@lvce-editor/auth-worker 1.16.0 → 1.18.0

package/dist/authWorkerMain.js

@@ -1113,155 +1113,6 @@ const logoutFromBackend = async backendUrl => {
   }
 };
 
-const getBackendRefreshUrl = backendUrl => {
-  return getBackendAuthUrl(backendUrl, '/auth/refresh');
-};
-
-const delay = async ms => {
-  await new Promise(resolve => setTimeout(resolve, ms));
-};
-
-let nextLoginResponse;
-let nextRefreshResponse;
-const setNextLoginResponse = response => {
-  nextLoginResponse = response;
-};
-const setNextRefreshResponse = response => {
-  nextRefreshResponse = response;
-};
-const clear = () => {
-  nextLoginResponse = undefined;
-  nextRefreshResponse = undefined;
-};
-const hasPendingMockLoginResponse = () => {
-  return !!nextLoginResponse;
-};
-const hasPendingMockRefreshResponse = () => {
-  return !!nextRefreshResponse;
-};
-const consumeNextLoginResponse = async () => {
-  if (!nextLoginResponse) {
-    return undefined;
-  }
-  const response = nextLoginResponse;
-  nextLoginResponse = undefined;
-  if (response.delay > 0) {
-    await delay(response.delay);
-  }
-  if (response.type === 'error') {
-    throw new Error(response.message);
-  }
-  return response.response;
-};
-const consumeNextRefreshResponse = async () => {
-  if (!nextRefreshResponse) {
-    return undefined;
-  }
-  const response = nextRefreshResponse;
-  nextRefreshResponse = undefined;
-  if (response.delay > 0) {
-    await new Promise(resolve => setTimeout(resolve, response.delay));
-  }
-  if (response.type === 'error') {
-    throw new Error(response.message);
-  }
-  return response.response;
-};
-
-const isObject = value => {
-  return !!value && typeof value === 'object';
-};
-
-const isBackendAuthResponse = value => {
-  return isObject(value);
-};
-
-const getNumber = (value, fallback = 0) => {
-  return typeof value === 'number' ? value : fallback;
-};
-
-const getString = (value, fallback = '') => {
-  return typeof value === 'string' ? value : fallback;
-};
-
-const toBackendAuthState = value => {
-  return {
-    authAccessToken: getString(value.accessToken),
-    authErrorMessage: getString(value.error),
-    authRefreshToken: getString(value.refreshToken),
-    userName: getString(value.userName),
-    userState: value.accessToken ? 'loggedIn' : 'loggedOut',
-    userSubscriptionPlan: getString(value.subscriptionPlan),
-    userUsedTokens: getNumber(value.usedTokens)
-  };
-};
-
-const parseBackendAuthResponse = value => {
-  if (!isBackendAuthResponse(value)) {
-    return getLoggedOutBackendAuthState('Backend returned an invalid authentication response.');
-  }
-  return toBackendAuthState(value);
-};
-
-const syncBackendAuth = async backendUrl => {
-  if (!backendUrl) {
-    return getLoggedOutBackendAuthState('Backend URL is missing.');
-  }
-  try {
-    if (hasPendingMockRefreshResponse()) {
-      const mockResponse = await consumeNextRefreshResponse();
-      return parseBackendAuthResponse(mockResponse);
-    }
-    const response = await fetch(getBackendRefreshUrl(backendUrl), {
-      credentials: 'include',
-      headers: {
-        Accept: 'application/json'
-      },
-      method: 'POST'
-    });
-    if (response.status === 401 || response.status === 403) {
-      return getLoggedOutBackendAuthState();
-    }
-    let payload = undefined;
-    try {
-      payload = await response.json();
-    } catch {
-      payload = undefined;
-    }
-    if (!response.ok) {
-      const parsed = parseBackendAuthResponse(payload);
-      return getLoggedOutBackendAuthState(parsed.authErrorMessage || 'Backend authentication failed.');
-    }
-    const parsed = parseBackendAuthResponse(payload);
-    if (parsed.authErrorMessage) {
-      return getLoggedOutBackendAuthState(parsed.authErrorMessage);
-    }
-    if (!parsed.authAccessToken) {
-      return getLoggedOutBackendAuthState();
-    }
-    return parsed;
-  } catch (error) {
-    const authErrorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
-    return getLoggedOutBackendAuthState(authErrorMessage);
-  }
-};
-
-const waitForBackendLogin = async (backendUrl, timeoutMs = 30_000, pollIntervalMs = 1000) => {
-  const deadline = Date.now() + timeoutMs;
-  let lastErrorMessage = '';
-  while (Date.now() < deadline) {
-    const authState = await syncBackendAuth(backendUrl);
-    if (authState.userState === 'loggedIn') {
-      return authState;
-    }
-    if (authState.authErrorMessage) {
-      lastErrorMessage = authState.authErrorMessage;
-    }
-    await delay(pollIntervalMs);
-  }
-  return getLoggedOutBackendAuthState(lastErrorMessage);
-};
-
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
   const NAME = 'oauth4webapi';
@@ -2055,14 +1906,34 @@ async function getResponseJsonBody(response, check = assertApplicationJson) {
 }
 const _expectedIssuer = Symbol();
 
