@logto/client 1.1.1 → 2.0.0

package/lib/adapter.d.ts

@@ -0,0 +1,17 @@
+import type { Requester } from '@logto/js';
+import type { Nullable } from '@silverhand/essentials';
+export type StorageKey = 'idToken' | 'refreshToken' | 'accessToken' | 'signInSession';
+export type Storage = {
+    getItem(key: StorageKey): Promise<Nullable<string>>;
+    setItem(key: StorageKey, value: string): Promise<void>;
+    removeItem(key: StorageKey): Promise<void>;
+};
+export type Navigate = (url: string) => void;
+export type ClientAdapter = {
+    requester: Requester;
+    storage: Storage;
+    navigate: Navigate;
+    generateState: () => string;
+    generateCodeVerifier: () => string;
+    generateCodeChallenge: (codeVerifier: string) => Promise<string>;
+};

package/lib/errors.cjs

@@ -0,0 +1,17 @@
+'use strict';
+
+const logtoClientErrorCodes = Object.freeze({
+    'sign_in_session.invalid': 'Invalid sign-in session.',
+    'sign_in_session.not_found': 'Sign-in session not found.',
+    not_authenticated: 'Not authenticated.',
+    fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
+});
+class LogtoClientError extends Error {
+    constructor(code, data) {
+        super(logtoClientErrorCodes[code]);
+        this.code = code;
+        this.data = data;
+    }
+}
+
+exports.LogtoClientError = LogtoClientError;

package/lib/errors.d.ts

@@ -0,0 +1,13 @@
+declare const logtoClientErrorCodes: Readonly<{
+    'sign_in_session.invalid': "Invalid sign-in session.";
+    'sign_in_session.not_found': "Sign-in session not found.";
+    not_authenticated: "Not authenticated.";
+    fetch_user_info_failed: "Unable to fetch user info. The access token may be invalid.";
+}>;
+export type LogtoClientErrorCode = keyof typeof logtoClientErrorCodes;
+export declare class LogtoClientError extends Error {
+    code: LogtoClientErrorCode;
+    data: unknown;
+    constructor(code: LogtoClientErrorCode, data?: unknown);
+}
+export {};

package/lib/errors.js

@@ -0,0 +1,15 @@
+const logtoClientErrorCodes = Object.freeze({
+    'sign_in_session.invalid': 'Invalid sign-in session.',
+    'sign_in_session.not_found': 'Sign-in session not found.',
+    not_authenticated: 'Not authenticated.',
+    fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
+});
+class LogtoClientError extends Error {
+    constructor(code, data) {
+        super(logtoClientErrorCodes[code]);
+        this.code = code;
+        this.data = data;
+    }
+}
+
+export { LogtoClientError };

