@lwrjs/auth-middleware 0.10.0-alpha.3 → 0.10.0-alpha.4

package/README.md

@@ -28,7 +28,7 @@ platformWebServerAuthMiddleware(lwrApp.getServer()); // Pass in the generic LWR
 Start the LWR server, and pass the [Connected App information](#variables) in using environment variables:
 
 ```
-MY_DOMAIN=https://somewhere.force.com CLIENT_KEY=abc.123 CLIENT_SECRET=****** yarn start
+CLIENT_KEY=abc.123 CLIENT_SECRET=****** yarn start
 ```
 
 Authenticate by accessing the `/login` [endpoint](#endpoints) from the LWR app:
@@ -91,7 +91,6 @@ platformWebServerAuthMiddleware(lwrApp.getServer(), { proxyEndpoint: '/some/wher
 
 In order to authenticate with the Web Server Flow, the following Connected App information is needed:
 
--   `MY_DOMAIN`: The [domain of the Salesforce org](https://help.salesforce.com/s/articleView?id=sf.faq_domain_name_what.htm&type=5) (_Note_: Find this in Setup -> "My Domain"; this is **not** necessarily the same as the URL in the browser address bar when visiting the org).
 -   `CLIENT_KEY`: The public OAuth identifier for the Connected App (i.e. "Consumer Key", "Client ID").
 -   `CLIENT_SECRET`: The password to go along with the `CLIENT_KEY` (i.e. "Consumer Secret", "Client Secret"), known only to the Connected App the and LWR server.
 
@@ -99,6 +98,12 @@ This information is passed to the LWR server via environment variables to keep t
 
 > Read more about the OAuth Client ID and Secret [here](https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/).
 
+#### Optional Variables
+
+Additionally, the following optional environment variables are supported:
+
+-   `MY_DOMAIN`: The [domain of the Salesforce org](https://help.salesforce.com/s/articleView?id=sf.faq_domain_name_what.htm&type=5) (_Note_: Find this in Setup -> "My Domain"; this is **not** necessarily the same as the URL in the browser address bar when visiting the org). If this is not set then `https://login.salesforce.com` will be used as the fallback login server. NOTE: if a login request has the `login_server` query parameter set that overrides `MY_DOMAIN` for that login request.
+
 ### Endpoints
 
 The LWR authentication middleware provides the following endpoints:
@@ -106,6 +111,7 @@ The LWR authentication middleware provides the following endpoints:
 -   `/login`: Accessed from the LWR app client code to trigger the OAuth flow and allow the current user to log in.
     -   The `/login` endpoint takes an optional query parameter: `app_path`. Set `app_path` to the [path and parameters](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL#path_to_resource) the LWR server should redirect to after authenticating (e.g. `/home`, `/list?sort=desc`). If omitted, `app_path` defaults to `/`. This value must be URL encoded.
 -   `/oauth`: Used internally as part of the OAuth flow, this is the [OAuth redirect URI](https://www.oauth.com/oauth2-servers/redirect-uris/) for the [Connected App](#connected-app-setup) which fetches the OAuth token.
+-   `/revoke`: Accessed from the LWR app client code to trigger a revoke of the access token. This should be called whenever a user logs out of the LWR app client.
 -   proxy endpoint: Requests sent to this endpoint are proxied to the Salesforce org with the OAuth token in an [Authorization header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization). By proxying these requests through the LWR server, the token remains secure from inspection by the client. The proxy endpoint is optionally passed into the [`platformWebServerAuthMiddleware`](#middleware) as an option; the default proxy endpoint is `/services/data`.
 
