npm - @lvce-editor/auth-worker - Versions diffs - 1.17.0 → 1.18.0 - Mend

@lvce-editor/auth-worker 1.17.0 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/authWorkerMain.js +616 -331
package/package.json +1 -1

package/dist/authWorkerMain.js CHANGED Viewed

@@ -1113,164 +1113,6 @@ const logoutFromBackend = async backendUrl => {
   }
 };
-const getBackendRefreshUrl = backendUrl => {
-  return getBackendAuthUrl(backendUrl, '/auth/refresh');
-};
-const delay = async ms => {
-  await new Promise(resolve => setTimeout(resolve, ms));
-};
-let nextLoginResponse;
-let nextRefreshResponse;
-const setNextLoginResponse = response => {
-  nextLoginResponse = response;
-};
-const setNextRefreshResponse = response => {
-  nextRefreshResponse = response;
-};
-const clear = () => {
-  nextLoginResponse = undefined;
-  nextRefreshResponse = undefined;
-};
-const hasPendingMockLoginResponse = () => {
-  return !!nextLoginResponse;
-};
-const hasPendingMockRefreshResponse = () => {
-  return !!nextRefreshResponse;
-};
-const consumeNextLoginResponse = async () => {
-  if (!nextLoginResponse) {
-    return undefined;
-  }
-  const response = nextLoginResponse;
-  nextLoginResponse = undefined;
-  if (response.delay > 0) {
-    await delay(response.delay);
-  }
-  if (response.type === 'error') {
-    throw new Error(response.message);
-  }
-  return response.response;
-};
-const consumeNextRefreshResponse = async () => {
-  if (!nextRefreshResponse) {
-    return undefined;
-  }
-  const response = nextRefreshResponse;
-  nextRefreshResponse = undefined;
-  if (response.delay > 0) {
-    await new Promise(resolve => setTimeout(resolve, response.delay));
-  }
-  if (response.type === 'error') {
-    throw new Error(response.message);
-  }
-  return response.response;
-};
-const isObject = value => {
-  return !!value && typeof value === 'object';
-};
-const isBackendAuthResponse = value => {
-  return isObject(value);
-};
-const getNumber = (value, fallback = 0) => {
-  return typeof value === 'number' ? value : fallback;
-};
-const getString = (value, fallback = '') => {
-  return typeof value === 'string' ? value : fallback;
-};
-const getUserName = value => {
-  if (typeof value.userName === 'string') {
-    return value.userName;
-  }
-  return getString(value.user?.displayName);
-};
-const toBackendAuthState = value => {
-  return {
-    authAccessToken: getString(value.accessToken),
-    authErrorMessage: getString(value.error),
-    authRefreshToken: getString(value.refreshToken),
-    userName: getUserName(value),
-    userState: value.accessToken ? 'loggedIn' : 'loggedOut',
-    userSubscriptionPlan: getString(value.subscriptionPlan),
-    userSubscriptionStatus: getString(value.subscriptionStatus),
-    userUsedTokens: getNumber(value.usedTokens)
-  };
-};
-const parseBackendAuthResponse = value => {
-  if (!isBackendAuthResponse(value)) {
-    return getLoggedOutBackendAuthState('Backend returned an invalid authentication response.');
-  }
-  return toBackendAuthState(value);
-};
-const getPayload = async response => {
-  try {
-    return await response.json();
-  } catch {
-    return undefined;
-  }
-};
-const syncBackendAuth = async backendUrl => {
-  if (!backendUrl) {
-    return getLoggedOutBackendAuthState('Backend URL is missing.');
-  }
-  try {
-    if (hasPendingMockRefreshResponse()) {
-      const mockResponse = await consumeNextRefreshResponse();
-      return parseBackendAuthResponse(mockResponse);
-    }
-    const response = await fetch(getBackendRefreshUrl(backendUrl), {
-      credentials: 'include',
-      headers: {
-        Accept: 'application/json'
-      },
-      method: 'POST'
-    });
-    if (response.status === 401 || response.status === 403) {
-      return getLoggedOutBackendAuthState();
-    }
-    const payload = await getPayload(response);
-    if (!response.ok) {
-      const parsed = parseBackendAuthResponse(payload);
-      return getLoggedOutBackendAuthState(parsed.authErrorMessage || 'Backend authentication failed.');
-    }
-    const parsed = parseBackendAuthResponse(payload);
-    if (parsed.authErrorMessage) {
-      return getLoggedOutBackendAuthState(parsed.authErrorMessage);
-    }
-    if (!parsed.authAccessToken) {
-      return getLoggedOutBackendAuthState();
-    }
-    return parsed;
-  } catch (error) {
-    const authErrorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
-    return getLoggedOutBackendAuthState(authErrorMessage);
-  }
-};
-const waitForBackendLogin = async (backendUrl, timeoutMs = 30_000, pollIntervalMs = 1000) => {
-  const deadline = Date.now() + timeoutMs;
-  let lastErrorMessage = '';
-  while (Date.now() < deadline) {
-    const authState = await syncBackendAuth(backendUrl);
-    if (authState.userState === 'loggedIn') {
-      return authState;
-    }
-    if (authState.authErrorMessage) {
-      lastErrorMessage = authState.authErrorMessage;
-    }
-    await delay(pollIntervalMs);
-  }
-  return getLoggedOutBackendAuthState(lastErrorMessage);
-};
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
   const NAME = 'oauth4webapi';
@@ -2064,14 +1906,34 @@ async function getResponseJsonBody(response, check = assertApplicationJson) {
 }
 const _expectedIssuer = Symbol();
-// cspell:ignore pkce
+const getBackendOidcTokenUrl = backendUrl => {
+  return getBackendAuthUrl(backendUrl, '/oidc/token');
+};
-const createPkceValues = async () => {
-  const codeVerifier = generateRandomCodeVerifier();
-  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+const getAuthorizationServer$1 = backendUrl => {
   return {
-    codeChallenge,
-    codeVerifier
+    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
+    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
+    token_endpoint: getBackendOidcTokenUrl(backendUrl)
+  };
+};
+const getClient$1 = clientId => {
+  return {
+    client_id: clientId
+  };
+};
+const exchangeAuthorizationCode = async (backendUrl, clientId, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
+  const authorizationServer = getAuthorizationServer$1(backendUrl);
+  const client = getClient$1(clientId);
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
+  return {
+    accessToken: tokenResponse.access_token,
+    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
   };
 };
@@ -2087,55 +1949,517 @@ const getCurrentHref = async () => {
   return globalThis.location.href;
 };
-const successHtml = `<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <title>Authentication Complete</title>
-    <style>
-      :root {
-        color-scheme: light;
-        --background: linear-gradient(180deg, #f4f7fb 0%, #e9eef8 100%);
-        --panel: rgba(255, 255, 255, 0.92);
-        --panel-border: rgba(33, 52, 88, 0.08);
-        --text: #132238;
-        --muted: #5f6f86;
-        --accent: #1f7a5a;
-        --accent-soft: #e7f6ef;
-        --shadow: 0 24px 60px rgba(44, 65, 98, 0.16);
-      }
-      * {
-        box-sizing: border-box;
-      }
-      html,
-      body {
-        margin: 0;
-        min-height: 100%;
-        font-family: Inter, sans-serif;
-        background: var(--background);
-        color: var(--text);
-      }
+const getPayload$1 = async response => {
+  try {
+    return await response.json();
+  } catch {
+    return undefined;
+  }
+};
+const getOidcUserName = async (backendUrl, accessToken, fetchFn = fetch) => {
+  if (!backendUrl || !accessToken) {
+    return '';
+  }
+  const response = await fetchFn(new URL('/account/me', backendUrl), {
+    headers: {
+      Accept: 'application/json',
+      Authorization: `Bearer ${accessToken}`
+    }
+  });
+  if (!response.ok) {
+    return '';
+  }
+  const payload = await getPayload$1(response);
+  if (!payload || typeof payload !== 'object') {
+    return '';
+  }
+  const displayName = Reflect.get(payload, 'displayName');
+  return typeof displayName === 'string' ? displayName : '';
+};
-      body {
-        display: flex;
-        align-items: center;
-        justify-content: center;
-        padding: 24px;
-      }
+const databaseName = 'auth-worker';
+const objectStoreName = 'auth';
+const memoryStorage = new Map();
+let databasePromise;
-      .card {
-        width: min(100%, 460px);
-        padding: 32px 28px;
-        border: 1px solid var(--panel-border);
-        border-radius: 20px;
-        background: var(--panel);
-        box-shadow: var(--shadow);
-        text-align: center;
-        backdrop-filter: blur(12px);
-      }
+// IndexedDB request objects are mutable browser primitives and cannot satisfy the readonly rule structurally.
