@nsshunt/stsoauth2plugin 0.1.96 → 0.1.99

package/dist/stsoauth2worker.js

@@ -1,27 +1,21 @@
-var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
-    if (kind === "m") throw new TypeError("Private method is not writable");
-    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
-    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
-    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
-var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
-    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
-    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
-    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
-};
-var _STSOAuth2Worker_clientSessionStore, _STSOAuth2Worker_cUtils, _STSOAuth2Worker_qParams, _STSOAuth2Worker_STORAGE_SESSION_KEY, _STSOAuth2Worker_aic, _STSOAuth2Worker_oauthWorkerPort, _STSOAuth2Worker_options, _STSOAuth2Worker_HandleAuthenticateEvent, _STSOAuth2Worker_HandleErrorEvent, _STSOAuth2Worker_LogMessage, _STSOAuth2Worker_GetAccessToken, _STSOAuth2Worker_UpdateInstrument, _STSOAuth2Worker_ProcessCommand, _STSOAuth2Worker_RestoreSession, _STSOAuth2Worker_Authorize, _STSOAuth2Worker_HandleRedirect, _STSOAuth2Worker_GetTokenFromBroker, _STSOAuth2Worker_GetToken, _STSOAuth2Worker_RefreshToken, _STSOAuth2Worker_Logout;
-import Debug from "debug";
-const debug = Debug(`proc:${process.pid}:stsoauth2worker.ts`);
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.STSOAuth2Worker = void 0;
+const debug_1 = __importDefault(require("debug"));
+const debug = (0, debug_1.default)(`proc:${process.pid}:stsoauth2worker.ts`);
 //import 'colors'
-import axios from "axios";
-import { OAuth2ParameterType } from '@nsshunt/stsutils';
-import CryptoUtils from './Utils/CryptoUtils';
-import QueryParams from './Utils/QueryParams';
-import jwt_decode from "jwt-decode";
-import { ClientStorageType, ClientStorageFactory } from './stsStorage';
-import { StatusCodes } from 'http-status-codes';
-import { AuthorizeOptionsResponseType, AuthorizeOptionsResponseMode, OAuthGrantTypes, IOauth2ListenerCommand } from './stsoauth2types';
-import { Gauge } from '@nsshunt/stsinstrumentation';
+const axios_1 = __importDefault(require("axios"));
+const stsutils_1 = require("@nsshunt/stsutils");
+const CryptoUtils_1 = __importDefault(require("./Utils/CryptoUtils"));
+const QueryParams_1 = __importDefault(require("./Utils/QueryParams"));
+const jwt_decode_1 = __importDefault(require("jwt-decode"));
+const stsStorage_1 = require("./stsStorage");
+const http_status_codes_1 = require("http-status-codes");
+const stsoauth2types_1 = require("./stsoauth2types");
+const stsinstrumentation_1 = require("@nsshunt/stsinstrumentation");
 const CreateRandomString = (size = 43) => {
     const randomValues = Array.from(self.crypto.getRandomValues(new Uint8Array(size)));
     const b64 = window.btoa(String.fromCharCode(...randomValues));
@@ -29,555 +23,500 @@ const CreateRandomString = (size = 43) => {
     //return randomValues.toString('base64');
 };
 // STS Client SDK for SPAs
-export class STSOAuth2Worker {
+class STSOAuth2Worker {
+    //#storageManager = null;
+    #clientSessionStore = null; // In memory tokens while the client is logged in
+    #cUtils = new CryptoUtils_1.default();
+    #qParams = new QueryParams_1.default();
+    #STORAGE_SESSION_KEY = 'session.stsmda.com.au';
+    #aic = null;
+    #oauthWorkerPort = null;
+    #options = null;
     constructor(workerPort, options) {
-        //#storageManager = null;
-        _STSOAuth2Worker_clientSessionStore.set(this, null); // In memory tokens while the client is logged in
-        _STSOAuth2Worker_cUtils.set(this, new CryptoUtils());
-        _STSOAuth2Worker_qParams.set(this, new QueryParams());
-        _STSOAuth2Worker_STORAGE_SESSION_KEY.set(this, 'session.stsmda.com.au');
-        _STSOAuth2Worker_aic.set(this, null);
-        _STSOAuth2Worker_oauthWorkerPort.set(this, null);
-        _STSOAuth2Worker_options.set(this, null);
-        // Attempt to restore a previous session using the STSBroker
-        /*
-        { parameterType: OAuth2ParameterType.CLIENT_ID, errorType: authErrorType.CLIENT_ID_MISMATCH },
-        { parameterType: OAuth2ParameterType.SCOPE, errorType: authErrorType.SCOPE_MISMATCH }
-        { parameterType: OAuth2ParameterType.REDIRECT_URI, errorType: authErrorType.REDIRECT_URI_MISMATCH },
-        { parameterType: OAuth2ParameterType.AUDIENCE, errorType: authErrorType.SCOPE_MISMATCH }
-    
-        Successful Response
-        {
-            "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
-            "token_type": "Bearer",
-            "expires_in": 3599,
-            "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
-            "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
-            "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
-        }
-    
-        Error Response
-        {
-            "error": "invalid_scope",
-            "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://foo.microsoft.com/mail.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
-            "error_codes": [
-                70011
-            ],
-            "timestamp": "2016-01-09 02:02:12Z",
-        }
-    
-        
-        */
-        _STSOAuth2Worker_HandleAuthenticateEvent.set(this, (id_token) => {
-            const message = {
-                messageId: -1,
-                command: IOauth2ListenerCommand.AUTHENTICATE_EVENT
-            };
-            __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, message, id_token);
-        });
-        _STSOAuth2Worker_HandleErrorEvent.set(this, (error) => {
-            const message = {
-                messageId: -1,
-                command: IOauth2ListenerCommand.ERROR
-            };
-            __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, message, error);
-        });
-        _STSOAuth2Worker_LogMessage.set(this, (messageToSend) => {
-            const message = {
-                messageId: -1,
-                command: IOauth2ListenerCommand.LOG
-            };
-            __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, message, messageToSend);
-        });
-        _STSOAuth2Worker_GetAccessToken.set(this, () => {
-            const tokens = __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").get(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"));
-            return tokens.access_token;
-        });
-        _STSOAuth2Worker_UpdateInstrument.set(this, (instrumentName, telemetry) => {
-            const message = {
-                messageId: -1,
-                command: IOauth2ListenerCommand.UPDATE_INSTRUMENT
-            };
-            __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, message, {
-                instrumentName,
-                telemetry
-            });
+        this.#options = options;
+        debug(`STSOAuth2Worker:constructor:#options: [${JSON.stringify(this.#options)}]`);
+        // In memory storage for OAuth2 tokens for our valid session
+        this.#clientSessionStore = new stsStorage_1.ClientStorageFactory({ clientStorageType: stsStorage_1.ClientStorageType.MEMORY_STORAGE }).GetStorage();
