@openstax/ts-utils 1.21.11 → 1.23.0

package/dist/cjs/services/authProvider/browser.d.ts

@@ -0,0 +1,74 @@
+import { ConfigProviderForConfig } from '../../config';
+import { FetchConfig, GenericFetch } from '../../fetch';
+import { User } from '.';
+declare type Config = {
+    accountsBase: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+    window: Window;
+}
+export declare type EventHandler = (e: {
+    data: any;
+    origin: string;
+    source: Pick<Window, 'postMessage'>;
+}) => void;
+export interface Window {
+    fetch: GenericFetch;
+    parent: Pick<Window, 'postMessage'>;
+    location: {
+        search: string;
+    };
+    document: {
+        referrer: string;
+    };
+    postMessage: (data: any, origin: string) => void;
+    addEventListener: (event: 'message', callback: EventHandler) => void;
+    removeEventListener: (event: 'message', callback: EventHandler) => void;
+}
+export declare type UpdatableUserFields = Partial<Pick<User, 'consent_preferences' | 'first_name' | 'last_name'>>;
+export declare const browserAuthProvider: <C extends string = "auth">({ window, configSpace }: Initializer<C>) => (configProvider: { [key in C]: {
+    accountsBase: import("../../config").ConfigValueProvider<string>;
+}; }) => {
+    /**
+     * gets the authentication token
+     */
+    getAuthToken: () => Promise<string | null>;
+    /**
+     * adds auth parameters to the url. this is only safe to use when using javascript to navigate
+     * within the current window, eg `window.location = 'https://my.otherservice.com';` anchors
+     * should use getAuthorizedLinkUrl for their href.
+     *
+     * result unreliable unless `getUser` is resolved first.
+     */
+    getAuthorizedUrl: (urlString: string) => string;
+    /**
+     * all link href-s must be rendered with auth tokens so that they work when opened in a new tab
+     *
+     * result unreliable unless `getUser` is resolved first.
+     */
+    getAuthorizedLinkUrl: (urlString: string) => string;
+    /**
+     * gets an authorized url for an iframe src. sets params on the url and saves its
+     * origin to trust releasing user identity to it
+     */
+    getAuthorizedEmbedUrl: (urlString: string, extraParams?: {
+        [key: string]: string;
+    } | undefined) => string;
+    /**
+     * gets second argument for `fetch` that has authentication token or cookie
+     */
+    getAuthorizedFetchConfig: () => Promise<FetchConfig>;
+    /**
+     * loads current user identity. does not reflect changes in identity after being called the first time.
+     */
+    getUser: () => Promise<User | undefined>;
+    /**
+     * updates user settings, for example the cookie consent preferences
+     */
+    updateUser: (updates: UpdatableUserFields) => Promise<{
+        user: User;
+        token: string | null;
+    }>;
+};
+export {};

