@okta/okta-auth-js 5.11.0 → 6.2.0

package/cjs/oidc/util/prepareTokenParams.js

@@ -1,21 +1,26 @@
 "use strict";
 
-var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
 
+exports.assertPKCESupport = assertPKCESupport;
+exports.validateCodeChallengeMethod = validateCodeChallengeMethod;
+exports.preparePKCE = preparePKCE;
 exports.prepareTokenParams = prepareTokenParams;
 
+var _indexOf = _interopRequireDefault(require("@babel/runtime-corejs3/core-js-stable/instance/index-of"));
+
 var _wellKnown = require("../endpoints/well-known");
 
 var _errors = require("../../errors");
 
-var _util = require("../../util");
-
 var _defaultTokenParams = require("./defaultTokenParams");
 
 var _constants = require("../../constants");
 
 var _pkce = _interopRequireDefault(require("./pkce"));
 
+/* eslint-disable complexity */
+
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
@@ -28,18 +33,7 @@ var _pkce = _interopRequireDefault(require("./pkce"));
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
-// Prepares params for a call to /authorize or /token
-function prepareTokenParams(sdk, tokenParams) {
-  // build params using defaults + options
-  const defaults = (0, _defaultTokenParams.getDefaultTokenParams)(sdk);
-  tokenParams = Object.assign({}, defaults, (0, _util.clone)(tokenParams));
-
-  if (tokenParams.pkce === false) {
-    // Implicit flow or authorization_code without PKCE
-    return Promise.resolve(tokenParams);
-  } // PKCE flow
-
-
+function assertPKCESupport(sdk) {
   if (!sdk.features.isPKCESupported()) {
     var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';
 
@@ -53,35 +47,64 @@ function prepareTokenParams(sdk, tokenParams) {
       errorMessage += '\n"TextEncoder" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';
     }
 
-    return Promise.reject(new _errors.AuthSdkError(errorMessage));
-  } // set default code challenge method, if none provided
+    throw new _errors.AuthSdkError(errorMessage);
+  }
+}
 
+async function validateCodeChallengeMethod(sdk, codeChallengeMethod) {
+  // set default code challenge method, if none provided
+  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || _constants.DEFAULT_CODE_CHALLENGE_METHOD; // validate against .well-known/openid-configuration
 
-  if (!tokenParams.codeChallengeMethod) {
-    tokenParams.codeChallengeMethod = _constants.DEFAULT_CODE_CHALLENGE_METHOD;
-  } // responseType is forced
+  const wellKnownResponse = await (0, _wellKnown.getWellKnown)(sdk);
+  var methods = wellKnownResponse['code_challenge_methods_supported'] || [];
 
+  if ((0, _indexOf.default)(methods).call(methods, codeChallengeMethod) === -1) {
+    throw new _errors.AuthSdkError('Invalid code_challenge_method');
+  }
 
-  tokenParams.responseType = 'code';
-  return (0, _wellKnown.getWellKnown)(sdk, null).then(function (res) {
-    var methods = res['code_challenge_methods_supported'] || [];
+  return codeChallengeMethod;
+}
 
-    if (methods.indexOf(tokenParams.codeChallengeMethod) === -1) {
-      throw new _errors.AuthSdkError('Invalid code_challenge_method');
-    }
-  }).then(function () {
-    if (!tokenParams.codeVerifier) {
-      tokenParams.codeVerifier = _pkce.default.generateVerifier();
-    }
+async function preparePKCE(sdk, tokenParams) {
+  let {
+    codeVerifier,
+    codeChallenge,
+    codeChallengeMethod
+  } = tokenParams; // PKCE calculations can be avoided by passing a codeChallenge
+
+  codeChallenge = codeChallenge || sdk.options.codeChallenge;
+
+  if (!codeChallenge) {
+    assertPKCESupport(sdk);
+    codeVerifier = codeVerifier || _pkce.default.generateVerifier();
+    codeChallenge = await _pkce.default.computeChallenge(codeVerifier);
+  }
+
+  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod); // Clone/copy the params. Set PKCE values
+
+  tokenParams = { ...tokenParams,
+    responseType: 'code',
+    // responseType is forced
+    codeVerifier,
+    codeChallenge,
+    codeChallengeMethod
+  };
+  return tokenParams;
+} // Prepares params for a call to /authorize or /token
+
+
+async function prepareTokenParams(sdk, tokenParams = {}) {
+  // build params using defaults + options
+  const defaults = (0, _defaultTokenParams.getDefaultTokenParams)(sdk);
+  tokenParams = { ...defaults,
+    ...tokenParams
+  };
+
+  if (tokenParams.pkce === false) {
+    // Implicit flow or authorization_code without PKCE
+    return tokenParams;
+  }
 
-    return _pkce.default.computeChallenge(tokenParams.codeVerifier);
-  }).then(function (codeChallenge) {
-    // Clone/copy the params. Set codeChallenge
-    var clonedParams = (0, _util.clone)(tokenParams) || {};
-    Object.assign(clonedParams, tokenParams, {
-      codeChallenge: codeChallenge
-    });
-    return clonedParams;
-  });
+  return preparePKCE(sdk, tokenParams);
 }
 //# sourceMappingURL=prepareTokenParams.js.map