 ### Flow

package/build/cjs/utils.cjs

@@ -9,25 +9,28 @@ var __export = (target, all) => {
 __markAsModule(exports);
 __export(exports, {
   COOKIE_NAME: () => COOKIE_NAME,
+  DEFAULT_LOGIN_SERVER: () => DEFAULT_LOGIN_SERVER,
   LOGIN_ENDPOINT: () => LOGIN_ENDPOINT,
   MESSAGE_PREFIX: () => MESSAGE_PREFIX,
   PROXY_ENDPOINT: () => PROXY_ENDPOINT,
   REDIRECT_ENDPOINT: () => REDIRECT_ENDPOINT,
+  REVOKE_ENDPOINT: () => REVOKE_ENDPOINT,
   buildProxyRequest: () => buildProxyRequest,
   buildRedirectUrl: () => buildRedirectUrl,
   generateStateString: () => generateStateString,
-  getAppPath: () => getAppPath,
   getOauthInfoFromCookie: () => getOauthInfoFromCookie,
-  getPlatformWebServerEnvVars: () => getPlatformWebServerEnvVars
+  getPlatformWebServerEnvVars: () => getPlatformWebServerEnvVars,
+  sanitizeAppPath: () => sanitizeAppPath
 });
 var MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
 var LOGIN_ENDPOINT = "/login";
+var REVOKE_ENDPOINT = "/revoke";
 var REDIRECT_ENDPOINT = "/oauth";
 var PROXY_ENDPOINT = "/services/data";
 var COOKIE_NAME = "lwr_web_server_oauth_info";
-var REDIRECT_QUERY = "app_path";
+var DEFAULT_LOGIN_SERVER = "https://login.salesforce.com";
 function buildRedirectUrl(req) {
-  return encodeURIComponent(`${req.protocol}://${req.get("host")}${REDIRECT_ENDPOINT}`);
+  return `${req.protocol}://${req.get("host")}${REDIRECT_ENDPOINT}`;
 }
 function getPlatformWebServerEnvVars() {
   const env = {myDomain: "MY_DOMAIN", clientKey: "CLIENT_KEY", clientSecret: "CLIENT_SECRET"};
@@ -35,9 +38,6 @@ function getPlatformWebServerEnvVars() {
   const clientKey = process.env[env.clientKey];
   const clientSecret = process.env[env.clientSecret];
   const errorMsg = "Web Server OAuth Middleware: missing process.env.";
-  if (!myDomain) {
-    throw new Error(`${errorMsg}${env.myDomain}`);
-  }
   if (!clientKey) {
     throw new Error(`${errorMsg}${env.clientKey}`);
   }
@@ -49,13 +49,13 @@ function getPlatformWebServerEnvVars() {
 function generateStateString() {
   return `s${Math.floor(Math.random() * 65536).toString(16)}`;
 }
-function getAppPath(req) {
-  let appPath = req.query[REDIRECT_QUERY];
-  if (appPath && !decodeURIComponent(appPath).startsWith("/")) {
+function sanitizeAppPath(app_path) {
+  let appPath = app_path ? decodeURIComponent(app_path) : `/`;
+  if (!appPath.startsWith("/")) {
     console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
-    appPath = void 0;
+    appPath = "/";
   }
-  return appPath ? decodeURIComponent(appPath) : "/";
+  return appPath;
 }
 function getOauthInfoFromCookie(req) {
   const oauthInfoStr = req.cookie(COOKIE_NAME);