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const requestToPromise = request => {
+  return new Promise((resolve, reject) => {
+    request.addEventListener('success', () => {
+      resolve(request.result);
+    });
+    request.addEventListener('error', () => {
+      reject(request.error ?? new Error('Persistent storage request failed.'));
+    });
+  });
+};
+// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
+const transactionToPromise = transaction => {
+  return new Promise((resolve, reject) => {
+    transaction.addEventListener('complete', () => {
+      resolve();
+    });
+    transaction.addEventListener('abort', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+    transaction.addEventListener('error', () => {
+      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
+    });
+  });
+};
+const getDatabase = async () => {
+  if (typeof indexedDB === 'undefined') {
+    return undefined;
+  }
+  if (!databasePromise) {
+    databasePromise = new Promise((resolve, reject) => {
+      const request = indexedDB.open(databaseName, 1);
+      request.addEventListener('upgradeneeded', () => {
+        const database = request.result;
+        if (!database.objectStoreNames.contains(objectStoreName)) {
+          database.createObjectStore(objectStoreName);
+        }
+      });
+      request.addEventListener('success', () => {
+        resolve(request.result);
+      });
+      request.addEventListener('error', () => {
+        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
+      });
+    });
+  }
+  return databasePromise;
+};
+const getPersistentAuthValue = async key => {
+  const database = await getDatabase();
+  if (!database) {
+    return memoryStorage.get(key) ?? '';
+  }
+  const transaction = database.transaction(objectStoreName, 'readonly');
+  const objectStore = transaction.objectStore(objectStoreName);
+  const value = await requestToPromise(objectStore.get(key));
+  return typeof value === 'string' ? value : '';
+};
+const setPersistentAuthValue = async (key, value) => {
+  memoryStorage.set(key, value);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.put(value, key);
+  await transactionToPromise(transaction);
+};
+const clearPersistentAuthValue = async key => {
+  memoryStorage.delete(key);
+  const database = await getDatabase();
+  if (!database) {
+    return;
+  }
+  const transaction = database.transaction(objectStoreName, 'readwrite');
+  const objectStore = transaction.objectStore(objectStoreName);
+  objectStore.delete(key);
+  await transactionToPromise(transaction);
+};
+const callbackUrlKey = 'oidcCallbackUrl';
+const clientIdKey = 'oidcClientId';
+const pendingClientIdKey = 'pendingOidcClientId';
+const pendingCodeVerifierKey = 'pendingOidcCodeVerifier';
+const pendingRedirectUriKey = 'pendingOidcRedirectUri';
+const pendingStateKey = 'pendingOidcState';
+const clearOidcCallbackUrl = async () => {
+  await clearPersistentAuthValue(callbackUrlKey);
+};
+const clearStoredOidcClientId = async () => {
+  await clearPersistentAuthValue(clientIdKey);
+};
+const clearPendingOidcAuthState = async () => {
+  await Promise.all([clearPersistentAuthValue(pendingClientIdKey), clearPersistentAuthValue(pendingCodeVerifierKey), clearPersistentAuthValue(pendingRedirectUriKey), clearPersistentAuthValue(pendingStateKey)]);
+};
+const getOidcCallbackUrl = async () => {
+  return getPersistentAuthValue(callbackUrlKey);
+};
+const getStoredOidcClientId = async () => {
+  return getPersistentAuthValue(clientIdKey);
+};
+const loadPendingOidcAuthState = async () => {
+  const [clientId, codeVerifier, redirectUri, state] = await Promise.all([getPersistentAuthValue(pendingClientIdKey), getPersistentAuthValue(pendingCodeVerifierKey), getPersistentAuthValue(pendingRedirectUriKey), getPersistentAuthValue(pendingStateKey)]);
+  if (!clientId || !codeVerifier || !redirectUri || !state) {
+    return undefined;
+  }
+  return {
+    clientId,
+    codeVerifier,
+    redirectUri,
+    state
+  };
+};
+const saveOidcClientId = async clientId => {
+  await setPersistentAuthValue(clientIdKey, clientId);
+};
+const savePendingOidcAuthState = async value => {
