@dbmx/confy 0.0.73 → 0.0.76

package/esm/node_modules/@dbmx/auth/dist/index.js

@@ -0,0 +1,638 @@
+import urljoin from '../../../url-join/lib/url-join.js';
+import axios from 'axios';
+import { nanoid } from 'nanoid';
+import { jws, hextob64u as hextob64u_1, crypto as crypto_1 } from '../../../jsrsasign/lib/jsrsasign.js';
+import { AuthRedirect as AuthRedirect$1 } from './oidc-client.js';
+import '../../../oidc-client-ts/dist/esm/oidc-client-ts.js';
+import merge from '../../../ramda/es/merge.js';
+import prop from '../../../ramda/es/prop.js';
+
+let self;
+
+const DEFAULT_CONFIG = {
+  response_type: 'code',
+  scope: 'openid offline_access',
+  automaticSilentRenew: true,
+};
+
+const SESSION_ENDING_TIMEOUT = 30;
+const OTP_ACCESS_TOKEN_NAME = 'OTP_ACCESS_TOKEN';
+
+class EventEmitter {
+  constructor() {
+    this.listeners = {};
+  }
+
+  on(type, cb) {
+    if (!(type in this.listeners)) {
+      this.listeners[type] = [];
+    }
+    this.listeners[type].push(cb);
+  }
+
+  emit(event) {
+    if (!(event.type in this.listeners)) return
+    const stack = this.listeners[event.type].slice();
+    for (let i = 0, l = stack.length; i < l; i++) {
+      stack[i].call(this, event);
+    }
+  }
+}
+
+class Auth extends EventEmitter {
+  constructor(options, tokens) {
+    super();
+    this.options = options;
+    this.tokens = tokens;
+  }
+
+  registerLogout(delay) {
+    if (!this.tokens) return
+    this.logoutTimer = setTimeout(() => this.signOut(), delay || this.tokens.expires_in * 1000);
+  }
+
+  registerEndSession() {
+    if (!this.tokens) return
+    if (this.refreshSessionTimer) clearTimeout(this.refreshSessionTimer);
+    this.refreshSessionTimer = setTimeout(() => {
+      this.checkSession()
+        .then(() => this.emit({ type: 'sessionEnding', timeout: SESSION_ENDING_TIMEOUT }))
+        .catch(() => this.signOut());
+    }, this.getSessionExpirationDelay(this.tokens));
+  }
+
+  async refreshTokens() {
+    if (!this.tokens) return
+    try {
+      const url = '/api/authOTP/refreshTokens';
+      const res = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${this.tokens.access_token}`,
+        },
+        body: JSON.stringify({
+          refreshToken: this.tokens.refresh_token,
+        }),
+      });
+      if (!res.ok) {
+        const errorData = await res.json();
+        throw { response: { data: errorData }, status: res.status }
+      }
+      const { accessToken, refreshToken, idToken } = await res.json();
+      const id_token = jws.JWS.parse(idToken);
+      this.tokens = {
+        access_token: accessToken,
+        refresh_token: refreshToken,
+        expires_in: id_token.payloadObj.exp,
+      };
+
+      this.emit({
+        ...this.tokens,
+        type: 'tokensRefreshed',
+        payload: id_token.payloadObj,
+      });
+
+      this.setAccessTokenCookie(accessToken, this.tokens);
+      this.registerEndSession();
+
+      return { ...this.tokens, payload: id_token.payloadObj }
+    } catch (err) {
+      this.signOut();
+      if (err.response?.data) return this.emit({ type: 'error', ...err.response.data })
+      throw err
+    }
+  }
+
+  getSessionExpirationDelay(token) {
+    if (!token?.expires_in) return 3570000
+    return Math.max(0, token.expires_in * 1000 - Date.now() - SESSION_ENDING_TIMEOUT * 1000)
+  }
+
+  autoRefreshTokens() {
+    if (!this.tokens) return
+    if (this.autoRefreshTimer) clearTimeout(this.autoRefreshTimer); // autoRefreshTimer can be called by a client
+    this.autoRefreshTimer = setTimeout(() => this.refreshTokens(), this.getSessionExpirationDelay(this.tokens));
+  }
+
+  async signOut() {
+    await this.endSession();
+    // await this.revokeRefreshToken()
+    this.tokens = null;
+    this.logoutTimer = clearTimeout(this.logoutTimer);
+    this.autoRefreshTimer = clearTimeout(this.autoRefreshTimer);
+    this.refreshSessionTimer = clearTimeout(this.refreshSessionTimer);
+  }
+}
+
+class Oidc extends EventEmitter {
+  constructor(options, tokens) {
+    super();
+    if (!this.isValidConfig(options)) throw new Error(`Invalid setup`)
