@shokirovr16/frontend-library 0.1.2

package/src/auth/core/OidcDiscovery.js

@@ -0,0 +1,17 @@
+const DISCOVERY_PATH = '/.well-known/openid-configuration';
+
+export async function loadOidcDiscovery(issuer, fetchImpl = fetch) {
+  if (!issuer) throw new Error('[cmfrt/auth] issuer is required for OIDC discovery.');
+  const url = issuer.replace(/\/+$/g, '') + DISCOVERY_PATH;
+  const res = await fetchImpl(url, { headers: { accept: 'application/json' } });
+  if (!res.ok) {
+    throw new Error(`[cmfrt/auth] OIDC discovery failed: ${res.status} ${res.statusText}`);
+  }
+  /** @type {any} */
+  const json = await res.json();
+  if (!json.authorization_endpoint || !json.token_endpoint) {
+    throw new Error('[cmfrt/auth] Invalid OIDC discovery document (missing endpoints).');
+  }
+  return json;
+}
+

package/src/auth/core/Pkce.js

@@ -0,0 +1,18 @@
+import { uint8ArrayToBase64Url } from '../utils/base64url.js';
+import { randomString } from '../utils/random.js';
+
+export function generateCodeVerifier() {
+  // RFC 7636 allows 43..128 chars. Use 64.
+  return randomString(64);
+}
+
+export async function codeChallengeS256(codeVerifier) {
+  const cryptoObj = globalThis.crypto;
+  if (!cryptoObj?.subtle) {
+    throw new Error('[cmfrt/auth] crypto.subtle is required for PKCE S256.');
+  }
+  const data = new TextEncoder().encode(codeVerifier);
+  const digest = await cryptoObj.subtle.digest('SHA-256', data);
+  return uint8ArrayToBase64Url(new Uint8Array(digest));
+}
+

package/src/auth/events/AuthEventBus.js

@@ -0,0 +1,22 @@
+export function createAuthEventBus() {
+  /** @type {Set<(event:any)=>void>} */
+  const listeners = new Set();
+
+  function emit(event) {
+    for (const listener of listeners) {
+      try {
+        listener(event);
+      } catch {
+        // best-effort
+      }
+    }
+  }
+
+  function subscribe(listener) {
+    listeners.add(listener);
+    return () => listeners.delete(listener);
+  }
+
+  return { emit, subscribe };
+}
+

package/src/auth/http/authFetch.js

@@ -0,0 +1,32 @@
+import { getAuth } from '../singleton.js';
+
+/**
+ * Fetch wrapper that:
+ * - adds Authorization header
+ * - ensures fresh token (single-flight via engine)
+ * - retries once on 401 after refresh
+ *
+ * @param {RequestInfo|URL} input
+ * @param {RequestInit} [init]
+ * @param {{ engine?: any, minValiditySec?: number, retryOn401?: boolean }} [options]
+ */
+export async function authFetch(input, init, options) {
+  const engine = options?.engine || getAuth();
+  const retryOn401 = options?.retryOn401 ?? true;
+  const minValiditySec = options?.minValiditySec;
+
+  const doFetch = async (isRetry) => {
+    await engine.ensureFreshToken(minValiditySec);
+    const token = engine.getAccessToken();
+    const headers = new Headers(init?.headers || {});
+    if (token) headers.set('authorization', `Bearer ${token}`);
+    const res = await fetch(input, { ...init, headers });
+    if (res.status === 401 && retryOn401 && !isRetry) {
+      await engine.refresh();
+      return doFetch(true);
+    }
+    return res;
+  };
+
+  return doFetch(false);
+}

package/src/auth/http/createAuthHttpClient.js

@@ -0,0 +1,42 @@
+/**
+ * Axios integration without importing axios:
+ * user passes an axios instance.
+ */
+
+export function createAuthHttpClient({ axios, engine, minValiditySec = 30, retryOn401 = true }) {
+  if (!axios) throw new Error('[cmfrt/auth] axios instance is required.');
+  if (!engine) throw new Error('[cmfrt/auth] engine is required.');
+
+  const instance = axios.create ? axios.create() : axios;
+
+  instance.interceptors.request.use(async (config) => {
+    await engine.ensureFreshToken(minValiditySec);
+    const token = engine.getAccessToken();
+    if (token) {
+      config.headers = config.headers || {};
+      config.headers.Authorization = `Bearer ${token}`;
+    }
+    return config;
+  });
+
+  instance.interceptors.response.use(
+    (res) => res,
+    async (error) => {
+      const status = error?.response?.status;
+      const original = error?.config;
+      if (!retryOn401 || status !== 401 || !original || original.__cmfrtAuthRetry) throw error;
+
+      original.__cmfrtAuthRetry = true;
+      await engine.refresh();
+      const token = engine.getAccessToken();
+      if (token) {
+        original.headers = original.headers || {};
+        original.headers.Authorization = `Bearer ${token}`;
+      }
+      return instance(original);
+    }
+  );
+
+  return instance;
+}
+

