@phila/sso-core 0.0.1 → 0.0.3

package/dist/index.mjs

@@ -1,58 +1,67 @@
-import { LogLevel as A, PublicClientApplication as y, InteractionRequiredAuthError as l } from "@azure/msal-browser";
-class m {
+import { LogLevel, PublicClientApplication, InteractionRequiredAuthError } from "@azure/msal-browser";
+class SSOEventEmitter {
   listeners = /* @__PURE__ */ new Map();
-  on(t, e) {
-    this.listeners.has(t) || this.listeners.set(t, /* @__PURE__ */ new Set());
-    const i = this.listeners.get(t);
-    return i.add(e), () => {
-      i.delete(e);
+  on(event, listener) {
+    if (!this.listeners.has(event)) {
+      this.listeners.set(event, /* @__PURE__ */ new Set());
+    }
+    const set = this.listeners.get(event);
+    set.add(listener);
+    return () => {
+      set.delete(listener);
     };
   }
-  emit(t, e) {
-    const i = this.listeners.get(t);
-    if (i)
-      for (const o of i)
-        o(e);
+  emit(event, data) {
+    const set = this.listeners.get(event);
+    if (set) {
+      for (const listener of set) {
+        listener(data);
+      }
+    }
   }
   removeAllListeners() {
     this.listeners.clear();
   }
 }
-const r = {
+const DEFAULT_POLICIES = {
   SIGN_UP_SIGN_IN: "B2C_1A_SIGNUP_SIGNIN",
   SIGN_IN_ONLY: "B2C_1A_AD_SIGNIN_ONLY",
   RESET_PASSWORD: "B2C_1A_PASSWORDRESET"
-}, h = {
+};
+const DEFAULT_SCOPES = {
   OPENID: "openid",
   PROFILE: "profile",
   OFFLINE_ACCESS: "offline_access"
-}, u = {
+};
+const CACHE_CONFIG = {
   LOCATION: "sessionStorage",
-  STORE_AUTH_STATE_IN_COOKIE: !1
-}, R = {
+  STORE_AUTH_STATE_IN_COOKIE: false
+};
+const MSAL_ERROR_CODES = {
   USER_CANCELLED: "user_cancelled",
   NO_CACHED_AUTHORITY: "no_cached_authority_error",
   INTERACTION_REQUIRED: "interaction_required",
   FORGOT_PASSWORD: "AADB2C90118"
-}, d = "|";
-function _(s) {
-  return btoa(JSON.stringify(s));
+};
+const STATE_SEPARATOR = "|";
+function encodeState(stateObj) {
+  return btoa(JSON.stringify(stateObj));
 }
-function E(s) {
+function decodeState(encoded) {
   try {
-    return JSON.parse(atob(s));
+    return JSON.parse(atob(encoded));
   } catch {
     return null;
   }
 }
-function L(s) {
-  if (!s) return null;
-  const t = s.split(d);
-  if (t.length < 2) return null;
-  const e = t.slice(1).join(d);
-  return E(e);
+function extractCustomState(msalState) {
+  if (!msalState) return null;
+  const parts = msalState.split(STATE_SEPARATOR);
+  if (parts.length < 2) return null;
+  const customPart = parts.slice(1).join(STATE_SEPARATOR);
+  return decodeState(customPart);
 }
-class a {
+class B2CProvider {
   type = "b2c";
   clientId;
   b2cEnv;
@@ -62,12 +71,19 @@ class a {
   policies;
   apiScopes;
   cacheLocation;
-  constructor(t) {
-    this.clientId = t.clientId, this.b2cEnv = t.b2cEnvironment, this.authorityDomain = t.authorityDomain, this.redirectUri = t.redirectUri, this.postLogoutRedirectUri = t.postLogoutRedirectUri ?? t.redirectUri, this.policies = {
-      signUpSignIn: t.policies?.signUpSignIn ?? r.SIGN_UP_SIGN_IN,
-      signInOnly: t.policies?.signInOnly ?? r.SIGN_IN_ONLY,
-      resetPassword: t.policies?.resetPassword ?? r.RESET_PASSWORD
-    }, this.apiScopes = t.apiScopes ?? [], this.cacheLocation = t.cacheLocation ?? u.LOCATION;
+  constructor(config) {
+    this.clientId = config.clientId;
+    this.b2cEnv = config.b2cEnvironment;
+    this.authorityDomain = config.authorityDomain;
+    this.redirectUri = config.redirectUri;
+    this.postLogoutRedirectUri = config.postLogoutRedirectUri ?? config.redirectUri;
+    this.policies = {
+      signUpSignIn: config.policies?.signUpSignIn ?? DEFAULT_POLICIES.SIGN_UP_SIGN_IN,