package/cjs/oidc/util/prepareTokenParams.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"names":["prepareTokenParams","sdk","tokenParams","defaults","Object","assign","pkce","Promise","resolve","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","reject","AuthSdkError","codeChallengeMethod","DEFAULT_CODE_CHALLENGE_METHOD","responseType","then","res","methods","indexOf","codeVerifier","generateVerifier","computeChallenge","codeChallenge","clonedParams"],"mappings":";;;;;;AAYA;;AACA;;AAEA;;AACA;;AACA;;AACA;;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AASA;AACO,SAASA,kBAAT,CAA4BC,GAA5B,EAA2CC,WAA3C,EAA4F;AACjG;AACA,QAAMC,QAAQ,GAAG,+CAAsBF,GAAtB,CAAjB;AACAC,EAAAA,WAAW,GAAGE,MAAM,CAACC,MAAP,CAAc,EAAd,EAAkBF,QAAlB,EAA4B,iBAAMD,WAAN,CAA5B,CAAd;;AAEA,MAAIA,WAAW,CAACI,IAAZ,KAAqB,KAAzB,EAAgC;AAC9B;AACA,WAAOC,OAAO,CAACC,OAAR,CAAgBN,WAAhB,CAAP;AACD,GARgG,CAUjG;;;AACA,MAAI,CAACD,GAAG,CAACQ,QAAJ,CAAaC,eAAb,EAAL,EAAqC;AACnC,QAAIC,YAAY,GAAG,qFAAnB;;AACA,QAAI,CAACV,GAAG,CAACQ,QAAJ,CAAaG,OAAb,EAAL,EAA6B;AAC3B;AACAD,MAAAA,YAAY,IAAI,kGAAhB;AACD;;AACD,QAAI,CAACV,GAAG,CAACQ,QAAJ,CAAaI,cAAb,EAAL,EAAoC;AAClC;AACAF,MAAAA,YAAY,IAAI,wGAAhB;AACD;;AACD,WAAOJ,OAAO,CAACO,MAAR,CAAe,IAAIC,oBAAJ,CAAiBJ,YAAjB,CAAf,CAAP;AACD,GAtBgG,CAwBjG;;;AACA,MAAI,CAACT,WAAW,CAACc,mBAAjB,EAAsC;AACpCd,IAAAA,WAAW,CAACc,mBAAZ,GAAkCC,wCAAlC;AACD,GA3BgG,CA6BjG;;;AACAf,EAAAA,WAAW,CAACgB,YAAZ,GAA2B,MAA3B;AAEA,SAAO,6BAAajB,GAAb,EAAkB,IAAlB,EACJkB,IADI,CACC,UAAUC,GAAV,EAAe;AACnB,QAAIC,OAAO,GAAGD,GAAG,CAAC,kCAAD,CAAH,IAA2C,EAAzD;;AACA,QAAIC,OAAO,CAACC,OAAR,CAAgBpB,WAAW,CAACc,mBAA5B,MAAqD,CAAC,CAA1D,EAA6D;AAC3D,YAAM,IAAID,oBAAJ,CAAiB,+BAAjB,CAAN;AACD;AACF,GANI,EAOJI,IAPI,CAOC,YAAY;AAChB,QAAI,CAACjB,WAAW,CAACqB,YAAjB,EAA+B;AAC7BrB,MAAAA,WAAW,CAACqB,YAAZ,GAA2BjB,cAAKkB,gBAAL,EAA3B;AACD;;AACD,WAAOlB,cAAKmB,gBAAL,CAAsBvB,WAAW,CAACqB,YAAlC,CAAP;AACD,GAZI,EAaJJ,IAbI,CAaC,UAAUO,aAAV,EAAyB;AAC7B;AACA,QAAIC,YAAY,GAAG,iBAAMzB,WAAN,KAAsB,EAAzC;AACAE,IAAAA,MAAM,CAACC,MAAP,CAAcsB,YAAd,EAA4BzB,WAA5B,EAAyC;AACvCwB,MAAAA,aAAa,EAAEA;AADwB,KAAzC;AAGA,WAAOC,YAAP;AACD,GApBI,CAAP;AAqBD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuth, TokenParams } from '../../types';\nimport { clone } from '../../util';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport pkce from './pkce';\n\n// Prepares params for a call to /authorize or /token\nexport function prepareTokenParams(sdk: OktaAuth, tokenParams?: TokenParams): Promise<TokenParams> {\n  // build params using defaults + options\n  const defaults = getDefaultTokenParams(sdk);\n  tokenParams = Object.assign({}, defaults, clone(tokenParams));\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return Promise.resolve(tokenParams);\n  }\n\n  // PKCE flow\n  if (!sdk.features.isPKCESupported()) {\n    var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n    if (!sdk.features.isHTTPS()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n    }\n    if (!sdk.features.hasTextEncoder()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n    }\n    return Promise.reject(new AuthSdkError(errorMessage));\n  }\n\n  // set default code challenge method, if none provided\n  if (!tokenParams.codeChallengeMethod) {\n    tokenParams.codeChallengeMethod = DEFAULT_CODE_CHALLENGE_METHOD;\n  }\n\n  // responseType is forced\n  tokenParams.responseType = 'code';\n\n  return getWellKnown(sdk, null)\n    .then(function (res) {\n      var methods = res['code_challenge_methods_supported'] || [];\n      if (methods.indexOf(tokenParams.codeChallengeMethod) === -1) {\n        throw new AuthSdkError('Invalid code_challenge_method');\n      }\n    })\n    .then(function () {\n      if (!tokenParams.codeVerifier) {\n        tokenParams.codeVerifier = pkce.generateVerifier();\n      }\n      return pkce.computeChallenge(tokenParams.codeVerifier);\n    })\n    .then(function (codeChallenge) {\n      // Clone/copy the params. Set codeChallenge\n      var clonedParams = clone(tokenParams) || {};\n      Object.assign(clonedParams, tokenParams, {\n        codeChallenge: codeChallenge,\n      });\n      return clonedParams;\n    });\n}"],"file":"prepareTokenParams.js"}
+{"version":3,"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","methods","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","pkce"],"mappings":";;;;;;;;;;;AAaA;;AACA;;AAEA;;AACA;;AACA;;AAlBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,SAASA,iBAAT,CAA2BC,GAA3B,EAAmD;AACxD,MAAI,CAACA,GAAG,CAACC,QAAJ,CAAaC,eAAb,EAAL,EAAqC;AACnC,QAAIC,YAAY,GAAG,qFAAnB;;AACA,QAAI,CAACH,GAAG,CAACC,QAAJ,CAAaG,OAAb,EAAL,EAA6B;AAC3B;AACAD,MAAAA,YAAY,IAAI,kGAAhB;AACD;;AACD,QAAI,CAACH,GAAG,CAACC,QAAJ,CAAaI,cAAb,EAAL,EAAoC;AAClC;AACAF,MAAAA,YAAY,IAAI,wGAAhB;AACD;;AACD,UAAM,IAAIG,oBAAJ,CAAiBH,YAAjB,CAAN;AACD;AACF;;AAEM,eAAeI,2BAAf,CAA2CP,GAA3C,EAAmEQ,mBAAnE,EAAiG;AACtG;AACAA,EAAAA,mBAAmB,GAAGA,mBAAmB,IAAIR,GAAG,CAACS,OAAJ,CAAYD,mBAAnC,IAA0DE,wCAAhF,CAFsG,CAItG;;AACA,QAAMC,iBAAiB,GAAG,MAAM,6BAAaX,GAAb,CAAhC;AACA,MAAIY,OAAO,GAAGD,iBAAiB,CAAC,kCAAD,CAAjB,IAAyD,EAAvE;;AACA,MAAI,sBAAAC,OAAO,MAAP,CAAAA,OAAO,EAASJ,mBAAT,CAAP,KAAyC,CAAC,CAA9C,EAAiD;AAC/C,UAAM,IAAIF,oBAAJ,CAAiB,+BAAjB,CAAN;AACD;;AACD,SAAOE,mBAAP;AACD;;AAEM,eAAeK,WAAf,CACLb,GADK,EAELc,WAFK,EAGiB;AACtB,MAAI;AACFC,IAAAA,YADE;AAEFC,IAAAA,aAFE;AAGFR,IAAAA;AAHE,MAIAM,WAJJ,CADsB,CAOtB;;AACAE,EAAAA,aAAa,GAAGA,aAAa,IAAIhB,GAAG,CAACS,OAAJ,CAAYO,aAA7C;;AACA,MAAI,CAACA,aAAL,EAAoB;AAClBjB,IAAAA,iBAAiB,CAACC,GAAD,CAAjB;AACAe,IAAAA,YAAY,GAAGA,YAAY,IAAIE,cAAKC,gBAAL,EAA/B;AACAF,IAAAA,aAAa,GAAG,MAAMC,cAAKE,gBAAL,CAAsBJ,YAAtB,CAAtB;AACD;;AACDP,EAAAA,mBAAmB,GAAG,MAAMD,2BAA2B,CAACP,GAAD,EAAMQ,mBAAN,CAAvD,CAdsB,CAgBtB;;AACAM,EAAAA,WAAW,GAAG,EACZ,GAAGA,WADS;AAEZM,IAAAA,YAAY,EAAE,MAFF;AAEU;AACtBL,IAAAA,YAHY;AAIZC,IAAAA,aAJY;AAKZR,IAAAA;AALY,GAAd;AAQA,SAAOM,WAAP;AACD,C,CAED;;;AACO,eAAeO,kBAAf,CACLrB,GADK,EAELc,WAAwB,GAAG,EAFtB,EAGiB;AACtB;AACA,QAAMQ,QAAQ,GAAG,+CAAsBtB,GAAtB,CAAjB;AACAc,EAAAA,WAAW,GAAG,EAAE,GAAGQ,QAAL;AAAe,OAAGR;AAAlB,GAAd;;AAEA,MAAIA,WAAW,CAACS,IAAZ,KAAqB,KAAzB,EAAgC;AAC9B;AACA,WAAOT,WAAP;AACD;;AAED,SAAOD,WAAW,CAACb,GAAD,EAAMc,WAAN,CAAlB;AACD","sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthInterface, TokenParams } from '../../types';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport PKCE from './pkce';\n\nexport function assertPKCESupport(sdk: OktaAuthInterface) {\n  if (!sdk.features.isPKCESupported()) {\n    var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n    if (!sdk.features.isHTTPS()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n    }\n    if (!sdk.features.hasTextEncoder()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n    }\n    throw new AuthSdkError(errorMessage);\n  }\n}\n\nexport async function validateCodeChallengeMethod(sdk: OktaAuthInterface, codeChallengeMethod?: string) {\n  // set default code challenge method, if none provided\n  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || DEFAULT_CODE_CHALLENGE_METHOD;\n\n  // validate against .well-known/openid-configuration\n  const wellKnownResponse = await getWellKnown(sdk);\n  var methods = wellKnownResponse['code_challenge_methods_supported'] || [];\n  if (methods.indexOf(codeChallengeMethod) === -1) {\n    throw new AuthSdkError('Invalid code_challenge_method');\n  }\n  return codeChallengeMethod;\n}\n\nexport async function preparePKCE(\n  sdk: OktaAuthInterface, \n  tokenParams: TokenParams\n): Promise<TokenParams> {\n  let {\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  } = tokenParams;\n\n  // PKCE calculations can be avoided by passing a codeChallenge\n  codeChallenge = codeChallenge || sdk.options.codeChallenge;\n  if (!codeChallenge) {\n    assertPKCESupport(sdk);\n    codeVerifier = codeVerifier || PKCE.generateVerifier();\n    codeChallenge = await PKCE.computeChallenge(codeVerifier);\n  }\n  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);\n\n  // Clone/copy the params. Set PKCE values\n  tokenParams = {\n    ...tokenParams,\n    responseType: 'code', // responseType is forced\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  };\n\n  return tokenParams;\n}\n\n// Prepares params for a call to /authorize or /token\nexport async function prepareTokenParams(\n  sdk: OktaAuthInterface,\n  tokenParams: TokenParams = {}\n): Promise<TokenParams> {\n  // build params using defaults + options\n  const defaults = getDefaultTokenParams(sdk);\n  tokenParams = { ...defaults, ...tokenParams };\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return tokenParams;\n  }\n\n  return preparePKCE(sdk, tokenParams);\n}"],"file":"prepareTokenParams.js"}

package/cjs/oidc/util/validateClaims.js

@@ -1,11 +1,13 @@
 "use strict";
 
-var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
 
 exports.validateClaims = validateClaims;
 
 var _AuthSdkError = _interopRequireDefault(require("../../errors/AuthSdkError"));
 
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")