+  await Promise.all([setPersistentAuthValue(pendingClientIdKey, value.clientId), setPersistentAuthValue(pendingCodeVerifierKey, value.codeVerifier), setPersistentAuthValue(pendingRedirectUriKey, value.redirectUri), setPersistentAuthValue(pendingStateKey, value.state)]);
+};
+const normalizeRedirectUri = value => {
+  const url = new URL(value);
+  url.hash = '';
+  url.search = '';
+  return url.toString();
+};
+const getCallbackHref = async () => {
+  const storedCallbackUrl = await getOidcCallbackUrl();
+  if (storedCallbackUrl) {
+    await clearOidcCallbackUrl();
+    return storedCallbackUrl;
+  }
+  return getCurrentHref();
+};
+const completeBrowserOidcLogin = async backendUrl => {
+  const href = await getCallbackHref();
+  if (!href) {
+    return undefined;
+  }
+  let url;
+  try {
+    url = new URL(href);
+  } catch {
+    return undefined;
+  }
+  const code = url.searchParams.get('code') || '';
+  const error = url.searchParams.get('error') || '';
+  const errorDescription = url.searchParams.get('error_description') || '';
+  if (!code && !error) {
+    return undefined;
+  }
+  const pendingAuthState = await loadPendingOidcAuthState();
+  if (!pendingAuthState) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState('Authentication state is missing.');
+  }
+  if (normalizeRedirectUri(href) !== normalizeRedirectUri(pendingAuthState.redirectUri)) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState('Authentication returned to an unexpected redirect URI.');
+  }
+  if (error) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState(errorDescription || error);
+  }
+  const returnedState = url.searchParams.get('state') || '';
+  if (!returnedState || returnedState !== pendingAuthState.state) {
+    await clearPendingOidcAuthState();
+    return getLoggedOutBackendAuthState('Authentication state mismatch.');
+  }
+  const exchanged = await exchangeAuthorizationCode(backendUrl, pendingAuthState.clientId, code, pendingAuthState.redirectUri, pendingAuthState.codeVerifier);
+  const userName = await getOidcUserName(backendUrl, exchanged.accessToken);
+  await clearPendingOidcAuthState();
+  return {
+    authAccessToken: exchanged.accessToken,
+    authClientId: pendingAuthState.clientId,
+    authErrorMessage: '',
+    authRefreshToken: exchanged.refreshToken,
+    userName,
+    userState: exchanged.accessToken ? 'loggedIn' : 'loggedOut'
+  };
+};
+const getBackendRefreshUrl = backendUrl => {
+  return getBackendAuthUrl(backendUrl, '/auth/refresh');
+};
+const delay = async ms => {
+  await new Promise(resolve => setTimeout(resolve, ms));
+};
+let nextLoginResponse;
+let nextRefreshResponse;
+const setNextLoginResponse = response => {
+  nextLoginResponse = response;
+};
+const setNextRefreshResponse = response => {
+  nextRefreshResponse = response;
+};
+const clear = () => {
+  nextLoginResponse = undefined;
+  nextRefreshResponse = undefined;
+};
+const hasPendingMockLoginResponse = () => {
+  return !!nextLoginResponse;
+};
+const hasPendingMockRefreshResponse = () => {
+  return !!nextRefreshResponse;
+};
+const consumeNextLoginResponse = async () => {
+  if (!nextLoginResponse) {
+    return undefined;
+  }
+  const response = nextLoginResponse;
+  nextLoginResponse = undefined;
+  if (response.delay > 0) {
+    await delay(response.delay);
+  }
+  if (response.type === 'error') {
+    throw new Error(response.message);
+  }
+  return response.response;
+};
+const consumeNextRefreshResponse = async () => {
+  if (!nextRefreshResponse) {
+    return undefined;
+  }
+  const response = nextRefreshResponse;
+  nextRefreshResponse = undefined;
+  if (response.delay > 0) {
+    await new Promise(resolve => setTimeout(resolve, response.delay));
+  }
+  if (response.type === 'error') {
+    throw new Error(response.message);
+  }
+  return response.response;
+};
+const isObject = value => {
+  return !!value && typeof value === 'object';
+};
+const isBackendAuthResponse = value => {
+  return isObject(value);
+};
+const getNumber = (value, fallback = 0) => {
+  return typeof value === 'number' ? value : fallback;
+};
+const getString = (value, fallback = '') => {
+  return typeof value === 'string' ? value : fallback;
+};
+const getUserName = value => {
+  if (typeof value.userName === 'string') {
+    return value.userName;
+  }
+  return getString(value.user?.displayName);
+};
