npm - @dloizides/auth-client - Versions diffs - 2.0.0 → 2.1.0 - Mend

@dloizides/auth-client 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/CHANGELOG.md +63 -0
package/dist/{AuthClient-Dim7HPRz.d.ts → AuthClient-BGr8L03W.d.mts} +62 -35
package/dist/{AuthClient-Dim7HPRz.d.mts → AuthClient-D95OMajD.d.ts} +62 -35
package/dist/TokenResponse-CY1CaU2l.d.mts +59 -0
package/dist/TokenResponse-CY1CaU2l.d.ts +59 -0
package/dist/index.d.mts +6 -28
package/dist/index.d.ts +6 -28
package/dist/index.js +213 -19
package/dist/index.js.map +1 -1
package/dist/index.mjs +207 -20
package/dist/index.mjs.map +1 -1
package/dist/oidc/index.d.mts +127 -0
package/dist/oidc/index.d.ts +127 -0
package/dist/oidc/index.js +192 -0
package/dist/oidc/index.js.map +1 -0
package/dist/oidc/index.mjs +184 -0
package/dist/oidc/index.mjs.map +1 -0
package/dist/react.d.mts +2 -1
package/dist/react.d.ts +2 -1
package/package.json +11 -1

package/dist/index.mjs CHANGED Viewed

@@ -157,11 +157,63 @@ var AuthClient = class _AuthClient {
       ...config,
       scope: config.scope ?? DEFAULT_SCOPE
     };
+    this.directKcAuth = config.useDirectKcAuth === true;
     this.tokenStorage = storage;
     this.api = collaborators.api;
     this.interceptor = collaborators.interceptor;
     this.inactivityTracker = collaborators.inactivityTracker;
     this.events = collaborators.events ?? new AuthEventEmitter();
+    this.onTokenAcquired = collaborators.onTokenAcquired;
+    this.onTokenRefreshed = collaborators.onTokenRefreshed;
+  }
+  /**
+   * Whether this client is configured to route auth flows directly to
+   * Keycloak (v2.1.0 direct-KC path) instead of through the proxied
+   * identity-api `/auth/*` endpoints.
+   *
+   * Apps can render conditionally on this — e.g. to swap a login form for
+   * a "Sign in with Keycloak" redirect button.
+   */
+  isDirectMode() {
+    return this.directKcAuth;
+  }
+  /**
+   * Persist a token bundle produced by an external flow (e.g. the
+   * app-side `useKeycloakExchange` hook that consumes the shared
+   * `exchangeAuthorizationCode` primitive). Fires `onTokenAcquired` after
+   * persistence and marks the inactivity tracker active.
+   *
+   * Designed for the v2.1.0 direct-KC path where the PKCE code exchange
+   * happens in the app's React-Query hook (which needs `useDispatch`/etc.)
+   * but the token persistence + observability should still flow through
+   * the shared client.
+   */
+  async acceptDirectKcTokens(response) {
+    const tokens = tokenResponseToAuthTokens(response);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenAcquired !== void 0) {
+      this.onTokenAcquired(tokens);
+    }
+    return tokens;
+  }
+  /**
+   * Same as {@link acceptDirectKcTokens} but fires `onTokenRefreshed`.
+   * Use after a `refreshAccessToken()` swap to keep observability counts
+   * separated between "fresh login" and "silent refresh".
