@spidy092/auth-client 2.0.3 → 2.0.4

package/core.js

@@ -1,4 +1,5 @@
-// auth-client/core.js
+// auth-client/core.js - MINIMAL WORKING VERSION
+
 import {
   setToken,
   clearToken,
@@ -9,10 +10,9 @@ import {
 } from './token';
 import { getConfig, isRouterMode } from './config';
 
-// ✅ Track callback state with listeners
 let callbackProcessed = false;
 
-export async function login(clientKeyArg, redirectUriArg) {
+export function login(clientKeyArg, redirectUriArg, options = {}) {
   // ✅ Reset callback state when starting new login
   resetCallbackState();
   
@@ -25,129 +25,91 @@ export async function login(clientKeyArg, redirectUriArg) {
 
   const clientKey = clientKeyArg || defaultClientKey;
   const redirectUri = redirectUriArg || defaultRedirectUri;
+  const { codeChallenge, codeChallengeMethod, state } = options;
 
   console.log('🔄 Smart Login initiated:', {
     mode: isRouterMode() ? 'ROUTER' : 'CLIENT',
     clientKey,
-    redirectUri
+    redirectUri,
+    hasPKCE: !!codeChallenge,
+    hasState: !!state
   });
 
   if (!clientKey || !redirectUri) {
     throw new Error('Missing clientKey or redirectUri');
   }
 
-  // Store app info
   sessionStorage.setItem('originalApp', clientKey);
   sessionStorage.setItem('returnUrl', redirectUri);
 
-    try {
-    const hasValidSession = await checkExistingTokens();
-    if (hasValidSession) {
-      console.log('✅ Valid session found, skipping login redirect');
-      return getToken();
-    }
-  } catch (err) {
-    console.log('⚠️ No valid session, proceeding with login flow');
-  }
-
-  // ✅ Smart Router Logic
   if (isRouterMode()) {
     // Router mode: Direct backend authentication
-    return routerLogin(clientKey, redirectUri);
+    return routerLogin(clientKey, redirectUri, { codeChallenge, codeChallengeMethod, state });
   } else {
     // Client mode: Redirect to centralized login
-    return clientLogin(clientKey, redirectUri);
+    return clientLogin(clientKey, redirectUri, { codeChallenge, codeChallengeMethod, state });
   }
 }
 
 // ✅ Router mode: Direct backend call
-function routerLogin(clientKey, redirectUri) {
+function routerLogin(clientKey, redirectUri, options = {}) {
   const { authBaseUrl } = getConfig();
-  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?redirect_uri=${encodeURIComponent(redirectUri)}`;
+  const { codeChallenge, codeChallengeMethod, state } = options;
+  
+  // Build URL with PKCE and state parameters
+  const params = new URLSearchParams({
+    redirect_uri: redirectUri
+  });
+  
+  if (codeChallenge) {
+    params.append('code_challenge', codeChallenge);
+    params.append('code_challenge_method', codeChallengeMethod || 'S256');
+  }
+  
+  if (state) {
+    params.append('state', state);
+  }
+  
+  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?${params.toString()}`;
   
   console.log('🏭 Router Login: Direct backend authentication', {
     clientKey,
     redirectUri,
+    hasPKCE: !!codeChallenge,
+    hasState: !!state,
     backendUrl: backendLoginUrl
   });
 
   window.location.href = backendLoginUrl;
 }
 
-
-async function checkExistingTokens() {
-  const token = getToken();
-  const refreshTokenValue = getRefreshToken();
+// ✅ Client mode: Centralized login
+function clientLogin(clientKey, redirectUri, options = {}) {
+  const { accountUiUrl } = getConfig();
+  const { codeChallenge, codeChallengeMethod, state } = options;
   
-  console.log('🔍 Checking existing tokens:', {
-    hasAccessToken: !!token,
-    hasRefreshToken: !!refreshTokenValue
+  // Build URL with PKCE and state parameters
+  const params = new URLSearchParams({
+    client: clientKey,
+    redirect_uri: redirectUri
   });
   
