@enterprisestandard/react 0.0.2 → 0.0.3-beta.2

package/dist/index.d.ts

@@ -1,12 +1,12 @@
 import { type IAM } from './iam';
-import { SSOManager } from './sso';
+import { type SSO } from './sso';
 import { type Vault } from './vault';
 export type EnterpriseStandard = {
     ioniteUrl: string;
     appId: string;
     defaultInstance: boolean;
     vault: Vault;
-    sso?: SSOManager;
+    sso?: SSO;
     iam?: IAM;
 };
 type ESConfig = {

package/dist/index.js

@@ -31,35 +31,31 @@ function getES(es) {
 
 // src/sso.ts
 var jwksCache = new Map;
-
-class SSOManager {
-  config;
-  constructor(config) {
-    this.config = {
-      ...config,
-      secure: !!(config.secure === undefined || config.secure === true),
-      sameSite: config.sameSite === undefined || config.sameSite === "Strict" ? "Strict" : "Lax",
-      cookiePrefix: config.cookiePrefix ?? `es.sso.${config.client_id}`,
-      cookiePath: config.cookiePath ?? "/"
-    };
-  }
-  async getUser(request) {
-    if (!this.config) {
+function sso(config) {
+  const configWithDefaults = {
+    ...config,
+    secure: config.secure !== undefined ? config.secure : false,
+    sameSite: config.sameSite !== undefined ? config.sameSite : "Lax",
+    cookiePrefix: config.cookiePrefix ?? `es.sso.${config.client_id}`,
+    cookiePath: config.cookiePath ?? "/"
+  };
+  async function getUser(request) {
+    if (!configWithDefaults) {
       console.error("SSO Manager not initialized");
       return;
     }
     try {
-      const token = await this.getJwt(request);
+      const token = await getTokenFromCookies(request);
       if (!token)
         return;
-      return await this.parseUser(token);
+      return await parseUser(token);
     } catch (error) {
       console.error("Error parsing user from cookies:", error);
       return;
     }
   }
-  async getRequiredUser(request) {
-    const user = await this.getUser(request);
+  async function getRequiredUser(request) {
+    const user = await getUser(request);
     if (user)
       return user;
     throw new Response("Unauthorized", {
@@ -67,38 +63,38 @@ class SSOManager {
       statusText: "Unauthorized"
     });
   }
-  async initiateLogin(landingPage, errorPage) {
-    if (!this.config) {
+  async function initiateLogin({ landingUrl, errorUrl }) {
+    if (!configWithDefaults) {
       console.error("SSO Manager not initialized");
       return Promise.resolve(new Response("SSO Manager not initialized", { status: 503 }));
     }
-    const state = this.generateRandomString();
-    const codeVerifier = this.generateRandomString(64);
-    const url = new URL(this.config.authorization_url);
-    url.searchParams.append("client_id", this.config.client_id);
-    url.searchParams.append("redirect_uri", this.config.redirect_uri);
+    const state = generateRandomString();
+    const codeVerifier = generateRandomString(64);
+    const url = new URL(configWithDefaults.authorization_url);
+    url.searchParams.append("client_id", configWithDefaults.client_id);
+    url.searchParams.append("redirect_uri", configWithDefaults.redirect_uri);
     url.searchParams.append("response_type", "code");
-    url.searchParams.append("scope", this.config.scope);
+    url.searchParams.append("scope", configWithDefaults.scope);
     url.searchParams.append("state", state);
-    const codeChallenge = await this.pkceChallengeFromVerifier(codeVerifier);
+    const codeChallenge = await pkceChallengeFromVerifier(codeVerifier);
     url.searchParams.append("code_challenge", codeChallenge);
     url.searchParams.append("code_challenge_method", "S256");
     const val = {
       state,
       codeVerifier,
-      landingPage,
-      errorPage
+      landingUrl,
+      errorUrl
     };
     return new Response("Redirecting to SSO Provider", {
       status: 302,
       headers: {
         Location: url.toString(),
-        "Set-Cookie": this.createCookie("state", val, 86400)
+        "Set-Cookie": createCookie("state", val, 86400)
       }
     });
   }
-  async callbackHandler(request) {
-    if (!this.config) {
+  async function callbackHandler(request) {
+    if (!configWithDefaults) {
       console.error("SSO Manager not initialized");
       return Promise.resolve(new Response("SSO Manager not initialized", { status: 503 }));
     }
@@ -107,37 +103,37 @@ class SSOManager {
     try {
       const codeFromUrl = must(params.get("code"), 'OIDC "code" was not passed as a search param, ensure that the SSO login completed successfully');
       const stateFromUrl = must(params.get("state"), 'OIDC "state" was not passed as a search param, ensure that the SSO login completed successfully');
-      const cookie = this.getCookie("state", request, true);
-      const { codeVerifier, state, landingPage } = cookie ?? {};
