npm - @imtbl/auth - Versions diffs - 2.12.5-alpha.16 → 2.12.5-alpha.18 - Mend

@imtbl/auth 2.12.5-alpha.16 → 2.12.5-alpha.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/src/Auth.test.ts CHANGED Viewed

@@ -137,7 +137,7 @@ describe('Auth', () => {
     });
   });
-  describe('username extraction', () => {
+  describe('mapOidcUserToDomainModel', () => {
     it('extracts username from id token when present', () => {
       const mockOidcUser = {
         id_token: 'token',
@@ -158,256 +158,113 @@ describe('Auth', () => {
       expect(result.profile.username).toEqual('username123');
     });
-    it('maps username when creating OIDC user from device tokens', () => {
-      const tokenResponse = {
+    it('extracts zkEvm chain data from passport metadata', () => {
+      const mockOidcUser = {
         id_token: 'token',
         access_token: 'access',
         refresh_token: 'refresh',
-        token_type: 'Bearer',
-        expires_in: 3600,
+        expired: false,
+        profile: { sub: 'user-123', email: 'test@example.com', nickname: 'tester' },
       };
       (decodeJwtPayload as jest.Mock).mockReturnValue({
-        sub: 'user-123',
-        iss: 'issuer',
-        aud: 'audience',
-        exp: 1,
-        iat: 0,
-        email: 'test@example.com',
-        nickname: 'tester',
-        username: 'username123',
-        passport: undefined,
+        passport: {
+          zkevm_eth_address: '0xzkevmaddress',
+          zkevm_user_admin_address: '0xzkevmadmin',
+        },
       });
-      const oidcUser = (Auth as any).mapDeviceTokenResponseToOidcUser(tokenResponse);
+      const result = (Auth as any).mapOidcUserToDomainModel(mockOidcUser);
-      expect(decodeJwtPayload).toHaveBeenCalledWith('token');
-      expect(oidcUser.profile.username).toEqual('username123');
+      expect(result.zkEvm).toEqual({
+        ethAddress: '0xzkevmaddress',
+        userAdminAddress: '0xzkevmadmin',
+      });
     });
-  });
-  describe('refreshTokenAndUpdatePromise', () => {
-    it('emits TOKEN_REFRESHED event when signinSilent succeeds', async () => {
+    it('extracts arbitrum_one chain data from nested passport metadata', () => {
       const mockOidcUser = {
-        id_token: 'new-id',
-        access_token: 'new-access',
-        refresh_token: 'new-refresh',
+        id_token: 'token',
+        access_token: 'access',
+        refresh_token: 'refresh',
         expired: false,
         profile: { sub: 'user-123', email: 'test@example.com', nickname: 'tester' },
       };
       (decodeJwtPayload as jest.Mock).mockReturnValue({
-        username: undefined,
-        passport: undefined,
+        passport: {
+          arbitrum_one: {
+            eth_address: '0xarbaddress',
+            user_admin_address: '0xarbadmin',
+          },
+        },
       });
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn().mockResolvedValue(mockOidcUser),
-      };
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      const user = await (auth as any).refreshTokenAndUpdatePromise();
-      expect(user).toBeDefined();
-      expect(user.accessToken).toBe('new-access');
-      expect(mockEventEmitter.emit).toHaveBeenCalledWith(
-        AuthEvents.TOKEN_REFRESHED,
-        expect.objectContaining({
-          accessToken: 'new-access',
-          refreshToken: 'new-refresh',
-        }),
-      );
-    });
-    it('does not emit TOKEN_REFRESHED event when signinSilent returns null', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn().mockResolvedValue(null),
-      };
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      const user = await (auth as any).refreshTokenAndUpdatePromise();
-      expect(user).toBeNull();
-      expect(mockEventEmitter.emit).not.toHaveBeenCalled();
-    });
-    it('emits USER_REMOVED event for invalid_grant error', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn().mockRejectedValue(
-          Object.assign(new Error('invalid_grant'), {
-            error: 'invalid_grant',
-            error_description: 'Unknown or invalid refresh token',
-          }),
-        ),
-        removeUser: jest.fn().mockResolvedValue(undefined),
-      };
+      const result = (Auth as any).mapOidcUserToDomainModel(mockOidcUser);
-      // Make the error an instance of ErrorResponse
-      const { ErrorResponse } = jest.requireActual('oidc-client-ts');
-      const errorResponse = new ErrorResponse({
-        error: 'invalid_grant',
-        error_description: 'Unknown or invalid refresh token',
+      expect(result.arbitrum_one).toEqual({
+        ethAddress: '0xarbaddress',
+        userAdminAddress: '0xarbadmin',
       });
-      mockUserManager.signinSilent.mockRejectedValue(errorResponse);
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      await expect((auth as any).refreshTokenAndUpdatePromise()).rejects.toThrow();
-      expect(mockEventEmitter.emit).toHaveBeenCalledWith(
-        AuthEvents.USER_REMOVED,
-        expect.objectContaining({
-          reason: 'refresh_failed',
-        }),
-      );
-      expect(mockUserManager.removeUser).toHaveBeenCalled();
     });
-    it('emits USER_REMOVED event for login_required error', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn(),
-        removeUser: jest.fn().mockResolvedValue(undefined),
+    it('extracts both zkEvm and arbitrum_one when present', () => {
+      const mockOidcUser = {
+        id_token: 'token',
+        access_token: 'access',
+        refresh_token: 'refresh',
