@nekm/sveltekit-armor 0.2.2 → 0.3.0

package/src/contracts.ts

@@ -26,7 +26,8 @@ export interface ArmorAccessToken extends JWTPayload {
 export interface ArmorTokens {
 	readonly exchange: ArmorTokenExchange;
 	readonly idToken: ArmorIdToken;
-	readonly accessToken: ArmorAccessToken;
+	readonly accessToken: ArmorAccessToken | string;
+	readonly expiresAt: Date;
 }
 
 interface OauthBaseUrl {
@@ -36,6 +37,7 @@ interface OauthBaseUrl {
 	readonly authorizeEndpoint?: never;
 	readonly logoutEndpoint?: never;
 	readonly tokenEndpoint?: never;
+	readonly refreshEndpoint?: never;
 }
 
 interface OauthEndpoints {
@@ -45,18 +47,21 @@ interface OauthEndpoints {
 	readonly authorizeEndpoint: string;
 	readonly logoutEndpoint?: string;
 	readonly tokenEndpoint: string;
+	readonly refreshEndpoint: string;
 }
 
 type OauthEndpointsOrBaseUrl = OauthBaseUrl | OauthEndpoints;
 
 export interface ArmorConfig {
 	readonly session: {
-		readonly exists: (event: RequestEvent) => Promise<boolean> | boolean;
 		readonly login: (
 			event: RequestEvent,
 			tokens: ArmorTokens,
 		) => Promise<void> | void;
 		readonly logout: (event: RequestEvent) => Promise<void> | void;
+		readonly getTokens: (
+			event: RequestEvent,
+		) => Promise<ArmorTokens | undefined> | ArmorTokens | undefined;
 	};
 	readonly oauth: OauthEndpointsOrBaseUrl & {
 		readonly clientId: string;

package/src/errors.ts

@@ -2,3 +2,4 @@ export class ArmorError extends Error {}
 export class ArmorOpenIdConfigError extends ArmorError {}
 export class ArmorInvalidStateError extends ArmorError {}
 export class ArmorAuthMissingError extends ArmorError {}
+export class ArmorRefreshError extends ArmorError {}

package/src/index.ts

@@ -1,32 +1,45 @@
 import { redirect, type Handle } from "@sveltejs/kit";
 import { ROUTE_PATH_LOGIN } from "./routes/login";
 import type { ArmorConfig, ArmorOpenIdConfig, ArmorTokens } from "./contracts";
-import { ROUTE_PATH_LOGOUT } from "./routes/logout";
 import { routeCreate } from "./routes/routes";
-import { ArmorOpenIdConfigError } from "./errors";
+import { ArmorOpenIdConfigError, ArmorRefreshError } from "./errors";
+import { shouldRefresh } from "./utils/utils";
+import { createRefresh } from "./utils/refresh";
 
 export type { ArmorConfig, ArmorTokens };
 export { armorCookieSession, armorCookieSessionGet } from "./session/cookie";
 
-export const ARMOR_LOGIN = ROUTE_PATH_LOGIN;
-export const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;
-
 export function armor(config: ArmorConfig): Handle {
-	const routes = routeCreate(config);
+	const routeByPath = routeCreate(config);
+	const refresh = createRefresh(config);
 
 	return async ({ event, resolve }) => {
-		const routeHandle = routes.get(event.url.pathname);
+		const route = routeByPath.get(event.url.pathname);
 
-		if (routeHandle) {
-			return routeHandle({ event, resolve });
+		if (route && route.method === event.request.method) {
+			return route.handle({ event, resolve });
 		}
 
-		const exists = await config.session.exists(event);
+		const tokens = await config.session.getTokens(event);
 
-		if (!exists) {
+		if (!tokens) {
 			throw redirect(302, ROUTE_PATH_LOGIN);
 		}
 