+      const cookie = getCookie("state", request, true);
+      const { codeVerifier, state, landingUrl } = cookie ?? {};
       must(codeVerifier, 'OIDC "codeVerifier" was not present in cookies, ensure that the SSO login was initiated correctly');
       must(state, 'OIDC "stateVerifier" was not present in cookies, ensure that the SSO login was initiated correctly');
-      must(landingPage, 'OIDC "landingPage" was not present in cookies');
+      must(landingUrl, 'OIDC "landingUrl" was not present in cookies');
       if (stateFromUrl !== state) {
         throw new Error('SSO State Verifier failed, the "state" request parameter does not equal the "state" in the SSO cookie');
       }
-      const tokenResponse = await this.exchangeCodeForToken(codeFromUrl, codeVerifier);
-      const user = await this.parseUser(tokenResponse);
+      const tokenResponse = await exchangeCodeForToken(codeFromUrl, codeVerifier);
+      const user = await parseUser(tokenResponse);
       return new Response("Authentication successful, redirecting", {
         status: 302,
         headers: [
-          ["Location", landingPage],
-          ["Set-Cookie", this.clearCookie("state")],
-          ...this.createJwtCookies(tokenResponse, user.sso.expires)
+          ["Location", landingUrl],
+          ["Set-Cookie", clearCookie("state")],
+          ...createJwtCookies(tokenResponse, user.sso.expires)
         ]
       });
     } catch (error) {
       console.error("Error during sign-in callback:", error);
       try {
-        const cookie = this.getCookie("state", request, true);
-        const { errorPage } = cookie ?? {};
-        if (errorPage) {
-          return new Response("Redirecting to error page", {
+        const cookie = getCookie("state", request, true);
+        const { errorUrl } = cookie ?? {};
+        if (errorUrl) {
+          return new Response("Redirecting to error url", {
             status: 302,
-            headers: [["Location", errorPage]]
+            headers: [["Location", errorUrl]]
           });
         }
       } catch (_err) {
-        console.warn("Error parsing the errorPage from the OIDC cookie");
+        console.warn("Error parsing the errorUrl from the OIDC cookie");
       }
       console.warn("No error page was found in the cookies. The user will be shown a default error page.");
       return new Response("An error occurred during authentication, please return to the application homepage and try again.", {
@@ -145,10 +141,10 @@ class SSOManager {
       });
     }
   }
-  async parseUser(token) {
-    if (!this.config)
+  async function parseUser(token) {
+    if (!configWithDefaults)
       throw new Error("SSO Manager not initialized");
-    const idToken = await this.parseJwt(token.id_token);
+    const idToken = await parseJwt(token.id_token);
     const expiresIn = Number(token.refresh_expires_in ?? token.expires_in ?? 3600);
     const expires = token.expires ? new Date(token.expires) : new Date(Date.now() + expiresIn * 1000);
     return {
@@ -165,12 +161,12 @@ class SSOManager {
       sso: {
         profile: {
           ...idToken,
-          iss: idToken.iss || this.config.authority,
-          aud: idToken.aud || this.config.client_id
+          iss: idToken.iss || configWithDefaults.authority,
+          aud: idToken.aud || configWithDefaults.client_id
         },
         tenant: {
-          id: idToken.idp || idToken.iss || this.config.authority,
-          name: idToken.iss || this.config.authority
+          id: idToken.idp || idToken.iss || configWithDefaults.authority,
+          name: idToken.iss || configWithDefaults.authority
         },
         scope: token.scope,
         tokenType: token.token_type,
@@ -179,15 +175,15 @@ class SSOManager {
       }
     };
   }
-  async exchangeCodeForToken(code, codeVerifier) {
-    if (!this.config)
+  async function exchangeCodeForToken(code, codeVerifier) {
+    if (!configWithDefaults)
       throw new Error("SSO Manager not initialized");
-    const tokenUrl = this.config.token_url;
+    const tokenUrl = configWithDefaults.token_url;
     const body = new URLSearchParams;
     body.append("grant_type", "authorization_code");
     body.append("code", code);
-    body.append("redirect_uri", this.config.redirect_uri);
-    body.append("client_id", this.config.client_id);
+    body.append("redirect_uri", configWithDefaults.redirect_uri);
+    body.append("client_id", configWithDefaults.client_id);
     body.append("code_verifier", codeVerifier);
     try {
       const response = await fetch(tokenUrl, {
@@ -209,15 +205,15 @@ class SSOManager {
       throw new Error("Error during token exchange");
     }
   }
-  async refreshToken(refreshToken) {
