npm - @spidy092/auth-client - Versions diffs - 2.0.5 → 2.0.6 - Mend

@spidy092/auth-client 2.0.5 → 2.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/api.js CHANGED Viewed

@@ -12,7 +12,8 @@ api.interceptors.request.use((config) => {
   const runtimeConfig = getConfig();
   if (!config.baseURL) {
-    config.baseURL = runtimeConfig?.authBaseUrl || 'http://localhost:4000/auth';
+    config.baseURL = runtimeConfig?.authBaseUrl || 'http://auth.local.test:4000/auth';
   }
   if (!config.headers) {

package/core.js CHANGED Viewed

@@ -12,7 +12,8 @@ import { getConfig, isRouterMode } from './config';
 let callbackProcessed = false;
-export function login(clientKeyArg, redirectUriArg) {
+export function login(clientKeyArg, redirectUriArg, options = {}) {
+  // ✅ Reset callback state when starting new login
   resetCallbackState();
   const {
@@ -24,11 +25,14 @@ export function login(clientKeyArg, redirectUriArg) {
   const clientKey = clientKeyArg || defaultClientKey;
   const redirectUri = redirectUriArg || defaultRedirectUri;
+  const { codeChallenge, codeChallengeMethod, state } = options;
   console.log('🔄 Smart Login initiated:', {
     mode: isRouterMode() ? 'ROUTER' : 'CLIENT',
     clientKey,
-    redirectUri
+    redirectUri,
+    hasPKCE: !!codeChallenge,
+    hasState: !!state
   });
   if (!clientKey || !redirectUri) {
@@ -39,25 +43,76 @@ export function login(clientKeyArg, redirectUriArg) {
   sessionStorage.setItem('returnUrl', redirectUri);
   if (isRouterMode()) {
-    return routerLogin(clientKey, redirectUri);
+    // Router mode: Direct backend authentication
+    return routerLogin(clientKey, redirectUri, { codeChallenge, codeChallengeMethod, state });
   } else {
-    return clientLogin(clientKey, redirectUri);
+    // Client mode: Redirect to centralized login
+    return clientLogin(clientKey, redirectUri, { codeChallenge, codeChallengeMethod, state });
   }
 }
-function routerLogin(clientKey, redirectUri) {
+// ✅ Router mode: Direct backend call
+function routerLogin(clientKey, redirectUri, options = {}) {
   const { authBaseUrl } = getConfig();
-  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?redirect_uri=${encodeURIComponent(redirectUri)}`;
+  const { codeChallenge, codeChallengeMethod, state } = options;
-  console.log('🏭 Router Login:', backendLoginUrl);
+  // Build URL with PKCE and state parameters
+  const params = new URLSearchParams({
+    redirect_uri: redirectUri
+  });
+  if (codeChallenge) {
+    params.append('code_challenge', codeChallenge);
+    params.append('code_challenge_method', codeChallengeMethod || 'S256');
+  }
+  if (state) {
+    params.append('state', state);
+  }
+  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}?${params.toString()}`;
+  console.log('🏭 Router Login: Direct backend authentication', {
+    clientKey,
+    redirectUri,
+    hasPKCE: !!codeChallenge,
+    hasState: !!state,
+    backendUrl: backendLoginUrl
+  });
   window.location.href = backendLoginUrl;
 }
-function clientLogin(clientKey, redirectUri) {
+// ✅ Client mode: Centralized login
+function clientLogin(clientKey, redirectUri, options = {}) {
   const { accountUiUrl } = getConfig();
-  const centralizedLoginUrl = `${accountUiUrl}/login?client=${clientKey}&redirect_uri=${encodeURIComponent(redirectUri)}`;
+  const { codeChallenge, codeChallengeMethod, state } = options;
+  // Build URL with PKCE and state parameters
+  const params = new URLSearchParams({
+    client: clientKey,
+    redirect_uri: redirectUri
+  });
-  console.log('🔄 Client Login:', centralizedLoginUrl);
+  if (codeChallenge) {
+    params.append('code_challenge', codeChallenge);
