@okta/okta-auth-js 7.0.0 → 7.1.0

package/cjs/oidc/util/prepareTokenParams.js

@@ -1,24 +1,16 @@
 "use strict";
 
 var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
-
 exports.assertPKCESupport = assertPKCESupport;
 exports.preparePKCE = preparePKCE;
 exports.prepareTokenParams = prepareTokenParams;
 exports.validateCodeChallengeMethod = validateCodeChallengeMethod;
-
 var _wellKnown = require("../endpoints/well-known");
-
 var _errors = require("../../errors");
-
 var _defaultTokenParams = require("./defaultTokenParams");
-
 var _constants = require("../../constants");
-
 var _pkce = _interopRequireDefault(require("./pkce"));
-
 /* eslint-disable complexity */
-
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
@@ -31,56 +23,52 @@ var _pkce = _interopRequireDefault(require("./pkce"));
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
+
 function assertPKCESupport(sdk) {
   if (!sdk.features.isPKCESupported()) {
     var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';
-
     if (!sdk.features.isHTTPS()) {
       // eslint-disable-next-line max-len
       errorMessage += '\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';
     }
-
     if (!sdk.features.hasTextEncoder()) {
       // eslint-disable-next-line max-len
       errorMessage += '\n"TextEncoder" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';
     }
-
     throw new _errors.AuthSdkError(errorMessage);
   }
 }
-
 async function validateCodeChallengeMethod(sdk, codeChallengeMethod) {
   // set default code challenge method, if none provided
-  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || _constants.DEFAULT_CODE_CHALLENGE_METHOD; // validate against .well-known/openid-configuration
+  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || _constants.DEFAULT_CODE_CHALLENGE_METHOD;
 
+  // validate against .well-known/openid-configuration
   const wellKnownResponse = await (0, _wellKnown.getWellKnown)(sdk);
   var methods = wellKnownResponse['code_challenge_methods_supported'] || [];
-
   if (methods.indexOf(codeChallengeMethod) === -1) {
     throw new _errors.AuthSdkError('Invalid code_challenge_method');
   }
-
   return codeChallengeMethod;
 }
-
 async function preparePKCE(sdk, tokenParams) {
   let {
     codeVerifier,
     codeChallenge,
     codeChallengeMethod
-  } = tokenParams; // PKCE calculations can be avoided by passing a codeChallenge
+  } = tokenParams;
 
+  // PKCE calculations can be avoided by passing a codeChallenge
   codeChallenge = codeChallenge || sdk.options.codeChallenge;
-
   if (!codeChallenge) {
     assertPKCESupport(sdk);
     codeVerifier = codeVerifier || _pkce.default.generateVerifier();
     codeChallenge = await _pkce.default.computeChallenge(codeVerifier);
   }
+  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);
 
-  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod); // Clone/copy the params. Set PKCE values
-
-  tokenParams = { ...tokenParams,
+  // Clone/copy the params. Set PKCE values
+  tokenParams = {
+    ...tokenParams,
     responseType: 'code',
     // responseType is forced
     codeVerifier,
@@ -88,21 +76,20 @@ async function preparePKCE(sdk, tokenParams) {
     codeChallengeMethod
   };
   return tokenParams;
-} // Prepares params for a call to /authorize or /token
-
+}
 
+// Prepares params for a call to /authorize or /token
 async function prepareTokenParams(sdk, tokenParams = {}) {
   // build params using defaults + options
   const defaults = (0, _defaultTokenParams.getDefaultTokenParams)(sdk);
-  tokenParams = { ...defaults,
+  tokenParams = {
+    ...defaults,
     ...tokenParams
   };
-
   if (tokenParams.pkce === false) {
     // Implicit flow or authorization_code without PKCE
     return tokenParams;
   }
-
   return preparePKCE(sdk, tokenParams);
 }
 //# sourceMappingURL=prepareTokenParams.js.map

