@equinor/fusion-framework-vite-plugin-spa 3.1.6 → 3.1.8

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @equinor/fusion-framework-vite-plugin-spa
 
+## 3.1.8
+
+### Patch Changes
+
+- Updated dependencies [[`1594ed8`](https://github.com/equinor/fusion-framework/commit/1594ed879579d0db6e42c5052a33174f7bf9346c), [`1594ed8`](https://github.com/equinor/fusion-framework/commit/1594ed879579d0db6e42c5052a33174f7bf9346c)]:
+  - @equinor/fusion-framework-module-msal@7.2.1
+
+## 3.1.7
+
+### Patch Changes
+
+- Updated dependencies [[`dcf51aa`](https://github.com/equinor/fusion-framework/commit/dcf51aa87ac79200893ec4909632554464e75055)]:
+  - @equinor/fusion-framework-module-msal@7.2.0
+
 ## 3.1.6
 
 ### Patch Changes

package/dist/esm/version.js

@@ -1,3 +1,3 @@
 // Generated by genversion.
-export const version = '3.1.6';
+export const version = '3.1.8';
 //# sourceMappingURL=version.js.map

package/dist/html/bootstrap.js

@@ -40463,7 +40463,7 @@ const createClientLogCallback = (provider, metadata, scope) => {
 };
 
 // Generated by genversion.
-const version$2 = '7.1.0';
+const version$2 = '7.2.1';
 