-    return this.retryWithBackoff(async () => {
-      if (!this.config)
+  async function refreshToken(refreshToken2) {
+    return retryWithBackoff(async () => {
+      if (!configWithDefaults)
         throw new Error("SSO Manager not initialized");
-      const tokenUrl = this.config.token_url;
+      const tokenUrl = configWithDefaults.token_url;
       const body = new URLSearchParams;
       body.append("grant_type", "refresh_token");
-      body.append("refresh_token", refreshToken);
-      body.append("client_id", this.config.client_id);
+      body.append("refresh_token", refreshToken2);
+      body.append("client_id", configWithDefaults.client_id);
       const response = await fetch(tokenUrl, {
         method: "POST",
         headers: {
@@ -234,12 +230,13 @@ class SSOManager {
       return data;
     });
   }
-  async fetchJwks() {
-    const url = this.config.jwks_uri || `${this.config.authority}/protocol/openid-connect/certs`;
-    if (jwksCache.has(url))
-      return jwksCache.get(url);
-    return this.retryWithBackoff(async () => {
-      if (!this.config)
+  async function fetchJwks() {
+    const url = configWithDefaults.jwks_uri || `${configWithDefaults.authority}/protocol/openid-connect/certs`;
+    const cached = jwksCache.get(url);
+    if (cached)
+      return cached;
+    return retryWithBackoff(async () => {
+      if (!configWithDefaults)
         throw new Error("SSO Manager not initialized");
       const response = await fetch(url);
       if (!response.ok)
@@ -249,7 +246,7 @@ class SSOManager {
       return jwks;
     });
   }
-  async retryWithBackoff(operation, maxRetries = 3, baseDelay = 1000, maxDelay = 30000) {
+  async function retryWithBackoff(operation, maxRetries = 3, baseDelay = 1000, maxDelay = 30000) {
     let lastError = new Error("Placeholder Error");
     for (let attempt = 0;attempt <= maxRetries; attempt++) {
       try {
@@ -270,7 +267,7 @@ class SSOManager {
     }
     throw lastError;
   }
-  async parseJwt(token) {
+  async function parseJwt(token) {
     try {
       const parts = token.split(".");
       if (parts.length !== 3)
@@ -278,7 +275,7 @@ class SSOManager {
       const header = JSON.parse(atob(parts[0].replace(/-/g, "+").replace(/_/g, "/")));
       const payload = JSON.parse(atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")));
       const signature = parts[2].replace(/-/g, "+").replace(/_/g, "/");
-      const publicKey = await this.getPublicKey(header.kid);
+      const publicKey = await getPublicKey(header.kid);
       const encoder = new TextEncoder;
       const data = encoder.encode(`${parts[0]}.${parts[1]}`);
       const isValid = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", publicKey, Uint8Array.from(atob(signature), (c) => c.charCodeAt(0)), data);
@@ -290,12 +287,12 @@ class SSOManager {
       throw e;
     }
   }
-  generateRandomString(length = 32) {
+  function generateRandomString(length = 32) {
     const array = new Uint8Array(length);
     crypto.getRandomValues(array);
     return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("").substring(0, length);
   }
-  async pkceChallengeFromVerifier(verifier) {
+  async function pkceChallengeFromVerifier(verifier) {
     const encoder = new TextEncoder;
     const data = encoder.encode(verifier);
     const hashBuffer = await crypto.subtle.digest("SHA-256", data);
@@ -303,8 +300,8 @@ class SSOManager {
     const hashBase64 = btoa(String.fromCharCode(...hashArray)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
     return hashBase64;
   }
-  async getPublicKey(kid) {
-    const jwks = await this.fetchJwks();
+  async function getPublicKey(kid) {
+    const jwks = await fetchJwks();
     const key = jwks.keys.find((k) => k.kid === kid);
     if (!key)
       throw new Error("Public key not found");
@@ -315,7 +312,7 @@ class SSOManager {
     }, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, false, ["verify"]);
     return publicKey;
   }
-  createJwtCookies(token, expires) {
+  function createJwtCookies(token, expires) {
     const control = {
       expires_in: token.expires_in,
       refresh_expires_in: token.refresh_expires_in,
@@ -325,17 +322,17 @@ class SSOManager {
       expires: expires.toISOString()
     };
     return [
-      ["Set-Cookie", this.createCookie("access", token.access_token, expires)],
-      ["Set-Cookie", this.createCookie("id", token.id_token, expires)],
-      ["Set-Cookie", this.createCookie("refresh", token.refresh_token ?? "", expires)],
-      ["Set-Cookie", this.createCookie("control", control, expires)]
+      ["Set-Cookie", createCookie("access", token.access_token, expires)],
+      ["Set-Cookie", createCookie("id", token.id_token, expires)],