package/dist/cjs/services/authProvider/browser.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.browserAuthProvider = void 0;
+const __1 = require("../..");
+const config_1 = require("../../config");
+const guards_1 = require("../../guards");
+const routing_1 = require("../../routing");
+const embeddedAuthProvider_1 = require("./utils/embeddedAuthProvider");
+const isUserData = (0, routing_1.unsafePayloadValidator)();
+const browserAuthProvider = ({ window, configSpace }) => (configProvider) => {
+    const config = configProvider[(0, guards_1.ifDefined)(configSpace, 'auth')];
+    const accountsBase = (0, __1.once)(() => (0, config_1.resolveConfigValue)(config.accountsBase));
+    const queryString = window.location.search;
+    const queryKey = 'auth';
+    const urlSearchParams = new URLSearchParams(queryString);
+    const authQuery = urlSearchParams.get(queryKey);
+    const referrer = window.document.referrer ? new URL(window.document.referrer) : undefined;
+    const isEmbedded = window.parent !== window;
+    const trustedParent = isEmbedded && referrer && referrer.hostname.match(/^(openstax\.org|((.*)(\.openstax\.org|local|localhost)))$/) ? referrer : undefined;
+    const { embeddedQueryKey, embeddedQueryValue, getAuthorizedEmbedUrl } = (0, embeddedAuthProvider_1.embeddedAuthProvider)(() => getUserData(), { authQuery: { key: queryKey, value: authQuery }, window });
+    const embeddedQuery = urlSearchParams.get(embeddedQueryKey);
+    let userData = { token: authQuery };
+    const getAuthToken = async () => {
+        return (await getUserData()).token;
+    };
+    const getAuthorizedLinkUrl = (urlString) => {
+        const url = new URL(urlString);
+        if (userData.token) {
+            url.searchParams.set(queryKey, userData.token);
+        }
+        return url.href;
+    };
+    const getAuthorizedUrl = (urlString) => {
+        const url = new URL(urlString);
+        if (authQuery) {
+            url.searchParams.set(queryKey, authQuery);
+        }
+        else if (embeddedQuery) {
+            url.searchParams.set(queryKey, 'embedded');
+        }
+        if (embeddedQuery) {
+            url.searchParams.set(embeddedQueryKey, embeddedQuery);
+        }
+        return url.href;
+    };
+    // *note* that this does not actually prevent cookies from being sent on same-origin
+    // requests, i'm not sure if its possible to stop browsers from sending cookies in
+    // that case
+    const getAuthorizedFetchConfigFromData = (data) => {
+        const { token } = data;
+        return token ? {
+            headers: { Authorization: `Bearer ${token}` },
+        } : {
+            credentials: 'include',
+        };
+    };
+    const getAuthorizedFetchConfig = async () => {
+        return getAuthorizedFetchConfigFromData(userData.token ? userData : await getUserData());
+    };
+    /*
+     * requests user identity from parent window via postMessage
+     */
+    const getParentWindowUser = () => new Promise((resolve, reject) => {
+        if (!window.parent || !trustedParent) {
+            return reject(new Error('parent window is undefined or not trusted'));
+        }
+        const handler = (event) => {
+            if (event.data.type === embeddedAuthProvider_1.PostMessageTypes.ReceiveUser && event.origin === trustedParent.origin) {
+                clearTimeout(timeout);
+                window.removeEventListener('message', handler);
+                resolve(event.data.userData);
+            }
+        };
+        window.addEventListener('message', handler);
+        window.parent.postMessage({ type: embeddedAuthProvider_1.PostMessageTypes.RequestUser }, trustedParent.origin);
+        const timeout = setTimeout(() => {
+            window.removeEventListener('message', handler);
+            reject(new Error('loading user identity timed out'));
+        }, 5000);
+    });
+    /*
+     * requests user identity from accounts api using given token or cookie
+     */
+    const getFetchUser = async () => {
+        const response = await window.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user?always_200=true', getAuthorizedFetchConfigFromData(userData));
+        if (response.status === 200) {
+            const body = await response.json();
+            const user = isUserData(body) ? body : undefined;
+            return { ...userData, user };
+        }
+        const message = await response.text();
+        throw new Error(`Error response from Accounts ${response.status}: ${message}`);
+    };
+    const getUserData = (0, __1.once)(async () => {
+        // For backwards compatibility
+        if (authQuery === 'embedded') {
+            return getParentWindowUser();
+        }
+        // getFetchUser() will throw here if authQuery is not set
+        return await (embeddedQuery === embeddedQueryValue ? getParentWindowUser() : getFetchUser());
+    });
+    const getUser = async () => {
+        return (await getUserData()).user;
+    };
+    const updateUser = async (updates) => {
+        const response = await window.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user', { ...getAuthorizedFetchConfigFromData(userData), method: routing_1.METHOD.PUT, body: JSON.stringify(updates) });
+        if (response.status === 200) {
+            const user = await response.json();
+            if (isUserData(user)) {
+                return { ...userData, user };
+            }
+        }
+        const message = await response.text();
+        throw new Error(`Error response from Accounts ${response.status}: ${message}`);
+    };
+    return {
+        /**
+         * gets the authentication token
+         */
+        getAuthToken,
+        /**
+         * adds auth parameters to the url. this is only safe to use when using javascript to navigate
+         * within the current window, eg `window.location = 'https://my.otherservice.com';` anchors
+         * should use getAuthorizedLinkUrl for their href.
+         *
+         * result unreliable unless `getUser` is resolved first.
+         */
+        getAuthorizedUrl,
+        /**
+         * all link href-s must be rendered with auth tokens so that they work when opened in a new tab
+         *
+         * result unreliable unless `getUser` is resolved first.
+         */
+        getAuthorizedLinkUrl,
+        /**
+         * gets an authorized url for an iframe src. sets params on the url and saves its
+         * origin to trust releasing user identity to it
+         */
+        getAuthorizedEmbedUrl,
+        /**
+         * gets second argument for `fetch` that has authentication token or cookie
+         */
+        getAuthorizedFetchConfig,
+        /**
+         * loads current user identity. does not reflect changes in identity after being called the first time.
+         */
+        getUser,
+        /**
+         * updates user settings, for example the cookie consent preferences
+         */
+        updateUser,
+    };
+};
+exports.browserAuthProvider = browserAuthProvider;

