@equinor/fusion-framework-module-msal-node 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,99 @@
+# @equinor/fusion-framework-module-msal-node
+
+## 0.1.0
+
+### Minor Changes
+
+- [#3056](https://github.com/equinor/fusion-framework/pull/3056) [`378bade`](https://github.com/equinor/fusion-framework/commit/378bade86c38e1057afe125fffc0bb06d6927deb) Thanks [@odinr](https://github.com/odinr)! - Easily add secure Azure AD authentication to your Node.js Fusion Framework apps with the new `@equinor/fusion-framework-module-msal-node` package. This module is designed for developers who need to authenticate services, CLI tools, or background jobs against Microsoft Azure using familiar, robust MSAL flows—without the hassle of manual token management or insecure storage.
+
+  **Why use this module?**
+
+  - **Simple integration:** Plug into the Fusion Framework with minimal setup.
+  - **Multiple auth flows:** Choose the right authentication mode for your use case—CI/CD, background jobs, or interactive CLI tools.
+  - **Secure by default:** Tokens are encrypted and stored safely using `@azure/msal-node-extensions`.
+  - **Consistent API:** Acquire tokens the same way across all your Node.js Fusion projects.
+
+  **How to use:**
+
+  1. Install the package in your Fusion Framework Node.js project.
+  2. Enable the module and pick your authentication mode (`token_only`, `silent`, or `interactive`).
+  3. Use the provided API to acquire tokens for Azure resources—no need to handle refresh logic or storage yourself.
+
+  - Supports token_only, silent, and interactive authentication modes
+  - Provides secure, encrypted token storage using `@azure/msal-node-extensions`
+  - Integrates with Fusion Framework for seamless authentication
+  - Includes comprehensive documentation and usage examples
+
+  ## Example Setups
+
+  ### `token_only` Mode
+
+  ```ts
+  import {
+    enableAuthModule,
+    type MsalNodeModule,
+  } from "@equinor/fusion-framework-msal-node";
+  import { ModulesConfigurator } from "@equinor/fusion-framework-module";
+
+  const configurator = new ModulesConfigurator<[MsalNodeModule]>();
+
+  enableAuthModule(configurator, (builder) => {
+    builder.setMode("token_only");
+    builder.setAccessToken("your-access-token"); // Provide your token
+  });
+
+  const instance = await initialize();
+  console.log(
+    await instance.auth.acquireAccessToken({ scopes: ["user.read"] })
+  );
+  ```
+
+  ### `silent` Mode
+
+  ```ts
+  import {
+    enableAuthModule,
+    type MsalNodeModule,
+  } from "@equinor/fusion-framework-msal-node";
+  import { ModulesConfigurator } from "@equinor/fusion-framework-module";
+
+  const configurator = new ModulesConfigurator<[MsalNodeModule]>();
+
+  enableAuthModule(configurator, (builder) => {
+    builder.setMode("silent");
+    builder.setClientId("your-client-id");
+    builder.setTenantId("your-tenant-id");
+  });
+
+  const instance = await initialize();
+  console.log(
+    await instance.auth.acquireAccessToken({ scopes: ["user.read"] })
+  );
+  ```
+
+  ### `interactive` Mode
+
+  ```ts
+  import {
+    enableAuthModule,
+    type MsalNodeModule,
+  } from "@equinor/fusion-framework-msal-node";
+  import { ModulesConfigurator } from "@equinor/fusion-framework-module";
+
+  const configurator = new ModulesConfigurator<[MsalNodeModule]>();
+
+  enableAuthModule(configurator, (builder) => {
+    builder.setMode("interactive");
+    builder.setClientId("your-client-id");
+    builder.setTenantId("your-tenant-id");
+    builder.setServerPort(3000); // Local server port for auth callback
+    builder.setServerOnOpen((url) => {
+      console.log(`Please navigate to: ${url}`);
+    });
+  });
+
+  const instance = await initialize();
+  console.log(await instance.auth.login({ scopes: ["user.read"] }));
+  ```
+
+  See README.md for details.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Equinor
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,125 @@
+# Fusion MSAL Node Module
+
+`@equinor/fusion-framework-msal-node` enables secure authentication for the Fusion Framework in Node.js environments using Microsoft's MSAL (Microsoft Authentication Library) to integrate with Azure Active Directory (Azure AD).
+
+## Features
+
+- **Simple Token Acquisition**: Easy-to-use API for acquiring authentication tokens.
+- **Multiple Auth Flows**: Supports client credentials and other Azure AD authentication flows.
+- **Token Caching**: Built-in caching for improved performance and security.
+- **Fusion Framework Integration**: Seamless authentication across Fusion Framework applications.
+- **Authentication Modes**:
+  - `token_only`: Uses a pre-provided token for authentication (e.g., CI/CD, automation).
+  - `silent`: Acquires tokens silently using cached or refresh tokens (background services, scripts).
