npm - @lvce-editor/auth-worker - Versions diffs - 1.13.0 → 1.15.0 - Mend

@lvce-editor/auth-worker 1.13.0 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/authWorkerMain.js +869 -10
package/package.json +1 -1

package/dist/authWorkerMain.js CHANGED Viewed

@@ -1188,6 +1188,7 @@ const toBackendAuthState = value => {
   return {
     authAccessToken: getString(value.accessToken),
     authErrorMessage: getString(value.error),
+    authRefreshToken: getString(value.refreshToken),
     userName: getString(value.userName),
     userState: value.accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: getString(value.subscriptionPlan),
@@ -1261,7 +1262,22 @@ const waitForBackendLogin = async (backendUrl, timeoutMs = 30_000, pollIntervalM
   return getLoggedOutBackendAuthState(lastErrorMessage);
 };
-if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) ;
+let USER_AGENT;
+if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
+  const NAME = 'oauth4webapi';
+  const VERSION = 'v3.8.6';
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+function looseInstanceOf(input, expected) {
+  if (input == null) {
+    return false;
+  }
+  try {
+    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+  } catch {
+    return false;
+  }
+}
 const ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';
 const ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';
 function CodedTypeError(message, code, cause) {
@@ -1273,6 +1289,11 @@ function CodedTypeError(message, code, cause) {
   });
   return err;
 }
+const allowInsecureRequests = Symbol();
+const clockSkew = Symbol();
+const clockTolerance = Symbol();
+const customFetch = Symbol();
+const jweDecrypt = Symbol();
 const encoder = new TextEncoder();
 const decoder = new TextDecoder();
 function buf(input) {
@@ -1336,6 +1357,83 @@ function b64u(input) {
   }
   return encodeBase64Url(input);
 }
+class UnsupportedOperationError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = UNSUPPORTED_OPERATION;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class OperationProcessingError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    if (options?.code) {
+      this.code = options?.code;
+    }
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+function OPE(message, code, cause) {
+  return new OperationProcessingError(message, {
+    code,
+    cause
+  });
+}
+function isJsonObject(input) {
+  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
+    return false;
+  }
+  return true;
+}
+function prepareHeaders(input) {
+  if (looseInstanceOf(input, Headers)) {
+    input = Object.fromEntries(input.entries());
+  }
+  const headers = new Headers(input ?? {});
+  if (USER_AGENT && !headers.has('user-agent')) {
+    headers.set('user-agent', USER_AGENT);
+  }
+  if (headers.has('authorization')) {
+    throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
+  }
+  return headers;
+}
+function signal(url, value) {
+  if (value !== undefined) {
+    if (typeof value === 'function') {
+      value = value(url.href);
+    }
+    if (!(value instanceof AbortSignal)) {
+      throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
+    }
+    return value;
+  }
+  return undefined;
+}
+function assertNumber(input, allow0, it, code, cause) {
+  try {
+    if (typeof input !== 'number' || !Number.isFinite(input)) {
+      throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);
+    }
+    if (input > 0) return;
+    if (allow0) {
+      if (input !== 0) {
+        throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);
+      }
+      return;
+    }
+    throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);
+  } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
+    throw err;
+  }
+}
 function assertString(input, it, code, cause) {
   try {
     if (typeof input !== 'string') {
@@ -1345,9 +1443,32 @@ function assertString(input, it, code, cause) {
       throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
     }
   } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
     throw err;
   }
 }
+function assertApplicationJson(response) {
+  assertContentType(response, 'application/json');
+}
+function notJson(response, ...types) {
+  let msg = '"response" content-type must be ';
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `${types.join(', ')}, or ${last}`;
+  } else if (types.length === 2) {
+    msg += `${types[0]} or ${types[1]}`;
+  } else {
+    msg += types[0];
+  }