package/lib/index.cjs

@@ -0,0 +1,285 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var js = require('@logto/js');
+var jose = require('jose');
+var errors = require('./errors.cjs');
+var index = require('./types/index.cjs');
+var index$1 = require('./utils/index.cjs');
+var once = require('./utils/once.cjs');
+var requester = require('./utils/requester.cjs');
+
+class LogtoClient {
+    constructor(logtoConfig, adapter) {
+        this.getOidcConfig = once.once(this._getOidcConfig);
+        this.getJwtVerifyGetKey = once.once(this._getJwtVerifyGetKey);
+        this.accessTokenMap = new Map();
+        this.logtoConfig = {
+            ...logtoConfig,
+            prompt: logtoConfig.prompt ?? js.Prompt.Consent,
+            scopes: js.withDefaultScopes(logtoConfig.scopes).split(' '),
+        };
+        this.adapter = adapter;
+        void this.loadAccessTokenMap();
+    }
+    async isAuthenticated() {
+        return Boolean(await this.getIdToken());
+    }
+    async getRefreshToken() {
+        return this.adapter.storage.getItem('refreshToken');
+    }
+    async getIdToken() {
+        return this.adapter.storage.getItem('idToken');
+    }
+    async getAccessToken(resource) {
+        if (!(await this.getIdToken())) {
+            throw new errors.LogtoClientError('not_authenticated');
+        }
+        const accessTokenKey = index$1.buildAccessTokenKey(resource);
+        const accessToken = this.accessTokenMap.get(accessTokenKey);
+        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
+            return accessToken.token;
+        }
+        // Since the access token has expired, delete it from the map.
+        if (accessToken) {
+            this.accessTokenMap.delete(accessTokenKey);
+        }
+        /**
+         * Need to fetch a new access token using refresh token.
+         */
+        return this.getAccessTokenByRefreshToken(resource);
+    }
+    async getIdTokenClaims() {
+        const idToken = await this.getIdToken();
+        if (!idToken) {
+            throw new errors.LogtoClientError('not_authenticated');
+        }
+        return js.decodeIdToken(idToken);
+    }
+    async fetchUserInfo() {
+        const { userinfoEndpoint } = await this.getOidcConfig();
+        const accessToken = await this.getAccessToken();
+        if (!accessToken) {
+            throw new errors.LogtoClientError('fetch_user_info_failed');
+        }
+        return js.fetchUserInfo(userinfoEndpoint, accessToken, this.adapter.requester);
+    }
+    async signIn(redirectUri, interactionMode) {
+        const { appId: clientId, prompt, resources, scopes } = this.logtoConfig;
+        const { authorizationEndpoint } = await this.getOidcConfig();
+        const codeVerifier = this.adapter.generateCodeVerifier();
+        const codeChallenge = await this.adapter.generateCodeChallenge(codeVerifier);
+        const state = this.adapter.generateState();
+        const signInUri = js.generateSignInUri({
+            authorizationEndpoint,
+            clientId,
+            redirectUri,
+            codeChallenge,
+            state,
+            scopes,
+            resources,
+            prompt,
+            interactionMode,
+        });
+        await this.setSignInSession({ redirectUri, codeVerifier, state });
+        await this.setRefreshToken(null);
+        await this.setIdToken(null);
+        this.adapter.navigate(signInUri);
+    }
+    async isSignInRedirected(url) {
+        const signInSession = await this.getSignInSession();
+        if (!signInSession) {
+            return false;
+        }
+        const { redirectUri } = signInSession;
+        const { origin, pathname } = new URL(url);
+        return `${origin}${pathname}` === redirectUri;
+    }
+    async handleSignInCallback(callbackUri) {
+        const { logtoConfig, adapter } = this;
+        const { requester } = adapter;
+        const signInSession = await this.getSignInSession();
+        if (!signInSession) {
+            throw new errors.LogtoClientError('sign_in_session.not_found');
+        }
+        const { redirectUri, state, codeVerifier } = signInSession;
+        const code = js.verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
+        const { appId: clientId } = logtoConfig;
+        const { tokenEndpoint } = await this.getOidcConfig();
+        const codeTokenResponse = await js.fetchTokenByAuthorizationCode({
+            clientId,
+            tokenEndpoint,
+            redirectUri,
+            codeVerifier,
+            code,
+        }, requester);
+        await this.verifyIdToken(codeTokenResponse.idToken);
+        await this.saveCodeToken(codeTokenResponse);
+        await this.setSignInSession(null);
+    }
+    async signOut(postLogoutRedirectUri) {
+        const { appId: clientId } = this.logtoConfig;
+        const { endSessionEndpoint, revocationEndpoint } = await this.getOidcConfig();
+        const refreshToken = await this.getRefreshToken();
+        if (refreshToken) {
+            try {
+                await js.revoke(revocationEndpoint, clientId, refreshToken, this.adapter.requester);
+            }
+            catch {
+                // Do nothing at this point, as we don't want to break the sign-out flow even if the revocation is failed
+            }
+        }
+        const url = js.generateSignOutUri({
+            endSessionEndpoint,
+            postLogoutRedirectUri,
+            clientId,
+        });
+        this.accessTokenMap.clear();
+        await this.setRefreshToken(null);
+        await this.setIdToken(null);