+  - `interactive`: Prompts users for authentication via a local HTTP server (CLI tools, development).
+
+## Authentication Modes
+
+The module supports three authentication modes to suit different use cases:
+
+| Mode          | Description                                                                  | Use Case                                   |
+| ------------- | ---------------------------------------------------------------------------- | ------------------------------------------ |
+| `token_only`  | Uses a pre-obtained token, typically from environment variables.             | CI/CD pipelines, automated processes.      |
+| `silent`      | Acquires tokens silently using cached or refresh tokens, without user input. | Background services, pre-seeding commands. |
+| `interactive` | Prompts user login via a browser, using a local HTTP server for callbacks.   | CLI tools, development, manual operations. |
+
+### `token_only`
+Ideal for scenarios where a token is already available (e.g., via CI/CD). No interaction with Azure AD is required.
+
+### `silent`
+Uses cached or refresh tokens to authenticate without user interaction. Perfect for automated or background tasks.
+
+### `interactive`
+Requires user interaction, launching a local HTTP server to handle browser-based authentication. Suitable for CLI or development workflows.
+
+## Secure Token Storage
+
+The module leverages `@azure/msal-node-extensions` for secure, encrypted token storage:
+
+- **Encryption**: Tokens are encrypted at rest using platform-specific mechanisms (e.g., DPAPI on Windows, Keychain on macOS).
+- **Cross-Platform**: Supports Windows, macOS, and Linux.
+- **Persistence**: Tokens are stored securely for reuse across sessions, minimizing re-authentication.
+
+This ensures sensitive token data is protected, reducing the risk of unauthorized access.
+
+## Usage
+
+Below are examples for enabling the module in each authentication mode.
+
+### `token_only` Mode
+
+Use a pre-obtained token for authentication.
+
+```ts
+import { enableAuthModule, type MsalNodeModule } from '@equinor/fusion-framework-msal-node';
+import { ModulesConfigurator } from '@equinor/fusion-framework-module';
+
+const configurator = new ModulesConfigurator<[MsalNodeModule]>();
+
+enableAuthModule(configurator, (builder) => {
+  builder.setMode('token_only');
+  builder.setAccessToken('your-access-token'); // Provide your token
+});
+
+const instance = await initialize();
+console.log(typeof instance.auth); // AuthTokenProvider
+console.log(await instance.auth.acquireAccessToken({ scopes: ['user.read'] }));
+```
+
+### `silent` Mode
+
+Authenticate silently using cached or refresh tokens.
+
+```ts
+import { enableAuthModule, type MsalNodeModule } from '@equinor/fusion-framework-msal-node';
+import { ModulesConfigurator } from '@equinor/fusion-framework-module';
+
+const configurator = new ModulesConfigurator<[MsalNodeModule]>();
+
+enableAuthModule(configurator, (builder) => {
+  builder.setMode('silent');
+  builder.setClientId('your-client-id'); // Azure AD client ID
+  builder.setTenantId('your-tenant-id'); // Azure AD tenant ID
+});
+
+const instance = await initialize();
+console.log(typeof instance.auth); // AuthTokenProvider
+console.log(await instance.auth.acquireAccessToken({ scopes: ['user.read'] }));
+```
+
+### `interactive` Mode
+
+Prompt the user for browser-based authentication.
+
+```ts
+import { enableAuthModule, type MsalNodeModule } from '@equinor/fusion-framework-msal-node';
+import { ModulesConfigurator } from '@equinor/fusion-framework-module';
+
+const configurator = new ModulesConfigurator<[MsalNodeModule]>();
+
+enableAuthModule(configurator, (builder) => {
+  builder.setMode('interactive');
+  builder.setClientId('your-client-id'); // Azure AD client ID
+  builder.setTenantId('your-tenant-id'); // Azure AD tenant ID
+  builder.setServerPort(3000); // Local server port for auth callback
+  builder.setServerOnOpen((url) => {
+    console.log(`Please navigate to: ${url}`);
+  });
+});
+
+const instance = await initialize();
+console.log(typeof instance.auth); // AuthProviderInteractive
+console.log(await instance.auth.login({ scopes: ['user.read'] }));
+```
+
+## Configuration
+
+- **Client ID and Tenant ID**: Obtain these from your Azure AD application registration.
+- **Scopes**: Specify required permissions (e.g., `['user.read']`) when acquiring tokens.
+- **Server Port**: For `interactive` mode, ensure the port is available and not blocked by firewalls.
+
+## Troubleshooting
+
+- **Token Issues**: Verify your token, client ID, or tenant ID are correct.
+- **Interactive Mode Fails**: Check if the specified port is free and accessible.
+- **Silent Mode Fails**: Ensure cached tokens or refresh tokens are valid.