package/build/cjs/web-server.cjs

@@ -29,33 +29,36 @@ __export(exports, {
 });
 var import_node_fetch = __toModule(require("node-fetch"));
 var import_utils = __toModule(require("./utils.cjs"));
-var stateMap = {};
+var stateMap = new Map();
 function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.PROXY_ENDPOINT} = {}) {
-  let redirectUri;
-  const {myDomain, clientKey, clientSecret} = (0, import_utils.getPlatformWebServerEnvVars)();
+  const {clientKey, clientSecret, myDomain} = (0, import_utils.getPlatformWebServerEnvVars)();
+  const loginServerFallback = myDomain || import_utils.DEFAULT_LOGIN_SERVER;
   server.get(import_utils.LOGIN_ENDPOINT, (req, res) => {
-    redirectUri = redirectUri || (0, import_utils.buildRedirectUrl)(req);
+    const {redirect_uri, login_server, app_path} = req.query;
+    const redirectUri = redirect_uri ? decodeURIComponent(redirect_uri) : (0, import_utils.buildRedirectUrl)(req);
+    const loginServer = login_server ? decodeURIComponent(login_server) : loginServerFallback;
+    const appPath = (0, import_utils.sanitizeAppPath)(app_path);
     const stateStr = (0, import_utils.generateStateString)();
-    const appPath = (0, import_utils.getAppPath)(req);
-    stateMap[stateStr] = appPath;
-    const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
+    stateMap.set(stateStr, {redirectUri, loginServer, appPath});
+    const loginUri = `${loginServer}/services/oauth2/authorize?response_type=code`;
     res.set({
-      Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}&state=${stateStr}`
+      Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${encodeURIComponent(redirectUri)}&state=${stateStr}`
     });
     res.sendStatus(302);
   });
   server.get(import_utils.REDIRECT_ENDPOINT, async (req, res) => {
     const {code, state} = req.query;
-    const appPath = stateMap[state];
-    if (!appPath) {
+    const loginState = stateMap.get(state);
+    if (!loginState) {
       res.status(400).send(`${import_utils.MESSAGE_PREFIX}invalid login attempt.`);
       return;
     }
-    delete stateMap[state];
-    const response = await (0, import_node_fetch.default)(`${myDomain}/services/oauth2/token`, {
+    stateMap.delete(state);
+    const {appPath, loginServer, redirectUri} = loginState;
+    const response = await (0, import_node_fetch.default)(`${loginServer}/services/oauth2/token`, {
       method: "POST",
       headers: {"Content-Type": "application/x-www-form-urlencoded", Accept: "application/json"},
-      body: `grant_type=authorization_code&code=${code}&client_id=${clientKey}&client_secret=${clientSecret}&redirect_uri=${redirectUri}`
+      body: `grant_type=authorization_code&code=${code}&client_id=${clientKey}&client_secret=${clientSecret}&redirect_uri=${encodeURIComponent(redirectUri)}`
     });
     const contentType = response.headers.get("Content-Type") || "";
     const data = await (contentType.includes("application/json") ? response.json() : response.text());
@@ -68,7 +71,7 @@ function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.P
       res.set({Location: appPath});
       res.sendStatus(302);
     } else {
-      const errorMsg = `${import_utils.MESSAGE_PREFIX}could not authenticate.`;
+      const errorMsg = `${import_utils.MESSAGE_PREFIX}could not authenticate. Error body: ${JSON.stringify(data)}`;
       console.error(errorMsg, data);
       res.status(response.status).send(errorMsg);
     }
@@ -85,4 +88,20 @@ function platformWebServerAuthMiddleware(server, {proxyEndpoint = import_utils.P
       res.status(401).send(`${import_utils.MESSAGE_PREFIX}user is not authenticated.`);
     }
   });
+  server.get(import_utils.REVOKE_ENDPOINT, async (req, res) => {
+    let returnStatus = 200;
+    let returnBody = null;
+    const oauthInfo = (0, import_utils.getOauthInfoFromCookie)(req);
+    if (oauthInfo) {
+      const {access_token, instance_url} = oauthInfo;
+      const url = `${instance_url}/services/oauth2/revoke?token=${access_token}`;
+      const proxyRes = await (0, import_node_fetch.default)(url);
+      const contentType = proxyRes.headers.get("Content-Type") || "";
+      const data = await (contentType.includes("application/json") ? proxyRes.json() : proxyRes.text());
+      returnStatus = proxyRes.status;
+      returnBody = data;
+    }
+    res.cookie(import_utils.COOKIE_NAME, "", {httpOnly: true, secure: true});
+    res.status(returnStatus).send(returnBody);
+  });
 }

package/build/es/types.d.ts

@@ -1,11 +1,16 @@
 import type { RequestInit } from 'node-fetch';
 export interface PlatformWebServerInput {
-    /** base URL to the Connected App, e.g. "https://lwr.lightning.force.com" (no trailing slash) */
-    myDomain: string;
     /** "Consumer Key" from the Connected App */
     clientKey: string;
     /** "Consumer Secret" from the Connected App */
     clientSecret: string;
+    /**
+     * (optional) base URL to the Connected App, e.g. "https://lwr.lightning.force.com" (no trailing slash)
+     *
+     * This is not used if a request sets the "login_server" query parameter.  Login will
+     * default to "https://login.salesforce.com" if this is not set.
+     */
+    myDomain?: string;
 }
 export interface PlatformWebServerOptions {
     /** The endpoint path through which all authenticated/proxied requests pass */
@@ -21,4 +26,9 @@ export interface RequestOptions {
     url: string;
     options: RequestInit;
 }
+export interface LoginState {
+    appPath: string;
+    redirectUri: string;
+    loginServer: string;
+}
 //# sourceMappingURL=types.d.ts.map

