@microsoft/teamsfx 0.4.1-alpha.fcc60ca0.0 → 0.4.2-alpha.7b2fe9ea.0

package/dist/index.esm2017.js

@@ -1,6 +1,6 @@
 import jwt_decode from 'jwt-decode';
 import * as microsoftTeams from '@microsoft/teams-js';
-import axios from 'axios';
+import { PublicClientApplication } from '@azure/msal-browser';
 import { Client } from '@microsoft/microsoft-graph-client';
 
 // Copyright (c) Microsoft Corporation.
@@ -309,6 +309,57 @@ function getUserInfoFromSsoToken(ssoToken) {
     }
     return userInfo;
 }
+/**
+ * @internal
+ */
+function getTenantIdAndLoginHintFromSsoToken(ssoToken) {
+    if (!ssoToken) {
+        const errorMsg = "SSO token is undefined.";
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, ErrorCode.InvalidParameter);
+    }
+    const tokenObject = parseJwt(ssoToken);
+    const userInfo = {
+        tid: tokenObject.tid,
+        loginHint: tokenObject.ver === "2.0"
+            ? tokenObject.preferred_username
+            : tokenObject.upn,
+    };
+    return userInfo;
+}
+/**
+ * @internal
+ */
+function parseAccessTokenFromAuthCodeTokenResponse(tokenResponse) {
+    try {
+        const tokenResponseObject = typeof tokenResponse == "string"
+            ? JSON.parse(tokenResponse)
+            : tokenResponse;
+        if (!tokenResponseObject || !tokenResponseObject.accessToken) {
+            const errorMsg = "Get empty access token from Auth Code token response.";
+            internalLogger.error(errorMsg);
+            throw new Error(errorMsg);
+        }
+        const token = tokenResponseObject.accessToken;
+        const tokenObject = parseJwt(token);
+        if (tokenObject.ver !== "1.0" && tokenObject.ver !== "2.0") {
+            const errorMsg = "SSO token is not valid with an unknown version: " + tokenObject.ver;
+            internalLogger.error(errorMsg);
+            throw new Error(errorMsg);
+        }
+        const accessToken = {
+            token: token,
+            expiresOnTimestamp: tokenObject.exp * 1000,
+        };
+        return accessToken;
+    }
+    catch (error) {
+        const errorMsg = "Parse access token failed from Auth Code token response in node env with error: " +
+            error.message;
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, ErrorCode.InternalError);
+    }
+}
 /**
  * Format string template with replacements
  *
@@ -548,43 +599,10 @@ class OnBehalfOfUserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Configuration used in initialization.
- * @internal
- */
-class Cache {
-    static get(key) {
-        return sessionStorage.getItem(key);
-    }
-    static set(key, value) {
-        sessionStorage.setItem(key, value);
-    }
-    static remove(key) {
-        sessionStorage.removeItem(key);
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * @internal
- */
-var GrantType;
-(function (GrantType) {
-    GrantType["authCode"] = "authorization_code";
-    GrantType["ssoToken"] = "sso_token";
-})(GrantType || (GrantType = {}));
-
-// Copyright (c) Microsoft Corporation.
-const accessTokenCacheKeyPrefix = "accessToken";
-const separator = "-";
 const tokenRefreshTimeSpanInMillisecond = 5 * 60 * 1000;
 const initializeTeamsSdkTimeoutInMillisecond = 5000;
 const loginPageWidth = 600;
 const loginPageHeight = 535;
-const maxRetryCount = 3;
-const retryTimeSpanInMillisecond = 3000;
 /**
  * Represent Teams current user's identity, and it is used within Teams tab application.
  *
@@ -602,7 +620,6 @@ class TeamsUserCredential {
      * ```typescript
      * const config = {
      *  authentication: {
-     *    runtimeConnectorEndpoint: "https://xxx.xxx.com",
      *    initiateLoginEndpoint: "https://localhost:3000/auth-start.html",
      *    clientId: "xxx"
      *   }
@@ -620,6 +637,7 @@ class TeamsUserCredential {
         internalLogger.info("Create teams user credential");
         this.config = this.loadAndValidateConfig();
         this.ssoToken = null;
+        this.initialized = false;
     }
     /**
      * Popup login page to get user's access token with specific scopes.
@@ -637,7 +655,6 @@ class TeamsUserCredential {
      * @param scopes - The list of scopes for which the token will have access, before that, we will request user to consent.
      *
      * @throws {@link ErrorCode|InternalError} when failed to login with unknown error.
-     * @throws {@link ErrorCode|ServiceError} when simple auth server failed to exchange access token.
      * @throws {@link ErrorCode|ConsentFailed} when user canceled or failed to consent.
      * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
      * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
@@ -648,27 +665,39 @@ class TeamsUserCredential {
         validateScopesType(scopes);
         const scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
         internalLogger.info(`Popup login page to get user's access token with scopes: ${scopesStr}`);
+        if (!this.initialized) {
+            await this.init();
+        }
         return new Promise((resolve, reject) => {
             microsoftTeams.initialize(() => {
                 microsoftTeams.authentication.authenticate({
-                    url: `${this.config.initiateLoginEndpoint}?clientId=${this.config.clientId}&scope=${encodeURI(scopesStr)}`,
+                    url: `${this.config.initiateLoginEndpoint}?clientId=${this.config.clientId}&scope=${encodeURI(scopesStr)}&loginHint=${this.loginHint}`,
                     width: loginPageWidth,
                     height: loginPageHeight,
                     successCallback: async (result) => {
                         if (!result) {
-                            const errorMsg = "Get empty authentication result from Teams";
+                            const errorMsg = "Get empty authentication result from MSAL";
                             internalLogger.error(errorMsg);
                             reject(new ErrorWithCode(errorMsg, ErrorCode.InternalError));
                             return;
                         }
-                        const authCodeResult = JSON.parse(result);
+                        let resultJson = {};
                         try {
-                            await this.exchangeAccessTokenFromSimpleAuthServer(scopesStr, authCodeResult);
+                            resultJson = JSON.parse(result);
+                        }
+                        catch (error) {
+                            // If can not parse result as Json, will NOT throw error since user may return other info in auth-end page.
+                            // TODO: resolve the result.
+                            const failedToParseResult = "Failed to parse result to Json.";
+                            internalLogger.verbose(failedToParseResult);
                             resolve();
+                            return;
                         }
-                        catch (err) {
-                            reject(this.generateAuthServerError(err));
+                        // If sessionStorage exists in result, set the values in current session storage.
+                        if (resultJson.sessionStorage) {
+                            this.setSessionStorage(resultJson.sessionStorage);
                         }
+                        resolve();
                     },
                     failureCallback: (reason) => {
                         const errorMsg = `Consent failed for the scope ${scopesStr} with error: ${reason}`;
@@ -703,7 +732,6 @@ class TeamsUserCredential {
      *
      * @throws {@link ErrorCode|InternalError} when failed to get access token with unknown error.
      * @throws {@link ErrorCode|UiRequiredError} when need user consent to get access token.
-     * @throws {@link ErrorCode|ServiceError} when failed to get access token from simple auth server.
      * @throws {@link ErrorCode|InvalidParameter} when scopes is not a valid string or string array.
      * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is nodeJS.
      *
@@ -724,21 +752,47 @@ class TeamsUserCredential {
         }
         else {
             internalLogger.info("Get access token with scopes: " + scopeStr);
-            const cachedKey = await this.getAccessTokenCacheKey(scopeStr);
-            const cachedToken = this.getTokenCache(cachedKey);
-            if (cachedToken) {
-                if (!this.isAccessTokenNearExpired(cachedToken)) {
-                    internalLogger.verbose("Get access token from cache");
-                    return cachedToken;
+            if (!this.initialized) {
+                await this.init();
+            }
+            let tokenResponse;
+            const scopesArray = typeof scopes === "string" ? scopes.split(" ") : scopes;
+            const domain = window.location.origin;
+            // First try to get Access Token from cache.
+            try {
+                const account = this.msalInstance.getAccountByUsername(this.loginHint);
+                const scopesRequestForAcquireTokenSilent = {
+                    scopes: scopesArray,
+                    account: account !== null && account !== void 0 ? account : undefined,
+                    redirectUri: `${domain}/blank-auth-end.html`,
+                };
+                tokenResponse = await this.msalInstance.acquireTokenSilent(scopesRequestForAcquireTokenSilent);
+            }
+            catch (error) {
+                const acquireTokenSilentFailedMessage = `Failed to call acquireTokenSilent. Reason: ${error === null || error === void 0 ? void 0 : error.message}. `;
+                internalLogger.verbose(acquireTokenSilentFailedMessage);
+            }
+            if (!tokenResponse) {
+                // If fail to get Access Token from cache, try to get Access token by silent login.