+        //@@ needs to be sent the instrument manager controller port
+        //@@this.#aic = app.config.globalProperties.$sts.aic.PrimaryPublishInstrumentController;
+        //this.#handleAuthenticateEvent = handleAuthenticateEvent;
+        this.#oauthWorkerPort = workerPort;
+        debug(`STSOAuth2Worker:constructor:#oauthWorkerPort: [${JSON.stringify(this.#oauthWorkerPort)}]`);
+        this.SetupListener();
+        this.#UpdateInstrument(stsinstrumentation_1.Gauge.LOGGER, {
+            LogMessage: `STSOauth2 Plugin - Successfully Loaded`
         });
-        this.SetupListener = () => {
-            __classPrivateFieldGet(this, _STSOAuth2Worker_oauthWorkerPort, "f").onmessage = async (data) => {
-                const auth2ListenerMessage = data.data;
-                debug(`STSOAuth2Worker:SetupListener:onmessage: [${auth2ListenerMessage.command}]`);
-                switch (auth2ListenerMessage.command) {
-                    case IOauth2ListenerCommand.RESTORE_SESSION:
-                        __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, auth2ListenerMessage, await __classPrivateFieldGet(this, _STSOAuth2Worker_RestoreSession, "f").call(this));
-                        break;
-                    case IOauth2ListenerCommand.AUTHORIZE:
-                        __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, auth2ListenerMessage, await __classPrivateFieldGet(this, _STSOAuth2Worker_Authorize, "f").call(this));
-                        break;
-                    case IOauth2ListenerCommand.HANDLE_REDIRECT:
-                        __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, auth2ListenerMessage, await __classPrivateFieldGet(this, _STSOAuth2Worker_HandleRedirect, "f").call(this, auth2ListenerMessage.payload));
-                        break;
-                    case IOauth2ListenerCommand.LOGOUT:
-                        __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, auth2ListenerMessage, await __classPrivateFieldGet(this, _STSOAuth2Worker_Logout, "f").call(this));
-                        break;
-                    //@@ Need a way of keeping this out of the main thread - should always stay within the worker
-                    case IOauth2ListenerCommand.ACCESS_TOKEN:
-                        __classPrivateFieldGet(this, _STSOAuth2Worker_ProcessCommand, "f").call(this, auth2ListenerMessage, await __classPrivateFieldGet(this, _STSOAuth2Worker_GetAccessToken, "f").call(this));
-                        break;
-                    default:
-                        throw new Error(`Command: [${auth2ListenerMessage.command}'] not found.`);
-                }
-            };
-        };
         /*
-        #GetIDToken = async(): Promise<string> => {
-            return '-- ID Token --';
-        }
+        setInterval(() => { // Used for testing purposes only.
+            this.#UpdateInstrument(Gauge.LOGGER, {
+                LogMessage: `--> [${Date.now().toString()}] <--`
+            } as InstrumentLogTelemetry);
+        }, 1000);
         */
-        _STSOAuth2Worker_ProcessCommand.set(this, async (auth2ListenerMessage, response) => {
-            const messageResponse = {
-                messageId: auth2ListenerMessage.messageId,
-                command: auth2ListenerMessage.command,
-                payload: response
-            };
-            __classPrivateFieldGet(this, _STSOAuth2Worker_oauthWorkerPort, "f").postMessage(messageResponse);
-        });
-        _STSOAuth2Worker_RestoreSession.set(this, async () => {
-            //@@ attempt to get from client storage first
-            let restoredSessionData = null;
-            restoredSessionData = __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").get(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"));
-            if (restoredSessionData !== null) {
-                console.log('Session restored from client storage.');
-                if (__classPrivateFieldGet(this, _STSOAuth2Worker_aic, "f")) {
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_aic, "f").UpdateInstrument('m', { LogMessage: 'Session restored from client storage.' });
-                }
-                __classPrivateFieldGet(this, _STSOAuth2Worker_LogMessage, "f").call(this, 'Session restored from client storage.');
-            }
-            else {
-                const url = `${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerendpoint}:${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerport}${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerapiroot}/session`;
-                console.log('RestoreSession');
-                console.log(url);
-                if (__classPrivateFieldGet(this, _STSOAuth2Worker_aic, "f")) {
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_aic, "f").UpdateInstrument('m', { LogMessage: 'RestoreSession' });
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_aic, "f").UpdateInstrument('m', { LogMessage: url });
-                }
-                __classPrivateFieldGet(this, _STSOAuth2Worker_LogMessage, "f").call(this, 'RestoreSession.');
-                __classPrivateFieldGet(this, _STSOAuth2Worker_LogMessage, "f").call(this, url);
-                try {
-                    const retVal = await axios({
-                        method: "post",
-                        url: url,
-                        data: {
-                            [OAuth2ParameterType.CLIENT_ID]: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").client_id,
-                            [OAuth2ParameterType.SCOPE]: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").scope,
-                            [OAuth2ParameterType.REDIRECT_URI]: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").redirect_uri,
-                            [OAuth2ParameterType.AUDIENCE]: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").audience
-                        },
-                        withCredentials: true,
-                        timeout: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").timeout,
-                    });
-                    if (retVal.data.status === StatusCodes.OK) {
-                        restoredSessionData = retVal.data.detail;
-                        __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").set(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"), restoredSessionData);
-                        console.log('Session restored from server side cookie.');
-                    }
-                    else {
-                        //@@ handle error better
-                        console.log('Could not restore previous session:-');
-                        console.log(JSON.stringify(retVal.data));
-                    }
-                }
-                catch (error) {
-                    //@@ handle error better
-                    console.log('Could not restore previous session (error state):-');
-                    console.log(error);
-                    console.log(JSON.stringify(error));
-                }
-            }
-            //@@ must only use in-memory for this ...
