@lvce-editor/auth-worker 1.14.0 → 1.16.0

package/dist/authWorkerMain.js

@@ -1188,6 +1188,7 @@ const toBackendAuthState = value => {
   return {
     authAccessToken: getString(value.accessToken),
     authErrorMessage: getString(value.error),
+    authRefreshToken: getString(value.refreshToken),
     userName: getString(value.userName),
     userState: value.accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: getString(value.subscriptionPlan),
@@ -1261,7 +1262,22 @@ const waitForBackendLogin = async (backendUrl, timeoutMs = 30_000, pollIntervalM
   return getLoggedOutBackendAuthState(lastErrorMessage);
 };
 
-if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) ;
+let USER_AGENT;
+if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
+  const NAME = 'oauth4webapi';
+  const VERSION = 'v3.8.6';
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+function looseInstanceOf(input, expected) {
+  if (input == null) {
+    return false;
+  }
+  try {
+    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+  } catch {
+    return false;
+  }
+}
 const ERR_INVALID_ARG_VALUE = 'ERR_INVALID_ARG_VALUE';
 const ERR_INVALID_ARG_TYPE = 'ERR_INVALID_ARG_TYPE';
 function CodedTypeError(message, code, cause) {
@@ -1273,6 +1289,11 @@ function CodedTypeError(message, code, cause) {
   });
   return err;
 }
+const allowInsecureRequests = Symbol();
+const clockSkew = Symbol();
+const clockTolerance = Symbol();
+const customFetch = Symbol();
+const jweDecrypt = Symbol();
 const encoder = new TextEncoder();
 const decoder = new TextDecoder();
 function buf(input) {
@@ -1336,6 +1357,83 @@ function b64u(input) {
   }
   return encodeBase64Url(input);
 }
+class UnsupportedOperationError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = UNSUPPORTED_OPERATION;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class OperationProcessingError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    if (options?.code) {
+      this.code = options?.code;
+    }
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+function OPE(message, code, cause) {
+  return new OperationProcessingError(message, {
+    code,
+    cause
+  });
+}
+function isJsonObject(input) {
+  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
+    return false;
+  }
+  return true;
+}
+function prepareHeaders(input) {
+  if (looseInstanceOf(input, Headers)) {
+    input = Object.fromEntries(input.entries());
+  }
+  const headers = new Headers(input ?? {});
+  if (USER_AGENT && !headers.has('user-agent')) {
+    headers.set('user-agent', USER_AGENT);
+  }
+  if (headers.has('authorization')) {
+    throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
+  }
+  return headers;
+}
+function signal(url, value) {
+  if (value !== undefined) {
+    if (typeof value === 'function') {
+      value = value(url.href);
+    }
+    if (!(value instanceof AbortSignal)) {
+      throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
+    }
+    return value;
+  }
+  return undefined;
+}
+function assertNumber(input, allow0, it, code, cause) {
+  try {
+    if (typeof input !== 'number' || !Number.isFinite(input)) {
+      throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);
+    }
+    if (input > 0) return;
+    if (allow0) {
+      if (input !== 0) {
+        throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);
+      }
+      return;
+    }
+    throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);
+  } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
+    throw err;
+  }
+}
 function assertString(input, it, code, cause) {
   try {
     if (typeof input !== 'string') {
@@ -1345,9 +1443,32 @@ function assertString(input, it, code, cause) {
       throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
     }
   } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
     throw err;
   }
 }
+function assertApplicationJson(response) {
+  assertContentType(response, 'application/json');
+}
+function notJson(response, ...types) {
+  let msg = '"response" content-type must be ';
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `${types.join(', ')}, or ${last}`;
+  } else if (types.length === 2) {
+    msg += `${types[0]} or ${types[1]}`;
+  } else {
+    msg += types[0];
+  }
+  return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentType(response, contentType) {
+  if (getContentType(response) !== contentType) {
+    throw notJson(response, contentType);
+  }
+}
 function randomBytes() {
   return b64u(crypto.getRandomValues(new Uint8Array(32)));
 }
@@ -1358,6 +1479,581 @@ async function calculatePKCECodeChallenge(codeVerifier) {
   assertString(codeVerifier, 'codeVerifier');
   return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));
 }
+function getClockSkew(client) {
+  const skew = client?.[clockSkew];