+    params.append('code_challenge_method', codeChallengeMethod || 'S256');
+  }
+  if (state) {
+    params.append('state', state);
+  }
+  const centralizedLoginUrl = `${accountUiUrl}/login?${params.toString()}`;
+  console.log('🔄 Client Login: Redirecting to centralized login', {
+    clientKey,
+    redirectUri,
+    hasPKCE: !!codeChallenge,
+    hasState: !!state,
+    centralizedUrl: centralizedLoginUrl
+  });
   window.location.href = centralizedLoginUrl;
 }
@@ -88,7 +143,7 @@ async function routerLogout(clientKey, authBaseUrl, accountUiUrl, token) {
   try {
     const response = await fetch(`${authBaseUrl}/logout/${clientKey}`, {
-      method: 'POST',
+      method: 'GET',
       credentials: 'include',
       headers: {
         'Authorization': token ? `Bearer ${token}` : '',
@@ -131,42 +186,83 @@ function clientLogout(clientKey, accountUiUrl) {
 export function handleCallback() {
   const params = new URLSearchParams(window.location.search);
   const accessToken = params.get('access_token');
-  const refreshToken = params.get('refresh_token');
   const error = params.get('error');
+  const state = params.get('state');
   console.log('🔄 Callback handling:', {
     hasAccessToken: !!accessToken,
-    hasRefreshToken: !!refreshToken,
-    error
+    error,
+    hasState: !!state
   });
+  // ✅ Validate state parameter
+  if (state) {
+    const storedState = sessionStorage.getItem('oauth_state');
+    if (storedState && storedState !== state) {
+      console.error('❌ State mismatch - possible CSRF attack', {
+        received: state.substring(0, 10),
+        expected: storedState.substring(0, 10)
+      });
+      throw new Error('Invalid state parameter - authentication may have been compromised');
+    }
+    // Check state age (prevent replay attacks)
+    const stateTimestamp = parseInt(sessionStorage.getItem('pkce_timestamp') || '0', 10);
+    const stateAge = Date.now() - stateTimestamp;
+    const MAX_STATE_AGE = 10 * 60 * 1000; // 10 minutes
+    if (stateAge > MAX_STATE_AGE) {
+      console.error('❌ State expired', { stateAge });
+      throw new Error('Authentication state expired - please try again');
+    }
+    // Clear state after validation
+    sessionStorage.removeItem('oauth_state');
+    sessionStorage.removeItem('pkce_timestamp');
+  }
+  // ✅ Prevent duplicate callback processing
   if (callbackProcessed) {
     const existingToken = getToken();
-    if (existingToken) return existingToken;
+    if (existingToken) {
+      console.log('✅ Callback already processed, returning existing token');
+      return existingToken;
+    }
+    // Reset if no token found (might be a retry)
+    callbackProcessed = false;
   }
   callbackProcessed = true;
   sessionStorage.removeItem('originalApp');
   sessionStorage.removeItem('returnUrl');
+  sessionStorage.removeItem('pkce_code_verifier'); // Clear PKCE verifier after use
   if (error) {
-    throw new Error(`Authentication failed: ${error}`);
+    const errorDescription = params.get('error_description') || error;
+    throw new Error(`Authentication failed: ${errorDescription}`);
   }
   if (accessToken) {
     setToken(accessToken);
-    if (refreshToken) {
-      setRefreshToken(refreshToken);
-      console.log('✅ Refresh token persisted');
+    // ✅ Refresh token should NOT be in URL - it's in httpOnly cookie
+    // If refresh token is in URL, log warning but don't store it client-side
+    const refreshTokenInUrl = params.get('refresh_token');
+    if (refreshTokenInUrl) {
+      console.warn('⚠️ SECURITY WARNING: Refresh token found in URL - this should not happen!');