package/build/es/utils.d.ts

@@ -2,13 +2,15 @@ import type { MiddlewareRequest, Headers } from '@lwrjs/types';
 import type { OAuthInfo, RequestOptions, PlatformWebServerInput } from './types.js';
 export declare const MESSAGE_PREFIX = "Web Server OAuth Middleware - ";
 export declare const LOGIN_ENDPOINT = "/login";
+export declare const REVOKE_ENDPOINT = "/revoke";
 export declare const REDIRECT_ENDPOINT = "/oauth";
 export declare const PROXY_ENDPOINT = "/services/data";
 export declare const COOKIE_NAME = "lwr_web_server_oauth_info";
+export declare const DEFAULT_LOGIN_SERVER = "https://login.salesforce.com";
 export declare function buildRedirectUrl(req: MiddlewareRequest): string;
 export declare function getPlatformWebServerEnvVars(): PlatformWebServerInput;
 export declare function generateStateString(): string;
-export declare function getAppPath(req: MiddlewareRequest): string;
+export declare function sanitizeAppPath(app_path: string | undefined): string;
 export declare function getOauthInfoFromCookie(req: MiddlewareRequest): OAuthInfo | undefined;
 export declare function buildProxyRequest(req: MiddlewareRequest, { access_token, instance_url }: OAuthInfo, existingHeader: Headers): RequestOptions;
 //# sourceMappingURL=utils.d.ts.map

package/build/es/utils.js

@@ -1,13 +1,13 @@
 export const MESSAGE_PREFIX = 'Web Server OAuth Middleware - ';
 export const LOGIN_ENDPOINT = '/login';
+export const REVOKE_ENDPOINT = '/revoke';
 export const REDIRECT_ENDPOINT = '/oauth';
 export const PROXY_ENDPOINT = '/services/data';
 export const COOKIE_NAME = 'lwr_web_server_oauth_info';
-const REDIRECT_QUERY = 'app_path';
+export const DEFAULT_LOGIN_SERVER = 'https://login.salesforce.com';
 // Create an OAuth redirect URI from the origin of a request
-// Return the redirect URI encoded so it can be used as a query param
 export function buildRedirectUrl(req) {
-    return encodeURIComponent(`${req.protocol}://${req.get('host')}${REDIRECT_ENDPOINT}`);
+    return `${req.protocol}://${req.get('host')}${REDIRECT_ENDPOINT}`;
 }
 // Retrieve and validate environment variables for the Web Server OAuth flow
 export function getPlatformWebServerEnvVars() {
@@ -15,11 +15,8 @@ export function getPlatformWebServerEnvVars() {
     const myDomain = process.env[env.myDomain];
     const clientKey = process.env[env.clientKey];
     const clientSecret = process.env[env.clientSecret];
-    // The inputs are all required
+    // Check required vars
     const errorMsg = 'Web Server OAuth Middleware: missing process.env.';
-    if (!myDomain) {
-        throw new Error(`${errorMsg}${env.myDomain}`);
-    }
     if (!clientKey) {
         throw new Error(`${errorMsg}${env.clientKey}`);
     }
@@ -34,14 +31,14 @@ export function getPlatformWebServerEnvVars() {
 export function generateStateString() {
     return `s${Math.floor(Math.random() * 0x10000).toString(16)}`;
 }
-// Parse the app_path query param, validate it, and return it decoded. Default = "/"
-export function getAppPath(req) {
-    let appPath = req.query[REDIRECT_QUERY];
-    if (appPath && !decodeURIComponent(appPath).startsWith('/')) {
+// Ensures the given appPath is defined and decoded. Default = "/"
+export function sanitizeAppPath(app_path) {
+    let appPath = app_path ? decodeURIComponent(app_path) : `/`;
+    if (!appPath.startsWith('/')) {
         console.warn('The "app_path" parameter must be a relative path staring with "/". Defaulting to "app_path" = "/".');
-        appPath = undefined;
+        appPath = '/';
     }
-    return appPath ? decodeURIComponent(appPath) : '/';
+    return appPath;
 }
 // Get the token and url from the cookie
 export function getOauthInfoFromCookie(req) {