+  return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentType(response, contentType) {
+  if (getContentType(response) !== contentType) {
+    throw notJson(response, contentType);
+  }
+}
 function randomBytes() {
   return b64u(crypto.getRandomValues(new Uint8Array(32)));
 }
@@ -1358,6 +1479,708 @@ async function calculatePKCECodeChallenge(codeVerifier) {
   assertString(codeVerifier, 'codeVerifier');
   return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));
 }
+function getClockSkew(client) {
+  const skew = client?.[clockSkew];
+  return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+  const tolerance = client?.[clockTolerance];
+  return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+}
+function epochTime() {
+  return Math.floor(Date.now() / 1000);
+}
+function assertAs(as) {
+  if (typeof as !== 'object' || as === null) {
+    throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(as.issuer, '"as.issuer"');
+}
+function assertClient(client) {
+  if (typeof client !== 'object' || client === null) {
+    throw CodedTypeError('"client" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(client.client_id, '"client.client_id"');
+}
+function None() {
+  return (_as, client, body, _headers) => {
+    body.set('client_id', client.client_id);
+  };
+}
+const URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
+  try {
+    return new URL(url, base);
+  } catch {
+    return null;
+  }
+};
+function checkProtocol(url, enforceHttps) {
+  if (enforceHttps && url.protocol !== 'https:') {
+    throw OPE('only requests to HTTPS are allowed', HTTP_REQUEST_FORBIDDEN, url);
+  }
+  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+    throw OPE('only HTTP and HTTPS requests are allowed', REQUEST_PROTOCOL_FORBIDDEN, url);
+  }
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+  let url;
+  if (typeof value !== 'string' || !(url = URLParse(value))) {
+    throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, {
+      attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint
+    });
+  }
+  checkProtocol(url, enforceHttps);
+  return url;
+}
+function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+  if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
+    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+  }
+  return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+class ResponseBodyError extends Error {
+  cause;
+  code;
+  error;
+  status;
+  error_description;
+  response;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = RESPONSE_BODY_ERROR;
+    this.cause = options.cause;
+    this.error = options.cause.error;
+    this.status = options.response.status;
+    this.error_description = options.cause.error_description;
+    Object.defineProperty(this, 'response', {
+      enumerable: false,
+      value: options.response
+    });
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class WWWAuthenticateChallengeError extends Error {
+  cause;
+  code;
+  response;
+  status;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = WWW_AUTHENTICATE_CHALLENGE;
+    this.cause = options.cause;
+    this.status = options.response.status;
+    this.response = options.response;
+    Object.defineProperty(this, 'response', {
+      enumerable: false
+    });
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+const token68Match = '[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}';
+const quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
+const quotedParamMatcher = '(' + tokenMatch + ')\\s*=\\s*' + quotedMatch;
+const paramMatcher = '(' + tokenMatch + ')\\s*=\\s*(' + tokenMatch + ')';
+const schemeRE = new RegExp('^[,\\s]*(' + tokenMatch + ')');
+const quotedParamRE = new RegExp('^[,\\s]*' + quotedParamMatcher + '[,\\s]*(.*)');
+const unquotedParamRE = new RegExp('^[,\\s]*' + paramMatcher + '[,\\s]*(.*)');
+const token68ParamRE = new RegExp('^(' + token68Match + ')(?:$|[,\\s])(.*)');
+function parseWwwAuthenticateChallenges(response) {
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  const header = response.headers.get('www-authenticate');
+  if (header === null) {
+    return undefined;
+  }
+  const challenges = [];
+  let rest = header;
+  while (rest) {
+    let match = rest.match(schemeRE);
+    const scheme = match?.['1'].toLowerCase();
+    if (!scheme) {
+      return undefined;
+    }
+    const afterScheme = rest.substring(match[0].length);
+    if (afterScheme && !afterScheme.match(/^[\s,]/)) {
+      return undefined;
+    }