+const toBackendAuthState = value => {
+  return {
+    authAccessToken: getString(value.accessToken),
+    authErrorMessage: getString(value.error),
+    authRefreshToken: getString(value.refreshToken),
+    userName: getUserName(value),
+    userState: value.accessToken ? 'loggedIn' : 'loggedOut',
+    userSubscriptionPlan: getString(value.subscriptionPlan),
+    userSubscriptionStatus: getString(value.subscriptionStatus),
+    userUsedTokens: getNumber(value.usedTokens)
+  };
+};
+const parseBackendAuthResponse = value => {
+  if (!isBackendAuthResponse(value)) {
+    return getLoggedOutBackendAuthState('Backend returned an invalid authentication response.');
+  }
+  return toBackendAuthState(value);
+};
+const persistLoginResult = async loginResult => {
+  if (loginResult.userState !== 'loggedIn') {
+    return loginResult;
+  }
+  await Promise.all([setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? ''), setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? ''), loginResult.authClientId ? saveOidcClientId(loginResult.authClientId) : Promise.resolve()]);
+  return loginResult;
+};
+const getAuthorizationServer = backendUrl => {
+  return {
+    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
+    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
+    token_endpoint: getBackendOidcTokenUrl(backendUrl)
+  };
+};
+const getClient = clientId => {
+  return {
+    client_id: clientId
+  };
+};
+const refreshOidcTokens = async (backendUrl, clientId, refreshToken, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
+  const authorizationServer = getAuthorizationServer(backendUrl);
+  const client = getClient(clientId);
+  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'refresh_token', new URLSearchParams({
+    refresh_token: refreshToken
+  }));
+  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
+  return {
+    accessToken: tokenResponse.access_token,
+    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : refreshToken
+  };
+};
+const clearStoredOidcAuth = async () => {
+  await Promise.all([clearPersistentAuthValue('accessToken'), clearPersistentAuthValue('refreshToken'), clearStoredOidcClientId()]);
+};
+const toLoginResult = (accessToken, refreshToken, clientId, userName) => {
+  return {
+    authAccessToken: accessToken,
+    authClientId: clientId,
+    authErrorMessage: '',
+    authRefreshToken: refreshToken,
+    userName,
+    userState: accessToken ? 'loggedIn' : 'loggedOut'
+  };
+};
+const restoreOidcAuth = async backendUrl => {
+  const [accessToken, refreshToken, clientId] = await Promise.all([getPersistentAuthValue('accessToken'), getPersistentAuthValue('refreshToken'), getStoredOidcClientId()]);
+  if (!refreshToken || !clientId) {
+    return undefined;
+  }
+  try {
+    const refreshedTokens = await refreshOidcTokens(backendUrl, clientId, refreshToken);
+    const userName = await getOidcUserName(backendUrl, refreshedTokens.accessToken);
+    return toLoginResult(refreshedTokens.accessToken, refreshedTokens.refreshToken, clientId, userName);
+  } catch {
+    if (accessToken) {
+      const userName = await getOidcUserName(backendUrl, accessToken);
+      if (userName) {
+        return toLoginResult(accessToken, refreshToken, clientId, userName);
+      }
+    }
+    await clearStoredOidcAuth();
+    return undefined;
+  }
+};
+const getPayload = async response => {
+  try {
+    return await response.json();
+  } catch {
+    return undefined;
+  }
+};
+const syncBackendAuth = async backendUrl => {
+  if (!backendUrl) {
+    return getLoggedOutBackendAuthState('Backend URL is missing.');
+  }
+  try {
+    const completedBrowserLogin = await completeBrowserOidcLogin(backendUrl);
+    if (completedBrowserLogin) {
+      return persistLoginResult(completedBrowserLogin);
+    }
+    const restoredOidcAuth = await restoreOidcAuth(backendUrl);
+    if (restoredOidcAuth) {
+      return persistLoginResult(restoredOidcAuth);
+    }
+    if (hasPendingMockRefreshResponse()) {
+      const mockResponse = await consumeNextRefreshResponse();
+      return parseBackendAuthResponse(mockResponse);
+    }
+    const response = await fetch(getBackendRefreshUrl(backendUrl), {
+      credentials: 'include',
+      headers: {
+        Accept: 'application/json'
