@lvce-editor/auth-worker 1.15.0 → 1.17.0

package/dist/authWorkerMain.js

@@ -1184,14 +1184,21 @@ const getString = (value, fallback = '') => {
   return typeof value === 'string' ? value : fallback;
 };
 
+const getUserName = value => {
+  if (typeof value.userName === 'string') {
+    return value.userName;
+  }
+  return getString(value.user?.displayName);
+};
 const toBackendAuthState = value => {
   return {
     authAccessToken: getString(value.accessToken),
     authErrorMessage: getString(value.error),
     authRefreshToken: getString(value.refreshToken),
-    userName: getString(value.userName),
+    userName: getUserName(value),
     userState: value.accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: getString(value.subscriptionPlan),
+    userSubscriptionStatus: getString(value.subscriptionStatus),
     userUsedTokens: getNumber(value.usedTokens)
   };
 };
@@ -1203,6 +1210,13 @@ const parseBackendAuthResponse = value => {
   return toBackendAuthState(value);
 };
 
+const getPayload = async response => {
+  try {
+    return await response.json();
+  } catch {
+    return undefined;
+  }
+};
 const syncBackendAuth = async backendUrl => {
   if (!backendUrl) {
     return getLoggedOutBackendAuthState('Backend URL is missing.');
@@ -1222,12 +1236,7 @@ const syncBackendAuth = async backendUrl => {
     if (response.status === 401 || response.status === 403) {
       return getLoggedOutBackendAuthState();
     }
-    let payload = undefined;
-    try {
-      payload = await response.json();
-    } catch {
-      payload = undefined;
-    }
+    const payload = await getPayload(response);
     if (!response.ok) {
       const parsed = parseBackendAuthResponse(payload);
       return getLoggedOutBackendAuthState(parsed.authErrorMessage || 'Backend authentication failed.');
@@ -1718,16 +1727,6 @@ async function tokenEndpointRequest(as, client, clientAuthentication, grantType,
 }
 const idTokenClaims = new WeakMap();
 const jwtRefs = new WeakMap();
-function getValidatedIdTokenClaims(ref) {
-  if (!ref.id_token) {
-    return undefined;
-  }
-  const claims = idTokenClaims.get(ref);
-  if (!claims) {
-    throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);
-  }
-  return claims;
-}
 async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
   assertAs(as);
   assertClient(client);
@@ -1773,9 +1772,6 @@ async function processGenericAccessTokenResponse(as, client, response, additiona
       assertNumber(client.default_max_age, true, '"client.default_max_age"');
       requiredClaims.push('auth_time');
     }
-    if (additionalRequiredIdTokenClaims?.length) {
-      requiredClaims.push(...additionalRequiredIdTokenClaims);
-    }
     const {
       claims,
       jwt
@@ -1853,27 +1849,6 @@ function validateIssuer(as, result) {
   return result;
 }
 const branded = new WeakSet();
-const nopkce = Symbol();
-async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!branded.has(callbackParameters)) {
-    throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);
-  }
-  assertString(redirectUri, '"redirectUri"');
-  const code = getURLSearchParameter(callbackParameters, 'code');
-  if (!code) {
-    throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE);
-  }
-  const parameters = new URLSearchParams(options?.additionalParameters);
-  parameters.set('redirect_uri', redirectUri);
-  parameters.set('code', code);
-  if (codeVerifier !== nopkce) {
-    assertString(codeVerifier, '"codeVerifier"');
-    parameters.set('code_verifier', codeVerifier);
-  }
-  return tokenEndpointRequest(as, client, clientAuthentication, 'authorization_code', parameters, options);
-}
 const jwtClaimNames = {
   aud: 'audience',
   c_hash: 'code hash',
@@ -1901,98 +1876,6 @@ function validatePresence(required, result) {
   }
   return result;
 }
-const expectNoNonce = Symbol();
-const skipAuthTimeCheck = Symbol();
-async function processAuthorizationCodeResponse(as, client, response, options) {
-  if (typeof options?.expectedNonce === 'string' || typeof options?.maxAge === 'number' || options?.requireIdToken) {
-    return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
-  }
-  return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
-}
-async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
-  const additionalRequiredClaims = [];
-  switch (expectedNonce) {
-    case undefined:
-      expectedNonce = expectNoNonce;
-      break;
-    case expectNoNonce:
-      break;
-    default:
-      assertString(expectedNonce, '"expectedNonce" argument');
-      additionalRequiredClaims.push('nonce');
-  }
-  maxAge ??= client.default_max_age;
-  switch (maxAge) {
-    case undefined:
-      maxAge = skipAuthTimeCheck;
-      break;
-    case skipAuthTimeCheck:
-      break;
-    default:
-      assertNumber(maxAge, true, '"maxAge" argument');
-      additionalRequiredClaims.push('auth_time');
-  }
-  const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
-  assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
-    body: result
-  });
-  const claims = getValidatedIdTokenClaims(result);
-  if (maxAge !== skipAuthTimeCheck) {
-    const now = epochTime() + getClockSkew(client);
-    const tolerance = getClockTolerance(client);
-    if (claims.auth_time + maxAge < now - tolerance) {
-      throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, {
-        claims,
-        now,
-        tolerance,
-        claim: 'auth_time'
-      });
-    }
-  }
-  if (expectedNonce === expectNoNonce) {
-    if (claims.nonce !== undefined) {
-      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-        expected: undefined,
-        claims,
-        claim: 'nonce'
-      });
-    }
-  } else if (claims.nonce !== expectedNonce) {
-    throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-      expected: expectedNonce,
-      claims,
-      claim: 'nonce'
-    });
-  }
-  return result;
-}
-async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
-  const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);
-  const claims = getValidatedIdTokenClaims(result);
-  if (claims) {
-    if (client.default_max_age !== undefined) {
-      assertNumber(client.default_max_age, true, '"client.default_max_age"');
-      const now = epochTime() + getClockSkew(client);
-      const tolerance = getClockTolerance(client);
-      if (claims.auth_time + client.default_max_age < now - tolerance) {
-        throw OPE('too much time has elapsed since the last End-User authentication', JWT_TIMESTAMP_CHECK, {
-          claims,
-          now,
-          tolerance,
-          claim: 'auth_time'
-        });
-      }
-    }
-    if (claims.nonce !== undefined) {
-      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-        expected: undefined,
-        claims,
-        claim: 'nonce'
-      });
-    }
-  }
-  return result;
-}
 const WWW_AUTHENTICATE_CHALLENGE = 'OAUTH_WWW_AUTHENTICATE_CHALLENGE';
 const RESPONSE_BODY_ERROR = 'OAUTH_RESPONSE_BODY_ERROR';
 const UNSUPPORTED_OPERATION = 'OAUTH_UNSUPPORTED_OPERATION';
@@ -2006,6 +1889,15 @@ const JWT_TIMESTAMP_CHECK = 'OAUTH_JWT_TIMESTAMP_CHECK_FAILED';
 const JWT_CLAIM_COMPARISON = 'OAUTH_JWT_CLAIM_COMPARISON_FAILED';
 const MISSING_SERVER_METADATA = 'OAUTH_MISSING_SERVER_METADATA';
 const INVALID_SERVER_METADATA = 'OAUTH_INVALID_SERVER_METADATA';
+async function genericTokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+  assertAs(as);
+  assertClient(client);
+  assertString(grantType, '"grantType"');
+  return tokenEndpointRequest(as, client, clientAuthentication, grantType, new URLSearchParams(parameters), options);
+}
+async function processGenericTokenEndpointResponse(as, client, response, options) {
+  return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
 function assertReadableResponse(response) {
   if (response.bodyUsed) {
     throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
@@ -2155,16 +2047,6 @@ function checkSigningAlgorithm(client, issuer, fallback, header) {
     fallback
   });
 }
-function getURLSearchParameter(parameters, name) {
-  const {
-    0: value,
-    length
-  } = parameters.getAll(name);
-  if (length > 1) {
-    throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
-  }
-  return value;
-}
 async function getResponseJsonBody(response, check = assertApplicationJson) {
   let json;
   try {
@@ -2507,15 +2389,76 @@ const getLoggedInState = (state, response) => {
     userName: typeof response.userName === 'string' ? response.userName : state.userName,
     userState: accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: typeof response.subscriptionPlan === 'string' ? response.subscriptionPlan : state.userSubscriptionPlan,
+    userSubscriptionStatus: typeof response.subscriptionStatus === 'string' ? response.subscriptionStatus : state.userSubscriptionStatus,
     userUsedTokens: typeof response.usedTokens === 'number' ? response.usedTokens : state.userUsedTokens
   };
 };
 