package/dist/cjs/services/authProvider/decryption.d.ts

@@ -0,0 +1,19 @@
+import type { ConfigProviderForConfig } from '../../config';
+import { AuthProvider, CookieAuthProvider } from '.';
+declare type Config = {
+    cookieName: string;
+    encryptionPrivateKey: string;
+    signaturePublicKey: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+}
+export declare type DecryptionAuthProvider = AuthProvider & {
+    getTokenExpiration: (tokenString?: string) => Promise<number | null | undefined>;
+};
+export declare const decryptionAuthProvider: <C extends string = "decryption">(initializer: Initializer<C>) => (configProvider: { [key in C]: {
+    cookieName: import("../../config").ConfigValueProvider<string>;
+    encryptionPrivateKey: import("../../config").ConfigValueProvider<string>;
+    signaturePublicKey: import("../../config").ConfigValueProvider<string>;
+}; }) => CookieAuthProvider<DecryptionAuthProvider>;
+export {};

package/dist/cjs/services/authProvider/decryption.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decryptionAuthProvider = void 0;
+const resolveConfigValue_1 = require("../../config/resolveConfigValue");
+const errors_1 = require("../../errors");
+const guards_1 = require("../../guards");
+const helpers_1 = require("../../misc/helpers");
+const decryptAndVerify_1 = require("./utils/decryptAndVerify");
+const _1 = require(".");
+const decryptionAuthProvider = (initializer) => (configProvider) => {
+    const config = configProvider[(0, guards_1.ifDefined)(initializer.configSpace, 'decryption')];
+    const cookieName = (0, helpers_1.once)(() => (0, resolveConfigValue_1.resolveConfigValue)(config.cookieName));
+    const encryptionPrivateKey = (0, helpers_1.once)(() => (0, resolveConfigValue_1.resolveConfigValue)(config.encryptionPrivateKey));
+    const signaturePublicKey = (0, helpers_1.once)(() => (0, resolveConfigValue_1.resolveConfigValue)(config.signaturePublicKey));
+    return ({ request, logger }) => {
+        let user;
+        const getAuthorizedFetchConfig = async () => {
+            const [token, headers] = (0, _1.getAuthTokenOrCookie)(request, await cookieName());
+            if (!token) {
+                return {};
+            }
+            return { headers };
+        };
+        const getPayload = async (tokenString) => {
+            const token = tokenString !== null && tokenString !== void 0 ? tokenString : (0, _1.getAuthTokenOrCookie)(request, await cookieName())[0];
+            if (!token) {
+                return undefined;
+            }
+            return (0, decryptAndVerify_1.decryptAndVerify)(token, await encryptionPrivateKey(), await signaturePublicKey());
+        };
+        const loadUser = async () => {
+            const result = await getPayload();
+            if (!result) {
+                return undefined;
+            }
+            if ('error' in result && result.error == 'expired token') {
+                throw new errors_1.SessionExpiredError();
+            }
+            if ('user' in result) {
+                logger.setContext({ user: result.user.uuid });
+                return result.user;
+            }
+            return undefined;
+        };
+        return {
+            getAuthorizedFetchConfig,
+            getTokenExpiration: async (tokenString) => {
+                var _a;
+                const payload = await getPayload(tokenString);
+                return payload ? ((_a = payload.exp) !== null && _a !== void 0 ? _a : null) : undefined;
+            },
+            getUser: async () => {
+                if (!user) {
+                    user = await loadUser();
+                }
+                return user;
+            },
+        };
+    };
+};
+exports.decryptionAuthProvider = decryptionAuthProvider;