-// cspell:ignore pkce
+const getBackendOidcTokenUrl = backendUrl => {
+  return getBackendAuthUrl(backendUrl, '/oidc/token');
+};
 
-const createPkceValues = async () => {
-  const codeVerifier = generateRandomCodeVerifier();
-  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+const getAuthorizationServer$1 = backendUrl => {
   return {
-    codeChallenge,
-    codeVerifier
+    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
+    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
+    token_endpoint: getBackendOidcTokenUrl(backendUrl)
+  };
+};
+const getClient$1 = clientId => {
+  return {
+    client_id: clientId
+  };
+};
+const exchangeAuthorizationCode = async (backendUrl, clientId, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
+  const authorizationServer = getAuthorizationServer$1(backendUrl);
+  const client = getClient$1(clientId);
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
+  return {
+    accessToken: tokenResponse.access_token,
+    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
   };
 };
 
@@ -2078,71 +1949,533 @@ const getCurrentHref = async () => {
   return globalThis.location.href;
 };
 
-const successHtml = `<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <title>Authentication Complete</title>
-    <style>
-      :root {
-        color-scheme: light;
-        --background: linear-gradient(180deg, #f4f7fb 0%, #e9eef8 100%);
-        --panel: rgba(255, 255, 255, 0.92);
-        --panel-border: rgba(33, 52, 88, 0.08);
-        --text: #132238;
-        --muted: #5f6f86;
-        --accent: #1f7a5a;
-        --accent-soft: #e7f6ef;
-        --shadow: 0 24px 60px rgba(44, 65, 98, 0.16);
-      }
-
-      * {
-        box-sizing: border-box;
-      }
-
-      html,
-      body {
-        margin: 0;
-        min-height: 100%;
-        font-family: Inter, sans-serif;
-        background: var(--background);
-        color: var(--text);
-      }
-
-      body {
-        display: flex;
-        align-items: center;
-        justify-content: center;
-        padding: 24px;
-      }
+const getPayload$1 = async response => {
+  try {
+    return await response.json();
+  } catch {
+    return undefined;
+  }
+};
+const getOidcUserName = async (backendUrl, accessToken, fetchFn = fetch) => {
+  if (!backendUrl || !accessToken) {
+    return '';
+  }
+  const response = await fetchFn(new URL('/account/me', backendUrl), {
+    headers: {
+      Accept: 'application/json',
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  if (!response.ok) {
+    return '';
+  }
+  const payload = await getPayload$1(response);
+  if (!payload || typeof payload !== 'object') {
+    return '';
+  }
+  const displayName = Reflect.get(payload, 'displayName');
+  return typeof displayName === 'string' ? displayName : '';
+};
 
-      .card {
-        width: min(100%, 460px);
-        padding: 32px 28px;
-        border: 1px solid var(--panel-border);
-        border-radius: 20px;
-        background: var(--panel);
-        box-shadow: var(--shadow);
-        text-align: center;
-        backdrop-filter: blur(12px);
-      }
+const databaseName = 'auth-worker';
+const objectStoreName = 'auth';
+const memoryStorage = new Map();
+let databasePromise;
 