package/build/es/web-server.d.ts

@@ -1,16 +1,18 @@
 import type { PublicAppServer, ServerTypes } from '@lwrjs/types';
-import type { PlatformWebServerOptions } from './types.js';
-export declare const stateMap: {
-    [key: string]: string;
-};
+import type { PlatformWebServerOptions, LoginState } from './types.js';
+export declare const stateMap: Map<string, LoginState>;
 /**
  * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
  * Accepts the following environment variables:
- *      - process.env.MY_DOMAIN
  *      - process.env.CLIENT_KEY
  *      - process.env.CLIENT_SECRET
+ *      - process.env.MY_DOMAIN: (optional) The domain of the salesforce org, will be used to determine the login server if
+ *                               login_server query parameter is not set.  Login server defaults to "https://login.salesforce.com"
+ *                               if both login_server nd MY_DOMAIN are not set.
  * The login endpoint accepts the following query parameters:
  *      - app_path: a path encoded string; the middleware redirects to this path after setting the OAuth token in a cookie; default is "/"
+ *      - login_server: an encoded string; the middleware attempts to login at this address; default is "https://login.salesforce.com"
+ *      - redirect_uri: an encoded string; this is where the middleware redirects to after OAuth is done; default is calculated from the request source
  */
 export declare function platformWebServerAuthMiddleware<T extends ServerTypes>(server: PublicAppServer<T>, { proxyEndpoint }?: PlatformWebServerOptions): void;
 //# sourceMappingURL=web-server.d.ts.map