-  // No tokens at all
-  if (!token && !refreshTokenValue) {
-    console.log('❌ No tokens found');
-    return false;
+  if (codeChallenge) {
+    params.append('code_challenge', codeChallenge);
+    params.append('code_challenge_method', codeChallengeMethod || 'S256');
   }
   
-  // Have valid access token
-  if (token && !isTokenExpiredLocal(token)) {
-    console.log('✅ Valid access token exists');
-    return true;
+  if (state) {
+    params.append('state', state);
   }
   
-  // Have refresh token, try to get new access token
-  if (refreshTokenValue) {
-    try {
-      console.log('🔄 Access token expired, attempting refresh...');
-      const newToken = await refreshToken();
-      console.log('✅ Token refreshed successfully');
-      return !!newToken;
-    } catch (err) {
-      console.warn('❌ Token refresh failed:', err);
-      return false;
-    }
-  }
-  
-  return false;
-}
-
-// ✅ NEW HELPER: Check if token is expired
-function isTokenExpiredLocal(token, bufferSeconds = 60) {
-  if (!token) return true;
-  
-  try {
-    const parts = token.split('.');
-    if (parts.length !== 3) return true;
-    
-    const payload = JSON.parse(atob(parts[1]));
-    
-    if (!payload.exp) return true;
-    
-    const now = Date.now() / 1000;
-    const isExpired = payload.exp < (now + bufferSeconds);
-    
-    console.log('🕐 Token expiry check:', {
-      expiresAt: new Date(payload.exp * 1000).toLocaleString(),
-      now: new Date(now * 1000).toLocaleString(),
-      isExpired
-    });
-    
-    return isExpired;
-  } catch (err) {
-    console.error('❌ Failed to decode token:', err);
-    return true;
-  }
-}
-
-// ✅ Client mode: Centralized login
-function clientLogin(clientKey, redirectUri) {
-  const { accountUiUrl } = getConfig();
-  const centralizedLoginUrl = `${accountUiUrl}/login?client=${clientKey}&redirect_uri=${encodeURIComponent(redirectUri)}`;
+  const centralizedLoginUrl = `${accountUiUrl}/login?${params.toString()}`;
   
   console.log('🔄 Client Login: Redirecting to centralized login', {
     clientKey,
     redirectUri,
+    hasPKCE: !!codeChallenge,
+    hasState: !!state,
     centralizedUrl: centralizedLoginUrl
   });
 
@@ -155,19 +117,13 @@ function clientLogin(clientKey, redirectUri) {
 }
 
 export function logout() {
-  // ✅ Reset callback state on logout
   resetCallbackState();
   
   const { clientKey, authBaseUrl, accountUiUrl } = getConfig();
   const token = getToken();
 
-  console.log('🚪 Smart Logout initiated:', {
-    mode: isRouterMode() ? 'ROUTER' : 'CLIENT',
-    clientKey,
-    hasToken: !!token
-  });
+  console.log('🚪 Smart Logout initiated');
 
-  // Clear local storage immediately (this will trigger listeners)
   clearToken();
   clearRefreshToken();
   sessionStorage.removeItem('originalApp');
@@ -180,35 +136,31 @@ export function logout() {
   }
 }
 
-// ✅ Router logout
 async function routerLogout(clientKey, authBaseUrl, accountUiUrl, token) {
-  console.log('🏭 Enhanced Router Logout with sessionStorage');
+  console.log('🏭 Router Logout');
 
   const refreshToken = getRefreshToken();
-  console.log('Refresh token available:', refreshToken ? 'FOUND' : 'MISSING');
 
   try {
     const response = await fetch(`${authBaseUrl}/logout/${clientKey}`, {
-      method: 'POST',
+      method: 'GET',
       credentials: 'include',
       headers: {
         'Authorization': token ? `Bearer ${token}` : '',
         'Content-Type': 'application/json'
       },
       body: JSON.stringify({
-        refreshToken: refreshToken // Send in body
+        refreshToken: refreshToken
       })
     });
 
     const data = await response.json();
     console.log('✅ Logout response:', data);
 
