npm - @dloizides/auth-client - Versions diffs - 2.0.0 → 3.0.0 - Mend

@dloizides/auth-client 2.0.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/CHANGELOG.md +90 -0
package/README.md +37 -1
package/dist/{AuthClient-Dim7HPRz.d.ts → AuthClient-BGr8L03W.d.mts} +62 -35
package/dist/{AuthClient-Dim7HPRz.d.mts → AuthClient-D95OMajD.d.ts} +62 -35
package/dist/TokenResponse-CY1CaU2l.d.mts +59 -0
package/dist/TokenResponse-CY1CaU2l.d.ts +59 -0
package/dist/index.d.mts +109 -28
package/dist/index.d.ts +109 -28
package/dist/index.js +329 -19
package/dist/index.js.map +1 -1
package/dist/index.mjs +322 -20
package/dist/index.mjs.map +1 -1
package/dist/oidc/index.d.mts +127 -0
package/dist/oidc/index.d.ts +127 -0
package/dist/oidc/index.js +192 -0
package/dist/oidc/index.js.map +1 -0
package/dist/oidc/index.mjs +184 -0
package/dist/oidc/index.mjs.map +1 -0
package/dist/react.d.mts +2 -1
package/dist/react.d.ts +2 -1
package/package.json +12 -2

package/dist/index.js CHANGED Viewed

@@ -159,11 +159,63 @@ var AuthClient = class _AuthClient {
       ...config,
       scope: config.scope ?? DEFAULT_SCOPE
     };
+    this.directKcAuth = config.useDirectKcAuth === true;
     this.tokenStorage = storage;
     this.api = collaborators.api;
     this.interceptor = collaborators.interceptor;
     this.inactivityTracker = collaborators.inactivityTracker;
     this.events = collaborators.events ?? new AuthEventEmitter();
+    this.onTokenAcquired = collaborators.onTokenAcquired;
+    this.onTokenRefreshed = collaborators.onTokenRefreshed;
+  }
+  /**
+   * Whether this client is configured to route auth flows directly to
+   * Keycloak (v2.1.0 direct-KC path) instead of through the proxied
+   * identity-api `/auth/*` endpoints.
+   *
+   * Apps can render conditionally on this — e.g. to swap a login form for
+   * a "Sign in with Keycloak" redirect button.
+   */
+  isDirectMode() {
+    return this.directKcAuth;
+  }
+  /**
+   * Persist a token bundle produced by an external flow (e.g. the
+   * app-side `useKeycloakExchange` hook that consumes the shared
+   * `exchangeAuthorizationCode` primitive). Fires `onTokenAcquired` after
+   * persistence and marks the inactivity tracker active.
+   *
+   * Designed for the v2.1.0 direct-KC path where the PKCE code exchange
+   * happens in the app's React-Query hook (which needs `useDispatch`/etc.)
+   * but the token persistence + observability should still flow through
+   * the shared client.
+   */
+  async acceptDirectKcTokens(response) {
+    const tokens = tokenResponseToAuthTokens(response);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenAcquired !== void 0) {
+      this.onTokenAcquired(tokens);
+    }
+    return tokens;
+  }
+  /**
+   * Same as {@link acceptDirectKcTokens} but fires `onTokenRefreshed`.
+   * Use after a `refreshAccessToken()` swap to keep observability counts
+   * separated between "fresh login" and "silent refresh".
