npm - @douvery/auth - Versions diffs - 0.3.2 → 0.3.3 - Mend

@douvery/auth 0.3.2 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -454,5 +454,65 @@ declare class TokenManager {
     clearReturnTo(): Promise<void>;
     clearAll(): Promise<void>;
 }
+/**
+ * Options for createServerBridgedStorage.
+ *
+ * Use this when tokens are managed server-side (httpOnly cookies)
+ * but the OAuth/PKCE flow needs client-side ephemeral storage.
+ */
+interface ServerBridgedStorageOptions {
+    /**
+     * Name of a **non-httpOnly** cookie that holds the access token
+     * expiration timestamp (in milliseconds). Used to infer whether
+     * a valid session exists without exposing the actual tokens.
+     */
+    tokenExpirationCookie: string;
+    /**
+     * Placeholder value returned by `get()` for server-managed keys
+     * (accessToken, refreshToken). Signals to the caller that the
+     * real token exists but is not readable from JS.
+     * @default "__server_managed__"
+     */
+    serverManagedPlaceholder?: string;
+    /**
+     * Enable debug logging.
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Creates a `TokenStorage` adapter for apps where **tokens are
+ * managed server-side** (e.g. httpOnly cookies set by routeLoader$/
+ * routeAction$) but the OAuth PKCE flow still needs ephemeral
+ * client-side storage for state, nonce, codeVerifier and returnTo.
+ *
+ * Behaviour per key category:
+ *
+ * | Category          | get()                                    | set() / remove() |
+ * |-------------------|------------------------------------------|-------------------|
+ * | accessToken       | returns placeholder if session is active | no-op (server)    |
+ * | refreshToken      | returns placeholder if session exists    | no-op (server)    |
+ * | idToken           | always null                              | no-op             |
+ * | expiresAt         | reads from expiration cookie             | no-op (server)    |
+ * | state/nonce/etc.  | sessionStorage                           | sessionStorage    |
+ *
+ * @example
+ * ```ts
+ * import { createServerBridgedStorage } from '@douvery/auth';
+ *
+ * const bridgedStorage = createServerBridgedStorage({
+ *   tokenExpirationCookie: 'dou_token_exp',
+ *   debug: import.meta.env.DEV,
+ * });
+ *
+ * const config: DouveryAuthConfig = {
+ *   clientId: 'my-app',
+ *   redirectUri: '/callback',
+ *   customStorage: bridgedStorage,
+ *   autoRefresh: false, // server handles refresh
+ * };
+ * ```
+ */
+declare function createServerBridgedStorage(options: ServerBridgedStorageOptions): TokenStorage;
-export { type AddAccountOptions, AuthError, type AuthErrorCode, type AuthEvent, type AuthEventHandler, type AuthNavigationOptions, type AuthState, type AuthStatus, type AuthUrl, type CallbackResult, CookieStorage, type DecodedIdToken, DouveryAuthClient, type DouveryAuthConfig, LocalStorage, type LoginOptions, type LogoutOptions, MemoryStorage, type OIDCDiscovery, type PKCEPair, type RecoverAccountOptions, type RegisterOptions, type RevokeTokenOptions, STORAGE_KEYS, type SelectAccountOptions, SessionStorage, type SetupAddressOptions, type SetupPasskeyOptions, type StorageKeys, type TokenInfo, TokenManager, type TokenSet, type TokenStorage, type UpgradeAccountOptions, type User, type VerifyAccountOptions, base64UrlDecode, base64UrlEncode, createDouveryAuth, createStorage, decodeJWT, generateCodeChallenge, generateCodeVerifier, generateNonce, generatePKCEPair, generateState, getTokenExpiration, isTokenExpired, verifyCodeChallenge };