package/cjs/oidc/util/prepareTokenParams.js.map

@@ -1 +1 @@
-{"version":3,"file":"prepareTokenParams.js","names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","getWellKnown","methods","indexOf","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","getDefaultTokenParams","pkce"],"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthOAuthInterface, TokenParams } from '../types';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport PKCE from './pkce';\nimport { OktaAuthBaseInterface } from '../../base/types';\n\nexport function assertPKCESupport(sdk: OktaAuthBaseInterface) {\n  if (!sdk.features.isPKCESupported()) {\n    var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n    if (!sdk.features.isHTTPS()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n    }\n    if (!sdk.features.hasTextEncoder()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n    }\n    throw new AuthSdkError(errorMessage);\n  }\n}\n\nexport async function validateCodeChallengeMethod(sdk: OktaAuthOAuthInterface, codeChallengeMethod?: string) {\n  // set default code challenge method, if none provided\n  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || DEFAULT_CODE_CHALLENGE_METHOD;\n\n  // validate against .well-known/openid-configuration\n  const wellKnownResponse = await getWellKnown(sdk);\n  var methods = wellKnownResponse['code_challenge_methods_supported'] || [];\n  if (methods.indexOf(codeChallengeMethod) === -1) {\n    throw new AuthSdkError('Invalid code_challenge_method');\n  }\n  return codeChallengeMethod;\n}\n\nexport async function preparePKCE(\n  sdk: OktaAuthOAuthInterface, \n  tokenParams: TokenParams\n): Promise<TokenParams> {\n  let {\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  } = tokenParams;\n\n  // PKCE calculations can be avoided by passing a codeChallenge\n  codeChallenge = codeChallenge || sdk.options.codeChallenge;\n  if (!codeChallenge) {\n    assertPKCESupport(sdk);\n    codeVerifier = codeVerifier || PKCE.generateVerifier();\n    codeChallenge = await PKCE.computeChallenge(codeVerifier);\n  }\n  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);\n\n  // Clone/copy the params. Set PKCE values\n  tokenParams = {\n    ...tokenParams,\n    responseType: 'code', // responseType is forced\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  };\n\n  return tokenParams;\n}\n\n// Prepares params for a call to /authorize or /token\nexport async function prepareTokenParams(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams = {}\n): Promise<TokenParams> {\n  // build params using defaults + options\n  const defaults = getDefaultTokenParams(sdk);\n  tokenParams = { ...defaults, ...tokenParams };\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return tokenParams;\n  }\n\n  return preparePKCE(sdk, tokenParams);\n}"],"mappings":";;;;;;;;;AAaA;;AACA;;AAEA;;AACA;;AACA;;AAlBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AASO,SAASA,iBAAT,CAA2BC,GAA3B,EAAuD;EAC5D,IAAI,CAACA,GAAG,CAACC,QAAJ,CAAaC,eAAb,EAAL,EAAqC;IACnC,IAAIC,YAAY,GAAG,qFAAnB;;IACA,IAAI,CAACH,GAAG,CAACC,QAAJ,CAAaG,OAAb,EAAL,EAA6B;MAC3B;MACAD,YAAY,IAAI,kGAAhB;IACD;;IACD,IAAI,CAACH,GAAG,CAACC,QAAJ,CAAaI,cAAb,EAAL,EAAoC;MAClC;MACAF,YAAY,IAAI,wGAAhB;IACD;;IACD,MAAM,IAAIG,oBAAJ,CAAiBH,YAAjB,CAAN;EACD;AACF;;AAEM,eAAeI,2BAAf,CAA2CP,GAA3C,EAAwEQ,mBAAxE,EAAsG;EAC3G;EACAA,mBAAmB,GAAGA,mBAAmB,IAAIR,GAAG,CAACS,OAAJ,CAAYD,mBAAnC,IAA0DE,wCAAhF,CAF2G,CAI3G;;EACA,MAAMC,iBAAiB,GAAG,MAAM,IAAAC,uBAAA,EAAaZ,GAAb,CAAhC;EACA,IAAIa,OAAO,GAAGF,iBAAiB,CAAC,kCAAD,CAAjB,IAAyD,EAAvE;;EACA,IAAIE,OAAO,CAACC,OAAR,CAAgBN,mBAAhB,MAAyC,CAAC,CAA9C,EAAiD;IAC/C,MAAM,IAAIF,oBAAJ,CAAiB,+BAAjB,CAAN;EACD;;EACD,OAAOE,mBAAP;AACD;;AAEM,eAAeO,WAAf,CACLf,GADK,EAELgB,WAFK,EAGiB;EACtB,IAAI;IACFC,YADE;IAEFC,aAFE;IAGFV;EAHE,IAIAQ,WAJJ,CADsB,CAOtB;;EACAE,aAAa,GAAGA,aAAa,IAAIlB,GAAG,CAACS,OAAJ,CAAYS,aAA7C;;EACA,IAAI,CAACA,aAAL,EAAoB;IAClBnB,iBAAiB,CAACC,GAAD,CAAjB;IACAiB,YAAY,GAAGA,YAAY,IAAIE,aAAA,CAAKC,gBAAL,EAA/B;IACAF,aAAa,GAAG,MAAMC,aAAA,CAAKE,gBAAL,CAAsBJ,YAAtB,CAAtB;EACD;;EACDT,mBAAmB,GAAG,MAAMD,2BAA2B,CAACP,GAAD,EAAMQ,mBAAN,CAAvD,CAdsB,CAgBtB;;EACAQ,WAAW,GAAG,EACZ,GAAGA,WADS;IAEZM,YAAY,EAAE,MAFF;IAEU;IACtBL,YAHY;IAIZC,aAJY;IAKZV;EALY,CAAd;EAQA,OAAOQ,WAAP;AACD,C,CAED;;;AACO,eAAeO,kBAAf,CACLvB,GADK,EAELgB,WAAwB,GAAG,EAFtB,EAGiB;EACtB;EACA,MAAMQ,QAAQ,GAAG,IAAAC,yCAAA,EAAsBzB,GAAtB,CAAjB;EACAgB,WAAW,GAAG,EAAE,GAAGQ,QAAL;IAAe,GAAGR;EAAlB,CAAd;;EAEA,IAAIA,WAAW,CAACU,IAAZ,KAAqB,KAAzB,EAAgC;IAC9B;IACA,OAAOV,WAAP;EACD;;EAED,OAAOD,WAAW,CAACf,GAAD,EAAMgB,WAAN,CAAlB;AACD"}
+{"version":3,"file":"prepareTokenParams.js","names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","getWellKnown","methods","indexOf","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","getDefaultTokenParams","pkce"],"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthOAuthInterface, TokenParams } from '../types';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport PKCE from './pkce';\nimport { OktaAuthBaseInterface } from '../../base/types';\n\nexport function assertPKCESupport(sdk: OktaAuthBaseInterface) {\n  if (!sdk.features.isPKCESupported()) {\n    var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n    if (!sdk.features.isHTTPS()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n    }\n    if (!sdk.features.hasTextEncoder()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n    }\n    throw new AuthSdkError(errorMessage);\n  }\n}\n\nexport async function validateCodeChallengeMethod(sdk: OktaAuthOAuthInterface, codeChallengeMethod?: string) {\n  // set default code challenge method, if none provided\n  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || DEFAULT_CODE_CHALLENGE_METHOD;\n\n  // validate against .well-known/openid-configuration\n  const wellKnownResponse = await getWellKnown(sdk);\n  var methods = wellKnownResponse['code_challenge_methods_supported'] || [];\n  if (methods.indexOf(codeChallengeMethod) === -1) {\n    throw new AuthSdkError('Invalid code_challenge_method');\n  }\n  return codeChallengeMethod;\n}\n\nexport async function preparePKCE(\n  sdk: OktaAuthOAuthInterface, \n  tokenParams: TokenParams\n): Promise<TokenParams> {\n  let {\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  } = tokenParams;\n\n  // PKCE calculations can be avoided by passing a codeChallenge\n  codeChallenge = codeChallenge || sdk.options.codeChallenge;\n  if (!codeChallenge) {\n    assertPKCESupport(sdk);\n    codeVerifier = codeVerifier || PKCE.generateVerifier();\n    codeChallenge = await PKCE.computeChallenge(codeVerifier);\n  }\n  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);\n\n  // Clone/copy the params. Set PKCE values\n  tokenParams = {\n    ...tokenParams,\n    responseType: 'code', // responseType is forced\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  };\n\n  return tokenParams;\n}\n\n// Prepares params for a call to /authorize or /token\nexport async function prepareTokenParams(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams = {}\n): Promise<TokenParams> {\n  // build params using defaults + options\n  const defaults = getDefaultTokenParams(sdk);\n  tokenParams = { ...defaults, ...tokenParams };\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return tokenParams;\n  }\n\n  return preparePKCE(sdk, tokenParams);\n}"],"mappings":";;;;;;;AAaA;AACA;AAEA;AACA;AACA;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AASO,SAASA,iBAAiB,CAACC,GAA0B,EAAE;EAC5D,IAAI,CAACA,GAAG,CAACC,QAAQ,CAACC,eAAe,EAAE,EAAE;IACnC,IAAIC,YAAY,GAAG,qFAAqF;IACxG,IAAI,CAACH,GAAG,CAACC,QAAQ,CAACG,OAAO,EAAE,EAAE;MAC3B;MACAD,YAAY,IAAI,kGAAkG;IACpH;IACA,IAAI,CAACH,GAAG,CAACC,QAAQ,CAACI,cAAc,EAAE,EAAE;MAClC;MACAF,YAAY,IAAI,wGAAwG;IAC1H;IACA,MAAM,IAAIG,oBAAY,CAACH,YAAY,CAAC;EACtC;AACF;AAEO,eAAeI,2BAA2B,CAACP,GAA2B,EAAEQ,mBAA4B,EAAE;EAC3G;EACAA,mBAAmB,GAAGA,mBAAmB,IAAIR,GAAG,CAACS,OAAO,CAACD,mBAAmB,IAAIE,wCAA6B;;EAE7G;EACA,MAAMC,iBAAiB,GAAG,MAAM,IAAAC,uBAAY,EAACZ,GAAG,CAAC;EACjD,IAAIa,OAAO,GAAGF,iBAAiB,CAAC,kCAAkC,CAAC,IAAI,EAAE;EACzE,IAAIE,OAAO,CAACC,OAAO,CAACN,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE;IAC/C,MAAM,IAAIF,oBAAY,CAAC,+BAA+B,CAAC;EACzD;EACA,OAAOE,mBAAmB;AAC5B;AAEO,eAAeO,WAAW,CAC/Bf,GAA2B,EAC3BgB,WAAwB,EACF;EACtB,IAAI;IACFC,YAAY;IACZC,aAAa;IACbV;EACF,CAAC,GAAGQ,WAAW;;EAEf;EACAE,aAAa,GAAGA,aAAa,IAAIlB,GAAG,CAACS,OAAO,CAACS,aAAa;EAC1D,IAAI,CAACA,aAAa,EAAE;IAClBnB,iBAAiB,CAACC,GAAG,CAAC;IACtBiB,YAAY,GAAGA,YAAY,IAAIE,aAAI,CAACC,gBAAgB,EAAE;IACtDF,aAAa,GAAG,MAAMC,aAAI,CAACE,gBAAgB,CAACJ,YAAY,CAAC;EAC3D;EACAT,mBAAmB,GAAG,MAAMD,2BAA2B,CAACP,GAAG,EAAEQ,mBAAmB,CAAC;;EAEjF;EACAQ,WAAW,GAAG;IACZ,GAAGA,WAAW;IACdM,YAAY,EAAE,MAAM;IAAE;IACtBL,YAAY;IACZC,aAAa;IACbV;EACF,CAAC;EAED,OAAOQ,WAAW;AACpB;;AAEA;AACO,eAAeO,kBAAkB,CACtCvB,GAA2B,EAC3BgB,WAAwB,GAAG,CAAC,CAAC,EACP;EACtB;EACA,MAAMQ,QAAQ,GAAG,IAAAC,yCAAqB,EAACzB,GAAG,CAAC;EAC3CgB,WAAW,GAAG;IAAE,GAAGQ,QAAQ;IAAE,GAAGR;EAAY,CAAC;EAE7C,IAAIA,WAAW,CAACU,IAAI,KAAK,KAAK,EAAE;IAC9B;IACA,OAAOV,WAAW;EACpB;EAEA,OAAOD,WAAW,CAACf,GAAG,EAAEgB,WAAW,CAAC;AACtC"}

package/cjs/oidc/util/refreshToken.js

@@ -2,30 +2,23 @@
 
 exports.isRefreshTokenError = isRefreshTokenError;
 exports.isSameRefreshToken = isSameRefreshToken;
-
 var _errors = require("../../errors");
-
 function isSameRefreshToken(a, b) {
   return a.refreshToken === b.refreshToken;
 }
-
 function isRefreshTokenError(err) {
   if (!(0, _errors.isAuthApiError)(err)) {
     return false;
   }
-
   if (!err.xhr || !err.xhr.responseJSON) {
     return false;
   }
-
   const {
     responseJSON
   } = err.xhr;
-
   if (responseJSON.error === 'invalid_grant') {
     return true;
   }
-
   return false;
 }
 //# sourceMappingURL=refreshToken.js.map