+      signInOnly: config.policies?.signInOnly ?? DEFAULT_POLICIES.SIGN_IN_ONLY,
+      resetPassword: config.policies?.resetPassword ?? DEFAULT_POLICIES.RESET_PASSWORD
+    };
+    this.apiScopes = config.apiScopes ?? [];
+    this.cacheLocation = config.cacheLocation ?? CACHE_CONFIG.LOCATION;
   }
   buildMsalConfig() {
     return {
@@ -77,35 +93,37 @@ class a {
         knownAuthorities: this.getKnownAuthorities(),
         redirectUri: this.redirectUri,
         postLogoutRedirectUri: this.postLogoutRedirectUri,
-        navigateToLoginRequestUrl: !1
+        navigateToLoginRequestUrl: false
       },
       cache: {
         cacheLocation: this.cacheLocation,
-        storeAuthStateInCookie: u.STORE_AUTH_STATE_IN_COOKIE
+        storeAuthStateInCookie: CACHE_CONFIG.STORE_AUTH_STATE_IN_COOKIE
       },
       system: {
         loggerOptions: {
-          logLevel: A.Warning,
-          loggerCallback: (t, e) => {
-            console.warn("[sso-core/b2c]", e);
+          logLevel: LogLevel.Warning,
+          loggerCallback: (_level, message) => {
+            console.warn("[sso-core/b2c]", message);
           }
         }
       }
     };
   }
-  getAuthority(t) {
-    const e = t ?? this.policies.signUpSignIn;
-    return `https://${this.authorityDomain}/${this.b2cEnv}.onmicrosoft.com/${e}`;
+  getAuthority(policy) {
+    const p = policy ?? this.policies.signUpSignIn;
+    return `https://${this.authorityDomain}/${this.b2cEnv}.onmicrosoft.com/${p}`;
   }
   getKnownAuthorities() {
     return [this.authorityDomain];
   }
-  identifyPolicy(t) {
-    const e = t.idTokenClaims;
-    return e ? (e.acr ?? e.tfp)?.toUpperCase() ?? null : null;
+  identifyPolicy(response) {
+    const claims = response.idTokenClaims;
+    if (!claims) return null;
+    const acr = claims.acr ?? claims.tfp;
+    return acr?.toUpperCase() ?? null;
   }
   getDefaultScopes() {
-    return [h.OPENID, h.PROFILE];
+    return [DEFAULT_SCOPES.OPENID, DEFAULT_SCOPES.PROFILE];
   }
   getApiScopes() {
     return this.apiScopes;
@@ -123,174 +141,247 @@ class a {
     return this.policies;
   }
 }
-const g = {
-  isAuthenticated: !1,
-  isLoading: !1,
+const INITIAL_STATE = {
+  isAuthenticated: false,
+  isLoading: false,
   user: null,
   token: null,
   error: null,
   activePolicy: null,
-  authReady: !1
+  authReady: false
 };
-class w {
-  events = new m();
+class SSOClient {
+  events = new SSOEventEmitter();
   provider;
   debug;
   encodedState;
   msalInstance = null;
-  _state = { ...g };
-  constructor(t) {
-    this.provider = t.provider, this.debug = t.debug ?? !1, this.encodedState = t.state ? _(t.state) : null;
+  _state = { ...INITIAL_STATE };
+  constructor(config) {
+    this.provider = config.provider;
+    this.debug = config.debug ?? false;
+    this.encodedState = config.state ? encodeState(config.state) : null;
   }
   get state() {
     return this._state;
   }
   // ── Lifecycle ──
   async initialize() {
-    this.log("Initializing SSOClient..."), this.updateState({ isLoading: !0 });
-    const t = this.provider.buildMsalConfig();
-    this.msalInstance = new y(t), await this.msalInstance.initialize();
-    const e = await this.handleRedirect();
-    return this.updateState({ isLoading: !1, authReady: !0 }), e;
+    this.log("Initializing SSOClient...");
+    this.updateState({ isLoading: true });
+    const msalConfig = this.provider.buildMsalConfig();
+    this.msalInstance = new PublicClientApplication(msalConfig);
+    await this.msalInstance.initialize();
+    const result = await this.handleRedirect();
+    this.updateState({ isLoading: false, authReady: true });
