@schibsted/account-sdk-browser 5.0.0 → 5.0.1-beta

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@schibsted/account-sdk-browser",
-  "version": "5.0.0",
+  "version": "5.0.1-beta",
   "description": "Schibsted account SDK for browsers",
   "main": "index.js",
   "type": "module",

package/src/cache.d.ts

@@ -14,7 +14,6 @@ export default class Cache {
     /**
      * Get a value from cache (checks that the object has not expired)
      * @param {string} key
-     * @private
      * @returns {*} - The value if it exists, otherwise null
      */
     private get;
@@ -23,14 +22,12 @@ export default class Cache {
      * @param {string} key
      * @param {*} value
      * @param {Number} expiresIn - Value in milliseconds until the entry expires
-     * @private
      * @returns {void}
      */
     private set;
     /**
      * Delete a cache entry
      * @param {string} key
-     * @private
      * @returns {void}
      */
     private delete;

package/src/cache.js

@@ -89,7 +89,6 @@ export default class Cache {
     /**
      * Get a value from cache (checks that the object has not expired)
      * @param {string} key
-     * @private
      * @returns {*} - The value if it exists, otherwise null
      */
     get(key) {
@@ -124,7 +123,6 @@ export default class Cache {
      * @param {string} key
      * @param {*} value
      * @param {Number} expiresIn - Value in milliseconds until the entry expires
-     * @private
      * @returns {void}
      */
     set(key, value, expiresIn = 0) {
@@ -145,7 +143,6 @@ export default class Cache {
     /**
      * Delete a cache entry
      * @param {string} key
-     * @private
      * @returns {void}
      */
     delete(key) {

package/src/identity.d.ts

@@ -28,7 +28,8 @@ export class Identity extends TinyEmitter {
     _sessionInitiatedSent: boolean;
     window: any;
     clientId: string;
-    cache: any;
+    sessionStorageCache: any;
+    localStorageCache: any;
     redirectUri: string;
     env: string;
     log: Function;
@@ -36,6 +37,31 @@ export class Identity extends TinyEmitter {
     _sessionDomain: string;
     _enableSessionCaching: boolean;
     _session: {};
+
+    /**
+     * Read tabId from session storage
+     * @returns {number}
+     * @private
+     */
+    private _getTabId;
+    /**
+     * Checks if calling get session is blocked
+     * @private
+     * @returns {boolean|void}
+     */
+    private _isSessionCallBlocked;
+    /**
+     * Block calls to get session. This is done to prevent concurrent calls which can log user out if session is refreshed by one of them
+     * @private
+     * @returns {void}
+     */
+    private _blockSessionCall;
+    /**
+     * Unblocks calls to get session if the lock was put by the same tab
+     * @private
+     * @returns {void}
+     */
+    private _unblockSessionCall;
     /**
      * Set SPiD server URL
      * @private
@@ -77,7 +103,7 @@ export class Identity extends TinyEmitter {
     private _setGlobalSessionServiceUrl;
     _globalSessionService: RESTClient;
     /**
-     * Emits the relevant events based on the previous and new reply from hassession
+     * Emits the relevant events based on the previous and new reply from {@link Identity#hasSession}
      * @private
      * @param {object} previous
      * @param {object} current
@@ -92,7 +118,7 @@ export class Identity extends TinyEmitter {
     private _closePopup;
     popup: Window;
     /**
-     * Set the Varnish cookie (`SP_ID`) when hasSession() is called. Note that most browsers require
+     * Set the Varnish cookie (`SP_ID`) when {@link Identity#hasSession} is called. Note that most browsers require
      * that you are on a "real domain" for this to work — so, **not** `localhost`
      * @param {object} [options]
      * @param {number} [options.expiresIn] Override this to set number of seconds before the varnish
@@ -195,7 +221,7 @@ export class Identity extends TinyEmitter {
      * @description This function calls {@link Identity#hasSession} internally and thus has the side
      * effect that it might perform an auto-login on the user
      * @throws {SDKError} If the user isn't connected to the merchant
-     * @return {Promise<string>} The `userId` field (not to be confused with the `uuid`)
+     * @return {number} The `userId` field (not to be confused with the `uuid`)
      */
     getUserId(): Promise<string>;
     /**
@@ -355,7 +381,7 @@ export type LoginOptions = {
      * `password` (will force password confirmation, even if user is already logged in), `eid`. Those values might
      * be mixed as space-separated string. To make sure that user has authenticated with 2FA you need
      * to verify AMR (Authentication Methods References) claim in ID token.
-     * Might also be used to ensure additional acr (sms, otp, eid) for already logged in users.
+     * Might also be used to ensure additional acr (sms, otp, eid) for already logged-in users.
      * Supported value is also 'otp-email' means one time password using email.
      */
     acrValues?: string;
@@ -424,7 +450,7 @@ export type SimplifiedLoginWidgetLoginOptions = {
      * `password` (will force password confirmation, even if user is already logged in). Those values might
      * be mixed as space-separated string. To make sure that user has authenticated with 2FA you need
      * to verify AMR (Authentication Methods References) claim in ID token.
-     * Might also be used to ensure additional acr (sms, otp) for already logged in users.
+     * Might also be used to ensure additional acr (sms, otp) for already logged-in users.
      * Supported value is also 'otp-email' means one time password using email.
      */
     acrValues?: string;
@@ -592,7 +618,7 @@ export type HasSessionFailureResponse = {
 };
 export type SimplifiedLoginData = {
     /**
-     * - Deprecated: User UUID, to be be used as `loginHint` for {@link Identity#login}
+     * - Deprecated: User UUID, to be used as `loginHint` for {@link Identity#login}
      */
     identifier: string;
     /**