package/cjs/oidc/util/refreshToken.js.map

@@ -1 +1 @@
-{"version":3,"file":"refreshToken.js","names":["isSameRefreshToken","a","b","refreshToken","isRefreshTokenError","err","isAuthApiError","xhr","responseJSON","error"],"sources":["../../../../lib/oidc/util/refreshToken.ts"],"sourcesContent":["import { RefreshToken } from '../types';\nimport { isAuthApiError } from '../../errors';\n\nexport function isSameRefreshToken(a: RefreshToken, b: RefreshToken) {\n  return (a.refreshToken === b.refreshToken);\n}\n\nexport function isRefreshTokenError(err: Error) {\n  if (!isAuthApiError(err)) {\n    return false;\n  }\n\n  if (!err.xhr || !err.xhr.responseJSON) {\n    return false;\n  }\n\n  const { responseJSON } = err.xhr;\n  if (responseJSON.error === 'invalid_grant') {\n    return true;\n  }\n\n  return false;\n}"],"mappings":";;;;;AACA;;AAEO,SAASA,kBAAT,CAA4BC,CAA5B,EAA6CC,CAA7C,EAA8D;EACnE,OAAQD,CAAC,CAACE,YAAF,KAAmBD,CAAC,CAACC,YAA7B;AACD;;AAEM,SAASC,mBAAT,CAA6BC,GAA7B,EAAyC;EAC9C,IAAI,CAAC,IAAAC,sBAAA,EAAeD,GAAf,CAAL,EAA0B;IACxB,OAAO,KAAP;EACD;;EAED,IAAI,CAACA,GAAG,CAACE,GAAL,IAAY,CAACF,GAAG,CAACE,GAAJ,CAAQC,YAAzB,EAAuC;IACrC,OAAO,KAAP;EACD;;EAED,MAAM;IAAEA;EAAF,IAAmBH,GAAG,CAACE,GAA7B;;EACA,IAAIC,YAAY,CAACC,KAAb,KAAuB,eAA3B,EAA4C;IAC1C,OAAO,IAAP;EACD;;EAED,OAAO,KAAP;AACD"}
+{"version":3,"file":"refreshToken.js","names":["isSameRefreshToken","a","b","refreshToken","isRefreshTokenError","err","isAuthApiError","xhr","responseJSON","error"],"sources":["../../../../lib/oidc/util/refreshToken.ts"],"sourcesContent":["import { RefreshToken } from '../types';\nimport { isAuthApiError } from '../../errors';\n\nexport function isSameRefreshToken(a: RefreshToken, b: RefreshToken) {\n  return (a.refreshToken === b.refreshToken);\n}\n\nexport function isRefreshTokenError(err: Error) {\n  if (!isAuthApiError(err)) {\n    return false;\n  }\n\n  if (!err.xhr || !err.xhr.responseJSON) {\n    return false;\n  }\n\n  const { responseJSON } = err.xhr;\n  if (responseJSON.error === 'invalid_grant') {\n    return true;\n  }\n\n  return false;\n}"],"mappings":";;;;AACA;AAEO,SAASA,kBAAkB,CAACC,CAAe,EAAEC,CAAe,EAAE;EACnE,OAAQD,CAAC,CAACE,YAAY,KAAKD,CAAC,CAACC,YAAY;AAC3C;AAEO,SAASC,mBAAmB,CAACC,GAAU,EAAE;EAC9C,IAAI,CAAC,IAAAC,sBAAc,EAACD,GAAG,CAAC,EAAE;IACxB,OAAO,KAAK;EACd;EAEA,IAAI,CAACA,GAAG,CAACE,GAAG,IAAI,CAACF,GAAG,CAACE,GAAG,CAACC,YAAY,EAAE;IACrC,OAAO,KAAK;EACd;EAEA,MAAM;IAAEA;EAAa,CAAC,GAAGH,GAAG,CAACE,GAAG;EAChC,IAAIC,YAAY,CAACC,KAAK,KAAK,eAAe,EAAE;IAC1C,OAAO,IAAI;EACb;EAEA,OAAO,KAAK;AACd"}

package/cjs/oidc/util/sharedStorage.js

@@ -4,9 +4,7 @@ exports.clearTransactionFromSharedStorage = clearTransactionFromSharedStorage;
 exports.loadTransactionFromSharedStorage = loadTransactionFromSharedStorage;
 exports.pruneSharedStorage = pruneSharedStorage;
 exports.saveTransactionToSharedStorage = saveTransactionToSharedStorage;
-
 var _types = require("../types");
-
 const MAX_ENTRY_LIFETIME = 30 * 60 * 1000; // 30 minutes
 
 function pruneSharedStorage(storageManager) {
@@ -15,14 +13,12 @@ function pruneSharedStorage(storageManager) {
   Object.keys(entries).forEach(state => {
     const entry = entries[state];
     const age = Date.now() - entry.dateCreated;
-
     if (age > MAX_ENTRY_LIFETIME) {
       delete entries[state];
     }
   });
   sharedStorage.setStorage(entries);
 }
-
 function saveTransactionToSharedStorage(storageManager, state, meta) {
   const sharedStorage = storageManager.getSharedTansactionStorage();
   const entries = sharedStorage.getStorage();
@@ -32,19 +28,15 @@ function saveTransactionToSharedStorage(storageManager, state, meta) {
   };
   sharedStorage.setStorage(entries);
 }
-
 function loadTransactionFromSharedStorage(storageManager, state) {
   const sharedStorage = storageManager.getSharedTansactionStorage();
   const entries = sharedStorage.getStorage();
   const entry = entries[state];
-
   if (entry && entry.transaction && (0, _types.isTransactionMeta)(entry.transaction)) {
     return entry.transaction;
   }
-
   return null;
 }
-
 function clearTransactionFromSharedStorage(storageManager, state) {
   const sharedStorage = storageManager.getSharedTansactionStorage();
   const entries = sharedStorage.getStorage();

package/cjs/oidc/util/sharedStorage.js.map

@@ -1 +1 @@
-{"version":3,"file":"sharedStorage.js","names":["MAX_ENTRY_LIFETIME","pruneSharedStorage","storageManager","sharedStorage","getSharedTansactionStorage","entries","getStorage","Object","keys","forEach","state","entry","age","Date","now","dateCreated","setStorage","saveTransactionToSharedStorage","meta","transaction","loadTransactionFromSharedStorage","isTransactionMeta","clearTransactionFromSharedStorage"],"sources":["../../../../lib/oidc/util/sharedStorage.ts"],"sourcesContent":["import { OAuthStorageManagerInterface, OAuthTransactionMeta, isTransactionMeta } from '../types';\n\nconst MAX_ENTRY_LIFETIME = 30 * 60 * 1000; // 30 minutes\n\nexport function pruneSharedStorage<M extends OAuthTransactionMeta>(storageManager: OAuthStorageManagerInterface<M>) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  Object.keys(entries).forEach(state => {\n    const entry = entries[state];\n    const age = Date.now() - entry.dateCreated;\n    if (age > MAX_ENTRY_LIFETIME) {\n      delete entries[state];\n    }\n  });\n  sharedStorage.setStorage(entries);\n}\n\nexport function saveTransactionToSharedStorage<M extends OAuthTransactionMeta>(\n  storageManager: OAuthStorageManagerInterface<M>, state: string, meta: M\n) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  entries[state] = {\n    dateCreated: Date.now(),\n    transaction: meta\n  };\n  sharedStorage.setStorage(entries);\n}\n\n\nexport function loadTransactionFromSharedStorage<M extends OAuthTransactionMeta>(\n  storageManager: OAuthStorageManagerInterface<M>, state: string\n) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  const entry = entries[state];\n  if (entry && entry.transaction && isTransactionMeta(entry.transaction)) {\n    return entry.transaction;\n  }\n  return null;\n}\n\nexport function clearTransactionFromSharedStorage<M extends OAuthTransactionMeta>(\n  storageManager: OAuthStorageManagerInterface<M>, state: string\n) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  delete entries[state];\n  sharedStorage.setStorage(entries);\n}\n"],"mappings":";;;;;;;AAAA;;AAEA,MAAMA,kBAAkB,GAAG,KAAK,EAAL,GAAU,IAArC,C,CAA2C;;AAEpC,SAASC,kBAAT,CAA4DC,cAA5D,EAA6G;EAClH,MAAMC,aAAa,GAAGD,cAAc,CAACE,0BAAf,EAAtB;EACA,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAd,EAAhB;EACAC,MAAM,CAACC,IAAP,CAAYH,OAAZ,EAAqBI,OAArB,CAA6BC,KAAK,IAAI;IACpC,MAAMC,KAAK,GAAGN,OAAO,CAACK,KAAD,CAArB;IACA,MAAME,GAAG,GAAGC,IAAI,CAACC,GAAL,KAAaH,KAAK,CAACI,WAA/B;;IACA,IAAIH,GAAG,GAAGZ,kBAAV,EAA8B;MAC5B,OAAOK,OAAO,CAACK,KAAD,CAAd;IACD;EACF,CAND;EAOAP,aAAa,CAACa,UAAd,CAAyBX,OAAzB;AACD;;AAEM,SAASY,8BAAT,CACLf,cADK,EAC4CQ,KAD5C,EAC2DQ,IAD3D,EAEL;EACA,MAAMf,aAAa,GAAGD,cAAc,CAACE,0BAAf,EAAtB;EACA,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAd,EAAhB;EACAD,OAAO,CAACK,KAAD,CAAP,GAAiB;IACfK,WAAW,EAAEF,IAAI,CAACC,GAAL,EADE;IAEfK,WAAW,EAAED;EAFE,CAAjB;EAIAf,aAAa,CAACa,UAAd,CAAyBX,OAAzB;AACD;;AAGM,SAASe,gCAAT,CACLlB,cADK,EAC4CQ,KAD5C,EAEL;EACA,MAAMP,aAAa,GAAGD,cAAc,CAACE,0BAAf,EAAtB;EACA,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAd,EAAhB;EACA,MAAMK,KAAK,GAAGN,OAAO,CAACK,KAAD,CAArB;;EACA,IAAIC,KAAK,IAAIA,KAAK,CAACQ,WAAf,IAA8B,IAAAE,wBAAA,EAAkBV,KAAK,CAACQ,WAAxB,CAAlC,EAAwE;IACtE,OAAOR,KAAK,CAACQ,WAAb;EACD;;EACD,OAAO,IAAP;AACD;;AAEM,SAASG,iCAAT,CACLpB,cADK,EAC4CQ,KAD5C,EAEL;EACA,MAAMP,aAAa,GAAGD,cAAc,CAACE,0BAAf,EAAtB;EACA,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAd,EAAhB;EACA,OAAOD,OAAO,CAACK,KAAD,CAAd;EACAP,aAAa,CAACa,UAAd,CAAyBX,OAAzB;AACD"}
+{"version":3,"file":"sharedStorage.js","names":["MAX_ENTRY_LIFETIME","pruneSharedStorage","storageManager","sharedStorage","getSharedTansactionStorage","entries","getStorage","Object","keys","forEach","state","entry","age","Date","now","dateCreated","setStorage","saveTransactionToSharedStorage","meta","transaction","loadTransactionFromSharedStorage","isTransactionMeta","clearTransactionFromSharedStorage"],"sources":["../../../../lib/oidc/util/sharedStorage.ts"],"sourcesContent":["import { OAuthStorageManagerInterface, OAuthTransactionMeta, isTransactionMeta } from '../types';\n\nconst MAX_ENTRY_LIFETIME = 30 * 60 * 1000; // 30 minutes\n\nexport function pruneSharedStorage<M extends OAuthTransactionMeta>(storageManager: OAuthStorageManagerInterface<M>) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  Object.keys(entries).forEach(state => {\n    const entry = entries[state];\n    const age = Date.now() - entry.dateCreated;\n    if (age > MAX_ENTRY_LIFETIME) {\n      delete entries[state];\n    }\n  });\n  sharedStorage.setStorage(entries);\n}\n\nexport function saveTransactionToSharedStorage<M extends OAuthTransactionMeta>(\n  storageManager: OAuthStorageManagerInterface<M>, state: string, meta: M\n) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  entries[state] = {\n    dateCreated: Date.now(),\n    transaction: meta\n  };\n  sharedStorage.setStorage(entries);\n}\n\n\nexport function loadTransactionFromSharedStorage<M extends OAuthTransactionMeta>(\n  storageManager: OAuthStorageManagerInterface<M>, state: string\n) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  const entry = entries[state];\n  if (entry && entry.transaction && isTransactionMeta(entry.transaction)) {\n    return entry.transaction;\n  }\n  return null;\n}\n\nexport function clearTransactionFromSharedStorage<M extends OAuthTransactionMeta>(\n  storageManager: OAuthStorageManagerInterface<M>, state: string\n) {\n  const sharedStorage = storageManager.getSharedTansactionStorage();\n  const entries = sharedStorage.getStorage();\n  delete entries[state];\n  sharedStorage.setStorage(entries);\n}\n"],"mappings":";;;;;;AAAA;AAEA,MAAMA,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;;AAEpC,SAASC,kBAAkB,CAAiCC,cAA+C,EAAE;EAClH,MAAMC,aAAa,GAAGD,cAAc,CAACE,0BAA0B,EAAE;EACjE,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAU,EAAE;EAC1CC,MAAM,CAACC,IAAI,CAACH,OAAO,CAAC,CAACI,OAAO,CAACC,KAAK,IAAI;IACpC,MAAMC,KAAK,GAAGN,OAAO,CAACK,KAAK,CAAC;IAC5B,MAAME,GAAG,GAAGC,IAAI,CAACC,GAAG,EAAE,GAAGH,KAAK,CAACI,WAAW;IAC1C,IAAIH,GAAG,GAAGZ,kBAAkB,EAAE;MAC5B,OAAOK,OAAO,CAACK,KAAK,CAAC;IACvB;EACF,CAAC,CAAC;EACFP,aAAa,CAACa,UAAU,CAACX,OAAO,CAAC;AACnC;AAEO,SAASY,8BAA8B,CAC5Cf,cAA+C,EAAEQ,KAAa,EAAEQ,IAAO,EACvE;EACA,MAAMf,aAAa,GAAGD,cAAc,CAACE,0BAA0B,EAAE;EACjE,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAU,EAAE;EAC1CD,OAAO,CAACK,KAAK,CAAC,GAAG;IACfK,WAAW,EAAEF,IAAI,CAACC,GAAG,EAAE;IACvBK,WAAW,EAAED;EACf,CAAC;EACDf,aAAa,CAACa,UAAU,CAACX,OAAO,CAAC;AACnC;AAGO,SAASe,gCAAgC,CAC9ClB,cAA+C,EAAEQ,KAAa,EAC9D;EACA,MAAMP,aAAa,GAAGD,cAAc,CAACE,0BAA0B,EAAE;EACjE,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAU,EAAE;EAC1C,MAAMK,KAAK,GAAGN,OAAO,CAACK,KAAK,CAAC;EAC5B,IAAIC,KAAK,IAAIA,KAAK,CAACQ,WAAW,IAAI,IAAAE,wBAAiB,EAACV,KAAK,CAACQ,WAAW,CAAC,EAAE;IACtE,OAAOR,KAAK,CAACQ,WAAW;EAC1B;EACA,OAAO,IAAI;AACb;AAEO,SAASG,iCAAiC,CAC/CpB,cAA+C,EAAEQ,KAAa,EAC9D;EACA,MAAMP,aAAa,GAAGD,cAAc,CAACE,0BAA0B,EAAE;EACjE,MAAMC,OAAO,GAAGF,aAAa,CAACG,UAAU,EAAE;EAC1C,OAAOD,OAAO,CAACK,KAAK,CAAC;EACrBP,aAAa,CAACa,UAAU,CAACX,OAAO,CAAC;AACnC"}