package/src/auth/index.js

@@ -0,0 +1,90 @@
+export { createAuthEngine } from './core/AuthEngine.js';
+export { createDefaultTenantResolver } from './tenancy/TenantResolver.js';
+export { createAuthEventBus } from './events/AuthEventBus.js';
+
+export { initializeAuth, getAuth } from './singleton.js';
+
+/**
+ * @typedef {import('./types.js').AuthRuntimeConfig} AuthRuntimeConfig
+ * @typedef {import('./types.js').AuthEngine} AuthEngine
+ * @typedef {import('./types.js').InitializeAuthOptions} InitializeAuthOptions
+ */
+
+import { getAuth as _getAuth } from './singleton.js';
+
+export function subscribeAuthEvents(listener) {
+  return _getAuth().subscribeAuthEvents(listener);
+}
+
+export function getUser() {
+  return _getAuth().getUser();
+}
+
+export function getAccessToken() {
+  return _getAuth().getAccessToken();
+}
+
+export function getIdToken() {
+  return _getAuth().getIdToken();
+}
+
+export function isAuthenticated() {
+  return _getAuth().isAuthenticated();
+}
+
+export function login(params) {
+  return _getAuth().login(params);
+}
+
+export function logout(params) {
+  return _getAuth().logout(params);
+}
+
+export function refresh(params) {
+  return _getAuth().refresh(params);
+}
+
+export function ensureFreshToken(minValiditySec) {
+  return _getAuth().ensureFreshToken(minValiditySec);
+}
+
+export function handleCallback(params) {
+  return _getAuth().handleCallback(params);
+}
+
+export function handleSilentCallbackMessage(event) {
+  return _getAuth().handleSilentCallbackMessage(event);
+}
+
+export function clearSession(reason) {
+  return _getAuth().clearSession(reason);
+}
+
+export function setTenant(tenant) {
+  return _getAuth().setTenant(tenant);
+}
+
+export function switchTenant(tenant, opts) {
+  return _getAuth().switchTenant(tenant, opts);
+}
+
+export function hasRole(role) {
+  return _getAuth().hasRole(role);
+}
+export function hasAnyRole(roles) {
+  return _getAuth().hasAnyRole(roles);
+}
+export function hasAllRoles(roles) {
+  return _getAuth().hasAllRoles(roles);
+}
+export function hasPermission(permission) {
+  return _getAuth().hasPermission(permission);
+}
+export function can(permission) {
+  return _getAuth().can(permission);
+}
+
+export { authFetch } from './http/authFetch.js';
+export { createAuthHttpClient } from './http/createAuthHttpClient.js';
+
+export { createSilentCheckSsoCallback } from './silent/silentCallback.js';

package/src/auth/permissions/ClaimsNormalizer.js

@@ -0,0 +1,69 @@
+function getByPath(obj, path) {
+  if (!obj || !path) return undefined;
+  const parts = [];
+  // Supports `a.b[0].c` and `resource_access[{clientId}].roles`
+  const re = /([^[.\]]+)|\[(.*?)\]/g;
+  let m;
+  while ((m = re.exec(path))) {
+    const part = m[1] ?? m[2];
+    if (part === '') continue;
+    parts.push(part);
+  }
+  let cur = obj;
+  for (const part of parts) {
+    if (cur == null) return undefined;
+    cur = cur[part];
+  }
+  return cur;
+}
+
+function uniq(arr) {
+  return Array.from(new Set((arr || []).filter(Boolean)));
+}
+
+export function normalizeClaims({ accessClaims, idClaims, clientId, claimsPolicy }) {
+  const rolePaths = claimsPolicy?.roleClaimPaths || [
+    'realm_access.roles',
+    'resource_access[{clientId}].roles',
+  ];
+  const permissionPaths = claimsPolicy?.permissionClaimPaths || [];
+  const profilePaths = claimsPolicy?.profileClaimPaths || {
+    sub: 'sub',
+    name: 'name',
+    email: 'email',
+    username: 'preferred_username',
+  };
+
+  const ctx = { clientId };
+  const replaceVars = (p) => p.replaceAll('{clientId}', String(ctx.clientId));
+
+  const roles = [];
+  for (const p of rolePaths) {
+    const v = getByPath(accessClaims, replaceVars(p));
+    if (Array.isArray(v)) roles.push(...v);
+  }
+
+  const permissions = [];
+  for (const p of permissionPaths) {
+    const v = getByPath(accessClaims, replaceVars(p));
+    if (Array.isArray(v)) permissions.push(...v);
+  }
+
+  /** @type {any} */
+  const profile = {};
+  for (const [k, p] of Object.entries(profilePaths)) {
+    const v = getByPath(idClaims || accessClaims, replaceVars(p));
+    if (v != null) profile[k] = v;
+  }
+
+  return {
+    ...profile,
+    roles: uniq(roles),
+    permissions: uniq(permissions),
+    claims: {
+      access: accessClaims || null,
+      id: idClaims || null,
+    },
+  };
+}
+