-            if (restoredSessionData !== null) {
-                __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, restoredSessionData.id_token);
-                console.log('Refreshing tokens ...');
-                return __classPrivateFieldGet(this, _STSOAuth2Worker_RefreshToken, "f").call(this);
-            }
-            else {
-                __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, null);
-                return false;
-            }
-        });
-        _STSOAuth2Worker_Authorize.set(this, async () => {
-            console.log('Authorize ...');
-            /* MS Example
-            --------------
-            https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
-            client_id=6731de76-14a6-49ae-97bc-6eba6914391e
-            &response_type=code
-            &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
-            &response_mode=query
-            &scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20api%3A%2F%2F
-            &state=12345
-            &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
-            &code_challenge_method=S256
-    
-            Successful Response
-    
-            GET http://localhost?
-            code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
-            &state=12345
-    
-            Error Response
-            GET http://localhost?
-            error=access_denied
-            &error_description=the+user+canceled+the+authentication
-    
-            << Hybrid Flow >>
-    
-            https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
-            client_id=6731de76-14a6-49ae-97bc-6eba6914391e
-            &response_type=code%20id_token
-            &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
-            &response_mode=fragment
-            &scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
-            &state=12345
-            &nonce=abcde
-            &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
-            &code_challenge_method=S256
-    
-            Successful Response
-    
-            GET https://login.microsoftonline.com/common/oauth2/nativeclient#
-            code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
-            &id_token=eYj...
-            &state=12345
+    }
+    // Attempt to restore a previous session using the STSBroker
+    /*
+    { parameterType: OAuth2ParameterType.CLIENT_ID, errorType: authErrorType.CLIENT_ID_MISMATCH },
+    { parameterType: OAuth2ParameterType.SCOPE, errorType: authErrorType.SCOPE_MISMATCH }
+    { parameterType: OAuth2ParameterType.REDIRECT_URI, errorType: authErrorType.REDIRECT_URI_MISMATCH },
+    { parameterType: OAuth2ParameterType.AUDIENCE, errorType: authErrorType.SCOPE_MISMATCH }
+
+    Successful Response
+    {
+        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
+        "token_type": "Bearer",
+        "expires_in": 3599,
+        "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
+        "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
+        "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
+    }
+
+    Error Response
+    {
+        "error": "invalid_scope",
+        "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://foo.microsoft.com/mail.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
+        "error_codes": [
+            70011
+        ],
+        "timestamp": "2016-01-09 02:02:12Z",
+    }
+
     
-            Notes:
-            The nonce is included as a claim inside the returned id_token
-            Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
-            */
-            const client_id = __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").client_id;
-            const nonce = __classPrivateFieldGet(this, _STSOAuth2Worker_cUtils, "f").CreateRandomString();
-            const response_type = [AuthorizeOptionsResponseType.CODE];
-            const redirect_uri = __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").redirect_uri;
-            const response_mode = AuthorizeOptionsResponseMode.QUERY;
-            const scope = __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").scope;
-            const state = __classPrivateFieldGet(this, _STSOAuth2Worker_cUtils, "f").CreateRandomString();
-            const code_verifier = __classPrivateFieldGet(this, _STSOAuth2Worker_cUtils, "f").CreateRandomString();
-            const code_challenge = await __classPrivateFieldGet(this, _STSOAuth2Worker_cUtils, "f").DigestMessage(code_verifier);
-            const code_challenge_method = 'S256';
-            //let audience = this.#options.AUDIENCE;
-            const authorizeOptions = {
-                client_id,
-                nonce,
-                response_type,
-                redirect_uri,
-                response_mode,
-                scope,
-                state,
-                code_challenge,
-                code_challenge_method
-            };
-            const url = `${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").authorizeendpoint}:${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").authorizeport}${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").authorizeapiroot}?${__classPrivateFieldGet(this, _STSOAuth2Worker_qParams, "f").CreateQueryParams(authorizeOptions)}`;
-            console.log(url);
-            // Now add the code_verifier to the transaction data
-            authorizeOptions.code_verifier = code_verifier; //@@ Is this is the only thing required across the transaction ?