package/cjs/oidc/util/validateClaims.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../lib/oidc/util/validateClaims.ts"],"names":["validateClaims","sdk","claims","validationParams","aud","clientId","iss","issuer","nonce","AuthSdkError","now","Math","floor","Date","iat","exp","options","ignoreLifetime","maxClockSkew"],"mappings":";;;;;;AAcA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,cAAT,CAAwBC,GAAxB,EAAuCC,MAAvC,EAA2DC,gBAA3D,EAAgG;AACrG,MAAIC,GAAG,GAAGD,gBAAgB,CAACE,QAA3B;AACA,MAAIC,GAAG,GAAGH,gBAAgB,CAACI,MAA3B;AACA,MAAIC,KAAK,GAAGL,gBAAgB,CAACK,KAA7B;;AAEA,MAAI,CAACN,MAAD,IAAW,CAACI,GAAZ,IAAmB,CAACF,GAAxB,EAA6B;AAC3B,UAAM,IAAIK,qBAAJ,CAAiB,kDAAjB,CAAN;AACD;;AAED,MAAID,KAAK,IAAIN,MAAM,CAACM,KAAP,KAAiBA,KAA9B,EAAqC;AACnC,UAAM,IAAIC,qBAAJ,CAAiB,wDAAjB,CAAN;AACD;;AAED,MAAIC,GAAG,GAAGC,IAAI,CAACC,KAAL,CAAWC,IAAI,CAACH,GAAL,KAAW,IAAtB,CAAV;;AAEA,MAAIR,MAAM,CAACI,GAAP,KAAeA,GAAnB,EAAwB;AACtB,UAAM,IAAIG,qBAAJ,CAAiB,iBAAiBP,MAAM,CAACI,GAAxB,GAA8B,IAA9B,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;AAED;;AAED,MAAIJ,MAAM,CAACE,GAAP,KAAeA,GAAnB,EAAwB;AACtB,UAAM,IAAIK,qBAAJ,CAAiB,mBAAmBP,MAAM,CAACE,GAA1B,GAAgC,IAAhC,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;AAED;;AAED,MAAIF,MAAM,CAACY,GAAP,GAAaZ,MAAM,CAACa,GAAxB,EAA6B;AAC3B,UAAM,IAAIN,qBAAJ,CAAiB,sCAAjB,CAAN;AACD;;AAED,MAAI,CAACR,GAAG,CAACe,OAAJ,CAAYC,cAAjB,EAAiC;AAC/B,QAAKP,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAAnB,GAAmChB,MAAM,CAACa,GAA9C,EAAmD;AACjD,YAAM,IAAIN,qBAAJ,CAAiB,wCAAjB,CAAN;AACD;;AAED,QAAIP,MAAM,CAACY,GAAP,GAAcJ,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAApC,EAAmD;AACjD,YAAM,IAAIT,qBAAJ,CAAiB,kCAAjB,CAAN;AACD;AACF;AACF","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nimport AuthSdkError from '../../errors/AuthSdkError';\nimport { OktaAuth, TokenVerifyParams, UserClaims } from '../../types';\n\nexport function validateClaims(sdk: OktaAuth, claims: UserClaims, validationParams: TokenVerifyParams) {\n  var aud = validationParams.clientId;\n  var iss = validationParams.issuer;\n  var nonce = validationParams.nonce;\n\n  if (!claims || !iss || !aud) {\n    throw new AuthSdkError('The jwt, iss, and aud arguments are all required');\n  }\n\n  if (nonce && claims.nonce !== nonce) {\n    throw new AuthSdkError('OAuth flow response nonce doesn\\'t match request nonce');\n  }\n\n  var now = Math.floor(Date.now()/1000);\n\n  if (claims.iss !== iss) {\n    throw new AuthSdkError('The issuer [' + claims.iss + '] ' +\n      'does not match [' + iss + ']');\n  }\n\n  if (claims.aud !== aud) {\n    throw new AuthSdkError('The audience [' + claims.aud + '] ' +\n      'does not match [' + aud + ']');\n  }\n\n  if (claims.iat > claims.exp) {\n    throw new AuthSdkError('The JWT expired before it was issued');\n  }\n\n  if (!sdk.options.ignoreLifetime) {\n    if ((now - sdk.options.maxClockSkew) > claims.exp) {\n      throw new AuthSdkError('The JWT expired and is no longer valid');\n    }\n\n    if (claims.iat > (now + sdk.options.maxClockSkew)) {\n      throw new AuthSdkError('The JWT was issued in the future');\n    }\n  }\n}\n"],"file":"validateClaims.js"}
+{"version":3,"sources":["../../../../lib/oidc/util/validateClaims.ts"],"names":["validateClaims","sdk","claims","validationParams","aud","clientId","iss","issuer","nonce","AuthSdkError","now","Math","floor","Date","iat","exp","options","ignoreLifetime","maxClockSkew"],"mappings":";;;;;;AAeA;;AAfA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,cAAT,CAAwBC,GAAxB,EAAgDC,MAAhD,EAAoEC,gBAApE,EAAyG;AAC9G,MAAIC,GAAG,GAAGD,gBAAgB,CAACE,QAA3B;AACA,MAAIC,GAAG,GAAGH,gBAAgB,CAACI,MAA3B;AACA,MAAIC,KAAK,GAAGL,gBAAgB,CAACK,KAA7B;;AAEA,MAAI,CAACN,MAAD,IAAW,CAACI,GAAZ,IAAmB,CAACF,GAAxB,EAA6B;AAC3B,UAAM,IAAIK,qBAAJ,CAAiB,kDAAjB,CAAN;AACD;;AAED,MAAID,KAAK,IAAIN,MAAM,CAACM,KAAP,KAAiBA,KAA9B,EAAqC;AACnC,UAAM,IAAIC,qBAAJ,CAAiB,wDAAjB,CAAN;AACD;;AAED,MAAIC,GAAG,GAAGC,IAAI,CAACC,KAAL,CAAWC,IAAI,CAACH,GAAL,KAAW,IAAtB,CAAV;;AAEA,MAAIR,MAAM,CAACI,GAAP,KAAeA,GAAnB,EAAwB;AACtB,UAAM,IAAIG,qBAAJ,CAAiB,iBAAiBP,MAAM,CAACI,GAAxB,GAA8B,IAA9B,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;AAED;;AAED,MAAIJ,MAAM,CAACE,GAAP,KAAeA,GAAnB,EAAwB;AACtB,UAAM,IAAIK,qBAAJ,CAAiB,mBAAmBP,MAAM,CAACE,GAA1B,GAAgC,IAAhC,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;AAED;;AAED,MAAIF,MAAM,CAACY,GAAP,GAAcZ,MAAM,CAACa,GAAzB,EAA+B;AAC7B,UAAM,IAAIN,qBAAJ,CAAiB,sCAAjB,CAAN;AACD;;AAED,MAAI,CAACR,GAAG,CAACe,OAAJ,CAAYC,cAAjB,EAAiC;AAC/B,QAAKP,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAAnB,GAAoChB,MAAM,CAACa,GAA/C,EAAqD;AACnD,YAAM,IAAIN,qBAAJ,CAAiB,wCAAjB,CAAN;AACD;;AAED,QAAIP,MAAM,CAACY,GAAP,GAAeJ,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAArC,EAAqD;AACnD,YAAM,IAAIT,qBAAJ,CAAiB,kCAAjB,CAAN;AACD;AACF;AACF","sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nimport AuthSdkError from '../../errors/AuthSdkError';\nimport { OktaAuthInterface, TokenVerifyParams, UserClaims } from '../../types';\n\nexport function validateClaims(sdk: OktaAuthInterface, claims: UserClaims, validationParams: TokenVerifyParams) {\n  var aud = validationParams.clientId;\n  var iss = validationParams.issuer;\n  var nonce = validationParams.nonce;\n\n  if (!claims || !iss || !aud) {\n    throw new AuthSdkError('The jwt, iss, and aud arguments are all required');\n  }\n\n  if (nonce && claims.nonce !== nonce) {\n    throw new AuthSdkError('OAuth flow response nonce doesn\\'t match request nonce');\n  }\n\n  var now = Math.floor(Date.now()/1000);\n\n  if (claims.iss !== iss) {\n    throw new AuthSdkError('The issuer [' + claims.iss + '] ' +\n      'does not match [' + iss + ']');\n  }\n\n  if (claims.aud !== aud) {\n    throw new AuthSdkError('The audience [' + claims.aud + '] ' +\n      'does not match [' + aud + ']');\n  }\n\n  if (claims.iat! > claims.exp!) {\n    throw new AuthSdkError('The JWT expired before it was issued');\n  }\n\n  if (!sdk.options.ignoreLifetime) {\n    if ((now - sdk.options.maxClockSkew!) > claims.exp!) {\n      throw new AuthSdkError('The JWT expired and is no longer valid');\n    }\n\n    if (claims.iat! > (now + sdk.options.maxClockSkew!)) {\n      throw new AuthSdkError('The JWT was issued in the future');\n    }\n  }\n}\n"],"file":"validateClaims.js"}

package/cjs/oidc/verifyToken.js

@@ -1,7 +1,15 @@
 "use strict";
 
+var _WeakMap = require("@babel/runtime-corejs3/core-js-stable/weak-map");
+
+var _Object$getOwnPropertyDescriptor = require("@babel/runtime-corejs3/core-js-stable/object/get-own-property-descriptor");
+
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
+
 exports.verifyToken = verifyToken;
 
+var _assign = _interopRequireDefault(require("@babel/runtime-corejs3/core-js-stable/object/assign"));
+
 var _wellKnown = require("./endpoints/well-known");
 
 var _util = require("./util");
@@ -12,9 +20,9 @@ var _decodeToken = require("./decodeToken");
 
 var sdkCrypto = _interopRequireWildcard(require("../crypto"));
 
-function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
+function _getRequireWildcardCache(nodeInterop) { if (typeof _WeakMap !== "function") return null; var cacheBabelInterop = new _WeakMap(); var cacheNodeInterop = new _WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 
-function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
+function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && _Object$getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? _Object$getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 
 /* eslint-disable max-len */
 
@@ -46,7 +54,7 @@ async function verifyToken(sdk, token, validationParams) {
   const {
     issuer
   } = await (0, _wellKnown.getWellKnown)(sdk, configuredIssuer);
-  var validationOptions = Object.assign({
+  var validationOptions = (0, _assign.default)({
     // base options, can be overridden by params
     clientId: sdk.options.clientId,
     ignoreSignature: sdk.options.ignoreSignature
@@ -60,7 +68,8 @@ async function verifyToken(sdk, token, validationParams) {
 
   if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {
     return token;
-  }
+  } // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+
 
   const key = await (0, _wellKnown.getKey)(sdk, token.issuer, jwt.header.kid);
   const valid = await sdkCrypto.verifyToken(token.idToken, key);

