npm - @nekm/sveltekit-armor - Versions diffs - 0.2.4 → 0.3.0 - Mend

@nekm/sveltekit-armor 0.2.4 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/browser/index.d.ts +8 -0
package/dist/contracts.d.ts +4 -1
package/dist/errors.d.ts +2 -0
package/dist/index.d.ts +0 -2
package/dist/index.esm.js +135 -18
package/dist/index.esm.js.map +1 -1
package/dist/index.js +133 -18
package/dist/index.js.map +1 -1
package/dist/routes/refresh.d.ts +3 -0
package/dist/routes/routes.d.ts +2 -1
package/dist/utils/refresh.d.ts +3 -0
package/dist/utils/utils.d.ts +3 -1
package/package.json +23 -12
package/src/browser/index.ts +32 -0
package/src/contracts.ts +6 -1
package/src/errors.ts +1 -0
package/src/index.ts +25 -11
package/src/routes/login.ts +3 -1
package/src/routes/logout.ts +1 -0
package/src/routes/redirect-login.ts +3 -1
package/src/routes/redirect-logout.ts +1 -0
package/src/routes/refresh.ts +39 -0
package/src/routes/routes.ts +6 -2
package/src/session/cookie.ts +5 -3
package/src/utils/refresh.ts +87 -0
package/src/utils/utils.ts +13 -1

package/src/index.ts CHANGED Viewed

@@ -1,32 +1,45 @@
 import { redirect, type Handle } from "@sveltejs/kit";
 import { ROUTE_PATH_LOGIN } from "./routes/login";
 import type { ArmorConfig, ArmorOpenIdConfig, ArmorTokens } from "./contracts";
-import { ROUTE_PATH_LOGOUT } from "./routes/logout";
 import { routeCreate } from "./routes/routes";
-import { ArmorOpenIdConfigError } from "./errors";
+import { ArmorOpenIdConfigError, ArmorRefreshError } from "./errors";
+import { shouldRefresh } from "./utils/utils";
+import { createRefresh } from "./utils/refresh";
 export type { ArmorConfig, ArmorTokens };
 export { armorCookieSession, armorCookieSessionGet } from "./session/cookie";
-export const ARMOR_LOGIN = ROUTE_PATH_LOGIN;
-export const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;
 export function armor(config: ArmorConfig): Handle {
-	const routes = routeCreate(config);
+	const routeByPath = routeCreate(config);
+	const refresh = createRefresh(config);
 	return async ({ event, resolve }) => {
-		const routeHandle = routes.get(event.url.pathname);
+		const route = routeByPath.get(event.url.pathname);
-		if (routeHandle) {
-			return routeHandle({ event, resolve });
+		if (route && route.method === event.request.method) {
+			return route.handle({ event, resolve });
 		}
-		const exists = await config.session.exists(event);
+		const tokens = await config.session.getTokens(event);
-		if (!exists) {
+		if (!tokens) {
 			throw redirect(302, ROUTE_PATH_LOGIN);
 		}
+		try {
+			if (shouldRefresh(tokens)) {
+				console.log("Refreshing token...");
+				await refresh(event, tokens);
+			}
+		} catch (error) {
+			if (error instanceof ArmorRefreshError) {
+				console.error("Could not refresh token. Redirect user to login...");
+				throw redirect(302, ROUTE_PATH_LOGIN);
+			}
+			throw error;
+		}
 		return resolve(event);
 	};
 }
@@ -65,6 +78,7 @@ export async function armorConfigFromOpenId(
 			issuer: body.issuer,
 			jwksEndpoint: body.jwks_uri,
 			logoutEndpoint: body.end_session_endpoint ?? undefined,
+			refreshEndpoint: body.token_endpoint,
 		},
 	};
 }

package/src/routes/login.ts CHANGED Viewed

@@ -6,8 +6,9 @@ import { randomUUID } from "node:crypto";
 import type { RouteFactory } from "./routes";
 import { COOKIE_STATE, cookieSet } from "../utils/cookie";
 import { urlConcat } from "../utils/utils";
+import { ARMOR_LOGIN } from "../browser";
-export const ROUTE_PATH_LOGIN = "/_armor/login";
+export const ROUTE_PATH_LOGIN = ARMOR_LOGIN;
 export const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {
 	const authorizeEndpoint =
@@ -18,6 +19,7 @@ export const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {
 	return {
 		path: ROUTE_PATH_LOGIN,
+		method: "GET",
 		async handle({ event }) {
 			const state = randomUUID();
 			cookieSet(event.cookies, COOKIE_STATE, state);

