npm - @ericminassian/auth - Versions diffs - 0.2.0 → 0.3.0 - Mend

@ericminassian/auth 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/{auth-client-DZWvgw3X.d.ts → auth-client-DSXlCl42.d.ts} +18 -0
package/dist/client/index.d.ts +1 -1
package/dist/client/index.js +110 -36
package/dist/react/index.d.ts +1 -1
package/package.json +1 -1

package/dist/{auth-client-DZWvgw3X.d.ts → auth-client-DSXlCl42.d.ts} RENAMED Viewed

@@ -38,10 +38,28 @@ interface SignInOptions {
 interface AuthClient {
   /** Build a PKCE+state transaction and navigate to the authorize endpoint. */
   signInWithRedirect(options?: SignInOptions): Promise<void>;
+  /**
+   * Attempt silent SSO via a hidden iframe (`prompt=none`). Resolves to the
+   * resulting state — authenticated if an IdP session already existed,
+   * otherwise unchanged. Never rejects on `login_required`.
+   *
+   * Same-site only: the IdP session cookie is not sent to a cross-site iframe,
+   * so this is a no-op when the app and issuer aren't on the same site (e.g.
+   * `localhost` against a hosted issuer).
+   */
+  signInSilently(): Promise<AuthState>;
   /** Complete the redirect: exchange the code for tokens. Returns the saved returnTo. */
   handleRedirectCallback(url?: string): Promise<{
     returnTo: string | undefined;
   }>;
+  /**
+   * Call from the redirect callback page. Inside a silent-auth iframe it relays
+   * the result to the opener and resolves `null` (the page should do nothing
+   * else). At top level it completes the code exchange and returns `returnTo`.
+   */
+  handleCallback(): Promise<{
+    returnTo: string | undefined;
+  } | null>;
   /** A valid access token, refreshing if necessary. Throws `login_required` if not signed in. */
   getAccessToken(options?: {
     forceRefresh?: boolean;

package/dist/client/index.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
 import { i as User, n as AuthErrorCode, r as DEFAULT_ISSUER, t as AuthError } from "../index-CiPxwNnj.js";
-import { a as createAuthClient, i as SignInOptions, n as AuthClientOptions, o as TokenStorage, r as AuthState, t as AuthClient } from "../auth-client-DZWvgw3X.js";
+import { a as createAuthClient, i as SignInOptions, n as AuthClientOptions, o as TokenStorage, r as AuthState, t as AuthClient } from "../auth-client-DSXlCl42.js";
 export { type AuthClient, type AuthClientOptions, AuthError, type AuthErrorCode, type AuthState, DEFAULT_ISSUER, type SignInOptions, type TokenStorage, type User, createAuthClient };

