@cloudbase/oauth 3.0.0 → 3.0.1

package/src/oauth2client/oauth2client.ts

@@ -1,5 +1,5 @@
 import { ErrorType } from './consts'
-import { ApiUrls, ApiUrlsV2, AUTH_API_PREFIX } from '../auth/consts'
+import { ApiUrls, ApiUrlsV2, AUTH_API_PREFIX, AUTH_STATE_CHANGED_TYPE, EVENTS } from '../auth/consts'
 
 import { AuthClient, SimpleStorage } from './interface'
 
@@ -17,7 +17,7 @@ import { getPathName } from '../utils/index'
 
 import { SinglePromise } from '../utils/function/single-promise'
 import { weBtoa } from '../utils/base64'
-import { isMatch } from '../utils/cloudbase-adapter-wx_mp'
+import { isMp } from '../utils/mp'
 import { AuthOptions } from '../auth/apis'
 import { ICloudbaseConfig } from '@cloudbase/types'
 import { langEvent } from '@cloudbase/utilities'
@@ -106,6 +106,7 @@ class DefaultStorage implements SimpleStorage {
   /**
    * 缓存key统一使用后缀区分
    */
+  // eslint-disable-next-line @typescript-eslint/naming-convention
   private readonly _env: string
 
   constructor(opts?: { env: string }) {
@@ -197,6 +198,8 @@ class LocalCredentials {
   private clientId: string
 
   private credentials: Credentials | null = null
+  // 来自accessKey的身份，不持久化
+  private accessKeyCredentials: Credentials | null = null
 
   private singlePromise: SinglePromise = null
 
@@ -210,9 +213,6 @@ class LocalCredentials {
     this.clientId = options.clientId
     this.singlePromise = new SinglePromise({ clientId: this.clientId })
     this.credentials = options.credentials || null
-    if (this.credentials) {
-      this.setCredentials(this.credentials)
-    }
   }
 
   public getStorageCredentialsSync(): Credentials | null {
@@ -254,6 +254,14 @@ class LocalCredentials {
     }
   }
 
+  /**
+   * set credentials from accessKey
+   * @param {Credentials} credentials
+   */
+  public setAccessKeyCredentials(credentials?: Credentials) {
+    this.accessKeyCredentials = credentials
+  }
+
   /**
    * Get credentials.
    * @return {Promise<Credentials | null>}
@@ -261,7 +269,11 @@ class LocalCredentials {
   public async getCredentials(): Promise<Credentials | null> {
     return this.singlePromise.run('getCredentials', async () => {
       if (isCredentialsExpired(this.credentials)) {
-        this.credentials = await this.getStorageCredentials()
+        const { credentials, isAccessKeyCredentials } = await this.getStorageCredentials()
+        if (isAccessKeyCredentials) {
+          return credentials
+        }
+        this.credentials = credentials
       }
       return this.credentials
     })
@@ -270,11 +282,12 @@ class LocalCredentials {
   /**
    * Get storage credentials.
    */
-  private async getStorageCredentials(): Promise<Credentials | null> {
+  private async getStorageCredentials(): Promise<{ credentials: Credentials | null; isAccessKeyCredentials: boolean }> {
     return this.singlePromise.run('_getStorageCredentials', async () => {
       let credentials: Credentials = null
+      let isAccessKeyCredentials = false
       const tokenStr: string = await this.storage.getItem(this.tokenSectionName)
-      if (tokenStr !== undefined && tokenStr !== null) {
+      if (!!tokenStr) {
         try {
           credentials = JSON.parse(tokenStr)
           if (credentials?.expires_at) {
@@ -284,8 +297,11 @@ class LocalCredentials {
           await this.storage.removeItem(this.tokenSectionName)
           credentials = null
         }
+      } else {
+        credentials = this.accessKeyCredentials || null
+        isAccessKeyCredentials = true
       }
-      return credentials
+      return { credentials, isAccessKeyCredentials }
     })
   }
 }
@@ -299,6 +315,20 @@ export class OAuth2Client implements AuthClient {
   private static maxRetry = 5
   private static retryInterval = 1000
 