+    this.options = options;
+    this.tokens = tokens;
+  }
+
+  get configurationUrl() {
+    return urljoin(this.options.authority, '/.well-known/openid-configuration')
+  }
+
+  decodeState(state) {
+    return state && JSON.parse(atob(state))
+  }
+
+  makeState() {
+    const state = {
+      srcUrl: window.location.href,
+    };
+    return btoa(JSON.stringify(state))
+  }
+
+  getSessionExpirationDelay(token) {
+    if (!token?.expires_in) return 3570000
+    return token.expires_in * 1000 - SESSION_ENDING_TIMEOUT * 1000
+  }
+
+  get authorizationUrl() {
+    this.code_verifier = `${nanoid()}-${nanoid()}`;
+    localStorage.setItem('code_verifier', this.code_verifier);
+    this.code_challenge = hextob64u_1(crypto_1.Util.hashString(this.code_verifier, 'SHA256'));
+    return urljoin(
+      this.authConfig.authorization_endpoint,
+      `?client_id=${this.options.client_id}`,
+      `?scope=${this.options.scope}`,
+      `?redirect_uri=${this.options.redirect_uri}`,
+      `?response_type=${this.options.response_type}`,
+      `?nonce=${nanoid()}`,
+      `?code_challenge=${this.code_challenge}`,
+      `?code_challenge_method=S256`,
+      `?state=${this.makeState()}`,
+    )
+  }
+
+  get endSessionUrl() {
+    return urljoin(
+      this.authConfig.end_session_endpoint,
+      `?client_id=${this.options.client_id}`,
+      `?id_token_hint=${this.tokens?.id_token}`,
+    )
+  }
+
+  get endSessionUrlWithRedirect() {
+    return urljoin(this.endSessionUrl, `&post_logout_redirect_uri=${this.options.redirect_uri}`)
+  }
+
+  async getOpenIdConfiguration() {
+    try {
+      const res = await axios.get(this.configurationUrl).then(prop('data'));
+      this.emit({ type: 'configurationLoaded', config: this.authConfig });
+      return res
+    } catch (err) {
+      throw new Error(`Cannot load openid configuration from ${this.configurationUrl}`)
+    }
+  }
+
+  async revoke(type) {
+    const url = this.authConfig.revocation_endpoint;
+    const config = {
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+    };
+    const params = new URLSearchParams();
+    params.append('client_id', this.options.client_id);
+    params.append('token', this.tokens[type]);
+    params.append('token_type_hint', type);
+
+    try {
+      await axios.post(url, params, config).then(prop('data'));
+    } catch (err) {
+      if (err.response?.data) return this.emit({ type: 'error', ...err.response.data })
+      throw err
+    }
+  }
+
+  revokeAccessToken() {
+    return this.revoke('access_token')
+  }
+
+  revokeRefreshToken() {
+    return this.revoke('refresh_token')
+  }
+
+  registerLogout(delay) {
+    if (!this.tokens) return
+    this.logoutTimer = setTimeout(() => this.signOut(), delay || this.tokens.expires_in * 1000);
+  }
+
+  autoRefreshTokens() {
+    if (!this.tokens) return
+    if (this.autoRefreshTimer) clearTimeout(this.autoRefreshTimer); // autoRefreshTimer can be called by a client
+    this.autoRefreshTimer = setTimeout(() => this.refreshTokens(), this.getSessionExpirationDelay(this.tokens));
+  }
+
+  async checkSession() {
+    if (!this.tokens) return
+    const url = urljoin(this.authConfig.userinfo_endpoint, `?access_token=${this.tokens.access_token}`);
+    return axios.get(url)
+  }
+
+  manageSession(delay = 60 * 1000) {
+    if (!this.tokens) return
+    setTimeout(() => {
+      this.checkSession()
+        .then(() => this.manageSession(delay))
+        .catch(() => this.signOut());
+    }, delay);
+  }
+
+  registerEndSession() {
+    if (!this.tokens) return
+    if (this.refreshSessionTimer) clearTimeout(this.refreshSessionTimer);
+    this.refreshSessionTimer = setTimeout(() => {
+      this.checkSession()
+        .then(() => this.emit({ type: 'sessionEnding', timeout: SESSION_ENDING_TIMEOUT }))
+        .catch(() => this.signOut());
+    }, this.getSessionExpirationDelay(this.tokens));
+  }
+
+  isValidConfig(config) {
+    return config?.authority
+  }
+
+  async getAccessTokenFromCode(code) {
+    const params = new URLSearchParams();