package/cjs/oidc/util/urlParams.js

@@ -1,7 +1,6 @@
 "use strict";
 
 exports.urlParamsToObject = urlParamsToObject;
-
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
@@ -14,45 +13,43 @@ exports.urlParamsToObject = urlParamsToObject;
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
-
 /* eslint-disable complexity, max-statements */
+
 function urlParamsToObject(hashOrSearch) {
   // Predefine regexs for parsing hash
   var plus2space = /\+/g;
   var paramSplit = /([^&=]+)=?([^&]*)/g;
-  var fragment = hashOrSearch || ''; // Some hash based routers will automatically add a / character after the hash
+  var fragment = hashOrSearch || '';
 
+  // Some hash based routers will automatically add a / character after the hash
   if (fragment.charAt(0) === '#' && fragment.charAt(1) === '/') {
     fragment = fragment.substring(2);
-  } // Remove the leading # or ?
-
+  }
 
+  // Remove the leading # or ?
   if (fragment.charAt(0) === '#' || fragment.charAt(0) === '?') {
     fragment = fragment.substring(1);
   }
+  var obj = {};
 
-  var obj = {}; // Loop until we have no more params
-
+  // Loop until we have no more params
   var param;
-
   while (true) {
     // eslint-disable-line no-constant-condition
     param = paramSplit.exec(fragment);
-
     if (!param) {
       break;
     }
-
     var key = param[1];
-    var value = param[2]; // id_token should remain base64url encoded
+    var value = param[2];
 
+    // id_token should remain base64url encoded
     if (key === 'id_token' || key === 'access_token' || key === 'code') {
       obj[key] = value;
     } else {
       obj[key] = decodeURIComponent(value.replace(plus2space, ' '));
     }
   }
-
   return obj;
 }
 //# sourceMappingURL=urlParams.js.map

