npm - @spidy092/auth-client - Versions diffs - 1.0.6 → 1.0.8 - Mend

@spidy092/auth-client 1.0.6 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/core.js +53 -45
package/package.json +1 -1

package/core.js CHANGED Viewed

@@ -1,8 +1,7 @@
 import { setToken, clearToken, getToken } from './token';
 import { getConfig } from './config';
-export function login(clientKeyArg, redirectUriArg, stateArg) {
+export function login(clientKeyArg, redirectUriArg) {  // Removed stateArg
   const {
     clientKey: defaultClientKey,
     authBaseUrl,
@@ -12,94 +11,103 @@ export function login(clientKeyArg, redirectUriArg, stateArg) {
   const clientKey = clientKeyArg || defaultClientKey;
   const redirectUri = redirectUriArg || defaultRedirectUri;
-  const state = stateArg || crypto.randomUUID();
+  // Removed state generation
   console.log('Initiating login with parameters:', {
     clientKey,
-    redirectUri,
-    state,});
+    redirectUri
+    // Removed state from logging
+  });
   if (!clientKey || !redirectUri) {
     throw new Error('Missing clientKey or redirectUri');
   }
-  // Store state for callback validation
-  sessionStorage.setItem('authState', state);
+  // Store only app info, no state
   sessionStorage.setItem('originalApp', clientKey);
   sessionStorage.setItem('returnUrl', redirectUri);
   // --- ENTERPRISE LOGIC ---
   // If we are already in Account-UI, go straight to the backend
   if (window.location.origin === accountUiUrl && clientKey === 'account-ui') {
-    // Direct SSO kick-off for Account-UI
-    const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?redirect_uri=${encodeURIComponent(redirectUri)}&state=${encodeURIComponent(state)}`;
+    // Direct SSO kick-off for Account-UI (no state parameter)
+    const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?redirect_uri=${encodeURIComponent(redirectUri)}`;
     console.log('Redirecting directly to auth backend:', backendLoginUrl);
     window.location.href = backendLoginUrl;
     return;
   }
-  // Otherwise, centralized login flow (for other apps)
+  // Otherwise, centralized login flow (for other apps, no state)
   const accountLoginUrl = `${accountUiUrl}/login?` + new URLSearchParams({
     client: clientKey,
-    redirect_uri: redirectUri,
-    state: state
+    redirect_uri: redirectUri
+    // Removed state
   });
   console.log('Redirecting to centralized Account UI:', accountLoginUrl);
   window.location.href = accountLoginUrl;
 }
 export function logout() {
   const { clientKey, authBaseUrl, accountUiUrl } = getConfig();
   const token = getToken();
-  if (!token) {
-    window.location.href = `${accountUiUrl}/login`;
-    return;
-  }
+  console.log('Initiating logout for client:', clientKey);
+  // Clear local storage immediately
   clearToken();
-  // Call logout endpoint
-  fetch(`${authBaseUrl}/logout/${clientKey}`, {
-    method: 'POST',
-    credentials: 'include',
-    headers: {
-      'Authorization': `Bearer ${token}`
-    }
-  }).catch(console.error);
+  sessionStorage.clear();
+  // Don't clear localStorage completely - might break other stuff
+  // localStorage.clear(); // Remove this line
-  // Redirect to Account UI logout page
-  window.location.href = `${accountUiUrl}/logout?client=${clientKey}`;
+  // Call backend logout if we have a token
+  if (token) {
+    fetch(`${authBaseUrl}/logout/${clientKey}`, {
+      method: 'POST',
+      credentials: 'include', // ✅ CRITICAL: This sends cookies
+      headers: {
+        'Authorization': `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      }
+    })
+    .then(response => response.json())
+    .then(data => {
+      console.log('Backend logout response:', data);
+      // If we get a Keycloak logout URL, redirect there
+      if (data.keycloakLogoutUrl) {
+        window.location.href = data.keycloakLogoutUrl;
+        return;
+      }
+      // Otherwise redirect to login
+      window.location.href = `${accountUiUrl}/login`;
+    })
+    .catch(error => {
+      console.error('Logout error:', error);
+      // Always redirect to login even on error
+      window.location.href = `${accountUiUrl}/login`;
+    });
+  } else {
+    // No token, just redirect to login
+    window.location.href = `${accountUiUrl}/login`;
+  }
 }
 export function handleCallback() {
   const params = new URLSearchParams(window.location.search);
   const accessToken = params.get('access_token');
   const error = params.get('error');
-  const state = params.get('state');
-  const storedState = sessionStorage.getItem('authState');
+  // Removed state handling completely
   console.log('Handling authentication callback:', {
     accessToken,
-    error,
-    state,
-    storedState
+    error
+    // Removed state from logging
   });
+  // Removed all state validation
-  // Validate state
-  // if (state && storedState && state !== storedState) {
-  //   throw new Error('Invalid state. Possible CSRF attack.');
-  // }
-  if (!state && !storedState ) {
-    throw new Error('no state. Possible CSRF attack.');
-  }
-  sessionStorage.removeItem('authState');
   sessionStorage.removeItem('originalApp');
   sessionStorage.removeItem('returnUrl');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@spidy092/auth-client",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Scalable frontend auth SDK for centralized login using Keycloak + Auth Service.",
   "main": "index.js",
   "module": "index.js",