package/src/auth/permissions/permissions.js

@@ -0,0 +1,26 @@
+export function hasRole(user, role) {
+  if (!user || !role) return false;
+  return user.roles?.includes(role) || false;
+}
+
+export function hasAnyRole(user, roles) {
+  if (!user) return false;
+  for (const role of roles || []) if (user.roles?.includes(role)) return true;
+  return false;
+}
+
+export function hasAllRoles(user, roles) {
+  if (!user) return false;
+  for (const role of roles || []) if (!user.roles?.includes(role)) return false;
+  return true;
+}
+
+export function hasPermission(user, permission) {
+  if (!user || !permission) return false;
+  return user.permissions?.includes(permission) || false;
+}
+
+export function can(user, permission) {
+  return hasPermission(user, permission);
+}
+

package/src/auth/react/AuthProvider.js

@@ -0,0 +1,34 @@
+import React, { createContext, useContext, useEffect, useMemo, useState } from 'react';
+import { getAuth } from '../singleton.js';
+
+const AuthContext = createContext(null);
+
+/**
+ * @param {{
+ *  engine?: any,
+ *  children: React.ReactNode,
+ *  loading?: React.ReactNode,
+ *  onAuthEvent?: (event:any)=>void
+ * }} props
+ */
+export function AuthProvider({ engine, children, loading = null, onAuthEvent }) {
+  const auth = engine || getAuth();
+  const [snapshot, setSnapshot] = useState(() => auth.getSnapshot());
+
+  useEffect(() => auth.subscribe(setSnapshot), [auth]);
+  useEffect(() => (onAuthEvent ? auth.subscribeAuthEvents(onAuthEvent) : undefined), [auth, onAuthEvent]);
+
+  const value = useMemo(() => ({ engine: auth, snapshot }), [auth, snapshot]);
+
+  if (snapshot.status === 'loading_config' || snapshot.status === 'discovering' || snapshot.status === 'idle') {
+    return loading;
+  }
+
+  return React.createElement(AuthContext.Provider, { value }, children);
+}
+
+export function useAuthContext() {
+  const ctx = useContext(AuthContext);
+  if (!ctx) throw new Error('[cmfrt/auth] AuthProvider is missing.');
+  return ctx;
+}

package/src/auth/react/guards/RequireAuth.js

@@ -0,0 +1,35 @@
+import React, { useEffect } from 'react';
+import { useLocation } from 'react-router-dom';
+import { useAuth } from '../useAuth.js';
+
+/**
+ * @param {{
+ *  children: React.ReactNode,
+ *  fallback?: React.ReactNode,
+ *  guestOnly?: boolean
+ * }} props
+ */
+export function RequireAuth({ children, fallback = null, guestOnly = false }) {
+  const auth = useAuth();
+  const location = useLocation();
+
+  const returnTo = location.pathname + location.search + location.hash;
+
+  useEffect(() => {
+    if (guestOnly) return;
+    if (auth.status === 'authenticated') return;
+    if (auth.status === 'authenticating') return;
+    if (auth.status === 'refreshing') return;
+    if (auth.status === 'ready' || auth.status === 'logged_out') {
+      auth.login({ returnTo });
+    }
+  }, [guestOnly, auth.status, returnTo]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  if (guestOnly) {
+    if (auth.status === 'authenticated') return fallback;
+    return children;
+  }
+
+  if (auth.status === 'authenticated') return children;
+  return fallback;
+}