+    const spaceMatch = afterScheme.match(/^\s+(.*)$/);
+    const hasParameters = !!spaceMatch;
+    rest = spaceMatch ? spaceMatch[1] : undefined;
+    const parameters = {};
+    let token68;
+    if (hasParameters) {
+      while (rest) {
+        let key;
+        let value;
+        if (match = rest.match(quotedParamRE)) {
+          [, key, value, rest] = match;
+          if (value.includes('\\')) {
+            try {
+              value = JSON.parse(`"${value}"`);
+            } catch {}
+          }
+          parameters[key.toLowerCase()] = value;
+          continue;
+        }
+        if (match = rest.match(unquotedParamRE)) {
+          [, key, value, rest] = match;
+          parameters[key.toLowerCase()] = value;
+          continue;
+        }
+        if (match = rest.match(token68ParamRE)) {
+          if (Object.keys(parameters).length) {
+            break;
+          }
+          [, token68, rest] = match;
+          break;
+        }
+        return undefined;
+      }
+    } else {
+      rest = afterScheme || undefined;
+    }
+    const challenge = {
+      scheme,
+      parameters
+    };
+    if (token68) {
+      challenge.token68 = token68;
+    }
+    challenges.push(challenge);
+  }
+  if (!challenges.length) {
+    return undefined;
+  }
+  return challenges;
+}
+async function parseOAuthResponseErrorBody(response) {
+  if (response.status > 399 && response.status < 500) {
+    assertReadableResponse(response);
+    assertApplicationJson(response);
+    try {
+      const json = await response.clone().json();
+      if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {
+        return json;
+      }
+    } catch {}
+  }
+  return undefined;
+}
+async function checkOAuthBodyError(response, expected, label) {
+  if (response.status !== expected) {
+    checkAuthenticationChallenges(response);
+    let err;
+    if (err = await parseOAuthResponseErrorBody(response)) {
+      await response.body?.cancel();
+      throw new ResponseBodyError('server responded with an error in the response body', {
+        cause: err,
+        response
+      });
+    }
+    throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
+  }
+}
+function assertDPoP(option) {
+  if (!branded.has(option)) {
+    throw CodedTypeError('"options.DPoP" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);
+  }
+}
+function getContentType(input) {
+  return input.headers.get('content-type')?.split(';')[0];
+}
+async function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {
+  await clientAuthentication(as, client, body, headers);
+  headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');
+  return (options?.[customFetch] || fetch)(url.href, {
+    body,
+    headers: Object.fromEntries(headers.entries()),
+    method: 'POST',
+    redirect: 'manual',
+    signal: signal(url, options?.signal)
+  });
+}
+async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+  const url = resolveEndpoint(as, 'token_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+  parameters.set('grant_type', grantType);
+  const headers = prepareHeaders(options?.headers);
+  headers.set('accept', 'application/json');
+  if (options?.DPoP !== undefined) {
+    assertDPoP(options.DPoP);
+    await options.DPoP.addProof(url, headers, 'POST');
+  }
+  const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);
+  options?.DPoP?.cacheNonce(response, url);
+  return response;
+}
+const idTokenClaims = new WeakMap();
+const jwtRefs = new WeakMap();
+function getValidatedIdTokenClaims(ref) {
+  if (!ref.id_token) {
+    return undefined;
+  }
+  const claims = idTokenClaims.get(ref);
+  if (!claims) {
+    throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);
+  }
+  return claims;
+}
+async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
+  assertAs(as);
+  assertClient(client);
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  await checkOAuthBodyError(response, 200, 'Token Endpoint');
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response);
+  assertString(json.access_token, '"response" body "access_token" property', INVALID_RESPONSE, {
+    body: json
+  });
+  assertString(json.token_type, '"response" body "token_type" property', INVALID_RESPONSE, {
+    body: json
+  });
+  json.token_type = json.token_type.toLowerCase();
+  if (json.expires_in !== undefined) {
+    let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;
+    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+      body: json