package/cjs/oidc/verifyToken.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../lib/oidc/verifyToken.ts"],"names":["verifyToken","sdk","token","validationParams","idToken","AuthSdkError","jwt","configuredIssuer","issuer","options","validationOptions","Object","assign","clientId","ignoreSignature","payload","features","isTokenVerifySupported","key","header","kid","valid","sdkCrypto","accessToken","claims","at_hash","hash","getOidcHash"],"mappings":";;;;AAcA;;AACA;;AACA;;AAEA;;AACA;;;;;;AAnBA;;AACA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,EAA0CC,KAA1C,EAA0DC,gBAA1D,EAAiH;AACtH,MAAI,CAACD,KAAD,IAAU,CAACA,KAAK,CAACE,OAArB,EAA8B;AAC5B,UAAM,IAAIC,oBAAJ,CAAiB,+BAAjB,CAAN;AACD,GAHqH,CAKtH;;;AACA,MAAIC,GAAG,GAAG,8BAAYJ,KAAK,CAACE,OAAlB,CAAV,CANsH,CAQtH;AACA;;AACA,QAAMG,gBAAgB,GAAG,CAAAJ,gBAAgB,SAAhB,IAAAA,gBAAgB,WAAhB,YAAAA,gBAAgB,CAAEK,MAAlB,KAA4BP,GAAG,CAACQ,OAAJ,CAAYD,MAAjE;AACA,QAAM;AAAEA,IAAAA;AAAF,MAAa,MAAM,6BAAaP,GAAb,EAAkBM,gBAAlB,CAAzB;AAEA,MAAIG,iBAAoC,GAAGC,MAAM,CAACC,MAAP,CAAc;AACvD;AACAC,IAAAA,QAAQ,EAAEZ,GAAG,CAACQ,OAAJ,CAAYI,QAFiC;AAGvDC,IAAAA,eAAe,EAAEb,GAAG,CAACQ,OAAJ,CAAYK;AAH0B,GAAd,EAIxCX,gBAJwC,EAItB;AACnB;AACAK,IAAAA;AAFmB,GAJsB,CAA3C,CAbsH,CAsBtH;;AACA,4BAAeP,GAAf,EAAoBK,GAAG,CAACS,OAAxB,EAAiCL,iBAAjC,EAvBsH,CAyBtH;AACA;;AACA,MAAIA,iBAAiB,CAACI,eAAlB,IAAqC,IAArC,IAA6C,CAACb,GAAG,CAACe,QAAJ,CAAaC,sBAAb,EAAlD,EAAyF;AACvF,WAAOf,KAAP;AACD;;AAED,QAAMgB,GAAG,GAAG,MAAM,uBAAOjB,GAAP,EAAYC,KAAK,CAACM,MAAlB,EAA0BF,GAAG,CAACa,MAAJ,CAAWC,GAArC,CAAlB;AACA,QAAMC,KAAK,GAAG,MAAMC,SAAS,CAACtB,WAAV,CAAsBE,KAAK,CAACE,OAA5B,EAAqCc,GAArC,CAApB;;AACA,MAAI,CAACG,KAAL,EAAY;AACV,UAAM,IAAIhB,oBAAJ,CAAiB,kCAAjB,CAAN;AACD;;AACD,MAAIF,gBAAgB,IAAIA,gBAAgB,CAACoB,WAArC,IAAoDrB,KAAK,CAACsB,MAAN,CAAaC,OAArE,EAA8E;AAC5E,UAAMC,IAAI,GAAG,MAAMJ,SAAS,CAACK,WAAV,CAAsBxB,gBAAgB,CAACoB,WAAvC,CAAnB;;AACA,QAAIG,IAAI,KAAKxB,KAAK,CAACsB,MAAN,CAAaC,OAA1B,EAAmC;AACjC,YAAM,IAAIpB,oBAAJ,CAAiB,gCAAjB,CAAN;AACD;AACF;;AACD,SAAOH,KAAP;AACD","sourcesContent":["/* eslint-disable max-len */\n/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown, getKey } from './endpoints/well-known';\nimport { validateClaims } from './util';\nimport { AuthSdkError } from '../errors';\nimport { IDToken, OktaAuth, TokenVerifyParams } from '../types';\nimport { decodeToken } from './decodeToken';\nimport * as sdkCrypto from '../crypto';\n\n// Verify the id token\nexport async function verifyToken(sdk: OktaAuth, token: IDToken, validationParams: TokenVerifyParams): Promise<IDToken> {\n  if (!token || !token.idToken) {\n    throw new AuthSdkError('Only idTokens may be verified');\n  }\n\n  // Decode the Jwt object (may throw)\n  var jwt = decodeToken(token.idToken);\n\n  // The configured issuer may point to a frontend proxy.\n  // Get the \"real\" issuer from .well-known/openid-configuration\n  const configuredIssuer = validationParams?.issuer || sdk.options.issuer;\n  const { issuer } = await getWellKnown(sdk, configuredIssuer);\n\n  var validationOptions: TokenVerifyParams = Object.assign({\n    // base options, can be overridden by params\n    clientId: sdk.options.clientId,\n    ignoreSignature: sdk.options.ignoreSignature\n  }, validationParams, {\n    // final options, cannot be overridden\n    issuer\n  });\n\n  // Standard claim validation (may throw)\n  validateClaims(sdk, jwt.payload, validationOptions);\n\n  // If the browser doesn't support native crypto or we choose not\n  // to verify the signature, bail early\n  if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {\n    return token;\n  }\n\n  const key = await getKey(sdk, token.issuer, jwt.header.kid);\n  const valid = await sdkCrypto.verifyToken(token.idToken, key);\n  if (!valid) {\n    throw new AuthSdkError('The token signature is not valid');\n  }\n  if (validationParams && validationParams.accessToken && token.claims.at_hash) {\n    const hash = await sdkCrypto.getOidcHash(validationParams.accessToken);\n    if (hash !== token.claims.at_hash) {\n      throw new AuthSdkError('Token hash verification failed');\n    }\n  }\n  return token;\n}\n"],"file":"verifyToken.js"}
+{"version":3,"sources":["../../../lib/oidc/verifyToken.ts"],"names":["verifyToken","sdk","token","validationParams","idToken","AuthSdkError","jwt","configuredIssuer","issuer","options","validationOptions","clientId","ignoreSignature","payload","features","isTokenVerifySupported","key","header","kid","valid","sdkCrypto","accessToken","claims","at_hash","hash","getOidcHash"],"mappings":";;;;;;;;;;;;AAcA;;AACA;;AACA;;AAEA;;AACA;;;;;;AAnBA;;AACA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,EAAmDC,KAAnD,EAAmEC,gBAAnE,EAA0H;AAC/H,MAAI,CAACD,KAAD,IAAU,CAACA,KAAK,CAACE,OAArB,EAA8B;AAC5B,UAAM,IAAIC,oBAAJ,CAAiB,+BAAjB,CAAN;AACD,GAH8H,CAK/H;;;AACA,MAAIC,GAAG,GAAG,8BAAYJ,KAAK,CAACE,OAAlB,CAAV,CAN+H,CAQ/H;AACA;;AACA,QAAMG,gBAAgB,GAAG,CAAAJ,gBAAgB,SAAhB,IAAAA,gBAAgB,WAAhB,YAAAA,gBAAgB,CAAEK,MAAlB,KAA4BP,GAAG,CAACQ,OAAJ,CAAYD,MAAjE;AACA,QAAM;AAAEA,IAAAA;AAAF,MAAa,MAAM,6BAAaP,GAAb,EAAkBM,gBAAlB,CAAzB;AAEA,MAAIG,iBAAoC,GAAG,qBAAc;AACvD;AACAC,IAAAA,QAAQ,EAAEV,GAAG,CAACQ,OAAJ,CAAYE,QAFiC;AAGvDC,IAAAA,eAAe,EAAEX,GAAG,CAACQ,OAAJ,CAAYG;AAH0B,GAAd,EAIxCT,gBAJwC,EAItB;AACnB;AACAK,IAAAA;AAFmB,GAJsB,CAA3C,CAb+H,CAsB/H;;AACA,4BAAeP,GAAf,EAAoBK,GAAG,CAACO,OAAxB,EAAiCH,iBAAjC,EAvB+H,CAyB/H;AACA;;AACA,MAAIA,iBAAiB,CAACE,eAAlB,IAAqC,IAArC,IAA6C,CAACX,GAAG,CAACa,QAAJ,CAAaC,sBAAb,EAAlD,EAAyF;AACvF,WAAOb,KAAP;AACD,GA7B8H,CA+B/H;;;AACA,QAAMc,GAAG,GAAG,MAAM,uBAAOf,GAAP,EAAYC,KAAK,CAACM,MAAlB,EAA0BF,GAAG,CAACW,MAAJ,CAAWC,GAArC,CAAlB;AACA,QAAMC,KAAK,GAAG,MAAMC,SAAS,CAACpB,WAAV,CAAsBE,KAAK,CAACE,OAA5B,EAAqCY,GAArC,CAApB;;AACA,MAAI,CAACG,KAAL,EAAY;AACV,UAAM,IAAId,oBAAJ,CAAiB,kCAAjB,CAAN;AACD;;AACD,MAAIF,gBAAgB,IAAIA,gBAAgB,CAACkB,WAArC,IAAoDnB,KAAK,CAACoB,MAAN,CAAaC,OAArE,EAA8E;AAC5E,UAAMC,IAAI,GAAG,MAAMJ,SAAS,CAACK,WAAV,CAAsBtB,gBAAgB,CAACkB,WAAvC,CAAnB;;AACA,QAAIG,IAAI,KAAKtB,KAAK,CAACoB,MAAN,CAAaC,OAA1B,EAAmC;AACjC,YAAM,IAAIlB,oBAAJ,CAAiB,gCAAjB,CAAN;AACD;AACF;;AACD,SAAOH,KAAP;AACD","sourcesContent":["/* eslint-disable max-len */\n/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown, getKey } from './endpoints/well-known';\nimport { validateClaims } from './util';\nimport { AuthSdkError } from '../errors';\nimport { IDToken, OktaAuthInterface, TokenVerifyParams } from '../types';\nimport { decodeToken } from './decodeToken';\nimport * as sdkCrypto from '../crypto';\n\n// Verify the id token\nexport async function verifyToken(sdk: OktaAuthInterface, token: IDToken, validationParams: TokenVerifyParams): Promise<IDToken> {\n  if (!token || !token.idToken) {\n    throw new AuthSdkError('Only idTokens may be verified');\n  }\n\n  // Decode the Jwt object (may throw)\n  var jwt = decodeToken(token.idToken);\n\n  // The configured issuer may point to a frontend proxy.\n  // Get the \"real\" issuer from .well-known/openid-configuration\n  const configuredIssuer = validationParams?.issuer || sdk.options.issuer;\n  const { issuer } = await getWellKnown(sdk, configuredIssuer);\n\n  var validationOptions: TokenVerifyParams = Object.assign({\n    // base options, can be overridden by params\n    clientId: sdk.options.clientId,\n    ignoreSignature: sdk.options.ignoreSignature\n  }, validationParams, {\n    // final options, cannot be overridden\n    issuer\n  });\n\n  // Standard claim validation (may throw)\n  validateClaims(sdk, jwt.payload, validationOptions);\n\n  // If the browser doesn't support native crypto or we choose not\n  // to verify the signature, bail early\n  if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {\n    return token;\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  const key = await getKey(sdk, token.issuer, jwt.header.kid!);\n  const valid = await sdkCrypto.verifyToken(token.idToken, key);\n  if (!valid) {\n    throw new AuthSdkError('The token signature is not valid');\n  }\n  if (validationParams && validationParams.accessToken && token.claims.at_hash) {\n    const hash = await sdkCrypto.getOidcHash(validationParams.accessToken);\n    if (hash !== token.claims.at_hash) {\n      throw new AuthSdkError('Token hash verification failed');\n    }\n  }\n  return token;\n}\n"],"file":"verifyToken.js"}