package/src/auth/react/guards/RequirePermission.js

@@ -0,0 +1,16 @@
+import React from 'react';
+import { useAuth } from '../useAuth.js';
+
+/**
+ * @param {{
+ *  permission: string,
+ *  children: React.ReactNode,
+ *  fallback?: React.ReactNode
+ * }} props
+ */
+export function RequirePermission({ permission, children, fallback = null }) {
+  const auth = useAuth();
+  if (auth.status !== 'authenticated') return fallback;
+  if (auth.can(permission)) return children;
+  return fallback;
+}

package/src/auth/react/guards/withAuthGuard.js

@@ -0,0 +1,12 @@
+import React from 'react';
+import { RequireAuth } from './RequireAuth.js';
+
+export function withAuthGuard(Component, { fallback = null } = {}) {
+  return function WithAuthGuard(props) {
+    return React.createElement(
+      RequireAuth,
+      { fallback },
+      React.createElement(Component, { ...props })
+    );
+  };
+}

package/src/auth/react/hooks/useRequireAuth.js

@@ -0,0 +1,24 @@
+import { useEffect } from 'react';
+import { useAuth } from '../useAuth.js';
+
+/**
+ * Hook version of route-guard: triggers login when unauthenticated.
+ * @param {{ returnTo?: string, enabled?: boolean }} [opts]
+ */
+export function useRequireAuth(opts) {
+  const auth = useAuth();
+  const enabled = opts?.enabled ?? true;
+
+  useEffect(() => {
+    if (!enabled) return;
+    if (auth.status === 'authenticated') return;
+    if (auth.status === 'authenticating') return;
+    if (auth.status === 'refreshing') return;
+    if (auth.status === 'ready' || auth.status === 'logged_out') {
+      auth.login({ returnTo: opts?.returnTo });
+    }
+  }, [enabled, auth.status]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  return auth;
+}
+

package/src/auth/react/index.js

@@ -0,0 +1,6 @@
+export { AuthProvider } from './AuthProvider.js';
+export { useAuth } from './useAuth.js';
+export { RequireAuth } from './guards/RequireAuth.js';
+export { RequirePermission } from './guards/RequirePermission.js';
+export { withAuthGuard } from './guards/withAuthGuard.js';
+export { useRequireAuth } from './hooks/useRequireAuth.js';

package/src/auth/react/useAuth.js

@@ -0,0 +1,29 @@
+import { useMemo } from 'react';
+import { useAuthContext } from './AuthProvider.js';
+
+export function useAuth() {
+  const { engine, snapshot } = useAuthContext();
+
+  return useMemo(
+    () => ({
+      ...snapshot,
+      engine,
+      login: engine.login,
+      logout: engine.logout,
+      handleCallback: engine.handleCallback,
+      ensureFreshToken: engine.ensureFreshToken,
+      refresh: engine.refresh,
+      getAccessToken: engine.getAccessToken,
+      getIdToken: engine.getIdToken,
+      getUser: engine.getUser,
+      hasRole: engine.hasRole,
+      hasAnyRole: engine.hasAnyRole,
+      hasAllRoles: engine.hasAllRoles,
+      hasPermission: engine.hasPermission,
+      can: engine.can,
+      switchTenant: engine.switchTenant,
+      setTenant: engine.setTenant,
+    }),
+    [engine, snapshot]
+  );
+}

package/src/auth/silent/silentCallback.js

@@ -0,0 +1,42 @@
+/**
+ * Helper for the silent-check-sso redirect page (same-origin recommended).
+ *
+ * Usage (in your silent callback page/app route):
+ *   import { createSilentCheckSsoCallback } from 'cmfrt/auth';
+ *   createSilentCheckSsoCallback();
+ *
+ * It forwards the OIDC response (code/state/error) to the parent window via postMessage.
+ */
+
+import { parseUrlParams, stripQueryParams } from '../utils/url.js';
+
+export function createSilentCheckSsoCallback({
+  messageType = 'CMFRT_OIDC_SILENT_CALLBACK',
+  targetOrigin = '*',
+  stripParams = true,
+} = {}) {
+  if (typeof window === 'undefined') return;
+
+  const params = parseUrlParams(window.location.href);
+  const payload = {
+    type: messageType,
+    url: window.location.href,
+    params,
+  };
+
+  try {
+    window.parent?.postMessage(payload, targetOrigin);
+  } catch {
+    // ignore
+  }
+
+  if (stripParams) {
+    try {
+      const clean = stripQueryParams(window.location.href, ['code', 'state', 'error', 'error_description', 'session_state']);
+      window.history.replaceState({}, '', clean);
+    } catch {
+      // ignore
+    }
+  }
+}
+