-            console.log(`Authorize:authorizeOptions: [${JSON.stringify(authorizeOptions)}]`);
-            return {
-                url,
-                authorizeOptions
-            };
-            //window.location.assign(url);
-            //@@ this may need to be a message back to the plugin to re-direct
-            //window.location.replace(url);
+    */
+    #HandleAuthenticateEvent = (id_token) => {
+        const message = {
+            messageId: -1,
+            command: stsoauth2types_1.IOauth2ListenerCommand.AUTHENTICATE_EVENT
+        };
+        this.#ProcessCommand(message, id_token);
+    };
+    #HandleErrorEvent = (error) => {
+        const message = {
+            messageId: -1,
+            command: stsoauth2types_1.IOauth2ListenerCommand.ERROR
+        };
+        this.#ProcessCommand(message, error);
+    };
+    #LogMessage = (messageToSend) => {
+        const message = {
+            messageId: -1,
+            command: stsoauth2types_1.IOauth2ListenerCommand.LOG
+        };
+        this.#ProcessCommand(message, messageToSend);
+    };
+    #GetAccessToken = () => {
+        const tokens = this.#clientSessionStore.get(this.#STORAGE_SESSION_KEY);
+        return tokens.access_token;
+    };
+    #UpdateInstrument = (instrumentName, telemetry) => {
+        const message = {
+            messageId: -1,
+            command: stsoauth2types_1.IOauth2ListenerCommand.UPDATE_INSTRUMENT
+        };
+        this.#ProcessCommand(message, {
+            instrumentName,
+            telemetry
         });
-        _STSOAuth2Worker_HandleRedirect.set(this, async (payload) => {
-            const queryVars = payload.queryVars;
-            const authorizeOptions = payload.authorizeOptions;
-            console.log('HandleRedirect');
-            // We have been re-direct back here from the /authorize end-point
-            console.log(`HandleRedirect:Query Vars: [${JSON.stringify(queryVars)}]`);
-            if (queryVars[OAuth2ParameterType.CODE]) {
-                const response = queryVars;
-                console.log(`authorizeOptions from transaction state: [${JSON.stringify(authorizeOptions)}]`);
-                const redirectState = response.state;
-                const authorizeOptionsState = authorizeOptions.state;
-                if (authorizeOptionsState.localeCompare(redirectState) === 0) {
-                    console.log('redirected state (from queryVars) matched previously saved transaction authorizeOptions state'); // green
-                    return await __classPrivateFieldGet(this, _STSOAuth2Worker_GetToken, "f").call(this, authorizeOptions, response);
-                }
-                else {
-                    console.log('redirected state (from queryVars) did NOT match previously saved transaction authorizeOptions state'); // red
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_HandleErrorEvent, "f").call(this, { message: 'State un-matched' });
-                    return false;
-                }
+    };
+    SetupListener = () => {
+        this.#oauthWorkerPort.onmessage = async (data) => {
+            const auth2ListenerMessage = data.data;
+            debug(`STSOAuth2Worker:SetupListener:onmessage: [${auth2ListenerMessage.command}]`);
+            switch (auth2ListenerMessage.command) {
+                case stsoauth2types_1.IOauth2ListenerCommand.RESTORE_SESSION:
+                    this.#ProcessCommand(auth2ListenerMessage, await this.#RestoreSession());
+                    break;
+                case stsoauth2types_1.IOauth2ListenerCommand.AUTHORIZE:
+                    this.#ProcessCommand(auth2ListenerMessage, await this.#Authorize());
+                    break;
+                case stsoauth2types_1.IOauth2ListenerCommand.HANDLE_REDIRECT:
+                    this.#ProcessCommand(auth2ListenerMessage, await this.#HandleRedirect(auth2ListenerMessage.payload));
+                    break;
+                case stsoauth2types_1.IOauth2ListenerCommand.LOGOUT:
+                    this.#ProcessCommand(auth2ListenerMessage, await this.#Logout());
+                    break;
+                //@@ Need a way of keeping this out of the main thread - should always stay within the worker
+                case stsoauth2types_1.IOauth2ListenerCommand.ACCESS_TOKEN:
+                    this.#ProcessCommand(auth2ListenerMessage, await this.#GetAccessToken());
+                    break;
+                default:
+                    throw new Error(`Command: [${auth2ListenerMessage.command}'] not found.`);
             }
-            else if (queryVars[OAuth2ParameterType.ERROR]) {
-                const response = queryVars;
-                //@@ pass error back to parent thread (to the plugin) as a message
-                const error = response.error;
-                const errorDescription = response.error_description;
-                __classPrivateFieldGet(this, _STSOAuth2Worker_HandleErrorEvent, "f").call(this, { message: 'State un-matched' });
-                return false;
-            }
-            else {
-                // Invalid redirect query params
-                const error = 'Invalid redirect query params'; //@@ fix
-                const errorDescription = 'Invalid redirect query params description'; //@@ fix
-                __classPrivateFieldGet(this, _STSOAuth2Worker_HandleErrorEvent, "f").call(this, { message: 'State un-matched' });
-                return false;
+        };
+    };
+    /*
+    #GetIDToken = async(): Promise<string> => {
+        return '-- ID Token --';
+    }
+    */
+    #ProcessCommand = async (auth2ListenerMessage, response) => {
+        const messageResponse = {
+            messageId: auth2ListenerMessage.messageId,
+            command: auth2ListenerMessage.command,
+            payload: response
+        };
+        this.#oauthWorkerPort.postMessage(messageResponse);
+    };
+    #RestoreSession = async () => {
+        //@@ attempt to get from client storage first
+        let restoredSessionData = null;
+        restoredSessionData = this.#clientSessionStore.get(this.#STORAGE_SESSION_KEY);
+        if (restoredSessionData !== null) {
+            console.log('Session restored from client storage.');
+            if (this.#aic) {
+                this.#aic.UpdateInstrument('m', { LogMessage: 'Session restored from client storage.' });
             }
+            this.#LogMessage('Session restored from client storage.');
         }
-        /*
-        client_id=6731de76-14a6-49ae-97bc-6eba6914391e
-        &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
-        &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
-        &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
-        &grant_type=authorization_code
-        &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
-        &client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
-    
-        Successful Response
-        {
-            "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
-            "token_type": "Bearer",
-            "expires_in": 3599,
-            "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
-            "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
-            "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
-        }
-        */
-        // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