-      .badge {
-        display: inline-flex;
-        align-items: center;
-        justify-content: center;
-        width: 64px;
-        height: 64px;
-        margin-bottom: 20px;
-        border-radius: 999px;
-        background: var(--accent-soft);
-        color: var(--accent);
-      }
+// IndexedDB request objects are mutable browser primitives and cannot satisfy the readonly rule structurally.
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const requestToPromise = request => {
+  return new Promise((resolve, reject) => {
+    request.addEventListener('success', () => {
+      resolve(request.result);
+    });
+    request.addEventListener('error', () => {
+      reject(request.error ?? new Error('Persistent storage request failed.'));
+    });
+  });
+};
 
-      h1 {
-        margin: 0;
-        font-size: 28px;
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const transactionToPromise = transaction => {
+  return new Promise((resolve, reject) => {
+    transaction.addEventListener('complete', () => {
+      resolve();
+    });
+    transaction.addEventListener('abort', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+    transaction.addEventListener('error', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+  });
+};
+const getDatabase = async () => {
+  if (typeof indexedDB === 'undefined') {
+    return undefined;
+  }
+  if (!databasePromise) {
+    databasePromise = new Promise((resolve, reject) => {
+      const request = indexedDB.open(databaseName, 1);
+      request.addEventListener('upgradeneeded', () => {
+        const database = request.result;
+        if (!database.objectStoreNames.contains(objectStoreName)) {
+          database.createObjectStore(objectStoreName);
+        }
+      });
+      request.addEventListener('success', () => {
+        resolve(request.result);
+      });
+      request.addEventListener('error', () => {
+        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
+      });
+    });
+  }
+  return databasePromise;
+};
+const getPersistentAuthValue = async key => {
+  const database = await getDatabase();
+  if (!database) {
+    return memoryStorage.get(key) ?? '';
+  }
+  const transaction = database.transaction(objectStoreName, 'readonly');
+  const objectStore = transaction.objectStore(objectStoreName);
+  const value = await requestToPromise(objectStore.get(key));
+  return typeof value === 'string' ? value : '';
+};
+const setPersistentAuthValue = async (key, value) => {
+  memoryStorage.set(key, value);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.put(value, key);
+  await transactionToPromise(transaction);
+};
+const clearPersistentAuthValue = async key => {
+  memoryStorage.delete(key);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.delete(key);
+  await transactionToPromise(transaction);
+};
+
+const callbackUrlKey = 'oidcCallbackUrl';
+const clientIdKey = 'oidcClientId';
+const pendingClientIdKey = 'pendingOidcClientId';
+const pendingCodeVerifierKey = 'pendingOidcCodeVerifier';
+const pendingRedirectUriKey = 'pendingOidcRedirectUri';
+const pendingStateKey = 'pendingOidcState';
+const clearOidcCallbackUrl = async () => {
+  await clearPersistentAuthValue(callbackUrlKey);
+};
+const clearStoredOidcClientId = async () => {
+  await clearPersistentAuthValue(clientIdKey);
+};
+const clearPendingOidcAuthState = async () => {
+  await Promise.all([clearPersistentAuthValue(pendingClientIdKey), clearPersistentAuthValue(pendingCodeVerifierKey), clearPersistentAuthValue(pendingRedirectUriKey), clearPersistentAuthValue(pendingStateKey)]);
+};
+const getOidcCallbackUrl = async () => {
+  return getPersistentAuthValue(callbackUrlKey);
+};
+const getStoredOidcClientId = async () => {
+  return getPersistentAuthValue(clientIdKey);
+};
+const loadPendingOidcAuthState = async () => {
+  const [clientId, codeVerifier, redirectUri, state] = await Promise.all([getPersistentAuthValue(pendingClientIdKey), getPersistentAuthValue(pendingCodeVerifierKey), getPersistentAuthValue(pendingRedirectUriKey), getPersistentAuthValue(pendingStateKey)]);