-    // Clear stored tokens
     clearRefreshToken();
     clearToken();
 
-    // Delay before redirect
-    await new Promise(resolve => setTimeout(resolve, 5000)); // ⏳ wait 5 sec
+    await new Promise(resolve => setTimeout(resolve, 5000));
 
     if (data.success && data.keycloakLogoutUrl) {
       window.location.href = data.keycloakLogoutUrl;
@@ -221,16 +173,12 @@ async function routerLogout(clientKey, authBaseUrl, accountUiUrl, token) {
     clearToken();
   }
 
-  // Delay before fallback redirect
-  await new Promise(resolve => setTimeout(resolve, 5000)); // ⏳ wait 5 sec
+  await new Promise(resolve => setTimeout(resolve, 5000));
   window.location.href = '/login';
 }
 
-
-
-// ✅ Client logout
 function clientLogout(clientKey, accountUiUrl) {
-  console.log('🔄 Client Logout: Redirecting to centralized login');
+  console.log('🔄 Client Logout');
   const logoutUrl = `${accountUiUrl}/login?client=${clientKey}&logout=true`;
   window.location.href = logoutUrl;
 }
@@ -238,115 +186,150 @@ function clientLogout(clientKey, accountUiUrl) {
 export function handleCallback() {
   const params = new URLSearchParams(window.location.search);
   const accessToken = params.get('access_token');
-  const refreshToken = params.get('refresh_token'); // CAPTURE THIS
   const error = params.get('error');
+  const state = params.get('state');
 
-  console.log('🔄 Enhanced callback handling:', {
+  console.log('🔄 Callback handling:', {
     hasAccessToken: !!accessToken,
-    hasRefreshToken: !!refreshToken,
-    error
+    error,
+    hasState: !!state
   });
 
+  // ✅ Validate state parameter
+  if (state) {
+    const storedState = sessionStorage.getItem('oauth_state');
+    if (storedState && storedState !== state) {
+      console.error('❌ State mismatch - possible CSRF attack', {
+        received: state.substring(0, 10),
+        expected: storedState.substring(0, 10)
+      });
+      throw new Error('Invalid state parameter - authentication may have been compromised');
+    }
+    
+    // Check state age (prevent replay attacks)
+    const stateTimestamp = parseInt(sessionStorage.getItem('pkce_timestamp') || '0', 10);
+    const stateAge = Date.now() - stateTimestamp;
+    const MAX_STATE_AGE = 10 * 60 * 1000; // 10 minutes
+    
+    if (stateAge > MAX_STATE_AGE) {
+      console.error('❌ State expired', { stateAge });
+      throw new Error('Authentication state expired - please try again');
+    }
+    
+    // Clear state after validation
+    sessionStorage.removeItem('oauth_state');
+    sessionStorage.removeItem('pkce_timestamp');
+  }
+
+  // ✅ Prevent duplicate callback processing
   if (callbackProcessed) {
     const existingToken = getToken();
-    if (existingToken) return existingToken;
+    if (existingToken) {
+      console.log('✅ Callback already processed, returning existing token');
+      return existingToken;
+    }
+    // Reset if no token found (might be a retry)
+    callbackProcessed = false;
   }
 
   callbackProcessed = true;
   sessionStorage.removeItem('originalApp');
   sessionStorage.removeItem('returnUrl');
+  sessionStorage.removeItem('pkce_code_verifier'); // Clear PKCE verifier after use
 
   if (error) {
-    throw new Error(`Authentication failed: ${error}`);
+    const errorDescription = params.get('error_description') || error;
+    throw new Error(`Authentication failed: ${errorDescription}`);
   }
 
   if (accessToken) {
     setToken(accessToken);
-
-    // Store refresh token for future refresh calls
-    if (refreshToken) {
-      setRefreshToken(refreshToken);
-      console.log('✅ Refresh token persisted');
+    
+    // ✅ Refresh token should NOT be in URL - it's in httpOnly cookie
+    // If refresh token is in URL, log warning but don't store it client-side
+    const refreshTokenInUrl = params.get('refresh_token');
+    if (refreshTokenInUrl) {
+      console.warn('⚠️ SECURITY WARNING: Refresh token found in URL - this should not happen!');
+      // DO NOT store refresh token from URL - it should only be in httpOnly cookie
     }
     