+  return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+  const tolerance = client?.[clockTolerance];
+  return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+}
+function epochTime() {
+  return Math.floor(Date.now() / 1000);
+}
+function assertAs(as) {
+  if (typeof as !== 'object' || as === null) {
+    throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(as.issuer, '"as.issuer"');
+}
+function assertClient(client) {
+  if (typeof client !== 'object' || client === null) {
+    throw CodedTypeError('"client" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(client.client_id, '"client.client_id"');
+}
+function None() {
+  return (_as, client, body, _headers) => {
+    body.set('client_id', client.client_id);
+  };
+}
+const URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
+  try {
+    return new URL(url, base);
+  } catch {
+    return null;
+  }
+};
+function checkProtocol(url, enforceHttps) {
+  if (enforceHttps && url.protocol !== 'https:') {
+    throw OPE('only requests to HTTPS are allowed', HTTP_REQUEST_FORBIDDEN, url);
+  }
+  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+    throw OPE('only HTTP and HTTPS requests are allowed', REQUEST_PROTOCOL_FORBIDDEN, url);
+  }
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+  let url;
+  if (typeof value !== 'string' || !(url = URLParse(value))) {
+    throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, {
+      attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint
+    });
+  }
+  checkProtocol(url, enforceHttps);
+  return url;
+}
+function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+  if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
+    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+  }
+  return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+class ResponseBodyError extends Error {
+  cause;
+  code;
+  error;
+  status;
+  error_description;
+  response;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = RESPONSE_BODY_ERROR;
+    this.cause = options.cause;
+    this.error = options.cause.error;
+    this.status = options.response.status;
+    this.error_description = options.cause.error_description;
+    Object.defineProperty(this, 'response', {
+      enumerable: false,
+      value: options.response
+    });
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class WWWAuthenticateChallengeError extends Error {
+  cause;
+  code;
+  response;
+  status;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = WWW_AUTHENTICATE_CHALLENGE;
+    this.cause = options.cause;
+    this.status = options.response.status;
+    this.response = options.response;
+    Object.defineProperty(this, 'response', {
+      enumerable: false
+    });
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+const token68Match = '[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}';
+const quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
+const quotedParamMatcher = '(' + tokenMatch + ')\\s*=\\s*' + quotedMatch;
+const paramMatcher = '(' + tokenMatch + ')\\s*=\\s*(' + tokenMatch + ')';
+const schemeRE = new RegExp('^[,\\s]*(' + tokenMatch + ')');
+const quotedParamRE = new RegExp('^[,\\s]*' + quotedParamMatcher + '[,\\s]*(.*)');
+const unquotedParamRE = new RegExp('^[,\\s]*' + paramMatcher + '[,\\s]*(.*)');
+const token68ParamRE = new RegExp('^(' + token68Match + ')(?:$|[,\\s])(.*)');
+function parseWwwAuthenticateChallenges(response) {
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  const header = response.headers.get('www-authenticate');
+  if (header === null) {
+    return undefined;
+  }
+  const challenges = [];
+  let rest = header;
+  while (rest) {
+    let match = rest.match(schemeRE);
+    const scheme = match?.['1'].toLowerCase();
+    if (!scheme) {
+      return undefined;
+    }
+    const afterScheme = rest.substring(match[0].length);
+    if (afterScheme && !afterScheme.match(/^[\s,]/)) {
+      return undefined;
+    }
+    const spaceMatch = afterScheme.match(/^\s+(.*)$/);
+    const hasParameters = !!spaceMatch;
+    rest = spaceMatch ? spaceMatch[1] : undefined;
+    const parameters = {};
+    let token68;
+    if (hasParameters) {
+      while (rest) {
+        let key;
+        let value;
+        if (match = rest.match(quotedParamRE)) {
+          [, key, value, rest] = match;
+          if (value.includes('\\')) {
+            try {
+              value = JSON.parse(`"${value}"`);
+            } catch {}
+          }
+          parameters[key.toLowerCase()] = value;
+          continue;
+        }
+        if (match = rest.match(unquotedParamRE)) {
+          [, key, value, rest] = match;
+          parameters[key.toLowerCase()] = value;
+          continue;
+        }
+        if (match = rest.match(token68ParamRE)) {
+          if (Object.keys(parameters).length) {
+            break;
+          }