package/dist/client/index.js CHANGED Viewed

@@ -52,6 +52,8 @@ const TX_KEY = "ema_auth_tx";
 const RT_KEY = "ema_auth_rt";
 const ID_KEY = "ema_auth_id";
 const EXPIRY_SKEW_SECONDS = 30;
+const SILENT_MESSAGE_SOURCE = "ema_auth_silent";
+const SILENT_TIMEOUT_MS = 8e3;
 function createAuthClient(options) {
 	const issuer = (options.issuer ?? DEFAULT_ISSUER).replace(/\/$/, "");
 	const scope = options.scope ?? "openid email offline_access";
@@ -99,46 +101,110 @@ function createAuthClient(options) {
 			});
 		}
 	}
+	async function buildAuthorizeUrl(extra, returnTo) {
+		const { authorization_endpoint } = await getDiscovery();
+		const pkce = await createPkcePair();
+		const tx = {
+			verifier: pkce.verifier,
+			state: createState()
+		};
+		if (returnTo !== void 0) tx.returnTo = returnTo;
+		storage.set(TX_KEY, JSON.stringify(tx));
+		const url = new URL(authorization_endpoint);
+		url.search = new URLSearchParams({
+			response_type: "code",
+			client_id: options.clientId,
+			redirect_uri: options.redirectUri,
+			scope,
+			state: tx.state,
+			code_challenge: pkce.challenge,
+			code_challenge_method: "S256",
+			...extra
+		}).toString();
+		return url.toString();
+	}
+	async function completeCallback(url) {
+		const params = new URL(url ?? currentUrl()).searchParams;
+		const raw = storage.get(TX_KEY);
+		storage.remove(TX_KEY);
+		if (!raw) throw new AuthError("state_mismatch", "no authorization transaction in progress");
+		const tx = JSON.parse(raw);
+		if (params.get("error")) throw new AuthError("invalid_grant", params.get("error_description") ?? params.get("error") ?? "authorization failed");
+		if (params.get("state") !== tx.state) throw new AuthError("state_mismatch", "state parameter mismatch");
+		const code = params.get("code");
+		if (!code) throw new AuthError("invalid_grant", "missing authorization code");
+		await exchange({
+			grant_type: "authorization_code",
+			code,
+			redirect_uri: options.redirectUri,
+			client_id: options.clientId,
+			code_verifier: tx.verifier
+		});
+		return { returnTo: tx.returnTo };
+	}
+	function runSilentFrame(authorizeUrl) {
+		return new Promise((resolve) => {
+			const iframe = document.createElement("iframe");
+			iframe.style.display = "none";
+			iframe.setAttribute("aria-hidden", "true");
+			let settled = false;
+			const finish = (result) => {
+				if (settled) return;
+				settled = true;
+				window.removeEventListener("message", onMessage);
+				clearTimeout(timer);
+				iframe.remove();
+				resolve(result);
+			};
+			const onMessage = (event) => {
+				if (event.origin !== window.location.origin) return;
+				const data = event.data;
+				if (!data || data.source !== SILENT_MESSAGE_SOURCE) return;
+				finish(typeof data.search === "string" ? data.search : "");
+			};
+			const timer = setTimeout(() => finish(void 0), SILENT_TIMEOUT_MS);
+			window.addEventListener("message", onMessage);
+			iframe.src = authorizeUrl;
+			document.body.appendChild(iframe);
+		});
+	}
 	return {
 		async signInWithRedirect(signInOptions) {
-			const { authorization_endpoint } = await getDiscovery();
-			const pkce = await createPkcePair();
-			const tx = {
-				verifier: pkce.verifier,
-				state: createState(),
-				returnTo: signInOptions?.returnTo ?? currentUrl()
-			};
-			storage.set(TX_KEY, JSON.stringify(tx));
-			const url = new URL(authorization_endpoint);
-			url.search = new URLSearchParams({
-				response_type: "code",
-				client_id: options.clientId,
-				redirect_uri: options.redirectUri,
-				scope,
-				state: tx.state,
-				code_challenge: pkce.challenge,
-				code_challenge_method: "S256"
-			}).toString();
-			redirect(url.toString());
+			redirect(await buildAuthorizeUrl({}, signInOptions?.returnTo ?? currentUrl()));
+		},
+		async signInSilently() {
+			if (state.status === "authenticated") return state;
+			if (typeof window === "undefined" || typeof document === "undefined") return state;
+			let authorizeUrl;
+			try {
+				authorizeUrl = await buildAuthorizeUrl({ prompt: "none" });
+			} catch {
+				return state;
+			}
+			const search = await runSilentFrame(authorizeUrl);
+			if (search === void 0) {
+				storage.remove(TX_KEY);
+				return state;
+			}
+			const callbackUrl = new URL(options.redirectUri);
+			callbackUrl.search = search;
+			try {
+				await completeCallback(callbackUrl.toString());
+			} catch {}
+			return state;
 		},
 		async handleRedirectCallback(url) {
-			const params = new URL(url ?? currentUrl()).searchParams;
-			const raw = storage.get(TX_KEY);
-			storage.remove(TX_KEY);
-			if (!raw) throw new AuthError("state_mismatch", "no authorization transaction in progress");
-			const tx = JSON.parse(raw);
-			if (params.get("error")) throw new AuthError("invalid_grant", params.get("error_description") ?? params.get("error") ?? "authorization failed");
-			if (params.get("state") !== tx.state) throw new AuthError("state_mismatch", "state parameter mismatch");
-			const code = params.get("code");
-			if (!code) throw new AuthError("invalid_grant", "missing authorization code");
-			await exchange({
-				grant_type: "authorization_code",
-				code,
-				redirect_uri: options.redirectUri,
-				client_id: options.clientId,
-				code_verifier: tx.verifier
-			});
-			return { returnTo: tx.returnTo };
+			return completeCallback(url);
+		},
+		async handleCallback() {
+			if (isFramed()) {
+				window.parent.postMessage({
+					source: SILENT_MESSAGE_SOURCE,
+					search: window.location.search
+				}, window.location.origin);
+				return null;
+			}
+			return completeCallback();
 		},
 		async getAccessToken(getOptions) {
 			if (!getOptions?.forceRefresh && cachedToken && cachedToken.expiresAt > Date.now()) return cachedToken.accessToken;
@@ -226,6 +292,14 @@ async function fetchJson(url) {
 function currentUrl() {
 	return typeof location !== "undefined" ? location.href : "";
 }
+function isFramed() {
+	if (typeof window === "undefined") return false;
+	try {
+		return window.self !== window.top;
+	} catch {
+		return true;
+	}
+}
 function redirect(url) {
 	if (typeof location !== "undefined") location.assign(url);
 }

package/dist/react/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { i as User } from "../index-CiPxwNnj.js";
-import { i as SignInOptions, r as AuthState, t as AuthClient } from "../auth-client-DZWvgw3X.js";
+import { i as SignInOptions, r as AuthState, t as AuthClient } from "../auth-client-DSXlCl42.js";
 import { ReactNode } from "react";
 //#region src/react/context.d.ts

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ericminassian/auth",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "TypeScript SDK for auth.ericminassian.com — OIDC client, React bindings, and server-side JWT verification.",
   "license": "MIT",
   "repository": {