@logto/client 3.0.0-alpha.2 → 3.0.3

package/package.json

@@ -1,23 +1,15 @@
 {
   "name": "@logto/client",
-  "version": "3.0.0-alpha.2",
+  "version": "3.0.3",
   "type": "module",
-  "main": "./lib/index.cjs",
   "module": "./lib/index.js",
   "types": "./lib/index.d.ts",
+  "react-native": "./lib/shim.js",
   "exports": {
-    ".": {
-      "types": "./lib/index.d.ts",
-      "require": "./lib/index.cjs",
-      "import": "./lib/index.js",
-      "default": "./lib/index.js"
-    },
-    "./shim": {
-      "types": "./lib/shim.d.ts",
-      "require": "./lib/shim.cjs",
-      "import": "./lib/shim.js",
-      "default": "./lib/shim.js"
-    }
+    "types": "./lib/index.d.ts",
+    "react-native": "./lib/shim.js",
+    "import": "./lib/index.js",
+    "default": "./lib/index.js"
   },
   "files": [
     "lib"
@@ -29,27 +21,23 @@
     "directory": "packages/client"
   },
   "dependencies": {
-    "@logto/js": "^4.0.0-alpha.2",
-    "@silverhand/essentials": "^2.8.7",
-    "camelcase-keys": "^7.0.1",
-    "jose": "^5.0.0"
+    "@silverhand/essentials": "^2.9.2",
+    "camelcase-keys": "^9.1.3",
+    "jose": "^5.2.2",
+    "@logto/js": "^5.0.2"
   },
   "devDependencies": {
-    "@silverhand/eslint-config": "^5.0.0",
-    "@silverhand/ts-config": "^5.0.0",
-    "@swc/core": "^1.3.50",
-    "@swc/jest": "^0.2.24",
-    "@types/jest": "^29.5.0",
-    "@types/node": "^20.0.0",
-    "eslint": "^8.44.0",
-    "jest": "^29.5.0",
-    "jest-matcher-specific-error": "^1.0.0",
+    "@silverhand/eslint-config": "^6.0.1",
+    "@silverhand/ts-config": "^6.0.0",
+    "@types/node": "^22.0.0",
+    "@vitest/coverage-v8": "^1.6.0",
+    "eslint": "^8.57.0",
+    "happy-dom": "^15.10.2",
     "lint-staged": "^15.0.0",
-    "nock": "^13.3.0",
+    "nock": "14.0.0-beta.19",
     "prettier": "^3.0.0",
-    "text-encoder": "^0.0.4",
-    "type-fest": "^4.0.0",
-    "typescript": "^5.0.0"
+    "typescript": "^5.3.3",
+    "vitest": "^1.6.0"
   },
   "eslintConfig": {
     "extends": "@silverhand"
@@ -64,7 +52,8 @@
     "check": "tsc --noEmit",
     "build": "rm -rf lib/ && tsc -p tsconfig.build.json --noEmit && rollup -c",
     "lint": "eslint --ext .ts src",
-    "test": "jest",
-    "test:coverage": "jest --silent --env=jsdom && jest --silent --coverage"
+    "test": "vitest",
+    "test:dom": "vitest --config=vitest.config.dom.ts",
+    "test:coverage": "pnpm test:dom --silent --no-watch && pnpm run test --no-watch --silent --coverage"
   }
 }

package/lib/adapter/defaults.cjs

@@ -1,28 +0,0 @@
-'use strict';
-
-var js = require('@logto/js');
-var jose = require('jose');
-
-const issuedAtTimeTolerance = 300; // 5 minutes
-const verifyIdToken = async (idToken, clientId, issuer, jwks) => {
-    const result = await jose.jwtVerify(idToken, jwks, { audience: clientId, issuer });
-    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
-        throw new js.LogtoError('id_token.invalid_iat');
-    }
-};
-class DefaultJwtVerifier {
-    constructor(client) {
-        this.client = client;
-    }
-    async verifyIdToken(idToken) {
-        const { appId } = this.client.logtoConfig;
-        const { issuer, jwksUri } = await this.client.getOidcConfig();
-        if (!this.getJwtVerifyGetKey) {
-            this.getJwtVerifyGetKey = jose.createRemoteJWKSet(new URL(jwksUri));
-        }
-        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey);
-    }
-}
-
-exports.DefaultJwtVerifier = DefaultJwtVerifier;
-exports.verifyIdToken = verifyIdToken;