+  if (!clientId || !codeVerifier || !redirectUri || !state) {
+    return undefined;
+  }
+  return {
+    clientId,
+    codeVerifier,
+    redirectUri,
+    state
+  };
+};
+const saveOidcClientId = async clientId => {
+  await setPersistentAuthValue(clientIdKey, clientId);
+};
+const savePendingOidcAuthState = async value => {
+  await Promise.all([setPersistentAuthValue(pendingClientIdKey, value.clientId), setPersistentAuthValue(pendingCodeVerifierKey, value.codeVerifier), setPersistentAuthValue(pendingRedirectUriKey, value.redirectUri), setPersistentAuthValue(pendingStateKey, value.state)]);
+};
+
+const normalizeRedirectUri = value => {
+  const url = new URL(value);
+  url.hash = '';
+  url.search = '';
+  return url.toString();
+};
+const getCallbackHref = async () => {
+  const storedCallbackUrl = await getOidcCallbackUrl();
+  if (storedCallbackUrl) {
+    await clearOidcCallbackUrl();
+    return storedCallbackUrl;
+  }
+  return getCurrentHref();
+};
+const completeBrowserOidcLogin = async backendUrl => {
+  const href = await getCallbackHref();
+  if (!href) {
+    return undefined;
+  }
+  let url;
+  try {
+    url = new URL(href);
+  } catch {
+    return undefined;
+  }
+  const code = url.searchParams.get('code') || '';
+  const error = url.searchParams.get('error') || '';
+  const errorDescription = url.searchParams.get('error_description') || '';
+  if (!code && !error) {
+    return undefined;
+  }
+  const pendingAuthState = await loadPendingOidcAuthState();
+  if (!pendingAuthState) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState('Authentication state is missing.');
+  }
+  if (normalizeRedirectUri(href) !== normalizeRedirectUri(pendingAuthState.redirectUri)) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState('Authentication returned to an unexpected redirect URI.');
+  }
+  if (error) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState(errorDescription || error);
+  }
+  const returnedState = url.searchParams.get('state') || '';
+  if (!returnedState || returnedState !== pendingAuthState.state) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState('Authentication state mismatch.');
+  }
+  const exchanged = await exchangeAuthorizationCode(backendUrl, pendingAuthState.clientId, code, pendingAuthState.redirectUri, pendingAuthState.codeVerifier);
+  const userName = await getOidcUserName(backendUrl, exchanged.accessToken);
+  await clearPendingOidcAuthState();
+  return {
+    authAccessToken: exchanged.accessToken,
+    authClientId: pendingAuthState.clientId,
+    authErrorMessage: '',
+    authRefreshToken: exchanged.refreshToken,
+    userName,
+    userState: exchanged.accessToken ? 'loggedIn' : 'loggedOut'
+  };
+};
+
+const getBackendRefreshUrl = backendUrl => {
+  return getBackendAuthUrl(backendUrl, '/auth/refresh');
+};
+
+const delay = async ms => {
+  await new Promise(resolve => setTimeout(resolve, ms));
+};
+
+let nextLoginResponse;
+let nextRefreshResponse;
+const setNextLoginResponse = response => {
+  nextLoginResponse = response;
+};
+const setNextRefreshResponse = response => {
+  nextRefreshResponse = response;
+};
+const clear = () => {
+  nextLoginResponse = undefined;
+  nextRefreshResponse = undefined;
+};
+const hasPendingMockLoginResponse = () => {
+  return !!nextLoginResponse;
+};
+const hasPendingMockRefreshResponse = () => {
+  return !!nextRefreshResponse;
+};
+const consumeNextLoginResponse = async () => {
+  if (!nextLoginResponse) {
+    return undefined;
+  }
+  const response = nextLoginResponse;
+  nextLoginResponse = undefined;
+  if (response.delay > 0) {
+    await delay(response.delay);
+  }
+  if (response.type === 'error') {
+    throw new Error(response.message);
+  }
+  return response.response;
+};
+const consumeNextRefreshResponse = async () => {
+  if (!nextRefreshResponse) {
+    return undefined;
+  }
+  const response = nextRefreshResponse;
+  nextRefreshResponse = undefined;
+  if (response.delay > 0) {
+    await new Promise(resolve => setTimeout(resolve, response.delay));
+  }
+  if (response.type === 'error') {