-    // Clean URL parameters
     const url = new URL(window.location);
     url.searchParams.delete('access_token');
-    url.searchParams.delete('refresh_token'); // Remove this too
+    url.searchParams.delete('refresh_token');
+    url.searchParams.delete('refresh_token');
     url.searchParams.delete('state');
+    url.searchParams.delete('error');
+    url.searchParams.delete('error_description');
     window.history.replaceState({}, '', url);
     
+    console.log('✅ Callback processed successfully, token stored');
     return accessToken;
   }
 
   throw new Error('No access token found in callback URL');
 }
 
-
-
-// ✅ Reset callback state
 export function resetCallbackState() {
   callbackProcessed = false;
-  console.log('🔄 Callback state reset');
 }
 
-// auth-client/core.js
+// ✅ Add refresh lock to prevent concurrent refresh calls
+let refreshInProgress = false;
+let refreshPromise = null;
+
 export async function refreshToken() {
   const { clientKey, authBaseUrl } = getConfig();
-  const refreshTokenValue = getRefreshToken(); // ✅ Now checks both cookie & localStorage
-
-  console.log('🔄 Refreshing token:', {
-    clientKey,
-    mode: isRouterMode() ? 'ROUTER' : 'CLIENT',
-    hasRefreshToken: !!refreshTokenValue
-  });
-
-  if (!refreshTokenValue) {
-    console.warn('⚠️ No refresh token available for refresh');
-    clearToken();
-    throw new Error('No refresh token available');
+  
+  // ✅ Prevent concurrent refresh calls
+  if (refreshInProgress && refreshPromise) {
+    console.log('🔄 Token refresh already in progress, waiting...');
+    return refreshPromise;
   }
+  
+  refreshInProgress = true;
+  refreshPromise = (async () => {
+    try {
+      console.log('🔄 Refreshing token:', { 
+        clientKey, 
+        mode: isRouterMode() ? 'ROUTER' : 'CLIENT' 
+      });
+      
+      const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, {
+        method: 'POST',
+        credentials: 'include', // ✅ Include httpOnly cookies
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        console.error('❌ Token refresh failed:', response.status, errorText);
+        throw new Error(`Refresh failed: ${response.status}`);
+      }
 
-  try {
-    const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, {
-      method: 'POST',
-      credentials: 'include', // ✅ Sends cookie if available
-      headers: {
-        'Content-Type': 'application/json',
-        'X-Refresh-Token': refreshTokenValue // ✅ Also send in header as fallback
-      },
-      body: JSON.stringify({
-        refreshToken: refreshTokenValue // ✅ Also send in body
-      })
-    });
-
-    if (!response.ok) {
-      throw new Error('Refresh failed');
-    }
-
-    const { access_token, refresh_token: new_refresh_token } = await response.json();
-
-    // ✅ Update access token (triggers listeners)
-    setToken(access_token);
-
-    // ✅ Update refresh token in BOTH storages if backend returned new one
-    if (new_refresh_token) {
-      setRefreshToken(new_refresh_token);
+      const { access_token } = await response.json();
+      
+      if (!access_token) {
+        throw new Error('No access token in refresh response');
+      }
+      
+      // ✅ This will trigger token listeners
+      setToken(access_token);
+      console.log('✅ Token refresh successful, listeners notified');
+      return access_token;
+    } catch (err) {
+      console.error('❌ Token refresh error:', err);
+      // ✅ This will trigger token listeners
+      clearToken();
+      clearRefreshToken();
+      throw err;
+    } finally {
+      refreshInProgress = false;
+      refreshPromise = null;
     }
-
-    console.log('✅ Token refresh successful, listeners notified');
-    return access_token;
-  } catch (err) {
-    console.error('❌ Token refresh failed:', err);
-    // ✅ Clear everything on refresh failure
-    clearToken();
-    clearRefreshToken();
-    throw err;
-  }
+  })();
+  
+  return refreshPromise;
 }
 