+        await this.adapter.storage.removeItem('accessToken');
+        this.adapter.navigate(url);
+    }
+    async getSignInSession() {
+        const jsonItem = await this.adapter.storage.getItem('signInSession');
+        if (!jsonItem) {
+            return null;
+        }
+        const item = JSON.parse(jsonItem);
+        if (!index.isLogtoSignInSessionItem(item)) {
+            throw new errors.LogtoClientError('sign_in_session.invalid');
+        }
+        return item;
+    }
+    async setSignInSession(logtoSignInSessionItem) {
+        if (!logtoSignInSessionItem) {
+            await this.adapter.storage.removeItem('signInSession');
+            return;
+        }
+        const jsonItem = JSON.stringify(logtoSignInSessionItem);
+        await this.adapter.storage.setItem('signInSession', jsonItem);
+    }
+    async setIdToken(idToken) {
+        if (!idToken) {
+            await this.adapter.storage.removeItem('idToken');
+            return;
+        }
+        await this.adapter.storage.setItem('idToken', idToken);
+    }
+    async setRefreshToken(refreshToken) {
+        if (!refreshToken) {
+            await this.adapter.storage.removeItem('refreshToken');
+            return;
+        }
+        await this.adapter.storage.setItem('refreshToken', refreshToken);
+    }
+    async getAccessTokenByRefreshToken(resource) {
+        const currentRefreshToken = await this.getRefreshToken();
+        if (!currentRefreshToken) {
+            throw new errors.LogtoClientError('not_authenticated');
+        }
+        const accessTokenKey = index$1.buildAccessTokenKey(resource);
+        const { appId: clientId } = this.logtoConfig;
+        const { tokenEndpoint } = await this.getOidcConfig();
+        const { accessToken, refreshToken, idToken, scope, expiresIn } = await js.fetchTokenByRefreshToken({
+            clientId,
+            tokenEndpoint,
+            refreshToken: currentRefreshToken,
+            resource,
+        }, this.adapter.requester);
+        this.accessTokenMap.set(accessTokenKey, {
+            token: accessToken,
+            scope,
+            expiresAt: Math.round(Date.now() / 1000) + expiresIn,
+        });
+        await this.saveAccessTokenMap();
+        await this.setRefreshToken(refreshToken);
+        if (idToken) {
+            await this.verifyIdToken(idToken);
+            await this.setIdToken(idToken);
+        }
+        return accessToken;
+    }
+    async _getOidcConfig() {
+        const { endpoint } = this.logtoConfig;
+        const discoveryEndpoint = index$1.getDiscoveryEndpoint(endpoint);
+        return js.fetchOidcConfig(discoveryEndpoint, this.adapter.requester);
+    }
+    async _getJwtVerifyGetKey() {
+        const { jwksUri } = await this.getOidcConfig();
+        return jose.createRemoteJWKSet(new URL(jwksUri));
+    }
+    async verifyIdToken(idToken) {
+        const { appId } = this.logtoConfig;
+        const { issuer } = await this.getOidcConfig();
+        const jwtVerifyGetKey = await this.getJwtVerifyGetKey();
+        await js.verifyIdToken(idToken, appId, issuer, jwtVerifyGetKey);
+    }
+    async saveCodeToken({ refreshToken, idToken, scope, accessToken, expiresIn, }) {
+        await this.setRefreshToken(refreshToken ?? null);
+        await this.setIdToken(idToken);
+        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
+        const accessTokenKey = index$1.buildAccessTokenKey();
+        const expiresAt = Date.now() / 1000 + expiresIn;
+        this.accessTokenMap.set(accessTokenKey, { token: accessToken, scope, expiresAt });
+        await this.saveAccessTokenMap();
+    }
+    async saveAccessTokenMap() {
+        const data = {};
+        for (const [key, accessToken] of this.accessTokenMap.entries()) {
+            // eslint-disable-next-line @silverhand/fp/no-mutation
+            data[key] = accessToken;
+        }
+        await this.adapter.storage.setItem('accessToken', JSON.stringify(data));
+    }
+    async loadAccessTokenMap() {
+        const raw = await this.adapter.storage.getItem('accessToken');
+        if (!raw) {
+            return;
+        }
+        try {
+            const json = JSON.parse(raw);
+            if (!index.isLogtoAccessTokenMap(json)) {
+                return;
+            }
+            this.accessTokenMap.clear();
+            for (const [key, accessToken] of Object.entries(json)) {
+                this.accessTokenMap.set(key, accessToken);
+            }
+        }
+        catch (error) {
+            console.warn(error);
+        }
+    }
+}
+
+Object.defineProperty(exports, 'LogtoError', {
+    enumerable: true,
+    get: function () { return js.LogtoError; }
+});
+Object.defineProperty(exports, 'LogtoRequestError', {
+    enumerable: true,
+    get: function () { return js.LogtoRequestError; }
+});
+Object.defineProperty(exports, 'OidcError', {
+    enumerable: true,
+    get: function () { return js.OidcError; }
+});
+Object.defineProperty(exports, 'Prompt', {
+    enumerable: true,
+    get: function () { return js.Prompt; }
+});
+Object.defineProperty(exports, 'ReservedScope', {
+    enumerable: true,
+    get: function () { return js.ReservedScope; }
+});
+Object.defineProperty(exports, 'UserScope', {
+    enumerable: true,
+    get: function () { return js.UserScope; }
+});
+exports.LogtoClientError = errors.LogtoClientError;
+exports.isLogtoAccessTokenMap = index.isLogtoAccessTokenMap;
+exports.isLogtoSignInSessionItem = index.isLogtoSignInSessionItem;
+exports.createRequester = requester.createRequester;
+exports.default = LogtoClient;