package/dist/cjs/services/authProvider/index.d.ts

@@ -0,0 +1,61 @@
+import type { FetchConfig } from '../../fetch';
+import type { HttpHeaders, QueryParams } from '../../routing';
+import type { Logger } from '../logger';
+export declare type ConsentPreferences = {
+    consent_preferences: {
+        accepted: string[];
+        rejected: string[];
+    };
+};
+export declare type TokenUser = {
+    id: number;
+    name: string;
+    first_name: string;
+    last_name: string;
+    full_name: string;
+    uuid: string;
+    faculty_status: string;
+    is_administrator: boolean;
+} & Partial<ConsentPreferences>;
+export interface ApiUser extends TokenUser {
+    contact_infos: Array<{
+        type: string;
+        value: string;
+        is_verified: boolean;
+        is_guessed_preferred: boolean;
+    }>;
+    applications: Array<{
+        id: number;
+        name: string;
+        roles: string[];
+    }>;
+    external_ids: string[];
+    is_not_gdpr_location: boolean;
+    self_reported_role: string;
+    signed_contract_names: string[];
+    using_openstax: boolean;
+}
+export declare type User = TokenUser | ApiUser;
+export declare type AuthProvider = {
+    getUser: () => Promise<User | undefined>;
+    /**
+     * gets second argument for `fetch` that has authentication token or cookie
+     */
+    getAuthorizedFetchConfig: () => Promise<FetchConfig>;
+};
+export declare type CookieAuthProviderRequest = {
+    cookies?: string[];
+    headers: HttpHeaders;
+    queryStringParameters?: QueryParams;
+};
+export declare type CookieAuthProvider<T extends AuthProvider = AuthProvider> = (inputs: {
+    request: CookieAuthProviderRequest;
+    logger: Logger;
+}) => T;
+export declare type StubAuthProvider = (user: User | undefined) => AuthProvider;
+export declare const stubAuthProvider: (user?: User | undefined) => AuthProvider;
+export declare const getAuthTokenOrCookie: (request: CookieAuthProviderRequest, cookieName: string, queryKey?: string) => [string, {
+    Authorization: string;
+}] | [string, {
+    cookie: string;
+}];

