npm - @lvce-editor/auth-worker - Versions diffs - 1.15.0 → 1.16.0 - Mend

@lvce-editor/auth-worker 1.15.0 → 1.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/authWorkerMain.js +83 -151
package/package.json +1 -1

package/dist/authWorkerMain.js CHANGED Viewed

@@ -1718,16 +1718,6 @@ async function tokenEndpointRequest(as, client, clientAuthentication, grantType,
 }
 const idTokenClaims = new WeakMap();
 const jwtRefs = new WeakMap();
-function getValidatedIdTokenClaims(ref) {
-  if (!ref.id_token) {
-    return undefined;
-  }
-  const claims = idTokenClaims.get(ref);
-  if (!claims) {
-    throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);
-  }
-  return claims;
-}
 async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
   assertAs(as);
   assertClient(client);
@@ -1773,9 +1763,6 @@ async function processGenericAccessTokenResponse(as, client, response, additiona
       assertNumber(client.default_max_age, true, '"client.default_max_age"');
       requiredClaims.push('auth_time');
     }
-    if (additionalRequiredIdTokenClaims?.length) {
-      requiredClaims.push(...additionalRequiredIdTokenClaims);
-    }
     const {
       claims,
       jwt
@@ -1853,27 +1840,6 @@ function validateIssuer(as, result) {
   return result;
 }
 const branded = new WeakSet();
-const nopkce = Symbol();
-async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!branded.has(callbackParameters)) {
-    throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);
-  }
-  assertString(redirectUri, '"redirectUri"');
-  const code = getURLSearchParameter(callbackParameters, 'code');
-  if (!code) {
-    throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE);
-  }
-  const parameters = new URLSearchParams(options?.additionalParameters);
-  parameters.set('redirect_uri', redirectUri);
-  parameters.set('code', code);
-  if (codeVerifier !== nopkce) {
-    assertString(codeVerifier, '"codeVerifier"');
-    parameters.set('code_verifier', codeVerifier);
-  }
-  return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options);
-}
 const jwtClaimNames = {
   aud: 'audience',
   c_hash: 'code hash',
@@ -1901,98 +1867,6 @@ function validatePresence(required, result) {
   }
   return result;
 }
-const expectNoNonce = Symbol();
-const skipAuthTimeCheck = Symbol();
-async function processAuthorizationCodeResponse(as, client, response, options) {
-  if (typeof options?.expectedNonce === 'string' || typeof options?.maxAge === 'number' || options?.requireIdToken) {
-    return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
-  }
-  return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
-}
-async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
-  const additionalRequiredClaims = [];
-  switch (expectedNonce) {
-    case undefined:
-      expectedNonce = expectNoNonce;
-      break;
-    case expectNoNonce:
-      break;
-    default:
-      assertString(expectedNonce, '"expectedNonce" argument');
-      additionalRequiredClaims.push('nonce');
-  }
-  maxAge ??= client.default_max_age;
-  switch (maxAge) {
-    case undefined:
-      maxAge = skipAuthTimeCheck;
-      break;
-    case skipAuthTimeCheck:
-      break;
-    default:
-      assertNumber(maxAge, true, '"maxAge" argument');
-      additionalRequiredClaims.push('auth_time');
-  }
-  const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
-  assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
-    body: result
-  });
-  const claims = getValidatedIdTokenClaims(result);
-  if (maxAge !== skipAuthTimeCheck) {
-    const now = epochTime() + getClockSkew(client);
-    const tolerance = getClockTolerance(client);
-    if (claims.auth_time + maxAge < now - tolerance) {
-      throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, {
-        claims,
-        now,
-        tolerance,
-        claim: 'auth_time'
-      });
-    }
-  }
-  if (expectedNonce === expectNoNonce) {
-    if (claims.nonce !== undefined) {
-      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-        expected: undefined,
-        claims,
-        claim: 'nonce'
-      });
-    }
-  } else if (claims.nonce !== expectedNonce) {
-    throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-      expected: expectedNonce,
-      claims,
-      claim: 'nonce'
-    });
-  }
-  return result;
-}
-async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
-  const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);
-  const claims = getValidatedIdTokenClaims(result);
-  if (claims) {
-    if (client.default_max_age !== undefined) {
-      assertNumber(client.default_max_age, true, '"client.default_max_age"');
-      const now = epochTime() + getClockSkew(client);
-      const tolerance = getClockTolerance(client);
-      if (claims.auth_time + client.default_max_age < now - tolerance) {
-        throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, {
-          claims,
-          now,
-          tolerance,
-          claim: 'auth_time'
-        });
-      }
-    }
-    if (claims.nonce !== undefined) {
-      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-        expected: undefined,
-        claims,
-        claim: 'nonce'
-      });
-    }
-  }
-  return result;
-}
 const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';
 const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';
 const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';
@@ -2006,6 +1880,15 @@ const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';
 const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';
 const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';
 const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';
+async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+  assertAs(as);
+  assertClient(client);
+  assertString(grantType, '"grantType"');
+  return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options);
+}
+async function processGenericTokenEndpointResponse(as, client, response, options) {