+		try {
+			if (shouldRefresh(tokens)) {
+				console.log("Refreshing token...");
+				await refresh(event, tokens);
+			}
+		} catch (error) {
+			if (error instanceof ArmorRefreshError) {
+				console.error("Could not refresh token. Redirect user to login...");
+				throw redirect(302, ROUTE_PATH_LOGIN);
+			}
+
+			throw error;
+		}
+
 		return resolve(event);
 	};
 }
@@ -65,6 +78,7 @@ export async function armorConfigFromOpenId(
 			issuer: body.issuer,
 			jwksEndpoint: body.jwks_uri,
 			logoutEndpoint: body.end_session_endpoint ?? undefined,
+			refreshEndpoint: body.token_endpoint,
 		},
 	};
 }

package/src/routes/login.ts

@@ -6,8 +6,9 @@ import { randomUUID } from "node:crypto";
 import type { RouteFactory } from "./routes";
 import { COOKIE_STATE, cookieSet } from "../utils/cookie";
 import { urlConcat } from "../utils/utils";
+import { ARMOR_LOGIN } from "../browser";
 
-export const ROUTE_PATH_LOGIN = "/_armor/login";
+export const ROUTE_PATH_LOGIN = ARMOR_LOGIN;
 
 export const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {
 	const authorizeEndpoint =
@@ -18,6 +19,7 @@ export const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {
 
 	return {
 		path: ROUTE_PATH_LOGIN,
+		method: "GET",
 		async handle({ event }) {
 			const state = randomUUID();
 			cookieSet(event.cookies, COOKIE_STATE, state);

package/src/routes/logout.ts

@@ -19,6 +19,7 @@ export const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {
 
 	return {
 		path: ROUTE_PATH_LOGOUT,
+		method: "GET",
 		async handle({ event }) {
 			const state = randomUUID();
 			cookieSet(event.cookies, COOKIE_STATE, state);

package/src/routes/redirect-login.ts

@@ -7,7 +7,7 @@ import type {
 import { queryParamsCreate, throwIfUndefined } from "@nekm/core";
 import { createRemoteJWKSet } from "jose";
 import type { RouteFactory } from "./routes";
-import { urlConcat, isTokenExchange } from "../utils/utils";
+import { urlConcat, isTokenExchange, createExpiresAt } from "../utils/utils";
 import { jwtVerifyAccessToken, jwtVerifyIdToken } from "../utils/jwt";
 import { eventStateValidOrThrow } from "../utils/event";
 
@@ -70,6 +70,7 @@ export const routeRedirectLoginFactory: RouteFactory = (
 
 	return {
 		path: ROUTE_PATH_REDIRECT_LOGIN,
+		method: "GET",
 		async handle({ event }) {
 			eventStateValidOrThrow(event);
 
@@ -113,7 +114,10 @@ export const routeRedirectLoginFactory: RouteFactory = (
 			await config.session.login(event, {
 				exchange,
 				idToken: idToken as ArmorIdToken,
-				accessToken,
+				// Generally, IdP's require an audience to get a JWT
+				// access token. Most cases, this doesn't matter.
+				accessToken: accessToken ?? exchange.access_token,
+				expiresAt: createExpiresAt(exchange.expires_in),
 			});
 
 			throw redirect(302, "/");

package/src/routes/redirect-logout.ts

@@ -15,6 +15,7 @@ export const routeRedirectLogoutFactory: RouteFactory = (
 
 	return {
 		path: ROUTE_PATH_REDIRECT_LOGOUT,
+		method: "GET",
 		async handle({ event }) {
 			eventStateValidOrThrow(event);
 

package/src/routes/refresh.ts

@@ -0,0 +1,39 @@
+import { error, json } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+import type { RouteFactory } from "./routes";
+import { createRefresh } from "../utils/refresh";
+import { ARMOR_REFRESH } from "../browser";
+import { ArmorRefreshError } from "../errors";
+
+export const ROUTE_PATH_REFRESH = ARMOR_REFRESH;
+
+export const routeRefreshFactory: RouteFactory = (config: ArmorConfig) => {
+	const refresh = createRefresh(config);
+
+	return {
+		path: ROUTE_PATH_REFRESH,
+		method: "POST",
+		async handle({ event }) {
+			try {
+				const tokens = await config.session.getTokens(event);
+
+				if (!tokens) {
+					return error(401, "Unauthorized");
+				}
+
+				const { idToken, expiresAt, accessToken } = await refresh(
+					event,
+					tokens,
+				);
+
+				return json({ idToken, expiresAt, accessToken });
+			} catch (ex) {
+				if (ex instanceof ArmorRefreshError) {
+					return error(401, "Unauthorized");
+				}
+
+				throw ex;
+			}
+		},
+	};
+};