+          [, token68, rest] = match;
+          break;
+        }
+        return undefined;
+      }
+    } else {
+      rest = afterScheme || undefined;
+    }
+    const challenge = {
+      scheme,
+      parameters
+    };
+    if (token68) {
+      challenge.token68 = token68;
+    }
+    challenges.push(challenge);
+  }
+  if (!challenges.length) {
+    return undefined;
+  }
+  return challenges;
+}
+async function parseOAuthResponseErrorBody(response) {
+  if (response.status > 399 && response.status < 500) {
+    assertReadableResponse(response);
+    assertApplicationJson(response);
+    try {
+      const json = await response.clone().json();
+      if (isJsonObject(json) && typeof json.error === 'string' && json.error.length) {
+        return json;
+      }
+    } catch {}
+  }
+  return undefined;
+}
+async function checkOAuthBodyError(response, expected, label) {
+  if (response.status !== expected) {
+    checkAuthenticationChallenges(response);
+    let err;
+    if (err = await parseOAuthResponseErrorBody(response)) {
+      await response.body?.cancel();
+      throw new ResponseBodyError('server responded with an error in the response body', {
+        cause: err,
+        response
+      });
+    }
+    throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
+  }
+}
+function assertDPoP(option) {
+  if (!branded.has(option)) {
+    throw CodedTypeError('"options.DPoP" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);
+  }
+}
+function getContentType(input) {
+  return input.headers.get('content-type')?.split(';')[0];
+}
+async function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {
+  await clientAuthentication(as, client, body, headers);
+  headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');
+  return (options?.[customFetch] || fetch)(url.href, {
+    body,
+    headers: Object.fromEntries(headers.entries()),
+    method: 'POST',
+    redirect: 'manual',
+    signal: signal(url, options?.signal)
+  });
+}
+async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+  const url = resolveEndpoint(as, 'token_endpoint', client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+  parameters.set('grant_type', grantType);
+  const headers = prepareHeaders(options?.headers);
+  headers.set('accept', 'application/json');
+  if (options?.DPoP !== undefined) {
+    assertDPoP(options.DPoP);
+    await options.DPoP.addProof(url, headers, 'POST');
+  }
+  const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);
+  options?.DPoP?.cacheNonce(response, url);
+  return response;
+}
+const idTokenClaims = new WeakMap();
+const jwtRefs = new WeakMap();
+async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
+  assertAs(as);
+  assertClient(client);
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  await checkOAuthBodyError(response, 200, 'Token Endpoint');
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response);
+  assertString(json.access_token, '"response" body "access_token" property', INVALID_RESPONSE, {
+    body: json
+  });
+  assertString(json.token_type, '"response" body "token_type" property', INVALID_RESPONSE, {
+    body: json
+  });
+  json.token_type = json.token_type.toLowerCase();
+  if (json.expires_in !== undefined) {
+    let expiresIn = typeof json.expires_in !== 'number' ? parseFloat(json.expires_in) : json.expires_in;
+    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+      body: json
+    });
+    json.expires_in = expiresIn;
+  }
+  if (json.refresh_token !== undefined) {
+    assertString(json.refresh_token, '"response" body "refresh_token" property', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  if (json.scope !== undefined && typeof json.scope !== 'string') {
+    throw OPE('"response" body "scope" property must be a string', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  if (json.id_token !== undefined) {
+    assertString(json.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+      body: json
+    });
+    const requiredClaims = ['aud', 'exp', 'iat', 'iss', 'sub'];
+    if (client.require_auth_time === true) {
+      requiredClaims.push('auth_time');
+    }
+    if (client.default_max_age !== undefined) {
+      assertNumber(client.default_max_age, true, '"client.default_max_age"');
+      requiredClaims.push('auth_time');
+    }
+    const {
+      claims,
+      jwt
+    } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, 'RS256'), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(undefined, requiredClaims)).then(validateIssuer.bind(undefined, as)).then(validateAudience.bind(undefined, client.client_id));
+    if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+      if (claims.azp === undefined) {
+        throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, {
+          claims,
+          claim: 'aud'