+        expired: false,
+        profile: { sub: 'user-123', email: 'test@example.com', nickname: 'tester' },
       };
-      const { ErrorResponse } = jest.requireActual('oidc-client-ts');
-      const errorResponse = new ErrorResponse({
-        error: 'login_required',
-        error_description: 'User must re-authenticate',
+      (decodeJwtPayload as jest.Mock).mockReturnValue({
+        passport: {
+          zkevm_eth_address: '0xzkevmaddress',
+          zkevm_user_admin_address: '0xzkevmadmin',
+          arbitrum_one: {
+            eth_address: '0xarbaddress',
+            user_admin_address: '0xarbadmin',
+          },
+        },
       });
-      mockUserManager.signinSilent.mockRejectedValue(errorResponse);
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      await expect((auth as any).refreshTokenAndUpdatePromise()).rejects.toThrow();
-      expect(mockEventEmitter.emit).toHaveBeenCalledWith(
-        AuthEvents.USER_REMOVED,
-        expect.objectContaining({
-          reason: 'refresh_failed',
-        }),
-      );
-      expect(mockUserManager.removeUser).toHaveBeenCalled();
-    });
-    it('emits USER_REMOVED event for network errors', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn().mockRejectedValue(new Error('Network error: Failed to fetch')),
-        removeUser: jest.fn().mockResolvedValue(undefined),
-      };
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      await expect((auth as any).refreshTokenAndUpdatePromise()).rejects.toThrow();
-      expect(mockEventEmitter.emit).toHaveBeenCalledWith(
-        AuthEvents.USER_REMOVED,
-        expect.objectContaining({
-          reason: 'refresh_failed',
-        }),
-      );
-      expect(mockUserManager.removeUser).toHaveBeenCalled();
-    });
-    it('emits USER_REMOVED event for server_error OAuth error', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn(),
-        removeUser: jest.fn().mockResolvedValue(undefined),
-      };
+      const result = (Auth as any).mapOidcUserToDomainModel(mockOidcUser);
-      const { ErrorResponse } = jest.requireActual('oidc-client-ts');
-      const errorResponse = new ErrorResponse({
-        error: 'server_error',
-        error_description: 'Internal server error',
+      expect(result.zkEvm).toEqual({
+        ethAddress: '0xzkevmaddress',
+        userAdminAddress: '0xzkevmadmin',
+      });
+      expect(result.arbitrum_one).toEqual({
+        ethAddress: '0xarbaddress',
+        userAdminAddress: '0xarbadmin',
       });
-      mockUserManager.signinSilent.mockRejectedValue(errorResponse);
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      await expect((auth as any).refreshTokenAndUpdatePromise()).rejects.toThrow();
-      expect(mockEventEmitter.emit).toHaveBeenCalledWith(
-        AuthEvents.USER_REMOVED,
-        expect.objectContaining({
-          reason: 'refresh_failed',
-        }),
-      );
-      expect(mockUserManager.removeUser).toHaveBeenCalled();
-    });
-    it('emits USER_REMOVED event for unknown errors (safer default)', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn().mockRejectedValue(new Error('Some unknown error')),
-        removeUser: jest.fn().mockResolvedValue(undefined),
-      };
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
-      await expect((auth as any).refreshTokenAndUpdatePromise()).rejects.toThrow();
-      // Unknown errors should remove user (safer default)
-      expect(mockEventEmitter.emit).toHaveBeenCalledWith(
-        AuthEvents.USER_REMOVED,
-        expect.objectContaining({
-          reason: 'refresh_failed',
-        }),
-      );
-      expect(mockUserManager.removeUser).toHaveBeenCalled();
     });
-    it('does not emit USER_REMOVED event for ErrorTimeout', async () => {
-      const auth = Object.create(Auth.prototype) as Auth;
-      const mockEventEmitter = { emit: jest.fn() };
-      const mockUserManager = {
-        signinSilent: jest.fn(),
-        removeUser: jest.fn().mockResolvedValue(undefined),
+    it('maps username when creating OIDC user from device tokens', () => {
+      const tokenResponse = {
+        id_token: 'token',
+        access_token: 'access',
+        refresh_token: 'refresh',
+        token_type: 'Bearer',
+        expires_in: 3600,
       };
-      // Mock ErrorTimeout
-      const { ErrorTimeout } = jest.requireActual('oidc-client-ts');
-      const timeoutError = new ErrorTimeout('Silent sign-in timed out');
-      mockUserManager.signinSilent.mockRejectedValue(timeoutError);
-      (auth as any).eventEmitter = mockEventEmitter;
-      (auth as any).userManager = mockUserManager;
-      (auth as any).refreshingPromise = null;
+      (decodeJwtPayload as jest.Mock).mockReturnValue({
+        sub: 'user-123',
+        iss: 'issuer',
+        aud: 'audience',
+        exp: 1,
+        iat: 0,
+        email: 'test@example.com',
+        nickname: 'tester',
+        username: 'username123',
+        passport: undefined,
+      });
-      await expect((auth as any).refreshTokenAndUpdatePromise()).rejects.toThrow();
+      const oidcUser = (Auth as any).mapDeviceTokenResponseToOidcUser(tokenResponse);
-      expect(mockEventEmitter.emit).not.toHaveBeenCalledWith(
-        AuthEvents.USER_REMOVED,
-        expect.anything(),
-      );
-      expect(mockUserManager.removeUser).not.toHaveBeenCalled();
+      expect(decodeJwtPayload).toHaveBeenCalledWith('token');
+      expect(oidcUser.profile.username).toEqual('username123');
     });
   });