-
-
 export async function validateCurrentSession() {
   try {
     const { authBaseUrl } = getConfig();
@@ -386,6 +369,7 @@ export async function validateCurrentSession() {
 
 
 
+
 // export async function refreshToken() {
 //   const { clientKey, authBaseUrl } = getConfig();
   

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@spidy092/auth-client",
-  "version": "2.0.3",
+  "version": "2.0.4",
   "description": "Scalable frontend auth SDK for centralized login using Keycloak + Auth Service.",
   "main": "index.js",
   "module": "index.js",

package/react/AuthProvider.jsx

@@ -24,7 +24,7 @@ export function AuthProvider({ children }) {
       return;
     }
 
-    fetch(`${authBaseUrl}/me`, {
+    fetch(`${authBaseUrl}/account/profile`, {
       headers: { Authorization: `Bearer ${token}` },
       credentials: 'include',
     })

package/token.js

@@ -1,4 +1,4 @@
-// auth-client/token.js - CORRECTED VERSION
+// auth-client/token.js - MINIMAL WORKING VERSION
 
 import { jwtDecode } from 'jwt-decode';
 
@@ -6,7 +6,7 @@ let accessToken = null;
 const listeners = new Set();
 
 const REFRESH_COOKIE = 'account_refresh_token';
-const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days in seconds
+const COOKIE_MAX_AGE = 7 * 24 * 60 * 60;
 
 function secureAttribute() {
   try {
@@ -18,7 +18,7 @@ function secureAttribute() {
   }
 }
 
-// ========== ACCESS TOKEN (localStorage - keeps working) ==========
+// ========== ACCESS TOKEN ==========
 function writeAccessToken(token) {
   if (!token) {
     try {
@@ -45,8 +45,7 @@ function readAccessToken() {
   }
 }
 
-// ========== REFRESH TOKEN (Cookie + sessionStorage - REVERTED) ==========
-
+// ========== REFRESH TOKEN (KEEP SIMPLE) ==========
 export function setRefreshToken(token) {
   if (!token) {
     clearRefreshToken();
@@ -55,70 +54,38 @@ export function setRefreshToken(token) {
 
   const expires = new Date(Date.now() + COOKIE_MAX_AGE * 1000);
   
-  // ✅ REVERT: Use SameSite=Lax (NOT Strict) for SSO to work
   try {
     document.cookie = `${REFRESH_COOKIE}=${encodeURIComponent(token)}; Path=/; SameSite=Lax${secureAttribute()}; Expires=${expires.toUTCString()}`;
-    console.log('✅ Refresh token cookie set (SameSite=Lax for SSO)');
   } catch (err) {
-    console.warn('Could not persist refresh token cookie:', err);
-  }
-
-  // ✅ REVERT: Keep sessionStorage (NOT localStorage) as fallback
-  try {
-    sessionStorage.setItem(REFRESH_COOKIE, token);
-    console.log('✅ Refresh token sessionStorage backup set');
-  } catch (err) {
-    console.warn('Could not persist refresh token to sessionStorage:', err);
+    console.warn('Could not set refresh token:', err);
   }
 }
 