+    });
+    json.expires_in = expiresIn;
+  }
+  if (json.refresh_token !== undefined) {
+    assertString(json.refresh_token, '"response" body "refresh_token" property', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  if (json.scope !== undefined && typeof json.scope !== 'string') {
+    throw OPE('"response" body "scope" property must be a string', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  if (json.id_token !== undefined) {
+    assertString(json.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+      body: json
+    });
+    const requiredClaims = ['aud', 'exp', 'iat', 'iss', 'sub'];
+    if (client.require_auth_time === true) {
+      requiredClaims.push('auth_time');
+    }
+    if (client.default_max_age !== undefined) {
+      assertNumber(client.default_max_age, true, '"client.default_max_age"');
+      requiredClaims.push('auth_time');
+    }
+    if (additionalRequiredIdTokenClaims?.length) {
+      requiredClaims.push(...additionalRequiredIdTokenClaims);
+    }
+    const {
+      claims,
+      jwt
+    } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(undefined, requiredClaims)).then(validateIssuer.bind(undefined, as)).then(validateAudience.bind(undefined, client.client_id));
+    if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+      if (claims.azp === undefined) {
+        throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, {
+          claims,
+          claim: 'aud'
+        });
+      }
+      if (claims.azp !== client.client_id) {
+        throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, {
+          expected: client.client_id,
+          claims,
+          claim: 'azp'
+        });
+      }
+    }
+    if (claims.auth_time !== undefined) {
+      assertNumber(claims.auth_time, true, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, {
+        claims
+      });
+    }
+    jwtRefs.set(response, jwt);
+    idTokenClaims.set(json, claims);
+  }
+  if (recognizedTokenTypes?.[json.token_type] !== undefined) {
+    recognizedTokenTypes[json.token_type](response, json);
+  } else if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {
+    throw new UnsupportedOperationError('unsupported `token_type` value', {
+      cause: {
+        body: json
+      }
+    });
+  }
+  return json;
+}
+function checkAuthenticationChallenges(response) {
+  let challenges;
+  if (challenges = parseWwwAuthenticateChallenges(response)) {
+    throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', {
+      cause: challenges,
+      response
+    });
+  }
+}
+function validateAudience(expected, result) {
+  if (Array.isArray(result.claims.aud)) {
+    if (!result.claims.aud.includes(expected)) {
+      throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: result.claims,
+        claim: 'aud'
+      });
+    }
+  } else if (result.claims.aud !== expected) {
+    throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: 'aud'
+    });
+  }
+  return result;
+}
+function validateIssuer(as, result) {
+  const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+  if (result.claims.iss !== expected) {
+    throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: 'iss'
+    });
+  }
+  return result;
+}
+const branded = new WeakSet();
+const nopkce = Symbol();
+async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
+  assertAs(as);
+  assertClient(client);
+  if (!branded.has(callbackParameters)) {
+    throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);
+  }
+  assertString(redirectUri, '"redirectUri"');
+  const code = getURLSearchParameter(callbackParameters, 'code');
+  if (!code) {
+    throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE);
+  }
+  const parameters = new URLSearchParams(options?.additionalParameters);
+  parameters.set('redirect_uri', redirectUri);
+  parameters.set('code', code);
+  if (codeVerifier !== nopkce) {
+    assertString(codeVerifier, '"codeVerifier"');
+    parameters.set('code_verifier', codeVerifier);
+  }
+  return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options);
+}
+const jwtClaimNames = {
+  aud: 'audience',
+  c_hash: 'code hash',
+  client_id: 'client id',
+  exp: 'expiration time',
+  iat: 'issued at',
+  iss: 'issuer',
+  jti: 'jwt id',
+  nonce: 'nonce',
+  s_hash: 'state hash',
+  sub: 'subject',
+  ath: 'access token hash',
+  htm: 'http method',
+  htu: 'http uri',
+  cnf: 'confirmation',
+  auth_time: 'authentication time'
+};