+  public localCredentials: LocalCredentials
+  /**
+   * Keeps track of the async client initialization.
+   * When null or not yet resolved the auth state is `unknown`
+   * Once resolved the auth state is known and it's safe to call any further client methods.
+   */
+  public initializePromise: Promise<{ error: Error | null }> | null = null
+  protected lockAcquired = false
+  protected pendingInLock: Promise<any>[] = []
+  protected logDebugMessages: boolean
+  protected getInitialSession?: () => Promise<{
+    data: { session: Credentials; user?: any } | null
+    error: Error | null
+  }>
   private apiOrigin: string
   private apiPath: string
   private clientId: string
@@ -306,7 +336,6 @@ export class OAuth2Client implements AuthClient {
   private retry: number
   private clientSecret?: string
   private baseRequest: <T>(url: string, options?: RequestOptions) => Promise<T>
-  private localCredentials: LocalCredentials
   private storage: SimpleStorage
   private deviceID?: string
   private tokenInURL?: boolean
@@ -315,9 +344,11 @@ export class OAuth2Client implements AuthClient {
   private singlePromise: SinglePromise = null
   private anonymousSignInFunc: (Credentials) => Promise<Credentials | void>
   private wxCloud: any
+  private useWxCloud: boolean
+  private eventBus: any
   private basicAuth: string
   private onCredentialsError: AuthOptions['onCredentialsError'] | undefined
-  private publishable_key: ICloudbaseConfig['publishable_key']
+  private onInitialSessionObtained?: (data: { session: Credentials; user?: any }, error?: any) => void | Promise<void>
 
   /**
    * constructor
@@ -336,7 +367,7 @@ export class OAuth2Client implements AuthClient {
     this.apiPath = options.apiPath || AUTH_API_PREFIX
     this.clientId = options.clientId
     this.i18n = options.i18n
-    this.publishable_key = options.publishable_key
+    this.eventBus = options.eventBus
     this.singlePromise = new SinglePromise({ clientId: this.clientId })
     this.retry = this.formatRetry(options.retry, OAuth2Client.defaultRetry)
     if (options.baseRequest) {
@@ -352,13 +383,6 @@ export class OAuth2Client implements AuthClient {
       tokenSectionName: `credentials_${options.clientId}`,
       storage: this.storage,
       clientId: options.clientId,
-      credentials: this.publishable_key ? {
-        access_token: this.publishable_key,
-        token_type: 'Bearer',
-        scope: 'publishable_key',
-        expires_at: new Date(+new Date() + +new Date()),
-        expires_in: +new Date() + +new Date(),
-      } : null,
     })
 
     this.clientSecret = options.clientSecret
@@ -367,9 +391,12 @@ export class OAuth2Client implements AuthClient {
     }
     this.wxCloud = options.wxCloud
     try {
-      if (isMatch() && this.wxCloud === undefined && options.env) {
-        wx.cloud.init({ env: options.env })
-        this.wxCloud = wx.cloud
+      if (isMp()) {
+        this.useWxCloud = options.useWxCloud
+        if (this.wxCloud === undefined && options.env) {
+          wx.cloud.init({ env: options.env })
+          this.wxCloud = wx.cloud
+        }
       }
     } catch (error) {
       //
@@ -378,9 +405,61 @@ export class OAuth2Client implements AuthClient {
     this.anonymousSignInFunc = options.anonymousSignInFunc
     this.onCredentialsError = options.onCredentialsError
 