package/lib/adapter/index.cjs

@@ -1,63 +0,0 @@
-'use strict';
-
-var essentials = require('@silverhand/essentials');
-var types = require('./types.cjs');
-
-class ClientAdapterInstance {
-    /* END OF IMPLEMENTATION */
-    constructor(adapter) {
-        // eslint-disable-next-line @silverhand/fp/no-mutating-assign
-        Object.assign(this, adapter);
-    }
-    async setStorageItem(key, value) {
-        if (!value) {
-            await this.storage.removeItem(key);
-            return;
-        }
-        await this.storage.setItem(key, value);
-    }
-    /**
-     * Try to get the string value from the cache and parse as JSON.
-     * Return the parsed value if it is an object, return `undefined` otherwise.
-     *
-     * @param key The cache key to get value from.
-     */
-    async getCachedObject(key) {
-        const cached = await essentials.trySafe(async () => {
-            const data = await this.unstable_cache?.getItem(key);
-            // It's actually `unknown`
-            // eslint-disable-next-line no-restricted-syntax
-            return essentials.conditional(data && JSON.parse(data));
-        });
-        if (cached && typeof cached === 'object') {
-            // Trust cache for now
-            // eslint-disable-next-line no-restricted-syntax
-            return cached;
-        }
-    }
-    /**
-     * Try to get the value from the cache first, if it doesn't exist in cache,
-     * run the getter function and store the result into cache.
-     *
-     * @param key The cache key to get value from.
-     */
-    async getWithCache(key, getter) {
-        const cached = await this.getCachedObject(key);
-        if (cached) {
-            return cached;
-        }
-        const result = await getter();
-        await this.unstable_cache?.setItem(key, JSON.stringify(result));
-        return result;
-    }
-}
-
-Object.defineProperty(exports, "CacheKey", {
-    enumerable: true,
-    get: function () { return types.CacheKey; }
-});
-Object.defineProperty(exports, "PersistKey", {
-    enumerable: true,
-    get: function () { return types.PersistKey; }
-});
-exports.ClientAdapterInstance = ClientAdapterInstance;

package/lib/adapter/types.cjs

@@ -1,24 +0,0 @@
-'use strict';
-
-exports.PersistKey = void 0;
-(function (PersistKey) {
-    PersistKey["IdToken"] = "idToken";
-    PersistKey["RefreshToken"] = "refreshToken";
-    PersistKey["AccessToken"] = "accessToken";
-    PersistKey["SignInSession"] = "signInSession";
-})(exports.PersistKey || (exports.PersistKey = {}));
-exports.CacheKey = void 0;
-(function (CacheKey) {
-    /**
-     * OpenID Configuration endpoint response.
-     *
-     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse | OpenID Connect Discovery 1.0}
-     */
-    CacheKey["OpenidConfig"] = "openidConfiguration";
-    /**
-     * The content of OpenID Provider's `jwks_uri` (JSON Web Key Set).
-     *
-     * @see {@link https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata | OpenID Connect Discovery 1.0}
-     */
-    CacheKey["Jwks"] = "jwks";
-})(exports.CacheKey || (exports.CacheKey = {}));