package/cjs/oidc/util/urlParams.js.map

@@ -1 +1 @@
-{"version":3,"file":"urlParams.js","names":["urlParamsToObject","hashOrSearch","plus2space","paramSplit","fragment","charAt","substring","obj","param","exec","key","value","decodeURIComponent","replace"],"sources":["../../../../lib/oidc/util/urlParams.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nexport function urlParamsToObject(hashOrSearch: string) {\n  // Predefine regexs for parsing hash\n  var plus2space = /\\+/g;\n  var paramSplit = /([^&=]+)=?([^&]*)/g;\n  var fragment = hashOrSearch || '';\n\n  // Some hash based routers will automatically add a / character after the hash\n  if (fragment.charAt(0) === '#' && fragment.charAt(1) === '/') {\n    fragment = fragment.substring(2);\n  }\n\n  // Remove the leading # or ?\n  if (fragment.charAt(0) === '#' || fragment.charAt(0) === '?') {\n    fragment = fragment.substring(1);\n  }\n\n\n  var obj = {};\n\n  // Loop until we have no more params\n  var param;\n  while (true) { // eslint-disable-line no-constant-condition\n    param = paramSplit.exec(fragment);\n    if (!param) { break; }\n\n    var key = param[1];\n    var value = param[2];\n\n    // id_token should remain base64url encoded\n    if (key === 'id_token' || key === 'access_token' || key === 'code') {\n      obj[key] = value;\n    } else {\n      obj[key] = decodeURIComponent(value.replace(plus2space, ' '));\n    }\n  }\n  return obj;\n}\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAEO,SAASA,iBAAT,CAA2BC,YAA3B,EAAiD;EACtD;EACA,IAAIC,UAAU,GAAG,KAAjB;EACA,IAAIC,UAAU,GAAG,oBAAjB;EACA,IAAIC,QAAQ,GAAGH,YAAY,IAAI,EAA/B,CAJsD,CAMtD;;EACA,IAAIG,QAAQ,CAACC,MAAT,CAAgB,CAAhB,MAAuB,GAAvB,IAA8BD,QAAQ,CAACC,MAAT,CAAgB,CAAhB,MAAuB,GAAzD,EAA8D;IAC5DD,QAAQ,GAAGA,QAAQ,CAACE,SAAT,CAAmB,CAAnB,CAAX;EACD,CATqD,CAWtD;;;EACA,IAAIF,QAAQ,CAACC,MAAT,CAAgB,CAAhB,MAAuB,GAAvB,IAA8BD,QAAQ,CAACC,MAAT,CAAgB,CAAhB,MAAuB,GAAzD,EAA8D;IAC5DD,QAAQ,GAAGA,QAAQ,CAACE,SAAT,CAAmB,CAAnB,CAAX;EACD;;EAGD,IAAIC,GAAG,GAAG,EAAV,CAjBsD,CAmBtD;;EACA,IAAIC,KAAJ;;EACA,OAAO,IAAP,EAAa;IAAE;IACbA,KAAK,GAAGL,UAAU,CAACM,IAAX,CAAgBL,QAAhB,CAAR;;IACA,IAAI,CAACI,KAAL,EAAY;MAAE;IAAQ;;IAEtB,IAAIE,GAAG,GAAGF,KAAK,CAAC,CAAD,CAAf;IACA,IAAIG,KAAK,GAAGH,KAAK,CAAC,CAAD,CAAjB,CALW,CAOX;;IACA,IAAIE,GAAG,KAAK,UAAR,IAAsBA,GAAG,KAAK,cAA9B,IAAgDA,GAAG,KAAK,MAA5D,EAAoE;MAClEH,GAAG,CAACG,GAAD,CAAH,GAAWC,KAAX;IACD,CAFD,MAEO;MACLJ,GAAG,CAACG,GAAD,CAAH,GAAWE,kBAAkB,CAACD,KAAK,CAACE,OAAN,CAAcX,UAAd,EAA0B,GAA1B,CAAD,CAA7B;IACD;EACF;;EACD,OAAOK,GAAP;AACD"}
+{"version":3,"file":"urlParams.js","names":["urlParamsToObject","hashOrSearch","plus2space","paramSplit","fragment","charAt","substring","obj","param","exec","key","value","decodeURIComponent","replace"],"sources":["../../../../lib/oidc/util/urlParams.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nexport function urlParamsToObject(hashOrSearch: string) {\n  // Predefine regexs for parsing hash\n  var plus2space = /\\+/g;\n  var paramSplit = /([^&=]+)=?([^&]*)/g;\n  var fragment = hashOrSearch || '';\n\n  // Some hash based routers will automatically add a / character after the hash\n  if (fragment.charAt(0) === '#' && fragment.charAt(1) === '/') {\n    fragment = fragment.substring(2);\n  }\n\n  // Remove the leading # or ?\n  if (fragment.charAt(0) === '#' || fragment.charAt(0) === '?') {\n    fragment = fragment.substring(1);\n  }\n\n\n  var obj = {};\n\n  // Loop until we have no more params\n  var param;\n  while (true) { // eslint-disable-line no-constant-condition\n    param = paramSplit.exec(fragment);\n    if (!param) { break; }\n\n    var key = param[1];\n    var value = param[2];\n\n    // id_token should remain base64url encoded\n    if (key === 'id_token' || key === 'access_token' || key === 'code') {\n      obj[key] = value;\n    } else {\n      obj[key] = decodeURIComponent(value.replace(plus2space, ' '));\n    }\n  }\n  return obj;\n}\n"],"mappings":";;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEO,SAASA,iBAAiB,CAACC,YAAoB,EAAE;EACtD;EACA,IAAIC,UAAU,GAAG,KAAK;EACtB,IAAIC,UAAU,GAAG,oBAAoB;EACrC,IAAIC,QAAQ,GAAGH,YAAY,IAAI,EAAE;;EAEjC;EACA,IAAIG,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAID,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE;IAC5DD,QAAQ,GAAGA,QAAQ,CAACE,SAAS,CAAC,CAAC,CAAC;EAClC;;EAEA;EACA,IAAIF,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,IAAID,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE;IAC5DD,QAAQ,GAAGA,QAAQ,CAACE,SAAS,CAAC,CAAC,CAAC;EAClC;EAGA,IAAIC,GAAG,GAAG,CAAC,CAAC;;EAEZ;EACA,IAAIC,KAAK;EACT,OAAO,IAAI,EAAE;IAAE;IACbA,KAAK,GAAGL,UAAU,CAACM,IAAI,CAACL,QAAQ,CAAC;IACjC,IAAI,CAACI,KAAK,EAAE;MAAE;IAAO;IAErB,IAAIE,GAAG,GAAGF,KAAK,CAAC,CAAC,CAAC;IAClB,IAAIG,KAAK,GAAGH,KAAK,CAAC,CAAC,CAAC;;IAEpB;IACA,IAAIE,GAAG,KAAK,UAAU,IAAIA,GAAG,KAAK,cAAc,IAAIA,GAAG,KAAK,MAAM,EAAE;MAClEH,GAAG,CAACG,GAAG,CAAC,GAAGC,KAAK;IAClB,CAAC,MAAM;MACLJ,GAAG,CAACG,GAAG,CAAC,GAAGE,kBAAkB,CAACD,KAAK,CAACE,OAAO,CAACX,UAAU,EAAE,GAAG,CAAC,CAAC;IAC/D;EACF;EACA,OAAOK,GAAG;AACZ"}

package/cjs/oidc/util/validateClaims.js

@@ -1,13 +1,9 @@
 "use strict";
 
 var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
-
 exports.validateClaims = validateClaims;
-
 var _AuthSdkError = _interopRequireDefault(require("../../errors/AuthSdkError"));
-
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
-
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
@@ -20,40 +16,36 @@ var _AuthSdkError = _interopRequireDefault(require("../../errors/AuthSdkError"))
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
-
 /* eslint-disable complexity, max-statements */
-function validateClaims(sdk, claims, validationParams) {
-  var aud = validationParams.clientId;
-  var iss = validationParams.issuer;
-  var nonce = validationParams.nonce;
 
+function validateClaims(sdk, claims, validationParams) {
+  const aud = validationParams.clientId;
+  const iss = validationParams.issuer;
+  const nonce = validationParams.nonce;
+  const acr = validationParams.acrValues;
   if (!claims || !iss || !aud) {
     throw new _AuthSdkError.default('The jwt, iss, and aud arguments are all required');
   }
-
   if (nonce && claims.nonce !== nonce) {
     throw new _AuthSdkError.default('OAuth flow response nonce doesn\'t match request nonce');
   }
-
-  var now = Math.floor(Date.now() / 1000);
-
+  const now = Math.floor(Date.now() / 1000);
   if (claims.iss !== iss) {
     throw new _AuthSdkError.default('The issuer [' + claims.iss + '] ' + 'does not match [' + iss + ']');
   }
-
   if (claims.aud !== aud) {
     throw new _AuthSdkError.default('The audience [' + claims.aud + '] ' + 'does not match [' + aud + ']');
   }
-
+  if (acr && claims.acr !== acr) {
+    throw new _AuthSdkError.default('The acr [' + claims.acr + '] ' + 'does not match acr_values [' + acr + ']');
+  }
   if (claims.iat > claims.exp) {
     throw new _AuthSdkError.default('The JWT expired before it was issued');
   }
-
   if (!sdk.options.ignoreLifetime) {
     if (now - sdk.options.maxClockSkew > claims.exp) {
       throw new _AuthSdkError.default('The JWT expired and is no longer valid');
     }
-
     if (claims.iat > now + sdk.options.maxClockSkew) {
       throw new _AuthSdkError.default('The JWT was issued in the future');
     }