package/dist/cjs/services/authProvider/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAuthTokenOrCookie = exports.stubAuthProvider = void 0;
+const cookie_1 = __importDefault(require("cookie"));
+const helpers_1 = require("../../misc/helpers");
+const helpers_2 = require("../../routing/helpers");
+const stubAuthProvider = (user) => ({
+    getUser: () => Promise.resolve(user),
+    getAuthorizedFetchConfig: () => Promise.resolve(user ? { headers: { Authorization: user.uuid } } : {})
+});
+exports.stubAuthProvider = stubAuthProvider;
+const getAuthTokenOrCookie = (request, cookieName, queryKey = 'auth') => {
+    var _a, _b;
+    const authParam = request.queryStringParameters ? request.queryStringParameters[queryKey] : undefined;
+    const authHeader = (0, helpers_2.getHeader)(request.headers, 'authorization');
+    const cookieValue = cookie_1.default.parse((_b = (_a = request.cookies) === null || _a === void 0 ? void 0 : _a.join('; ')) !== null && _b !== void 0 ? _b : '')[cookieName];
+    return typeof authParam === 'string'
+        ? (0, helpers_1.tuple)(authParam, { Authorization: `Bearer ${authParam}` })
+        : authHeader && authHeader.length >= 8 && authHeader.startsWith('Bearer ')
+            ? (0, helpers_1.tuple)(authHeader.slice(7), { Authorization: authHeader })
+            : (0, helpers_1.tuple)(cookieValue, { cookie: cookie_1.default.serialize(cookieName, cookieValue) });
+};
+exports.getAuthTokenOrCookie = getAuthTokenOrCookie;

package/dist/cjs/services/authProvider/subrequest.d.ts

@@ -0,0 +1,16 @@
+import { ConfigProviderForConfig } from '../../config';
+import { GenericFetch } from '../../fetch';
+import { CookieAuthProvider } from '.';
+declare type Config = {
+    cookieName: string;
+    accountsBase: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+    fetch: GenericFetch;
+}
+export declare const subrequestAuthProvider: <C extends string = "subrequest">(initializer: Initializer<C>) => (configProvider: { [key in C]: {
+    cookieName: import("../../config").ConfigValueProvider<string>;
+    accountsBase: import("../../config").ConfigValueProvider<string>;
+}; }) => CookieAuthProvider;
+export {};

package/dist/cjs/services/authProvider/subrequest.js

@@ -0,0 +1,50 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.subrequestAuthProvider = void 0;
+const cookie_1 = __importDefault(require("cookie"));
+const __1 = require("../..");
+const config_1 = require("../../config");
+const guards_1 = require("../../guards");
+const _1 = require(".");
+const subrequestAuthProvider = (initializer) => (configProvider) => {
+    const config = configProvider[(0, guards_1.ifDefined)(initializer.configSpace, 'subrequest')];
+    const cookieName = (0, __1.once)(() => (0, config_1.resolveConfigValue)(config.cookieName));
+    const accountsBase = (0, __1.once)(() => (0, config_1.resolveConfigValue)(config.accountsBase));
+    return ({ request, logger }) => {
+        let user;
+        const getAuthorizedFetchConfig = async () => {
+            const [token, headers] = (0, _1.getAuthTokenOrCookie)(request, await cookieName());
+            if (!token) {
+                return {};
+            }
+            return { headers };
+        };
+        const loadUser = async () => {
+            const resolvedCookieName = await cookieName();
+            const [token] = (0, _1.getAuthTokenOrCookie)(request, resolvedCookieName);
+            if (!token) {
+                return undefined;
+            }
+            const headers = { cookie: cookie_1.default.serialize(resolvedCookieName, token) };
+            const user = await initializer.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user', { headers })
+                .then(response => response.json());
+            if (user) {
+                logger.setContext({ user: user.uuid });
+            }
+            return user;
+        };
+        return {
+            getAuthorizedFetchConfig,
+            getUser: async () => {
+                if (!user) {
+                    user = await loadUser();
+                }
+                return user;
+            }
+        };
+    };
+};
+exports.subrequestAuthProvider = subrequestAuthProvider;