+function validatePresence(required, result) {
+  for (const claim of required) {
+    if (result.claims[claim] === undefined) {
+      throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
+        claims: result.claims
+      });
+    }
+  }
+  return result;
+}
+const expectNoNonce = Symbol();
+const skipAuthTimeCheck = Symbol();
+async function processAuthorizationCodeResponse(as, client, response, options) {
+  if (typeof options?.expectedNonce === 'string' || typeof options?.maxAge === 'number' || options?.requireIdToken) {
+    return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
+  }
+  return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
+  const additionalRequiredClaims = [];
+  switch (expectedNonce) {
+    case undefined:
+      expectedNonce = expectNoNonce;
+      break;
+    case expectNoNonce:
+      break;
+    default:
+      assertString(expectedNonce, '"expectedNonce" argument');
+      additionalRequiredClaims.push('nonce');
+  }
+  maxAge ??= client.default_max_age;
+  switch (maxAge) {
+    case undefined:
+      maxAge = skipAuthTimeCheck;
+      break;
+    case skipAuthTimeCheck:
+      break;
+    default:
+      assertNumber(maxAge, true, '"maxAge" argument');
+      additionalRequiredClaims.push('auth_time');
+  }
+  const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
+  assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+    body: result
+  });
+  const claims = getValidatedIdTokenClaims(result);
+  if (maxAge !== skipAuthTimeCheck) {
+    const now = epochTime() + getClockSkew(client);
+    const tolerance = getClockTolerance(client);
+    if (claims.auth_time + maxAge < now - tolerance) {
+      throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance,
+        claim: 'auth_time'
+      });
+    }
+  }
+  if (expectedNonce === expectNoNonce) {
+    if (claims.nonce !== undefined) {
+      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+        expected: undefined,
+        claims,
+        claim: 'nonce'
+      });
+    }
+  } else if (claims.nonce !== expectedNonce) {
+    throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+      expected: expectedNonce,
+      claims,
+      claim: 'nonce'
+    });
+  }
+  return result;
+}
+async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
+  const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);
+  const claims = getValidatedIdTokenClaims(result);
+  if (claims) {
+    if (client.default_max_age !== undefined) {
+      assertNumber(client.default_max_age, true, '"client.default_max_age"');
+      const now = epochTime() + getClockSkew(client);
+      const tolerance = getClockTolerance(client);
+      if (claims.auth_time + client.default_max_age < now - tolerance) {
+        throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, {
+          claims,
+          now,
+          tolerance,
+          claim: 'auth_time'
+        });
+      }
+    }
+    if (claims.nonce !== undefined) {
+      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+        expected: undefined,
+        claims,
+        claim: 'nonce'
+      });
+    }
+  }
+  return result;
+}
+const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';
+const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';
+const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';
+const PARSE_ERROR = 'OAUTH_PARSE_ERROR';
+const INVALID_RESPONSE = 'OAUTH_INVALID_RESPONSE';
+const RESPONSE_IS_NOT_JSON = 'OAUTH_RESPONSE_IS_NOT_JSON';
+const RESPONSE_IS_NOT_CONFORM = 'OAUTH_RESPONSE_IS_NOT_CONFORM';
+const HTTP_REQUEST_FORBIDDEN = 'OAUTH_HTTP_REQUEST_FORBIDDEN';
+const REQUEST_PROTOCOL_FORBIDDEN = 'OAUTH_REQUEST_PROTOCOL_FORBIDDEN';
+const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';
+const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';
+const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';
+const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';
+function assertReadableResponse(response) {
+  if (response.bodyUsed) {
+    throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
+  }
+}
+async function validateJwt(jws, checkAlg, clockSkew, clockTolerance, decryptJwt) {
+  let {
+    0: protectedHeader,
+    1: payload,
+    length
+  } = jws.split('.');
+  if (length === 5) {
+    if (decryptJwt !== undefined) {
+      jws = await decryptJwt(jws);
+      ({
+        0: protectedHeader,
+        1: payload,
+        length
+      } = jws.split('.'));
+    } else {
