@cloudbase/oauth 2.23.3 → 2.24.0

package/src/oauth2client/oauth2client.ts

@@ -1,5 +1,5 @@
 import { ErrorType } from './consts'
-import { ApiUrls, ApiUrlsV2, AUTH_API_PREFIX } from '../auth/consts'
+import { ApiUrls, ApiUrlsV2, AUTH_API_PREFIX, AUTH_STATE_CHANGED_TYPE, EVENTS } from '../auth/consts'
 
 import { AuthClient, SimpleStorage } from './interface'
 
@@ -315,6 +315,20 @@ export class OAuth2Client implements AuthClient {
   private static maxRetry = 5
   private static retryInterval = 1000
 
+  public localCredentials: LocalCredentials
+  /**
+   * Keeps track of the async client initialization.
+   * When null or not yet resolved the auth state is `unknown`
+   * Once resolved the auth state is known and it's safe to call any further client methods.
+   */
+  public initializePromise: Promise<{ error: Error | null }> | null = null
+  protected lockAcquired = false
+  protected pendingInLock: Promise<any>[] = []
+  protected logDebugMessages: boolean
+  protected getInitialSession?: () => Promise<{
+    data: { session: Credentials; user?: any } | null
+    error: Error | null
+  }>
   private apiOrigin: string
   private apiPath: string
   private clientId: string
@@ -322,7 +336,6 @@ export class OAuth2Client implements AuthClient {
   private retry: number
   private clientSecret?: string
   private baseRequest: <T>(url: string, options?: RequestOptions) => Promise<T>
-  private localCredentials: LocalCredentials
   private storage: SimpleStorage
   private deviceID?: string
   private tokenInURL?: boolean
@@ -332,8 +345,10 @@ export class OAuth2Client implements AuthClient {
   private anonymousSignInFunc: (Credentials) => Promise<Credentials | void>
   private wxCloud: any
   private useWxCloud: boolean
+  private eventBus: any
   private basicAuth: string
   private onCredentialsError: AuthOptions['onCredentialsError'] | undefined
+  private onInitialSessionObtained?: (data: { session: Credentials; user?: any }, error?: any) => void | Promise<void>
 
   /**
    * constructor
@@ -352,6 +367,7 @@ export class OAuth2Client implements AuthClient {
     this.apiPath = options.apiPath || AUTH_API_PREFIX
     this.clientId = options.clientId
     this.i18n = options.i18n
+    this.eventBus = options.eventBus
     this.singlePromise = new SinglePromise({ clientId: this.clientId })
     this.retry = this.formatRetry(options.retry, OAuth2Client.defaultRetry)
     if (options.baseRequest) {
@@ -389,9 +405,56 @@ export class OAuth2Client implements AuthClient {
     this.anonymousSignInFunc = options.anonymousSignInFunc
     this.onCredentialsError = options.onCredentialsError
 
-    langEvent.bus.on(langEvent.LANG_CHANGE_EVENT, (params) => {
+    // New options for session detection
+    this.getInitialSession = options.getInitialSession
+    this.onInitialSessionObtained = options.onInitialSessionObtained
+    this.logDebugMessages = options.debug ?? false
+
+    langEvent.bus.on(langEvent.LANG_CHANGE_EVENT, (params: any) => {
       this.i18n = params.data?.i18n || this.i18n
     })
+
+    // Note: Auto-initialize is NOT called here to allow CloudbaseOAuth to set getInitialSession first
+    // CloudbaseOAuth.constructor will call initialize() after setting up the callback
+  }
+
+  /**
+   * Sets the getInitialSession callback.
+   * This callback is called during initialize() to get the initial session (e.g., from OAuth callback in URL).
+   * @param callback The callback function to get initial session
+   */
+  public setGetInitialSession(callback: () => Promise<{
+    data: { session: Credentials; user?: any } | null
+    error: Error | null
+  }>,): void {
+    this.getInitialSession = callback
+  }
+
+  /**
+   * Sets the onInitialSessionObtained callback.
+   * This callback is invoked after initial session is obtained and stored,
+   * allowing upper layers to handle user info storage.
+   * @param callback The callback function to handle session and user data
+   */
+  public setOnInitialSessionObtained(callback: (data: { session: Credentials; user?: any }) => void | Promise<void>,): void {
+    this.onInitialSessionObtained = callback
+  }
+
+  /**
+   * Initializes the client session either from the url or from storage.
+   * This method is automatically called when instantiating the client with detectSessionInUrl=true,
+   * but should also be called manually when checking for an error from an auth redirect.
+   * @param onInitialSessionObtained Optional callback to set before initialization starts
+   */
+  async initialize(): Promise<{ error: Error | null }> {
+    // eslint-disable-next-line @typescript-eslint/no-misused-promises
+    if (this.initializePromise) {
+      return await this.initializePromise
+    }
+
+    this.initializePromise = (async () => await this._acquireLock(-1, async () => await this._initialize()))()
+
+    return await this.initializePromise
   }
 
