@opentdf/sdk 0.19.0-beta.175 → 0.19.0-beta.177
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/src/access/access-fetch.js +2 -2
- package/dist/cjs/src/access/access-rpc.js +4 -4
- package/dist/cjs/src/auth/oidc.js +32 -19
- package/dist/cjs/src/auth/token-providers.js +8 -41
- package/dist/cjs/src/auth/tokenExpiry.js +44 -0
- package/dist/types/src/access/access-fetch.d.ts.map +1 -1
- package/dist/types/src/access/access-rpc.d.ts.map +1 -1
- package/dist/types/src/auth/oidc.d.ts +11 -2
- package/dist/types/src/auth/oidc.d.ts.map +1 -1
- package/dist/types/src/auth/token-providers.d.ts.map +1 -1
- package/dist/types/src/auth/tokenExpiry.d.ts +16 -0
- package/dist/types/src/auth/tokenExpiry.d.ts.map +1 -0
- package/dist/web/src/access/access-fetch.js +2 -2
- package/dist/web/src/access/access-rpc.js +4 -4
- package/dist/web/src/auth/oidc.js +32 -19
- package/dist/web/src/auth/token-providers.js +2 -35
- package/dist/web/src/auth/tokenExpiry.js +39 -0
- package/package.json +1 -1
- package/src/access/access-fetch.ts +3 -1
- package/src/access/access-rpc.ts +7 -3
- package/src/auth/oidc.ts +42 -18
- package/src/auth/token-providers.ts +1 -34
- package/src/auth/tokenExpiry.ts +38 -0
|
@@ -45,7 +45,7 @@ async function fetchWrappedKey(url, requestBody, authProvider) {
|
|
|
45
45
|
case 401:
|
|
46
46
|
throw new errors_js_1.UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
|
|
47
47
|
case 403:
|
|
48
|
-
throw new errors_js_1.PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
|
|
48
|
+
throw new errors_js_1.PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied: forbidden`);
|
|
49
49
|
default:
|
|
50
50
|
if (response.status >= 500) {
|
|
51
51
|
throw new errors_js_1.ServiceError(`${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`);
|
|
@@ -152,4 +152,4 @@ async function fetchKasPubKey(kasEndpoint, algorithm) {
|
|
|
152
152
|
...(kid && { kid }),
|
|
153
153
|
};
|
|
154
154
|
}
|
|
155
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
155
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjZXNzLWZldGNoLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2FjY2Vzcy9hY2Nlc3MtZmV0Y2gudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUE4QkEsMENBd0RDO0FBRUQsc0RBK0NDO0FBRUQsd0NBNkRDO0FBdE1ELDRDQUF3RjtBQUV4Riw0Q0FPc0I7QUFDdEIsMENBQWdEO0FBYWhEOzs7Ozs7R0FNRztBQUNJLEtBQUssVUFBVSxlQUFlLENBQ25DLEdBQVcsRUFDWCxXQUEwQixFQUMxQixZQUEwQjtJQUUxQixNQUFNLEdBQUcsR0FBRyxNQUFNLFlBQVksQ0FBQyxTQUFTLENBQUM7UUFDdkMsR0FBRztRQUNILE1BQU0sRUFBRSxNQUFNO1FBQ2QsT0FBTyxFQUFFO1lBQ1AsY0FBYyxFQUFFLGtCQUFrQjtTQUNuQztRQUNELElBQUksRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsQ0FBQztLQUNsQyxDQUFDLENBQUM7SUFFSCxJQUFJLFFBQWtCLENBQUM7SUFFdkIsSUFBSSxDQUFDO1FBQ0gsUUFBUSxHQUFHLE1BQU0sS0FBSyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUU7WUFDOUIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNO1lBQ2xCLElBQUksRUFBRSxNQUFNLEVBQUUsOEJBQThCO1lBQzVDLEtBQUssRUFBRSxVQUFVLEVBQUUsMERBQTBEO1lBQzdFLFdBQVcsRUFBRSxhQUFhLEVBQUUsOEJBQThCO1lBQzFELE9BQU8sRUFBRSxHQUFHLENBQUMsT0FBTztZQUNwQixRQUFRLEVBQUUsUUFBUSxFQUFFLHlCQUF5QjtZQUM3QyxjQUFjLEVBQUUsYUFBYSxFQUFFLHNKQUFzSjtZQUNyTCxJQUFJLEVBQUUsR0FBRyxDQUFDLElBQWdCO1NBQzNCLENBQUMsQ0FBQztJQUNMLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsTUFBTSxJQUFJLHdCQUFZLENBQUMscUNBQXFDLEdBQUcsR0FBRyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFFRCxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsRUFBRSxDQUFDO1FBQ2pCLFFBQVEsUUFBUSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3hCLEtBQUssR0FBRztnQkFDTixNQUFNLElBQUksNEJBQWdCLENBQ3hCLFlBQVksR0FBRyxDQUFDLEdBQUcsMEJBQTBCLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxHQUFHLENBQ3RFLENBQUM7WUFDSixLQUFLLEdBQUc7Z0JBQ04sTUFBTSxJQUFJLGdDQUFvQixDQUFDLFlBQVksR0FBRyxDQUFDLEdBQUcsd0JBQXdCLENBQUMsQ0FBQztZQUM5RSxLQUFLLEdBQUc7Z0JBQ04sTUFBTSxJQUFJLGlDQUFxQixDQUM3QixZQUFZLEdBQUcsQ0FBQyxHQUFHLHdDQUF3QyxDQUM1RCxDQUFDO1lBQ0o7Z0JBQ0UsSUFBSSxRQUFRLENBQUMsTUFBTSxJQUFJLEdBQUcsRUFBRSxDQUFDO29CQUMzQixNQUFNLElBQUksd0JBQVksQ0FDcEIsR0FBRyxRQUFRLENBQUMsTUFBTSxTQUFTLEdBQUcsQ0FBQyxHQUFHLDJDQUEyQyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUN0RyxDQUFDO2dCQUNKLENBQUM7Z0JBQ0QsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLEdBQUcsR0FBRyxDQUFDLE1BQU0sSUFBSSxHQUFHLENBQUMsR0FBRyxPQUFPLFFBQVEsQ0FBQyxNQUFNLElBQUksUUFBUSxDQUFDLFVBQVUsRUFBRSxDQUN4RSxDQUFDO1FBQ04sQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztBQUN6QixDQUFDO0FBRU0sS0FBSyxVQUFVLHFCQUFxQixDQUN6QyxXQUFtQixFQUNuQixZQUEwQjtJQUUxQixJQUFJLFVBQVUsR0FBRyxDQUFDLENBQUM7SUFDbkIsTUFBTSxVQUFVLEdBQUcsRUFBRSxDQUFDO0lBQ3RCLEdBQUcsQ0FBQztRQUNGLE1BQU0sR0FBRyxHQUFHLE1BQU0sWUFBWSxDQUFDLFNBQVMsQ0FBQztZQUN2QyxHQUFHLEVBQUUsR0FBRyxXQUFXLHlDQUF5QyxVQUFVLEVBQUU7WUFDeEUsTUFBTSxFQUFFLEtBQUs7WUFDYixPQUFPLEVBQUU7Z0JBQ1AsY0FBYyxFQUFFLGtCQUFrQjthQUNuQztTQUNGLENBQUMsQ0FBQztRQUNILElBQUksUUFBa0IsQ0FBQztRQUN2QixJQUFJLENBQUM7WUFDSCxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRTtnQkFDOUIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNO2dCQUNsQixPQUFPLEVBQUUsR0FBRyxDQUFDLE9BQU87Z0JBQ3BCLElBQUksRUFBRSxHQUFHLENBQUMsSUFBZ0I7Z0JBQzFCLElBQUksRUFBRSxNQUFNO2dCQUNaLEtBQUssRUFBRSxVQUFVO2dCQUNqQixXQUFXLEVBQUUsYUFBYTtnQkFDMUIsUUFBUSxFQUFFLFFBQVE7Z0JBQ2xCLGNBQWMsRUFBRSxhQUFhO2FBQzlCLENBQUMsQ0FBQztRQUNMLENBQUM7UUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ1gsTUFBTSxJQUFJLHdCQUFZLENBQUMsa0NBQWtDLEdBQUcsQ0FBQyxHQUFHLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQztRQUMxRSxDQUFDO1FBQ0QsMkRBQTJEO1FBQzNELElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxFQUFFLENBQUM7WUFDakIsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLGtDQUFrQyxHQUFHLENBQUMsR0FBRyxjQUFjLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FDekUsQ0FBQztRQUNKLENBQUM7UUFDRCxNQUFNLEVBQUUsZ0JBQWdCLEdBQUcsRUFBRSxFQUFFLFVBQVUsR0FBRyxFQUFFLEVBQUUsR0FBRyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUN6RSxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsZ0JBQWdCLENBQUMsQ0FBQztRQUNyQyxVQUFVLEdBQUcsVUFBVSxDQUFDLFVBQVUsSUFBSSxDQUFDLENBQUM7SUFDMUMsQ0FBQyxRQUFRLFVBQVUsR0FBRyxDQUFDLEVBQUU7SUFFekIsTUFBTSxVQUFVLEdBQUcsVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQzFELHdCQUF3QjtJQUN4QixJQUFJLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxHQUFHLFdBQVcsTUFBTSxDQUFDLEVBQUUsQ0FBQztRQUMvQyxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsV0FBVyxNQUFNLENBQUMsQ0FBQztJQUN4QyxDQUFDO0lBRUQsT0FBTyxJQUFJLDJCQUFlLENBQUMsVUFBVSxFQUFFLEtBQUssQ0FBQyxDQUFDO0FBQ2hELENBQUM7QUFFTSxLQUFLLFVBQVUsY0FBYyxDQUNsQyxXQUFtQixFQUNuQixTQUFpQztJQUVqQyxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDakIsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDBCQUEwQixDQUFDLENBQUM7SUFDM0QsQ0FBQztJQUNELHVEQUF1RDtJQUN2RCxJQUFBLDRCQUFpQixFQUFDLFdBQVcsQ0FBQyxDQUFDO0lBRS9CLG9GQUFvRjtJQUNwRixJQUFJLE9BQVksQ0FBQztJQUNqQixJQUFJLENBQUM7UUFDSCxPQUFPLEdBQUcsSUFBSSxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUM7SUFDakMsQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksOEJBQWtCLENBQUMsNEJBQTRCLFdBQVcsR0FBRyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFDRCxJQUFJLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsZ0JBQWdCLENBQUMsRUFBRSxDQUFDO1FBQ2pELElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3BDLE9BQU8sQ0FBQyxRQUFRLElBQUksR0FBRyxDQUFDO1FBQzFCLENBQUM7UUFDRCxPQUFPLENBQUMsUUFBUSxJQUFJLG1CQUFtQixDQUFDO0lBQzFDLENBQUM7SUFDRCxPQUFPLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUsU0FBUyxJQUFJLFVBQVUsQ0FBQyxDQUFDO0lBQy9ELElBQUksQ0FBQyxPQUFPLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQ25DLE9BQU8sQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztJQUNyQyxDQUFDO0lBRUQsSUFBSSxtQkFBNkIsQ0FBQztJQUNsQyxJQUFJLENBQUM7UUFDSCxtQkFBbUIsR0FBRyxNQUFNLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUM3QyxDQUFDO0lBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNYLE1BQU0sSUFBSSx3QkFBWSxDQUFDLG9DQUFvQyxPQUFPLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUM1RSxDQUFDO0lBQ0QsSUFBSSxDQUFDLG1CQUFtQixDQUFDLEVBQUUsRUFBRSxDQUFDO1FBQzVCLFFBQVEsbUJBQW1CLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDbkMsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyxZQUFZLE9BQU8sR0FBRyxDQUFDLENBQUM7WUFDdkQsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxnQ0FBb0IsQ0FBQyxZQUFZLE9BQU8sR0FBRyxDQUFDLENBQUM7WUFDekQsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxpQ0FBcUIsQ0FBQyxZQUFZLE9BQU8sR0FBRyxDQUFDLENBQUM7WUFDMUQ7Z0JBQ0UsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLEdBQUcsT0FBTyxPQUFPLG1CQUFtQixDQUFDLE1BQU0sSUFBSSxtQkFBbUIsQ0FBQyxVQUFVLEVBQUUsQ0FDaEYsQ0FBQztRQUNOLENBQUM7SUFDSCxDQUFDO0lBQ0QsTUFBTSxXQUFXLEdBQUcsTUFBTSxtQkFBbUIsQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUNyRCxNQUFNLEVBQUUsU0FBUyxFQUFFLEdBQUcsRUFBRSxHQUFxQixXQUFXLENBQUM7SUFDekQsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1FBQ2YsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLDhDQUE4QyxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQzdFLENBQUM7SUFDSixDQUFDO0lBQ0QsT0FBTztRQUNMLFNBQVM7UUFDVCxHQUFHLEVBQUUsV0FBVztRQUNoQixTQUFTLEVBQUUsU0FBUyxJQUFJLFVBQVU7UUFDbEMsR0FBRyxDQUFDLEdBQUcsSUFBSSxFQUFFLEdBQUcsRUFBRSxDQUFDO0tBQ3BCLENBQUM7QUFDSixDQUFDIn0=
|
|
@@ -46,7 +46,7 @@ function handleRpcRewrapError(e, platformUrl) {
|
|
|
46
46
|
case connect_1.Code.InvalidArgument: // 400 Bad Request
|
|
47
47
|
throw new errors_js_1.InvalidFileError(`400 for [${platformUrl}]: rewrap bad request [${e.message}]`);
|
|
48
48
|
case connect_1.Code.PermissionDenied: // 403 Forbidden
|
|
49
|
-
throw new errors_js_1.PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`);
|
|
49
|
+
throw new errors_js_1.PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied: forbidden`);
|
|
50
50
|
case connect_1.Code.Unauthenticated: // 401 Unauthorized
|
|
51
51
|
throw new errors_js_1.UnauthenticatedError(`401 for [${platformUrl}]; rewrap auth failure`);
|
|
52
52
|
case connect_1.Code.Internal:
|
|
@@ -69,9 +69,9 @@ function handleRpcRewrapErrorString(e, platformUrl, requiredObligations) {
|
|
|
69
69
|
}
|
|
70
70
|
if (e.includes(connect_1.Code[connect_1.Code.PermissionDenied])) {
|
|
71
71
|
if (requiredObligations && requiredObligations.length > 0) {
|
|
72
|
-
throw new errors_js_1.PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`, requiredObligations);
|
|
72
|
+
throw new errors_js_1.PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied: forbidden`, requiredObligations);
|
|
73
73
|
}
|
|
74
|
-
throw new errors_js_1.PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`);
|
|
74
|
+
throw new errors_js_1.PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied: forbidden`);
|
|
75
75
|
}
|
|
76
76
|
if (e.includes(connect_1.Code[connect_1.Code.Unauthenticated])) {
|
|
77
77
|
// 401 Unauthorized
|
|
@@ -187,4 +187,4 @@ async function fetchKasBasePubKey(kasEndpoint) {
|
|
|
187
187
|
throw new errors_js_1.NetworkError(`[${platformUrl}] [PublicKey] ${(0, utils_js_1.extractRpcErrorMessage)(e)}`);
|
|
188
188
|
}
|
|
189
189
|
}
|
|
190
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
190
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjZXNzLXJwYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hY2Nlc3MvYWNjZXNzLXJwYy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQW9DQSwwQ0FxQkM7QUFFRCxvREEwQkM7QUFFRCxnRUFvQ0M7QUFFRCxzREFpQ0M7QUEyQkQsd0NBNkJDO0FBU0QsZ0RBNkJDO0FBM1BELDRDQUtzQjtBQUV0Qiw2REFBK0U7QUFDL0UsNENBT3NCO0FBQ3RCLGdEQUFnRDtBQUdoRCwwQ0FJcUI7QUFDckIsaURBQTZEO0FBQzdELGlEQUF5RDtBQUV6RDs7Ozs7OztHQU9HO0FBQ0ksS0FBSyxVQUFVLGVBQWUsQ0FDbkMsR0FBVyxFQUNYLGtCQUEwQixFQUMxQixJQUFnQixFQUNoQiw2QkFBc0M7SUFFdEMsTUFBTSxXQUFXLEdBQUcsSUFBQSx3Q0FBNkIsRUFBQyxHQUFHLENBQUMsQ0FBQztJQUN2RCxNQUFNLFFBQVEsR0FBRyxJQUFJLDRCQUFjLENBQUMsRUFBRSxZQUFZLEVBQUUsSUFBQSxxQ0FBbUIsRUFBQyxJQUFJLENBQUMsRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBQzlGLE1BQU0sT0FBTyxHQUFnQixFQUFFLENBQUM7SUFDaEMsSUFBSSw2QkFBNkIsRUFBRSxDQUFDO1FBQ2xDLE9BQU8sQ0FBQyxPQUFPLEdBQUc7WUFDaEIsQ0FBQywwQ0FBMkIsQ0FBQyxFQUFFLDZCQUE2QjtTQUM3RCxDQUFDO0lBQ0osQ0FBQztJQUNELElBQUksUUFBd0IsQ0FBQztJQUM3QixJQUFJLENBQUM7UUFDSCxRQUFRLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsRUFBRSxrQkFBa0IsRUFBRSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsb0JBQW9CLENBQUMsQ0FBQyxFQUFFLFdBQVcsQ0FBQyxDQUFDO0lBQ3ZDLENBQUM7SUFDRCxPQUFPLFFBQVEsQ0FBQztBQUNsQixDQUFDO0FBRUQsU0FBZ0Isb0JBQW9CLENBQUMsQ0FBVSxFQUFFLFdBQW1CO0lBQ2xFLElBQUksQ0FBQyxZQUFZLHNCQUFZLEVBQUUsQ0FBQztRQUM5QixPQUFPLENBQUMsR0FBRyxDQUFDLG9DQUFvQyxFQUFFLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUMxRCxRQUFRLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNmLEtBQUssY0FBSSxDQUFDLGVBQWUsRUFBRSxrQkFBa0I7Z0JBQzNDLE1BQU0sSUFBSSw0QkFBZ0IsQ0FBQyxZQUFZLFdBQVcsMEJBQTBCLENBQUMsQ0FBQyxPQUFPLEdBQUcsQ0FBQyxDQUFDO1lBQzVGLEtBQUssY0FBSSxDQUFDLGdCQUFnQixFQUFFLGdCQUFnQjtnQkFDMUMsTUFBTSxJQUFJLGlDQUFxQixDQUM3QixZQUFZLFdBQVcsd0NBQXdDLENBQ2hFLENBQUM7WUFDSixLQUFLLGNBQUksQ0FBQyxlQUFlLEVBQUUsbUJBQW1CO2dCQUM1QyxNQUFNLElBQUksZ0NBQW9CLENBQUMsWUFBWSxXQUFXLHdCQUF3QixDQUFDLENBQUM7WUFDbEYsS0FBSyxjQUFJLENBQUMsUUFBUSxDQUFDO1lBQ25CLEtBQUssY0FBSSxDQUFDLGFBQWEsQ0FBQztZQUN4QixLQUFLLGNBQUksQ0FBQyxRQUFRLENBQUM7WUFDbkIsS0FBSyxjQUFJLENBQUMsT0FBTyxDQUFDO1lBQ2xCLEtBQUssY0FBSSxDQUFDLGdCQUFnQixDQUFDO1lBQzNCLEtBQUssY0FBSSxDQUFDLFdBQVcsRUFBRSxxQkFBcUI7Z0JBQzFDLE1BQU0sSUFBSSx3QkFBWSxDQUNwQixHQUFHLENBQUMsQ0FBQyxJQUFJLFNBQVMsV0FBVywyQ0FBMkMsQ0FBQyxDQUFDLE9BQU8sR0FBRyxDQUNyRixDQUFDO1lBQ0o7Z0JBQ0UsTUFBTSxJQUFJLHdCQUFZLENBQUMsSUFBSSxXQUFXLGNBQWMsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7UUFDckUsQ0FBQztJQUNILENBQUM7SUFDRCxNQUFNLElBQUksd0JBQVksQ0FBQyxJQUFJLFdBQVcsY0FBYyxJQUFBLGlDQUFzQixFQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQztBQUNuRixDQUFDO0FBRUQsU0FBZ0IsMEJBQTBCLENBQ3hDLENBQVMsRUFDVCxXQUFtQixFQUNuQixtQkFBOEI7SUFFOUIsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxjQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQzNDLGtCQUFrQjtRQUNsQixNQUFNLElBQUksNEJBQWdCLENBQUMsWUFBWSxXQUFXLDBCQUEwQixDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3BGLENBQUM7SUFDRCxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUM1QyxJQUFJLG1CQUFtQixJQUFJLG1CQUFtQixDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUMxRCxNQUFNLElBQUksaUNBQXFCLENBQzdCLFlBQVksV0FBVyx3Q0FBd0MsRUFDL0QsbUJBQW1CLENBQ3BCLENBQUM7UUFDSixDQUFDO1FBQ0QsTUFBTSxJQUFJLGlDQUFxQixDQUM3QixZQUFZLFdBQVcsd0NBQXdDLENBQ2hFLENBQUM7SUFDSixDQUFDO0lBQ0QsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxjQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQzNDLG1CQUFtQjtRQUNuQixNQUFNLElBQUksZ0NBQW9CLENBQUMsWUFBWSxXQUFXLHdCQUF3QixDQUFDLENBQUM7SUFDbEYsQ0FBQztJQUNELElBQ0UsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxjQUFJLENBQUMsY0FBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQy9CLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxhQUFhLENBQUMsQ0FBQztRQUNwQyxDQUFDLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxjQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDL0IsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxjQUFJLENBQUMsY0FBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQzlCLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1FBQ3ZDLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQyxFQUNsQyxDQUFDO1FBQ0QsUUFBUTtRQUNSLE1BQU0sSUFBSSx3QkFBWSxDQUFDLFNBQVMsV0FBVywyQ0FBMkMsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUM5RixDQUFDO0lBQ0QsTUFBTSxJQUFJLHdCQUFZLENBQUMsSUFBSSxXQUFXLGNBQWMsQ0FBQyxFQUFFLENBQUMsQ0FBQztBQUMzRCxDQUFDO0FBRU0sS0FBSyxVQUFVLHFCQUFxQixDQUN6QyxXQUFtQixFQUNuQixJQUFnQjtJQUVoQixJQUFJLFVBQVUsR0FBRyxDQUFDLENBQUM7SUFDbkIsTUFBTSxVQUFVLEdBQUcsRUFBRSxDQUFDO0lBQ3RCLE1BQU0sUUFBUSxHQUFHLElBQUksNEJBQWMsQ0FBQyxFQUFFLFlBQVksRUFBRSxJQUFBLHFDQUFtQixFQUFDLElBQUksQ0FBQyxFQUFFLFdBQVcsRUFBRSxDQUFDLENBQUM7SUFFOUYsR0FBRyxDQUFDO1FBQ0YsSUFBSSxRQUFzQyxDQUFDO1FBQzNDLElBQUksQ0FBQztZQUNILFFBQVEsR0FBRyxNQUFNLFFBQVEsQ0FBQyxFQUFFLENBQUMsdUJBQXVCLENBQUMsb0JBQW9CLENBQUM7Z0JBQ3hFLFVBQVUsRUFBRTtvQkFDVixNQUFNLEVBQUUsVUFBVTtpQkFDbkI7YUFDRixDQUFDLENBQUM7UUFDTCxDQUFDO1FBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUNYLE1BQU0sSUFBSSx3QkFBWSxDQUNwQixJQUFJLFdBQVcsNEJBQTRCLElBQUEsaUNBQXNCLEVBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FDdkUsQ0FBQztRQUNKLENBQUM7UUFFRCxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsUUFBUSxDQUFDLGdCQUFnQixDQUFDLENBQUM7UUFDOUMsVUFBVSxHQUFHLFFBQVEsRUFBRSxVQUFVLEVBQUUsVUFBVSxJQUFJLENBQUMsQ0FBQztJQUNyRCxDQUFDLFFBQVEsVUFBVSxHQUFHLENBQUMsRUFBRTtJQUV6QixNQUFNLFVBQVUsR0FBRyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDMUQsd0JBQXdCO0lBQ3hCLElBQUksQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLEdBQUcsV0FBVyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQy9DLFVBQVUsQ0FBQyxJQUFJLENBQUMsR0FBRyxXQUFXLE1BQU0sQ0FBQyxDQUFDO0lBQ3hDLENBQUM7SUFFRCxPQUFPLElBQUksMkJBQWUsQ0FBQyxVQUFVLEVBQUUsS0FBSyxDQUFDLENBQUM7QUFDaEQsQ0FBQztBQVlELFNBQVMsU0FBUyxDQUFDLE9BQWlCO0lBQ2xDLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUNiLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUNELE1BQU0sRUFBRSxHQUFHLE9BQTBCLENBQUM7SUFDdEMsT0FBTyxDQUNMLENBQUMsQ0FBQyxFQUFFLENBQUMsT0FBTztRQUNaLENBQUMsQ0FBQyxFQUFFLENBQUMsVUFBVTtRQUNmLE9BQU8sRUFBRSxDQUFDLFVBQVUsS0FBSyxRQUFRO1FBQ2pDLENBQUMsQ0FBQyxFQUFFLENBQUMsVUFBVSxDQUFDLEdBQUc7UUFDbkIsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxVQUFVLENBQUMsU0FBUztRQUN6QixJQUFBLGdDQUFvQixFQUFDLEVBQUUsQ0FBQyxVQUFVLENBQUMsU0FBUyxDQUFDLENBQzlDLENBQUM7QUFDSixDQUFDO0FBRU0sS0FBSyxVQUFVLGNBQWMsQ0FDbEMsV0FBbUIsRUFDbkIsU0FBaUM7SUFFakMsSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQ2pCLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0lBQzNELENBQUM7SUFDRCx1REFBdUQ7SUFDdkQsSUFBQSw0QkFBaUIsRUFBQyxXQUFXLENBQUMsQ0FBQztJQUUvQixNQUFNLFdBQVcsR0FBRyxJQUFBLHdDQUE2QixFQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQy9ELE1BQU0sUUFBUSxHQUFHLElBQUksNEJBQWMsQ0FBQztRQUNsQyxXQUFXO0tBQ1osQ0FBQyxDQUFDO0lBQ0gsSUFBSSxDQUFDO1FBQ0gsTUFBTSxFQUFFLEdBQUcsRUFBRSxTQUFTLEVBQUUsR0FBRyxNQUFNLFFBQVEsQ0FBQyxFQUFFLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQztZQUM1RCxTQUFTLEVBQUUsU0FBUyxJQUFJLFVBQVU7WUFDbEMsQ0FBQyxFQUFFLEdBQUc7U0FDUCxDQUFDLENBQUM7UUFDSCxNQUFNLE1BQU0sR0FBcUI7WUFDL0IsU0FBUztZQUNULEdBQUcsRUFBRSxXQUFXO1lBQ2hCLFNBQVMsRUFBRSxTQUFTLElBQUksVUFBVTtZQUNsQyxHQUFHLENBQUMsR0FBRyxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7U0FDcEIsQ0FBQztRQUNGLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsTUFBTSxJQUFJLHdCQUFZLENBQUMsSUFBSSxXQUFXLGlCQUFpQixJQUFBLGlDQUFzQixFQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN0RixDQUFDO0FBQ0gsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNJLEtBQUssVUFBVSxrQkFBa0IsQ0FBQyxXQUFtQjtJQUMxRCxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDakIsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDBCQUEwQixDQUFDLENBQUM7SUFDM0QsQ0FBQztJQUNELElBQUEsNEJBQWlCLEVBQUMsV0FBVyxDQUFDLENBQUM7SUFFL0IsTUFBTSxXQUFXLEdBQUcsSUFBQSx3Q0FBNkIsRUFBQyxXQUFXLENBQUMsQ0FBQztJQUMvRCxNQUFNLFFBQVEsR0FBRyxJQUFJLDRCQUFjLENBQUM7UUFDbEMsV0FBVztLQUNaLENBQUMsQ0FBQztJQUNILElBQUksQ0FBQztRQUNILE1BQU0sRUFBRSxhQUFhLEVBQUUsR0FBRyxNQUFNLFFBQVEsQ0FBQyxFQUFFLENBQUMsU0FBUyxDQUFDLHlCQUF5QixDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3BGLE1BQU0sT0FBTyxHQUFHLGFBQWEsRUFBRSxRQUFzQyxDQUFDO1FBQ3RFLElBQUksQ0FBQyxTQUFTLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUN4QixNQUFNLElBQUksd0JBQVksQ0FDcEIsb0NBQW9DLFdBQVcsZ0RBQWdELENBQ2hHLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQXFCO1lBQy9CLFNBQVMsRUFBRSxPQUFPLENBQUMsVUFBVSxDQUFDLEdBQUc7WUFDakMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxPQUFPO1lBQ3BCLFNBQVMsRUFBRSxPQUFPLENBQUMsVUFBVSxDQUFDLFNBQVM7WUFDdkMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxVQUFVLENBQUMsR0FBRztTQUM1QixDQUFDO1FBQ0YsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksd0JBQVksQ0FBQyxJQUFJLFdBQVcsaUJBQWlCLElBQUEsaUNBQXNCLEVBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQ3RGLENBQUM7QUFDSCxDQUFDIn0=
|
|
@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
exports.AccessToken = void 0;
|
|
7
7
|
const dpop_js_1 = __importDefault(require("./dpop.js"));
|
|
8
8
|
const auth_js_1 = require("./auth.js");
|
|
9
|
+
const tokenExpiry_js_1 = require("./tokenExpiry.js");
|
|
9
10
|
const index_js_1 = require("../encodings/index.js");
|
|
10
11
|
const errors_js_1 = require("../errors.js");
|
|
11
12
|
const utils_js_1 = require("../utils.js");
|
|
@@ -140,19 +141,24 @@ class AccessToken {
|
|
|
140
141
|
}
|
|
141
142
|
/**
|
|
142
143
|
* Gets an access token; operates lazily/cached, with an optional check for freshness.
|
|
143
|
-
*
|
|
144
|
+
*
|
|
145
|
+
* Freshness is determined locally from the token's `exp` claim (or the OAuth
|
|
146
|
+
* `expires_in` from the token response) — no network round trip. This replaces an
|
|
147
|
+
* earlier scheme that validated cached tokens against the OIDC `userinfo` endpoint.
|
|
148
|
+
* @param validate if we should check that any cached access token is still fresh
|
|
149
|
+
* before returning it; when false, a cached token is returned regardless of expiry
|
|
144
150
|
* @returns
|
|
145
151
|
*/
|
|
146
152
|
async get(validate = true) {
|
|
147
|
-
if (this.data?.access_token) {
|
|
153
|
+
if (this.data?.access_token && (!validate || !(0, tokenExpiry_js_1.isTokenExpired)(this.cachedExpiry))) {
|
|
154
|
+
return this.data.access_token;
|
|
155
|
+
}
|
|
156
|
+
// Dedupe concurrent refreshes so a burst of requests triggers one exchange.
|
|
157
|
+
if (this.inFlight) {
|
|
158
|
+
return this.inFlight;
|
|
159
|
+
}
|
|
160
|
+
this.inFlight = (async () => {
|
|
148
161
|
try {
|
|
149
|
-
if (validate) {
|
|
150
|
-
await this.info(this.data.access_token);
|
|
151
|
-
}
|
|
152
|
-
return this.data.access_token;
|
|
153
|
-
}
|
|
154
|
-
catch (e) {
|
|
155
|
-
console.log('access_token fails on user_info endpoint; attempting to renew', e);
|
|
156
162
|
if (this.data?.refresh_token) {
|
|
157
163
|
// Prefer the latest refresh_token if present over creds passed in
|
|
158
164
|
// to constructor
|
|
@@ -163,10 +169,15 @@ class AccessToken {
|
|
|
163
169
|
};
|
|
164
170
|
}
|
|
165
171
|
delete this.data;
|
|
172
|
+
const tokenResponse = (this.data = await this.accessTokenLookup(this.config));
|
|
173
|
+
this.cachedExpiry = (0, tokenExpiry_js_1.resolveTokenExpiry)(tokenResponse.access_token, tokenResponse.expires_in);
|
|
174
|
+
return tokenResponse.access_token;
|
|
166
175
|
}
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
176
|
+
finally {
|
|
177
|
+
delete this.inFlight;
|
|
178
|
+
}
|
|
179
|
+
})();
|
|
180
|
+
return this.inFlight;
|
|
170
181
|
}
|
|
171
182
|
/**
|
|
172
183
|
* A TDF client MUST call this method whenever the client wants to use a new
|
|
@@ -176,13 +187,15 @@ class AccessToken {
|
|
|
176
187
|
* Calling this function will trigger a forcible token refresh using the cached refresh token, and contact the auth server.
|
|
177
188
|
*/
|
|
178
189
|
async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey) {
|
|
179
|
-
// If we already have a token, and the pubkey
|
|
180
|
-
// we
|
|
181
|
-
//
|
|
182
|
-
if (this.
|
|
190
|
+
// If we already have a token, and the pubkey is unchanged,
|
|
191
|
+
// we can keep the cached token - otherwise drop it so the next `get()`
|
|
192
|
+
// refetches a token bound to the new public key.
|
|
193
|
+
if (this.data?.access_token && signingKey === this.signingKey) {
|
|
183
194
|
return;
|
|
184
195
|
}
|
|
185
|
-
delete this.
|
|
196
|
+
delete this.data;
|
|
197
|
+
delete this.cachedExpiry;
|
|
198
|
+
delete this.inFlight;
|
|
186
199
|
this.signingKey = signingKey;
|
|
187
200
|
}
|
|
188
201
|
/**
|
|
@@ -213,7 +226,7 @@ class AccessToken {
|
|
|
213
226
|
if (this.config.dpopEnabled && !this.signingKey) {
|
|
214
227
|
throw new errors_js_1.ConfigurationError('Client public key was not set via `updateClientPublicKey` or passed in via constructor; required when DPoP is enabled');
|
|
215
228
|
}
|
|
216
|
-
const accessToken =
|
|
229
|
+
const accessToken = await this.get();
|
|
217
230
|
if (this.config.dpopEnabled && this.signingKey) {
|
|
218
231
|
const dpopToken = await (0, dpop_js_1.default)(this.signingKey, this.cryptoService, httpReq.url, httpReq.method,
|
|
219
232
|
/* nonce */ undefined, accessToken);
|
|
@@ -224,4 +237,4 @@ class AccessToken {
|
|
|
224
237
|
}
|
|
225
238
|
}
|
|
226
239
|
exports.AccessToken = AccessToken;
|
|
227
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
240
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL29pZGMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsd0RBQThDO0FBQzlDLHVDQUFxRDtBQUNyRCxxREFBc0U7QUFDdEUsb0RBQStDO0FBQy9DLDRDQUE0RDtBQUM1RCwwQ0FBcUM7QUFxRHJDLE1BQU0sVUFBVSxHQUFHLENBQUMsR0FBMkIsRUFBRSxFQUFFLENBQUMsSUFBSSxlQUFlLENBQUMsR0FBRyxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUM7QUFReEY7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQXFCRztBQUNILE1BQWEsV0FBVztJQXVCdEIsWUFBWSxHQUFvQixFQUFFLGFBQTRCLEVBQUUsT0FBc0I7UUFWdEYsaUJBQVksR0FBMkIsRUFBRSxDQUFDO1FBV3hDLElBQUksQ0FBQyxHQUFHLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDbEIsTUFBTSxJQUFJLDhCQUFrQixDQUMxQiw0RUFBNEUsQ0FDN0UsQ0FBQztRQUNKLENBQUM7UUFDRCxJQUFJLEdBQUcsQ0FBQyxRQUFRLEtBQUssUUFBUSxJQUFJLENBQUMsR0FBRyxDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ25ELE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsNEVBQTRFLENBQzdFLENBQUM7UUFDSixDQUFDO1FBQ0QsSUFBSSxHQUFHLENBQUMsUUFBUSxLQUFLLFNBQVMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUNwRCxNQUFNLElBQUksOEJBQWtCLENBQUMsNERBQTRELENBQUMsQ0FBQztRQUM3RixDQUFDO1FBQ0QsSUFBSSxHQUFHLENBQUMsUUFBUSxLQUFLLFVBQVUsSUFBSSxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNwRCxNQUFNLElBQUksOEJBQWtCLENBQUMsbURBQW1ELENBQUMsQ0FBQztRQUNwRixDQUFDO1FBQ0QsSUFBSSxDQUFDLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNsQixNQUFNLElBQUksOEJBQWtCLENBQUMsNEJBQTRCLENBQUMsQ0FBQztRQUM3RCxDQUFDO1FBQ0QsSUFBSSxDQUFDLE1BQU0sR0FBRyxHQUFHLENBQUM7UUFDbEIsSUFBSSxDQUFDLGFBQWEsR0FBRyxhQUFhLENBQUM7UUFDbkMsSUFBSSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDdkIsSUFBSSxDQUFDLE9BQU8sR0FBRyxJQUFBLGlCQUFNLEVBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxHQUFHLENBQUMsQ0FBQztRQUMzQyxJQUFJLENBQUMsYUFBYSxHQUFHLEdBQUcsQ0FBQyxpQkFBaUIsSUFBSSxHQUFHLElBQUksQ0FBQyxPQUFPLGdDQUFnQyxDQUFDO1FBQzlGLElBQUksQ0FBQyxnQkFBZ0I7WUFDbkIsR0FBRyxDQUFDLG9CQUFvQixJQUFJLEdBQUcsSUFBSSxDQUFDLE9BQU8sbUNBQW1DLENBQUM7UUFDakYsSUFBSSxDQUFDLFVBQVUsR0FBRyxHQUFHLENBQUMsVUFBVSxDQUFDO0lBQ25DLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsS0FBSyxDQUFDLElBQUksQ0FBQyxXQUFtQjtRQUM1QixNQUFNLE9BQU8sR0FBRztZQUNkLEdBQUcsSUFBSSxDQUFDLFlBQVk7WUFDcEIsYUFBYSxFQUFFLFVBQVUsV0FBVyxFQUFFO1NBQ2IsQ0FBQztRQUM1QixJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxJQUFJLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUMvQyxPQUFPLENBQUMsSUFBSSxHQUFHLE1BQU0sSUFBQSxpQkFBTSxFQUN6QixJQUFJLENBQUMsVUFBVSxFQUNmLElBQUksQ0FBQyxhQUFhLEVBQ2xCLElBQUksQ0FBQyxnQkFBZ0IsRUFDckIsTUFBTSxDQUNQLENBQUM7UUFDSixDQUFDO1FBQ0QsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLElBQUksS0FBSyxDQUFDLENBQUMsSUFBSSxDQUFDLGdCQUFnQixFQUFFO1lBQ3BFLE9BQU87U0FDUixDQUFDLENBQUM7UUFDSCxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsRUFBRSxDQUFDO1lBQ2pCLE9BQU8sQ0FBQyxLQUFLLENBQUMsTUFBTSxRQUFRLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQztZQUNyQyxNQUFNLElBQUksb0JBQVEsQ0FDaEIsd0JBQXdCLElBQUksQ0FBQyxnQkFBZ0IsUUFBUSxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxVQUFVLEVBQUUsQ0FDOUYsQ0FBQztRQUNKLENBQUM7UUFFRCxPQUFPLENBQUMsTUFBTSxRQUFRLENBQUMsSUFBSSxFQUFFLENBQVksQ0FBQztJQUM1QyxDQUFDO0lBRUQsS0FBSyxDQUFDLE1BQU0sQ0FBQyxHQUFXLEVBQUUsQ0FBeUI7UUFDakQsTUFBTSxPQUFPLEdBQTJCO1lBQ3RDLGNBQWMsRUFBRSxtQ0FBbUM7WUFDbkQsTUFBTSxFQUFFLGtCQUFrQjtTQUMzQixDQUFDO1FBQ0YsaUNBQWlDO1FBQ2pDLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUM1QixJQUFJLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO2dCQUNyQixNQUFNLElBQUksOEJBQWtCLENBQUMseUJBQXlCLENBQUMsQ0FBQztZQUMxRCxDQUFDO1lBQ0Qsb0RBQW9EO1lBQ3BELE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1lBQzVGLHFFQUFxRTtZQUNyRSwwRUFBMEU7WUFDMUUsT0FBTyxDQUFDLGdCQUFnQixDQUFDLEdBQUcsaUJBQU0sQ0FBQyxNQUFNLENBQUMsWUFBWSxDQUFDLENBQUM7WUFDeEQsT0FBTyxDQUFDLElBQUksR0FBRyxNQUFNLElBQUEsaUJBQU0sRUFBQyxJQUFJLENBQUMsVUFBVSxFQUFFLElBQUksQ0FBQyxhQUFhLEVBQUUsR0FBRyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBQ2hGLENBQUM7UUFDRCxPQUFPLENBQUMsSUFBSSxDQUFDLE9BQU8sSUFBSSxLQUFLLENBQUMsQ0FBQyxHQUFHLEVBQUU7WUFDbEMsTUFBTSxFQUFFLE1BQU07WUFDZCxPQUFPO1lBQ1AsSUFBSSxFQUFFLFVBQVUsQ0FBQyxDQUFDLENBQUM7U0FDcEIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxHQUFvQjtRQUMxQyxJQUFJLElBQUksQ0FBQztRQUNULFFBQVEsR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ3JCLEtBQUssUUFBUTtnQkFDWCxJQUFJLEdBQUc7b0JBQ0wsVUFBVSxFQUFFLG9CQUFvQjtvQkFDaEMsU0FBUyxFQUFFLEdBQUcsQ0FBQyxRQUFRO29CQUN2QixhQUFhLEVBQUUsR0FBRyxDQUFDLFlBQVk7aUJBQ2hDLENBQUM7Z0JBQ0YsTUFBTTtZQUNSLEtBQUssVUFBVTtnQkFDYixJQUFJLEdBQUc7b0JBQ0wsVUFBVSxFQUFFLGlEQUFpRDtvQkFDN0QsYUFBYSxFQUFFLEdBQUcsQ0FBQyxXQUFXO29CQUM5QixrQkFBa0IsRUFBRSxzQ0FBc0M7b0JBQzFELFFBQVEsRUFBRSxHQUFHLENBQUMsUUFBUTtvQkFDdEIsU0FBUyxFQUFFLEdBQUcsQ0FBQyxRQUFRO2lCQUN4QixDQUFDO2dCQUNGLE1BQU07WUFDUixLQUFLLFNBQVM7Z0JBQ1osSUFBSSxHQUFHO29CQUNMLFVBQVUsRUFBRSxlQUFlO29CQUMzQixhQUFhLEVBQUUsR0FBRyxDQUFDLFlBQVk7b0JBQy9CLFNBQVMsRUFBRSxHQUFHLENBQUMsUUFBUTtpQkFDeEIsQ0FBQztnQkFDRixNQUFNO1FBQ1YsQ0FBQztRQUNELE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsYUFBYSxFQUFFLElBQUksQ0FBQyxDQUFDO1FBQzdELElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxFQUFFLENBQUM7WUFDakIsT0FBTyxDQUFDLEtBQUssQ0FBQyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDO1lBQ3JDLE1BQU0sSUFBSSxvQkFBUSxDQUNoQixtQ0FBbUMsSUFBSSxDQUFDLGFBQWEsUUFBUSxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxVQUFVLEVBQUUsQ0FDdEcsQ0FBQztRQUNKLENBQUM7UUFDRCxPQUFPLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUN6QixDQUFDO0lBRUQ7Ozs7Ozs7OztPQVNHO0lBQ0gsS0FBSyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEdBQUcsSUFBSTtRQUN2QixJQUFJLElBQUksQ0FBQyxJQUFJLEVBQUUsWUFBWSxJQUFJLENBQUMsQ0FBQyxRQUFRLElBQUksQ0FBQyxJQUFBLCtCQUFjLEVBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDLEVBQUUsQ0FBQztZQUNqRixPQUFPLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDO1FBQ2hDLENBQUM7UUFFRCw0RUFBNEU7UUFDNUUsSUFBSSxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDbEIsT0FBTyxJQUFJLENBQUMsUUFBUSxDQUFDO1FBQ3ZCLENBQUM7UUFFRCxJQUFJLENBQUMsUUFBUSxHQUFHLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDMUIsSUFBSSxDQUFDO2dCQUNILElBQUksSUFBSSxDQUFDLElBQUksRUFBRSxhQUFhLEVBQUUsQ0FBQztvQkFDN0Isa0VBQWtFO29CQUNsRSxpQkFBaUI7b0JBQ2pCLElBQUksQ0FBQyxNQUFNLEdBQUc7d0JBQ1osR0FBRyxJQUFJLENBQUMsTUFBTTt3QkFDZCxRQUFRLEVBQUUsU0FBUzt3QkFDbkIsWUFBWSxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsYUFBYTtxQkFDdEMsQ0FBQztnQkFDSixDQUFDO2dCQUNELE9BQU8sSUFBSSxDQUFDLElBQUksQ0FBQztnQkFFakIsTUFBTSxhQUFhLEdBQUcsQ0FBQyxJQUFJLENBQUMsSUFBSSxHQUFHLE1BQU0sSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDO2dCQUM5RSxJQUFJLENBQUMsWUFBWSxHQUFHLElBQUEsbUNBQWtCLEVBQ3BDLGFBQWEsQ0FBQyxZQUFZLEVBQzFCLGFBQWEsQ0FBQyxVQUFVLENBQ3pCLENBQUM7Z0JBQ0YsT0FBTyxhQUFhLENBQUMsWUFBWSxDQUFDO1lBQ3BDLENBQUM7b0JBQVMsQ0FBQztnQkFDVCxPQUFPLElBQUksQ0FBQyxRQUFRLENBQUM7WUFDdkIsQ0FBQztRQUNILENBQUMsQ0FBQyxFQUFFLENBQUM7UUFFTCxPQUFPLElBQUksQ0FBQyxRQUFRLENBQUM7SUFDdkIsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILEtBQUssQ0FBQywwQ0FBMEMsQ0FBQyxVQUFtQjtRQUNsRSwyREFBMkQ7UUFDM0QsdUVBQXVFO1FBQ3ZFLGlEQUFpRDtRQUNqRCxJQUFJLElBQUksQ0FBQyxJQUFJLEVBQUUsWUFBWSxJQUFJLFVBQVUsS0FBSyxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDOUQsT0FBTztRQUNULENBQUM7UUFDRCxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUM7UUFDakIsT0FBTyxJQUFJLENBQUMsWUFBWSxDQUFDO1FBQ3pCLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQztRQUNyQixJQUFJLENBQUMsVUFBVSxHQUFHLFVBQVUsQ0FBQztJQUMvQixDQUFDO0lBRUQ7O09BRUc7SUFDSCxLQUFLLENBQUMsdUJBQXVCO1FBQzNCLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUM7UUFDeEIsSUFBSSxHQUFHLENBQUMsUUFBUSxJQUFJLFVBQVUsSUFBSSxHQUFHLENBQUMsUUFBUSxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQzVELE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0QkFBNEIsQ0FBQyxDQUFDO1FBQzdELENBQUM7UUFDRCxNQUFNLGFBQWEsR0FBRyxDQUFDLElBQUksQ0FBQyxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7UUFDOUUsSUFBSSxDQUFDLGFBQWEsQ0FBQyxhQUFhLEVBQUUsQ0FBQztZQUNqQyxPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQixDQUFDLENBQUM7WUFDekMsT0FBTyxDQUNMLENBQUMsR0FBRyxDQUFDLFFBQVEsSUFBSSxTQUFTLElBQUksR0FBRyxDQUFDLFlBQVksQ0FBQztnQkFDL0MsQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLFVBQVUsSUFBSSxHQUFHLENBQUMsV0FBVyxDQUFDO2dCQUMvQyxFQUFFLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFDRCxrRUFBa0U7UUFDbEUsaUJBQWlCO1FBQ2pCLElBQUksQ0FBQyxNQUFNLEdBQUc7WUFDWixHQUFHLElBQUksQ0FBQyxNQUFNO1lBQ2QsUUFBUSxFQUFFLFNBQVM7WUFDbkIsWUFBWSxFQUFFLGFBQWEsQ0FBQyxhQUFhO1NBQzFDLENBQUM7UUFDRixPQUFPLGFBQWEsQ0FBQyxZQUFZLENBQUM7SUFDcEMsQ0FBQztJQUVELEtBQUssQ0FBQyxTQUFTLENBQUMsT0FBb0I7UUFDbEMsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLFdBQVcsSUFBSSxDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUNoRCxNQUFNLElBQUksOEJBQWtCLENBQzFCLHVIQUF1SCxDQUN4SCxDQUFDO1FBQ0osQ0FBQztRQUNELE1BQU0sV0FBVyxHQUFHLE1BQU0sSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ3JDLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLElBQUksSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQy9DLE1BQU0sU0FBUyxHQUFHLE1BQU0sSUFBQSxpQkFBTSxFQUM1QixJQUFJLENBQUMsVUFBVSxFQUNmLElBQUksQ0FBQyxhQUFhLEVBQ2xCLE9BQU8sQ0FBQyxHQUFHLEVBQ1gsT0FBTyxDQUFDLE1BQU07WUFDZCxXQUFXLENBQUMsU0FBUyxFQUNyQixXQUFXLENBQ1osQ0FBQztZQUNGLHVFQUF1RTtZQUN2RSxPQUFPLElBQUEscUJBQVcsRUFBQyxPQUFPLEVBQUUsRUFBRSxhQUFhLEVBQUUsVUFBVSxXQUFXLEVBQUUsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLENBQUMsQ0FBQztRQUMzRixDQUFDO1FBQ0QsT0FBTyxJQUFBLHFCQUFXLEVBQUMsT0FBTyxFQUFFLEVBQUUsYUFBYSxFQUFFLFVBQVUsV0FBVyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQzFFLENBQUM7Q0FDRjtBQXBRRCxrQ0FvUUMifQ==
|
|
@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.clientCredentialsTokenProvider = clientCredentialsTokenProvider;
|
|
4
4
|
exports.refreshTokenProvider = refreshTokenProvider;
|
|
5
5
|
exports.externalJwtTokenProvider = externalJwtTokenProvider;
|
|
6
|
+
const tokenExpiry_js_1 = require("./tokenExpiry.js");
|
|
6
7
|
const errors_js_1 = require("../errors.js");
|
|
7
8
|
const utils_js_1 = require("../utils.js");
|
|
8
9
|
function resolveTokenEndpoint(oidcOrigin, override) {
|
|
@@ -14,40 +15,6 @@ function resolveTokenEndpoint(oidcOrigin, override) {
|
|
|
14
15
|
}
|
|
15
16
|
return `${(0, utils_js_1.rstrip)(base, '/')}/protocol/openid-connect/token`;
|
|
16
17
|
}
|
|
17
|
-
/**
|
|
18
|
-
* Decode a JWT's exp claim without verifying the signature.
|
|
19
|
-
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
20
|
-
*/
|
|
21
|
-
function getJwtExpiration(token) {
|
|
22
|
-
try {
|
|
23
|
-
const parts = token.split('.');
|
|
24
|
-
if (parts.length !== 3)
|
|
25
|
-
return undefined;
|
|
26
|
-
// Base64url decode the payload
|
|
27
|
-
const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
|
|
28
|
-
const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
|
|
29
|
-
const decoded = JSON.parse(atob(padded));
|
|
30
|
-
return typeof decoded.exp === 'number' ? decoded.exp : undefined;
|
|
31
|
-
}
|
|
32
|
-
catch {
|
|
33
|
-
return undefined;
|
|
34
|
-
}
|
|
35
|
-
}
|
|
36
|
-
/**
|
|
37
|
-
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
38
|
-
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
39
|
-
*/
|
|
40
|
-
function resolveTokenExpiry(accessToken, expiresIn) {
|
|
41
|
-
if (typeof expiresIn === 'number') {
|
|
42
|
-
return Date.now() / 1000 + expiresIn;
|
|
43
|
-
}
|
|
44
|
-
return getJwtExpiration(accessToken);
|
|
45
|
-
}
|
|
46
|
-
function isTokenExpired(expiry, bufferSeconds = 30) {
|
|
47
|
-
if (expiry === undefined)
|
|
48
|
-
return true;
|
|
49
|
-
return Date.now() / 1000 >= expiry - bufferSeconds;
|
|
50
|
-
}
|
|
51
18
|
async function fetchToken(tokenEndpoint, body) {
|
|
52
19
|
const response = await fetch(tokenEndpoint, {
|
|
53
20
|
method: 'POST',
|
|
@@ -91,7 +58,7 @@ function clientCredentialsTokenProvider(options) {
|
|
|
91
58
|
let cachedExpiry;
|
|
92
59
|
let inFlight;
|
|
93
60
|
return async () => {
|
|
94
|
-
if (cachedToken && !isTokenExpired(cachedExpiry)) {
|
|
61
|
+
if (cachedToken && !(0, tokenExpiry_js_1.isTokenExpired)(cachedExpiry)) {
|
|
95
62
|
return cachedToken;
|
|
96
63
|
}
|
|
97
64
|
if (!inFlight) {
|
|
@@ -103,7 +70,7 @@ function clientCredentialsTokenProvider(options) {
|
|
|
103
70
|
client_secret: options.clientSecret,
|
|
104
71
|
});
|
|
105
72
|
cachedToken = resp.access_token;
|
|
106
|
-
cachedExpiry = resolveTokenExpiry(resp.access_token, resp.expires_in);
|
|
73
|
+
cachedExpiry = (0, tokenExpiry_js_1.resolveTokenExpiry)(resp.access_token, resp.expires_in);
|
|
107
74
|
return cachedToken;
|
|
108
75
|
}
|
|
109
76
|
finally {
|
|
@@ -141,7 +108,7 @@ function refreshTokenProvider(options) {
|
|
|
141
108
|
let cachedExpiry;
|
|
142
109
|
let inFlight;
|
|
143
110
|
return async () => {
|
|
144
|
-
if (cachedToken && !isTokenExpired(cachedExpiry)) {
|
|
111
|
+
if (cachedToken && !(0, tokenExpiry_js_1.isTokenExpired)(cachedExpiry)) {
|
|
145
112
|
return cachedToken;
|
|
146
113
|
}
|
|
147
114
|
if (!inFlight) {
|
|
@@ -153,7 +120,7 @@ function refreshTokenProvider(options) {
|
|
|
153
120
|
client_id: options.clientId,
|
|
154
121
|
});
|
|
155
122
|
cachedToken = resp.access_token;
|
|
156
|
-
cachedExpiry = resolveTokenExpiry(resp.access_token, resp.expires_in);
|
|
123
|
+
cachedExpiry = (0, tokenExpiry_js_1.resolveTokenExpiry)(resp.access_token, resp.expires_in);
|
|
157
124
|
if (resp.refresh_token) {
|
|
158
125
|
currentRefreshToken = resp.refresh_token;
|
|
159
126
|
}
|
|
@@ -195,7 +162,7 @@ function externalJwtTokenProvider(options) {
|
|
|
195
162
|
let initialExchangeDone = false;
|
|
196
163
|
let inFlight;
|
|
197
164
|
return async () => {
|
|
198
|
-
if (cachedToken && !isTokenExpired(cachedExpiry)) {
|
|
165
|
+
if (cachedToken && !(0, tokenExpiry_js_1.isTokenExpired)(cachedExpiry)) {
|
|
199
166
|
return cachedToken;
|
|
200
167
|
}
|
|
201
168
|
if (!inFlight) {
|
|
@@ -230,7 +197,7 @@ function externalJwtTokenProvider(options) {
|
|
|
230
197
|
});
|
|
231
198
|
}
|
|
232
199
|
cachedToken = resp.access_token;
|
|
233
|
-
cachedExpiry = resolveTokenExpiry(resp.access_token, resp.expires_in);
|
|
200
|
+
cachedExpiry = (0, tokenExpiry_js_1.resolveTokenExpiry)(resp.access_token, resp.expires_in);
|
|
234
201
|
if (resp.refresh_token) {
|
|
235
202
|
currentRefreshToken = resp.refresh_token;
|
|
236
203
|
}
|
|
@@ -244,4 +211,4 @@ function externalJwtTokenProvider(options) {
|
|
|
244
211
|
return inFlight;
|
|
245
212
|
};
|
|
246
213
|
}
|
|
247
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
214
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidG9rZW4tcHJvdmlkZXJzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2F1dGgvdG9rZW4tcHJvdmlkZXJzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBeUdBLHdFQWlDQztBQW1CRCxvREFtQ0M7QUFtQkQsNERBMERDO0FBNVFELHFEQUFzRTtBQUN0RSw0Q0FBNEQ7QUFDNUQsMENBQXFDO0FBcURyQyxTQUFTLG9CQUFvQixDQUFDLFVBQWtCLEVBQUUsUUFBaUI7SUFDakUsSUFBSSxRQUFRLEVBQUUsSUFBSSxFQUFFO1FBQUUsT0FBTyxRQUFRLENBQUM7SUFDdEMsTUFBTSxJQUFJLEdBQUcsVUFBVSxFQUFFLElBQUksRUFBRSxDQUFDO0lBQ2hDLElBQUksQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUNWLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw2Q0FBNkMsQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFDRCxPQUFPLEdBQUcsSUFBQSxpQkFBTSxFQUFDLElBQUksRUFBRSxHQUFHLENBQUMsZ0NBQWdDLENBQUM7QUFDOUQsQ0FBQztBQUVELEtBQUssVUFBVSxVQUFVLENBQ3ZCLGFBQXFCLEVBQ3JCLElBQTRCO0lBRTVCLE1BQU0sUUFBUSxHQUFHLE1BQU0sS0FBSyxDQUFDLGFBQWEsRUFBRTtRQUMxQyxNQUFNLEVBQUUsTUFBTTtRQUNkLE9BQU8sRUFBRTtZQUNQLGNBQWMsRUFBRSxtQ0FBbUM7WUFDbkQsTUFBTSxFQUFFLGtCQUFrQjtTQUMzQjtRQUNELElBQUksRUFBRSxJQUFJLGVBQWUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLEVBQUU7S0FDM0MsQ0FBQyxDQUFDO0lBQ0gsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsQ0FBQztRQUNqQixNQUFNLElBQUksR0FBRyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUNuQyxNQUFNLElBQUksb0JBQVEsQ0FDaEIsK0JBQStCLGFBQWEsUUFBUSxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxVQUFVLEtBQUssSUFBSSxFQUFFLENBQ3RHLENBQUM7SUFDSixDQUFDO0lBQ0QsT0FBTyxDQUFDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFrQixDQUFDO0FBQ2xELENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBa0JHO0FBQ0gsU0FBZ0IsOEJBQThCLENBQzVDLE9BQThDO0lBRTlDLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxJQUFJLENBQUMsT0FBTyxDQUFDLFlBQVksRUFBRSxDQUFDO1FBQy9DLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx3Q0FBd0MsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFDRCxNQUFNLGFBQWEsR0FBRyxvQkFBb0IsQ0FBQyxPQUFPLENBQUMsVUFBVSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0lBQzFGLElBQUksV0FBK0IsQ0FBQztJQUNwQyxJQUFJLFlBQWdDLENBQUM7SUFDckMsSUFBSSxRQUFxQyxDQUFDO0lBRTFDLE9BQU8sS0FBSyxJQUFJLEVBQUU7UUFDaEIsSUFBSSxXQUFXLElBQUksQ0FBQyxJQUFBLCtCQUFjLEVBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQztZQUNqRCxPQUFPLFdBQVcsQ0FBQztRQUNyQixDQUFDO1FBQ0QsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ2QsUUFBUSxHQUFHLENBQUMsS0FBSyxJQUFJLEVBQUU7Z0JBQ3JCLElBQUksQ0FBQztvQkFDSCxNQUFNLElBQUksR0FBRyxNQUFNLFVBQVUsQ0FBQyxhQUFhLEVBQUU7d0JBQzNDLFVBQVUsRUFBRSxvQkFBb0I7d0JBQ2hDLFNBQVMsRUFBRSxPQUFPLENBQUMsUUFBUTt3QkFDM0IsYUFBYSxFQUFFLE9BQU8sQ0FBQyxZQUFZO3FCQUNwQyxDQUFDLENBQUM7b0JBQ0gsV0FBVyxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUM7b0JBQ2hDLFlBQVksR0FBRyxJQUFBLG1DQUFrQixFQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO29CQUN0RSxPQUFPLFdBQVcsQ0FBQztnQkFDckIsQ0FBQzt3QkFBUyxDQUFDO29CQUNULFFBQVEsR0FBRyxTQUFTLENBQUM7Z0JBQ3ZCLENBQUM7WUFDSCxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ1AsQ0FBQztRQUNELE9BQU8sUUFBUSxDQUFDO0lBQ2xCLENBQUMsQ0FBQztBQUNKLENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7OztHQWdCRztBQUNILFNBQWdCLG9CQUFvQixDQUFDLE9BQW9DO0lBQ3ZFLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxJQUFJLENBQUMsT0FBTyxDQUFDLFlBQVksRUFBRSxDQUFDO1FBQy9DLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx3Q0FBd0MsQ0FBQyxDQUFDO0lBQ3pFLENBQUM7SUFDRCxNQUFNLGFBQWEsR0FBRyxvQkFBb0IsQ0FBQyxPQUFPLENBQUMsVUFBVSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0lBQzFGLElBQUksbUJBQW1CLEdBQUcsT0FBTyxDQUFDLFlBQVksQ0FBQztJQUMvQyxJQUFJLFdBQStCLENBQUM7SUFDcEMsSUFBSSxZQUFnQyxDQUFDO0lBQ3JDLElBQUksUUFBcUMsQ0FBQztJQUUxQyxPQUFPLEtBQUssSUFBSSxFQUFFO1FBQ2hCLElBQUksV0FBVyxJQUFJLENBQUMsSUFBQSwrQkFBYyxFQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7WUFDakQsT0FBTyxXQUFXLENBQUM7UUFDckIsQ0FBQztRQUNELElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNkLFFBQVEsR0FBRyxDQUFDLEtBQUssSUFBSSxFQUFFO2dCQUNyQixJQUFJLENBQUM7b0JBQ0gsTUFBTSxJQUFJLEdBQUcsTUFBTSxVQUFVLENBQUMsYUFBYSxFQUFFO3dCQUMzQyxVQUFVLEVBQUUsZUFBZTt3QkFDM0IsYUFBYSxFQUFFLG1CQUFtQjt3QkFDbEMsU0FBUyxFQUFFLE9BQU8sQ0FBQyxRQUFRO3FCQUM1QixDQUFDLENBQUM7b0JBQ0gsV0FBVyxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUM7b0JBQ2hDLFlBQVksR0FBRyxJQUFBLG1DQUFrQixFQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO29CQUN0RSxJQUFJLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQzt3QkFDdkIsbUJBQW1CLEdBQUcsSUFBSSxDQUFDLGFBQWEsQ0FBQztvQkFDM0MsQ0FBQztvQkFDRCxPQUFPLFdBQVcsQ0FBQztnQkFDckIsQ0FBQzt3QkFBUyxDQUFDO29CQUNULFFBQVEsR0FBRyxTQUFTLENBQUM7Z0JBQ3ZCLENBQUM7WUFDSCxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ1AsQ0FBQztRQUNELE9BQU8sUUFBUSxDQUFDO0lBQ2xCLENBQUMsQ0FBQztBQUNKLENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7OztHQWdCRztBQUNILFNBQWdCLHdCQUF3QixDQUFDLE9BQXdDO0lBQy9FLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxJQUFJLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQzlDLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx1Q0FBdUMsQ0FBQyxDQUFDO0lBQ3hFLENBQUM7SUFDRCxNQUFNLGFBQWEsR0FBRyxvQkFBb0IsQ0FBQyxPQUFPLENBQUMsVUFBVSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0lBQzFGLElBQUksV0FBK0IsQ0FBQztJQUNwQyxJQUFJLFlBQWdDLENBQUM7SUFDckMsSUFBSSxtQkFBdUMsQ0FBQztJQUM1QyxJQUFJLG1CQUFtQixHQUFHLEtBQUssQ0FBQztJQUNoQyxJQUFJLFFBQXFDLENBQUM7SUFFMUMsT0FBTyxLQUFLLElBQUksRUFBRTtRQUNoQixJQUFJLFdBQVcsSUFBSSxDQUFDLElBQUEsK0JBQWMsRUFBQyxZQUFZLENBQUMsRUFBRSxDQUFDO1lBQ2pELE9BQU8sV0FBVyxDQUFDO1FBQ3JCLENBQUM7UUFDRCxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDZCxRQUFRLEdBQUcsQ0FBQyxLQUFLLElBQUksRUFBRTtnQkFDckIsSUFBSSxDQUFDO29CQUNILElBQUksSUFBbUIsQ0FBQztvQkFDeEIsSUFBSSxDQUFDLG1CQUFtQixFQUFFLENBQUM7d0JBQ3pCLElBQUksR0FBRyxNQUFNLFVBQVUsQ0FBQyxhQUFhLEVBQUU7NEJBQ3JDLFVBQVUsRUFBRSxpREFBaUQ7NEJBQzdELGFBQWEsRUFBRSxPQUFPLENBQUMsV0FBVzs0QkFDbEMsa0JBQWtCLEVBQUUsc0NBQXNDOzRCQUMxRCxRQUFRLEVBQUUsT0FBTyxDQUFDLFFBQVE7NEJBQzFCLFNBQVMsRUFBRSxPQUFPLENBQUMsUUFBUTt5QkFDNUIsQ0FBQyxDQUFDO3dCQUNILG1CQUFtQixHQUFHLElBQUksQ0FBQztvQkFDN0IsQ0FBQzt5QkFBTSxJQUFJLG1CQUFtQixFQUFFLENBQUM7d0JBQy9CLElBQUksR0FBRyxNQUFNLFVBQVUsQ0FBQyxhQUFhLEVBQUU7NEJBQ3JDLFVBQVUsRUFBRSxlQUFlOzRCQUMzQixhQUFhLEVBQUUsbUJBQW1COzRCQUNsQyxTQUFTLEVBQUUsT0FBTyxDQUFDLFFBQVE7eUJBQzVCLENBQUMsQ0FBQztvQkFDTCxDQUFDO3lCQUFNLENBQUM7d0JBQ04sNkRBQTZEO3dCQUM3RCxJQUFJLEdBQUcsTUFBTSxVQUFVLENBQUMsYUFBYSxFQUFFOzRCQUNyQyxVQUFVLEVBQUUsaURBQWlEOzRCQUM3RCxhQUFhLEVBQUUsT0FBTyxDQUFDLFdBQVc7NEJBQ2xDLGtCQUFrQixFQUFFLHNDQUFzQzs0QkFDMUQsUUFBUSxFQUFFLE9BQU8sQ0FBQyxRQUFROzRCQUMxQixTQUFTLEVBQUUsT0FBTyxDQUFDLFFBQVE7eUJBQzVCLENBQUMsQ0FBQztvQkFDTCxDQUFDO29CQUVELFdBQVcsR0FBRyxJQUFJLENBQUMsWUFBWSxDQUFDO29CQUNoQyxZQUFZLEdBQUcsSUFBQSxtQ0FBa0IsRUFBQyxJQUFJLENBQUMsWUFBWSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztvQkFDdEUsSUFBSSxJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7d0JBQ3ZCLG1CQUFtQixHQUFHLElBQUksQ0FBQyxhQUFhLENBQUM7b0JBQzNDLENBQUM7b0JBQ0QsT0FBTyxXQUFXLENBQUM7Z0JBQ3JCLENBQUM7d0JBQVMsQ0FBQztvQkFDVCxRQUFRLEdBQUcsU0FBUyxDQUFDO2dCQUN2QixDQUFDO1lBQ0gsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUNQLENBQUM7UUFDRCxPQUFPLFFBQVEsQ0FBQztJQUNsQixDQUFDLENBQUM7QUFDSixDQUFDIn0=
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Helpers for deciding whether a cached access token is still fresh, using the
|
|
4
|
+
* JWT `exp` claim (or an OAuth `expires_in`) rather than a network round trip.
|
|
5
|
+
*/
|
|
6
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
+
exports.getJwtExpiration = getJwtExpiration;
|
|
8
|
+
exports.resolveTokenExpiry = resolveTokenExpiry;
|
|
9
|
+
exports.isTokenExpired = isTokenExpired;
|
|
10
|
+
/**
|
|
11
|
+
* Decode a JWT's exp claim without verifying the signature.
|
|
12
|
+
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
13
|
+
*/
|
|
14
|
+
function getJwtExpiration(token) {
|
|
15
|
+
try {
|
|
16
|
+
const parts = token.split('.');
|
|
17
|
+
if (parts.length !== 3)
|
|
18
|
+
return undefined;
|
|
19
|
+
// Base64url decode the payload
|
|
20
|
+
const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
|
|
21
|
+
const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
|
|
22
|
+
const decoded = JSON.parse(atob(padded));
|
|
23
|
+
return typeof decoded.exp === 'number' ? decoded.exp : undefined;
|
|
24
|
+
}
|
|
25
|
+
catch {
|
|
26
|
+
return undefined;
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
31
|
+
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
32
|
+
*/
|
|
33
|
+
function resolveTokenExpiry(accessToken, expiresIn) {
|
|
34
|
+
if (typeof expiresIn === 'number') {
|
|
35
|
+
return Math.floor(Date.now() / 1000) + expiresIn;
|
|
36
|
+
}
|
|
37
|
+
return getJwtExpiration(accessToken);
|
|
38
|
+
}
|
|
39
|
+
function isTokenExpired(expiry, bufferSeconds = 30) {
|
|
40
|
+
if (expiry === undefined)
|
|
41
|
+
return true;
|
|
42
|
+
return Math.floor(Date.now() / 1000) >= expiry - bufferSeconds;
|
|
43
|
+
}
|
|
44
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidG9rZW5FeHBpcnkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXV0aC90b2tlbkV4cGlyeS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiO0FBQUE7OztHQUdHOztBQU1ILDRDQVlDO0FBTUQsZ0RBS0M7QUFFRCx3Q0FHQztBQWhDRDs7O0dBR0c7QUFDSCxTQUFnQixnQkFBZ0IsQ0FBQyxLQUFhO0lBQzVDLElBQUksQ0FBQztRQUNILE1BQU0sS0FBSyxHQUFHLEtBQUssQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDL0IsSUFBSSxLQUFLLENBQUMsTUFBTSxLQUFLLENBQUM7WUFBRSxPQUFPLFNBQVMsQ0FBQztRQUN6QywrQkFBK0I7UUFDL0IsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQztRQUMvRCxNQUFNLE1BQU0sR0FBRyxPQUFPLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLE9BQU8sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztRQUNwRSxNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDO1FBQ3pDLE9BQU8sT0FBTyxPQUFPLENBQUMsR0FBRyxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDO0lBQ25FLENBQUM7SUFBQyxNQUFNLENBQUM7UUFDUCxPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0FBQ0gsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGtCQUFrQixDQUFDLFdBQW1CLEVBQUUsU0FBa0I7SUFDeEUsSUFBSSxPQUFPLFNBQVMsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUNsQyxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLFNBQVMsQ0FBQztJQUNuRCxDQUFDO0lBQ0QsT0FBTyxnQkFBZ0IsQ0FBQyxXQUFXLENBQUMsQ0FBQztBQUN2QyxDQUFDO0FBRUQsU0FBZ0IsY0FBYyxDQUFDLE1BQTBCLEVBQUUsYUFBYSxHQUFHLEVBQUU7SUFDM0UsSUFBSSxNQUFNLEtBQUssU0FBUztRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQ3RDLE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLElBQUksTUFBTSxHQUFHLGFBQWEsQ0FBQztBQUNqRSxDQUFDIn0=
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-fetch.d.ts","sourceRoot":"","sources":["../../../../src/access/access-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AACxF,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAWpD,MAAM,MAAM,aAAa,GAAG;IAC1B,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,WAAW,EAAE,aAAa,EAC1B,YAAY,EAAE,YAAY,GACzB,OAAO,CAAC,oBAAoB,CAAC,
|
|
1
|
+
{"version":3,"file":"access-fetch.d.ts","sourceRoot":"","sources":["../../../../src/access/access-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AACxF,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAWpD,MAAM,MAAM,aAAa,GAAG;IAC1B,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,WAAW,EAAE,aAAa,EAC1B,YAAY,EAAE,YAAY,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAoD/B;AAED,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,YAAY,GACzB,OAAO,CAAC,eAAe,CAAC,CA4C1B;AAED,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,qBAAqB,GAChC,OAAO,CAAC,gBAAgB,CAAC,CA0D3B"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-rpc.d.ts","sourceRoot":"","sources":["../../../../src/access/access-rpc.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EAChB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,KAAK,UAAU,EAAuB,MAAM,yBAAyB,CAAC;AAU/E,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAU3D;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,kBAAkB,EAAE,MAAM,EAC1B,IAAI,EAAE,UAAU,EAChB,6BAA6B,CAAC,EAAE,MAAM,GACrC,OAAO,CAAC,cAAc,CAAC,CAgBzB;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,GAAG,KAAK,
|
|
1
|
+
{"version":3,"file":"access-rpc.d.ts","sourceRoot":"","sources":["../../../../src/access/access-rpc.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EAChB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,KAAK,UAAU,EAAuB,MAAM,yBAAyB,CAAC;AAU/E,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAU3D;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,EACX,kBAAkB,EAAE,MAAM,EAC1B,IAAI,EAAE,UAAU,EAChB,6BAA6B,CAAC,EAAE,MAAM,GACrC,OAAO,CAAC,cAAc,CAAC,CAgBzB;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,GAAG,KAAK,CA0B3E;AAED,wBAAgB,0BAA0B,CACxC,CAAC,EAAE,MAAM,EACT,WAAW,EAAE,MAAM,EACnB,mBAAmB,CAAC,EAAE,MAAM,EAAE,GAC7B,KAAK,CAgCP;AAED,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,eAAe,CAAC,CA8B1B;AA2BD,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,qBAAqB,GAChC,OAAO,CAAC,gBAAgB,CAAC,CA0B3B;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA6BvF"}
|
|
@@ -44,6 +44,7 @@ export type OIDCCredentials = ClientSecretCredentials | ExternalJwtCredentials |
|
|
|
44
44
|
export type AccessTokenResponse = {
|
|
45
45
|
access_token: string;
|
|
46
46
|
refresh_token?: string;
|
|
47
|
+
expires_in?: number;
|
|
47
48
|
};
|
|
48
49
|
/**
|
|
49
50
|
* Class that provides OIDC functionality to auth providers, assuming 'enhanced'
|
|
@@ -76,7 +77,10 @@ export declare class AccessToken {
|
|
|
76
77
|
userInfoEndpoint: string;
|
|
77
78
|
signingKey?: KeyPair;
|
|
78
79
|
extraHeaders: Record<string, string>;
|
|
79
|
-
|
|
80
|
+
/** Absolute expiry (seconds since epoch) of the cached access token in `data`. */
|
|
81
|
+
cachedExpiry?: number;
|
|
82
|
+
/** In-flight token exchange, used to dedupe concurrent `get()` calls. */
|
|
83
|
+
inFlight?: Promise<string>;
|
|
80
84
|
cryptoService: CryptoService;
|
|
81
85
|
constructor(cfg: OIDCCredentials, cryptoService: CryptoService, request?: typeof fetch);
|
|
82
86
|
/**
|
|
@@ -89,7 +93,12 @@ export declare class AccessToken {
|
|
|
89
93
|
accessTokenLookup(cfg: OIDCCredentials): Promise<any>;
|
|
90
94
|
/**
|
|
91
95
|
* Gets an access token; operates lazily/cached, with an optional check for freshness.
|
|
92
|
-
*
|
|
96
|
+
*
|
|
97
|
+
* Freshness is determined locally from the token's `exp` claim (or the OAuth
|
|
98
|
+
* `expires_in` from the token response) — no network round trip. This replaces an
|
|
99
|
+
* earlier scheme that validated cached tokens against the OIDC `userinfo` endpoint.
|
|
100
|
+
* @param validate if we should check that any cached access token is still fresh
|
|
101
|
+
* before returning it; when false, a cached token is returned regardless of expiry
|
|
93
102
|
* @returns
|
|
94
103
|
*/
|
|
95
104
|
get(validate?: boolean): Promise<string>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../../src/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAe,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../../src/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAe,MAAM,WAAW,CAAC;AAKrD,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,OAAO,EAAE,MAAM,uCAAuC,CAAC;AAEzF;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,sGAAsG;IACtG,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sCAAsC;IACtC,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB,2HAA2H;IAC3H,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,iBAAiB,GAAG;IACxD,QAAQ,EAAE,QAAQ,CAAC;IACnB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,iBAAiB,GAAG;IACxD,QAAQ,EAAE,SAAS,CAAC;IACpB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAAG,iBAAiB,GAAG;IACvD,QAAQ,EAAE,UAAU,CAAC;IACrB,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,eAAe,GACvB,uBAAuB,GACvB,sBAAsB,GACtB,uBAAuB,CAAC;AAI5B,MAAM,MAAM,mBAAmB,GAAG;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,WAAW;IACtB,MAAM,EAAE,eAAe,CAAC;IAExB,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAExE,IAAI,CAAC,EAAE,mBAAmB,CAAC;IAE3B,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IAEzB,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAM;IAE1C,kFAAkF;IAClF,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,yEAAyE;IACzE,QAAQ,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAE3B,aAAa,EAAE,aAAa,CAAC;gBAEjB,GAAG,EAAE,eAAe,EAAE,aAAa,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,OAAO,KAAK;IA8BtF;;;;OAIG;IACG,IAAI,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA0B3C,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAwB7C,iBAAiB,CAAC,GAAG,EAAE,eAAe;IAqC5C;;;;;;;;;OASG;IACG,GAAG,CAAC,QAAQ,UAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAqC3C;;;;;;OAMG;IACG,0CAA0C,CAAC,UAAU,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAapF;;OAEG;IACG,uBAAuB,IAAI,OAAO,CAAC,MAAM,CAAC;IAwB1C,SAAS,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;CAqB5D"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-providers.d.ts","sourceRoot":"","sources":["../../../../src/auth/token-providers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"token-providers.d.ts","sourceRoot":"","sources":["../../../../src/auth/token-providers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAKvD;;;;;GAKG;AACH,MAAM,MAAM,qCAAqC,GAAG;IAClD,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,UAAU,EAAE,MAAM,CAAC;IACnB,+FAA+F;IAC/F,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,2BAA2B,GAAG;IACxC,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,YAAY,EAAE,MAAM,CAAC;IACrB,yEAAyE;IACzE,UAAU,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,+BAA+B,GAAG;IAC5C,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,yEAAyE;IACzE,UAAU,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B,CAAC;AAsCF;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,qCAAqC,GAC7C,aAAa,CA+Bf;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,2BAA2B,GAAG,aAAa,CAmCxF;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,+BAA+B,GAAG,aAAa,CA0DhG"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Helpers for deciding whether a cached access token is still fresh, using the
|
|
3
|
+
* JWT `exp` claim (or an OAuth `expires_in`) rather than a network round trip.