+                try {
+                    const scopesRequestForSsoSilent = {
+                        scopes: scopesArray,
+                        loginHint: this.loginHint,
+                        redirectUri: `${domain}/blank-auth-end.html`,
+                    };
+                    tokenResponse = await this.msalInstance.ssoSilent(scopesRequestForSsoSilent);
                 }
-                else {
-                    internalLogger.verbose("Cached access token is expired");
+                catch (error) {
+                    const ssoSilentFailedMessage = `Failed to call ssoSilent. Reason: ${error === null || error === void 0 ? void 0 : error.message}. `;
+                    internalLogger.verbose(ssoSilentFailedMessage);
                 }
             }
-            else {
-                internalLogger.verbose("No cached access token");
+            if (!tokenResponse) {
+                const errorMsg = `Failed to get access token cache silently, please login first: you need login first before get access token.`;
+                internalLogger.error(errorMsg);
+                throw new ErrorWithCode(errorMsg, ErrorCode.UiRequiredError);
             }
-            const accessToken = await this.getAndCacheAccessTokenFromSimpleAuthServer(scopeStr);
+            const accessToken = parseAccessTokenFromAuthCodeTokenResponse(tokenResponse);
             return accessToken;
         }
     }
@@ -763,65 +817,22 @@ class TeamsUserCredential {
         const ssoToken = await this.getSSOToken();
         return getUserInfoFromSsoToken(ssoToken.token);
     }
-    async exchangeAccessTokenFromSimpleAuthServer(scopesStr, authCodeResult) {
-        var _a, _b;
-        const axiosInstance = await this.getAxiosInstance();
-        let retryCount = 0;
-        while (true) {
-            try {
-                const response = await axiosInstance.post("/auth/token", {
-                    scope: scopesStr,
-                    code: authCodeResult.code,
-                    code_verifier: authCodeResult.codeVerifier,
-                    redirect_uri: authCodeResult.redirectUri,
-                    grant_type: GrantType.authCode,
-                });
-                const tokenResult = response.data;
-                const key = await this.getAccessTokenCacheKey(scopesStr);
-                // Important: tokens are stored in sessionStorage, read more here: https://aka.ms/teamsfx-session-storage-notice
-                this.setTokenCache(key, {
-                    token: tokenResult.access_token,
-                    expiresOnTimestamp: tokenResult.expires_on,
-                });
-                return;
-            }
-            catch (err) {
-                if (((_b = (_a = err.response) === null || _a === void 0 ? void 0 : _a.data) === null || _b === void 0 ? void 0 : _b.type) && err.response.data.type === "AadUiRequiredException") {
-                    internalLogger.warn("Exchange access token failed, retry...");
-                    if (retryCount < maxRetryCount) {
-                        await this.sleep(retryTimeSpanInMillisecond);
-                        retryCount++;
-                        continue;
-                    }
-                }
-                throw err;
-            }
-        }
-    }
-    /**
-     * Get access token cache from authentication server
-     * @returns Access token
-     */
-    async getAndCacheAccessTokenFromSimpleAuthServer(scopesStr) {
-        try {
-            internalLogger.verbose("Get access token from authentication server with scopes: " + scopesStr);
-            const axiosInstance = await this.getAxiosInstance();
-            const response = await axiosInstance.post("/auth/token", {
-                scope: scopesStr,
-                grant_type: GrantType.ssoToken,
-            });
-            const accessTokenResult = response.data;
-            const accessToken = {
-                token: accessTokenResult.access_token,
-                expiresOnTimestamp: accessTokenResult.expires_on,
-            };
-            const cacheKey = await this.getAccessTokenCacheKey(scopesStr);
-            this.setTokenCache(cacheKey, accessToken);
-            return accessToken;
-        }
-        catch (err) {
-            throw this.generateAuthServerError(err);
-        }
+    async init() {
+        const ssoToken = await this.getSSOToken();
+        const info = getTenantIdAndLoginHintFromSsoToken(ssoToken.token);
+        this.loginHint = info.loginHint;
+        this.tid = info.tid;
+        const msalConfig = {
+            auth: {
+                clientId: this.config.clientId,
+                authority: `https://login.microsoftonline.com/${this.tid}`,
+            },
+            cache: {
+                cacheLocation: "sessionStorage",
+            },
+        };
+        this.msalInstance = new PublicClientApplication(msalConfig);
+        this.initialized = true;
     }
     /**
      * Get SSO token using teams SDK
@@ -891,16 +902,13 @@ class TeamsUserCredential {
             internalLogger.error(ErrorMessage.AuthenticationConfigurationNotExists);
             throw new ErrorWithCode(ErrorMessage.AuthenticationConfigurationNotExists, ErrorCode.InvalidConfiguration);
         }
-        if (config.initiateLoginEndpoint && config.simpleAuthEndpoint && config.clientId) {
+        if (config.initiateLoginEndpoint && config.clientId) {
             return config;
         }
         const missingValues = [];
         if (!config.initiateLoginEndpoint) {
             missingValues.push("initiateLoginEndpoint");
         }
-        if (!config.simpleAuthEndpoint) {
-            missingValues.push("simpleAuthEndpoint");
-        }
         if (!config.clientId) {
             missingValues.push("clientId");
         }
@@ -908,111 +916,20 @@ class TeamsUserCredential {
         internalLogger.error(errorMsg);
         throw new ErrorWithCode(errorMsg, ErrorCode.InvalidConfiguration);
     }
-    /**
-     * Get axios instance with sso token bearer header
-     * @returns AxiosInstance
-     */
-    async getAxiosInstance() {
-        const ssoToken = await this.getSSOToken();
-        const axiosInstance = axios.create({
-            baseURL: this.config.simpleAuthEndpoint,
-        });
-        axiosInstance.interceptors.request.use((config) => {
-            config.headers.Authorization = "Bearer " + ssoToken.token;
-            return config;
-        });
-        return axiosInstance;
-    }
-    /**
-     * Set access token to cache
-     * @param key
-     * @param token
-     */
-    setTokenCache(key, token) {
-        Cache.set(key, JSON.stringify(token));
-    }
-    /**
-     * Get access token from cache.