+    throw new Error(response.message);
+  }
+  return response.response;
+};
+
+const isObject = value => {
+  return !!value && typeof value === 'object';
+};
+
+const isBackendAuthResponse = value => {
+  return isObject(value);
+};
+
+const getNumber = (value, fallback = 0) => {
+  return typeof value === 'number' ? value : fallback;
+};
+
+const getString = (value, fallback = '') => {
+  return typeof value === 'string' ? value : fallback;
+};
+
+const getUserName = value => {
+  if (typeof value.userName === 'string') {
+    return value.userName;
+  }
+  return getString(value.user?.displayName);
+};
+const toBackendAuthState = value => {
+  return {
+    authAccessToken: getString(value.accessToken),
+    authErrorMessage: getString(value.error),
+    authRefreshToken: getString(value.refreshToken),
+    userName: getUserName(value),
+    userState: value.accessToken ? 'loggedIn' : 'loggedOut',
+    userSubscriptionPlan: getString(value.subscriptionPlan),
+    userSubscriptionStatus: getString(value.subscriptionStatus),
+    userUsedTokens: getNumber(value.usedTokens)
+  };
+};
+
+const parseBackendAuthResponse = value => {
+  if (!isBackendAuthResponse(value)) {
+    return getLoggedOutBackendAuthState('Backend returned an invalid authentication response.');
+  }
+  return toBackendAuthState(value);
+};
+
+const persistLoginResult = async loginResult => {
+  if (loginResult.userState !== 'loggedIn') {
+    return loginResult;
+  }
+  await Promise.all([setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? ''), setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? ''), loginResult.authClientId ? saveOidcClientId(loginResult.authClientId) : Promise.resolve()]);
+  return loginResult;
+};
+
+const getAuthorizationServer = backendUrl => {
+  return {
+    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
+    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
+    token_endpoint: getBackendOidcTokenUrl(backendUrl)
+  };
+};
+const getClient = clientId => {
+  return {
+    client_id: clientId
+  };
+};
+const refreshOidcTokens = async (backendUrl, clientId, refreshToken, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
+  const authorizationServer = getAuthorizationServer(backendUrl);
+  const client = getClient(clientId);
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'refresh_token', new URLSearchParams({
+    refresh_token: refreshToken
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
+  return {
+    accessToken: tokenResponse.access_token,
+    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : refreshToken
+  };
+};
+
+const clearStoredOidcAuth = async () => {
+  await Promise.all([clearPersistentAuthValue('accessToken'), clearPersistentAuthValue('refreshToken'), clearStoredOidcClientId()]);
+};
+const toLoginResult = (accessToken, refreshToken, clientId, userName) => {
+  return {
+    authAccessToken: accessToken,
+    authClientId: clientId,
+    authErrorMessage: '',
+    authRefreshToken: refreshToken,
+    userName,
+    userState: accessToken ? 'loggedIn' : 'loggedOut'
+  };
+};
+const restoreOidcAuth = async backendUrl => {
+  const [accessToken, refreshToken, clientId] = await Promise.all([getPersistentAuthValue('accessToken'), getPersistentAuthValue('refreshToken'), getStoredOidcClientId()]);
+  if (!refreshToken || !clientId) {
+    return undefined;
+  }
+  try {
+    const refreshedTokens = await refreshOidcTokens(backendUrl, clientId, refreshToken);
+    const userName = await getOidcUserName(backendUrl, refreshedTokens.accessToken);
+    return toLoginResult(refreshedTokens.accessToken, refreshedTokens.refreshToken, clientId, userName);
+  } catch {
+    if (accessToken) {
+      const userName = await getOidcUserName(backendUrl, accessToken);
+      if (userName) {
+        return toLoginResult(accessToken, refreshToken, clientId, userName);
+      }
+    }
+    await clearStoredOidcAuth();
+    return undefined;
+  }
+};
+
+const getPayload = async response => {
+  try {
+    return await response.json();
+  } catch {
+    return undefined;
+  }
+};
+const syncBackendAuth = async backendUrl => {