|
|
4
|
+
*/
|
|
5
|
+
/**
|
|
6
|
+
* Decode a JWT's exp claim without verifying the signature.
|
|
7
|
+
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
8
|
+
*/
|
|
9
|
+
export declare function getJwtExpiration(token: string): number | undefined;
|
|
10
|
+
/**
|
|
11
|
+
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
12
|
+
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
13
|
+
*/
|
|
14
|
+
export declare function resolveTokenExpiry(accessToken: string, expiresIn?: number): number | undefined;
|
|
15
|
+
export declare function isTokenExpired(expiry: number | undefined, bufferSeconds?: number): boolean;
|
|
16
|
+
//# sourceMappingURL=tokenExpiry.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tokenExpiry.d.ts","sourceRoot":"","sources":["../../../../src/auth/tokenExpiry.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAYlE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAK9F;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,EAAE,aAAa,SAAK,GAAG,OAAO,CAGtF"}
|
|
@@ -40,7 +40,7 @@ export async function fetchWrappedKey(url, requestBody, authProvider) {
|
|
|
40
40
|
case 401:
|
|
41
41
|
throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
|
|
42
42
|
case 403:
|
|
43
|
-
throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
|
|
43
|
+
throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied: forbidden`);
|
|
44
44
|
default:
|
|
45
45
|
if (response.status >= 500) {
|
|
46
46
|
throw new ServiceError(`${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`);
|
|
@@ -147,4 +147,4 @@ export async function fetchKasPubKey(kasEndpoint, algorithm) {
|
|
|
147
147
|
...(kid && { kid }),
|
|
148
148
|
};
|
|
149
149
|
}
|
|
150
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
150
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjZXNzLWZldGNoLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2FjY2Vzcy9hY2Nlc3MtZmV0Y2gudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUEyQyxlQUFlLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFFeEYsT0FBTyxFQUNMLGtCQUFrQixFQUNsQixnQkFBZ0IsRUFDaEIsWUFBWSxFQUNaLHFCQUFxQixFQUNyQixZQUFZLEVBQ1osb0JBQW9CLEdBQ3JCLE1BQU0sY0FBYyxDQUFDO0FBQ3RCLE9BQU8sRUFBRSxpQkFBaUIsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQWFoRDs7Ozs7O0dBTUc7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLGVBQWUsQ0FDbkMsR0FBVyxFQUNYLFdBQTBCLEVBQzFCLFlBQTBCO0lBRTFCLE1BQU0sR0FBRyxHQUFHLE1BQU0sWUFBWSxDQUFDLFNBQVMsQ0FBQztRQUN2QyxHQUFHO1FBQ0gsTUFBTSxFQUFFLE1BQU07UUFDZCxPQUFPLEVBQUU7WUFDUCxjQUFjLEVBQUUsa0JBQWtCO1NBQ25DO1FBQ0QsSUFBSSxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDO0tBQ2xDLENBQUMsQ0FBQztJQUVILElBQUksUUFBa0IsQ0FBQztJQUV2QixJQUFJLENBQUM7UUFDSCxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRTtZQUM5QixNQUFNLEVBQUUsR0FBRyxDQUFDLE1BQU07WUFDbEIsSUFBSSxFQUFFLE1BQU0sRUFBRSw4QkFBOEI7WUFDNUMsS0FBSyxFQUFFLFVBQVUsRUFBRSwwREFBMEQ7WUFDN0UsV0FBVyxFQUFFLGFBQWEsRUFBRSw4QkFBOEI7WUFDMUQsT0FBTyxFQUFFLEdBQUcsQ0FBQyxPQUFPO1lBQ3BCLFFBQVEsRUFBRSxRQUFRLEVBQUUseUJBQXlCO1lBQzdDLGNBQWMsRUFBRSxhQUFhLEVBQUUsc0pBQXNKO1lBQ3JMLElBQUksRUFBRSxHQUFHLENBQUMsSUFBZ0I7U0FDM0IsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksWUFBWSxDQUFDLHFDQUFxQyxHQUFHLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUN6RSxDQUFDO0lBRUQsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsQ0FBQztRQUNqQixRQUFRLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUN4QixLQUFLLEdBQUc7Z0JBQ04sTUFBTSxJQUFJLGdCQUFnQixDQUN4QixZQUFZLEdBQUcsQ0FBQyxHQUFHLDBCQUEwQixNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUN0RSxDQUFDO1lBQ0osS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxvQkFBb0IsQ0FBQyxZQUFZLEdBQUcsQ0FBQyxHQUFHLHdCQUF3QixDQUFDLENBQUM7WUFDOUUsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxxQkFBcUIsQ0FDN0IsWUFBWSxHQUFHLENBQUMsR0FBRyx3Q0FBd0MsQ0FDNUQsQ0FBQztZQUNKO2dCQUNFLElBQUksUUFBUSxDQUFDLE1BQU0sSUFBSSxHQUFHLEVBQUUsQ0FBQztvQkFDM0IsTUFBTSxJQUFJLFlBQVksQ0FDcEIsR0FBRyxRQUFRLENBQUMsTUFBTSxTQUFTLEdBQUcsQ0FBQyxHQUFHLDJDQUEyQyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUN0RyxDQUFDO2dCQUNKLENBQUM7Z0JBQ0QsTUFBTSxJQUFJLFlBQVksQ0FDcEIsR0FBRyxHQUFHLENBQUMsTUFBTSxJQUFJLEdBQUcsQ0FBQyxHQUFHLE9BQU8sUUFBUSxDQUFDLE1BQU0sSUFBSSxRQUFRLENBQUMsVUFBVSxFQUFFLENBQ3hFLENBQUM7UUFDTixDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO0FBQ3pCLENBQUM7QUFFRCxNQUFNLENBQUMsS0FBSyxVQUFVLHFCQUFxQixDQUN6QyxXQUFtQixFQUNuQixZQUEwQjtJQUUxQixJQUFJLFVBQVUsR0FBRyxDQUFDLENBQUM7SUFDbkIsTUFBTSxVQUFVLEdBQUcsRUFBRSxDQUFDO0lBQ3RCLEdBQUcsQ0FBQztRQUNGLE1BQU0sR0FBRyxHQUFHLE1BQU0sWUFBWSxDQUFDLFNBQVMsQ0FBQztZQUN2QyxHQUFHLEVBQUUsR0FBRyxXQUFXLHlDQUF5QyxVQUFVLEVBQUU7WUFDeEUsTUFBTSxFQUFFLEtBQUs7WUFDYixPQUFPLEVBQUU7Z0JBQ1AsY0FBYyxFQUFFLGtCQUFrQjthQUNuQztTQUNGLENBQUMsQ0FBQztRQUNILElBQUksUUFBa0IsQ0FBQztRQUN2QixJQUFJLENBQUM7WUFDSCxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRTtnQkFDOUIsTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNO2dCQUNsQixPQUFPLEVBQUUsR0FBRyxDQUFDLE9BQU87Z0JBQ3BCLElBQUksRUFBRSxHQUFHLENBQUMsSUFBZ0I7Z0JBQzFCLElBQUksRUFBRSxNQUFNO2dCQUNaLEtBQUssRUFBRSxVQUFVO2dCQUNqQixXQUFXLEVBQUUsYUFBYTtnQkFDMUIsUUFBUSxFQUFFLFFBQVE7Z0JBQ2xCLGNBQWMsRUFBRSxhQUFhO2FBQzlCLENBQUMsQ0FBQztRQUNMLENBQUM7UUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ1gsTUFBTSxJQUFJLFlBQVksQ0FBQyxrQ0FBa0MsR0FBRyxDQUFDLEdBQUcsR0FBRyxFQUFFLENBQUMsQ0FBQyxDQUFDO1FBQzFFLENBQUM7UUFDRCwyREFBMkQ7UUFDM0QsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNqQixNQUFNLElBQUksWUFBWSxDQUNwQixrQ0FBa0MsR0FBRyxDQUFDLEdBQUcsY0FBYyxRQUFRLENBQUMsTUFBTSxFQUFFLENBQ3pFLENBQUM7UUFDSixDQUFDO1FBQ0QsTUFBTSxFQUFFLGdCQUFnQixHQUFHLEVBQUUsRUFBRSxVQUFVLEdBQUcsRUFBRSxFQUFFLEdBQUcsTUFBTSxRQUFRLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDekUsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLGdCQUFnQixDQUFDLENBQUM7UUFDckMsVUFBVSxHQUFHLFVBQVUsQ0FBQyxVQUFVLElBQUksQ0FBQyxDQUFDO0lBQzFDLENBQUMsUUFBUSxVQUFVLEdBQUcsQ0FBQyxFQUFFO0lBRXpCLE1BQU0sVUFBVSxHQUFHLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUMxRCx3QkFBd0I7SUFDeEIsSUFBSSxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsR0FBRyxXQUFXLE1BQU0sQ0FBQyxFQUFFLENBQUM7UUFDL0MsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLFdBQVcsTUFBTSxDQUFDLENBQUM7SUFDeEMsQ0FBQztJQUVELE9BQU8sSUFBSSxlQUFlLENBQUMsVUFBVSxFQUFFLEtBQUssQ0FBQyxDQUFDO0FBQ2hELENBQUM7QUFFRCxNQUFNLENBQUMsS0FBSyxVQUFVLGNBQWMsQ0FDbEMsV0FBbUIsRUFDbkIsU0FBaUM7SUFFakMsSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQ2pCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0lBQzNELENBQUM7SUFDRCx1REFBdUQ7SUFDdkQsaUJBQWlCLENBQUMsV0FBVyxDQUFDLENBQUM7SUFFL0Isb0ZBQW9GO0lBQ3BGLElBQUksT0FBWSxDQUFDO0lBQ2pCLElBQUksQ0FBQztRQUNILE9BQU8sR0FBRyxJQUFJLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUNqQyxDQUFDO0lBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNYLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyw0QkFBNEIsV0FBVyxHQUFHLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDOUUsQ0FBQztJQUNELElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxFQUFFLENBQUM7UUFDakQsSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDcEMsT0FBTyxDQUFDLFFBQVEsSUFBSSxHQUFHLENBQUM7UUFDMUIsQ0FBQztRQUNELE9BQU8sQ0FBQyxRQUFRLElBQUksbUJBQW1CLENBQUM7SUFDMUMsQ0FBQztJQUNELE9BQU8sQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLFdBQVcsRUFBRSxTQUFTLElBQUksVUFBVSxDQUFDLENBQUM7SUFDL0QsSUFBSSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDbkMsT0FBTyxDQUFDLFlBQVksQ0FBQyxHQUFHLENBQUMsR0FBRyxFQUFFLEdBQUcsQ0FBQyxDQUFDO0lBQ3JDLENBQUM7SUFFRCxJQUFJLG1CQUE2QixDQUFDO0lBQ2xDLElBQUksQ0FBQztRQUNILG1CQUFtQixHQUFHLE1BQU0sS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzdDLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsTUFBTSxJQUFJLFlBQVksQ0FBQyxvQ0FBb0MsT0FBTyxHQUFHLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDNUUsQ0FBQztJQUNELElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxFQUFFLEVBQUUsQ0FBQztRQUM1QixRQUFRLG1CQUFtQixDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ25DLEtBQUssR0FBRztnQkFDTixNQUFNLElBQUksa0JBQWtCLENBQUMsWUFBWSxPQUFPLEdBQUcsQ0FBQyxDQUFDO1lBQ3ZELEtBQUssR0FBRztnQkFDTixNQUFNLElBQUksb0JBQW9CLENBQUMsWUFBWSxPQUFPLEdBQUcsQ0FBQyxDQUFDO1lBQ3pELEtBQUssR0FBRztnQkFDTixNQUFNLElBQUkscUJBQXFCLENBQUMsWUFBWSxPQUFPLEdBQUcsQ0FBQyxDQUFDO1lBQzFEO2dCQUNFLE1BQU0sSUFBSSxZQUFZLENBQ3BCLEdBQUcsT0FBTyxPQUFPLG1CQUFtQixDQUFDLE1BQU0sSUFBSSxtQkFBbUIsQ0FBQyxVQUFVLEVBQUUsQ0FDaEYsQ0FBQztRQUNOLENBQUM7SUFDSCxDQUFDO0lBQ0QsTUFBTSxXQUFXLEdBQUcsTUFBTSxtQkFBbUIsQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUNyRCxNQUFNLEVBQUUsU0FBUyxFQUFFLEdBQUcsRUFBRSxHQUFxQixXQUFXLENBQUM7SUFDekQsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1FBQ2YsTUFBTSxJQUFJLFlBQVksQ0FDcEIsOENBQThDLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FDN0UsQ0FBQztJQUNKLENBQUM7SUFDRCxPQUFPO1FBQ0wsU0FBUztRQUNULEdBQUcsRUFBRSxXQUFXO1FBQ2hCLFNBQVMsRUFBRSxTQUFTLElBQUksVUFBVTtRQUNsQyxHQUFHLENBQUMsR0FBRyxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7S0FDcEIsQ0FBQztBQUNKLENBQUMifQ==
|
|
@@ -38,7 +38,7 @@ export function handleRpcRewrapError(e, platformUrl) {
|
|
|
38
38
|
case Code.InvalidArgument: // 400 Bad Request
|
|
39
39
|
throw new InvalidFileError(`400 for [${platformUrl}]: rewrap bad request [${e.message}]`);
|
|
40
40
|
case Code.PermissionDenied: // 403 Forbidden
|
|
41
|
-
throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`);
|
|
41
|
+
throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied: forbidden`);
|
|
42
42
|
case Code.Unauthenticated: // 401 Unauthorized
|
|
43
43
|
throw new UnauthenticatedError(`401 for [${platformUrl}]; rewrap auth failure`);
|
|
44
44
|
case Code.Internal:
|
|
@@ -61,9 +61,9 @@ export function handleRpcRewrapErrorString(e, platformUrl, requiredObligations)
|
|
|
61
61
|
}
|
|
62
62
|
if (e.includes(Code[Code.PermissionDenied])) {
|
|
63
63
|
if (requiredObligations && requiredObligations.length > 0) {
|
|
64
|
-
throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`, requiredObligations);
|
|
64
|
+
throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied: forbidden`, requiredObligations);
|
|
65
65
|
}
|
|
66
|
-
throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`);
|
|
66
|
+
throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied: forbidden`);
|
|
67
67
|
}
|
|
68
68
|
if (e.includes(Code[Code.Unauthenticated])) {
|
|
69
69
|
// 401 Unauthorized
|
|
@@ -179,4 +179,4 @@ export async function fetchKasBasePubKey(kasEndpoint) {
|
|
|
179
179
|
throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
|
|
180
180
|
}
|
|
181
181
|
}
|
|
182
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
182
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjZXNzLXJwYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hY2Nlc3MvYWNjZXNzLXJwYy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEVBQ0wsb0JBQW9CLEVBR3BCLGVBQWUsR0FDaEIsTUFBTSxjQUFjLENBQUM7QUFFdEIsT0FBTyxFQUFtQixtQkFBbUIsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQy9FLE9BQU8sRUFDTCxrQkFBa0IsRUFDbEIsZ0JBQWdCLEVBQ2hCLFlBQVksRUFDWixxQkFBcUIsRUFDckIsWUFBWSxFQUNaLG9CQUFvQixHQUNyQixNQUFNLGNBQWMsQ0FBQztBQUN0QixPQUFPLEVBQUUsY0FBYyxFQUFFLE1BQU0sZ0JBQWdCLENBQUM7QUFHaEQsT0FBTyxFQUNMLHNCQUFzQixFQUN0Qiw2QkFBNkIsRUFDN0IsaUJBQWlCLEdBQ2xCLE1BQU0sYUFBYSxDQUFDO0FBQ3JCLE9BQU8sRUFBRSwyQkFBMkIsRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBQzdELE9BQU8sRUFBRSxZQUFZLEVBQUUsSUFBSSxFQUFFLE1BQU0scUJBQXFCLENBQUM7QUFFekQ7Ozs7Ozs7R0FPRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsZUFBZSxDQUNuQyxHQUFXLEVBQ1gsa0JBQTBCLEVBQzFCLElBQWdCLEVBQ2hCLDZCQUFzQztJQUV0QyxNQUFNLFdBQVcsR0FBRyw2QkFBNkIsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUN2RCxNQUFNLFFBQVEsR0FBRyxJQUFJLGNBQWMsQ0FBQyxFQUFFLFlBQVksRUFBRSxtQkFBbUIsQ0FBQyxJQUFJLENBQUMsRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBQzlGLE1BQU0sT0FBTyxHQUFnQixFQUFFLENBQUM7SUFDaEMsSUFBSSw2QkFBNkIsRUFBRSxDQUFDO1FBQ2xDLE9BQU8sQ0FBQyxPQUFPLEdBQUc7WUFDaEIsQ0FBQywyQkFBMkIsQ0FBQyxFQUFFLDZCQUE2QjtTQUM3RCxDQUFDO0lBQ0osQ0FBQztJQUNELElBQUksUUFBd0IsQ0FBQztJQUM3QixJQUFJLENBQUM7UUFDSCxRQUFRLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsRUFBRSxrQkFBa0IsRUFBRSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsb0JBQW9CLENBQUMsQ0FBQyxFQUFFLFdBQVcsQ0FBQyxDQUFDO0lBQ3ZDLENBQUM7SUFDRCxPQUFPLFFBQVEsQ0FBQztBQUNsQixDQUFDO0FBRUQsTUFBTSxVQUFVLG9CQUFvQixDQUFDLENBQVUsRUFBRSxXQUFtQjtJQUNsRSxJQUFJLENBQUMsWUFBWSxZQUFZLEVBQUUsQ0FBQztRQUM5QixPQUFPLENBQUMsR0FBRyxDQUFDLG9DQUFvQyxFQUFFLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUMxRCxRQUFRLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNmLEtBQUssSUFBSSxDQUFDLGVBQWUsRUFBRSxrQkFBa0I7Z0JBQzNDLE1BQU0sSUFBSSxnQkFBZ0IsQ0FBQyxZQUFZLFdBQVcsMEJBQTBCLENBQUMsQ0FBQyxPQUFPLEdBQUcsQ0FBQyxDQUFDO1lBQzVGLEtBQUssSUFBSSxDQUFDLGdCQUFnQixFQUFFLGdCQUFnQjtnQkFDMUMsTUFBTSxJQUFJLHFCQUFxQixDQUM3QixZQUFZLFdBQVcsd0NBQXdDLENBQ2hFLENBQUM7WUFDSixLQUFLLElBQUksQ0FBQyxlQUFlLEVBQUUsbUJBQW1CO2dCQUM1QyxNQUFNLElBQUksb0JBQW9CLENBQUMsWUFBWSxXQUFXLHdCQUF3QixDQUFDLENBQUM7WUFDbEYsS0FBSyxJQUFJLENBQUMsUUFBUSxDQUFDO1lBQ25CLEtBQUssSUFBSSxDQUFDLGFBQWEsQ0FBQztZQUN4QixLQUFLLElBQUksQ0FBQyxRQUFRLENBQUM7WUFDbkIsS0FBSyxJQUFJLENBQUMsT0FBTyxDQUFDO1lBQ2xCLEtBQUssSUFBSSxDQUFDLGdCQUFnQixDQUFDO1lBQzNCLEtBQUssSUFBSSxDQUFDLFdBQVcsRUFBRSxxQkFBcUI7Z0JBQzFDLE1BQU0sSUFBSSxZQUFZLENBQ3BCLEdBQUcsQ0FBQyxDQUFDLElBQUksU0FBUyxXQUFXLDJDQUEyQyxDQUFDLENBQUMsT0FBTyxHQUFHLENBQ3JGLENBQUM7WUFDSjtnQkFDRSxNQUFNLElBQUksWUFBWSxDQUFDLElBQUksV0FBVyxjQUFjLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBQ3JFLENBQUM7SUFDSCxDQUFDO0lBQ0QsTUFBTSxJQUFJLFlBQVksQ0FBQyxJQUFJLFdBQVcsY0FBYyxzQkFBc0IsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUM7QUFDbkYsQ0FBQztBQUVELE1BQU0sVUFBVSwwQkFBMEIsQ0FDeEMsQ0FBUyxFQUNULFdBQW1CLEVBQ25CLG1CQUE4QjtJQUU5QixJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxlQUFlLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDM0Msa0JBQWtCO1FBQ2xCLE1BQU0sSUFBSSxnQkFBZ0IsQ0FBQyxZQUFZLFdBQVcsMEJBQTBCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDcEYsQ0FBQztJQUNELElBQUksQ0FBQyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUMsRUFBRSxDQUFDO1FBQzVDLElBQUksbUJBQW1CLElBQUksbUJBQW1CLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzFELE1BQU0sSUFBSSxxQkFBcUIsQ0FDN0IsWUFBWSxXQUFXLHdDQUF3QyxFQUMvRCxtQkFBbUIsQ0FDcEIsQ0FBQztRQUNKLENBQUM7UUFDRCxNQUFNLElBQUkscUJBQXFCLENBQzdCLFlBQVksV0FBVyx3Q0FBd0MsQ0FDaEUsQ0FBQztJQUNKLENBQUM7SUFDRCxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxlQUFlLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDM0MsbUJBQW1CO1FBQ25CLE1BQU0sSUFBSSxvQkFBb0IsQ0FBQyxZQUFZLFdBQVcsd0JBQXdCLENBQUMsQ0FBQztJQUNsRixDQUFDO0lBQ0QsSUFDRSxDQUFDLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDL0IsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxDQUFDO1FBQ3BDLENBQUMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUMvQixDQUFDLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDOUIsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLENBQUM7UUFDdkMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLEVBQ2xDLENBQUM7UUFDRCxRQUFRO1FBQ1IsTUFBTSxJQUFJLFlBQVksQ0FBQyxTQUFTLFdBQVcsMkNBQTJDLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDOUYsQ0FBQztJQUNELE1BQU0sSUFBSSxZQUFZLENBQUMsSUFBSSxXQUFXLGNBQWMsQ0FBQyxFQUFFLENBQUMsQ0FBQztBQUMzRCxDQUFDO0FBRUQsTUFBTSxDQUFDLEtBQUssVUFBVSxxQkFBcUIsQ0FDekMsV0FBbUIsRUFDbkIsSUFBZ0I7SUFFaEIsSUFBSSxVQUFVLEdBQUcsQ0FBQyxDQUFDO0lBQ25CLE1BQU0sVUFBVSxHQUFHLEVBQUUsQ0FBQztJQUN0QixNQUFNLFFBQVEsR0FBRyxJQUFJLGNBQWMsQ0FBQyxFQUFFLFlBQVksRUFBRSxtQkFBbUIsQ0FBQyxJQUFJLENBQUMsRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBRTlGLEdBQUcsQ0FBQztRQUNGLElBQUksUUFBc0MsQ0FBQztRQUMzQyxJQUFJLENBQUM7WUFDSCxRQUFRLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLHVCQUF1QixDQUFDLG9CQUFvQixDQUFDO2dCQUN4RSxVQUFVLEVBQUU7b0JBQ1YsTUFBTSxFQUFFLFVBQVU7aUJBQ25CO2FBQ0YsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDWCxNQUFNLElBQUksWUFBWSxDQUNwQixJQUFJLFdBQVcsNEJBQTRCLHNCQUFzQixDQUFDLENBQUMsQ0FBQyxFQUFFLENBQ3ZFLENBQUM7UUFDSixDQUFDO1FBRUQsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1FBQzlDLFVBQVUsR0FBRyxRQUFRLEVBQUUsVUFBVSxFQUFFLFVBQVUsSUFBSSxDQUFDLENBQUM7SUFDckQsQ0FBQyxRQUFRLFVBQVUsR0FBRyxDQUFDLEVBQUU7SUFFekIsTUFBTSxVQUFVLEdBQUcsVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQzFELHdCQUF3QjtJQUN4QixJQUFJLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxHQUFHLFdBQVcsTUFBTSxDQUFDLEVBQUUsQ0FBQztRQUMvQyxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsV0FBVyxNQUFNLENBQUMsQ0FBQztJQUN4QyxDQUFDO0lBRUQsT0FBTyxJQUFJLGVBQWUsQ0FBQyxVQUFVLEVBQUUsS0FBSyxDQUFDLENBQUM7QUFDaEQsQ0FBQztBQVlELFNBQVMsU0FBUyxDQUFDLE9BQWlCO0lBQ2xDLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUNiLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUNELE1BQU0sRUFBRSxHQUFHLE9BQTBCLENBQUM7SUFDdEMsT0FBTyxDQUNMLENBQUMsQ0FBQyxFQUFFLENBQUMsT0FBTztRQUNaLENBQUMsQ0FBQyxFQUFFLENBQUMsVUFBVTtRQUNmLE9BQU8sRUFBRSxDQUFDLFVBQVUsS0FBSyxRQUFRO1FBQ2pDLENBQUMsQ0FBQyxFQUFFLENBQUMsVUFBVSxDQUFDLEdBQUc7UUFDbkIsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxVQUFVLENBQUMsU0FBUztRQUN6QixvQkFBb0IsQ0FBQyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUM5QyxDQUFDO0FBQ0osQ0FBQztBQUVELE1BQU0sQ0FBQyxLQUFLLFVBQVUsY0FBYyxDQUNsQyxXQUFtQixFQUNuQixTQUFpQztJQUVqQyxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUM7UUFDakIsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDBCQUEwQixDQUFDLENBQUM7SUFDM0QsQ0FBQztJQUNELHVEQUF1RDtJQUN2RCxpQkFBaUIsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUUvQixNQUFNLFdBQVcsR0FBRyw2QkFBNkIsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUMvRCxNQUFNLFFBQVEsR0FBRyxJQUFJLGNBQWMsQ0FBQztRQUNsQyxXQUFXO0tBQ1osQ0FBQyxDQUFDO0lBQ0gsSUFBSSxDQUFDO1FBQ0gsTUFBTSxFQUFFLEdBQUcsRUFBRSxTQUFTLEVBQUUsR0FBRyxNQUFNLFFBQVEsQ0FBQyxFQUFFLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQztZQUM1RCxTQUFTLEVBQUUsU0FBUyxJQUFJLFVBQVU7WUFDbEMsQ0FBQyxFQUFFLEdBQUc7U0FDUCxDQUFDLENBQUM7UUFDSCxNQUFNLE1BQU0sR0FBcUI7WUFDL0IsU0FBUztZQUNULEdBQUcsRUFBRSxXQUFXO1lBQ2hCLFNBQVMsRUFBRSxTQUFTLElBQUksVUFBVTtZQUNsQyxHQUFHLENBQUMsR0FBRyxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7U0FDcEIsQ0FBQztRQUNGLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsTUFBTSxJQUFJLFlBQVksQ0FBQyxJQUFJLFdBQVcsaUJBQWlCLHNCQUFzQixDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN0RixDQUFDO0FBQ0gsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsa0JBQWtCLENBQUMsV0FBbUI7SUFDMUQsSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQ2pCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0lBQzNELENBQUM7SUFDRCxpQkFBaUIsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUUvQixNQUFNLFdBQVcsR0FBRyw2QkFBNkIsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUMvRCxNQUFNLFFBQVEsR0FBRyxJQUFJLGNBQWMsQ0FBQztRQUNsQyxXQUFXO0tBQ1osQ0FBQyxDQUFDO0lBQ0gsSUFBSSxDQUFDO1FBQ0gsTUFBTSxFQUFFLGFBQWEsRUFBRSxHQUFHLE1BQU0sUUFBUSxDQUFDLEVBQUUsQ0FBQyxTQUFTLENBQUMseUJBQXlCLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDcEYsTUFBTSxPQUFPLEdBQUcsYUFBYSxFQUFFLFFBQXNDLENBQUM7UUFDdEUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1lBQ3hCLE1BQU0sSUFBSSxZQUFZLENBQ3BCLG9DQUFvQyxXQUFXLGdEQUFnRCxDQUNoRyxDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFxQjtZQUMvQixTQUFTLEVBQUUsT0FBTyxDQUFDLFVBQVUsQ0FBQyxHQUFHO1lBQ2pDLEdBQUcsRUFBRSxPQUFPLENBQUMsT0FBTztZQUNwQixTQUFTLEVBQUUsT0FBTyxDQUFDLFVBQVUsQ0FBQyxTQUFTO1lBQ3ZDLEdBQUcsRUFBRSxPQUFPLENBQUMsVUFBVSxDQUFDLEdBQUc7U0FDNUIsQ0FBQztRQUNGLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsTUFBTSxJQUFJLFlBQVksQ0FBQyxJQUFJLFdBQVcsaUJBQWlCLHNCQUFzQixDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN0RixDQUFDO0FBQ0gsQ0FBQyJ9
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { default as dpopFn } from './dpop.js';
|
|
2
2
|
import { withHeaders } from './auth.js';
|
|
3
|
+
import { isTokenExpired, resolveTokenExpiry } from './tokenExpiry.js';
|
|
3
4
|
import { base64 } from '../encodings/index.js';
|
|
4
5
|
import { ConfigurationError, TdfError } from '../errors.js';
|
|
5
6
|
import { rstrip } from '../utils.js';
|
|
@@ -134,19 +135,24 @@ export class AccessToken {
|
|
|
134
135
|
}
|
|
135
136
|
/**
|
|
136
137
|
* Gets an access token; operates lazily/cached, with an optional check for freshness.
|
|
137
|
-
*
|
|
138
|
+
*
|
|
139
|
+
* Freshness is determined locally from the token's `exp` claim (or the OAuth
|
|
140
|
+
* `expires_in` from the token response) — no network round trip. This replaces an
|
|
141
|
+
* earlier scheme that validated cached tokens against the OIDC `userinfo` endpoint.
|
|
142
|
+
* @param validate if we should check that any cached access token is still fresh
|
|
143
|
+
* before returning it; when false, a cached token is returned regardless of expiry
|
|
138
144
|
* @returns
|
|
139
145
|
*/
|
|
140
146
|
async get(validate = true) {
|
|
141
|
-
if (this.data?.access_token) {
|
|
147
|
+
if (this.data?.access_token && (!validate || !isTokenExpired(this.cachedExpiry))) {
|
|
148
|
+
return this.data.access_token;
|
|
149
|
+
}
|
|
150
|
+
// Dedupe concurrent refreshes so a burst of requests triggers one exchange.
|
|
151
|
+
if (this.inFlight) {
|
|
152
|
+
return this.inFlight;
|
|
153
|
+
}
|
|
154
|
+
this.inFlight = (async () => {
|
|
142
155
|
try {
|
|
143
|
-
if (validate) {
|
|
144
|
-
await this.info(this.data.access_token);
|
|
145
|
-
}
|
|
146
|
-
return this.data.access_token;
|
|
147
|
-
}
|
|
148
|
-
catch (e) {
|
|
149
|
-
console.log('access_token fails on user_info endpoint; attempting to renew', e);
|
|
150
156
|
if (this.data?.refresh_token) {
|
|
151
157
|
// Prefer the latest refresh_token if present over creds passed in
|
|
152
158
|
// to constructor
|
|
@@ -157,10 +163,15 @@ export class AccessToken {
|
|
|
157
163
|
};
|
|
158
164
|
}
|
|
159
165
|
delete this.data;
|
|
166
|
+
const tokenResponse = (this.data = await this.accessTokenLookup(this.config));
|
|
167
|
+
this.cachedExpiry = resolveTokenExpiry(tokenResponse.access_token, tokenResponse.expires_in);
|
|
168
|
+
return tokenResponse.access_token;
|
|
160
169
|
}
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
170
|
+
finally {
|
|
171
|
+
delete this.inFlight;
|
|
172
|
+
}
|
|
173
|
+
})();
|
|
174
|
+
return this.inFlight;
|
|
164
175
|
}
|
|
165
176
|
/**
|
|
166
177
|
* A TDF client MUST call this method whenever the client wants to use a new
|
|
@@ -170,13 +181,15 @@ export class AccessToken {
|
|
|
170
181
|
* Calling this function will trigger a forcible token refresh using the cached refresh token, and contact the auth server.
|
|
171
182
|
*/
|
|
172
183
|
async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey) {
|
|
173
|
-
// If we already have a token, and the pubkey
|
|
174
|
-
// we
|
|
175
|
-
//
|
|
176
|
-
if (this.
|
|
184
|
+
// If we already have a token, and the pubkey is unchanged,
|
|
185
|
+
// we can keep the cached token - otherwise drop it so the next `get()`
|
|
186
|
+
// refetches a token bound to the new public key.
|
|
187
|
+
if (this.data?.access_token && signingKey === this.signingKey) {
|
|
177
188
|
return;
|
|
178
189
|
}
|
|
179
|
-
delete this.
|
|
190
|
+
delete this.data;
|
|
191
|
+
delete this.cachedExpiry;
|
|
192
|
+
delete this.inFlight;
|
|
180
193
|
this.signingKey = signingKey;
|
|
181
194
|
}
|
|
182
195
|
/**
|
|
@@ -207,7 +220,7 @@ export class AccessToken {
|
|
|
207
220
|
if (this.config.dpopEnabled && !this.signingKey) {
|
|
208
221
|
throw new ConfigurationError('Client public key was not set via `updateClientPublicKey` or passed in via constructor; required when DPoP is enabled');
|
|
209
222
|
}
|
|
210
|
-
const accessToken =
|
|
223
|
+
const accessToken = await this.get();
|
|
211
224
|
if (this.config.dpopEnabled && this.signingKey) {
|
|
212
225
|
const dpopToken = await dpopFn(this.signingKey, this.cryptoService, httpReq.url, httpReq.method,
|
|
213
226
|
/* nonce */ undefined, accessToken);
|
|
@@ -217,4 +230,4 @@ export class AccessToken {
|
|
|
217
230
|
return withHeaders(httpReq, { Authorization: `Bearer ${accessToken}` });
|
|
218
231
|
}
|
|
219
232
|
}
|
|
220
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
233
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL29pZGMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLE9BQU8sSUFBSSxNQUFNLEVBQUUsTUFBTSxXQUFXLENBQUM7QUFDOUMsT0FBTyxFQUFlLFdBQVcsRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUNyRCxPQUFPLEVBQUUsY0FBYyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sa0JBQWtCLENBQUM7QUFDdEUsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBQy9DLE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxRQUFRLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFDNUQsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLGFBQWEsQ0FBQztBQXFEckMsTUFBTSxVQUFVLEdBQUcsQ0FBQyxHQUEyQixFQUFFLEVBQUUsQ0FBQyxJQUFJLGVBQWUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQztBQVF4Rjs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBcUJHO0FBQ0gsTUFBTSxPQUFPLFdBQVc7SUF1QnRCLFlBQVksR0FBb0IsRUFBRSxhQUE0QixFQUFFLE9BQXNCO1FBVnRGLGlCQUFZLEdBQTJCLEVBQUUsQ0FBQztRQVd4QyxJQUFJLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ2xCLE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsNEVBQTRFLENBQzdFLENBQUM7UUFDSixDQUFDO1FBQ0QsSUFBSSxHQUFHLENBQUMsUUFBUSxLQUFLLFFBQVEsSUFBSSxDQUFDLEdBQUcsQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUNuRCxNQUFNLElBQUksa0JBQWtCLENBQzFCLDRFQUE0RSxDQUM3RSxDQUFDO1FBQ0osQ0FBQztRQUNELElBQUksR0FBRyxDQUFDLFFBQVEsS0FBSyxTQUFTLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDcEQsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDREQUE0RCxDQUFDLENBQUM7UUFDN0YsQ0FBQztRQUNELElBQUksR0FBRyxDQUFDLFFBQVEsS0FBSyxVQUFVLElBQUksQ0FBQyxHQUFHLENBQUMsV0FBVyxFQUFFLENBQUM7WUFDcEQsTUFBTSxJQUFJLGtCQUFrQixDQUFDLG1EQUFtRCxDQUFDLENBQUM7UUFDcEYsQ0FBQztRQUNELElBQUksQ0FBQyxHQUFHLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDbEIsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDRCQUE0QixDQUFDLENBQUM7UUFDN0QsQ0FBQztRQUNELElBQUksQ0FBQyxNQUFNLEdBQUcsR0FBRyxDQUFDO1FBQ2xCLElBQUksQ0FBQyxhQUFhLEdBQUcsYUFBYSxDQUFDO1FBQ25DLElBQUksQ0FBQyxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3ZCLElBQUksQ0FBQyxPQUFPLEdBQUcsTUFBTSxDQUFDLEdBQUcsQ0FBQyxVQUFVLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDM0MsSUFBSSxDQUFDLGFBQWEsR0FBRyxHQUFHLENBQUMsaUJBQWlCLElBQUksR0FBRyxJQUFJLENBQUMsT0FBTyxnQ0FBZ0MsQ0FBQztRQUM5RixJQUFJLENBQUMsZ0JBQWdCO1lBQ25CLEdBQUcsQ0FBQyxvQkFBb0IsSUFBSSxHQUFHLElBQUksQ0FBQyxPQUFPLG1DQUFtQyxDQUFDO1FBQ2pGLElBQUksQ0FBQyxVQUFVLEdBQUcsR0FBRyxDQUFDLFVBQVUsQ0FBQztJQUNuQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILEtBQUssQ0FBQyxJQUFJLENBQUMsV0FBbUI7UUFDNUIsTUFBTSxPQUFPLEdBQUc7WUFDZCxHQUFHLElBQUksQ0FBQyxZQUFZO1lBQ3BCLGFBQWEsRUFBRSxVQUFVLFdBQVcsRUFBRTtTQUNiLENBQUM7UUFDNUIsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLFdBQVcsSUFBSSxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDL0MsT0FBTyxDQUFDLElBQUksR0FBRyxNQUFNLE1BQU0sQ0FDekIsSUFBSSxDQUFDLFVBQVUsRUFDZixJQUFJLENBQUMsYUFBYSxFQUNsQixJQUFJLENBQUMsZ0JBQWdCLEVBQ3JCLE1BQU0sQ0FDUCxDQUFDO1FBQ0osQ0FBQztRQUNELE1BQU0sUUFBUSxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBTyxJQUFJLEtBQUssQ0FBQyxDQUFDLElBQUksQ0FBQyxnQkFBZ0IsRUFBRTtZQUNwRSxPQUFPO1NBQ1IsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNqQixPQUFPLENBQUMsS0FBSyxDQUFDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDLENBQUM7WUFDckMsTUFBTSxJQUFJLFFBQVEsQ0FDaEIsd0JBQXdCLElBQUksQ0FBQyxnQkFBZ0IsUUFBUSxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxVQUFVLEVBQUUsQ0FDOUYsQ0FBQztRQUNKLENBQUM7UUFFRCxPQUFPLENBQUMsTUFBTSxRQUFRLENBQUMsSUFBSSxFQUFFLENBQVksQ0FBQztJQUM1QyxDQUFDO0lBRUQsS0FBSyxDQUFDLE1BQU0sQ0FBQyxHQUFXLEVBQUUsQ0FBeUI7UUFDakQsTUFBTSxPQUFPLEdBQTJCO1lBQ3RDLGNBQWMsRUFBRSxtQ0FBbUM7WUFDbkQsTUFBTSxFQUFFLGtCQUFrQjtTQUMzQixDQUFDO1FBQ0YsaUNBQWlDO1FBQ2pDLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUM1QixJQUFJLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO2dCQUNyQixNQUFNLElBQUksa0JBQWtCLENBQUMseUJBQXlCLENBQUMsQ0FBQztZQUMxRCxDQUFDO1lBQ0Qsb0RBQW9EO1lBQ3BELE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1lBQzVGLHFFQUFxRTtZQUNyRSwwRUFBMEU7WUFDMUUsT0FBTyxDQUFDLGdCQUFnQixDQUFDLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUN4RCxPQUFPLENBQUMsSUFBSSxHQUFHLE1BQU0sTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsSUFBSSxDQUFDLGFBQWEsRUFBRSxHQUFHLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDaEYsQ0FBQztRQUNELE9BQU8sQ0FBQyxJQUFJLENBQUMsT0FBTyxJQUFJLEtBQUssQ0FBQyxDQUFDLEdBQUcsRUFBRTtZQUNsQyxNQUFNLEVBQUUsTUFBTTtZQUNkLE9BQU87WUFDUCxJQUFJLEVBQUUsVUFBVSxDQUFDLENBQUMsQ0FBQztTQUNwQixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsS0FBSyxDQUFDLGlCQUFpQixDQUFDLEdBQW9CO1FBQzFDLElBQUksSUFBSSxDQUFDO1FBQ1QsUUFBUSxHQUFHLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDckIsS0FBSyxRQUFRO2dCQUNYLElBQUksR0FBRztvQkFDTCxVQUFVLEVBQUUsb0JBQW9CO29CQUNoQyxTQUFTLEVBQUUsR0FBRyxDQUFDLFFBQVE7b0JBQ3ZCLGFBQWEsRUFBRSxHQUFHLENBQUMsWUFBWTtpQkFDaEMsQ0FBQztnQkFDRixNQUFNO1lBQ1IsS0FBSyxVQUFVO2dCQUNiLElBQUksR0FBRztvQkFDTCxVQUFVLEVBQUUsaURBQWlEO29CQUM3RCxhQUFhLEVBQUUsR0FBRyxDQUFDLFdBQVc7b0JBQzlCLGtCQUFrQixFQUFFLHNDQUFzQztvQkFDMUQsUUFBUSxFQUFFLEdBQUcsQ0FBQyxRQUFRO29CQUN0QixTQUFTLEVBQUUsR0FBRyxDQUFDLFFBQVE7aUJBQ3hCLENBQUM7Z0JBQ0YsTUFBTTtZQUNSLEtBQUssU0FBUztnQkFDWixJQUFJLEdBQUc7b0JBQ0wsVUFBVSxFQUFFLGVBQWU7b0JBQzNCLGFBQWEsRUFBRSxHQUFHLENBQUMsWUFBWTtvQkFDL0IsU0FBUyxFQUFFLEdBQUcsQ0FBQyxRQUFRO2lCQUN4QixDQUFDO2dCQUNGLE1BQU07UUFDVixDQUFDO1FBQ0QsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxhQUFhLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDN0QsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNqQixPQUFPLENBQUMsS0FBSyxDQUFDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDLENBQUM7WUFDckMsTUFBTSxJQUFJLFFBQVEsQ0FDaEIsbUNBQW1DLElBQUksQ0FBQyxhQUFhLFFBQVEsUUFBUSxDQUFDLE1BQU0sSUFBSSxRQUFRLENBQUMsVUFBVSxFQUFFLENBQ3RHLENBQUM7UUFDSixDQUFDO1FBQ0QsT0FBTyxRQUFRLENBQUMsSUFBSSxFQUFFLENBQUM7SUFDekIsQ0FBQztJQUVEOzs7Ozs7Ozs7T0FTRztJQUNILEtBQUssQ0FBQyxHQUFHLENBQUMsUUFBUSxHQUFHLElBQUk7UUFDdkIsSUFBSSxJQUFJLENBQUMsSUFBSSxFQUFFLFlBQVksSUFBSSxDQUFDLENBQUMsUUFBUSxJQUFJLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQyxFQUFFLENBQUM7WUFDakYsT0FBTyxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQztRQUNoQyxDQUFDO1FBRUQsNEVBQTRFO1FBQzVFLElBQUksSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ2xCLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQztRQUN2QixDQUFDO1FBRUQsSUFBSSxDQUFDLFFBQVEsR0FBRyxDQUFDLEtBQUssSUFBSSxFQUFFO1lBQzFCLElBQUksQ0FBQztnQkFDSCxJQUFJLElBQUksQ0FBQyxJQUFJLEVBQUUsYUFBYSxFQUFFLENBQUM7b0JBQzdCLGtFQUFrRTtvQkFDbEUsaUJBQWlCO29CQUNqQixJQUFJLENBQUMsTUFBTSxHQUFHO3dCQUNaLEdBQUcsSUFBSSxDQUFDLE1BQU07d0JBQ2QsUUFBUSxFQUFFLFNBQVM7d0JBQ25CLFlBQVksRUFBRSxJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWE7cUJBQ3RDLENBQUM7Z0JBQ0osQ0FBQztnQkFDRCxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUM7Z0JBRWpCLE1BQU0sYUFBYSxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztnQkFDOUUsSUFBSSxDQUFDLFlBQVksR0FBRyxrQkFBa0IsQ0FDcEMsYUFBYSxDQUFDLFlBQVksRUFDMUIsYUFBYSxDQUFDLFVBQVUsQ0FDekIsQ0FBQztnQkFDRixPQUFPLGFBQWEsQ0FBQyxZQUFZLENBQUM7WUFDcEMsQ0FBQztvQkFBUyxDQUFDO2dCQUNULE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQztZQUN2QixDQUFDO1FBQ0gsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUVMLE9BQU8sSUFBSSxDQUFDLFFBQVEsQ0FBQztJQUN2QixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLDBDQUEwQyxDQUFDLFVBQW1CO1FBQ2xFLDJEQUEyRDtRQUMzRCx1RUFBdUU7UUFDdkUsaURBQWlEO1FBQ2pELElBQUksSUFBSSxDQUFDLElBQUksRUFBRSxZQUFZLElBQUksVUFBVSxLQUFLLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUM5RCxPQUFPO1FBQ1QsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDLElBQUksQ0FBQztRQUNqQixPQUFPLElBQUksQ0FBQyxZQUFZLENBQUM7UUFDekIsT0FBTyxJQUFJLENBQUMsUUFBUSxDQUFDO1FBQ3JCLElBQUksQ0FBQyxVQUFVLEdBQUcsVUFBVSxDQUFDO0lBQy9CLENBQUM7SUFFRDs7T0FFRztJQUNILEtBQUssQ0FBQyx1QkFBdUI7UUFDM0IsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQztRQUN4QixJQUFJLEdBQUcsQ0FBQyxRQUFRLElBQUksVUFBVSxJQUFJLEdBQUcsQ0FBQyxRQUFRLElBQUksU0FBUyxFQUFFLENBQUM7WUFDNUQsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDRCQUE0QixDQUFDLENBQUM7UUFDN0QsQ0FBQztRQUNELE1BQU0sYUFBYSxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztRQUM5RSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ2pDLE9BQU8sQ0FBQyxHQUFHLENBQUMsMkJBQTJCLENBQUMsQ0FBQztZQUN6QyxPQUFPLENBQ0wsQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLFNBQVMsSUFBSSxHQUFHLENBQUMsWUFBWSxDQUFDO2dCQUMvQyxDQUFDLEdBQUcsQ0FBQyxRQUFRLElBQUksVUFBVSxJQUFJLEdBQUcsQ0FBQyxXQUFXLENBQUM7Z0JBQy9DLEVBQUUsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUNELGtFQUFrRTtRQUNsRSxpQkFBaUI7UUFDakIsSUFBSSxDQUFDLE1BQU0sR0FBRztZQUNaLEdBQUcsSUFBSSxDQUFDLE1BQU07WUFDZCxRQUFRLEVBQUUsU0FBUztZQUNuQixZQUFZLEVBQUUsYUFBYSxDQUFDLGFBQWE7U0FDMUMsQ0FBQztRQUNGLE9BQU8sYUFBYSxDQUFDLFlBQVksQ0FBQztJQUNwQyxDQUFDO0lBRUQsS0FBSyxDQUFDLFNBQVMsQ0FBQyxPQUFvQjtRQUNsQyxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxJQUFJLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ2hELE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsdUhBQXVILENBQ3hILENBQUM7UUFDSixDQUFDO1FBQ0QsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDckMsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLFdBQVcsSUFBSSxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDL0MsTUFBTSxTQUFTLEdBQUcsTUFBTSxNQUFNLENBQzVCLElBQUksQ0FBQyxVQUFVLEVBQ2YsSUFBSSxDQUFDLGFBQWEsRUFDbEIsT0FBTyxDQUFDLEdBQUcsRUFDWCxPQUFPLENBQUMsTUFBTTtZQUNkLFdBQVcsQ0FBQyxTQUFTLEVBQ3JCLFdBQVcsQ0FDWixDQUFDO1lBQ0YsdUVBQXVFO1lBQ3ZFLE9BQU8sV0FBVyxDQUFDLE9BQU8sRUFBRSxFQUFFLGFBQWEsRUFBRSxVQUFVLFdBQVcsRUFBRSxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsQ0FBQyxDQUFDO1FBQzNGLENBQUM7UUFDRCxPQUFPLFdBQVcsQ0FBQyxPQUFPLEVBQUUsRUFBRSxhQUFhLEVBQUUsVUFBVSxXQUFXLEVBQUUsRUFBRSxDQUFDLENBQUM7SUFDMUUsQ0FBQztDQUNGIn0=
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { isTokenExpired, resolveTokenExpiry } from './tokenExpiry.js';
|
|
1
2
|
import { ConfigurationError, TdfError } from '../errors.js';
|
|
2
3
|
import { rstrip } from '../utils.js';
|
|
3
4
|
function resolveTokenEndpoint(oidcOrigin, override) {
|
|
@@ -9,40 +10,6 @@ function resolveTokenEndpoint(oidcOrigin, override) {
|
|
|
9
10
|
}
|
|
10
11
|
return `${rstrip(base, '/')}/protocol/openid-connect/token`;
|
|
11
12
|
}
|
|
12
|
-
/**
|
|
13
|
-
* Decode a JWT's exp claim without verifying the signature.
|
|
14
|
-
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
15
|
-
*/
|
|
16
|
-
function getJwtExpiration(token) {
|
|
17
|
-
try {
|
|
18
|
-
const parts = token.split('.');
|
|
19
|
-
if (parts.length !== 3)
|
|
20
|
-
return undefined;
|
|
21
|
-
// Base64url decode the payload
|
|
22
|
-
const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
|
|
23
|
-
const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
|
|
24
|
-
const decoded = JSON.parse(atob(padded));
|
|
25
|
-
return typeof decoded.exp === 'number' ? decoded.exp : undefined;
|
|
26
|
-
}
|
|
27
|
-
catch {
|
|
28
|
-
return undefined;
|
|
29
|
-
}
|
|
30
|
-
}
|
|
31
|
-
/**
|
|
32
|
-
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
33
|
-
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
34
|
-
*/
|
|
35
|
-
function resolveTokenExpiry(accessToken, expiresIn) {
|
|
36
|
-
if (typeof expiresIn === 'number') {
|
|
37
|
-
return Date.now() / 1000 + expiresIn;
|
|
38
|
-
}
|
|
39
|
-
return getJwtExpiration(accessToken);
|
|
40
|
-
}
|
|
41
|
-
function isTokenExpired(expiry, bufferSeconds = 30) {
|
|
42
|
-
if (expiry === undefined)
|
|
43
|
-
return true;
|
|
44
|
-
return Date.now() / 1000 >= expiry - bufferSeconds;
|
|
45
|
-
}
|
|
46
13
|
async function fetchToken(tokenEndpoint, body) {
|
|
47
14
|
const response = await fetch(tokenEndpoint, {
|
|
48
15
|
method: 'POST',
|
|
@@ -239,4 +206,4 @@ export function externalJwtTokenProvider(options) {
|
|
|
239
206
|
return inFlight;
|
|
240
207
|
};
|
|
241
208
|
}
|
|
242
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
209
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidG9rZW4tcHJvdmlkZXJzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2F1dGgvdG9rZW4tcHJvdmlkZXJzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUNBLE9BQU8sRUFBRSxjQUFjLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSxrQkFBa0IsQ0FBQztBQUN0RSxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsUUFBUSxFQUFFLE1BQU0sY0FBYyxDQUFDO0FBQzVELE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFxRHJDLFNBQVMsb0JBQW9CLENBQUMsVUFBa0IsRUFBRSxRQUFpQjtJQUNqRSxJQUFJLFFBQVEsRUFBRSxJQUFJLEVBQUU7UUFBRSxPQUFPLFFBQVEsQ0FBQztJQUN0QyxNQUFNLElBQUksR0FBRyxVQUFVLEVBQUUsSUFBSSxFQUFFLENBQUM7SUFDaEMsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ1YsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDZDQUE2QyxDQUFDLENBQUM7SUFDOUUsQ0FBQztJQUNELE9BQU8sR0FBRyxNQUFNLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxnQ0FBZ0MsQ0FBQztBQUM5RCxDQUFDO0FBRUQsS0FBSyxVQUFVLFVBQVUsQ0FDdkIsYUFBcUIsRUFDckIsSUFBNEI7SUFFNUIsTUFBTSxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsYUFBYSxFQUFFO1FBQzFDLE1BQU0sRUFBRSxNQUFNO1FBQ2QsT0FBTyxFQUFFO1lBQ1AsY0FBYyxFQUFFLG1DQUFtQztZQUNuRCxNQUFNLEVBQUUsa0JBQWtCO1NBQzNCO1FBQ0QsSUFBSSxFQUFFLElBQUksZUFBZSxDQUFDLElBQUksQ0FBQyxDQUFDLFFBQVEsRUFBRTtLQUMzQyxDQUFDLENBQUM7SUFDSCxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsRUFBRSxDQUFDO1FBQ2pCLE1BQU0sSUFBSSxHQUFHLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ25DLE1BQU0sSUFBSSxRQUFRLENBQ2hCLCtCQUErQixhQUFhLFFBQVEsUUFBUSxDQUFDLE1BQU0sSUFBSSxRQUFRLENBQUMsVUFBVSxLQUFLLElBQUksRUFBRSxDQUN0RyxDQUFDO0lBQ0osQ0FBQztJQUNELE9BQU8sQ0FBQyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBa0IsQ0FBQztBQUNsRCxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQWtCRztBQUNILE1BQU0sVUFBVSw4QkFBOEIsQ0FDNUMsT0FBOEM7SUFFOUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLElBQUksQ0FBQyxPQUFPLENBQUMsWUFBWSxFQUFFLENBQUM7UUFDL0MsTUFBTSxJQUFJLGtCQUFrQixDQUFDLHdDQUF3QyxDQUFDLENBQUM7SUFDekUsQ0FBQztJQUNELE1BQU0sYUFBYSxHQUFHLG9CQUFvQixDQUFDLE9BQU8sQ0FBQyxVQUFVLEVBQUUsT0FBTyxDQUFDLGlCQUFpQixDQUFDLENBQUM7SUFDMUYsSUFBSSxXQUErQixDQUFDO0lBQ3BDLElBQUksWUFBZ0MsQ0FBQztJQUNyQyxJQUFJLFFBQXFDLENBQUM7SUFFMUMsT0FBTyxLQUFLLElBQUksRUFBRTtRQUNoQixJQUFJLFdBQVcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDO1lBQ2pELE9BQU8sV0FBVyxDQUFDO1FBQ3JCLENBQUM7UUFDRCxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDZCxRQUFRLEdBQUcsQ0FBQyxLQUFLLElBQUksRUFBRTtnQkFDckIsSUFBSSxDQUFDO29CQUNILE1BQU0sSUFBSSxHQUFHLE1BQU0sVUFBVSxDQUFDLGFBQWEsRUFBRTt3QkFDM0MsVUFBVSxFQUFFLG9CQUFvQjt3QkFDaEMsU0FBUyxFQUFFLE9BQU8sQ0FBQyxRQUFRO3dCQUMzQixhQUFhLEVBQUUsT0FBTyxDQUFDLFlBQVk7cUJBQ3BDLENBQUMsQ0FBQztvQkFDSCxXQUFXLEdBQUcsSUFBSSxDQUFDLFlBQVksQ0FBQztvQkFDaEMsWUFBWSxHQUFHLGtCQUFrQixDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO29CQUN0RSxPQUFPLFdBQVcsQ0FBQztnQkFDckIsQ0FBQzt3QkFBUyxDQUFDO29CQUNULFFBQVEsR0FBRyxTQUFTLENBQUM7Z0JBQ3ZCLENBQUM7WUFDSCxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ1AsQ0FBQztRQUNELE9BQU8sUUFBUSxDQUFDO0lBQ2xCLENBQUMsQ0FBQztBQUNKLENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7OztHQWdCRztBQUNILE1BQU0sVUFBVSxvQkFBb0IsQ0FBQyxPQUFvQztJQUN2RSxJQUFJLENBQUMsT0FBTyxDQUFDLFFBQVEsSUFBSSxDQUFDLE9BQU8sQ0FBQyxZQUFZLEVBQUUsQ0FBQztRQUMvQyxNQUFNLElBQUksa0JBQWtCLENBQUMsd0NBQXdDLENBQUMsQ0FBQztJQUN6RSxDQUFDO0lBQ0QsTUFBTSxhQUFhLEdBQUcsb0JBQW9CLENBQUMsT0FBTyxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsaUJBQWlCLENBQUMsQ0FBQztJQUMxRixJQUFJLG1CQUFtQixHQUFHLE9BQU8sQ0FBQyxZQUFZLENBQUM7SUFDL0MsSUFBSSxXQUErQixDQUFDO0lBQ3BDLElBQUksWUFBZ0MsQ0FBQztJQUNyQyxJQUFJLFFBQXFDLENBQUM7SUFFMUMsT0FBTyxLQUFLLElBQUksRUFBRTtRQUNoQixJQUFJLFdBQVcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDO1lBQ2pELE9BQU8sV0FBVyxDQUFDO1FBQ3JCLENBQUM7UUFDRCxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDZCxRQUFRLEdBQUcsQ0FBQyxLQUFLLElBQUksRUFBRTtnQkFDckIsSUFBSSxDQUFDO29CQUNILE1BQU0sSUFBSSxHQUFHLE1BQU0sVUFBVSxDQUFDLGFBQWEsRUFBRTt3QkFDM0MsVUFBVSxFQUFFLGVBQWU7d0JBQzNCLGFBQWEsRUFBRSxtQkFBbUI7d0JBQ2xDLFNBQVMsRUFBRSxPQUFPLENBQUMsUUFBUTtxQkFDNUIsQ0FBQyxDQUFDO29CQUNILFdBQVcsR0FBRyxJQUFJLENBQUMsWUFBWSxDQUFDO29CQUNoQyxZQUFZLEdBQUcsa0JBQWtCLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUM7b0JBQ3RFLElBQUksSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO3dCQUN2QixtQkFBbUIsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFDO29CQUMzQyxDQUFDO29CQUNELE9BQU8sV0FBVyxDQUFDO2dCQUNyQixDQUFDO3dCQUFTLENBQUM7b0JBQ1QsUUFBUSxHQUFHLFNBQVMsQ0FBQztnQkFDdkIsQ0FBQztZQUNILENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDUCxDQUFDO1FBQ0QsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQyxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7Ozs7Ozs7Ozs7Ozs7O0dBZ0JHO0FBQ0gsTUFBTSxVQUFVLHdCQUF3QixDQUFDLE9BQXdDO0lBQy9FLElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxJQUFJLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQzlDLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyx1Q0FBdUMsQ0FBQyxDQUFDO0lBQ3hFLENBQUM7SUFDRCxNQUFNLGFBQWEsR0FBRyxvQkFBb0IsQ0FBQyxPQUFPLENBQUMsVUFBVSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0lBQzFGLElBQUksV0FBK0IsQ0FBQztJQUNwQyxJQUFJLFlBQWdDLENBQUM7SUFDckMsSUFBSSxtQkFBdUMsQ0FBQztJQUM1QyxJQUFJLG1CQUFtQixHQUFHLEtBQUssQ0FBQztJQUNoQyxJQUFJLFFBQXFDLENBQUM7SUFFMUMsT0FBTyxLQUFLLElBQUksRUFBRTtRQUNoQixJQUFJLFdBQVcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDO1lBQ2pELE9BQU8sV0FBVyxDQUFDO1FBQ3JCLENBQUM7UUFDRCxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDZCxRQUFRLEdBQUcsQ0FBQyxLQUFLLElBQUksRUFBRTtnQkFDckIsSUFBSSxDQUFDO29CQUNILElBQUksSUFBbUIsQ0FBQztvQkFDeEIsSUFBSSxDQUFDLG1CQUFtQixFQUFFLENBQUM7d0JBQ3pCLElBQUksR0FBRyxNQUFNLFVBQVUsQ0FBQyxhQUFhLEVBQUU7NEJBQ3JDLFVBQVUsRUFBRSxpREFBaUQ7NEJBQzdELGFBQWEsRUFBRSxPQUFPLENBQUMsV0FBVzs0QkFDbEMsa0JBQWtCLEVBQUUsc0NBQXNDOzRCQUMxRCxRQUFRLEVBQUUsT0FBTyxDQUFDLFFBQVE7NEJBQzFCLFNBQVMsRUFBRSxPQUFPLENBQUMsUUFBUTt5QkFDNUIsQ0FBQyxDQUFDO3dCQUNILG1CQUFtQixHQUFHLElBQUksQ0FBQztvQkFDN0IsQ0FBQzt5QkFBTSxJQUFJLG1CQUFtQixFQUFFLENBQUM7d0JBQy9CLElBQUksR0FBRyxNQUFNLFVBQVUsQ0FBQyxhQUFhLEVBQUU7NEJBQ3JDLFVBQVUsRUFBRSxlQUFlOzRCQUMzQixhQUFhLEVBQUUsbUJBQW1COzRCQUNsQyxTQUFTLEVBQUUsT0FBTyxDQUFDLFFBQVE7eUJBQzVCLENBQUMsQ0FBQztvQkFDTCxDQUFDO3lCQUFNLENBQUM7d0JBQ04sNkRBQTZEO3dCQUM3RCxJQUFJLEdBQUcsTUFBTSxVQUFVLENBQUMsYUFBYSxFQUFFOzRCQUNyQyxVQUFVLEVBQUUsaURBQWlEOzRCQUM3RCxhQUFhLEVBQUUsT0FBTyxDQUFDLFdBQVc7NEJBQ2xDLGtCQUFrQixFQUFFLHNDQUFzQzs0QkFDMUQsUUFBUSxFQUFFLE9BQU8sQ0FBQyxRQUFROzRCQUMxQixTQUFTLEVBQUUsT0FBTyxDQUFDLFFBQVE7eUJBQzVCLENBQUMsQ0FBQztvQkFDTCxDQUFDO29CQUVELFdBQVcsR0FBRyxJQUFJLENBQUMsWUFBWSxDQUFDO29CQUNoQyxZQUFZLEdBQUcsa0JBQWtCLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUM7b0JBQ3RFLElBQUksSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO3dCQUN2QixtQkFBbUIsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFDO29CQUMzQyxDQUFDO29CQUNELE9BQU8sV0FBVyxDQUFDO2dCQUNyQixDQUFDO3dCQUFTLENBQUM7b0JBQ1QsUUFBUSxHQUFHLFNBQVMsQ0FBQztnQkFDdkIsQ0FBQztZQUNILENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDUCxDQUFDO1FBQ0QsT0FBTyxRQUFRLENBQUM7SUFDbEIsQ0FBQyxDQUFDO0FBQ0osQ0FBQyJ9
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Helpers for deciding whether a cached access token is still fresh, using the
|
|
3
|
+
* JWT `exp` claim (or an OAuth `expires_in`) rather than a network round trip.