package/dist/cjs/services/authProvider/utils/decryptAndVerify.d.ts

@@ -0,0 +1,29 @@
+/// <reference types="node" />
+import type { User } from '..';
+export declare const decryptJwe: (jwe: string, encryptionPrivateKey: Buffer | string) => string | undefined;
+declare type MaybeAccountsSSOToken = {
+    iss?: string;
+    sub?: User | string;
+    aud?: string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+};
+export declare const verifyJws: (jws: string, signaturePublicKey: Buffer | string) => MaybeAccountsSSOToken | undefined;
+/**
+ * Decrypts and verifies a SSO cookie.
+ *
+ * @param token the encrypted token
+ * @param encryptionPrivateKey the private key used to encrypt the token
+ * @param signaturePublicKey the public key used to verify the decrypted token
+ * @returns {user: User; exp: number} (success) or {error: string} (failure)
+ */
+export declare const decryptAndVerify: (token: string, encryptionPrivateKey: string, signaturePublicKey: string) => {
+    user: User;
+    exp: number;
+} | {
+    error: string;
+    exp?: number;
+};
+export {};

package/dist/cjs/services/authProvider/utils/decryptAndVerify.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decryptAndVerify = exports.verifyJws = exports.decryptJwe = void 0;
+const crypto_1 = require("crypto");
+const guards_1 = require("../../../guards");
+const decryptJwe = (jwe, encryptionPrivateKey) => {
+    const jweParts = jwe.split('.', 6);
+    if (jweParts.length !== 5 || jweParts[1]) {
+        return undefined;
+    } // Invalid/unsupported JWE
+    const header = JSON.parse(Buffer.from(jweParts[0], 'base64url').toString());
+    if (header.alg !== 'dir' || header.enc !== 'A256GCM') {
+        // Unsupported signature/encryption algorithm
+        return undefined;
+    }
+    const aad = Buffer.from(jweParts[0]);
+    const iv = Buffer.from(jweParts[2], 'base64url');
+    const cipherText = Buffer.from(jweParts[3], 'base64url');
+    const authTag = Buffer.from(jweParts[4], 'base64url');
+    // Verify token signature and decrypt
+    const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', encryptionPrivateKey, iv, { authTagLength: 16 });
+    decipher.setAAD(aad, { plaintextLength: cipherText.length });
+    try {
+        decipher.setAuthTag(authTag);
+        return `${decipher.update(cipherText)}${decipher.final()}`;
+    }
+    catch (error) {
+        // Invalid cipherText or authTag
+        return undefined;
+    }
+};
+exports.decryptJwe = decryptJwe;
+const issuer = 'OpenStax Accounts';
+const audience = 'OpenStax';
+const clockTolerance = 300; // 5 minutes
+const verifyJws = (jws, signaturePublicKey) => {
+    const jwsParts = jws.split('.', 4);
+    if (jwsParts.length !== 3) {
+        return undefined;
+    } // Invalid JWS
+    const header = JSON.parse(Buffer.from(jwsParts[0], 'base64url').toString());
+    if (header.alg !== 'RS256' || header.typ !== 'JWT') {
+        return undefined;
+    } // Unsupported JWS
+    const signedContent = Buffer.from(`${jwsParts[0]}.${jwsParts[1]}`);
+    const signature = Buffer.from(jwsParts[2], 'base64url');
+    if (!(0, crypto_1.verify)('RSA-SHA256', signedContent, signaturePublicKey, signature)) {
+        return undefined;
+    }
+    const payload = Buffer.from(jwsParts[1], 'base64url').toString();
+    try {
+        return JSON.parse(payload);
+    }
+    catch (error) {
+        return undefined;
+    }
+};
+exports.verifyJws = verifyJws;
+/**
+ * Decrypts and verifies a SSO cookie.
+ *
+ * @param token the encrypted token
+ * @param encryptionPrivateKey the private key used to encrypt the token
+ * @param signaturePublicKey the public key used to verify the decrypted token
+ * @returns {user: User; exp: number} (success) or {error: string} (failure)
+ */
+const decryptAndVerify = (token, encryptionPrivateKey, signaturePublicKey) => {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const jws = (0, exports.decryptJwe)(token, encryptionPrivateKey);
+    if (!jws) {
+        return { error: 'invalid token' };
+    }
+    const payload = (0, exports.verifyJws)(jws, signaturePublicKey);
+    // Ensure payload contains all the claims we expect
+    // Normally "sub" would be a string but Accounts uses an object for it instead
+    if (!(0, guards_1.isPlainObject)(payload) ||
+        !(0, guards_1.isPlainObject)(payload.sub) || !payload.sub.uuid ||
+        payload.iss !== issuer ||
+        payload.aud !== audience ||
+        !payload.exp ||
+        !payload.nbf || payload.nbf > timestamp + clockTolerance ||
+        !payload.iat || payload.iat > timestamp + clockTolerance ||
+        !payload.jti) {
+        return { error: 'invalid token' };
+    }
+    if (payload.exp < timestamp - clockTolerance) {
+        return { error: 'expired token', exp: payload.exp };
+    }
+    return { user: payload.sub, exp: payload.exp };
+};
+exports.decryptAndVerify = decryptAndVerify;