package/lib/client.cjs

@@ -1,383 +0,0 @@
-'use strict';
-
-var js = require('@logto/js');
-var index$1 = require('./adapter/index.cjs');
-var errors = require('./errors.cjs');
-var index = require('./types/index.cjs');
-var index$2 = require('./utils/index.cjs');
-var memoize = require('./utils/memoize.cjs');
-var once = require('./utils/once.cjs');
-var types = require('./adapter/types.cjs');
-
-/**
- * The Logto base client class that provides the essential methods for
- * interacting with the Logto server.
- *
- * It also provides an adapter object that allows the customizations of the
- * client behavior for different environments.
- *
- * NOTE: Usually, you would use the `LogtoClient` class instead of `StandardLogtoClient` since it
- * provides the default JWT verifier. However, if you want to avoid the use of `jose` package
- * which is useful for certain environments that don't support native modules like `crypto`, you
- * can use `StandardLogtoClient` and provide your own JWT verifier.
- */
-class StandardLogtoClient {
-    constructor(logtoConfig, adapter, buildJwtVerifier) {
-        /**
-         * Get the OIDC configuration from the discovery endpoint. This method will
-         * only fetch the configuration once and cache the result.
-         */
-        this.getOidcConfig = once.once(this.#getOidcConfig);
-        /**
-         * Get the access token from the storage with refresh strategy.
-         *
-         * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
-         * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
-         *
-         * If you want to get the access token claims, use {@link getAccessTokenClaims} instead.
-         *
-         * @param resource The resource that the access token is granted for. If not
-         * specified, the access token will be used for OpenID Connect or the default
-         * resource, as specified in the Logto Console.
-         * @returns The access token string.
-         * @throws LogtoClientError if the user is not authenticated.
-         */
-        this.getAccessToken = memoize.memoize(this.#getAccessToken);
-        /**
-         * Get the access token for the specified organization from the storage with refresh strategy.
-         *
-         * Scope {@link UserScope.Organizations} is required in the config to use organization-related
-         * methods.
-         *
-         * @param organizationId The ID of the organization that the access token is granted for.
-         * @returns The access token string.
-         * @throws LogtoClientError if the user is not authenticated.
-         * @remarks
-         * It uses the same refresh strategy as {@link getAccessToken}.
-         */
-        this.getOrganizationToken = memoize.memoize(this.#getOrganizationToken);
-        /**
-         * Handle the sign-in callback by parsing the authorization code from the
-         * callback URI and exchanging it for the tokens.
-         *
-         * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
-         * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
-         * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
-         * @throws LogtoClientError if the sign-in session is not found.
-         */
-        this.handleSignInCallback = memoize.memoize(this.#handleSignInCallback);
-        this.accessTokenMap = new Map();
-        this.logtoConfig = index.normalizeLogtoConfig(logtoConfig);
-        this.adapter = new index$1.ClientAdapterInstance(adapter);
-        this.jwtVerifier = buildJwtVerifier(this);
-        void this.loadAccessTokenMap();
-    }
-    /**
-     * Check if the user is authenticated by checking if the ID token exists.
-     */
-    async isAuthenticated() {
-        return Boolean(await this.getIdToken());
-    }
-    /**
-     * Get the Refresh Token from the storage.
-     */
-    async getRefreshToken() {
-        return this.adapter.storage.getItem('refreshToken');
-    }
-    /**
-     * Get the ID Token from the storage. If you want to get the ID Token claims,
-     * use {@link getIdTokenClaims} instead.
-     */
-    async getIdToken() {
-        return this.adapter.storage.getItem('idToken');
-    }
-    /**
-     * Get the ID Token claims.
-     */
-    async getIdTokenClaims() {
-        const idToken = await this.getIdToken();
-        if (!idToken) {
-            throw new errors.LogtoClientError('not_authenticated');
-        }
-        return js.decodeIdToken(idToken);
-    }
-    /**
-     * Get the access token claims for the specified resource.
-     *
-     * @param resource The resource that the access token is granted for. If not
-     * specified, the access token will be used for OpenID Connect or the default
-     * resource, as specified in the Logto Console.
-     */
-    async getAccessTokenClaims(resource) {
-        const accessToken = await this.getAccessToken(resource);
-        return js.decodeAccessToken(accessToken);
-    }
-    /**
-     * Get the organization token claims for the specified organization.
-     *
-     * @param organizationId The ID of the organization that the access token is granted for.
-     */
-    async getOrganizationTokenClaims(organizationId) {
-        const accessToken = await this.getOrganizationToken(organizationId);
-        return js.decodeAccessToken(accessToken);
-    }
-    /**
-     * Get the user information from the Userinfo Endpoint.
-     *
-     * Note the Userinfo Endpoint will return more claims than the ID Token. See
-     * {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#fetch-user-information | Fetch user information}
-     * for more information.
-     *
-     * @returns The user information.
-     * @throws LogtoClientError if the user is not authenticated.