+      throw new UnsupportedOperationError('JWE decryption is not configured', {
+        cause: jws
+      });
+    }
+  }
+  if (length !== 3) {
+    throw OPE('Invalid JWT', INVALID_RESPONSE, jws);
+  }
+  let header;
+  try {
+    header = JSON.parse(buf(b64u(protectedHeader)));
+  } catch (cause) {
+    throw OPE('failed to parse JWT Header body as base64url encoded JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(header)) {
+    throw OPE('JWT Header must be a top level object', INVALID_RESPONSE, jws);
+  }
+  checkAlg(header);
+  if (header.crit !== undefined) {
+    throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
+      cause: {
+        header
+      }
+    });
+  }
+  let claims;
+  try {
+    claims = JSON.parse(buf(b64u(payload)));
+  } catch (cause) {
+    throw OPE('failed to parse JWT Payload body as base64url encoded JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(claims)) {
+    throw OPE('JWT Payload must be a top level object', INVALID_RESPONSE, jws);
+  }
+  const now = epochTime() + clockSkew;
+  if (claims.exp !== undefined) {
+    if (typeof claims.exp !== 'number') {
+      throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+    if (claims.exp <= now - clockTolerance) {
+      throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance,
+        claim: 'exp'
+      });
+    }
+  }
+  if (claims.iat !== undefined) {
+    if (typeof claims.iat !== 'number') {
+      throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+  }
+  if (claims.iss !== undefined) {
+    if (typeof claims.iss !== 'string') {
+      throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+  }
+  if (claims.nbf !== undefined) {
+    if (typeof claims.nbf !== 'number') {
+      throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+    if (claims.nbf > now + clockTolerance) {
+      throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance,
+        claim: 'nbf'
+      });
+    }
+  }
+  if (claims.aud !== undefined) {
+    if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {
+      throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+  }
+  return {
+    header,
+    claims,
+    jwt: jws
+  };
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+  if (client !== undefined) {
+    if (typeof client === 'string' ? header.alg !== client : !client.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: client,
+        reason: 'client configuration'
+      });
+    }
+    return;
+  }
+  if (Array.isArray(issuer)) {
+    if (!issuer.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: issuer,
+        reason: 'authorization server metadata'
+      });
+    }
+    return;
+  }
+  if (fallback !== undefined) {
+    if (typeof fallback === 'string' ? header.alg !== fallback : typeof fallback === 'function' ? !fallback(header.alg) : !fallback.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: fallback,
+        reason: 'default value'
+      });
+    }
+    return;
+  }
+  throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, {
+    client,
+    issuer,
+    fallback
+  });
+}
+function getURLSearchParameter(parameters, name) {
+  const {
+    0: value,
+    length
+  } = parameters.getAll(name);
+  if (length > 1) {
+    throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
+  }
+  return value;
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+  let json;
+  try {
+    json = await response.json();
+  } catch (cause) {
+    check(response);
+    throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(json)) {
+    throw OPE('"response" body must be a top level object', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  return json;
+}
+const _expectedIssuer = Symbol();
 // cspell:ignore pkce
@@ -1646,19 +2469,18 @@ const getEffectiveRedirectUri = async (platform, uid, redirectUri) => {
 const oidcClientId = 'lvce-editor-native';
 const oidcScope = 'openid offline_access profile email';
-// cspell:ignore pkce
 const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirectUri = '', createPkceValuesFn = createPkceValues, createRandomUuid = () => globalThis.crypto.randomUUID()) => {
   const effectiveRedirectUri = await getEffectiveRedirectUri(platform, uid, redirectUri);
   const {
     codeChallenge,
     codeVerifier
   } = await createPkceValuesFn();
+  const nonce = createRandomUuid();
   const loginUrl = new URL(getBackendAuthUrl(backendUrl, '/oidc/auth'));
   loginUrl.searchParams.set('client_id', oidcClientId);