package/cjs/oidc/util/validateClaims.js.map

@@ -1 +1 @@
-{"version":3,"file":"validateClaims.js","names":["validateClaims","sdk","claims","validationParams","aud","clientId","iss","issuer","nonce","AuthSdkError","now","Math","floor","Date","iat","exp","options","ignoreLifetime","maxClockSkew"],"sources":["../../../../lib/oidc/util/validateClaims.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nimport AuthSdkError from '../../errors/AuthSdkError';\nimport { OktaAuthOAuthInterface, TokenVerifyParams, UserClaims } from '../../oidc/types';\n\nexport function validateClaims(sdk: OktaAuthOAuthInterface, claims: UserClaims, validationParams: TokenVerifyParams) {\n  var aud = validationParams.clientId;\n  var iss = validationParams.issuer;\n  var nonce = validationParams.nonce;\n\n  if (!claims || !iss || !aud) {\n    throw new AuthSdkError('The jwt, iss, and aud arguments are all required');\n  }\n\n  if (nonce && claims.nonce !== nonce) {\n    throw new AuthSdkError('OAuth flow response nonce doesn\\'t match request nonce');\n  }\n\n  var now = Math.floor(Date.now()/1000);\n\n  if (claims.iss !== iss) {\n    throw new AuthSdkError('The issuer [' + claims.iss + '] ' +\n      'does not match [' + iss + ']');\n  }\n\n  if (claims.aud !== aud) {\n    throw new AuthSdkError('The audience [' + claims.aud + '] ' +\n      'does not match [' + aud + ']');\n  }\n\n  if (claims.iat! > claims.exp!) {\n    throw new AuthSdkError('The JWT expired before it was issued');\n  }\n\n  if (!sdk.options.ignoreLifetime) {\n    if ((now - sdk.options.maxClockSkew!) > claims.exp!) {\n      throw new AuthSdkError('The JWT expired and is no longer valid');\n    }\n\n    if (claims.iat! > (now + sdk.options.maxClockSkew!)) {\n      throw new AuthSdkError('The JWT was issued in the future');\n    }\n  }\n}\n"],"mappings":";;;;;;AAeA;;AAfA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,cAAT,CAAwBC,GAAxB,EAAqDC,MAArD,EAAyEC,gBAAzE,EAA8G;EACnH,IAAIC,GAAG,GAAGD,gBAAgB,CAACE,QAA3B;EACA,IAAIC,GAAG,GAAGH,gBAAgB,CAACI,MAA3B;EACA,IAAIC,KAAK,GAAGL,gBAAgB,CAACK,KAA7B;;EAEA,IAAI,CAACN,MAAD,IAAW,CAACI,GAAZ,IAAmB,CAACF,GAAxB,EAA6B;IAC3B,MAAM,IAAIK,qBAAJ,CAAiB,kDAAjB,CAAN;EACD;;EAED,IAAID,KAAK,IAAIN,MAAM,CAACM,KAAP,KAAiBA,KAA9B,EAAqC;IACnC,MAAM,IAAIC,qBAAJ,CAAiB,wDAAjB,CAAN;EACD;;EAED,IAAIC,GAAG,GAAGC,IAAI,CAACC,KAAL,CAAWC,IAAI,CAACH,GAAL,KAAW,IAAtB,CAAV;;EAEA,IAAIR,MAAM,CAACI,GAAP,KAAeA,GAAnB,EAAwB;IACtB,MAAM,IAAIG,qBAAJ,CAAiB,iBAAiBP,MAAM,CAACI,GAAxB,GAA8B,IAA9B,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;EAED;;EAED,IAAIJ,MAAM,CAACE,GAAP,KAAeA,GAAnB,EAAwB;IACtB,MAAM,IAAIK,qBAAJ,CAAiB,mBAAmBP,MAAM,CAACE,GAA1B,GAAgC,IAAhC,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;EAED;;EAED,IAAIF,MAAM,CAACY,GAAP,GAAcZ,MAAM,CAACa,GAAzB,EAA+B;IAC7B,MAAM,IAAIN,qBAAJ,CAAiB,sCAAjB,CAAN;EACD;;EAED,IAAI,CAACR,GAAG,CAACe,OAAJ,CAAYC,cAAjB,EAAiC;IAC/B,IAAKP,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAAnB,GAAoChB,MAAM,CAACa,GAA/C,EAAqD;MACnD,MAAM,IAAIN,qBAAJ,CAAiB,wCAAjB,CAAN;IACD;;IAED,IAAIP,MAAM,CAACY,GAAP,GAAeJ,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAArC,EAAqD;MACnD,MAAM,IAAIT,qBAAJ,CAAiB,kCAAjB,CAAN;IACD;EACF;AACF"}
+{"version":3,"file":"validateClaims.js","names":["validateClaims","sdk","claims","validationParams","aud","clientId","iss","issuer","nonce","acr","acrValues","AuthSdkError","now","Math","floor","Date","iat","exp","options","ignoreLifetime","maxClockSkew"],"sources":["../../../../lib/oidc/util/validateClaims.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nimport AuthSdkError from '../../errors/AuthSdkError';\nimport { OktaAuthOAuthInterface, TokenVerifyParams, UserClaims } from '../../oidc/types';\n\nexport function validateClaims(sdk: OktaAuthOAuthInterface, claims: UserClaims, validationParams: TokenVerifyParams) {\n  const aud = validationParams.clientId;\n  const iss = validationParams.issuer;\n  const nonce = validationParams.nonce;\n  const acr = validationParams.acrValues;\n\n  if (!claims || !iss || !aud) {\n    throw new AuthSdkError('The jwt, iss, and aud arguments are all required');\n  }\n\n  if (nonce && claims.nonce !== nonce) {\n    throw new AuthSdkError('OAuth flow response nonce doesn\\'t match request nonce');\n  }\n\n  const now = Math.floor(Date.now()/1000);\n\n  if (claims.iss !== iss) {\n    throw new AuthSdkError('The issuer [' + claims.iss + '] ' +\n      'does not match [' + iss + ']');\n  }\n\n  if (claims.aud !== aud) {\n    throw new AuthSdkError('The audience [' + claims.aud + '] ' +\n      'does not match [' + aud + ']');\n  }\n\n  if (acr && claims.acr !== acr) {\n    throw new AuthSdkError('The acr [' + claims.acr + '] ' +\n      'does not match acr_values [' + acr + ']');\n  }\n\n  if (claims.iat! > claims.exp!) {\n    throw new AuthSdkError('The JWT expired before it was issued');\n  }\n\n  if (!sdk.options.ignoreLifetime) {\n    if ((now - sdk.options.maxClockSkew!) > claims.exp!) {\n      throw new AuthSdkError('The JWT expired and is no longer valid');\n    }\n\n    if (claims.iat! > (now + sdk.options.maxClockSkew!)) {\n      throw new AuthSdkError('The JWT was issued in the future');\n    }\n  }\n}\n"],"mappings":";;;;AAeA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKO,SAASA,cAAc,CAACC,GAA2B,EAAEC,MAAkB,EAAEC,gBAAmC,EAAE;EACnH,MAAMC,GAAG,GAAGD,gBAAgB,CAACE,QAAQ;EACrC,MAAMC,GAAG,GAAGH,gBAAgB,CAACI,MAAM;EACnC,MAAMC,KAAK,GAAGL,gBAAgB,CAACK,KAAK;EACpC,MAAMC,GAAG,GAAGN,gBAAgB,CAACO,SAAS;EAEtC,IAAI,CAACR,MAAM,IAAI,CAACI,GAAG,IAAI,CAACF,GAAG,EAAE;IAC3B,MAAM,IAAIO,qBAAY,CAAC,kDAAkD,CAAC;EAC5E;EAEA,IAAIH,KAAK,IAAIN,MAAM,CAACM,KAAK,KAAKA,KAAK,EAAE;IACnC,MAAM,IAAIG,qBAAY,CAAC,wDAAwD,CAAC;EAClF;EAEA,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIV,MAAM,CAACI,GAAG,KAAKA,GAAG,EAAE;IACtB,MAAM,IAAIK,qBAAY,CAAC,cAAc,GAAGT,MAAM,CAACI,GAAG,GAAG,IAAI,GACvD,kBAAkB,GAAGA,GAAG,GAAG,GAAG,CAAC;EACnC;EAEA,IAAIJ,MAAM,CAACE,GAAG,KAAKA,GAAG,EAAE;IACtB,MAAM,IAAIO,qBAAY,CAAC,gBAAgB,GAAGT,MAAM,CAACE,GAAG,GAAG,IAAI,GACzD,kBAAkB,GAAGA,GAAG,GAAG,GAAG,CAAC;EACnC;EAEA,IAAIK,GAAG,IAAIP,MAAM,CAACO,GAAG,KAAKA,GAAG,EAAE;IAC7B,MAAM,IAAIE,qBAAY,CAAC,WAAW,GAAGT,MAAM,CAACO,GAAG,GAAG,IAAI,GACpD,6BAA6B,GAAGA,GAAG,GAAG,GAAG,CAAC;EAC9C;EAEA,IAAIP,MAAM,CAACc,GAAG,GAAId,MAAM,CAACe,GAAI,EAAE;IAC7B,MAAM,IAAIN,qBAAY,CAAC,sCAAsC,CAAC;EAChE;EAEA,IAAI,CAACV,GAAG,CAACiB,OAAO,CAACC,cAAc,EAAE;IAC/B,IAAKP,GAAG,GAAGX,GAAG,CAACiB,OAAO,CAACE,YAAa,GAAIlB,MAAM,CAACe,GAAI,EAAE;MACnD,MAAM,IAAIN,qBAAY,CAAC,wCAAwC,CAAC;IAClE;IAEA,IAAIT,MAAM,CAACc,GAAG,GAAKJ,GAAG,GAAGX,GAAG,CAACiB,OAAO,CAACE,YAAc,EAAE;MACnD,MAAM,IAAIT,qBAAY,CAAC,kCAAkC,CAAC;IAC5D;EACF;AACF"}

package/cjs/oidc/util/validateToken.js

@@ -1,25 +1,20 @@
 "use strict";
 
 exports.validateToken = validateToken;
-
 var _errors = require("../../errors");
-
 var _types = require("../../oidc/types");
-
 /* eslint-disable complexity */
+
 function validateToken(token, type) {
   if (!(0, _types.isIDToken)(token) && !(0, _types.isAccessToken)(token) && !(0, _types.isRefreshToken)(token)) {
     throw new _errors.AuthSdkError('Token must be an Object with scopes, expiresAt, and one of: an idToken, accessToken, or refreshToken property');
   }
-
   if (type === 'accessToken' && !(0, _types.isAccessToken)(token)) {
     throw new _errors.AuthSdkError('invalid accessToken');
   }
-
   if (type === 'idToken' && !(0, _types.isIDToken)(token)) {
     throw new _errors.AuthSdkError('invalid idToken');
   }
-
   if (type === 'refreshToken' && !(0, _types.isRefreshToken)(token)) {
     throw new _errors.AuthSdkError('invalid refreshToken');
   }