package/src/identity.js

@@ -26,7 +26,7 @@ import version from './version.js';
  * `password` (will force password confirmation, even if user is already logged in), `eid`. Those values might
  * be mixed as space-separated string. To make sure that user has authenticated with 2FA you need
  * to verify AMR (Authentication Methods References) claim in ID token.
- * Might also be used to ensure additional acr (sms, otp) for already logged in users.
+ * Might also be used to ensure additional acr (sms, otp) for already logged-in users.
  * Supported value is also 'otp-email' means one time password using email.
  * @property {string} [scope] - The OAuth scopes for the tokens. This is a list of
  * scopes, separated by space. If the list of scopes contains `openid`, the generated tokens
@@ -60,7 +60,7 @@ import version from './version.js';
  * `password` (will force password confirmation, even if user is already logged in). Those values might
  * be mixed as space-separated string. To make sure that user has authenticated with 2FA you need
  * to verify AMR (Authentication Methods References) claim in ID token.
- * Might also be used to ensure additional acr (sms, otp) for already logged in users.
+ * Might also be used to ensure additional acr (sms, otp) for already logged-in users.
  * Supported value is also 'otp-email' means one time password using email.
  * @property {string} [scope] - The OAuth scopes for the tokens. This is a list of
  * scopes, separated by space. If the list of scopes contains `openid`, the generated tokens
@@ -134,7 +134,7 @@ import version from './version.js';
 
 /**
  * @typedef {object} SimplifiedLoginData
- * @property {string} identifier - Deprecated: User UUID, to be be used as `loginHint` for {@link Identity#login}
+ * @property {string} identifier - Deprecated: User UUID, to be as `loginHint` for {@link Identity#login}
  * @property {string} display_text - Human-readable user identifier
  * @property {string} client_name - Client name
  */
@@ -146,12 +146,16 @@ import version from './version.js';
 
 const HAS_SESSION_CACHE_KEY = 'hasSession-cache';
 const SESSION_CALL_BLOCKED_CACHE_KEY = 'sessionCallBlocked-cache';
-const SESSION_CALL_BLOCKED_TTL = 1000 * 60 * 5;
+const SESSION_CALL_BLOCKED_TTL = 1000 * 30;
+
+const TAB_ID_KEY = 'tab-id-cache';
+const TAB_ID = Math.floor(Math.random() * 100000)
+const TAB_ID_TTL = 1000 * 60 * 60 * 24 * 30;
 
 const globalWindow = () => window;
 