+  if (!backendUrl) {
+    return getLoggedOutBackendAuthState('Backend URL is missing.');
+  }
+  try {
+    const completedBrowserLogin = await completeBrowserOidcLogin(backendUrl);
+    if (completedBrowserLogin) {
+      return persistLoginResult(completedBrowserLogin);
+    }
+    const restoredOidcAuth = await restoreOidcAuth(backendUrl);
+    if (restoredOidcAuth) {
+      return persistLoginResult(restoredOidcAuth);
+    }
+    if (hasPendingMockRefreshResponse()) {
+      const mockResponse = await consumeNextRefreshResponse();
+      return parseBackendAuthResponse(mockResponse);
+    }
+    const response = await fetch(getBackendRefreshUrl(backendUrl), {
+      credentials: 'include',
+      headers: {
+        Accept: 'application/json'
+      },
+      method: 'POST'
+    });
+    if (response.status === 401 || response.status === 403) {
+      return getLoggedOutBackendAuthState();
+    }
+    const payload = await getPayload(response);
+    if (!response.ok) {
+      const parsed = parseBackendAuthResponse(payload);
+      return getLoggedOutBackendAuthState(parsed.authErrorMessage || 'Backend authentication failed.');
+    }
+    const parsed = parseBackendAuthResponse(payload);
+    if (parsed.authErrorMessage) {
+      return getLoggedOutBackendAuthState(parsed.authErrorMessage);
+    }
+    if (!parsed.authAccessToken) {
+      return getLoggedOutBackendAuthState();
+    }
+    return parsed;
+  } catch (error) {
+    const authErrorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
+    return getLoggedOutBackendAuthState(authErrorMessage);
+  }
+};
+
+const waitForBackendLogin = async (backendUrl, timeoutMs = 30_000, pollIntervalMs = 1000) => {
+  const deadline = Date.now() + timeoutMs;
+  let lastErrorMessage = '';
+  while (Date.now() < deadline) {
+    const authState = await syncBackendAuth(backendUrl);
+    if (authState.userState === 'loggedIn') {
+      return authState;
+    }
+    if (authState.authErrorMessage) {
+      lastErrorMessage = authState.authErrorMessage;
+    }
+    await delay(pollIntervalMs);
+  }
+  return getLoggedOutBackendAuthState(lastErrorMessage);
+};
+
+// cspell:ignore pkce
+
+const createPkceValues = async () => {
+  const codeVerifier = generateRandomCodeVerifier();
+  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+  return {
+    codeChallenge,
+    codeVerifier
+  };
+};
+
+const successHtml = `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Authentication Complete</title>
+    <style>
+      :root {
+        color-scheme: light;
+        --background: linear-gradient(180deg, #f4f7fb 0%, #e9eef8 100%);
+        --panel: rgba(255, 255, 255, 0.92);
+        --panel-border: rgba(33, 52, 88, 0.08);
+        --text: #132238;
+        --muted: #5f6f86;
+        --accent: #1f7a5a;
+        --accent-soft: #e7f6ef;
+        --shadow: 0 24px 60px rgba(44, 65, 98, 0.16);
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      html,
+      body {
+        margin: 0;
+        min-height: 100%;
+        font-family: Inter, sans-serif;
+        background: var(--background);
+        color: var(--text);
+      }
+
+      body {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 24px;
+      }
+
+      .card {
+        width: min(100%, 460px);
+        padding: 32px 28px;
+        border: 1px solid var(--panel-border);
+        border-radius: 20px;
+        background: var(--panel);
+        box-shadow: var(--shadow);
+        text-align: center;
+        backdrop-filter: blur(12px);
+      }
+
+      .badge {
+        display: inline-flex;
+        align-items: center;
+        justify-content: center;
+        width: 64px;
+        height: 64px;
+        margin-bottom: 20px;
+        border-radius: 999px;
+        background: var(--accent-soft);
+        color: var(--accent);
+      }
+
+      h1 {
+        margin: 0;
+        font-size: 28px;
         line-height: 1.15;
         letter-spacing: -0.03em;
       }
@@ -2329,6 +2662,18 @@ const getElectronRedirectUri = async uid => {
   return `http://localhost:${localOauthServerPort}/callback`;
 };
 