+      // DO NOT store refresh token from URL - it should only be in httpOnly cookie
     }
     const url = new URL(window.location);
     url.searchParams.delete('access_token');
     url.searchParams.delete('refresh_token');
+    url.searchParams.delete('refresh_token');
     url.searchParams.delete('state');
+    url.searchParams.delete('error');
+    url.searchParams.delete('error_description');
     window.history.replaceState({}, '', url);
+    console.log('✅ Callback processed successfully, token stored');
     return accessToken;
   }
@@ -177,51 +273,61 @@ export function resetCallbackState() {
   callbackProcessed = false;
 }
+// ✅ Add refresh lock to prevent concurrent refresh calls
+let refreshInProgress = false;
+let refreshPromise = null;
 export async function refreshToken() {
   const { clientKey, authBaseUrl } = getConfig();
-  const refreshTokenValue = getRefreshToken();
-  console.log('🔄 Refreshing token');
-  if (!refreshTokenValue) {
-    console.warn('⚠️ No refresh token available');
-    clearToken();
-    throw new Error('No refresh token available');
+  // ✅ Prevent concurrent refresh calls
+  if (refreshInProgress && refreshPromise) {
+    console.log('🔄 Token refresh already in progress, waiting...');
+    return refreshPromise;
   }
+  refreshInProgress = true;
+  refreshPromise = (async () => {
+    try {
+      console.log('🔄 Refreshing token:', {
+        clientKey,
+        mode: isRouterMode() ? 'ROUTER' : 'CLIENT'
+      });
+      const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, {
+        method: 'POST',
+        credentials: 'include', // ✅ Include httpOnly cookies
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        console.error('❌ Token refresh failed:', response.status, errorText);
+        throw new Error(`Refresh failed: ${response.status}`);
+      }
-  try {
-    const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, {
-      method: 'POST',
-      credentials: 'include',
-      headers: {
-        'Content-Type': 'application/json',
-        'X-Refresh-Token': refreshTokenValue
-      },
-      body: JSON.stringify({
-        refreshToken: refreshTokenValue
-      })
-    });
-    if (!response.ok) {
-      throw new Error('Refresh failed');
-    }
-    const { access_token, refresh_token: new_refresh_token } = await response.json();
-    setToken(access_token);
-    if (new_refresh_token) {
-      setRefreshToken(new_refresh_token);
+      const { access_token } = await response.json();
+      if (!access_token) {
+        throw new Error('No access token in refresh response');
+      }
+      // ✅ This will trigger token listeners
+      setToken(access_token);
+      console.log('✅ Token refresh successful, listeners notified');
+      return access_token;
+    } catch (err) {
+      console.error('❌ Token refresh error:', err);
+      // ✅ This will trigger token listeners
+      clearToken();
+      clearRefreshToken();
+      throw err;
+    } finally {
+      refreshInProgress = false;
+      refreshPromise = null;
     }
-    console.log('✅ Token refresh successful');
-    return access_token;
-  } catch (err) {
-    console.error('❌ Token refresh failed:', err);
-    clearToken();
-    clearRefreshToken();
-    throw err;
-  }
+  })();
+  return refreshPromise;
 }
 export async function validateCurrentSession() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@spidy092/auth-client",
-  "version": "2.0.5",
+  "version": "2.0.6",
   "description": "Scalable frontend auth SDK for centralized login using Keycloak + Auth Service.",
   "main": "index.js",
   "module": "index.js",