-     */
-    async fetchUserInfo() {
-        const { userinfoEndpoint } = await this.getOidcConfig();
-        const accessToken = await this.getAccessToken();
-        if (!accessToken) {
-            throw new errors.LogtoClientError('fetch_user_info_failed');
-        }
-        return js.fetchUserInfo(userinfoEndpoint, accessToken, this.adapter.requester);
-    }
-    /**
-     * Start the sign-in flow with the specified redirect URI. The URI must be
-     * registered in the Logto Console.
-     *
-     * The user will be redirected to that URI after the sign-in flow is completed,
-     * and the client will be able to get the authorization code from the URI.
-     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
-     * after the user is redirected in the callback URI.
-     *
-     * @param redirectUri The redirect URI that the user will be redirected to after the sign-in flow is completed.
-     * @param interactionMode The interaction mode to be used for the authorization request. Note it's not
-     * a part of the OIDC standard, but a Logto-specific extension. Defaults to `signIn`.
-     *
-     * @see {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#sign-in | Sign in} for more information.
-     * @see {@link InteractionMode}
-     */
-    async signIn(redirectUri, interactionMode) {
-        const { appId: clientId, prompt, resources, scopes } = this.logtoConfig;
-        const { authorizationEndpoint } = await this.getOidcConfig();
-        const [codeVerifier, state] = await Promise.all([
-            this.adapter.generateCodeVerifier(),
-            this.adapter.generateState(),
-        ]);
-        const codeChallenge = await this.adapter.generateCodeChallenge(codeVerifier);
-        const signInUri = js.generateSignInUri({
-            authorizationEndpoint,
-            clientId,
-            redirectUri,
-            codeChallenge,
-            state,
-            scopes,
-            resources,
-            prompt,
-            interactionMode,
-        });
-        await Promise.all([
-            this.setSignInSession({ redirectUri, codeVerifier, state }),
-            this.setRefreshToken(null),
-            this.setIdToken(null),
-        ]);
-        await this.adapter.navigate(signInUri, { redirectUri, for: 'sign-in' });
-    }
-    /**
-     * Check if the user is redirected from the sign-in page by checking if the
-     * current URL matches the redirect URI in the sign-in session.
-     *
-     * If there's no sign-in session, it will return `false`.
-     *
-     * @param url The current URL.
-     */
-    async isSignInRedirected(url) {
-        const signInSession = await this.getSignInSession();
-        if (!signInSession) {
-            return false;
-        }
-        const { redirectUri } = signInSession;
-        const { origin, pathname } = new URL(url);
-        return `${origin}${pathname}` === redirectUri;
-    }
-    /**
-     * Start the sign-out flow with the specified redirect URI. The URI must be
-     * registered in the Logto Console.
-     *
-     * It will also revoke all the tokens and clean up the storage.
-     *
-     * The user will be redirected that URI after the sign-out flow is completed.
-     * If the `postLogoutRedirectUri` is not specified, the user will be redirected
-     * to a default page.
-     */
-    async signOut(postLogoutRedirectUri) {
-        const { appId: clientId } = this.logtoConfig;
-        const { endSessionEndpoint, revocationEndpoint } = await this.getOidcConfig();
-        const refreshToken = await this.getRefreshToken();
-        if (refreshToken) {
-            try {
-                await js.revoke(revocationEndpoint, clientId, refreshToken, this.adapter.requester);
-            }
-            catch {
-                // Do nothing at this point, as we don't want to break the sign-out flow even if the revocation is failed
-            }
-        }
-        const url = js.generateSignOutUri({
-            endSessionEndpoint,
-            postLogoutRedirectUri,
-            clientId,
-        });
-        this.accessTokenMap.clear();
-        await Promise.all([
-            this.setRefreshToken(null),
-            this.setIdToken(null),
-            this.adapter.storage.removeItem('accessToken'),
-        ]);
-        await this.adapter.navigate(url, { redirectUri: postLogoutRedirectUri, for: 'sign-out' });
-    }
-    async getSignInSession() {
-        const jsonItem = await this.adapter.storage.getItem('signInSession');
-        if (!jsonItem) {
-            return null;
-        }
-        const item = JSON.parse(jsonItem);
-        if (!index.isLogtoSignInSessionItem(item)) {
-            throw new errors.LogtoClientError('sign_in_session.invalid');
-        }
-        return item;
-    }
-    async setSignInSession(value) {
-        return this.adapter.setStorageItem(types.PersistKey.SignInSession, value && JSON.stringify(value));
-    }
-    async setIdToken(value) {
-        return this.adapter.setStorageItem(types.PersistKey.IdToken, value);
-    }
-    async setRefreshToken(value) {
-        return this.adapter.setStorageItem(types.PersistKey.RefreshToken, value);
-    }
-    async getAccessTokenByRefreshToken(resource, organizationId) {
-        const currentRefreshToken = await this.getRefreshToken();
-        if (!currentRefreshToken) {
-            throw new errors.LogtoClientError('not_authenticated');
-        }
-        const accessTokenKey = index$2.buildAccessTokenKey(resource, organizationId);
-        const { appId: clientId } = this.logtoConfig;
-        const { tokenEndpoint } = await this.getOidcConfig();
-        const requestedAt = Math.round(Date.now() / 1000);