package/src/Auth.ts CHANGED Viewed

@@ -29,6 +29,7 @@ import {
   PassportMetadata,
   IdTokenPayload,
   isUserZkEvm,
+  EvmChain,
 } from './types';
 import EmbeddedLoginPrompt from './login/embeddedLoginPrompt';
 import TypedEventEmitter from './utils/typedEventEmitter';
@@ -570,12 +571,25 @@ export class Auth {
         username,
       },
     };
     if (passport?.zkevm_eth_address && passport?.zkevm_user_admin_address) {
       user.zkEvm = {
         ethAddress: passport.zkevm_eth_address,
         userAdminAddress: passport.zkevm_user_admin_address,
       };
     }
+    const chains = Object.values(EvmChain).filter((chain) => chain !== EvmChain.ZKEVM);
+    for (const chain of chains) {
+      const chainMetadata = passport?.[chain as Exclude<EvmChain, EvmChain.ZKEVM>];
+      if (chainMetadata?.eth_address && chainMetadata?.user_admin_address) {
+        user[chain] = {
+          ethAddress: chainMetadata.eth_address,
+          userAdminAddress: chainMetadata.user_admin_address,
+        };
+      }
+    }
     return user;
   };
@@ -765,21 +779,15 @@ export class Auth {
         try {
           const newOidcUser = await this.userManager.signinSilent();
           if (newOidcUser) {
-            const user = Auth.mapOidcUserToDomainModel(newOidcUser);
-            // Emit TOKEN_REFRESHED event so consumers (e.g., auth-next-client) can sync
-            // the new tokens to their session. This is critical for refresh token
-            // rotation - without this, the server-side session may have stale tokens.
-            this.eventEmitter.emit(AuthEvents.TOKEN_REFRESHED, user);
-            resolve(user);
+            resolve(Auth.mapOidcUserToDomainModel(newOidcUser));
             return;
           }
           resolve(null);
         } catch (err) {
           let passportErrorType = PassportErrorType.AUTHENTICATION_ERROR;
           let errorMessage = 'Failed to refresh token';
-          // Default to REMOVING user - safer to log out on unknown errors
-          // Only keep user logged in for explicitly known transient errors
           let removeUser = true;
           if (err instanceof ErrorTimeout) {
             passportErrorType = PassportErrorType.SILENT_LOGIN_ERROR;
             errorMessage = `${errorMessage}: ${err.message}`;
@@ -794,13 +802,6 @@ export class Auth {
           }
           if (removeUser) {
-            // Emit USER_REMOVED event BEFORE removing user so consumers can react
-            // (e.g., auth-next-client can clear the NextAuth session)
-            this.eventEmitter.emit(AuthEvents.USER_REMOVED, {
-              reason: 'refresh_failed',
-              error: errorMessage,
-            });
             try {
               await this.userManager.removeUser();
             } catch (removeUserError) {

