@ericminassian/auth 0.1.0 → 0.3.0

package/dist/{auth-client-DZWvgw3X.d.ts → auth-client-DSXlCl42.d.ts}

@@ -38,10 +38,28 @@ interface SignInOptions {
 interface AuthClient {
   /** Build a PKCE+state transaction and navigate to the authorize endpoint. */
   signInWithRedirect(options?: SignInOptions): Promise<void>;
+  /**
+   * Attempt silent SSO via a hidden iframe (`prompt=none`). Resolves to the
+   * resulting state — authenticated if an IdP session already existed,
+   * otherwise unchanged. Never rejects on `login_required`.
+   *
+   * Same-site only: the IdP session cookie is not sent to a cross-site iframe,
+   * so this is a no-op when the app and issuer aren't on the same site (e.g.
+   * `localhost` against a hosted issuer).
+   */
+  signInSilently(): Promise<AuthState>;
   /** Complete the redirect: exchange the code for tokens. Returns the saved returnTo. */
   handleRedirectCallback(url?: string): Promise<{
     returnTo: string | undefined;
   }>;
+  /**
+   * Call from the redirect callback page. Inside a silent-auth iframe it relays
+   * the result to the opener and resolves `null` (the page should do nothing
+   * else). At top level it completes the code exchange and returns `returnTo`.
+   */
+  handleCallback(): Promise<{
+    returnTo: string | undefined;
+  } | null>;
   /** A valid access token, refreshing if necessary. Throws `login_required` if not signed in. */
   getAccessToken(options?: {
     forceRefresh?: boolean;

package/dist/client/index.d.ts

@@ -1,3 +1,3 @@
 import { i as User, n as AuthErrorCode, r as DEFAULT_ISSUER, t as AuthError } from "../index-CiPxwNnj.js";
-import { a as createAuthClient, i as SignInOptions, n as AuthClientOptions, o as TokenStorage, r as AuthState, t as AuthClient } from "../auth-client-DZWvgw3X.js";
+import { a as createAuthClient, i as SignInOptions, n as AuthClientOptions, o as TokenStorage, r as AuthState, t as AuthClient } from "../auth-client-DSXlCl42.js";
 export { type AuthClient, type AuthClientOptions, AuthError, type AuthErrorCode, type AuthState, DEFAULT_ISSUER, type SignInOptions, type TokenStorage, type User, createAuthClient };