-        );
-        /*
-        client_id=6731de76-14a6-49ae-97bc-6eba6914391e
-        &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
-        &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
-        &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
-        &grant_type=authorization_code
-        &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
-        &client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
-    
-        Successful Response
-        {
-            "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
-            "token_type": "Bearer",
-            "expires_in": 3599,
-            "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
-            "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
-            "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
-        }
-        */
-        // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
-        _STSOAuth2Worker_GetTokenFromBroker.set(this, async (authorizationCodeFlowParameters) => {
-            console.log("#GetTokenFromBroker");
-            __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").remove(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"));
-            const url = `${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerendpoint}:${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerport}${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerapiroot}/token`;
-            console.log(`#GetTokenFromBroker:url = [${url}]`);
-            console.log(authorizationCodeFlowParameters);
+        else {
+            const url = `${this.#options.brokerendpoint}:${this.#options.brokerport}${this.#options.brokerapiroot}/session`;
+            console.log('RestoreSession');
+            console.log(url);
+            if (this.#aic) {
+                this.#aic.UpdateInstrument('m', { LogMessage: 'RestoreSession' });
+                this.#aic.UpdateInstrument('m', { LogMessage: url });
+            }
+            this.#LogMessage('RestoreSession.');
+            this.#LogMessage(url);
             try {
-                const retVal = await axios({
+                const retVal = await (0, axios_1.default)({
                     method: "post",
                     url: url,
-                    data: authorizationCodeFlowParameters,
+                    data: {
+                        [stsutils_1.OAuth2ParameterType.CLIENT_ID]: this.#options.client_id,
+                        [stsutils_1.OAuth2ParameterType.SCOPE]: this.#options.scope,
+                        [stsutils_1.OAuth2ParameterType.REDIRECT_URI]: this.#options.redirect_uri,
+                        [stsutils_1.OAuth2ParameterType.AUDIENCE]: this.#options.audience
+                    },
                     withCredentials: true,
-                    timeout: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").timeout
+                    timeout: this.#options.timeout,
                 });
-                console.log(`retVal: ${JSON.stringify(retVal)}`);
-                if (retVal.status === StatusCodes.OK) {
-                    console.log('Storing tokens...');
-                    const tokenResponse = retVal.data;
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, tokenResponse.id_token);
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").set(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"), tokenResponse);
-                    return true;
-                }
-                else if (retVal.status === StatusCodes.UNAUTHORIZED) {
-                    console.log('NOT Storing tokens...');
-                    console.log(retVal.status);
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, null);
-                    const response = retVal.data;
-                    //@@ store response in state
-                    //@@ go to error page ??
-                    return false;
+                if (retVal.data.status === http_status_codes_1.StatusCodes.OK) {
+                    restoredSessionData = retVal.data.detail;
+                    this.#clientSessionStore.set(this.#STORAGE_SESSION_KEY, restoredSessionData);
+                    console.log('Session restored from server side cookie.');
                 }
                 else {
-                    // General error
-                    console.log('NOT Storing tokens...');
-                    console.log(retVal.status);
-                    __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, null);
-                    console.log('Could not obtain access_token from token end-point:-');
+                    //@@ handle error better
+                    console.log('Could not restore previous session:-');
                     console.log(JSON.stringify(retVal.data));
-                    //@@ store error in state to show in error page
-                    return false;
                 }
             }
             catch (error) {
-                __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, null);
-                //console.log('Could not restore previous session (error state):-');
+                //@@ handle error better
+                console.log('Could not restore previous session (error state):-');
                 console.log(error);
                 console.log(JSON.stringify(error));
-                //@@ store error in state to show in error page
+            }
+        }
+        //@@ must only use in-memory for this ...
+        if (restoredSessionData !== null) {
+            this.#HandleAuthenticateEvent(restoredSessionData.id_token);
+            console.log('Refreshing tokens ...');
+            return this.#RefreshToken();
+        }
+        else {
+            this.#HandleAuthenticateEvent(null);
+            return false;
+        }
+    };
+    #Authorize = async () => {
+        console.log('Authorize ...');
+        /* MS Example
+        --------------
+        https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
+        client_id=6731de76-14a6-49ae-97bc-6eba6914391e
+        &response_type=code
+        &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
+        &response_mode=query
+        &scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20api%3A%2F%2F
+        &state=12345
+        &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
+        &code_challenge_method=S256
+
+        Successful Response
+
+        GET http://localhost?
+        code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
+        &state=12345
+
+        Error Response
+        GET http://localhost?
+        error=access_denied
+        &error_description=the+user+canceled+the+authentication
+
+        << Hybrid Flow >>
+
+        https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
+        client_id=6731de76-14a6-49ae-97bc-6eba6914391e
+        &response_type=code%20id_token
+        &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
+        &response_mode=fragment
+        &scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
+        &state=12345
+        &nonce=abcde
+        &code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
+        &code_challenge_method=S256
+
+        Successful Response
+
+        GET https://login.microsoftonline.com/common/oauth2/nativeclient#
+        code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq...
+        &id_token=eYj...