 /**
- * Provides Identity functionalty to a web page
+ * Provides Identity functionality to a web page
  */
 export class Identity extends EventEmitter {
     /**
@@ -182,18 +186,21 @@ export class Identity extends EventEmitter {
         assert(sessionDomain && isUrl(sessionDomain), 'sessionDomain parameter is not a valid URL');
 
         spidTalk.emulate(window);
+
+        // Internal hack: set as false to always refresh from hasSession
+        this._enableSessionCaching = true;
+
         this._sessionInitiatedSent = false;
         this.window = window;
         this.clientId = clientId;
-        this.cache = new Cache(() => this.window && this.window.sessionStorage);
+        this.sessionStorageCache = new Cache(this.window && this.window.sessionStorage);
+        this.localStorageCache = new Cache(this.window && this.window.localStorage);
         this.redirectUri = redirectUri;
         this.env = env;
         this.log = log;
         this.callbackBeforeRedirect = callbackBeforeRedirect;
         this._sessionDomain = sessionDomain;
-
-        // Internal hack: set to false to always refresh from hassession
-        this._enableSessionCaching = true;
+        this._tabId = this._getTabId();
 
         // Old session
         this._session = {};
@@ -203,49 +210,59 @@ export class Identity extends EventEmitter {
         this._setBffServerUrl(env);
         this._setOauthServerUrl(env);
         this._setGlobalSessionServiceUrl(env);
-
-        this._unblockSessionCall();
+        this._unblockSessionCallByTab();
     }
 
     /**
-     * Checks if getting session is blocked
+     * Read tabId from session storage if possible, otherwise save tabId to session storage and return it
+     * @returns {number}
      * @private
-     *
-     * @returns {boolean|void}
      */
-    _isSessionCallBlocked(){
+    _getTabId() {
         if (this._enableSessionCaching) {
-            return this.cache.get(SESSION_CALL_BLOCKED_CACHE_KEY);
+            const tabId = this.sessionStorageCache.get(TAB_ID_KEY);
+            if (!tabId) {
+                this.sessionStorageCache.set(TAB_ID_KEY, TAB_ID, TAB_ID_TTL);
+
+                return TAB_ID;
+            }
+
+            return tabId;
         }
+
+        return TAB_ID;
     }
 
     /**
-     * Block calls to get session
+     * Checks if calling GET session is blocked
+     * @private
+     * @returns {number|null}
+     */
+    _isSessionCallBlocked(){
+        return this.localStorageCache.get(SESSION_CALL_BLOCKED_CACHE_KEY);
+    }
+
+    /**
+     * Block calls to get session. This is done to prevent concurrent calls which can log user out if session is refreshed by one of them
      * @private
-     *
      * @returns {void}
      */
     _blockSessionCall(){
-        if (this._enableSessionCaching) {
-            const SESSION_CALL_BLOCKED = true;
-
-            this.cache.set(
-                SESSION_CALL_BLOCKED_CACHE_KEY,
-                SESSION_CALL_BLOCKED,
-                SESSION_CALL_BLOCKED_TTL
-            );
-        }
+        this.localStorageCache.set(
+            SESSION_CALL_BLOCKED_CACHE_KEY,
+            this._tabId,
+            SESSION_CALL_BLOCKED_TTL
+        );
     }
 
     /**
-     * Unblocks calls to get session
+     * Unblocks calls to get session if the lock was put by the same tab
      * @private
-     *
      * @returns {void}
      */
-    _unblockSessionCall(){
-        if (this._enableSessionCaching) {
-            this.cache.delete(SESSION_CALL_BLOCKED_CACHE_KEY);
+    _unblockSessionCallByTab() {
+        if (this._isSessionCallBlocked() === this._tabId) {
+            this.localStorageCache.delete(SESSION_CALL_BLOCKED_CACHE_KEY);
         }
     }
 
@@ -327,7 +344,7 @@ export class Identity extends EventEmitter {
     }
 
     /**
-     * Emits the relevant events based on the previous and new reply from hassession
+     * Emits the relevant events based on the previous and new reply from {@link Identity#hasSession}
      * @private
      * @param {object} previous
      * @param {object} current
@@ -407,7 +424,7 @@ export class Identity extends EventEmitter {
     }
 