+      },
+      method: 'POST'
+    });
+    if (response.status === 401 || response.status === 403) {
+      return getLoggedOutBackendAuthState();
+    }
+    const payload = await getPayload(response);
+    if (!response.ok) {
+      const parsed = parseBackendAuthResponse(payload);
+      return getLoggedOutBackendAuthState(parsed.authErrorMessage || 'Backend authentication failed.');
+    }
+    const parsed = parseBackendAuthResponse(payload);
+    if (parsed.authErrorMessage) {
+      return getLoggedOutBackendAuthState(parsed.authErrorMessage);
+    }
+    if (!parsed.authAccessToken) {
+      return getLoggedOutBackendAuthState();
+    }
+    return parsed;
+  } catch (error) {
+    const authErrorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
+    return getLoggedOutBackendAuthState(authErrorMessage);
+  }
+};
+const waitForBackendLogin = async (backendUrl, timeoutMs = 30_000, pollIntervalMs = 1000) => {
+  const deadline = Date.now() + timeoutMs;
+  let lastErrorMessage = '';
+  while (Date.now() < deadline) {
+    const authState = await syncBackendAuth(backendUrl);
+    if (authState.userState === 'loggedIn') {
+      return authState;
+    }
+    if (authState.authErrorMessage) {
+      lastErrorMessage = authState.authErrorMessage;
+    }
+    await delay(pollIntervalMs);
+  }
+  return getLoggedOutBackendAuthState(lastErrorMessage);
+};
+// cspell:ignore pkce
+const createPkceValues = async () => {
+  const codeVerifier = generateRandomCodeVerifier();
+  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+  return {
+    codeChallenge,
+    codeVerifier
+  };
+};
+const successHtml = `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Authentication Complete</title>
+    <style>
+      :root {
+        color-scheme: light;
+        --background: linear-gradient(180deg, #f4f7fb 0%, #e9eef8 100%);
+        --panel: rgba(255, 255, 255, 0.92);
+        --panel-border: rgba(33, 52, 88, 0.08);
+        --text: #132238;
+        --muted: #5f6f86;
+        --accent: #1f7a5a;
+        --accent-soft: #e7f6ef;
+        --shadow: 0 24px 60px rgba(44, 65, 98, 0.16);
+      }
+      * {
+        box-sizing: border-box;
+      }
+      html,
+      body {
+        margin: 0;
+        min-height: 100%;
+        font-family: Inter, sans-serif;
+        background: var(--background);
+        color: var(--text);
+      }
+      body {
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        padding: 24px;
+      }
+      .card {
+        width: min(100%, 460px);
+        padding: 32px 28px;
+        border: 1px solid var(--panel-border);
+        border-radius: 20px;
+        background: var(--panel);
+        box-shadow: var(--shadow);
+        text-align: center;
+        backdrop-filter: blur(12px);
+      }
       .badge {
         display: inline-flex;
@@ -2338,6 +2662,18 @@ const getElectronRedirectUri = async uid => {
   return `http://localhost:${localOauthServerPort}/callback`;
 };
+const getWebRedirectUri = async () => {
+  const href = await getCurrentHref();
+  if (!href) {
+    return '';
+  }
+  try {
+    const url = new URL(href);
+    return `${url.origin}/auth/callback`;
+  } catch {
+    return '';
+  }
+};
 const getEffectiveRedirectUri = async (platform, uid, redirectUri) => {
   if (redirectUri) {
     return redirectUri;
@@ -2345,11 +2681,15 @@ const getEffectiveRedirectUri = async (platform, uid, redirectUri) => {
   if (platform === Electron) {
     return getElectronRedirectUri(uid);
   }
-  return getCurrentHref();
+  return getWebRedirectUri();
 };
-const oidcClientId = 'lvce-editor-native';
+const nativeOidcClientId = 'lvce-editor-native';
+const webOidcClientId = 'lvce-editor-web';
 const oidcScope = 'openid offline_access profile email';
+const getOidcClientId = platform => {
+  return platform === Electron ? nativeOidcClientId : webOidcClientId;
+};
 const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirectUri = '', createPkceValuesFn = createPkceValues, createRandomUuid = () => globalThis.crypto.randomUUID()) => {
   const effectiveRedirectUri = await getEffectiveRedirectUri(platform, uid, redirectUri);
@@ -2357,24 +2697,28 @@ const getBackendLoginRequest = async (backendUrl, platform = 0, uid = 0, redirec
     codeChallenge,
     codeVerifier
