@darkauth/client 0.2.0 → 1.4.3

package/README.md

@@ -2,6 +2,10 @@
 
 A TypeScript client library for DarkAuth - providing zero-knowledge authentication and client-side encryption capabilities for web applications.
 
+The client supports both:
+- ZK-enabled OAuth/OIDC flows
+- Standard OAuth/OIDC flows without ZK delivery
+
 ## Features
 
 - **Zero-Knowledge Authentication**: Secure OAuth2/OIDC flow with PKCE and ephemeral key exchange
@@ -29,7 +33,7 @@ setConfig({
   issuer: 'https://auth.example.com',
   clientId: 'your-client-id',
   redirectUri: 'https://app.example.com/callback',
-  zk: true // Enable zero-knowledge mode
+  zk: false // Optional: disable ZK request parameters for standard OIDC flows
 });
 
 // Start login flow
@@ -61,7 +65,7 @@ setConfig({
   issuer: 'https://auth.example.com',     // DarkAuth server URL
   clientId: 'your-client-id',              // Your application's client ID
   redirectUri: 'https://app.example.com/callback', // OAuth callback URL
-  zk: true                                 // Enable zero-knowledge mode (default: true)
+  zk: true                                 // Optional. Default true. Set false for non-ZK flows.
 });
 ```
 
@@ -80,20 +84,24 @@ Starts the OAuth2/OIDC login flow with PKCE. Redirects the user to the DarkAuth
 
 Processes the OAuth callback after successful authentication. Returns an `AuthSession` object containing:
 - `idToken`: JWT ID token
-- `drk`: Derived Root Key for encryption operations
+- `drk`: Derived Root Key for encryption operations. In non-ZK flows this is an empty `Uint8Array`.
 - `refreshToken?`: Optional refresh token
 
+Behavior:
+- If ZK artifacts are present in the callback/token response, ZK validation and DRK decryption are enforced.
+- If no ZK artifacts are present, callback still succeeds as a standard OIDC flow.
+
 #### `logout(): void`
 
 Clears all authentication data from storage.
 
 #### `getStoredSession(): AuthSession | null`
 
-Retrieves the current session from storage if valid.
+Retrieves the current session from storage if valid. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
 
 #### `refreshSession(): Promise<AuthSession | null>`
 
-Refreshes the current session using the stored refresh token.
+Refreshes the current session using the stored refresh token. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
 
 ### User Information
 

package/dist/index.js

@@ -19,17 +19,29 @@ let cfg = {
     clientId: (typeof window !== "undefined" && window.__APP_CONFIG__?.clientId) ||
         viteEnvGet("VITE_CLIENT_ID") ||
         (typeof process !== "undefined" ? process.env.DARKAUTH_CLIENT_ID : undefined) ||
-        "app-web",
+        "demo-public-client",
     redirectUri: (typeof window !== "undefined" && window.__APP_CONFIG__?.redirectUri) ||
         viteEnvGet("VITE_REDIRECT_URI") ||
         (typeof window !== "undefined"
             ? `${window.location.origin}/callback`
             : "http://localhost:5173/callback"),
+    zk: true,
 };
 const OBFUSCATION_KEY = "DarkAuth-Storage-Protection-2025";
+const EMPTY_DRK = new Uint8Array(0);
+const ID_TOKEN_KEY = "id_token";
 export function setConfig(next) {
     cfg = { ...cfg, ...next };
 }
+function setStoredIdToken(token) {
+    localStorage.setItem(ID_TOKEN_KEY, token);
+}
+function getStoredIdToken() {
+    return localStorage.getItem(ID_TOKEN_KEY);
+}
+function clearStoredIdToken() {
+    localStorage.removeItem(ID_TOKEN_KEY);
+}
 function bytesToBase64Url(bytes) {
     let s = "";
     for (const b of bytes)
@@ -92,7 +104,7 @@ export function isTokenValid(token) {
     return claims.exp * 1000 > Date.now() + 5000;
 }
 export async function initiateLogin() {
-    const zkEnabled = cfg.zk === true;
+    const zkEnabled = cfg.zk !== false;
     let zkPubParam;
     if (zkEnabled) {
         const keyPair = await crypto.subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, true, [
@@ -146,27 +158,41 @@ export async function handleCallback() {
     const tokenResponse = await response.json();
     const fragmentParams = parseFragmentParams(location.hash || "");
     const drkJwe = fragmentParams.drk_jwe;