-    langEvent.bus.on(langEvent.LANG_CHANGE_EVENT, (params) => {
+    // New options for session detection
+    this.getInitialSession = options.getInitialSession
+    this.onInitialSessionObtained = options.onInitialSessionObtained
+    this.logDebugMessages = options.debug ?? false
+
+    langEvent.bus.on(langEvent.LANG_CHANGE_EVENT, (params: any) => {
       this.i18n = params.data?.i18n || this.i18n
     })
+
+    // Note: Auto-initialize is NOT called here to allow CloudbaseOAuth to set getInitialSession first
+    // CloudbaseOAuth.constructor will call initialize() after setting up the callback
+  }
+
+  /**
+   * Sets the getInitialSession callback.
+   * This callback is called during initialize() to get the initial session (e.g., from OAuth callback in URL).
+   * @param callback The callback function to get initial session
+   */
+  public setGetInitialSession(callback: () => Promise<{
+    data: { session: Credentials; user?: any } | null
+    error: Error | null
+  }>,): void {
+    this.getInitialSession = callback
+  }
+
+  /**
+   * Sets the onInitialSessionObtained callback.
+   * This callback is invoked after initial session is obtained and stored,
+   * allowing upper layers to handle user info storage.
+   * @param callback The callback function to handle session and user data
+   */
+  public setOnInitialSessionObtained(callback: (data: { session: Credentials; user?: any }) => void | Promise<void>,): void {
+    this.onInitialSessionObtained = callback
+  }
+
+  /**
+   * Initializes the client session either from the url or from storage.
+   * This method is automatically called when instantiating the client with detectSessionInUrl=true,
+   * but should also be called manually when checking for an error from an auth redirect.
+   * @param onInitialSessionObtained Optional callback to set before initialization starts
+   */
+  async initialize(func?:  Promise<{ error: Error | null }>): Promise<{ error: Error | null }> {
+    // eslint-disable-next-line @typescript-eslint/no-misused-promises
+    if (this.initializePromise) {
+      return await this.initializePromise
+    }
+
+    if (func !== undefined) {
+      this.initializePromise = func
+      return await this.initializePromise
+    }
+
+    this.initializePromise = (async () => await this._acquireLock(-1, async () => await this._initialize()))()
+
+    return await this.initializePromise
   }
 
   /**
@@ -388,14 +467,26 @@ export class OAuth2Client implements AuthClient {
    * @param {Credentials} credentials
    * @return {Promise<void>}
    */
-  public setCredentials(credentials?: Credentials): Promise<void> {
-    return this.localCredentials.setCredentials(credentials)
+  public async setCredentials(credentials?: Credentials): Promise<void> {
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
+    return this._acquireLock(-1, async () => this.localCredentials.setCredentials(credentials))
+  }
+
+  /**
+   * set credentials from accessKey
+   * @param {Credentials} credentials
+   */
+  public setAccessKeyCredentials(credentials?: Credentials) {
+    return this.localCredentials.setAccessKeyCredentials(credentials)
   }
 
   /**
    * getAccessToken return a validate access token
    */
   public async getAccessToken(): Promise<string> {
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
     const credentials: Credentials = await this.getCredentials()
     if (credentials?.access_token) {
       return Promise.resolve(credentials.access_token)
@@ -432,7 +523,9 @@ export class OAuth2Client implements AuthClient {
       options.headers.Authorization = this.basicAuth
     }
     if (options?.withCredentials) {
-      const credentials = await this.getCredentials()
+      // Use custom getCredentials function if provided, otherwise use default
+      // Custom getCredentials avoids default getCredentials() call which may cause deadlock during initialization
+      const credentials = options.getCredentials ? await options.getCredentials() : await this.getCredentials()
       if (credentials) {
         if (this.tokenInURL) {
           if (url.indexOf('?') < 0) {
@@ -456,11 +549,20 @@ export class OAuth2Client implements AuthClient {
     const maxRequestTimes: number = retry + 1
     for (let requestTime = 0; requestTime < maxRequestTimes; requestTime++) {
       try {
-        if (options.useWxCloud) {
+        if (options.useWxCloud || this.useWxCloud) {
           response = await this.wxCloudCallFunction<T>(url, options)
         } else {
           response = await this.baseRequest<T>(url, options)
         }
+
+        if (!!(response as any)?.code) {
+          throw ({
+            error: (response as any).code,
+            error_description: (response as any).message,
+            error_uri: new URL(url).pathname,
+          })
+        }
+
         break
       } catch (responseError) {
         if (options.withCredentials && responseError && responseError.error === ErrorType.UNAUTHENTICATED) {
@@ -524,33 +626,10 @@ export class OAuth2Client implements AuthClient {
    * Get credentials.
    */
   public async getCredentials(): Promise<Credentials | null> {
-    let credentials: Credentials = await this.localCredentials.getCredentials()
-    if (!credentials) {
-      const msg = 'credentials not found'
-      this.onCredentialsError?.({ msg })
-      return this.unAuthenticatedError(msg)
-    }
-    if (isCredentialsExpired(credentials)) {
-      if (credentials.refresh_token) {
-        try {
-          credentials = await this.refreshToken(credentials)
-        } catch (error) {
-          if (credentials.scope === 'anonymous') {
-            credentials = await this.anonymousLogin(credentials)
-          } else {
-            this.onCredentialsError?.({ msg: error.error_description })
-            return Promise.reject(error)
-          }
-        }
-      } else if (credentials.scope === 'anonymous') {
-        credentials = await this.anonymousLogin(credentials)
-      } else {
-        const msg = 'no refresh token found in credentials'
-        this.onCredentialsError?.({ msg })
-        return this.unAuthenticatedError(msg)
-      }
-    }
-    return credentials
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
+
+    return this._acquireLock(-1, async () => this._getCredentials())
   }
 