   /**
@@ -399,8 +462,10 @@ export class OAuth2Client implements AuthClient {
    * @param {Credentials} credentials
    * @return {Promise<void>}
    */
-  public setCredentials(credentials?: Credentials): Promise<void> {
-    return this.localCredentials.setCredentials(credentials)
+  public async setCredentials(credentials?: Credentials): Promise<void> {
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
+    return this._acquireLock(-1, async () => this.localCredentials.setCredentials(credentials))
   }
 
   /**
@@ -415,6 +480,8 @@ export class OAuth2Client implements AuthClient {
    * getAccessToken return a validate access token
    */
   public async getAccessToken(): Promise<string> {
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
     const credentials: Credentials = await this.getCredentials()
     if (credentials?.access_token) {
       return Promise.resolve(credentials.access_token)
@@ -451,7 +518,9 @@ export class OAuth2Client implements AuthClient {
       options.headers.Authorization = this.basicAuth
     }
     if (options?.withCredentials) {
-      const credentials = await this.getCredentials()
+      // Use custom getCredentials function if provided, otherwise use default
+      // Custom getCredentials avoids default getCredentials() call which may cause deadlock during initialization
+      const credentials = options.getCredentials ? await options.getCredentials() : await this.getCredentials()
       if (credentials) {
         if (this.tokenInURL) {
           if (url.indexOf('?') < 0) {
@@ -543,33 +612,10 @@ export class OAuth2Client implements AuthClient {
    * Get credentials.
    */
   public async getCredentials(): Promise<Credentials | null> {
-    let credentials: Credentials = await this.localCredentials.getCredentials()
-    if (!credentials) {
-      const msg = 'credentials not found'
-      this.onCredentialsError?.({ msg })
-      return this.unAuthenticatedError(msg)
-    }
-    if (isCredentialsExpired(credentials)) {
-      if (credentials.refresh_token) {
-        try {
-          credentials = await this.refreshToken(credentials)
-        } catch (error) {
-          if (credentials.scope === 'anonymous') {
-            credentials = await this.anonymousLogin(credentials)
-          } else {
-            this.onCredentialsError?.({ msg: error.error_description })
-            return Promise.reject(error)
-          }
-        }
-      } else if (credentials.scope === 'anonymous') {
-        credentials = await this.anonymousLogin(credentials)
-      } else {
-        const msg = 'no refresh token found in credentials'
-        this.onCredentialsError?.({ msg })
-        return this.unAuthenticatedError(msg)
-      }
-    }
-    return credentials
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
+
+    return this._acquireLock(-1, async () => this._getCredentials())
   }
 