+      ["Set-Cookie", createCookie("refresh", token.refresh_token ?? "", expires)],
+      ["Set-Cookie", createCookie("control", control, expires)]
     ];
   }
-  async getJwt(req) {
-    const access_token = this.getCookie("access", req);
-    const id_token = this.getCookie("id", req);
-    const refresh_token = this.getCookie("refresh", req);
-    const control = this.getCookie("control", req, true);
+  async function getTokenFromCookies(req) {
+    const access_token = getCookie("access", req);
+    const id_token = getCookie("id", req);
+    const refresh_token = getCookie("refresh", req);
+    const control = getCookie("control", req, true);
     if (!access_token || !id_token || !refresh_token || !control) {
       return;
     }
@@ -346,12 +343,18 @@ class SSOManager {
       ...control
     };
     if (control.expires && refresh_token && Date.now() > new Date(control.expires).getTime()) {
-      tokenResponse = await this.refreshToken(refresh_token);
+      tokenResponse = await refreshToken(refresh_token);
     }
     return tokenResponse;
   }
-  createCookie(name, value, expires) {
-    name = `${this.config.cookiePrefix}.${name}`;
+  async function getJwt(request) {
+    const tokenResponse = await getTokenFromCookies(request);
+    if (!tokenResponse)
+      return;
+    return tokenResponse.access_token;
+  }
+  function createCookie(name, value, expires) {
+    name = `${configWithDefaults.cookiePrefix}.${name}`;
     if (typeof value !== "string") {
       value = btoa(JSON.stringify(value));
     }
@@ -366,16 +369,16 @@ class SSOManager {
     if (value.length > 4000) {
       throw new Error(`Error setting cookie: ${name}. Cookie length is: ${value.length}`);
     }
-    return `${name}=${value}; ${exp}; Path=${this.config.cookiePath}; HttpOnly;${this.config.secure ? " Secure;" : ""} SameSite=${this.config.sameSite};`;
+    return `${name}=${value}; ${exp}; Path=${configWithDefaults.cookiePath}; HttpOnly;${configWithDefaults.secure ? " Secure;" : ""} SameSite=${configWithDefaults.sameSite};`;
   }
-  clearCookie(name) {
-    return `${this.config.cookiePrefix}.${name}=; Max-Age=0; Path=${this.config.cookiePath}; HttpOnly;${this.config.secure ? " Secure;" : ""} SameSite=${this.config.sameSite};`;
+  function clearCookie(name) {
+    return `${configWithDefaults.cookiePrefix}.${name}=; Max-Age=0; Path=${configWithDefaults.cookiePath}; HttpOnly;${configWithDefaults.secure ? " Secure;" : ""} SameSite=${configWithDefaults.sameSite};`;
   }
-  getCookie(name, req, parse = false) {
+  function getCookie(name, req, parse = false) {
     const header = req.headers.get("cookie");
     if (!header)
       return null;
-    const cookie = header.split(";").find((row) => row.trim().startsWith(`${this.config.cookiePrefix}.${name}=`));
+    const cookie = header.split(";").find((row) => row.trim().startsWith(`${configWithDefaults.cookiePrefix}.${name}=`));
     if (!cookie)
       return null;
     const val = cookie.split("=")[1].trim();
@@ -384,17 +387,73 @@ class SSOManager {
     const str = atob(val);
     return JSON.parse(str);
   }
+  async function handler(request, handlerConfig) {
+    let { loginUrl, userUrl, errorUrl, landingUrl, tokenUrl, refreshUrl } = handlerConfig ?? {};
+    if (!loginUrl)
+      loginUrl = "*";
+    const path = new URL(request.url).pathname;
+    if (new URL(config.redirect_uri).pathname === path) {
+      return callbackHandler(request);
+    }
+    if (userUrl === path) {
+      const user = await getUser(request);
+      if (!user) {
+        return new Response("User not logged in", { status: 401 });
+      }
+      return new Response(JSON.stringify(user), {
+        headers: [["Content-Type", "application/json"]]
+      });
+    }
+    if (tokenUrl === path) {
+      const tokenResponse = await getTokenFromCookies(request);
+      if (!tokenResponse) {
+        return new Response("User not logged in", { status: 401 });
+      }
+      return new Response(JSON.stringify({
+        token: tokenResponse.access_token,
+        expires: tokenResponse.expires
+      }), {
+        headers: [["Content-Type", "application/json"]]
+      });
+    }
+    if (refreshUrl === path) {
+      const tokenResponse = await getTokenFromCookies(request);
+      if (!tokenResponse) {
+        return new Response("User not logged in", { status: 401 });
+      }
+      return new Response("Refresh Complete", { status: 200 });
+    }
+    if (loginUrl === "*" || loginUrl === path) {
+      return initiateLogin({
+        landingUrl: landingUrl || "/",
+        errorUrl
+      });
+    }
+    return new Response("Not Found", { status: 404 });
+  }
+  return {
+    getUser,
+    getRequiredUser,
+    getJwt,
+    initiateLogin,
+    callbackHandler,
+    handler
+  };
 }
 