package/cjs/options/browser.js

@@ -0,0 +1,81 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
+
+exports.getCookieSettings = getCookieSettings;
+Object.defineProperty(exports, "storage", {
+  enumerable: true,
+  get: function () {
+    return _browserStorage.default;
+  }
+});
+exports.enableSharedStorage = exports.STORAGE_MANAGER_OPTIONS = void 0;
+
+var _util = require("../util");
+
+var _browserStorage = _interopRequireDefault(require("../browser/browserStorage"));
+
+/*!
+ * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * 
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+
+/* eslint-disable complexity */
+const STORAGE_MANAGER_OPTIONS = {
+  token: {
+    storageTypes: ['localStorage', 'sessionStorage', 'cookie']
+  },
+  cache: {
+    storageTypes: ['localStorage', 'sessionStorage', 'cookie']
+  },
+  transaction: {
+    storageTypes: ['sessionStorage', 'localStorage', 'cookie']
+  },
+  'shared-transaction': {
+    storageTypes: ['localStorage']
+  },
+  'original-uri': {
+    storageTypes: ['localStorage']
+  }
+};
+exports.STORAGE_MANAGER_OPTIONS = STORAGE_MANAGER_OPTIONS;
+const enableSharedStorage = true;
+exports.enableSharedStorage = enableSharedStorage;
+
+function getCookieSettings(args = {}, isHTTPS) {
+  // Secure cookies will be automatically used on a HTTPS connection
+  // Non-secure cookies will be automatically used on a HTTP connection
+  // secure option can override the automatic behavior
+  var cookieSettings = args.cookies || {};
+
+  if (typeof cookieSettings.secure === 'undefined') {
+    cookieSettings.secure = isHTTPS;
+  }
+
+  if (typeof cookieSettings.sameSite === 'undefined') {
+    cookieSettings.sameSite = cookieSettings.secure ? 'none' : 'lax';
+  } // If secure=true, but the connection is not HTTPS, set secure=false.
+
+
+  if (cookieSettings.secure && !isHTTPS) {
+    // eslint-disable-next-line no-console
+    (0, _util.warn)('The current page is not being served with the HTTPS protocol.\n' + 'For security reasons, we strongly recommend using HTTPS.\n' + 'If you cannot use HTTPS, set "cookies.secure" option to false.');
+    cookieSettings.secure = false;
+  } // Chrome >= 80 will block cookies with SameSite=None unless they are also Secure
+  // If sameSite=none, but the connection is not HTTPS, set sameSite=lax.
+
+
+  if (cookieSettings.sameSite === 'none' && !cookieSettings.secure) {
+    cookieSettings.sameSite = 'lax';
+  }
+
+  return cookieSettings;
+}
+//# sourceMappingURL=browser.js.map

package/cjs/options/browser.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../lib/options/browser.ts"],"names":["STORAGE_MANAGER_OPTIONS","token","storageTypes","cache","transaction","enableSharedStorage","getCookieSettings","args","isHTTPS","cookieSettings","cookies","secure","sameSite"],"mappings":";;;;;;;;;;;;;AAcA;;AAEA;;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AAMO,MAAMA,uBAA8C,GAAG;AAC5DC,EAAAA,KAAK,EAAE;AACLC,IAAAA,YAAY,EAAE,CACZ,cADY,EAEZ,gBAFY,EAGZ,QAHY;AADT,GADqD;AAQ5DC,EAAAA,KAAK,EAAE;AACLD,IAAAA,YAAY,EAAE,CACZ,cADY,EAEZ,gBAFY,EAGZ,QAHY;AADT,GARqD;AAe5DE,EAAAA,WAAW,EAAE;AACXF,IAAAA,YAAY,EAAE,CACZ,gBADY,EAEZ,cAFY,EAGZ,QAHY;AADH,GAf+C;AAsB5D,wBAAsB;AACpBA,IAAAA,YAAY,EAAE,CACZ,cADY;AADM,GAtBsC;AA2B5D,kBAAgB;AACdA,IAAAA,YAAY,EAAE,CACZ,cADY;AADA;AA3B4C,CAAvD;;AAkCA,MAAMG,mBAAmB,GAAG,IAA5B;;;AAEA,SAASC,iBAAT,CAA2BC,IAAqB,GAAG,EAAnD,EAAuDC,OAAvD,EAAyE;AAC9E;AACA;AACA;AACA,MAAIC,cAAc,GAAGF,IAAI,CAACG,OAAL,IAAgB,EAArC;;AACA,MAAI,OAAOD,cAAc,CAACE,MAAtB,KAAiC,WAArC,EAAkD;AAChDF,IAAAA,cAAc,CAACE,MAAf,GAAwBH,OAAxB;AACD;;AACD,MAAI,OAAOC,cAAc,CAACG,QAAtB,KAAmC,WAAvC,EAAoD;AAClDH,IAAAA,cAAc,CAACG,QAAf,GAA0BH,cAAc,CAACE,MAAf,GAAwB,MAAxB,GAAiC,KAA3D;AACD,GAV6E,CAY9E;;;AACA,MAAIF,cAAc,CAACE,MAAf,IAAyB,CAACH,OAA9B,EAAuC;AACrC;AACA,oBACE,oEACA,4DADA,GAEA,gEAHF;AAKAC,IAAAA,cAAc,CAACE,MAAf,GAAwB,KAAxB;AACD,GArB6E,CAuB9E;AACA;;;AACA,MAAIF,cAAc,CAACG,QAAf,KAA4B,MAA5B,IAAsC,CAACH,cAAc,CAACE,MAA1D,EAAkE;AAChEF,IAAAA,cAAc,CAACG,QAAf,GAA0B,KAA1B;AACD;;AAED,SAAOH,cAAP;AACD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n/* eslint-disable complexity */\nimport { StorageManagerOptions, OktaAuthOptions } from '../types';\nimport { warn } from '../util';\n\nexport { default as storage } from '../browser/browserStorage';\n\nexport const STORAGE_MANAGER_OPTIONS: StorageManagerOptions = {\n  token: {\n    storageTypes: [\n      'localStorage',\n      'sessionStorage',\n      'cookie'\n    ]\n  },\n  cache: {\n    storageTypes: [\n      'localStorage',\n      'sessionStorage',\n      'cookie'\n    ]\n  },\n  transaction: {\n    storageTypes: [\n      'sessionStorage',\n      'localStorage',\n      'cookie'\n    ]\n  },\n  'shared-transaction': {\n    storageTypes: [\n      'localStorage'\n    ]\n  },\n  'original-uri': {\n    storageTypes: [\n      'localStorage'\n    ]\n  }\n};\n\nexport const enableSharedStorage = true;\n\nexport function getCookieSettings(args: OktaAuthOptions = {}, isHTTPS: boolean) {\n  // Secure cookies will be automatically used on a HTTPS connection\n  // Non-secure cookies will be automatically used on a HTTP connection\n  // secure option can override the automatic behavior\n  var cookieSettings = args.cookies || {};\n  if (typeof cookieSettings.secure === 'undefined') {\n    cookieSettings.secure = isHTTPS;\n  }\n  if (typeof cookieSettings.sameSite === 'undefined') {\n    cookieSettings.sameSite = cookieSettings.secure ? 'none' : 'lax';\n  }\n\n  // If secure=true, but the connection is not HTTPS, set secure=false.\n  if (cookieSettings.secure && !isHTTPS) {\n    // eslint-disable-next-line no-console\n    warn(\n      'The current page is not being served with the HTTPS protocol.\\n' +\n      'For security reasons, we strongly recommend using HTTPS.\\n' +\n      'If you cannot use HTTPS, set \"cookies.secure\" option to false.'\n    );\n    cookieSettings.secure = false;\n  }\n\n  // Chrome >= 80 will block cookies with SameSite=None unless they are also Secure\n  // If sameSite=none, but the connection is not HTTPS, set sameSite=lax.\n  if (cookieSettings.sameSite === 'none' && !cookieSettings.secure) {\n    cookieSettings.sameSite = 'lax';\n  }\n\n  return cookieSettings;\n}\n"],"file":"browser.js"}