+        });
+      }
+      if (claims.azp !== client.client_id) {
+        throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, {
+          expected: client.client_id,
+          claims,
+          claim: 'azp'
+        });
+      }
+    }
+    if (claims.auth_time !== undefined) {
+      assertNumber(claims.auth_time, true, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, {
+        claims
+      });
+    }
+    jwtRefs.set(response, jwt);
+    idTokenClaims.set(json, claims);
+  }
+  if (recognizedTokenTypes?.[json.token_type] !== undefined) {
+    recognizedTokenTypes[json.token_type](response, json);
+  } else if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {
+    throw new UnsupportedOperationError('unsupported `token_type` value', {
+      cause: {
+        body: json
+      }
+    });
+  }
+  return json;
+}
+function checkAuthenticationChallenges(response) {
+  let challenges;
+  if (challenges = parseWwwAuthenticateChallenges(response)) {
+    throw new WWWAuthenticateChallengeError('server responded with a challenge in the WWW-Authenticate HTTP Header', {
+      cause: challenges,
+      response
+    });
+  }
+}
+function validateAudience(expected, result) {
+  if (Array.isArray(result.claims.aud)) {
+    if (!result.claims.aud.includes(expected)) {
+      throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: result.claims,
+        claim: 'aud'
+      });
+    }
+  } else if (result.claims.aud !== expected) {
+    throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: 'aud'
+    });
+  }
+  return result;
+}
+function validateIssuer(as, result) {
+  const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+  if (result.claims.iss !== expected) {
+    throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: 'iss'
+    });
+  }
+  return result;
+}
+const branded = new WeakSet();
+const jwtClaimNames = {
+  aud: 'audience',
+  c_hash: 'code hash',
+  client_id: 'client id',
+  exp: 'expiration time',
+  iat: 'issued at',
+  iss: 'issuer',
+  jti: 'jwt id',
+  nonce: 'nonce',
+  s_hash: 'state hash',
+  sub: 'subject',
+  ath: 'access token hash',
+  htm: 'http method',
+  htu: 'http uri',
+  cnf: 'confirmation',
+  auth_time: 'authentication time'
+};
+function validatePresence(required, result) {
+  for (const claim of required) {
+    if (result.claims[claim] === undefined) {
+      throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
+        claims: result.claims
+      });
+    }
+  }
+  return result;
+}
+const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';
+const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';
+const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';
+const PARSE_ERROR = 'OAUTH_PARSE_ERROR';
+const INVALID_RESPONSE = 'OAUTH_INVALID_RESPONSE';
+const RESPONSE_IS_NOT_JSON = 'OAUTH_RESPONSE_IS_NOT_JSON';
+const RESPONSE_IS_NOT_CONFORM = 'OAUTH_RESPONSE_IS_NOT_CONFORM';
+const HTTP_REQUEST_FORBIDDEN = 'OAUTH_HTTP_REQUEST_FORBIDDEN';
+const REQUEST_PROTOCOL_FORBIDDEN = 'OAUTH_REQUEST_PROTOCOL_FORBIDDEN';
+const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';
+const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';
+const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';
+const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';
+async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+  assertAs(as);
+  assertClient(client);
+  assertString(grantType, '"grantType"');
+  return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options);
+}
+async function processGenericTokenEndpointResponse(as, client, response, options) {
+  return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+function assertReadableResponse(response) {
+  if (response.bodyUsed) {
+    throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
+  }
+}
+async function validateJwt(jws, checkAlg, clockSkew, clockTolerance, decryptJwt) {
+  let {
+    0: protectedHeader,
+    1: payload,
+    length
+  } = jws.split('.');
+  if (length === 5) {
+    if (decryptJwt !== undefined) {
+      jws = await decryptJwt(jws);
+      ({
+        0: protectedHeader,
+        1: payload,
+        length
+      } = jws.split('.'));
+    } else {
+      throw new UnsupportedOperationError('JWE decryption is not configured', {
+        cause: jws
+      });
+    }
+  }
+  if (length !== 3) {
+    throw OPE('Invalid JWT', INVALID_RESPONSE, jws);
+  }
+  let header;
+  try {
+    header = JSON.parse(buf(b64u(protectedHeader)));
+  } catch (cause) {
+    throw OPE('failed to parse JWT Header body as base64url encoded JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(header)) {
+    throw OPE('JWT Header must be a top level object', INVALID_RESPONSE, jws);
+  }
+  checkAlg(header);
+  if (header.crit !== undefined) {
+    throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
