@equinor/fusion-framework-vite-plugin-spa 3.1.5 → 3.1.7

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @equinor/fusion-framework-vite-plugin-spa
 
+## 3.1.7
+
+### Patch Changes
+
+- Updated dependencies [[`dcf51aa`](https://github.com/equinor/fusion-framework/commit/dcf51aa87ac79200893ec4909632554464e75055)]:
+  - @equinor/fusion-framework-module-msal@7.2.0
+
+## 3.1.6
+
+### Patch Changes
+
+- Updated dependencies [[`0b34d5d`](https://github.com/equinor/fusion-framework/commit/0b34d5d895c740a77fc995abeca910fdca1cf633)]:
+  - @equinor/fusion-framework-module-msal@7.1.0
+
 ## 3.1.5
 
 ### Patch Changes

package/dist/esm/version.js

@@ -1,3 +1,3 @@
 // Generated by genversion.
-export const version = '3.1.5';
+export const version = '3.1.7';
 //# sourceMappingURL=version.js.map

package/dist/html/bootstrap.js

@@ -153,8 +153,8 @@ function requireRe () {
 
 		// ## Pre-release Version Identifier
 		// A numeric identifier, or a non-numeric identifier.
-		// Non-numberic identifiers include numberic identifiers but can be longer.
-		// Therefore non-numberic identifiers must go first.
+		// Non-numeric identifiers include numeric identifiers but can be longer.
+		// Therefore non-numeric identifiers must go first.
 
 		createToken('PRERELEASEIDENTIFIER', `(?:${src[t.NONNUMERICIDENTIFIER]
 		}|${src[t.NUMERICIDENTIFIER]})`);
@@ -850,7 +850,7 @@ function requireDiff () {
 	    return prefix + 'patch'
 	  }
 
-	  // high and low are preleases
+	  // high and low are prereleases
 	  return 'prerelease'
 	};
 
@@ -2409,7 +2409,7 @@ function requireSubset () {
 	// - If LT
 	//   - If LT.semver is greater than any < or <= comp in C, return false
 	//   - If LT is <=, and LT.semver does not satisfy every C, return false
-	//   - If GT.semver has a prerelease, and not in prerelease mode
+	//   - If LT.semver has a prerelease, and not in prerelease mode
 	//     - If no C has a prerelease and the LT.semver tuple, return false
 	// - Else return true
 
@@ -40463,7 +40463,7 @@ const createClientLogCallback = (provider, metadata, scope) => {
 };
 
 // Generated by genversion.
-const version$2 = '7.0.0';
+const version$2 = '7.2.0';
 
