = { data: { type: OAUTH_TYPE.BIND_IDENTITY, provider: params.provider }, error: null }
+    } catch (error) {
+      res = { data: { type: OAUTH_TYPE.BIND_IDENTITY }, error: new AuthError(error) }
+    }
+
+    if (params.fireEvent) {
+      this.config.eventBus?.fire?.(EVENTS.AUTH_STATE_CHANGED, {
+        event: AUTH_STATE_CHANGED_TYPE.BIND_IDENTITY,
+        info: res,
+      })
+    }
+
+    return res
+  }
+
+  /**
+   * 获取初始 session（如从 URL 中的 OAuth 回调）。
+   * 用于 OAuth2Client.initialize() 回调。
+   * 内部处理 URL 检测、OAuth 验证，返回 credentials 和 user。
+   * 不调用 setCredentials，由 OAuth2Client 负责保存。
+   *
+   * @returns { data: { session: Credentials; user?: any } | null, error: Error | null }
+   */
+  public async getInitialSession(): Promise<{
+    data: { session: Credentials; user?: any } | null
+    error: Error | null
+  }> {
+    let data: any = {}
+    try {
+      // Check if running in browser
+      if (typeof window === 'undefined' || typeof document === 'undefined') {
+        return { data: null, error: null }
+      }
+
+      // Parse URL parameters
+      const localSearch = new URLSearchParams(location?.search)
+      const code = localSearch.get('code')
+      const state = localSearch.get('state')
+
+      // No OAuth callback detected
+      if (!code || !state) {
+        return { data: null, error: null }
+      }
+
+      // Get provider from sessionStorage (saved during signInWithOAuth)
+      let cacheData: {
+        provider?: string
+        search?: string
+        hash?: string
+        type?: (typeof OAUTH_TYPE)[keyof typeof OAUTH_TYPE]
+      } | null = null
+      try {
+        cacheData = JSON.parse(sessionStorage.getItem(state) || 'null')
+      } catch {
+        // ignore
+      }
+      data = { type: cacheData?.type }
+      // Check for error in URL
+      const errorParam = localSearch.get('error')
+      const errorDescription = localSearch.get('error_description')
+      if (errorParam || errorDescription) {
+        return {
+          data,
+          error: new AuthError({ message: errorDescription || errorParam || 'Unknown error from OAuth provider' }),
+        }
+      }
+
+      const provider = cacheData?.provider || localSearch.get('provider')
+
+      if (!provider) {
+        return { data, error: new AuthError({ message: 'Provider is required for OAuth verification' }) }
+      }
+
+      // 获取当前页面的 redirect_uri
+      const redirectUri = location.origin + location.pathname
+
+      // Step 1: 获取 provider token
+      const { provider_token: providerToken } = await this.grantProviderToken({
+        provider_id: provider,
+        provider_redirect_uri: redirectUri,
+        provider_code: code,
+      })
+
+      let credentials: Credentials
+      let user: any = null
+      let res: any
+
+      if (cacheData.type === OAUTH_TYPE.BIND_IDENTITY) {
+        credentials = await this.config.credentialsClient.localCredentials.getCredentials()
+        res = await this.toBindIdentity({ provider, provider_token: providerToken, credentials })
+      } else if (cacheData.type === OAUTH_TYPE.SIGN_IN) {
+        res = this.getParamsByVersion({ provider }, 'AUTH_SIGN_IN_WITH_PROVIDER_URL')
+
+        // Step 2: 用 provider token 换取 credentials（直接调用 API，不触发 setCredentials）
+        credentials = await this.config.request<Credentials>(res.url, {
+          method: 'POST',
+          body: { provider_token: providerToken },
+        })
+
+        // Step 3: 获取 user info，传入 getCredentials 函数避免死锁
+        // 不调用 setCredentials，由 OAuth2Client._initialize 负责保存
+        try {
+          user = await this.getUserInfo({ credentials })
+        } catch (e) {
+          console.error('get user info error', e)
+          // 获取 user 失败不影响登录流程
+        }
+
+        res = { data: { ...data, session: credentials, user }, error: null }
+      }
+
+      // Clean up URL parameters and restore original URL state
+      localSearch.delete('code')
+      localSearch.delete('state')
+      localSearch.delete('provider')
+      this.restoreUrlState(
+        cacheData?.search === undefined ? `?${localSearch.toString()}` : cacheData.search,
+        cacheData?.hash || location.hash,
+      )
+
+      // Remove session storage
+      try {
+        sessionStorage.removeItem(state)
+      } catch {
+        // ignore
+      }
+
+      return res
+    } catch (error) {
+      return { data, error: new AuthError(error) }
+    }
+  }
+
   /**
    * Signin with custom.
    * @param {SignInCustomRequest} params A SignInCustomRequest object.
@@ -476,11 +638,12 @@ export class Auth {
    * @param {BindWithProviderRequest} params A BindWithProviderRequest object.
    * @return {Promise<void>} A Promise<any> object.
    */
-  public async bindWithProvider(params: BindWithProviderRequest): Promise<void> {
+  public async bindWithProvider(params: BindWithProviderRequest, credentials?: Credentials): Promise<void> {
     return this.config.request<any>(ApiUrls.PROVIDER_BIND_URL, {
       method: 'POST',
       body: params,
       withCredentials: true,
+      getCredentials: credentials ? () => credentials : undefined,
     })
   }
 