+        &state=12345
+
+        Notes:
+        The nonce is included as a claim inside the returned id_token
+        Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+        */
+        const client_id = this.#options.client_id;
+        const nonce = this.#cUtils.CreateRandomString();
+        const response_type = [stsoauth2types_1.AuthorizeOptionsResponseType.CODE];
+        const redirect_uri = this.#options.redirect_uri;
+        const response_mode = stsoauth2types_1.AuthorizeOptionsResponseMode.QUERY;
+        const scope = this.#options.scope;
+        const state = this.#cUtils.CreateRandomString();
+        const code_verifier = this.#cUtils.CreateRandomString();
+        const code_challenge = await this.#cUtils.DigestMessage(code_verifier);
+        const code_challenge_method = 'S256';
+        //let audience = this.#options.AUDIENCE;
+        const authorizeOptions = {
+            client_id,
+            nonce,
+            response_type,
+            redirect_uri,
+            response_mode,
+            scope,
+            state,
+            code_challenge,
+            code_challenge_method
+        };
+        const url = `${this.#options.authorizeendpoint}:${this.#options.authorizeport}${this.#options.authorizeapiroot}?${this.#qParams.CreateQueryParams(authorizeOptions)}`;
+        console.log(url);
+        // Now add the code_verifier to the transaction data
+        authorizeOptions.code_verifier = code_verifier; //@@ Is this is the only thing required across the transaction ?
+        console.log(`Authorize:authorizeOptions: [${JSON.stringify(authorizeOptions)}]`);
+        return {
+            url,
+            authorizeOptions
+        };
+        //window.location.assign(url);
+        //@@ this may need to be a message back to the plugin to re-direct
+        //window.location.replace(url);
+    };
+    #HandleRedirect = async (payload) => {
+        const queryVars = payload.queryVars;
+        const authorizeOptions = payload.authorizeOptions;
+        console.log('HandleRedirect');
+        // We have been re-direct back here from the /authorize end-point
+        console.log(`HandleRedirect:Query Vars: [${JSON.stringify(queryVars)}]`);
+        if (queryVars[stsutils_1.OAuth2ParameterType.CODE]) {
+            const response = queryVars;
+            console.log(`authorizeOptions from transaction state: [${JSON.stringify(authorizeOptions)}]`);
+            const redirectState = response.state;
+            const authorizeOptionsState = authorizeOptions.state;
+            if (authorizeOptionsState.localeCompare(redirectState) === 0) {
+                console.log('redirected state (from queryVars) matched previously saved transaction authorizeOptions state'); // green
+                return await this.#GetToken(authorizeOptions, response);
+            }
+            else {
+                console.log('redirected state (from queryVars) did NOT match previously saved transaction authorizeOptions state'); // red
+                this.#HandleErrorEvent({ message: 'State un-matched' });
                 return false;
             }
         }
-        // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
-        );
-        // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
-        _STSOAuth2Worker_GetToken.set(this, async (authorizeOptions, authorizeResponse) => {
-            console.log("#GetToken");
-            console.log(authorizeResponse);
-            __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").set(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"), null);
-            const authorizationCodeFlowParameters = {
-                client_id: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").client_id,
-                scope: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").scope,
-                code: authorizeResponse.code,
-                redirect_uri: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").redirect_uri,
-                grant_type: OAuthGrantTypes.AUTHORIZATION_CODE,
-                code_verifier: authorizeOptions.code_verifier
-            };
-            return __classPrivateFieldGet(this, _STSOAuth2Worker_GetTokenFromBroker, "f").call(this, authorizationCodeFlowParameters);
+        else if (queryVars[stsutils_1.OAuth2ParameterType.ERROR]) {
+            const response = queryVars;
+            //@@ pass error back to parent thread (to the plugin) as a message
+            const error = response.error;
+            const errorDescription = response.error_description;
+            this.#HandleErrorEvent({ message: 'State un-matched' });
+            return false;
         }
-        /*
-        // Line breaks for legibility only
-    
-    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
-    Host: https://login.microsoftonline.com
-    Content-Type: application/x-www-form-urlencoded
-    
-    client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
-    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
-    &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
-    &grant_type=refresh_token
-    &client_secret=sampleCredentia1s    // NOTE: Only required for web apps. This secret needs to be URL-Encoded
-    
-    Error Response
-    {
-        "error": "invalid_scope",
-        "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://foo.microsoft.com/mail.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
-        "error_codes": [
-          70011
-        ],
-        "timestamp": "2016-01-09 02:02:12Z",
-        "trace_id": "255d1aef-8c98-452f-ac51-23d051240864",
-        "correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7"
-      }
-    */
-        );
-        /*
-        // Line breaks for legibility only
-    
-    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
-    Host: https://login.microsoftonline.com
-    Content-Type: application/x-www-form-urlencoded
-    
-    client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
+        else {
+            // Invalid redirect query params
+            const error = 'Invalid redirect query params'; //@@ fix
+            const errorDescription = 'Invalid redirect query params description'; //@@ fix
+            this.#HandleErrorEvent({ message: 'State un-matched' });
+            return false;
+        }
+    };
+    /*
+    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
     &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
-    &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
-    &grant_type=refresh_token
-    &client_secret=sampleCredentia1s    // NOTE: Only required for web apps. This secret needs to be URL-Encoded
-    
-    Error Response
+    &code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
+    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
+    &grant_type=authorization_code
+    &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
+    &client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps. This secret needs to be URL-Encoded.