package/cjs/options/index.js

@@ -0,0 +1,94 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
+
+exports.getDefaultOptions = getDefaultOptions;
+exports.buildOptions = buildOptions;
+
+var _assign = _interopRequireDefault(require("@babel/runtime-corejs3/core-js-stable/object/assign"));
+
+var _util = require("../util");
+
+var _builderUtil = require("../builderUtil");
+
+var _fetchRequest = _interopRequireDefault(require("../fetch/fetchRequest"));
+
+var _node = require("./node");
+
+var _features = require("../features");
+
+/*!
+ * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * 
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+function getDefaultOptions() {
+  const options = {
+    devMode: false,
+    httpRequestClient: _fetchRequest.default,
+    storageUtil: _node.storage,
+    storageManager: _node.STORAGE_MANAGER_OPTIONS,
+    transactionManager: {
+      enableSharedStorage: _node.enableSharedStorage
+    }
+  };
+  return options;
+}
+
+function mergeOptions(options, args) {
+  return (0, _assign.default)({}, options, (0, _util.removeNils)(args), {
+    storageManager: (0, _assign.default)({}, options.storageManager, args.storageManager),
+    transactionManager: (0, _assign.default)({}, options.transactionManager, args.transactionManager)
+  });
+}
+
+function buildOptions(args = {}) {
+  (0, _builderUtil.assertValidConfig)(args);
+  args = mergeOptions(getDefaultOptions(), args);
+  return (0, _util.removeNils)({
+    // OIDC configuration
+    issuer: (0, _util.removeTrailingSlash)(args.issuer),
+    tokenUrl: (0, _util.removeTrailingSlash)(args.tokenUrl),
+    authorizeUrl: (0, _util.removeTrailingSlash)(args.authorizeUrl),
+    userinfoUrl: (0, _util.removeTrailingSlash)(args.userinfoUrl),
+    revokeUrl: (0, _util.removeTrailingSlash)(args.revokeUrl),
+    logoutUrl: (0, _util.removeTrailingSlash)(args.logoutUrl),
+    clientId: args.clientId,
+    redirectUri: args.redirectUri,
+    state: args.state,
+    scopes: args.scopes,
+    postLogoutRedirectUri: args.postLogoutRedirectUri,
+    responseMode: args.responseMode,
+    responseType: args.responseType,
+    pkce: args.pkce === false ? false : true,
+    // PKCE defaults to true
+    useInteractionCodeFlow: args.useInteractionCodeFlow,
+    // Internal options
+    httpRequestClient: args.httpRequestClient,
+    transformErrorXHR: args.transformErrorXHR,
+    transformAuthState: args.transformAuthState,
+    restoreOriginalUri: args.restoreOriginalUri,
+    storageUtil: args.storageUtil,
+    headers: args.headers,
+    devMode: !!args.devMode,
+    storageManager: args.storageManager,
+    transactionManager: args.transactionManager,
+    cookies: (0, _node.getCookieSettings)(args, (0, _features.isHTTPS)()),
+    flow: args.flow,
+    codeChallenge: args.codeChallenge,
+    codeChallengeMethod: args.codeChallengeMethod,
+    recoveryToken: args.recoveryToken,
+    activationToken: args.activationToken,
+    // Give the developer the ability to disable token signature validation.
+    ignoreSignature: !!args.ignoreSignature,
+    // Server-side web applications
+    clientSecret: args.clientSecret
+  });
+}
+//# sourceMappingURL=index.js.map

package/cjs/options/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../lib/options/index.ts"],"names":["getDefaultOptions","options","devMode","httpRequestClient","fetchRequest","storageUtil","storage","storageManager","STORAGE_MANAGER_OPTIONS","transactionManager","enableSharedStorage","mergeOptions","args","buildOptions","issuer","tokenUrl","authorizeUrl","userinfoUrl","revokeUrl","logoutUrl","clientId","redirectUri","state","scopes","postLogoutRedirectUri","responseMode","responseType","pkce","useInteractionCodeFlow","transformErrorXHR","transformAuthState","restoreOriginalUri","headers","cookies","flow","codeChallenge","codeChallengeMethod","recoveryToken","activationToken","ignoreSignature","clientSecret"],"mappings":";;;;;;;;;AAYA;;AACA;;AAGA;;AACA;;AACA;;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAUO,SAASA,iBAAT,GAA8C;AACnD,QAAMC,OAAO,GAAG;AACdC,IAAAA,OAAO,EAAE,KADK;AAEdC,IAAAA,iBAAiB,EAAEC,qBAFL;AAGdC,IAAAA,WAAW,EAAEC,aAHC;AAIdC,IAAAA,cAAc,EAAEC,6BAJF;AAKdC,IAAAA,kBAAkB,EAAE;AAClBC,MAAAA,mBAAmB,EAAnBA;AADkB;AALN,GAAhB;AASA,SAAOT,OAAP;AACD;;AAED,SAASU,YAAT,CAAsBV,OAAtB,EAA+BW,IAA/B,EAAsD;AACpD,SAAO,qBAAc,EAAd,EAAkBX,OAAlB,EAA2B,sBAAWW,IAAX,CAA3B,EAA6C;AAClDL,IAAAA,cAAc,EAAE,qBAAc,EAAd,EAAkBN,OAAO,CAACM,cAA1B,EAA0CK,IAAI,CAACL,cAA/C,CADkC;AAElDE,IAAAA,kBAAkB,EAAE,qBAAc,EAAd,EAAkBR,OAAO,CAACQ,kBAA1B,EAA8CG,IAAI,CAACH,kBAAnD;AAF8B,GAA7C,CAAP;AAID;;AAEM,SAASI,YAAT,CAAsBD,IAAqB,GAAG,EAA9C,EAAmE;AACxE,sCAAkBA,IAAlB;AACAA,EAAAA,IAAI,GAAGD,YAAY,CAACX,iBAAiB,EAAlB,EAAsBY,IAAtB,CAAnB;AACA,SAAO,sBAAW;AAChB;AACAE,IAAAA,MAAM,EAAE,+BAAoBF,IAAI,CAACE,MAAzB,CAFQ;AAGhBC,IAAAA,QAAQ,EAAE,+BAAoBH,IAAI,CAACG,QAAzB,CAHM;AAIhBC,IAAAA,YAAY,EAAE,+BAAoBJ,IAAI,CAACI,YAAzB,CAJE;AAKhBC,IAAAA,WAAW,EAAE,+BAAoBL,IAAI,CAACK,WAAzB,CALG;AAMhBC,IAAAA,SAAS,EAAE,+BAAoBN,IAAI,CAACM,SAAzB,CANK;AAOhBC,IAAAA,SAAS,EAAE,+BAAoBP,IAAI,CAACO,SAAzB,CAPK;AAQhBC,IAAAA,QAAQ,EAAER,IAAI,CAACQ,QARC;AAShBC,IAAAA,WAAW,EAAET,IAAI,CAACS,WATF;AAUhBC,IAAAA,KAAK,EAAEV,IAAI,CAACU,KAVI;AAWhBC,IAAAA,MAAM,EAAEX,IAAI,CAACW,MAXG;AAYhBC,IAAAA,qBAAqB,EAAEZ,IAAI,CAACY,qBAZZ;AAahBC,IAAAA,YAAY,EAAEb,IAAI,CAACa,YAbH;AAchBC,IAAAA,YAAY,EAAEd,IAAI,CAACc,YAdH;AAehBC,IAAAA,IAAI,EAAEf,IAAI,CAACe,IAAL,KAAc,KAAd,GAAsB,KAAtB,GAA8B,IAfpB;AAe0B;AAC1CC,IAAAA,sBAAsB,EAAEhB,IAAI,CAACgB,sBAhBb;AAkBhB;AACAzB,IAAAA,iBAAiB,EAAES,IAAI,CAACT,iBAnBR;AAoBhB0B,IAAAA,iBAAiB,EAAEjB,IAAI,CAACiB,iBApBR;AAqBhBC,IAAAA,kBAAkB,EAAElB,IAAI,CAACkB,kBArBT;AAsBhBC,IAAAA,kBAAkB,EAAEnB,IAAI,CAACmB,kBAtBT;AAuBhB1B,IAAAA,WAAW,EAAEO,IAAI,CAACP,WAvBF;AAwBhB2B,IAAAA,OAAO,EAAEpB,IAAI,CAACoB,OAxBE;AAyBhB9B,IAAAA,OAAO,EAAE,CAAC,CAACU,IAAI,CAACV,OAzBA;AA0BhBK,IAAAA,cAAc,EAAEK,IAAI,CAACL,cA1BL;AA2BhBE,IAAAA,kBAAkB,EAAEG,IAAI,CAACH,kBA3BT;AA4BhBwB,IAAAA,OAAO,EAAE,6BAAkBrB,IAAlB,EAAwB,wBAAxB,CA5BO;AA6BhBsB,IAAAA,IAAI,EAAEtB,IAAI,CAACsB,IA7BK;AA8BhBC,IAAAA,aAAa,EAAEvB,IAAI,CAACuB,aA9BJ;AA+BhBC,IAAAA,mBAAmB,EAAExB,IAAI,CAACwB,mBA/BV;AAgChBC,IAAAA,aAAa,EAAEzB,IAAI,CAACyB,aAhCJ;AAiChBC,IAAAA,eAAe,EAAE1B,IAAI,CAAC0B,eAjCN;AAmChB;AACAC,IAAAA,eAAe,EAAE,CAAC,CAAC3B,IAAI,CAAC2B,eApCR;AAsChB;AACAC,IAAAA,YAAY,EAAE5B,IAAI,CAAC4B;AAvCH,GAAX,CAAP;AAyCD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { removeTrailingSlash, removeNils } from '../util';\nimport { assertValidConfig } from '../builderUtil';\nimport { OktaAuthOptions } from '../types';\n\nimport fetchRequest from '../fetch/fetchRequest';\nimport { storage, STORAGE_MANAGER_OPTIONS, enableSharedStorage, getCookieSettings } from './node';\nimport { isHTTPS } from '../features';\n\nexport function getDefaultOptions(): OktaAuthOptions {\n  const options = {\n    devMode: false,\n    httpRequestClient: fetchRequest,\n    storageUtil: storage,\n    storageManager: STORAGE_MANAGER_OPTIONS,\n    transactionManager: {\n      enableSharedStorage\n    }\n  };\n  return options;\n}\n\nfunction mergeOptions(options, args): OktaAuthOptions {\n  return Object.assign({}, options, removeNils(args), {\n    storageManager: Object.assign({}, options.storageManager, args.storageManager),\n    transactionManager: Object.assign({}, options.transactionManager, args.transactionManager),\n  });\n}\n\nexport function buildOptions(args: OktaAuthOptions = {}): OktaAuthOptions {\n  assertValidConfig(args);\n  args = mergeOptions(getDefaultOptions(), args);\n  return removeNils({\n    // OIDC configuration\n    issuer: removeTrailingSlash(args.issuer),\n    tokenUrl: removeTrailingSlash(args.tokenUrl),\n    authorizeUrl: removeTrailingSlash(args.authorizeUrl),\n    userinfoUrl: removeTrailingSlash(args.userinfoUrl),\n    revokeUrl: removeTrailingSlash(args.revokeUrl),\n    logoutUrl: removeTrailingSlash(args.logoutUrl),\n    clientId: args.clientId,\n    redirectUri: args.redirectUri,\n    state: args.state,\n    scopes: args.scopes,\n    postLogoutRedirectUri: args.postLogoutRedirectUri,\n    responseMode: args.responseMode,\n    responseType: args.responseType,\n    pkce: args.pkce === false ? false : true, // PKCE defaults to true\n    useInteractionCodeFlow: args.useInteractionCodeFlow,\n\n    // Internal options\n    httpRequestClient: args.httpRequestClient,\n    transformErrorXHR: args.transformErrorXHR,\n    transformAuthState: args.transformAuthState,\n    restoreOriginalUri: args.restoreOriginalUri,\n    storageUtil: args.storageUtil,\n    headers: args.headers,\n    devMode: !!args.devMode,\n    storageManager: args.storageManager,\n    transactionManager: args.transactionManager,\n    cookies: getCookieSettings(args, isHTTPS()),\n    flow: args.flow,\n    codeChallenge: args.codeChallenge,\n    codeChallengeMethod: args.codeChallengeMethod,\n    recoveryToken: args.recoveryToken,\n    activationToken: args.activationToken,\n\n    // Give the developer the ability to disable token signature validation.\n    ignoreSignature: !!args.ignoreSignature,\n\n    // Server-side web applications\n    clientSecret: args.clientSecret\n  });\n}\n"],"file":"index.js"}