+export { type AddAccountOptions, AuthError, type AuthErrorCode, type AuthEvent, type AuthEventHandler, type AuthNavigationOptions, type AuthState, type AuthStatus, type AuthUrl, type CallbackResult, CookieStorage, type DecodedIdToken, DouveryAuthClient, type DouveryAuthConfig, LocalStorage, type LoginOptions, type LogoutOptions, MemoryStorage, type OIDCDiscovery, type PKCEPair, type RecoverAccountOptions, type RegisterOptions, type RevokeTokenOptions, STORAGE_KEYS, type SelectAccountOptions, type ServerBridgedStorageOptions, SessionStorage, type SetupAddressOptions, type SetupPasskeyOptions, type StorageKeys, type TokenInfo, TokenManager, type TokenSet, type TokenStorage, type UpgradeAccountOptions, type User, type VerifyAccountOptions, base64UrlDecode, base64UrlEncode, createDouveryAuth, createServerBridgedStorage, createStorage, decodeJWT, generateCodeChallenge, generateCodeVerifier, generateNonce, generatePKCEPair, generateState, getTokenExpiration, isTokenExpired, verifyCodeChallenge };

package/dist/index.js CHANGED Viewed

@@ -286,6 +286,113 @@ var TokenManager = class {
     await this.storage.clear();
   }
 };
+var SERVER_TOKEN_KEYS = /* @__PURE__ */ new Set([
+  STORAGE_KEYS.accessToken,
+  STORAGE_KEYS.refreshToken,
+  STORAGE_KEYS.idToken
+]);
+var PKCE_KEYS = /* @__PURE__ */ new Set([
+  STORAGE_KEYS.state,
+  STORAGE_KEYS.nonce,
+  STORAGE_KEYS.codeVerifier,
+  STORAGE_KEYS.returnTo
+]);
+function readClientCookie(name) {
+  if (typeof document === "undefined") return null;
+  const cookies = document.cookie.split(";");
+  for (const c of cookies) {
+    const [key, ...parts] = c.trim().split("=");
+    if (key === name) return decodeURIComponent(parts.join("="));
+  }
+  return null;
+}
+function safeSessionStorage() {
+  if (typeof window === "undefined" || typeof sessionStorage === "undefined") {
+    return null;
+  }
+  return sessionStorage;
+}
+function createServerBridgedStorage(options) {
+  const {
+    tokenExpirationCookie,
+    serverManagedPlaceholder = "__server_managed__",
+    debug = false
+  } = options;
+  function log(msg) {
+    if (debug) console.debug(`[ServerBridgedStorage] ${msg}`);
+  }
+  return {
+    get(key) {
+      if (key === STORAGE_KEYS.accessToken) {
+        const exp = readClientCookie(tokenExpirationCookie);
+        if (exp) {
+          const ms = parseInt(exp, 10);
+          if (!isNaN(ms) && ms > Date.now()) return serverManagedPlaceholder;
+        }
+        return null;
+      }
+      if (key === STORAGE_KEYS.refreshToken) {
+        const exp = readClientCookie(tokenExpirationCookie);
+        return exp ? serverManagedPlaceholder : null;
+      }
+      if (key === STORAGE_KEYS.idToken) return null;
+      if (key === STORAGE_KEYS.expiresAt) {
+        return readClientCookie(tokenExpirationCookie);
+      }
+      if (PKCE_KEYS.has(key)) {
+        return safeSessionStorage()?.getItem(key) ?? null;
+      }
+      return safeSessionStorage()?.getItem(key) ?? null;
+    },
+    set(key, value) {
+      if (SERVER_TOKEN_KEYS.has(key) || key === STORAGE_KEYS.expiresAt) {
+        log(`Ignoring set("${key}") \u2013 managed by server`);
+        return;
+      }
+      const ss = safeSessionStorage();
+      if (ss) {
+        try {
+          ss.setItem(key, value);
+        } catch (e) {
+          if (debug)
+            console.warn(
+              "[ServerBridgedStorage] sessionStorage.setItem failed:",
+              e