+    return result;
   }
   destroy() {
-    this.events.removeAllListeners(), this.msalInstance = null, this._state = { ...g };
+    this.events.removeAllListeners();
+    this.msalInstance = null;
+    this._state = { ...INITIAL_STATE };
   }
   // ── Auth Actions ──
   async handleRedirect() {
-    this.assertInitialized(), this.log("Handling redirect promise...");
+    this.assertInitialized();
+    this.log("Handling redirect promise...");
     try {
-      const t = await this.msalInstance.handleRedirectPromise();
-      if (!t)
-        return this.selectAccount(null), null;
-      this.log("Redirect response received", t);
-      const e = L(t.state), i = this.provider.identifyPolicy(t);
-      if (this.updateState({ activePolicy: i }), this.isForgotPasswordPolicy(i))
-        return this.log("Forgot password flow completed"), this.events.emit("auth:forgotPassword", void 0), { ...t, customPostbackObject: e ?? void 0 };
-      this.updateState({ isLoading: !0 }), this.selectAccount(i), await this.acquireTokenAfterRedirect(t);
-      const o = {
-        ...t,
-        customPostbackObject: e ?? void 0
+      const response = await this.msalInstance.handleRedirectPromise();
+      if (!response) {
+        this.selectAccount(null);
+        return null;
+      }
+      this.log("Redirect response received", response);
+      const customState = extractCustomState(response.state);
+      const policy = this.provider.identifyPolicy(response);
+      this.updateState({ activePolicy: policy });
+      if (this.isForgotPasswordPolicy(policy)) {
+        this.log("Forgot password flow completed");
+        this.events.emit("auth:forgotPassword", void 0);
+        return { ...response, customPostbackObject: customState ?? void 0 };
+      }
+      this.updateState({ isLoading: true });
+      this.selectAccount(policy);
+      await this.acquireTokenAfterRedirect(response);
+      const authResponse = {
+        ...response,
+        customPostbackObject: customState ?? void 0
       };
-      return this.events.emit("auth:signedIn", o), o;
-    } catch (t) {
-      return this.handleRedirectError(t);
+      this.events.emit("auth:signedIn", authResponse);
+      return authResponse;
+    } catch (error) {
+      return this.handleRedirectError(error);
     }
   }
-  async signIn(t) {
-    this.assertInitialized(), this.log("Initiating sign-in..."), this.updateState({ isLoading: !0 }), this.events.emit("auth:loading", !0);
-    const e = this.buildLoginRequest(this.provider.getAuthority(), t);
-    await this.msalInstance.loginRedirect(e);
-  }
-  async signInCityEmployee(t) {
-    if (this.assertInitialized(), this.log("Initiating city employee sign-in..."), !(this.provider instanceof a))
-      return this.signIn(t);
-    const e = this.provider.getSignInOnlyAuthority(), i = this.buildLoginRequest(e, t);
-    await this.msalInstance.loginRedirect(i);
-  }
-  async signOut(t) {
-    this.assertInitialized(), this.log("Initiating sign-out...");
-    const e = {
-      postLogoutRedirectUri: t?.postLogoutRedirectUri,
+  async signIn(options) {
+    this.assertInitialized();
+    this.log("Initiating sign-in...");
+    this.updateState({ isLoading: true });
+    this.events.emit("auth:loading", true);
+    const request = this.buildLoginRequest(this.provider.getAuthority(), options);
+    await this.msalInstance.loginRedirect(request);
+  }
+  async signInCityEmployee(options) {
+    this.assertInitialized();
+    this.log("Initiating city employee sign-in...");
+    if (!(this.provider instanceof B2CProvider)) {
+      return this.signIn(options);