 // src/vault.ts
-async function vault(url, token) {
+function vault(url, token) {
   async function getFullSecret(path) {
     const resp = await fetch(`${url}/${path}`, { headers: { "X-Vault-Token": token } });
     if (resp.status !== 200) {
       throw new Error(`Vault returned invalid status, ${resp.status}: '${resp.statusText}' from URL: ${url}`);
     }
-    const secret = await resp.json();
-    return secret.data;
+    try {
+      const secret = await resp.json();
+      return secret.data;
+    } catch (cause) {
+      throw new Error("Error retrieving secret", { cause });
+    }
   }
   return {
     url,
@@ -508,8 +567,8 @@ function oidcCallbackSchema(vendor) {
   };
 }
 // src/server.ts
-function getSSO(es) {
-  es = getES(es);
+function getSSO(config) {
+  const es = getES(config?.es);
   if (!es.sso) {
     console.error("TODO tell them how to connect SSO");
     return;
@@ -523,36 +582,42 @@ function unavailable() {
     headers: { "Content-Type": "application/json" }
   });
 }
-async function getUser(request, es) {
-  return getSSO(es)?.getUser(request);
+async function getUser(request, config) {
+  return getSSO(config)?.getUser(request);
+}
+async function getRequiredUser(request, config) {
+  const sso2 = getSSO(config);
+  if (!sso2)
+    throw unavailable();
+  return sso2.getRequiredUser(request);
 }
-async function getRequiredUser(request, es) {
-  const sso = getSSO(es);
-  if (!sso)
+async function initiateLogin(config) {
+  const sso2 = getSSO(config);
+  if (!sso2)
     throw unavailable();
-  return sso.getRequiredUser(request);
+  return sso2.initiateLogin(config);
 }
-async function initiateLogin(landingPage, errorPage, es) {
-  const sso = getSSO(es);
-  if (!sso)
+async function callback(request, config) {
+  const sso2 = getSSO(config);
+  if (!sso2)
     throw unavailable();
-  return sso.initiateLogin(landingPage, errorPage);
+  return sso2.callbackHandler(request);
 }
-async function callback(request, es) {
-  const sso = getSSO(es);
-  if (!sso)
+async function handler(request, config) {
+  const sso2 = getSSO(config);
+  if (!sso2)
     throw unavailable();
-  return sso.callbackHandler(request);
+  return sso2.handler(request, config);
 }
 // src/ui/sign-in-loading.tsx
 import { jsxDEV, Fragment } from "react/jsx-dev-runtime";
-function SignInLoading({ children }) {
+function SignInLoading({ complete = false, children }) {
   const { isLoading } = useUser();
-  if (isLoading)
+  if (isLoading && !complete)
     return /* @__PURE__ */ jsxDEV(Fragment, {
       children
     }, undefined, false, undefined, this);
-  return /* @__PURE__ */ jsxDEV(Fragment, {}, undefined, false, undefined, this);
+  return null;
 }
 // src/ui/signed-in.tsx
 import { jsxDEV as jsxDEV2, Fragment as Fragment2 } from "react/jsx-dev-runtime";
@@ -562,14 +627,14 @@ function SignedIn({ children }) {
     return /* @__PURE__ */ jsxDEV2(Fragment2, {
       children
     }, undefined, false, undefined, this);
-  return /* @__PURE__ */ jsxDEV2(Fragment2, {}, undefined, false, undefined, this);
+  return null;
 }
 // src/ui/signed-out.tsx
 import { jsxDEV as jsxDEV3, Fragment as Fragment3 } from "react/jsx-dev-runtime";
 function SignedOut({ children }) {
   const { user } = useUser();
   if (user)
-    return /* @__PURE__ */ jsxDEV3(Fragment3, {}, undefined, false, undefined, this);
+    return null;
   return /* @__PURE__ */ jsxDEV3(Fragment3, {
     children
   }, undefined, false, undefined, this);
@@ -577,7 +642,7 @@ function SignedOut({ children }) {
 // src/ui/sso-provider.tsx
 import { createContext, useCallback, useContext, useEffect, useState } from "react";
 import { jsxDEV as jsxDEV4 } from "react/jsx-dev-runtime";
-var SSOContext = createContext(undefined);
+var CTX = createContext(undefined);
 var generateStorageKey = (tenantId) => {
   return `es-sso-user-${tenantId.replace(/[^a-zA-Z0-9]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "")}`;
 };
@@ -586,6 +651,8 @@ function SSOProvider({
   storage = "memory",
   storageKey,
   userUrl,
+  tokenUrl,
+  refreshUrl,
   disableListener = false,
   children
 }) {
@@ -598,7 +665,7 @@ function SSOProvider({
     return user2.sso?.tenant?.id === tenantId;
   }, [tenantId]);
   const loadUserFromStorage = useCallback(() => {
-    if (storage === "memory")
+    if (storage === "memory" || typeof window === "undefined")
       return null;
     try {
       const storageObject = storage === "local" ? localStorage : sessionStorage;