package/cjs/oidc/util/validateToken.js.map

@@ -1 +1 @@
-{"version":3,"file":"validateToken.js","names":["validateToken","token","type","isIDToken","isAccessToken","isRefreshToken","AuthSdkError"],"sources":["../../../../lib/oidc/util/validateToken.ts"],"sourcesContent":["/* eslint-disable complexity */\n\nimport { AuthSdkError } from '../../errors';\nimport { isAccessToken, isIDToken, isRefreshToken, Token, TokenType } from '../../oidc/types';\n\nexport function validateToken(token: Token, type?: TokenType) {\n  if (!isIDToken(token) && !isAccessToken(token) && !isRefreshToken(token)) {\n    throw new AuthSdkError(\n      'Token must be an Object with scopes, expiresAt, and one of: an idToken, accessToken, or refreshToken property'\n    );\n  }\n  \n  if (type === 'accessToken' && !isAccessToken(token)) {\n    throw new AuthSdkError('invalid accessToken');\n  } \n  if (type === 'idToken' && !isIDToken(token)) {\n    throw new AuthSdkError('invalid idToken');\n  }\n\n  if (type === 'refreshToken' && !isRefreshToken(token)) {\n    throw new AuthSdkError('invalid refreshToken');\n  }\n}"],"mappings":";;;;AAEA;;AACA;;AAHA;AAKO,SAASA,aAAT,CAAuBC,KAAvB,EAAqCC,IAArC,EAAuD;EAC5D,IAAI,CAAC,IAAAC,gBAAA,EAAUF,KAAV,CAAD,IAAqB,CAAC,IAAAG,oBAAA,EAAcH,KAAd,CAAtB,IAA8C,CAAC,IAAAI,qBAAA,EAAeJ,KAAf,CAAnD,EAA0E;IACxE,MAAM,IAAIK,oBAAJ,CACJ,+GADI,CAAN;EAGD;;EAED,IAAIJ,IAAI,KAAK,aAAT,IAA0B,CAAC,IAAAE,oBAAA,EAAcH,KAAd,CAA/B,EAAqD;IACnD,MAAM,IAAIK,oBAAJ,CAAiB,qBAAjB,CAAN;EACD;;EACD,IAAIJ,IAAI,KAAK,SAAT,IAAsB,CAAC,IAAAC,gBAAA,EAAUF,KAAV,CAA3B,EAA6C;IAC3C,MAAM,IAAIK,oBAAJ,CAAiB,iBAAjB,CAAN;EACD;;EAED,IAAIJ,IAAI,KAAK,cAAT,IAA2B,CAAC,IAAAG,qBAAA,EAAeJ,KAAf,CAAhC,EAAuD;IACrD,MAAM,IAAIK,oBAAJ,CAAiB,sBAAjB,CAAN;EACD;AACF"}
+{"version":3,"file":"validateToken.js","names":["validateToken","token","type","isIDToken","isAccessToken","isRefreshToken","AuthSdkError"],"sources":["../../../../lib/oidc/util/validateToken.ts"],"sourcesContent":["/* eslint-disable complexity */\n\nimport { AuthSdkError } from '../../errors';\nimport { isAccessToken, isIDToken, isRefreshToken, Token, TokenType } from '../../oidc/types';\n\nexport function validateToken(token: Token, type?: TokenType) {\n  if (!isIDToken(token) && !isAccessToken(token) && !isRefreshToken(token)) {\n    throw new AuthSdkError(\n      'Token must be an Object with scopes, expiresAt, and one of: an idToken, accessToken, or refreshToken property'\n    );\n  }\n  \n  if (type === 'accessToken' && !isAccessToken(token)) {\n    throw new AuthSdkError('invalid accessToken');\n  } \n  if (type === 'idToken' && !isIDToken(token)) {\n    throw new AuthSdkError('invalid idToken');\n  }\n\n  if (type === 'refreshToken' && !isRefreshToken(token)) {\n    throw new AuthSdkError('invalid refreshToken');\n  }\n}"],"mappings":";;;AAEA;AACA;AAHA;;AAKO,SAASA,aAAa,CAACC,KAAY,EAAEC,IAAgB,EAAE;EAC5D,IAAI,CAAC,IAAAC,gBAAS,EAACF,KAAK,CAAC,IAAI,CAAC,IAAAG,oBAAa,EAACH,KAAK,CAAC,IAAI,CAAC,IAAAI,qBAAc,EAACJ,KAAK,CAAC,EAAE;IACxE,MAAM,IAAIK,oBAAY,CACpB,+GAA+G,CAChH;EACH;EAEA,IAAIJ,IAAI,KAAK,aAAa,IAAI,CAAC,IAAAE,oBAAa,EAACH,KAAK,CAAC,EAAE;IACnD,MAAM,IAAIK,oBAAY,CAAC,qBAAqB,CAAC;EAC/C;EACA,IAAIJ,IAAI,KAAK,SAAS,IAAI,CAAC,IAAAC,gBAAS,EAACF,KAAK,CAAC,EAAE;IAC3C,MAAM,IAAIK,oBAAY,CAAC,iBAAiB,CAAC;EAC3C;EAEA,IAAIJ,IAAI,KAAK,cAAc,IAAI,CAAC,IAAAG,qBAAc,EAACJ,KAAK,CAAC,EAAE;IACrD,MAAM,IAAIK,oBAAY,CAAC,sBAAsB,CAAC;EAChD;AACF"}

package/cjs/oidc/verifyToken.js

@@ -1,25 +1,15 @@
 "use strict";
 
 exports.verifyToken = verifyToken;
-
 var _wellKnown = require("./endpoints/well-known");
-
 var _util = require("./util");
-
 var _errors = require("../errors");
-
 var _decodeToken = require("./decodeToken");
-
 var sdkCrypto = _interopRequireWildcard(require("../crypto"));
-
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
-
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
-
 /* eslint-disable max-len */
-
 /* eslint-disable complexity */
-
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
@@ -32,52 +22,52 @@ function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj &&
  * See the License for the specific language governing permissions and limitations under the License.
  *
  */
+
 // Verify the id token
 async function verifyToken(sdk, token, validationParams) {
   if (!token || !token.idToken) {
     throw new _errors.AuthSdkError('Only idTokens may be verified');
-  } // Decode the Jwt object (may throw)
+  }
 
+  // Decode the Jwt object (may throw)
+  const jwt = (0, _decodeToken.decodeToken)(token.idToken);
 
-  var jwt = (0, _decodeToken.decodeToken)(token.idToken); // The configured issuer may point to a frontend proxy.
+  // The configured issuer may point to a frontend proxy.
   // Get the "real" issuer from .well-known/openid-configuration
-
   const configuredIssuer = (validationParams === null || validationParams === void 0 ? void 0 : validationParams.issuer) || sdk.options.issuer;
   const {
     issuer
   } = await (0, _wellKnown.getWellKnown)(sdk, configuredIssuer);
-  var validationOptions = Object.assign({
+  const validationOptions = Object.assign({
     // base options, can be overridden by params
     clientId: sdk.options.clientId,
     ignoreSignature: sdk.options.ignoreSignature
   }, validationParams, {
     // final options, cannot be overridden
     issuer
-  }); // Standard claim validation (may throw)
+  });
 
-  (0, _util.validateClaims)(sdk, jwt.payload, validationOptions); // If the browser doesn't support native crypto or we choose not
-  // to verify the signature, bail early
+  // Standard claim validation (may throw)
+  (0, _util.validateClaims)(sdk, jwt.payload, validationOptions);
 
+  // If the browser doesn't support native crypto or we choose not
+  // to verify the signature, bail early
   if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {
     return token;
-  } // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-
+  }
 
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
   const key = await (0, _wellKnown.getKey)(sdk, token.issuer, jwt.header.kid);
   const valid = await sdkCrypto.verifyToken(token.idToken, key);
-
   if (!valid) {
     throw new _errors.AuthSdkError('The token signature is not valid');
   }
-
   if (validationParams && validationParams.accessToken && token.claims.at_hash) {
     const hash = await sdkCrypto.getOidcHash(validationParams.accessToken);
-
     if (hash !== token.claims.at_hash) {
       throw new _errors.AuthSdkError('Token hash verification failed');
     }
   }
-
   return token;
 }
 //# sourceMappingURL=verifyToken.js.map