package/dist/esm/AuthConfigurator.interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=AuthConfigurator.interface.js.map

package/dist/esm/AuthConfigurator.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthConfigurator.interface.js","sourceRoot":"","sources":["../../src/AuthConfigurator.interface.ts"],"names":[],"mappings":""}

package/dist/esm/AuthConfigurator.js

@@ -0,0 +1,112 @@
+import { PublicClientApplication } from '@azure/msal-node';
+import { BaseConfigBuilder, } from '@equinor/fusion-framework-module';
+import { createAuthClient } from './create-auth-client';
+/**
+ * Internal builder for MSAL Node authentication configuration.
+ *
+ * This class provides the implementation for the fluent API exposed via the public interface.
+ * Most consumer-facing documentation is in the interface; see {@link IAuthConfigurator} for usage details.
+ *
+ * @see IAuthConfigurator
+ * @extends BaseConfigBuilder
+ *
+ * Maintainers: Extend or refactor this class to support new authentication modes or configuration options.
+ * Ensure changes are reflected in the interface and validated in `_processConfig`.
+ */
+export class AuthConfigurator extends BaseConfigBuilder {
+    constructor() {
+        super();
+        this.setMode('interactive');
+    }
+    setMode(mode) {
+        this._set('mode', mode);
+    }
+    setClient(client) {
+        this._set('client', client);
+    }
+    setClientConfig(tenantId, clientId) {
+        this._set('client', () => createAuthClient(tenantId, clientId));
+    }
+    setServerPort(port) {
+        this._set('server.port', port);
+    }
+    setServerOnOpen(onOpen) {
+        this._set('server.onOpen', onOpen);
+    }
+    setAccessToken(token) {
+        this._set('accessToken', token);
+    }
+    /**
+     * Prepares and finalizes the authentication configuration before validation and use.
+     *
+     * This method injects the parent authentication provider reference (if available)
+     * into the configuration. It is called before `_processConfig` and allows for
+     * dynamic or contextual configuration adjustments based on the current module instance.
+     *
+     * Future maintainers: If additional contextual setup is needed (e.g., injecting
+     * dependencies, environment-specific values, or chaining providers), extend this method.
+     *
+     * @inheritdoc
+     * @param init - Initialization arguments, including module references.
+     * @param initial - Optional initial configuration values.
+     * @returns The prepared configuration object, ready for validation.
+     */
+    _buildConfig(init, initial) {
+        // Inject the parent auth provider from the current module instance, if present
+        this._set('parent', init.ref?.auth);
+        // Call the base builder to finalize the config
+        return super._buildConfig(init, initial);
+    }
+    /**
+     * Validates and processes the authentication configuration before use.
+     *
+     * This method ensures that all required properties are present and correctly typed
+     * for the selected authentication mode. Throws descriptive errors if configuration
+     * is incomplete or invalid, helping catch misconfigurations early.
+     *
+     * Future maintainers: Update this logic if new authentication modes or required
+     * properties are introduced. Keep error messages clear to aid debugging.
+     *
+     * @inheritdoc
+     * @param config - The authentication configuration object to validate.
+     * @returns The validated configuration object.
+     * @throws Error if required properties are missing or invalid for the selected mode.
+     */
+    async _processConfig(config) {
+        switch (config.mode) {
+            case 'interactive': {
+                // Interactive mode requires a valid MSAL client instance
+                if (config.client instanceof PublicClientApplication === false) {
+                    throw new Error('Client is required when mode is interactive');
+                }
+                // Server configuration must be present
+                if (!config.server) {
+                    throw new Error('Server is required when mode is interactive');
+                }
+                // Server port must be a number
+                if (typeof config.server.port !== 'number') {
+                    throw new Error('Server port must be a number when mode is interactive');
+                }
+                break;
+            }
+            case 'silent': {
+                // Silent mode requires a valid MSAL client instance
+                if (config.client instanceof PublicClientApplication === false) {
+                    throw new Error('Client is required when mode is silent');
+                }
+                break;
+            }
+            case 'token_only': {
+                // Token only mode requires a string access token
+                if (typeof config.accessToken !== 'string') {
+                    throw new Error('Access token is required when mode is token_only');
+                }
+                break;
+            }
+            // If new modes are added, ensure validation is implemented here
+        }
+        // Return the validated config for use by the module
+        return config;
+    }
+}
+//# sourceMappingURL=AuthConfigurator.js.map