@@ -616,7 +683,7 @@ function SSOProvider({
     }
   }, [storage, actualStorageKey, isValidUser]);
   const saveUserToStorage = useCallback((user2) => {
-    if (storage === "memory")
+    if (storage === "memory" || typeof window === "undefined")
       return;
     try {
       const storageObject = storage === "local" ? localStorage : sessionStorage;
@@ -641,6 +708,12 @@ function SSOProvider({
     setIsLoading(true);
     try {
       const response = await fetch(userUrl);
+      if (response.status === 401) {
+        setUserState(null);
+        saveUserToStorage(null);
+        setIsLoading(false);
+        return;
+      }
       if (!response.ok) {
         throw new Error(`Failed to fetch user: ${response.status} ${response.statusText}`);
       }
@@ -662,20 +735,17 @@ function SSOProvider({
     const storedUser = loadUserFromStorage();
     if (storedUser) {
       setUserState(storedUser);
-      setIsLoading(false);
-    } else if (userUrl) {
+    }
+    if (userUrl) {
       fetchUserFromUrl();
     } else {
       setIsLoading(false);
     }
   }, [loadUserFromStorage, userUrl, fetchUserFromUrl]);
   useEffect(() => {
-    console.log(disableListener, storage, actualStorageKey);
     if (disableListener || storage === "memory")
       return;
-    console.log("set up listener");
     const handleStorageChange = (event) => {
-      console.log("lsitened", actualStorageKey);
       if (event.key !== actualStorageKey)
         return;
       if (event.newValue === null) {
@@ -702,20 +772,99 @@ function SSOProvider({
   const contextValue = {
     user,
     setUser,
-    isLoading
+    isLoading,
+    tokenUrl,
+    refreshUrl
   };
-  return /* @__PURE__ */ jsxDEV4(SSOContext.Provider, {
+  return /* @__PURE__ */ jsxDEV4(CTX.Provider, {
     value: contextValue,
     children
   }, undefined, false, undefined, this);
 }
 function useUser() {
-  const context = useContext(SSOContext);
+  const context = useContext(CTX);
   if (context === undefined) {
     throw new Error("useUser must be used within a SSOProvider");
   }
   return context;
 }
+function useToken() {
+  const context = useContext(CTX);
+  if (context === undefined) {
+    throw new Error("useToken must be used within a SSOProvider");
+  }
+  const { tokenUrl, refreshUrl } = context;
+  if (!tokenUrl || !refreshUrl) {
+    throw new Error('useToken requires that a "tokenUrl" and "refreshUrl" be set in the SSOProvider');
+  }
+  const [token, setToken] = useState(null);
+  const [expires, setExpires] = useState(null);
+  const [isLoading, setIsLoading] = useState(!!tokenUrl);
+  const [error, setError] = useState(null);
+  const fetchJwt = useCallback(async (url) => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const response = await fetch(url);
+      if (response.status === 401) {
+        context.setUser(null);
+        setToken(null);
+        setExpires(null);
+        setIsLoading(false);
+        return;
+      }
+      if (!response.ok) {
+        throw new Error(`Failed to fetch JWT: ${response.status} ${response.statusText}`);
+      }
+      const data = await response.json();
+      setToken(data.token);
+      setExpires(new Date(data.expires));
+    } catch (err) {
+      const error2 = err instanceof Error ? err : new Error(String(err));
+      setError(error2);
+      setToken(null);
+      setExpires(null);
+      console.error("Error fetching JWT:", error2);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [context]);
+  const refresh = useCallback(async () => {
+    const url = refreshUrl || tokenUrl;
+    if (!url) {
+      console.warn("No tokenUrl or refreshUrl provided");
+      return;
+    }
+    await fetchJwt(url);
+  }, [refreshUrl, tokenUrl, fetchJwt]);
+  useEffect(() => {
+    if (!tokenUrl) {
+      setIsLoading(false);
+      return;
+    }
+    fetchJwt(tokenUrl);
+  }, [tokenUrl, fetchJwt]);
+  useEffect(() => {
+    if (!expires || !refreshUrl)
+      return;
+    const checkExpiration = () => {
+      const now = new Date;
+      const timeUntilExpiry = expires.getTime() - now.getTime();
+      if (timeUntilExpiry <= 60000 && timeUntilExpiry > 0) {
+        refresh();
+      }
+    };
+    checkExpiration();
+    const interval = setInterval(checkExpiration, 30000);
+    return () => clearInterval(interval);
+  }, [expires, refreshUrl, refresh]);
+  return {
+    token,
+    isLoading,
+    error,
+    refresh
+  };
+}
 