+const getWebRedirectUri = async () => {
+  const href = await getCurrentHref();
+  if (!href) {
+    return '';
+  }
+  try {
+    const url = new URL(href);
+    return `${url.origin}/auth/callback`;
+  } catch {
+    return '';
+  }
+};
 const getEffectiveRedirectUri = async (platform, uid, redirectUri) => {
   if (redirectUri) {
     return redirectUri;
@@ -2336,11 +2681,15 @@ const getEffectiveRedirectUri = async (platform, uid, redirectUri) => {
   if (platform === Electron) {
     return getElectronRedirectUri(uid);
   }
-  return getCurrentHref();
+  return getWebRedirectUri();
 };
 
-const oidcClientId = 'lvce-editor-native';
+const nativeOidcClientId = 'lvce-editor-native';
+const webOidcClientId = 'lvce-editor-web';
 const oidcScope = 'openid offline_access profile email';
+const getOidcClientId = platform => {
+  return platform === Electron ? nativeOidcClientId : webOidcClientId;
+};
 
 const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirectUri = '', createPkceValuesFn = createPkceValues, createRandomUuid = () => globalThis.crypto.randomUUID()) => {
   const effectiveRedirectUri = await getEffectiveRedirectUri(platform, uid, redirectUri);
@@ -2348,24 +2697,28 @@ const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirec
     codeChallenge,
     codeVerifier
   } = await createPkceValuesFn();
+  const clientId = getOidcClientId(platform);
   const nonce = createRandomUuid();
+  const state = createRandomUuid();
   const loginUrl = new URL(getBackendAuthUrl(backendUrl, '/oidc/auth'));
-  loginUrl.searchParams.set('client_id', oidcClientId);
+  loginUrl.searchParams.set('client_id', clientId);
   loginUrl.searchParams.set('code_challenge', codeChallenge);
   loginUrl.searchParams.set('code_challenge_method', 'S256');
   loginUrl.searchParams.set('nonce', nonce);
   loginUrl.searchParams.set('prompt', 'consent');
   loginUrl.searchParams.set('response_type', 'code');
   loginUrl.searchParams.set('scope', oidcScope);
-  loginUrl.searchParams.set('state', createRandomUuid());
+  loginUrl.searchParams.set('state', state);
   if (effectiveRedirectUri) {
     loginUrl.searchParams.set('redirect_uri', effectiveRedirectUri);
   }
   return {
+    clientId,
     codeVerifier,
     loginUrl: loginUrl.toString(),
     nonce,
-    redirectUri: effectiveRedirectUri
+    redirectUri: effectiveRedirectUri,
+    state
   };
 };
 
@@ -2380,100 +2733,17 @@ const getLoggedInState = (state, response) => {
     userName: typeof response.userName === 'string' ? response.userName : state.userName,
     userState: accessToken ? 'loggedIn' : 'loggedOut',
     userSubscriptionPlan: typeof response.subscriptionPlan === 'string' ? response.subscriptionPlan : state.userSubscriptionPlan,
+    userSubscriptionStatus: typeof response.subscriptionStatus === 'string' ? response.subscriptionStatus : state.userSubscriptionStatus,
     userUsedTokens: typeof response.usedTokens === 'number' ? response.usedTokens : state.userUsedTokens
   };
 };
 
 const isLoginResponse = value => {
-  if (!value || typeof value !== 'object') {
-    return false;
-  }
-  return true;
-};
-
-const databaseName = 'auth-worker';
-const objectStoreName = 'auth';
-const memoryStorage = new Map();
-let databasePromise;
-
-// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
-const transactionToPromise = transaction => {
-  return new Promise((resolve, reject) => {
-    transaction.addEventListener('complete', () => {
-      resolve();
-    });
-    transaction.addEventListener('abort', () => {
-      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
-    });
-    transaction.addEventListener('error', () => {
-      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
-    });
-  });
-};
-const getDatabase = async () => {
-  if (typeof indexedDB === 'undefined') {
-    return undefined;
-  }
-  if (!databasePromise) {
-    databasePromise = new Promise((resolve, reject) => {
-      const request = indexedDB.open(databaseName, 1);
-      request.addEventListener('upgradeneeded', () => {
-        const database = request.result;
-        if (!database.objectStoreNames.contains(objectStoreName)) {
-          database.createObjectStore(objectStoreName);
-        }
-      });
-      request.addEventListener('success', () => {
-        resolve(request.result);
-      });
-      request.addEventListener('error', () => {
-        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
-      });
-    });
-  }
-  return databasePromise;
-};
-const setPersistentAuthValue = async (key, value) => {
-  memoryStorage.set(key, value);
-  const database = await getDatabase();
-  if (!database) {
-    return;
-  }
-  const transaction = database.transaction(objectStoreName, 'readwrite');
-  const objectStore = transaction.objectStore(objectStoreName);
-  objectStore.put(value, key);
-  await transactionToPromise(transaction);
-};
-
-const getBackendOidcTokenUrl = backendUrl => {
-  return getBackendAuthUrl(backendUrl, '/oidc/token');
+  return !!value && typeof value === 'object';
 };
 