 /**
  * Zod schema for telemetry configuration validation.
@@ -40488,6 +40488,8 @@ const MsalConfigSchema = z.object({
     provider: z.custom().optional(),
     requiresAuth: z.boolean().optional(),
     redirectUri: z.string().optional(),
+    loginHint: z.string().optional(),
+    authCode: z.string().optional(),
     version: z.string().transform((x) => String(semver.coerce(x))),
     telemetry: TelemetryConfigSchema,
 });
@@ -40555,6 +40557,37 @@ class MsalConfigurator extends BaseConfigBuilder {
         this.#msalConfig = config;
         return this;
     }
+    /**
+     * Sets a backend-issued authorization code for token exchange.
+     *
+     * This enables the MSAL module to exchange a backend-generated auth code for tokens
+     * during initialization, allowing users to be automatically signed in without triggering
+     * an interactive MSAL login flow. The auth code is exchanged before the requiresAuth check,
+     * so tokens are cached and no login prompt appears.
+     *
+     * This follows Microsoft's standard SPA Auth Code Flow pattern and is compatible with
+     * MSAL Browser's acquireTokenByCode() method.
+     *
+     * @param authCode - The authorization code issued by the backend
+     * @returns The configurator instance for method chaining
+     *
+     * @example
+     * ```typescript
+     * // Backend provides auth code in HTML/config
+     * const config = { auth: { code: getAuthCodeFromBackend() } };
+     * configurator.setAuthCode(config.auth.code);
+     * ```
+     *
+     * @remarks
+     * - Auth codes are single-use and short-lived (typically 5-10 minutes)
+     * - The exchange happens during module initialization before requiresAuth check
+     * - If exchange fails, the provider falls back to standard MSAL authentication flows
+     * - Requires backend to be configured with SPA Auth Code support
+     */
+    setAuthCode(authCode) {
+        this._set('authCode', async () => authCode);
+        return this;
+    }
     /**
      * Sets whether authentication is required for the application.
      *
@@ -40578,6 +40611,24 @@ class MsalConfigurator extends BaseConfigBuilder {
         this._set('requiresAuth', async () => requiresAuth);
         return this;
     }
+    /**
+     * Sets a default login hint for authentication flows.
+     *
+     * The login hint is used to pre-fill the username during authentication and
+     * enables silent SSO when no account is available.
+     *
+     * @param loginHint - The preferred username/email to use as login hint
+     * @returns The configurator instance for method chaining
+     *
+     * @example
+     * ```typescript
+     * configurator.setLoginHint('user@company.com');
+     * ```
+     */
+    setLoginHint(loginHint) {
+        this._set('loginHint', async () => loginHint);
+        return this;
+    }
     /**
      * @deprecated - since version 5.1.0, use setClient instead
      */
@@ -41441,6 +41492,8 @@ class MsalProvider extends BaseModuleProvider {
     #client;
     #telemetry;
     #requiresAuth;
+    #authCode;
+    #loginHint;
     /**
      * The MSAL module version enum value indicating the API compatibility level.
      *
@@ -41498,6 +41551,10 @@ class MsalProvider extends BaseModuleProvider {
         });
         this.#requiresAuth = config.requiresAuth;
         this.#telemetry = config.telemetry;
+        this.#loginHint = config.loginHint;
+        // Extract auth code from config if present
+        // This will be used during initialize to exchange for tokens
+        this.#authCode = config.authCode;
         // Validate required client configuration
         if (!config.client) {
             const error = new Error('Client is required, please provide a valid client in the configuration');
@@ -41513,12 +41570,17 @@ class MsalProvider extends BaseModuleProvider {
      *
      * This method must be called before using any authentication operations. It performs:
      * - Client initialization
+     * - Auth code exchange (if backend-issued code provided)
      * - Redirect result handling (if returning from auth flow)
      * - Automatic login attempt if requiresAuth is enabled and no valid session exists
      *
      * @returns Promise that resolves when initialization is complete
      *
      * @remarks
+     * Auth code exchange happens before the requiresAuth check, allowing automatic sign-in
+     * without user interaction when a valid backend-issued code is provided. If exchange fails,
+     * the provider falls back to standard MSAL authentication flows.
+     *
      * The provider will attempt automatic login with empty scopes if requiresAuth is true.
      * Apps should call acquireToken with actual scopes after initialization completes.
      */
@@ -41526,6 +41588,52 @@ class MsalProvider extends BaseModuleProvider {
         const measurement = this._trackMeasurement('initialize', TelemetryLevel.Debug);
         // Initialize the underlying MSAL client first
         await this.#client.initialize();
+        // Priority 0: Exchange auth code if provided by backend
+        // This must happen before the requiresAuth check so tokens are cached
+        if (this.#authCode) {
+            try {
+                this._trackEvent('initialize.exchanging-auth-code', TelemetryLevel.Information);
+                // Use MSAL's acquireTokenByCode to exchange backend auth code for tokens
+                // This follows Microsoft's standard SPA Auth Code Flow pattern
+                const clientId = this.#client.clientId;
+                if (!clientId) {
+                    throw new Error('Client ID is required for auth code exchange');
+                }
+                // Exchange the auth code for tokens using the client ID's default scope.
+                // The `/.default` scope represents all permissions configured for this app in Entra ID,
+                // ensuring the exchanged tokens have the correct app-level permissions without requiring
+                // the caller to specify scopes. This follows MSAL's recommended SPA auth code pattern.
+                // This method is inherited from PublicClientApplication (MSAL Browser v4+)
+                const result = await this.#client.acquireTokenByCode({
+                    code: this.#authCode,
+                    scopes: [`${clientId}/.default`],
+                });
+                // Successfully exchanged auth code - set active account
+                if (result.account) {
+                    this.#client.setActiveAccount(result.account);
+                    this._trackEvent('initialize.auth-code-exchanged-account', TelemetryLevel.Information, {
+                        properties: {
+                            username: result.account.username,
+                        },
+                    });
+                }
+            }
+            catch (error) {
+                // Auth code exchange failed - log and fall back to standard flows
+                this._trackException('initialize.auth-code-exchange-failed', TelemetryLevel.Warning, {
+                    exception: error instanceof Error ? error : new Error(String(error)),
+                    properties: {
+                        message: error instanceof Error ? error.message : String(error),
+                        reason: 'Auth code exchange failed, falling back to standard authentication flows',
+                    },
+                });
+                // Continue to requiresAuth check - will trigger standard login if needed
+            }
+            finally {
+                // Clear auth code to avoid repeated attempts
+                this.#authCode = undefined;
+            }
+        }
         // Only attempt authentication if this provider requires it
         if (this.#requiresAuth) {
             // Priority 1: Check if returning from redirect-based authentication
@@ -41704,6 +41812,8 @@ class MsalProvider extends BaseModuleProvider {
      */
     async login(options) {
         const { behavior = 'redirect', silent = true, request } = options;
+        request.loginHint ??=
+            this.#loginHint ?? this.account?.username ?? this.account?.loginHint ?? undefined;
         // Determine if silent login is possible based on available account/hint information
         // Silent login requires either an account object or a loginHint to work
         const canLoginSilently = silent && (request.account || request.loginHint);
@@ -44818,7 +44928,7 @@ async function registerServiceWorker(framework) {
 }
 
 // Generated by genversion.
-const version = '3.1.5';
+const version = '3.1.7';
 
 // Allow dynamic import without vite
 const importWithoutVite = (path) => import(/* @vite-ignore */ path);