package/src/index.ts CHANGED Viewed

@@ -17,13 +17,18 @@ export type {
   AuthModuleConfiguration,
   PopupOverlayOptions,
   PassportMetadata,
+  PassportChainMetadata,
+  ChainAddress,
   IdTokenPayload,
   PKCEData,
   AuthEventMap,
-  UserRemovedReason,
 } from './types';
 export {
-  isUserZkEvm, RollupType, MarketingConsentStatus, AuthEvents,
+  isUserZkEvm,
+  RollupType,
+  EvmChain,
+  MarketingConsentStatus,
+  AuthEvents,
 } from './types';
 // Export TypedEventEmitter

package/src/types.ts CHANGED Viewed

@@ -16,22 +16,45 @@ export enum RollupType {
   ZKEVM = 'zkEvm',
 }
+/**
+ * Supported EVM chains for user registration
+ * Matches EvmChain from @imtbl/wallet but defined here to avoid circular dependency
+ */
+export enum EvmChain {
+  ZKEVM = 'zkevm',
+  ARBITRUM_ONE = 'arbitrum_one',
+}
+export type ChainAddress = {
+  ethAddress: string;
+  userAdminAddress: string;
+};
 export type User = {
   idToken?: string;
   accessToken: string;
   refreshToken?: string;
   profile: UserProfile;
   expired?: boolean;
-  [RollupType.ZKEVM]?: {
-    ethAddress: string;
-    userAdminAddress: string;
-  };
+  [RollupType.ZKEVM]?: ChainAddress;
+} & {
+  [K in Exclude<EvmChain, EvmChain.ZKEVM>]?: ChainAddress;
+};
+export type PassportChainMetadata = {
+  eth_address: string;
+  user_admin_address: string;
 };
+/**
+ * Passport metadata
+ * - zkEVM: flat fields (zkevm_eth_address, zkevm_user_admin_address)
+ * - Other chains: nested objects (arbitrum_one: { eth_address, user_admin_address })
+ */
 export type PassportMetadata = {
   zkevm_eth_address?: string;
   zkevm_user_admin_address?: string;
-};
+} & Partial<Record<Exclude<EvmChain, EvmChain.ZKEVM>, PassportChainMetadata>>;
 export interface OidcConfiguration {
   clientId: string;
@@ -140,44 +163,12 @@ export type LoginOptions = {
 export enum AuthEvents {
   LOGGED_OUT = 'loggedOut',
   LOGGED_IN = 'loggedIn',
-  /**
-   * Emitted when tokens are refreshed via signinSilent().
-   * This is critical for refresh token rotation - when client-side refresh happens,
-   * the new tokens must be synced to server-side session to prevent race conditions.
-   */
-  TOKEN_REFRESHED = 'tokenRefreshed',
-  /**
-   * Emitted when the user is removed from local storage due to a permanent auth error.
-   * Only emitted for errors where the refresh token is truly invalid:
-   * - invalid_grant: refresh token expired, revoked, or already used
-   * - login_required: user must re-authenticate
-   * - consent_required / interaction_required: user must interact with auth server
-   *
-   * NOT emitted for transient errors (network, timeout, server errors) - user stays logged in.
-   * Consumers should sync this state by clearing their session (e.g., NextAuth signOut).
-   */
-  USER_REMOVED = 'userRemoved',
 }
-/**
- * Error reason for USER_REMOVED event.
- * Note: Network/timeout errors do NOT emit USER_REMOVED (user stays logged in),
- * so 'network_error' is not a valid reason.
- */
-export type UserRemovedReason =
-  // OAuth permanent errors (invalid_grant, login_required, etc.)
-  | 'refresh_token_invalid'
-  // Unknown non-OAuth errors
-  | 'refresh_failed'
-  // Fallback for truly unknown error types
-  | 'unknown';
 /**
  * Event map for typed event emitter
  */
 export interface AuthEventMap extends Record<string, any> {
   [AuthEvents.LOGGED_OUT]: [];
   [AuthEvents.LOGGED_IN]: [User];
-  [AuthEvents.TOKEN_REFRESHED]: [User];
-  [AuthEvents.USER_REMOVED]: [{ reason: UserRemovedReason; error?: string }];
 }