package/dist/esm/AuthConfigurator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthConfigurator.js","sourceRoot":"","sources":["../../src/AuthConfigurator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EACL,iBAAiB,GAGlB,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAKxD;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,gBAAiB,SAAQ,iBAA6B;IACjE;QACE,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,IAAwB;QAC9B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,SAAS,CAAC,MAA4B;QACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,eAAe,CAAC,QAAgB,EAAE,QAAgB;QAChD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACjC,CAAC;IAED,eAAe,CAAC,MAA2C;QACzD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACO,YAAY,CACpB,IAA+B,EAC/B,OAAyC;QAEzC,+EAA+E;QAC/E,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAG,IAAI,CAAC,GAAyC,EAAE,IAAI,CAAC,CAAC;QAC3E,+CAA+C;QAC/C,OAAO,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,cAAc,CAAC,MAAkB;QACrC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;YACpB,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,yDAAyD;gBACzD,IAAI,MAAM,CAAC,MAAM,YAAY,uBAAuB,KAAK,KAAK,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,uCAAuC;gBACvC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;oBACnB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;gBACjE,CAAC;gBACD,+BAA+B;gBAC/B,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC3C,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;gBAC3E,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,oDAAoD;gBACpD,IAAI,MAAM,CAAC,MAAM,YAAY,uBAAuB,KAAK,KAAK,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBAC5D,CAAC;gBACD,MAAM;YACR,CAAC;YACD,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,iDAAiD;gBACjD,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;oBAC3C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBACtE,CAAC;gBACD,MAAM;YACR,CAAC;YACD,gEAAgE;QAClE,CAAC;QACD,oDAAoD;QACpD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/esm/AuthProvider.interface.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=AuthProvider.interface.js.map

package/dist/esm/AuthProvider.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProvider.interface.js","sourceRoot":"","sources":["../../src/AuthProvider.interface.ts"],"names":[],"mappings":""}