+   */
+  async acceptDirectKcRefresh(response) {
+    const tokens = tokenResponseToAuthTokens(response);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenRefreshed !== void 0) {
+      this.onTokenRefreshed(tokens);
+    }
+    return tokens;
   }
   /**
    * Build an {@link AuthClient} from a standalone issuer URL by parsing the
@@ -308,7 +360,11 @@ var AuthClient = class _AuthClient {
     if (this.interceptor === void 0) {
       throw new Error("AuthClient.refresh: no RefreshInterceptor configured");
     }
-    return this.interceptor.refreshTokens();
+    const tokens = await this.interceptor.refreshTokens();
+    if (tokens !== null && this.onTokenRefreshed !== void 0) {
+      this.onTokenRefreshed(tokens);
+    }
+    return tokens;
   }
   async loginWithOtp(input) {
     return this.runLogin(this.requireApi().loginWithOtp({
@@ -355,6 +411,9 @@ var AuthClient = class _AuthClient {
     if (this.inactivityTracker !== void 0) {
       await this.inactivityTracker.markActive();
     }
+    if (this.onTokenAcquired !== void 0) {
+      this.onTokenAcquired(tokens);
+    }
     return tokens;
   }
   requireApi() {
@@ -374,6 +433,152 @@ var AuthClient = class _AuthClient {
   }
 };
+// src/oidc/discovery.ts
+var cache = /* @__PURE__ */ new Map();
+function normalizeIssuer(issuerUrl) {
+  return issuerUrl.replace(/\/$/, "");
+}
+function isOidcDiscoveryDocument(data) {
+  if (data === null || typeof data !== "object") {
+    return false;
+  }
+  const d = data;
+  return typeof d.issuer === "string" && d.issuer !== "" && typeof d.authorization_endpoint === "string" && d.authorization_endpoint !== "" && typeof d.token_endpoint === "string" && d.token_endpoint !== "";
+}
+async function fetchDiscoveryDocument(input) {
+  const key = normalizeIssuer(input.issuerUrl);
+  const cached = cache.get(key);
+  if (cached !== void 0) {
+    return cached;
+  }
+  const response = await input.http({
+    url: `${key}/.well-known/openid-configuration`,
+    method: "GET"
+  });
+  if (!response.ok) {
+    throw new Error(
+      `OIDC discovery failed: ${String(response.status)} for ${key}`
+    );
+  }
+  if (!isOidcDiscoveryDocument(response.data)) {
+    throw new Error(`OIDC discovery returned invalid metadata for ${key}`);
+  }
+  cache.set(key, response.data);
+  return response.data;
+}
+function clearDiscoveryCache() {
+  cache.clear();
+}
+// src/oidc/pkce.ts
+var VERIFIER_MIN_LENGTH = 43;
+var VERIFIER_MAX_LENGTH = 128;
+var DEFAULT_VERIFIER_LENGTH = 64;
+var RANDOM_BYTES_PER_CHAR = 1;
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function getCrypto() {
+  const c = globalThis.crypto;
+  if (c === void 0 || c.subtle === void 0) {
+    throw new Error("pkce: globalThis.crypto.subtle is required (Node 16+ / modern browser)");
+  }
+  return c;
+}
+function assertVerifierLength(length) {
+  if (length < VERIFIER_MIN_LENGTH || length > VERIFIER_MAX_LENGTH) {
+    throw new Error(`pkce: code_verifier length must be ${String(VERIFIER_MIN_LENGTH)}-${String(VERIFIER_MAX_LENGTH)} chars (RFC 7636)`);
+  }
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const b64 = globalThis.btoa?.(binary) ?? Buffer.from(binary, "binary").toString("base64");
+  let end = b64.length;
+  while (end > 0 && b64.charCodeAt(end - 1) === "=".charCodeAt(0)) {
+    end -= 1;
+  }
+  return b64.slice(0, end).replace(/\+/g, "-").replace(/\//g, "_");
+}
+function generateCodeVerifier(length = DEFAULT_VERIFIER_LENGTH) {
+  assertVerifierLength(length);
+  const crypto = getCrypto();
+  const bytes = new Uint8Array(length * RANDOM_BYTES_PER_CHAR);
+  crypto.getRandomValues(bytes);
+  let out = "";
+  for (let i = 0; i < length; i++) {
+    const byte = bytes[i];
+    out += UNRESERVED_CHARS[byte % UNRESERVED_CHARS.length];
+  }
+  return out;
+}
+async function deriveCodeChallenge(verifier) {
+  assertVerifierLength(verifier.length);
+  const crypto = getCrypto();
+  const data = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(digest);