package/dist/client/index.js

@@ -52,6 +52,8 @@ const TX_KEY = "ema_auth_tx";
 const RT_KEY = "ema_auth_rt";
 const ID_KEY = "ema_auth_id";
 const EXPIRY_SKEW_SECONDS = 30;
+const SILENT_MESSAGE_SOURCE = "ema_auth_silent";
+const SILENT_TIMEOUT_MS = 8e3;
 function createAuthClient(options) {
 	const issuer = (options.issuer ?? DEFAULT_ISSUER).replace(/\/$/, "");
 	const scope = options.scope ?? "openid email offline_access";
@@ -99,46 +101,110 @@ function createAuthClient(options) {
 			});
 		}
 	}
+	async function buildAuthorizeUrl(extra, returnTo) {
+		const { authorization_endpoint } = await getDiscovery();
+		const pkce = await createPkcePair();
+		const tx = {
+			verifier: pkce.verifier,
+			state: createState()
+		};
+		if (returnTo !== void 0) tx.returnTo = returnTo;
+		storage.set(TX_KEY, JSON.stringify(tx));
+		const url = new URL(authorization_endpoint);
+		url.search = new URLSearchParams({
+			response_type: "code",
+			client_id: options.clientId,
+			redirect_uri: options.redirectUri,
+			scope,
+			state: tx.state,
+			code_challenge: pkce.challenge,
+			code_challenge_method: "S256",
+			...extra
+		}).toString();
+		return url.toString();
+	}
+	async function completeCallback(url) {
+		const params = new URL(url ?? currentUrl()).searchParams;
+		const raw = storage.get(TX_KEY);
+		storage.remove(TX_KEY);
+		if (!raw) throw new AuthError("state_mismatch", "no authorization transaction in progress");
+		const tx = JSON.parse(raw);
+		if (params.get("error")) throw new AuthError("invalid_grant", params.get("error_description") ?? params.get("error") ?? "authorization failed");
+		if (params.get("state") !== tx.state) throw new AuthError("state_mismatch", "state parameter mismatch");
+		const code = params.get("code");
+		if (!code) throw new AuthError("invalid_grant", "missing authorization code");
+		await exchange({
+			grant_type: "authorization_code",
+			code,
+			redirect_uri: options.redirectUri,
+			client_id: options.clientId,
+			code_verifier: tx.verifier
+		});
+		return { returnTo: tx.returnTo };
+	}
+	function runSilentFrame(authorizeUrl) {
+		return new Promise((resolve) => {
+			const iframe = document.createElement("iframe");
+			iframe.style.display = "none";
+			iframe.setAttribute("aria-hidden", "true");
+			let settled = false;
+			const finish = (result) => {
+				if (settled) return;
+				settled = true;
+				window.removeEventListener("message", onMessage);
+				clearTimeout(timer);
+				iframe.remove();
+				resolve(result);
+			};
+			const onMessage = (event) => {
+				if (event.origin !== window.location.origin) return;
+				const data = event.data;
+				if (!data || data.source !== SILENT_MESSAGE_SOURCE) return;
+				finish(typeof data.search === "string" ? data.search : "");
+			};
+			const timer = setTimeout(() => finish(void 0), SILENT_TIMEOUT_MS);
+			window.addEventListener("message", onMessage);
+			iframe.src = authorizeUrl;
+			document.body.appendChild(iframe);
+		});
+	}
 	return {
 		async signInWithRedirect(signInOptions) {
-			const { authorization_endpoint } = await getDiscovery();
-			const pkce = await createPkcePair();
-			const tx = {
-				verifier: pkce.verifier,
-				state: createState(),
-				returnTo: signInOptions?.returnTo ?? currentUrl()
-			};
-			storage.set(TX_KEY, JSON.stringify(tx));
-			const url = new URL(authorization_endpoint);
-			url.search = new URLSearchParams({
-				response_type: "code",
-				client_id: options.clientId,
-				redirect_uri: options.redirectUri,
-				scope,
-				state: tx.state,
-				code_challenge: pkce.challenge,
-				code_challenge_method: "S256"
-			}).toString();
-			redirect(url.toString());
+			redirect(await buildAuthorizeUrl({}, signInOptions?.returnTo ?? currentUrl()));
+		},
+		async signInSilently() {
+			if (state.status === "authenticated") return state;
+			if (typeof window === "undefined" || typeof document === "undefined") return state;
+			let authorizeUrl;
+			try {
+				authorizeUrl = await buildAuthorizeUrl({ prompt: "none" });
+			} catch {
+				return state;
+			}
+			const search = await runSilentFrame(authorizeUrl);
+			if (search === void 0) {
+				storage.remove(TX_KEY);
+				return state;
+			}
+			const callbackUrl = new URL(options.redirectUri);
+			callbackUrl.search = search;
+			try {
+				await completeCallback(callbackUrl.toString());
+			} catch {}
+			return state;
 		},
 		async handleRedirectCallback(url) {
-			const params = new URL(url ?? currentUrl()).searchParams;
-			const raw = storage.get(TX_KEY);
-			storage.remove(TX_KEY);
-			if (!raw) throw new AuthError("state_mismatch", "no authorization transaction in progress");
-			const tx = JSON.parse(raw);
-			if (params.get("error")) throw new AuthError("invalid_grant", params.get("error_description") ?? params.get("error") ?? "authorization failed");
-			if (params.get("state") !== tx.state) throw new AuthError("state_mismatch", "state parameter mismatch");
-			const code = params.get("code");
-			if (!code) throw new AuthError("invalid_grant", "missing authorization code");
-			await exchange({
-				grant_type: "authorization_code",
-				code,
-				redirect_uri: options.redirectUri,
-				client_id: options.clientId,
-				code_verifier: tx.verifier
-			});
-			return { returnTo: tx.returnTo };
+			return completeCallback(url);
+		},
+		async handleCallback() {
+			if (isFramed()) {
+				window.parent.postMessage({
+					source: SILENT_MESSAGE_SOURCE,
+					search: window.location.search
+				}, window.location.origin);
+				return null;
+			}
+			return completeCallback();
 		},
 		async getAccessToken(getOptions) {
 			if (!getOptions?.forceRefresh && cachedToken && cachedToken.expiresAt > Date.now()) return cachedToken.accessToken;
@@ -226,6 +292,14 @@ async function fetchJson(url) {
 function currentUrl() {
 	return typeof location !== "undefined" ? location.href : "";
 }
+function isFramed() {
+	if (typeof window === "undefined") return false;
+	try {
+		return window.self !== window.top;
+	} catch {
+		return true;
+	}
+}
 function redirect(url) {
 	if (typeof location !== "undefined") location.assign(url);
 }

package/dist/react/index.d.ts

@@ -1,5 +1,5 @@
 import { i as User } from "../index-CiPxwNnj.js";
-import { i as SignInOptions, r as AuthState, t as AuthClient } from "../auth-client-DZWvgw3X.js";
+import { i as SignInOptions, r as AuthState, t as AuthClient } from "../auth-client-DSXlCl42.js";
 import { ReactNode } from "react";
 
 //#region src/react/context.d.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ericminassian/auth",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "TypeScript SDK for auth.ericminassian.com — OIDC client, React bindings, and server-side JWT verification.",
   "license": "MIT",
   "repository": {
@@ -42,12 +42,6 @@
       "default": "./dist/server/express.js"
     }
   },
-  "scripts": {
-    "build": "tsdown",
-    "typecheck": "tsc --noEmit",
-    "generate": "openapi-typescript ../../openapi/openapi.json -o src/generated/api.d.ts",
-    "test": "vitest run"
-  },
   "dependencies": {
     "jose": "^6"
   },
@@ -80,5 +74,11 @@
   },
   "publishConfig": {
     "access": "public"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "typecheck": "tsc --noEmit",
+    "generate": "openapi-typescript ../../openapi/openapi.json -o src/generated/api.d.ts",
+    "test": "vitest run"
   }
-}
+}