+   */
+  async acceptDirectKcRefresh(response) {
+    const tokens = tokenResponseToAuthTokens(response);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenRefreshed !== void 0) {
+      this.onTokenRefreshed(tokens);
+    }
+    return tokens;
   }
   /**
    * Build an {@link AuthClient} from a standalone issuer URL by parsing the
@@ -306,7 +358,11 @@ var AuthClient = class _AuthClient {
     if (this.interceptor === void 0) {
       throw new Error("AuthClient.refresh: no RefreshInterceptor configured");
     }
-    return this.interceptor.refreshTokens();
+    const tokens = await this.interceptor.refreshTokens();
+    if (tokens !== null && this.onTokenRefreshed !== void 0) {
+      this.onTokenRefreshed(tokens);
+    }
+    return tokens;
   }
   async loginWithOtp(input) {
     return this.runLogin(this.requireApi().loginWithOtp({
@@ -353,6 +409,9 @@ var AuthClient = class _AuthClient {
     if (this.inactivityTracker !== void 0) {
       await this.inactivityTracker.markActive();
     }
+    if (this.onTokenAcquired !== void 0) {
+      this.onTokenAcquired(tokens);
+    }
     return tokens;
   }
   requireApi() {
@@ -372,6 +431,152 @@ var AuthClient = class _AuthClient {
   }
 };
+// src/oidc/discovery.ts
+var cache = /* @__PURE__ */ new Map();
+function normalizeIssuer(issuerUrl) {
+  return issuerUrl.replace(/\/$/, "");
+}
+function isOidcDiscoveryDocument(data) {
+  if (data === null || typeof data !== "object") {
+    return false;
+  }
+  const d = data;
+  return typeof d.issuer === "string" && d.issuer !== "" && typeof d.authorization_endpoint === "string" && d.authorization_endpoint !== "" && typeof d.token_endpoint === "string" && d.token_endpoint !== "";
+}
+async function fetchDiscoveryDocument(input) {
+  const key = normalizeIssuer(input.issuerUrl);
+  const cached = cache.get(key);
+  if (cached !== void 0) {
+    return cached;
+  }
+  const response = await input.http({
+    url: `${key}/.well-known/openid-configuration`,
+    method: "GET"
+  });
+  if (!response.ok) {
+    throw new Error(
+      `OIDC discovery failed: ${String(response.status)} for ${key}`
+    );
+  }
+  if (!isOidcDiscoveryDocument(response.data)) {
+    throw new Error(`OIDC discovery returned invalid metadata for ${key}`);
+  }
+  cache.set(key, response.data);
+  return response.data;
+}
+function clearDiscoveryCache() {
+  cache.clear();
+}
+// src/oidc/pkce.ts
+var VERIFIER_MIN_LENGTH = 43;
+var VERIFIER_MAX_LENGTH = 128;
+var DEFAULT_VERIFIER_LENGTH = 64;
+var RANDOM_BYTES_PER_CHAR = 1;
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function getCrypto() {
+  const c = globalThis.crypto;
+  if (c === void 0 || c.subtle === void 0) {
+    throw new Error("pkce: globalThis.crypto.subtle is required (Node 16+ / modern browser)");
+  }
+  return c;
+}
+function assertVerifierLength(length) {
+  if (length < VERIFIER_MIN_LENGTH || length > VERIFIER_MAX_LENGTH) {
+    throw new Error(`pkce: code_verifier length must be ${String(VERIFIER_MIN_LENGTH)}-${String(VERIFIER_MAX_LENGTH)} chars (RFC 7636)`);
+  }
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const b64 = globalThis.btoa?.(binary) ?? Buffer.from(binary, "binary").toString("base64");
+  let end = b64.length;
+  while (end > 0 && b64.charCodeAt(end - 1) === "=".charCodeAt(0)) {
+    end -= 1;
+  }
+  return b64.slice(0, end).replace(/\+/g, "-").replace(/\//g, "_");
+}
+function generateCodeVerifier(length = DEFAULT_VERIFIER_LENGTH) {
+  assertVerifierLength(length);
+  const crypto = getCrypto();
+  const bytes = new Uint8Array(length * RANDOM_BYTES_PER_CHAR);
+  crypto.getRandomValues(bytes);
+  let out = "";
+  for (let i = 0; i < length; i++) {
+    const byte = bytes[i];
+    out += UNRESERVED_CHARS[byte % UNRESERVED_CHARS.length];
