@logto/client 2.6.7 → 2.7.0

package/lib/adapter/defaults.cjs

@@ -3,24 +3,26 @@
 var js = require('@logto/js');
 var jose = require('jose');
 
-const issuedAtTimeTolerance = 300; // 5 minutes
-const verifyIdToken = async (idToken, clientId, issuer, jwks) => {
-    const result = await jose.jwtVerify(idToken, jwks, { audience: clientId, issuer });
-    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
+const defaultClockTolerance = 300; // 5 minutes
+const verifyIdToken = async (idToken, clientId, issuer, jwks, clockTolerance = defaultClockTolerance) => {
+    const result = await jose.jwtVerify(idToken, jwks, { audience: clientId, issuer, clockTolerance });
+    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > clockTolerance) {
         throw new js.LogtoError('id_token.invalid_iat');
     }
 };
 class DefaultJwtVerifier {
-    constructor(client) {
+    constructor(client, clockTolerance = defaultClockTolerance) {
         this.client = client;
+        this.clockTolerance = clockTolerance;
     }
     async verifyIdToken(idToken) {
         const { appId } = this.client.logtoConfig;
         const { issuer, jwksUri } = await this.client.getOidcConfig();
         this.getJwtVerifyGetKey ||= jose.createRemoteJWKSet(new URL(jwksUri));
-        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey);
+        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey, this.clockTolerance);
     }
 }
 
 exports.DefaultJwtVerifier = DefaultJwtVerifier;
+exports.defaultClockTolerance = defaultClockTolerance;
 exports.verifyIdToken = verifyIdToken;

package/lib/adapter/defaults.d.ts

@@ -1,10 +1,12 @@
 import type { JWTVerifyGetKey } from 'jose';
 import { type StandardLogtoClient } from '../client.js';
 import { type JwtVerifier } from './types.js';
-export declare const verifyIdToken: (idToken: string, clientId: string, issuer: string, jwks: JWTVerifyGetKey) => Promise<void>;
+export declare const defaultClockTolerance = 300;
+export declare const verifyIdToken: (idToken: string, clientId: string, issuer: string, jwks: JWTVerifyGetKey, clockTolerance?: number) => Promise<void>;
 export declare class DefaultJwtVerifier implements JwtVerifier {
     protected client: StandardLogtoClient;
+    readonly clockTolerance: number;
     protected getJwtVerifyGetKey?: JWTVerifyGetKey;
-    constructor(client: StandardLogtoClient);
+    constructor(client: StandardLogtoClient, clockTolerance?: number);
     verifyIdToken(idToken: string): Promise<void>;
 }

package/lib/adapter/defaults.js

@@ -1,23 +1,24 @@
 import { LogtoError } from '@logto/js';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
 
-const issuedAtTimeTolerance = 300; // 5 minutes
-const verifyIdToken = async (idToken, clientId, issuer, jwks) => {
-    const result = await jwtVerify(idToken, jwks, { audience: clientId, issuer });
-    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
+const defaultClockTolerance = 300; // 5 minutes
+const verifyIdToken = async (idToken, clientId, issuer, jwks, clockTolerance = defaultClockTolerance) => {
+    const result = await jwtVerify(idToken, jwks, { audience: clientId, issuer, clockTolerance });
+    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > clockTolerance) {
         throw new LogtoError('id_token.invalid_iat');
     }
 };
 class DefaultJwtVerifier {
-    constructor(client) {
+    constructor(client, clockTolerance = defaultClockTolerance) {
         this.client = client;
+        this.clockTolerance = clockTolerance;
     }
     async verifyIdToken(idToken) {
         const { appId } = this.client.logtoConfig;
         const { issuer, jwksUri } = await this.client.getOidcConfig();
         this.getJwtVerifyGetKey ||= createRemoteJWKSet(new URL(jwksUri));
-        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey);
+        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey, this.clockTolerance);
     }
 }
 