+      cause: {
+        header
+      }
+    });
+  }
+  let claims;
+  try {
+    claims = JSON.parse(buf(b64u(payload)));
+  } catch (cause) {
+    throw OPE('failed to parse JWT Payload body as base64url encoded JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(claims)) {
+    throw OPE('JWT Payload must be a top level object', INVALID_RESPONSE, jws);
+  }
+  const now = epochTime() + clockSkew;
+  if (claims.exp !== undefined) {
+    if (typeof claims.exp !== 'number') {
+      throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+    if (claims.exp <= now - clockTolerance) {
+      throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance,
+        claim: 'exp'
+      });
+    }
+  }
+  if (claims.iat !== undefined) {
+    if (typeof claims.iat !== 'number') {
+      throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+  }
+  if (claims.iss !== undefined) {
+    if (typeof claims.iss !== 'string') {
+      throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+  }
+  if (claims.nbf !== undefined) {
+    if (typeof claims.nbf !== 'number') {
+      throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+    if (claims.nbf > now + clockTolerance) {
+      throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance,
+        claim: 'nbf'
+      });
+    }
+  }
+  if (claims.aud !== undefined) {
+    if (typeof claims.aud !== 'string' && !Array.isArray(claims.aud)) {
+      throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, {
+        claims
+      });
+    }
+  }
+  return {
+    header,
+    claims,
+    jwt: jws
+  };
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+  if (client !== undefined) {
+    if (typeof client === 'string' ? header.alg !== client : !client.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: client,
+        reason: 'client configuration'
+      });
+    }
+    return;
+  }
+  if (Array.isArray(issuer)) {
+    if (!issuer.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: issuer,
+        reason: 'authorization server metadata'
+      });
+    }
+    return;
+  }
+  if (fallback !== undefined) {
+    if (typeof fallback === 'string' ? header.alg !== fallback : typeof fallback === 'function' ? !fallback(header.alg) : !fallback.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: fallback,
+        reason: 'default value'
+      });
+    }
+    return;
+  }
+  throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, {
+    client,
+    issuer,
+    fallback
+  });
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+  let json;
+  try {
+    json = await response.json();
+  } catch (cause) {
+    check(response);
+    throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(json)) {
+    throw OPE('"response" body must be a top level object', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  return json;
+}
+const _expectedIssuer = Symbol();
 
 // cspell:ignore pkce
 
@@ -1652,11 +2348,12 @@ const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirec
     codeChallenge,
     codeVerifier
   } = await createPkceValuesFn();
+  const nonce = createRandomUuid();
   const loginUrl = new URL(getBackendAuthUrl(backendUrl, '/oidc/auth'));
   loginUrl.searchParams.set('client_id', oidcClientId);
   loginUrl.searchParams.set('code_challenge', codeChallenge);
   loginUrl.searchParams.set('code_challenge_method', 'S256');
-  loginUrl.searchParams.set('nonce', createRandomUuid());
+  loginUrl.searchParams.set('nonce', nonce);
   loginUrl.searchParams.set('prompt', 'consent');
   loginUrl.searchParams.set('response_type', 'code');
   loginUrl.searchParams.set('scope', oidcScope);
@@ -1667,16 +2364,19 @@ const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirec
   return {
     codeVerifier,
     loginUrl: loginUrl.toString(),
+    nonce,
     redirectUri: effectiveRedirectUri
   };
 };
 
 const getLoggedInState = (state, response) => {
   const accessToken = typeof response.accessToken === 'string' ? response.accessToken : '';
+  const refreshToken = typeof response.refreshToken === 'string' ? response.refreshToken : '';
   return {
     ...state,
     authAccessToken: accessToken,
     authErrorMessage: '',
+    authRefreshToken: refreshToken,
     userName: typeof response.userName === 'string' ? response.userName : state.userName,
     userState: accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: typeof response.subscriptionPlan === 'string' ? response.subscriptionPlan : state.userSubscriptionPlan,
@@ -1691,22 +2391,108 @@ const isLoginResponse = value => {
   return true;
 };
 
+const databaseName = 'auth-worker';
+const objectStoreName = 'auth';
+const memoryStorage = new Map();
+let databasePromise;
+
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const transactionToPromise = transaction => {
+  return new Promise((resolve, reject) => {