package/src/routes/logout.ts CHANGED Viewed

@@ -19,6 +19,7 @@ export const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {
 	return {
 		path: ROUTE_PATH_LOGOUT,
+		method: "GET",
 		async handle({ event }) {
 			const state = randomUUID();
 			cookieSet(event.cookies, COOKIE_STATE, state);

package/src/routes/redirect-login.ts CHANGED Viewed

@@ -7,7 +7,7 @@ import type {
 import { queryParamsCreate, throwIfUndefined } from "@nekm/core";
 import { createRemoteJWKSet } from "jose";
 import type { RouteFactory } from "./routes";
-import { urlConcat, isTokenExchange } from "../utils/utils";
+import { urlConcat, isTokenExchange, createExpiresAt } from "../utils/utils";
 import { jwtVerifyAccessToken, jwtVerifyIdToken } from "../utils/jwt";
 import { eventStateValidOrThrow } from "../utils/event";
@@ -70,6 +70,7 @@ export const routeRedirectLoginFactory: RouteFactory = (
 	return {
 		path: ROUTE_PATH_REDIRECT_LOGIN,
+		method: "GET",
 		async handle({ event }) {
 			eventStateValidOrThrow(event);
@@ -116,6 +117,7 @@ export const routeRedirectLoginFactory: RouteFactory = (
 				// Generally, IdP's require an audience to get a JWT
 				// access token. Most cases, this doesn't matter.
 				accessToken: accessToken ?? exchange.access_token,
+				expiresAt: createExpiresAt(exchange.expires_in),
 			});
 			throw redirect(302, "/");

package/src/routes/redirect-logout.ts CHANGED Viewed

@@ -15,6 +15,7 @@ export const routeRedirectLogoutFactory: RouteFactory = (
 	return {
 		path: ROUTE_PATH_REDIRECT_LOGOUT,
+		method: "GET",
 		async handle({ event }) {
 			eventStateValidOrThrow(event);

package/src/routes/refresh.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { error, json } from "@sveltejs/kit";
+import type { ArmorConfig } from "../contracts";
+import type { RouteFactory } from "./routes";
+import { createRefresh } from "../utils/refresh";
+import { ARMOR_REFRESH } from "../browser";
+import { ArmorRefreshError } from "../errors";
+export const ROUTE_PATH_REFRESH = ARMOR_REFRESH;
+export const routeRefreshFactory: RouteFactory = (config: ArmorConfig) => {
+	const refresh = createRefresh(config);
+	return {
+		path: ROUTE_PATH_REFRESH,
+		method: "POST",
+		async handle({ event }) {
+			try {
+				const tokens = await config.session.getTokens(event);
+				if (!tokens) {
+					return error(401, "Unauthorized");
+				}
+				const { idToken, expiresAt, accessToken } = await refresh(
+					event,
+					tokens,
+				);
+				return json({ idToken, expiresAt, accessToken });
+			} catch (ex) {
+				if (ex instanceof ArmorRefreshError) {
+					return error(401, "Unauthorized");
+				}
+				throw ex;
+			}
+		},
+	};
+};

package/src/routes/routes.ts CHANGED Viewed

@@ -4,10 +4,12 @@ import { routeLoginFactory } from "./login";
 import { routeLogoutFactory } from "./logout";
 import { routeRedirectLogoutFactory } from "./redirect-logout";
 import { routeRedirectLoginFactory } from "./redirect-login";
+import { routeRefreshFactory } from "./refresh";
 export interface Route {
 	readonly path: string;
 	readonly handle: Handle;
+	readonly method: "GET" | "POST";
 }
 export type RouteFactory = (config: ArmorConfig) => Route | undefined;
@@ -17,14 +19,16 @@ const routeFactories = Object.freeze([
 	routeLogoutFactory,
 	routeRedirectLoginFactory,
 	routeRedirectLogoutFactory,
+	routeRefreshFactory,
 ]);
-export function routeCreate(config: ArmorConfig): Map<string, Handle> {
+export function routeCreate(config: ArmorConfig): Map<string, Route> {
+	// @ts-expect-error Incorrect typing error.
 	return new Map(
 		routeFactories
 			.map((routeFactory) => routeFactory(config))
 			.filter((route) => Boolean(route))
 			// @ts-expect-error Incorrect typing error.
-			.map((route) => [route.path, route.handle]),
+			.map((route) => [route.path, route]),
 	);
 }