-export { DefaultJwtVerifier, verifyIdToken };
+export { DefaultJwtVerifier, defaultClockTolerance, verifyIdToken };

package/lib/client.cjs

@@ -23,6 +23,9 @@ var types = require('./adapter/types.cjs');
  * can use `StandardLogtoClient` and provide your own JWT verifier.
  */
 class StandardLogtoClient {
+    get jwtVerifier() {
+        return this.jwtVerifierInstance;
+    }
     constructor(logtoConfig, adapter, buildJwtVerifier) {
         /**
          * Get the OIDC configuration from the discovery endpoint. This method will
@@ -78,9 +81,17 @@ class StandardLogtoClient {
         this.accessTokenMap = new Map();
         this.logtoConfig = index.normalizeLogtoConfig(logtoConfig);
         this.adapter = new index$1.ClientAdapterInstance(adapter);
-        this.jwtVerifier = buildJwtVerifier(this);
+        this.jwtVerifierInstance = buildJwtVerifier(this);
         void this.loadAccessTokenMap();
     }
+    /**
+     * Set the JWT verifier for the client.
+     * @param buildJwtVerifier The JWT verifier instance or a function that returns the JWT verifier instance.
+     */
+    setJwtVerifier(buildJwtVerifier) {
+        this.jwtVerifierInstance =
+            typeof buildJwtVerifier === 'function' ? buildJwtVerifier(this) : buildJwtVerifier;
+    }
     /**
      * Check if the user is authenticated by checking if the ID token exists.
      */

package/lib/client.d.ts

@@ -85,9 +85,15 @@ export declare class StandardLogtoClient {
      */
     readonly handleSignInCallback: (this: unknown, callbackUri: string) => Promise<void>;
     readonly adapter: ClientAdapterInstance;
-    readonly jwtVerifier: JwtVerifier;
+    protected jwtVerifierInstance: JwtVerifier;
     protected readonly accessTokenMap: Map<string, AccessToken>;
+    get jwtVerifier(): JwtVerifier;
     constructor(logtoConfig: LogtoConfig, adapter: ClientAdapter, buildJwtVerifier: (client: StandardLogtoClient) => JwtVerifier);
+    /**
+     * Set the JWT verifier for the client.
+     * @param buildJwtVerifier The JWT verifier instance or a function that returns the JWT verifier instance.
+     */
+    setJwtVerifier(buildJwtVerifier: JwtVerifier | ((client: StandardLogtoClient) => JwtVerifier)): void;
     /**
      * Check if the user is authenticated by checking if the ID token exists.
      */

package/lib/client.js

@@ -21,6 +21,9 @@ import { PersistKey, CacheKey } from './adapter/types.js';
  * can use `StandardLogtoClient` and provide your own JWT verifier.
  */
 class StandardLogtoClient {
+    get jwtVerifier() {
+        return this.jwtVerifierInstance;
+    }
     constructor(logtoConfig, adapter, buildJwtVerifier) {
         /**
          * Get the OIDC configuration from the discovery endpoint. This method will
@@ -76,9 +79,17 @@ class StandardLogtoClient {
         this.accessTokenMap = new Map();
         this.logtoConfig = normalizeLogtoConfig(logtoConfig);
         this.adapter = new ClientAdapterInstance(adapter);
-        this.jwtVerifier = buildJwtVerifier(this);
+        this.jwtVerifierInstance = buildJwtVerifier(this);
         void this.loadAccessTokenMap();
     }
+    /**
+     * Set the JWT verifier for the client.
+     * @param buildJwtVerifier The JWT verifier instance or a function that returns the JWT verifier instance.
+     */
+    setJwtVerifier(buildJwtVerifier) {
+        this.jwtVerifierInstance =
+            typeof buildJwtVerifier === 'function' ? buildJwtVerifier(this) : buildJwtVerifier;
+    }
     /**
      * Check if the user is authenticated by checking if the ID token exists.
      */

package/lib/types/index.cjs

@@ -6,18 +6,21 @@ var essentials = require('@silverhand/essentials');
 /**
  * Normalize the Logto client configuration per the following rules:
  *
- * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
- * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided and
+ * `includeReservedScopes` is `true`.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is
+ * included in scopes.
  *
  * @param config The Logto client configuration to be normalized.
  * @returns The normalized Logto client configuration.
  */
 const normalizeLogtoConfig = (config) => {
     const { prompt = js.Prompt.Consent, scopes = [], resources, ...rest } = config;
+    const includeReservedScopes = config.includeReservedScopes ?? true;
     return {
         ...rest,
         prompt,
-        scopes: js.withDefaultScopes(scopes).split(' '),
+        scopes: includeReservedScopes ? js.withReservedScopes(scopes).split(' ') : scopes,
         resources: scopes.includes(js.UserScope.Organizations)
             ? essentials.deduplicate([...(resources ?? []), js.ReservedResource.Organization])
             : resources,