+
+    Successful Response
     {
-        "error": "invalid_scope",
-        "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://foo.microsoft.com/mail.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
-        "error_codes": [
-          70011
-        ],
-        "timestamp": "2016-01-09 02:02:12Z",
-        "trace_id": "255d1aef-8c98-452f-ac51-23d051240864",
-        "correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7"
-      }
+        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
+        "token_type": "Bearer",
+        "expires_in": 3599,
+        "scope": "https%3A%2F%2Fgraph.microsoft.com%2Fmail.read",
+        "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4...",
+        "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiIyZDRkMTFhMi1mODE0LTQ2YTctOD...",
+    }
     */
-        _STSOAuth2Worker_RefreshToken.set(this, async () => {
-            // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
-            console.log("RefreshToken");
-            const currentSessionData = __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").get(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"));
-            if (currentSessionData) {
-                const refreshFlowParameters = {
-                    client_id: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").client_id,
-                    scope: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").scope,
-                    refresh_token: currentSessionData.refresh_token,
-                    grant_type: OAuthGrantTypes.REFRESH_TOKEN
-                };
-                return __classPrivateFieldGet(this, _STSOAuth2Worker_GetTokenFromBroker, "f").call(this, refreshFlowParameters);
+    // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
+    #GetTokenFromBroker = async (authorizationCodeFlowParameters) => {
+        console.log("#GetTokenFromBroker");
+        this.#clientSessionStore.remove(this.#STORAGE_SESSION_KEY);
+        const url = `${this.#options.brokerendpoint}:${this.#options.brokerport}${this.#options.brokerapiroot}/token`;
+        console.log(`#GetTokenFromBroker:url = [${url}]`);
+        console.log(authorizationCodeFlowParameters);
+        try {
+            const retVal = await (0, axios_1.default)({
+                method: "post",
+                url: url,
+                data: authorizationCodeFlowParameters,
+                withCredentials: true,
+                timeout: this.#options.timeout
+            });
+            console.log(`retVal: ${JSON.stringify(retVal)}`);
+            if (retVal.status === http_status_codes_1.StatusCodes.OK) {
+                console.log('Storing tokens...');
+                const tokenResponse = retVal.data;
+                this.#HandleAuthenticateEvent(tokenResponse.id_token);
+                this.#clientSessionStore.set(this.#STORAGE_SESSION_KEY, tokenResponse);
+                return true;
+            }
+            else if (retVal.status === http_status_codes_1.StatusCodes.UNAUTHORIZED) {
+                console.log('NOT Storing tokens...');
+                console.log(retVal.status);
+                this.#HandleAuthenticateEvent(null);
+                const response = retVal.data;
+                //@@ store response in state
+                //@@ go to error page ??
+                return false;
             }
             else {
-                // show error
-                //@@ no valid session exists for refresh
+                // General error
+                console.log('NOT Storing tokens...');
+                console.log(retVal.status);
+                this.#HandleAuthenticateEvent(null);
+                console.log('Could not obtain access_token from token end-point:-');
+                console.log(JSON.stringify(retVal.data));
+                //@@ store error in state to show in error page
                 return false;
             }
         }
-        // call broker to logout
-        // broker to logout of server
-        // delete cookie
-        // clear session storage
-        // clear all state from $store
-        );
-        // call broker to logout
-        // broker to logout of server
-        // delete cookie
-        // clear session storage
-        // clear all state from $store
-        _STSOAuth2Worker_Logout.set(this, async () => {
-            console.log('Logout');
-            const url = `${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerendpoint}:${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerport}${__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").brokerapiroot}/logout`;
-            console.log(url);
-            const currentSessionData = __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").get(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"));
-            const refresh_token = currentSessionData.refresh_token;
-            console.log(refresh_token);
-            const decodedRefreshToken = jwt_decode(refresh_token);
-            console.log(decodedRefreshToken);
-            const sessionId = decodedRefreshToken.sts_session;
-            console.log(sessionId);
-            __classPrivateFieldGet(this, _STSOAuth2Worker_clientSessionStore, "f").remove(__classPrivateFieldGet(this, _STSOAuth2Worker_STORAGE_SESSION_KEY, "f"));
-            __classPrivateFieldGet(this, _STSOAuth2Worker_HandleAuthenticateEvent, "f").call(this, null);
-            try {
-                const retVal = await axios({
-                    method: "post",
-                    url: url,
-                    data: {
-                        sessionId
-                    },
-                    withCredentials: true,
-                    timeout: __classPrivateFieldGet(this, _STSOAuth2Worker_options, "f").timeout,
-                });
-                if (retVal.data.status === StatusCodes.OK) {
-                    return true;
-                }
-                else {
-                    console.log('Error during logout (server side)');
-                    console.log(JSON.stringify(retVal.data));
-                    return false;
-                }
+        catch (error) {
+            this.#HandleAuthenticateEvent(null);
+            //console.log('Could not restore previous session (error state):-');
+            console.log(error);
+            console.log(JSON.stringify(error));
+            //@@ store error in state to show in error page
+            return false;
+        }
+    };
+    // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
+    #GetToken = async (authorizeOptions, authorizeResponse) => {
+        console.log("#GetToken");
+        console.log(authorizeResponse);