package/dist/esm/AuthProvider.js

@@ -0,0 +1,109 @@
+import { AuthServerError, NoAccountsError, SilentTokenAcquisitionError } from './error.js';
+/**
+ * Implementation of the authentication provider for the Fusion MSAL Node module.
+ *
+ * Implements {@link IAuthProvider} and provides methods for managing authentication
+ * and token acquisition using the MSAL (Microsoft Authentication Library) for Node.js.
+ *
+ * This implementation assumes the user is already logged in and does not support
+ * triggering interactive login or logout flows. The `login` method will always throw, and `logout`
+ * only clears the token cache.
+ *
+ * @see AuthProviderInteractive For interactive login/logout support (user-driven authentication flows).
+ * @see AuthProviderTokenOnly For scenarios where a pre-obtained token is used (automation, CI/CD, etc).
+ *
+ * Developers extending this class can add support for additional authentication flows or modify token
+ * acquisition logic. Ensure that any changes remain consistent with the interface contract.
+ */
+export class AuthProvider {
+    _client;
+    constructor(_client) {
+        this._client = _client;
+    }
+    /**
+     * Retrieves the first account from the list of all accounts available in the MSAL client.
+     *
+     * @returns A promise that resolves to the first `AccountInfo` object if available, or `null` if no accounts exist.
+     */
+    async getAccount() {
+        const accounts = await this._client.getAllAccounts();
+        return accounts[0] ?? null;
+    }
+    /**
+     * Acquires an access token for the specified scopes.
+     *
+     * @param options - An object containing the options for acquiring the token.
+     * @param options.scopes - An array of strings representing the scopes for which the access token is requested.
+     * @returns A promise that resolves to the acquired access token as a string.
+     * @throws An error if the token acquisition process fails.
+     */
+    async acquireAccessToken(options) {
+        const { accessToken } = await this.acquireToken(options);
+        return accessToken;
+    }
+    /**
+     * Initiates the login process with the specified options.
+     *
+     * @param _options - An object containing the scopes required for authentication.
+     * @returns A promise that resolves to an `AuthenticationResult` upon successful login.
+     * @throws `AuthServerError` - Always throws this error as login is not supported in this implementation.
+     *
+     * @remarks
+     * This method is not supported and is intended to be overridden by `AuthProviderInteractive`.
+     */
+    async login(_options) {
+        throw new AuthServerError('Login not supported, use AuthProviderInteractive instead');
+    }
+    /**
+     * Logs out the user by clearing the token cache and removing all accounts.
+     *
+     * This method retrieves all accounts from the token cache and removes them
+     * individually. Afterward, it clears the entire cache to ensure no residual
+     * authentication data remains.
+     *
+     * @returns A promise that resolves when the logout process is complete.
+     */
+    async logout() {
+        const cache = this._client.getTokenCache();
+        const accounts = await cache.getAllAccounts();
+        for (const account of accounts) {
+            await cache.removeAccount(account);
+        }
+        this._client.clearCache();
+    }
+    /**
+     * Acquires an authentication token for the specified scopes.
+     *
+     * This method first attempts to acquire a token silently using the accounts
+     * available in the token cache. If no accounts are found and interactive login
+     * is allowed, it initiates an interactive login flow. If interactive login is
+     * not allowed and no accounts are found, an error is thrown.
+     *
+     * @param scopes - An array of strings representing the scopes for which the token is requested.
+     * @param options - Optional parameters for token acquisition.
+     * @param options.interactive - A boolean indicating whether interactive login is allowed
+     *                               if no accounts are found in the cache. Defaults to `false`.
+     * @returns A promise that resolves to an `AuthenticationResult` containing the acquired token.
+     * @throws {@link NoAccountsError} If no accounts are found in the cache and interactive login is not allowed.
+     * @throws {@link SilentTokenAcquisitionError} If an error occurs during silent token acquisition.
+     */
+    async acquireToken(options) {
+        const account = await this.getAccount();
+        if (!account) {
+            throw new NoAccountsError('No accounts found in cache');
+        }
+        try {
+            const tokenResponse = await this._client.acquireTokenSilent({
+                scopes: options.scopes,
+                account,
+            });
+            return tokenResponse;
+        }
+        catch (error) {
+            throw new SilentTokenAcquisitionError('Error acquiring token', {
+                cause: error,
+            });
+        }
+    }
+}
+//# sourceMappingURL=AuthProvider.js.map

package/dist/esm/AuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProvider.js","sourceRoot":"","sources":["../../src/AuthProvider.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,2BAA2B,EAAE,MAAM,YAAY,CAAC;AAI3F;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,YAAY;IACD;IAAtB,YAAsB,OAAgC;QAAhC,YAAO,GAAP,OAAO,CAAyB;IAAG,CAAC;IAE1D;;;;OAIG;IACI,KAAK,CAAC,UAAU;QACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QACrD,OAAO,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC7B,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,kBAAkB,CAAC,OAE/B;QACC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACzD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED;;;;;;;;;OASG;IACI,KAAK,CAAC,KAAK,CAAC,QAA8B;QAC/C,MAAM,IAAI,eAAe,CAAC,0DAA0D,CAAC,CAAC;IACxF,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,MAAM;QACjB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;QAC9C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,KAAK,CAAC,YAAY,CAAC,OAEzB;QACC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,eAAe,CAAC,4BAA4B,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC;gBAC1D,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO;aACR,CAAC,CAAC;YACH,OAAO,aAAa,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,2BAA2B,CAAC,uBAAuB,EAAE;gBAC7D,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}