@@ -494,9 +657,14 @@ export class Auth {
 
   /**
    * Get the user info.
+   * @param params.getCredentials Optional custom getCredentials function to bypass default getCredentials() and avoid deadlock
    * @return {Promise<UserInfo>} A Promise<UserProfile> object.
    */
-  public async getUserInfo(params: { version?: string; query?: string } = {}): Promise<UserInfo> {
+  public async getUserInfo(params: {
+    version?: string
+    query?: string
+    credentials?: Credentials
+  } = {},): Promise<UserInfo> {
     const res = this.getParamsByVersion(params, 'USER_ME_URL')
 
     if (res.params?.query) {
@@ -507,6 +675,7 @@ export class Auth {
     const userInfo = await this.config.request<UserInfo>(res.url, {
       method: 'GET',
       withCredentials: true,
+      getCredentials: params.credentials ? () => params.credentials : undefined,
     })
 
     if (userInfo.sub) {
@@ -708,7 +877,8 @@ export class Auth {
   }
 
   /**
-   * Patch the user profile.
+   * Patch the user profile. 没有和数据源同步
+   * @deprecated use updateUserBasicInfo
    * @param {UserProfile} params A UserProfile Object.
    * @return {Promise<UserProfile>} A Promise<UserProfile> object.
    */
@@ -1102,4 +1272,19 @@ export class Auth {
       },
     })
   }
+
+  /**
+   * Restore URL state after OAuth callback
+   */
+  private restoreUrlState(search?: string, hash?: string): void {
+    if (search === undefined) return
+    try {
+      const url = new URL(window.location.href)
+      url.search = search
+      url.hash = hash || ''
+      window.history.replaceState(null, '', url.toString())
+    } catch {
+      // ignore
+    }
+  }
 }

package/src/auth/auth-error.ts

@@ -0,0 +1,21 @@
+export class AuthError extends Error {
+  /**
+   * Error code associated with the error. Most errors coming from
+   * HTTP responses will have a code, though some errors that occur
+   * before a response is received will not have one present. In that
+   * case {@link #status} will also be undefined.
+   */
+  code: (string & {}) | undefined
+
+  /** HTTP status code that caused the error. */
+  status: number | undefined
+
+  protected __isAuthError = true
+
+  constructor(error) {
+    super(error.error_description || error.message)
+    this.name = 'AuthError'
+    this.status = error.error
+    this.code = error.error_code
+  }
+}

package/src/auth/consts.ts

@@ -119,3 +119,31 @@ export enum ErrorType {
   CAPTCHA_REQUIRED = 'captcha_required',
   CAPTCHA_INVALID = 'captcha_invalid',
 }
+
+export const LOGIN_STATE_CHANGED_TYPE = {
+  SIGN_OUT: 'sign_out',
+  SIGN_IN: 'sign_in',
+  CREDENTIALS_ERROR: 'credentials_error',
+}
+
+export const AUTH_STATE_CHANGED_TYPE = {
+  SIGNED_OUT: 'SIGNED_OUT',
+  SIGNED_IN: 'SIGNED_IN',
+  INITIAL_SESSION: 'INITIAL_SESSION',
+  PASSWORD_RECOVERY: 'PASSWORD_RECOVERY',
+  TOKEN_REFRESHED: 'TOKEN_REFRESHED',
+  USER_UPDATED: 'USER_UPDATED',
+  BIND_IDENTITY: 'BIND_IDENTITY',
+}
+
+export const EVENTS = {
+  // 登录态改变后触发
+  LOGIN_STATE_CHANGED: 'loginStateChanged',
+  // 授权态改变后触发
+  AUTH_STATE_CHANGED: 'authStateChanged',
+}
+
+export const OAUTH_TYPE = {
+  SIGN_IN: 'sign_in',
+  BIND_IDENTITY: 'bind_identity',
+}

package/src/auth/models.ts

@@ -622,6 +622,8 @@ export interface ModifyUserBasicInfoRequest {
   gender?: 'MALE' | 'FEMALE'
   password?: string // 旧密码
   new_password?: string // 新密码
+  email?: string
+  phone?: string
 }
 
 export interface GetUserBehaviorLog {