 /**
  * Zod schema for telemetry configuration validation.
@@ -40488,6 +40488,7 @@ const MsalConfigSchema = z.object({
     provider: z.custom().optional(),
     requiresAuth: z.boolean().optional(),
     redirectUri: z.string().optional(),
+    loginHint: z.string().optional(),
     authCode: z.string().optional(),
     version: z.string().transform((x) => String(semver.coerce(x))),
     telemetry: TelemetryConfigSchema,
@@ -40610,6 +40611,24 @@ class MsalConfigurator extends BaseConfigBuilder {
         this._set('requiresAuth', async () => requiresAuth);
         return this;
     }
+    /**
+     * Sets a default login hint for authentication flows.
+     *
+     * The login hint is used to pre-fill the username during authentication and
+     * enables silent SSO when no account is available.
+     *
+     * @param loginHint - The preferred username/email to use as login hint
+     * @returns The configurator instance for method chaining
+     *
+     * @example
+     * ```typescript
+     * configurator.setLoginHint('user@company.com');
+     * ```
+     */
+    setLoginHint(loginHint) {
+        this._set('loginHint', async () => loginHint);
+        return this;
+    }
     /**
      * @deprecated - since version 5.1.0, use setClient instead
      */
@@ -41474,6 +41493,16 @@ class MsalProvider extends BaseModuleProvider {
     #telemetry;
     #requiresAuth;
     #authCode;
+    #loginHint;
+    /**
+     * Default OAuth scopes used when the caller provides no scopes.
+     *
+     * Resolves to the app's Entra ID configured permissions via the `/.default` scope.
+     */
+    get defaultScopes() {
+        const clientId = this.#client.clientId;
+        return clientId ? [`${clientId}/.default`] : [];
+    }
     /**
      * The MSAL module version enum value indicating the API compatibility level.
      *
@@ -41531,6 +41560,7 @@ class MsalProvider extends BaseModuleProvider {
         });
         this.#requiresAuth = config.requiresAuth;
         this.#telemetry = config.telemetry;
+        this.#loginHint = config.loginHint;
         // Extract auth code from config if present
         // This will be used during initialize to exchange for tokens
         this.#authCode = config.authCode;
@@ -41631,9 +41661,9 @@ class MsalProvider extends BaseModuleProvider {
             else if (!this.#client.hasValidClaims) {
                 // Priority 2: No valid session found - attempt automatic login
                 // This handles first-time app load when no authentication state exists
-                // Note: Using empty scopes here as we don't know what scopes the app needs yet
+                // Note: Using default scopes here as we don't know what scopes the app needs yet
                 // App should call acquireToken with actual scopes after initialization
-                const loginResult = await this.login({ request: { scopes: [] } });
+                const loginResult = await this.login({ request: { scopes: this.defaultScopes } });
                 if (loginResult?.account) {
                     // Automatic login successful - set as active account
                     this.#client.setActiveAccount(loginResult.account);
@@ -41699,37 +41729,52 @@ class MsalProvider extends BaseModuleProvider {
      * ```
      */
     async acquireToken(options) {
-        const { behavior = 'redirect', silent = true, request = {}, } = options;
-        const account = request.account ?? this.account ?? undefined;
-        // Extract scopes from either new format (request.scopes) or legacy format (scopes)
-        const scopes = options.request?.scopes ?? options?.scopes ?? [];
+        // Determine behavior and silent options, with defaults (redirect and true respectively)
+        const behavior = options?.behavior ?? 'redirect';
+        // Silent mode defaults to true, meaning the provider will attempt silent token acquisition first
+        const silent = options?.silent ?? true;
+        const defaultScopes = this.defaultScopes;
+        const inputRequest = options?.request;
+        // Determine the account to use for token acquisition, prioritizing request-specific account, then active account
+        const account = inputRequest?.account ?? this.account ?? undefined;
+        // Extract caller-provided scopes from either new format (request.scopes) or legacy format (scopes)
+        const candidateScopes = inputRequest?.scopes ?? options?.scopes ?? [];
+        const scopes = candidateScopes.length > 0 ? candidateScopes : defaultScopes.length > 0 ? defaultScopes : [];
+        // Prepare telemetry properties for this token acquisition attempt
         const telemetryProperties = { behavior, silent, scopes };
         // Track usage of deprecated legacy scopes format for migration monitoring
-        if (options.scopes) {
+        if (options?.scopes) {
             this._trackEvent('acquireToken.legacy-scopes-provided', TelemetryLevel.Warning, {
                 properties: telemetryProperties,
             });
         }
         // Handle empty scopes - currently monitoring for telemetry, will throw in future
-        if (scopes.length === 0) {
-            const exception = new Error('Empty scopes provided, not allowed');
-            this._trackException('acquireToken.missing-scope', TelemetryLevel.Warning, {
-                exception,
-                properties: telemetryProperties,
-            });
-            // TODO: throw exception when sufficient metrics are collected
-            // This allows us to monitor how often empty scopes are provided before enforcing validation
+        if (candidateScopes.length === 0) {
+            if (defaultScopes.length > 0) {
+                this._trackEvent('acquireToken.missing-scope.defaulted', TelemetryLevel.Warning, {
+                    properties: { ...telemetryProperties, defaultScopes },
+                });
+            }
+            else {
+                const exception = new Error('Empty scopes provided and clientId is missing for default scope');
+                this._trackException('acquireToken.missing-scope', TelemetryLevel.Warning, {
+                    exception,
+                    properties: telemetryProperties,
+                });
+                // TODO: throw exception when sufficient metrics are collected
+                // This allows us to monitor how often empty scopes are provided before enforcing validation
+            }
         }
         try {
             const measurement = this._trackMeasurement('acquireToken', TelemetryLevel.Information, {
                 properties: telemetryProperties,
             });
-            // Merge account, original request options, and resolved scopes
-            // Account ensures context awareness, request preserves custom options, scopes uses resolved value
+            // Merge account, original request options, and resolved scopes.
+            // Account ensures context awareness, request preserves custom options, scopes uses resolved value.
             const result = await this.#client.acquireToken({
                 behavior,
                 silent,
-                request: { ...options.request, account, scopes },
+                request: { ...inputRequest, account, scopes },
             });
             measurement?.measure();
             return result;
@@ -41791,6 +41836,13 @@ class MsalProvider extends BaseModuleProvider {
      */
     async login(options) {
         const { behavior = 'redirect', silent = true, request } = options;
+        request.loginHint ??=
+            this.#loginHint ?? this.account?.username ?? this.account?.loginHint ?? undefined;
+        const defaultScopes = this.defaultScopes;
+        // Fallback to app default scope when possible; empty scopes tracked for monitoring
+        if (!request.scopes || request.scopes.length === 0) {
+            request.scopes = defaultScopes.length > 0 ? defaultScopes : [];
+        }
         // Determine if silent login is possible based on available account/hint information
         // Silent login requires either an account object or a loginHint to work
         const canLoginSilently = silent && (request.account || request.loginHint);
@@ -41798,10 +41850,9 @@ class MsalProvider extends BaseModuleProvider {
         // Default to active account if no account/hint provided in request
         // This allows silent login to work automatically with existing authentication state
         request.account ??= this.account ?? undefined;
-        // Default to empty scopes if none provided
-        // Empty scopes are tracked for monitoring but allowed for compatibility
-        if (!request.scopes) {
-            request.scopes = [];
+        // If scopes are still empty here, we couldn't derive a default scope (e.g. missing clientId).
+        // Track for monitoring; behavior will be enforced once we have sufficient metrics.
+        if (request.scopes.length === 0) {
             this._trackEvent('login.missing-scope', TelemetryLevel.Warning, {
                 properties: telemetryProperties,
             });
@@ -44905,7 +44956,7 @@ async function registerServiceWorker(framework) {
 }
 
 // Generated by genversion.
-const version = '3.1.6';
+const version = '3.1.8';
 
 // Allow dynamic import without vite
 const importWithoutVite = (path) => import(/* @vite-ignore */ path);