+    params.append('code', code);
+    params.append('client_id', this.options.client_id);
+    params.append('grant_type', 'authorization_code');
+    params.append('redirect_uri', this.options.redirect_uri);
+    params.append('code_verifier', this.code_verifier);
+    const config = {
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+    };
+    const url = this.authConfig.token_endpoint;
+    try {
+      this.tokens = await axios.post(url, params, config).then(prop('data'));
+      const id_token = jws.JWS.parse(this.tokens.id_token);
+      if (this.options.autoRefresh) this.autoRefreshTokens();
+      else this.registerEndSession();
+      this.emit({ ...this.tokens, type: 'signedIn', payload: id_token.payloadObj });
+      return { ...this.tokens, payload: id_token.payloadObj }
+    } catch (err) {
+      if (err.response?.data) return this.emit({ type: 'error', ...err.response.data })
+      throw err
+    }
+  }
+
+  async refreshTokens() {
+    if (!this.tokens) return
+    const params = new URLSearchParams();
+    params.append('client_id', this.options.client_id);
+    params.append('grant_type', 'refresh_token');
+    params.append('refresh_token', this.tokens.refresh_token);
+    const config = {
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+    };
+    const url = this.authConfig.token_endpoint;
+    try {
+      this.tokens = await axios.post(url, params, config).then(prop('data'));
+      const id_token = jws.JWS.parse(this.tokens.id_token);
+      if (this.options.autoRefresh) this.autoRefreshTokens();
+      else this.registerEndSession();
+      this.emit({ ...this.tokens, type: 'tokensRefreshed', payload: id_token.payloadObj });
+      return { ...this.tokens, payload: id_token.payloadObj }
+    } catch (err) {
+      this.signOut();
+      if (err.response?.data) return this.emit({ type: 'error', ...err.response.data })
+      throw err
+    }
+  }
+
+  async signOut() {
+    await this.endSession();
+    // await this.revokeRefreshToken()
+    this.tokens = null;
+    this.logoutTimer = clearTimeout(this.logoutTimer);
+    this.autoRefreshTimer = clearTimeout(this.autoRefreshTimer);
+    this.refreshSessionTimer = clearTimeout(this.refreshSessionTimer);
+  }
+
+  async init(tokens) {
+    this.authConfig = await this.getOpenIdConfiguration();
+    if (tokens || tokens === null) this.tokens = tokens;
+    this.emit({ type: 'configurationLoaded', config: this.authConfig });
+    return this
+  }
+}
+
+class OidcIFrame extends Oidc {
+  async signIn(params) {
+    const options = merge(this.options, params);
+    try {
+      if (!this.authConfig) await this.init();
+      let iframe;
+      if (!options.frame) iframe = this.loginIframe;
+      else {
+        iframe = window.document.getElementById(options.frame);
+        this.loginIframe = iframe;
+      }
+      if (!iframe) throw new Error(`Cannot get login iframe ${options.frame}`)
+      iframe.src = this.authorizationUrl;
+    } catch (err) {
+      this.emit({ type: 'error', error_description: err.message || err.toString() });
+    }
+  }
+
+  async endSession() {
+    if (!this.tokens) return
+    let iframe = document.querySelector('iframe[id=logout-frame]');
+    if (!iframe) {
+      iframe = window.document.createElement('iframe');
+      iframe.id = 'logout-frame';
+      iframe.style = 'position: absolute; width: 1px; height: 1px; inset: -9999px; display: none;';
+      window.document.body.appendChild(iframe);
+    }
+    iframe.src = this.endSessionUrl;
+  }
+}
+
+class OidcLib extends Oidc {
+  async init() {
+    try {
+      this.code_verifier = localStorage.getItem('code_verifier');
+      if (!this.authConfig) this.authConfig = await this.getOpenIdConfiguration();
+      this.emit({ type: 'configurationLoaded', config: this.authConfig });
+    } catch (err) {
+      this.emit({ type: 'error', error_description: err.message || err.toString() });
+    }
+  }
+
+  async signIn() {
+    try {
+      if (!this.authConfig) await this.init();