package/react/AuthProvider.jsx CHANGED Viewed

@@ -24,7 +24,7 @@ export function AuthProvider({ children }) {
       return;
     }
-    fetch(`${authBaseUrl}/me`, {
+    fetch(`${authBaseUrl}/account/profile`, {
       headers: { Authorization: `Bearer ${token}` },
       credentials: 'include',
     })

package/token.js CHANGED Viewed

@@ -46,44 +46,44 @@ function readAccessToken() {
 }
 // ========== REFRESH TOKEN (KEEP SIMPLE) ==========
-export function setRefreshToken(token) {
-  if (!token) {
-    clearRefreshToken();
-    return;
-  }
+// export function setRefreshToken(token) {
+//   if (!token) {
+//     clearRefreshToken();
+//     return;
+//   }
-  const expires = new Date(Date.now() + COOKIE_MAX_AGE * 1000);
+//   const expires = new Date(Date.now() + COOKIE_MAX_AGE * 1000);
-  try {
-    document.cookie = `${REFRESH_COOKIE}=${encodeURIComponent(token)}; Path=/; SameSite=Lax${secureAttribute()}; Expires=${expires.toUTCString()}`;
-  } catch (err) {
-    console.warn('Could not set refresh token:', err);
-  }
-}
+//   try {
+//     document.cookie = `${REFRESH_COOKIE}=${encodeURIComponent(token)}; Path=/; SameSite=Lax${secureAttribute()}; Expires=${expires.toUTCString()}`;
+//   } catch (err) {
+//     console.warn('Could not set refresh token:', err);
+//   }
+// }
-export function getRefreshToken() {
-  try {
-    const match = document.cookie
-      ?.split('; ')
-      ?.find((row) => row.startsWith(`${REFRESH_COOKIE}=`));
+// export function getRefreshToken() {
+//   try {
+//     const match = document.cookie
+//       ?.split('; ')
+//       ?.find((row) => row.startsWith(`${REFRESH_COOKIE}=`));
-    if (match) {
-      return decodeURIComponent(match.split('=')[1]);
-    }
-  } catch (err) {
-    console.warn('Could not read refresh token:', err);
-  }
+//     if (match) {
+//       return decodeURIComponent(match.split('=')[1]);
+//     }
+//   } catch (err) {
+//     console.warn('Could not read refresh token:', err);
+//   }
-  return null;
-}
+//   return null;
+// }
-export function clearRefreshToken() {
-  try {
-    document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Lax${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
-  } catch (err) {
-    console.warn('Could not clear refresh token:', err);
-  }
-}
+// export function clearRefreshToken() {
+//   try {
+//     document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Lax${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+//   } catch (err) {
+//     console.warn('Could not clear refresh token:', err);
+//   }
+// }
 // ========== ACCESS TOKEN FUNCTIONS ==========
 function decode(token) {
@@ -145,6 +145,58 @@ export function clearToken() {
   });
 }
+export function setRefreshToken(token) {
+  // ✅ SECURITY: Refresh tokens should ONLY be in httpOnly cookies set by server
+  // This function should NOT be used - refresh tokens must come from server cookies
+  // Keeping for backwards compatibility but logging warning
+  if (!token) {
+    clearRefreshToken();
+    return;
+  }
+  console.warn('⚠️ SECURITY WARNING: setRefreshToken() called - refresh tokens should only be in httpOnly cookies!');
+  console.warn('⚠️ Refresh tokens set client-side are insecure and should be removed');
+  // ❌ DO NOT store refresh token in client-side storage
+  // The server sets it in httpOnly cookie, which is the only secure way
+  // Only clear any existing client-side storage
+  try {
+    sessionStorage.removeItem(REFRESH_COOKIE);
+  } catch (err) {
+    // Ignore
+  }
+}
+export function getRefreshToken() {
+  // ✅ Refresh tokens are stored in httpOnly cookies by the server
+  // We cannot read httpOnly cookies from JavaScript - they're only sent with requests
+  // This function is kept for backwards compatibility but returns null
+  // The refresh endpoint will automatically use the httpOnly cookie via credentials: 'include'
+  // ❌ DO NOT try to read refresh token from client-side storage
+  // httpOnly cookies are not accessible via document.cookie
+  console.warn('⚠️ getRefreshToken() called - refresh tokens are in httpOnly cookies and cannot be read from JavaScript');
+  console.warn('⚠️ The refresh endpoint will automatically use the httpOnly cookie via credentials: "include"');
+  return null; // Refresh token is in httpOnly cookie, not accessible to JavaScript
+}
+export function clearRefreshToken() {
+  try {
+    document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  } catch (err) {
+    console.warn('Could not clear refresh token cookie:', err);
+  }
+  try {
+    sessionStorage.removeItem(REFRESH_COOKIE);
+  } catch (err) {
+    console.warn('Could not clear refresh token from sessionStorage:', err);
+  }
+}
 export function addTokenListener(listener) {
   if (typeof listener !== 'function') {
     throw new Error('Token listener must be a function');