-        const { accessToken, refreshToken, idToken, scope, expiresIn } = await js.fetchTokenByRefreshToken({
-            clientId,
-            tokenEndpoint,
-            refreshToken: currentRefreshToken,
-            resource,
-            organizationId,
-        }, this.adapter.requester);
-        this.accessTokenMap.set(accessTokenKey, {
-            token: accessToken,
-            scope,
-            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
-             * in the token claims. It is utilized by the client to determine if the cached access token
-             * has expired and when a new access token should be requested.
-             */
-            expiresAt: requestedAt + expiresIn,
-        });
-        await this.saveAccessTokenMap();
-        if (refreshToken) {
-            await this.setRefreshToken(refreshToken);
-        }
-        if (idToken) {
-            await this.jwtVerifier.verifyIdToken(idToken);
-            await this.setIdToken(idToken);
-        }
-        return accessToken;
-    }
-    async saveAccessTokenMap() {
-        const data = {};
-        for (const [key, accessToken] of this.accessTokenMap.entries()) {
-            // eslint-disable-next-line @silverhand/fp/no-mutation
-            data[key] = accessToken;
-        }
-        await this.adapter.storage.setItem('accessToken', JSON.stringify(data));
-    }
-    async loadAccessTokenMap() {
-        const raw = await this.adapter.storage.getItem('accessToken');
-        if (!raw) {
-            return;
-        }
-        try {
-            const json = JSON.parse(raw);
-            if (!index.isLogtoAccessTokenMap(json)) {
-                return;
-            }
-            this.accessTokenMap.clear();
-            for (const [key, accessToken] of Object.entries(json)) {
-                this.accessTokenMap.set(key, accessToken);
-            }
-        }
-        catch (error) {
-            console.warn(error);
-        }
-    }
-    async #getOidcConfig() {
-        return this.adapter.getWithCache(types.CacheKey.OpenidConfig, async () => {
-            return js.fetchOidcConfig(index$2.getDiscoveryEndpoint(this.logtoConfig.endpoint), this.adapter.requester);
-        });
-    }
-    async #getAccessToken(resource, organizationId) {
-        if (!(await this.isAuthenticated())) {
-            throw new errors.LogtoClientError('not_authenticated');
-        }
-        const accessTokenKey = index$2.buildAccessTokenKey(resource, organizationId);
-        const accessToken = this.accessTokenMap.get(accessTokenKey);
-        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
-            return accessToken.token;
-        }
-        // Since the access token has expired, delete it from the map.
-        if (accessToken) {
-            this.accessTokenMap.delete(accessTokenKey);
-        }
-        /**
-         * Need to fetch a new access token using refresh token.
-         */
-        return this.getAccessTokenByRefreshToken(resource, organizationId);
-    }
-    async #getOrganizationToken(organizationId) {
-        if (!this.logtoConfig.scopes?.includes(js.UserScope.Organizations)) {
-            throw new errors.LogtoClientError('missing_scope_organizations');
-        }
-        return this.getAccessToken(undefined, organizationId);
-    }
-    async #handleSignInCallback(callbackUri) {
-        const signInSession = await this.getSignInSession();
-        if (!signInSession) {
-            throw new errors.LogtoClientError('sign_in_session.not_found');
-        }
-        const { redirectUri, state, codeVerifier } = signInSession;
-        const code = js.verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
-        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
-        const accessTokenKey = index$2.buildAccessTokenKey();
-        const { appId: clientId } = this.logtoConfig;
-        const { tokenEndpoint } = await this.getOidcConfig();
-        const requestedAt = Math.round(Date.now() / 1000);
-        const { idToken, refreshToken, accessToken, scope, expiresIn } = await js.fetchTokenByAuthorizationCode({
-            clientId,
-            tokenEndpoint,
-            redirectUri,
-            codeVerifier,
-            code,
-        }, this.adapter.requester);
-        await this.jwtVerifier.verifyIdToken(idToken);
-        await this.setRefreshToken(refreshToken ?? null);
-        await this.setIdToken(idToken);
-        this.accessTokenMap.set(accessTokenKey, {
-            token: accessToken,
-            scope,
-            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
-             * in the token claims. It is utilized by the client to determine if the cached access token
-             * has expired and when a new access token should be requested.
-             */
-            expiresAt: requestedAt + expiresIn,
-        });
-        await this.saveAccessTokenMap();
-        await this.setSignInSession(null);
-    }
-}
-
-exports.StandardLogtoClient = StandardLogtoClient;

package/lib/errors.cjs

@@ -1,22 +0,0 @@
-'use strict';
-
-var js = require('@logto/js');
-
-const logtoClientErrorCodes = Object.freeze({
-    'sign_in_session.invalid': 'Invalid sign-in session.',
-    'sign_in_session.not_found': 'Sign-in session not found.',
-    not_authenticated: 'Not authenticated.',
-    fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
-    user_cancelled: 'The user cancelled the action.',
-    missing_scope_organizations: `The \`${js.UserScope.Organizations}\` scope is required`,
-});
-class LogtoClientError extends Error {
-    constructor(code, data) {
-        super(logtoClientErrorCodes[code]);
-        this.name = 'LogtoClientError';
-        this.code = code;
-        this.data = data;
-    }
-}
-
-exports.LogtoClientError = LogtoClientError;