+        this.#clientSessionStore.set(this.#STORAGE_SESSION_KEY, null);
+        const authorizationCodeFlowParameters = {
+            client_id: this.#options.client_id,
+            scope: this.#options.scope,
+            code: authorizeResponse.code,
+            redirect_uri: this.#options.redirect_uri,
+            grant_type: stsoauth2types_1.OAuthGrantTypes.AUTHORIZATION_CODE,
+            code_verifier: authorizeOptions.code_verifier
+        };
+        return this.#GetTokenFromBroker(authorizationCodeFlowParameters);
+    };
+    /*
+    // Line breaks for legibility only
+
+POST /{tenant}/oauth2/v2.0/token HTTP/1.1
+Host: https://login.microsoftonline.com
+Content-Type: application/x-www-form-urlencoded
+
+client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
+&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
+&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
+&grant_type=refresh_token
+&client_secret=sampleCredentia1s    // NOTE: Only required for web apps. This secret needs to be URL-Encoded
+
+Error Response
+{
+    "error": "invalid_scope",
+    "error_description": "AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://foo.microsoft.com/mail.read is not valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",
+    "error_codes": [
+      70011
+    ],
+    "timestamp": "2016-01-09 02:02:12Z",
+    "trace_id": "255d1aef-8c98-452f-ac51-23d051240864",
+    "correlation_id": "fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7"
+  }
+*/
+    #RefreshToken = async () => {
+        // Get access_token, refresh_token and id_token using OAuth2 Authorization Code Flow
+        console.log("RefreshToken");
+        const currentSessionData = this.#clientSessionStore.get(this.#STORAGE_SESSION_KEY);
+        if (currentSessionData) {
+            const refreshFlowParameters = {
+                client_id: this.#options.client_id,
+                scope: this.#options.scope,
+                refresh_token: currentSessionData.refresh_token,
+                grant_type: stsoauth2types_1.OAuthGrantTypes.REFRESH_TOKEN
+            };
+            return this.#GetTokenFromBroker(refreshFlowParameters);
+        }
+        else {
+            // show error
+            //@@ no valid session exists for refresh
+            return false;
+        }
+    };
+    // call broker to logout
+    // broker to logout of server
+    // delete cookie
+    // clear session storage
+    // clear all state from $store
+    #Logout = async () => {
+        console.log('Logout');
+        const url = `${this.#options.brokerendpoint}:${this.#options.brokerport}${this.#options.brokerapiroot}/logout`;
+        console.log(url);
+        const currentSessionData = this.#clientSessionStore.get(this.#STORAGE_SESSION_KEY);
+        const refresh_token = currentSessionData.refresh_token;
+        console.log(refresh_token);
+        const decodedRefreshToken = (0, jwt_decode_1.default)(refresh_token);
+        console.log(decodedRefreshToken);
+        const sessionId = decodedRefreshToken.sts_session;
+        console.log(sessionId);
+        this.#clientSessionStore.remove(this.#STORAGE_SESSION_KEY);
+        this.#HandleAuthenticateEvent(null);
+        try {
+            const retVal = await (0, axios_1.default)({
+                method: "post",
+                url: url,
+                data: {
+                    sessionId
+                },
+                withCredentials: true,
+                timeout: this.#options.timeout,
+            });
+            if (retVal.data.status === http_status_codes_1.StatusCodes.OK) {
+                return true;
             }
-            catch (error) {
+            else {
                 console.log('Error during logout (server side)');
-                console.log(error);
-                console.log(JSON.stringify(error));
+                console.log(JSON.stringify(retVal.data));
                 return false;
             }
-        });
-        __classPrivateFieldSet(this, _STSOAuth2Worker_options, options, "f");
-        debug(`STSOAuth2Worker:constructor:#options: [${JSON.stringify(__classPrivateFieldGet(this, _STSOAuth2Worker_options, "f"))}]`);
-        // In memory storage for OAuth2 tokens for our valid session
-        __classPrivateFieldSet(this, _STSOAuth2Worker_clientSessionStore, new ClientStorageFactory({ clientStorageType: ClientStorageType.MEMORY_STORAGE }).GetStorage(), "f");
-        //@@ needs to be sent the instrument manager controller port
-        //@@this.#aic = app.config.globalProperties.$sts.aic.PrimaryPublishInstrumentController;
-        //this.#handleAuthenticateEvent = handleAuthenticateEvent;
-        __classPrivateFieldSet(this, _STSOAuth2Worker_oauthWorkerPort, workerPort, "f");
-        debug(`STSOAuth2Worker:constructor:#oauthWorkerPort: [${JSON.stringify(__classPrivateFieldGet(this, _STSOAuth2Worker_oauthWorkerPort, "f"))}]`);
-        this.SetupListener();
-        __classPrivateFieldGet(this, _STSOAuth2Worker_UpdateInstrument, "f").call(this, Gauge.LOGGER, {
-            LogMessage: `STSOauth2 Plugin - Successfully Loaded`
-        });
-        /*
-        setInterval(() => { // Used for testing purposes only.
-            this.#UpdateInstrument(Gauge.LOGGER, {
-                LogMessage: `--> [${Date.now().toString()}] <--`
-            } as InstrumentLogTelemetry);
-        }, 1000);
-        */
-    }
+        }
+        catch (error) {
+            console.log('Error during logout (server side)');
+            console.log(error);
+            console.log(JSON.stringify(error));
+            return false;
+        }
+    };
 }
-_STSOAuth2Worker_clientSessionStore = new WeakMap(), _STSOAuth2Worker_cUtils = new WeakMap(), _STSOAuth2Worker_qParams = new WeakMap(), _STSOAuth2Worker_STORAGE_SESSION_KEY = new WeakMap(), _STSOAuth2Worker_aic = new WeakMap(), _STSOAuth2Worker_oauthWorkerPort = new WeakMap(), _STSOAuth2Worker_options = new WeakMap(), _STSOAuth2Worker_HandleAuthenticateEvent = new WeakMap(), _STSOAuth2Worker_HandleErrorEvent = new WeakMap(), _STSOAuth2Worker_LogMessage = new WeakMap(), _STSOAuth2Worker_GetAccessToken = new WeakMap(), _STSOAuth2Worker_UpdateInstrument = new WeakMap(), _STSOAuth2Worker_ProcessCommand = new WeakMap(), _STSOAuth2Worker_RestoreSession = new WeakMap(), _STSOAuth2Worker_Authorize = new WeakMap(), _STSOAuth2Worker_HandleRedirect = new WeakMap(), _STSOAuth2Worker_GetTokenFromBroker = new WeakMap(), _STSOAuth2Worker_GetToken = new WeakMap(), _STSOAuth2Worker_RefreshToken = new WeakMap(), _STSOAuth2Worker_Logout = new WeakMap();
+exports.STSOAuth2Worker = STSOAuth2Worker;
 /*
 let oAuth2Worker: STSOAuth2Worker = null;