package/dist/esm/AuthProviderInteractive.js

@@ -0,0 +1,88 @@
+import { CryptoProvider, } from '@azure/msal-node';
+import openBrowser from 'open';
+import { createAuthServer } from './create-auth-server.js';
+import { AuthProvider } from './AuthProvider.js';
+/**
+ * Implementation of an interactive authentication provider for the Fusion MSAL Node module.
+ *
+ * Extends {@link AuthProvider} to support user-driven authentication flows using the authorization code flow with PKCE.
+ * This class opens the user's default browser for authentication and handles the response via a local server.
+ *
+ * This implementation is intended for scenarios where interactive login is required, such as CLI tools or development utilities.
+ *
+ * Developers extending this provider can customize the interactive flow, server handling, or PKCE logic as needed.
+ * Ensure that any changes remain consistent with the expected interface and security best practices.
+ *
+ * @see AuthProvider for non-interactive (silent) authentication flows.
+ * @see AuthProviderTokenOnly for token-only scenarios.
+ */
+export class AuthProviderInteractive extends AuthProvider {
+    #options;
+    constructor(client, options) {
+        super(client);
+        this.#options = options;
+    }
+    /**
+     * Initiates the login process using the authorization code flow with PKCE.
+     *
+     * This method generates a PKCE code verifier and challenge to enhance security
+     * and prevent authorization code interception attacks. It constructs an
+     * authorization code URL, opens the default browser for user authentication,
+     * and starts a local server to handle the authentication response.
+     *
+     * @param scopes - An array of scopes that specify the permissions being requested.
+     * @returns A promise that resolves to an `AuthenticationResult` containing the
+     *          authentication details upon successful login.
+     *
+     * @throws Will throw an error if the PKCE code generation, browser opening, or
+     *         authentication server setup fails.
+     */
+    async login(options) {
+        const { scopes } = options;
+        const { port, onOpen } = this.#options.server;
+        // Generate a new PKCE code verifier and challenge
+        // This is used to enhance security in the authorization code flow
+        // by preventing authorization code interception attacks.
+        const cryptoProvider = new CryptoProvider();
+        const { verifier, challenge } = await cryptoProvider.generatePkceCodes();
+        const authCodeUrl = await this._client.getAuthCodeUrl({
+            scopes,
+            redirectUri: `http://localhost:${port}`,
+            codeChallenge: challenge,
+            codeChallengeMethod: 'S256',
+        });
+        // open default browser to authenticate
+        await openBrowser(authCodeUrl);
+        // callback to open the auth code url
+        if (onOpen)
+            onOpen(authCodeUrl);
+        return createAuthServer(this._client, scopes, {
+            codeVerifier: verifier,
+            port,
+        });
+    }
+    /**
+     * Acquires an authentication token for the specified scopes.
+     *
+     * This method first attempts to acquire a token silently using the accounts
+     * available in the token cache. If no accounts are found and interactive login
+     * is allowed, it initiates an interactive login flow. If interactive login is
+     * not allowed and no accounts are found, an error is thrown.
+     *
+     * @param scopes - An array of strings representing the scopes for which the token is requested.
+     * @param options - Optional parameters for token acquisition.
+     * @param options.interactive - A boolean indicating whether interactive login is allowed
+     *                               if no accounts are found in the cache. Defaults to `false`.
+     * @returns A promise that resolves to an `AuthenticationResult` containing the acquired token.
+     * @throws {@link NoAccountsError} If no accounts are found in the cache and interactive login is not allowed.
+     * @throws {@link SilentTokenAcquisitionError} If an error occurs during silent token acquisition.
+     */
+    async acquireToken(options) {
+        const { scopes } = options ?? { scopes: [] };
+        if ((await this.getAccount()) === null) {
+            return this.login({ scopes });
+        }
+        return super.acquireToken(options);
+    }
+}
+//# sourceMappingURL=AuthProviderInteractive.js.map