+      window.location.replace(this.authorizationUrl);
+    } catch (err) {
+      this.emit({ type: 'error', error_description: err.message || err.toString() });
+    }
+  }
+
+  async endSession() {
+    try {
+      if (!this.tokens) return
+      this.emit({ type: 'signedOut' });
+      window.location.replace(this.endSessionUrlWithRedirect);
+    } catch (err) {
+      this.emit({ type: 'error', error_description: err.message || err.toString() });
+    }
+  }
+}
+
+class OTP extends Auth {
+  init(tokens) {
+    this.tokens = tokens;
+    return this
+  }
+
+  async endSession() {
+    if (!this.tokens) return
+
+    try {
+      const url = '/api/authOTP/logout';
+      const res = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          accessToken: this.tokens.access_token,
+        }),
+      });
+
+      if (!res.ok) {
+        const errorData = await res.json();
+        throw { response: { data: errorData }, status: res.status }
+      }
+
+      this.removeAccessTokenCookie();
+      this.emit({ type: 'signedOut' });
+    } catch (err) {
+      if (err.response?.data) return this.emit({ type: 'error', ...err.response.data })
+      throw err
+    }
+  }
+
+  async checkSession() {
+    if (!this.tokens) return
+
+    const url = '/api/authOTP/getMe';
+
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        accessToken: this.tokens.access_token,
+      }),
+    });
+
+    if (!res.ok) {
+      throw new Error(`Request failed with status ${res.status}`)
+    }
+
+    return res.json()
+  }
+
+  getHostname() {
+    return location.hostname
+  }
+
+  getBaseDomain() {
+    const hostname = this.getHostname();
+    const parts = hostname.split('.');
+    if (parts.length >= 2) {
+      // take the last two parts for base domain (x.com)
+      const base = parts.slice(-2).join('.');
+      return `.${base}`
+    }
+    return hostname
+  }
+
+  getCookieDomain() {
+    const hostname = this.getHostname();
+    return hostname === 'localhost' || hostname === '0.0.0.0' || hostname === '127.0.0.1'
+      ? ''
+      : `domain=${this.getBaseDomain()};`
+  }
+
+  setAccessTokenCookie(value, token) {
+    const nowSeconds = Math.floor(Date.now() / 1000);
+    const maxAge = Math.max(0, token.expires_in - nowSeconds);
+    const domain = this.getCookieDomain();
+    const addationalParams = domain ? 'Secure; SameSite=None;' : '';
+    document.cookie = `${OTP_ACCESS_TOKEN_NAME}=${value}; max-age=${maxAge}; ${domain} path=/; ${addationalParams}`;
+  }
+
+  getAccessTokenCookie() {
+    const cookies = document.cookie.split(';');
+    for (let cookie of cookies) {
+      const [cookieName, cookieValue] = cookie.split('=');
+      if (cookieName.trim() === OTP_ACCESS_TOKEN_NAME) {
+        const value = cookieValue?.trim();
+        return value ? value : null
+      }
+    }
+    return null
+  }
+
+  removeAccessTokenCookie() {
+    const domain = this.getCookieDomain();
+    document.cookie = `${OTP_ACCESS_TOKEN_NAME}=; ${domain} path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  }
+
+  async userTokens(tokens) {
+    const { accessToken, refreshToken, idToken } = tokens;
+
+    try {
+      const idTokenPayload = jws.JWS.parse(idToken);
+
+      this.tokens = {
+        access_token: accessToken,
+        refresh_token: refreshToken,
+        expires_in: idTokenPayload.payloadObj.exp,
+      };
+
+      const signedInOptions = {
+        ...this.tokens,
+        payload: idTokenPayload.payloadObj,
+      };
+
+      this.emit({
+        type: 'signedIn',
+        ...signedInOptions,
+      });
+
+      this.setAccessTokenCookie(accessToken, this.tokens);
+      this.registerEndSession();
+
+      return signedInOptions
+    } catch (error) {
+      // this.emit({ type: 'error', error_description: err.message || err.toString() })
+      this.emit({ type: 'error', error: 'failed' });
+    }
+  }
+}
+
+/**
+ * Factory function to create an instance of AuthIFrame, enabling authentication using an iframe
+ *
+ * @function AuthIFrame
+ * @tag auth
+ * @param {Object} - [options]:  Configuration options for authentication