package/lib/index.d.ts

@@ -1,61 +1,17 @@
-import { Requester, Prompt, IdTokenClaims, UserInfoResponse, InteractionMode } from "@logto/js";
-import { Nullable, NormalizeKeyPaths } from "@silverhand/essentials";
-export type StorageKey = 'idToken' | 'refreshToken' | 'accessToken' | 'signInSession';
-export type Storage = {
-    getItem(key: StorageKey): Promise<Nullable<string>>;
-    setItem(key: StorageKey, value: string): Promise<void>;
-    removeItem(key: StorageKey): Promise<void>;
-};
-type Navigate = (url: string) => void;
-export type ClientAdapter = {
-    requester: Requester;
-    storage: Storage;
-    navigate: Navigate;
-    generateState: () => string;
-    generateCodeVerifier: () => string;
-    generateCodeChallenge: (codeVerifier: string) => Promise<string>;
-};
-declare const logtoClientErrorCodes: Readonly<{
-    sign_in_session: {
-        invalid: string;
-        not_found: string;
-    };
-    not_authenticated: "Not authenticated.";
-    fetch_user_info_failed: "Unable to fetch user info. The access token may be invalid.";
-}>;
-export type LogtoClientErrorCode = NormalizeKeyPaths<typeof logtoClientErrorCodes>;
-export class LogtoClientError extends Error {
-    code: LogtoClientErrorCode;
-    data: unknown;
-    constructor(code: LogtoClientErrorCode, data?: unknown);
-}
-export type LogtoConfig = {
-    endpoint: string;
-    appId: string;
-    appSecret?: string;
-    scopes?: string[];
-    resources?: string[];
-    prompt?: Prompt;
-};
-export type AccessToken = {
-    token: string;
-    scope: string;
-    expiresAt: number;
-};
-export const isLogtoSignInSessionItem: (data: unknown) => data is LogtoSignInSessionItem;
-export const isLogtoAccessTokenMap: (data: unknown) => data is Record<string, AccessToken>;
-export type LogtoSignInSessionItem = {
-    redirectUri: string;
-    codeVerifier: string;
-    state: string;
-};
-export const createRequester: (fetchFunction: typeof fetch) => Requester;
+import type { IdTokenClaims, UserInfoResponse, InteractionMode } from '@logto/js';
+import type { Nullable } from '@silverhand/essentials';
+import type { ClientAdapter } from './adapter.js';
+import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './types/index.js';
 export type { IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode } from '@logto/js';
 export { LogtoError, OidcError, Prompt, LogtoRequestError, ReservedScope, UserScope, } from '@logto/js';
+export * from './errors.js';
+export type { Storage, StorageKey, ClientAdapter } from './adapter.js';
+export { createRequester } from './utils/index.js';
+export * from './types/index.js';
 export default class LogtoClient {
     protected readonly logtoConfig: LogtoConfig;
-    protected readonly getOidcConfig: () => Promise<import("@silverhand/essentials").KeysToCamelCase<import("@logto/js").OidcConfigSnakeCaseResponse>>;
-    protected readonly getJwtVerifyGetKey: () => Promise<import("jose/dist/types/types").GetKeyFunction<import("jose").JWSHeaderParameters, import("jose").FlattenedJWSInput>>;
+    protected readonly getOidcConfig: typeof this._getOidcConfig;
+    protected readonly getJwtVerifyGetKey: (...args: unknown[]) => Promise<(protectedHeader?: import("jose").JWSHeaderParameters | undefined, token?: import("jose").FlattenedJWSInput | undefined) => Promise<import("jose").KeyLike>>;
     protected readonly adapter: ClientAdapter;
     protected readonly accessTokenMap: Map<string, AccessToken>;
     constructor(logtoConfig: LogtoConfig, adapter: ClientAdapter);
@@ -71,6 +27,13 @@ export default class LogtoClient {
     signOut(postLogoutRedirectUri?: string): Promise<void>;
     protected getSignInSession(): Promise<Nullable<LogtoSignInSessionItem>>;
     protected setSignInSession(logtoSignInSessionItem: Nullable<LogtoSignInSessionItem>): Promise<void>;
+    private setIdToken;
+    private setRefreshToken;
+    private getAccessTokenByRefreshToken;
+    private _getOidcConfig;
+    private _getJwtVerifyGetKey;
+    private verifyIdToken;
+    private saveCodeToken;
+    private saveAccessTokenMap;
+    private loadAccessTokenMap;
 }
-
-//# sourceMappingURL=index.d.ts.map