 // src/index.ts
 async function enterpriseStandard(appId, appKey, initConfig) {
@@ -724,9 +873,9 @@ async function enterpriseStandard(appId, appKey, initConfig) {
   let paths;
   const ioniteUrl = initConfig?.ioniteUrl ?? "https://ionite.com";
   if (appId === "IONITE_PUBLIC_DEMO") {
-    vaultUrl = "https://vault.ionite.dev/v1/secret/data";
-    vaultToken = "hvs.qIM9R0hmdnVCQmdvWdDGPSZ4";
-    paths = { sso: "ionite/DEV01K2JRP1DWXFCZN9FRDT37J1Y0" };
+    vaultUrl = "https://vault-ionite.ionite.dev/v1/secret/data";
+    vaultToken = "hvs.NuiBSLuFk5Ju4JDOUwTOlSlP";
+    paths = { sso: "ionite/IONITE_PUBLIC_DEMO" };
   } else if (appKey) {
     if (!vaultUrl || !vaultToken) {
       throw new Error("TODO something is wrong with the ionite config, handle this error");
@@ -742,7 +891,7 @@ async function enterpriseStandard(appId, appKey, initConfig) {
     ioniteUrl,
     defaultInstance: initConfig?.defaultInstance || initConfig?.defaultInstance !== false && !defaultInstance2,
     vault: vaultClient,
-    sso: paths.sso ? new SSOManager(await vaultClient.getSecret(paths.sso)) : undefined,
+    sso: paths.sso ? sso(await vaultClient.getSecret(paths.sso)) : undefined,
     iam: paths.iam ? await iam(await vaultClient.getSecret(paths.iam)) : undefined
   };
   if (result.defaultInstance) {
@@ -755,8 +904,10 @@ async function enterpriseStandard(appId, appKey, initConfig) {
 }
 export {
   useUser,
+  useToken,
   oidcCallbackSchema,
   initiateLogin,
+  handler,
   getUser,
   getRequiredUser,
   enterpriseStandard,