-     * If there is no cache or cannot be parsed, then it will return null
-     * @param key
-     * @returns Access token or null
-     */
-    getTokenCache(key) {
-        const value = Cache.get(key);
-        if (value === null) {
-            return null;
-        }
-        const accessToken = this.validateAndParseJson(value);
-        return accessToken;
-    }
-    /**
-     * Parses passed value as JSON access token, if value is not a valid json string JSON.parse() will throw an error.
-     * @param jsonValue
-     */
-    validateAndParseJson(jsonValue) {
+    setSessionStorage(sessonStorageValues) {
         try {
-            const parsedJson = JSON.parse(jsonValue);
-            /**
-             * There are edge cases in which JSON.parse will successfully parse a non-valid JSON object
-             * (e.g. JSON.parse will parse an escaped string into an unescaped string), so adding a type check
-             * of the parsed value is necessary in order to be certain that the string represents a valid JSON object.
-             *
-             */
-            return parsedJson && typeof parsedJson === "object" ? parsedJson : null;
+            const sessionStorageKeys = Object.keys(sessonStorageValues);
+            sessionStorageKeys.forEach((key) => {
+                sessionStorage.setItem(key, sessonStorageValues[key]);
+            });
         }
         catch (error) {
-            return null;
-        }
-    }
-    /**
-     * Generate cache key
-     * @param scopesStr
-     * @returns Access token cache key, a key example: accessToken-userId-clientId-tenantId-scopes
-     */
-    async getAccessTokenCacheKey(scopesStr) {
-        const ssoToken = await this.getSSOToken();
-        const ssoTokenObj = parseJwt(ssoToken.token);
-        const clientId = this.config.clientId;
-        const userObjectId = ssoTokenObj.oid;
-        const tenantId = ssoTokenObj.tid;
-        const key = [accessTokenCacheKeyPrefix, userObjectId, clientId, tenantId, scopesStr]
-            .join(separator)
-            .replace(/" "/g, "_");
-        return key;
-    }
-    /**
-     * Check whether the token is about to expire (within 5 minutes)
-     * @returns Boolean value indicate whether the token is about to expire
-     */
-    isAccessTokenNearExpired(token) {
-        const expireDate = new Date(token.expiresOnTimestamp);
-        if (expireDate.getTime() - Date.now() > tokenRefreshTimeSpanInMillisecond) {
-            return false;
+            // Values in result.sessionStorage can not be set into session storage.
+            // Throw error since this may block user.
+            const errorMessage = `Failed to set values in session storage. Error: ${error.message}`;
+            internalLogger.error(errorMessage);
+            throw new ErrorWithCode(errorMessage, ErrorCode.InternalError);
         }
-        return true;
-    }
-    generateAuthServerError(err) {
-        var _a, _b;
-        let errorMessage = err.message;
-        if ((_b = (_a = err.response) === null || _a === void 0 ? void 0 : _a.data) === null || _b === void 0 ? void 0 : _b.type) {
-            errorMessage = err.response.data.detail;
-            if (err.response.data.type === "AadUiRequiredException") {
-                const fullErrorMsg = "Failed to get access token from authentication server, please login first: " +
-                    errorMessage;
-                internalLogger.warn(fullErrorMsg);
-                return new ErrorWithCode(fullErrorMsg, ErrorCode.UiRequiredError);
-            }
-            else {
-                const fullErrorMsg = "Failed to get access token from authentication server: " + errorMessage;
-                internalLogger.error(fullErrorMsg);
-                return new ErrorWithCode(fullErrorMsg, ErrorCode.ServiceError);
-            }
-        }
-        const fullErrorMsg = "Failed to get access token with error: " + errorMessage;
-        return new ErrorWithCode(fullErrorMsg, ErrorCode.InternalError);
-    }
-    sleep(ms) {
-        return new Promise((resolve) => setTimeout(resolve, ms));
     }
 }