+  return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
 function assertReadableResponse(response) {
   if (response.bodyUsed) {
     throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
@@ -2155,16 +2038,6 @@ function checkSigningAlgorithm(client, issuer, fallback, header) {
     fallback
   });
 }
-function getURLSearchParameter(parameters, name) {
-  const {
-    0: value,
-    length
-  } = parameters.getAll(name);
-  if (length > 1) {
-    throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
-  }
-  return value;
-}
 async function getResponseJsonBody(response, check = assertApplicationJson) {
   let json;
   try {
@@ -2518,6 +2391,60 @@ const isLoginResponse = value => {
   return true;
 };
+const databaseName = 'auth-worker';
+const objectStoreName = 'auth';
+const memoryStorage = new Map();
+let databasePromise;
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const transactionToPromise = transaction => {
+  return new Promise((resolve, reject) => {
+    transaction.addEventListener('complete', () => {
+      resolve();
+    });
+    transaction.addEventListener('abort', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+    transaction.addEventListener('error', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+  });
+};
+const getDatabase = async () => {
+  if (typeof indexedDB === 'undefined') {
+    return undefined;
+  }
+  if (!databasePromise) {
+    databasePromise = new Promise((resolve, reject) => {
+      const request = indexedDB.open(databaseName, 1);
+      request.addEventListener('upgradeneeded', () => {
+        const database = request.result;
+        if (!database.objectStoreNames.contains(objectStoreName)) {
+          database.createObjectStore(objectStoreName);
+        }
+      });
+      request.addEventListener('success', () => {
+        resolve(request.result);
+      });
+      request.addEventListener('error', () => {
+        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
+      });
+    });
+  }
+  return databasePromise;
+};
+const setPersistentAuthValue = async (key, value) => {
+  memoryStorage.set(key, value);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.put(value, key);
+  await transactionToPromise(transaction);
+};
 const getBackendOidcTokenUrl = backendUrl => {
   return getBackendAuthUrl(backendUrl, '/oidc/token');
 };
@@ -2534,15 +2461,15 @@ const getClient = () => {
     client_id: oidcClientId
   };
 };
-const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, nonce, requestAuthorizationCodeGrant = authorizationCodeGrantRequest, processAuthorizationCodeGrantResponse = processAuthorizationCodeResponse) => {
+const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
   const authorizationServer = getAuthorizationServer(backendUrl);
   const client = getClient();
-  const response = await requestAuthorizationCodeGrant(authorizationServer, client, None(), new URLSearchParams({
-    code
-  }), redirectUri, codeVerifier);
-  const tokenResponse = await processAuthorizationCodeGrantResponse(authorizationServer, client, response, {
-    expectedNonce: nonce
-  });
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
   return {
     accessToken: tokenResponse.access_token,
     refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
@@ -2555,12 +2482,12 @@ const hasAuthorizationCode = value => {
 const getElectronAuthorizationCode = async uid => {
   return invoke$2('OAuthServer.getCode', String(uid));
 };
-const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, nonce, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode, exchangeAuthorizationCode = exchangeElectronAuthorizationCode) => {
+const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode, exchangeAuthorizationCode = exchangeElectronAuthorizationCode) => {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const authorizationCode = await getAuthorizationCode(uid);
     if (hasAuthorizationCode(authorizationCode)) {
-      const tokenResponse = await exchangeAuthorizationCode(backendUrl, authorizationCode, redirectUri, codeVerifier, nonce);
+      const tokenResponse = await exchangeAuthorizationCode(backendUrl, authorizationCode, redirectUri, codeVerifier);
       return {
         authAccessToken: tokenResponse.accessToken,
         authErrorMessage: '',
@@ -2573,6 +2500,14 @@ const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, nonce,
   return getLoggedOutBackendAuthState('Timed out waiting for backend login.');
 };
+const persistLoginResult = async loginResult => {
+  if (loginResult.userState !== 'loggedIn') {
+    return loginResult;
+  }
+  await setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? '');
+  await setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? '');
+  return loginResult;
+};
 const handleClickLogin = async options => {
   const {
     authUseRedirect,
@@ -2604,20 +2539,17 @@ const handleClickLogin = async options => {
           userState: 'loggedOut'
         };
       }
-      return getLoggedInState(signingInState, response);
+      return persistLoginResult(getLoggedInState(signingInState, response));
     }
     const uid = 0;
     const {
       codeVerifier,
       loginUrl,
-      nonce,
       redirectUri
     } = await getBackendLoginRequest(backendUrl, platform, uid);
     await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
-    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, nonce, codeVerifier) : await waitForBackendLogin(backendUrl);
-    return {
-      ...authState
-    };
+    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
+    return persistLoginResult(authState);
   } catch (error) {
     const errorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
     return {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lvce-editor/auth-worker",
-  "version": "1.15.0",
+  "version": "1.16.0",
   "description": "Auth Worker",
   "repository": {
     "type": "git",