package/build/es/web-server.js

@@ -1,30 +1,37 @@
 import fetch from 'node-fetch';
-import { COOKIE_NAME, LOGIN_ENDPOINT, MESSAGE_PREFIX, PROXY_ENDPOINT, REDIRECT_ENDPOINT, buildProxyRequest, buildRedirectUrl, generateStateString, getAppPath, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
-export const stateMap = {};
+import { COOKIE_NAME, DEFAULT_LOGIN_SERVER, LOGIN_ENDPOINT, MESSAGE_PREFIX, PROXY_ENDPOINT, REDIRECT_ENDPOINT, REVOKE_ENDPOINT, buildProxyRequest, buildRedirectUrl, generateStateString, sanitizeAppPath, getOauthInfoFromCookie, getPlatformWebServerEnvVars, } from './utils.js';
+export const stateMap = new Map();
 /**
  * Web Server OAuth middleware: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5
  * Accepts the following environment variables:
- *      - process.env.MY_DOMAIN
  *      - process.env.CLIENT_KEY
  *      - process.env.CLIENT_SECRET
+ *      - process.env.MY_DOMAIN: (optional) The domain of the salesforce org, will be used to determine the login server if
+ *                               login_server query parameter is not set.  Login server defaults to "https://login.salesforce.com"
+ *                               if both login_server nd MY_DOMAIN are not set.
  * The login endpoint accepts the following query parameters:
  *      - app_path: a path encoded string; the middleware redirects to this path after setting the OAuth token in a cookie; default is "/"
+ *      - login_server: an encoded string; the middleware attempts to login at this address; default is "https://login.salesforce.com"
+ *      - redirect_uri: an encoded string; this is where the middleware redirects to after OAuth is done; default is calculated from the request source
  */
 export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_ENDPOINT } = {}) {
-    let redirectUri;
-    const { myDomain, clientKey, clientSecret } = getPlatformWebServerEnvVars();
+    const { clientKey, clientSecret, myDomain } = getPlatformWebServerEnvVars();
+    const loginServerFallback = myDomain || DEFAULT_LOGIN_SERVER;
     // First, request an authorization code by redirecting to Salesforce login
     // The LWR app should call this endpoint when authentication is needed
     server.get(LOGIN_ENDPOINT, (req, res) => {
-        // Build the redirect URI and save the app path in the state map
-        redirectUri = redirectUri || buildRedirectUrl(req);
+        // Parse the encoded redirect_uri, login_server, app_path query params
+        const { redirect_uri, login_server, app_path } = req.query;
+        const redirectUri = redirect_uri ? decodeURIComponent(redirect_uri) : buildRedirectUrl(req);
+        const loginServer = login_server ? decodeURIComponent(login_server) : loginServerFallback;
+        const appPath = sanitizeAppPath(app_path);
+        // Save the state string for verification in step 2
         const stateStr = generateStateString();
-        const appPath = getAppPath(req);
-        stateMap[stateStr] = appPath; // Save the state string for verification in step 2
+        stateMap.set(stateStr, { redirectUri, loginServer, appPath });
         // Redirect to the Salesforce login page
-        const loginUri = `${myDomain}/services/oauth2/authorize?response_type=code`;
+        const loginUri = `${loginServer}/services/oauth2/authorize?response_type=code`;
         res.set({
-            Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${redirectUri}&state=${stateStr}`,
+            Location: `${loginUri}&client_id=${clientKey}&redirect_uri=${encodeURIComponent(redirectUri)}&state=${stateStr}`,
         });
         res.sendStatus(302);
     });
@@ -33,18 +40,19 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
     server.get(REDIRECT_ENDPOINT, async (req, res) => {
         // Parse the code and state string from the query params
         const { code, state } = req.query;
-        const appPath = stateMap[state];
+        const loginState = stateMap.get(state);
         // If the state string is not found in the map, the request is invalid
-        if (!appPath) {
+        if (!loginState) {
             res.status(400).send(`${MESSAGE_PREFIX}invalid login attempt.`);
             return;
         }
-        delete stateMap[state];
+        stateMap.delete(state);
+        const { appPath, loginServer, redirectUri } = loginState;
         // Fetch the OAuth token
-        const response = await fetch(`${myDomain}/services/oauth2/token`, {
+        const response = await fetch(`${loginServer}/services/oauth2/token`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
-            body: `grant_type=authorization_code&code=${code}&client_id=${clientKey}&client_secret=${clientSecret}&redirect_uri=${redirectUri}`,
+            body: `grant_type=authorization_code&code=${code}&client_id=${clientKey}&client_secret=${clientSecret}&redirect_uri=${encodeURIComponent(redirectUri)}`,
         });
         // Response handling
         const contentType = response.headers.get('Content-Type') || ''; // parse as json or text
@@ -63,7 +71,7 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
         }
         else {
             // Print and forward the error JSON to the client
-            const errorMsg = `${MESSAGE_PREFIX}could not authenticate.`;
+            const errorMsg = `${MESSAGE_PREFIX}could not authenticate. Error body: ${JSON.stringify(data)}`;
             console.error(errorMsg, data);
             res.status(response.status).send(errorMsg);
         }
@@ -83,5 +91,23 @@ export function platformWebServerAuthMiddleware(server, { proxyEndpoint = PROXY_
             res.status(401).send(`${MESSAGE_PREFIX}user is not authenticated.`);
         }
     });
+    // Revoke token if user explicitly logs out
+    server.get(REVOKE_ENDPOINT, async (req, res) => {
+        let returnStatus = 200;
+        let returnBody = null;
+        const oauthInfo = getOauthInfoFromCookie(req);
+        if (oauthInfo) {
+            const { access_token, instance_url } = oauthInfo;
+            const url = `${instance_url}/services/oauth2/revoke?token=${access_token}`;
+            const proxyRes = await fetch(url);
+            const contentType = proxyRes.headers.get('Content-Type') || ''; // parse as json or text
+            const data = await (contentType.includes('application/json') ? proxyRes.json() : proxyRes.text());
+            returnStatus = proxyRes.status;
+            returnBody = data;
+        }
+        // ensure cookie is cleared
+        res.cookie(COOKIE_NAME, '', { httpOnly: true, secure: true });
+        res.status(returnStatus).send(returnBody);
+    });
 }
 //# sourceMappingURL=web-server.js.map

package/package.json

@@ -4,7 +4,7 @@
     "publishConfig": {
         "access": "public"
     },
-    "version": "0.10.0-alpha.3",
+    "version": "0.10.0-alpha.4",
     "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
     "repository": {
         "type": "git",
@@ -33,12 +33,12 @@
         "node-fetch": "^2.6.8"
     },
     "devDependencies": {
-        "@lwrjs/server": "0.10.0-alpha.3",
-        "@lwrjs/types": "0.10.0-alpha.3",
+        "@lwrjs/server": "0.10.0-alpha.4",
+        "@lwrjs/types": "0.10.0-alpha.4",
         "@types/node-fetch": "^2.5.12"
     },
     "engines": {
         "node": ">=16.0.0 <20"
     },
-    "gitHead": "e5c38c00c2ef094961b65e7dffa1ca6ee7c5f734"
+    "gitHead": "f39a534d92fd3980b87839820f484729172e1067"
 }