package/src/auth/singleton.js

@@ -0,0 +1,22 @@
+import { createAuthEngine } from './core/AuthEngine.js';
+
+let _defaultEngine = null;
+
+export function initializeAuth(options) {
+  _defaultEngine = createAuthEngine(options);
+  return _defaultEngine;
+}
+
+export function getAuth() {
+  if (!_defaultEngine) {
+    throw new Error(
+      '[cmfrt/auth] Default auth engine is not initialized. Call initializeAuth(...) first or pass `engine` to AuthProvider.'
+    );
+  }
+  return _defaultEngine;
+}
+
+export function _setDefaultAuthEngine(engine) {
+  _defaultEngine = engine;
+}
+

package/src/auth/storage/InMemoryTokenStore.js

@@ -0,0 +1,56 @@
+import { decodeJwt, getJwtExp } from '../utils/jwt.js';
+
+export function createInMemoryTokenStore() {
+  /** @type {any} */
+  let tokens = null;
+  /** @type {any} */
+  let claims = null;
+
+  function set(next) {
+    tokens = next || null;
+    const accessClaims = next?.access_token ? decodeJwt(next.access_token) : null;
+    const idClaims = next?.id_token ? decodeJwt(next.id_token) : null;
+    claims = { access: accessClaims, id: idClaims };
+  }
+
+  function clear() {
+    tokens = null;
+    claims = null;
+  }
+
+  function get() {
+    return tokens;
+  }
+
+  function getClaims() {
+    return claims;
+  }
+
+  function getAccessToken() {
+    return tokens?.access_token || null;
+  }
+
+  function getIdToken() {
+    return tokens?.id_token || null;
+  }
+
+  function getRefreshToken() {
+    return tokens?.refresh_token || null;
+  }
+
+  function getAccessTokenExpSec() {
+    return getJwtExp(getAccessToken());
+  }
+
+  return {
+    set,
+    clear,
+    get,
+    getClaims,
+    getAccessToken,
+    getIdToken,
+    getRefreshToken,
+    getAccessTokenExpSec,
+  };
+}
+

package/src/auth/storage/TransactionStore.js

@@ -0,0 +1,51 @@
+function safeSessionStorage() {
+  try {
+    if (typeof window === 'undefined') return null;
+    return window.sessionStorage;
+  } catch {
+    return null;
+  }
+}
+
+export function createTransactionStore({ namespace }) {
+  const storage = safeSessionStorage();
+  const prefix = namespace ? `${namespace}.` : 'cmfrt.auth.txn.';
+
+  function key(k) {
+    return prefix + k;
+  }
+
+  function set(k, v) {
+    if (!storage) return;
+    storage.setItem(key(k), JSON.stringify(v));
+  }
+
+  function get(k) {
+    if (!storage) return null;
+    const raw = storage.getItem(key(k));
+    if (!raw) return null;
+    try {
+      return JSON.parse(raw);
+    } catch {
+      return null;
+    }
+  }
+
+  function remove(k) {
+    if (!storage) return;
+    storage.removeItem(key(k));
+  }
+
+  function clearAll() {
+    if (!storage) return;
+    const keys = [];
+    for (let i = 0; i < storage.length; i++) {
+      const k = storage.key(i);
+      if (k && k.startsWith(prefix)) keys.push(k);
+    }
+    for (const k of keys) storage.removeItem(k);
+  }
+
+  return { set, get, remove, clearAll };
+}
+

package/src/auth/sync/BroadcastChannelSync.js

@@ -0,0 +1,29 @@
+export function createBroadcastChannelSync({ name, onMessage }) {
+  if (typeof window === 'undefined' || typeof BroadcastChannel === 'undefined') {
+    return {
+      post() {},
+      close() {},
+      isSupported: false,
+    };
+  }
+
+  const channel = new BroadcastChannel(name);
+  channel.addEventListener('message', (ev) => {
+    try {
+      onMessage?.(ev.data);
+    } catch {
+      // best-effort
+    }
+  });
+
+  function post(message) {
+    channel.postMessage(message);
+  }
+
+  function close() {
+    channel.close();
+  }
+
+  return { post, close, isSupported: true };
+}
+