package/src/routes/routes.ts

@@ -4,10 +4,12 @@ import { routeLoginFactory } from "./login";
 import { routeLogoutFactory } from "./logout";
 import { routeRedirectLogoutFactory } from "./redirect-logout";
 import { routeRedirectLoginFactory } from "./redirect-login";
+import { routeRefreshFactory } from "./refresh";
 
 export interface Route {
 	readonly path: string;
 	readonly handle: Handle;
+	readonly method: "GET" | "POST";
 }
 
 export type RouteFactory = (config: ArmorConfig) => Route | undefined;
@@ -17,14 +19,16 @@ const routeFactories = Object.freeze([
 	routeLogoutFactory,
 	routeRedirectLoginFactory,
 	routeRedirectLogoutFactory,
+	routeRefreshFactory,
 ]);
 
-export function routeCreate(config: ArmorConfig): Map<string, Handle> {
+export function routeCreate(config: ArmorConfig): Map<string, Route> {
+	// @ts-expect-error Incorrect typing error.
 	return new Map(
 		routeFactories
 			.map((routeFactory) => routeFactory(config))
 			.filter((route) => Boolean(route))
 			// @ts-expect-error Incorrect typing error.
-			.map((route) => [route.path, route.handle]),
+			.map((route) => [route.path, route]),
 	);
 }

package/src/session/cookie.ts

@@ -8,8 +8,10 @@ import {
 import { ArmorConfig, ArmorTokens } from "../contracts";
 import { ArmorAuthMissingError } from "../errors";
 
-function cookieSessionExists({ cookies }: RequestEvent): boolean {
-	return Boolean(cookies.get(COOKIE_TOKENS));
+function cookieSessionGetTokens({
+	cookies,
+}: RequestEvent): ArmorTokens | undefined {
+	return cookies.get(COOKIE_TOKENS) as ArmorTokens | undefined;
 }
 
 export function cookieSessionLogin(
@@ -34,7 +36,7 @@ export function armorCookieSessionGet({ cookies }: RequestEvent): ArmorTokens {
 }
 
 export const armorCookieSession: ArmorConfig["session"] = {
-	exists: cookieSessionExists,
+	getTokens: cookieSessionGetTokens,
 	login: cookieSessionLogin,
 	logout: cookieSessionLogout,
 };

package/src/utils/jwt.ts

@@ -1,12 +1,19 @@
 import { ArmorConfig } from "../contracts";
 import { JWTPayload, jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from "jose";
+import { throwIfUndefined } from "@nekm/core";
+
+function jwtIsCompactJwt(token: string): boolean {
+	// Must be three base64url segments
+	const parts = token.trim().split(".");
+	return parts.length === 3 && parts.every((p) => p.length > 0);
+}
 
 export function jwtVerifyIdToken(
 	config: ArmorConfig,
 	jwks: JWTVerifyGetKey,
 	idToken: string,
 ): Promise<JWTPayload> {
-	return jwtVerifyToken(
+	const payload = jwtVerifyToken(
 		jwks,
 		{
 			issuer: config.oauth.issuer,
@@ -14,13 +21,16 @@ export function jwtVerifyIdToken(
 		},
 		idToken,
 	);
+	throwIfUndefined(payload);
+	// @ts-expect-error We're already verifying non-null above.
+	return payload;
 }
 
 export function jwtVerifyAccessToken(
 	config: ArmorConfig,
 	jwks: JWTVerifyGetKey,
 	accessToken: string,
-): Promise<JWTPayload> {
+): Promise<JWTPayload | undefined> {
 	const opts: JWTVerifyOptions = { issuer: config.oauth.issuer };
 
 	if (config.oauth.audience) {
@@ -30,11 +40,33 @@ export function jwtVerifyAccessToken(
 	return jwtVerifyToken(jwks, opts, accessToken);
 }
 