+  }
+  return out;
+}
+async function deriveCodeChallenge(verifier) {
+  assertVerifierLength(verifier.length);
+  const crypto = getCrypto();
+  const data = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(digest);
+}
+async function generatePkcePair(length) {
+  const codeVerifier = generateCodeVerifier(length);
+  const codeChallenge = await deriveCodeChallenge(codeVerifier);
+  return { codeVerifier, codeChallenge, codeChallengeMethod: "S256" };
+}
+// src/utils/buildTokenRequestBody.ts
+function buildAuthorizationCodeBody(input) {
+  return new URLSearchParams({
+    client_id: input.clientId,
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    code_verifier: input.codeVerifier
+  }).toString();
+}
+function buildRefreshTokenBody(input) {
+  return new URLSearchParams({
+    client_id: input.clientId,
+    grant_type: "refresh_token",
+    refresh_token: input.refreshToken
+  }).toString();
+}
+// src/oidc/tokenExchange.ts
+var FORM_HEADERS = {
+  "Content-Type": "application/x-www-form-urlencoded"
+};
+async function postTokenEndpoint(http, url, body) {
+  const response = await http({
+    url,
+    method: "POST",
+    headers: FORM_HEADERS,
+    body
+  });
+  if (!response.ok) {
+    throw new Error(`token endpoint POST failed: ${String(response.status)}`);
+  }
+  return normalizeTokenResponse(response.data);
+}
+async function exchangeAuthorizationCode(input) {
+  const url = buildTokenEndpoint(input.baseUrl, input.realm);
+  const body = buildAuthorizationCodeBody({
+    clientId: input.clientId,
+    code: input.code,
+    redirectUri: input.redirectUri,
+    codeVerifier: input.codeVerifier
+  });
+  return postTokenEndpoint(input.http, url, body);
+}
+async function refreshAccessToken(input) {
+  const url = buildTokenEndpoint(input.baseUrl, input.realm);
+  const body = buildRefreshTokenBody({
+    clientId: input.clientId,
+    refreshToken: input.refreshToken
+  });
+  return postTokenEndpoint(input.http, url, body);
+}
 // src/types/KeycloakRoles.ts
 var KeycloakRoles = /* @__PURE__ */ ((KeycloakRoles2) => {
   KeycloakRoles2["SuperUser"] = "superUser";
@@ -902,24 +1107,6 @@ function normalizeKeycloakUser(u) {
   };
 }
-// src/utils/buildTokenRequestBody.ts
-function buildAuthorizationCodeBody(input) {
-  return new URLSearchParams({
-    client_id: input.clientId,
-    grant_type: "authorization_code",
-    code: input.code,
-    redirect_uri: input.redirectUri,
-    code_verifier: input.codeVerifier
-  }).toString();
-}
-function buildRefreshTokenBody(input) {
-  return new URLSearchParams({
-    client_id: input.clientId,
-    grant_type: "refresh_token",
-    refresh_token: input.refreshToken
-  }).toString();
-}
 // src/utils/extractAuthCode.ts
 function extractAuthCode(response) {
   if (!response) {
@@ -980,6 +1167,6 @@ function decodeUtf8(binary) {
   return new TextDecoder("utf-8").decode(bytes);
 }
-export { AuthApiClient, AuthClient, AuthEventEmitter, BiometricGate, BrowserStorageTokenStorage, CookieTokenStorage, InMemoryTokenStorage, InactivityTracker, KeycloakRoles, RefreshInterceptor, SecureStoreTokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, createFetchHttpClient, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthApiClient, AuthClient, AuthEventEmitter, BiometricGate, BrowserStorageTokenStorage, CookieTokenStorage, InMemoryTokenStorage, InactivityTracker, KeycloakRoles, RefreshInterceptor, SecureStoreTokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, clearDiscoveryCache, computeExpiresAt, createFetchHttpClient, decodeJwt, deriveCodeChallenge, exchangeAuthorizationCode, extractAuthCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, refreshAccessToken, tokenResponseToAuthTokens };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map