package/dist/cjs/services/authProvider/utils/embeddedAuthProvider.d.ts

@@ -0,0 +1,26 @@
+import { User } from '..';
+import { Window } from '../browser';
+export declare type UserData = {
+    user?: User;
+    token: string | null;
+};
+declare type UserDataLoader = () => Promise<UserData>;
+export declare enum PostMessageTypes {
+    ReceiveUser = "receive-user",
+    RequestUser = "request-user"
+}
+export declare const embeddedAuthProvider: (getUserData: UserDataLoader, { authQuery, window }: {
+    authQuery?: {
+        key: string;
+        value: string | null;
+    } | undefined;
+    window: Window;
+}) => {
+    embeddedQueryKey: string;
+    embeddedQueryValue: string;
+    getAuthorizedEmbedUrl: (urlString: string, extraParams?: {
+        [key: string]: string;
+    } | undefined) => string;
+    unmount: () => void;
+};
+export {};

package/dist/cjs/services/authProvider/utils/embeddedAuthProvider.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.embeddedAuthProvider = exports.PostMessageTypes = void 0;
+const query_string_1 = __importDefault(require("query-string"));
+var PostMessageTypes;
+(function (PostMessageTypes) {
+    PostMessageTypes["ReceiveUser"] = "receive-user";
+    PostMessageTypes["RequestUser"] = "request-user";
+})(PostMessageTypes = exports.PostMessageTypes || (exports.PostMessageTypes = {}));
+const embeddedAuthProvider = (getUserData, { authQuery, window }) => {
+    const trustedEmbeds = new Set();
+    const embeddedQueryKey = 'embedded';
+    const embeddedQueryValue = 'true';
+    const messageHandler = event => {
+        if (event.data.type === PostMessageTypes.RequestUser && trustedEmbeds.has(event.origin)) {
+            getUserData().then(data => {
+                event.source.postMessage({ type: PostMessageTypes.ReceiveUser, userData: data }, event.origin);
+            });
+        }
+    };
+    window.addEventListener('message', messageHandler);
+    const getAuthorizedEmbedUrl = (urlString, extraParams) => {
+        const url = new URL(urlString);
+        trustedEmbeds.add(url.origin);
+        const params = query_string_1.default.parse(url.search);
+        url.search = query_string_1.default.stringify({
+            ...params,
+            ...extraParams,
+            ...(authQuery && authQuery.value ? { [authQuery.key]: authQuery.value } : { auth: 'embedded' }),
+            [embeddedQueryKey]: embeddedQueryValue,
+            subcontent: 'true',
+        });
+        return url.href;
+    };
+    return {
+        embeddedQueryKey,
+        embeddedQueryValue,
+        getAuthorizedEmbedUrl,
+        unmount: () => {
+            window.removeEventListener('message', messageHandler);
+        }
+    };
+};
+exports.embeddedAuthProvider = embeddedAuthProvider;