   /**
@@ -590,7 +669,17 @@ export class OAuth2Client implements AuthClient {
    * @param {Credentials} credentials
    * @return {Promise<Credentials>}
    */
-  public async refreshToken(credentials: Credentials): Promise<Credentials> {
+  public async refreshToken(credentials: Credentials, options?: { throwError?: boolean }): Promise<Credentials> {
+    // If initialization is in progress, wait for it first
+    await this.initializePromise
+
+    return this._acquireLock(-1, async () => this._refreshToken(credentials, options))
+  }
+
+  /**
+   * Internal refresh token method (called within lock)
+   */
+  private async _refreshToken(credentials: Credentials, options?: { throwError?: boolean }): Promise<Credentials> {
     return this.singlePromise.run('_refreshToken', async () => {
       if (!credentials || !credentials.refresh_token) {
         const msg = 'no refresh token found in credentials'
@@ -600,8 +689,14 @@ export class OAuth2Client implements AuthClient {
       try {
         const newCredentials: Credentials = await this.refreshTokenFunc(credentials.refresh_token, credentials)
         await this.localCredentials.setCredentials(newCredentials)
+
+        this.eventBus?.fire(EVENTS.AUTH_STATE_CHANGED, { event: AUTH_STATE_CHANGED_TYPE.TOKEN_REFRESHED })
+
         return newCredentials
       } catch (error) {
+        if (options?.throwError) {
+          throw error
+        }
         if (error.error === ErrorType.INVALID_GRANT) {
           await this.localCredentials.setCredentials(null)
           const msg = error.error_description
@@ -758,4 +853,162 @@ export class OAuth2Client implements AuthClient {
     }
     return Promise.reject(respErr)
   }
+
+  /**
+   * Debug logging helper
+   */
+  private _debug(...args: any[]): void {
+    if (this.logDebugMessages) {
+      console.log('[OAuth2Client]', ...args)
+    }
+  }
+
+  /**
+   * IMPORTANT:
+   * 1. Never throw in this method, as it is called from the constructor
+   * 2. Never return a session from this method as it would be cached over
+   *    the whole lifetime of the client
+   */
+  private async _initialize(): Promise<{ error: Error | null }> {
+    try {
+      // If no getInitialSession callback is set, nothing to do
+      if (!this.getInitialSession) {
+        this._debug('#_initialize()', 'no getInitialSession callback set, skipping')
+        return { error: null }
+      }
+
+      this._debug('#_initialize()', 'calling getInitialSession callback')
+
+      try {
+        const { data, error } = await this.getInitialSession()
+
+        if (data?.session) {
+          this._debug('#_initialize()', 'session obtained from getInitialSession', data.session)
+          await this.localCredentials.setCredentials(data?.session)
+        }
+
+        // Invoke callback for upper layer to handle user storage
+        // This is called BEFORE lock is released so user storage is atomic with session
+        if (this.onInitialSessionObtained) {
+          this._debug('#_initialize()', 'calling onInitialSessionObtained callback')
+          try {
+            await this.onInitialSessionObtained(data, error)
+          } catch (callbackError) {
+            this._debug('#_initialize()', 'error in onInitialSessionObtained', callbackError)
+            // Don't fail initialization if callback fails
+          }
+        }
+        if (error) {
+          this._debug('#_initialize()', 'error from getInitialSession', error)