   loginUrl.searchParams.set('code_challenge', codeChallenge);
   loginUrl.searchParams.set('code_challenge_method', 'S256');
-  loginUrl.searchParams.set('nonce', createRandomUuid());
+  loginUrl.searchParams.set('nonce', nonce);
   loginUrl.searchParams.set('prompt', 'consent');
   loginUrl.searchParams.set('response_type', 'code');
   loginUrl.searchParams.set('scope', oidcScope);
@@ -1669,16 +2491,19 @@ const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirec
   return {
     codeVerifier,
     loginUrl: loginUrl.toString(),
+    nonce,
     redirectUri: effectiveRedirectUri
   };
 };
 const getLoggedInState = (state, response) => {
   const accessToken = typeof response.accessToken === 'string' ? response.accessToken : '';
+  const refreshToken = typeof response.refreshToken === 'string' ? response.refreshToken : '';
   return {
     ...state,
     authAccessToken: accessToken,
     authErrorMessage: '',
+    authRefreshToken: refreshToken,
     userName: typeof response.userName === 'string' ? response.userName : state.userName,
     userState: accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: typeof response.subscriptionPlan === 'string' ? response.subscriptionPlan : state.userSubscriptionPlan,
@@ -1693,22 +2518,54 @@ const isLoginResponse = value => {
   return true;
 };
+const getBackendOidcTokenUrl = backendUrl => {
+  return getBackendAuthUrl(backendUrl, '/oidc/token');
+};
+const getAuthorizationServer = backendUrl => {
+  return {
+    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
+    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
+    token_endpoint: getBackendOidcTokenUrl(backendUrl)
+  };
+};
+const getClient = () => {
+  return {
+    client_id: oidcClientId
+  };
+};
+const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, nonce, requestAuthorizationCodeGrant = authorizationCodeGrantRequest, processAuthorizationCodeGrantResponse = processAuthorizationCodeResponse) => {
+  const authorizationServer = getAuthorizationServer(backendUrl);
+  const client = getClient();
+  const response = await requestAuthorizationCodeGrant(authorizationServer, client, None(), new URLSearchParams({
+    code
+  }), redirectUri, codeVerifier);
+  const tokenResponse = await processAuthorizationCodeGrantResponse(authorizationServer, client, response, {
+    expectedNonce: nonce
+  });
+  return {
+    accessToken: tokenResponse.access_token,
+    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
+  };
+};
 const hasAuthorizationCode = value => {
   return typeof value === 'string' && value.length > 0;
 };
 const getElectronAuthorizationCode = async uid => {
   return invoke$2('OAuthServer.getCode', String(uid));
 };
-const waitForElectronBackendLogin = async (uid, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode) => {
+const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, nonce, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode, exchangeAuthorizationCode = exchangeElectronAuthorizationCode) => {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const authorizationCode = await getAuthorizationCode(uid);
     if (hasAuthorizationCode(authorizationCode)) {
+      const tokenResponse = await exchangeAuthorizationCode(backendUrl, authorizationCode, redirectUri, codeVerifier, nonce);
       return {
-        authCode: authorizationCode,
-        authCodeVerifier: codeVerifier,
+        authAccessToken: tokenResponse.accessToken,
         authErrorMessage: '',
-        userState: 'loggedOut'
+        authRefreshToken: tokenResponse.refreshToken,
+        userState: tokenResponse.accessToken ? 'loggedIn' : 'loggedOut'
       };
     }
     await delay(pollIntervalMs);
@@ -1752,10 +2609,12 @@ const handleClickLogin = async options => {
     const uid = 0;
     const {
       codeVerifier,
-      loginUrl
+      loginUrl,
+      nonce,
+      redirectUri
     } = await getBackendLoginRequest(backendUrl, platform, uid);
     await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
-    const authState = platform === Electron ? await waitForElectronBackendLogin(uid, codeVerifier) : await waitForBackendLogin(backendUrl);
+    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, nonce, codeVerifier) : await waitForBackendLogin(backendUrl);
     return {
       ...authState
     };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lvce-editor/auth-worker",
-  "version": "1.13.0",
+  "version": "1.15.0",
   "description": "Auth Worker",
   "repository": {
     "type": "git",