 const isLoginResponse = value => {
-  if (!value || typeof value !== 'object') {
-    return false;
+  return !!value && typeof value === 'object';
+};
+
+const databaseName = 'auth-worker';
+const objectStoreName = 'auth';
+const memoryStorage = new Map();
+let databasePromise;
+
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const transactionToPromise = transaction => {
+  return new Promise((resolve, reject) => {
+    transaction.addEventListener('complete', () => {
+      resolve();
+    });
+    transaction.addEventListener('abort', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+    transaction.addEventListener('error', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+  });
+};
+const getDatabase = async () => {
+  if (typeof indexedDB === 'undefined') {
+    return undefined;
   }
-  return true;
+  if (!databasePromise) {
+    databasePromise = new Promise((resolve, reject) => {
+      const request = indexedDB.open(databaseName, 1);
+      request.addEventListener('upgradeneeded', () => {
+        const database = request.result;
+        if (!database.objectStoreNames.contains(objectStoreName)) {
+          database.createObjectStore(objectStoreName);
+        }
+      });
+      request.addEventListener('success', () => {
+        resolve(request.result);
+      });
+      request.addEventListener('error', () => {
+        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
+      });
+    });
+  }
+  return databasePromise;
+};
+const setPersistentAuthValue = async (key, value) => {
+  memoryStorage.set(key, value);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.put(value, key);
+  await transactionToPromise(transaction);
+};
+
+const persistLoginResult = async loginResult => {
+  if (loginResult.userState !== 'loggedIn') {
+    return loginResult;
+  }
+  await setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? '');
+  await setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? '');
+  return loginResult;
 };
 
 const getBackendOidcTokenUrl = backendUrl => {
@@ -2534,15 +2477,15 @@ const getClient = () => {
     client_id: oidcClientId
   };
 };
-const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, nonce, requestAuthorizationCodeGrant = authorizationCodeGrantRequest, processAuthorizationCodeGrantResponse = processAuthorizationCodeResponse) => {
+const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
   const authorizationServer = getAuthorizationServer(backendUrl);
   const client = getClient();
-  const response = await requestAuthorizationCodeGrant(authorizationServer, client, None(), new URLSearchParams({
-    code
-  }), redirectUri, codeVerifier);
-  const tokenResponse = await processAuthorizationCodeGrantResponse(authorizationServer, client, response, {
-    expectedNonce: nonce
-  });
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
   return {
     accessToken: tokenResponse.access_token,
     refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
@@ -2555,12 +2498,12 @@ const hasAuthorizationCode = value => {
 const getElectronAuthorizationCode = async uid => {
   return invoke$2('OAuthServer.getCode', String(uid));
 };
-const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, nonce, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode, exchangeAuthorizationCode = exchangeElectronAuthorizationCode) => {
+const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, codeVerifier, timeoutMs = 30_000, pollIntervalMs = 1000, getAuthorizationCode = getElectronAuthorizationCode, exchangeAuthorizationCode = exchangeElectronAuthorizationCode) => {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const authorizationCode = await getAuthorizationCode(uid);
     if (hasAuthorizationCode(authorizationCode)) {
-      const tokenResponse = await exchangeAuthorizationCode(backendUrl, authorizationCode, redirectUri, codeVerifier, nonce);
+      const tokenResponse = await exchangeAuthorizationCode(backendUrl, authorizationCode, redirectUri, codeVerifier);
       return {
         authAccessToken: tokenResponse.accessToken,
         authErrorMessage: '',
@@ -2604,20 +2547,17 @@ const handleClickLogin = async options => {
           userState: 'loggedOut'
         };
       }
-      return getLoggedInState(signingInState, response);
+      return persistLoginResult(getLoggedInState(signingInState, response));
     }
     const uid = 0;
     const {
       codeVerifier,
       loginUrl,
-      nonce,
       redirectUri
     } = await getBackendLoginRequest(backendUrl, platform, uid);
     await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
-    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, nonce, codeVerifier) : await waitForBackendLogin(backendUrl);
-    return {
-      ...authState
-    };
+    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
+    return persistLoginResult(authState);
   } catch (error) {
     const errorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
     return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lvce-editor/auth-worker",
-  "version": "1.15.0",
+  "version": "1.17.0",
   "description": "Auth Worker",
   "repository": {
     "type": "git",