   } = await createPkceValuesFn();
+  const clientId = getOidcClientId(platform);
   const nonce = createRandomUuid();
+  const state = createRandomUuid();
   const loginUrl = new URL(getBackendAuthUrl(backendUrl, '/oidc/auth'));
-  loginUrl.searchParams.set('client_id', oidcClientId);
+  loginUrl.searchParams.set('client_id', clientId);
   loginUrl.searchParams.set('code_challenge', codeChallenge);
   loginUrl.searchParams.set('code_challenge_method', 'S256');
   loginUrl.searchParams.set('nonce', nonce);
   loginUrl.searchParams.set('prompt', 'consent');
   loginUrl.searchParams.set('response_type', 'code');
   loginUrl.searchParams.set('scope', oidcScope);
-  loginUrl.searchParams.set('state', createRandomUuid());
+  loginUrl.searchParams.set('state', state);
   if (effectiveRedirectUri) {
     loginUrl.searchParams.set('redirect_uri', effectiveRedirectUri);
   }
   return {
+    clientId,
     codeVerifier,
     loginUrl: loginUrl.toString(),
     nonce,
-    redirectUri: effectiveRedirectUri
+    redirectUri: effectiveRedirectUri,
+    state
   };
 };
@@ -2398,98 +2742,8 @@ const isLoginResponse = value => {
   return !!value && typeof value === 'object';
 };
-const databaseName = 'auth-worker';
-const objectStoreName = 'auth';
-const memoryStorage = new Map();
-let databasePromise;
-// eslint-disable-next-line @typescript-eslint/prefer-readonly-parameter-types
-const transactionToPromise = transaction => {
-  return new Promise((resolve, reject) => {
-    transaction.addEventListener('complete', () => {
-      resolve();
-    });
-    transaction.addEventListener('abort', () => {
-      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
-    });
-    transaction.addEventListener('error', () => {
-      reject(transaction.error ?? new Error('Persistent storage transaction failed.'));
-    });
-  });
-};
-const getDatabase = async () => {
-  if (typeof indexedDB === 'undefined') {
-    return undefined;
-  }
-  if (!databasePromise) {
-    databasePromise = new Promise((resolve, reject) => {
-      const request = indexedDB.open(databaseName, 1);
-      request.addEventListener('upgradeneeded', () => {
-        const database = request.result;
-        if (!database.objectStoreNames.contains(objectStoreName)) {
-          database.createObjectStore(objectStoreName);
-        }
-      });
-      request.addEventListener('success', () => {
-        resolve(request.result);
-      });
-      request.addEventListener('error', () => {
-        reject(request.error ?? new Error('Failed to open persistent auth storage.'));
-      });
-    });
-  }
-  return databasePromise;
-};
-const setPersistentAuthValue = async (key, value) => {
-  memoryStorage.set(key, value);
-  const database = await getDatabase();
-  if (!database) {
-    return;
-  }
-  const transaction = database.transaction(objectStoreName, 'readwrite');
-  const objectStore = transaction.objectStore(objectStoreName);
-  objectStore.put(value, key);
-  await transactionToPromise(transaction);
-};
-const persistLoginResult = async loginResult => {
-  if (loginResult.userState !== 'loggedIn') {
-    return loginResult;
-  }
-  await setPersistentAuthValue('accessToken', loginResult.authAccessToken ?? '');
-  await setPersistentAuthValue('refreshToken', loginResult.authRefreshToken ?? '');
-  return loginResult;
-};
-const getBackendOidcTokenUrl = backendUrl => {
-  return getBackendAuthUrl(backendUrl, '/oidc/token');
-};
-const getAuthorizationServer = backendUrl => {
-  return {
-    issuer: getBackendAuthUrl(backendUrl, '/oidc'),
-    jwks_uri: getBackendAuthUrl(backendUrl, '/oidc/jwks'),
-    token_endpoint: getBackendOidcTokenUrl(backendUrl)
-  };
-};
-const getClient = () => {
-  return {
-    client_id: oidcClientId
-  };
-};
 const exchangeElectronAuthorizationCode = async (backendUrl, code, redirectUri, codeVerifier, requestTokenEndpoint = genericTokenEndpointRequest, processTokenEndpointResponse = processGenericTokenEndpointResponse) => {
-  const authorizationServer = getAuthorizationServer(backendUrl);
-  const client = getClient();
-  const response = await requestTokenEndpoint(authorizationServer, client, None(), 'authorization_code', new URLSearchParams({
-    code,
-    code_verifier: codeVerifier,
-    redirect_uri: redirectUri