package/cjs/options/node.js

@@ -0,0 +1,46 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
+
+exports.getCookieSettings = getCookieSettings;
+Object.defineProperty(exports, "storage", {
+  enumerable: true,
+  get: function () {
+    return _serverStorage.default;
+  }
+});
+exports.enableSharedStorage = exports.STORAGE_MANAGER_OPTIONS = void 0;
+
+var _serverStorage = _interopRequireDefault(require("../server/serverStorage"));
+
+/*!
+ * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * 
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+const STORAGE_MANAGER_OPTIONS = {
+  token: {
+    storageTypes: ['memory']
+  },
+  cache: {
+    storageTypes: ['memory']
+  },
+  transaction: {
+    storageTypes: ['memory']
+  }
+};
+exports.STORAGE_MANAGER_OPTIONS = STORAGE_MANAGER_OPTIONS;
+const enableSharedStorage = false; // eslint-disable-next-line @typescript-eslint/no-unused-vars, no-unused-vars
+
+exports.enableSharedStorage = enableSharedStorage;
+
+function getCookieSettings(args = {}, isHTTPS) {
+  return args.cookies;
+}
+//# sourceMappingURL=node.js.map

package/cjs/options/node.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../lib/options/node.ts"],"names":["STORAGE_MANAGER_OPTIONS","token","storageTypes","cache","transaction","enableSharedStorage","getCookieSettings","args","isHTTPS","cookies"],"mappings":";;;;;;;;;;;;;AAcA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,MAAMA,uBAA8C,GAAG;AAC5DC,EAAAA,KAAK,EAAE;AACLC,IAAAA,YAAY,EAAE,CACZ,QADY;AADT,GADqD;AAM5DC,EAAAA,KAAK,EAAE;AACLD,IAAAA,YAAY,EAAE,CACZ,QADY;AADT,GANqD;AAW5DE,EAAAA,WAAW,EAAE;AACXF,IAAAA,YAAY,EAAE,CACZ,QADY;AADH;AAX+C,CAAvD;;AAkBA,MAAMG,mBAAmB,GAAG,KAA5B,C,CAEP;;;;AACO,SAASC,iBAAT,CAA2BC,IAAqB,GAAG,EAAnD,EAAuDC,OAAvD,EAA0E;AAC/E,SAAOD,IAAI,CAACE,OAAZ;AACD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { StorageManagerOptions, OktaAuthOptions } from '../types';\n\nexport { default as storage } from '../server/serverStorage';\n\nexport const STORAGE_MANAGER_OPTIONS: StorageManagerOptions = {\n  token: {\n    storageTypes: [\n      'memory'\n    ]\n  },\n  cache: {\n    storageTypes: [\n      'memory'\n    ]\n  },\n  transaction: {\n    storageTypes: [\n      'memory'\n    ]\n  }\n};\n\nexport const enableSharedStorage = false;\n\n// eslint-disable-next-line @typescript-eslint/no-unused-vars, no-unused-vars\nexport function getCookieSettings(args: OktaAuthOptions = {}, isHTTPS?: boolean) {\n  return args.cookies;\n}\n"],"file":"node.js"}

package/cjs/server/serverStorage.js

@@ -1,7 +1,11 @@
 "use strict";
 
+var _interopRequireDefault = require("@babel/runtime-corejs3/helpers/interopRequireDefault");
+
 exports.default = void 0;
 
+var _nodeCache = _interopRequireDefault(require("node-cache"));
+
 var _errors = require("../errors");
 
 /*!
@@ -16,11 +20,11 @@ var _errors = require("../errors");
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
-const NodeCache = require('node-cache'); // commonJS module cannot be imported without esModuleInterop
+// @ts-ignore 
+// Do not use this type in code, so it won't be emitted in the declaration output
+// eslint-disable-next-line import/no-commonjs
 // this is a SHARED memory storage to support a stateless http server
-
-
-const sharedStorage = typeof NodeCache === 'function' ? new NodeCache() : null;
+const sharedStorage = typeof _nodeCache.default === 'function' ? new _nodeCache.default() : null;
 
 class ServerCookies {
   // NodeCache
@@ -75,7 +79,7 @@ class ServerStorage {
   }
 
   getStorageByType(storageType) {
-    let storageProvider = null;
+    let storageProvider;
 
     switch (storageType) {
       case 'memory':