+    }
+    const authority = this.provider.getSignInOnlyAuthority();
+    const request = this.buildLoginRequest(authority, options);
+    await this.msalInstance.loginRedirect(request);
+  }
+  async signOut(options) {
+    this.assertInitialized();
+    this.log("Initiating sign-out...");
+    const logoutRequest = {
+      postLogoutRedirectUri: options?.postLogoutRedirectUri,
       authority: this.provider.getAuthority()
     };
-    this.updateState({ isLoading: !0 }), this.events.emit("auth:signedOut", void 0), await this.msalInstance.logoutRedirect(e);
+    this.updateState({ isLoading: true });
+    this.events.emit("auth:signedOut", void 0);
+    await this.msalInstance.logoutRedirect(logoutRequest);
   }
   async forgotPassword() {
-    if (this.assertInitialized(), !(this.provider instanceof a)) {
+    this.assertInitialized();
+    if (!(this.provider instanceof B2CProvider)) {
       this.log("Forgot password is only supported for B2C providers");
       return;
     }
     this.log("Initiating forgot password flow...");
-    const t = this.provider.getResetPasswordAuthority();
-    await this.msalInstance.loginRedirect({ scopes: [], authority: t });
-  }
-  async acquireToken(t) {
-    this.assertInitialized(), this.log("Acquiring token...");
-    const e = this._state.user;
-    if (!e)
-      return this.log("No account found, cannot acquire token"), null;
-    const o = {
-      scopes: t?.scopes ?? this.provider.getApiScopes(),
-      forceRefresh: t?.forceRefresh ?? !1,
-      account: e,
+    const authority = this.provider.getResetPasswordAuthority();
+    await this.msalInstance.loginRedirect({ scopes: [], authority });
+  }
+  async acquireToken(options) {
+    this.assertInitialized();
+    this.log("Acquiring token...");
+    const account = this._state.user;
+    if (!account) {
+      this.log("No account found, cannot acquire token");
+      return null;
+    }
+    const scopes = options?.scopes ?? this.provider.getApiScopes();
+    const tokenRequest = {
+      scopes,
+      forceRefresh: options?.forceRefresh ?? false,
+      account,
       authority: this._state.activePolicy ? this.provider.getAuthority(this._state.activePolicy) : this.provider.getAuthority()
     };
     try {
-      const n = await this.msalInstance.acquireTokenSilent(o);
-      if (!n.accessToken)
-        throw new l("empty_token");
-      return this.log("Token acquired silently"), this.updateState({ token: n.accessToken, error: null }), this.events.emit("auth:tokenAcquired", n.accessToken), n.accessToken;
-    } catch (n) {
-      if (n instanceof l) {
+      const response = await this.msalInstance.acquireTokenSilent(tokenRequest);
+      if (!response.accessToken) {
+        throw new InteractionRequiredAuthError("empty_token");
+      }
+      this.log("Token acquired silently");
+      this.updateState({ token: response.accessToken, error: null });
+      this.events.emit("auth:tokenAcquired", response.accessToken);
+      return response.accessToken;
+    } catch (error) {
+      if (error instanceof InteractionRequiredAuthError) {
         this.log("Silent token acquisition failed, falling back to redirect");
         try {
-          return await this.msalInstance.acquireTokenRedirect(o), null;
-        } catch (c) {
-          return this.handleError(c), null;
+          await this.msalInstance.acquireTokenRedirect(tokenRequest);
+          return null;
+        } catch (redirectError) {
+          this.handleError(redirectError);
+          return null;
         }
       }
-      return this.handleError(n), null;
+      this.handleError(error);