+          return { error }
+        }
+
+        return { error: null }
+      } catch (err) {
+        this._debug('#_initialize()', 'exception during getInitialSession', err)
+        return { error: err instanceof Error ? err : new Error(String(err)) }
+      }
+    } catch (error) {
+      this._debug('#_initialize()', 'unexpected error', error)
+      return { error: error instanceof Error ? error : new Error(String(error)) }
+    } finally {
+      this._debug('#_initialize()', 'end')
+    }
+  }
+
+  /**
+   * Acquires a global lock based on the client ID.
+   * This ensures that only one operation can modify credentials at a time.
+   */
+  private async _acquireLock<R>(acquireTimeout: number, fn: () => Promise<R>): Promise<R> {
+    this._debug('#_acquireLock', 'begin', acquireTimeout)
+
+    try {
+      if (this.lockAcquired) {
+        // Lock is already acquired, queue the operation
+        const last = this.pendingInLock.length ? this.pendingInLock[this.pendingInLock.length - 1] : Promise.resolve()
+
+        const result = (async () => {
+          await last
+          return await fn()
+        })()
+
+        this.pendingInLock.push((async () => {
+          try {
+            await result
+          } catch (_e: any) {
+            // we just care if it finished
+          }
+        })(),)
+
+        return result
+      }
+
+      // Acquire the lock
+      this._debug('#_acquireLock', 'acquiring lock for client', this.clientId)
+
+      try {
+        this.lockAcquired = true
+
+        const result = fn()
+
+        this.pendingInLock.push((async () => {
+          try {
+            await result
+          } catch (_e: any) {
+            // we just care if it finished
+          }
+        })(),)
+
+        await result
+
+        // keep draining the queue until there's nothing to wait on
+        while (this.pendingInLock.length) {
+          const waitOn = [...this.pendingInLock]
+          await Promise.all(waitOn)
+          this.pendingInLock.splice(0, waitOn.length)
+        }
+
+        return await result
+      } finally {
+        this._debug('#_acquireLock', 'releasing lock for client', this.clientId)
+        this.lockAcquired = false
+      }
+    } finally {
+      this._debug('#_acquireLock', 'end')
+    }
+  }
+
+  /**
+   * Internal method to get credentials (called within lock)
+   */
+  private async _getCredentials(): Promise<Credentials | null> {
+    let credentials: Credentials = await this.localCredentials.getCredentials()
+    if (!credentials) {
+      const msg = 'credentials not found'
+      this.onCredentialsError?.({ msg })
+      return this.unAuthenticatedError(msg)
+    }
+    if (isCredentialsExpired(credentials)) {
+      if (credentials.refresh_token) {
+        try {
+          credentials = await this._refreshToken(credentials)
+        } catch (error) {
+          if (credentials.scope === 'anonymous') {
+            credentials = await this.anonymousLogin(credentials)
+          } else {
+            this.onCredentialsError?.({ msg: error.error_description })
+            return Promise.reject(error)
+          }
+        }
+      } else if (credentials.scope === 'anonymous') {
+        credentials = await this.anonymousLogin(credentials)
+      } else {
+        const msg = 'no refresh token found in credentials'
+        this.onCredentialsError?.({ msg })
+        return this.unAuthenticatedError(msg)
+      }
+    }
+    return credentials
+  }
 }