package/cjs/server/serverStorage.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../lib/server/serverStorage.ts"],"names":["NodeCache","require","sharedStorage","ServerCookies","constructor","nodeCache","set","name","value","expiresAt","Date","parse","ttl","now","get","delete","del","ServerStorage","storage","testStorageType","storageType","supported","getStorageByType","storageProvider","getStorage","AuthSdkError","findStorageType","getHttpCache","getItem","setItem","key"],"mappings":";;;;AAcA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAIA,MAAMA,SAAS,GAAGC,OAAO,CAAC,YAAD,CAAzB,C,CAAyC;AAEzC;;;AACA,MAAMC,aAAa,GAAG,OAAOF,SAAP,KAAqB,UAArB,GAAkC,IAAIA,SAAJ,EAAlC,GAAoD,IAA1E;;AAEA,MAAMG,aAAN,CAAuC;AACrB;AAEhBC,EAAAA,WAAW,CAACC,SAAD,EAAY;AACrB,SAAKA,SAAL,GAAiBA,SAAjB;AACD;;AAEDC,EAAAA,GAAG,CAACC,IAAD,EAAeC,KAAf,EAA8BC,SAA9B,EAAyD;AAC1D;AACA,QAAI,CAAC,CAAEC,IAAI,CAACC,KAAL,CAAWF,SAAX,CAAP,EAA+B;AAC7B;AACA,UAAIG,GAAG,GAAG,CAACF,IAAI,CAACC,KAAL,CAAWF,SAAX,IAAwBC,IAAI,CAACG,GAAL,EAAzB,IAAuC,IAAjD;AACA,WAAKR,SAAL,CAAeC,GAAf,CAAmBC,IAAnB,EAAyBC,KAAzB,EAAgCI,GAAhC;AACD,KAJD,MAIO;AACL,WAAKP,SAAL,CAAeC,GAAf,CAAmBC,IAAnB,EAAyBC,KAAzB;AACD;;AAED,WAAO,KAAKM,GAAL,CAASP,IAAT,CAAP;AACD;;AAEDO,EAAAA,GAAG,CAACP,IAAD,EAAe;AAChB,WAAO,KAAKF,SAAL,CAAeS,GAAf,CAAmBP,IAAnB,CAAP;AACD;;AAEDQ,EAAAA,MAAM,CAACR,IAAD,EAAO;AACX,WAAO,KAAKF,SAAL,CAAeW,GAAf,CAAmBT,IAAnB,CAAP;AACD;;AA1BoC,C,CA4BvC;;;AACA,MAAMU,aAAN,CAA2C;AACzB;AAEhBb,EAAAA,WAAW,CAACC,SAAD,EAAY;AACrB,SAAKA,SAAL,GAAiBA,SAAjB;AACA,SAAKa,OAAL,GAAe,IAAIf,aAAJ,CAAkBE,SAAlB,CAAf;AACD;;AAEDc,EAAAA,eAAe,CAACC,WAAD,EAAoC;AACjD,QAAIC,SAAS,GAAG,KAAhB;;AACA,YAAQD,WAAR;AACE,WAAK,QAAL;AACEC,QAAAA,SAAS,GAAG,IAAZ;AACA;;AACF;AACE;AALJ;;AAOA,WAAOA,SAAP;AACD;;AAEDC,EAAAA,gBAAgB,CAACF,WAAD,EAA0C;AACxD,QAAIG,eAAe,GAAG,IAAtB;;AACA,YAAQH,WAAR;AACE,WAAK,QAAL;AACEG,QAAAA,eAAe,GAAG,KAAKC,UAAL,EAAlB;AACA;;AACF;AACE,cAAM,IAAIC,oBAAJ,CAAkB,gCAA+BL,WAAY,EAA7D,CAAN;AACA;AANJ;;AAQA,WAAOG,eAAP;AACD;;AAEDG,EAAAA,eAAe,GAAgB;AAC7B,WAAO,QAAP;AACD,GAnCwC,CAqCzC;;;AACAC,EAAAA,YAAY,GAAG;AACb,WAAO,IAAP,CADa,CACA;AACd,GAxCwC,CA0CzC;;;AACAH,EAAAA,UAAU,GAAkB;AAC1B,WAAO;AACLI,MAAAA,OAAO,EAAE,KAAKvB,SAAL,CAAeS,GADnB;AAELe,MAAAA,OAAO,EAAE,CAACC,GAAD,EAAMtB,KAAN,KAAgB;AACvB,aAAKH,SAAL,CAAeC,GAAf,CAAmBwB,GAAnB,EAAwBtB,KAAxB,EAA+B,0BAA/B;AACD;AAJI,KAAP;AAMD;;AAlDwC;;eAqD5B,IAAIS,aAAJ,CAAkBf,aAAlB,C","sourcesContent":["/*!\n * Copyright (c) 2018-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\nimport { SimpleStorage, StorageType, StorageUtil, Cookies } from '../types';\nimport { AuthSdkError } from '../errors';\nconst NodeCache = require('node-cache'); // commonJS module cannot be imported without esModuleInterop\n\n// this is a SHARED memory storage to support a stateless http server\nconst sharedStorage = typeof NodeCache === 'function' ? new NodeCache() : null;\n\nclass ServerCookies implements Cookies {\n  nodeCache: any; // NodeCache\n  \n  constructor(nodeCache) {\n    this.nodeCache = nodeCache;\n  }\n\n  set(name: string, value: string, expiresAt: string): string {\n    // eslint-disable-next-line no-extra-boolean-cast\n    if (!!(Date.parse(expiresAt))) {\n      // Time to expiration in seconds\n      var ttl = (Date.parse(expiresAt) - Date.now()) / 1000;\n      this.nodeCache.set(name, value, ttl);\n    } else {\n      this.nodeCache.set(name, value);\n    }\n\n    return this.get(name);\n  }\n\n  get(name): string {\n    return this.nodeCache.get(name);\n  }\n\n  delete(name) {\n    return this.nodeCache.del(name);\n  }\n}\n// Building this as an object allows us to mock the functions in our tests\nclass ServerStorage implements StorageUtil {\n  nodeCache: any; // NodeCache\n  storage: Cookies;\n  constructor(nodeCache) {\n    this.nodeCache = nodeCache;\n    this.storage = new ServerCookies(nodeCache);\n  }\n\n  testStorageType(storageType: StorageType): boolean {\n    var supported = false;\n    switch (storageType) {\n      case 'memory':\n        supported = true;\n        break;\n      default:\n        break;\n    }\n    return supported;\n  }\n\n  getStorageByType(storageType: StorageType): SimpleStorage {\n    let storageProvider = null;\n    switch (storageType) {\n      case 'memory':\n        storageProvider = this.getStorage();\n        break;\n      default:\n        throw new AuthSdkError(`Unrecognized storage option: ${storageType}`);\n        break;\n    }\n    return storageProvider;\n  }\n\n  findStorageType(): StorageType {\n    return 'memory';\n  }\n\n  // will be removed in next version. OKTA-362589\n  getHttpCache() {\n    return null; // stubbed in server.js\n  }\n\n  // shared in-memory using node cache\n  getStorage(): SimpleStorage {\n    return {\n      getItem: this.nodeCache.get,\n      setItem: (key, value) => {\n        this.nodeCache.set(key, value, '2200-01-01T00:00:00.000Z');\n      }\n    };\n  }\n}\n\nexport default new ServerStorage(sharedStorage);\n"],"file":"serverStorage.js"}
+{"version":3,"sources":["../../../lib/server/serverStorage.ts"],"names":["sharedStorage","NodeCache","ServerCookies","constructor","nodeCache","set","name","value","expiresAt","Date","parse","ttl","now","get","delete","del","ServerStorage","storage","testStorageType","storageType","supported","getStorageByType","storageProvider","getStorage","AuthSdkError","findStorageType","getHttpCache","getItem","setItem","key"],"mappings":";;;;;;AAeA;;AAEA;;AAjBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAIA;AAEA;AACA,MAAMA,aAAa,GAAG,OAAOC,kBAAP,KAAqB,UAArB,GAAkC,IAAIA,kBAAJ,EAAlC,GAAoD,IAA1E;;AAEA,MAAMC,aAAN,CAAuC;AACrB;AAEhBC,EAAAA,WAAW,CAACC,SAAD,EAAY;AACrB,SAAKA,SAAL,GAAiBA,SAAjB;AACD;;AAEDC,EAAAA,GAAG,CAACC,IAAD,EAAeC,KAAf,EAA8BC,SAA9B,EAAyD;AAC1D;AACA,QAAI,CAAC,CAAEC,IAAI,CAACC,KAAL,CAAWF,SAAX,CAAP,EAA+B;AAC7B;AACA,UAAIG,GAAG,GAAG,CAACF,IAAI,CAACC,KAAL,CAAWF,SAAX,IAAwBC,IAAI,CAACG,GAAL,EAAzB,IAAuC,IAAjD;AACA,WAAKR,SAAL,CAAeC,GAAf,CAAmBC,IAAnB,EAAyBC,KAAzB,EAAgCI,GAAhC;AACD,KAJD,MAIO;AACL,WAAKP,SAAL,CAAeC,GAAf,CAAmBC,IAAnB,EAAyBC,KAAzB;AACD;;AAED,WAAO,KAAKM,GAAL,CAASP,IAAT,CAAP;AACD;;AAEDO,EAAAA,GAAG,CAACP,IAAD,EAAe;AAChB,WAAO,KAAKF,SAAL,CAAeS,GAAf,CAAmBP,IAAnB,CAAP;AACD;;AAEDQ,EAAAA,MAAM,CAACR,IAAD,EAAO;AACX,WAAO,KAAKF,SAAL,CAAeW,GAAf,CAAmBT,IAAnB,CAAP;AACD;;AA1BoC,C,CA4BvC;;;AACA,MAAMU,aAAN,CAA2C;AACzB;AAEhBb,EAAAA,WAAW,CAACC,SAAD,EAAY;AACrB,SAAKA,SAAL,GAAiBA,SAAjB;AACA,SAAKa,OAAL,GAAe,IAAIf,aAAJ,CAAkBE,SAAlB,CAAf;AACD;;AAEDc,EAAAA,eAAe,CAACC,WAAD,EAAoC;AACjD,QAAIC,SAAS,GAAG,KAAhB;;AACA,YAAQD,WAAR;AACE,WAAK,QAAL;AACEC,QAAAA,SAAS,GAAG,IAAZ;AACA;;AACF;AACE;AALJ;;AAOA,WAAOA,SAAP;AACD;;AAEDC,EAAAA,gBAAgB,CAACF,WAAD,EAA0C;AACxD,QAAIG,eAAJ;;AACA,YAAQH,WAAR;AACE,WAAK,QAAL;AACEG,QAAAA,eAAe,GAAG,KAAKC,UAAL,EAAlB;AACA;;AACF;AACE,cAAM,IAAIC,oBAAJ,CAAkB,gCAA+BL,WAAY,EAA7D,CAAN;AACA;AANJ;;AAQA,WAAOG,eAAP;AACD;;AAEDG,EAAAA,eAAe,GAAgB;AAC7B,WAAO,QAAP;AACD,GAnCwC,CAqCzC;;;AACAC,EAAAA,YAAY,GAAG;AACb,WAAO,IAAP,CADa,CACA;AACd,GAxCwC,CA0CzC;;;AACAH,EAAAA,UAAU,GAAkB;AAC1B,WAAO;AACLI,MAAAA,OAAO,EAAE,KAAKvB,SAAL,CAAeS,GADnB;AAELe,MAAAA,OAAO,EAAE,CAACC,GAAD,EAAMtB,KAAN,KAAgB;AACvB,aAAKH,SAAL,CAAeC,GAAf,CAAmBwB,GAAnB,EAAwBtB,KAAxB,EAA+B,0BAA/B;AACD;AAJI,KAAP;AAMD;;AAlDwC;;eAqD5B,IAAIS,aAAJ,CAAkBhB,aAAlB,C","sourcesContent":["/*!\n * Copyright (c) 2018-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\n// @ts-ignore \n// Do not use this type in code, so it won't be emitted in the declaration output\nimport NodeCache from 'node-cache';\nimport { SimpleStorage, StorageType, StorageUtil, Cookies } from '../types';\nimport { AuthSdkError } from '../errors';\n// eslint-disable-next-line import/no-commonjs\n\n// this is a SHARED memory storage to support a stateless http server\nconst sharedStorage = typeof NodeCache === 'function' ? new NodeCache() : null;\n\nclass ServerCookies implements Cookies {\n  nodeCache: any; // NodeCache\n  \n  constructor(nodeCache) {\n    this.nodeCache = nodeCache;\n  }\n\n  set(name: string, value: string, expiresAt: string): string {\n    // eslint-disable-next-line no-extra-boolean-cast\n    if (!!(Date.parse(expiresAt))) {\n      // Time to expiration in seconds\n      var ttl = (Date.parse(expiresAt) - Date.now()) / 1000;\n      this.nodeCache.set(name, value, ttl);\n    } else {\n      this.nodeCache.set(name, value);\n    }\n\n    return this.get(name);\n  }\n\n  get(name): string {\n    return this.nodeCache.get(name);\n  }\n\n  delete(name) {\n    return this.nodeCache.del(name);\n  }\n}\n// Building this as an object allows us to mock the functions in our tests\nclass ServerStorage implements StorageUtil {\n  nodeCache: any; // NodeCache\n  storage: Cookies;\n  constructor(nodeCache) {\n    this.nodeCache = nodeCache;\n    this.storage = new ServerCookies(nodeCache);\n  }\n\n  testStorageType(storageType: StorageType): boolean {\n    var supported = false;\n    switch (storageType) {\n      case 'memory':\n        supported = true;\n        break;\n      default:\n        break;\n    }\n    return supported;\n  }\n\n  getStorageByType(storageType: StorageType): SimpleStorage {\n    let storageProvider;\n    switch (storageType) {\n      case 'memory':\n        storageProvider = this.getStorage();\n        break;\n      default:\n        throw new AuthSdkError(`Unrecognized storage option: ${storageType}`);\n        break;\n    }\n    return storageProvider;\n  }\n\n  findStorageType(): StorageType {\n    return 'memory';\n  }\n\n  // will be removed in next version. OKTA-362589\n  getHttpCache() {\n    return null; // stubbed in server.js\n  }\n\n  // shared in-memory using node cache\n  getStorage(): SimpleStorage {\n    return {\n      getItem: this.nodeCache.get,\n      setItem: (key, value) => {\n        this.nodeCache.set(key, value, '2200-01-01T00:00:00.000Z');\n      }\n    };\n  }\n}\n\nexport default new ServerStorage(sharedStorage);\n"],"file":"serverStorage.js"}