-  }));
-  const tokenResponse = await processTokenEndpointResponse(authorizationServer, client, response);
-  return {
-    accessToken: tokenResponse.access_token,
-    refreshToken: typeof tokenResponse.refresh_token === 'string' ? tokenResponse.refresh_token : ''
-  };
+  return exchangeAuthorizationCode(backendUrl, nativeOidcClientId, code, redirectUri, codeVerifier, requestTokenEndpoint, processTokenEndpointResponse);
 };
 const hasAuthorizationCode = value => {
@@ -2516,6 +2770,55 @@ const waitForElectronBackendLogin = async (backendUrl, uid, redirectUri, codeVer
   return getLoggedOutBackendAuthState('Timed out waiting for backend login.');
 };
+const getMockLoginResult = async signingInState => {
+  if (!hasPendingMockLoginResponse()) {
+    return undefined;
+  }
+  const response = await consumeNextLoginResponse();
+  if (!isLoginResponse(response)) {
+    return {
+      authErrorMessage: 'Backend returned an invalid login response.',
+      userState: 'loggedOut'
+    };
+  }
+  if (typeof response.error === 'string' && response.error) {
+    return {
+      authErrorMessage: response.error,
+      userState: 'loggedOut'
+    };
+  }
+  return persistLoginResult(getLoggedInState(signingInState, response));
+};
+const getInteractiveLoginResult = async (backendUrl, platform, authUseRedirect, signingInState) => {
+  const uid = 0;
+  const {
+    clientId,
+    codeVerifier,
+    loginUrl,
+    redirectUri,
+    state
+  } = await getBackendLoginRequest(backendUrl, platform, uid);
+  if (platform !== Electron) {
+    await savePendingOidcAuthState({
+      clientId,
+      codeVerifier,
+      redirectUri,
+      state
+    });
+  }
+  await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
+  if (platform !== Electron && authUseRedirect) {
+    return signingInState;
+  }
+  const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
+  if (platform !== Electron) {
+    await clearPendingOidcAuthState();
+  }
+  return persistLoginResult({
+    ...authState,
+    authClientId: clientId
+  });
+};
 const handleClickLogin = async options => {
   const {
     authUseRedirect,
@@ -2533,32 +2836,13 @@ const handleClickLogin = async options => {
     userState: 'loggingIn'
   };
   try {
-    if (hasPendingMockLoginResponse()) {
-      const response = await consumeNextLoginResponse();
-      if (!isLoginResponse(response)) {
-        return {
-          authErrorMessage: 'Backend returned an invalid login response.',
-          userState: 'loggedOut'
-        };
-      }
-      if (typeof response.error === 'string' && response.error) {
-        return {
-          authErrorMessage: response.error,
-          userState: 'loggedOut'
-        };
-      }
-      return persistLoginResult(getLoggedInState(signingInState, response));
+    const mockLoginResult = await getMockLoginResult(signingInState);
+    if (mockLoginResult) {
+      return mockLoginResult;
     }
-    const uid = 0;
-    const {
-      codeVerifier,
-      loginUrl,
-      redirectUri
-    } = await getBackendLoginRequest(backendUrl, platform, uid);
-    await invoke$1('Open.openUrl', loginUrl, platform, authUseRedirect);
-    const authState = platform === Electron ? await waitForElectronBackendLogin(backendUrl, uid, redirectUri, codeVerifier) : await waitForBackendLogin(backendUrl);
-    return persistLoginResult(authState);
+    return getInteractiveLoginResult(backendUrl, platform, authUseRedirect, signingInState);
   } catch (error) {
+    await clearPendingOidcAuthState();
     const errorMessage = error instanceof Error && error.message ? error.message : 'Backend authentication failed.';
     return {
       ...signingInState,
@@ -2573,6 +2857,7 @@ const logout = async state => {
     userState: 'loggingOut'
   };
   await logoutFromBackend(state.backendUrl);
+  await Promise.all([clearOidcCallbackUrl(), clearPendingOidcAuthState(), clearStoredOidcClientId(), clearPersistentAuthValue('accessToken'), clearPersistentAuthValue('refreshToken')]);
   return {
     ...loggingOutState,
     ...getLoggedOutBackendAuthState()

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lvce-editor/auth-worker",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "description": "Auth Worker",
   "repository": {
     "type": "git",