+ * @param {Function} - [onSignIn]: Callback function invoked on successful sign-in
+ * @param {Function} - [onSignOut]: Callback function invoked on sign-out
+ * @param {Function} - [onAuthError]: Callback function invoked on authentication error
+ * @param {string} - [options.authority]: The authority URL for authentication
+ * @param {string} - [options.redirect_uri]: The redirect URI for authentication
+ * @param {string} - [options.client_id]: The client ID for authentication
+ * @return {Auth} - An instance of Auth
+ */
+const AuthIFrame = ({ onSignIn, onSignOut, onAuthError, ...config } = {}) => {
+  let signInTimer;
+  if (!self) {
+    const oidc = new OidcIFrame(Object.assign({}, DEFAULT_CONFIG, config, { redirect_uri: config.redirect_uri }));
+    if (onSignIn) oidc.on('signedIn', onSignIn);
+    if (onSignOut) oidc.on('signedOut', onSignOut);
+    if (onAuthError) oidc.on('error', onAuthError);
+    window.onmessage = e => {
+      if (e.origin === new URL(config.authority).origin) {
+        switch (e.data.type) {
+          case 'code':
+            oidc.getAccessTokenFromCode(e.data.code);
+            break
+          case 'signedOut':
+            oidc.emit({ type: 'signedOut' });
+            break
+          case 'session_not_found':
+            oidc.emit({
+              type: 'error',
+              error: 'session_not_found',
+              error_description: 'Session was expired, please sign in again',
+            });
+            if (signInTimer) clearTimeout(signInTimer);
+            signInTimer = setTimeout(() => oidc.signIn(), 1000);
+            break
+          default:
+            oidc.emit({ ...e.data, type: 'error' });
+        }
+      }
+    };
+    self = oidc;
+  }
+  return self
+};
+
+/**
+ * Factory function to create an instance of AuthRedirect, enabling redirect authentication.
+ *
+ * @function AuthRedirect
+ * @tag auth
+ * @param {Object} - [options]:  Configuration options for authentication
+ * @param {Function} - [onSignIn]: Callback function invoked on successful sign-in
+ * @param {Function} - [onSignOut]: Callback function invoked on sign-out
+ * @param {Function} - [onAuthError]: Callback function invoked on authentication error
+ * @param {string} - [options.redirect_uri]: The redirect URI for authentication
+ * @return {AuthRedirect} - An instance of Auth
+ */
+const AuthRedirect = ({ onSignIn, onSignOut, onAuthError, ...config } = {}) => {
+  if (config.lib === 'oidc-client-ts') return AuthRedirect$1({ onSignIn, onSignOut, onAuthError, ...config })
+
+  if (!self) {
+    const oidc = new OidcLib(Object.assign({}, DEFAULT_CONFIG, config, { redirect_uri: config.redirect_uri }));
+    if (onSignIn) oidc.on('signedIn', onSignIn);
+    if (onSignOut) oidc.on('signedOut', onSignOut);
+    if (onAuthError) oidc.on('error', onAuthError);
+
+    window.onmessage = async e => {
+      switch (e.data.type) {
+        case 'code':
+          await oidc.init();
+          oidc.getAccessTokenFromCode(e.data.code);
+          break
+      }
+    };
+
+    self = oidc;
+  }
+  return self
+};
+
+/**
+ * Factory function to create an instance of AuthOTP, enabling OTP authentication.
+ *
+ * @function AuthOTP
+ * @tag auth
+ * @param {Object} - [options]:  Configuration options for authentication
+ * @param {Function} - [onSignIn]: Callback function invoked on successful sign-in
+ * @param {Function} - [onSignOut]: Callback function invoked on sign-out
+ * @param {Function} - [onAuthError]: Callback function invoked on authentication error
+ * @return {AuthOTP} - An instance of AuthOTP
+ */
+const AuthOTP = ({ onSignIn, onSignOut, onAuthError, ...config } = {}) => {
+  if (!self) {
+    const otp = new OTP(Object.assign({}, config));
+    if (onSignIn) otp.on('signedIn', onSignIn);
+    if (onSignOut) otp.on('signedOut', onSignOut);
+    if (onAuthError) otp.on('error', onAuthError);
+
+    self = otp;
+  }
+  return self
+};
+
+export { AuthIFrame, AuthOTP, AuthRedirect, self };
+//# sourceMappingURL=index.js.map