+            );
+        }
+      }
+    },
+    remove(key) {
+      if (SERVER_TOKEN_KEYS.has(key) || key === STORAGE_KEYS.expiresAt) {
+        log(`Ignoring remove("${key}") \u2013 managed by server`);
+        return;
+      }
+      const ss = safeSessionStorage();
+      if (ss) {
+        try {
+          ss.removeItem(key);
+        } catch (e) {
+          if (debug)
+            console.warn(
+              "[ServerBridgedStorage] sessionStorage.removeItem failed:",
+              e
+            );
+        }
+      }
+    },
+    clear() {
+      const ss = safeSessionStorage();
+      if (!ss) return;
+      for (const key of PKCE_KEYS) {
+        try {
+          ss.removeItem(key);
+        } catch {
+        }
+      }
+      log("PKCE ephemeral data cleared from sessionStorage");
+    }
+  };
+}
 // src/client.ts
 var DEFAULT_ISSUER = "https://auth.douvery.com";
@@ -866,6 +973,7 @@ var DouveryAuthClient = class {
   async getDiscovery() {
     if (this.discovery) return this.discovery;
     const discoveryUrl = `${this.config.issuer}/.well-known/openid-configuration`;
+    this.log("Fetching discovery from:", discoveryUrl);
     const response = await fetch(discoveryUrl);
     if (!response.ok) {
       throw new AuthError(
@@ -873,7 +981,29 @@ var DouveryAuthClient = class {
         "Failed to fetch discovery document"
       );
     }
-    this.discovery = await response.json();
+    const doc = await response.json();
+    const docIssuer = doc.issuer;
+    const configIssuer = this.config.issuer;
+    if (docIssuer && docIssuer !== configIssuer) {
+      this.log(
+        `Rewriting discovery endpoints: "${docIssuer}" -> "${configIssuer}"`
+      );
+      const rewrite = (url) => url.replace(docIssuer, configIssuer);
+      doc.issuer = configIssuer;
+      doc.authorization_endpoint = rewrite(doc.authorization_endpoint);
+      doc.token_endpoint = rewrite(doc.token_endpoint);
+      if (doc.userinfo_endpoint)
+        doc.userinfo_endpoint = rewrite(doc.userinfo_endpoint);
+      if (doc.end_session_endpoint)
+        doc.end_session_endpoint = rewrite(doc.end_session_endpoint);
+      if (doc.jwks_uri) doc.jwks_uri = rewrite(doc.jwks_uri);
+      if (doc.revocation_endpoint)
+        doc.revocation_endpoint = rewrite(doc.revocation_endpoint);
+      if (doc.introspection_endpoint)
+        doc.introspection_endpoint = rewrite(doc.introspection_endpoint);
+    }
+    this.log("authorization_endpoint:", doc.authorization_endpoint);
+    this.discovery = doc;
     return this.discovery;
   }
   setupAutoRefresh() {
@@ -931,6 +1061,6 @@ function createDouveryAuth(config) {
   return new DouveryAuthClient(config);
 }
-export { AuthError, CookieStorage, DouveryAuthClient, LocalStorage, MemoryStorage, STORAGE_KEYS, SessionStorage, TokenManager, base64UrlDecode, base64UrlEncode, createDouveryAuth, createStorage, decodeJWT, generateCodeChallenge, generateCodeVerifier, generateNonce, generatePKCEPair, generateState, getTokenExpiration, isTokenExpired, verifyCodeChallenge };
+export { AuthError, CookieStorage, DouveryAuthClient, LocalStorage, MemoryStorage, STORAGE_KEYS, SessionStorage, TokenManager, base64UrlDecode, base64UrlEncode, createDouveryAuth, createServerBridgedStorage, createStorage, decodeJWT, generateCodeChallenge, generateCodeVerifier, generateNonce, generatePKCEPair, generateState, getTokenExpiration, isTokenExpired, verifyCodeChallenge };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map