package/lib/types/index.d.ts

@@ -39,12 +39,20 @@ export type LogtoConfig = {
      * The prompt parameter to be used for the authorization request.
      */
     prompt?: Prompt | Prompt[];
+    /**
+     * Whether to include reserved scopes (`openid`, `offline_access` and `profile`) in the scopes.
+     *
+     * @default true
+     */
+    includeReservedScopes?: boolean;
 };
 /**
  * Normalize the Logto client configuration per the following rules:
  *
- * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
- * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided and
+ * `includeReservedScopes` is `true`.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is
+ * included in scopes.
  *
  * @param config The Logto client configuration to be normalized.
  * @returns The normalized Logto client configuration.

package/lib/types/index.js

@@ -1,21 +1,24 @@
-import { Prompt, withDefaultScopes, UserScope, ReservedResource, isArbitraryObject } from '@logto/js';
+import { Prompt, withReservedScopes, UserScope, ReservedResource, isArbitraryObject } from '@logto/js';
 import { deduplicate } from '@silverhand/essentials';
 
 /**
  * Normalize the Logto client configuration per the following rules:
  *
- * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
- * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided and
+ * `includeReservedScopes` is `true`.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is
+ * included in scopes.
  *
  * @param config The Logto client configuration to be normalized.
  * @returns The normalized Logto client configuration.
  */
 const normalizeLogtoConfig = (config) => {
     const { prompt = Prompt.Consent, scopes = [], resources, ...rest } = config;
+    const includeReservedScopes = config.includeReservedScopes ?? true;
     return {
         ...rest,
         prompt,
-        scopes: withDefaultScopes(scopes).split(' '),
+        scopes: includeReservedScopes ? withReservedScopes(scopes).split(' ') : scopes,
         resources: scopes.includes(UserScope.Organizations)
             ? deduplicate([...(resources ?? []), ReservedResource.Organization])
             : resources,

package/lib/utils/requester.cjs

@@ -15,12 +15,12 @@ const createRequester = (fetchFunction) => {
         if (!response.ok) {
             const responseJson = await response.json();
             console.error(`Logto requester error: [status=${response.status}]`, responseJson);
-            if (!js.isLogtoRequestError(responseJson)) {
+            if (!js.isLogtoRequestErrorJson(responseJson)) {
                 throw new js.LogtoError('unexpected_response_error', responseJson);
             }
             // Expected request error from server
             const { code, message } = responseJson;
-            throw new js.LogtoRequestError(code, message);
+            throw new js.LogtoRequestError(code, message, response.clone());
         }
         return response.json();
     };

package/lib/utils/requester.js

@@ -1,4 +1,4 @@
-import { isLogtoRequestError, LogtoError, LogtoRequestError } from '@logto/js';
+import { isLogtoRequestErrorJson, LogtoError, LogtoRequestError } from '@logto/js';
 
 /**
  * A factory function that creates a requester by accepting a `fetch`-like function.
@@ -13,12 +13,12 @@ const createRequester = (fetchFunction) => {
         if (!response.ok) {
             const responseJson = await response.json();
             console.error(`Logto requester error: [status=${response.status}]`, responseJson);
-            if (!isLogtoRequestError(responseJson)) {
+            if (!isLogtoRequestErrorJson(responseJson)) {
                 throw new LogtoError('unexpected_response_error', responseJson);
             }
             // Expected request error from server
             const { code, message } = responseJson;
-            throw new LogtoRequestError(code, message);
+            throw new LogtoRequestError(code, message, response.clone());
         }
         return response.json();
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/client",
-  "version": "2.6.7",
+  "version": "2.7.0",
   "type": "module",
   "main": "./lib/index.cjs",
   "module": "./lib/index.js",
@@ -32,7 +32,7 @@
     "@silverhand/essentials": "^2.8.7",
     "camelcase-keys": "^7.0.1",
     "jose": "^5.2.2",
-    "@logto/js": "^4.1.1"
+    "@logto/js": "^4.1.3"
   },
   "devDependencies": {
     "@silverhand/eslint-config": "^6.0.1",
@@ -42,7 +42,7 @@
     "eslint": "^8.57.0",
     "happy-dom": "^14.0.0",
     "lint-staged": "^15.0.0",
-    "nock": "14.0.0-beta.5",
+    "nock": "14.0.0-beta.7",
     "prettier": "^3.0.0",
     "typescript": "^5.3.3",
     "vitest": "^1.4.0"