+function isInvalidCompactJwt(error: unknown): boolean {
+	return Boolean(
+		typeof error === "object" &&
+		error &&
+		"message" in error &&
+		typeof error.message === "string" &&
+		/invalid compact jws/gi.test(error.message),
+	);
+}
+
 async function jwtVerifyToken(
 	jwks: JWTVerifyGetKey,
 	opts: JWTVerifyOptions,
 	token: string,
-): Promise<JWTPayload> {
-	const { payload } = await jwtVerify(token, jwks, opts);
-	return payload;
+): Promise<JWTPayload | undefined> {
+	try {
+		if (!jwtIsCompactJwt(token)) {
+			return undefined;
+		}
+
+		const { payload } = await jwtVerify(token, jwks, opts);
+		return payload;
+	} catch (error) {
+		if (isInvalidCompactJwt(error)) {
+			return undefined;
+		}
+
+		throw error;
+	}
 }

package/src/utils/refresh.ts

@@ -0,0 +1,87 @@
+import { createRemoteJWKSet } from "jose";
+import {
+	ArmorConfig,
+	ArmorIdToken,
+	ArmorTokenExchange,
+	ArmorTokens,
+} from "../contracts";
+import { ArmorRefreshError } from "../errors";
+import { createExpiresAt, urlConcat } from "./utils";
+import { jwtVerifyAccessToken, jwtVerifyIdToken } from "./jwt";
+import { RequestEvent } from "@sveltejs/kit";
+
+export function createRefresh(config: ArmorConfig) {
+	const refreshEndpoint =
+		config.oauth.refreshEndpoint ??
+		urlConcat(config.oauth.baseUrl, "oauth2/token");
+
+	const jwksUrl = new URL(
+		config.oauth.jwksEndpoint ??
+			urlConcat(config.oauth.baseUrl, ".well-known/jwks.json"),
+	);
+
+	const refresh = async (
+		fetch: typeof global.fetch,
+		refreshToken: string,
+	): Promise<ArmorTokenExchange> => {
+		const body = new URLSearchParams({
+			grant_type: "refresh_token",
+			client_id: config.oauth.clientId,
+			client_secret: config.oauth.clientSecret,
+			refresh_token: refreshToken,
+		});
+
+		if (config.oauth.scope) {
+			body.set("scope", config.oauth.scope);
+		}
+
+		const response = await fetch(refreshEndpoint, {
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded",
+				Accept: "application/json",
+			},
+			body: body.toString(),
+		});
+
+		if (!response.ok) {
+			const error = await response.text();
+			throw new ArmorRefreshError(`Could not refresh token: ${error}`);
+		}
+
+		const json: ArmorTokenExchange = await response.json();
+
+		return {
+			...json,
+			refresh_token: json.refresh_token ?? refreshToken,
+		};
+	};
+
+	return async (
+		event: RequestEvent,
+		tokens: ArmorTokens,
+	): Promise<ArmorTokens> => {
+		const refreshToken = tokens.exchange?.refresh_token;
+
+		if (!refreshToken) {
+			throw new ArmorRefreshError("Could not find refresh token");
+		}
+
+		const newExchange = await refresh(event.fetch, refreshToken);
+
+		const jwks = createRemoteJWKSet(jwksUrl);
+
+		const [idToken, accessToken] = await Promise.all([
+			jwtVerifyIdToken(config, jwks, newExchange.id_token),
+			jwtVerifyAccessToken(config, jwks, newExchange.access_token),
+		]);
+
+		return {
+			exchange: newExchange,
+			idToken: idToken as ArmorIdToken,
+			// Generally, IdP's require an audience to get a JWT
+			// access token. Most cases, this doesn't matter.
+			accessToken: accessToken ?? newExchange.access_token,
+			expiresAt: createExpiresAt(newExchange.expires_in),
+		};
+	};
+}

package/src/utils/utils.ts

@@ -1,5 +1,5 @@
 import { strTrimEnd, strTrimStart } from "@nekm/core";
-import type { ArmorTokenExchange } from "../contracts";
+import type { ArmorTokenExchange, ArmorTokens } from "../contracts";
 
 export function urlConcat(origin: string, path: string): string {
 	return [strTrimEnd(origin, "/"), strTrimStart(path, "/")].join("/");
@@ -21,3 +21,15 @@ export function isTokenExchange(value: unknown): value is ArmorTokenExchange {
 		(typeof obj.scope === "string" || obj.scope === undefined)
 	);
 }
+
+const MINUTES_MS = 60 * 1000;
+
+export function shouldRefresh(tokens: ArmorTokens) {
+	return tokens.expiresAt.getTime() < Date.now() + 5 * MINUTES_MS;
+}
+
+export function createExpiresAt(seconds: number): Date {
+	const now = new Date();
+	now.setSeconds(now.getSeconds() + seconds);
+	return now;
+}