package/dist/server.d.ts

@@ -1,5 +1,6 @@
-import type { EnterpriseStandard } from '.';
-export declare function getUser(request: Request, es?: EnterpriseStandard): Promise<import("./enterprise-user").EnterpriseUser | undefined>;
-export declare function getRequiredUser(request: Request, es?: EnterpriseStandard): Promise<import("./enterprise-user").EnterpriseUser>;
-export declare function initiateLogin(landingPage: string, errorPage?: string, es?: EnterpriseStandard): Promise<Response>;
-export declare function callback(request: Request, es?: EnterpriseStandard): Promise<Response>;
+import type { ESConfig, LoginConfig, SSOHandlerConfig } from './sso';
+export declare function getUser(request: Request, config?: ESConfig): Promise<import("./enterprise-user").EnterpriseUser | undefined>;
+export declare function getRequiredUser(request: Request, config?: ESConfig): Promise<import("./enterprise-user").EnterpriseUser>;
+export declare function initiateLogin(config: LoginConfig): Promise<Response>;
+export declare function callback(request: Request, config?: ESConfig): Promise<Response>;
+export declare function handler(request: Request, config?: SSOHandlerConfig): Promise<Response>;

package/dist/sso.d.ts

@@ -1,4 +1,4 @@
-import type { EnterpriseUser } from '.';
+import type { EnterpriseStandard, EnterpriseUser } from '.';
 export type SSOConfig = {
     authority: string;
     token_url: string;
@@ -15,32 +15,27 @@ export type SSOConfig = {
     sameSite?: 'Strict' | 'Lax';
     secure?: boolean;
 };
-type SSOConfigWithDefaults = SSOConfig & {
-    secure: boolean;
-    sameSite: string;
-    cookiePrefix: string;
-    cookiePath: string;
+export type ESConfig = {
+    es?: EnterpriseStandard;
 };
-export declare class SSOManager {
-    config: SSOConfigWithDefaults;
-    constructor(config: SSOConfig);
-    getUser(request: Request): Promise<EnterpriseUser | undefined>;
-    getRequiredUser(request: Request): Promise<EnterpriseUser>;
-    initiateLogin(landingPage: string, errorPage?: string): Promise<Response>;
-    callbackHandler(request: Request): Promise<Response>;
-    private parseUser;
-    private exchangeCodeForToken;
-    private refreshToken;
-    private fetchJwks;
-    private retryWithBackoff;
-    private parseJwt;
-    private generateRandomString;
-    private pkceChallengeFromVerifier;
-    private getPublicKey;
-    private createJwtCookies;
-    private getJwt;
-    private createCookie;
-    private clearCookie;
-    private getCookie;
-}
-export {};
+export type LoginConfig = {
+    landingUrl: string;
+    errorUrl?: string;
+} & ESConfig;
+export type SSOHandlerConfig = {
+    loginUrl?: string;
+    userUrl?: string;
+    errorUrl?: string;
+    landingUrl?: string;
+    tokenUrl?: string;
+    refreshUrl?: string;
+} & ESConfig;
+export type SSO = {
+    getUser: (request: Request) => Promise<EnterpriseUser | undefined>;
+    getRequiredUser: (request: Request) => Promise<EnterpriseUser>;
+    getJwt: (request: Request) => Promise<string | undefined>;
+    initiateLogin: (config: LoginConfig) => Promise<Response>;
+    callbackHandler: (request: Request) => Promise<Response>;
+    handler: (request: Request, handlerConfig?: SSOHandlerConfig) => Promise<Response>;
+};
+export declare function sso(config: SSOConfig): SSO;

package/dist/ui/sign-in-loading.d.ts

@@ -1,2 +1,4 @@
 import type { PropsWithChildren } from 'react';
-export declare function SignInLoading({ children }: PropsWithChildren): import("react/jsx-runtime").JSX.Element;
+export declare function SignInLoading({ complete, children }: {
+    complete?: boolean;
+} & PropsWithChildren): import("react/jsx-runtime").JSX.Element | null;

package/dist/ui/signed-in.d.ts

@@ -1,2 +1,2 @@
 import type { PropsWithChildren } from 'react';
-export declare function SignedIn({ children }: PropsWithChildren): import("react/jsx-runtime").JSX.Element;
+export declare function SignedIn({ children }: PropsWithChildren): import("react/jsx-runtime").JSX.Element | null;

package/dist/ui/signed-out.d.ts

@@ -1,2 +1,2 @@
 import type { PropsWithChildren } from 'react';
-export declare function SignedOut({ children }: PropsWithChildren): import("react/jsx-runtime").JSX.Element;
+export declare function SignedOut({ children }: PropsWithChildren): import("react/jsx-runtime").JSX.Element | null;

package/dist/ui/sso-provider.d.ts

@@ -6,14 +6,25 @@ interface SSOProviderProps {
     storage?: StorageType;
     storageKey?: string;
     userUrl?: string;
+    tokenUrl?: string;
+    refreshUrl?: string;
     disableListener?: boolean;
     children: ReactNode;
 }
-interface SSOContextValue {
+interface SSOContext {
     user: EnterpriseUser | null;
     setUser: (user: EnterpriseUser | null) => void;
     isLoading: boolean;
+    tokenUrl?: string;
+    refreshUrl?: string;
 }
-export declare function SSOProvider({ tenantId, storage, storageKey, userUrl, disableListener, children, }: SSOProviderProps): import("react/jsx-runtime").JSX.Element;
-export declare function useUser(): SSOContextValue;
+export declare function SSOProvider({ tenantId, storage, storageKey, userUrl, tokenUrl, refreshUrl, disableListener, children, }: SSOProviderProps): import("react/jsx-runtime").JSX.Element;
+export declare function useUser(): SSOContext;
+interface UseTokenReturn {
+    token: string | null;
+    isLoading: boolean;
+    error: Error | null;
+    refresh: () => Promise<void>;
+}
+export declare function useToken(): UseTokenReturn;
 export {};

package/dist/vault.d.ts

@@ -13,5 +13,5 @@ export type Vault = {
     getFullSecret: <T>(path: string) => Promise<Secret<T>>;
     getSecret: <T>(path: string) => Promise<T>;
 };
-export declare function vault(url: string, token: string): Promise<Vault>;
+export declare function vault(url: string, token: string): Vault;
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enterprisestandard/react",
-  "version": "0.0.2",
+  "version": "0.0.3-beta.2",
   "description": "Enterprise Standard React Components",
   "private": false,
   "main": "dist/index.js",