 export function getRefreshToken() {
-  // Prefer cookie to align with server expectations
-  let cookieMatch = null;
   try {
-    cookieMatch = document.cookie
+    const match = document.cookie
       ?.split('; ')
       ?.find((row) => row.startsWith(`${REFRESH_COOKIE}=`));
-  } catch (err) {
-    cookieMatch = null;
-  }
-
-  if (cookieMatch) {
-    console.log('✅ Retrieved refresh token from cookie');
-    return decodeURIComponent(cookieMatch.split('=')[1]);
-  }
-
-  // ✅ REVERT: Fallback to sessionStorage (NOT localStorage)
-  try {
-    const token = sessionStorage.getItem(REFRESH_COOKIE);
-    if (token) {
-      console.log('✅ Retrieved refresh token from sessionStorage (fallback)');
+    
+    if (match) {
+      return decodeURIComponent(match.split('=')[1]);
     }
-    return token;
   } catch (err) {
-    console.warn('Could not read refresh token from sessionStorage:', err);
-    return null;
+    console.warn('Could not read refresh token:', err);
   }
+  
+  return null;
 }
 
 export function clearRefreshToken() {
-  // ✅ REVERT: Clear with SameSite=Lax
   try {
     document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Lax${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
   } catch (err) {
-    console.warn('Could not clear refresh token cookie:', err);
-  }
-
-  // ✅ REVERT: Clear sessionStorage (NOT localStorage)
-  try {
-    sessionStorage.removeItem(REFRESH_COOKIE);
-  } catch (err) {
-    console.warn('Could not clear refresh token from sessionStorage:', err);
+    console.warn('Could not clear refresh token:', err);
   }
 }
 
-// ========== ACCESS TOKEN FUNCTIONS (unchanged) ==========
-
+// ========== ACCESS TOKEN FUNCTIONS ==========
 function decode(token) {
   try {
     return jwtDecode(token);
@@ -178,6 +145,58 @@ export function clearToken() {
   });
 }
 
+export function setRefreshToken(token) {
+  // ✅ SECURITY: Refresh tokens should ONLY be in httpOnly cookies set by server
+  // This function should NOT be used - refresh tokens must come from server cookies
+  // Keeping for backwards compatibility but logging warning
+  
+  if (!token) {
+    clearRefreshToken();
+    return;
+  }
+
+  console.warn('⚠️ SECURITY WARNING: setRefreshToken() called - refresh tokens should only be in httpOnly cookies!');
+  console.warn('⚠️ Refresh tokens set client-side are insecure and should be removed');
+  
+  // ❌ DO NOT store refresh token in client-side storage
+  // The server sets it in httpOnly cookie, which is the only secure way
+  
+  // Only clear any existing client-side storage
+  try {
+    sessionStorage.removeItem(REFRESH_COOKIE);
+  } catch (err) {
+    // Ignore
+  }
+}
+
+export function getRefreshToken() {
+  // ✅ Refresh tokens are stored in httpOnly cookies by the server
+  // We cannot read httpOnly cookies from JavaScript - they're only sent with requests
+  // This function is kept for backwards compatibility but returns null
+  // The refresh endpoint will automatically use the httpOnly cookie via credentials: 'include'
+  
+  // ❌ DO NOT try to read refresh token from client-side storage
+  // httpOnly cookies are not accessible via document.cookie
+  
+  console.warn('⚠️ getRefreshToken() called - refresh tokens are in httpOnly cookies and cannot be read from JavaScript');
+  console.warn('⚠️ The refresh endpoint will automatically use the httpOnly cookie via credentials: "include"');
+  
+  return null; // Refresh token is in httpOnly cookie, not accessible to JavaScript
+}
+
+export function clearRefreshToken() {
+  try {
+    document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  } catch (err) {
+    console.warn('Could not clear refresh token cookie:', err);
+  }
+  try {
+    sessionStorage.removeItem(REFRESH_COOKIE);
+  } catch (err) {
+    console.warn('Could not clear refresh token from sessionStorage:', err);
+  }
+}
+
 export function addTokenListener(listener) {
   if (typeof listener !== 'function') {
     throw new Error('Token listener must be a function');
@@ -203,6 +222,7 @@ export function isAuthenticated() {
 
 
 
+
 // // auth-client/token.js
 // import { jwtDecode } from 'jwt-decode';