package/src/utils/base64.ts

@@ -98,3 +98,15 @@ export function weappJwtDecode(token: string, options?: any) {
     throw new Error(`Invalid token specified: ${e}` ? (e as any).message : '')
   }
 }
+
+export function weAppJwtDecodeAll(token: string) {
+  if (typeof token !== 'string') {
+    throw new Error('Invalid token specified')
+  }
+  try {
+    const parts = token.split('.').map((segment, i) => i === 2 ? segment : JSON.parse(base64_url_decode(segment)))
+    return { claims: parts[1], header: parts[0], signature: parts[2]}
+  } catch (e) {
+    throw new Error(`Invalid token specified: ${e}` ? (e as any).message : '')
+  }
+}

package/src/utils/encryptlong/index.js

@@ -2697,12 +2697,14 @@ and limitations under the License.
     rng_pool = []
     rng_pptr = 0
     var t = void 0
-    if (window?.crypto && window?.crypto.getRandomValues) {
-      // Extract entropy (2048 bits) from RNG if available
-      var z = new Uint32Array(256)
-      window?.crypto.getRandomValues(z)
-      for (t = 0; t < z.length; ++t) {
-        rng_pool[rng_pptr++] = z[t] & 255
+    if (typeof window !== 'undefined') {
+      if (window?.crypto && window?.crypto.getRandomValues) {
+        // Extract entropy (2048 bits) from RNG if available
+        var z = new Uint32Array(256)
+        window?.crypto.getRandomValues(z)
+        for (t = 0; t < z.length; ++t) {
+          rng_pool[rng_pptr++] = z[t] & 255
+        }
       }
     }
     // Use mouse events for entropy, if we do not have enough entropy by the time
@@ -2710,10 +2712,12 @@ and limitations under the License.
     var onMouseMoveListener_1 = function (ev) {
       this.count = this.count || 0
       if (this.count >= 256 || rng_pptr >= rng_psize) {
-        if (window?.removeEventListener) {
-          window?.removeEventListener('mousemove', onMouseMoveListener_1, false)
-        } else if (window?.detachEvent) {
-          window?.detachEvent('onmousemove', onMouseMoveListener_1)
+        if (typeof window !== 'undefined') {
+          if (window?.removeEventListener) {
+            window?.removeEventListener('mousemove', onMouseMoveListener_1, false)
+          } else if (window?.detachEvent) {
+            window?.detachEvent('onmousemove', onMouseMoveListener_1)
+          }
         }
         return
       }
@@ -2725,10 +2729,12 @@ and limitations under the License.
         // Sometimes Firefox will deny permission to access event properties for some reason. Ignore.
       }
     }
-    if (window?.addEventListener) {
-      window?.addEventListener('mousemove', onMouseMoveListener_1, false)
-    } else if (window?.attachEvent) {
-      window?.attachEvent('onmousemove', onMouseMoveListener_1)
+    if (typeof window !== 'undefined') {
+      if (window?.addEventListener) {
+        window?.addEventListener('mousemove', onMouseMoveListener_1, false)
+      } else if (window?.attachEvent) {
+        window?.attachEvent('onmousemove', onMouseMoveListener_1)
+      }
     }
   }
   function rng_get_byte() {

package/src/utils/index.ts

@@ -8,6 +8,7 @@
  */
 export const deepClone = (value: any) => {
   const clone = (copiedValue: any) => {
+    // eslint-disable-next-line no-restricted-syntax
     for (const key in value) {
       // eslint-disable-next-line no-prototype-builtins
       if (value.hasOwnProperty(key)) {

package/src/utils/mp.ts

@@ -10,7 +10,7 @@ export function isMp() {
   if ((globalThis as any).Page === undefined) {
     return false
   }
-  if (!wx.getSystemInfoSync) {
+  if (!wx.getDeviceInfo) {
     return false
   }
   if (!wx.getStorageSync) {
@@ -27,11 +27,11 @@ export function isMp() {
   }
 
   try {
-    if (!wx.getSystemInfoSync()) {
+    if (!wx.getDeviceInfo()) {
       return false
     }
 
-    if (wx.getSystemInfoSync().AppPlatform === 'qq') {
+    if (wx.getDeviceInfo().platform === 'qq') {
       return false
     }
   } catch (e) {

package/src/utils/urlSearchParams.ts

@@ -9,6 +9,7 @@ class MyURLSearchParams {
     if (typeof init === 'string') {
       this.parse(init)
     } else if (init && typeof init === 'object') {
+      // eslint-disable-next-line no-restricted-syntax
       for (const key in init) {
         if (Object.prototype.hasOwnProperty.call(init, key)) {
           this.append(key, init[key])
@@ -63,6 +64,7 @@ class MyURLSearchParams {
   // 返回查询字符串
   toString() {
     const items = []
+    // eslint-disable-next-line no-restricted-syntax
     for (const key in this.params) {
       if (Object.prototype.hasOwnProperty.call(this.params, key)) {
         this.params[key].forEach((value) => {

package/tsconfig.json

@@ -1,6 +1,7 @@
 {
   "extends": "../../tsconfig.base.json",
   "compilerOptions": {
+    "module": "node16",
     "outDir": "dist/cjs",
     "rootDir": "src",
     "noImplicitAny": false,

package/dist/cjs/utils/cloudbase-adapter-wx_mp.d.ts

@@ -1 +0,0 @@
-export declare function isMatch(): boolean;