+      return null;
     }
   }
   // ── Internal Helpers ──
-  selectAccount(t) {
-    const e = this.msalInstance.getAllAccounts();
-    if (e.length === 0) {
-      this.updateState({ isAuthenticated: !1, user: null });
+  selectAccount(policy) {
+    const accounts = this.msalInstance.getAllAccounts();
+    if (accounts.length === 0) {
+      this.updateState({ isAuthenticated: false, user: null });
       return;
     }
-    let i = null;
-    if (e.length === 1)
-      i = e[0];
-    else if (t) {
-      const o = e.filter((n) => {
-        const p = n.idTokenClaims?.iss ?? "", f = this.provider.getKnownAuthorities().some((I) => p.toUpperCase().includes(I.toUpperCase())), S = n.homeAccountId.toUpperCase().includes(t.toUpperCase());
-        return f && S;
+    let selected = null;
+    if (accounts.length === 1) {
+      selected = accounts[0];
+    } else if (policy) {
+      const filtered = accounts.filter((account) => {
+        const claims = account.idTokenClaims;
+        const iss = claims?.iss ?? "";
+        const knownAuthorities = this.provider.getKnownAuthorities();
+        const matchesAuthority = knownAuthorities.some((auth) => iss.toUpperCase().includes(auth.toUpperCase()));
+        const matchesPolicy = account.homeAccountId.toUpperCase().includes(policy.toUpperCase());
+        return matchesAuthority && matchesPolicy;
       });
-      o.length >= 1 && (i = o[0]);
+      if (filtered.length >= 1) {
+        selected = filtered[0];
+      }
+    }
+    if (!selected && accounts.length > 0) {
+      selected = accounts[0];
+    }
+    if (selected) {
+      this.log("Account selected", selected.username);
+      this.updateState({ isAuthenticated: true, user: selected });
     }
-    !i && e.length > 0 && (i = e[0]), i && (this.log("Account selected", i.username), this.updateState({ isAuthenticated: !0, user: i }));
   }
-  async acquireTokenAfterRedirect(t) {
-    const e = this.msalInstance.getAccountByHomeId(t.account?.homeAccountId ?? "") ?? t.account ?? null;
-    e && this.updateState({ isAuthenticated: !0, user: e }), await this.acquireToken(), this.updateState({ isLoading: !1 });
+  async acquireTokenAfterRedirect(response) {
+    const account = this.msalInstance.getAccountByHomeId(response.account?.homeAccountId ?? "") ?? response.account ?? null;
+    if (account) {
+      this.updateState({ isAuthenticated: true, user: account });
+    }
+    await this.acquireToken();
+    this.updateState({ isLoading: false });
   }
-  buildLoginRequest(t, e) {
+  buildLoginRequest(authority, options) {
+    const scopes = options?.scopes ?? this.provider.getDefaultScopes();
     return {
-      scopes: e?.scopes ?? this.provider.getDefaultScopes(),
-      authority: t,
+      scopes,
+      authority,
       state: this.encodedState ? `${this.encodedState}` : void 0,
-      loginHint: e?.loginHint,
-      domainHint: e?.domainHint
+      loginHint: options?.loginHint,
+      domainHint: options?.domainHint
     };
   }
-  isForgotPasswordPolicy(t) {
-    return !t || !(this.provider instanceof a) ? !1 : t.toUpperCase() === this.provider.getPolicies().resetPassword.toUpperCase();
-  }
-  handleRedirectError(t) {
-    return t.errorMessage?.includes(R.FORGOT_PASSWORD) ? (this.log("Forgot password error detected, redirecting..."), this.forgotPassword(), null) : (this.handleError(t), this.updateState({ isLoading: !1 }), null);
+  isForgotPasswordPolicy(policy) {
+    if (!policy) return false;
+    if (!(this.provider instanceof B2CProvider)) return false;
+    return policy.toUpperCase() === this.provider.getPolicies().resetPassword.toUpperCase();