package/cjs/oidc/verifyToken.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifyToken.js","names":["verifyToken","sdk","token","validationParams","idToken","AuthSdkError","jwt","decodeToken","configuredIssuer","issuer","options","getWellKnown","validationOptions","Object","assign","clientId","ignoreSignature","validateClaims","payload","features","isTokenVerifySupported","key","getKey","header","kid","valid","sdkCrypto","accessToken","claims","at_hash","hash","getOidcHash"],"sources":["../../../lib/oidc/verifyToken.ts"],"sourcesContent":["/* eslint-disable max-len */\n/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown, getKey } from './endpoints/well-known';\nimport { validateClaims } from './util';\nimport { AuthSdkError } from '../errors';\nimport { IDToken, OktaAuthOAuthInterface, TokenVerifyParams } from '../oidc/types';\nimport { decodeToken } from './decodeToken';\nimport * as sdkCrypto from '../crypto';\n\n// Verify the id token\nexport async function verifyToken(sdk: OktaAuthOAuthInterface, token: IDToken, validationParams: TokenVerifyParams): Promise<IDToken> {\n  if (!token || !token.idToken) {\n    throw new AuthSdkError('Only idTokens may be verified');\n  }\n\n  // Decode the Jwt object (may throw)\n  var jwt = decodeToken(token.idToken);\n\n  // The configured issuer may point to a frontend proxy.\n  // Get the \"real\" issuer from .well-known/openid-configuration\n  const configuredIssuer = validationParams?.issuer || sdk.options.issuer;\n  const { issuer } = await getWellKnown(sdk, configuredIssuer);\n\n  var validationOptions: TokenVerifyParams = Object.assign({\n    // base options, can be overridden by params\n    clientId: sdk.options.clientId,\n    ignoreSignature: sdk.options.ignoreSignature\n  }, validationParams, {\n    // final options, cannot be overridden\n    issuer\n  });\n\n  // Standard claim validation (may throw)\n  validateClaims(sdk, jwt.payload, validationOptions);\n\n  // If the browser doesn't support native crypto or we choose not\n  // to verify the signature, bail early\n  if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {\n    return token;\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  const key = await getKey(sdk, token.issuer, jwt.header.kid!);\n  const valid = await sdkCrypto.verifyToken(token.idToken, key);\n  if (!valid) {\n    throw new AuthSdkError('The token signature is not valid');\n  }\n  if (validationParams && validationParams.accessToken && token.claims.at_hash) {\n    const hash = await sdkCrypto.getOidcHash(validationParams.accessToken);\n    if (hash !== token.claims.at_hash) {\n      throw new AuthSdkError('Token hash verification failed');\n    }\n  }\n  return token;\n}\n"],"mappings":";;;;AAcA;;AACA;;AACA;;AAEA;;AACA;;;;;;AAnBA;;AACA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,EAAwDC,KAAxD,EAAwEC,gBAAxE,EAA+H;EACpI,IAAI,CAACD,KAAD,IAAU,CAACA,KAAK,CAACE,OAArB,EAA8B;IAC5B,MAAM,IAAIC,oBAAJ,CAAiB,+BAAjB,CAAN;EACD,CAHmI,CAKpI;;;EACA,IAAIC,GAAG,GAAG,IAAAC,wBAAA,EAAYL,KAAK,CAACE,OAAlB,CAAV,CANoI,CAQpI;EACA;;EACA,MAAMI,gBAAgB,GAAG,CAAAL,gBAAgB,SAAhB,IAAAA,gBAAgB,WAAhB,YAAAA,gBAAgB,CAAEM,MAAlB,KAA4BR,GAAG,CAACS,OAAJ,CAAYD,MAAjE;EACA,MAAM;IAAEA;EAAF,IAAa,MAAM,IAAAE,uBAAA,EAAaV,GAAb,EAAkBO,gBAAlB,CAAzB;EAEA,IAAII,iBAAoC,GAAGC,MAAM,CAACC,MAAP,CAAc;IACvD;IACAC,QAAQ,EAAEd,GAAG,CAACS,OAAJ,CAAYK,QAFiC;IAGvDC,eAAe,EAAEf,GAAG,CAACS,OAAJ,CAAYM;EAH0B,CAAd,EAIxCb,gBAJwC,EAItB;IACnB;IACAM;EAFmB,CAJsB,CAA3C,CAboI,CAsBpI;;EACA,IAAAQ,oBAAA,EAAehB,GAAf,EAAoBK,GAAG,CAACY,OAAxB,EAAiCN,iBAAjC,EAvBoI,CAyBpI;EACA;;EACA,IAAIA,iBAAiB,CAACI,eAAlB,IAAqC,IAArC,IAA6C,CAACf,GAAG,CAACkB,QAAJ,CAAaC,sBAAb,EAAlD,EAAyF;IACvF,OAAOlB,KAAP;EACD,CA7BmI,CA+BpI;;;EACA,MAAMmB,GAAG,GAAG,MAAM,IAAAC,iBAAA,EAAOrB,GAAP,EAAYC,KAAK,CAACO,MAAlB,EAA0BH,GAAG,CAACiB,MAAJ,CAAWC,GAArC,CAAlB;EACA,MAAMC,KAAK,GAAG,MAAMC,SAAS,CAAC1B,WAAV,CAAsBE,KAAK,CAACE,OAA5B,EAAqCiB,GAArC,CAApB;;EACA,IAAI,CAACI,KAAL,EAAY;IACV,MAAM,IAAIpB,oBAAJ,CAAiB,kCAAjB,CAAN;EACD;;EACD,IAAIF,gBAAgB,IAAIA,gBAAgB,CAACwB,WAArC,IAAoDzB,KAAK,CAAC0B,MAAN,CAAaC,OAArE,EAA8E;IAC5E,MAAMC,IAAI,GAAG,MAAMJ,SAAS,CAACK,WAAV,CAAsB5B,gBAAgB,CAACwB,WAAvC,CAAnB;;IACA,IAAIG,IAAI,KAAK5B,KAAK,CAAC0B,MAAN,CAAaC,OAA1B,EAAmC;MACjC,MAAM,IAAIxB,oBAAJ,CAAiB,gCAAjB,CAAN;IACD;EACF;;EACD,OAAOH,KAAP;AACD"}
+{"version":3,"file":"verifyToken.js","names":["verifyToken","sdk","token","validationParams","idToken","AuthSdkError","jwt","decodeToken","configuredIssuer","issuer","options","getWellKnown","validationOptions","Object","assign","clientId","ignoreSignature","validateClaims","payload","features","isTokenVerifySupported","key","getKey","header","kid","valid","sdkCrypto","accessToken","claims","at_hash","hash","getOidcHash"],"sources":["../../../lib/oidc/verifyToken.ts"],"sourcesContent":["/* eslint-disable max-len */\n/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown, getKey } from './endpoints/well-known';\nimport { validateClaims } from './util';\nimport { AuthSdkError } from '../errors';\nimport { IDToken, OktaAuthOAuthInterface, TokenVerifyParams } from '../oidc/types';\nimport { decodeToken } from './decodeToken';\nimport * as sdkCrypto from '../crypto';\n\n// Verify the id token\nexport async function verifyToken(sdk: OktaAuthOAuthInterface, token: IDToken, validationParams: TokenVerifyParams): Promise<IDToken> {\n  if (!token || !token.idToken) {\n    throw new AuthSdkError('Only idTokens may be verified');\n  }\n\n  // Decode the Jwt object (may throw)\n  const jwt = decodeToken(token.idToken);\n\n  // The configured issuer may point to a frontend proxy.\n  // Get the \"real\" issuer from .well-known/openid-configuration\n  const configuredIssuer = validationParams?.issuer || sdk.options.issuer;\n  const { issuer } = await getWellKnown(sdk, configuredIssuer);\n\n  const validationOptions: TokenVerifyParams = Object.assign({\n    // base options, can be overridden by params\n    clientId: sdk.options.clientId,\n    ignoreSignature: sdk.options.ignoreSignature\n  }, validationParams, {\n    // final options, cannot be overridden\n    issuer\n  });\n\n  // Standard claim validation (may throw)\n  validateClaims(sdk, jwt.payload, validationOptions);\n\n  // If the browser doesn't support native crypto or we choose not\n  // to verify the signature, bail early\n  if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {\n    return token;\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  const key = await getKey(sdk, token.issuer, jwt.header.kid!);\n  const valid = await sdkCrypto.verifyToken(token.idToken, key);\n  if (!valid) {\n    throw new AuthSdkError('The token signature is not valid');\n  }\n  if (validationParams && validationParams.accessToken && token.claims.at_hash) {\n    const hash = await sdkCrypto.getOidcHash(validationParams.accessToken);\n    if (hash !== token.claims.at_hash) {\n      throw new AuthSdkError('Token hash verification failed');\n    }\n  }\n  return token;\n}\n"],"mappings":";;;AAcA;AACA;AACA;AAEA;AACA;AAAuC;AAAA;AAnBvC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA;AACO,eAAeA,WAAW,CAACC,GAA2B,EAAEC,KAAc,EAAEC,gBAAmC,EAAoB;EACpI,IAAI,CAACD,KAAK,IAAI,CAACA,KAAK,CAACE,OAAO,EAAE;IAC5B,MAAM,IAAIC,oBAAY,CAAC,+BAA+B,CAAC;EACzD;;EAEA;EACA,MAAMC,GAAG,GAAG,IAAAC,wBAAW,EAACL,KAAK,CAACE,OAAO,CAAC;;EAEtC;EACA;EACA,MAAMI,gBAAgB,GAAG,CAAAL,gBAAgB,aAAhBA,gBAAgB,uBAAhBA,gBAAgB,CAAEM,MAAM,KAAIR,GAAG,CAACS,OAAO,CAACD,MAAM;EACvE,MAAM;IAAEA;EAAO,CAAC,GAAG,MAAM,IAAAE,uBAAY,EAACV,GAAG,EAAEO,gBAAgB,CAAC;EAE5D,MAAMI,iBAAoC,GAAGC,MAAM,CAACC,MAAM,CAAC;IACzD;IACAC,QAAQ,EAAEd,GAAG,CAACS,OAAO,CAACK,QAAQ;IAC9BC,eAAe,EAAEf,GAAG,CAACS,OAAO,CAACM;EAC/B,CAAC,EAAEb,gBAAgB,EAAE;IACnB;IACAM;EACF,CAAC,CAAC;;EAEF;EACA,IAAAQ,oBAAc,EAAChB,GAAG,EAAEK,GAAG,CAACY,OAAO,EAAEN,iBAAiB,CAAC;;EAEnD;EACA;EACA,IAAIA,iBAAiB,CAACI,eAAe,IAAI,IAAI,IAAI,CAACf,GAAG,CAACkB,QAAQ,CAACC,sBAAsB,EAAE,EAAE;IACvF,OAAOlB,KAAK;EACd;;EAEA;EACA,MAAMmB,GAAG,GAAG,MAAM,IAAAC,iBAAM,EAACrB,GAAG,EAAEC,KAAK,CAACO,MAAM,EAAEH,GAAG,CAACiB,MAAM,CAACC,GAAG,CAAE;EAC5D,MAAMC,KAAK,GAAG,MAAMC,SAAS,CAAC1B,WAAW,CAACE,KAAK,CAACE,OAAO,EAAEiB,GAAG,CAAC;EAC7D,IAAI,CAACI,KAAK,EAAE;IACV,MAAM,IAAIpB,oBAAY,CAAC,kCAAkC,CAAC;EAC5D;EACA,IAAIF,gBAAgB,IAAIA,gBAAgB,CAACwB,WAAW,IAAIzB,KAAK,CAAC0B,MAAM,CAACC,OAAO,EAAE;IAC5E,MAAMC,IAAI,GAAG,MAAMJ,SAAS,CAACK,WAAW,CAAC5B,gBAAgB,CAACwB,WAAW,CAAC;IACtE,IAAIG,IAAI,KAAK5B,KAAK,CAAC0B,MAAM,CAACC,OAAO,EAAE;MACjC,MAAM,IAAIxB,oBAAY,CAAC,gCAAgC,CAAC;IAC1D;EACF;EACA,OAAOH,KAAK;AACd"}