@darkauth/client 0.2.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +13 -5
- package/dist/index.js +27 -9
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -2,6 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
A TypeScript client library for DarkAuth - providing zero-knowledge authentication and client-side encryption capabilities for web applications.
|
|
4
4
|
|
|
5
|
+
The client supports both:
|
|
6
|
+
- ZK-enabled OAuth/OIDC flows
|
|
7
|
+
- Standard OAuth/OIDC flows without ZK delivery
|
|
8
|
+
|
|
5
9
|
## Features
|
|
6
10
|
|
|
7
11
|
- **Zero-Knowledge Authentication**: Secure OAuth2/OIDC flow with PKCE and ephemeral key exchange
|
|
@@ -29,7 +33,7 @@ setConfig({
|
|
|
29
33
|
issuer: 'https://auth.example.com',
|
|
30
34
|
clientId: 'your-client-id',
|
|
31
35
|
redirectUri: 'https://app.example.com/callback',
|
|
32
|
-
zk:
|
|
36
|
+
zk: false // Optional: disable ZK request parameters for standard OIDC flows
|
|
33
37
|
});
|
|
34
38
|
|
|
35
39
|
// Start login flow
|
|
@@ -61,7 +65,7 @@ setConfig({
|
|
|
61
65
|
issuer: 'https://auth.example.com', // DarkAuth server URL
|
|
62
66
|
clientId: 'your-client-id', // Your application's client ID
|
|
63
67
|
redirectUri: 'https://app.example.com/callback', // OAuth callback URL
|
|
64
|
-
zk: true //
|
|
68
|
+
zk: true // Optional. Default true. Set false for non-ZK flows.
|
|
65
69
|
});
|
|
66
70
|
```
|
|
67
71
|
|
|
@@ -80,20 +84,24 @@ Starts the OAuth2/OIDC login flow with PKCE. Redirects the user to the DarkAuth
|
|
|
80
84
|
|
|
81
85
|
Processes the OAuth callback after successful authentication. Returns an `AuthSession` object containing:
|
|
82
86
|
- `idToken`: JWT ID token
|
|
83
|
-
- `drk`: Derived Root Key for encryption operations
|
|
87
|
+
- `drk`: Derived Root Key for encryption operations. In non-ZK flows this is an empty `Uint8Array`.
|
|
84
88
|
- `refreshToken?`: Optional refresh token
|
|
85
89
|
|
|
90
|
+
Behavior:
|
|
91
|
+
- If ZK artifacts are present in the callback/token response, ZK validation and DRK decryption are enforced.
|
|
92
|
+
- If no ZK artifacts are present, callback still succeeds as a standard OIDC flow.
|
|
93
|
+
|
|
86
94
|
#### `logout(): void`
|
|
87
95
|
|
|
88
96
|
Clears all authentication data from storage.
|
|
89
97
|
|
|
90
98
|
#### `getStoredSession(): AuthSession | null`
|
|
91
99
|
|
|
92
|
-
Retrieves the current session from storage if valid.
|
|
100
|
+
Retrieves the current session from storage if valid. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
|
|
93
101
|
|
|
94
102
|
#### `refreshSession(): Promise<AuthSession | null>`
|
|
95
103
|
|
|
96
|
-
Refreshes the current session using the stored refresh token.
|
|
104
|
+
Refreshes the current session using the stored refresh token. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
|
|
97
105
|
|
|
98
106
|
### User Information
|
|
99
107
|
|
package/dist/index.js
CHANGED
|
@@ -19,14 +19,16 @@ let cfg = {
|
|
|
19
19
|
clientId: (typeof window !== "undefined" && window.__APP_CONFIG__?.clientId) ||
|
|
20
20
|
viteEnvGet("VITE_CLIENT_ID") ||
|
|
21
21
|
(typeof process !== "undefined" ? process.env.DARKAUTH_CLIENT_ID : undefined) ||
|
|
22
|
-
"
|
|
22
|
+
"demo-public-client",
|
|
23
23
|
redirectUri: (typeof window !== "undefined" && window.__APP_CONFIG__?.redirectUri) ||
|
|
24
24
|
viteEnvGet("VITE_REDIRECT_URI") ||
|
|
25
25
|
(typeof window !== "undefined"
|
|
26
26
|
? `${window.location.origin}/callback`
|
|
27
27
|
: "http://localhost:5173/callback"),
|
|
28
|
+
zk: true,
|
|
28
29
|
};
|
|
29
30
|
const OBFUSCATION_KEY = "DarkAuth-Storage-Protection-2025";
|
|
31
|
+
const EMPTY_DRK = new Uint8Array(0);
|
|
30
32
|
export function setConfig(next) {
|
|
31
33
|
cfg = { ...cfg, ...next };
|
|
32
34
|
}
|
|
@@ -92,7 +94,7 @@ export function isTokenValid(token) {
|
|