+    transaction.addEventListener('complete', () => {
+      resolve();
+    });
+    transaction.addEventListener('abort', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+    transaction.addEventListener('error', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+  });
+};
+const getDatabase = async () => {
+  if (typeof indexedDB === 'undefined') {
+    return undefined;
+  }
+  if (!databasePromise) {
+    databasePromise = new Promise((resolve, reject) => {
+      const request = indexedDB.open(databaseName, 1);
+      request.addEventListener('upgradeneeded', () => {
+        const database = request.result;
+        if (!database.objectStoreNames.contains(objectStoreName)) {
+          database.createObjectStore(objectStoreName);
+        }
+      });
+      request.addEventListener('success', () => {
+        resolve(request.result);
+      });
+      request.addEventListener('error', () => {
+        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
+      });
+    });
+  }
+  return databasePromise;
+};
+const setPersistentAuthValue = async (key, value) => {
+  memoryStorage.set(key, value);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.put(value, key);
+  await transactionToPromise(transaction);
+};
+
+const getBackendOidcTokenUrl = backendUrl => {
+  return getBackendAuthUrl(backendUrl, '/oidc/token');
+};
+
+const getAuthorizationServer = backendUrl => {
+  return {
+    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
+    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
+    token_endpoint: getBackendOidcTokenUrl(backendUrl)
+  };
+};
+const getClient = () => {
+  return {
+    client_id: oidcClientId
+  };
+};
+const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
+  const authorizationServer = getAuthorizationServer(backendUrl);
+  const client = getClient();
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
+  return {
+    accessToken: tokenResponse.access_token,
+    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
+  };
+};
+
 const hasAuthorizationCode = value => {
   return typeof value === 'string' && value.length > 0;
 };
 const getElectronAuthorizationCode = async uid => {
   return invoke$2('OAuthServer.getCode', String(uid));
 };
-const waitForElectronBackendLogin = async (uid, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode) => {
+const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode, exchangeAuthorizationCode = exchangeElectronAuthorizationCode) => {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const authorizationCode = await getAuthorizationCode(uid);
     if (hasAuthorizationCode(authorizationCode)) {
+      const tokenResponse = await exchangeAuthorizationCode(backendUrl, authorizationCode, redirectUri, codeVerifier);
       return {
-        authCode: authorizationCode,
-        authCodeVerifier: codeVerifier,
+        authAccessToken: tokenResponse.accessToken,
         authErrorMessage: '',
-        userState: 'loggedOut'
+        authRefreshToken: tokenResponse.refreshToken,
+        userState: tokenResponse.accessToken ? 'loggedIn' : 'loggedOut'
       };
     }
     await delay(pollIntervalMs);
@@ -1714,6 +2500,14 @@ const waitForElectronBackendLogin = async (uid, codeVerifier, timeoutMs = 30_000
   return getLoggedOutBackendAuthState('Timed out waiting for backend login.');
 };
 
+const persistLoginResult = async loginResult => {
+  if (loginResult.userState !== 'loggedIn') {
+    return loginResult;
+  }
+  await setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? '');
+  await setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? '');
+  return loginResult;
+};
 const handleClickLogin = async options => {
   const {
     authUseRedirect,
@@ -1745,18 +2539,17 @@ const handleClickLogin = async options => {
           userState: 'loggedOut'
         };
       }
-      return getLoggedInState(signingInState, response);
+      return persistLoginResult(getLoggedInState(signingInState, response));
     }
     const uid = 0;
     const {
       codeVerifier,
-      loginUrl
+      loginUrl,
+      redirectUri
     } = await getBackendLoginRequest(backendUrl, platform, uid);
     await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
-    const authState = platform === Electron ? await waitForElectronBackendLogin(uid, codeVerifier) : await waitForBackendLogin(backendUrl);
-    return {
-      ...authState
-    };
+    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
+    return persistLoginResult(authState);
   } catch (error) {
     const errorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
     return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lvce-editor/auth-worker",
-  "version": "1.14.0",
+  "version": "1.16.0",
   "description": "Auth Worker",
   "repository": {
     "type": "git",