   /**
@@ -609,7 +655,17 @@ export class OAuth2Client implements AuthClient {
    * @param {Credentials} credentials
    * @return {Promise<Credentials>}
    */
-  public async refreshToken(credentials: Credentials): Promise<Credentials> {
+  public async refreshToken(credentials: Credentials, options?: { throwError?: boolean }): Promise<Credentials> {
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
+
+    return this._acquireLock(-1, async () => this._refreshToken(credentials, options))
+  }
+
+  /**
+   * Internal refresh token method (called within lock)
+   */
+  private async _refreshToken(credentials: Credentials, options?: { throwError?: boolean }): Promise<Credentials> {
     return this.singlePromise.run('_refreshToken', async () => {
       if (!credentials || !credentials.refresh_token) {
         const msg = 'no refresh token found in credentials'
@@ -619,8 +675,14 @@ export class OAuth2Client implements AuthClient {
       try {
         const newCredentials: Credentials = await this.refreshTokenFunc(credentials.refresh_token, credentials)
         await this.localCredentials.setCredentials(newCredentials)
+
+        this.eventBus?.fire(EVENTS.AUTH_STATE_CHANGED, { event: AUTH_STATE_CHANGED_TYPE.TOKEN_REFRESHED })
+
         return newCredentials
       } catch (error) {
+        if (options?.throwError) {
+          throw error
+        }
         if (error.error === ErrorType.INVALID_GRANT) {
           await this.localCredentials.setCredentials(null)
           const msg = error.error_description
@@ -777,4 +839,162 @@ export class OAuth2Client implements AuthClient {
     }
     return Promise.reject(respErr)
   }
+
+  /**
+   * Debug logging helper
+   */
+  private _debug(...args: any[]): void {
+    if (this.logDebugMessages) {
+      console.log('[OAuth2Client]', ...args)
+    }
+  }
+
+  /**
+   * IMPORTANT:
+   * 1. Never throw in this method, as it is called from the constructor
+   * 2. Never return a session from this method as it would be cached over
+   *    the whole lifetime of the client
+   */
+  private async _initialize(): Promise<{ error: Error | null }> {
+    try {
+      // If no getInitialSession callback is set, nothing to do
+      if (!this.getInitialSession) {
+        this._debug('#_initialize()', 'no getInitialSession callback set, skipping')
+        return { error: null }
+      }
+
+      this._debug('#_initialize()', 'calling getInitialSession callback')
+
+      try {
+        const { data, error } = await this.getInitialSession()
+
+        if (data?.session) {
+          this._debug('#_initialize()', 'session obtained from getInitialSession', data.session)
+          await this.localCredentials.setCredentials(data?.session)
+        }
+
+        // Invoke callback for upper layer to handle user storage
+        // This is called BEFORE lock is released so user storage is atomic with session
+        if (this.onInitialSessionObtained) {
+          this._debug('#_initialize()', 'calling onInitialSessionObtained callback')
+          try {
+            await this.onInitialSessionObtained(data, error)
+          } catch (callbackError) {
+            this._debug('#_initialize()', 'error in onInitialSessionObtained', callbackError)
+            // Don't fail initialization if callback fails
+          }
+        }
+        if (error) {
+          this._debug('#_initialize()', 'error from getInitialSession', error)
+          return { error }
+        }
+
+        return { error: null }
+      } catch (err) {
+        this._debug('#_initialize()', 'exception during getInitialSession', err)
+        return { error: err instanceof Error ? err : new Error(String(err)) }
+      }
+    } catch (error) {
+      this._debug('#_initialize()', 'unexpected error', error)
+      return { error: error instanceof Error ? error : new Error(String(error)) }
+    } finally {
+      this._debug('#_initialize()', 'end')
+    }
+  }
+
+  /**
+   * Acquires a global lock based on the client ID.
+   * This ensures that only one operation can modify credentials at a time.
+   */
+  private async _acquireLock<R>(acquireTimeout: number, fn: () => Promise<R>): Promise<R> {
+    this._debug('#_acquireLock', 'begin', acquireTimeout)
+
+    try {
+      if (this.lockAcquired) {
+        // Lock is already acquired, queue the operation
+        const last = this.pendingInLock.length ? this.pendingInLock[this.pendingInLock.length - 1] : Promise.resolve()
+
+        const result = (async () => {
+          await last
+          return await fn()
+        })()
+
+        this.pendingInLock.push((async () => {
+          try {
+            await result
+          } catch (_e: any) {
+            // we just care if it finished
+          }
+        })(),)
+
+        return result
+      }
+
+      // Acquire the lock
+      this._debug('#_acquireLock', 'acquiring lock for client', this.clientId)
+
+      try {
+        this.lockAcquired = true
+
+        const result = fn()
+
+        this.pendingInLock.push((async () => {
+          try {
+            await result
+          } catch (_e: any) {
+            // we just care if it finished
+          }
+        })(),)
+
+        await result
+
+        // keep draining the queue until there's nothing to wait on
+        while (this.pendingInLock.length) {
+          const waitOn = [...this.pendingInLock]
+          await Promise.all(waitOn)
+          this.pendingInLock.splice(0, waitOn.length)
+        }
+
+        return await result
+      } finally {
+        this._debug('#_acquireLock', 'releasing lock for client', this.clientId)
+        this.lockAcquired = false
+      }
+    } finally {
+      this._debug('#_acquireLock', 'end')
+    }
+  }
+
+  /**
+   * Internal method to get credentials (called within lock)
+   */
+  private async _getCredentials(): Promise<Credentials | null> {
+    let credentials: Credentials = await this.localCredentials.getCredentials()
+    if (!credentials) {
+      const msg = 'credentials not found'
+      this.onCredentialsError?.({ msg })
+      return this.unAuthenticatedError(msg)
+    }
+    if (isCredentialsExpired(credentials)) {
+      if (credentials.refresh_token) {
+        try {
+          credentials = await this._refreshToken(credentials)
+        } catch (error) {
+          if (credentials.scope === 'anonymous') {
+            credentials = await this.anonymousLogin(credentials)
+          } else {
+            this.onCredentialsError?.({ msg: error.error_description })
+            return Promise.reject(error)
+          }
+        }
+      } else if (credentials.scope === 'anonymous') {
+        credentials = await this.anonymousLogin(credentials)
+      } else {
+        const msg = 'no refresh token found in credentials'
+        this.onCredentialsError?.({ msg })
+        return this.unAuthenticatedError(msg)
+      }
+    }
+    return credentials
+  }
 }

package/src/utils/base64.ts

@@ -98,3 +98,15 @@ export function weappJwtDecode(token: string, options?: any) {
     throw new Error(`Invalid token specified: ${e}` ? (e as any).message : '')
   }
 }
+
+export function weappJwtDecodeAll(token: string) {
+  if (typeof token !== 'string') {
+    throw new Error('Invalid token specified')
+  }
+  try {
+    const parts = token.split('.').map((segment, i) => i === 2 ? segment : JSON.parse(base64_url_decode(segment)))
+    return { claims: parts[1], header: parts[0], signature: parts[2]}
+  } catch (e) {
+    throw new Error(`Invalid token specified: ${e}` ? (e as any).message : '')
+  }
+}