package/dist/esm/AuthProviderInteractive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProviderInteractive.js","sourceRoot":"","sources":["../../src/AuthProviderInteractive.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,GAGf,MAAM,kBAAkB,CAAC;AAE1B,OAAO,WAAW,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAkBjD;;;;;;;;;;;;;GAaG;AACH,MAAM,OAAO,uBAAwB,SAAQ,YAAY;IACvD,QAAQ,CAAsB;IAE9B,YAAY,MAA+B,EAAE,OAA4B;QACvE,KAAK,CAAC,MAAM,CAAC,CAAC;QACd,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC1B,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACI,KAAK,CAAC,KAAK,CAAC,OAA6B;QAC9C,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QAE9C,kDAAkD;QAClD,kEAAkE;QAClE,yDAAyD;QACzD,MAAM,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;QAC5C,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,cAAc,CAAC,iBAAiB,EAAE,CAAC;QACzE,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;YACpD,MAAM;YACN,WAAW,EAAE,oBAAoB,IAAI,EAAE;YACvC,aAAa,EAAE,SAAS;YACxB,mBAAmB,EAAE,MAAM;SAC5B,CAAC,CAAC;QAEH,uCAAuC;QACvC,MAAM,WAAW,CAAC,WAAW,CAAC,CAAC;QAE/B,qCAAqC;QACrC,IAAI,MAAM;YAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QAEhC,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE;YAC5C,YAAY,EAAE,QAAQ;YACtB,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,KAAK,CAAC,YAAY,CAAC,OAEzB;QACC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,OAAO,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;CACF"}

package/dist/esm/AuthTokenProvider.js

@@ -0,0 +1,50 @@
+/**
+ * Implementation of an authentication provider that supplies a static, pre-obtained access token.
+ *
+ * This class implements {@link IAuthProvider} and is intended for scenarios where authentication
+ * is handled externally and a token is provided directly (e.g., CI/CD pipelines, automation, or service accounts).
+ *
+ * Login and logout operations are not supported and will always throw errors if called.
+ *
+ * @see AuthProvider for silent authentication using cached accounts and MSAL flows.
+ * @see AuthProviderInteractive for interactive, user-driven authentication flows.
+ */
+export class AuthTokenProvider {
+    #accessToken;
+    constructor(token) {
+        this.#accessToken = token;
+    }
+    /**
+     * Not supported in token-only mode. Always throws an error if called.
+     *
+     * This provider is designed for scenarios where authentication is handled externally
+     * and a static token is supplied. Login flows are not possible in this context.
+     *
+     * @throws Error Always throws to indicate login is not supported.
+     */
+    login() {
+        throw new Error('Method not supported in token mode');
+    }
+    /**
+     * Not supported in token-only mode. Always throws an error if called.
+     *
+     * Since this provider does not manage user sessions or accounts, logout is not applicable.
+     *
+     * @throws Error Always throws to indicate logout is not supported.
+     */
+    logout() {
+        throw new Error('Method not supported in token mode');
+    }
+    /**
+     * Returns the pre-obtained access token supplied to the provider.
+     *
+     * This is the only supported operation for this provider. No token refresh or acquisition logic is performed.
+     *
+     * @returns The static access token as a string.
+     */
+    async acquireAccessToken() {
+        return this.#accessToken;
+    }
+}
+export default AuthTokenProvider;
+//# sourceMappingURL=AuthTokenProvider.js.map

package/dist/esm/AuthTokenProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthTokenProvider.js","sourceRoot":"","sources":["../../src/AuthTokenProvider.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAiB;IAC5B,YAAY,CAAS;IACrB,YAAY,KAAa;QACvB,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC;IAC5B,CAAC;IAED;;;;;;;OAOG;IACH,KAAK;QACH,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED;;;;;;OAMG;IACH,MAAM;QACJ,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,kBAAkB;QACtB,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;CACF;AAED,eAAe,iBAAiB,CAAC"}