|
92
94
|
return claims.exp * 1000 > Date.now() + 5000;
|
|
93
95
|
}
|
|
94
96
|
export async function initiateLogin() {
|
|
95
|
-
const zkEnabled = cfg.zk
|
|
97
|
+
const zkEnabled = cfg.zk !== false;
|
|
96
98
|
let zkPubParam;
|
|
97
99
|
if (zkEnabled) {
|
|
98
100
|
const keyPair = await crypto.subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, true, [
|
|
@@ -146,22 +148,36 @@ export async function handleCallback() {
|
|
|
146
148
|
const tokenResponse = await response.json();
|
|
147
149
|
const fragmentParams = parseFragmentParams(location.hash || "");
|
|
148
150
|
const drkJwe = fragmentParams.drk_jwe;
|
|
151
|
+
const zkDrkHash = typeof tokenResponse.zk_drk_hash === "string" ? tokenResponse.zk_drk_hash : null;
|
|
152
|
+
const idToken = tokenResponse.id_token;
|
|
153
|
+
const refreshToken = tokenResponse.refresh_token;
|
|
154
|
+
const hasZkArtifacts = !!drkJwe || !!zkDrkHash;
|
|
155
|
+
if (!hasZkArtifacts) {
|
|
156
|
+
sessionStorage.removeItem("zk_eph_priv_jwk");
|
|
157
|
+
try {
|
|
158
|
+
history.replaceState(null, "", location.origin + location.pathname);
|
|
159
|
+
}
|
|
160
|
+
catch { }
|
|
161
|
+
sessionStorage.setItem("id_token", idToken);
|
|
162
|
+
localStorage.removeItem("drk_protected");
|
|
163
|
+
if (refreshToken)
|
|
164
|
+
localStorage.setItem("refresh_token", refreshToken);
|
|
165
|
+
return { idToken, drk: EMPTY_DRK, refreshToken };
|
|
166
|
+
}
|
|
149
167
|
if (!drkJwe || typeof drkJwe !== "string")
|
|
150
168
|
throw new Error("Missing DRK JWE from URL fragment");
|
|
151
|
-
if (
|
|
169
|
+
if (zkDrkHash) {
|
|
152
170
|
const hash = bytesToBase64Url(await sha256(new TextEncoder().encode(drkJwe)));
|
|
153
|
-
if (
|
|
171
|
+
if (zkDrkHash !== hash)
|
|
154
172
|
throw new Error("DRK hash mismatch");
|
|
155
173
|
}
|
|
156
174
|
const privateJwkString = sessionStorage.getItem("zk_eph_priv_jwk");
|
|
157
175
|
if (!privateJwkString)
|
|
158
|
-
|
|
176
|
+
throw new Error("Missing ZK private key for callback");
|
|
159
177
|
sessionStorage.removeItem("zk_eph_priv_jwk");
|
|
160
178
|
const privateKey = await crypto.subtle.importKey("jwk", JSON.parse(privateJwkString), { name: "ECDH", namedCurve: "P-256" }, true, ["deriveBits", "deriveKey"]);
|
|
161
179
|
const { plaintext } = await compactDecrypt(drkJwe, privateKey);
|
|
162
180
|
const drk = new Uint8Array(plaintext);
|
|
163
|
-
const idToken = tokenResponse.id_token;
|
|
164
|
-
const refreshToken = tokenResponse.refresh_token;
|
|
165
181
|
try {
|
|
166
182
|
history.replaceState(null, "", location.origin + location.pathname);
|
|
167
183
|
}
|
|
@@ -176,10 +192,12 @@ export async function handleCallback() {
|
|
|
176
192
|
export function getStoredSession() {
|
|
177
193
|
const idToken = sessionStorage.getItem("id_token");
|
|
178
194
|
const obfuscatedDrkBase64 = localStorage.getItem("drk_protected");
|
|
179
|
-
if (!idToken
|
|
195
|
+
if (!idToken)
|
|
180
196
|
return null;
|
|
181
197
|
if (!isTokenValid(idToken))
|
|
182
198
|
return null;
|
|
199
|
+
if (!obfuscatedDrkBase64)
|
|
200
|
+
return { idToken, drk: EMPTY_DRK };
|
|
183
201
|
try {
|
|
184
202
|
const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
|
|
185
203
|
const drk = deobfuscateKey(obfuscatedDrk);
|
|
@@ -218,7 +236,7 @@ export async function refreshSession() {
|
|
|
218
236
|
localStorage.setItem("refresh_token", newRefreshToken);
|
|
219
237
|
const obfuscatedDrkBase64 = localStorage.getItem("drk_protected");
|
|
220
238
|
if (!obfuscatedDrkBase64)
|
|
221
|
-
return
|
|
239
|
+
return { idToken, drk: EMPTY_DRK, refreshToken: newRefreshToken || refreshToken };
|
|
222
240
|
const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
|
|
223
241
|
const drk = deobfuscateKey(obfuscatedDrk);
|
|
224
242
|
return { idToken, drk, refreshToken: newRefreshToken || refreshToken };
|