+}
+async function generatePkcePair(length) {
+  const codeVerifier = generateCodeVerifier(length);
+  const codeChallenge = await deriveCodeChallenge(codeVerifier);
+  return { codeVerifier, codeChallenge, codeChallengeMethod: "S256" };
+}
+// src/utils/buildTokenRequestBody.ts
+function buildAuthorizationCodeBody(input) {
+  return new URLSearchParams({
+    client_id: input.clientId,
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    code_verifier: input.codeVerifier
+  }).toString();
+}
+function buildRefreshTokenBody(input) {
+  return new URLSearchParams({
+    client_id: input.clientId,
+    grant_type: "refresh_token",
+    refresh_token: input.refreshToken
+  }).toString();
+}
+// src/oidc/tokenExchange.ts
+var FORM_HEADERS = {
+  "Content-Type": "application/x-www-form-urlencoded"
+};
+async function postTokenEndpoint(http, url, body) {
+  const response = await http({
+    url,
+    method: "POST",
+    headers: FORM_HEADERS,
+    body
+  });
+  if (!response.ok) {
+    throw new Error(`token endpoint POST failed: ${String(response.status)}`);
+  }
+  return normalizeTokenResponse(response.data);
+}
+async function exchangeAuthorizationCode(input) {
+  const url = buildTokenEndpoint(input.baseUrl, input.realm);
+  const body = buildAuthorizationCodeBody({
+    clientId: input.clientId,
+    code: input.code,
+    redirectUri: input.redirectUri,
+    codeVerifier: input.codeVerifier
+  });
+  return postTokenEndpoint(input.http, url, body);
+}
+async function refreshAccessToken(input) {
+  const url = buildTokenEndpoint(input.baseUrl, input.realm);
+  const body = buildRefreshTokenBody({
+    clientId: input.clientId,
+    refreshToken: input.refreshToken
+  });
+  return postTokenEndpoint(input.http, url, body);
+}
 // src/types/KeycloakRoles.ts
 var KeycloakRoles = /* @__PURE__ */ ((KeycloakRoles2) => {
   KeycloakRoles2["SuperUser"] = "superUser";
@@ -854,6 +1059,121 @@ var AuthApiClient = class {
   }
 };
+// src/bff/BffAuthClient.ts
+var CSRF_HEADER = "X-BFF-Csrf";
+var CSRF_HEADER_VALUE = "1";
+var JSON_CONTENT_TYPE = "application/json";
+var ENDPOINTS = {
+  login: "/bff/login",
+  logout: "/bff/logout",
+  me: "/bff/me",
+  register: "/bff/register",
+  forgotPassword: "/bff/forgot-password",
+  resetPassword: "/bff/reset-password"
+};
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function extractUser(data) {
+  if (!isRecord(data)) {
+    return null;
+  }
+  const envelope = data;
+  return isRecord(envelope.user) ? envelope.user : null;
+}
+var BffAuthClient = class {
+  constructor(options) {
+    this.http = options.http;
+    this.baseUrl = (options.baseUrl ?? "").replace(/\/$/, "");
+  }
+  /**
+   * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+   * the tokens in its Redis vault, and sets the httpOnly session cookie.
+   * Returns the sanitised user. Throws on a non-2xx response.
+   */
+  async login(request) {
+    const data = await this.postState(ENDPOINTS.login, request, "login");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("login: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+   * session, and clears the cookie. Non-fatal: a failed logout still leaves
+   * the SPA logged out client-side. Throws only on a non-2xx response.
+   */
+  async logout() {
+    await this.postState(ENDPOINTS.logout, void 0, "logout");
+  }
+  /**
+   * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+   * no session (the BFF answers `401`). Used at app load to bootstrap auth
+   * state in place of the old token-in-storage check.
+   */
+  async getCurrentUser() {
+    const response = await this.http({
+      url: `${this.baseUrl}${ENDPOINTS.me}`,
+      method: "GET",
+      headers: { Accept: JSON_CONTENT_TYPE },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return extractUser(response.data);
+  }
+  /**
+   * `POST /bff/register` — the BFF proxies registration to TenantService and,
+   * on success, establishes a session exactly like `login`. Returns the user.