+  }
+  handleRedirectError(error) {
+    const err = error;
+    if (err.errorMessage?.includes(MSAL_ERROR_CODES.FORGOT_PASSWORD)) {
+      this.log("Forgot password error detected, redirecting...");
+      this.forgotPassword();
+      return null;
+    }
+    this.handleError(error);
+    this.updateState({ isLoading: false });
+    return null;
   }
-  handleError(t) {
-    const e = t instanceof Error ? t : new Error(String(t));
-    this.log("Error:", e.message), this.updateState({ error: e }), this.events.emit("auth:error", e);
+  handleError(error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    this.log("Error:", err.message);
+    this.updateState({ error: err });
+    this.events.emit("auth:error", err);
   }
-  updateState(t) {
-    this._state = { ...this._state, ...t }, this.events.emit("auth:stateChanged", this._state);
+  updateState(partial) {
+    this._state = { ...this._state, ...partial };
+    this.events.emit("auth:stateChanged", this._state);
   }
   assertInitialized() {
-    if (!this.msalInstance)
+    if (!this.msalInstance) {
       throw new Error("SSOClient not initialized. Call initialize() first.");
+    }
   }
-  log(...t) {
-    this.debug && console.log("[sso-core]", ...t);
+  log(...args) {
+    if (this.debug) {
+      console.log("[sso-core]", ...args);
+    }
   }
 }
-class C {
+class CIAMProvider {
   type = "ciam";
   config;
-  constructor(t) {
-    this.config = t;
+  constructor(config) {
+    this.config = config;
   }
   buildMsalConfig() {
     return {
@@ -300,7 +391,7 @@ class C {
         knownAuthorities: this.getKnownAuthorities(),
         redirectUri: this.config.redirectUri,
         postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,
-        navigateToLoginRequestUrl: !1
+        navigateToLoginRequestUrl: false
       },
       cache: {
         cacheLocation: this.config.cacheLocation ?? "sessionStorage"
@@ -313,7 +404,7 @@ class C {
   getKnownAuthorities() {
     return [`${this.config.tenantSubdomain}.ciamlogin.com`];
   }
-  identifyPolicy(t) {
+  identifyPolicy(_response) {
     return null;
   }
   getDefaultScopes() {
@@ -323,11 +414,11 @@ class C {
     return this.config.scopes ?? [];
   }
 }
-class P {
+class EntraProvider {
   type = "entra";
   config;
-  constructor(t) {
-    this.config = t;
+  constructor(config) {
+    this.config = config;
   }
   buildMsalConfig() {
     return {
@@ -337,7 +428,7 @@ class P {
         knownAuthorities: this.getKnownAuthorities(),
         redirectUri: this.config.redirectUri,
         postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,
-        navigateToLoginRequestUrl: !1
+        navigateToLoginRequestUrl: false
       },
       cache: {
         cacheLocation: this.config.cacheLocation ?? "sessionStorage"
@@ -350,7 +441,7 @@ class P {
   getKnownAuthorities() {
     return ["login.microsoftonline.com"];
   }
-  identifyPolicy(t) {
+  identifyPolicy(_response) {
     return null;
   }
   getDefaultScopes() {
@@ -361,18 +452,18 @@ class P {
   }
 }
 export {
-  a as B2CProvider,
-  u as CACHE_CONFIG,
-  C as CIAMProvider,
-  r as DEFAULT_POLICIES,
-  h as DEFAULT_SCOPES,
-  P as EntraProvider,
-  R as MSAL_ERROR_CODES,
-  w as SSOClient,
-  m as SSOEventEmitter,
-  d as STATE_SEPARATOR,
-  E as decodeState,
-  _ as encodeState,
-  L as extractCustomState
+  B2CProvider,
+  CACHE_CONFIG,
+  CIAMProvider,
+  DEFAULT_POLICIES,
+  DEFAULT_SCOPES,
+  EntraProvider,
+  MSAL_ERROR_CODES,
+  SSOClient,
+  SSOEventEmitter,
+  STATE_SEPARATOR,
+  decodeState,
+  encodeState,
+  extractCustomState
 };
 //# sourceMappingURL=index.mjs.map