package/src/session/cookie.ts CHANGED Viewed

@@ -8,8 +8,10 @@ import {
 import { ArmorConfig, ArmorTokens } from "../contracts";
 import { ArmorAuthMissingError } from "../errors";
-function cookieSessionExists({ cookies }: RequestEvent): boolean {
-	return Boolean(cookies.get(COOKIE_TOKENS));
+function cookieSessionGetTokens({
+	cookies,
+}: RequestEvent): ArmorTokens | undefined {
+	return cookies.get(COOKIE_TOKENS) as ArmorTokens | undefined;
 }
 export function cookieSessionLogin(
@@ -34,7 +36,7 @@ export function armorCookieSessionGet({ cookies }: RequestEvent): ArmorTokens {
 }
 export const armorCookieSession: ArmorConfig["session"] = {
-	exists: cookieSessionExists,
+	getTokens: cookieSessionGetTokens,
 	login: cookieSessionLogin,
 	logout: cookieSessionLogout,
 };

package/src/utils/refresh.ts ADDED Viewed

@@ -0,0 +1,87 @@
+import { createRemoteJWKSet } from "jose";
+import {
+	ArmorConfig,
+	ArmorIdToken,
+	ArmorTokenExchange,
+	ArmorTokens,
+} from "../contracts";
+import { ArmorRefreshError } from "../errors";
+import { createExpiresAt, urlConcat } from "./utils";
+import { jwtVerifyAccessToken, jwtVerifyIdToken } from "./jwt";
+import { RequestEvent } from "@sveltejs/kit";
+export function createRefresh(config: ArmorConfig) {
+	const refreshEndpoint =
+		config.oauth.refreshEndpoint ??
+		urlConcat(config.oauth.baseUrl, "oauth2/token");
+	const jwksUrl = new URL(
+		config.oauth.jwksEndpoint ??
+			urlConcat(config.oauth.baseUrl, ".well-known/jwks.json"),
+	);
+	const refresh = async (
+		fetch: typeof global.fetch,
+		refreshToken: string,
+	): Promise<ArmorTokenExchange> => {
+		const body = new URLSearchParams({
+			grant_type: "refresh_token",
+			client_id: config.oauth.clientId,
+			client_secret: config.oauth.clientSecret,
+			refresh_token: refreshToken,
+		});
+		if (config.oauth.scope) {
+			body.set("scope", config.oauth.scope);
+		}
+		const response = await fetch(refreshEndpoint, {
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded",
+				Accept: "application/json",
+			},
+			body: body.toString(),
+		});
+		if (!response.ok) {
+			const error = await response.text();
+			throw new ArmorRefreshError(`Could not refresh token: ${error}`);
+		}
+		const json: ArmorTokenExchange = await response.json();
+		return {
+			...json,
+			refresh_token: json.refresh_token ?? refreshToken,
+		};
+	};
+	return async (
+		event: RequestEvent,
+		tokens: ArmorTokens,
+	): Promise<ArmorTokens> => {
+		const refreshToken = tokens.exchange?.refresh_token;
+		if (!refreshToken) {
+			throw new ArmorRefreshError("Could not find refresh token");
+		}
+		const newExchange = await refresh(event.fetch, refreshToken);
+		const jwks = createRemoteJWKSet(jwksUrl);
+		const [idToken, accessToken] = await Promise.all([
+			jwtVerifyIdToken(config, jwks, newExchange.id_token),
+			jwtVerifyAccessToken(config, jwks, newExchange.access_token),
+		]);
+		return {
+			exchange: newExchange,
+			idToken: idToken as ArmorIdToken,
+			// Generally, IdP's require an audience to get a JWT
+			// access token. Most cases, this doesn't matter.
+			accessToken: accessToken ?? newExchange.access_token,
+			expiresAt: createExpiresAt(newExchange.expires_in),
+		};
+	};
+}

package/src/utils/utils.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { strTrimEnd, strTrimStart } from "@nekm/core";
-import type { ArmorTokenExchange } from "../contracts";
+import type { ArmorTokenExchange, ArmorTokens } from "../contracts";
 export function urlConcat(origin: string, path: string): string {
 	return [strTrimEnd(origin, "/"), strTrimStart(path, "/")].join("/");
@@ -21,3 +21,15 @@ export function isTokenExchange(value: unknown): value is ArmorTokenExchange {
 		(typeof obj.scope === "string" || obj.scope === undefined)
 	);
 }
+const MINUTES_MS = 60 * 1000;
+export function shouldRefresh(tokens: ArmorTokens) {
+	return tokens.expiresAt.getTime() < Date.now() + 5 * MINUTES_MS;
+}
+export function createExpiresAt(seconds: number): Date {
+	const now = new Date();
+	now.setSeconds(now.getSeconds() + seconds);
+	return now;
+}