     /**
-     * Set the Varnish cookie (`SP_ID`) when hasSession() is called. Note that most browsers require
+     * Set the Varnish cookie (`SP_ID`) when {@link Identity#hasSession} is called. Note that most browsers require
      * that you are on a "real domain" for this to work — so, **not** `localhost`
      * @param {object} [options]
      * @param {number} [options.expiresIn] Override this to set number of seconds before the varnish
@@ -566,18 +583,19 @@ export class Identity extends EventEmitter {
         const _getSession = async () => {
             if (this._enableSessionCaching) {
                 // Try to resolve from cache (it has a TTL)
-                let cachedSession = this.cache.get(HAS_SESSION_CACHE_KEY);
+                let cachedSession = this.sessionStorageCache.get(HAS_SESSION_CACHE_KEY);
                 if (cachedSession) {
                     return _postProcess(cachedSession);
                 }
             }
+
             let sessionData = null;
             try {
-                sessionData = await this._sessionService.get('/v2/session');
+                sessionData = await this._sessionService.get('/v2/session', {tabId: this._tabId});
             } catch (err) {
                 if (err && err.code === 400 && this._enableSessionCaching) {
                     const expiresIn = 1000 * (err.expiresIn || 300);
-                    this.cache.set(HAS_SESSION_CACHE_KEY, { error: err }, expiresIn);
+                    this.sessionStorageCache.set(HAS_SESSION_CACHE_KEY, { error: err }, expiresIn);
                 }
                 throw err;
             }
@@ -589,12 +607,12 @@ export class Identity extends EventEmitter {
 
                     await this.callbackBeforeRedirect();
 
-                    return this._sessionService.makeUrl(sessionData.redirectURL);
+                    return this._sessionService.makeUrl(sessionData.redirectURL, {tabId: this._getTabId()});
                 }
 
                 if (this._enableSessionCaching) {
                     const expiresIn = 1000 * (sessionData.expiresIn || 300);
-                    this.cache.set(HAS_SESSION_CACHE_KEY, sessionData, expiresIn);
+                    this.sessionStorageCache.set(HAS_SESSION_CACHE_KEY, sessionData, expiresIn);
                 }
             }
 
@@ -642,7 +660,7 @@ export class Identity extends EventEmitter {
      * @returns {void}
      */
     clearCachedUserSession() {
-        this.cache.delete(HAS_SESSION_CACHE_KEY);
+        this.sessionStorageCache.delete(HAS_SESSION_CACHE_KEY);
     }
 
     /**
@@ -696,7 +714,7 @@ export class Identity extends EventEmitter {
      * @description This function calls {@link Identity#hasSession} internally and thus has the side
      * effect that it might perform an auto-login on the user
      * @throws {SDKError} If the user isn't connected to the merchant
-     * @return {Promise<string>} The `userId` field (not to be confused with the `uuid`)
+     * @return {number} The `userId` field (not to be confused with the `uuid`)
      */
     async getUserId() {
         const user = await this.hasSession();
@@ -853,7 +871,7 @@ export class Identity extends EventEmitter {
         prompt = 'select_account'
     }) {
         this._closePopup();
-        this.cache.delete(HAS_SESSION_CACHE_KEY);
+        this.sessionStorageCache.delete(HAS_SESSION_CACHE_KEY);
         const url = this.loginUrl({
             state,
             acrValues,
@@ -902,7 +920,7 @@ export class Identity extends EventEmitter {
      * @return {void}
      */
     logout(redirectUri = this.redirectUri) {
-        this.cache.delete(HAS_SESSION_CACHE_KEY);
+        this.sessionStorageCache.delete(HAS_SESSION_CACHE_KEY);
         this._maybeClearVarnishCookie();
         this.emit('logout');
         this.window.location.href = this.logoutUrl(redirectUri);

package/src/version.js

@@ -1,5 +1,5 @@
 // Automatically generated in 'npm version' by scripts/genversion.js
 
 'use strict'
-const version = '5.0.0';
+const version = '5.0.1-beta';
 export default version;