|
|
4
|
+
*/
|
|
5
|
+
/**
|
|
6
|
+
* Decode a JWT's exp claim without verifying the signature.
|
|
7
|
+
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
8
|
+
*/
|
|
9
|
+
export function getJwtExpiration(token) {
|
|
10
|
+
try {
|
|
11
|
+
const parts = token.split('.');
|
|
12
|
+
if (parts.length !== 3)
|
|
13
|
+
return undefined;
|
|
14
|
+
// Base64url decode the payload
|
|
15
|
+
const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
|
|
16
|
+
const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
|
|
17
|
+
const decoded = JSON.parse(atob(padded));
|
|
18
|
+
return typeof decoded.exp === 'number' ? decoded.exp : undefined;
|
|
19
|
+
}
|
|
20
|
+
catch {
|
|
21
|
+
return undefined;
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
26
|
+
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
27
|
+
*/
|
|
28
|
+
export function resolveTokenExpiry(accessToken, expiresIn) {
|
|
29
|
+
if (typeof expiresIn === 'number') {
|
|
30
|
+
return Math.floor(Date.now() / 1000) + expiresIn;
|
|
31
|
+
}
|
|
32
|
+
return getJwtExpiration(accessToken);
|
|
33
|
+
}
|
|
34
|
+
export function isTokenExpired(expiry, bufferSeconds = 30) {
|
|
35
|
+
if (expiry === undefined)
|
|
36
|
+
return true;
|
|
37
|
+
return Math.floor(Date.now() / 1000) >= expiry - bufferSeconds;
|
|
38
|
+
}
|
|
39
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidG9rZW5FeHBpcnkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXV0aC90b2tlbkV4cGlyeS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7O0dBR0c7QUFFSDs7O0dBR0c7QUFDSCxNQUFNLFVBQVUsZ0JBQWdCLENBQUMsS0FBYTtJQUM1QyxJQUFJLENBQUM7UUFDSCxNQUFNLEtBQUssR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQy9CLElBQUksS0FBSyxDQUFDLE1BQU0sS0FBSyxDQUFDO1lBQUUsT0FBTyxTQUFTLENBQUM7UUFDekMsK0JBQStCO1FBQy9CLE1BQU0sT0FBTyxHQUFHLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDL0QsTUFBTSxNQUFNLEdBQUcsT0FBTyxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFDcEUsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztRQUN6QyxPQUFPLE9BQU8sT0FBTyxDQUFDLEdBQUcsS0FBSyxRQUFRLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQztJQUNuRSxDQUFDO0lBQUMsTUFBTSxDQUFDO1FBQ1AsT0FBTyxTQUFTLENBQUM7SUFDbkIsQ0FBQztBQUNILENBQUM7QUFFRDs7O0dBR0c7QUFDSCxNQUFNLFVBQVUsa0JBQWtCLENBQUMsV0FBbUIsRUFBRSxTQUFrQjtJQUN4RSxJQUFJLE9BQU8sU0FBUyxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBQ2xDLE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLEdBQUcsU0FBUyxDQUFDO0lBQ25ELENBQUM7SUFDRCxPQUFPLGdCQUFnQixDQUFDLFdBQVcsQ0FBQyxDQUFDO0FBQ3ZDLENBQUM7QUFFRCxNQUFNLFVBQVUsY0FBYyxDQUFDLE1BQTBCLEVBQUUsYUFBYSxHQUFHLEVBQUU7SUFDM0UsSUFBSSxNQUFNLEtBQUssU0FBUztRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQ3RDLE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLElBQUksTUFBTSxHQUFHLGFBQWEsQ0FBQztBQUNqRSxDQUFDIn0=
|
package/package.json
CHANGED
|
@@ -68,7 +68,9 @@ export async function fetchWrappedKey(
|
|
|
68
68
|
case 401:
|
|
69
69
|
throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
|
|
70
70
|
case 403:
|
|
71
|
-
throw new PermissionDeniedError(
|
|
71
|
+
throw new PermissionDeniedError(
|
|
72
|
+
`403 for [${req.url}]; rewrap permission denied: forbidden`
|
|
73
|
+
);
|
|
72
74
|
default:
|
|
73
75
|
if (response.status >= 500) {
|
|
74
76
|
throw new ServiceError(
|
package/src/access/access-rpc.ts
CHANGED
|
@@ -64,7 +64,9 @@ export function handleRpcRewrapError(e: unknown, platformUrl: string): never {
|
|
|
64
64
|
case Code.InvalidArgument: // 400 Bad Request
|
|
65
65
|
throw new InvalidFileError(`400 for [${platformUrl}]: rewrap bad request [${e.message}]`);
|
|
66
66
|
case Code.PermissionDenied: // 403 Forbidden
|
|
67
|
-
throw new PermissionDeniedError(
|
|
67
|
+
throw new PermissionDeniedError(
|
|
68
|
+
`403 for [${platformUrl}]; rewrap permission denied: forbidden`
|
|
69
|
+
);
|
|
68
70
|
case Code.Unauthenticated: // 401 Unauthorized
|
|
69
71
|
throw new UnauthenticatedError(`401 for [${platformUrl}]; rewrap auth failure`);
|
|
70
72
|
case Code.Internal:
|
|
@@ -95,11 +97,13 @@ export function handleRpcRewrapErrorString(
|
|
|
95
97
|
if (e.includes(Code[Code.PermissionDenied])) {
|
|
96
98
|
if (requiredObligations && requiredObligations.length > 0) {
|
|
97
99
|
throw new PermissionDeniedError(
|
|
98
|
-
`403 for [${platformUrl}]; rewrap permission denied`,
|
|
100
|
+
`403 for [${platformUrl}]; rewrap permission denied: forbidden`,
|
|
99
101
|
requiredObligations
|
|
100
102
|
);
|
|
101
103
|
}
|
|
102
|
-
throw new PermissionDeniedError(
|
|
104
|
+
throw new PermissionDeniedError(
|
|
105
|
+
`403 for [${platformUrl}]; rewrap permission denied: forbidden`
|
|
106
|
+
);
|
|
103
107
|
}
|
|
104
108
|
if (e.includes(Code[Code.Unauthenticated])) {
|
|
105
109
|
// 401 Unauthorized
|
package/src/auth/oidc.ts
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { default as dpopFn } from './dpop.js';
|
|
2
2
|
import { HttpRequest, withHeaders } from './auth.js';
|
|
3
|
+
import { isTokenExpired, resolveTokenExpiry } from './tokenExpiry.js';
|
|
3
4
|
import { base64 } from '../encodings/index.js';
|
|
4
5
|
import { ConfigurationError, TdfError } from '../errors.js';
|
|
5
6
|
import { rstrip } from '../utils.js';
|
|
@@ -60,6 +61,7 @@ const qstringify = (obj: Record<string, string>) => new URLSearchParams(obj).toS
|
|
|
60
61
|
export type AccessTokenResponse = {
|
|
61
62
|
access_token: string;
|
|
62
63
|
refresh_token?: string;
|
|
64
|
+
expires_in?: number;
|
|
63
65
|
};
|
|
64
66
|
|
|
65
67
|
/**
|
|
@@ -99,7 +101,11 @@ export class AccessToken {
|
|
|
99
101
|
|
|
100
102
|
extraHeaders: Record<string, string> = {};
|
|
101
103
|
|
|
102
|
-
|
|
104
|
+
/** Absolute expiry (seconds since epoch) of the cached access token in `data`. */
|
|
105
|
+
cachedExpiry?: number;
|
|
106
|
+
|
|
107
|
+
/** In-flight token exchange, used to dedupe concurrent `get()` calls. */
|
|
108
|
+
inFlight?: Promise<string>;
|
|
103
109
|
|
|
104
110
|
cryptoService: CryptoService;
|
|
105
111
|
|
|
@@ -227,18 +233,26 @@ export class AccessToken {
|
|
|
227
233
|
|
|
228
234
|
/**
|
|
229
235
|
* Gets an access token; operates lazily/cached, with an optional check for freshness.
|
|
230
|
-
*
|
|
236
|
+
*
|
|
237
|
+
* Freshness is determined locally from the token's `exp` claim (or the OAuth
|
|
238
|
+
* `expires_in` from the token response) — no network round trip. This replaces an
|
|
239
|
+
* earlier scheme that validated cached tokens against the OIDC `userinfo` endpoint.
|
|
240
|
+
* @param validate if we should check that any cached access token is still fresh
|
|
241
|
+
* before returning it; when false, a cached token is returned regardless of expiry
|
|
231
242
|
* @returns
|
|
232
243
|
*/
|
|
233
244
|
async get(validate = true): Promise<string> {
|
|
234
|
-
if (this.data?.access_token) {
|
|
245
|
+
if (this.data?.access_token && (!validate || !isTokenExpired(this.cachedExpiry))) {
|
|
246
|
+
return this.data.access_token;
|
|
247
|
+
}
|
|
248
|
+
|
|
249
|
+
// Dedupe concurrent refreshes so a burst of requests triggers one exchange.
|
|
250
|
+
if (this.inFlight) {
|
|
251
|
+
return this.inFlight;
|
|
252
|
+
}
|
|
253
|
+
|
|
254
|
+
this.inFlight = (async () => {
|
|
235
255
|
try {
|
|
236
|
-
if (validate) {
|
|
237
|
-
await this.info(this.data.access_token);
|
|
238
|
-
}
|
|
239
|
-
return this.data.access_token;
|
|
240
|
-
} catch (e) {
|
|
241
|
-
console.log('access_token fails on user_info endpoint; attempting to renew', e);
|
|
242
256
|
if (this.data?.refresh_token) {
|
|
243
257
|
// Prefer the latest refresh_token if present over creds passed in
|
|
244
258
|
// to constructor
|
|
@@ -249,11 +263,19 @@ export class AccessToken {
|
|
|
249
263
|
};
|
|
250
264
|
}
|
|
251
265
|
delete this.data;
|
|
266
|
+
|
|
267
|
+
const tokenResponse = (this.data = await this.accessTokenLookup(this.config));
|
|
268
|
+
this.cachedExpiry = resolveTokenExpiry(
|
|
269
|
+
tokenResponse.access_token,
|
|
270
|
+
tokenResponse.expires_in
|
|
271
|
+
);
|
|
272
|
+
return tokenResponse.access_token;
|
|
273
|
+
} finally {
|
|
274
|
+
delete this.inFlight;
|
|
252
275
|
}
|
|
253
|
-
}
|
|
276
|
+
})();
|
|
254
277
|
|
|
255
|
-
|
|
256
|
-
return tokenResponse.access_token;
|
|
278
|
+
return this.inFlight;
|
|
257
279
|
}
|
|
258
280
|
|
|
259
281
|
/**
|
|
@@ -264,13 +286,15 @@ export class AccessToken {
|
|
|
264
286
|
* Calling this function will trigger a forcible token refresh using the cached refresh token, and contact the auth server.
|
|
265
287
|
*/
|
|
266
288
|
async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey: KeyPair): Promise<void> {
|
|
267
|
-
// If we already have a token, and the pubkey
|
|
268
|
-
// we
|
|
269
|
-
//
|
|
270
|
-
if (this.
|
|
289
|
+
// If we already have a token, and the pubkey is unchanged,
|
|
290
|
+
// we can keep the cached token - otherwise drop it so the next `get()`
|
|
291
|
+
// refetches a token bound to the new public key.
|
|
292
|
+
if (this.data?.access_token && signingKey === this.signingKey) {
|
|
271
293
|
return;
|
|
272
294
|
}
|
|
273
|
-
delete this.
|
|
295
|
+
delete this.data;
|
|
296
|
+
delete this.cachedExpiry;
|
|
297
|
+
delete this.inFlight;
|
|
274
298
|
this.signingKey = signingKey;
|
|
275
299
|
}
|
|
276
300
|
|
|
@@ -307,7 +331,7 @@ export class AccessToken {
|
|
|
307
331
|
'Client public key was not set via `updateClientPublicKey` or passed in via constructor; required when DPoP is enabled'
|
|
308
332
|
);
|
|
309
333
|
}
|
|
310
|
-
const accessToken =
|
|
334
|
+
const accessToken = await this.get();
|
|
311
335
|
if (this.config.dpopEnabled && this.signingKey) {
|
|
312
336
|
const dpopToken = await dpopFn(
|
|
313
337
|
this.signingKey,
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { type TokenProvider } from './interceptors.js';
|
|
2
|
+
import { isTokenExpired, resolveTokenExpiry } from './tokenExpiry.js';
|
|
2
3
|
import { ConfigurationError, TdfError } from '../errors.js';
|
|
3
4
|
import { rstrip } from '../utils.js';
|
|
4
5
|
|
|
@@ -62,40 +63,6 @@ function resolveTokenEndpoint(oidcOrigin: string, override?: string): string {
|
|
|
62
63
|
return `${rstrip(base, '/')}/protocol/openid-connect/token`;
|
|
63
64
|
}
|
|
64
65
|
|
|
65
|
-
/**
|
|
66
|
-
* Decode a JWT's exp claim without verifying the signature.
|
|
67
|
-
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
68
|
-
*/
|
|
69
|
-
function getJwtExpiration(token: string): number | undefined {
|
|
70
|
-
try {
|
|
71
|
-
const parts = token.split('.');
|
|
72
|
-
if (parts.length !== 3) return undefined;
|
|
73
|
-
// Base64url decode the payload
|
|
74
|
-
const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
|
|
75
|
-
const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
|
|
76
|
-
const decoded = JSON.parse(atob(padded));
|
|
77
|
-
return typeof decoded.exp === 'number' ? decoded.exp : undefined;
|
|
78
|
-
} catch {
|
|
79
|
-
return undefined;
|
|
80
|
-
}
|
|
81
|
-
}
|
|
82
|
-
|
|
83
|
-
/**
|
|
84
|
-
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
85
|
-
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
86
|
-
*/
|
|
87
|
-
function resolveTokenExpiry(accessToken: string, expiresIn?: number): number | undefined {
|
|
88
|
-
if (typeof expiresIn === 'number') {
|
|
89
|
-
return Date.now() / 1000 + expiresIn;
|
|
90
|
-
}
|
|
91
|
-
return getJwtExpiration(accessToken);
|
|
92
|
-
}
|
|
93
|
-
|
|
94
|
-
function isTokenExpired(expiry: number | undefined, bufferSeconds = 30): boolean {
|
|
95
|
-
if (expiry === undefined) return true;
|
|
96
|
-
return Date.now() / 1000 >= expiry - bufferSeconds;
|
|
97
|
-
}
|
|
98
|
-
|
|
99
66
|
async function fetchToken(
|
|
100
67
|
tokenEndpoint: string,
|
|
101
68
|
body: Record<string, string>
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Helpers for deciding whether a cached access token is still fresh, using the
|
|
3
|
+
* JWT `exp` claim (or an OAuth `expires_in`) rather than a network round trip.
|
|
4
|
+
*/
|
|
5
|
+
|
|
6
|
+
/**
|
|
7
|
+
* Decode a JWT's exp claim without verifying the signature.
|
|
8
|
+
* Returns the expiration time in seconds since epoch, or undefined if not present.
|
|
9
|
+
*/
|
|
10
|
+
export function getJwtExpiration(token: string): number | undefined {
|
|
11
|
+
try {
|
|
12
|
+
const parts = token.split('.');
|
|
13
|
+
if (parts.length !== 3) return undefined;
|
|
14
|
+
// Base64url decode the payload
|
|
15
|
+
const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
|
|
16
|
+
const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4);
|
|
17
|
+
const decoded = JSON.parse(atob(padded));
|
|
18
|
+
return typeof decoded.exp === 'number' ? decoded.exp : undefined;
|
|
19
|
+
} catch {
|
|
20
|
+
return undefined;
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
/**
|
|
25
|
+
* Compute the absolute expiry (seconds since epoch) for a token response.
|
|
26
|
+
* Prefers `expires_in` from the token response, falls back to the JWT `exp` claim.
|
|
27
|
+
*/
|
|
28
|
+
export function resolveTokenExpiry(accessToken: string, expiresIn?: number): number | undefined {
|
|
29
|
+
if (typeof expiresIn === 'number') {
|
|
30
|
+
return Math.floor(Date.now() / 1000) + expiresIn;
|
|
31
|
+
}
|
|
32
|
+
return getJwtExpiration(accessToken);
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
export function isTokenExpired(expiry: number | undefined, bufferSeconds = 30): boolean {
|
|
36
|
+
if (expiry === undefined) return true;
|
|
37
|
+
return Math.floor(Date.now() / 1000) >= expiry - bufferSeconds;
|
|
38
|
+
}
|