+   */
+  async register(request) {
+    const data = await this.postState(ENDPOINTS.register, request, "register");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("register: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/forgot-password` — proxied to TenantService. The backend
+   * returns 200 unconditionally (no email enumeration); anything else throws.
+   */
+  async forgotPassword(request) {
+    await this.postState(ENDPOINTS.forgotPassword, request, "forgot-password");
+  }
+  /**
+   * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+   * response (e.g. `400` for an invalid / expired token).
+   */
+  async resetPassword(request) {
+    await this.postState(ENDPOINTS.resetPassword, request, "reset-password");
+  }
+  /**
+   * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+   * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+   */
+  async postState(path, body, label) {
+    const headers = {
+      "Content-Type": JSON_CONTENT_TYPE,
+      Accept: JSON_CONTENT_TYPE,
+      [CSRF_HEADER]: CSRF_HEADER_VALUE
+    };
+    const response = await this.http({
+      url: `${this.baseUrl}${path}`,
+      method: "POST",
+      headers,
+      body: body === void 0 ? void 0 : JSON.stringify(body),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      throw new Error(`${label} failed with status ${String(response.status)}`);
+    }
+    return response.data;
+  }
+};
 // src/utils/normalizeKeycloakUser.ts
 function isNonEmptyString(value) {
   return typeof value === "string" && value !== "";
@@ -904,24 +1224,6 @@ function normalizeKeycloakUser(u) {
   };
 }
-// src/utils/buildTokenRequestBody.ts
-function buildAuthorizationCodeBody(input) {
-  return new URLSearchParams({
-    client_id: input.clientId,
-    grant_type: "authorization_code",
-    code: input.code,
-    redirect_uri: input.redirectUri,
-    code_verifier: input.codeVerifier
-  }).toString();
-}
-function buildRefreshTokenBody(input) {
-  return new URLSearchParams({
-    client_id: input.clientId,
-    grant_type: "refresh_token",
-    refresh_token: input.refreshToken
-  }).toString();
-}
 // src/utils/extractAuthCode.ts
 function extractAuthCode(response) {
   if (!response) {
@@ -985,6 +1287,7 @@ function decodeUtf8(binary) {
 exports.AuthApiClient = AuthApiClient;
 exports.AuthClient = AuthClient;
 exports.AuthEventEmitter = AuthEventEmitter;
+exports.BffAuthClient = BffAuthClient;
 exports.BiometricGate = BiometricGate;
 exports.BrowserStorageTokenStorage = BrowserStorageTokenStorage;
 exports.CookieTokenStorage = CookieTokenStorage;
@@ -1001,16 +1304,23 @@ exports.buildLogoutEndpoint = buildLogoutEndpoint;
 exports.buildRefreshTokenBody = buildRefreshTokenBody;
 exports.buildTokenEndpoint = buildTokenEndpoint;
 exports.buildUserInfoEndpoint = buildUserInfoEndpoint;
+exports.clearDiscoveryCache = clearDiscoveryCache;
 exports.computeExpiresAt = computeExpiresAt;
 exports.createFetchHttpClient = createFetchHttpClient;
 exports.decodeJwt = decodeJwt;
+exports.deriveCodeChallenge = deriveCodeChallenge;
+exports.exchangeAuthorizationCode = exchangeAuthorizationCode;
 exports.extractAuthCode = extractAuthCode;
+exports.fetchDiscoveryDocument = fetchDiscoveryDocument;
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generatePkcePair = generatePkcePair;
 exports.isKeycloakRole = isKeycloakRole;
 exports.isTokenExpired = isTokenExpired;
 exports.normalizeKeycloakUser = normalizeKeycloakUser;
 exports.normalizeTokenResponse = normalizeTokenResponse;
 exports.parseBaseUrlFromIssuer = parseBaseUrlFromIssuer;
 exports.parseRealmFromIssuer = parseRealmFromIssuer;
+exports.refreshAccessToken = refreshAccessToken;
 exports.tokenResponseToAuthTokens = tokenResponseToAuthTokens;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map