+    const zkDrkHash = typeof tokenResponse.zk_drk_hash === "string" ? tokenResponse.zk_drk_hash : null;
+    const idToken = tokenResponse.id_token;
+    const refreshToken = tokenResponse.refresh_token;
+    const hasZkArtifacts = !!drkJwe || !!zkDrkHash;
+    if (!hasZkArtifacts) {
+        sessionStorage.removeItem("zk_eph_priv_jwk");
+        try {
+            history.replaceState(null, "", location.origin + location.pathname);
+        }
+        catch { }
+        setStoredIdToken(idToken);
+        localStorage.removeItem("drk_protected");
+        if (refreshToken)
+            localStorage.setItem("refresh_token", refreshToken);
+        return { idToken, drk: EMPTY_DRK, refreshToken };
+    }
     if (!drkJwe || typeof drkJwe !== "string")
         throw new Error("Missing DRK JWE from URL fragment");
-    if (tokenResponse.zk_drk_hash) {
+    if (zkDrkHash) {
         const hash = bytesToBase64Url(await sha256(new TextEncoder().encode(drkJwe)));
-        if (tokenResponse.zk_drk_hash !== hash)
+        if (zkDrkHash !== hash)
             throw new Error("DRK hash mismatch");
     }
     const privateJwkString = sessionStorage.getItem("zk_eph_priv_jwk");
     if (!privateJwkString)
-        return null;
+        throw new Error("Missing ZK private key for callback");
     sessionStorage.removeItem("zk_eph_priv_jwk");
     const privateKey = await crypto.subtle.importKey("jwk", JSON.parse(privateJwkString), { name: "ECDH", namedCurve: "P-256" }, true, ["deriveBits", "deriveKey"]);
     const { plaintext } = await compactDecrypt(drkJwe, privateKey);
     const drk = new Uint8Array(plaintext);
-    const idToken = tokenResponse.id_token;
-    const refreshToken = tokenResponse.refresh_token;
     try {
         history.replaceState(null, "", location.origin + location.pathname);
     }
     catch { }
-    sessionStorage.setItem("id_token", idToken);
+    setStoredIdToken(idToken);
     const obfuscatedDrk = obfuscateKey(drk);
     localStorage.setItem("drk_protected", bytesToBase64Url(obfuscatedDrk));
     if (refreshToken)
@@ -174,12 +200,14 @@ export async function handleCallback() {
     return { idToken, drk, refreshToken };
 }
 export function getStoredSession() {
-    const idToken = sessionStorage.getItem("id_token");
+    const idToken = getStoredIdToken();
     const obfuscatedDrkBase64 = localStorage.getItem("drk_protected");
-    if (!idToken || !obfuscatedDrkBase64)
+    if (!idToken)
         return null;
     if (!isTokenValid(idToken))
         return null;
+    if (!obfuscatedDrkBase64)
+        return { idToken, drk: EMPTY_DRK };
     try {
         const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
         const drk = deobfuscateKey(obfuscatedDrk);
@@ -213,25 +241,25 @@ export async function refreshSession() {
     const tokenResponse = await response.json();
     const idToken = tokenResponse.id_token;
     const newRefreshToken = tokenResponse.refresh_token;
-    sessionStorage.setItem("id_token", idToken);
+    setStoredIdToken(idToken);
     if (newRefreshToken)
         localStorage.setItem("refresh_token", newRefreshToken);
     const obfuscatedDrkBase64 = localStorage.getItem("drk_protected");
     if (!obfuscatedDrkBase64)
-        return null;
+        return { idToken, drk: EMPTY_DRK, refreshToken: newRefreshToken || refreshToken };
     const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
     const drk = deobfuscateKey(obfuscatedDrk);
     return { idToken, drk, refreshToken: newRefreshToken || refreshToken };
 }
 export function logout() {
-    sessionStorage.removeItem("id_token");
+    clearStoredIdToken();
     localStorage.removeItem("drk_protected");
     sessionStorage.removeItem("zk_eph_priv_jwk");
     sessionStorage.removeItem("pkce_verifier");
     localStorage.removeItem("refresh_token");
 }
 export function getCurrentUser() {
-    const idToken = sessionStorage.getItem("id_token");
+    const idToken = getStoredIdToken();
     if (!idToken)
         return null;
     return parseJwt(idToken);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@darkauth/client",
-  "version": "0.2.0",
+  "version": "1.4.3",
   "license": "MIT",
   "type": "module",
   "main": "dist/index.js",