-const getAuthorizationServer = backendUrl => {
-  return {
-    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
-    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
-    token_endpoint: getBackendOidcTokenUrl(backendUrl)
-  };
-};
-const getClient = () => {
-  return {
-    client_id: oidcClientId
-  };
-};
 const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
-  const authorizationServer = getAuthorizationServer(backendUrl);
-  const client = getClient();
-  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
-    code,
-    code_verifier: codeVerifier,
-    redirect_uri: redirectUri
-  }));
-  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
-  return {
-    accessToken: tokenResponse.access_token,
-    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
-  };
+  return exchangeAuthorizationCode(backendUrl, nativeOidcClientId, code, redirectUri, codeVerifier, requestTokenEndpoint, processTokenEndpointResponse);
 };
 
 const hasAuthorizationCode = value => {
@@ -2500,13 +2770,54 @@ const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, codeVer
   return getLoggedOutBackendAuthState('Timed out waiting for backend login.');
 };
 
-const persistLoginResult = async loginResult => {
-  if (loginResult.userState !== 'loggedIn') {
-    return loginResult;
+const getMockLoginResult = async signingInState => {
+  if (!hasPendingMockLoginResponse()) {
+    return undefined;
   }
-  await setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? '');
-  await setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? '');
-  return loginResult;
+  const response = await consumeNextLoginResponse();
+  if (!isLoginResponse(response)) {
+    return {
+      authErrorMessage: 'Backend returned an invalid login response.',
+      userState: 'loggedOut'
+    };
+  }
+  if (typeof response.error === 'string' && response.error) {
+    return {
+      authErrorMessage: response.error,
+      userState: 'loggedOut'
+    };
+  }
+  return persistLoginResult(getLoggedInState(signingInState, response));
+};
+const getInteractiveLoginResult = async (backendUrl, platform, authUseRedirect, signingInState) => {
+  const uid = 0;
+  const {
+    clientId,
+    codeVerifier,
+    loginUrl,
+    redirectUri,
+    state
+  } = await getBackendLoginRequest(backendUrl, platform, uid);
+  if (platform !== Electron) {
+    await savePendingOidcAuthState({
+      clientId,
+      codeVerifier,
+      redirectUri,
+      state
+    });
+  }
+  await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
+  if (platform !== Electron && authUseRedirect) {
+    return signingInState;
+  }
+  const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
+  if (platform !== Electron) {
+    await clearPendingOidcAuthState();
+  }
+  return persistLoginResult({
+    ...authState,
+    authClientId: clientId
+  });
 };
 const handleClickLogin = async options => {
   const {
@@ -2525,32 +2836,13 @@ const handleClickLogin = async options => {
     userState: 'loggingIn'
   };
   try {
-    if (hasPendingMockLoginResponse()) {
-      const response = await consumeNextLoginResponse();
-      if (!isLoginResponse(response)) {
-        return {
-          authErrorMessage: 'Backend returned an invalid login response.',
-          userState: 'loggedOut'
-        };
-      }
-      if (typeof response.error === 'string' && response.error) {
-        return {
-          authErrorMessage: response.error,
-          userState: 'loggedOut'
-        };
-      }
-      return persistLoginResult(getLoggedInState(signingInState, response));
+    const mockLoginResult = await getMockLoginResult(signingInState);
+    if (mockLoginResult) {
+      return mockLoginResult;
     }
-    const uid = 0;
-    const {
-      codeVerifier,
-      loginUrl,
-      redirectUri
-    } = await getBackendLoginRequest(backendUrl, platform, uid);
-    await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
-    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
-    return persistLoginResult(authState);
+    return getInteractiveLoginResult(backendUrl, platform, authUseRedirect, signingInState);
   } catch (error) {
+    await clearPendingOidcAuthState();
     const errorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
     return {
       ...signingInState,
@@ -2565,6 +2857,7 @@ const logout = async state => {
     userState: 'loggingOut'
   };
   await logoutFromBackend(state.backendUrl);
+  await Promise.all([clearOidcCallbackUrl(), clearPendingOidcAuthState(), clearStoredOidcClientId(), clearPersistentAuthValue('accessToken'), clearPersistentAuthValue('refreshToken')]);
   return {
     ...loggingOutState,
     ...getLoggedOutBackendAuthState()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lvce-editor/auth-worker",
-  "version": "1.16.0",
+  "version": "1.18.0",
   "description": "Auth Worker",
   "repository": {
     "type": "git",